Skip to main content

Create AWS Routing

important

This is a multi-section tutorial, with dependencies between each section. Please perform each section in order, per the links on the left-hand sidebar.

Objective

In this part of the tutorial, the objective is to define AWS routing which will steer traffic in and out of Cloud NGFW as an enforcement point betweeen subnets. Now the Cloud NFGW resources are successfully created, the rulestack is live on the Cloud NGFW, and the VPC endpoint is attached, you can start to steer traffic into Cloud NGFW for inspection.

Assumptions and Lab Guidance

Please ensure you have read and understood the assumptions and lab guideance at the start of this multi-section tutorial.

Select and configure Terraform Providers

First, create a providers.tf file, in a directory called 03_aws_routing. This file defines any Terraform providers you will use, and configures them appropriately. Here just need the AWS provider.

03_aws_routing/providers.tf
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.5"
}
}
}

# Configure AWS Provider
provider "aws" {
region = local.aws_region
access_key = var.aws_access_key
secret_key = var.aws_secret_key
}

Define input variables

Create a variables.tf file in the 03_aws_routing directory. Some values are retrieved from the outputs of the first section of this tutorial, where you created your AWS infrastructure.

03_aws_routing/variables.tf
# AWS Provider Variables
variable "aws_access_key" {
type = string
}

variable "aws_secret_key" {
type = string
}

# Build path to AWS Infrastructure's Terraform state
data "terraform_remote_state" "aws_infra" {
backend = "local"
config = {
path = "../00_aws_infra/terraform.tfstate"
}
}

# Variables - values retrieved from previous Terraform deployment, using the deployment's state as declared above
locals {
projectname = data.terraform_remote_state.aws_infra.outputs.projectname
aws_region = data.terraform_remote_state.aws_infra.outputs.aws_region
aws_vpc_id = data.terraform_remote_state.aws_infra.outputs.vpc_id
dmz1_subnet_cidr_block = data.terraform_remote_state.aws_infra.outputs.dmz1_subnet_cidr_block
dmz2_subnet_cidr_block = data.terraform_remote_state.aws_infra.outputs.dmz2_subnet_cidr_block
dmz1_routetable_id = data.terraform_remote_state.aws_infra.outputs.dmz1_routetable_id
dmz2_routetable_id = data.terraform_remote_state.aws_infra.outputs.dmz2_routetable_id
}

Define input variable values

Next, create a terraform.tfvars file in the 03_aws_routing directory. This file defines values for all the variables defined in the variables.tf file.

Note that you are authenticating to AWS with credentials stored in this terraform.tfvars file. This is just one of many options for the AWS provider, and care should be taken to ensure that this method is appropriate for your environment. Per the lab guidance above, ideally this tutorial would be performed in a non-production AWS account which contains no production assets or data. An alternative to storing the credentials in this file would be to provide them via environment variables.

03_aws_routing/terraform.tfvars
# AWS Provider Variables
aws_access_key = "ABC123"
aws_secret_key = "abc123abc123"

Define AWS Routing

The next file, main.tf, defines the AWS routing between the subnets containing the two test hosts:

03_aws_routing/main.tf
# Retrieve the VPC Endpoint deployed by Cloud NGFW
data "aws_vpc_endpoint" "the_vpc_endpoint" {
vpc_id = local.aws_vpc_id
}

# Create routes to steer traffic into Cloud NGFW (uncomment once Cloud NGFW is successfully deployed with VPC endpoint(s))
resource "aws_route" "to_dmz2" {
route_table_id = local.dmz1_routetable_id
destination_cidr_block = local.dmz2_subnet_cidr_block
vpc_endpoint_id = data.aws_vpc_endpoint.the_vpc_endpoint.id
}

resource "aws_route" "to_dmz1" {
route_table_id = local.dmz2_routetable_id
destination_cidr_block = local.dmz1_subnet_cidr_block
vpc_endpoint_id = data.aws_vpc_endpoint.the_vpc_endpoint.id
}

Terraform init

With all the files above in place, ensure you are in the 03_aws_routing directory, then execute terraform init to initialize the Terraform working directory and download the required providers. Your output should look similar to this:

Initializing the backend...

Initializing provider plugins...
- terraform.io/builtin/terraform is built in to Terraform
- Finding hashicorp/aws versions matching "~> 4.5"...
- Installing hashicorp/aws v4.52.0...
- Installed hashicorp/aws v4.52.0 (signed by HashiCorp)

Terraform plan

Next, run terraform plan to view the upcoming changes Terraform would make next in order to perform the commit operation. The output should look similar to this:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

# aws_route.to_dmz1 will be created
+ resource "aws_route" "to_dmz1" {
+ destination_cidr_block = "10.1.2.0/24"
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known after apply)
+ route_table_id = "rtb-05e4c35fb0b72d879"
+ state = (known after apply)
+ vpc_endpoint_id = "vpce-035c90e2c87b20988"
}

# aws_route.to_dmz2 will be created
+ resource "aws_route" "to_dmz2" {
+ destination_cidr_block = "10.1.3.0/24"
+ id = (known after apply)
+ instance_id = (known after apply)
+ instance_owner_id = (known after apply)
+ network_interface_id = (known after apply)
+ origin = (known after apply)
+ route_table_id = "rtb-03548393f0e609457"
+ state = (known after apply)
+ vpc_endpoint_id = "vpce-035c90e2c87b20988"
}

Plan: 2 to add, 0 to change, 0 to destroy.

Terraform apply

If you are happy with the plan, instruct Terraform to create the AWS infrastructure with terraform apply --auto-approve. The output will look like this:

aws_route.to_dmz1: Creating...
aws_route.to_dmz2: Creating...
aws_route.to_dmz1: Creation complete after 1s [id=r-rtb-05e4c35fb0b72d8791325105504]
aws_route.to_dmz2: Creation complete after 1s [id=r-rtb-03548393f0e6094572242335429]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Testing

Your Cloud NGFW deployment is now complete. Continue to the next section, where the first task will be to test traffic between the two hosts now protected from each other by Cloud NGFW.