update, add tic stuff
badra001 committed Jan 30, 2025
1 parent 0390d37 commit 7dbd208
Showing 1 changed file with 35 additions and 0 deletions.
35 changes: 35 additions & 0 deletions aws/documentation/transit-gateway/lab-dmz.md
Expand Up @@ -71,6 +71,41 @@ performance testing, as well as for some potential future use. Each is comprise
* test 2
1. (TBD) For IPv6, repeat the setup as with IPv4. VPN tunnels for IPv6 use only IPv4 endpoints, but carry IPv6 traffic.

## TIC 3.0 Architecture

This has to fit into our existing DMZ configuration, using the existing modules for setting up VPC, subnets, route tables,
TGW attachments, etc. These modules do include setup of IGW, NATGW, public and private subnets, and so forth. We have this
pattern and code deployed for every VPC in prod (over 175) and lab (20 ish).

For new, non-existent capabilities, we can look at new code for handling that (network firewall, ecs/asg for cloudflared).

1. need diagram updated to include the parts for this
1. in lab-gov-dmz-network-nonprod
1. potentially new TGW route table for inspection (all stuff handled through TGW route tables as is)
1. inspection VPC (/23 or maybe /22)
1. public subnets in inspection VPC
* public: for natgw, anythign else? /28?
1. private subnets in inspection VPC
* attachment: TGW Attachment (/28)
* firewall: for AWS firewall (/28)
* endpoints: for VPC endpoints (/28 may be too small, we use /26 normally)
* management: not sure what these are for
* cloudflared: for CF tunnels, /28 may be too small
* apps: for testing, /28 probably big enough
1. potentially a dmz VPC, though not sure what purpose this serves
1. internet gateway
1. nat gateway assocated with inspection vpc
1. network firewall configured as an organization wide utility
* does every VPC (tgw internal) need a fw interface to make this all work?
* manage centrally
* use prefix lists as much as possible
* code driven configuration
1. ECS and/or autoscaling for cloudflared tunnels
* desire is to have them created through iac in this repo which configure everything on the CF side too
1. how do we tie the internal lab TGWs into this structure?
* peering from respective regions, internal tgw -> dmz tgw?
* some other way?

## Diagrams

![Transit Gateway with Lab DMZ](images/tgw-networking-lab-dmz.png)
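Review bot: The inspection VPC items (the "inspection VPC", "attachment" and "firewall" subnet bullets and the "network firewall" item) do not say how traffic is kept symmetric through a stateful firewall, which is the part of a TIC-style central inspection design that most often breaks in a multi-AZ TGW layout. Suggest the doc record that the inspection VPC's TGW attachment needs appliance mode enabled, that the "firewall" subnets are dedicated to Network Firewall endpoints (one per AZ, /28 is the documented minimum and is fine for that role) with their own route tables, and that the "attachment" subnet route tables point 0.0.0.0/0 at the firewall endpoint in the same AZ rather than directly at the NAT gateway, so nothing bypasses inspection. The "organization wide utility" and "manage centrally" bullets would be clearer if they named the mechanism (for example AWS Firewall Manager policies for Network Firewall) and stated whether member VPCs get their own firewall endpoints or are inspected only via the TGW inspection route table; the open question "does every VPC (tgw internal) need a fw interface" is answered by that choice and should be resolved in the same section. Minor: "anythign" and "assocated" are typos, and the "management" and "dmz VPC" bullets currently document uncertainty rather than a design, so mark them explicitly as TBD like the IPv6 item above.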

0 comments on commit 7dbd208