From 7dbd20826d5b5113104de6665753088e9c986198 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 30 Jan 2025 12:10:43 -0500 Subject: [PATCH] update, add tic stuff --- aws/documentation/transit-gateway/lab-dmz.md | 35 ++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/aws/documentation/transit-gateway/lab-dmz.md b/aws/documentation/transit-gateway/lab-dmz.md index f53b05dc..fc19463e 100644 --- a/aws/documentation/transit-gateway/lab-dmz.md +++ b/aws/documentation/transit-gateway/lab-dmz.md 
@@ -71,6 +71,41 @@ performance testing, as well as for some potential future use. Each is comprise * test 2 1. (TBD) For IPv6, repeat the setup as with IPv4. VPN tunnels for IPv6 use only IPv4 endpoints, but carry IPv6 traffic. +## TIC 3.0 Architecture + +This has to fit into our existing DMZ configuration, using the existing modules for setting up VPC, subnets, route tables, +TGW attachments, etc. These modules do include setup of IGW, NATGW, public and private subnets, and so forth. We have this +pattern and code deployed for every VPC in prod (over 175) and lab (20 ish). + +For new, non-existent capabilities, we can look at new code for handling that (network firewall, ecs/asg for cloudflared). + +1. need diagram updated to include the parts for this +1. in lab-gov-dmz-network-nonprod +1. potentially new TGW route table for inspection (all stuff handled through TGW route tables as is) +1. inspection VPC (/23 or maybe /22) +1. public subnets in inspection VPC + * public: for natgw, anythign else? /28? +1. private subnets in inspection VPC + * attachment: TGW Attachment (/28) + * firewall: for AWS firewall (/28) + * endpoints: for VPC endpoints (/28 may be too small, we use /26 normally) + * management: not sure what these are for + * cloudflared: for CF tunnels, /28 may be too small + * apps: for testing, /28 probably big enough +1. potentially a dmz VPC, though not sure what purpose this serves +1. internet gateway +1. nat gateway assocated with inspection vpc +1. network firewall configured as an organization wide utility + * does every VPC (tgw internal) need a fw interface to make this all work? + * manage centrally + * use prefix lists as much as possible + * code driven configuration +1. ECS and/or autoscaling for cloudflared tunnels + * desire is to have them created through iac in this repo which configure everything on the CF side too +1. how do we tie the internal lab TGWs into this structure? 
+ * peering from respective regions, internal tgw -> dmz tgw? + * some other way? + ## Diagrams ![Transit Gateway with Lab DMZ](images/tgw-networking-lab-dmz.png)
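Review bot: the inspection design in the new "TIC 3.0 Architecture" section leaves its security-critical decision as an open question (item 10, "does every VPC (tgw internal) need a fw interface to make this all work?") while item 3 only says "potentially new TGW route table for inspection"; before this lands, state which TGW route table sends spoke traffic to the inspection VPC attachment and where the firewall endpoints live (the "firewall" subnets in item 6 already imply they sit only in the inspection VPC), since otherwise a reader cannot tell which traffic is actually inspected. The "management" subnet (item 6) and the dmz VPC (item 7) are both listed with "not sure what these are for"; either give each a purpose and owner or drop them so the doc does not describe subnets nobody is responsible for. Minor: "anythign" and "assocated" are typos, and the "apps: for testing" subnet should be marked lab-only so workloads do not end up hosted inside the inspection path.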