Review Note: This section is an early draft and undergoing reviewing and editing.
In this step your Cloud Administrators will review the solution’s networking requirements and provision VPCs in the workload accounts if required.
This step should take about 60 minutes to complete.
If you’ve determined that the workload will not require VPC networking support, you can skip this step.
Unlike the development/sandbox accounts, test and production environments would typically call for dedicated VPCs. Dedicated VPCs increase isolation of the accounts and provide additional flexibility in certain deployment scenarios.
In those AWS regions in which at least 3 Availability Zones (AZs) are available for customer use, it’s recommended that your initial set of VPCs have subnets in each of the 3 AZs so that your builder teams can experiment with and perform early testing of workloads and AWS services that can take advantage of 3 AZs.
At least one public subnet will have a NAT Gateway that enables workloads in any of the private subnets to send traffic outbound to the Internet. For example, to enable workloads to download content from Internet accessible source code and package repositories.
Option to filter outbound Internet traffic: As you progress in your journey, you may transition from this initial approach of providing builder teams with unfiltered outbound or egress Internet access via the initial set of public subnets and NAT Gateway to a more secure architecture where all Internet egress traffic is routed through your standard enterprise edge security services so that all egress traffic is inspected for compliance. This capability is highlighted in the optional capabilities.
If you have a formally assigned CIDR block to use, in this step you’ll:
The default parameters of the AWS CloudFormation template that you will use in the next step will result in a VPC with:
The CloudFormation template requires you to supply a CIDR block for each of the following:
To keep things simple, you can size the subnets identically.
Allocate a distinct CIDR range for each AWS account if possible to allow for ease of future VPC peering and/or hybrid connectivity scenarios. As you will be subdividing this CIDR block into six different subnets, please try and allocate at minimum a /20
and ideally a /18
for each workload account to allow for scale-out.
/16
- /20
. You should strive to use a distinct CIDR range for each VPC you build, so make sure it’s different from what you’ve previously used for your shared development VPC
If you need to break down a larger block:
/nn
in the Network Address
field.Mask bits
field.Update
.Divide
link to break down the block into smaller blocks.When you’ve reached block sizes from /20
- /22
, select a block size of most interest to you and record that CIDR range so that you can use it in the next step.
Once you’ve determined the VPC CIDR block, breaking it down into an equal size block per subnets is straightforward.
/nn
the Network Address
field.Mask bits
field.Update
.Divide
links to start subdividing the larger block into 6 blocks of equal size.You can use this sample AWS CloudFormation template to easily deploy your centrally managed development network.
Download the sample AWS CloudFormation template vpc-multi-tier.yml to your desktop. You can review the README to understand the role of this template.
Next, access the workload-prod
AWS account:
workload-prod-<workloadId>
AWS account.Management console
associated with the AWSAdministratorAccess
role.Now create a new AWS CloudFormation stack using the sample template you downloaded to your desktop:
CloudFormation
.Create stack
and With new resources
.Upload a template file
.Choose file
to select the downloaded template file from your desktop.Next
.Stack name
. For example, prod-infra-vpc
.Parameters
:Parameter | Guidance |
---|---|
Business Scope |
Replace example with your organization identifier or stock ticker if that applies. This value is used as a prefix in the name of some of the VPC-related cloud resources. For example, in the name of the IAM role used to support VPC flow logs. |
VPC Name |
Change to prod |
Cidr |
Enter values for the pVpcCidr , pTier1.. , and pTier2... CIDR blocks from the prior step. You can ignore the pTier3... parameters because only two tiers - public and private - are being provisioned by default. |
Leave all of the other parameters at their default settings unless you’re comfortable changing them. You can always easily create another stack to experiment with other parameter values. Review the README for details on parameters.
If you have reviewed guidance above and you do not need public subnets, set the following parameters:
pTier1Create
: falsepCreateNatGateways
: falsepCreateInternetGateways
: falseNext
.Next
.Create stack
.In the Events
tab, monitor the progress of the stack creation process. After 5 or so minutes, creation of the stack should complete.
Repeat steps 1-3 above for the workloads-test-<workloadId>
account.