When deploying to networks account, the environment variable should be set to "shared". Currently, the only options are dev, test, preprod and prod. In my opinion, none of these values are valid for the central resources created in networks account, because these resources (tgw, ipam, network firewall etc) are used by every environment.

My suggestion is to add "shared" as an extra option to the environment variable, and to use that as the default value when when deploying to networks account:
environment = "shared" # dev, test, preprod, prod, shared

HI @aandsco @jplock @luigidifraiawork

Whether the network_hub was region specific?

I am getting below error in us-west-2

╷
│ Error: error creating EC2 Subnet: InvalidSubnet.Range: The IPv6 CIDR '2600:1f13:bbc:9501::/64' is invalid.
│       status code: 400, request id: eb43aee4-9884-4bd7-93e5-29ac731f4eb2
│
│   with module.network_firewall_vpc.aws_subnet.attachment_subnet["us-west-2b"],
│   on modules/network_firewall_vpc/vpc.tf line 73, in resource "aws_subnet" "attachment_subnet":
│   73: resource "aws_subnet" "attachment_subnet" {
│
╵
╷
│ Error: error creating EC2 Subnet: InvalidSubnet.Range: The IPv6 CIDR '2600:1f13:bbc:9502::/64' is invalid.
│       status code: 400, request id: 7d75038f-02bb-481c-b451-4fdc67419eaa
│
│   with module.network_firewall_vpc.aws_subnet.attachment_subnet["us-west-2c"],
│   on modules/network_firewall_vpc/vpc.tf line 73, in resource "aws_subnet" "attachment_subnet":
│   73: resource "aws_subnet" "attachment_subnet" {
│
╵
╷
│ Error: error creating EC2 Subnet: InvalidSubnet.Range: The IPv6 CIDR '2600:1f13:bbc:9500::/64' is invalid.
│       status code: 400, request id: 7b426eab-e2b2-4d09-bd96-ec7948d82e46
│
│   with module.network_firewall_vpc.aws_subnet.attachment_subnet["us-west-2a"],
│   on modules/network_firewall_vpc/vpc.tf line 73, in resource "aws_subnet" "attachment_subnet":
│   73: resource "aws_subnet" "attachment_subnet" {
│
╵
╷
│ Error: error creating EC2 Subnet: InvalidSubnet.Range: The IPv6 CIDR '2600:1f13:bbc:9504::/64' is invalid.
│       status code: 400, request id: d7000f01-dc7b-4769-87f7-6c83ece964c7
│
│   with module.network_firewall_vpc.aws_subnet.inspection_subnet["us-west-2b"],
│   on modules/network_firewall_vpc/vpc.tf line 144, in resource "aws_subnet" "inspection_subnet":
│  144: resource "aws_subnet" "inspection_subnet" {
│
╵
╷
│ Error: error creating EC2 Subnet: InvalidSubnet.Range: The IPv6 CIDR '2600:1f13:bbc:9503::/64' is invalid.
│       status code: 400, request id: 25de3fe7-ad05-4194-84ac-fbda88af9937
│
│   with module.network_firewall_vpc.aws_subnet.inspection_subnet["us-west-2a"],
│   on modules/network_firewall_vpc/vpc.tf line 144, in resource "aws_subnet" "inspection_subnet":
│  144: resource "aws_subnet" "inspection_subnet" {
│
╵
╷
│ Error: error creating EC2 Subnet: InvalidSubnet.Range: The IPv6 CIDR '2600:1f13:bbc:9505::/64' is invalid.
│       status code: 400, request id: eb463167-f415-4eb0-8a51-b970b1bd0b88
│
│   with module.network_firewall_vpc.aws_subnet.inspection_subnet["us-west-2c"],
│   on modules/network_firewall_vpc/vpc.tf line 144, in resource "aws_subnet" "inspection_subnet":
│  144: resource "aws_subnet" "inspection_subnet" {
│
╵
╷
│ Error: error creating EC2 Subnet: InvalidSubnet.Range: The IPv6 CIDR '2600:1f13:bbc:9506::/64' is invalid.
│       status code: 400, request id: d2079724-bdf4-4561-a8c2-6b05f3e2c8ff
│
│   with module.network_firewall_vpc.aws_subnet.internet_subnet["us-west-2a"],
│   on modules/network_firewall_vpc/vpc.tf line 217, in resource "aws_subnet" "internet_subnet":
│  217: resource "aws_subnet" "internet_subnet" {
│
╵
╷
│ Error: error creating EC2 Subnet: InvalidSubnet.Range: The IPv6 CIDR '2600:1f13:bbc:9508::/64' is invalid.
│       status code: 400, request id: 7a9f15fa-0c2d-4ca5-8cc7-f7f22b97561b
│
│   with module.network_firewall_vpc.aws_subnet.internet_subnet["us-west-2c"],
│   on modules/network_firewall_vpc/vpc.tf line 217, in resource "aws_subnet" "internet_subnet":
│  217: resource "aws_subnet" "internet_subnet" {
│
╵
╷
│ Error: error creating EC2 Subnet: InvalidSubnet.Range: The IPv6 CIDR '2600:1f13:bbc:9507::/64' is invalid.
│       status code: 400, request id: 3e87d330-578e-4dae-8960-f28c76c1a471
│
│   with module.network_firewall_vpc.aws_subnet.internet_subnet["us-west-2b"],
│   on modules/network_firewall_vpc/vpc.tf line 217, in resource "aws_subnet" "internet_subnet":
│  217: resource "aws_subnet" "internet_subnet" {
│

Can someone please guide and help me.

A help request, Do you have any sample code/ existing repo for reference to deploy ec2 instance on these network hub?

HI @aandsco @jplock @luigidifraiawork
I am re-using this code, Got struck at terraform plan for spoke_vpc.
I have successfully created on network-hub on prod environment. Similarly trying to create spoke-vpc facing below issue.

 terraform plan
var.environment
  Deployment environment passed as argument or environment variable

  Enter a value: prod

var.network_hub_account_number
  network hub account number passed as argument or environment variable

  Enter a value: xxx

╷
│ Error: error reading EC2 Transit Gateway: no results found
│
│   with data.aws_ec2_transit_gateway.org_env,
│   on data.tf line 8, in data "aws_ec2_transit_gateway" "org_env":
│    8: data "aws_ec2_transit_gateway" "org_env" {
│
╵
╷
│ Error: no Route53 Resolver rules matched
│
│   with module.dns.data.aws_route53_resolver_rule.root_domain,
│   on modules/dns/data.tf line 6, in data "aws_route53_resolver_rule" "root_domain":
│    6: data "aws_route53_resolver_rule" "root_domain" {
│
╵
╷
│ Error: no matching EC2 VPC found
│
│   with module.dns.data.aws_vpc.selected,
│   on modules/dns/data.tf line 16, in data "aws_vpc" "selected":
│   16: data "aws_vpc" "selected" {
│
╵
╷
│ Error: no matching EC2 VPC found
│
│   with module.dns.data.aws_vpc.endpoint,
│   on modules/dns/data.tf line 24, in data "aws_vpc" "endpoint":
│   24: data "aws_vpc" "endpoint" {
│
╵
╷
│ Error: Error describing SSM parameter (/ipam/pool/id): ParameterNotFound:
│
│   with module.network.data.aws_ssm_parameter.ipam_pool,
│   on modules/network/data.tf line 4, in data "aws_ssm_parameter" "ipam_pool":
│    4: data "aws_ssm_parameter" "ipam_pool" {

Can you please suggest how to solve this issue.

Hi! 👋 I'm new to terraform, and I'm looking to create a set of EC2 instances that can see one another. I've done this on Google Cloud, and for that strategy I use a common module to setup networking, and then I have some logic in the startup script to use the Google metadata API to get the ips for other instances. I'm looking for a similar setup for AWS. To be specific, my questions are:

• Is there an example using this network hub alongside creating instances that can easily see one another?
• What are best practices to share ip addresses between the instances?

Thanks for your help!

HI @aandsco @jplock @luigidifraiawork

We have enabled RAM sharing and testing this feature, got struck with this error.

│ Error: error updating EC2 Transit Gateway Attachment (tgw-attach-01f89f6f73a41a5fe) Route Table () association: error associating EC2 Transit Gateway Route Table () assoc
iation (tgw-attach-01f89f6f73a41a5fe): MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId.
│ status code: 400, request id: ebc18aa5-c437-4afc-b417-d81f07a3938f
│
│ with module.network.aws_ec2_transit_gateway_vpc_attachment.vpc_endpoint,
│ on modules/network/vpc.tf line 77, in resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_endpoint":
│ 77: resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_endpoint" {

  # module.network.aws_ec2_transit_gateway_vpc_attachment.vpc_endpoint will be created
  + resource "aws_ec2_transit_gateway_vpc_attachment" "vpc_endpoint" {
      + appliance_mode_support                          = "disable"
      + dns_support                                     = "enable"
      + id                                              = (known after apply)
      + ipv6_support                                    = "enable"
      + subnet_ids                                      = (known after apply)
      + tags_all                                        = {
          + "Env"        = "prod"
          + "Owner"      = "WWPS"
          + "Product"    = "Network_Automation"
          + "Project_ID" = "12345"
        }
      + transit_gateway_default_route_table_association = true
      + transit_gateway_default_route_table_propagation = true
      + transit_gateway_id                              = "tgw-xxx"
      + vpc_id                                          = (known after apply)
      + vpc_owner_id                                    = (known after apply)
    }

Can you please suggest how to solve this issue.

Thank you for the material and networking pattern implemented in this repo.

As the root README.md file mentions:

Perfect for a central networking hub account, potentially alongside Account Factory for Terraform

I thought to ask for your thoughts on the below. It's probably a long shot but I'd appreciate the feedback, even if it where along the lines of "don't ask here, go ask there instead".

1. Would you reckon it makes sense to implement the networking pattern directly as part of AFT account customizations?
2. If so, any thoughts on how to access route tables from a spoke account within the AWS Organization using native AFT facilities?
3. Are you aware of anyone working on 1. already?

Thank you.

This PR by @jplock introduced support for IPv6.

However, IPv6 connectivity within a spoke_app subnet, e.g. spoke_app_eu-west-2a, doesn't appear to be working. E.g. from an EC2 instance with IPv6 configuration:

$ ping6 localhost
PING localhost(localhost6) 56 data bytes
64 bytes from localhost6: icmp_seq=1 ttl=64 time=0.022 ms
^C

$ traceroute6 google.com
traceroute to google.com (2a00:1450:4009:821::200e), 30 hops max, 80 byte packets
 1  * * *
...
30  * * *

The above-mentioned PR also reads:

To reduce costs, we could have IPv6 traffic egress directly from the example spoke VPC for now.

The PR does indeed create an Egress-only IGW in each spoke VPC too but these are not used anywhere.

Routing non-local IPv6 traffic (by changing the route table of the spoke_app subnets) to the spoke VPC EIGW does make IPv6 connectivity to the Internet work:

$ traceroute6 google.com
traceroute to google.com (2a00:1450:4009:821::200e), 30 hops max, 80 byte packets
 1  * * *
...
20  lhr48s28-in-x0e.1e100.net (2a00:1450:4009:821::200e)  2.381 ms  1.592 ms  2.358 ms

If I were to raise a PR, would it be preferable to use spoke VPC EIGWs, or remove these spoke VPC EIGWs and fix IPv6 connectivity so that IPv6 traffic goes through the single EIGW in the inspection VPC?

I'm confused about what should be set for the central networking account's var.environment. The documentation seems to point toward this setting for spoke resources, not for the central account itself.

Also, if those environments need to be customized, what is the proper place to customize them?

We have deployed a standard hub and spoke architecture using this repository, and the example-spoke-vpc code.

Everything has run smoothly, and we can communicate via ICMP from an application in our dev spoke, to another EC2 instance in our test account (via the TGW)

However name resolution is failing - e.g. from DEVELOPMENT account - ping instance.test.network.internal (a Route53 A record in the TEST account, in the PHZ test.network.internal. The above command returns ping: instance.test.network.internal: Name or service not known

We have a top-level domain in the networking account network.internal but we get NXDOMAIN when we try to resolve that from any of the spoke accounts.

Any idea what we might be missing? We haven't changed any of the code from this repository, apart from non-consequential variables such as tags and IPAM CIDR ranges.

Does the ec2_transit_gateway_vpc_attachment in the inspection_vpc need appliance_mode_support set to enable?

https://github.com/aws-samples/aws-network-hub-for-terraform/blob/main/modules/network_firewall_vpc/vpc.tf#L103

per https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/

Error: error updating EC2 Transit Gateway Attachment (tgw-attach-0d42be5b321cc1c72) Route Table () association: error associating EC2 Transit Gateway Route Table () association (tgw-attach-0d42be5b321cc1c72): MissingParameter: Missing required parameter in request: TransitGatewayRouteTableId.

I've currently deployed this network-hub solution to a dedicated subaccount (hub-account) in my AWS Organization, and have also deployed the provided example-spoke-vpc solution to a separate subaccount (spoke-account) in the same AWS Organization.

Please correct me if I am wrong here, but...
I am currently under the impression that, out-the-box, my spoke-account is currently only capable of Egress with this setup. Specifically, that my EKS Cluster deployed into the spoke-account's spoke-vpc subnets is only capable of connecting outbound to the Internet.

And so if I wanted to be able to connect to this EKS Cluster from the Internet, that I would have to deploy an ALB into the hub-account using the inspection_internet_* public subnets [that is, the subnets which have a 0.0.0.0/0 route to an IGW]. And then from here, have the ALB forward traffic to the Private IPs of a NLB in the spoke-account.

Is my [general] understanding of the Ingress networking above correct, in that in order to enable Ingress to my spoke workload I'd have to take additional steps of deploying an ALB into the hub-account and forward it to the specific Private IPs of my workload machines?

If so, is the hub-account ALB to spoke-account NLB the general recommended solution architecture for this as well?
Or is there a better approach to this? Like sharing the hub-account internet/public subnets with the spoke-account, and deploying the ALB into the spoke-account?

Apologies for my confusion, and thanks in advance for your time.

Best,

Would you accept a pull request to add IPv6 support? I know we can't route IPv6 through the Network Firewall because the Gateway Load Balancer doesn't yet support IPv6, but we could plumb everything else through.

Currently the inspection VPC flow logs are being sent to CloudWatch Logs. Would you be interested in a PR to send them to an S3 bucket the module creates instead or make it configurable?

I have a docker instance, in that terraform and aws-cli installed in it.
Facing one issue while re-using network-hub code.

Anyone please suggest how to solve this issue.