Secure AWS VPC with Terraform
Secure-by-default AWS VPC built with Terraform: public and private subnets, route tables, NACLs, and a baseline security group. Private subnets have no internet route; separate tiers and no public SSH by default.
Tech Stack
Overview
A secure-by-default AWS VPC architecture built entirely with Terraform. This project implements public and private subnets with proper route tables, network ACLs (NACLs), and a baseline security group. Private subnets have no direct internet route, enabling separate tiers for application and data layers. Public SSH is disabled by default for improved security posture.
Challenges
- Designing a VPC layout that separates public and private workloads
- Configuring route tables so private subnets have no internet route
- Defining NACLs and security groups for defense in depth
- Keeping public SSH disabled by default while allowing managed access
Solutions
- Defined public and private subnets with distinct route tables
- Used Terraform modules for route tables, NACLs, and security groups
- Enforced no-internet route on private subnets via route table design
- Created baseline security group with minimal ingress/egress rules
Results
- Clear separation between public and private tiers
- Private subnets isolated from direct internet access
- Repeatable, auditable network setup via Terraform
- Secure-by-default baseline suitable for production use
Architecture
The architecture uses Terraform to provision a VPC with public and private subnets spread across availability zones. Public subnets carry a default route to an internet gateway; private subnets either route outbound traffic through a NAT gateway or have no internet route at all. Route tables, NACLs, and a baseline security group are all defined in code, so the entire network is managed as Infrastructure as Code for consistency and auditability.
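The following is an added example illustrating the layout described in the Solutions list and the Architecture section above; it is not the project's own Terraform and assumes a region, CIDR ranges and availability-zone names chosen for the example. It shows the two properties the page emphasises: the private route table carries only the implicit local VPC route (no `0.0.0.0/0`, so no internet path), and the baseline security group has no ingress rules at all, which is what keeps SSH closed by default. The NAT variant the page mentions would add an `aws_route` to a NAT gateway on the private table; it is omitted here to show the stricter no-internet option.

```hcl
# Added example, not the project's code. Region, CIDRs and AZs are assumptions.
provider "aws" {
  region = "us-east-1"
}

locals {
  vpc_cidr      = "10.0.0.0/16"
  azs           = ["us-east-1a", "us-east-1b"]
  public_cidrs  = ["10.0.0.0/24", "10.0.1.0/24"]
  private_cidrs = ["10.0.10.0/24", "10.0.11.0/24"]
}

resource "aws_vpc" "this" {
  cidr_block           = local.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "secure-vpc" }
}

resource "aws_internet_gateway" "this" {
  vpc_id = aws_vpc.this.id
}

resource "aws_subnet" "public" {
  count                   = length(local.public_cidrs)
  vpc_id                  = aws_vpc.this.id
  cidr_block              = local.public_cidrs[count.index]
  availability_zone       = local.azs[count.index]
  map_public_ip_on_launch = false # public tier still gets no automatic public IPs
  tags                    = { Name = "public-${count.index}", Tier = "public" }
}

resource "aws_subnet" "private" {
  count             = length(local.private_cidrs)
  vpc_id            = aws_vpc.this.id
  cidr_block        = local.private_cidrs[count.index]
  availability_zone = local.azs[count.index]
  tags              = { Name = "private-${count.index}", Tier = "private" }
}

# Public route table: default route via the internet gateway.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.this.id
}

resource "aws_route" "public_default" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.this.id
}

resource "aws_route_table_association" "public" {
  count          = length(aws_subnet.public)
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

# Private route table: deliberately no aws_route resource, so the only entry
# is the implicit "local" route for the VPC CIDR. Nothing here reaches the internet.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.this.id
}

resource "aws_route_table_association" "private" {
  count          = length(aws_subnet.private)
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}

# Stateless NACL on the private subnets: only VPC-internal traffic is allowed
# in either direction (NACLs end with an implicit deny-all).
resource "aws_network_acl" "private" {
  vpc_id     = aws_vpc.this.id
  subnet_ids = aws_subnet.private[*].id

  ingress {
    rule_no    = 100
    protocol   = "-1"
    action     = "allow"
    cidr_block = local.vpc_cidr
    from_port  = 0
    to_port    = 0
  }

  egress {
    rule_no    = 100
    protocol   = "-1"
    action     = "allow"
    cidr_block = local.vpc_cidr
    from_port  = 0
    to_port    = 0
  }
}

# Baseline security group: no ingress rules at all (no public SSH); egress
# limited to HTTPS so instances can still reach package mirrors or AWS APIs.
resource "aws_security_group" "baseline" {
  name   = "baseline"
  vpc_id = aws_vpc.this.id
}

resource "aws_vpc_security_group_egress_rule" "https_out" {
  security_group_id = aws_security_group.baseline.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}
```

A quick way to confirm the isolation property after `terraform apply` is to describe the private route table and check that its only entry is the `local` route for the VPC CIDR; any `0.0.0.0/0` entry appearing there later (for example from a hand edit in the console) is the drift the page's "repeatable, auditable" claim is meant to catch on the next `terraform plan`.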