AWS with Terraform Tutorial: AWS Internet Gateway (6)

How to Create, and Manage AWS Internet Gateway with Terraform

How to configure and use the Terraform aws_internet_gateway resource block to create and manage AWS Internet Gateway inside a VPC to enable Internet access to and from instances.

Welcome to our tutorial series where we dive into cloud infrastructure deployment using Terraform or OpenTofu on AWS. In this series, the fundamentals are shown, guiding you through the process of minimizing resource usage and simplifying the deployment complexities associated with cloud infrastructure. This tutorial series is a work in progress.

This comprehensive OpenTofu and Terraform tutorial guides you step-by-step through creating infrastructure in AWS using Terraform.

Terraform Basics, AWS Basics, Terraform AWS Provider, AWS VPC, AWS Subnets, AWS Internet Gateway, AWS NAT Gateway, AWS Routing Tables, AWS Security Groups, AWS Key Pairs, AWS AMIs, AWS EC2 Instances, AWS RDS, AWS Route 53 (DNS), AWS Auto Scaling, AWS Load Balancers, Terraform AWS & Ansible, Terraform Modules, Terraform Backends, Terraform Tools, Terraform CI/CD.

Infrastructure as Code (IaC) helps maintain consistency, enables version control, enhances collaboration among teams, allows for easier replication of environments, streamlines the deployment and management of infrastructure boosting efficiency, and reducing errors in managing complex systems.

How to start building AWS infrastructure with Terraform: AWS Internet Gateway

  1. Prerequisites

    Read previous sections of the tutorial: AWS with Terraform Tutorial

  2. AWS Internet Gateway

    An AWS Internet Gateway is a component that facilitates communication between instances that have a public IP address within an Amazon Virtual Private Cloud (VPC) and the Internet. It acts as a gateway for internet-bound traffic, allowing resources within a VPC, like EC2 instances, to access the Internet and receive responses from Internet resources.

  3. Terraform AWS Configuration Plan Definition

    Previous sections of the Tutorial have covered basic information about Terraform, AWS Cloud, the Terraform AWS Provider, VPC, and Subnets. Now it is time to create the Internet Gateway.

  4. How to Create an AWS Internet Gateway with Terraform

    The Terraform aws_internet_gateway resource block creates an Internet Gateway.

  5. Run the Terraform Plan

    Plan, and apply the Terraform plan to create the Internet Gateway in AWS.

  6. Common Questions About AWS Internet Gateways

    How many Internet gateways should be created in each VPC? What are the Alternatives to the internet gateway for EC2 instances? Should Servers be directly exposed to the Internet using an Internet Gateway?

  7. Next Steps

    Other tutorials for creating infrastructure in AWS using Terraform.

Prerequisites

Read previous sections of the tutorial:

AWS Internet Gateway

AWS Internet Gateway

An AWS Internet Gateway is a component that facilitates communication between instances that have a public IP address within an Amazon Virtual Private Cloud (VPC) and the Internet. It acts as a gateway for internet-bound traffic, allowing resources within a VPC, like EC2 instances, to access the Internet and receive responses from Internet resources.

AWS Instances that have been assigned a public IP are only aware of their private IP and require the Internet Gateway to do one-to-one NAT in case of IPV4 IPs. For IPV6, NAT is not needed but the Internet Gateway is still required.

The Internet Gateway is assigned at the VPC level and AWS takes care of providing redundancy across availability zones.

AWS Internet Gateway

Terraform AWS Configuration Plan Definition

Previous sections of this AWS with Terraform guide have covered basic information about Terraform and AWS and have configured and used the AWS Terraform provider to create a VPC and four subnets.

It is time to create the Internet Gateway. Keep adding Terraform blocks to the terraform-aws-tutorial.tf created in previous sections.

How to Create an AWS Internet Gateway with Terraform

Internet Gateway definition using Terraform, add the following block to the file terraform-aws-tutorial.tf:

# Internet Gateway
resource "aws_internet_gateway" "ditwl-ig" {
  vpc_id = aws_vpc.ditlw-vpc.id
  tags = {
    Name = "ditwl-ig"
  }
}

The Terraform aws_internet_gateway resource block creates an Internet Gateway, named ditwl-ig, inside the VPC created in the previous tutorial, using its Terraform reference aws_vpc.ditlw-vpc.id.

The aws_internet_gateway will be used as a target for the traffic leaving the VPC private network in the routing table for the Subnets.

Run the Terraform Plan

Open a command line shell at the same location where the terraform-aws-tutorial.tf file is located, and, run the Terraform or OpenTofu plan, and apply the commands.

Plan using OpenTofu

Run tofu plan to generate and review the execution plan. Check each line and value to make sure that it corresponds to the desired change.

The VPC and the Subnets were already created in the previous Terraform execution so now only the new Internet Gateway will be created. Terraform or OpenTofu show Refreshing state for each of the existing elements and the planned actions for the changes.

$ tofu plan
aws_vpc.ditlw-vpc: Refreshing state... [id=vpc-0bed1f6c715e9a909]
aws_subnet.ditwl-sn-za-pro-pri-02: Refreshing state... [id=subnet-096bf79e4bab2e1c4]
aws_subnet.ditwl-sn-zb-pro-pub-04: Refreshing state... [id=subnet-0d34cee7300e9fa45]
aws_subnet.ditwl-sn-za-pro-pub-00: Refreshing state... [id=subnet-07753bf540026684d]
aws_subnet.ditwl-sn-zb-pro-pri-06: Refreshing state... [id=subnet-0f5662bd40a070e55]

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

OpenTofu will perform the following actions:

  # aws_internet_gateway.ditwl-ig will be created
  + resource "aws_internet_gateway" "ditwl-ig" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "Name" = "ditwl-ig"
        }
      + tags_all = {
          + "Name"        = "ditwl-ig"
          + "cost_center" = "marketing-department"
          + "environment" = "pro"
          + "owner"       = "IT Wonder Lab"
        }
      + vpc_id   = "vpc-0bed1f6c715e9a909"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Apply the changes using OpenTofu

Run tofu apply to generate and apply the execution plan. OpenTofu will generate a new plan and ask for confirmation before applying the changes. Review again the changes and answer yes or no to apply the changes in AWS.

$ tofu apply
aws_vpc.ditlw-vpc: Refreshing state... [id=vpc-0bed1f6c715e9a909]
aws_subnet.ditwl-sn-zb-pro-pub-04: Refreshing state... [id=subnet-0d34cee7300e9fa45]
aws_subnet.ditwl-sn-zb-pro-pri-06: Refreshing state... [id=subnet-0f5662bd40a070e55]
aws_subnet.ditwl-sn-za-pro-pub-00: Refreshing state... [id=subnet-07753bf540026684d]
aws_subnet.ditwl-sn-za-pro-pri-02: Refreshing state... [id=subnet-096bf79e4bab2e1c4]

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

OpenTofu will perform the following actions:

  # aws_internet_gateway.ditwl-ig will be created
  + resource "aws_internet_gateway" "ditwl-ig" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "Name" = "ditwl-ig"
        }
      + tags_all = {
          + "Name"        = "ditwl-ig"
          + "cost_center" = "marketing-department"
          + "environment" = "pro"
          + "owner"       = "IT Wonder Lab"
        }
      + vpc_id   = "vpc-0bed1f6c715e9a909"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  OpenTofu will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_internet_gateway.ditwl-ig: Creating...
aws_internet_gateway.ditwl-ig: Creation complete after 3s [id=igw-033b206763b59357e]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Review the result, it should be 1 (resource) added, 0 changed, 0 destroyed.

You can now run tofu plan or tofu apply again to check that OpenTofu has not found any new changes to apply.

Check using the AWS web Console that the Internet Gateway has been created:

If you don't see the Internet gateway check on the right top corner that the Region is N. Virginia that corresponds to us-east-1.

Common Questions About AWS Internet Gateways

How many Internet Gateways should be created in each VPC?

One, having one internet gateway per Virtual Private Cloud (VPC) is a common and effective setup. This design simplifies network management and ensures a clear point of entry and exit for Internet traffic.

What are the Alternatives to the Internet Gateway for EC2 instances?

The internet gateway is only needed to allow access in these scenarios:

  • Public Instances that require access from the instance to the Internet
  • Private Instances that require access from the instance to the Internet (an additional NAT Gateway is needed).
  • Public Instances that require to be accessed from the Internet directly (without using an Application Load Balancer).

Other network topology options are available including hybrid cloud setups using VPNs or hub-and-spoke architecture for Internet access.

Should Servers be directly exposed to the Internet using an Internet Gateway?

Directly exposing servers, such as EC2 instances, to the internet poses several security risks:

  • Security Vulnerabilities: Exposed servers may have vulnerabilities that could be exploited by attackers. Without proper security measures, malicious actors can target these vulnerabilities to gain unauthorized access, potentially leading to data breaches or service disruptions.
  • Increased Attack Surface: Direct exposure expands the attack surface of your servers. Any service, application, or open port becomes a potential entry point for attackers. This increases the likelihood of successful attacks and compromises the overall security posture.
  • Brute Force Attacks: Exposed servers are susceptible to brute force attacks where attackers repeatedly attempt to guess usernames and passwords. If strong authentication measures are not in place, this can lead to unauthorized access.
  • Lack of Network Segmentation: Directly exposing servers may bypass network segmentation measures. Proper network segmentation is crucial for containing potential breaches and limiting the lateral movement of attackers within the network.
  • Unprotected Services: Services running on servers may not be properly protected or secured. Exposing these services directly to the internet increases the risk of exploitation, especially if default configurations or weak security practices are in place.
  • Limited Visibility and Control: Without a proper network architecture, monitoring, and control become challenging. Directly exposed servers may lack visibility into network traffic, making it harder to detect and respond to suspicious activities.
  • Denial-of-Service (DoS) Attacks: Exposed servers are more vulnerable to DoS attacks, where attackers flood the server with traffic to overwhelm and disrupt its normal operation. This can lead to service downtime and impact business operations.

Alternatives for exposing servers to the Internet, like the AWS Load Balances, will be used in the next sections.

Next Steps

This tutorial series is a work in progress and will have these sections:

Terraform Basics, AWS Basics, Terraform AWS Provider, AWS VPC, AWS Subnets, AWS Internet Gateway, AWS NAT Gateway, AWS Routing Tables, AWS Security Groups, AWS Key Pairs, AWS AMIs, AWS EC2 Instances, AWS RDS, AWS Route 53 (DNS), AWS Auto Scaling, AWS Load Balancers, Terraform AWS & Ansible, Terraform Modules, Terraform Backends, Terraform Tools, Terraform CI/CD.

AWS with Terraform: The Essential Guide: Sections

Leave a Reply

Your email address will not be published. Required fields are marked *


Related Cloud Tutorials

Securing your Infrastructure: Encrypting Terraform State Files with OpenTofu
Using the Terraform aws_route53_delegation_set, aws_route53_zone, and aws_route53_record resource blocks to configure DNS in AWS.
Using the Terraform aws_db_instance resource block to configure, launch, and secure RDS instances.
How to use the Terraform aws_instance resource block to configure, launch, and secure EC2 instances.
How to configure and use the Terraform aws_ami data source block to find and use AWS AMIs as templates (root volume snapshot with operating system and applications) for EC2 instances.
Javier Ruiz Cloud and SaaS Expert

Javier Ruiz

IT Wonder Lab tutorials are based on the diverse experience of Javier Ruiz, who founded and bootstrapped a SaaS company in the energy sector. His company, later acquired by a NASDAQ traded company, managed over €2 billion per year of electricity for prominent energy producers across Europe and America. Javier has over 25 years of experience in building and managing IT companies, developing cloud infrastructure, leading cross-functional teams, and transitioning his own company from on-premises, consulting, and custom software development to a successful SaaS model that scaled globally.

Are you looking for cloud automation best practices tailored to your company?

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram