How to configure and use the Terraform aws_internet_gateway resource block to create and manage an AWS Internet Gateway inside a VPC, enabling Internet access to and from instances.
Welcome to our tutorial series where we dive into cloud infrastructure deployment using Terraform or OpenTofu on AWS. In this series, the fundamentals are shown, guiding you through the process of minimizing resource usage and simplifying the deployment complexities associated with cloud infrastructure. This tutorial series is a work in progress.
This comprehensive OpenTofu and Terraform tutorial guides you step-by-step through creating infrastructure in AWS using Terraform.
Infrastructure as Code (IaC) helps maintain consistency, enables version control, enhances collaboration among teams, allows for easier replication of environments, and streamlines the deployment and management of infrastructure, boosting efficiency and reducing errors in managing complex systems.
How to start building AWS infrastructure with Terraform: AWS Internet Gateway
Read previous sections of the tutorial: AWS with Terraform Tutorial
An AWS Internet Gateway is a component that facilitates communication between instances that have a public IP address within an Amazon Virtual Private Cloud (VPC) and the Internet. It acts as a gateway for internet-bound traffic, allowing resources within a VPC, like EC2 instances, to access the Internet and receive responses from Internet resources.
Terraform AWS Configuration Plan Definition
Previous sections of the Tutorial have covered basic information about Terraform, AWS Cloud, the Terraform AWS Provider, VPC, and Subnets. Now it is time to create the Internet Gateway.
How to Create an AWS Internet Gateway with Terraform
The Terraform aws_internet_gateway resource block creates an Internet Gateway.
Plan and apply the Terraform plan to create the Internet Gateway in AWS.
Common Questions About AWS Internet Gateways
How many Internet gateways should be created in each VPC? What are the Alternatives to the internet gateway for EC2 instances? Should Servers be directly exposed to the Internet using an Internet Gateway?
Other tutorials for creating infrastructure in AWS using Terraform.
AWS instances that have been assigned a public IP address are only aware of their private IP address; for IPv4 the Internet Gateway performs one-to-one NAT between the two. For IPv6, NAT is not needed, but the Internet Gateway is still required.
The Internet Gateway is assigned at the VPC level and AWS takes care of providing redundancy across availability zones.
Previous sections of this AWS with Terraform guide have covered basic information about Terraform and AWS and have configured and used the AWS Terraform provider to create a VPC and four subnets.
It is time to create the Internet Gateway. Keep adding Terraform blocks to the terraform-aws-tutorial.tf file created in previous sections.
To define the Internet Gateway using Terraform, add the following block to the file terraform-aws-tutorial.tf:
```hcl
# Internet Gateway
resource "aws_internet_gateway" "ditwl-ig" {
  vpc_id = aws_vpc.ditlw-vpc.id
  tags = {
    Name = "ditwl-ig"
  }
}
```
The Terraform aws_internet_gateway resource block creates an Internet Gateway named ditwl-ig inside the VPC created in the previous tutorial, using its Terraform reference aws_vpc.ditlw-vpc.id.
The aws_internet_gateway will be used as the target, in the route table for the Subnets, for traffic leaving the VPC private network.
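To show how the gateway is consumed later, here is an added example (not the tutorial's own code) of a route table whose default route points at aws_internet_gateway.ditwl-ig and which is associated only with the two public subnets created in the previous section; the route table and association resource names are assumptions.

```hcl
# Added example, not part of the original tutorial. Route table for the public
# subnets: anything not destined for the VPC CIDR leaves through the Internet Gateway.
resource "aws_route_table" "ditwl-rt-pub" {
  vpc_id = aws_vpc.ditlw-vpc.id

  # Default IPv4 route to the Internet Gateway defined above.
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.ditwl-ig.id
  }

  tags = {
    Name = "ditwl-rt-pub"
  }
}

# Only the public subnets are associated. The private subnets (ditwl-sn-za-pro-pri-02,
# ditwl-sn-zb-pro-pri-06) keep the VPC main route table, which has no 0.0.0.0/0 route,
# so their instances are neither reachable from nor able to reach the Internet.
locals {
  public_subnet_ids = {
    "za-pro-pub-00" = aws_subnet.ditwl-sn-za-pro-pub-00.id
    "zb-pro-pub-04" = aws_subnet.ditwl-sn-zb-pro-pub-04.id
  }
}

resource "aws_route_table_association" "ditwl-rta-pub" {
  for_each       = local.public_subnet_ids
  subnet_id      = each.value
  route_table_id = aws_route_table.ditwl-rt-pub.id
}
```

After applying, tofu plan should report two route table associations and one route table in addition to the gateway; a private subnet that unexpectedly shows up in this association map is the first thing to look for if an instance meant to be private becomes reachable from the Internet.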
Open a command line shell at the location of the terraform-aws-tutorial.tf file and run the Terraform or OpenTofu plan and apply commands.
Run tofu plan to generate and review the execution plan. Check each line and value to make sure that it corresponds to the desired change.
The VPC and the Subnets were already created in the previous Terraform execution, so now only the new Internet Gateway will be created. Terraform or OpenTofu show Refreshing state for each of the existing elements and the planned actions for the changes.
```
$ tofu plan
aws_vpc.ditlw-vpc: Refreshing state... [id=vpc-0bed1f6c715e9a909]
aws_subnet.ditwl-sn-za-pro-pri-02: Refreshing state... [id=subnet-096bf79e4bab2e1c4]
aws_subnet.ditwl-sn-zb-pro-pub-04: Refreshing state... [id=subnet-0d34cee7300e9fa45]
aws_subnet.ditwl-sn-za-pro-pub-00: Refreshing state... [id=subnet-07753bf540026684d]
aws_subnet.ditwl-sn-zb-pro-pri-06: Refreshing state... [id=subnet-0f5662bd40a070e55]

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

OpenTofu will perform the following actions:

  # aws_internet_gateway.ditwl-ig will be created
  + resource "aws_internet_gateway" "ditwl-ig" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "Name" = "ditwl-ig"
        }
      + tags_all = {
          + "Name"        = "ditwl-ig"
          + "cost_center" = "marketing-department"
          + "environment" = "pro"
          + "owner"       = "IT Wonder Lab"
        }
      + vpc_id   = "vpc-0bed1f6c715e9a909"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
```
Run tofu apply to generate and apply the execution plan. OpenTofu will generate a new plan and ask for confirmation before applying the changes. Review the changes again and answer yes or no to apply them in AWS.
```
$ tofu apply
aws_vpc.ditlw-vpc: Refreshing state... [id=vpc-0bed1f6c715e9a909]
aws_subnet.ditwl-sn-zb-pro-pub-04: Refreshing state... [id=subnet-0d34cee7300e9fa45]
aws_subnet.ditwl-sn-zb-pro-pri-06: Refreshing state... [id=subnet-0f5662bd40a070e55]
aws_subnet.ditwl-sn-za-pro-pub-00: Refreshing state... [id=subnet-07753bf540026684d]
aws_subnet.ditwl-sn-za-pro-pri-02: Refreshing state... [id=subnet-096bf79e4bab2e1c4]

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

OpenTofu will perform the following actions:

  # aws_internet_gateway.ditwl-ig will be created
  + resource "aws_internet_gateway" "ditwl-ig" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "Name" = "ditwl-ig"
        }
      + tags_all = {
          + "Name"        = "ditwl-ig"
          + "cost_center" = "marketing-department"
          + "environment" = "pro"
          + "owner"       = "IT Wonder Lab"
        }
      + vpc_id   = "vpc-0bed1f6c715e9a909"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  OpenTofu will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_internet_gateway.ditwl-ig: Creating...
aws_internet_gateway.ditwl-ig: Creation complete after 3s [id=igw-033b206763b59357e]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
```
Review the result; it should be 1 (resource) added, 0 changed, 0 destroyed.
You can now run tofu plan or tofu apply again to check that OpenTofu has not found any new changes to apply.
Check using the AWS web Console that the Internet Gateway has been created:
If you don't see the Internet Gateway, check in the top right corner that the Region is N. Virginia, which corresponds to us-east-1.
One. Having a single Internet Gateway per Virtual Private Cloud (VPC) is the common and effective setup. This design simplifies network management and ensures a clear point of entry and exit for Internet traffic.
The internet gateway is only needed to allow access in these scenarios:
Other network topology options are available including hybrid cloud setups using VPNs or hub-and-spoke architecture for Internet access.
Directly exposing servers, such as EC2 instances, to the internet poses several security risks:
Alternatives for exposing servers to the Internet, such as AWS Load Balancers, will be used in the next sections.
IT Wonder Lab tutorials are based on the diverse experience of Javier Ruiz, who founded and bootstrapped a SaaS company in the energy sector. His company, later acquired by a NASDAQ traded company, managed over €2 billion per year of electricity for prominent energy producers across Europe and America. Javier has over 25 years of experience in building and managing IT companies, developing cloud infrastructure, leading cross-functional teams, and transitioning his own company from on-premises, consulting, and custom software development to a successful SaaS model that scaled globally.