AWS with Terraform Tutorial: AWS Routing Tables (8)

How to Create, and Manage AWS Routing Tables with Terraform

How to configure and use the Terraform aws_route_table, aws_route, and aws_main_route_table_association resource blocks to create and manage AWS Routing Tables.

Welcome to our tutorial series where we dive into cloud infrastructure deployment using Terraform or OpenTofu on AWS. In this series, the fundamentals are shown, guiding you through the process of minimizing resource usage and simplifying the deployment complexities associated with cloud infrastructure. This tutorial series is a work in progress.

This comprehensive OpenTofu and Terraform tutorial guides you step-by-step through creating infrastructure in AWS using Terraform.

Infrastructure as Code (IaC) helps maintain consistency, enables version control, enhances collaboration among teams, allows for easier replication of environments, streamlines the deployment and management of infrastructure boosting efficiency, and reducing errors in managing complex systems.

Prerequisites

Read previous sections of the tutorial:

AWS Routing Tables

An AWS routing table is a set of rules that defines how network traffic is directed within a Virtual Private Cloud (VPC). It contains a list of routes, each specifying a destination and the target for the traffic.

When a VPC is created, AWS creates a default routing table. For our VPC the AWS default routing table can be seen at the AWS Console.

We will not use this Routing table as it is not Terraform managed but we will explore its configuration:

• Navigate to AWS Console: VPC - Route tables and click on the Route Table ID to access all details.

• Click on the Subnet Associations tab and look at the Subnets without explicit associations. Those subnets use the Main Routing Table (this one) as there is no explicit association with other routing tables.

This existing Routing Table is currently configured as Main but since it wasn't created with Terraform we will add a new Terraform-managed Main Routing Table for the VPC.

Routing Diagram: List of Routes Needed

A diagram with the services and intended connections helps design the routing tables.

The needs for the tutorial are:

• Each Subnet requires a route to its IP range with a target "local". The local network is added by AWS, there is no need to include the route using Terraform.
• Each Subnet requires a route to the Internet (0.0.0.0) with a target that depends on Subnet visibility and Availability Zone:
  • Public Subnets in any Availability Zone: send Internet traffic to the Internet Gateway
  • Private Subnets in Availability Zone A: send Internet traffic to the NAT Gateway for Availability Zone A.
  • Private Subnets in Availability Zone B: send Internet traffic to the NAT Gateway for Availability Zone B.

The diagram shows 3 routing tables, using red for ditwl-rt-pub-main and green for the ditwl-rt-priv-za and ditwl-rt-priv-zb:

List of Routing Tables:

• ditwl-rt-pub-main: Main Routing Table for use in All Public Subnets regardless of Availability Zone
• ditwl-rt-priv-za: Routing table for Private Subnets in Availability Zone A
• ditwl-rt-priv-zb: Routing table for Private Subnets in Availability Zone B

Terraform AWS Configuration Plan Definition

Previous sections of this AWS with Terraform guide have covered basic information about Terraform and AWS and have configured and used the AWS Terraform provider to create a VPC, four subnets, one Internet Gateway, and two NAT Gateways.

It is time to create the Routing Tables and the routes to use the Internet Gateway and the NAT Gateways.

Keep adding Terraform blocks to the terraform-aws-tutorial.tf created in previous sections.

How to Create an AWS Routing Table with Terraform

Terraform has two different ways to define a Routing Table and its routes.

• Routing Table with in-line routes: the routes are included in the Routing Table block
• Routing Table with outside route association: the routing table is created in a block and the rules are added in different blocks.

The in-line routes approach works better for small routing tables and the one with outside route association is better suited for routing tables with many routes. It is not possible to mix in the same routing table both approaches but each routing table can use one or another in the same Terraform configuration.

Terraform Definition of the Main Routing Table

A new routing table named ditwl-rt-pub-main is created and using in-line routes a route from CIDR block 0.0.0.0 to the Internet Gateway is created referencing it by its ID using the Terraform name and the id property aws_internet_gateway.ditwl-ig.id.

Once the routing table has been created it is configured as Main for the VPC using the Terraform resource aws_main_route_table_association and specifying the ID of the VPC and the ID of the newly created routing table using its Terraform resource, name, and property.

Add the following block to the file terraform-aws-tutorial.tf:

# Routing table for public subnet (access to the Internet)
# Using in-line routes 
resource "aws_route_table" "ditwl-rt-pub-main" {
  vpc_id = aws_vpc.ditlw-vpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.ditwl-ig.id
  }

  tags = {
    Name = "ditwl-rt-pub-main"
  }
}

# Set new main_route_table as main
resource "aws_main_route_table_association" "ditwl-rta-default" {
  vpc_id         = aws_vpc.ditlw-vpc.id
  route_table_id = aws_route_table.ditwl-rt-pub-main.id
}

Terraform Definition of the Routing Tables for the Private Subnets

These routing tables are defined using the outside route association approach, each routing table is created in a block with no routes.

The Routing table is assigned to its corresponding subnet using a Terraform resource block aws_route_table_association.

Each routing rule is added in an independent block using the aws_route and specifying the ID of the routing table where the rule will be added.

# Routing table for private subnet in Availability Zone A 
# Using standalone routes resources 
resource "aws_route_table" "ditwl-rt-priv-za" {
  vpc_id = aws_vpc.ditlw-vpc.id
  tags = {
    Name = "ditwl-rt-priv-za"
  }
}

# Route Access to the Internet through NAT  (Av. Zone A)
resource "aws_route" "ditwl-r-rt-priv-za-ngw-za" {
  route_table_id         = aws_route_table.ditwl-rt-priv-za.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_nat_gateway.ditwl-ngw-za-pub.id
}

# Routing Table Association for Subnet ditwl-sn-za-pro-pri-02
resource "aws_route_table_association" "ditwl-rta-za-pro-pri-02" {
  subnet_id      = aws_subnet.ditwl-sn-za-pro-pri-02.id
  route_table_id = aws_route_table.ditwl-rt-priv-za.id
}

# Routing table for private subnet in Availability Zone B
# Using standalone routes resources 
resource "aws_route_table" "ditwl-rt-priv-zb" {
  vpc_id = aws_vpc.ditlw-vpc.id

  tags = {
    Name = "ditwl-rt-priv-zb"
  }
}

# Routing Table Association for Subnet ditwl-sn-zb-pro-pri-06
resource "aws_route_table_association" "ditwl-rta-zb-pro-pri-06" {
  subnet_id      = aws_subnet.ditwl-sn-zb-pro-pri-06.id
  route_table_id = aws_route_table.ditwl-rt-priv-zb.id
}

# Route Access to the Internet through NAT (Av. Zone B)
resource "aws_route" "ditwl-r-rt-priv-zb-ngw-zb" {
  route_table_id         = aws_route_table.ditwl-rt-priv-zb.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_nat_gateway.ditwl-ngw-zb-pub.id
}

Run the Terraform Plan

Open a command line shell at the same location where the terraform-aws-tutorial.tf file is located, and, run the Terraform or OpenTofu plan, and apply the commands.

Plan using OpenTofu

Run tofu plan to generate and review the execution plan. Check each line and value to make sure that it corresponds to the desired change.

Terraform will refresh the state comparing it with the Cloud resources and produce a plan for the resources that need to be created, updated, or destroyed.

In the past section of the tutorial, the NAT Gateways and the EIP were created and destroyed (by commenting its definition in the Terraform configuration file) to reduce cost while developing the infrastructure definition. Now Terraform will create the NAT Gateways, the EIPs, and the Routing tables.

Uncomment the NAT Gateways and the EIP as the Routing Tables reference those resources and run the Terraform plan:

$ tofu plan
aws_vpc.ditlw-vpc: Refreshing state... [id=vpc-0bed1f6c715e9a909]
aws_internet_gateway.ditwl-ig: Refreshing state... [id=igw-033b206763b59357e]
aws_subnet.ditwl-sn-za-pro-pri-02: Refreshing state... [id=subnet-096bf79e4bab2e1c4]
aws_subnet.ditwl-sn-za-pro-pub-00: Refreshing state... [id=subnet-07753bf540026684d]
aws_subnet.ditwl-sn-zb-pro-pub-04: Refreshing state... [id=subnet-0d34cee7300e9fa45]
aws_subnet.ditwl-sn-zb-pro-pri-06: Refreshing state... [id=subnet-0f5662bd40a070e55]

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

OpenTofu will perform the following actions:

  # aws_eip.ditwl-eip-ngw-za will be created
  + resource "aws_eip" "ditwl-eip-ngw-za" {
    ...
    }

  # aws_eip.ditwl-eip-ngw-zb will be created
  + resource "aws_eip" "ditwl-eip-ngw-zb" {
    ...
    }

  # aws_main_route_table_association.ditwl-rta-default will be created
  + resource "aws_main_route_table_association" "ditwl-rta-default" {
    ...
      + vpc_id                  = "vpc-0bed1f6c715e9a909"
    }

  # aws_nat_gateway.ditwl-ngw-za-pub will be created
  + resource "aws_nat_gateway" "ditwl-ngw-za-pub" {
    ...
    }

  # aws_nat_gateway.ditwl-ngw-zb-pub will be created
  + resource "aws_nat_gateway" "ditwl-ngw-zb-pub" {
    ...
    }

  # aws_route.ditwl-r-rt-priv-za-ngw-za will be created
  + resource "aws_route" "ditwl-r-rt-priv-za-ngw-za" {
      + destination_cidr_block = "0.0.0.0/0"
    ...
    }

  # aws_route.ditwl-r-rt-priv-zb-ngw-zb will be created
  + resource "aws_route" "ditwl-r-rt-priv-zb-ngw-zb" {
      + destination_cidr_block = "0.0.0.0/0"
    ...
    }

  # aws_route_table.ditwl-rt-priv-za will be created
  + resource "aws_route_table" "ditwl-rt-priv-za" {
    ...
    }

  # aws_route_table.ditwl-rt-priv-zb will be created
  + resource "aws_route_table" "ditwl-rt-priv-zb" {
    ...
    }

  # aws_route_table.ditwl-rt-pub-main will be created
  + resource "aws_route_table" "ditwl-rt-pub-main" {
    ...
    }

  # aws_route_table_association.ditwl-rta-za-pro-pri-02 will be created
  + resource "aws_route_table_association" "ditwl-rta-za-pro-pri-02" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = "subnet-096bf79e4bab2e1c4"
    }

  # aws_route_table_association.ditwl-rta-zb-pro-pri-06 will be created
  + resource "aws_route_table_association" "ditwl-rta-zb-pro-pri-06" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = "subnet-0f5662bd40a070e55"
    }

Plan: 12 to add, 0 to change, 0 to destroy.

Apply the changes using OpenTofu

Run tofu apply to generate and apply the execution plan. OpenTofu will generate a new plan and ask for confirmation before applying the changes. Review again the changes and answer yes or no to apply the changes in AWS.

$ tofu apply
aws_vpc.ditlw-vpc: Refreshing state... [id=vpc-0bed1f6c715e9a909]
aws_internet_gateway.ditwl-ig: Refreshing state... [id=igw-033b206763b59357e]
aws_subnet.ditwl-sn-za-pro-pri-02: Refreshing state... [id=subnet-096bf79e4bab2e1c4]
aws_subnet.ditwl-sn-zb-pro-pub-04: Refreshing state... [id=subnet-0d34cee7300e9fa45]
aws_subnet.ditwl-sn-za-pro-pub-00: Refreshing state... [id=subnet-07753bf540026684d]
aws_subnet.ditwl-sn-zb-pro-pri-06: Refreshing state... [id=subnet-0f5662bd40a070e55]

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

OpenTofu will perform the following actions:

  # aws_eip.ditwl-eip-ngw-za will be created
....
Do you want to perform these actions?
  OpenTofu will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_route_table.ditwl-rt-priv-za: Creating...
aws_route_table.ditwl-rt-priv-zb: Creating...
aws_eip.ditwl-eip-ngw-zb: Creating...
aws_eip.ditwl-eip-ngw-za: Creating...
aws_route_table.ditwl-rt-pub-main: Creating...
aws_eip.ditwl-eip-ngw-za: Creation complete after 3s [id=eipalloc-0256d8e1eae1e7774]
aws_nat_gateway.ditwl-ngw-za-pub: Creating...
aws_eip.ditwl-eip-ngw-zb: Creation complete after 3s [id=eipalloc-0ad38a8c4f37daa52]
aws_nat_gateway.ditwl-ngw-zb-pub: Creating...
aws_route_table.ditwl-rt-priv-zb: Creation complete after 3s [id=rtb-003e3066aad95d701]
aws_route_table_association.ditwl-rta-zb-pro-pri-06: Creating...
aws_route_table.ditwl-rt-priv-za: Creation complete after 4s [id=rtb-04c95397c69600c18]
aws_route_table_association.ditwl-rta-za-pro-pri-02: Creating...
aws_route_table_association.ditwl-rta-za-pro-pri-02: Creation complete after 1s [id=rtbassoc-06395ca838c6dfa8a]
aws_route_table.ditwl-rt-pub-main: Creation complete after 6s [id=rtb-05cbe56c02830be54]
aws_main_route_table_association.ditwl-rta-default: Creating...
aws_route_table_association.ditwl-rta-zb-pro-pri-06: Creation complete after 4s [id=rtbassoc-06c8ede0cd3cbc25f]
aws_main_route_table_association.ditwl-rta-default: Creation complete after 3s [id=rtbassoc-0c3f227acd4563a24]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [10s elapsed]
aws_nat_gateway.ditwl-ngw-zb-pub: Still creating... [10s elapsed]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [20s elapsed]
aws_nat_gateway.ditwl-ngw-zb-pub: Still creating... [20s elapsed]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [30s elapsed]
aws_nat_gateway.ditwl-ngw-zb-pub: Still creating... [30s elapsed]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [40s elapsed]
aws_nat_gateway.ditwl-ngw-zb-pub: Still creating... [40s elapsed]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [50s elapsed]
aws_nat_gateway.ditwl-ngw-zb-pub: Still creating... [50s elapsed]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [1m0s elapsed]
aws_nat_gateway.ditwl-ngw-zb-pub: Still creating... [1m0s elapsed]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [1m10s elapsed]
aws_nat_gateway.ditwl-ngw-zb-pub: Still creating... [1m10s elapsed]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [1m20s elapsed]
aws_nat_gateway.ditwl-ngw-zb-pub: Still creating... [1m20s elapsed]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [1m30s elapsed]
aws_nat_gateway.ditwl-ngw-zb-pub: Still creating... [1m30s elapsed]
aws_nat_gateway.ditwl-ngw-zb-pub: Creation complete after 1m31s [id=nat-0066c29e6212c63d9]
aws_route.ditwl-r-rt-priv-zb-ngw-zb: Creating...
aws_route.ditwl-r-rt-priv-zb-ngw-zb: Creation complete after 4s [id=r-rtb-003e3066aad95d7011080289494]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [1m40s elapsed]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [1m50s elapsed]
aws_nat_gateway.ditwl-ngw-za-pub: Still creating... [2m0s elapsed]
aws_nat_gateway.ditwl-ngw-za-pub: Creation complete after 2m4s [id=nat-09d7641d934f5afc2]
aws_route.ditwl-r-rt-priv-za-ngw-za: Creating...
aws_route.ditwl-r-rt-priv-za-ngw-za: Creation complete after 3s [id=r-rtb-04c95397c69600c181080289494]
Apply complete! Resources: 12 added, 0 changed, 0 destroyed.

Review the result, it should be 12 (resource) added, 0 changed, 0 destroyed.

The route associations ditwl-r-rt-priv-za-ngw-za and ditwl-r-rt-priv-zb-ngw-zb, were created after the Route Tables as Terraform was able to automatically determine the relationships and dependencies between the resources.

Check using the AWS web Console that the Route Tables have been created:

• Navigate to AWS Console: VPC - Route tables.
• Select the Route Table named ditwl-rt-priv-za and the Routes tab. Internet traffic is routed to the NAT Gateway.

• Select the Subnet Associations tab, the Route table has an explicit association to the subnet ditwl-sn-za-pro-pri-02:

Click on the Public IPs to navigate to the EIP console and see its properties.

Routing Tables Cost

There is no cost for having Routing Tables but there is a cost for running NAT gateways and EIPs.

AWS charges for Inter-regional data transfer and data transfer to the Internet.

Common Questions About AWS Routing Tables

Can I have multiple routing tables in a VPC?

Yes, a VPC can have multiple routing tables, but each subnet can only be associated with one routing table at a time.

What is the main purpose of the default route in a routing table?

The default route (0.0.0.0/0) is typically used for directing traffic to an internet gateway, allowing instances in the subnet to access the internet.

Can I modify a route in a routing table?

Yes, you can modify existing routes in a routing table to update the target or make other adjustments.

How does the route priority work in AWS routing tables?

Routes with more specific CIDR blocks take precedence over less specific ones. The most specific route that matches the destination is used.

What happens if there is no route for a destination in the routing table?

If there is no matching route, the traffic is not routed, and communication to the destination will fail.

Next Steps

This tutorial series is a work in progress and will have these sections:

AWS with Terraform: The Essential Guide: Sections

1. Terraform Basics,
2. AWS Basics,
3. Terraform AWS Provider,
4. AWS VPC,
5. AWS Subnets,
6. AWS Internet Gateway,
7. AWS NAT Gateway,
8. AWS Routing Tables,
9. AWS Security Groups,
10. AWS Key Pairs,
11. AWS AMIs,

12. AWS EC2 Instances,
13. AWS RDS databases,
14. AWS Route 53 (DNS),
15. AWS Auto Scaling,
16. AWS Load Balancers,
17. Terraform, AWS & Ansible,
18. Terraform Modules,
19. Terraform Backends,
20. Terraform Tools,
21. Terraform CI/CD