AWS with Terraform Tutorial: AWS Subnets (5)

How to Create, and Manage AWS Subnets with Terraform

How to configure and use the Terraform aws_subnet resource block to create and manage AWS Subnets inside a VPC. AWS Subnets are a subdivision of the IP Network assigned to the VPC.

Welcome to our tutorial series where we dive into cloud infrastructure deployment using Terraform or OpenTofu on AWS. In this series, the fundamentals are shown, guiding you through the process of minimizing resource usage and simplifying the deployment complexities associated with cloud infrastructure. This tutorial series is a work in progress.

This comprehensive OpenTofu and Terraform tutorial guides you step-by-step through creating infrastructure in AWS using Terraform.

Infrastructure as Code (IaC) helps maintain consistency, enables version control, enhances collaboration among teams, allows for easier replication of environments, streamlines the deployment and management of infrastructure boosting efficiency, and reducing errors in managing complex systems.

Prerequisites

Read previous sections of the tutorial:

Terraform AWS Configuration Plan Definition

Previous sections of this AWS with Terraform guide have covered basic information about Terraform and AWS and have configured and used the AWS Terraform provider to create a VPC.

It is time to create the Subnets. Keep adding Terraform blocks to the terraform-aws-tutorial.tf created in previous sections.

How to Create an AWS Subnets with Terraform

AWS Subnets are a subdivision of the IP Network assigned to the VPC. In the AWS with Terraform: The Essential Guide (4/21) – AWS VPC section the VPC was created and can now be used as an input to other Terraform blocks.

Use a CIDR Calculator to divide the VPC IP Network into the desired subnets.

Each subnet is assigned to one availability zone (us-east-1a, us-east-1b, us-east-1c, ...) in the chosen region (us-east-1).

Additionally, a subnet can be configured as public or private:

• Public subnets: have a route to the Internet via an Internet gateway and assign public IP addresses to their instances making it possible for instances to send and receive traffic from the Internet directly.
• Private subnets: typically do not have direct internet access and are used for resources that should not be publicly accessible. A NAT device is needed to access the Internet (e.g. for software update downloads).

Subnet definition using Terraform, add the following block to the file terraform-aws-tutorial.tf:

# Av. Zone: A, Env: PRO, Type: PUBLIC, Code: 00, CIDR Block: 172.21.0.0/23
resource "aws_subnet" "ditwl-sn-za-pro-pub-00" {
  vpc_id                  = aws_vpc.ditlw-vpc.id
  cidr_block              = "172.21.0.0/23" #172.21.0.0 - 172.21.1.255
  map_public_ip_on_launch = true
  availability_zone       = "us-east-1a"
  tags = {
    Name = "ditwl-sn-za-pro-pub-00"
  }
}

The Terraform aws_subnet resource block creates a Subnet, named ditwl-sn-za-pro-pub-00, inside the VPC created in the previous tutorial, using its Terraform reference aws_vpc.ditlw-vpc.id.

The Subnet has the following properties:

• cidr_block = "172.21.0.0/23"
• map_public_ip_on_launch = true (Assigns public IPV4 addresses to instances launched inside the Subnet)
• availability_zone = "us-east-1a"
• Tags:
  • Name = "ditwl-sn-za-pro-pub-00"
  • Tags defined as default at the AWS provider level

Use the same values for the Terraform name and the Tag Name and follow a company wide naming standard and pattern to easily identify the resource across companies, products, projects, and clouds.

ditwl-sn-za-pro-pub-00 stands for:

• ditwl: a prefix specifying the unique name of this cloud across all available clouds and providers. In this case, the prefix will be ditwl which stands for Demo IT Wonder Lab in lowercase.
• sn: a short name identifying the resource, in this case, sn stands for subnet
• za: the availability zone for the resources, in this case, zone A.
• pro: an environment for the resource, the 3-letter acronym pro identifies this subnet as a Production subnet.
• pub: visibility of the resources, the 3-letter acronym pub identifies the subnet as Public.
• 00: a unique number related to the resource, in this case, 00 is the value of the 3rd octet in the IP addresses (172.21.NN.0).

Learn more about AWS and Terraform Naming Best Practices.

Add 3 more subnet blocks to the file terraform-aws-tutorial.tf:

# Av. Zone: A, Env: PRO, Type: PRIVATE, Code: 02, CIDR Block: 172.21.2.0/23
resource "aws_subnet" "ditwl-sn-za-pro-pri-02" {
  vpc_id                  = aws_vpc.ditlw-vpc.id
  cidr_block              = "172.21.2.0/23" #172.21.2.0 - 172.21.3.255
  map_public_ip_on_launch = false
  availability_zone       = "us-east-1a"
  tags = {
    Name = "ditwl-sn-za-pro-pri-02"
  }
}

# Av. Zone: B, Env: PRO, Type: PUBLIC, Code: 04, CIDR Block: 172.21.4.0/23
resource "aws_subnet" "ditwl-sn-zb-pro-pub-04" {
  vpc_id                  = aws_vpc.ditlw-vpc.id
  cidr_block              = "172.21.4.0/23" #172.21.4.0 - 172.21.5.255
  map_public_ip_on_launch = true
  availability_zone       = "us-east-1b"
  tags = {
    Name = "ditwl-sn-zb-pro-pub-04"
  }
}

# Av. Zone: B, Env: PRO, Type: PRIVATE, Code: 06, CIDR Block: 172.21.6.0/23
resource "aws_subnet" "ditwl-sn-zb-pro-pri-06" {
  vpc_id                  = aws_vpc.ditlw-vpc.id
  cidr_block              = "172.21.6.0/23" #172.21.6.0 - 172.21.7.255	
  map_public_ip_on_launch = false
  availability_zone       = "us-east-1b"
  tags = {
    Name = "ditwl-sn-zb-pro-pri-06"
  }
}

Run the Terraform Plan

Open a command line shell at the same location where the terraform-aws-tutorial.tf file is located, and, run the Terraform or OpenTofu plan, and apply the commands.

Plan using OpenTofu

Run tofu plan to generate and review the execution plan. Check each line and value to make sure that corresponds to the desired change. The VPC was already created in the previous Terraform execution so now only the new subnets will be created.

As you can see the order of creation of the subnets is not the same as the order in which they are defined in the file terraform-aws-tutorial.tf, this is correct and doesn't have an impact as each subnet is independent from the others.

Terraform generates a dependency graph to understand the order in which resources should be created or modified. It helps determine the relationships and dependencies between different resources defined in your Terraform configuration. This ensures that resources are created or modified in the correct order to maintain a consistent infrastructure state. Sometimes Terraform or the provider can't generate accurate dependency relations and require additional configuration using the depends_on Meta-Argument (to be documented in other tutorial sections).

$ tofu plan
aws_vpc.ditlw-vpc: Refreshing state... [id=vpc-0bed1f6c715e9a909]

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

OpenTofu will perform the following actions:

  # aws_subnet.ditwl-sn-za-pro-pri-02 will be created
  + resource "aws_subnet" "ditwl-sn-za-pro-pri-02" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "us-east-1a"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.21.2.0/23"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "ditwl-sn-za-pro-pri-02"
        }
      + tags_all                                       = {
          + "Name"        = "ditwl-sn-za-pro-pri-02"
          + "cost_center" = "marketing-department"
          + "environment" = "pro"
          + "owner"       = "IT Wonder Lab"
        }
      + vpc_id                                         = "vpc-0bed1f6c715e9a909"
    }

  # aws_subnet.ditwl-sn-za-pro-pub-00 will be created
  + resource "aws_subnet" "ditwl-sn-za-pro-pub-00" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "us-east-1a"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.21.0.0/23"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = true
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "ditwl-sn-za-pro-pub-00"
        }
      + tags_all                                       = {
          + "Name"        = "ditwl-sn-za-pro-pub-00"
          + "cost_center" = "marketing-department"
          + "environment" = "pro"
          + "owner"       = "IT Wonder Lab"
        }
      + vpc_id                                         = "vpc-0bed1f6c715e9a909"
    }

  # aws_subnet.ditwl-sn-zb-pro-pri-06 will be created
  + resource "aws_subnet" "ditwl-sn-zb-pro-pri-06" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "us-east-1b"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.21.6.0/23"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "ditwl-sn-zb-pro-pri-06"
        }
      + tags_all                                       = {
          + "Name"        = "ditwl-sn-zb-pro-pri-06"
          + "cost_center" = "marketing-department"
          + "environment" = "pro"
          + "owner"       = "IT Wonder Lab"
        }
      + vpc_id                                         = "vpc-0bed1f6c715e9a909"
    }

  # aws_subnet.ditwl-sn-zb-pro-pub-04 will be created
  + resource "aws_subnet" "ditwl-sn-zb-pro-pub-04" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "us-east-1b"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "172.21.4.0/23"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = true
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "ditwl-sn-zb-pro-pub-04"
        }
      + tags_all                                       = {
          + "Name"        = "ditwl-sn-zb-pro-pub-04"
          + "cost_center" = "marketing-department"
          + "environment" = "pro"
          + "owner"       = "IT Wonder Lab"
        }
      + vpc_id                                         = "vpc-0bed1f6c715e9a909"
    }

Plan: 4 to add, 0 to change, 0 to destroy.

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so OpenTofu can't guarantee to take exactly these actions if you run "tofu
apply" now.

Apply the changes using OpenTofu

Run tofu apply to generate and apply the execution plan. OpenTofu will generate a new plan and ask for confirmation before applying the changes. Review again the changes and answer yes or no to apply the changes in AWS.

$ tofu apply
aws_vpc.ditlw-vpc: Refreshing state... [id=vpc-0bed1f6c715e9a909]

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

OpenTofu will perform the following actions:

  # aws_subnet.ditwl-sn-za-pro-pri-02 will be created
  + resource "aws_subnet" "ditwl-sn-za-pro-pri-02" {
   ...
      + vpc_id                                         = "vpc-0bed1f6c715e9a909"
    }

  # aws_subnet.ditwl-sn-za-pro-pub-00 will be created
  + resource "aws_subnet" "ditwl-sn-za-pro-pub-00" {
   ...
      + vpc_id                                         = "vpc-0bed1f6c715e9a909"
    }

  # aws_subnet.ditwl-sn-zb-pro-pri-06 will be created
  + resource "aws_subnet" "ditwl-sn-zb-pro-pri-06" {
   ...
      + vpc_id                                         = "vpc-0bed1f6c715e9a909"
    }

  # aws_subnet.ditwl-sn-zb-pro-pub-04 will be created
  + resource "aws_subnet" "ditwl-sn-zb-pro-pub-04" {
   ...
      + vpc_id                                         = "vpc-0bed1f6c715e9a909"
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  OpenTofu will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_subnet.ditwl-sn-za-pro-pub-00: Creating...
aws_subnet.ditwl-sn-za-pro-pri-02: Creating...
aws_subnet.ditwl-sn-zb-pro-pub-04: Creating...
aws_subnet.ditwl-sn-zb-pro-pri-06: Creating...
aws_subnet.ditwl-sn-zb-pro-pri-06: Creation complete after 2s [id=subnet-0f5662bd40a070e55]
aws_subnet.ditwl-sn-za-pro-pri-02: Creation complete after 2s [id=subnet-096bf79e4bab2e1c4]
aws_subnet.ditwl-sn-za-pro-pub-00: Still creating... [10s elapsed]
aws_subnet.ditwl-sn-zb-pro-pub-04: Still creating... [10s elapsed]
aws_subnet.ditwl-sn-za-pro-pub-00: Creation complete after 13s [id=subnet-07753bf540026684d]
aws_subnet.ditwl-sn-zb-pro-pub-04: Creation complete after 13s [id=subnet-0d34cee7300e9fa45]

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

Review the result, it should be 4 (resource) added, 0 changed, 0 destroyed.

You can now run tofu plan or tofu apply again to check that OpenTofu has not found any new changes to apply.

$ tofu plan
aws_vpc.ditlw-vpc: Refreshing state... [id=vpc-0bed1f6c715e9a909]
aws_subnet.ditwl-sn-zb-pro-pri-06: Refreshing state... [id=subnet-0f5662bd40a070e55]
aws_subnet.ditwl-sn-za-pro-pub-00: Refreshing state... [id=subnet-07753bf540026684d]
aws_subnet.ditwl-sn-za-pro-pri-02: Refreshing state... [id=subnet-096bf79e4bab2e1c4]
aws_subnet.ditwl-sn-zb-pro-pub-04: Refreshing state... [id=subnet-0d34cee7300e9fa45]

No changes. Your infrastructure matches the configuration.

OpenTofu has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Check using the AWS web Console that the Subnets have been created:

• Navigate to AWS Console: VPC - Subnets:

If you don't see the Subnets check on the right top corner that the Region is N. Virginia that corresponds to us-east-1.

Common Questions About AWS Subnets

How many Subnets should be created in each VPC?

The number of subnets you create in each Virtual Private Cloud (VPC) depends on your specific requirements and network architecture. However, it's a common practice to have at least two subnets in each VPC: one public and one private.

Consider factors like security, isolation, and scalability. Additional subnets may be created for specific purposes, like separating application tiers or isolating sensitive data.

As long as the VPC is created with a large CIDR block that has remaining sub-blocks for future use, you can add subnets later as needed.

What IP range should be used for a Subnet?

When planning your Virtual Private Cloud (VPC) network CIDR (Classless Inter-Domain Routing) and its Subnets, consider the following:

• Size: Choose a CIDR block size that provides enough IP addresses for your resources but avoids wasting address space.
• Subnetting: Plan your subnets within the VPC wisely, considering the number of subnets needed, their size, and the future scalability. Subnets in the same VPC can have different CIDR network sizes assigned depending on need.
• Overlap Avoidance: Ensure there's no overlap with other networks to prevent routing issues. It's common to avoid using the same CIDR block as other networks you might connect to.
• Future Growth: Plan for future growth and expansion by choosing a CIDR block that allows for additional subnets and addresses.
• Reserved Addresses: Each subnet reserves a few IP addresses for AWS use:
  • Network Address (First IP): This is the base network address and is reserved.
  • VPC Router (Second IP): The second IP address is reserved for the VPC router.
  • DNS Server (Third IP): The third IP address is reserved for the Amazon DNS server.
  • Reserved for Future Use (Last IP): The last IP address in the subnet is reserved for future use.
  • Additional Addresses for AWS services. For example, AWS Elastic Kubernetes Services needs to have at least 6 IP addresses available but at least 16 IPs are recommended.

Peering or VPNs: If you plan to connect VPCs or use VPNs, ensure that the CIDR blocks don't overlap with other clouds, existing VPCs, on-premises data centers, and LAN networks.

Private IP addresses are free to use but proper planning is required for routing across the organization.

Next Steps

This tutorial series is a work in progress and will have these sections:

AWS with Terraform: The Essential Guide: Sections

1. Terraform Basics,
2. AWS Basics,
3. Terraform AWS Provider,
4. AWS VPC,
5. AWS Subnets,
6. AWS Internet Gateway,
7. AWS NAT Gateway,
8. AWS Routing Tables,
9. AWS Security Groups,
10. AWS Key Pairs,
11. AWS AMIs,

12. AWS EC2 Instances,
13. AWS RDS databases,
14. AWS Route 53 (DNS),
15. AWS Auto Scaling,
16. AWS Load Balancers,
17. Terraform, AWS & Ansible,
18. Terraform Modules,
19. Terraform Backends,
20. Terraform Tools,
21. Terraform CI/CD