global: # ** Replace with overall organizational ID and Account ID owning the organization ** # Uncomment below if you'd like to use RAM Sharing # organizationId: o-REPLACEME # organizationMainAccountId: 123456789012 stackNamePrefix: sample-complex ssmPrefix: /sample-complex/network region: us-east-1 availabilityZones: - us-east-1a - us-east-1b tags: - aws-vpc-builder: sample-complex vpns: on-premises: style: transitGatewayAttached ## Substitute for a REAL public IP Address of a VPN device if you plan to establish a VPN connection. Also adjust the ASN number. newCustomerGatewayIp: 1.2.3.4 newCustomerGatewayAsn: 64501 newCustomerGatewayName: sample-vpn-onprem CGW useTransit: central providers: firewall: internet-inspection: vpcCidr: 100.64.0.0/16 useTransit: central style: awsNetworkFirewall firewallDescription: sample-complex AWS Network Firewall firewallName: InspectionInternet internet: central-egress: vpcCidr: 10.10.63.192/26 style: natEgress useTransit: central endpoints: vpc-endpoints: style: serviceInterfaceEndpoint vpcCidr: 10.20.0.0/19 endpointMask: 24 endpointConfigFile: sample-complex-endpoints useTransit: central dns-resolvers: vpcCidr: 10.10.63.128/26 # ** Narrow to specific inbound resolver source IPs if desired ** resolveRequestsFromCidrs: - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 forwardRequests: # ** Narrow to specific on-premesis domains ** forDomains: - onprem.net # ** Replace with the IPs of on-premesis DNS servers ** toIps: - 172.31.1.10 - 172.31.2.10 # ** All VPCs are permitted to resolve on prem ** forVpcs: - workload-dev - workload-prod style: route53ResolverEndpoint useTransit: central dns: base: domains: - cloud.net # ** Everyone can resolve our base domain ** shareWithVpcs: - workload-dev - workload-prod prod: domains: - prod.cloud.net # ** Prod domain can be resolved from prod ** shareWithVpcs: - workload-prod dev: domains: - dev.cloud.net # ** Dev domain can be resolved from prod ** shareWithVpcs: - workload-dev vpcs: workload-dev: style: workloadIsolated vpcCidr: 10.10.0.0/19 providerInternet: central-egress providerEndpoints: vpc-endpoints subnets: workload: cidrMask: 20 # ** Update with the Dev OU if you wish to RAM Share ** #sharedWith: # - ou-REPLACEME workload-prod: style: workloadIsolated vpcCidr: 10.10.32.0/20 providerInternet: central-egress providerEndpoints: vpc-endpoints subnets: workload: cidrMask: 21 # ** Update with the Prod OU if you wish to RAM Share ** #sharedWith: # - ou-REPLACEME central-ingress: style: workloadPublic vpcCidr: 10.10.64.0/19 subnets: workload: cidrMask: 20 # ** Update with the Prod and Dev OU if you wish to RAM Share ** #sharedWith: # - ou-REPLACEMEDev # - ou-REPLACEMEProd transitGateways: central: style: transitGateway tgwDescription: sample-complex TGW defaultRoutes: # Dev and Prod default to internet egress inspected by a firewall. - vpcName: workload-dev routesTo: central-egress inspectedBy: internet-inspection - vpcName: workload-prod routesTo: central-egress inspectedBy: internet-inspection dynamicRoutes: # Dev and Prod can both go on-prem via VPN. BGP will advertise routes for us to use - vpcName: workload-dev routesTo: on-premises - vpcName: workload-prod routesTo: on-premises blackholeRoutes: # Dev may not communicate with prod and vice versa - vpcName: workload-dev blackholeCidrs: - 10.10.32.0/20 - vpcName: workload-prod blackholeCidrs: - 10.10.0.0/19