# AWS Hub and Spoke Architecture with AWS Transit Gateway - Example: Central Inspection

This example centralizes traffic inspection and egress traffic within the same VPC: a central Inspection VPC with public subnets. The following resources are built:

- Built by the **Hub and Spoke module**:
  - AWS Transit Gateway.
  - AWS Transit Gateway Route Tables: 1 Inspection, 2 Spokes (production and non-production).
  - Transit Gateway routes.
  - Inspection VPC - with public subnets for Internet access.
  - AWS Network Firewall (and routes in the Inspection VPC to the firewall endpoints).
- Built outside the module:
  - AWS Network Firewall policy and rule groups - check the *policy.tf* file.

## Deployment instructions

* To apply all the resources - `terraform apply`.
* Once you finish your testing, remember to delete the resources to avoid unexpected charges - `terraform destroy`.

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [aws](#requirement\_aws) | >= 3.73.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 3.73.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| [hub-and-spoke](#module\_hub-and-spoke) | aws-ia/network-hubandspoke/aws | 3.0.0 |
| [spoke\_vpcs](#module\_spoke\_vpcs) | aws-ia/vpc/aws | 4.0.0 |

## Resources

| Name | Type |
|------|------|
| [aws_networkfirewall_firewall_policy.anfw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |
| [aws_networkfirewall_rule_group.allow_domains](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
| [aws_networkfirewall_rule_group.drop_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [aws\_region](#input\_aws\_region) | AWS Region - to build the Hub and Spoke. | `string` | `"eu-west-1"` | no |
| [identifier](#input\_identifier) | Project identifier. | `string` | `"central-inspection"` | no |
| [spoke\_vpcs](#input\_spoke\_vpcs) | Spoke VPCs. | `map(any)` | <pre>{<br>  "nonprod-vpc": {<br>    "cidr_block": "10.0.1.0/24",<br>    "number_azs": 2,<br>    "routing_domain": "nonprod"<br>  },<br>  "prod-vpc": {<br>    "cidr_block": "10.0.0.0/24",<br>    "number_azs": 2,<br>    "routing_domain": "prod"<br>  }<br>}</pre> | no |

## Outputs

| Name | Description |
|------|-------------|
| [central\_vpcs](#output\_central\_vpcs) | Central VPCs created. |
| [network\_firewall](#output\_network\_firewall) | AWS Network Firewall ID. |
| [spoke\_vpcs](#output\_spoke\_vpcs) | Spoke VPCs created. |
| [transit\_gateway\_id](#output\_transit\_gateway\_id) | ID of the AWS Transit Gateway resource. |