# AWS Network Firewall Module - Centralized Inspection VPC in a Hub and Spoke architecture with AWS Transit Gateway

This example shows the creation of a centralized Inspection VPC in a Hub and Spoke architecture with AWS Transit Gateway, with the idea of managing traffic inspection at scale (East/West). This example creates the following resources:

* Outside of the Network Firewall module:
  * Firewall policies - in `policy.tf`
  * AWS Transit Gateway.
  * Inspection VPC, attached to the Transit Gateway.
  * Routing in the Inspection VPC to route traffic from the inspection subnets to the Transit Gateway (0.0.0.0/0).
* Created by the Network Firewall module:
  * AWS Network Firewall resource.
  * Routing to the firewall endpoints (from the transit\_gateway).

The AWS Region used in the example is **us-west-1 (N. California)**.

## Prerequisites

* An AWS account with an IAM user with the appropriate permissions
* Terraform installed

## Code Principles

* Writing DRY (Do Not Repeat Yourself) code using a modular design pattern

## Usage

* Clone the repository
* Edit the *variables.tf* file in the project root directory

**Note** Network Firewall endpoints will be deployed in all the Availability Zones used in the example (*var.vpc.number\_azs*). By default, the number of AZs used is 2 to follow best practices. Take that into account when doing tests from a cost perspective.
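The following is an added example of a `policy.tf` of the kind this README describes; it is not the file shipped with this example. It uses the rule-group and policy resource names listed under Resources, but the spoke CIDRs (10.0.0.0/16 and 10.1.0.0/16) and what `drop_remote` blocks (SSH and RDP) are assumptions, as is the use of `var.identifier` for naming:

```hcl
# Stateful rule group: block SSH and RDP between spokes (Suricata-format rules).
resource "aws_networkfirewall_rule_group" "drop_remote" {
  capacity = 100
  name     = "${var.identifier}-drop-remote"
  type     = "STATEFUL"
  rule_group {
    rules_source {
      rules_string = <<-EOT
        drop tcp any any -> any 22 (msg:"drop ssh between spokes"; sid:1; rev:1;)
        drop tcp any any -> any 3389 (msg:"drop rdp between spokes"; sid:2; rev:1;)
      EOT
    }
    stateful_rule_options { rule_order = "STRICT_ORDER" }
  }
}

# Stateful rule group: allow ICMP from spoke 1 to spoke 2 only. The spoke CIDRs are
# placeholders (not given in this README); echo replies are tracked by the stateful engine.
resource "aws_networkfirewall_rule_group" "allow_icmp_1_to_2" {
  capacity = 100
  name     = "${var.identifier}-allow-icmp-1-to-2"
  type     = "STATEFUL"
  rule_group {
    rules_source {
      rules_string = "pass icmp 10.0.0.0/16 any -> 10.1.0.0/16 any (msg:\"allow icmp 1 to 2\"; sid:10; rev:1;)"
    }
    stateful_rule_options { rule_order = "STRICT_ORDER" }
  }
}

# Policy: every packet is handed to the stateful engine; STRICT_ORDER with aws:drop_strict
# means only flows explicitly passed by a referenced rule group cross the Transit Gateway.
resource "aws_networkfirewall_firewall_policy" "anfw_policy" {
  name = "${var.identifier}-policy"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_engine_options { rule_order = "STRICT_ORDER" }
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]
    stateful_rule_group_reference {
      priority     = 10
      resource_arn = aws_networkfirewall_rule_group.drop_remote.arn
    }
    stateful_rule_group_reference {
      priority     = 20
      resource_arn = aws_networkfirewall_rule_group.allow_icmp_1_to_2.arn
    }
  }
}
```

The policy ARN is what the Network Firewall module consumes; `aws:alert_strict` alongside `aws:drop_strict` makes every dropped East/West flow visible in the firewall's alert logs.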
## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [aws](#requirement\_aws) | >= 3.73.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 3.73.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| [inspection\_vpc](#module\_inspection\_vpc) | aws-ia/vpc/aws | = 4.0.0 |
| [network\_firewall](#module\_network\_firewall) | aws-ia/networkfirewall/aws | 0.1.1 |

## Resources

| Name | Type |
|------|------|
| [aws_ec2_transit_gateway.tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway) | resource |
| [aws_networkfirewall_firewall_policy.anfw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |
| [aws_networkfirewall_rule_group.allow_icmp_1_to_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
| [aws_networkfirewall_rule_group.allow_icmp_2_to_3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
| [aws_networkfirewall_rule_group.drop_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [aws\_region](#input\_aws\_region) | AWS Region. | `string` | `"us-west-1"` | no |
| [identifier](#input\_identifier) | Project identifier. | `string` | `"central-inspection"` | no |
| [inspection\_vpc](#input\_inspection\_vpc) | VPCs to create | `any` | <pre>{<br>  "cidr_block": "10.129.0.0/16",<br>  "number_azs": 2,<br>  "private_subnet_netmask": 28,<br>  "tgw_subnet_netmask": 28<br>}</pre> | no |

## Outputs

| Name | Description |
|------|-------------|
| [inspection\_vpc](#output\_inspection\_vpc) | Inspection VPC ID. |
| [network\_firewall](#output\_network\_firewall) | AWS Network Firewall ID. |
| [transit\_gateway](#output\_transit\_gateway) | AWS Transit Gateway ID. |