# AWS Network Firewall Module - Intra-VPC Inspection

This example builds AWS Network Firewall in a single VPC to perform intra-VPC inspection between its subnets. This example creates the following resources:

* Outside of the Network Firewall module:
  * Firewall policies - in `policy.tf`
  * Amazon VPC with several subnets (3 private subnets, 1 inspection subnet, 1 endpoints subnet)
* Created by the Network Firewall module:
  * AWS Network Firewall resource.
  * Routing to the firewall endpoints - to inspect traffic between the private subnets.

The AWS Region used in the example is **eu-west-2 (London)**.

## Prerequisites

* An AWS account with an IAM user with the appropriate permissions
* Terraform installed

## Code Principles

* Writing DRY (Do Not Repeat Yourself) code using a modular design pattern

## Usage

* Clone the repository
* Edit the *variables.tf* file in the project root directory

**Note** Network Firewall endpoints will be deployed in all the Availability Zones used in the example (*var.vpc.number\_azs*). By default, the number of AZs used is 2 to follow best practices. Take that into account when doing tests from a cost perspective.
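As an added illustration of what the rule groups and policy in `policy.tf` can look like (this is example code, not the repository's own `policy.tf`): a stateful rule group that passes ICMP between the `private1` and `private2` subnets, using the default CIDRs from the `vpc` variable, and a strict-order policy that drops anything no pass rule matches. The Suricata rule text, the capacity value and the default actions are assumptions.

```hcl
resource "aws_networkfirewall_rule_group" "allow_icmp_private1_2" {
  capacity = 50 # assumption: enough for two rules plus the IP set variables
  name     = "allow-icmp-private1-2"
  type     = "STATEFUL"

  rule_group {
    # Default private1/private2 ranges from the example's vpc variable.
    rule_variables {
      ip_sets {
        key = "PRIVATE1"
        ip_set { definition = ["10.129.0.0/24", "10.129.1.0/24", "10.129.2.0/24"] }
      }
      ip_sets {
        key = "PRIVATE2"
        ip_set { definition = ["10.129.3.0/24", "10.129.4.0/24", "10.129.5.0/24"] }
      }
    }
    rules_source {
      # Suricata rules (assumed): pass ICMP in both directions between the two
      # subnet groups; anything else falls through to the policy's default action.
      rules_string = <<-EOT
        pass icmp $PRIVATE1 any -> $PRIVATE2 any (msg:"ICMP private1 to private2"; sid:100; rev:1;)
        pass icmp $PRIVATE2 any -> $PRIVATE1 any (msg:"ICMP private2 to private1"; sid:101; rev:1;)
      EOT
    }
    stateful_rule_options { rule_order = "STRICT_ORDER" }
  }
}

resource "aws_networkfirewall_firewall_policy" "anfw_policy" {
  name = "intra-vpc-inspection-policy"

  firewall_policy {
    # Stateless layer: send every packet (fragments included) to the stateful engine.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    # Strict-order evaluation with a default drop: only explicit pass rules let traffic through.
    stateful_engine_options { rule_order = "STRICT_ORDER" }
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]

    stateful_rule_group_reference {
      priority     = 10
      resource_arn = aws_networkfirewall_rule_group.allow_icmp_private1_2.arn
    }
  }
}
```

The rule group only affects flows whose subnet route tables send traffic to the firewall endpoints, which is the routing the module creates for the private subnets; traffic that bypasses the endpoints is never evaluated.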
## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
| [aws](#requirement\_aws) | >= 3.73.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 3.73.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| [network\_firewall](#module\_network\_firewall) | aws-ia/networkfirewall/aws | 0.1.1 |
| [vpc](#module\_vpc) | ./modules/vpc | n/a |

## Resources

| Name | Type |
|------|------|
| [aws_networkfirewall_firewall_policy.anfw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |
| [aws_networkfirewall_rule_group.allow_icmp_private1_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
| [aws_networkfirewall_rule_group.allow_icmp_private2_3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
| [aws_networkfirewall_rule_group.drop_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [aws\_region](#input\_aws\_region) | AWS Region. | `string` | `"eu-west-2"` | no |
| [identifier](#input\_identifier) | Project identifier. | `string` | `"intra-vpc-inspection"` | no |
| [vpc](#input\_vpc) | Information about the VPC to create. | `any` | <pre>{<br>  "cidr_block": "10.129.0.0/16",<br>  "endpoint_subnet_cidrs": [<br>    "10.129.9.48/28",<br>    "10.129.9.64/28",<br>    "10.129.9.80/28"<br>  ],<br>  "firewall_subnet_cidrs": [<br>    "10.129.9.0/28",<br>    "10.129.9.16/28",<br>    "10.129.9.32/28"<br>  ],<br>  "number_azs": 2,<br>  "private_subnet_cidrs": {<br>    "private1": [<br>      "10.129.0.0/24",<br>      "10.129.1.0/24",<br>      "10.129.2.0/24"<br>    ],<br>    "private2": [<br>      "10.129.3.0/24",<br>      "10.129.4.0/24",<br>      "10.129.5.0/24"<br>    ],<br>    "private3": [<br>      "10.129.6.0/24",<br>      "10.129.7.0/24",<br>      "10.129.8.0/24"<br>    ]<br>  }<br>}</pre> | no |

## Outputs

| Name | Description |
|------|-------------|
| [network\_firewall](#output\_network\_firewall) | AWS Network Firewall ID. |
| [vpc](#output\_vpc) | VPC ID. |