# VPC Module
Deploy an AWS Virtual Private Cloud with multi-tier subnet configuration, NAT gateways, and optional IPv6 support.
## What You'll Build
A production-ready VPC with:
- Configurable public, private, and isolated subnets across multiple AZs
- NAT gateway options (single, per-AZ, or custom)
- DNS resolution and DNS hostname support
- Optional secondary CIDR blocks and IPv6
- VPC endpoints for S3 and DynamoDB
- Flow logs with CloudWatch integration
## How to Use

```hcl
module "vpc" {
  source = "github.com/nnthanh101/terraform-aws/modules/vpc"

  name = "main"
  cidr = "10.0.0.0/16"

  # Subnets across 3 AZs
  azs             = ["us-east-1a", "us-east-1b", "us-east-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  # NAT configuration (one per AZ)
  enable_nat_gateway     = true
  one_nat_gateway_per_az = true

  # DNS + flow logs
  enable_dns_hostnames       = true
  enable_dns_support         = true
  enable_flow_log            = true
  flow_log_retention_in_days = 7

  tags = {
    Environment = "prod"
  }
}
```
## Key Variables

| Variable | Type | Default | Purpose |
|---|---|---|---|
| name | string | "" | Resource identifier; used in all resource names |
| cidr | string | "0.0.0.0/0" | VPC CIDR block; must be a valid AWS range |
| azs | list(string) | [] | Availability zones for subnets |
| private_subnets | list(string) | [] | Private subnet CIDR blocks |
| public_subnets | list(string) | [] | Public subnet CIDR blocks |
| enable_nat_gateway | bool | false | Create NAT gateways |
| one_nat_gateway_per_az | bool | false | One NAT per AZ; if false, uses a single NAT or a custom count |
| enable_ipv6 | bool | false | Request an Amazon-provided IPv6 /56 block |
| enable_dns_hostnames | bool | true | Enable DNS hostname resolution |
| enable_dns_support | bool | true | Enable DNS support |
| enable_flow_log | bool | false | Enable VPC flow logs to CloudWatch |
| flow_log_retention_in_days | number | 7 | CloudWatch log retention (days) |
## Outputs

| Output | Type | Use Case |
|---|---|---|
| vpc_id | string | VPC identifier for cross-stack references |
| private_subnets | list(string) | Private subnet IDs (EC2, ECS, RDS placement) |
| public_subnets | list(string) | Public subnet IDs (ALB, NAT gateway placement) |
| nat_gateway_ips | list(string) | NAT gateway Elastic IPs for egress allowlisting |
| vpc_cidr_block | string | VPC CIDR for security group ingress rules |
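The following is an added example of a consumer stack wiring these outputs together; it is not code from the module or its README. It reuses the module block from "How to Use" and adds a database security group whose only ingress rule is scoped to `vpc_cidr_block` (rather than `0.0.0.0/0`), a DB subnet group built from `private_subnets`, and an output exposing `nat_gateway_ips` so an external party can allowlist the stack's fixed egress addresses. The `aws_security_group`, `aws_db_subnet_group` and `output` resources, the port 5432 choice and all resource names are assumptions for illustration.

```hcl
# Added consumer example (assumed, not the module's own code).
# Uses the VPC module's documented outputs: vpc_id, private_subnets,
# vpc_cidr_block and nat_gateway_ips.

module "vpc" {
  source = "github.com/nnthanh101/terraform-aws/modules/vpc"

  name = "main"
  cidr = "10.0.0.0/16"

  azs             = ["us-east-1a", "us-east-1b", "us-east-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway     = true
  one_nat_gateway_per_az = true
  enable_flow_log        = true
}

# Database security group: ingress is limited to addresses inside the VPC.
# No egress block is declared, so Terraform leaves the group with no
# outbound rules, which is appropriate for a database that initiates nothing.
resource "aws_security_group" "db" {
  name        = "main-db"
  description = "PostgreSQL from inside the VPC only"
  vpc_id      = module.vpc.vpc_id

  ingress {
    description = "PostgreSQL from VPC CIDR"
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = [module.vpc.vpc_cidr_block] # never 0.0.0.0/0 here
  }

  tags = {
    Environment = "prod"
  }
}

# Place the database on the private subnets only (no public IPs, egress via NAT).
resource "aws_db_subnet_group" "private" {
  name       = "main-private"
  subnet_ids = module.vpc.private_subnets

  tags = {
    Environment = "prod"
  }
}

# Fixed egress addresses: everything in the private subnets reaches the
# internet through these NAT EIPs, so partners can allowlist exactly this list.
output "egress_allowlist_ips" {
  description = "NAT gateway Elastic IPs to share with external allowlists"
  value       = module.vpc.nat_gateway_ips
}
```

Because `one_nat_gateway_per_az = true` creates one Elastic IP per AZ, `egress_allowlist_ips` has three entries in this layout; adding an AZ later changes the list, so treat the output as the source of truth rather than hard-coding the addresses elsewhere.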
## Architecture
- Public subnets: NAT gateways, application load balancers, bastion hosts
- Private subnets: EC2, ECS tasks, RDS databases
- Isolated subnets: Databases, caches with no internet egress
- VPC endpoints: S3 and DynamoDB without internet gateway traversal
## Source Reference

- Module: `terraform-aws/modules/vpc`
- Terraform docs: run `terraform-docs` in the module directory for the full variable reference
- AWS VPC concepts: https://docs.aws.amazon.com/vpc/