Adding "intra subnets" as a class #135
Conversation
Hi Mark, this is exactly what private subnets should be used for. Also, private subnets have a route table associated. Let me know if I am missing something here. If not, let's close this PR.
Happy to not complicate things, but I'm wondering how to configure two classes of private subnets when I configure the VPC. I want a group of subnets of one size for Kubernetes worker nodes, and these need access to the NAT gateway and thereby to the external internet. Then I need a set of subnets for Lambda ENI allocation (for API Gateway, basically), and those subnets only need to be able to reach other VPC subnets, not the external internet. I'd like the two classes of subnets to have different tags so that other systems can query by tag and find all my lambda, or all my k8s worker subnets, across VPCs and regions, etc etc. You get the picture. How do I use "private_subnet" twice, basically, but still keep the terraform.tfvars definition as simple as possible?
Right, thanks for the clarification. This module currently does not support such duality; there is no way to create private subnets with NAT and without NAT in one go. I think we should add this. The naming (especially when it is +32C in the room) gets very tricky. Mainly, how to name a private subnet which does not have NAT. I forgot the scientific term. I think it is called something like When the name is there, we should duplicate half of the code which takes care of private subnet resources (like routing tables, associations, etc). If you can do this, a PR is welcome. If not, let us know and me or someone else may help with this. Thanks again for opening this issue!
I agree, lambda is too specific, I can envision placing other backend systems in subnets of this type as well. I'll work on it a bit, as you say duplicating the half of the code that handles the needed resources, leaving out NAT. If I need help, I'll ask!
Regarding namings... RFC1918 says:
So, there is no official name for Category 1. After some reading and talking to other people in a couple of chats I'd like to call it
The name makes sense to me. I've been using this over the weekend to create some test VPCs for a project, and I end up with private subnets that have route table entries, but no NAT gateway entries, which is what we want for Category 1 RFC1918 networks. See what you think.
Looks pretty good. Please update the complete example and probably it is time to describe features in a README.md :)
main.tf
#####################################################
# infra subnets - private subnet with no NAT gateway
#####################################################
resource "aws_subnet" "infra" {
Should be intra, not infra
example. Fixed naming.
There you go - docs and the example, changed "infra" to "intra", sorry about that - I read it wrong! Thanks for your help.
Merging, great work!
For situations where Lambda functions are used (e.g., with API Gateway) inside the VPC, the Lambdas need to be configured with subnet IDs from which they can allocate ENIs. The PR simply adds subnets across the AZs for that.
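To make the "route table but no NAT route" distinction concrete, here is an added Terraform sketch of an intra subnet class next to a private one. It is not the module's own code; it assumes `aws_vpc.this`, `aws_nat_gateway.this` and the three variables declared below exist in the calling configuration, and uses Terraform 0.12+ syntax.

```hcl
# Added example, not the module's code. Assumes aws_vpc.this and
# aws_nat_gateway.this are defined elsewhere in the configuration.
variable "azs"             { type = list(string) } # e.g. ["eu-west-1a", "eu-west-1b"]
variable "private_subnets" { type = list(string) } # one CIDR per AZ, same order as azs
variable "intra_subnets"   { type = list(string) } # one CIDR per AZ, same order as azs

# Intra subnets: reachable from inside the VPC only (Lambda ENIs, backends).
resource "aws_subnet" "intra" {
  count             = length(var.intra_subnets)
  vpc_id            = aws_vpc.this.id
  cidr_block        = var.intra_subnets[count.index]
  availability_zone = var.azs[count.index]
  # Distinct Tier tag so other systems can find this class by tag.
  tags = { Name = "intra-${var.azs[count.index]}", Tier = "intra" }
}

# The intra route table deliberately declares no routes: the implicit
# "local" route to the VPC CIDR is all it gets, so there is no path to
# the internet even if a NAT gateway exists in the VPC.
resource "aws_route_table" "intra" {
  vpc_id = aws_vpc.this.id
  tags   = { Name = "intra", Tier = "intra" }
}

resource "aws_route_table_association" "intra" {
  count          = length(var.intra_subnets)
  subnet_id      = aws_subnet.intra[count.index].id
  route_table_id = aws_route_table.intra.id
}

# Contrast: the private class carries the default route via NAT.
resource "aws_subnet" "private" {
  count             = length(var.private_subnets)
  vpc_id            = aws_vpc.this.id
  cidr_block        = var.private_subnets[count.index]
  availability_zone = var.azs[count.index]
  tags = { Name = "private-${var.azs[count.index]}", Tier = "private" }
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.this.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.this.id
  }
  tags = { Name = "private", Tier = "private" }
}

resource "aws_route_table_association" "private" {
  count          = length(var.private_subnets)
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}
```

After `terraform apply`, `aws ec2 describe-route-tables --filters Name=tag:Tier,Values=intra` should list only the local VPC route for the intra table, which is the check that the class really has no egress path.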