Chebis26/vpc-design-patterns


AWS Enterprise VPC Design Patterns


Production-ready Terraform implementations of enterprise AWS VPC design patterns. Covers hub-and-spoke Transit Gateway architecture, network segmentation, AWS Network Firewall, PrivateLink, VPC endpoints, and multi-region connectivity.

Executive Summary

Network architecture is the foundation of cloud security and performance. This repository demonstrates how to design AWS networks that enforce least-privilege connectivity, provide centralized inspection, and scale to hundreds of VPCs — without becoming a bottleneck for development teams.

Architecture Patterns Implemented

Pattern 1 — Hub-and-Spoke with Centralized Inspection

                    ┌─────────────────────────────────┐
                    │         Inspection VPC          │
                    │  ┌──────────────────────────┐   │
                    │  │   AWS Network Firewall   │   │
                    │  │   (stateful + stateless) │   │
                    │  └─────────────┬────────────┘   │
                    └────────────────┼────────────────┘
                                     │
              ┌──────────────────────┼────────────────────────┐
              │               Transit Gateway                 │
              │          (hub for all VPC routing)            │
              └─────┬─────────────────┬─────────────────┬─────┘
                    │                 │                 │
              ┌─────┴─────┐     ┌─────┴─────┐     ┌─────┴─────┐
              │  Prod VPC │     │  Dev VPC  │     │ Shared Svc│
              │           │     │           │     │    VPC    │
              │ App  │ DB │     │ App  │ DB │     │ DNS │Tools│
              └───────────┘     └───────────┘     └───────────┘
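What makes the hub enforce the pattern is not visible in the diagram: it lives in two Transit Gateway route tables. Spoke attachments share a table whose only entry is a default route to the inspection attachment and which receives no propagations, so no spoke holds a direct path to another; the inspection attachment has its own table with propagated routes back to every spoke. The following is an added example, not code from this repository, that models those tables in the shape `ec2.search_transit_gateway_routes` returns, forwards a packet with longest-prefix match the way the TGW does, and audits the spoke tables for any route that bypasses the firewall. The attachment IDs (`tgw-attach-...`) and the helper names are constructed for the example.

```python
"""Model and audit the Transit Gateway routing behind Pattern 1.

Added example, not code from this repository. Attachment IDs, CIDRs and the
helper names are constructed; the route entries use the field names returned
by `ec2.search_transit_gateway_routes` so the audit can later be pointed at
real output.
"""
import ipaddress

INSPECTION = "tgw-attach-inspection"       # Inspection VPC attachment (constructed ID)
SPOKES = {                                 # spoke attachment -> VPC CIDR
    "tgw-attach-shared": "10.0.0.0/16",
    "tgw-attach-prod": "10.1.0.0/16",
    "tgw-attach-dev": "10.3.0.0/16",
}


def route(cidr, attachment=None, kind="static", state="active"):
    """One route entry; a blackhole has no target attachment."""
    targets = [] if state == "blackhole" else [
        {"TransitGatewayAttachmentId": attachment, "ResourceType": "vpc"}]
    return {"DestinationCidrBlock": cidr, "TransitGatewayAttachments": targets,
            "Type": kind, "State": state}


# Spoke route table: one static default route to the firewall and no
# propagations, so spokes hold no direct path to each other.
SPOKE_RT = [route("0.0.0.0/0", INSPECTION)]

# Inspection route table: propagated routes back to every spoke, plus a default
# route toward the spoke that hosts the egress NAT (shared services here).
INSPECTION_RT = [route(cidr, att, kind="propagated") for att, cidr in SPOKES.items()]
INSPECTION_RT.append(route("0.0.0.0/0", "tgw-attach-shared"))

# Route table each attachment is associated with. Appliance mode on the
# inspection attachment (a per-attachment flag, not a route) is what keeps both
# directions of a flow on the same AZ's firewall endpoint.
ASSOCIATIONS = {att: SPOKE_RT for att in SPOKES}
ASSOCIATIONS[INSPECTION] = INSPECTION_RT


def lookup(rt, dst):
    """TGW forwarding: most specific active prefix wins; blackhole/no match drops."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in rt:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    if best is None or best[1]["State"] == "blackhole":
        return None
    return best[1]["TransitGatewayAttachments"][0]["TransitGatewayAttachmentId"]


def path(src_attachment, dst, associations=ASSOCIATIONS):
    """Attachments a packet from src_attachment visits on the way to dst."""
    hops = [src_attachment]
    nxt = lookup(associations[src_attachment], dst)
    if nxt is None:
        return hops                              # dropped at the TGW
    hops.append(nxt)
    if nxt == INSPECTION:                        # firewall hands it back to the TGW,
        final = lookup(associations[INSPECTION], dst)  # which uses the inspection table
        if final is not None:
            hops.append(final)
    return hops


def audit_spoke_tables(associations, inspection):
    """Any active route in a spoke table whose next hop is not the firewall."""
    findings = []
    for att, rt in associations.items():
        if att == inspection:
            continue
        for r in rt:
            if r["State"] != "active":
                continue
            target = r["TransitGatewayAttachments"][0]["TransitGatewayAttachmentId"]
            if target != inspection:
                findings.append(
                    f"{att}: {r['DestinationCidrBlock']} -> {target} bypasses inspection")
    return findings


if __name__ == "__main__":
    print("dev -> prod  :", " -> ".join(path("tgw-attach-dev", "10.1.20.15")))
    print("prod -> inet :", " -> ".join(path("tgw-attach-prod", "203.0.113.5")))
    print("audit        :", audit_spoke_tables(ASSOCIATIONS, INSPECTION) or "clean")
    # A single leaked propagation gives dev a direct, uninspected path to prod.
    leaked = {**ASSOCIATIONS, "tgw-attach-dev":
              SPOKE_RT + [route("10.1.0.0/16", "tgw-attach-prod", "propagated")]}
    print("leaked path  :", " -> ".join(path("tgw-attach-dev", "10.1.20.15", leaked)))
    print("leaked audit :", audit_spoke_tables(leaked, INSPECTION))
```

Running it shows dev -> inspection -> prod for east-west traffic and prod -> inspection -> shared for internet-bound traffic. The audit is the part worth keeping: a single leaked propagation (typically a spoke attachment left with default route table propagation enabled) gives that spoke a more specific, uninspected route, and longest-prefix match will prefer it over the default route to the firewall. In Terraform the guard is `transit_gateway_default_route_table_association = false` and `transit_gateway_default_route_table_propagation = false` on every spoke `aws_ec2_transit_gateway_vpc_attachment`, plus `appliance_mode_support = "enable"` on the inspection attachment.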

Pattern 2 — Three-Tier Application VPC

┌────────────────────────────────────────────────────┐
│                 VPC (10.0.0.0/16)                  │
│                                                    │
│  ┌──────────────────────────────────────────────┐  │
│  │                Public Subnets                │  │
│  │  AZ-a: 10.0.0.0/24   │  AZ-b: 10.0.1.0/24    │  │
│  │  ALB / NAT Gateway   │  ALB / NAT Gateway    │  │
│  └──────────────────────────────────────────────┘  │
│  ┌──────────────────────────────────────────────┐  │
│  │               Private Subnets                │  │
│  │  AZ-a: 10.0.10.0/24  │  AZ-b: 10.0.11.0/24   │  │
│  │  ECS / EKS / EC2     │  ECS / EKS / EC2      │  │
│  └──────────────────────────────────────────────┘  │
│  ┌──────────────────────────────────────────────┐  │
│  │                 Data Subnets                 │  │
│  │  AZ-a: 10.0.20.0/24  │  AZ-b: 10.0.21.0/24   │  │
│  │  RDS / ElastiCache   │  RDS / ElastiCache    │  │
│  └──────────────────────────────────────────────┘  │
│  ┌──────────────────────────────────────────────┐  │
│  │           VPC Endpoints (Private)            │  │
│  │   S3 • DynamoDB • ECR • SSM • Secrets Mgr    │  │
│  └──────────────────────────────────────────────┘  │
└────────────────────────────────────────────────────┘

Repository Structure

vpc-design-patterns/
├── .github/workflows/        # CI/CD pipelines
├── terraform/
│   ├── modules/
│   │   ├── vpc/              # Core VPC + subnets + routing
│   │   ├── transit-gateway/  # TGW + attachments + route tables
│   │   ├── vpc-endpoints/    # Interface + gateway endpoints
│   │   ├── security-groups/  # Layered security group rules
│   │   └── network-firewall/ # AWS Network Firewall
│   └── environments/
│       ├── prod/             # Production hub-and-spoke
│       └── dev/              # Development single-VPC
├── docs/architecture/        # ADRs and design docs
├── docs/runbooks/            # Operational runbooks
├── scripts/                  # Python + Bash automation
└── diagrams/                 # Architecture diagrams (draw.io)

Key Design Decisions

| Decision | Choice | Rationale |
|---|---|---|
| Transit Gateway vs VPC Peering | Transit Gateway | Scales to 5,000 attachments per TGW (default quota); avoids full-mesh peering and per-pair route-table sprawl |
| Centralized vs distributed inspection | Centralized | One inspection point and one policy to manage; requires appliance mode on the inspection attachment so both directions of a flow reach the same AZ's firewall endpoint |
| NAT Gateway placement | Per-AZ | Avoids cross-AZ data transfer costs and keeps an AZ outage from taking down egress for the other AZs |
| VPC CIDR design | /16 per VPC, /24 per subnet | Room for growth; contiguous /16s summarize cleanly toward on-premises |
| DNS strategy | Route 53 Resolver + forwarding rules | Hybrid DNS without exposing endpoints |

IP Addressing Scheme

| Environment | VPC CIDR | Purpose |
|---|---|---|
| Inspection | 100.64.0.0/16 | Network Firewall endpoints (RFC 6598 shared address space, kept out of the RFC 1918 plan and never advertised to on-premises) |
| Shared Services | 10.0.0.0/16 | DNS, tooling, endpoints |
| Production | 10.1.0.0/16 | Production workloads |
| Staging | 10.2.0.0/16 | Pre-production testing |
| Development | 10.3.0.0/16 | Developer environments |
| On-premises | 172.16.0.0/12 | Hybrid via Direct Connect/VPN |
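Because the four 10.x VPCs are contiguous /16s, they collapse to a single 10.0.0.0/14, which is the one prefix that has to be advertised toward on-premises; 100.64.0.0/16 is deliberately not part of that summary. The following added example (not one of the repository's scripts) checks the table above for overlaps with the standard library `ipaddress` module, derives that summary, and carves the per-tier, per-AZ /24s of Pattern 2 out of a VPC /16. The function names and the tier offsets (0, 10, 20 in the third octet) are this example's own, chosen to match the Pattern 2 diagram.

```python
"""Sanity-check and extend the addressing scheme above.

Added example, not code from this repository. The VPC and on-premises ranges
are the ones in the table; the tier offsets follow the Pattern 2 diagram.
"""
import ipaddress

VPCS = {
    "inspection": "100.64.0.0/16",
    "shared": "10.0.0.0/16",
    "prod": "10.1.0.0/16",
    "staging": "10.2.0.0/16",
    "dev": "10.3.0.0/16",
}
ON_PREM = "172.16.0.0/12"

# Third octet where each tier's /24s start (public 10.x.0.0, private 10.x.10.0,
# data 10.x.20.0); one /24 per AZ per tier, so each tier has room for 10 AZs.
TIER_OFFSET = {"public": 0, "private": 10, "data": 20}


def overlapping_pairs(cidrs):
    """Every pair of named ranges that overlap; an empty list means the plan is clean."""
    nets = {name: ipaddress.ip_network(c) for name, c in cidrs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def summary_routes(cidrs):
    """Fewest prefixes that cover the given ranges exactly.

    This is what to advertise to on-premises over DX/VPN. 100.64.0.0/16 is not
    adjacent to 10.x, so it can never merge into the summary.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def carve_subnets(vpc_cidr, tiers=TIER_OFFSET, az_count=2):
    """Allocate one /24 per tier per AZ: third octet = tier offset + AZ index."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if vpc.prefixlen != 16:
        raise ValueError("the scheme assumes a /16 per VPC")
    if az_count > 10:
        raise ValueError("more than 10 AZs would run one tier's block into the next")
    plan = {}
    for tier, base in tiers.items():
        for az in range(az_count):
            third = base + az
            plan[f"{tier}-az{az}"] = str(
                ipaddress.ip_network(f"{vpc.network_address + third * 256}/24"))
    return plan


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs({**VPCS, "onprem": ON_PREM}) or "none")
    print("summary :", summary_routes(c for n, c in VPCS.items() if n != "inspection"))
    for name, cidr in carve_subnets(VPCS["prod"], az_count=3).items():
        print(f"  {name:12} {cidr}")
```

One consequence worth planning for: 10.0.0.0/14 has no spare /16, so a fifth 10.x VPC changes the advertised summary. Reserving 10.0.0.0/13 (10.0 through 10.7) for the cloud estate up front avoids touching on-premises routing later.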

Security Layers

  1. Network Firewall — stateful L3–L7 inspection (Suricata-compatible rules, domain and TLS SNI filtering) of every flow that crosses the Transit Gateway: inter-VPC, egress and ingress
  2. Security Groups — stateful instance-level firewall; rules can only allow, so the posture is allow-list by construction
  3. NACLs — stateless subnet-level controls, used for the explicit deny rules that security groups cannot express
  4. VPC Flow Logs — all traffic captured to S3 and CloudWatch
  5. DNS Firewall — Route 53 Resolver DNS Firewall blocks known-bad domains and DNS tunnelling/exfiltration
  6. PrivateLink — service consumption without internet exposure
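Flow logs are only a control if something reads them. The following added example (not the repository's code) is a small detector for layer 4 above: it parses default-format (version 2) VPC Flow Log records, labels each side by environment from the CIDR table, and reports ACCEPTed flows between environments that the firewall policy should never allow. It distinguishes a flow logged on the source ENI (the sender's security group let it out, and the firewall may still drop it) from the same flow logged on the destination ENI, which proves it got through. The allowed-pair policy, the ENI-to-environment map and the log records are all constructed for the example.

```python
"""Detect east-west flows that violate the segmentation model above.

Added example, not code from this repository. The allowed-pair policy, the
ENI-to-environment map and the sample records are constructed; the record
layout is the default VPC Flow Log format (version 2).
"""
import ipaddress
from collections import Counter

NETS = {env: ipaddress.ip_network(c) for env, c in {
    "inspection": "100.64.0.0/16",
    "shared": "10.0.0.0/16",
    "prod": "10.1.0.0/16",
    "staging": "10.2.0.0/16",
    "dev": "10.3.0.0/16",
    "onprem": "172.16.0.0/12",
}.items()}

# Cross-environment pairs the firewall is meant to allow (either direction).
# Assumed policy: everyone may reach shared services; on-prem may reach prod.
ALLOWED_PAIRS = {
    frozenset({"shared", "prod"}), frozenset({"shared", "staging"}),
    frozenset({"shared", "dev"}), frozenset({"shared", "onprem"}),
    frozenset({"onprem", "prod"}),
}

# Which environment each logged ENI lives in (constructed; in practice built
# from describe-network-interfaces). Decides whether an ACCEPT was seen at the
# sender or at the receiver.
ENI_ENV = {"eni-dev-app-01": "dev", "eni-dev-app-02": "dev",
           "eni-prod-db-01": "prod", "eni-prod-app-01": "prod"}

# Default flow log format, version 2: 14 space-separated fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_record(line):
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def environment(ip):
    """Name of the range an address belongs to, or 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((env for env, net in NETS.items() if addr in net), "external")


def is_cross_env_violation(src_env, dst_env):
    if src_env == dst_env or "external" in (src_env, dst_env):
        return False      # intra-environment, or internet-bound (out of scope here)
    return frozenset({src_env, dst_env}) not in ALLOWED_PAIRS


def analyze(lines, eni_env=ENI_ENV):
    """Return (violations seen at the receiver, attempts seen at the sender, rejects)."""
    violations, attempts, rejected = [], Counter(), Counter()
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK":
            continue      # NODATA/SKIPDATA records carry '-' instead of addresses
        src, dst = environment(rec["srcaddr"]), environment(rec["dstaddr"])
        if not is_cross_env_violation(src, dst):
            continue
        if rec["action"] == "REJECT":
            rejected[(src, dst)] += 1          # a control did its job; keep as a trend
        elif eni_env.get(rec["interface_id"]) == src:
            attempts[(src, dst)] += 1          # left the source VPC; inspection should drop it
        else:                                  # logged at the destination side: it got through
            violations.append(
                f"{rec['interface_id']}: {src} {rec['srcaddr']} -> {dst} "
                f"{rec['dstaddr']}:{rec['dstport']}/{rec['protocol']} ACCEPT")
    return violations, attempts, rejected


# Constructed sample records (not real traffic). The first line is a dev host
# reaching a prod database as seen on the database's ENI: something bypassed
# the firewall. The second is the same flow as seen on the dev host's ENI.
SAMPLE_LOG = """\
2 123456789012 eni-prod-db-01 10.3.1.10 10.1.2.20 44321 5432 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-dev-app-01 10.3.1.10 10.1.2.20 44321 5432 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-dev-app-01 10.3.1.10 10.0.0.2 53012 53 17 1 80 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-dev-app-02 10.3.1.11 10.2.4.7 50200 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-prod-db-01 172.16.5.9 10.1.2.20 61000 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-prod-db-01 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-prod-app-01 10.1.2.20 203.0.113.10 40000 443 6 8 3300 1700000000 1700000060 ACCEPT OK
"""

if __name__ == "__main__":
    found, attempts, rejected = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        print("VIOLATION", f)
    for (s, d), n in attempts.items():
        print(f"attempt  {s} -> {d}: {n} (should be dropped by inspection)")
    for (s, d), n in rejected.items():
        print(f"rejected {s} -> {d}: {n}")
```

In practice the ENI-to-environment map comes from `describe-network-interfaces`, or the logs are written with the custom fields `vpc-id` and `flow-direction`, which make the sender/receiver distinction explicit without a lookup. The `rejected` counter is not noise: a rising count of dev -> staging rejects is an early sign that a deployment is pointed at the wrong environment, and a dev -> prod attempt that never shows up as a violation is the evidence that inspection is doing its job.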

Quick Start

git clone https://github.com/Chebis26/vpc-design-patterns.git
cd vpc-design-patterns/terraform/environments/prod

# Configure variables
cp terraform.tfvars.example terraform.tfvars

# Deploy
terraform init
terraform plan -out=tfplan
terraform apply tfplan

Cost Optimization

| Resource | Monthly cost (us-east-1 list prices) | Optimization |
|---|---|---|
| Transit Gateway | ~$36/attachment + $0.02/GB processed | Share one TGW across the organization via RAM; note that hairpinning through the inspection VPC means inter-VPC data is processed twice |
| NAT Gateway | ~$32/AZ + $0.045/GB | One per AZ in a public subnet, with only the private subnets that need egress routed to it; send S3 and DynamoDB traffic through gateway endpoints so it never touches the NAT; consider a NAT instance for dev |
| Network Firewall | ~$290/endpoint per AZ (at $0.395/hour) + $0.065/GB processed | Only in prod; skip in dev/test |
| VPC Endpoints (interface) | ~$7.20/endpoint/AZ + $0.01/GB | Consolidate in the shared services VPC and share them through private hosted zones |
| VPC Flow Logs | $0.50/GB ingested into CloudWatch Logs | Flow Logs cannot be sampled; for dev log REJECT traffic only, and deliver to S3 (Parquet, hourly partitions), which is cheaper per GB than CloudWatch ingestion |

Disaster Recovery

  • Transit Gateway is a regional service; each spoke attaches a subnet in every AZ it uses, so traffic stays in-AZ and an AZ loss does not break the remaining AZs' connectivity
  • Subnets in 3 AZs for all critical environments
  • VPC configuration backed by Terraform state with versioning
  • Route 53 health checks with automatic failover

License

MIT License — see LICENSE
