Provisioning VPCs using Terraform VPC Module: Step-by-Step Guide for Common Use Cases

1. Introduction

Virtual Private Clouds (VPCs) in AWS are pivotal for establishing secure, isolated cloud environments, giving you control over IP ranges, subnets, and network gateways. Terraform, a prominent tool in Infrastructure as Code (IaC), simplifies the management and provisioning of AWS infrastructure, ensuring efficient and consistent deployments. This guide focuses on leveraging Terraform VPC module to streamline the creation and management of AWS VPCs, emphasizing its efficacy in enhancing security and performance.

2. Understanding VPC Requirements

The configuration of an AWS VPC must be tailored to the specific network design and goals of your project, making a deep understanding of VPC requirements essential for creating a high-performing and secure environment. For instance, a project demanding robust security might focus on intricate security group and network ACL configurations, while a high-availability setup would prioritize distributing resources across multiple Availability Zones.

Recognizing these nuanced VPC requirements is key to effectively leveraging VPC capabilities to meet your unique infrastructure needs, whether you are provisioning your VPCs using Terraform, CDK, plain CF or some other way.

3. Setting Up the Terraform Environment

Setting up your environment for using Terraform is a critical first step in managing your VPCs using Terraform.

Installing Terraform

  1. Download and Install: Download Terraform from the official Terraform website. Choose the package that matches your operating system and architecture, then follow the installation instructions specific to your platform.
  2. Verify the Installation: After installation, verify Terraform is correctly installed by running terraform -v in your terminal or command prompt. This command should return the Terraform version, indicating a successful installation.

For a more comprehensive guide on installing Terraform, including detailed steps for different operating systems, refer to our in-depth article on setting up Terraform.

With Terraform installed and a basic understanding of the configuration files, you are now ready to begin defining your infrastructure as code. Remember, these files form the foundation of your Terraform project, dictating how your infrastructure is provisioned and managed.

4. Using the Terraform VPC Module

The Terraform VPC Module is an essential tool in the Terraform ecosystem for creating and managing AWS Virtual Private Clouds (VPCs) efficiently. This module simplifies the process of VPC setup, allowing you to configure complex networks with minimal code. In this section, we’ll first explore the advantages of using the Terraform VPC module and then provide a basic example of how to define a VPC using this module.

4.1 Advantages of the Terraform VPC Module

  1. Simplicity and Reusability: The module abstracts the complexity of VPC creation, offering a simpler interface to define network components. It can be reused across different projects, ensuring consistency and saving time.
  2. Customization: Despite its simplicity, the module is highly customizable, allowing you to specify various aspects of your VPC, such as CIDR blocks, subnets, route tables, and more.
  3. Community-Driven Best Practices: As a community-driven module, it incorporates best practices and is regularly updated, ensuring your infrastructure adheres to the latest standards.
  4. Integration with Other AWS Services: The module smoothly integrates with other AWS services, facilitating a comprehensive cloud environment setup.
  5. Error Reduction: By using a well-tested module, you reduce the likelihood of errors that might occur when manually scripting complex VPC configurations.

4.2 Defining a Basic VPC Using the Terraform VPC Module

Below is a simple example of how to use the Terraform VPC module to define a basic VPC:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "3.0.0"

  name = "my-vpc"
  cidr = ""

  azs             = ["us-east-1a", "us-east-1b"]
  private_subnets = ["", ""]
  public_subnets  = ["", ""]

  enable_nat_gateway = true
  single_nat_gateway = true

output "vpc_id" {
  value = module.vpc.vpc_id

In this code snippet:

  • source specifies the Terraform registry location of the VPC module.
  • namecidrazsprivate_subnets, and public_subnets are parameters to configure the VPC’s name, CIDR block, availability zones, and subnet definitions.
  • enable_nat_gateway and single_nat_gateway are options for configuring NAT gateways for outbound internet access from the private subnets.

By applying this configuration, Terraform will create a VPC with the specified settings, demonstrating the module’s effectiveness in simplifying VPC creation. For more complex setups and advanced configurations, you can explore the Terraform AWS VPC Module documentation and our article on creating an EC2 instance using Terraform, which provides insights into integrating VPCs with other AWS resources.

5. Using Terraform VPC Module to Implement Common VPC Requirements and Configurations

In this section, we’ll delve into common VPC requirements and demonstrate how to implement them using Terraform, with detailed code snippets and explanations.

5.1 Provisioning VPC With Multiple Subnets

Splitting a VPC into public and private subnets is crucial for managing access and security effectively.

Configuration and Code Snippet:

module "vpc" {
  # ... (other configurations)

  private_subnets = ["", ""]
  public_subnets  = ["", ""]

By specifying different CIDR blocks for private_subnets and public_subnets, this configuration creates distinct zones for internal and external resource access.

5.2 VPC With NAT Gateways

NAT Gateways allow secure internet access from private subnets without exposing them directly.

Configuration and Code Snippet:

module "vpc" {
  # ... (other configurations)

  enable_nat_gateway = true
  single_nat_gateway = true

enable_nat_gateway ensures the creation of NAT gateways, and single_nat_gateway uses one gateway for all private subnets, optimizing costs.

5.3 High Availability

Ensuring high availability involves spreading resources across multiple Availability Zones.

Configuration and Code Snippet:

module "vpc" {
  # ... (other configurations)

  azs = ["us-east-1a", "us-east-1b"]

This setup distributes the VPC’s infrastructure across two Availability Zones, providing resilience and reliability.

5.4 Secure VPCs: Security Groups and Network ACLs

Security groups and network ACLs are critical for defining granular network access control within a VPC.

Configuration and Code Snippet:

resource "aws_security_group" "my_security_group" {
  vpc_id = module.vpc.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [""]

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["YOUR_IP_ADDRESS/32"]

This example configures a security group allowing all outbound traffic (egress) and inbound SSH access (ingress) from a specific IP.

5.5 VPN/Direct Connect

Configuring VPNs or Direct Connect ensures secure connectivity with external networks.

Configuration and Code Snippet:

resource "aws_vpn_connection" "my_vpn" {
  vpn_gateway_id      =
  customer_gateway_id =
  type                = "ipsec.1"

This snippet sets up a VPN connection using specified VPN and customer gateways.

5.6 VPC with Custom Route Tables

Custom route tables are essential for directing traffic within your VPC according to specific requirements.

Configuration and Code Snippet:

resource "aws_route_table" "my_route_table" {
  vpc_id = module.vpc.vpc_id

  route {
    cidr_block = ""
    gateway_id =

This configuration creates a route table with a route directing all traffic ( to an internet gateway.

5.7 VPC Peering/Transit Gateway

VPC peering or using Transit Gateways is necessary for communication between multiple VPCs.

Configuration and Code Snippet:

resource "aws_vpc_peering_connection" "peer_vpc" {
  peer_vpc_id  =
  vpc_id       = module.vpc.vpc_id
  auto_accept  = true

  tags = {
    Name = "VPC Peering"

This snippet establishes a peering connection with another VPC, enabling inter-VPC communication.

5.8 Tagging Your VPC Resources

Tagging helps in organizing and managing AWS resources effectively.

Configuration and Code Snippet:

resource "aws_vpc" "my_vpc" {
  # ... (other configurations)

  tags = {
    Name        = "my-vpc"
    Environment = "Production"

This example assigns descriptive tags to the VPC, aiding in categorization and management.

Each of these configurations demonstrates how Terraform can be effectively used to set up various aspects of a VPC. By using Terraform, these configurations can be easily managed and version-controlled, making your infrastructure more scalable and maintainable. For further details on advanced VPC configurations and Terraform best practices, refer to our articles on AWS VPC best practices and Terraform best practices.

6. Initializing and Applying Terraform Configuration

The process of initializing and applying your Terraform VPC configuration is pivotal in turning your code into a functioning cloud infrastructure.

  1. Initialization: Run terraform init to prepare your Terraform project. This step is crucial to set up the necessary backend and plugins.
  2. Execution Plan and Application: Generate an execution plan with terraform plan to preview changes, and apply them using terraform apply. Always confirm the plan before applying to avoid unintended changes.
  3. Verification: After applying, verify the changes in your AWS environment to ensure correct implementation.

For detailed instructions and best practices on initializing and applying Terraform configurations, refer to our comprehensive guides on Terraform plan and Terraform init. These resources provide in-depth insights and are essential for efficiently managing your Terraform projects.

7. Maintaining Terraform Provisioned VPC

Maintaining a VPC provisioned by Terraform involves regular updates and, when necessary, deletion. It’s crucial to manage these operations with care to ensure the infrastructure remains reliable and secure.

7.1 Updating the VPC using Terraform

  1. Modify Configuration: Make the required changes to your Terraform configuration files.
  2. Review Changes: Run terraform plan to review the changes that will be made. Ensure that these changes align with your objectives and do not unintentionally disrupt existing infrastructure.
  3. Apply Updates: Execute terraform apply to apply the changes. Monitor the output to ensure the update completes successfully.

7.2 Deleting the VPC using Terraform

  1. Plan Deletion: Before deleting a VPC, ensure that all dependent resources are appropriately handled. This might include migrating or backing up data.
  2. Terraform Deletion Command: To delete the VPC, remove the VPC configuration from your Terraform files and run terraform apply. Terraform will recognize that resources need to be deleted.
  3. Verify Deletion: After running the apply command, check your AWS account to confirm that the VPC and its resources have been successfully removed.

Best Practices

  • Regularly update your Terraform configurations to match best practices and address any identified vulnerabilities.
  • Keep your Terraform state files secure and backed up.
  • Use version control for your Terraform files to track changes and facilitate team collaboration.

Maintaining your Terraform-managed VPC requires a balance between updating configurations to meet evolving needs and ensuring stability and security. Regular reviews and cautious updates can help maintain this balance effectively. For more detailed guidance, refer to our articles on Terraform best practices and AWS VPC best practices.

8. Conclusion

This guide covered the key aspects of using Terraform to create secure and efficient AWS VPCs. We emphasized the importance of understanding VPC requirements, setting up Terraform, and applying best practices for maintenance and updates.

For further exploration and advanced techniques, consider reviewing our articles on Terraform best practices and AWS VPC best practices, which offer valuable insights for optimizing your cloud infrastructure. Remember, hands-on experimentation in a controlled environment is the best way to hone your skills and ensure successful implementations.

FAQs for Terraform VPC Module

How do I create a VPC network using Terraform?

To create a VPC network using Terraform, define your VPC resource in a Terraform configuration file, specifying necessary attributes like CIDR block. Use terraform init to initialize the project, terraform plan to review the infrastructure plan, and terraform apply to create the VPC in AWS.

How to create VPC in AWS using Terraform step by step?

  1. Install Terraform: Ensure Terraform is installed on your system.
  2. Write Terraform Configuration: Define your VPC in a Terraform file (e.g., with the required CIDR block and other settings.
  3. Initialize Terraform: Run terraform init in your project directory.
  4. Review the Plan: Use terraform plan to preview the changes.
  5. Apply Configuration: Execute terraform apply to create the VPC in AWS.
  6. Verify: Check your AWS console to confirm the VPC creation.

How do I create multiple VPCs in terraform?

To create multiple VPCs in Terraform, define multiple VPC resources in your Terraform configuration files, ensuring each VPC has unique identifiers and settings. You can also use modules and loops for more dynamic configuration if you have a pattern or template for VPC creation.

How to create EC2 in VPC using Terraform?

To create an EC2 instance in a VPC using Terraform, define an aws_instance resource in your Terraform configuration. Specify the VPC’s subnet ID in the instance configuration to ensure the EC2 instance is launched within your desired VPC. Include necessary details like AMI, instance type, and security group.

What is Terraform VPC Module?

The Terraform VPC Module is a pre-built set of Terraform configurations provided by the Terraform Registry, designed to simplify the creation and management of AWS VPCs. It abstracts the complexity of VPC components into a more user-friendly configuration, facilitating the easy setup of secure and efficient VPCs in AWS.

How can I ensure high availability in a Terraform-created VPC?

To ensure high availability in a Terraform-created VPC, distribute resources across multiple Availability Zones. In your Terraform configuration, define subnets in different Availability Zones and set up redundant resources (like NAT gateways or EC2 instances) in each zone to ensure continuous availability in case of zone failures.

What are the best practices for securing a VPC provisioned by Terraform?

Best practices for securing a VPC provisioned by Terraform include:

  1. Defining strict security groups and network ACLs to control inbound and outbound traffic.
  2. Using private subnets for sensitive resources like databases.
  3. Implementing VPC flow logs for monitoring network traffic.
  4. Regularly updating Terraform configurations to incorporate security enhancements and patches.

How can I manage VPC peering connections using Terraform?

To manage VPC peering connections using Terraform, use the aws_vpc_peering_connection resource in your configuration. Define the peering details like the requester and accepter VPCs, and specify the necessary route table modifications to allow traffic between the peered VPCs.

Can Terraform handle VPC updates and changes after initial creation?

Yes, Terraform can handle updates and changes to a VPC after its initial creation. Modify the existing Terraform configuration files to reflect the desired changes, then run terraform plan to review the changes and terraform apply to execute them. Terraform will adjust only the resources that need updating based on your modifications.

How do I delete a VPC created with Terraform?

To delete a VPC created with Terraform, remove or comment out the VPC resource configuration in your Terraform files. Then run terraform plan to review the changes and terraform apply to execute the deletion. Ensure that all dependencies and linked resources are also appropriately handled or removed to avoid conflicts during deletion.