VPC 网络搭建实战 #
架构概述 #
本案例将搭建一个完整的 AWS VPC 网络架构:
text
┌─────────────────────────────────────────────────────────────┐
│ VPC 架构 │
├─────────────────────────────────────────────────────────────┤
│ │
│ 可用区 A 可用区 B │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ 公有子网 │ │ 公有子网 │ │
│ │ 10.0.1.0/24 │ │ 10.0.2.0/24 │ │
│ │ ┌─────────────┐ │ │ ┌─────────────┐ │ │
│ │ │ NAT Gateway │ │ │ │ NAT Gateway │ │ │
│ │ └─────────────┘ │ │ └─────────────┘ │ │
│ └─────────────────┘ └─────────────────┘ │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ 私有子网 │ │ 私有子网 │ │
│ │ 10.0.11.0/24 │ │ 10.0.12.0/24 │ │
│ │ ┌─────────────┐ │ │ ┌─────────────┐ │ │
│ │ │ 应用服务 │ │ │ │ 应用服务 │ │ │
│ │ └─────────────┘ │ │ └─────────────┘ │ │
│ └─────────────────┘ └─────────────────┘ │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ 数据库子网 │ │ 数据库子网 │ │
│ │ 10.0.21.0/24 │ │ 10.0.22.0/24 │ │
│ └─────────────────┘ └─────────────────┘ │
│ │
│ ┌─────────────┐ │
│ │ IGW │ │
│ └─────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
项目结构 #
text
vpc/
├── main.tf
├── variables.tf
├── outputs.tf
├── versions.tf
├── vpc.tf
├── subnets.tf
├── nat.tf
├── routing.tf
├── endpoints.tf
├── flow-logs.tf
└── vpn.tf
配置文件 #
variables.tf #
hcl
variable "region" {
description = "AWS region"
type = string
default = "us-east-1"
}
variable "project_name" {
description = "Project name for resource naming"
type = string
}
variable "environment" {
description = "Environment name"
type = string
default = "dev"
}
variable "vpc_cidr" {
description = "CIDR block for VPC"
type = string
default = "10.0.0.0/16"
}
variable "availability_zones" {
description = "List of availability zones"
type = list(string)
default = []
}
variable "public_subnet_cidrs" {
description = "CIDR blocks for public subnets"
type = list(string)
default = []
}
variable "private_subnet_cidrs" {
description = "CIDR blocks for private subnets"
type = list(string)
default = []
}
variable "database_subnet_cidrs" {
description = "CIDR blocks for database subnets"
type = list(string)
default = []
}
variable "enable_nat_gateway" {
description = "Enable NAT Gateway"
type = bool
default = true
}
variable "single_nat_gateway" {
description = "Use single NAT Gateway for all AZs"
type = bool
default = false
}
variable "enable_vpn_gateway" {
description = "Enable VPN Gateway"
type = bool
default = false
}
variable "enable_flow_logs" {
description = "Enable VPC Flow Logs"
type = bool
default = true
}
variable "tags" {
description = "Tags to apply to all resources"
type = map(string)
default = {}
}
vpc.tf #
hcl
data "aws_availability_zones" "available" {
state = "available"
}
locals {
name_prefix = "${var.project_name}-${var.environment}"
azs = coalesce(var.availability_zones, slice(data.aws_availability_zones.available.names, 0, 2))
public_subnet_cidrs = coalesce(var.public_subnet_cidrs, [
for i in range(length(local.azs)) : cidrsubnet(var.vpc_cidr, 8, i)
])
private_subnet_cidrs = coalesce(var.private_subnet_cidrs, [
for i in range(length(local.azs)) : cidrsubnet(var.vpc_cidr, 8, i + 10)
])
database_subnet_cidrs = coalesce(var.database_subnet_cidrs, [
for i in range(length(local.azs)) : cidrsubnet(var.vpc_cidr, 8, i + 20)
])
common_tags = merge(var.tags, {
Project = var.project_name
Environment = var.environment
ManagedBy = "terraform"
})
}
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr
enable_dns_hostnames = true
enable_dns_support = true
instance_tenancy = "default"
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-vpc"
})
}
resource "aws_vpc_ipv4_cidr_block_association" "secondary" {
count = var.enable_secondary_cidr ? 1 : 0
vpc_id = aws_vpc.main.id
cidr_block = var.secondary_cidr
}
subnets.tf #
hcl
resource "aws_subnet" "public" {
count = length(local.azs)
vpc_id = aws_vpc.main.id
cidr_block = local.public_subnet_cidrs[count.index]
availability_zone = local.azs[count.index]
map_public_ip_on_launch = true
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-public-${local.azs[count.index]}"
Tier = "public"
})
}
resource "aws_subnet" "private" {
count = length(local.azs)
vpc_id = aws_vpc.main.id
cidr_block = local.private_subnet_cidrs[count.index]
availability_zone = local.azs[count.index]
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-private-${local.azs[count.index]}"
Tier = "private"
})
}
resource "aws_subnet" "database" {
count = length(local.azs)
vpc_id = aws_vpc.main.id
cidr_block = local.database_subnet_cidrs[count.index]
availability_zone = local.azs[count.index]
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-database-${local.azs[count.index]}"
Tier = "database"
})
}
resource "aws_db_subnet_group" "main" {
name = "${local.name_prefix}-db"
subnet_ids = aws_subnet.database[*].id
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-db-subnet-group"
})
}
nat.tf #
hcl
resource "aws_internet_gateway" "main" {
vpc_id = aws_vpc.main.id
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-igw"
})
}
resource "aws_eip" "nat" {
count = var.enable_nat_gateway ? (var.single_nat_gateway ? 1 : length(local.azs)) : 0
domain = "vpc"
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-nat-${count.index + 1}"
})
depends_on = [aws_internet_gateway.main]
}
resource "aws_nat_gateway" "main" {
count = var.enable_nat_gateway ? (var.single_nat_gateway ? 1 : length(local.azs)) : 0
allocation_id = aws_eip.nat[count.index].id
subnet_id = aws_subnet.public[count.index].id
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-nat-${count.index + 1}"
})
depends_on = [aws_internet_gateway.main]
}
routing.tf #
hcl
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.main.id
}
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-public-rt"
})
}
resource "aws_route_table" "private" {
count = var.enable_nat_gateway ? (var.single_nat_gateway ? 1 : length(local.azs)) : 1
vpc_id = aws_vpc.main.id
dynamic "route" {
for_each = var.enable_nat_gateway ? [1] : []
content {
cidr_block = "0.0.0.0/0"
nat_gateway_id = var.single_nat_gateway ? aws_nat_gateway.main[0].id : aws_nat_gateway.main[count.index].id
}
}
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-private-rt-${count.index + 1}"
})
}
resource "aws_route_table_association" "public" {
count = length(local.azs)
subnet_id = aws_subnet.public[count.index].id
route_table_id = aws_route_table.public.id
}
resource "aws_route_table_association" "private" {
count = length(local.azs)
subnet_id = aws_subnet.private[count.index].id
route_table_id = var.single_nat_gateway ? aws_route_table.private[0].id : aws_route_table.private[count.index].id
}
resource "aws_route_table_association" "database" {
count = length(local.azs)
subnet_id = aws_subnet.database[count.index].id
route_table_id = var.single_nat_gateway ? aws_route_table.private[0].id : aws_route_table.private[count.index].id
}
endpoints.tf #
hcl
resource "aws_vpc_endpoint" "s3" {
vpc_id = aws_vpc.main.id
service_name = "com.amazonaws.${var.region}.s3"
vpc_endpoint_type = "Gateway"
route_table_ids = concat(
[aws_route_table.public.id],
aws_route_table.private[*].id
)
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-s3-endpoint"
})
}
resource "aws_vpc_endpoint" "dynamodb" {
vpc_id = aws_vpc.main.id
service_name = "com.amazonaws.${var.region}.dynamodb"
vpc_endpoint_type = "Gateway"
route_table_ids = concat(
[aws_route_table.public.id],
aws_route_table.private[*].id
)
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-dynamodb-endpoint"
})
}
resource "aws_security_group" "vpc_endpoints" {
name = "${local.name_prefix}-vpc-endpoints-sg"
description = "Security group for VPC endpoints"
vpc_id = aws_vpc.main.id
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [var.vpc_cidr]
}
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-vpc-endpoints-sg"
})
}
resource "aws_vpc_endpoint" "secretsmanager" {
vpc_id = aws_vpc.main.id
service_name = "com.amazonaws.${var.region}.secretsmanager"
vpc_endpoint_type = "Interface"
subnet_ids = aws_subnet.private[*].id
security_group_ids = [aws_security_group.vpc_endpoints.id]
private_dns_enabled = true
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-secretsmanager-endpoint"
})
}
flow-logs.tf #
hcl
resource "aws_flow_log" "main" {
count = var.enable_flow_logs ? 1 : 0
iam_role_arn = aws_iam_role.flow_logs[0].arn
log_destination = aws_cloudwatch_log_group.flow_logs[0].arn
traffic_type = "ALL"
vpc_id = aws_vpc.main.id
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-flow-logs"
})
}
resource "aws_cloudwatch_log_group" "flow_logs" {
count = var.enable_flow_logs ? 1 : 0
name = "/aws/vpc-flow-logs/${local.name_prefix}"
retention_in_days = 30
tags = local.common_tags
}
resource "aws_iam_role" "flow_logs" {
count = var.enable_flow_logs ? 1 : 0
name = "${local.name_prefix}-flow-logs-role"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "vpc-flow-logs.amazonaws.com"
}
}
]
})
tags = local.common_tags
}
resource "aws_iam_role_policy" "flow_logs" {
count = var.enable_flow_logs ? 1 : 0
name = "${local.name_prefix}-flow-logs-policy"
role = aws_iam_role.flow_logs[0].id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams"
]
Effect = "Allow"
Resource = "*"
}
]
})
}
outputs.tf #
hcl
output "vpc_id" {
description = "The ID of the VPC"
value = aws_vpc.main.id
}
output "vpc_cidr_block" {
description = "The CIDR block of the VPC"
value = aws_vpc.main.cidr_block
}
output "vpc_arn" {
description = "The ARN of the VPC"
value = aws_vpc.main.arn
}
output "public_subnet_ids" {
description = "List of public subnet IDs"
value = aws_subnet.public[*].id
}
output "private_subnet_ids" {
description = "List of private subnet IDs"
value = aws_subnet.private[*].id
}
output "database_subnet_ids" {
description = "List of database subnet IDs"
value = aws_subnet.database[*].id
}
output "database_subnet_group" {
description = "Database subnet group name"
value = aws_db_subnet_group.main.name
}
output "nat_gateway_ids" {
description = "List of NAT Gateway IDs"
value = aws_nat_gateway.main[*].id
}
output "nat_gateway_public_ips" {
description = "List of NAT Gateway public IPs"
value = aws_eip.nat[*].public_ip
}
output "internet_gateway_id" {
description = "The ID of the Internet Gateway"
value = aws_internet_gateway.main.id
}
output "public_route_table_id" {
description = "ID of the public route table"
value = aws_route_table.public.id
}
output "private_route_table_ids" {
description = "List of private route table IDs"
value = aws_route_table.private[*].id
}
使用示例 #
hcl
module "vpc" {
source = "./modules/vpc"
project_name = "myproject"
environment = "prod"
vpc_cidr = "10.0.0.0/16"
enable_nat_gateway = true
single_nat_gateway = false
enable_flow_logs = true
tags = {
Owner = "platform-team"
}
}
下一步 #
完成 VPC 网络搭建后,接下来学习 Kubernetes 集群部署,了解如何部署 EKS 集群!
最后更新:2026-03-29