
NTC Core Network

Migrating to v2?

NTC Core Network v2 introduces major improvements including AWS Provider v6 support, AWS European Sovereign Cloud compatibility, and simplified multi-region configuration.

📖 Read the Migration Guide for step-by-step instructions.

Description

NTC Core Network simplifies the management of your AWS core networking infrastructure, including Transit Gateway, VPN, and Direct Connect. This building block automates the setup of secure and scalable connectivity across AWS accounts and on-premises environments, supporting both single-region and multi-region network deployments.

With NTC Core Network, you can streamline hybrid network configurations, enforce consistent routing policies, and ensure reliable, high-performance connections. Designed for flexibility, this module provides a robust foundation for your AWS and hybrid network architecture.

Info

To share Transit Gateways across Organizational Units (OUs), RAM sharing must first be enabled for the organization. This can be configured using NTC Organizations by setting enable_ram_sharing_in_organization to true.

Usage

Latest Release: 2.0.0

Requirements

The following requirements are needed by this module:

  • terraform (>= 1.5.0)

  • aws (>= 6.0)

  • time (>= 0.11)

Providers

The following providers are used by this module:

  • aws (>= 6.0)

  • time (>= 0.11)

Modules

The following Modules are called:

flow_logs

Source: ./modules/flow-logs

Version:

Resources

The following resources are used by this module:

Required Inputs

No required inputs.

Optional Inputs

The following input variables are optional (have default values):

customer_managed_prefix_lists

Description: Define customer managed prefix lists to be created in one or more regions and referenced in route tables.

Type:

list(object({
  regions = list(string)
  name = string
  address_family = optional(string, "IPv4")
  entries = optional(list(object({
    cidr = string
    description = optional(string, null)
  })), [])
  max_entries = optional(number, null)
  ram_share_principals = optional(list(string), [])
  ram_share_allow_external_principals = optional(bool, false)
}))

Default: []

direct_connect

Description: Configuration of core network direct connect.

Type:

object({
  dx_gateways = optional(list(object({
    name = string
    amazon_side_asn = optional(number, 65500)
  })), [])
  transit_gateway_associations = optional(list(object({
    region = string
    dx_gateway_name = optional(string, "")
    dx_gateway_id = optional(string, "")
    transit_gateway_name = string
    transit_gateway_association_with_route_table_name = string
    transit_gateway_propagation_to_route_table_names = optional(list(string), [])
    allowed_prefixes = list(string)
  })), [])
  dx_dedicated_connections = optional(list(object({
    region = string
    name = string
    bandwidth_in_gpbs = number
    location_name = string
    provider_name = optional(string, null)
    macsec_support = optional(bool, false)
    encryption_mode = optional(string, null)
    skip_destroy = optional(bool, true)
    virtual_interfaces = optional(list(object({
      name = string
      vlan = number
      type = optional(string, "transit")
      dx_gateway_name = optional(string, "")
      dx_gateway_id = optional(string, null)
      address_family = optional(string, "ipv4")
      customer_side_asn = optional(number, 65352)
      bgp_auth_key = optional(string, null)
      mtu = optional(number, 1500)
      sitelink_enabled = optional(bool, false)
      customer_peer_ip = optional(string, "10.0.0.1/30")
      amazon_peer_ip = optional(string, "10.0.0.2/30")
    })), [])
  })), [])
})

Default: {}
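Added example of a direct_connect input (not taken from the module's documentation or source): a MACsec-capable dedicated connection set to must_encrypt, a transit VIF with an authenticated BGP session, and a DX gateway association that advertises only a summarised AWS-side prefix to on-premises. The module source, location name and the bgp_auth_key variable are placeholders/assumptions; the encryption_mode values are those of the AWS Direct Connect API (no_encrypt, should_encrypt, must_encrypt).

```hcl
# Added example; module source and location_name are placeholders.
variable "bgp_auth_key" {
  description = "BGP MD5 key for the transit VIF, supplied out of band"
  type        = string
  sensitive   = true
}

module "core_network" {
  source = "PLACEHOLDER/ntc-core-network" # assumption: replace with the real source

  transit_gateways = [{ region = "eu-central-1", name = "tgw-frankfurt" }]

  direct_connect = {
    dx_gateways = [{ name = "dxgw-core", amazon_side_asn = 64600 }]

    transit_gateway_associations = [{
      region               = "eu-central-1"
      dx_gateway_name      = "dxgw-core"
      transit_gateway_name = "tgw-frankfurt"
      transit_gateway_association_with_route_table_name = "tgw-route-table-hub"
      transit_gateway_propagation_to_route_table_names  = ["tgw-route-table-spoke"]
      # Only the summarised AWS-side range is advertised to on-premises; nothing
      # outside this list is reachable through the DX gateway.
      allowed_prefixes = ["10.0.0.0/8"]
    }]

    dx_dedicated_connections = [{
      region            = "eu-central-1"
      name              = "dxcon-frankfurt"
      bandwidth_in_gpbs = 10 # MACsec is only offered on 10 Gbps and faster dedicated connections
      location_name     = "PLACEHOLDER-LOCATION"
      macsec_support    = true
      # must_encrypt: the connection stays down unless MACsec is established,
      # instead of silently falling back to cleartext as should_encrypt does.
      encryption_mode = "must_encrypt"
      virtual_interfaces = [{
        name              = "vif-transit-frankfurt"
        vlan              = 100
        type              = "transit"
        dx_gateway_name   = "dxgw-core"
        customer_side_asn = 65000
        bgp_auth_key      = var.bgp_auth_key # authenticated BGP session
        mtu               = 8500             # jumbo frames on the transit VIF
        customer_peer_ip  = "169.254.100.1/30"
        amazon_peer_ip    = "169.254.100.2/30"
      }]
    }]
  }
}
```

The MACsec CKN/CAK key association is not part of this input schema and has to be configured separately; until it is, a must_encrypt connection stays down by design.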

transit_gateways

Description: List of transit gateways to create across one or more regions.

Type:

list(object({
  region = string
  name = string
  description = optional(string, "core network")
  amazon_side_asn = optional(number, 64512)
  default_route_table_association = optional(bool, false)
  default_route_table_propagation = optional(bool, false)
  dns_support = optional(bool, true)
  multicast_support = optional(bool, false)
  vpn_ecmp_support = optional(bool, true)
  security_group_referencing_support = optional(bool, false)
  cidr_blocks = optional(list(string), [])
  route_table_names = optional(list(string), ["tgw-route-table-hub", "tgw-route-table-spoke"])
  cross_account_vpc_attachment_ids = optional(list(string), [])
  auto_accept_shared_attachments = optional(bool, false)
  ram_share_principals = optional(list(string), [])
  ram_share_allow_external_principals = optional(bool, false)
  flow_log_destinations = optional(list(object({
    destination_type = string
    destination_arn = optional(string, "")
    traffic_type = optional(string, "ALL")
    log_format = optional(string, null)
    max_aggregation_interval = optional(number, 60)
    s3_options = optional(object({
      file_format = optional(string, "plain-text")
      hive_compatible_partitions = optional(bool, false)
      per_hour_partition = optional(bool, false)
    }), {})
    cloudwatch_options = optional(object({
      iam_role_arn = optional(string, "")
      iam_role_prefix = optional(string, "transit-gateway-flow-logs-role-")
      iam_policy_prefix = optional(string, "transit-gateway-flow-logs-to-cloudwatch-")
      use_existing_kms_key = optional(bool, false)
      kms_key_arn = optional(string, "")
      permissions_boundary_arn = optional(string, null)
      name_prefix = optional(string, "/aws/transit-gateway-flow-logs/")
      retention_in_days = optional(number, null)
    }), {})
  })), [])
  peering_requests = optional(list(object({
    peer_transit_gateway_name = string
    association_with_route_table_name = optional(object({
      peering_requester = optional(string, "")
      peering_accepter = optional(string, "")
    }), {})
  })), [])
}))

Default: []
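Added example covering the customer_managed_prefix_lists and transit_gateways inputs above (not code from the module's documentation or source): a prefix list created in two regions, a Frankfurt TGW shared to an OU with flow logs going to S3 in Parquet format, and a Dublin TGW that requests a cross-region peering into the hub route table. The module source, OU ARN and bucket ARN are placeholders, and the destination_type and file_format values are assumed to follow the AWS flow-log naming ("s3", "parquet").

```hcl
# Added example; module source, OU ARN and bucket ARN are placeholders.
module "core_network" {
  source = "PLACEHOLDER/ntc-core-network" # assumption: replace with the real source

  # One prefix list, created in both regions, so route tables in each region
  # reference the same on-premises ranges by name instead of ad-hoc CIDRs.
  customer_managed_prefix_lists = [{
    regions = ["eu-central-1", "eu-west-1"]
    name    = "pl-onprem"
    entries = [
      { cidr = "10.100.0.0/16", description = "on-premises data center" },
    ]
  }]

  transit_gateways = [
    {
      region          = "eu-central-1"
      name            = "tgw-frankfurt"
      amazon_side_asn = 64512
      # Defaults kept explicit: nothing is associated, propagated or accepted
      # automatically, so reachability is only what the hub/spoke tables allow.
      default_route_table_association = false
      default_route_table_propagation = false
      auto_accept_shared_attachments  = false
      # Share with an OU (placeholder ARN); RAM sharing must already be enabled
      # in the organization, see the info box above.
      ram_share_principals = ["arn:aws:organizations::111111111111:ou/o-xxxxxxxxxx/ou-xxxx-xxxxxxxx"]
      flow_log_destinations = [{
        destination_type         = "s3" # assumption: AWS log destination type name
        destination_arn          = "arn:aws:s3:::PLACEHOLDER-tgw-flow-logs"
        max_aggregation_interval = 60
        s3_options = {
          file_format                = "parquet" # queryable with Athena
          hive_compatible_partitions = true
        }
      }]
    },
    {
      region          = "eu-west-1"
      name            = "tgw-dublin"
      amazon_side_asn = 64513
      # Cross-region peering to Frankfurt, associated to the hub table on both sides.
      peering_requests = [{
        peer_transit_gateway_name = "tgw-frankfurt"
        association_with_route_table_name = {
          peering_requester = "tgw-route-table-hub"
          peering_accepter  = "tgw-route-table-hub"
        }
      }]
    }
  ]
}
```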

virtual_private_network

Description: Configuration of core network Site-to-Site VPN.

Type:

object({
  customer_gateways = optional(list(object({
    region = string
    name = string
    device_name = string
    customer_side_asn = number
    ip_address = string
    certificate_arn = optional(string, "")
  })), [])
  vpn_connections = optional(list(object({
    region = string
    name = string
    transit_gateway_name = string
    customer_gateway_name = string
    transit_gateway_association_with_route_table_name = string
    transit_gateway_propagation_to_route_table_names = optional(list(string), [])
    static_routes_only = optional(bool, false)
    enable_acceleration = optional(bool, false)
    outside_ip_address_type = optional(string, "PublicIpv4")
    transport_transit_gateway_attachment_id = optional(string, "")
    address_family = optional(string, "ipv4")
    local_network_cidr = optional(string, "0.0.0.0/0")
    remote_network_cidr = optional(string, "0.0.0.0/0")
    tunnel1_options = optional(object({
      inside_cidr = optional(string, null)
      preshared_key = optional(string, null)
      dpd_timeout_action = optional(string, "clear")
      dpd_timeout_seconds = optional(number, 30)
      enable_tunnel_lifecycle_control = optional(bool, false)
      ike_versions = optional(list(string), ["ikev1", "ikev2"])
      phase1_dh_group_numbers = optional(list(number), [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24])
      phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"])
      phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"])
      phase1_lifetime_seconds = optional(number, 28800)
      phase2_dh_group_numbers = optional(list(number), [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24])
      phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"])
      phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"])
      phase2_lifetime_seconds = optional(number, 3600)
      rekey_fuzz_percentage = optional(number, 100)
      rekey_margin_time_seconds = optional(number, 540)
      replay_window_size = optional(number, 1024)
      startup_action = optional(string, "add")
      cloudwatch_log_options = optional(object({
        enabled = optional(bool, false)
        log_group_arn = optional(string, "")
        log_output_format = optional(string, "json")
      }), {})
    }), {})
    tunnel2_options = optional(object({
      inside_cidr = optional(string, null)
      preshared_key = optional(string, null)
      dpd_timeout_action = optional(string, "clear")
      dpd_timeout_seconds = optional(number, 30)
      enable_tunnel_lifecycle_control = optional(bool, false)
      ike_versions = optional(list(string), ["ikev1", "ikev2"])
      phase1_dh_group_numbers = optional(list(number), [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24])
      phase1_encryption_algorithms = optional(list(string), ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"])
      phase1_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"])
      phase1_lifetime_seconds = optional(number, 28800)
      phase2_dh_group_numbers = optional(list(number), [2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24])
      phase2_encryption_algorithms = optional(list(string), ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"])
      phase2_integrity_algorithms = optional(list(string), ["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"])
      phase2_lifetime_seconds = optional(number, 3600)
      rekey_fuzz_percentage = optional(number, 100)
      rekey_margin_time_seconds = optional(number, 540)
      replay_window_size = optional(number, 1024)
      startup_action = optional(string, "add")
      cloudwatch_log_options = optional(object({
        enabled = optional(bool, false)
        log_group_arn = optional(string, "")
        log_output_format = optional(string, "json")
      }), {})
    }), {})
  })), [])
})

Default: {}
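Added example for the virtual_private_network input (not code from the module's documentation or source). The tunnel defaults above still accept IKEv1, DH groups 2 and 5 and SHA1 so that older devices can connect; this example applies one hardened profile to both tunnels (IKEv2 only, AES-256-GCM, SHA2-384, ECP DH groups 19-21), enables tunnel logging, narrows the 0.0.0.0/0 traffic selectors, and takes the pre-shared keys from a sensitive variable instead of the configuration. The module source, account ID, log group and the vpn_psk variable are placeholders/assumptions.

```hcl
# Added example; module source, account ID and log group ARN are placeholders.
variable "vpn_psk" {
  description = "Pre-shared keys per tunnel, supplied out of band (never in code)"
  type        = map(string) # { tunnel1 = "...", tunnel2 = "..." }
  sensitive   = true
}
locals {
  # One hardened profile for both tunnels; the module defaults still accept
  # IKEv1, DH group 2/5 and SHA1 for compatibility, this profile removes them.
  hardened_tunnel = {
    ike_versions                 = ["ikev2"]
    phase1_dh_group_numbers      = [19, 20, 21]
    phase1_encryption_algorithms = ["AES256-GCM-16"]
    phase1_integrity_algorithms  = ["SHA2-384"]
    phase2_dh_group_numbers      = [19, 20, 21]
    phase2_encryption_algorithms = ["AES256-GCM-16"]
    phase2_integrity_algorithms  = ["SHA2-384"]
    cloudwatch_log_options = {
      enabled       = true # IKE/tunnel state changes become visible in CloudWatch
      log_group_arn = "arn:aws:logs:eu-central-1:111111111111:log-group:PLACEHOLDER:*"
    }
  }
}
module "core_network" {
  source = "PLACEHOLDER/ntc-core-network" # assumption: replace with the real source
  transit_gateways = [{ region = "eu-central-1", name = "tgw-frankfurt" }]
  virtual_private_network = {
    customer_gateways = [{
      region            = "eu-central-1"
      name              = "cgw-datacenter"
      device_name       = "dc-fw-01"
      customer_side_asn = 65000
      ip_address        = "203.0.113.10" # TEST-NET-3 placeholder address
    }]
    vpn_connections = [{
      region                = "eu-central-1"
      name                  = "vpn-datacenter"
      transit_gateway_name  = "tgw-frankfurt"
      customer_gateway_name = "cgw-datacenter"
      transit_gateway_association_with_route_table_name = "tgw-route-table-hub"
      transit_gateway_propagation_to_route_table_names  = ["tgw-route-table-spoke"]
      # Narrow the selectors from the 0.0.0.0/0 defaults to the ranges that need the tunnels.
      local_network_cidr  = "10.100.0.0/16" # on-premises side
      remote_network_cidr = "10.0.0.0/8"    # AWS side
      tunnel1_options = merge(local.hardened_tunnel, { preshared_key = var.vpn_psk["tunnel1"] })
      tunnel2_options = merge(local.hardened_tunnel, { preshared_key = var.vpn_psk["tunnel2"] })
    }]
  }
}
```

The on-premises device must support the same IKEv2/GCM/SHA2/ECP combination, otherwise the tunnels will not negotiate; check the vendor profile before removing the compatibility defaults.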

Outputs

The following outputs are exported:

customer_managed_prefix_lists_by_name

Description: Map of customer managed prefix lists indexed by name, containing info for all regions

dx_dedicated_connections_by_name

Description: Map of direct connect dedicated connections (LAGs) indexed by 'region/name'

dx_gateway_associations

Description: Map of direct connect gateway associations with transit gateways, indexed by 'region/tgw_name/dx_gw_name'

dx_gateway_ids_by_name

Description: Map of direct connect gateway IDs indexed by DX gateway name

dx_virtual_interfaces_by_name

Description: Map of direct connect virtual interfaces indexed by 'region/dxcon_name/vif_name'

prefix_list_ids_by_region_and_name

Description: Map of all prefix list IDs indexed by region and name (includes AWS managed and customer managed)

transit_gateway_arns_by_name

Description: Map of transit gateway ARNs indexed by TGW name

transit_gateway_ids_by_name

Description: Map of transit gateway IDs indexed by TGW name

transit_gateway_peering_attachment_ids

Description: Map of transit gateway peering attachment IDs indexed by requester-accepter pair

transit_gateway_peering_attachments

Description: Map of transit gateway peering attachments indexed by requester-accepter pair

transit_gateway_peering_info_by_name

Description: Information required for transit gateway peering, indexed by TGW name

transit_gateway_route_table_ids

Description: Nested map of transit gateway route table IDs indexed by TGW name and route table name

transit_gateways

Description: Map of transit gateways indexed by name with all details

vpn_connections_by_name

Description: Map of VPN connections indexed by 'region/name'

vpn_customer_gateways_by_name

Description: Map of VPN customer gateways indexed by 'region/name'

vpn_preshared_keys_by_connection_name

Description: Map of tunnel preshared keys of VPN connections indexed by 'region/name'