This Module doesnt appear to be useable for routing traffic through the firewall

[jseiser]

Is your request related to a new offering from AWS?

• Yes ✅: please list the AWS provider version which introduced this functionality

Is your request related to a problem? Please describe.

This module doesn't actually appear to be usable for routing traffic through the network firewall , when using this module for the vpc: https://github.com/terraform-aws-modules/terraform-aws-vpc

Describe the solution you'd like.

The VPC module, and this module, should be able to create the firewall subnets, and handle the routing for the IGW to force traffic through the firewall

Describe alternatives you've considered.

What we currently have to do with the normal VPC Module

1. Disable public subnets, and nat gateways
2. Create Public Subnets and NAT Gateway, and Internet Gateway
3. Create the route table for the NAT gateways
4. Create 2 Firewall Subnets and their route tables
5. Deploy this ( actually your old beta version) module passing in the firewall subnets in the subnet mapping
6. Create the routes for the IGW
7. Create the routes for the firewall subnets
8. Create all the route associations

Additional context

My fear is this will eventually create a situation where we can no longer upgrade the main VPC module, since we have so much stuff disabled and manually created

[jseiser]

Related Links:

https://docs.aws.amazon.com/network-firewall/latest/developerguide/vpc-config.html

Reserve these firewall subnets for the exclusive use of Network Firewall. A firewall endpoint can't filter traffic coming into or going out of the subnet in which it resides, so don't place other applications in the firewall endpoint subnets. 

For example, suppose you wanted to filter traffic that's currently routed between a customer subnet and an internet gateway. You would update your route table configuration as follows to insert a firewall endpoint into the traffic flow:

    Change the customer subnet route table so that it directs internet-bound traffic to the firewall endpoint.

    Change the internet gateway route table so that it directs traffic that's bound for the customer subnet to the firewall endpoint.

    Create a route table for the firewall endpoint so that it directs internet-bound traffic to the internet gateway and directs traffic that's bound for any destination inside the VPC to the destination specification local.

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[connellian]

Any update on this? It would be nice to have the routing and subnet associations added, as it is the complete example is not usable.

[bryantbiggs]

XRef terraform-aws-modules/terraform-aws-vpc#978 (comment)

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions]

This issue was automatically closed because of stale in 10 days

[jseiser]

Still Applies

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions]

This issue was automatically closed because of stale in 10 days