LLD002-001 - Intra Region Connection

Introduction

Purpose

The purpose of this Low-Level Design is to provide an exhaustive representation of the intra-region connections within our AWS environment, clearly defining system components, their interactions, and data flow. It serves as a definitive guide for developers during the implementation phase and aids in future system maintenance and enhancements.

Changelog

| Revision | Date       | Description       |
|----------|------------|-------------------|
| 1.0      | 02.07.2024 | Initial document  |
| 1.1      | 10.07.2024 | Add missing parts |

Background

  • Proposed structure of network & VPC across the organization, with internet access limited to specified networks and restricted connectivity between application environments.

  • CIDR ranges of the VPCs as a proposed solution and starting point for discussion.

  • Transit Gateway used as the central point of connectivity between accounts & VPCs, egress & ingress traffic flowing through Inspection VPC located in the Network account.

  • Sandbox accounts separated from the rest of the Organization.

Architecture diagram

LLD002-001-IRC-01.png

Explanation

The diagram shows the detailed implementation of the centralized network model: the Transit Gateway acts as the regional transit hub through which VPCs and VPN connections reach each other.

Implementation Details

CIDR list for VPCs

Each VPC spans all Availability Zones in the Region; subnets are created per Availability Zone as required by the workload.

Environments are planned within the following address space:

  • OU Infrastructure, OU Security → 10.148.0.0/16:

    • Shared Services prod VPC → 10.148.0.0/19

    • Shared Services TST VPC → 10.148.32.0/19

    • Central Network VPC → 10.148.64.0/19

    • Remote Access Prod VPC → 10.148.96.0/20

    • Remote Access Non-Prod VPC → 10.148.112.0/20

    • Backup VPC → 10.148.128.0/19

    • Log-Archive VPC → 10.148.160.0/19

    • Monitoring VPC → 10.148.192.0/20

    • CICD VPC → 10.148.208.0/21

    • CloudIAM Prod → 10.148.216.0/21

    • CloudIAM Non-Prod → 10.148.224.0/21

  • OU Workloads (Shared Network VPCs) → X.X.X.X/14

    • DEV → 10.142.0.0/19

    • TST → 10.142.32.0/19

    • NIT → 10.142.64.0/19

    • PRE → 10.142.96.0/19

    • prod → 10.142.128.0/19

    • SIT → 10.142.160.0/19

  • OU Sandbox → X.X.X.X/16
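The allocation above only works if every subnet is a canonical network inside its VPC, subnets of one VPC do not overlap, and the VPC CIDRs attached to the Transit Gateway do not overlap each other (otherwise the TGW route tables cannot tell spokes apart). The following script is an added example, not part of the LLD, that performs those checks with the standard library `ipaddress` module. The Shared Services prod allocation and the OU Infrastructure VPC list are copied from this document; `BROKEN_PLAN` is a constructed allocation that triggers each failure mode.

```python
"""CIDR plan checks with the standard library (added example, not part of the LLD)."""
import ipaddress
from itertools import combinations

# Shared Services prod VPC (10.148.0.0/19) exactly as allocated in this document.
SHARED_SERVICES_PROD = {
    "vpc": "10.148.0.0/19",
    "subnets": {
        "private-a": "10.148.0.0/22",  "private-b": "10.148.4.0/22",   "private-c": "10.148.8.0/22",
        "public-a":  "10.148.12.0/22", "public-b":  "10.148.16.0/22",  "public-c":  "10.148.20.0/22",
        "db-a":      "10.148.24.0/23", "db-b":      "10.148.26.0/23",  "db-c":      "10.148.28.0/23",
        "infra-a":   "10.148.30.0/27", "infra-b":   "10.148.30.32/27", "infra-c":   "10.148.30.64/27",
    },
}

# OU Infrastructure / OU Security VPC CIDRs from the CIDR list above.
INFRA_VPCS = {
    "shared-services-prod": "10.148.0.0/19",     "shared-services-tst": "10.148.32.0/19",
    "central-network": "10.148.64.0/19",         "remote-access-prod": "10.148.96.0/20",
    "remote-access-non-prod": "10.148.112.0/20", "backup": "10.148.128.0/19",
    "log-archive": "10.148.160.0/19",            "monitoring": "10.148.192.0/20",
    "cicd": "10.148.208.0/21",                   "cloudiam-prod": "10.148.216.0/21",
    "cloudiam-non-prod": "10.148.224.0/21",
}

# Constructed bad plan (not from the document) exercising each check.
BROKEN_PLAN = {
    "vpc": "10.200.0.0/20",
    "subnets": {
        "a": "10.200.0.0/22",
        "b": "10.200.2.0/23",   # overlaps "a"
        "c": "10.200.32.0/24",  # outside the VPC
        "d": "10.200.9.0/22",   # host bits set; the network is really 10.200.8.0/22
    },
}


def check_plan(plan):
    """Return findings for one VPC; an empty list means the plan is consistent."""
    findings = []
    vpc = ipaddress.ip_network(plan["vpc"])
    nets = {}
    for name, cidr in plan["subnets"].items():
        try:
            net = ipaddress.ip_network(cidr)  # strict by default: host bits are an error
        except ValueError:
            findings.append(f"{name}: {cidr} is not a canonical network address")
            net = ipaddress.ip_network(cidr, strict=False)
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} is outside VPC {vpc}")
        nets[name] = net
    # AWS rejects overlapping subnets inside a VPC; catch it before the API does.
    for (n1, a), (n2, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            findings.append(f"{n1} ({a}) overlaps {n2} ({b})")
    return findings


def check_vpcs_disjoint(vpc_cidrs):
    """Every VPC attached to the Transit Gateway needs a unique, non-overlapping CIDR."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpc_cidrs.items()}
    return [f"{n1} ({a}) overlaps {n2} ({b})"
            for (n1, a), (n2, b) in combinations(nets.items(), 2) if a.overlaps(b)]


def free_space(plan):
    """Largest aligned blocks still unallocated inside the VPC (for adding subnets later)."""
    free = [ipaddress.ip_network(plan["vpc"])]
    for used in (ipaddress.ip_network(c, strict=False) for c in plan["subnets"].values()):
        free = [piece for f in free
                for piece in (f.address_exclude(used) if used.subnet_of(f) else [f])]
    return [str(n) for n in sorted(free)]


if __name__ == "__main__":
    for label, plan in (("shared-services-prod", SHARED_SERVICES_PROD), ("broken", BROKEN_PLAN)):
        print(label, check_plan(plan) or "OK")
    print("infra VPCs", check_vpcs_disjoint(INFRA_VPCS) or "OK")
    print("free in shared-services-prod", free_space(SHARED_SERVICES_PROD))
```

Run the script against a new VPC table before it is applied; `free_space` reports what is left in the /19 so a new subnet can be cut from an aligned block instead of guessed.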

OU Infrastructure/Security

Shared Services prod VPC (10.148.0.0/19)

shared-services-prod-vpc

| AZ                   | Private Subnets | Public Subnets | DB Subnets     | Infra Subnets   |
|----------------------|-----------------|----------------|----------------|-----------------|
| AZ-a [eu-central-1a] | 10.148.0.0/22   | 10.148.12.0/22 | 10.148.24.0/23 | 10.148.30.0/27  |
| AZ-b [eu-central-1b] | 10.148.4.0/22   | 10.148.16.0/22 | 10.148.26.0/23 | 10.148.30.32/27 |
| AZ-c [eu-central-1c] | 10.148.8.0/22   | 10.148.20.0/22 | 10.148.28.0/23 | 10.148.30.64/27 |

Shared Services TST VPC (10.148.32.0/19)

shared-services-tst-vpc

| AZ                   | Private Subnets | Public Subnets | DB Subnets     | Infra Subnets   |
|----------------------|-----------------|----------------|----------------|-----------------|
| AZ-a [eu-central-1a] | 10.148.32.0/22  | 10.148.44.0/22 | 10.148.56.0/23 | 10.148.62.0/27  |
| AZ-b [eu-central-1b] | 10.148.36.0/22  | 10.148.48.0/22 | 10.148.58.0/23 | 10.148.62.32/27 |
| AZ-c [eu-central-1c] | 10.148.40.0/22  | 10.148.52.0/22 | 10.148.60.0/23 | 10.148.63.64/27 |

Central Network VPC (10.148.64.0/19)

inspection-vpc

| AZ                   | Public Subnets | DB Subnets       | Intra Subnets    |
|----------------------|----------------|------------------|------------------|
| AZ-a [eu-central-1a] | 10.148.64.0/21 | 10.148.88.0/25   | 10.148.89.128/27 |
| AZ-b [eu-central-1b] | 10.148.72.0/21 | 10.148.88.128/25 | 10.148.90.160/27 |
| AZ-c [eu-central-1c] | 10.148.80.0/21 | 10.148.89.0/25   | 10.148.91.192/27 |

Remote Access PROD VPC (10.148.96.0/20)

remote-access-prod-vpc

| AZ                   | Private Subnets | Public Subnets  | DB Subnets      | Intra Subnets    |
|----------------------|-----------------|-----------------|-----------------|------------------|
| AZ-a [eu-central-1a] | 10.148.96.0/23  | 10.148.102.0/23 | 10.148.108.0/24 | 10.148.111.0/27  |
| AZ-b [eu-central-1b] | 10.148.98.0/23  | 10.148.104.0/23 | 10.148.109.0/24 | 10.148.111.32/27 |
| AZ-c [eu-central-1c] | 10.148.100.0/23 | 10.148.106.0/23 | 10.148.110.0/24 | 10.148.111.64/27 |

Remote Access Non-PROD VPC (10.148.112.0/20)

remote-access-non-prod-vpc

| AZ                   | Private Subnets | Public Subnets  | DB Subnets      | Intra Subnets    |
|----------------------|-----------------|-----------------|-----------------|------------------|
| AZ-a [eu-central-1a] | 10.148.112.0/23 | 10.148.118.0/23 | 10.148.123.0/24 | 10.148.126.0/27  |
| AZ-b [eu-central-1b] | 10.148.114.0/23 | 10.148.120.0/23 | 10.148.124.0/24 | 10.148.126.32/27 |
| AZ-c [eu-central-1c] | 10.148.116.0/23 | 10.148.122.0/23 | 10.148.125.0/24 | 10.148.127.64/27 |

Backup VPC (10.148.128.0/19)

backup-vpc

| AZ                   | Private Subnets | Public Subnets  | DB Subnets      | Intra Subnets    |
|----------------------|-----------------|-----------------|-----------------|------------------|
| AZ-a [eu-central-1a] | 10.148.128.0/22 | 10.148.140.0/22 | 10.148.152.0/23 | 10.148.158.0/27  |
| AZ-b [eu-central-1b] | 10.148.132.0/22 | 10.148.144.0/22 | 10.148.154.0/23 | 10.148.158.32/27 |
| AZ-c [eu-central-1c] | 10.148.136.0/22 | 10.148.148.0/22 | 10.148.156.0/23 | 10.148.159.64/27 |

Log Archive VPC (10.148.160.0/19)

log-archive-vpc

| AZ                   | Private Subnets | Public Subnets  | DB Subnets      | Intra Subnets    |
|----------------------|-----------------|-----------------|-----------------|------------------|
| AZ-a [eu-central-1a] | 10.148.160.0/22 | 10.148.172.0/22 | 10.148.184.0/23 | 10.148.190.0/27  |
| AZ-b [eu-central-1b] | 10.148.164.0/22 | 10.148.176.0/22 | 10.148.186.0/23 | 10.148.190.32/27 |
| AZ-c [eu-central-1c] | 10.148.168.0/22 | 10.148.180.0/22 | 10.148.188.0/23 | 10.148.191.64/27 |

Monitoring VPC (10.148.192.0/20)

monitoring-vpc

| AZ                   | Private Subnets | Public Subnets  | DB Subnets      | Intra Subnets    |
|----------------------|-----------------|-----------------|-----------------|------------------|
| AZ-a [eu-central-1a] | 10.148.192.0/23 | 10.148.198.0/23 | 10.148.204.0/24 | 10.148.207.0/27  |
| AZ-b [eu-central-1b] | 10.148.194.0/23 | 10.148.200.0/23 | 10.148.205.0/24 | 10.148.207.32/27 |
| AZ-c [eu-central-1c] | 10.148.196.0/23 | 10.148.202.0/23 | 10.148.206.0/24 | 10.148.207.64/27 |

CICD VPC (10.148.208.0/21)

cicd-vpc

| AZ                   | Private Subnets | Public Subnets  | DB Subnets        | Intra Subnets     |
|----------------------|-----------------|-----------------|-------------------|-------------------|
| AZ-a [eu-central-1a] | 10.148.208.0/24 | 10.148.211.0/24 | 10.148.214.0/25   | 10.148.215.128/27 |
| AZ-b [eu-central-1b] | 10.148.209.0/24 | 10.148.212.0/24 | 10.148.214.128/25 | 10.148.215.160/27 |
| AZ-c [eu-central-1c] | 10.148.210.0/24 | 10.148.213.0/24 | 10.148.215.0/25   | 10.148.215.192/27 |

OU Workloads -> Shared-network VPCs

Subnets in the shared-network accounts are added on an ongoing basis and shared with the application accounts. Each shared-network account has two VPCs, one for the iDMZ and one for the eDMZ.

DEV - iDMZ (10.142.0.0/20)

shared-network-dev-idmz

| AZ                   | Subnets        |
|----------------------|----------------|
| AZ-a [eu-central-1a] | 10.142.0.0/27  |
| AZ-b [eu-central-1b] | 10.142.0.32/27 |
| AZ-c [eu-central-1c] | 10.142.0.64/27 |

DEV - eDMZ (10.141.0.0/19)

shared-network-dev-edmz

| AZ                   | Subnets                         |
|----------------------|---------------------------------|
| AZ-a [eu-central-1a] | 10.141.31.0/26, 10.141.0.0/23   |
| AZ-b [eu-central-1b] | 10.141.31.64/26, 10.141.2.0/23  |
| AZ-c [eu-central-1c] | 10.141.31.128/26, 10.141.4.0/23 |

TST - iDMZ (10.142.32.0/20)

shared-network-tst-idmz

| AZ                   | Subnets         |
|----------------------|-----------------|
| AZ-a [eu-central-1a] | 10.142.32.0/27  |
| AZ-b [eu-central-1b] | 10.142.32.32/27 |
| AZ-c [eu-central-1c] | 10.142.32.64/27 |

TST - eDMZ (10.141.32.0/19)

shared-network-tst-edmz

| AZ                   | Subnets                          |
|----------------------|----------------------------------|
| AZ-a [eu-central-1a] | 10.141.63.0/26, 10.141.32.0/23   |
| AZ-b [eu-central-1b] | 10.141.63.64/26, 10.141.34.0/23  |
| AZ-c [eu-central-1c] | 10.141.63.128/26, 10.141.36.0/23 |

NIT - iDMZ (10.142.64.0/20)

shared-network-nit-idmz

| AZ                   | Subnets         |
|----------------------|-----------------|
| AZ-a [eu-central-1a] | 10.142.64.0/27  |
| AZ-b [eu-central-1b] | 10.142.64.32/27 |
| AZ-c [eu-central-1c] | 10.142.64.64/27 |

NIT - eDMZ (10.141.64.0/19)

shared-network-nit-edmz

| AZ                   | Subnets                          |
|----------------------|----------------------------------|
| AZ-a [eu-central-1a] | 10.141.95.0/26, 10.141.64.0/23   |
| AZ-b [eu-central-1b] | 10.141.95.64/26, 10.141.66.0/23  |
| AZ-c [eu-central-1c] | 10.141.95.128/26, 10.141.68.0/23 |

PRE - iDMZ (10.142.96.0/20)

shared-network-pre-idmz

| AZ                   | Subnets         |
|----------------------|-----------------|
| AZ-a [eu-central-1a] | 10.142.96.0/27  |
| AZ-b [eu-central-1b] | 10.142.96.32/27 |
| AZ-c [eu-central-1c] | 10.142.96.64/27 |

PRE - eDMZ (10.142.112.0/20)

shared-network-pre-edmz

| AZ                   | Subnets         |
|----------------------|-----------------|
| AZ-a [eu-central-1a] | 10.142.112.0/23 |
| AZ-b [eu-central-1b] | 10.142.112.0/23 |
| AZ-c [eu-central-1c] | 10.142.112.0/23 |

PROD - iDMZ (10.142.128.0/20)

shared-network-prod-idmz

| AZ                   | Subnets          |
|----------------------|------------------|
| AZ-a [eu-central-1a] | 10.142.128.0/27  |
| AZ-b [eu-central-1b] | 10.142.128.32/27 |
| AZ-c [eu-central-1c] | 10.142.128.64/27 |

PROD - eDMZ (10.142.144.0/20)

shared-network-prod-edmz

| AZ                   | Subnets          |
|----------------------|------------------|
| AZ-a [eu-central-1a] | 10.142.144.0/27  |
| AZ-b [eu-central-1b] | 10.142.144.32/27 |
| AZ-c [eu-central-1c] | 10.142.144.64/27 |

SIT - iDMZ (10.142.160.0/20)

shared-network-sit-idmz

| AZ                   | Subnets          |
|----------------------|------------------|
| AZ-a [eu-central-1a] | 10.142.160.0/27  |
| AZ-b [eu-central-1b] | 10.142.160.32/27 |
| AZ-c [eu-central-1c] | 10.142.160.64/27 |

SIT - eDMZ (10.141.128.0/19)

shared-network-sit-edmz

| AZ                   | Subnets                            |
|----------------------|------------------------------------|
| AZ-a [eu-central-1a] | 10.141.159.0/26, 10.141.128.0/23   |
| AZ-b [eu-central-1b] | 10.141.159.64/26, 10.141.130.0/23  |
| AZ-c [eu-central-1c] | 10.141.159.128/26, 10.141.132.0/23 |

Transit gateway routing tables

Transit Gateway attachments connect the VPCs of the Organization to a single regional hub.

Traffic between spoke VPCs (located in separate accounts) is routed by the Transit Gateway. Each VPC is attached to the Transit Gateway for communication across the regional network, and the traffic is governed by Transit Gateway route tables, which define which VPCs and on-premises networks an attachment can reach. Each attachment is associated with exactly one route table (its routing domain); propagations from other attachments populate that table with their CIDRs, and static routes (including blackhole routes) are added explicitly.

Inspection

All spoke VPCs reach the internet only through the Inspection VPC: the static default route 0.0.0.0/0 in every spoke route table points at the inspection attachment, so egress traffic always passes the central firewall. This gives a single, scalable enforcement and logging point and reduces the risk of a breach spreading between environments.

a-tmpl-prod-tgw-rt-egress

| CIDR            | Attachment                     | Route type |
|-----------------|--------------------------------|------------|
| 10.141.0.0/19   | a-tmpl-dev-att-edmz            | Propagated |
| 10.141.32.0/19  | a-tmpl-test-att-edmz           | Propagated |
| 10.141.64.0/19  | a-tmpl-nit-att-edmz            | Propagated |
| 10.141.96.0/19  | a-tmpl-prep-att-edmz           | Propagated |
| 10.141.128.0/19 | a-tmpl-sit-att-edmz            | Propagated |
| 10.141.160.0/19 | a-tmpl-prod-att-edmz           | Propagated |
| 10.142.0.0/20   | a-tmpl-dev-att-idmz            | Propagated |
| 10.142.16.0/20  | a-tmpl-dev-att-idmz            | Propagated |
| 10.142.32.0/20  | a-tmpl-test-att-idmz           | Propagated |
| 10.142.48.0/20  | a-tmpl-test-att-idmz           | Propagated |
| 10.142.64.0/20  | a-tmpl-nit-att-idmz            | Propagated |
| 10.142.80.0/20  | a-tmpl-nit-att-idmz            | Propagated |
| 10.142.96.0/20  | a-tmpl-prep-att-idmz           | Propagated |
| 10.142.112.0/20 | a-tmpl-prep-att-idmz           | Propagated |
| 10.142.128.0/20 | a-tmpl-sit-att-idmz            | Propagated |
| 10.142.144.0/20 | a-tmpl-sit-att-idmz            | Propagated |
| 10.142.160.0/19 | a-tmpl-prod-att-idmz           | Propagated |
| 10.148.32.0/19  | a-tmpl-tst-att-shared-services | Propagated |
| 10.148.64.0/19  | a-tmpl-prod-att-inspection     | Propagated |
| 10.148.90.0/24  | a-tmpl-prod-att-mgmnt          | Propagated |
| 10.148.96.0/19  | a-tmpl-prod-att-remote-access  | Propagated |
| 10.148.128.0/19 | a-tmpl-prod-att-backup         | Propagated |
| 10.148.160.0/19 | a-tmpl-prod-att-log-archive    | Propagated |
| 10.148.192.0/20 | a-tmpl-prod-att-monitoring     | Propagated |
| 10.148.208.0/21 | a-tmpl-prod-att-cicd           | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-dx-1           | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-dx-2           | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-dx-3           | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-vpn-1          | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-vpn-2          | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-vpn-3          | Propagated |

Shared services

a-tmpl-prod-tgw-rt-shared-svc-prod

| CIDR            | Attachment                     | Route type |
|-----------------|--------------------------------|------------|
| 10.141.0.0/19   | a-tmpl-dev-att-edmz            | Propagated |
| 10.141.32.0/19  | a-tmpl-test-att-edmz           | Propagated |
| 10.141.64.0/19  | a-tmpl-nit-att-edmz            | Propagated |
| 10.141.96.0/19  | a-tmpl-prep-att-edmz           | Propagated |
| 10.141.128.0/19 | a-tmpl-sit-att-edmz            | Propagated |
| 10.141.160.0/19 | a-tmpl-prod-att-edmz           | Propagated |
| 10.142.0.0/20   | a-tmpl-dev-att-idmz            | Propagated |
| 10.142.16.0/20  | a-tmpl-dev-att-idmz            | Propagated |
| 10.142.32.0/20  | a-tmpl-test-att-idmz           | Propagated |
| 10.142.48.0/20  | a-tmpl-test-att-idmz           | Propagated |
| 10.142.64.0/20  | a-tmpl-nit-att-idmz            | Propagated |
| 10.142.80.0/20  | a-tmpl-nit-att-idmz            | Propagated |
| 10.142.96.0/20  | a-tmpl-prep-att-idmz           | Propagated |
| 10.142.112.0/20 | a-tmpl-prep-att-idmz           | Propagated |
| 10.142.128.0/20 | a-tmpl-sit-att-idmz            | Propagated |
| 10.142.144.0/20 | a-tmpl-sit-att-idmz            | Propagated |
| 10.142.160.0/19 | a-tmpl-prod-att-idmz           | Propagated |
| 10.148.32.0/19  | a-tmpl-tst-att-shared-services | Propagated |
| 10.148.64.0/19  | a-tmpl-prod-att-inspection     | Propagated |
| 10.148.90.0/24  | a-tmpl-prod-att-mgmnt          | Propagated |
| 10.148.96.0/19  | a-tmpl-prod-att-remote-access  | Propagated |
| 10.148.128.0/19 | a-tmpl-prod-att-backup         | Propagated |
| 10.148.160.0/19 | a-tmpl-prod-att-log-archive    | Propagated |
| 10.148.192.0/20 | a-tmpl-prod-att-monitoring     | Propagated |
| 10.148.208.0/21 | a-tmpl-prod-att-cicd           | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-dx-1           | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-dx-2           | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-dx-3           | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-vpn-1          | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-vpn-2          | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-vpn-3          | Propagated |
| 0.0.0.0/0       | a-tmpl-prod-att-inspection     | Static     |

tst-tgw-rtb-shared-services

| CIDR           | Attachment                    | Route type |
|----------------|-------------------------------|------------|
| 10.148.96.0/19 | a-tmpl-prod-att-remote-access | Propagated |
| 10.0.0.0/8     | (none)                        | Blackhole  |
| 172.16.0.0/12  | (none)                        | Blackhole  |
| 192.168.0.0/16 | (none)                        | Blackhole  |
| 0.0.0.0/0      | a-tmpl-prod-att-inspection    | Static     |

Monitoring

a-tmpl-prod-tgw-rt-monitoring

| CIDR            | Attachment                     | Route type |
|-----------------|--------------------------------|------------|
| 10.148.0.0/19   | a-tmpl-prod-att-shared-services | Propagated |
| 10.148.64.0/19  | a-tmpl-prod-att-inspection     | Propagated |
| 10.148.96.0/19  | a-tmpl-prod-att-remote-access  | Propagated |
| 10.148.128.0/19 | a-tmpl-prod-att-backup         | Propagated |
| 10.148.160.0/19 | a-tmpl-prod-att-log-archive    | Propagated |
| 10.148.208.0/21 | a-tmpl-prod-att-cicd           | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-dx-1           | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-dx-2           | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-dx-3           | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-vpn-1          | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-vpn-2          | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-vpn-3          | Propagated |
| 0.0.0.0/0       | a-tmpl-prod-att-inspection     | Static     |

Workloads

a-tmpl-prod-tgw-rt-shared-network-prod-edmz

| CIDR            | Attachment                      | Route type |
|-----------------|---------------------------------|------------|
| 10.148.0.0/19   | a-tmpl-prod-att-shared-services | Propagated |
| 10.148.64.0/19  | a-tmpl-prod-att-inspection      | Propagated |
| 10.148.96.0/19  | a-tmpl-prod-att-remote-access   | Propagated |
| 10.148.192.0/20 | a-tmpl-prod-att-monitoring      | Propagated |
| 10.148.208.0/21 | a-tmpl-prod-att-cicd            | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-dx-1            | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-dx-2            | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-dx-3            | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-vpn-1           | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-vpn-2           | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-vpn-3           | Propagated |
| 0.0.0.0/0       | a-tmpl-prod-att-inspection      | Static     |

a-tmpl-prod-tgw-rt-shared-network-prod-idmz

| CIDR            | Attachment                      | Route type |
|-----------------|---------------------------------|------------|
| 10.148.0.0/19   | a-tmpl-prod-att-shared-services | Propagated |
| 10.148.64.0/19  | a-tmpl-prod-att-inspection      | Propagated |
| 10.148.96.0/19  | a-tmpl-prod-att-remote-access   | Propagated |
| 10.148.192.0/20 | a-tmpl-prod-att-monitoring      | Propagated |
| 10.148.208.0/21 | a-tmpl-prod-att-cicd            | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-dx-1            | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-dx-2            | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-dx-3            | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-vpn-1           | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-vpn-2           | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-vpn-3           | Propagated |
| 0.0.0.0/0       | a-tmpl-prod-att-inspection      | Static     |

a-tmpl-prod-tgw-rt-shared-network-nonprod-edmz

| CIDR            | Attachment                      | Route type |
|-----------------|---------------------------------|------------|
| 10.148.0.0/19   | a-tmpl-prod-att-shared-services | Propagated |
| 10.148.64.0/19  | a-tmpl-prod-att-inspection      | Propagated |
| 10.148.96.0/19  | a-tmpl-prod-att-remote-access   | Propagated |
| 10.148.192.0/20 | a-tmpl-prod-att-monitoring      | Propagated |
| 10.148.208.0/21 | a-tmpl-prod-att-cicd            | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-dx-1            | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-dx-2            | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-dx-3            | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-vpn-1           | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-vpn-2           | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-vpn-3           | Propagated |
| 0.0.0.0/0       | a-tmpl-prod-att-inspection      | Static     |

a-tmpl-prod-tgw-rt-shared-network-nonprod-idmz

| CIDR            | Attachment                      | Route type |
|-----------------|---------------------------------|------------|
| 10.148.0.0/19   | a-tmpl-prod-att-shared-services | Propagated |
| 10.148.64.0/19  | a-tmpl-prod-att-inspection      | Propagated |
| 10.148.96.0/19  | a-tmpl-prod-att-remote-access   | Propagated |
| 10.148.192.0/20 | a-tmpl-prod-att-monitoring      | Propagated |
| 10.148.208.0/21 | a-tmpl-prod-att-cicd            | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-dx-1            | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-dx-2            | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-dx-3            | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-vpn-1           | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-vpn-2           | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-vpn-3           | Propagated |
| 0.0.0.0/0       | a-tmpl-prod-att-inspection      | Static     |

Remote access

a-tmpl-prod-tgw-rt-remote-access-nonprod

| CIDR            | Attachment                 | Route type |
|-----------------|----------------------------|------------|
| 10.141.0.0/19   | a-tmpl-dev-att-edmz        | Propagated |
| 10.141.32.0/19  | a-tmpl-test-att-edmz       | Propagated |
| 10.141.64.0/19  | a-tmpl-nit-att-edmz        | Propagated |
| 10.141.96.0/19  | a-tmpl-prep-att-edmz       | Propagated |
| 10.141.128.0/19 | a-tmpl-sit-att-edmz        | Propagated |
| 10.142.0.0/20   | a-tmpl-dev-att-idmz        | Propagated |
| 10.142.16.0/20  | a-tmpl-dev-att-idmz        | Propagated |
| 10.142.32.0/20  | a-tmpl-test-att-idmz       | Propagated |
| 10.142.48.0/20  | a-tmpl-test-att-idmz       | Propagated |
| 10.142.64.0/20  | a-tmpl-nit-att-idmz        | Propagated |
| 10.142.80.0/20  | a-tmpl-nit-att-idmz        | Propagated |
| 10.142.96.0/20  | a-tmpl-prep-att-idmz       | Propagated |
| 10.142.112.0/20 | a-tmpl-prep-att-idmz       | Propagated |
| 10.142.128.0/20 | a-tmpl-sit-att-idmz        | Propagated |
| 10.142.144.0/20 | a-tmpl-sit-att-idmz        | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-dx-1       | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-dx-2       | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-dx-3       | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-vpn-1      | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-vpn-2      | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-vpn-3      | Propagated |
| 0.0.0.0/0       | a-tmpl-prod-att-inspection | Static     |

a-tmpl-prod-tgw-rt-remote-access-prod

| CIDR            | Attachment                    | Route type |
|-----------------|-------------------------------|------------|
| 10.141.160.0/19 | a-tmpl-prod-att-edmz          | Propagated |
| 10.142.160.0/19 | a-tmpl-prod-att-idmz          | Propagated |
| 10.148.64.0/19  | a-tmpl-prod-att-inspection    | Propagated |
| 10.148.96.0/19  | a-tmpl-prod-att-remote-access | Propagated |
| 10.148.128.0/19 | a-tmpl-prod-att-backup        | Propagated |
| 10.148.160.0/19 | a-tmpl-prod-att-log-archive   | Propagated |
| 10.148.192.0/20 | a-tmpl-prod-att-monitoring    | Propagated |
| 10.148.208.0/21 | a-tmpl-prod-att-cicd          | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-dx-1          | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-dx-2          | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-dx-3          | Propagated |
| 10.0.0.0/8      | a-tmpl-prod-att-vpn-1         | Propagated |
| 172.16.0.0/12   | a-tmpl-prod-att-vpn-2         | Propagated |
| 192.168.0.0/16  | a-tmpl-prod-att-vpn-3         | Propagated |
| 0.0.0.0/0       | a-tmpl-prod-att-inspection    | Static     |

VPC routing tables

VPC route tables follow the centralized model for ingress and egress traffic entering and leaving the regional network, with the central firewall in the path and the Transit Gateway maintaining connectivity between account VPCs, as described in the high-level design. The default route 0.0.0.0/0 in each spoke VPC route table points at the Transit Gateway, so any traffic leaving a spoke VPC is forwarded to the Inspection VPC. A subnet whose route table carries only the local route (the Infra route table below) cannot send traffic outside its own VPC at all.

CORE Infrastructure – Shared-Services VPC

Public

| Destination   | Target |
|---------------|--------|
| 0.0.0.0/0     | TGW    |
| 10.148.0.0/19 | local  |

Private

| Destination   | Target |
|---------------|--------|
| 0.0.0.0/0     | TGW    |
| 10.148.0.0/19 | local  |

DB

| Destination   | Target |
|---------------|--------|
| 0.0.0.0/0     | TGW    |
| 10.148.0.0/19 | local  |

Infra

| Destination   | Target |
|---------------|--------|
| 10.148.0.0/19 | local  |
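The Transit Gateway route tables and the VPC route tables above make up a two-stage forwarding decision, and a reviewer of this design needs to be able to predict it for any destination. The following Python is an added example, not code from the LLD: it models a packet leaving a subnet, first through the subnet's VPC route table (local, TGW, or no route) and then through the Transit Gateway route table of the spoke's routing domain, applying the AWS Transit Gateway evaluation order (longest prefix first; for equal prefixes, static and blackhole routes win over propagated routes, and among propagated routes VPC attachments beat Direct Connect, which beats VPN). The VPC route tables are taken from the CORE Infrastructure section above, `tst-tgw-rtb-shared-services` is complete, and `a-tmpl-prod-tgw-rt-shared-svc-prod` is abridged to the rows the example needs. The Shared Services TST VPC route table is not listed in this document; the example assumes it mirrors the prod one with its own CIDR as the local route.

```python
"""Route lookup through a spoke VPC route table and then the TGW route table
(added example, not part of the LLD)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    cidr: str
    target: str  # "local", "TGW", an attachment name, or "blackhole"
    kind: str    # "static", "blackhole", or the propagating attachment type: "vpc", "dx", "vpn"


# AWS Transit Gateway evaluation order for routes of equal prefix length:
# static (including blackhole) routes win over propagated ones, and among
# propagated routes VPC attachments beat Direct Connect, which beats VPN.
PRECEDENCE = {"static": 0, "blackhole": 0, "vpc": 1, "dx": 2, "vpn": 3}


def lookup(routes, dst):
    """Longest-prefix match with the TGW tie-break; None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.cidr)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.cidr).prefixlen, PRECEDENCE[r.kind]))


def forward(vpc_rt, tgw_rt, dst):
    """Hops taken by a packet leaving a subnet: VPC route table first, then the
    TGW route table of the spoke's routing domain. No matching route at either
    stage means the packet is dropped."""
    r = lookup(vpc_rt, dst)
    if r is None:
        return ["drop"]
    if r.target != "TGW":
        return [r.target]
    t = lookup(tgw_rt, dst)
    return ["TGW", t.target if t else "drop"]


# VPC route tables from the CORE Infrastructure section of this document.
VPC_RT_SHARED_SVC_PROD_PRIVATE = [Route("10.148.0.0/19", "local", "static"),
                                  Route("0.0.0.0/0", "TGW", "static")]
VPC_RT_SHARED_SVC_PROD_INFRA = [Route("10.148.0.0/19", "local", "static")]  # no default route on purpose
# Assumed (not in the document): the TST VPC mirrors the prod layout with its own CIDR.
VPC_RT_SHARED_SVC_TST_PRIVATE = [Route("10.148.32.0/19", "local", "static"),
                                 Route("0.0.0.0/0", "TGW", "static")]

# a-tmpl-prod-tgw-rt-shared-svc-prod, abridged to the rows needed below.
TGW_RT_SHARED_SVC_PROD = [
    Route("10.148.96.0/19", "a-tmpl-prod-att-remote-access", "vpc"),
    Route("10.148.160.0/19", "a-tmpl-prod-att-log-archive", "vpc"),
    Route("10.0.0.0/8", "a-tmpl-prod-att-dx-1", "dx"),
    Route("10.0.0.0/8", "a-tmpl-prod-att-vpn-1", "vpn"),
    Route("0.0.0.0/0", "a-tmpl-prod-att-inspection", "static"),
]

# tst-tgw-rtb-shared-services, complete.
TGW_RT_SHARED_SVC_TST = [
    Route("10.148.96.0/19", "a-tmpl-prod-att-remote-access", "vpc"),
    Route("10.0.0.0/8", "blackhole", "blackhole"),
    Route("172.16.0.0/12", "blackhole", "blackhole"),
    Route("192.168.0.0/16", "blackhole", "blackhole"),
    Route("0.0.0.0/0", "a-tmpl-prod-att-inspection", "static"),
]


if __name__ == "__main__":
    for dst in ("10.148.5.7", "10.148.161.9", "10.50.1.1", "8.8.8.8"):
        print("prod private ->", dst, forward(VPC_RT_SHARED_SVC_PROD_PRIVATE, TGW_RT_SHARED_SVC_PROD, dst))
    print("prod infra   -> 8.8.8.8", forward(VPC_RT_SHARED_SVC_PROD_INFRA, TGW_RT_SHARED_SVC_PROD, "8.8.8.8"))
    for dst in ("10.148.100.10", "10.148.0.10", "8.8.8.8"):
        print("tst private  ->", dst, forward(VPC_RT_SHARED_SVC_TST_PRIVATE, TGW_RT_SHARED_SVC_TST, dst))
```

Three results are worth checking against the design intent: from the TST domain, 10.148.96.0/19 still reaches remote access because its /19 is more specific than the 10.0.0.0/8 blackhole, while 10.148.0.10 (Shared Services prod) hits the blackhole, which is what enforces the "No" between shared-services-tst and shared-services-prod in the communication matrix; and from an Infra subnet any non-local destination is dropped before it ever reaches the Transit Gateway, because that route table has no default route. With both DX and VPN propagating 10.0.0.0/8, the Direct Connect attachment is chosen, and the VPN path only takes over if the DX route is withdrawn.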

Network Access Control List

A Network ACL (NACL) is a subnet-level firewall that allows or denies traffic based on numbered rules matching IP ranges, protocols and ports. Rules are evaluated in ascending rule-number order and the first match wins; the final `*` rule denies everything not matched earlier. NACLs are stateless, so return traffic is not allowed automatically: this is why several of the rule sets below allow TCP 1024-65535 (the ephemeral port range) from 0.0.0.0/0 inbound, so that replies to connections initiated from the subnet can come back. Security groups remain the stateful, instance-level control on top of the NACL.

Shared-services prod

prod-acl-pub-shared-services

Inbound

| Rule no. | Source         | Type        | Protocol | Port range | Action |
|----------|----------------|-------------|----------|------------|--------|
| 100      | 10.148.32.0/19 | All traffic | ALL      | ALL        | Deny   |
| 2000     | 0.0.0.0/0      | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0      | All traffic | ALL      | ALL        | Deny   |

Outbound

| Rule no. | Destination | Type        | Protocol | Port range | Action |
|----------|-------------|-------------|----------|------------|--------|
| 2000     | 0.0.0.0/0   | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0   | All traffic | ALL      | ALL        | Deny   |

prod-acl-priv-shared-services

Inbound

| Rule no. | Source          | Type        | Protocol | Port range | Action |
|----------|-----------------|-------------|----------|------------|--------|
| 100      | 10.148.32.0/19  | All traffic | ALL      | ALL        | Allow  |
| 110      | 10.148.16.0/22  | All traffic | ALL      | ALL        | Allow  |
| 120      | 10.148.20.0/22  | All traffic | ALL      | ALL        | Allow  |
| 130      | 10.148.24.0/23  | All traffic | ALL      | ALL        | Allow  |
| 140      | 10.148.26.0/23  | All traffic | ALL      | ALL        | Allow  |
| 150      | 10.148.28.0/23  | All traffic | ALL      | ALL        | Allow  |
| 800      | 10.148.160.0/22 | All traffic | ALL      | ALL        | Allow  |
| 2000     | 0.0.0.0/0       | Custom TCP  | TCP      | 1024-65535 | Allow  |
| *        | 0.0.0.0/0       | All traffic | ALL      | ALL        | Deny   |

Outbound

| Rule no. | Destination | Type        | Protocol | Port range | Action |
|----------|-------------|-------------|----------|------------|--------|
| 2000     | 0.0.0.0/0   | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0   | All traffic | ALL      | ALL        | Deny   |

prod-acl-db-shared-services

Inbound

| Rule no. | Source          | Type        | Protocol | Port range | Action |
|----------|-----------------|-------------|----------|------------|--------|
| 100      | 10.148.32.0/19  | All traffic | ALL      | ALL        | Deny   |
| 110      | 10.148.16.0/22  | All traffic | ALL      | ALL        | Allow  |
| 120      | 10.148.20.0/22  | All traffic | ALL      | ALL        | Allow  |
| 800      | 10.148.160.0/22 | All traffic | ALL      | ALL        | Allow  |
| 2000     | 0.0.0.0/0       | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0       | All traffic | ALL      | ALL        | Deny   |

Outbound

| Rule no. | Destination     | Type        | Protocol | Port range | Action |
|----------|-----------------|-------------|----------|------------|--------|
| 100      | 10.148.0.0/22   | All traffic | ALL      | ALL        | Allow  |
| 110      | 10.148.4.0/22   | All traffic | ALL      | ALL        | Allow  |
| 120      | 10.148.8.0/22   | All traffic | ALL      | ALL        | Allow  |
| 800      | 10.148.160.0/19 | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0       | All traffic | ALL      | ALL        | Deny   |

Workload OU

Dev Public VPC

dev-acl-pub-workload-dev-public-vpc

Inbound

| Rule no. | Source                     | Type        | Protocol | Port range | Action |
|----------|----------------------------|-------------|----------|------------|--------|
| 100      | 10.X.X.0/19 (private VPC)  | All traffic | ALL      | ALL        | Deny   |
| 110      | 10.X.X.0/19 (isolated VPC) | All traffic | ALL      | ALL        | Deny   |
| 2000     | 0.0.0.0/0                  | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0                  | All traffic | ALL      | ALL        | Deny   |

Outbound

| Rule no. | Destination | Type        | Protocol | Port range | Action |
|----------|-------------|-------------|----------|------------|--------|
| 2000     | 0.0.0.0/0   | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0   | All traffic | ALL      | ALL        | Deny   |

dev-acl-pub-workload-dev-public-vpc

Inbound

| Rule no. | Source                        | Type        | Protocol | Port range | Action |
|----------|-------------------------------|-------------|----------|------------|--------|
| 100      | 10.X.X.0/20 (pub-subnet-az1)  | All traffic | ALL      | ALL        | Allow  |
| 110      | 10.X.X.0/20 (pub-subnet-az2)  | All traffic | ALL      | ALL        | Allow  |
| 120      | 10.X.X.0/20 (pub-subnet-az3)  | All traffic | ALL      | ALL        | Allow  |
| 130      | 10.X.X.0/27 (gwlb-subnet-az1) | All traffic | ALL      | ALL        | Allow  |
| 140      | 10.X.X.0/27 (gwlb-subnet-az2) | All traffic | ALL      | ALL        | Allow  |
| 150      | 10.X.X.0/27 (gwlb-subnet-az3) | All traffic | ALL      | ALL        | Allow  |
| 160      | 10.X.X.0/27 (infra-subnet-az1) | All traffic | ALL     | ALL        | Allow  |
| 170      | 10.X.X.0/27 (infra-subnet-az2) | All traffic | ALL     | ALL        | Allow  |
| 180      | 10.X.X.0/27 (infra-subnet-az3) | All traffic | ALL     | ALL        | Allow  |
| 800      | 10.148.160.0/19               | All traffic | ALL      | ALL        | Allow  |
| 2000     | 0.0.0.0/0                     | Custom TCP  | TCP      | 1024-65535 | Allow  |
| *        | 0.0.0.0/0                     | All traffic | ALL      | ALL        | Deny   |

Outbound

| Rule no. | Destination | Type        | Protocol | Port range | Action |
|----------|-------------|-------------|----------|------------|--------|
| 2000     | 0.0.0.0/0   | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0   | All traffic | ALL      | ALL        | Deny   |

dev-acl-gwlb-workload-dev-public-vpc

Inbound

| Rule no. | Source                         | Type        | Protocol | Port range | Action |
|----------|--------------------------------|-------------|----------|------------|--------|
| 100      | 10.X.X.0/20 (pub-subnet-az1)   | All traffic | ALL      | ALL        | Allow  |
| 110      | 10.X.X.0/20 (pub-subnet-az2)   | All traffic | ALL      | ALL        | Allow  |
| 120      | 10.X.X.0/20 (pub-subnet-az3)   | All traffic | ALL      | ALL        | Allow  |
| 130      | 10.X.X.0/20 (priv-subnet-az1)  | All traffic | ALL      | ALL        | Allow  |
| 140      | 10.X.X.0/20 (priv-subnet-az2)  | All traffic | ALL      | ALL        | Allow  |
| 150      | 10.X.X.0/20 (priv-subnet-az3)  | All traffic | ALL      | ALL        | Allow  |
| 160      | 10.X.X.0/27 (infra-subnet-az1) | All traffic | ALL      | ALL        | Allow  |
| 170      | 10.X.X.0/27 (infra-subnet-az2) | All traffic | ALL      | ALL        | Allow  |
| 180      | 10.X.X.0/27 (infra-subnet-az3) | All traffic | ALL      | ALL        | Allow  |
| 800      | 10.148.160.0/19                | All traffic | ALL      | ALL        | Allow  |
| 2000     | 0.0.0.0/0                      | Custom TCP  | TCP      | 1024-65535 | Allow  |
| *        | 0.0.0.0/0                      | All traffic | ALL      | ALL        | Deny   |

Outbound

| Rule no. | Destination | Type        | Protocol | Port range | Action |
|----------|-------------|-------------|----------|------------|--------|
| 2000     | 0.0.0.0/0   | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0   | All traffic | ALL      | ALL        | Deny   |

dev-acl-infra-workload-dev-public-vpc

Inbound

| Rule no. | Source                           | Type        | Protocol | Port range | Action |
|----------|----------------------------------|-------------|----------|------------|--------|
| 100      | 10.X.X.0/16 (DEV-CIDR)           | All traffic | ALL      | ALL        | Allow  |
| 110      | 10.148.0.0/16 (OU-infrastructure) | All traffic | ALL     | ALL        | Allow  |
| 2000     | 0.0.0.0/0                        | Custom TCP  | TCP      | 1024-65535 | Allow  |
| *        | 0.0.0.0/0                        | All traffic | ALL      | ALL        | Deny   |

Outbound

| Rule no. | Destination                      | Type        | Protocol | Port range | Action |
|----------|----------------------------------|-------------|----------|------------|--------|
| 100      | 10.X.X.0/16 (DEV-CIDR)           | All traffic | ALL      | ALL        | Allow  |
| 110      | 10.148.0.0/16 (OU-infrastructure) | All traffic | ALL     | ALL        | Allow  |
| *        | 0.0.0.0/0                        | All traffic | ALL      | ALL        | Deny   |

DEV Private VPC

dev-acl-priv-workload-dev-private-vpc

Inbound

| Rule no. | Source                         | Type        | Protocol | Port range | Action |
|----------|--------------------------------|-------------|----------|------------|--------|
| 100      | 10.X.X.0/27 (infra-subnet-az1) | All traffic | ALL      | ALL        | Allow  |
| 110      | 10.X.X.0/27 (infra-subnet-az2) | All traffic | ALL      | ALL        | Allow  |
| 120      | 10.X.X.0/27 (infra-subnet-az3) | All traffic | ALL      | ALL        | Allow  |
| 800      | 10.148.160.0/19                | All traffic | ALL      | ALL        | Allow  |
| 2000     | 0.0.0.0/0                      | Custom TCP  | TCP      | 1024-65535 | Allow  |
| *        | 0.0.0.0/0                      | All traffic | ALL      | ALL        | Deny   |

Outbound

| Rule no. | Destination | Type        | Protocol | Port range | Action |
|----------|-------------|-------------|----------|------------|--------|
| 2000     | 0.0.0.0/0   | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0   | All traffic | ALL      | ALL        | Deny   |

dev-acl-infra-workload-dev-private-vpc

Inbound

| Rule no. | Source                           | Type        | Protocol | Port range | Action |
|----------|----------------------------------|-------------|----------|------------|--------|
| 100      | 10.X.X.0/16 (DEV-CIDR)           | All traffic | ALL      | ALL        | Allow  |
| 110      | 10.148.0.0/16 (OU-Infrastructure) | All traffic | ALL     | ALL        | Allow  |
| 2000     | 0.0.0.0/0                        | Custom TCP  | TCP      | 1024-65535 | Allow  |
| *        | 0.0.0.0/0                        | All traffic | ALL      | ALL        | Deny   |

Outbound

| Rule no. | Destination                      | Type        | Protocol | Port range | Action |
|----------|----------------------------------|-------------|----------|------------|--------|
| 100      | 10.X.X.0/16 (DEV-CIDR)           | All traffic | ALL      | ALL        | Allow  |
| 110      | 10.148.0.0/16 (OU-Infrastructure) | All traffic | ALL     | ALL        | Allow  |
| *        | 0.0.0.0/0                        | All traffic | ALL      | ALL        | Deny   |

DEV Isolated VPC

dev-acl-infra-workload-dev-private-vpc

Inbound

| Rule no. | Source          | Type        | Protocol | Port range | Action |
|----------|-----------------|-------------|----------|------------|--------|
| 800      | 10.148.160.0/19 | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0       | All traffic | ALL      | ALL        | Deny   |

Outbound

| Rule no. | Destination     | Type        | Protocol | Port range | Action |
|----------|-----------------|-------------|----------|------------|--------|
| 800      | 10.148.160.0/19 | All traffic | ALL      | ALL        | Allow  |
| *        | 0.0.0.0/0       | All traffic | ALL      | ALL        | Deny   |
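Because NACL rules are ordered, first-match and stateless, it is easy to misjudge what a rule set above actually admits. The following Python is an added example, not part of the LLD: it implements the AWS evaluation semantics (ascending rule number, first match wins, `*` last, port range matched against the packet's destination port) and checks both directions of a TCP connection against the `prod-acl-priv-shared-services` and `prod-acl-db-shared-services` rule sets copied from the tables above (the DB subnet rows use the /23 prefixes defined in the subnet table). The external peer address 203.0.113.10 and the ephemeral ports are constructed test values.

```python
"""Stateless NACL evaluation (added example, not part of the LLD)."""
import ipaddress
from dataclasses import dataclass

ALL = "ALL"
STAR = 32767  # the '*' catch-all rule is always evaluated last


@dataclass(frozen=True)
class Rule:
    number: int
    cidr: str       # source for inbound rules, destination for outbound rules
    protocol: str   # "ALL", "TCP", "UDP"
    ports: object   # (low, high) inclusive, or ALL; matched against the packet's destination port
    action: str     # "Allow" or "Deny"


# prod-acl-priv-shared-services, from the tables above.
PRIV_INBOUND = [
    Rule(100, "10.148.32.0/19", ALL, ALL, "Allow"),
    Rule(110, "10.148.16.0/22", ALL, ALL, "Allow"),
    Rule(120, "10.148.20.0/22", ALL, ALL, "Allow"),
    Rule(130, "10.148.24.0/23", ALL, ALL, "Allow"),
    Rule(140, "10.148.26.0/23", ALL, ALL, "Allow"),
    Rule(150, "10.148.28.0/23", ALL, ALL, "Allow"),
    Rule(800, "10.148.160.0/22", ALL, ALL, "Allow"),
    Rule(2000, "0.0.0.0/0", "TCP", (1024, 65535), "Allow"),  # return traffic to ephemeral ports
    Rule(STAR, "0.0.0.0/0", ALL, ALL, "Deny"),
]
PRIV_OUTBOUND = [
    Rule(2000, "0.0.0.0/0", ALL, ALL, "Allow"),
    Rule(STAR, "0.0.0.0/0", ALL, ALL, "Deny"),
]

# prod-acl-db-shared-services inbound: a low-numbered Deny shadows the later 0.0.0.0/0 Allow.
DB_INBOUND = [
    Rule(100, "10.148.32.0/19", ALL, ALL, "Deny"),
    Rule(110, "10.148.16.0/22", ALL, ALL, "Allow"),
    Rule(120, "10.148.20.0/22", ALL, ALL, "Allow"),
    Rule(800, "10.148.160.0/22", ALL, ALL, "Allow"),
    Rule(2000, "0.0.0.0/0", ALL, ALL, "Allow"),
    Rule(STAR, "0.0.0.0/0", ALL, ALL, "Deny"),
]


def evaluate(rules, addr, protocol, dst_port):
    """First matching rule in ascending rule-number order decides; returns (action, rule number)."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda r: r.number):
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        if r.protocol != ALL and r.protocol != protocol:
            continue
        if r.ports != ALL and not (r.ports[0] <= dst_port <= r.ports[1]):
            continue
        return r.action, r.number
    return "Deny", STAR  # only reached if a rule set has no '*' entry


def flow_allowed(inbound, outbound, peer, protocol, service_port, ephemeral_port, initiated_locally):
    """A connection needs both directions to pass. NACLs keep no state, so the
    reply is checked against the opposite rule set on the initiator's ephemeral port."""
    if initiated_locally:
        request = evaluate(outbound, peer, protocol, service_port)  # our SYN to the peer's service
        reply = evaluate(inbound, peer, protocol, ephemeral_port)   # peer's SYN/ACK to our ephemeral port
    else:
        request = evaluate(inbound, peer, protocol, service_port)   # peer's SYN to our service
        reply = evaluate(outbound, peer, protocol, ephemeral_port)  # our SYN/ACK to the peer's ephemeral port
    return request[0] == "Allow" and reply[0] == "Allow", request, reply


if __name__ == "__main__":
    peer = "203.0.113.10"  # constructed external address (TEST-NET-3)
    print("outbound HTTPS:", flow_allowed(PRIV_INBOUND, PRIV_OUTBOUND, peer, "TCP", 443, 50000, True))
    print("inbound SSH:   ", flow_allowed(PRIV_INBOUND, PRIV_OUTBOUND, peer, "TCP", 22, 40000, False))
    print("inbound 8080:  ", flow_allowed(PRIV_INBOUND, PRIV_OUTBOUND, peer, "TCP", 8080, 40000, False))
    print("DB from TST:   ", evaluate(DB_INBOUND, "10.148.40.1", "TCP", 5432))
```

Two of the outcomes are the ones to keep in mind when reviewing these tables. The inbound-8080 case is allowed at the NACL layer: rule 2000 exists to let replies reach ephemeral ports, but it equally admits new connections from any source to any port above 1023, so a listening service on such a port is protected only by its security group. The DB case shows why the Deny for 10.148.32.0/19 must keep a lower number than the 0.0.0.0/0 Allow at 2000; renumbering it above 2000 would silently open the DB subnets to the TST VPC.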

Communication between accounts

Communication between accounts is controlled by routing domains (Transit Gateway route tables) together with the VPC route tables. Application environments have no connectivity to each other, and Sandbox accounts are fully isolated. The matrix below lists which OU Infrastructure/Security VPCs can reach each other.

| From \ To            | shared-services-prod | shared-services-tst | central-network | remote-access | backup | log-archive | monitoring |
|----------------------|----------------------|---------------------|-----------------|---------------|--------|-------------|------------|
| shared-services-prod | X                    | No                  | Yes             | Yes           | No     | No          | No         |
| shared-services-tst  | No                   | X                   | Yes             | Yes           | No     | No          | No         |
| central-network      | Yes                  | Yes                 | X               | Yes           | Yes    | Yes         | Yes        |
| remote-access        | Yes                  | Yes                 | Yes             | X             | Yes    | Yes         | Yes        |
| backup               | No                   | No                  | Yes             | Yes           | X      | No          | Yes        |
| log-archive          | No                   | No                  | Yes             | Yes           | No     | X           | Yes        |
| monitoring           | No                   | No                  | Yes             | Yes           | Yes    | Yes         | X          |

Expected Outcomes

  1. Secure setup of AWS environment Network.

  2. Centralized Internet connection.

  3. Established connections between Spoke VPCs.

Last modified: 17 February 2025