Terraform modules for deploying various AWS landing zones for NC2
Introduction
This guide introduces a set of Terraform / OpenTofu modules designed to automate the creation of all AWS resources required to deploy a Nutanix Cloud Clusters (NC2) environment on AWS. Two repositories are published on GitHub for the landing zones: one is a basic AWS environment for a simple cluster deployment; the other is for DR purposes and deploys two VPCs in various configurations.
The landing zones are made to be versatile and fully configurable to deploy VPCs for NC2 in the following patterns:
- Single Region, Single AZ
- Single Region, Dual AZ, VPC peering
- Single Region, Dual AZ, TGW routing
- Multi Region, Dual AZ, VPC peering
- Multi Region, Dual AZ, TGW peering
Benefits of automation
Automation with Terraform and OpenTofu brings several significant advantages:
- Time Efficiency: Manual configuration of NC2 environments can be time-consuming. These scripts automate the process, reducing deployment time from hours to minutes.
- Reduced human error: Creating an AWS environment that checks all the boxes for what NC2 needs can be complex and error-prone if done manually.
- Consistency: Automated deployments ensure consistent configurations across different environments.
- Reproducibility: The infrastructure can be easily recreated or modified using the same code.
- Version Control: Infrastructure changes can be tracked and managed through version control systems.
Features of the Terraform module
The deployment creates the following resources:
- Single or dual VPCs
- One IGW / AZ
- One public subnet with NAT-GW / AZ
- Three private subnets (bare-metal, Prism Central, Flow)
- Public route table
- Default route table for private subnets
- Transit gateway(s) if selected
- TGW attachments (if selected)
- Routes added to all relevant route tables and TGW route tables (if selected)
Configuration of the DR modules
Configure the variables in terraform.tfvars to deploy the type of environment you would like:
project_prefix = "nc2"
vpc1_region = "ap-northeast-1"
vpc2_region = "ap-northeast-1" # or different region
vpc1_cidr = "10.101.0.0/16"
vpc2_cidr = "10.102.0.0/16"
peering_type = "vpc" # or "tgw"
Networking
When applied, the module will create an environment designed to support a scale-out Flow Gateway model that supports BGP for routing of overlay networks. This is beneficial for automatically sharing routes from any subnets created as overlay networks on NC2. These can be advertised via the Azure Route Server to the rest of the Azure environment as well as via an S2S VPN or ExpressRoute to an on-prem DC or office.
Solution architecture diagrams
The components shown in the following diagrams will be deployed.
1. Simple landing-zone
This scenario deploys a single VPC with the required public and private subnets + IGW and NAT-GW for external connectivity.
2. DR landing zone: Same Region, VPC Peering
This scenario deploys both VPCs in the same region with VPC peering for connectivity.
| tfvars variable | Setting |
|---|---|
| vpc1_region | ap-northeast-1 |
| vpc2_region | ap-northeast-1 |
| vpc1_cidr | "10.101.0.0/16" |
| vpc2_cidr | "10.102.0.0/16" |
| peering_type | vpc |
| vpc1_az | ap-northeast-1a |
| vpc2_az | ap-northeast-1c |
3. DR landing zone: Same Region, TGW Peering
This scenario deploys both VPCs in the same region with Transit Gateway peering for connectivity.
| tfvars variable | Setting |
|---|---|
| vpc1_region | ap-northeast-1 |
| vpc2_region | ap-northeast-1 |
| vpc1_cidr | "10.101.0.0/16" |
| vpc2_cidr | "10.102.0.0/16" |
| peering_type | tgw |
| vpc1_az | ap-northeast-1a |
| vpc2_az | ap-northeast-1c |
4. DR landing zone: Cross-Region, VPC Peering
This scenario deploys VPCs in different regions with VPC peering for connectivity.
| tfvars variable | Setting |
|---|---|
| vpc1_region | ap-northeast-1 |
| vpc2_region | ap-northeast-3 |
| vpc1_cidr | "10.101.0.0/16" |
| vpc2_cidr | "10.102.0.0/16" |
| peering_type | vpc |
| vpc1_az | ap-northeast-1a |
| vpc2_az | ap-northeast-3a |
5. DR landing zone: Cross-Region, TGW Peering
This scenario deploys VPCs in different regions with Transit Gateway peering for connectivity.
| tfvars variable | Setting |
|---|---|
| vpc1_region | ap-northeast-1 |
| vpc2_region | ap-northeast-3 |
| vpc1_cidr | "10.101.0.0/16" |
| vpc2_cidr | "10.102.0.0/16" |
| peering_type | tgw |
| vpc1_az | ap-northeast-1a |
| vpc2_az | ap-northeast-3a |
Subnet Structure
Each VPC contains:
- 1 public subnet
- 3 private subnets (metal, pc, flow)
- All subnets are /24 CIDR blocks
| Subnet suffix | Description | Type |
|---|---|---|
| pc | Subnet for Prism Central | Private |
| metal | EC2 bare-metal server subnet | Private |
| flow | Flow Virtual Networking subnet | Private |
| public | Internet access for cluster | Public |
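The terraform.tfvars snippet above and the subnet structure just described can be checked before running terraform plan. The following Python script is an added example, not code from either GitHub repository: it parses the simple key = "value" form of the guide's tfvars, validates that peering_type is "vpc" or "tgw", that the two VPC CIDRs do not overlap (overlapping CIDRs make peering and TGW routes ambiguous), that each AZ lies in its region, and that a same-region deployment uses two different AZs. It also derives the four /24 subnets per VPC. The sample values, the carving order (public, metal, pc, flow from the start of the VPC CIDR) and the function names are assumptions for illustration only.

```python
import ipaddress
import re

# Constructed sample in the shape of the guide's terraform.tfvars (the
# keys are from the page; the values are hypothetical).
SAMPLE_TFVARS = '''
project_prefix = "nc2"
vpc1_region = "ap-northeast-1"
vpc2_region = "ap-northeast-3"  # or different region
vpc1_cidr = "10.101.0.0/16"
vpc2_cidr = "10.102.0.0/16"
peering_type = "tgw"  # or "vpc"
vpc1_az = "ap-northeast-1a"
vpc2_az = "ap-northeast-3a"
'''

# One public and three private /24s per VPC; the carving order is an assumption.
SUBNET_SUFFIXES = ("public", "metal", "pc", "flow")
REQUIRED_KEYS = ("vpc1_region", "vpc2_region", "vpc1_cidr", "vpc2_cidr",
                 "peering_type", "vpc1_az", "vpc2_az")

# Matches `name = "string"`; anything after the closing quote (comments) is ignored.
_ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"')


def parse_tfvars(text):
    """Parse the simple key = "string" assignments used in the guide."""
    values = {}
    for line in text.splitlines():
        match = _ASSIGNMENT.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def validate(cfg):
    """Return a list of problems; an empty list means the config is usable."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in cfg]
    if problems:
        return problems
    if cfg["peering_type"] not in ("vpc", "tgw"):
        problems.append('peering_type must be "vpc" or "tgw"')
    try:
        vpc1 = ipaddress.ip_network(cfg["vpc1_cidr"], strict=True)
        vpc2 = ipaddress.ip_network(cfg["vpc2_cidr"], strict=True)
    except ValueError as exc:
        problems.append(f"invalid CIDR: {exc}")
        return problems
    if vpc1.overlaps(vpc2):
        problems.append("vpc1_cidr and vpc2_cidr overlap: peering/TGW routes would be ambiguous")
    for name, net in (("vpc1_cidr", vpc1), ("vpc2_cidr", vpc2)):
        if net.prefixlen > 22:  # four /24s need at least a /22
            problems.append(f"{name} is too small for four /24 subnets")
    for i in (1, 2):
        if not cfg[f"vpc{i}_az"].startswith(cfg[f"vpc{i}_region"]):
            problems.append(f"vpc{i}_az is not in vpc{i}_region")
    if cfg["vpc1_region"] == cfg["vpc2_region"] and cfg["vpc1_az"] == cfg["vpc2_az"]:
        problems.append("same-region DR needs two different AZs")
    return problems


def plan_subnets(vpc_cidr):
    """Carve the public/metal/pc/flow /24s from the front of the VPC CIDR."""
    subnets = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=24)
    return {suffix: str(next(subnets)) for suffix in SUBNET_SUFFIXES}


def scenario_name(cfg):
    """Name the deployment pattern the way the architecture diagrams do."""
    scope = "Same Region" if cfg["vpc1_region"] == cfg["vpc2_region"] else "Cross-Region"
    kind = "VPC Peering" if cfg["peering_type"] == "vpc" else "TGW Peering"
    return f"DR landing zone: {scope}, {kind}"


if __name__ == "__main__":
    config = parse_tfvars(SAMPLE_TFVARS)
    print(scenario_name(config))
    for problem in validate(config):
        print("PROBLEM:", problem)
    for n in (1, 2):
        print(f"vpc{n}:", plan_subnets(config[f"vpc{n}_cidr"]))
```

Run it against your own terraform.tfvars by replacing SAMPLE_TFVARS with the file contents; a non-empty problem list is worth resolving before terraform apply, since overlapping CIDRs or a misplaced AZ only surface as routing failures after the resources exist.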
Download and execution
The samples can be downloaded / cloned from the following GitHub repositories:
- https://github.com/jonas-werner/nc2-on-aws-landing-zone
- https://github.com/jonas-werner/nc2-on-aws-dr-landing-zone
For the basic landing zone:
git clone https://github.com/jonas-werner/nc2-on-aws-landing-zone.git
For the DR landing zones:
git clone https://github.com/jonas-werner/nc2-on-aws-dr-landing-zone.git
Initialize and apply:
terraform init
terraform plan -out nc2.plan
terraform apply nc2.plan
Conclusion
This guide has given an introduction to a Terraform module for deploying an Azure landing zone in preparation for an NC2 deployment on Azure. Hopefully it has been useful. Please refer to the links below for more resources.