Infra Foundation module

VPC Pro: enterprise-grade AWS VPC module for production workloads

A production-ready, multi-AZ AWS VPC module engineered for startups, platform teams, consultants, and enterprise teams that need secure, repeatable networking without rebuilding the foundation from scratch.

VPC Pro multi-AZ architecture diagram

Built for real production environments

VPC Pro is Infra Foundation's flagship networking module: a hardened Terraform foundation for public and private AWS networking across multiple Availability Zones. It packages the pieces most teams need before deploying load balancers, EC2, ECS, EKS, Lambda, RDS, or internal services.

VPC Pro includes public and private subnet tiers, Internet Gateway routing, NAT Gateway strategies, optional VPC Flow Logs to CloudWatch Logs, custom network ACLs, and baseline security groups for ALB-facing and private compute workloads.

It is designed to be understandable, repeatable, and audit-friendly: deterministic resource names, clear tags, locked provider constraints, examples, diagrams, and root-module separation from the reusable vpc/ submodule.

What is included

Production-ready VPC architecture
  • Configurable VPC CIDR and Availability Zone count
  • One public subnet and one private subnet per AZ
  • Internet Gateway and public route table
  • Per-AZ private route tables
  • DNS support and hostnames enabled by default
NAT and routing strategies
  • One NAT Gateway for cost-sensitive environments
  • One NAT Gateway per AZ for high availability
  • Elastic IPs managed with Terraform
  • Stable Terraform resource addresses: for_each keyed by AZ name rather than list position
Security baseline
  • Optional custom public and private NACLs
  • Optional ALB security group for public ingress
  • Optional private compute security group
  • Configurable app port from ALB to private workloads
  • Inbound SSH (TCP 22) not allowed through the public NACLs by default
Operational visibility
  • Optional VPC Flow Logs
  • CloudWatch Logs delivery and retention control
  • IAM role and policy for log publishing
  • Outputs for VPC, subnets, route tables, NAT, NACLs, and security groups
Documentation and examples
  • Complete README and extended docs
  • Architecture documentation and Mermaid diagram source
  • Minimal example for VPC-only adoption
  • Complete example with ALB and private EC2 placeholders
Terraform quality
  • Provider constraints and lock file guidance
  • No hard-coded account or region values
  • Input validation for key variables
  • Consistent tagging: Project, Environment, ManagedBy
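The subnet, NAT and routing items above in concrete form. This is an added illustrative example, not VPC Pro's own code; the variable, local and resource names are assumptions, and it expects AWS provider 5.x. The point it shows is why keying every per-AZ resource by AZ name matters: removing an AZ later leaves the other AZs' subnets, NAT Gateways and route tables untouched, whereas a count-based layout would renumber and recreate them, and why a private route table per AZ lets the single and per-AZ NAT strategies share one layout.

```hcl
# Added example (not VPC Pro's own code): per-AZ subnets keyed by AZ name,
# a selectable NAT strategy, one private route table per AZ. Names are assumptions.

variable "vpc_cidr" {
  type    = string
  default = "10.20.0.0/16"
}

variable "azs" {
  type    = list(string)
  default = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] # list position selects the CIDR, max 8 AZs
}

variable "nat_strategy" {
  type    = string
  default = "per_az" # single = one NAT Gateway in the first AZ; per_az = one in every AZ
  validation {
    condition     = contains(["single", "per_az"], var.nat_strategy)
    error_message = "nat_strategy must be \"single\" or \"per_az\"."
  }
}

locals {
  # Maps keyed by AZ name, not list index: dropping one AZ later leaves the
  # other AZs' resource addresses, and therefore their state, unchanged.
  public_subnets  = { for i, az in var.azs : az => cidrsubnet(var.vpc_cidr, 4, i) }
  private_subnets = { for i, az in var.azs : az => cidrsubnet(var.vpc_cidr, 4, i + 8) }
  nat_azs         = var.nat_strategy == "per_az" ? toset(var.azs) : toset([var.azs[0]])
}

resource "aws_vpc" "this" {
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_internet_gateway" "this" {
  vpc_id = aws_vpc.this.id
}

resource "aws_subnet" "public" {
  for_each          = local.public_subnets
  vpc_id            = aws_vpc.this.id
  cidr_block        = each.value
  availability_zone = each.key
}

resource "aws_subnet" "private" {
  for_each          = local.private_subnets
  vpc_id            = aws_vpc.this.id
  cidr_block        = each.value
  availability_zone = each.key
}

# Public tier: one route table, default route to the Internet Gateway.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.this.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.this.id
  }
}

resource "aws_route_table_association" "public" {
  for_each       = aws_subnet.public
  subnet_id      = each.value.id
  route_table_id = aws_route_table.public.id
}

# NAT Gateways and their EIPs, one per selected AZ, in that AZ's public subnet.
resource "aws_eip" "nat" {
  for_each = local.nat_azs
  domain   = "vpc"
}

resource "aws_nat_gateway" "this" {
  for_each      = local.nat_azs
  allocation_id = aws_eip.nat[each.key].id
  subnet_id     = aws_subnet.public[each.key].id
  depends_on    = [aws_internet_gateway.this]
}

# Private tier: one route table per AZ. Under per_az an AZ egresses through its
# own gateway, so a NAT failure stays in that AZ; under single all AZs use the first.
resource "aws_route_table" "private" {
  for_each = aws_subnet.private
  vpc_id   = aws_vpc.this.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.this[contains(local.nat_azs, each.key) ? each.key : var.azs[0]].id
  }
}

resource "aws_route_table_association" "private" {
  for_each       = aws_subnet.private
  subnet_id      = each.value.id
  route_table_id = aws_route_table.private[each.key].id
}
```

Switching nat_strategy from single to per_az on an existing deployment adds gateways and rewrites the per-AZ default routes; it does not touch subnets or their associations, because nothing is keyed by the number of gateways.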

Repository structure

VPC Pro uses a compact, reviewable repository layout: the reusable implementation lives in vpc/, while the repository root provides a convenience wrapper for teams that want a single entry point.

terraform-aws-vpc-pro/
├── main.tf
├── variables.tf
├── outputs.tf
├── versions.tf
├── vpc/
│   ├── main.tf
│   ├── variables.tf
│   ├── outputs.tf
│   └── README.md
├── examples/
│   ├── minimal/
│   └── complete/
├── docs/
│   ├── architecture.md
│   ├── compatibility.md
│   ├── upgrade.md
│   └── diagrams/
└── README.md

Frequently asked questions

Who is VPC Pro for?

Founders, DevOps engineers, platform teams, and consultants who need a secure AWS network foundation without reinventing the VPC from scratch.

Does it follow AWS best practices?

Yes. The module follows common AWS Well-Architected networking patterns: multi-AZ design, private workloads, controlled egress, DNS support, flow logs, and consistent tagging.
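The flow-logs item, as an added example of what "VPC Flow Logs to CloudWatch Logs with retention control and an IAM role for log publishing" looks like when written out. This is illustrative code, not VPC Pro's own; the vpc_id and retention variables and the resource names are assumptions. The two security details worth copying are the aws:SourceAccount condition on the role's trust policy and the write permissions scoped to the one log group.

```hcl
# Added example (not VPC Pro's own code): VPC Flow Logs to CloudWatch Logs
# with retention control and a least-privilege publishing role.
# vpc_id, the retention variable and all resource names are assumptions.

variable "vpc_id" {
  type = string
}

variable "flow_log_retention_days" {
  type    = number
  default = 90
  validation {
    condition     = contains([1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653], var.flow_log_retention_days)
    error_message = "flow_log_retention_days must be a retention value CloudWatch Logs accepts."
  }
}

data "aws_caller_identity" "current" {}

resource "aws_cloudwatch_log_group" "flow" {
  name              = "/aws/vpc/flow-logs/${var.vpc_id}"
  retention_in_days = var.flow_log_retention_days
}

# Trust policy pinned to this account so a flow log created in another account
# cannot assume the role (the aws:SourceAccount guard AWS recommends for service roles).
data "aws_iam_policy_document" "flow_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "flow" {
  name               = "vpc-flow-logs-${var.vpc_id}"
  assume_role_policy = data.aws_iam_policy_document.flow_assume.json
}

# Writes are limited to this log group and its streams. The group is created
# here, so logs:CreateLogGroup is not granted; the Describe calls are read-only metadata.
data "aws_iam_policy_document" "flow_publish" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.flow.arn}:*"]
  }
  statement {
    actions   = ["logs:DescribeLogGroups", "logs:DescribeLogStreams"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "flow" {
  role   = aws_iam_role.flow.id
  policy = data.aws_iam_policy_document.flow_publish.json
}

resource "aws_flow_log" "this" {
  vpc_id                   = var.vpc_id
  traffic_type             = "ALL" # ACCEPT-only logging hides the REJECT records an investigation needs
  log_destination_type     = "cloud-watch-logs"
  log_destination          = aws_cloudwatch_log_group.flow.arn
  iam_role_arn             = aws_iam_role.flow.arn
  max_aggregation_interval = 60
}
```

The retention validation mirrors the fixed set of values the CloudWatch Logs API accepts, so a typo such as 45 fails at plan time instead of at apply.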

Is it safe for compliance-driven workloads?

It provides useful building blocks for SOC 2, PCI DSS, and HIPAA-aligned environments: network isolation, flow logging, deterministic naming, and Terraform-managed controls. Final compliance depends on your complete workload and your organization's policies.

Can I customize CIDRs, AZs, or NAT strategy?

Yes. You can configure the VPC CIDR, explicit Availability Zones or AZ count, subnet sizing, NAT strategy, flow log retention, NACL creation, and baseline security group creation.
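The NACL and baseline security group options named in this answer, as an added example of the pattern rather than VPC Pro's own code. vpc_id, public_subnet_ids, app_port and the resource names are assumptions, and it expects AWS provider 5.x. It shows the caveat that matters when a public NACL is custom: NACLs are stateless, so an ephemeral-port return rule is unavoidable, and the precise per-host control therefore lives in the security groups, where the private tier admits traffic only from the ALB's security group rather than from a CIDR.

```hcl
# Added example (not VPC Pro's own code): a public NACL with no SSH rule and the
# ALB -> private compute security group pair. Variable and resource names are assumptions.

variable "vpc_id" { type = string }

variable "public_subnet_ids" { type = list(string) }

variable "app_port" {
  type    = number
  default = 8080
  validation {
    condition     = var.app_port >= 1 && var.app_port <= 65535
    error_message = "app_port must be a TCP port between 1 and 65535."
  }
}

# NACLs are stateless: rule 110 admits the replies to connections opened outbound
# from the public tier, including the NAT Gateways that sit there. There is
# deliberately no rule for TCP 22; the implicit final deny drops Internet SSH.
resource "aws_network_acl" "public" {
  vpc_id     = var.vpc_id
  subnet_ids = var.public_subnet_ids

  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }
  ingress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }
  egress {
    rule_no    = 100
    protocol   = "-1"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}

resource "aws_security_group" "alb" {
  name        = "alb-public"
  description = "Public HTTPS ingress to the ALB"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "app" {
  name        = "private-compute"
  description = "Private workloads reachable only from the ALB"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "alb_https" {
  security_group_id = aws_security_group.alb.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}

# Source is the ALB's security group, not a CIDR: nothing else in the VPC,
# public subnets included, can reach the app port.
resource "aws_vpc_security_group_ingress_rule" "app_from_alb" {
  security_group_id            = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = var.app_port
  to_port                      = var.app_port
  referenced_security_group_id = aws_security_group.alb.id
}

# Terraform removes the default allow-all egress, so egress is explicit here:
# the ALB may only reach the app tier, and the app tier only HTTPS out (via NAT).
resource "aws_vpc_security_group_egress_rule" "alb_to_app" {
  security_group_id            = aws_security_group.alb.id
  ip_protocol                  = "tcp"
  from_port                    = var.app_port
  to_port                      = var.app_port
  referenced_security_group_id = aws_security_group.app.id
}

resource "aws_vpc_security_group_egress_rule" "app_https_out" {
  security_group_id = aws_security_group.app.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}
```

If the ALB also listens on port 80 for an HTTP-to-HTTPS redirect, both the NACL and the ALB security group need a matching port 80 ingress rule; the app tier's rules do not change.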

Does it support PrivateLink or Transit Gateway?

VPC Pro is designed so VPC endpoints and Transit Gateway routes can be added cleanly when your architecture needs them. Done-for-you endpoint or Transit Gateway implementation fits the Enterprise+ tier.

What happens after checkout?

The product is delivered through the configured download flow and, when a GitHub username is provided at checkout, through private repository access for the purchased product.