Forem: Kehinde Ogunlowo The latest articles on Forem by Kehinde Ogunlowo (@kogunlowo123). https://forem.com/kogunlowo123 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3812123%2F604d88cd-050b-4d1a-935b-1a6b3f5ef514.jpeg Forem: Kehinde Ogunlowo https://forem.com/kogunlowo123 en The Complete Guide to Production EKS with Terraform Kehinde Ogunlowo Sun, 08 Mar 2026 18:56:56 +0000 https://forem.com/kogunlowo123/the-complete-guide-to-production-eks-with-terraform-f80 https://forem.com/kogunlowo123/the-complete-guide-to-production-eks-with-terraform-f80 <h2> "Production-ready EKS deployment with Terraform — Karpenter autoscaling, self-healing nodes, pod security standards, and multi-AZ high availability." </h2> <p>EKS is the most popular managed Kubernetes service, but most deployments I've seen in production audits are dangerously under-configured. Missing node auto-remediation, no pod security standards, manual scaling — the list goes on.</p> <p>This guide covers everything you need for production EKS.</p> <h2> EKS vs AKS vs GKE </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>EKS</th> <th>AKS</th> <th>GKE</th> </tr> </thead> <tbody> <tr> <td>Control Plane Cost</td> <td>$0.10/hr</td> <td>Free</td> <td>Free (Standard)</td> </tr> <tr> <td>Autopilot Mode</td> <td>No (use Karpenter)</td> <td>No</td> <td>Yes</td> </tr> <tr> <td>Node Auto-Repair</td> <td>Manual/Lambda</td> <td>Built-in</td> <td>Built-in</td> </tr> <tr> <td>Service Mesh</td> <td>App Mesh / Istio</td> <td>Istio</td> <td>Anthos / Istio</td> </tr> <tr> <td>GPU Support</td> <td>p4d, g5</td> <td>NC, ND series</td> <td>T4, A100</td> </tr> </tbody> </table></div> <h2> Terraform Module </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"github.com/kogunlowo123/terraform-aws-auto-healing-eks"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"production-cluster"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.29"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">node_groups</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"general"</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"m6i.xlarge"</span><span class="p">,</span> <span class="s2">"m6i.2xlarge"</span><span class="p">]</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">20</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">5</span> <span class="p">}]</span> <span class="nx">enable_karpenter</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_cluster_autoscaler</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Use Karpenter instead</span> <span class="nx">enable_node_termination_handler</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_auto_remediation</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h2> Best Practices </h2> <ol> <li> <strong>Use Karpenter over Cluster Autoscaler</strong> for faster scaling and better bin-packing</li> <li> <strong>Enable pod disruption budgets</strong> for every production workload</li> <li> <strong>Use node termination handler</strong> for spot instance graceful shutdown</li> <li> <strong>Implement network policies</strong> with Calico or Cilium</li> <li> <strong>Enable control plane logging</strong> to CloudWatch</li> <li> <strong>Use IRSA</strong> (IAM Roles for Service Accounts) instead of node-level IAM</li> </ol> <h2> Open Source </h2> <ul> <li> <a href="https://github.com/kogunlowo123/terraform-aws-auto-healing-eks" rel="noopener noreferrer">terraform-aws-auto-healing-eks</a> — Self-healing EKS</li> <li> <a href="https://github.com/kogunlowo123/terraform-aws-eks" rel="noopener noreferrer">terraform-aws-eks</a> — Standard EKS module</li> <li> <a href="https://github.com/kogunlowo123/terraform-aws-vpc-complete" rel="noopener noreferrer">terraform-aws-vpc-complete</a> — VPC for EKS</li> </ul> <p>Full guide: <a href="https://kogunlowo123.github.io/blog/terraform-eks-complete-guide.html" rel="noopener noreferrer">kogunlowo123.github.io</a></p> kubernetes aws terraform devops Building Production RAG Pipelines on AWS with Bedrock and OpenSearch Kehinde Ogunlowo Sun, 08 Mar 2026 18:54:25 +0000 https://forem.com/kogunlowo123/building-production-rag-pipelines-on-aws-with-bedrock-and-opensearch-o01 https://forem.com/kogunlowo123/building-production-rag-pipelines-on-aws-with-bedrock-and-opensearch-o01 <p>RAG (Retrieval-Augmented Generation) is how enterprises are deploying LLMs without fine-tuning. But most tutorials stop at the demo stage. Production RAG is a different beast entirely.</p> <p>Here's what production RAG actually requires — and how to build it on AWS.</p> <h2> RAG vs Fine-Tuning vs Prompt Engineering </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Approach</th> <th>Cost</th> <th>Data Freshness</th> <th>Accuracy</th> <th>Complexity</th> </tr> </thead> <tbody> <tr> <td>RAG</td> <td>Medium</td> <td>Real-time</td> <td>High (with good retrieval)</td> <td>Medium</td> </tr> <tr> <td>Fine-Tuning</td> <td>High</td> <td>Static (retraining needed)</td> <td>High</td> <td>High</td> </tr> <tr> <td>Prompt Engineering</td> <td>Low</td> <td>Static</td> <td>Variable</td> <td>Low</td> </tr> </tbody> </table></div> <h2> Architecture </h2> <p>The pipeline: Documents → Chunking → Embeddings → Vector Store → Query → Retrieval → LLM → Response.</p> <h2> Python Implementation </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">bedrock</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">bedrock-runtime</span><span class="sh">"</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">"</span><span class="s">us-east-1</span><span class="sh">"</span><span class="p">)</span> <span class="n">opensearch</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">opensearchserverless</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">query_knowledge_base</span><span class="p">(</span><span class="n">question</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">collection_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># Generate embedding for the question </span> <span class="n">embed_response</span> <span class="o">=</span> <span class="n">bedrock</span><span class="p">.</span><span class="nf">invoke_model</span><span class="p">(</span> <span class="n">modelId</span><span class="o">=</span><span class="sh">"</span><span class="s">amazon.titan-embed-text-v2:0</span><span class="sh">"</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">inputText</span><span class="sh">"</span><span class="p">:</span> <span class="n">question</span><span class="p">})</span> <span class="p">)</span> <span class="n">query_embedding</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">embed_response</span><span class="p">[</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">].</span><span class="nf">read</span><span class="p">())[</span><span class="sh">"</span><span class="s">embedding</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Search OpenSearch vector store </span> <span class="n">results</span> <span class="o">=</span> <span class="nf">search_vectors</span><span class="p">(</span><span class="n">query_embedding</span><span class="p">,</span> <span class="n">collection_id</span><span class="p">,</span> <span class="n">k</span><span class="o">=</span><span class="mi">5</span><span class="p">)</span> <span class="n">context</span> <span class="o">=</span> <span class="sh">"</span><span class="se">\n</span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">([</span><span class="n">r</span><span class="p">[</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">results</span><span class="p">])</span> <span class="c1"># Generate answer with context </span> <span class="n">prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s">Based on the following context, answer the question. Context: </span><span class="si">{</span><span class="n">context</span><span class="si">}</span><span class="s"> Question: </span><span class="si">{</span><span class="n">question</span><span class="si">}</span><span class="s"> Answer:</span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="n">bedrock</span><span class="p">.</span><span class="nf">invoke_model</span><span class="p">(</span> <span class="n">modelId</span><span class="o">=</span><span class="sh">"</span><span class="s">anthropic.claude-3-sonnet-20240229-v1:0</span><span class="sh">"</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span> <span class="sh">"</span><span class="s">anthropic_version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">bedrock-2023-05-31</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">messages</span><span class="sh">"</span><span class="p">:</span> <span class="p">[{</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">}],</span> <span class="sh">"</span><span class="s">max_tokens</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1024</span> <span class="p">})</span> <span class="p">)</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">].</span><span class="nf">read</span><span class="p">())[</span><span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">]</span> </code></pre> </div> <h2> Hallucination Mitigation </h2> <ol> <li> <strong>Chunk size matters</strong> — 512 tokens with 50-token overlap works best</li> <li> <strong>Hybrid search</strong> — combine semantic + keyword search (BM25)</li> <li> <strong>Citation grounding</strong> — force the model to cite source chunks</li> <li> <strong>Confidence scoring</strong> — filter low-relevance retrievals (cosine similarity &lt; 0.7)</li> <li> <strong>Guardrails</strong> — use Bedrock Guardrails to block off-topic responses</li> </ol> <h2> Open Source Modules </h2> <ul> <li> <a href="https://github.com/kogunlowo123/terraform-aws-rag-pipeline" rel="noopener noreferrer">terraform-aws-rag-pipeline</a> — Complete RAG infrastructure</li> <li> <a href="https://github.com/kogunlowo123/terraform-aws-bedrock-platform" rel="noopener noreferrer">terraform-aws-bedrock-platform</a> — Bedrock foundation</li> <li> <a href="https://github.com/kogunlowo123/terraform-aws-bedrock-agents" rel="noopener noreferrer">terraform-aws-bedrock-agents</a> — Autonomous Bedrock agents</li> </ul> <p>Full article with architecture diagrams: <a href="https://kogunlowo123.github.io/blog/production-rag-pipelines-aws.html" rel="noopener noreferrer">kogunlowo123.github.io</a></p> <p><em>Kehinde Ogunlowo — Principal Multi-Cloud DevSecOps Architect at <a href="https://citadelcloudmanagement.com" rel="noopener noreferrer">Citadel Cloud Management</a></em></p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> </code></pre> </div> ai aws python machinelearning # Building a Production-Ready AWS VPC with Terraform: Multi-Tier Subnets, NAT Gateways, and VPC Endpoints Kehinde Ogunlowo Sat, 07 Mar 2026 21:20:40 +0000 https://forem.com/kogunlowo123/-building-a-production-ready-aws-vpc-with-terraform-multi-tier-subnets-nat-gateways-and-vpc-49bo https://forem.com/kogunlowo123/-building-a-production-ready-aws-vpc-with-terraform-multi-tier-subnets-nat-gateways-and-vpc-49bo <p>A network topology diagram showing a multi-tier VPC with public, private, database, cache, and management subnets across three availability zones, with NAT gateways and VPC endpoints illustrated.</p> <p>If you've ever inherited an AWS account where everything lives in the default VPC, you know the pain. Security groups used as the only network boundary. No flow logs. Public IP addresses on database instances. It's the kind of setup that keeps security teams awake at night.</p> <p>A well-architected VPC is the foundation of everything you build on AWS. Get it wrong, and you're retrofitting network isolation into a running production system — one of the least enjoyable exercises in cloud engineering.</p> <p>In this article, I'll walk through a production-grade VPC architecture using Terraform, based on a module I've been refining across multiple enterprise deployments. The full module is available at <a href="https://github.com/kogunlowo123/terraform-aws-vpc-complete" rel="noopener noreferrer">terraform-aws-vpc-complete</a>.</p> <h2> Why VPC Architecture Matters More Than You Think </h2> <p>Most teams start with a simple public/private subnet split and call it a day. That works for a proof of concept, but production workloads demand more:</p> <ul> <li> <strong>Regulatory compliance</strong> often requires network-level isolation between application tiers</li> <li> <strong>Cost optimization</strong> depends on keeping traffic within the AWS network via VPC endpoints</li> <li> <strong>Blast radius reduction</strong> means a compromised web server shouldn't have a network path to your database</li> <li> <strong>Operational visibility</strong> requires flow logs that actually capture meaningful traffic patterns</li> </ul> <p>Let's build something that addresses all of these.</p> <h2> The 5-Tier Subnet Strategy </h2> <p>Instead of the typical two-tier model, I use five distinct subnet tiers:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tier</th> <th>Purpose</th> <th>Internet Access</th> <th>Example Workloads</th> </tr> </thead> <tbody> <tr> <td><strong>Public</strong></td> <td>Internet-facing resources</td> <td>Direct (IGW)</td> <td>ALBs, NAT Gateways, Bastion hosts</td> </tr> <tr> <td><strong>Application</strong></td> <td>Compute workloads</td> <td>Outbound via NAT</td> <td>ECS tasks, EC2 instances, Lambda</td> </tr> <tr> <td><strong>Data</strong></td> <td>Databases and storage</td> <td>None</td> <td>RDS, ElastiCache, OpenSearch</td> </tr> <tr> <td><strong>Cache</strong></td> <td>In-memory data stores</td> <td>None</td> <td>Redis clusters, Memcached</td> </tr> <tr> <td><strong>Management</strong></td> <td>Ops and monitoring tools</td> <td>Outbound via NAT</td> <td>Jenkins, Prometheus, VPN endpoints</td> </tr> </tbody> </table></div> <p>Each tier gets its own subnet in every availability zone, its own route table, and its own set of network ACLs.</p> <h3> Defining the Network Layout </h3> <p>Here's how the module structures the CIDR allocation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"github.com/kogunlowo123/terraform-aws-vpc-complete"</span> <span class="nx">vpc_name</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">azs</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eu-west-1a"</span><span class="p">,</span> <span class="s2">"eu-west-1b"</span><span class="p">,</span> <span class="s2">"eu-west-1c"</span><span class="p">]</span> <span class="c1"># 5-tier subnet strategy</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.1.0/24"</span><span class="p">,</span> <span class="s2">"10.0.2.0/24"</span><span class="p">,</span> <span class="s2">"10.0.3.0/24"</span><span class="p">]</span> <span class="nx">application_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.10.0/24"</span><span class="p">,</span> <span class="s2">"10.0.11.0/24"</span><span class="p">,</span> <span class="s2">"10.0.12.0/24"</span><span class="p">]</span> <span class="nx">data_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.20.0/24"</span><span class="p">,</span> <span class="s2">"10.0.21.0/24"</span><span class="p">,</span> <span class="s2">"10.0.22.0/24"</span><span class="p">]</span> <span class="nx">cache_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.30.0/24"</span><span class="p">,</span> <span class="s2">"10.0.31.0/24"</span><span class="p">,</span> <span class="s2">"10.0.32.0/24"</span><span class="p">]</span> <span class="nx">management_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.40.0/24"</span><span class="p">,</span> <span class="s2">"10.0.41.0/24"</span><span class="p">,</span> <span class="s2">"10.0.42.0/24"</span><span class="p">]</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># one per AZ for HA</span> <span class="nx">enable_vpn_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="s2">"core-infrastructure"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The key design decision here is the CIDR allocation. I leave gaps between tiers (<code>/24</code> blocks starting at <code>.1</code>, <code>.10</code>, <code>.20</code>, <code>.30</code>, <code>.40</code>) so there's room to add subnets later without re-addressing. In a <code>/16</code> VPC, you have 65,536 addresses — don't be stingy with the spacing.</p> <h2> NAT Gateway Strategy: Cost vs. Availability </h2> <p>NAT gateways are one of the most expensive networking components in AWS. Each one costs roughly $32/month plus data processing charges. With three AZs, that's nearly $100/month just for NAT — before any traffic flows.</p> <p>For production, I always recommend one NAT gateway per AZ:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># High-availability NAT configuration</span> <span class="nx">enable_nat_gateway</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="err">=</span> <span class="kc">false</span> <span class="nx">one_nat_gateway_per_az</span> <span class="err">=</span> <span class="kc">true</span> </code></pre> </div> <p>For development and staging environments, a single NAT gateway is acceptable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Cost-optimized NAT for non-production</span> <span class="nx">enable_nat_gateway</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="err">=</span> <span class="kc">true</span> </code></pre> </div> <p>The module handles the route table associations automatically. Each private subnet's route table points to the NAT gateway in its own AZ, so if one AZ goes down, the other AZs continue to function.</p> <h3> Route Table Isolation </h3> <p>Each subnet tier gets its own route table. This is critical — it means you can have application subnets that route through NAT while data subnets have no route to the internet at all:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"data"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">azs</span><span class="p">)</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="c1"># No default route — these subnets are fully isolated</span> <span class="c1"># Only VPC-local traffic (10.0.0.0/16) is routable</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.vpc_name}-data-${var.azs[count.index]}"</span> <span class="nx">Tier</span> <span class="p">=</span> <span class="s2">"data"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>No NAT gateway route. No internet gateway route. The database subnets literally cannot reach the internet, and the internet cannot reach them. This is defense in depth at the network layer.</p> <h2> VPC Endpoints: Keeping Traffic Private and Cheap </h2> <p>Every call to an AWS API from within your VPC traverses the NAT gateway by default. That means S3 downloads, CloudWatch metrics, ECR image pulls — all going out through NAT and incurring data processing charges.</p> <p>VPC endpoints solve this by creating private paths to AWS services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Gateway endpoints (free)</span> <span class="nx">enable_s3_endpoint</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">enable_dynamodb_endpoint</span> <span class="err">=</span> <span class="kc">true</span> <span class="c1"># Interface endpoints (cost per hour + per GB)</span> <span class="nx">enable_interface_endpoints</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">interface_endpoints</span> <span class="err">=</span> <span class="p">[</span> <span class="s2">"ecr.api"</span><span class="p">,</span> <span class="s2">"ecr.dkr"</span><span class="p">,</span> <span class="s2">"ecs"</span><span class="p">,</span> <span class="s2">"ecs-telemetry"</span><span class="p">,</span> <span class="s2">"logs"</span><span class="p">,</span> <span class="s2">"monitoring"</span><span class="p">,</span> <span class="s2">"ssm"</span><span class="p">,</span> <span class="s2">"ssmmessages"</span><span class="p">,</span> <span class="s2">"ec2messages"</span><span class="p">,</span> <span class="s2">"sts"</span><span class="p">,</span> <span class="s2">"secretsmanager"</span><span class="p">,</span> <span class="s2">"kms"</span> <span class="p">]</span> </code></pre> </div> <p><strong>Gateway endpoints</strong> (S3 and DynamoDB) are free and should always be enabled. There's no reason not to.</p> <p><strong>Interface endpoints</strong> cost about $7.20/month each (in <code>us-east-1</code>), plus $0.01/GB of data processed. The math works out in your favor when you're pulling container images from ECR multiple times a day or shipping thousands of CloudWatch metrics per minute.</p> <p>A cluster pulling 50GB of container images monthly from ECR through NAT costs roughly $2.25 in NAT data processing. The ECR interface endpoints cost $14.40/month. At scale, though — say 500GB — the NAT cost is $22.50 and the endpoint cost is still $14.40. The crossover point depends on your traffic patterns, but the security benefit of keeping traffic off the public internet is worth the cost regardless.</p> <h2> VPC Flow Logs: Visibility Into Your Network </h2> <p>Flow logs are non-negotiable in production. They capture metadata about every network flow — source, destination, ports, protocol, action (accept/reject), and byte counts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Flow log configuration</span> <span class="nx">enable_flow_logs</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">flow_log_destination_type</span> <span class="err">=</span> <span class="s2">"cloud-watch-logs"</span> <span class="nx">flow_log_retention_days</span> <span class="err">=</span> <span class="mi">90</span> <span class="nx">flow_log_cloudwatch_log_group</span> <span class="err">=</span> <span class="s2">"/vpc/production/flow-logs"</span> <span class="nx">flow_log_traffic_type</span> <span class="err">=</span> <span class="s2">"ALL"</span> <span class="c1"># capture both accepted and rejected</span> <span class="c1"># Custom log format for richer data</span> <span class="nx">flow_log_format</span> <span class="err">=</span> <span class="s2">"$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${az-id} $${sublocation-type} $${sublocation-id}"</span> </code></pre> </div> <p>I recommend shipping flow logs to CloudWatch Logs for real-time alerting and to S3 for long-term storage and analysis with Athena:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Dual destination for flow logs</span> <span class="nx">enable_flow_logs_s3</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">flow_log_s3_bucket_arn</span> <span class="err">=</span> <span class="nx">aws_s3_bucket</span><span class="err">.</span><span class="nx">flow_logs</span><span class="err">.</span><span class="nx">arn</span> <span class="nx">flow_log_s3_key_prefix</span> <span class="err">=</span> <span class="s2">"vpc-flow-logs/production"</span> </code></pre> </div> <h3> Querying Flow Logs with Athena </h3> <p>Once flow logs land in S3, you can create an Athena table and run SQL queries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Find rejected traffic to data subnets</span> <span class="k">SELECT</span> <span class="n">srcaddr</span><span class="p">,</span> <span class="n">dstaddr</span><span class="p">,</span> <span class="n">dstport</span><span class="p">,</span> <span class="n">protocol</span><span class="p">,</span> <span class="n">action</span><span class="p">,</span> <span class="k">SUM</span><span class="p">(</span><span class="n">bytes</span><span class="p">)</span> <span class="k">as</span> <span class="n">total_bytes</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">as</span> <span class="n">flow_count</span> <span class="k">FROM</span> <span class="n">vpc_flow_logs</span> <span class="k">WHERE</span> <span class="n">action</span> <span class="o">=</span> <span class="s1">'REJECT'</span> <span class="k">AND</span> <span class="n">dstaddr</span> <span class="k">LIKE</span> <span class="s1">'10.0.2%'</span> <span class="k">AND</span> <span class="nb">date</span> <span class="o">=</span> <span class="s1">'2026/03/06'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">srcaddr</span><span class="p">,</span> <span class="n">dstaddr</span><span class="p">,</span> <span class="n">dstport</span><span class="p">,</span> <span class="n">protocol</span><span class="p">,</span> <span class="n">action</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">flow_count</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">20</span><span class="p">;</span> </code></pre> </div> <p>This is how you catch misconfigured security groups, unexpected traffic patterns, and potential intrusion attempts.</p> <h2> Network ACLs: The Second Layer </h2> <p>Security groups are stateful and operate at the instance level. Network ACLs are stateless and operate at the subnet level. Using both gives you defense in depth:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Data tier NACLs - restrict to only application tier</span> <span class="nx">data_subnet_nacl_rules</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">inbound</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">rule_number</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.10.0/24"</span> <span class="c1"># app subnet AZ-a</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">rule_number</span> <span class="p">=</span> <span class="mi">101</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.11.0/24"</span> <span class="c1"># app subnet AZ-b</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">rule_number</span> <span class="p">=</span> <span class="mi">102</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.12.0/24"</span> <span class="c1"># app subnet AZ-c</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">5432</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">outbound</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">rule_number</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.10.0/0"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">1024</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">65535</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>This ensures that even if someone misconfigures a security group, the database subnets only accept PostgreSQL traffic from the application tier.</p> <h2> Tagging Strategy for Cost Allocation </h2> <p>Every subnet, route table, NAT gateway, and endpoint gets tagged consistently:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">subnet_tags</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/cluster/production"</span> <span class="p">=</span> <span class="s2">"shared"</span> <span class="p">}</span> <span class="nx">public_subnet_tags</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="nx">Tier</span> <span class="p">=</span> <span class="s2">"public"</span> <span class="p">}</span> <span class="nx">application_subnet_tags</span> <span class="err">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="nx">Tier</span> <span class="p">=</span> <span class="s2">"application"</span> <span class="p">}</span> </code></pre> </div> <p>These tags serve double duty: they enable Kubernetes auto-discovery of subnets for load balancers, and they allow cost allocation reports to break down networking costs by tier.</p> <h2> Putting It All Together </h2> <p>Here's a complete example that ties everything together:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"github.com/kogunlowo123/terraform-aws-vpc-complete"</span> <span class="nx">vpc_name</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">vpc_cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">azs</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eu-west-1a"</span><span class="p">,</span> <span class="s2">"eu-west-1b"</span><span class="p">,</span> <span class="s2">"eu-west-1c"</span><span class="p">]</span> <span class="c1"># Subnet tiers</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.1.0/24"</span><span class="p">,</span> <span class="s2">"10.0.2.0/24"</span><span class="p">,</span> <span class="s2">"10.0.3.0/24"</span><span class="p">]</span> <span class="nx">application_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.10.0/24"</span><span class="p">,</span> <span class="s2">"10.0.11.0/24"</span><span class="p">,</span> <span class="s2">"10.0.12.0/24"</span><span class="p">]</span> <span class="nx">data_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.20.0/24"</span><span class="p">,</span> <span class="s2">"10.0.21.0/24"</span><span class="p">,</span> <span class="s2">"10.0.22.0/24"</span><span class="p">]</span> <span class="nx">cache_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.30.0/24"</span><span class="p">,</span> <span class="s2">"10.0.31.0/24"</span><span class="p">,</span> <span class="s2">"10.0.32.0/24"</span><span class="p">]</span> <span class="nx">management_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.40.0/24"</span><span class="p">,</span> <span class="s2">"10.0.41.0/24"</span><span class="p">,</span> <span class="s2">"10.0.42.0/24"</span><span class="p">]</span> <span class="c1"># NAT</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">single_nat_gateway</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">one_nat_gateway_per_az</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># VPC Endpoints</span> <span class="nx">enable_s3_endpoint</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dynamodb_endpoint</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_interface_endpoints</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">interface_endpoints</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ecr.api"</span><span class="p">,</span> <span class="s2">"ecr.dkr"</span><span class="p">,</span> <span class="s2">"logs"</span><span class="p">,</span> <span class="s2">"monitoring"</span><span class="p">,</span> <span class="s2">"ssm"</span><span class="p">,</span> <span class="s2">"sts"</span><span class="p">,</span> <span class="s2">"kms"</span><span class="p">]</span> <span class="c1"># Flow Logs</span> <span class="nx">enable_flow_logs</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">flow_log_traffic_type</span> <span class="p">=</span> <span class="s2">"ALL"</span> <span class="nx">flow_log_retention_days</span> <span class="p">=</span> <span class="mi">90</span> <span class="c1"># DNS</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"terraform"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Lessons Learned </h2> <p>After deploying this pattern across dozens of AWS accounts, here are the things that consistently trip teams up:</p> <ol> <li><p><strong>Don't use /16 for everything.</strong> If you ever need VPC peering or Transit Gateway, overlapping CIDRs will block you. Plan your IP address space across all accounts upfront.</p></li> <li><p><strong>Enable flow logs from day one.</strong> Retroactively enabling them means you have no baseline to compare against when something goes wrong.</p></li> <li><p><strong>Test failover.</strong> Kill a NAT gateway and verify that the AZ-local route table doesn't send traffic to a NAT in another AZ. If it does, your route table associations are wrong.</p></li> <li><p><strong>Review VPC endpoint policies.</strong> An S3 gateway endpoint with a default policy allows access to every S3 bucket in every AWS account. Lock it down to your buckets.</p></li> <li><p><strong>Monitor NAT gateway metrics.</strong> <code>BytesOutToDestination</code> and <code>PacketsDropCount</code> will tell you when you're approaching throughput limits (45 Gbps per gateway).</p></li> </ol> <h2> Wrapping Up </h2> <p>A production VPC isn't just about creating subnets. It's about building a network foundation that enforces security boundaries, optimizes costs, and provides the visibility you need when things go wrong at 3 AM.</p> <p>The module I've walked through here is available on GitHub. Fork it, adapt it, and build on it:</p> <ul> <li> <a href="https://github.com/kogunlowo123/terraform-aws-vpc-complete" rel="noopener noreferrer">terraform-aws-vpc-complete</a> — The full VPC module with all configurations discussed in this article</li> </ul> <p>Check out my other infrastructure modules at <a href="https://github.com/kogunlowo123" rel="noopener noreferrer">github.com/kogunlowo123</a> for complementary resources covering WAF, AKS, and multi-cloud landing zones.</p> <p><em>Have questions about VPC design or want to share your own patterns? Drop a comment below — I'd love to hear how other teams approach this.</em></p> aws