Configuration ReferenceΒΆ
Configuration File StructureΒΆ
Table of ContentsΒΆ
The VPC Provisioner uses a YAML configuration file with three main sections:
client:
company_name: Edge Corp
company_prefix: edge
account_id: "123456789012"
tenant_id: "b001"
environment:
env: prod
region: us-west-2
vpc:
vpc_name_override: ""
cidr_block: 10.0.0.0/16
availability_zones:
- us-west-2a
- us-west-2b
subnets:
public:
- name: public-subnet-1
cidr: 10.0.1.0/24
az: us-west-2a
- name: public-subnet-2
cidr: 10.0.2.0/24
az: us-west-2b
private:
- name: private-app-subnet-1
cidr: 10.0.11.0/24
az: us-west-2a
- name: private-app-subnet-2
cidr: 10.0.12.0/24
az: us-west-2b
- name: private-ml-subnet-1
cidr: 10.0.13.0/24
az: us-west-2a
database:
- name: database-subnet-1
cidr: 10.0.21.0/26
az: us-west-2a
- name: database-subnet-2
cidr: 10.0.22.0/26
az: us-west-2b
internet_gateway:
enabled: true
nat_gateway:
enabled: true
high_availability: true
tags:
cost_center: Engineering
project: ML-Platform
owner: devops-team
Section 1: Client ConfigurationΒΆ
company_nameΒΆ
Type: string
Required: Yes
Description: Full company name
Example:
Edge Corp,Acme Corporation
company_prefixΒΆ
Type: string
Required: Yes
Description: Short company identifier (lowercase, no spaces)
Constraints: Used in VPC naming
Example:
edge,acme
account_idΒΆ
Type: string (quoted)
Required: Yes
Description: 12-digit AWS account ID
Format: Must be quoted to preserve leading zeros
Example:
"123456789012"
tenant_idΒΆ
Type: string (quoted)
Required: Yes
Description: Human-readable account identifier
Format: Must be quoted to preserve leading zeros
Example:
"b001"
Section 2: Environment ConfigurationΒΆ
envΒΆ
Type: string
Required: Yes
Description: Environment name
Valid Values:
prod,dev,test,stagingExample:
prod
regionΒΆ
Type: string
Required: Yes
Description: AWS region for VPC
Valid Values: Any valid AWS region (us-east-1, us-west-2, eu-west-1, etc.)
Example:
us-west-2
Section 3: VPC ConfigurationΒΆ
vpc_name_overrideΒΆ
Type: string
Required: No (can be empty)
Default: Auto-generated from client/environment values
Description: Override auto-generated VPC name
Format: Alphanumeric and hyphens only
vpc:
vpc_name_override: "" # Use auto-generated name
# OR
vpc_name_override: "my-custom-vpc-name"
cidr_blockΒΆ
Type: string
Required: Yes
Description: VPC IPv4 CIDR block
Valid Range: /16 to /28
Format: x.x.x.x/y
Recommended: Use RFC 1918 private ranges
# Valid
vpc:
cidr_block: 10.0.0.0/16 # 65,536 IPs
cidr_block: 172.16.0.0/16 # 65,536 IPs
cidr_block: 192.168.0.0/16 # 65,536 IPs
# Invalid
vpc:
cidr_block: 10.0.0.0/8 # Too large
cidr_block: 10.0.0.0/29 # Too small
availability_zonesΒΆ
Type: array of strings
Required: Yes
Description: List of availability zones for subnet placement
Format: {region}{letter}
vpc:
availability_zones:
- us-west-2a
- us-west-2b
- us-west-2c
subnetsΒΆ
Type: object with nested arrays
Required: Yes (at least one subnet type)
Description: Subnet configurations organized by type
Types:
public,private,database
vpc:
subnets:
public: # Public subnets (internet-facing)
- name: public-subnet-1
cidr: 10.0.1.0/24
az: us-west-2a
private: # Private subnets (application tier)
- name: private-app-subnet-1
cidr: 10.0.11.0/24
az: us-west-2a
database: # Database subnets (isolated tier)
- name: database-subnet-1
cidr: 10.0.21.0/26
az: us-west-2a
Subnet ParametersΒΆ
name
Type: string
Required: Yes
Description: Subnet identifier
Example:
public-subnet-1,private-app-subnet-1
cidr
Type: string
Required: Yes
Description: Subnet IPv4 CIDR block
Constraints: Must be within VPC CIDR, /16 to /28
Note: AWS reserves 5 IPs per subnet
# VPC: 10.0.0.0/16
# Valid subnets:
cidr: 10.0.1.0/24 # 251 usable IPs
cidr: 10.0.2.0/24 # 251 usable IPs
# Invalid (outside VPC CIDR):
cidr: 192.168.1.0/24
az
Type: string
Required: Yes
Description: Availability zone for subnet
Format: Must match one of the AZs in
availability_zoneslist
az: us-west-2a
az: us-west-2b
internet_gatewayΒΆ
Type: object
Required: Yes
Description: Internet Gateway configuration
vpc:
internet_gateway:
enabled: true # Create Internet Gateway
# OR
enabled: false # No Internet Gateway
enabled
Type: boolean
Required: Yes
Description: Enable Internet Gateway for public subnet internet access
Note: Required if you have public subnets
nat_gatewayΒΆ
Type: object
Required: Yes
Description: NAT Gateway configuration for private subnet internet access
vpc:
nat_gateway:
enabled: true # Create NAT Gateway(s)
high_availability: true # NAT Gateway in each AZ
# OR
enabled: false # No NAT Gateway
enabled
Type: boolean
Required: Yes
Description: Enable NAT Gateway for private subnet outbound internet access
high_availability
Type: boolean
Required: Yes (if enabled is true)
Description: Create NAT Gateway in each availability zone
Cost Impact: Multiple NAT Gateways increase cost but provide redundancy
High Availability Options:
# Single NAT Gateway (lower cost, single point of failure)
nat_gateway:
enabled: true
high_availability: false
# Multiple NAT Gateways (higher cost, no single point of failure)
nat_gateway:
enabled: true
high_availability: true
Traffic Assumptions FileΒΆ
The cost-traffic action generates a traffic assumptions YAML file used by cost-estimate to calculate usage-based costs. This file is saved in the configs/ directory.
File NamingΒΆ
<vpc-name>-traffic.yaml
Example: edge-prod-b001-us-west-2-vpc-traffic.yaml
File StructureΒΆ
# Auto-generated traffic assumptions for cost estimation
# Edit values to match your expected monthly usage
# All traffic values are in GB per month
traffic:
NATGateway2A:
type: AWS::EC2::NatGateway
data_gb_per_month: 100
NATGateway2B:
type: AWS::EC2::NatGateway
data_gb_per_month: 100
ParametersΒΆ
type
Type: string
Generated: Yes (do not modify)
Description: CloudFormation resource type
data_gb_per_month
Type: integer
Generated: Yes (with defaults)
Description: Expected monthly data transfer in GB
Default: 100 GB for NAT Gateways, 50 GB for VPC Endpoints
Action: Edit this value to match your expected usage
UsageΒΆ
Run
cost-trafficto generate the file with defaultsEdit
data_gb_per_monthvalues to reflect your expected trafficRun
cost-estimateto calculate costs based on your assumptionsRe-edit and re-run to model different scenarios
Complete Configuration ExamplesΒΆ
Example 1: Simple Public VPCΒΆ
Single public subnet for simple applications:
client:
company_name: Edge Corp
company_prefix: edge
account_id: "123456789012"
tenant_id: "b001"
environment:
env: dev
region: us-west-2
vpc:
vpc_name_override: ""
cidr_block: 10.0.0.0/16
availability_zones:
- us-west-2a
subnets:
public:
- name: public-subnet-1
cidr: 10.0.1.0/24
az: us-west-2a
internet_gateway:
enabled: true
nat_gateway:
enabled: false
tags:
cost_center: Engineering
project: Development
Result: Simple VPC with one public subnet and Internet Gateway.
Example 2: Public-Private VPCΒΆ
Public subnet for web tier, private subnet for app tier:
client:
company_name: Edge Corp
company_prefix: edge
account_id: "123456789012"
tenant_id: "b001"
environment:
env: staging
region: us-west-2
vpc:
vpc_name_override: ""
cidr_block: 10.0.0.0/16
availability_zones:
- us-west-2a
subnets:
public:
- name: public-web-subnet-1
cidr: 10.0.1.0/24
az: us-west-2a
private:
- name: private-app-subnet-1
cidr: 10.0.11.0/24
az: us-west-2a
internet_gateway:
enabled: true
nat_gateway:
enabled: true
high_availability: false
tags:
cost_center: Engineering
project: Staging-Environment
Result: VPC with public and private subnets, single NAT Gateway.
Example 3: 3-Tier Architecture (Recommended)ΒΆ
Public, private, and database tiers with high availability:
client:
company_name: Edge Corp
company_prefix: edge
account_id: "123456789012"
tenant_id: "b001"
environment:
env: prod
region: us-west-2
vpc:
vpc_name_override: ""
cidr_block: 10.0.0.0/16
availability_zones:
- us-west-2a
- us-west-2b
subnets:
public:
- name: public-subnet-1
cidr: 10.0.1.0/24
az: us-west-2a
- name: public-subnet-2
cidr: 10.0.2.0/24
az: us-west-2b
private:
- name: private-app-subnet-1
cidr: 10.0.11.0/24
az: us-west-2a
- name: private-app-subnet-2
cidr: 10.0.12.0/24
az: us-west-2b
- name: private-ml-subnet-1
cidr: 10.0.13.0/24
az: us-west-2a
database:
- name: database-subnet-1
cidr: 10.0.21.0/26
az: us-west-2a
- name: database-subnet-2
cidr: 10.0.22.0/26
az: us-west-2b
internet_gateway:
enabled: true
nat_gateway:
enabled: true
high_availability: true
tags:
cost_center: Engineering
project: ML-Platform
owner: devops-team
compliance: required
Result: Production-ready 3-tier VPC with high availability across 2 AZs.
Example 4: Multi-AZ High AvailabilityΒΆ
Maximum redundancy across 3 availability zones:
client:
company_name: Edge Corp
company_prefix: edge
account_id: "123456789012"
tenant_id: "b001"
environment:
env: prod
region: us-east-1
vpc:
vpc_name_override: ""
cidr_block: 10.0.0.0/16
availability_zones:
- us-east-1a
- us-east-1b
- us-east-1c
subnets:
public:
- name: public-subnet-1a
cidr: 10.0.1.0/24
az: us-east-1a
- name: public-subnet-1b
cidr: 10.0.2.0/24
az: us-east-1b
- name: public-subnet-1c
cidr: 10.0.3.0/24
az: us-east-1c
private:
- name: private-subnet-1a
cidr: 10.0.11.0/24
az: us-east-1a
- name: private-subnet-1b
cidr: 10.0.12.0/24
az: us-east-1b
- name: private-subnet-1c
cidr: 10.0.13.0/24
az: us-east-1c
database:
- name: database-subnet-1a
cidr: 10.0.21.0/26
az: us-east-1a
- name: database-subnet-1b
cidr: 10.0.22.0/26
az: us-east-1b
- name: database-subnet-1c
cidr: 10.0.23.0/26
az: us-east-1c
internet_gateway:
enabled: true
nat_gateway:
enabled: true
high_availability: true
tags:
cost_center: Engineering
project: Critical-Infrastructure
high_availability: true
Result: Maximum redundancy with resources in 3 AZs, 3 NAT Gateways.
VPC Naming ConventionΒΆ
When vpc_name_override is empty, the tool auto-generates VPC names using this pattern:
{company_prefix}-{env}-{tenant_id}-{region}
Examples:
edge-prod-b001-us-west-2acme-dev-100000000002-us-east-1tech-staging-100000000003-eu-west-1
CIDR Planning GuideΒΆ
VPC CIDR BlocksΒΆ
Size |
CIDR |
Total IPs |
Usable IPs |
Use Case |
|---|---|---|---|---|
/16 |
x.x.0.0/16 |
65,536 |
65,536 |
Large production |
/20 |
x.x.0.0/20 |
4,096 |
4,096 |
Medium production |
/24 |
x.x.x.0/24 |
256 |
256 |
Small/dev |
/28 |
x.x.x.x/28 |
16 |
16 |
Minimal/test |
Subnet CIDR BlocksΒΆ
Size |
CIDR |
Total IPs |
Usable IPs* |
Use Case |
|---|---|---|---|---|
/24 |
x.x.x.0/24 |
256 |
251 |
Standard subnet |
/25 |
x.x.x.0/25 |
128 |
123 |
Small subnet |
/26 |
x.x.x.0/26 |
64 |
59 |
Micro subnet |
/28 |
x.x.x.x/28 |
16 |
11 |
Minimal subnet |
*AWS reserves 5 IPs per subnet:
.0: Network address
.1: VPC router
.2: DNS server
.3: Future use
.255: Broadcast address
CIDR Planning ExampleΒΆ
# VPC: 10.0.0.0/16 (65,536 IPs)
# Public Subnets (256 IPs each, 251 usable)
# 10.0.1.0/24 - public-subnet-1a
# 10.0.2.0/24 - public-subnet-1b
# 10.0.3.0/24 - public-subnet-1c
# Private Subnets (256 IPs each, 251 usable)
# 10.0.11.0/24 - private-app-subnet-1a
# 10.0.12.0/24 - private-app-subnet-1b
# 10.0.13.0/24 - private-ml-subnet-1a
# Database Subnets (64 IPs each, 59 usable)
# 10.0.21.0/26 - database-subnet-1a
# 10.0.22.0/26 - database-subnet-1b
# Reserved for future expansion
# 10.0.30.0/24 - 10.0.255.0/24
Configuration Validation RulesΒΆ
VPC CIDRΒΆ
Must be valid IPv4 CIDR block
Size between /16 and /28
Cannot overlap with existing VPCs (if peering planned)
Recommended: Use RFC 1918 private ranges
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Subnet CIDRΒΆ
Must be within VPC CIDR range
Cannot overlap with other subnets
Size between /16 and /28
AWS reserves 5 IPs per subnet
Availability ZonesΒΆ
Must be valid AZs for the specified region
Subnet AZs must be in the
availability_zoneslistRecommended: Use at least 2 AZs for high availability
NAT GatewayΒΆ
Requires
internet_gateway.enabled: trueRequires at least one public subnet
high_availability: truecreates NAT Gateway in each AZ
Configuration Best PracticesΒΆ
1. Plan CIDR Blocks CarefullyΒΆ
Cannot be changed after VPC creation
Leave room for future subnet expansion
Avoid overlapping with other VPCs or on-premises networks
2. Use Multiple Availability ZonesΒΆ
Minimum 2 AZs for production
3 AZs for critical workloads
Distribute subnets evenly across AZs
3. Separate Subnet TiersΒΆ
Public subnets: Internet-facing resources (load balancers, bastion hosts)
Private subnets: Application servers, compute resources
Database subnets: Isolated database instances
4. Enable High Availability NATΒΆ
nat_gateway:
enabled: true
high_availability: true # Production recommendation
5. Tag All ResourcesΒΆ
tags:
Environment: production
CostCenter: Engineering
Project: ML-Platform
Owner: devops-team
ManagedBy: vpc-provisioner
6. Use Descriptive NamesΒΆ
subnets:
public:
- name: public-web-subnet-1a # Clear purpose and AZ
7. Version Control ConfigurationsΒΆ
Store configs in Git
Tag releases for production deployments
Document manual changes
8. Test in Dev FirstΒΆ
environment:
env: dev # Test here first
9. Review Generated TemplatesΒΆ
Always review CloudFormation templates before deployment.
10. Document ArchitectureΒΆ
Maintain architecture diagrams showing subnet layout and routing.
Troubleshooting Configuration IssuesΒΆ
Issue: Invalid CIDR blockΒΆ
Error: Invalid CIDR block format
Solution:
# β Wrong
vpc:
cidr_block: 10.0.0.0/8 # Too large
# β
Correct
vpc:
cidr_block: 10.0.0.0/16
Issue: Subnet CIDR not within VPC CIDRΒΆ
Error: Subnet CIDR must be within VPC CIDR
Solution:
# VPC: 10.0.0.0/16
# β Wrong
subnets:
public:
- cidr: 192.168.1.0/24 # Outside VPC CIDR
# β
Correct
subnets:
public:
- cidr: 10.0.1.0/24 # Within VPC CIDR
Issue: Overlapping subnet CIDRsΒΆ
Error: Subnet CIDRs cannot overlap
Solution:
# β Wrong
subnets:
public:
- cidr: 10.0.1.0/24
private:
- cidr: 10.0.1.0/24 # Overlaps with public
# β
Correct
subnets:
public:
- cidr: 10.0.1.0/24
private:
- cidr: 10.0.11.0/24 # No overlap
Issue: Invalid availability zoneΒΆ
Error: Availability zone not in list
Solution:
# β Wrong
vpc:
availability_zones:
- us-west-2a
subnets:
public:
- az: us-west-2c # Not in AZ list
# β
Correct
vpc:
availability_zones:
- us-west-2a
- us-west-2c
subnets:
public:
- az: us-west-2c # In AZ list
Issue: Account ID not quotedΒΆ
Error: Account ID lost leading zeros
Solution:
# β Wrong
client:
account_id: 123456789012
# β
Correct
client:
account_id: "123456789012"
Additional ResourcesΒΆ
User Guide - Complete command reference
IAM Permissions - Required AWS permissions
Troubleshooting - Common issues and solutions
Support - Getting help
AWS VPC Documentation: https://docs.aws.amazon.com/vpc/