AWS Amazon EC2 Route
This page shows how to write Terraform and CloudFormation for Amazon EC2 Route and write them securely.
aws_route (Terraform)
The Route in Amazon EC2 can be configured in Terraform with the resource name aws_route. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_route" "source-route-private" {
provider = aws.source
route_table_id = var.source-route_table-private-id
destination_cidr_block = data.aws_vpc.peer.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.vpc_peering_connection.id
}
resource "aws_route" "bastion_vpc_dr" {
provider = aws.us-east-1
count = length(module.dr_cluster.public_subnets)
route_table_id = module.primary_cluster.bastion_route_table
destination_cidr_block = element(module.dr_cluster.public_subnets, count.index)
vpc_peering_connection_id = aws_vpc_peering_connection.bastion_connectivity_dr.id
resource "aws_route" "public_internet_gateway_a" {
route_table_id = aws_route_table.public_table_a.id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw_a.id
timeouts {
resource "aws_route" "ngw-default-route" {
for_each = {for sd in local.subnet_data:sd.name=>sd
if sd.layer == "ngw" }
route_table_id = aws_route_table.routers[each.value.name].id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.inet-gw.id
Parameters
-
carrier_gateway_idoptional - string -
destination_cidr_blockoptional - string -
destination_ipv6_cidr_blockoptional - string -
destination_prefix_list_idoptional - string -
egress_only_gateway_idoptional - string -
gateway_idoptional - string -
idoptional computed - string -
instance_idoptional computed - string -
instance_owner_idoptional computed - string -
local_gateway_idoptional - string -
nat_gateway_idoptional - string -
network_interface_idoptional computed - string -
originoptional computed - string -
route_table_idrequired - string -
stateoptional computed - string -
transit_gateway_idoptional - string -
vpc_endpoint_idoptional - string -
vpc_peering_connection_idoptional - string -
timeoutssingle block
Explanation in Terraform Registry
Provides a resource to create a routing table entry (a route) in a VPC routing table.
NOTE on Route Tables and Routes: Terraform currently provides both a standalone Route resource and a Route Table resource with routes defined in-line. At this time you cannot use a Route Table with in-line routes in conjunction with any Route resources. Doing so will cause a conflict of rule settings and will overwrite rules. NOTE on
gateway_idattribute: The AWS API is very forgiving with the resource ID passed in thegateway_idattribute. For example anaws_routeresource can be created with anaws_nat_gatewayoraws_egress_only_internet_gatewayID specified for thegateway_idattribute. Specifying anything other than anaws_internet_gatewayoraws_vpn_gatewayID will lead to Terraform reporting a permanent diff between your configuration and recorded state, as the AWS API returns the more-specific attribute. If you are experiencing constant diffs with anaws_routeresource, the first thing to check is that the correct attribute is being specified.
Tips: Best Practices for The Other AWS Amazon EC2 Resources
In addition to the aws_default_vpc, AWS Amazon EC2 has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_default_vpc
Ensure to avoid using default VPC
It is better to define the own VPC and use it.
aws_network_acl_rule
Ensure your network ACL rule blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
aws_ebs_volume
Ensure to use a customer-managed key for EBS volume encryption
It is better to use a customer-managed key for EBS volume encryption. It can be gain more control over the encryption by using customer-managed keys (CMK).
aws_instance
Ensure to avoid storing AWS access keys in user data
It is better to avoid storing AWS access keys in user data. `aws_iam_instance_profile` could be used instead.
aws_security_group
Ensure your security group blocks unwanted inbound traffic
It is better to block unwanted inbound traffic.
AWS::EC2::Route (CloudFormation)
The Route in EC2 can be configured in CloudFormation with the resource name AWS::EC2::Route. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: myPrivateVPC
PeeringRoute1:
Type: AWS::EC2::Route
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: Vpc
Tags:
- Key: Name
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref VPC1RouteTable
DestinationCidrBlock: 10.2.0.0/16
TransitGatewayId: !Ref Region1TransitGateway
VPC1TGWRoute3:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref VPC1RouteTable
DestinationCidrBlock: 10.2.0.0/16
TransitGatewayId: !Ref Region1TransitGateway
VPC1TGWRoute3:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: ServerlessVPC
DefaultPrivateRouteA:
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Fn::ImportValue": "VPCId"},
"Tags": [
{
"Key": "Name",
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Fn::ImportValue": "VPCId"},
"Tags": [
{
"Key": "Name",
"Type": "AWS::EC2::RouteTable"
},
"rtb00404b6df41dfc37aassociation1": {
"Properties": {
"RouteTableId": {
"Ref": "rtb00404b6df41dfc37a"
"Type": "AWS::EC2::Route",
"Condition": "Peer1Vpc",
"Properties": {
"DestinationCidrBlock": { "Ref": "Peer1VpcCidr" },
"RouteTableId": { "Fn::ImportValue": { "Fn::Sub": "${DeploymentName}-InternetRouteTable" } },
"VpcPeeringConnectionId": { "Ref": "VpcPeer1" }
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : {"Ref" : "VPC"}
}
},
Parameters
-
CarrierGatewayIdoptional - String -
DestinationCidrBlockoptional - String -
DestinationIpv6CidrBlockoptional - String -
EgressOnlyInternetGatewayIdoptional - String -
GatewayIdoptional - String -
InstanceIdoptional - String -
LocalGatewayIdoptional - String -
NatGatewayIdoptional - String -
NetworkInterfaceIdoptional - String -
RouteTableIdrequired - String -
TransitGatewayIdoptional - String -
VpcEndpointIdoptional - String -
VpcPeeringConnectionIdoptional - String
Explanation in CloudFormation Registry
Specifies a route in a route table within a VPC.
You must specify either
DestinationCidrBlockorDestinationIpv6CidrBlock, plus the ID of one of the target resources.If you create a route that references a transit gateway in the same template where you create the transit gateway, you must declare a dependency on the transit gateway attachment. The route table cannot use the transit gateway until it has successfully attached to the VPC. Add a DependsOn Attribute in the
AWS::EC2::Routeresource to explicitly declare a dependency on theAWS::EC2::TransitGatewayAttachmentresource.
Frequently asked questions
What is AWS Amazon EC2 Route?
AWS Amazon EC2 Route is a resource for Amazon EC2 of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon EC2 Route?
For Terraform, the atc-labs/terraform-aws-vpc-peering, bstascavage/terraform-vault-consul-deployment and annagtaraujo/Terraform-Transit-Gateway source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the lijoyoung/cloudformation, bcx-exa/open_source_triple_continent_traditional and aobao32/transit-gateway-workshop source code examples are useful. See the CloudFormation Example section for further details.
