VPC & Networking
Two non-overlapping /16 VPCs — shared-services (10.0.0.0/16) and dev (10.1.0.0/16) — connected via VPC peering and Tailscale mesh for cross-account access.
VPC Summary
| VPC | CIDR | Account | NAT Strategy | AZs |
|---|---|---|---|---|
| cwiq-shared-vpc | 10.0.0.0/16 | shared-services (308188966547) | HA — 2 NAT Gateways | us-west-2a, us-west-2b |
| cwiq-dev-vpc | 10.1.0.0/16 | dev (686123185567) | Single NAT (cost saving) | us-west-2a, us-west-2b |
Both VPCs have:
- Internet Gateway for public subnet egress
- S3 and DynamoDB gateway endpoints (free, avoids NAT charges)
- DNS hostnames and DNS resolution enabled
Shared-Services Subnet Allocation (10.0.0.0/16)
| Category | Subnet Name | CIDR | AZ | IPs | Purpose |
|---|---|---|---|---|---|
| Public | public-1a | 10.0.1.0/24 | us-west-2a | 254 | ALB, NAT Gateway |
| Public | public-1b | 10.0.2.0/24 | us-west-2b | 254 | ALB, NAT Gateway |
| Private | iac-tools-1a | 10.0.10.0/26 | us-west-2a | 62 | Ansible, Terraform, SonarQube, DefectDojo |
| Private | iac-tools-1b | 10.0.10.64/26 | us-west-2b | 62 | GitLab, additional IaC tools |
| Private | ai-infra-1a | 10.0.10.128/26 | us-west-2a | 62 | AI Infrastructure Manager |
| Private | ai-infra-1b | 10.0.10.192/26 | us-west-2b | 62 | AI Infrastructure Manager |
| Private | authentik-1a | 10.0.11.0/25 | us-west-2a | 126 | Authentik SSO instance 1 |
| Private | authentik-1b | 10.0.11.128/25 | us-west-2b | 126 | Authentik SSO instance 2 |
| Private | vpn-access-1a | 10.0.12.0/26 | us-west-2a | 62 | Tailscale subnet router |
| Private | vpn-access-1b | 10.0.12.64/26 | us-west-2b | 62 | Tailscale subnet router (secondary) |
| Private | containers-1a | 10.0.13.0/24 | us-west-2a | 254 | Container reserved (future ECS/EKS) |
| Private | containers-1b | 10.0.14.0/24 | us-west-2b | 254 | Container reserved (future ECS/EKS) |
| Data | data-db-1a | 10.0.3.0/26 | us-west-2a | 62 | RDS databases |
| Data | data-db-1b | 10.0.4.0/26 | us-west-2b | 62 | RDS databases |
| Data | data-cache-1a | 10.0.3.64/26 | us-west-2a | 62 | ElastiCache |
| Data | data-cache-1b | 10.0.4.64/26 | us-west-2b | 62 | ElastiCache |
Quick map:
10.0.1-2.x → Public (ALB / NAT)
10.0.10.x → IaC Tools, AI Infra, SonarQube, DefectDojo
10.0.11.x → Authentik SSO (HA pair: .28, .226)
10.0.12.x → Tailscale subnet router
10.0.13-14.x → Container reserved
10.0.3-4.x → Data layer (RDS, ElastiCache)
Dev Subnet Allocation (10.1.0.0/16)
| Category | Subnet Name | CIDR | AZ | IPs | Purpose |
|---|---|---|---|---|---|
| Public | public-1a | 10.1.17.0/24 | us-west-2a | 254 | ALB, NAT Gateway |
| Public | public-1b | 10.1.18.0/24 | us-west-2b | 254 | ALB (secondary AZ) |
| Private | main-website-1a | 10.1.32.0/26 | us-west-2a | 62 | cwiq.io website (planned) |
| Private | main-website-1b | 10.1.32.64/26 | us-west-2b | 62 | cwiq.io website |
| Private | gitlab-1a | 10.1.34.0/24 | us-west-2a | 254 | EKS runner pods, Demo server |
| Private | gitlab-1b | 10.1.35.0/24 | us-west-2b | 254 | Orchestrator DEV, Identity-DB, EKS runner pods |
| Private | internal-tools-1a | 10.1.36.0/25 | us-west-2a | 126 | Internal tools |
| Private | internal-tools-1b | 10.1.36.128/25 | us-west-2b | 126 | Internal tools |
| Private | observability-1a | 10.1.38.0/24 | us-west-2a | 254 | LangFuse |
| Private | observability-1b | 10.1.39.0/24 | us-west-2b | 254 | Observability (reserved) |
| Private | vpn-access-1a | 10.1.40.0/26 | us-west-2a | 62 | Tailscale subnet router |
| Private | vpn-access-1b | 10.1.40.64/26 | us-west-2b | 62 | Tailscale subnet router (secondary) |
| Container | data-processing-1a | 10.1.64.0/20 | us-west-2a | ~4,096 | Data processing workloads |
| Container | data-processing-1b | 10.1.80.0/20 | us-west-2b | ~4,096 | Data processing workloads |
| Container | containers-1a | 10.1.96.0/21 | us-west-2a | ~2,048 | EKS node pods (VPC CNI) |
| Container | containers-1b | 10.1.104.0/21 | us-west-2b | ~2,048 | EKS node pods (VPC CNI) |
| Data | data-db-1a | 10.1.20.0/26 | us-west-2a | 62 | RDS databases |
| Data | data-db-1b | 10.1.21.0/26 | us-west-2b | 62 | RDS databases |
| Data | data-cache-1a | 10.1.20.64/26 | us-west-2a | 62 | ElastiCache |
| Data | data-cache-1b | 10.1.21.64/26 | us-west-2b | 62 | ElastiCache |
Quick map:
10.1.17-18.x → Public (ALB / NAT)
10.1.32.x → Main website (planned)
10.1.34-35.x → GitLab subnets: EKS pods, Demo (34.248), Orchestrator (35.46), Identity-DB (35.190)
10.1.36.x → Internal tools
10.1.38-39.x → Observability / LangFuse (38.95)
10.1.40.x → Tailscale subnet router
10.1.64-95.x → Data processing (large container pools)
10.1.96-111.x → EKS container reserved
10.1.20-21.x → Data layer (RDS, ElastiCache)
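A plan like the two tables above is easy to break when a subnet is added by hand, so the following added example (editor's code, not part of the cwiq docs) validates both allocations with Python's ipaddress module: every subnet must sit inside its VPC block, no two subnets in a VPC may overlap, and the two VPC blocks must not overlap each other (a precondition for VPC peering). One caveat the tables do not show: the IPs column uses the conventional 2^n - 2 count, while AWS reserves five addresses per subnet, so a /24 actually yields 251 usable hosts.

```python
import ipaddress

# Subnet plans copied from the two allocation tables above; VPC CIDRs from the summary.
PLANS = {
    "10.0.0.0/16": [  # cwiq-shared-vpc
        "10.0.1.0/24", "10.0.2.0/24", "10.0.10.0/26", "10.0.10.64/26",
        "10.0.10.128/26", "10.0.10.192/26", "10.0.11.0/25", "10.0.11.128/25",
        "10.0.12.0/26", "10.0.12.64/26", "10.0.13.0/24", "10.0.14.0/24",
        "10.0.3.0/26", "10.0.4.0/26", "10.0.3.64/26", "10.0.4.64/26",
    ],
    "10.1.0.0/16": [  # cwiq-dev-vpc
        "10.1.17.0/24", "10.1.18.0/24", "10.1.32.0/26", "10.1.32.64/26",
        "10.1.34.0/24", "10.1.35.0/24", "10.1.36.0/25", "10.1.36.128/25",
        "10.1.38.0/24", "10.1.39.0/24", "10.1.40.0/26", "10.1.40.64/26",
        "10.1.64.0/20", "10.1.80.0/20", "10.1.96.0/21", "10.1.104.0/21",
        "10.1.20.0/26", "10.1.21.0/26", "10.1.20.64/26", "10.1.21.64/26",
    ],
}


def validate_plan(vpc_cidr, subnet_cidrs):
    """Return problems: subnets outside the VPC block, or overlapping each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = [f"{n} is outside {vpc}" for n in nets if not n.subnet_of(vpc)]
    for i, a in enumerate(nets):
        problems += [f"{a} overlaps {b}" for b in nets[i + 1:] if a.overlaps(b)]
    return problems


def validate_all(plans):
    """Check each VPC's plan and that VPC blocks do not overlap (required for peering)."""
    problems = []
    for vpc_cidr, subnets in plans.items():
        problems += validate_plan(vpc_cidr, subnets)
    vpcs = [ipaddress.ip_network(c) for c in plans]
    for i, a in enumerate(vpcs):
        problems += [f"VPC {a} overlaps VPC {b}" for b in vpcs[i + 1:] if a.overlaps(b)]
    return problems


def usable_hosts(cidr):
    """AWS reserves the first four and the last address of every subnet, so the
    usable count is 2^(32-prefix) - 5, not the conventional - 2 used in the tables."""
    return ipaddress.ip_network(cidr).num_addresses - 5


if __name__ == "__main__":
    print(validate_all(PLANS) or "plan OK")
    print(usable_hosts("10.0.1.0/24"))  # 251
```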
VPC Peering
| Attribute | Value |
|---|---|
| Peering Connection ID | pcx-0535aabbb2629e915 |
| Direction | Bidirectional |
| Shared-Services CIDR | 10.0.0.0/16 |
| Dev CIDR | 10.1.0.0/16 |
VPC peering enables EKS runner pods (which have VPC CNI IPs in 10.1.34.x/10.1.35.x) to reach shared-services resources such as SonarQube (10.0.10.8) and Nexus via private IPs — because pods cannot use Tailscale.
EKS pods cannot use Tailscale
GitLab runner pods run in the EKS cluster with VPC CNI IPs. They have no Tailscale connectivity. Any deploy-dev job or service that must reach the dev server MUST use the VPC private IP (10.1.35.46), not the Tailscale IP or hostname.
See EKS Cluster for details.
Data Subnet Isolation
Data subnets (10.0.3-4.x, 10.1.20-21.x) have no route to the internet. Their route tables contain only local VPC routes. This prevents databases from making outbound connections and blocks data exfiltration paths.
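Both the isolation guarantee above and the peering route from the previous section are route-table facts, so they can be checked rather than assumed. The following added example (editor's code, not from the cwiq docs) audits route-table records for the shared-services VPC: any data-layer subnet with a route beyond the VPC-local route is a finding, and a helper confirms a table sends 10.1.0.0/16 through the documented peering connection. The records are constructed here in the shape of describe-route-tables output; the "Subnets" field is an assumption that stands in for the subnet CIDRs you would resolve from each table's associations.

```python
import ipaddress

DATA_LAYER = ["10.0.3.0/24", "10.0.4.0/24"]   # 10.0.3-4.x per the quick map above
PEER_CIDR = "10.1.0.0/16"                      # dev VPC block
PEERING_ID = "pcx-0535aabbb2629e915"           # from the VPC Peering table

# Constructed records in the shape of `aws ec2 describe-route-tables` output;
# "Subnets" (an assumption) holds the CIDRs of the subnets associated with each table.
ROUTE_TABLES = [
    {"Name": "rt-data", "Subnets": ["10.0.3.0/26", "10.0.4.0/26"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"Name": "rt-private", "Subnets": ["10.0.10.0/26", "10.0.11.0/25"],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"},
                {"DestinationCidrBlock": PEER_CIDR, "VpcPeeringConnectionId": PEERING_ID}]},
    {"Name": "rt-data-drift", "Subnets": ["10.0.3.64/26"],  # misconfigured on purpose
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
]

def is_data_subnet(cidr):
    """True if the subnet lies inside one of the data-layer blocks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(d)) for d in DATA_LAYER)

def non_local_routes(rt):
    """Every route except the VPC-local one. S3/DynamoDB gateway-endpoint routes
    (DestinationPrefixListId) would be returned too; data tables are documented as local-only."""
    return [r for r in rt["Routes"] if r.get("GatewayId") != "local"]

def has_peering_route(rt):
    """True if the table sends the dev VPC block through the peering connection."""
    return any(r.get("DestinationCidrBlock") == PEER_CIDR
               and r.get("VpcPeeringConnectionId") == PEERING_ID for r in rt["Routes"])

def audit_data_isolation(route_tables):
    """One finding per route table whose data subnets can reach anything beyond the VPC."""
    findings = []
    for rt in route_tables:
        data = [s for s in rt["Subnets"] if is_data_subnet(s)]
        leaks = non_local_routes(rt)
        if data and leaks:
            dests = ", ".join(r.get("DestinationCidrBlock") or r.get("DestinationPrefixListId", "?")
                              for r in leaks)
            findings.append(f"{rt['Name']}: {data} can reach {dests}")
    return findings
```

In a live account the same functions run over `aws ec2 describe-route-tables` output once the subnet CIDRs are resolved from each table's associations.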
VPC Endpoints (Free)
Both VPCs have gateway endpoints for:
- S3 — EC2 instances access S3 (artifacts, state, backups) without traversing NAT Gateway
- DynamoDB — avoids NAT charges for any DynamoDB usage
Related Pages
- NAT Gateway — HA vs single NAT strategy and costs
- Security Groups — Firewall rules per service
- Tailscale Overview — Cross-VPC mesh connectivity
- EKS Cluster — VPC CNI pod networking