--- name: creating-production-vpc-multi-az description: Creates a production-ready VPC with public and private subnets across multiple Availability Zones, including internet gateway, NAT gateways, route tables, and security groups following AWS Well-Architected principles. Use when deploying multi-AZ VPC infrastructure with automatic CIDR planning and DNS resolution. version: 1 --- # Creating a Production-Ready VPC Across Multiple Availability Zones ## Overview Domain expertise for creating production-ready VPC infrastructure distributed across multiple Availability Zones. Covers VPC creation with DNS support, public and private subnet layout with automatic CIDR calculation, internet gateway, NAT gateways for high-availability outbound access, route table configuration, and tiered security groups following AWS Well-Architected principles. ## Create a production VPC To create a fully configured multi-AZ VPC with public/private subnets, NAT gateways, route tables, and security groups, follow the procedure exactly. See [Production VPC creation procedure](references/create-production-vpc-multi-az.md). Key parameters: - `vpc_name` (required): Name prefix for all resources - `region` (required): Target AWS region - `allowed_web_cidrs` (required): CIDR blocks allowed for web access — allow 0.0.0.0/0 only if explicitly requested - `vpc_cidr` (optional, default `10.0.0.0/16`): VPC CIDR block - `availability_zones` (optional, default 3): Number of AZs (2–6) - `environment` (required): Environment tag - `enable_ssh_access` (optional, default false): Whether to create SSH security group ## Troubleshooting ### Insufficient Availability Zones The target region must have at least 2 available AZs. Use `aws ec2 describe-availability-zones` to verify. ### NAT Gateway creation delays NAT Gateways can take several minutes to become available. The procedure waits for availability before configuring route tables. ### Security group CIDR warnings The procedure warns about `0.0.0.0/0` for web access CIDRs and recommends specific IP ranges for production workloads, but allows it if explicitly requested.