AWS: Reference Network Architecture

Amazon Web Services (AWS) provides great flexibility in configuring infrastructure. We provide a basic reference architecture to help administrators deploy a secure network within a VPC that follows our best practices.

The objective is to minimize the attack surface and to take a layered approach to security that delivers a high level of isolation.

Technical Overview

At a high level, this consists of:

  • One Public subnet hosting a NAT Gateway with an Elastic IP and an Internet Gateway allowing for egress to the public Internet

  • One Private subnet hosting a Twingate Connector with egress to the NAT gateway. This subnet hosts internal resources that you can define access control policies for through the Twingate Admin Console.


  • Routing and security groups should prevent any inbound connections into the VPC.
  • The NAT Gateway is the only resource with a public IP address. We recommend placing it in a subnet that contains no private resources, to reduce the attack surface.
  • The Twingate Connector will access the Twingate Relay infrastructure using an outbound connection through the NAT Gateway. No inbound connections are required.
  • The Twingate Connector can reach private resources within the private subnet (TCP, UDP, ICMP) and access can be further tuned by network administrators.
  • This architecture requires minimal configuration, so AWS resource costs should be minimal while still providing a high degree of protection.
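
The points above can be checked against a deployed VPC. The following is an added example, not part of the Twingate Terraform configuration: a small audit that flags public IPs on anything other than the NAT Gateway, private resources placed in the public subnet, and security group ingress from outside the VPC. The inventory is constructed sample data, a simplified and flattened form of EC2 describe output; all IDs, CIDRs and the `audit` function name are assumptions.

```python
import ipaddress

# Constructed sample inventory (simplified, flattened EC2 describe-* fields).
# All IDs, addresses and CIDRs are made up for illustration.
VPC_CIDR = "10.0.0.0/16"
INVENTORY = {
    "route_tables": [
        {"SubnetId": "subnet-public", "Routes": [
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
        {"SubnetId": "subnet-private", "Routes": [
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
    ],
    "security_groups": [
        {"GroupId": "sg-connector", "IpPermissions": []},  # no inbound rules
        {"GroupId": "sg-app", "IpPermissions": [
            {"IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},   # VPC-internal only
    ],
    "network_interfaces": [
        {"Id": "eni-nat", "SubnetId": "subnet-public",
         "InterfaceType": "nat_gateway", "PublicIp": "203.0.113.10"},
        {"Id": "eni-connector", "SubnetId": "subnet-private",
         "InterfaceType": "interface", "PublicIp": None},
    ],
}

def audit(inv, vpc_cidr=VPC_CIDR):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    # A subnet whose default route targets an Internet Gateway is public.
    public = {rt["SubnetId"] for rt in inv["route_tables"]
              for r in rt["Routes"]
              if r.get("DestinationCidrBlock") == "0.0.0.0/0"
              and r.get("GatewayId", "").startswith("igw-")}
    for eni in inv["network_interfaces"]:
        is_nat = eni["InterfaceType"] == "nat_gateway"
        if eni["PublicIp"] and not is_nat:
            findings.append(f"{eni['Id']}: public IP on a non-NAT resource")
        if eni["SubnetId"] in public and not is_nat:
            findings.append(f"{eni['Id']}: private resource in public subnet")
    for sg in inv["security_groups"]:
        for perm in sg["IpPermissions"]:
            for rng in perm.get("IpRanges", []):  # IPv4 ranges only
                if not ipaddress.ip_network(rng["CidrIp"]).subnet_of(vpc):
                    findings.append(f"{sg['GroupId']}: ingress from {rng['CidrIp']}")
    return findings

if __name__ == "__main__":
    print(audit(INVENTORY) or "layout matches the reference architecture")
```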

Deployment through Terraform

We provide a Terraform configuration for this architecture documented at our Terraform AWS Deployment Guide.

Production considerations

Please note we always recommend deploying a minimum of 2 Twingate Connectors for a production environment to provide for redundancy. Additional Connectors may be deployed to provide increased capacity for users accessing resources via the Twingate network.

Last updated 2 years ago