
Step-by-Step Terraform Templates to Create Compliant Subnetworks for Public Services: FAR 52.204-21 / CMMC 2.0 Level 1 - Control - SC.L1-B.1.XI

April 04, 2026

4 min read

This post provides hands-on Terraform templates and step-by-step guidance to create compliant public subnetworks for hosting internet-facing services in alignment with FAR 52.204-21 basic safeguarding and CMMC 2.0 Level 1 SC.L1-B.1.XI expectations, with practical tips for a small business environment.

Why subnetworks matter for FAR 52.204-21 and CMMC 2.0 Level 1

FAR 52.204-21 requires contractors to apply 15 basic safeguarding requirements to covered contractor information systems, and CMMC 2.0 Level 1 assesses those same 15 practices as basic cyber hygiene. The requirement this post addresses is FAR 52.204-21(b)(1)(xi): separate subnetworks for publicly accessible system components that are physically or logically separated from internal networks (carried into CMMC as practice SC.L1-3.13.5, Public-Access System Separation). Placing Internet-facing services (web frontends, public APIs) in dedicated public subnets while keeping application and data tiers in private subnets with no route to the Internet reduces attack surface, limits lateral movement from a compromised public host, simplifies auditing, and supports least privilege and separation of duties.

High-level design and compliance mapping

Design a VPC with: (1) one or more public subnets for internet-facing services, associated with a dedicated route table whose default route points at an Internet Gateway; (2) private subnets for application servers and data stores, on a route table with no Internet Gateway route at all; (3) security groups that allow only the required ingress (e.g., 80/443 on the public tier, the database port from the public tier's security group on the private tier) and explicit egress controls; (4) centralized logging for VPC Flow Logs and OS/application logs; and (5) management access via bastion hosts or vendor management tools such as AWS Systems Manager Session Manager, so no administrative port is open to the Internet. The logical separation that FAR 52.204-21(b)(1)(xi) and SC.L1-3.13.5 ask for is realized by the route tables: a private subnet with no IGW route cannot be reached from the Internet regardless of what a security group says. Security groups and network ACLs add defense in depth on top of that, and the flow logs and consistent tagging provide the evidence an assessor will ask for.

Step-by-step Terraform templates (AWS example)

Below are compact, practical Terraform snippets you can assemble into a module. This example assumes AWS (provider v4 or later); adapt provider blocks for other clouds. Files: variables.tf, vpc.tf, public_subnet.tf, igw_route.tf, security_groups.tf, flow_logs.tf, outputs.tf. Run terraform init, plan, apply after filling the variables.

Variables, main VPC and public subnet (variables.tf / vpc.tf / public_subnet.tf)

# Inputs referenced throughout the templates
variable "vpc_cidr"            { type = string }       # e.g. "10.20.0.0/16"
variable "public_subnet_cidrs" { type = list(string) } # one per AZ, e.g. ["10.20.1.0/24", "10.20.2.0/24"]
variable "env"                 { type = string }       # "dev" or "prod"
variable "classification"      { type = string }       # e.g. "Non-sensitive"; a Level 1 system holds FCI, not CUI

# AZ list used to spread the public subnets for redundancy
data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "main" {
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags = {
    Name           = "${var.env}-vpc"
    Classification = var.classification
  }
}

# Public tier: one subnet per AZ. map_public_ip_on_launch gives every instance
# launched here a public IP, so only components that must be Internet-facing
# belong in these subnets (or front them with a load balancer and set it false).
resource "aws_subnet" "public" {
  count                   = length(var.public_subnet_cidrs)
  vpc_id                  = aws_vpc.main.id
  cidr_block              = var.public_subnet_cidrs[count.index]
  map_public_ip_on_launch = true
  availability_zone       = element(data.aws_availability_zones.available.names, count.index)
  tags = {
    Name = "${var.env}-public-${count.index}"
    Role = "public"
  }
}

Internet gateway and public route table (igw_route.tf)

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
  tags = { Name = "${var.env}-igw" }
}

resource "aws_route_table" "public_rt" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
  tags = { Name = "${var.env}-public-rt" }
}

resource "aws_route_table_association" "public_assoc" {
  count          = length(aws_subnet.public)
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public_rt.id
}

Security group for public services (security_groups.tf)

resource "aws_security_group" "public_sg" {
  name        = "${var.env}-public-sg"
  description = "Allow only HTTP/HTTPS from the Internet"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "HTTP"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "HTTPS"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # Deliberately no rule for 22 (SSH) or 3389 (RDP): management goes through
  # SSM Session Manager or a VPN, so no administrative port faces the Internet.

  # Egress is left open here as a starting point. Narrow it once the service's
  # real dependencies are known (e.g. 443 to package/update endpoints, the DB
  # port to the private subnets) so a compromised host cannot call out freely.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = { Name = "${var.env}-public-sg" }
}

VPC Flow Logs and auditing (flow_logs.tf)

# 90 days keeps enough history for incident investigation; adjust to your
# retention policy and ship to S3 if you need longer, cheaper storage.
resource "aws_cloudwatch_log_group" "vpc_flow" {
  name              = "/aws/vpc/flowlogs/${var.env}"
  retention_in_days = 90
}

# Log ACCEPT and REJECT records for every ENI in the VPC. The IAM role lets the
# VPC Flow Logs service write to the log group and is defined in flow_logs.tf
# alongside this resource.
resource "aws_flow_log" "vpc" {
  resource_id          = aws_vpc.main.id
  resource_type        = "VPC"
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.vpc_flow.arn
  iam_role_arn         = aws_iam_role.flow_logs_role.arn
}
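The flow-log snippet above references an IAM role it does not define, and the text later calls for alarms on traffic spikes that look like scanning. The following is an added example (not part of the original post) that supplies both: a least-privilege role the VPC Flow Logs service can assume, a metric filter that counts REJECT records in the default flow-log format, and an alarm on that count. The resource names (flow_logs_role, security_alerts, reject_spike) and the threshold of 500 are this example's own assumptions; it expects the aws_cloudwatch_log_group.vpc_flow resource from flow_logs.tf and an AWS provider v4 or later (where the log group's arn attribute has no trailing ":*").

```hcl
# Added example: IAM role for VPC Flow Logs plus a REJECT-spike alarm.
# Assumes aws_cloudwatch_log_group.vpc_flow and var.env exist as in the post.

# Trust policy: only the VPC Flow Logs service may assume this role.
data "aws_iam_policy_document" "flow_logs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow_logs_role" {
  name               = "${var.env}-vpc-flow-logs"
  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume.json
}

# Least privilege: write only to the flow-log group (and its streams).
# DescribeLogGroups is account-wide and does not support resource scoping.
data "aws_iam_policy_document" "flow_logs_write" {
  statement {
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }
  statement {
    actions = [
      "logs:CreateLogStream",
      "logs:DescribeLogStreams",
      "logs:PutLogEvents",
    ]
    resources = ["${aws_cloudwatch_log_group.vpc_flow.arn}:*"]
  }
}

resource "aws_iam_role_policy" "flow_logs_write" {
  name   = "${var.env}-vpc-flow-logs-write"
  role   = aws_iam_role.flow_logs_role.id
  policy = data.aws_iam_policy_document.flow_logs_write.json
}

# Count REJECT records. The default flow-log format is space-delimited with 14
# fields; the 13th is the action, so the filter binds a name to each field and
# matches on action="REJECT".
resource "aws_cloudwatch_log_metric_filter" "rejects" {
  name           = "${var.env}-vpc-rejects"
  log_group_name = aws_cloudwatch_log_group.vpc_flow.name
  pattern        = "[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action=\"REJECT\", flowlogstatus]"

  metric_transformation {
    name      = "${var.env}-vpc-rejected-flows"
    namespace = "Security/VPC"
    value     = "1"
  }
}

# Notification target for the alarm (subscribe an e-mail or ticketing endpoint
# to this topic out of band).
resource "aws_sns_topic" "security_alerts" {
  name = "${var.env}-security-alerts"
}

# More than 500 rejected flows in five minutes is a placeholder threshold:
# baseline it from a week of flow logs before relying on it. A port scan shows
# up as a burst of REJECTs from one source against many destination ports.
resource "aws_cloudwatch_metric_alarm" "reject_spike" {
  alarm_name          = "${var.env}-vpc-reject-spike"
  alarm_description   = "Unusual number of rejected flows in ${var.env} VPC (possible scanning)"
  namespace           = "Security/VPC"
  metric_name         = aws_cloudwatch_log_metric_filter.rejects.metric_transformation[0].name
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  comparison_operator = "GreaterThanThreshold"
  threshold           = 500
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
}
```

The alarm, the metric filter definition and the role policy are all evidence you can export from state or the console to show an assessor that boundary traffic is both logged and monitored.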

Practical implementation notes for a small business

Start small: create a single VPC and two public subnets across AZs for redundancy. Keep the Terraform module in a private registry or version-controlled repo. Use variables for environment (dev/prod), CIDR ranges, and classification tags (e.g., "Federal Contract Information" or "Non-sensitive"); note that if a system processes Controlled Unclassified Information, Level 1 is not the right target, since CUI requires CMMC Level 2 and NIST SP 800-171. Use AWS Systems Manager Session Manager to manage instances, which lets you keep SSH off entirely (no inbound 22), an important CMMC/NIST-aligned reduction of attack surface. Session Manager needs the SSM agent on the instance, an instance profile that includes the AmazonSSMManagedInstanceCore managed policy, and a path to the SSM service endpoints: a public route for the public tier, and VPC interface endpoints for ssm, ssmmessages and ec2messages (or a NAT gateway) for instances in private subnets.

Real-world example scenario

Imagine a small contractor hosting a public-facing documentation portal that may contain Federal Contract Information (FCI), the category of data CMMC Level 1 protects. Deploy the portal in the public subnets with public_sg allowing only 80/443. Keep backend databases in private subnets whose route table has no Internet Gateway route, and give the database a security group that admits the DB port only from public_sg (by security-group reference, not by CIDR); ensure the application uses IAM roles to fetch secrets from AWS Secrets Manager so no credentials are stored on instances. Enable VPC Flow Logs and CloudWatch alarms for spikes in rejected flows that might indicate scanning or DDoS attempts, and document these configurations as the audit evidence FAR and CMMC require.
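The scenario above keeps the database tier off the Internet but the templates only show the public tier. The following is an added example (not from the original post) of the private side, written to the same conventions. Separation is enforced in three layers: a private route table with no Internet Gateway route (the control itself), a database security group that admits the DB port only from public_sg, and a stateless network ACL as a backstop. The variables private_subnet_cidrs and db_port, and the names private_rt, db_sg and the NACL resources, are this example's own assumptions; it expects aws_vpc.main, aws_subnet.public, aws_security_group.public_sg, var.env, var.public_subnet_cidrs and the availability-zones data source named available.

```hcl
# Added example: private tier for the documentation-portal scenario.
# Assumes the public-tier resources from the post's templates already exist.

variable "private_subnet_cidrs" { type = list(string) } # e.g. ["10.20.101.0/24", "10.20.102.0/24"]

variable "db_port" {
  type    = number
  default = 5432 # PostgreSQL; change for your engine
}

resource "aws_subnet" "private" {
  count                   = length(var.private_subnet_cidrs)
  vpc_id                  = aws_vpc.main.id
  cidr_block              = var.private_subnet_cidrs[count.index]
  map_public_ip_on_launch = false # never auto-assign public IPs in this tier
  availability_zone       = element(data.aws_availability_zones.available.names, count.index)
  tags = {
    Name = "${var.env}-private-${count.index}"
    Role = "private"
  }
}

# Layer 1, routing: only the implicit VPC-local route exists. With no IGW route
# nothing here is reachable from the Internet, which is the logical separation
# FAR 52.204-21(b)(1)(xi) asks for. Add a NAT gateway route only if outbound
# patching is required, and record the justification for the assessor.
resource "aws_route_table" "private_rt" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "${var.env}-private-rt" }
}

resource "aws_route_table_association" "private_assoc" {
  count          = length(aws_subnet.private)
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private_rt.id
}

# Layer 2, security group: DB port only from the public tier's SG. Referencing
# the SG instead of a CIDR means a host in the public subnet that is not part
# of the portal still cannot reach the database.
resource "aws_security_group" "db_sg" {
  name        = "${var.env}-db-sg"
  description = "Database reachable only from the public service tier"
  vpc_id      = aws_vpc.main.id

  ingress {
    description     = "DB port from public_sg"
    from_port       = var.db_port
    to_port         = var.db_port
    protocol        = "tcp"
    security_groups = [aws_security_group.public_sg.id]
  }
  # No egress block: Terraform removes AWS's default allow-all egress rule when
  # none is declared, so the database tier initiates no connections at all.
  tags = { Name = "${var.env}-db-sg" }
}

# Layer 3, network ACL (stateless backstop): inbound only on the DB port from
# the public subnets, outbound only the ephemeral-port return traffic. Anything
# else, including traffic between private subnets, hits the implicit deny.
# If you add SSM VPC endpoints for private instances, add matching 443 rules.
resource "aws_network_acl" "private" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = aws_subnet.private[*].id
  tags       = { Name = "${var.env}-private-nacl" }
}

resource "aws_network_acl_rule" "in_db_from_public" {
  count          = length(var.public_subnet_cidrs)
  network_acl_id = aws_network_acl.private.id
  rule_number    = 100 + count.index
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = var.public_subnet_cidrs[count.index]
  from_port      = var.db_port
  to_port        = var.db_port
}

resource "aws_network_acl_rule" "out_ephemeral_to_public" {
  count          = length(var.public_subnet_cidrs)
  network_acl_id = aws_network_acl.private.id
  rule_number    = 100 + count.index
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = var.public_subnet_cidrs[count.index]
  from_port      = 1024
  to_port        = 65535
}
```

To prove the separation during an assessment, show the private route table (no 0.0.0.0/0 entry), the db_sg ingress rule with its source security group, and the NACL rule list; all three come straight out of terraform state show or the console.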

Compliance tips, best practices, and evidence collection

Best practices: (1) tag resources consistently for automated evidence gathering (e.g., env, owner, classification); (2) enforce infrastructure-as-code reviews (pull requests) and keep Terraform state in a remote backend with encryption at rest, state locking, and IAM access limited to the deployment role, since state contains resource IDs and can contain secrets; (3) detect drift by running terraform plan on a schedule in CI and treating any unexpected change as an incident to investigate; (4) restrict management access to known IPs or use a VPN/SSM; (5) log everything, including VPC Flow Logs, CloudTrail, and host-level logs, and ship to centralized, immutable storage (S3 with versioning and Object Lock, plus MFA Delete where possible); (6) store runbooks showing how subnetworks are provisioned and how to prove segregation during an audit.

Risks of not implementing this requirement

Without proper subnet separation and controls you increase the likelihood of data exposure, lateral movement after compromise, and inadvertent public access to sensitive systems. For contractors, failing to meet FAR 52.204-21 or CMMC Level 1 expectations risks contract disqualification, loss of award, regulatory penalties, and reputational damage. Operationally, you also face increased firefighting, higher incident response costs, and longer remediation timelines.

In summary, using Terraform to create dedicated, well-tagged public subnetworks combined with strict security groups, centralized logging, management without open SSH, and documented evidence provides a practical, auditable path to meet the relevant FAR 52.204-21 and CMMC 2.0 Level 1 controls—start with the provided templates, tailor CIDR and tagging to your environment, enforce code reviews, and automate logging and monitoring to reduce risk.
