diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4ddb621
--- /dev/null
+++ b/README.md
@@ -0,0 +1,48 @@
+# terraform-aws-stateful
+
+This terraform module creates an EC2 Cluster on AWS.
+
+The following resources will be created:
+
+- Elastic File System (EFS)
+- Auto Scaling
+- Security groups for (ALB/NLB,EC2,EFS)
+- IAM roles and policies for the EC2 instances
+
+In addition, you have the option to create:
+ - Elastic Load Balancer
+     - ALB - An external Application Load Balancer
+     - NLB - An external Network Load Balancer
+
+ - Route 53 (requires ALB)
+     - URL pointing to a hostname (NLB or ALB hostname)
+
+## Usage
+
+For deployment usage please see the `examples` folder.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| certificate\_arn | Certificate ARN to be used on the ALB | `any` | n/a | no |
+| custom\_efs\_dir | Custom EFS mount point - e.g /home | `string` | `""` | no |
+| enable\_alb | Wheter to enable application load balancer | `bool` | `false` | no |
+| hosted\_zone | Route 53 hosted zone | `string` | `""` | no |
+| hostname\_create | Wheter to create the hostnames on Route 53 | `bool` | `false` | no |
+| hostnames | Hostnames to be created on Route 53 | `any` | n/a | no |
+| instance\_count | Number of EC2 intances | `number` | `1` | no |
+| instance\_type | EC2 instance type | `string` | `"t2.micro"` | no |
+| instance\_volume\_size\_root | Volume root size | `number` | `16` | no |
+| instances\_subnet | List of private subnet IDs for EC2 instances | `list` | n/a | yes |
+| name | Name of this EC2/default cluster | `any` | n/a | yes |
+| cluster_name | Name of the environment (dev/prod) | `any` | n/a | yes |
+| public\_subnet\_ids | List of public subnet IDs for the ALB | `list` | `[]` | no |
+| secure\_subnet\_ids | List of secure subnet IDs for EFS | `list` | n/a | yes |
+| security\_group\_ids | Extra security groups for instances | `list` | `[]` | no |
+| userdata | Extra commands to pass to userdata | `string` | `""` | no |
+| vpc\_id | VPC ID to deploy the EC2/default cluster | `any` | n/a | yes |
+| lb\_type| Either ALB, NLB, or EIP to enable | `string` | `""` | no |
+| lb\_port| Port to be used in the security groups and in LB the health check | `number` | `0` | no |
+| lb\_protocol| LB protocol - TCP or UDP | `number` | `""` | no |
+| sg\_cidr\_blocks| LB protocol - TCP or UDP | `list` | `[]` | no |
diff --git a/_data.tf b/_data.tf
new file mode 100644
index 0000000..116a6dc
--- /dev/null
+++ b/_data.tf
@@ -0,0 +1,28 @@
+data "aws_region" "current" {}
+
+data "aws_ami" "amazon-linux-2" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-hvm*"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+}
+
+data "aws_autoscaling_groups" "groups" {
+  filter {
+    name   = "key"
+    values = ["Name"]
+  }
+
+  filter {
+    name   = "value"
+    values = ["${var.name}-*"]
+  }
+}
\ No newline at end of file
diff --git a/_variables.tf b/_variables.tf
new file mode 100644
index 0000000..b5544f9
--- /dev/null
+++ b/_variables.tf
@@ -0,0 +1,113 @@
+variable "name" {
+  description = "Name of this EC2 cluster"
+}
+
+variable "cluster_name" {
+  description = "Environment name"
+}
+
+variable "instance_type" {
+  default     = "t2.micro"
+  description = "EC2 instance type"
+}
+
+variable "on_demand_base_capacity" {
+  description = "on_demand_base_capacity"
+}
+
+variable "on_demand_percentage" {
+  description = "on_demand_percentage"
+}
+
+variable "instance_type" {
+  default     = "t2.micro"
+  description = "EC2 instance type"
+}
+
+variable "instance_count" {
+  default     = 1
+  description = "Number of EC2 intances"
+}
+
+variable "lb_type" {
+  default     = ""
+  description = "Either alb nlb or EIP to enable"
+}
+
+variable "lb_port" {
+  type        = number
+  default     = 0
+  description = "LB port"
+}
+
+variable "lb_protocol" {
+  default     = ""
+  description = "LB protocol"
+}
+
+variable "sg_cidr_blocks" {
+  type        = list
+  default     = []
+  description = "Which cidr blocks allowed to connect to the service"
+}
+
+variable "certificate_arn" {
+  default     = ""
+  description = "Certificate ARN to be used on the ALB"
+}
+
+variable "userdata" {
+  default     = ""
+  description = "Extra commands to pass to userdata"
+}
+
+variable "instance_volume_size_root" {
+  default     = 16
+  description = "Volume root size"
+}
+
+variable "custom_efs_dir" {
+  default     = ""
+  description = "Custom EFS mount point - e.g /home"
+}
+
+variable "instances_subnet" {
+  type        = list
+  description = "List of private subnet IDs for EC2 instances"
+}
+
+variable "public_subnet_ids" {
+  type        = list
+  default     = []
+  description = "List of public subnet IDs for the ALB"
+}
+
+variable "secure_subnet_ids" {
+  type        = list
+  description = "List of secure subnet IDs for EFS"
+}
+
+variable "vpc_id" {
+  description = "VPC ID to deploy the EC2/default cluster"
+}
+
+variable "security_group_ids" {
+  type        = list
+  default     = []
+  description = "Extra security groups for instances"
+}
+
+variable "hostname_create" {
+  default     = false
+  description = "Wheter to create the hostnames on Route 53"
+}
+
+variable "hosted_zone" {
+  default     = ""
+  description = "Route 53 hosted zone"
+}
+
+variable "hostnames" {
+  default     = []
+  description = "Hostnames to be created on Route 53"
+}
\ No newline at end of file
diff --git a/alb-sg.tf b/alb-sg.tf
new file mode 100644
index 0000000..06e53ed
--- /dev/null
+++ b/alb-sg.tf
@@ -0,0 +1,61 @@
+resource "aws_security_group" "alb" {
+  count = var.lb_type == "ALB" ? 1 : 0
+
+  name        = "${var.name}-lb"
+  description = "SG for ALB"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "${var.name}-lb"
+  }
+}
+
+resource "aws_security_group_rule" "http_from_world_to_alb" {
+  count = var.lb_type == "ALB" ? 1 : 0
+
+  description       = "HTTP Redirect ${var.name} ALB"
+  type              = "ingress"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  security_group_id = aws_security_group.alb[0].id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "https_from_world_to_alb" {
+  count = var.lb_type == "ALB" ? 1 : 0
+
+  description       = "HTTPS ${var.name} ALB"
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  security_group_id = aws_security_group.alb[0].id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "alb_to_nodes" {
+  count = var.lb_type == "ALB" ? 1 : 0
+
+  description              = "Traffic to ${var.name} Nodes"
+  type                     = "egress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  security_group_id        = aws_security_group.alb[0].id
+  source_security_group_id = aws_security_group.default.id
+}
+
+resource "aws_security_group_rule" "from_alb_to_nodes" {
+  count = var.lb_type == "ALB" ? 1 : 0
+
+  description              = "from ALB"
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  security_group_id        = aws_security_group.default.id
+  source_security_group_id = aws_security_group.alb[0].id
+
+  depends_on = [aws_security_group.default]
+}
\ No newline at end of file
diff --git a/alb.tf b/alb.tf
new file mode 100644
index 0000000..d94d186
--- /dev/null
+++ b/alb.tf
@@ -0,0 +1,63 @@
+resource "aws_lb" "alb" {
+  count              = var.lb_type == "ALB" ? 1 : 0
+  name               = "alb-${var.name}"
+  internal           = false
+  load_balancer_type = "application"
+  subnets            = var.public_subnet_ids
+
+  security_groups = [
+    aws_security_group.alb[0].id,
+  ]
+
+  idle_timeout = 400
+
+  tags = {
+    Name = "${var.name}"
+  }
+}
+
+resource "aws_lb_target_group" "alb_tg" {
+  count    = var.lb_type == "ALB" ? 1 : 0
+  name     = "tg-${var.name}"
+  port     = 80
+  protocol = "HTTP"
+  vpc_id   = var.vpc_id
+}
+
+resource "aws_lb_listener" "alb_http_listener" {
+  count             = var.lb_type == "ALB" ? 1 : 0
+  load_balancer_arn = aws_lb.alb[0].arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+resource "aws_lb_listener" "alb_https_listener" {
+  count             = var.lb_type == "ALB" ? 1 : 0
+  load_balancer_arn = aws_lb.alb[0].arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = var.certificate_arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.alb_tg[0].arn
+  }
+}
+
+resource "aws_autoscaling_attachment" "alb_asg_attachment" {
+  count                  = "${var.lb_type == "ALB" ? 1 : 0}" * var.instance_count
+  autoscaling_group_name = aws_autoscaling_group.asg[count.index].name
+  alb_target_group_arn   = aws_lb_target_group.alb_tg[0].arn
+  depends_on             = [aws_lb_target_group.alb_tg]
+}
\ No newline at end of file
diff --git a/asg.tf b/asg.tf
new file mode 100644
index 0000000..77b5371
--- /dev/null
+++ b/asg.tf
@@ -0,0 +1,30 @@
+resource "aws_autoscaling_group" "asg" {
+  count = var.instance_count
+  name  = "${var.name}-${var.cluster_name}-${count.index}"
+
+  min_size = 1
+  max_size = 1
+
+  vpc_zone_identifier = var.instances_subnet
+
+  launch_template {
+    name    = aws_launch_template.default.name
+    version = "$Latest"
+  }
+
+  tags = [
+    map("key", "Name", "value", "${var.name}", "propagate_at_launch", true)
+  ]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  instances_distribution {
+      spot_instance_pools                      = 3
+      on_demand_base_capacity                  = var.on_demand_base_capacity
+      on_demand_percentage_above_base_capacity = var.on_demand_percentage
+    }
+
+  depends_on = [aws_efs_file_system.default]
+}
\ No newline at end of file
diff --git a/ec2-iam.tf b/ec2-iam.tf
new file mode 100644
index 0000000..6e5887d
--- /dev/null
+++ b/ec2-iam.tf
@@ -0,0 +1,29 @@
+resource "aws_iam_instance_profile" "default" {
+  name = "${var.name}-${data.aws_region.current.name}"
+  role = aws_iam_role.default.name
+}
+
+resource "aws_iam_role" "default" {
+  name = "${var.name}-${data.aws_region.current.name}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "default_ssm" {
+  role       = aws_iam_role.default.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
+}
\ No newline at end of file
diff --git a/ec2-sg.tf b/ec2-sg.tf
new file mode 100644
index 0000000..a5baeec
--- /dev/null
+++ b/ec2-sg.tf
@@ -0,0 +1,29 @@
+resource "aws_security_group" "default" {
+  name        = var.name
+  description = "SG for ${var.name}"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = var.name
+  }
+}
+
+resource "aws_security_group_rule" "default_ingress" {
+  description              = "Traffic between ${var.name}"
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 0
+  protocol                 = "-1"
+  security_group_id        = aws_security_group.default.id
+  source_security_group_id = aws_security_group.default.id
+}
+
+resource "aws_security_group_rule" "default_egress" {
+  description       = "Traffic to internet"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  security_group_id = aws_security_group.default.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
\ No newline at end of file
diff --git a/efs.tf b/efs.tf
new file mode 100644
index 0000000..c2229fd
--- /dev/null
+++ b/efs.tf
@@ -0,0 +1,43 @@
+resource "aws_efs_file_system" "default" {
+  creation_token = var.name
+  encrypted      = true
+
+  tags = {
+    Name = "efs-${var.name}"
+  }
+
+}
+
+resource "aws_efs_mount_target" "default" {
+  count          = length(var.secure_subnet_ids)
+  file_system_id = aws_efs_file_system.default.id
+  subnet_id      = var.secure_subnet_ids[count.index]
+
+  security_groups = [
+    aws_security_group.efs.id,
+  ]
+
+  lifecycle {
+    ignore_changes = [subnet_id]
+  }
+}
+
+resource "aws_security_group" "efs" {
+  name        = "efs-${var.name}"
+  description = "for EFS to talk to default cluster"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "efs-${var.name}"
+  }
+}
+
+resource "aws_security_group_rule" "nfs_from_node_to_efs" {
+  description              = "${var.name} to EFS"
+  type                     = "ingress"
+  from_port                = 2049
+  to_port                  = 2049
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.efs.id
+  source_security_group_id = aws_security_group.default.id
+}
diff --git a/eip-iam.tf b/eip-iam.tf
new file mode 100644
index 0000000..7cb847b
--- /dev/null
+++ b/eip-iam.tf
@@ -0,0 +1,31 @@
+resource "aws_iam_policy" "default_eip" {
+  count = var.lb_type == "EIP" ? 1 : 0
+
+  name        = var.name
+  path        = "/"
+  description = "Policy for EC2 instances"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:AssociateAddress",
+        "ec2:DisassociateAddress",
+        "ec2:DescribeAddresses"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "default_extra" {
+  count = var.lb_type == "EIP" ? 1 : 0
+
+  role       = aws_iam_role.default.name
+  policy_arn = aws_iam_policy.default_eip[0].arn
+}
\ No newline at end of file
diff --git a/eip-sg.tf b/eip-sg.tf
new file mode 100644
index 0000000..009f652
--- /dev/null
+++ b/eip-sg.tf
@@ -0,0 +1,12 @@
+resource "aws_security_group_rule" "eip_access" {
+  count = var.lb_type == "EIP" ? 1 : 0
+
+  description       = "${var.lb_port} access"
+  type              = "ingress"
+  from_port         = var.lb_port
+  to_port           = var.lb_port
+  protocol          = var.lb_protocol
+  security_group_id = aws_security_group.default.id
+  cidr_blocks       = var.sg_cidr_blocks
+  depends_on        = [aws_security_group.default]
+}
diff --git a/eip.tf b/eip.tf
new file mode 100644
index 0000000..e3af1d4
--- /dev/null
+++ b/eip.tf
@@ -0,0 +1,8 @@
+resource "aws_eip" "default" {
+  count = var.lb_type == "EIP" ? 1 : 0
+  vpc   = true
+
+  tags = {
+    Name = var.name
+  }
+}
\ No newline at end of file
diff --git a/examples/README.md b/examples/README.md
new file mode 100644
index 0000000..b320ea8
--- /dev/null
+++ b/examples/README.md
@@ -0,0 +1,7 @@
+# Examples
+
+Please see the readme in per example for more details:
+
+- [alb-cluster] EC2 Cluster in a private subnet, ALB in a public subnet, EFS and ASG.
+- [nlb-cluster] EC2 Cluster in a private subnet, NLB in a public subnet, EFS and ASG.
+- [eip-instance] Single EC2 instance in a private subnet, EFS and ASG
diff --git a/examples/alb-cluster/README.md b/examples/alb-cluster/README.md
new file mode 100644
index 0000000..612f744
--- /dev/null
+++ b/examples/alb-cluster/README.md
@@ -0,0 +1,12 @@
+# Example - ALB Cluster
+
+In this scenario, multiple instances can be created.
+
+Resources to be created via this stack:
+
+  - An auto scaling group per instance
+  - Usages of private VPC
+  - Provision an ALB
+  - Creates the DNS record pointing to the ALB hostname
+  - You can log into the instance via SSM (Session Manager)
+  - You can also get the SSM key from a SSM parameter and connect via OpenVPN
\ No newline at end of file
diff --git a/examples/alb-cluster/_data.tf b/examples/alb-cluster/_data.tf
new file mode 100644
index 0000000..bf690c5
--- /dev/null
+++ b/examples/alb-cluster/_data.tf
@@ -0,0 +1,44 @@
+data "aws_vpc" "selected" {
+  filter {
+    name   = "tag:Name"
+    values = ["${local.workspace["cluster_name"]}-VPC"]
+  }
+}
+
+data "aws_subnet_ids" "public" {
+  vpc_id = data.aws_vpc.selected.id
+
+  filter {
+    name   = "tag:Scheme"
+    values = ["public"]
+  }
+}
+
+data "aws_subnet_ids" "private" {
+  vpc_id = data.aws_vpc.selected.id
+
+  filter {
+    name   = "tag:Scheme"
+    values = ["private"]
+  }
+}
+
+data "aws_subnet_ids" "secure" {
+  vpc_id = data.aws_vpc.selected.id
+
+  filter {
+    name   = "tag:Scheme"
+    values = ["secure"]
+  }
+}
+
+data "aws_acm_certificate" "domain_host" {
+  domain   = "*.hosted.zone"
+  statuses = ["ISSUED"]
+}
+
+data "aws_route53_zone" "selected" {
+  name  = local.workspace["hosted_zone"]
+}
+
+data "aws_region" "current" {}
\ No newline at end of file
diff --git a/examples/alb-cluster/_variables.tf b/examples/alb-cluster/_variables.tf
new file mode 100644
index 0000000..6b72253
--- /dev/null
+++ b/examples/alb-cluster/_variables.tf
@@ -0,0 +1,21 @@
+variable "aws_account_id" {}
+variable "aws_role" {}
+
+locals {
+  env = {
+    labs-ap-southeast-2-dev = {
+      cluster_name   = "labs2"
+      region         = "ap-southeast-2"
+      instance_type  = "t2.micro"
+      name           = "app-name"
+      hosted_zone    = "hosted.zone"
+      hostnames      = ["mydomain.hosted.zone"]
+      custom_efs_dir = "/my-dir"
+      instance_count = 3
+      lb_type        = "ALB"
+    }
+  }
+
+  workspace = local.env[terraform.workspace]
+
+}
\ No newline at end of file
diff --git a/examples/alb-cluster/instance.tf b/examples/alb-cluster/instance.tf
new file mode 100644
index 0000000..fe929cd
--- /dev/null
+++ b/examples/alb-cluster/instance.tf
@@ -0,0 +1,16 @@
+module "alb_cluster" {
+  source             = "./modules/terraform-aws-stateful/"
+  name               = local.workspace["name"]
+  cluster_name       = local.workspace["cluster_name"]
+  instance_type      = local.workspace["instance_type"]
+  instance_count     = local.workspace["instance_count"]
+  custom_efs_dir     = local.workspace["custom_efs_dir"]
+  hostnames          = local.workspace["hostnames"]
+  hosted_zone        = local.workspace["hosted_zone"]
+  lb_type            = local.workspace["lb_type"]
+  hostname_create    = true
+  vpc_id             = data.aws_vpc.selected.id
+  instances_subnet   = data.aws_subnet_ids.private.ids
+  secure_subnet_ids  = data.aws_subnet_ids.secure.ids
+  public_subnet_ids  = data.aws_subnet_ids.public.ids
+}
\ No newline at end of file
diff --git a/examples/eip-instance/README.md b/examples/eip-instance/README.md
new file mode 100644
index 0000000..026c257
--- /dev/null
+++ b/examples/eip-instance/README.md
@@ -0,0 +1,10 @@
+# Example - EIP Single Instance
+
+In this scenario there is only one EC2 instance running with an Elastic IP attached.
+
+Resources to be created via this stack:
+
+  - Usages of private VPC
+  - Provision an Elastic IP and attach it to the EC2 instance
+  - You can log into the instance via SSM (Session Manager)
+  - You can also get the SSM key from a SSM parameter and connect via OpenVPN
\ No newline at end of file
diff --git a/examples/eip-instance/_data.tf b/examples/eip-instance/_data.tf
new file mode 100644
index 0000000..bf690c5
--- /dev/null
+++ b/examples/eip-instance/_data.tf
@@ -0,0 +1,44 @@
+data "aws_vpc" "selected" {
+  filter {
+    name   = "tag:Name"
+    values = ["${local.workspace["cluster_name"]}-VPC"]
+  }
+}
+
+data "aws_subnet_ids" "public" {
+  vpc_id = data.aws_vpc.selected.id
+
+  filter {
+    name   = "tag:Scheme"
+    values = ["public"]
+  }
+}
+
+data "aws_subnet_ids" "private" {
+  vpc_id = data.aws_vpc.selected.id
+
+  filter {
+    name   = "tag:Scheme"
+    values = ["private"]
+  }
+}
+
+data "aws_subnet_ids" "secure" {
+  vpc_id = data.aws_vpc.selected.id
+
+  filter {
+    name   = "tag:Scheme"
+    values = ["secure"]
+  }
+}
+
+data "aws_acm_certificate" "domain_host" {
+  domain   = "*.hosted.zone"
+  statuses = ["ISSUED"]
+}
+
+data "aws_route53_zone" "selected" {
+  name  = local.workspace["hosted_zone"]
+}
+
+data "aws_region" "current" {}
\ No newline at end of file
diff --git a/examples/eip-instance/_variables.tf b/examples/eip-instance/_variables.tf
new file mode 100644
index 0000000..45b6644
--- /dev/null
+++ b/examples/eip-instance/_variables.tf
@@ -0,0 +1,24 @@
+variable "aws_account_id" {}
+variable "aws_role" {}
+
+locals {
+  env = {
+    labs-ap-southeast-2-dev = {
+      cluster_name   = "labs2"
+      region         = "ap-southeast-2"
+      instance_type  = "t2.micro"
+      name           = "app-name"
+      hosted_zone    = "hosted.zone"
+      hostnames      = ["mydomain.hosted.zone"]
+      custom_efs_dir = "/my-dir"
+      instance_count = 1
+      lb_type        = "EIP"
+      lb_port        = 22
+      lb_protocol    = "TCP"
+      sg_cidr_blocks = ["0.0.0.0/0"]
+    }
+  }
+
+  workspace = local.env[terraform.workspace]
+
+}
\ No newline at end of file
diff --git a/examples/eip-instance/instance.tf b/examples/eip-instance/instance.tf
new file mode 100644
index 0000000..9cc92ec
--- /dev/null
+++ b/examples/eip-instance/instance.tf
@@ -0,0 +1,19 @@
+module "cluster" {
+  source             = "./modules/terraform-aws-stateful/"
+  name               = local.workspace["name"]
+  cluster_name       = local.workspace["cluster_name"]
+  instance_type      = local.workspace["instance_type"]
+  instance_count     = local.workspace["instance_count"]
+  custom_efs_dir     = local.workspace["custom_efs_dir"]
+  hostnames          = local.workspace["hostnames"]
+  hosted_zone        = local.workspace["hosted_zone"]
+  lb_type            = local.workspace["lb_type"]
+  lb_port            = local.workspace["lb_port"]
+  lb_protocol        = local.workspace["lb_protocol"]
+  sg_cidr_blocks     = local.workspace["sg_cidr_blocks"]
+  hostname_create    = true
+  vpc_id             = data.aws_vpc.selected.id
+  instances_subnet   = data.aws_subnet_ids.private.ids
+  secure_subnet_ids  = data.aws_subnet_ids.secure.ids
+  public_subnet_ids  = data.aws_subnet_ids.public.ids
+}
\ No newline at end of file
diff --git a/examples/nlb-cluster/README.md b/examples/nlb-cluster/README.md
new file mode 100644
index 0000000..a0f4164
--- /dev/null
+++ b/examples/nlb-cluster/README.md
@@ -0,0 +1,12 @@
+# Example - NLB Cluster
+
+In this scenario, multiple instances can be created.
+
+Resources to be created via this stack:
+
+  - An auto scaling group per instance
+  - Usages of private VPC
+  - Provision an NLB
+  - Creates the DNS record pointing to the NLB hostname
+  - You can log into the instance via SSM (Session Manager)
+  - You can also get the SSH key from a SSM parameter and connect via OpenVPN
diff --git a/examples/nlb-cluster/_data.tf b/examples/nlb-cluster/_data.tf
new file mode 100644
index 0000000..bf690c5
--- /dev/null
+++ b/examples/nlb-cluster/_data.tf
@@ -0,0 +1,44 @@
+data "aws_vpc" "selected" {
+  filter {
+    name   = "tag:Name"
+    values = ["${local.workspace["cluster_name"]}-VPC"]
+  }
+}
+
+data "aws_subnet_ids" "public" {
+  vpc_id = data.aws_vpc.selected.id
+
+  filter {
+    name   = "tag:Scheme"
+    values = ["public"]
+  }
+}
+
+data "aws_subnet_ids" "private" {
+  vpc_id = data.aws_vpc.selected.id
+
+  filter {
+    name   = "tag:Scheme"
+    values = ["private"]
+  }
+}
+
+data "aws_subnet_ids" "secure" {
+  vpc_id = data.aws_vpc.selected.id
+
+  filter {
+    name   = "tag:Scheme"
+    values = ["secure"]
+  }
+}
+
+data "aws_acm_certificate" "domain_host" {
+  domain   = "*.hosted.zone"
+  statuses = ["ISSUED"]
+}
+
+data "aws_route53_zone" "selected" {
+  name  = local.workspace["hosted_zone"]
+}
+
+data "aws_region" "current" {}
\ No newline at end of file
diff --git a/examples/nlb-cluster/_variables.tf b/examples/nlb-cluster/_variables.tf
new file mode 100644
index 0000000..2f63653
--- /dev/null
+++ b/examples/nlb-cluster/_variables.tf
@@ -0,0 +1,24 @@
+variable "aws_account_id" {}
+variable "aws_role" {}
+
+locals {
+  env = {
+    labs-ap-southeast-2-dev = {
+      cluster_name   = "labs2"
+      region         = "ap-southeast-2"
+      instance_type  = "t2.micro"
+      name           = "app-name"
+      hosted_zone    = "hosted.zone"
+      hostnames      = ["mydomain.hosted.zone"]
+      custom_efs_dir = "/my-dir"
+      instance_count = 1
+      lb_type        = "NLB"
+      lb_port        = 22 ## any tcp port, if you choose an UDP port, also change the lb_protocol variable below
+      lb_protocol    = "TCP"
+      sg_cidr_blocks = ["0.0.0.0/0"]
+    }
+  }
+
+  workspace = local.env[terraform.workspace]
+
+}
\ No newline at end of file
diff --git a/examples/nlb-cluster/instance.tf b/examples/nlb-cluster/instance.tf
new file mode 100644
index 0000000..d6fa7b3
--- /dev/null
+++ b/examples/nlb-cluster/instance.tf
@@ -0,0 +1,19 @@
+module "nlb_cluster" {
+  source             = "./modules/terraform-aws-stateful/"
+  name               = local.workspace["name"]
+  cluster_name       = local.workspace["cluster_name"]
+  instance_type      = local.workspace["instance_type"]
+  instance_count     = local.workspace["instance_count"]
+  custom_efs_dir     = local.workspace["custom_efs_dir"]
+  hostnames          = local.workspace["hostnames"]
+  hosted_zone        = local.workspace["hosted_zone"]
+  lb_type            = local.workspace["lb_type"]
+  lb_port            = local.workspace["lb_port"]
+  lb_protocol        = local.workspace["lb_protocol"]
+  sg_cidr_blocks     = local.workspace["sg_cidr_blocks"]
+  hostname_create    = true
+  vpc_id             = data.aws_vpc.selected.id
+  instances_subnet   = data.aws_subnet_ids.private.ids
+  secure_subnet_ids  = data.aws_subnet_ids.secure.ids
+  public_subnet_ids  = data.aws_subnet_ids.public.ids
+}
\ No newline at end of file
diff --git a/launch-template.tf b/launch-template.tf
new file mode 100644
index 0000000..9e0cda5
--- /dev/null
+++ b/launch-template.tf
@@ -0,0 +1,61 @@
+data "template_file" "userdata" {
+  template = file("${path.module}/userdata.tpl")
+
+  vars = {
+    custom_efs_dir = var.custom_efs_dir
+    tf_efs_id      = aws_efs_file_system.default.id
+    userdata_extra = var.userdata
+    eip            = var.lb_type == "EIP" ? local.template_eip : ""
+  }
+}
+
+locals {
+  template_eip = templatefile("${path.module}/userdata-eip.tpl", { region = data.aws_region.current.id, eip_id = tostring(try(aws_eip.default[0].id, "")) })
+}
+
+resource "aws_launch_template" "default" {
+  name_prefix   = "${var.name}-"
+  image_id      = data.aws_ami.amazon-linux-2.image_id
+  instance_type = var.instance_type
+
+  iam_instance_profile {
+    name = aws_iam_instance_profile.default.name
+  }
+
+  block_device_mappings {
+    device_name = "/dev/xvda"
+
+    ebs {
+      volume_size = var.instance_volume_size_root
+    }
+  }
+
+  key_name = aws_key_pair.default.id
+
+  vpc_security_group_ids = concat(list(aws_security_group.default.id), var.security_group_ids)
+
+  user_data = base64encode(data.template_file.userdata.rendered)
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "tls_private_key" "default" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "aws_key_pair" "default" {
+  key_name   = var.name
+  public_key = tls_private_key.default.public_key_openssh
+}
+
+resource "aws_ssm_parameter" "default_private_key" {
+  name  = "/ec2/${var.cluster_name}/${var.name}/PRIVATE_KEY"
+  type  = "SecureString"
+  value = tls_private_key.default.private_key_pem
+  lifecycle {
+    ignore_changes = [value]
+  }
+}
\ No newline at end of file
diff --git a/nlb-sg.tf b/nlb-sg.tf
new file mode 100644
index 0000000..f96c0dc
--- /dev/null
+++ b/nlb-sg.tf
@@ -0,0 +1,12 @@
+resource "aws_security_group_rule" "to_nlb" {
+  count = var.lb_type == "NLB" ? 1 : 0
+
+  description       = "${var.lb_port} access"
+  type              = "ingress"
+  from_port         = var.lb_port
+  to_port           = var.lb_port
+  protocol          = var.lb_protocol
+  security_group_id = aws_security_group.default.id
+  cidr_blocks       = var.sg_cidr_blocks
+  depends_on        = [aws_security_group.default]
+}
\ No newline at end of file
diff --git a/nlb.tf b/nlb.tf
new file mode 100644
index 0000000..9e8516a
--- /dev/null
+++ b/nlb.tf
@@ -0,0 +1,38 @@
+resource "aws_lb" "nlb" {
+  count              = var.lb_type == "NLB" ? 1 : 0
+  name               = "nlb-${var.name}"
+  internal           = false
+  load_balancer_type = "network"
+  subnets            = var.public_subnet_ids
+
+  tags = {
+    Name = "${var.name}"
+  }
+}
+
+resource "aws_lb_target_group" "nlb_tg" {
+  count    = var.lb_type == "NLB" ? 1 : 0
+  name     = "tg-${var.name}"
+  port     = var.lb_port
+  protocol = var.lb_protocol
+  vpc_id   = var.vpc_id
+}
+
+resource "aws_lb_listener" "nlb_listener" {
+  count             = var.lb_type == "NLB" ? 1 : 0
+  load_balancer_arn = aws_lb.nlb[0].arn
+  port              = var.lb_port
+  protocol          = var.lb_protocol
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.nlb_tg[0].arn
+  }
+}
+
+resource "aws_autoscaling_attachment" "nlb_asg_attachment" {
+  count                  = "${var.lb_type == "NLB" ? 1 : 0}" * var.instance_count
+  autoscaling_group_name = aws_autoscaling_group.asg[count.index].name
+  alb_target_group_arn   = aws_lb_target_group.nlb_tg[0].arn
+  depends_on             = [aws_lb_target_group.nlb_tg]
+}
\ No newline at end of file
diff --git a/route53.tf b/route53.tf
new file mode 100644
index 0000000..ad8cfac
--- /dev/null
+++ b/route53.tf
@@ -0,0 +1,36 @@
+data "aws_route53_zone" "selected" {
+  count = var.hostname_create ? 1 : 0
+  name  = var.hosted_zone
+}
+
+resource "aws_route53_record" "alb_hostname" {
+  count = var.lb_type == "ALB" && var.hostname_create && length(var.hostnames) != 0 ? length(var.hostnames) : 0
+
+  zone_id = data.aws_route53_zone.selected.*.zone_id[0]
+  name    = var.hostnames[count.index]
+  type    = "CNAME"
+  ttl     = "300"
+  records = aws_lb.alb.*.dns_name
+}
+
+resource "aws_route53_record" "nlb_hostname" {
+  count = var.lb_type == "NLB" && var.hostname_create && length(var.hostnames) != 0 ? length(var.hostnames) : 0
+
+  zone_id = data.aws_route53_zone.selected.*.zone_id[0]
+  name    = var.hostnames[count.index]
+  type    = "CNAME"
+  ttl     = "300"
+  records = aws_lb.nlb.*.dns_name
+}
+
+resource "aws_route53_record" "eip_hostname" {
+  count = var.lb_type == "EIP" && var.hostname_create && length(var.hostnames) != 0 ? length(var.hostnames) : 0
+
+  zone_id = data.aws_route53_zone.selected.*.zone_id[0]
+  name    = var.hostnames[count.index]
+  type    = "A"
+  ttl     = "300"
+  records = aws_eip.default.*.public_ip
+
+  depends_on = [aws_eip.default]
+}
\ No newline at end of file
diff --git a/userdata-eip.tpl b/userdata-eip.tpl
new file mode 100644
index 0000000..81b725d
--- /dev/null
+++ b/userdata-eip.tpl
@@ -0,0 +1,2 @@
+INSTANCE_ID=$(curl -w '\n' -s http://169.254.169.254/latest/meta-data/instance-id)
+aws --region ${region} ec2 associate-address --allocation-id ${eip_id} --instance-id $INSTANCE_ID
\ No newline at end of file
diff --git a/userdata.tpl b/userdata.tpl
new file mode 100644
index 0000000..68f112e
--- /dev/null
+++ b/userdata.tpl
@@ -0,0 +1,31 @@
+#! /bin/bash
+
+set -eux
+
+echo "### INSTALL PACKAGES"
+yum update -y
+yum install -y amazon-efs-utils aws-cli httpd
+
+echo "### SETUP EFS"
+
+EFS_DIR=${custom_efs_dir}
+
+if [ -z "$${EFS_DIR}" ]; then
+    EFS_DIR=/mnt/efs
+fi
+
+EFS_ID=${tf_efs_id}
+
+mkdir -p $${EFS_DIR}
+echo "$${EFS_ID}:/ $${EFS_DIR} efs tls,_netdev" >> /etc/fstab
+mount -a -t efs defaults
+
+echo "### SETUP AGENT"
+
+echo "### SETUP APACHE"
+touch /var/www/html/index.html
+systemctl restart httpd
+
+${eip}
+
+${userdata_extra}
\ No newline at end of file