Skip to content

Instantly share code, notes, and snippets.

@akiraak

akiraak/network_step1.yml

Created December 2, 2021 19:34
Show Gist options
  • Save akiraak/93cf8b82d738ec1b08a56a36d1460af6 to your computer and use it in GitHub Desktop.
Save akiraak/93cf8b82d738ec1b08a56a36d1460af6 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
network_step1.yml
AWSTemplateFormatVersion: "2010-09-09"
Description: Network resource template part1
Resources:
# VPCの設定
sbcntrVpc:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsHostnames: true
EnableDnsSupport: true
InstanceTenancy: default
Tags:
- Key: Name
Value: sbcntrVpc
############### Subnet, RouteTable, IGW ###############
# コンテナ周りの設定
## コンテナアプリ用のプライベートサブネット
sbcntrSubnetPrivateContainer1A:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.8.0/24
VpcId:
Ref: sbcntrVpc
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
MapPublicIpOnLaunch: false
Tags:
- Key: Name
Value: sbcntr-subnet-private-container-1a
- Key: Type
Value: Isolated
sbcntrSubnetPrivateContainer1C:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.9.0/24
VpcId:
Ref: sbcntrVpc
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
MapPublicIpOnLaunch: false
Tags:
- Key: Name
Value: sbcntr-subnet-private-container-1c
- Key: Type
Value: Isolated
## コンテナアプリ用のルートテーブル
sbcntrRouteApp:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: sbcntrVpc
Tags:
- Key: Name
Value: sbcntr-route-app
## コンテナサブネットへルート紐付け
sbcntrRouteAppAssociation1A:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: sbcntrRouteApp
SubnetId:
Ref: sbcntrSubnetPrivateContainer1A
sbcntrRouteAppAssociation1C:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: sbcntrRouteApp
SubnetId:
Ref: sbcntrSubnetPrivateContainer1C
# DB周りの設定
## DB用のプライベートサブネット
sbcntrSubnetPrivateDb1A:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.16.0/24
VpcId:
Ref: sbcntrVpc
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
MapPublicIpOnLaunch: false
Tags:
- Key: Name
Value: sbcntr-subnet-private-db-1a
- Key: Type
Value: Isolated
sbcntrSubnetPrivateDb1C:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.17.0/24
VpcId:
Ref: sbcntrVpc
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
MapPublicIpOnLaunch: false
Tags:
- Key: Name
Value: sbcntr-subnet-private-db-1c
- Key: Type
Value: Isolated
## DB用のルートテーブル
sbcntrRouteDb:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: sbcntrVpc
Tags:
- Key: Name
Value: sbcntr-route-db
## DBサブネットへルート紐付け
sbcntrRouteDbAssociation1A:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: sbcntrRouteDb
SubnetId:
Ref: sbcntrSubnetPrivateDb1A
sbcntrRouteDbAssociation1C:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: sbcntrRouteDb
SubnetId:
Ref: sbcntrSubnetPrivateDb1C
# Ingress周りの設定
## Ingress用のパブリックサブネット
sbcntrSubnetPublicIngress1A:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.0.0/24
VpcId:
Ref: sbcntrVpc
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: sbcntr-subnet-public-ingress-1a
- Key: Type
Value: Public
sbcntrSubnetPublicIngress1C:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.1.0/24
VpcId:
Ref: sbcntrVpc
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: sbcntr-subnet-public-ingress-1c
- Key: Type
Value: Public
## Ingress用のルートテーブル
sbcntrRouteIngress:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: sbcntrVpc
Tags:
- Key: Name
Value: sbcntr-route-ingress
## Ingressサブネットへルート紐付け
sbcntrRouteIngressAssociation1A:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: sbcntrRouteIngress
SubnetId:
Ref: sbcntrSubnetPublicIngress1A
sbcntrRouteIngressAssociation1C:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: sbcntrRouteIngress
SubnetId:
Ref: sbcntrSubnetPublicIngress1C
## Ingress用ルートテーブルのデフォルトルート
sbcntrRouteIngressDefault:
Type: AWS::EC2::Route
Properties:
RouteTableId:
Ref: sbcntrRouteIngress
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: sbcntrIgw
DependsOn:
- sbcntrVpcgwAttachment
# 管理用サーバ周りの設定
## 管理用のパブリックサブネット
sbcntrSubnetPublicManagement1A:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.240.0/24
VpcId:
Ref: sbcntrVpc
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: sbcntr-subnet-public-management-1a
- Key: Type
Value: Public
sbcntrSubnetPublicManagement1C:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.241.0/24
VpcId:
Ref: sbcntrVpc
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: sbcntr-subnet-public-management-1c
- Key: Type
Value: Public
## 管理用サブネットのルートはIngressと同様として作成する
sbcntrRouteManagementAssociation1A:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: sbcntrRouteIngress
SubnetId:
Ref: sbcntrSubnetPublicManagement1A
sbcntrRouteManagementAssociation1C:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: sbcntrRouteIngress
SubnetId:
Ref: sbcntrSubnetPublicManagement1C
# インターネットへ通信するためのゲートウェイの作成
sbcntrIgw:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Name
Value: sbcntr-igw
sbcntrVpcgwAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: sbcntrVpc
InternetGatewayId:
Ref: sbcntrIgw
############### Security groups ###############
# セキュリティグループの生成
## インターネット公開のセキュリティグループの生成
sbcntrSgIngress:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for ingress
GroupName: ingress
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: "-1"
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
Description: from 0.0.0.0/0:80
FromPort: 80
IpProtocol: tcp
ToPort: 80
- CidrIpv6: ::/0
Description: from ::/0:80
FromPort: 80
IpProtocol: tcp
ToPort: 80
Tags:
- Key: Name
Value: sbcntr-sg-ingress
VpcId:
Ref: sbcntrVpc
## 管理用サーバ向けのセキュリティグループの生成
sbcntrSgManagement:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group of management server
GroupName: management
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: "-1"
Tags:
- Key: Name
Value: sbcntr-sg-management
VpcId:
Ref: sbcntrVpc
## バックエンドコンテナアプリ用セキュリティグループの生成
sbcntrSgContainer:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group of backend app
GroupName: container
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: "-1"
Tags:
- Key: Name
Value: sbcntr-sg-container
VpcId:
Ref: sbcntrVpc
## フロントエンドコンテナアプリ用セキュリティグループの生成
sbcntrSgFrontContainer:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group of front container app
GroupName: front-container
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: "-1"
Tags:
- Key: Name
Value: sbcntr-sg-front-container
VpcId:
Ref: sbcntrVpc
## 内部用ロードバランサ用のセキュリティグループの生成
sbcntrSgInternal:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for internal load balancer
GroupName: internal
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: "-1"
Tags:
- Key: Name
Value: sbcntr-sg-internal
VpcId:
Ref: sbcntrVpc
## DB用セキュリティグループの生成
sbcntrSgDb:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group of database
GroupName: database
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: "-1"
Tags:
- Key: Name
Value: sbcntr-sg-db
VpcId:
Ref: sbcntrVpc
# ルール紐付け
## Internet LB -> Front Container
sbcntrSgFrontContainerFromsSgIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
Description: HTTP for Ingress
FromPort: 80
GroupId:
Fn::GetAtt:
- sbcntrSgFrontContainer
- GroupId
SourceSecurityGroupId:
Fn::GetAtt:
- sbcntrSgIngress
- GroupId
ToPort: 80
## Front Container -> Internal LB
sbcntrSgInternalFromSgFrontContainer:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
Description: HTTP for front container
FromPort: 80
GroupId:
Fn::GetAtt:
- sbcntrSgInternal
- GroupId
SourceSecurityGroupId:
Fn::GetAtt:
- sbcntrSgFrontContainer
- GroupId
ToPort: 80
## Internal LB -> Back Container
sbcntrSgContainerFromSgInternal:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
Description: HTTP for internal lb
FromPort: 80
GroupId:
Fn::GetAtt:
- sbcntrSgContainer
- GroupId
SourceSecurityGroupId:
Fn::GetAtt:
- sbcntrSgInternal
- GroupId
ToPort: 80
## Back container -> DB
sbcntrSgDbFromSgContainerTCP:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
Description: MySQL protocol from backend App
FromPort: 3306
GroupId:
Fn::GetAtt:
- sbcntrSgDb
- GroupId
SourceSecurityGroupId:
Fn::GetAtt:
- sbcntrSgContainer
- GroupId
ToPort: 3306
## Front container -> DB
sbcntrSgDbFromSgFrontContainerTCP:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
Description: MySQL protocol from frontend App
FromPort: 3306
GroupId:
Fn::GetAtt:
- sbcntrSgDb
- GroupId
SourceSecurityGroupId:
Fn::GetAtt:
- sbcntrSgFrontContainer
- GroupId
ToPort: 3306
## Management server -> DB
sbcntrSgDbFromSgManagementTCP:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
Description: MySQL protocol from management server
FromPort: 3306
GroupId:
Fn::GetAtt:
- sbcntrSgDb
- GroupId
SourceSecurityGroupId:
Fn::GetAtt:
- sbcntrSgManagement
- GroupId
ToPort: 3306
## Management server -> Internal LB
sbcntrSgInternalFromSgManagementTCP:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
Description: HTTP for management server
FromPort: 80
GroupId:
Fn::GetAtt:
- sbcntrSgInternal
- GroupId
SourceSecurityGroupId:
Fn::GetAtt:
- sbcntrSgManagement
- GroupId
ToPort: 80
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment