Outbound Internet Access by Web Proxy for AWS VPCs - CloudFormation templates

app_vpc_proxy_access.yml

AWSTemplateFormatVersion: 2010-09-09
Description: >-
    AWS CloudFormation template to create an App VPC that uses a proxy in the Outbound VPC
    for HTTP/HTTPS Internet access.
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
    Type: String
  OutboundVpcStack:
    Description: Name of the Cloudformation stack used to create the Outbound VPC
    Type: String
  AppVpcCIDR:
    Description: CIDR Range for App VPC
    Type: String
    Default: 172.17.0.0/24
Mappings:
  UbuntuRegionMap:
    us-east-1:
      Ubuntu18AMI: ami-0ac019f4fcb7cb7e6
    us-west-1:
      Ubuntu18AMI: ami-063aa838bd7631e0b
Resources:
  AppVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref AppVpcCIDR
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
      - Key: Name
        Value: !Sub '${AWS::StackName}-app'
  AppPrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref AppVPC
      Tags:
      - Key: Name
        Value: !Sub '${AWS::StackName}-app'
  AppPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-app'
      VpcId: !Ref AppVPC
      AvailabilityZone: !Sub ${AWS::Region}a
      CidrBlock: !Ref AppVpcCIDR
      MapPublicIpOnLaunch: false
  AppVpcSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Description: SG to permit SSH for management
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-app'
      GroupName: !Sub '${AWS::StackName}-app'
      GroupDescription: Allow traffic from Outbound Services VPC
      VpcId: !Ref AppVPC
      SecurityGroupIngress:
      - IpProtocol: tcp
        CidrIp: 172.16.0.0/24
        FromPort: 22
        ToPort: 22
  AppPrivateRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId:
        !Ref AppPrivateSubnet
      RouteTableId:
        !Ref AppPrivateRouteTable
  AppEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-app'
      KeyName: !Ref KeyName
      ImageId: !FindInMap [ UbuntuRegionMap, !Ref 'AWS::Region', Ubuntu18AMI ]
      InstanceType: t3.nano
      SecurityGroupIds:
        - !Ref AppVpcSecurityGroup
      SubnetId: !Ref AppPrivateSubnet
      UserData:
        Fn::Base64: |
          #!/bin/bash -xe
          cat << EOF > /etc/apt/apt.conf.d/95proxies
          Acquire::http::proxy "http://172.16.0.100:3128/";
          Acquire::https::proxy "https://172.16.0.100:3128/";
          EOF
          cat << EOF >> /etc/environment
          http_proxy="http://172.16.0.100:3128/"
          https_proxy="http://172.16.0.100:3128/"
          EOF
  VPCPeeringConnection:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      VpcId: !Ref AppVPC
      PeerVpcId:
        Fn::ImportValue: !Sub '${OutboundVpcStack}-OutboundVpc'
  AppDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref AppPrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      VpcPeeringConnectionId: !Ref VPCPeeringConnection
  OutboundVPCRoutetoAppVPC:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Fn::ImportValue: !Sub ${OutboundVpcStack}-InternetRouteTable
      DestinationCidrBlock: !Ref AppVpcCIDR
      VpcPeeringConnectionId: !Ref VPCPeeringConnection

outbound_vpc_proxy.yml

AWSTemplateFormatVersion: 2010-09-09
Description: >-
    AWS CloudFormation template to create an Outbound VPC with a proxy for the App VPCs
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
    Type: String
  SourceIpCIDR:
    Description: CIDR Range allowed to SSH to Squid Proxy
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: Must use a valid IP CIDR range using slash notation (e.g., x.x.x.x/y)
  AmazonLinuxAMI:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
Resources:
  OutboundVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.16.0.0/24
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
      - Key: Name
        Value: !Sub '${AWS::StackName}-internet-access'
  IGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-internet-access'
  IgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref OutboundVpc
      InternetGatewayId: !Ref IGW
  OutboundPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-output'
      VpcId: !Ref OutboundVpc
      AvailabilityZone: !Sub ${AWS::Region}a
      MapPublicIpOnLaunch: false
      CidrBlock: 172.16.0.0/24
  InternetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        !Ref OutboundVpc
      Tags:
      - Key: Name
        Value: !Sub '${AWS::StackName}-internet-access'
  InternetDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn:
      - IGW
      - IgwAttachment
    Properties:
      RouteTableId: !Ref InternetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGW
  InternetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId:
        !Ref OutboundPublicSubnet
      RouteTableId:
        !Ref InternetRouteTable
  OutboundVpcSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Description: SG to permit all traffic
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-outbound'
      GroupName: !Sub '${AWS::StackName}-outbound'
      GroupDescription: Allow all traffic
      VpcId: !Ref OutboundVpc
      SecurityGroupIngress:
      - IpProtocol: tcp
        CidrIp: !Ref SourceIpCIDR
        FromPort: 22
        ToPort: 22
      - IpProtocol: tcp
        CidrIp: 172.17.0.0/16
        FromPort: 3128
        ToPort: 3128
  SquidEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-squid'
      KeyName: !Ref KeyName
      ImageId: !Ref AmazonLinuxAMI
      InstanceType: t3.nano
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          PrivateIpAddress: 172.16.0.100
          GroupSet: [ !Ref OutboundVpcSecurityGroup ]
          SubnetId: !Ref OutboundPublicSubnet
      UserData:
        Fn::Base64: |
          #!/bin/bash -xe
          yum install -y squid
          systemctl start squid.service
          systemctl enable squid.service
Outputs:
  SquidProxyDNS:
    Description: DNS name for squid proxy
    Value: !GetAtt SquidEC2Instance.PublicDnsName
  InternetRouteTable:
    Description: Internet Route Table ID
    Value: !Ref InternetRouteTable
    Export:
      Name: !Sub ${AWS::StackName}-InternetRouteTable
  OutboundVpc:
    Description: VPC ID of Outbound VPC
    Value: !Ref OutboundVpc
    Export:
      Name: !Sub ${AWS::StackName}-OutboundVpc