Created
April 7, 2020 21:37
-
-
Save jeffbrl/d582f0c15a9c2ad69d08996afdf9213d to your computer and use it in GitHub Desktop.
VPC Ingress Routing CloudFormation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: >- | |
| AWS CloudFormation template to deploy a VPC with VPC Ingress Routing | |
| Parameters: | |
| KeyName: | |
| Description: Name of an existing EC2 KeyPair to enable SSH access to the instances | |
| Type: String | |
| AmazonLinuxAMI: | |
| Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>" | |
| Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" | |
| Mappings: | |
| VyosRegionMap: | |
| us-east-1: | |
| VyosAMI: ami-80b683fb | |
| us-west-1: | |
| VyosAMI: ami-e583a885 | |
| LinuxRegionMap: | |
| us-east-1: | |
| LinuxAMI: ami-0ff82839cd27c0730 | |
| us-west-1: | |
| LinuxAMI: ami-0bf4c20bc0118f30c | |
| Resources: | |
| VPC: | |
| Type: AWS::EC2::VPC | |
| Properties: | |
| CidrBlock: 10.0.0.0/20 | |
| EnableDnsSupport: "true" | |
| EnableDnsHostnames: "true" | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-vpc-ingress-routing" | |
| IGW: | |
| Type: AWS::EC2::InternetGateway | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-vpc-ingress-routing" | |
| IgwAttachment: | |
| Type: AWS::EC2::VPCGatewayAttachment | |
| Properties: | |
| VpcId: !Ref VPC | |
| InternetGatewayId: !Ref IGW | |
| PublicSubnetAZa: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-public-subnet1" | |
| VpcId: !Ref VPC | |
| AvailabilityZone: !Sub ${AWS::Region}a | |
| MapPublicIpOnLaunch: true | |
| CidrBlock: 10.0.0.0/24 | |
| PublicSubnetAZb: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-public-subnet1" | |
| VpcId: !Ref VPC | |
| AvailabilityZone: !Sub ${AWS::Region}b | |
| MapPublicIpOnLaunch: true | |
| CidrBlock: 10.0.1.0/24 | |
| PublicRouteTable: | |
| Type: AWS::EC2::RouteTable | |
| Properties: | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-public" | |
| IGWRouteTable: | |
| Type: AWS::EC2::RouteTable | |
| Properties: | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-ingress" | |
| InternetAccessDefaultRoute: | |
| Type: AWS::EC2::Route | |
| DependsOn: | |
| - IGW | |
| - IgwAttachment | |
| Properties: | |
| RouteTableId: !Ref PublicRouteTable | |
| DestinationCidrBlock: 0.0.0.0/0 | |
| GatewayId: !Ref IGW | |
| PublicRouteTableAssociationAZa: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| SubnetId: !Ref PublicSubnetAZa | |
| RouteTableId: !Ref PublicRouteTable | |
| PublicRouteTableAssociationAZb: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| SubnetId: !Ref PublicSubnetAZb | |
| RouteTableId: !Ref PublicRouteTable | |
| PublicRouteTableAssociationAZb: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| SubnetId: !Ref PublicSubnetAZb | |
| RouteTableId: !Ref PublicRouteTable | |
| PermitAllSG: | |
| Type: "AWS::EC2::SecurityGroup" | |
| Description: SG to permit all traffic | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-vpc-ingress-routing-permit-all" | |
| GroupName: !Sub "${AWS::StackName}-vpc-ingress-routing-permit-all" | |
| GroupDescription: Allow all traffic | |
| VpcId: !Ref VPC | |
| SecurityGroupIngress: | |
| - IpProtocol: -1 | |
| CidrIp: 0.0.0.0/0 | |
| PublicENIAZa: | |
| Type: AWS::EC2::NetworkInterface | |
| Properties: | |
| Description: ENI for Router Outside Interface | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-vpc-ingress-routing" | |
| SourceDestCheck: "false" | |
| GroupSet: | |
| - !Ref PermitAllSG | |
| - !GetAtt VPC.DefaultSecurityGroup | |
| SubnetId: !Ref PublicSubnetAZa | |
| PublicENIAZb: | |
| Type: AWS::EC2::NetworkInterface | |
| Properties: | |
| Description: ENI for Router Outside Interface | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-vpc-ingress-routing" | |
| SourceDestCheck: "false" | |
| GroupSet: | |
| - !Ref PermitAllSG | |
| - !GetAtt VPC.DefaultSecurityGroup | |
| SubnetId: !Ref PublicSubnetAZb | |
| PrivateENIAZa: | |
| Type: AWS::EC2::NetworkInterface | |
| Properties: | |
| Description: ENI for Router Outside Interface | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-vpc-ingress-routing" | |
| SourceDestCheck: false | |
| PrivateIpAddress: 10.0.5.10 | |
| GroupSet: | |
| - !Ref PermitAllSG | |
| - !GetAtt VPC.DefaultSecurityGroup | |
| SubnetId: !Ref PrivateSubnetAZa | |
| PrivateENIAZb: | |
| Type: AWS::EC2::NetworkInterface | |
| Properties: | |
| Description: ENI for Router Outside Interface | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-vpc-ingress-routing" | |
| SourceDestCheck: false | |
| PrivateIpAddress: 10.0.6.10 | |
| GroupSet: | |
| - !Ref PermitAllSG | |
| - !GetAtt VPC.DefaultSecurityGroup | |
| SubnetId: !Ref PrivateSubnetAZb | |
| IngressRouteAZa: | |
| Type: AWS::EC2::Route | |
| Properties: | |
| DestinationCidrBlock: "10.0.5.0/24" | |
| NetworkInterfaceId: !Ref PublicENIAZa | |
| RouteTableId: !Ref IGWRouteTable | |
| IngressRouteAZb: | |
| Type: AWS::EC2::Route | |
| Properties: | |
| DestinationCidrBlock: "10.0.6.0/24" | |
| NetworkInterfaceId: !Ref PublicENIAZb | |
| RouteTableId: !Ref IGWRouteTable | |
| EdgeAssociation: | |
| Type: AWS::EC2::GatewayRouteTableAssociation | |
| Properties: | |
| GatewayId: !Ref IGW | |
| RouteTableId: !Ref IGWRouteTable | |
| RouterInstanceAZa: | |
| Type: "AWS::EC2::Instance" | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-vyos-AZa" | |
| KeyName: !Ref KeyName | |
| ImageId: !FindInMap [VyosRegionMap, !Ref "AWS::Region", VyosAMI] | |
| InstanceType: t2.nano | |
| NetworkInterfaces: | |
| - NetworkInterfaceId: !Ref PublicENIAZa | |
| DeviceIndex: 0 | |
| - NetworkInterfaceId: !Ref PrivateENIAZa | |
| DeviceIndex: 1 | |
| UserData: | |
| Fn::Base64: !Sub | | |
| #!/bin/vbash | |
| source /opt/vyatta/etc/functions/script-template | |
| set system host-name ingress-a | |
| set interfaces ethernet eth1 address 10.0.5.10/24 | |
| set nat source rule 100 outbound-interface 'eth1' | |
| set nat source rule 100 source address '0.0.0.0/0' | |
| set nat source rule 100 translation address 'masquerade' | |
| commit | |
| save | |
| exit | |
| RouterInstanceAZb: | |
| Type: "AWS::EC2::Instance" | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-vyos-AZb" | |
| KeyName: !Ref KeyName | |
| ImageId: !FindInMap [VyosRegionMap, !Ref "AWS::Region", VyosAMI] | |
| InstanceType: t2.nano | |
| NetworkInterfaces: | |
| - NetworkInterfaceId: !Ref PublicENIAZb | |
| DeviceIndex: 0 | |
| - NetworkInterfaceId: !Ref PrivateENIAZb | |
| DeviceIndex: 1 | |
| UserData: | |
| Fn::Base64: !Sub | | |
| #!/bin/vbash | |
| source /opt/vyatta/etc/functions/script-template | |
| set system host-name ingress-a | |
| set interfaces ethernet eth1 address 10.0.6.10/24 | |
| set nat source rule 100 outbound-interface 'eth1' | |
| set nat source rule 100 source address '0.0.0.0/0' | |
| set nat source rule 100 translation address 'masquerade' | |
| commit | |
| save | |
| exit | |
| PrivateRouteTableAZa: | |
| Type: AWS::EC2::RouteTable | |
| Properties: | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-private-AZa" | |
| PrivateRouteTableAZb: | |
| Type: AWS::EC2::RouteTable | |
| Properties: | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-private-AZb" | |
| PrivateSubnetAZa: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-private-AZa" | |
| VpcId: !Ref VPC | |
| AvailabilityZone: !Sub ${AWS::Region}a | |
| MapPublicIpOnLaunch: false | |
| CidrBlock: 10.0.5.0/24 | |
| PrivateSubnetAZb: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-private-AZb" | |
| VpcId: !Ref VPC | |
| AvailabilityZone: !Sub ${AWS::Region}b | |
| MapPublicIpOnLaunch: false | |
| CidrBlock: 10.0.6.0/24 | |
| PrivateRouteTableAssociationAZa: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| SubnetId: !Ref PrivateSubnetAZa | |
| RouteTableId: !Ref PrivateRouteTableAZa | |
| PrivateRouteTableAssociationAZb: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| SubnetId: !Ref PrivateSubnetAZb | |
| RouteTableId: !Ref PrivateRouteTableAZb | |
| S3EndpointAZa: | |
| Type: "AWS::EC2::VPCEndpoint" | |
| Description: S3 endpoint for downloading Amazon Linux 2 packages | |
| Properties: | |
| ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3" | |
| VpcEndpointType: "Gateway" | |
| VpcId: !Ref VPC | |
| RouteTableIds: [!Ref PrivateRouteTableAZa] | |
| S3EndpointAZb: | |
| Type: "AWS::EC2::VPCEndpoint" | |
| Description: S3 endpoint for downloading Amazon Linux 2 packages | |
| Properties: | |
| ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3" | |
| VpcEndpointType: "Gateway" | |
| VpcId: !Ref VPC | |
| RouteTableIds: [!Ref PrivateRouteTableAZb] | |
| AmazonLinuxInstanceAZa: | |
| Type: "AWS::EC2::Instance" | |
| DependsOn: [ S3EndpointAZa ] | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-amazonlinux" | |
| KeyName: !Ref KeyName | |
| ImageId: !Ref AmazonLinuxAMI | |
| InstanceType: t2.nano | |
| NetworkInterfaces: | |
| - DeviceIndex: 0 | |
| GroupSet: [ !GetAtt VPC.DefaultSecurityGroup ] | |
| SubnetId: !Ref PrivateSubnetAZa | |
| UserData: | |
| Fn::Base64: !Sub | | |
| #!/bin/bash -xe | |
| yum update -y | |
| yum install -y httpd | |
| systemctl start httpd | |
| systemctl enable httpd | |
| usermod -a -G apache ec2-user | |
| chown -R ec2-user:apache /var/www | |
| chmod 2775 /var/www | |
| find /var/www -type d -exec chmod 2775 {} \; | |
| find /var/www -type f -exec chmod 0664 {} \; | |
| echo `hostname` > /var/www/html/index.html | |
| echo '<br><br>' >> /var/www/html/index.html | |
| base64 /dev/urandom | head -c 10000 >> /var/www/html/index.html | |
| AmazonLinuxInstanceAZb: | |
| Type: "AWS::EC2::Instance" | |
| DependsOn: [ S3EndpointAZb ] | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-amazonlinux" | |
| KeyName: !Ref KeyName | |
| ImageId: !Ref AmazonLinuxAMI | |
| InstanceType: t2.nano | |
| NetworkInterfaces: | |
| - DeviceIndex: 0 | |
| GroupSet: [ !GetAtt VPC.DefaultSecurityGroup ] | |
| SubnetId: !Ref PrivateSubnetAZb | |
| UserData: | |
| Fn::Base64: !Sub | | |
| #!/bin/bash -xe | |
| yum update -y | |
| yum install -y httpd | |
| systemctl start httpd | |
| systemctl enable httpd | |
| usermod -a -G apache ec2-user | |
| chown -R ec2-user:apache /var/www | |
| chmod 2775 /var/www | |
| find /var/www -type d -exec chmod 2775 {} \; | |
| find /var/www -type f -exec chmod 0664 {} \; | |
| echo `hostname` > /var/www/html/index.html | |
| echo '<br><br>' >> /var/www/html/index.html | |
| base64 /dev/urandom | head -c 10000 >> /var/www/html/index.html | |
| LoadBalancer: | |
| Type: AWS::ElasticLoadBalancingV2::LoadBalancer | |
| Properties: | |
| Name: !Sub "${AWS::StackName}-alb" | |
| Subnets: [ !Ref PrivateSubnetAZa, !Ref PrivateSubnetAZb ] | |
| SecurityGroups: [ !GetAtt VPC.DefaultSecurityGroup ] | |
| Tags: | |
| - Key: Name | |
| Value: !Sub "${AWS::StackName}-alb" | |
| LoadBalancerListenerHTTP: | |
| Type: AWS::ElasticLoadBalancingV2::Listener | |
| Properties: | |
| LoadBalancerArn: !Ref LoadBalancer | |
| Port: 80 | |
| Protocol: HTTP | |
| DefaultActions: | |
| - Type: forward | |
| TargetGroupArn: !Ref TargetGroup | |
| TargetGroup: | |
| Type: AWS::ElasticLoadBalancingV2::TargetGroup | |
| Properties: | |
| Name: !Sub "${AWS::StackName}-alb" | |
| VpcId: !Ref VPC | |
| Port: 80 | |
| Protocol: HTTP | |
| Targets: | |
| - Id: !Ref AmazonLinuxInstanceAZa | |
| Port: 80 | |
| - Id: !Ref AmazonLinuxInstanceAZb | |
| Port: 80 | |
| Outputs: | |
| LoadBalancerDNS: | |
| Description: Loadbalancer Public DNS | |
| Value: !GetAtt LoadBalancer.DNSName | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment