Generate CloudFormation Resources in YAML to create a VPC that has AWS Client VPN endpoints
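AWSTemplateFormatVersion: '2010-09-09'
Description: VPC with a certificate-authenticated AWS Client VPN endpoint.
# Fixes relative to the original: AWS::ClientVPN::Endpoint and
# AWS::ClientVPN::VpnConfiguration are not CloudFormation resource types (the
# endpoint is AWS::EC2::ClientVpnEndpoint); a VPC was declared under the logical
# name "VpcId"; and the client root CA was modelled as a public ACM certificate,
# which ACM cannot issue (the CA chain has to be imported into ACM). Both
# certificate ARNs are therefore stack parameters, and the endpoint now carries
# the properties the service requires plus a target network and an
# authorization rule, without which no client could reach the VPC.
Parameters:
  ServerCertificateArn:
    Type: String
    Description: ACM ARN of the server certificate the endpoint presents to clients.
    AllowedPattern: '^arn:aws[a-z-]*:acm:[a-z0-9-]+:[0-9]{12}:certificate/.+$'
  ClientRootCertificateChainArn:
    Type: String
    Description: ACM ARN of the imported client root CA chain used for mutual TLS.
    AllowedPattern: '^arn:aws[a-z-]*:acm:[a-z0-9-]+:[0-9]{12}:certificate/.+$'
  ClientCidrBlock:
    Type: String
    Default: '10.100.0.0/22'
    Description: Address pool for VPN clients (/22 to /12); must not overlap the VPC CIDR.
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'  # the client pool above must stay outside this range
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub '${AWS::Region}-ClientVPN'
  # Subnet that hosts the endpoint's network interface
  Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: '10.0.0.0/24'
      AvailabilityZone: !Select [0, !GetAZs '']
  # Destination for connection logs (ConnectionLogOptions is a required property)
  ConnectionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90
  ClientVPNEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      Description: Certificate-authenticated Client VPN endpoint
      ServerCertificateArn: !Ref ServerCertificateArn
      ClientCidrBlock: !Ref ClientCidrBlock
      AuthenticationOptions:
        - Type: certificate-authentication
          MutualAuthentication:
            ClientRootCertificateChainArn: !Ref ClientRootCertificateChainArn
      ConnectionLogOptions:
        Enabled: true
        CloudwatchLogGroup: !Ref ConnectionLogGroup
      SessionTimeoutHours: 12  # kept from the original; allowed values are 8, 10, 12 and 24
      VpcId: !Ref VPC
  # Associating a subnet is what makes the endpoint usable and adds the VPC route
  TargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVPNEndpoint
      SubnetId: !Ref Subnet
  # Without an authorization rule every client connection is denied access
  AuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref ClientVPNEndpoint
      TargetNetworkCidr: '10.0.0.0/16'
      AuthorizeAllGroups: true
      Description: Allow all authenticated clients to reach the VPC
Outputs:
  VpcId:
    Description: ID of the VPC created by this template.
    Value: !Ref VPC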
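AWSTemplateFormatVersion: '2010-09-09'
Description: VPC with one public subnet and a certificate-authenticated Client VPN endpoint.
# Fixes relative to the original: AWS::EC2::SubnetRoute is not a resource type and
# AWS::EC2::InternetGateway has no VpcId property (attachment is its own resource);
# the endpoint lacked its required ClientCidrBlock, ServerCertificateArn and
# AuthenticationOptions, and its AuthenticationMethods key does not exist; the
# hard-coded us-east-1a pinned the stack to one region; and AWS::EC2::ClientVpnRoute
# has no CidrTarget property. The route that resource tried to add (to the VPC
# CIDR) is created automatically on association, so it is replaced by the
# authorization rule clients actually need.
Parameters:
  ServerCertificateArn:
    Type: String
    Description: ACM ARN of the server certificate the endpoint presents to clients.
  ClientRootCertificateChainArn:
    Type: String
    Description: ACM ARN of the imported client root CA chain used for mutual TLS.
  ClientCidrBlock:
    Type: String
    Default: '10.100.0.0/22'
    Description: Address pool for VPN clients (/22 to /12); must not overlap 10.0.0.0/16.
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  # An internet gateway routes nothing until it is attached to the VPC
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  MainRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment  # creating a route to an unattached gateway fails
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Ref InternetGateway
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: '10.0.1.0/24'
      AvailabilityZone: !Select [0, !GetAZs '']  # first AZ of whatever region is used
  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref RouteTable
  # Destination for the connection log the original enabled without a log group
  ConnectionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90
  ClientVpnEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      ClientCidrBlock: !Ref ClientCidrBlock
      ServerCertificateArn: !Ref ServerCertificateArn
      AuthenticationOptions:
        - Type: certificate-authentication
          MutualAuthentication:
            ClientRootCertificateChainArn: !Ref ClientRootCertificateChainArn
      ConnectionLogOptions:
        Enabled: true
        CloudwatchLogGroup: !Ref ConnectionLogGroup
      VpcId: !Ref VPC
  TargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      SubnetId: !Ref PublicSubnet1
  # Grants authenticated clients access to the VPC range (the original's route intent)
  ClientVpnAuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      TargetNetworkCidr: '10.0.0.0/16'
      AuthorizeAllGroups: true
Outputs:
  ClientVpnEndpointId:
    Description: ID of the Client VPN endpoint
    Value: !Ref ClientVpnEndpoint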
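AWSTemplateFormatVersion: '2010-09-09'
Description: VPC with public and private subnets and a Client VPN endpoint.
# Fixes relative to the original: the internet gateway was never attached to the
# VPC; AuthenticationOptions is a list; DnsServers is a list, not a comma-joined
# string; ClientVpnEndpoint has no Tags or ClientConnectScript property (tags go
# through TagSpecifications, and ClientConnectOptions needs a Lambda ARN, so it is
# dropped); the required ClientCidrBlock was missing; logging was enabled without
# a log group; and with no target network or authorization rule no client could
# have reached the VPC. Account-specific certificate ARNs are now parameters.
Parameters:
  ServerCertificateArn:
    Type: String
    Description: ACM ARN of the server certificate the endpoint presents to clients.
  ClientRootCertificateChainArn:
    Type: String
    Description: ACM ARN of the imported client root CA chain used for mutual TLS.
  ClientCidrBlock:
    Type: String
    Default: '10.100.0.0/22'
    Description: Address pool for VPN clients (/22 to /12); must not overlap 10.0.0.0/16.
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: false
      Tags:
        - Key: Name
          Value: MyVPCTag
  # Public subnet; the AZ is taken from the region instead of hard-coding us-east-1a
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: '10.0.1.0/24'
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: MyPublicSubnetTag
  # Private subnet; the VPN endpoint's network interface is placed here
  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: '10.0.2.0/24'
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: MyPrivateSubnetTag
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PublicInternetGateway:
    Type: AWS::EC2::InternetGateway
  # The original declared the gateway but never attached it, so the default route
  # below would have failed to create
  PublicInternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref PublicInternetGateway
  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: PublicInternetGatewayAttachment
    Properties:
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Ref PublicInternetGateway
      RouteTableId: !Ref PublicRouteTable
  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnet1
  # Where ConnectionLogOptions.Enabled below writes; a bare Enabled: true is rejected
  ClientVPNConnectionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90
  ClientVPNEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      Description: My Client VPN Endpoint
      ServerCertificateArn: !Ref ServerCertificateArn
      ClientCidrBlock: !Ref ClientCidrBlock
      AuthenticationOptions:
        - Type: certificate-authentication
          MutualAuthentication:
            ClientRootCertificateChainArn: !Ref ClientRootCertificateChainArn
      ConnectionLogOptions:
        Enabled: true
        CloudwatchLogGroup: !Ref ClientVPNConnectionLogGroup
      # The Amazon-provided resolver sits at VPC base + 2 (10.0.0.2 for 10.0.0.0/16);
      # the original's 10.0.1.1 is merely the first host of the public subnet.
      DnsServers:
        - '10.0.0.2'
        - '8.8.8.8'
      SplitTunnel: true
      VpcId: !Ref VPC
      TagSpecifications:
        - ResourceType: client-vpn-endpoint
          Tags:
            - Key: Name
              Value: MyClientVPNTag
  ClientVPNTargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVPNEndpoint
      SubnetId: !Ref PrivateSubnet1
  ClientVPNAuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref ClientVPNEndpoint
      TargetNetworkCidr: '10.0.0.0/16'
      AuthorizeAllGroups: true
Outputs:
  VPCId:
    Description: The ID of the VPC
    Value: !Ref VPC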
It also generated this Python
import boto3
import yaml
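# Build a CloudFormation template for a VPC with an AWS Client VPN endpoint and
# print it.
#
# Differences from the original script, each a correctness fix:
#   * describe_vpcs() belongs to the EC2 client, not the CloudFormation client.
#   * AWS::EC2::Vpc and AWS::EC2::ClientVPN are not resource types; the endpoint
#     is AWS::EC2::ClientVpnEndpoint and needs ClientCidrBlock,
#     ServerCertificateArn, AuthenticationOptions and ConnectionLogOptions.
#   * A VPC has no SecurityGroupIds property, and each tag is one mapping with
#     both Key and Value (the original split them into two list items).
#   * UserId/Password are not Client VPN properties, and a plaintext password was
#     being baked into the template text; certificate authentication is used and
#     the certificate ARNs are stack parameters instead.
import ipaddress
from string import Template

# string.Template is used instead of str.format so YAML flow syntax ({}) in the
# template can never collide with substitution placeholders.
TEMPLATE = Template("""\
AWSTemplateFormatVersion: '2010-09-09'
Description: VPC with a certificate-authenticated AWS Client VPN endpoint
Parameters:
  ServerCertificateArn:
    Type: String
    Description: ACM ARN of the Client VPN server certificate
  ClientRootCertificateChainArn:
    Type: String
    Description: ACM ARN of the imported client root CA chain
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '$cidr_block'
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: 'My VPC'
  ConnectionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90
  ClientVpnEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      ClientCidrBlock: '$client_cidr'
      ServerCertificateArn: !Ref ServerCertificateArn
      AuthenticationOptions:
        - Type: certificate-authentication
          MutualAuthentication:
            ClientRootCertificateChainArn: !Ref ClientRootCertificateChainArn
      ConnectionLogOptions:
        Enabled: true
        CloudwatchLogGroup: !Ref ConnectionLogGroup
      VpcId: !Ref VPC
      TagSpecifications:
        - ResourceType: client-vpn-endpoint
          Tags:
            - Key: Name
              Value: 'My Client VPN'
""")


def build_template(cidr_block, client_cidr):
    """Render the template with the given VPC and client address ranges.

    Args:
        cidr_block: IPv4 CIDR of the VPC to create, e.g. ``'10.0.0.0/16'``.
        client_cidr: IPv4 CIDR handed out to VPN clients. The service requires
            a prefix between /12 and /22 that does not overlap the VPC, so both
            conditions are checked here to fail before a stack operation does.

    Returns:
        The rendered CloudFormation YAML as a string.

    Raises:
        ValueError: if either CIDR is malformed (host bits set count as
            malformed), the client prefix length is outside 12..22, or the
            two ranges overlap.
    """
    vpc_net = ipaddress.ip_network(cidr_block)
    client_net = ipaddress.ip_network(client_cidr)
    if not 12 <= client_net.prefixlen <= 22:
        raise ValueError(
            f"client CIDR {client_cidr} must be between /12 and /22, "
            f"got /{client_net.prefixlen}"
        )
    if vpc_net.overlaps(client_net):
        raise ValueError(f"client CIDR {client_cidr} overlaps VPC CIDR {cidr_block}")
    return TEMPLATE.substitute(cidr_block=cidr_block, client_cidr=client_cidr)


def main():
    """Look up an existing VPC's CIDR via EC2 and print a template that reuses it."""
    import boto3  # local import so the module imports without AWS access

    region = 'us-east-1'
    vpc_id = 'vpc-1234567890abcdef0'  # placeholder: replace with a real VPC ID
    # describe_vpcs() is an EC2 API; the original called it on a CloudFormation client.
    ec2 = boto3.client('ec2', region_name=region)
    cidr_block = ec2.describe_vpcs(VpcIds=[vpc_id])['Vpcs'][0]['CidrBlock']
    # Client pool chosen outside the common 10.0.0.0/16 range; adjust if it overlaps.
    client_cidr = '10.100.0.0/22'
    # Print the YAML to confirm the result
    print(build_template(cidr_block, client_cidr))


if __name__ == '__main__':
    main()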
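AWSTemplateFormatVersion: '2010-09-09'
Description: "Stack that deploys a client vpn."
# Fixes relative to the original: ServerCertificate was referenced but never
# declared, so it is now a parameter; ClientCidrBlock 172.31.0.0/16 was identical
# to the VPC CIDR, which the service rejects; the required AuthenticationOptions
# and ConnectionLogOptions were missing; and there was no authorization rule, so
# associated clients would still have been denied access to the VPC.
Parameters:
  ServerCertificateArn:
    Type: String
    Description: ACM ARN of the server certificate the endpoint presents to clients.
  ClientRootCertificateChainArn:
    Type: String
    Description: ACM ARN of the imported client root CA chain used for mutual TLS.
  ClientCidrBlock:
    Type: String
    Default: '172.16.0.0/22'
    Description: Address pool for VPN clients (/22 to /12); must not overlap 172.31.0.0/16.
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '172.31.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-vpc"
  Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: '172.31.89.0/24'
      VpcId: !Ref Vpc
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-subnet"
  # Destination for connection logs (ConnectionLogOptions is required on the endpoint)
  ConnectionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90
  ClientVpnEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      ClientCidrBlock: !Ref ClientCidrBlock
      Description: "A client VPN endpoint for use in a VPC."
      ServerCertificateArn: !Ref ServerCertificateArn
      AuthenticationOptions:
        - Type: certificate-authentication
          MutualAuthentication:
            ClientRootCertificateChainArn: !Ref ClientRootCertificateChainArn
      ConnectionLogOptions:
        Enabled: true
        CloudwatchLogGroup: !Ref ConnectionLogGroup
      VpcId: !Ref Vpc
      TagSpecifications:
        - ResourceType: client-vpn-endpoint
          Tags:
            - Key: Name
              Value: !Sub "${AWS::StackName}-endpoint"
  TargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      SubnetId: !Ref Subnet
  # Authorization rules gate what authenticated clients may reach
  AuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      TargetNetworkCidr: '172.31.0.0/16'
      AuthorizeAllGroups: true
Outputs:
  VpcId:
    Description: The ID of the VPC
    Value: !Ref Vpc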
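AWSTemplateFormatVersion: '2010-09-09'
Description: VPC with a public subnet and a certificate-authenticated Client VPN endpoint.
# Fixes relative to the original: the resource type is AWS::EC2::ClientVpnEndpoint
# (the original's ClientVPNEndpoint casing is unknown to CloudFormation); the
# required AuthenticationOptions and ConnectionLogOptions were missing; the
# <placeholder> values are now parameters; the default route had no dependency on
# the gateway attachment; the public subnet was never associated with its route
# table; and clients had no authorization rule. The security group's inbound rule
# is dropped: client traffic enters the VPC source-NATed to the endpoint's network
# interface address, so an ingress rule keyed on the client CIDR never matches, and
# client sessions terminate on the AWS-managed endpoint rather than on this
# interface (confirm against your own VPC-side services before tightening further).
Parameters:
  ServerCertificateArn:
    Type: String
    Description: ACM ARN of the server certificate the endpoint presents to clients.
  ClientRootCertificateChainArn:
    Type: String
    Description: ACM ARN of the imported client root CA chain used for mutual TLS.
  ClientCidrBlock:
    Type: String
    Default: '10.100.0.0/22'
    Description: Address pool for VPN clients (/22 to /12); must not overlap 10.0.0.0/16.
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: MyVPCIGW
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: '10.0.1.0/24'
      AvailabilityZone: !Select [0, !GetAZs '']  # region-independent replacement for us-east-1a
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment  # creating a route to an unattached gateway fails
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Ref InternetGateway
  # Without this association the "public" subnet uses the VPC main route table
  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable
  ConnectionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90
  ClientVPNEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      VpcId: !Ref VPC
      SecurityGroupIds:
        - !Ref ClientVPNSecurityGroup
      ServerCertificateArn: !Ref ServerCertificateArn
      ClientCidrBlock: !Ref ClientCidrBlock
      AuthenticationOptions:
        - Type: certificate-authentication
          MutualAuthentication:
            ClientRootCertificateChainArn: !Ref ClientRootCertificateChainArn
      ConnectionLogOptions:
        Enabled: true
        CloudwatchLogGroup: !Ref ConnectionLogGroup
  # Applied to the endpoint's network interface in the VPC; limits what VPN
  # clients can reach rather than who can connect
  ClientVPNSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Client VPN Security Group
      SecurityGroupEgress:
        - IpProtocol: '-1'
          CidrIp: '10.0.0.0/16'  # VPN clients may reach the VPC only
  TargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVPNEndpoint
      SubnetId: !Ref PublicSubnet
  AuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref ClientVPNEndpoint
      TargetNetworkCidr: '10.0.0.0/16'
      AuthorizeAllGroups: true
Outputs:
  VPCId:
    Value: !Ref VPC
  ClientVPNEndpointId:
    Value: !Ref ClientVPNEndpoint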
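AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template to create a VPC with AWS Client VPN endpoints.
# Fixes relative to the original: the endpoint property is SecurityGroupIds (a
# list), SubnetIds is not an endpoint property (subnets are attached through
# AWS::EC2::ClientVpnTargetNetworkAssociation), !GetAZs needs its region argument,
# ClientCidrBlock 10.0.0.0/24 overlapped the subnet and was below the /22 minimum,
# the placeholder certificate ARN is now a parameter, the required
# AuthenticationOptions and ConnectionLogOptions were missing, and there was no
# authorization rule, so no client could have reached anything.
Parameters:
  ServerCertificateArn:
    Type: String
    Description: ACM ARN of the server certificate the endpoint presents to clients.
  ClientRootCertificateChainArn:
    Type: String
    Description: ACM ARN of the imported client root CA chain used for mutual TLS.
  ClientCidrBlock:
    Type: String
    Default: '10.100.0.0/22'
    Description: Address pool for VPN clients (/22 to /12); must not overlap 10.0.0.0/16.
Resources:
  # Define the VPC
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true
  # Subnet that hosts the Client VPN endpoint's network interface
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: '10.0.0.0/24'
      AvailabilityZone: !Select [0, !GetAZs '']
  # Security group applied to the endpoint's network interface
  ClientVPNSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for AWS Client VPN
      VpcId: !Ref MyVPC
  # Destination for connection logs (ConnectionLogOptions is required on the endpoint)
  ConnectionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90
  # Define the Client VPN endpoint
  ClientVPNEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      Description: 'My Client VPN Endpoint'
      ServerCertificateArn: !Ref ServerCertificateArn
      ClientCidrBlock: !Ref ClientCidrBlock
      AuthenticationOptions:
        - Type: certificate-authentication
          MutualAuthentication:
            ClientRootCertificateChainArn: !Ref ClientRootCertificateChainArn
      ConnectionLogOptions:
        Enabled: true
        CloudwatchLogGroup: !Ref ConnectionLogGroup
      SplitTunnel: false  # all client traffic is sent through the tunnel, as in the original
      VpcId: !Ref MyVPC
      SecurityGroupIds:
        - !Ref ClientVPNSecurityGroup
  TargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVPNEndpoint
      SubnetId: !Ref PublicSubnet
  AuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref ClientVPNEndpoint
      TargetNetworkCidr: '10.0.0.0/16'
      AuthorizeAllGroups: true
Outputs:
  VpcId:
    Description: ID of the created VPC.
    Value: !Ref MyVPC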
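AWSTemplateFormatVersion: '2010-09-09'
Description: AWS VPC with Client VPN Endpoint
# Fixes relative to the original: ConnectionLogOptions pointed at placeholder log
# names that must pre-exist, so a log group is created here; the client root CA
# chain reused the server certificate ARN unconditionally, which is only valid
# when both were issued by the same CA, so a dedicated parameter is offered with
# that reuse as the fallback; and the endpoint had neither a target network
# association nor an authorization rule, so no client could have reached the VPC.
# The default route also gains the DependsOn the gateway attachment requires.
Parameters:
  VpcCidr:
    Type: String
    Default: "10.0.0.0/16"
    Description: CIDR block for the VPC
  Subnet1Cidr:
    Type: String
    Default: "10.0.1.0/24"
    Description: CIDR block for the first subnet
  Subnet2Cidr:
    Type: String
    Default: "10.0.2.0/24"
    Description: CIDR block for the second subnet
  ClientCidrBlock:
    Type: String
    Default: "10.0.100.0/22"
    Description: CIDR block for the Client VPN endpoint
  ServerCertificateArn:
    Type: String
    Description: ARN of the server certificate for the Client VPN
  ClientRootCertificateChainArn:
    Type: String
    Default: ""
    Description: >-
      ARN of the client root CA chain. Leave empty only when client certificates
      are issued by the same CA as the server certificate; the server ARN is
      then reused.
Conditions:
  HasSeparateClientCa: !Not [!Equals [!Ref ClientRootCertificateChainArn, ""]]
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: VPCWithClientVPN
  Subnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref Subnet1Cidr
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Subnet1
  Subnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref Subnet2Cidr
      AvailabilityZone: !Select [1, !GetAZs '']
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: Subnet2
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  Route:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway  # creating a route to an unattached gateway fails
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway
  Subnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Subnet1
      RouteTableId: !Ref RouteTable
  Subnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Subnet2
      RouteTableId: !Ref RouteTable
  # Replaces the "YourCloudwatchLogGroup" placeholder, which had to exist beforehand
  ClientVpnLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90
  ClientVpnEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      ClientCidrBlock: !Ref ClientCidrBlock
      ServerCertificateArn: !Ref ServerCertificateArn
      AuthenticationOptions:
        - Type: "certificate-authentication"
          MutualAuthentication:
            # Falls back to the server certificate ARN, which only works when the
            # client certificates come from the same CA as the server certificate
            ClientRootCertificateChainArn: !If
              - HasSeparateClientCa
              - !Ref ClientRootCertificateChainArn
              - !Ref ServerCertificateArn
      VpcId: !Ref VPC
      ConnectionLogOptions:
        Enabled: true
        CloudwatchLogGroup: !Ref ClientVpnLogGroup
      TagSpecifications:
        - ResourceType: "client-vpn-endpoint"
          Tags:
            - Key: Name
              Value: "ClientVPN"
  # One association per subnet gives the endpoint a presence in both AZs
  Subnet1TargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      SubnetId: !Ref Subnet1
  Subnet2TargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      SubnetId: !Ref Subnet2
  ClientVpnAuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      TargetNetworkCidr: !Ref VpcCidr
      AuthorizeAllGroups: true
Outputs:
  VPCId:
    Description: "VPC ID"
    Value: !Ref VPC
  ClientVpnEndpointId:
    Description: "Client VPN Endpoint ID"
    Value: !Ref ClientVpnEndpoint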
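AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation template for creating VPC with AWS Client VPN endpoint
# Fixes relative to the original: EnableDnsSupport/EnableDnsHostnames were the
# strings "true" rather than booleans; the literal value String stood in for the
# certificate ARNs and CloudWatch log names, so ARNs are now parameters and the
# log group is created here; ClientCidrBlock 10.0.0.0/16 was identical to the VPC
# CIDR, which the service rejects; the virtual private gateway was never attached
# to the VPC, so the site-to-site VPN connection had no VPC to reach; and the
# Client VPN endpoint had no subnet association or authorization rule.
Parameters:
  ServerCertificateArn:
    Type: String
    Description: ACM ARN of the server certificate the Client VPN endpoint presents.
  ClientRootCertificateChainArn:
    Type: String
    Description: ACM ARN of the imported client root CA chain used for mutual TLS.
  ClientCidrBlock:
    Type: String
    Default: '10.100.0.0/22'
    Description: Address pool for VPN clients (/22 to /12); must not overlap 10.0.0.0/16.
  CustomerGatewayIpAddress:
    Type: String
    Default: '192.0.2.1'  # documentation address, kept from the original; replace with the real peer
    Description: Public IP of the on-premises side of the site-to-site VPN.
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: "Name"
          Value: "My VPC"
  # Subnet that hosts the Client VPN endpoint's network interface
  MySubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: "10.0.1.0/24"
      AvailabilityZone: !Select [0, !GetAZs '']
  # Site-to-site VPN pieces retained from the original
  MyVPCCustomerGateway:
    Type: 'AWS::EC2::CustomerGateway'
    Properties:
      Type: ipsec.1
      IpAddress: !Ref CustomerGatewayIpAddress
      BgpAsn: 65000
  MyVPCVPNGateway:
    Type: 'AWS::EC2::VPNGateway'
    Properties:
      Type: ipsec.1
  # A virtual private gateway carries no traffic until it is attached to the VPC
  MyVPCVPNGatewayAttachment:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref MyVPC
      VpnGatewayId: !Ref MyVPCVPNGateway
  MyVPCVPNConnection:
    Type: 'AWS::EC2::VPNConnection'
    DependsOn: MyVPCVPNGatewayAttachment
    Properties:
      CustomerGatewayId: !Ref MyVPCCustomerGateway
      Type: ipsec.1
      VpnGatewayId: !Ref MyVPCVPNGateway
  # Replaces the String placeholders for CloudwatchLogGroup/CloudwatchLogStream
  MyClientVPNLogGroup:
    Type: 'AWS::Logs::LogGroup'
    Properties:
      RetentionInDays: 90
  MyClientVPCEndpoint:
    Type: 'AWS::EC2::ClientVpnEndpoint'
    Properties:
      AuthenticationOptions:
        - Type: 'certificate-authentication'
          MutualAuthentication:
            ClientRootCertificateChainArn: !Ref ClientRootCertificateChainArn
      ClientCidrBlock: !Ref ClientCidrBlock
      ConnectionLogOptions:
        Enabled: true
        CloudwatchLogGroup: !Ref MyClientVPNLogGroup
      DnsServers:
        - '8.8.8.8'
        - '8.8.4.4'
      ServerCertificateArn: !Ref ServerCertificateArn
      SplitTunnel: false
      TransportProtocol: 'udp'
      VpcId: !Ref MyVPC
  MyClientVPCEndpointAssociation:
    Type: 'AWS::EC2::ClientVpnTargetNetworkAssociation'
    Properties:
      ClientVpnEndpointId: !Ref MyClientVPCEndpoint
      SubnetId: !Ref MySubnet
  MyClientVPCEndpointAuthorizationRule:
    Type: 'AWS::EC2::ClientVpnAuthorizationRule'
    Properties:
      ClientVpnEndpointId: !Ref MyClientVPCEndpoint
      TargetNetworkCidr: '10.0.0.0/16'
      AuthorizeAllGroups: true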
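AWSTemplateFormatVersion: '2010-09-09'
Description: A CloudFormation template to create a VPC and an AWS Client VPN endpoint
# Fixes relative to the original: the authentication Type "mutual-authentication"
# is not an accepted value (certificate-authentication is the type whose options
# carry MutualAuthentication); the placeholder certificate ARNs are now
# parameters instead of one ARN reused for both roles; connection logging is
# turned on with its own log group; and the security group no longer opens
# 443/1194 to 0.0.0.0/0 — client sessions terminate on the AWS-managed endpoint,
# not on this interface, and client traffic enters the VPC source-NATed to the
# interface address, so those inbound rules admitted nothing useful. It is now
# egress-only (confirm against your own VPC-side services before tightening further).
Parameters:
  ServerCertificateArn:
    Type: String
    Description: ACM ARN of the server certificate the endpoint presents to clients.
    AllowedPattern: '^arn:aws[a-z-]*:acm:[a-z0-9-]+:[0-9]{12}:certificate/.+$'
  ClientRootCertificateChainArn:
    Type: String
    Description: ACM ARN of the imported client root CA chain used for mutual TLS.
    AllowedPattern: '^arn:aws[a-z-]*:acm:[a-z0-9-]+:[0-9]{12}:certificate/.+$'
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: MyVPC
  MySubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: '10.0.1.0/24'
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: MySubnet
  MyInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: MyInternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref MyInternetGateway
  MyRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: MyRouteTable
  MyRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway  # creating a route to an unattached gateway fails
    Properties:
      RouteTableId: !Ref MyRouteTable
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Ref MyInternetGateway
  MySubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref MySubnet
      RouteTableId: !Ref MyRouteTable
  # Applied to the endpoint's network interface; bounds what VPN clients can reach
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow VPN traffic
      VpcId: !Ref MyVPC
      SecurityGroupEgress:
        - IpProtocol: '-1'
          CidrIp: '10.0.0.0/16'  # VPN clients may reach the VPC only
      Tags:
        - Key: Name
          Value: MySecurityGroup
  # Connection log destination; the original had logging disabled
  MyClientVpnLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90
  MyClientVpnEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      Description: My Client VPN Endpoint
      ClientCidrBlock: '10.8.0.0/16'  # outside the VPC range, as the service requires
      ServerCertificateArn: !Ref ServerCertificateArn
      AuthenticationOptions:
        - Type: certificate-authentication
          MutualAuthentication:
            ClientRootCertificateChainArn: !Ref ClientRootCertificateChainArn
      ConnectionLogOptions:
        Enabled: true
        CloudwatchLogGroup: !Ref MyClientVpnLogGroup
      VpcId: !Ref MyVPC
      SecurityGroupIds:
        - !Ref MySecurityGroup
      TagSpecifications:
        - ResourceType: client-vpn-endpoint
          Tags:
            - Key: Name
              Value: MyClientVpnEndpoint
  MyClientVpnTargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref MyClientVpnEndpoint
      SubnetId: !Ref MySubnet
  VPNAuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref MyClientVpnEndpoint
      TargetNetworkCidr: '10.0.0.0/16'
      AuthorizeAllGroups: true
Outputs:
  VpcId:
    Description: VPC ID
    Value: !Ref MyVPC
  ClientVpnEndpointId:
    Description: Client VPN Endpoint ID
    Value: !Ref MyClientVpnEndpoint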