AWS CloudFormation Macro for VPC with IPv6, VPC Endpoints, Subnets, Route Tables & Network ACLs
Latest commit cd996cc Jan 14, 2019
Name                    Latest commit message                                                      Commit time
.cache/v/cache          Modifying lambda.py -> macro.py, adding basic unittest, conforming to…     Jan 4, 2019
.codebuild              Adding in codebuild pipeline                                               Jan 9, 2019
ci/scripts              Adding better discrete tests against the functions as python objects       Jan 5, 2019
spec                    Adding in codebuild pipeline                                               Jan 9, 2019
src
tests                   Adding Lint tests, modifications to Macro Fragment output for correct…     Jan 10, 2019
.cfnlintrc              Baseline for cfn-lint for a Macro (wip)                                    Jan 8, 2019
.coverage               Modifying lambda.py -> macro.py, adding basic unittest, conforming to…     Jan 4, 2019
.gitignore              Adding Lint tests, modifications to Macro Fragment output for correct…     Jan 10, 2019
.travis.yml
LICENSE                 Adding in a License                                                        Jan 4, 2019
README.md               Adding coveralls and correcting some tests                                 Jan 5, 2019
example.yaml            Adding in codebuild pipeline                                               Jan 9, 2019
makefile                Adding TransitGateway Attachment(s)                                        Nov 27, 2018
requirements.txt        Baseline VPC Builder Macro for AWS Cloudformation                          Nov 11, 2018
requirements_test.txt   Adding Lint tests, modifications to Macro Fragment output for correct…     Jan 10, 2019
transform.yaml

README.md

VPC Builder


Builds out a "fully" featured VPC, wrapping up the pieces that normally surround one: Internet and Customer Gateways, Subnets, Route Tables and NAT Gateways.

It also adds VPC Flow Logs (with the IAM role they need) and supports fully dynamic IPv6 allocation, both for the VPC and for each subnet.

On the IPv6 side it handles the Egress-Only Internet Gateway and the default route for ::/0.

Build Package

make buildPackage

Upload package to S3

Fill in your bucket and profile in the makefile (it uses a crude aws cli s3 upload command).

make uploadToS3

To Do

- Add Outputs with Exports for critical resources
- VPC Endpoints for all AWS Services
- Add a little better handling of custom pieces (e.g. different route gateways)
- Adding proper IPv6 regex and handling with NetworkACLs

Basic Usage

Use the YAML structure below as a template, replacing the account ID in the Transform definition (the 012345678901::VPC line at the bottom) with the account the macro is deployed in. The Subnets, RouteTables, NATGateways and NetworkACLs sections are optional: remove the ones you do not need and the macro will leave them out.

Virtual Private Gateway

Ideally you should never create a Virtual Private Gateway (VPGW) in CloudFormation. If you ever plan to attach it to a Direct Connect Virtual Interface, you won't be able to tear the VPC down and back up without destroying the VIF attachment. Create it outside the stack instead, either by hand in the console (shudder) or, preferably, via the CLI/SDK, and pass its ID in through the VGW parameter of the template below:

Command: aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn <AWS BGP ASN>

You can omit --amazon-side-asn if you're not sure what you want it to be; the gateway is then created with the standard Amazon-side ASN (64512).

Network ACL Breakdown

Each entry under a Network ACL is one string of seven comma-separated fields:

RuleName: "rule_number,protocol_number,[allow|deny],egress[true|false],cidr[0-255.0-255.0-255.0-255/0-32],from_port,to_port"

protocol_number is the IANA protocol number (6 TCP, 17 UDP, 1 ICMP, -1 all), egress true makes it an outbound rule, and rule numbers must be unique per direction within one ACL (AWS evaluates them lowest first and reserves 32767 upwards). The example below also uses IPv6 CIDRs such as ::/0, but proper IPv6 validation for NetworkACLs is still listed under To Do.

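As an added example (not the project's own macro code), this is how that rule string can be parsed into AWS::EC2::NetworkAclEntry resources, with the IPv6 handling listed above under To Do, a duplicate-rule-number check, and the request/response contract that a CloudFormation macro invoked through the Transform line (Basic Usage) has to honour. The handler is a hypothetical cut-down that expands only NetworkACLs; the generated logical IDs, the sample event and the "all ICMP" treatment of protocol 1 are this example's own choices.

```python
# Added example, not the VPC Builder project's own macro code: parse the
# rule-string format into AWS::EC2::NetworkAclEntry resources, put IPv6
# CIDRs in Ipv6CidrBlock, reject duplicate rule numbers at transform time,
# and wrap it in the macro request/response shape that the Transform line
# invokes. The handler is a hypothetical cut-down: it expands NetworkACLs only.
import copy
import ipaddress
import json
from typing import Dict, Tuple


def parse_acl_rule(name: str, rule: str, acl_logical_id: str) -> Dict:
    """'rule_number,protocol_number,[allow|deny],egress[true|false],cidr,from_port,to_port'
    -> one AWS::EC2::NetworkAclEntry. Malformed rules fail here, not in the stack create."""
    fields = [f.strip() for f in rule.split(",")]
    if len(fields) != 7:
        raise ValueError(f"{name}: expected 7 fields, got {len(fields)}: {rule!r}")
    number, protocol, action, egress, cidr, from_port, to_port = fields
    number, protocol = int(number), int(protocol)
    if not 1 <= number <= 32766:  # 32767 upwards is reserved by AWS
        raise ValueError(f"{name}: rule number {number} outside 1-32766")
    if protocol != -1 and not 0 <= protocol <= 255:
        raise ValueError(f"{name}: bad protocol number {protocol}")
    if action not in ("allow", "deny"):
        raise ValueError(f"{name}: action must be allow|deny, got {action!r}")
    if egress not in ("true", "false"):
        raise ValueError(f"{name}: egress must be true|false, got {egress!r}")
    try:  # IPv4 or IPv6; strict=True rejects host bits such as 172.16.0.1/24
        network = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"{name}: bad CIDR {cidr!r}: {exc}") from None
    from_port, to_port = int(from_port), int(to_port)
    if not 0 <= from_port <= to_port <= 65535:
        raise ValueError(f"{name}: bad port range {from_port}-{to_port}")

    props = {"NetworkAclId": {"Ref": acl_logical_id}, "RuleNumber": number,
             "Protocol": protocol, "RuleAction": action, "Egress": egress == "true"}
    # An IPv6 CIDR has to go in Ipv6CidrBlock; CloudFormation rejects it in CidrBlock.
    props["Ipv6CidrBlock" if network.version == 6 else "CidrBlock"] = str(network)
    # PortRange is required for TCP(6)/UDP(17) only. ICMP(1) needs Icmp {Code, Type},
    # which the rule string cannot express, so it becomes "all ICMP" here (this
    # example's choice). Protocol -1 (all) needs neither.
    if protocol in (6, 17):
        props["PortRange"] = {"From": from_port, "To": to_port}
    elif protocol == 1:
        props["Icmp"] = {"Code": -1, "Type": -1}
    return {"Type": "AWS::EC2::NetworkAclEntry", "Properties": props}


def expand_network_acls(acls: Dict[str, Dict[str, str]], vpc_logical_id: str) -> Dict:
    """NetworkACLs map -> AWS::EC2::NetworkAcl resources plus their entries. A rule
    number reused in one direction of one ACL is an error AWS reports only during
    the stack create; catch it at transform time instead."""
    resources: Dict = {}
    for acl_id, rules in acls.items():
        resources[acl_id] = {"Type": "AWS::EC2::NetworkAcl",
                             "Properties": {"VpcId": {"Ref": vpc_logical_id}}}
        seen: set = set()
        for rule_name, rule in rules.items():
            entry = parse_acl_rule(rule_name, rule, acl_id)
            key: Tuple[bool, int] = (entry["Properties"]["Egress"], entry["Properties"]["RuleNumber"])
            if key in seen:
                direction = "egress" if key[0] else "ingress"
                raise ValueError(f"{acl_id}: duplicate {direction} rule number {key[1]} ({rule_name})")
            seen.add(key)
            resources[rule_name] = entry
    return resources


def handler(event: Dict, context=None) -> Dict:
    """Macro Lambda contract: event['fragment'] in, transformed fragment out with
    requestId and status. Only NetworkACLs under each Kablamo::Network::VPC
    resource are expanded in this cut-down version."""
    fragment = copy.deepcopy(event["fragment"])
    resources: Dict = {}
    for logical_id, res in fragment.get("Resources", {}).items():
        if res.get("Type") != "Kablamo::Network::VPC":
            resources[logical_id] = res
            continue
        props = res.get("Properties", {})
        vpc_id = f"{logical_id}VPC"
        resources[vpc_id] = {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": props["CIDR"]}}
        resources.update(expand_network_acls(props.get("NetworkACLs", {}), vpc_id))
    fragment["Resources"] = resources
    return {"requestId": event["requestId"], "status": "success", "fragment": fragment}


# Constructed sample event, cut down from the README template.
SAMPLE_EVENT = {"requestId": "example-request", "fragment": {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {"KABLAMOBUILDVPC": {"Type": "Kablamo::Network::VPC", "Properties": {
        "CIDR": "172.16.0.0/20",
        "NetworkACLs": {"RestrictedSubnetAcl": {
            "RestrictedSubnetAclEntryInHTTPS": "102,6,allow,false,0.0.0.0/0,443,443",
            "RestrictedSubnetAclEntryInHTTPSIPv6": "104,6,allow,false,::/0,443,443",
            "RestrictedSubnetAclEntryOut": "110,-1,allow,true,172.16.0.0/16,1,65535"}}}}}}}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT)["fragment"], indent=2))
```

Run it and the three rule strings come back as three NetworkAclEntry resources hanging off one NetworkAcl, with the ::/0 rule carrying Ipv6CidrBlock and the protocol -1 rule carrying no PortRange. Feeding it two rules that share a number and direction raises before anything reaches CloudFormation, which is the point of validating in the macro rather than letting the stack create fail halfway through.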
AWSTemplateFormatVersion: 2010-09-09
Description: Private VPC Template
Parameters:
  VGW: {Description: Virtual Private Gateway ID (create it outside CloudFormation), Type: String, Default: vgw-012345678}
Mappings: {}
Resources:

    KABLAMOBUILDVPC:
        Type: Kablamo::Network::VPC
        Properties:
            CIDR: 172.16.0.0/20
            Details: {VPCName: PRIVATEEGRESSVPC, VPCDesc: Private Egress VPC, Region: ap-southeast-2, IPv6: True}
            Tags: {Name: PRIVATE-EGRESS-VPC, Template: VPC for private endpoints egress only}            
            DHCP: {Name: DhcpOptions, DNSServers: 172.16.0.2, NTPServers: 169.254.169.123, NTBType: 2}
            Subnets:
                ReservedMgmt1: {CIDR: 172.16.0.0/26, AZ: 0, NetACL: InternalSubnetAcl, RouteTable: InternalRT1 }
                ReservedMgmt2: {CIDR: 172.16.1.0/26, AZ: 1, NetACL: InternalSubnetAcl, RouteTable: InternalRT2 }
                ReservedMgmt3: {CIDR: 172.16.2.0/26, AZ: 2, NetACL: InternalSubnetAcl, RouteTable: InternalRT3 }
                ReservedNet1: {CIDR: 172.16.0.192/26, AZ: 0, NetACL: RestrictedSubnetAcl, RouteTable: PublicRT }
                ReservedNet2: {CIDR: 172.16.1.192/26, AZ: 1, NetACL: RestrictedSubnetAcl, RouteTable: PublicRT }
                ReservedNet3: {CIDR: 172.16.2.192/26, AZ: 2, NetACL: RestrictedSubnetAcl, RouteTable: PublicRT }
                Internal1: {CIDR: 172.16.3.0/24, AZ: 0, NetACL: InternalSubnetAcl, RouteTable: InternalRT1 }
                Internal2: {CIDR: 172.16.4.0/24, AZ: 1, NetACL: InternalSubnetAcl, RouteTable: InternalRT2 }
                Internal3: {CIDR: 172.16.5.0/24, AZ: 2, NetACL: InternalSubnetAcl, RouteTable: InternalRT3 }
                PerimeterInternal1: {CIDR: 172.16.6.0/24, AZ: 0, NetACL: InternalSubnetAcl, RouteTable: InternalRT1 }
                PerimeterInternal2: {CIDR: 172.16.7.0/24, AZ: 1, NetACL: InternalSubnetAcl, RouteTable: InternalRT2 }
                PerimeterInternal3: {CIDR: 172.16.8.0/24, AZ: 2, NetACL: InternalSubnetAcl, RouteTable: InternalRT3 }
            RouteTables:
                PublicRT:
                  - RouteName: PublicRoute
                    RouteCIDR: 0.0.0.0/0
                    RouteGW: InternetGateway
                  - RouteName: PublicRouteIPv6
                    RouteCIDR: ::/0
                    RouteGW: InternetGateway
                InternalRT1:
                InternalRT2:
                InternalRT3:
            NATGateways:
                NATGW1:
                    {Subnet: ReservedNet1, Routetable: InternalRT1}
                NATGW2:
                    {Subnet: ReservedNet2, Routetable: InternalRT2}
                NATGW3:
                    {Subnet: ReservedNet3, Routetable: InternalRT3}
            SecurityGroups:
                # Each rule is [protocol, from_port, to_port, cidr, description].
                # The interface endpoints below are reached on TCP 443, so the
                # all-ICMP/TCP/UDP ingress here is wider than they need.
                VPCEndpoint:
                    GroupDescription: VPC Endpoint Interface Firewall Rules
                    SecurityGroupIngress:
                    - [icmp,-1,-1,172.16.0.0/20, All ICMP Traffic]
                    - [tcp,0,65535,172.16.0.0/20, All TCP Traffic]
                    - [udp,0,65535,172.16.0.0/20, All UDP Traffic]
                    SecurityGroupEgress:
                    - [icmp,-1,-1,172.16.0.0/20, All ICMP Traffic]
                    - [tcp,0,65535,172.16.0.0/20, All TCP Traffic]
                    - [udp,0,65535,172.16.0.0/20, All UDP Traffic]
                    Tags:
                      Name: VPCEndpoint
            Endpoints:
                cloudformation:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                cloudtrail:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                codebuild:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                config:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                dynamodb:
                    Type: Gateway
                    RouteTableIds:
                      - PublicRT
                      - InternalRT1
                      - InternalRT2
                      - InternalRT3
                    # Actions in a gateway endpoint policy must belong to the
                    # endpoint's own service, otherwise nothing gets through.
                    # Principal "*" / Resource "*" is the AWS default (full
                    # access); scope Resource to the tables this VPC needs.
                    PolicyDocument: |
                        {
                            "Version":"2012-10-17",
                            "Statement":[
                                {
                                    "Effect":"Allow",
                                    "Principal": "*",
                                    "Action":["dynamodb:*"],
                                    "Resource":["*"]
                                }
                            ]
                        }
                ec2:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                ec2messages:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                elasticloadbalancing:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                events:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                execute-api:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                kinesis-streams:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                kms:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                logs:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                monitoring:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                sagemaker.api:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                sagemaker.runtime:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                s3:
                    Type: Gateway
                    RouteTableIds:
                      - PublicRT
                      - InternalRT1
                      - InternalRT2
                      - InternalRT3
                    # Principal "*" / Resource "*" is the AWS default (full access);
                    # scope Resource to the buckets this VPC needs before relying
                    # on the endpoint policy as an egress control.
                    PolicyDocument: |
                        {
                            "Version":"2012-10-17",
                            "Statement":[
                                {
                                    "Effect":"Allow",
                                    "Principal": "*",
                                    "Action":["s3:*"],
                                    "Resource":["*"]
                                }
                            ]
                        }
                secretsmanager:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                servicecatalog:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                sns:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                ssm:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
                ssmmessages:
                    Type: Interface
                    SubnetIds:
                      - ReservedMgmt1
                      - ReservedMgmt2
                      - ReservedMgmt3
                    SecurityGroupIds:
                      - VPCEndpoint
            NetworkACLs:
                RestrictedSubnetAcl: 
                    RestrictedSubnetAclEntryInTCPUnReserved: "90,6,allow,false,0.0.0.0/0,1024,65535"
                    RestrictedSubnetAclEntryInUDPUnReserved: "91,17,allow,false,0.0.0.0/0,1024,65535"
                    RestrictedSubnetAclEntryInTCPUnReservedIPv6: "92,6,allow,false,::/0,1024,65535"
                    RestrictedSubnetAclEntryInUDPUnReservedIPv6: "93,17,allow,false,::/0,1024,65535"
                    RestrictedSubnetAclEntryOutTCPUnReserved: "90,6,allow,true,0.0.0.0/0,1024,65535"
                    RestrictedSubnetAclEntryOutUDPUnReserved: "91,17,allow,true,0.0.0.0/0,1024,65535"
                    RestrictedSubnetAclEntryOutTCPUnReservedIPv6: "92,6,allow,true,::/0,1024,65535"
                    RestrictedSubnetAclEntryOutUDPUnReservedIPv6: "93,17,allow,true,::/0,1024,65535"
                    RestrictedSubnetAclEntryOutPuppet: "94,6,allow,true,172.16.0.0/16,8140,8140"
                    RestrictedSubnetAclEntryOutHTTP: "101,6,allow,true,0.0.0.0/0,80,80"
                    RestrictedSubnetAclEntryOutHTTPS: "102,6,allow,true,0.0.0.0/0,443,443"
                    RestrictedSubnetAclEntryOutSSH: "103,6,allow,true,0.0.0.0/0,22,22"
                    RestrictedSubnetAclEntryOutHTTPIPv6: "104,6,allow,true,::/0,80,80"
                    RestrictedSubnetAclEntryOutHTTPSIPv6: "105,6,allow,true,::/0,443,443"
                    RestrictedSubnetAclEntryOutSSHIPv6: "106,6,allow,true,::/0,22,22"
                    RestrictedSubnetAclEntryInHTTP: "101,6,allow,false,0.0.0.0/0,80,80"
                    RestrictedSubnetAclEntryInHTTPS: "102,6,allow,false,0.0.0.0/0,443,443"
                    RestrictedSubnetAclEntryInHTTPIPv6: "103,6,allow,false,::/0,80,80"
                    RestrictedSubnetAclEntryInHTTPSIPv6: "104,6,allow,false,::/0,443,443"
                    RestrictedSubnetAclEntryIn: "110,-1,allow,false,172.16.0.0/16,1,65535"
                    RestrictedSubnetAclEntryOut: "110,-1,allow,true,172.16.0.0/16,1,65535"
                    RestrictedSubnetAclEntryNTP: "120,17,allow,true,0.0.0.0/0,123,123"  # NTP is UDP (17)
                    RestrictedSubnetAclEntryInSquid2: "140,6,allow,false,172.16.0.0/16,3128,3128"
                    RestrictedSubnetAclEntryInDNSTCP: "150,6,allow,false,172.16.0.0/16,53,53"
                    RestrictedSubnetAclEntryOutDNSTCP: "150,6,allow,true,0.0.0.0/0,53,53"
                    RestrictedSubnetAclEntryOutDNSTCPIPv6: "151,6,allow,true,::/0,53,53"
                    RestrictedSubnetAclEntryInDNSUDP: "160,17,allow,false,172.16.0.0/16,53,53"
                    RestrictedSubnetAclEntryOutDNSUDP: "160,17,allow,true,0.0.0.0/0,53,53"
                    RestrictedSubnetAclEntryOutDNSUDPIPv6: "161,17,allow,true,::/0,53,53"
                    # 389 is LDAP; 137-139 are the NetBIOS name/datagram/session ports.
                    RestrictedSubnetAclEntryInLDAP: "170,6,allow,false,172.16.0.0/16,389,389"
                    RestrictedSubnetAclEntryOutLDAP: "170,6,allow,true,172.16.0.0/16,389,389"
                    RestrictedSubnetAclEntryInNetBios1: "80,6,allow,false,172.16.0.0/16,137,139"
                    RestrictedSubnetAclEntryOutNetBios1: "180,6,allow,true,172.16.0.0/16,137,139"
                InternalSubnetAcl:
                    InternalSubnetAclEntryIn: "100,-1,allow,false,172.16.0.0/16,1,65535"
                    InternalSubnetAclEntryOut: "100,-1,allow,true,172.16.0.0/16,1,65535"
                    InternalSubnetAclEntryInTCPUnreserved: "102,6,allow,false,0.0.0.0/0,1024,65535"
                    InternalSubnetAclEntryInUDPUnreserved: "103,17,allow,false,0.0.0.0/0,1024,65535"
                    InternalSubnetAclEntryInTCPUnreservedIPv6: "104,6,allow,false,::/0,1024,65535"
                    InternalSubnetAclEntryInUDPUnreservedIPv6: "105,17,allow,false,::/0,1024,65535"
                    InternalSubnetAclEntryOutHTTP: "102,6,allow,true,0.0.0.0/0,80,80"
                    InternalSubnetAclEntryOutHTTPS: "103,6,allow,true,0.0.0.0/0,443,443"
                    InternalSubnetAclEntryOutHTTPIPv6: "104,6,allow,true,::/0,80,80"
                    InternalSubnetAclEntryOutHTTPSIPv6: "105,6,allow,true,::/0,443,443"
                    InternalSubnetAclEntryOutTCPUnreserved: "106,6,allow,true,172.16.0.0/16,1024,65535"
                    InternalSubnetAclEntryOutUDPUnreserved: "107,17,allow,true,172.16.0.0/16,1024,65535"  # UDP is protocol 17
                    InternalSubnetAclEntryOutTCPDNS: "110,6,allow,true,0.0.0.0/0,53,53"
                    InternalSubnetAclEntryOutUDPDNS: "111,17,allow,true,0.0.0.0/0,53,53"
                    InternalSubnetAclEntryOutTCPDNSIPv6: "112,6,allow,true,::/0,53,53"
                    InternalSubnetAclEntryOutUDPDNSIPv6: "113,17,allow,true,::/0,53,53"
                    InternalSubnetAclEntryOutSSH: "150,6,allow,true,0.0.0.0/0,22,22"
Transform: "012345678901::VPC"
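The Endpoints and SecurityGroups sections of the template are where its trust boundary is set, so as an added example (not part of VPC Builder) here is a pre-flight lint over that part of the resource: it flags a gateway endpoint policy whose actions belong to another service (a copy-pasted s3:* on the dynamodb endpoint lets no DynamoDB traffic through), a policy no tighter than the AWS default, and an endpoint security group admitting more than TCP 443. It assumes that the endpoint key equals the IAM action prefix for gateway endpoints (s3, dynamodb) and that the AWS service interface endpoints in this template are all served on TCP 443; the scoped policy, its bucket name and account ID, and the sample fragment are constructed for the example.

```python
# Added example, not part of the VPC Builder project: pre-flight checks over the
# Endpoints and SecurityGroups maps of a Kablamo::Network::VPC resource.
# Assumptions: gateway endpoint keys (s3, dynamodb) equal the IAM action prefix;
# the AWS service interface endpoints in the template are served on TCP 443.
import json
from typing import Dict, List


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def lint_endpoint_policy(service: str, endpoint: Dict) -> List[str]:
    """Flag actions from another service (a copy-pasted s3:* on the dynamodb
    endpoint lets no DynamoDB traffic through) and Allow */*/* statements,
    which are no tighter than the policy AWS attaches by default."""
    findings: List[str] = []
    if "PolicyDocument" not in endpoint:
        return findings  # AWS attaches its default full-access policy
    policy = endpoint["PolicyDocument"]
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in _as_list(doc.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action.split(":", 1)[0] not in ("*", service):
                findings.append(f"{service}: action {action} is not a {service} action; "
                                "the endpoint would pass no useful traffic")
        wildcard = any(a in ("*", f"{service}:*") for a in actions)
        if (stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"})
                and "*" in _as_list(stmt.get("Resource", [])) and wildcard):
            findings.append(f"{service}: Allow */*/* is the default full-access policy; "
                            "scope Resource and Principal to what this VPC needs")
    return findings


def lint_endpoint_security_group(sg_name: str, sg: Dict) -> List[str]:
    """Rules are [protocol, from_port, to_port, cidr, description]. Anything on
    ingress beyond TCP 443 is surplus for an AWS service interface endpoint."""
    findings: List[str] = []
    for proto, from_port, to_port, cidr, desc in sg.get("SecurityGroupIngress", []):
        if proto == "tcp" and int(from_port) == 443 and int(to_port) == 443:
            continue
        findings.append(f"{sg_name}: ingress {proto} {from_port}-{to_port} from {cidr} "
                        f"({desc}) is wider than the TCP 443 an interface endpoint serves")
    return findings


def lint_vpc_resource(props: Dict) -> List[str]:
    """Run both checks over one Kablamo::Network::VPC Properties map; a security
    group shared by many interface endpoints is reported once."""
    findings: List[str] = []
    groups = props.get("SecurityGroups", {})
    checked: set = set()
    for service, endpoint in props.get("Endpoints", {}).items():
        if endpoint.get("Type") == "Gateway":
            findings += lint_endpoint_policy(service, endpoint)
        elif endpoint.get("Type") == "Interface":
            for sg_name in endpoint.get("SecurityGroupIds", []):
                if sg_name in groups and sg_name not in checked:
                    checked.add(sg_name)
                    findings += lint_endpoint_security_group(sg_name, groups[sg_name])
    return findings


# The weak policy (equivalent to AWS's default) beside a scoped alternative.
# Bucket name and account ID are placeholders for this example.
DEFAULT_S3_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:*"], "Resource": ["*"]}]})
SCOPED_S3_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:PrincipalAccount": "012345678901"}}}]})

# Constructed sample, cut down from the README template, with a copy-pasted
# s3:* policy on the dynamodb endpoint.
SAMPLE_PROPS = {
    "SecurityGroups": {"VPCEndpoint": {
        "GroupDescription": "VPC Endpoint Interface Firewall Rules",
        "SecurityGroupIngress": [
            ["icmp", -1, -1, "172.16.0.0/20", "All ICMP Traffic"],
            ["tcp", 0, 65535, "172.16.0.0/20", "All TCP Traffic"],
            ["udp", 0, 65535, "172.16.0.0/20", "All UDP Traffic"]]}},
    "Endpoints": {
        "ssm": {"Type": "Interface", "SubnetIds": ["ReservedMgmt1"], "SecurityGroupIds": ["VPCEndpoint"]},
        "kms": {"Type": "Interface", "SubnetIds": ["ReservedMgmt1"], "SecurityGroupIds": ["VPCEndpoint"]},
        "dynamodb": {"Type": "Gateway", "RouteTableIds": ["InternalRT1"], "PolicyDocument": DEFAULT_S3_POLICY},
        "s3": {"Type": "Gateway", "RouteTableIds": ["InternalRT1"], "PolicyDocument": DEFAULT_S3_POLICY},
    },
}

if __name__ == "__main__":
    for finding in lint_vpc_resource(SAMPLE_PROPS):
        print(finding)
```

Against the sample this reports five findings: the wrong-service action on the dynamodb endpoint, the default-equivalent s3 policy, and the three over-wide ingress rules on the shared VPCEndpoint group (reported once even though two endpoints use it). Swapping SCOPED_S3_POLICY in for the s3 endpoint clears its finding, which is the shape a gateway endpoint policy should take if the endpoint is meant to act as an egress control rather than just a route.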