---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'VPC: public and private subnets in three availability zones'
Metadata:
  # Parameter grouping for the CloudFormation console form only; it does not
  # influence any resource.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: 'VPC Parameters'
        Parameters: [ClassB, DualStack]
Parameters:
  # Second octet of the VPC CIDR; every CidrBlock in Resources is derived from
  # it with !Sub '10.${ClassB}...'.
  ClassB:
    Description: 'Class B of VPC (10.XXX.0.0/16)'
    Type: Number
    Default: 0
    MinValue: 0
    MaxValue: 255
    ConstraintDescription: 'Must be in the range [0-255]'
  # Deliberately a quoted String, not a YAML boolean, so the DualStacked
  # condition below can compare it as text.
  DualStack:
    Description: 'Request IPv6 CIDR block'
    Type: String
    Default: 'false'
    AllowedValues: ['true', 'false']
Conditions:
  # Gates every IPv6-only resource (VPCv6CIDR and the ::/0 NACL entries).
  DualStacked: !Equals [!Ref DualStack, 'true']
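Resources:
  # ---------------------------------------------------------------------------
  # VPC and internet attachment
  # ---------------------------------------------------------------------------
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Sub '10.${ClassB}.0.0/16'
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: !Sub '10.${ClassB}.0.0/16'
  # Only exists when DualStack == 'true'. Because the Condition already gates
  # the resource, the property is a plain boolean instead of re-reading the
  # parameter (which would always be the string 'true' here anyway).
  VPCv6CIDR:
    Condition: DualStacked
    Type: AWS::EC2::VPCCidrBlock
    Properties:
      VpcId: !Ref VPC
      AmazonProvidedIpv6CidrBlock: true
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '10.${ClassB}.0.0/16'
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  # ---------------------------------------------------------------------------
  # Subnets: six /20 slices of the /16, one public and one private per AZ, at
  # third-octet offsets 0/16 (A), 32/48 (B), 64/80 (C). "Public" means only
  # that the subnet's route table carries a default route to the IGW;
  # MapPublicIpOnLaunch is not set, so it keeps the service default.
  # NOTE(review): no Ipv6CidrBlock is assigned to any subnet even when
  # DualStacked, so the ::/0 NACL entries further down have no IPv6 subnet
  # traffic to match until subnets are given IPv6 prefixes — confirm whether
  # that is intended.
  # ---------------------------------------------------------------------------
  SubnetAPublic:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: !Sub '10.${ClassB}.0.0/20'
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: A public
        - Key: Reach
          Value: public
  SubnetAPrivate:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      CidrBlock: !Sub '10.${ClassB}.16.0/20'
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: A private
        - Key: Reach
          Value: private
  SubnetBPublic:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: !Sub '10.${ClassB}.32.0/20'
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: B public
        - Key: Reach
          Value: public
  SubnetBPrivate:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [1, !GetAZs '']
      CidrBlock: !Sub '10.${ClassB}.48.0/20'
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: B private
        - Key: Reach
          Value: private
  SubnetCPublic:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [2, !GetAZs '']
      CidrBlock: !Sub '10.${ClassB}.64.0/20'
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: C public
        - Key: Reach
          Value: public
  SubnetCPrivate:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: !Select [2, !GetAZs '']
      CidrBlock: !Sub '10.${ClassB}.80.0/20'
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: C private
        - Key: Reach
          Value: private
  # ---------------------------------------------------------------------------
  # Route tables: one per subnet. Only the public tables get a 0.0.0.0/0 route
  # (to the IGW, below); the private tables have no default route in this
  # template — any NAT egress is expected to be added by a dependent stack via
  # the exported RouteTablesPrivate.
  # ---------------------------------------------------------------------------
  RouteTableAPublic:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: A Public
  RouteTableAPrivate:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: A Private
  RouteTableBPublic:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: B Public
  RouteTableBPrivate:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: B Private
  RouteTableCPublic:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: C Public
  RouteTableCPrivate:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: C Private
  RouteTableAssociationAPublic:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetAPublic
      RouteTableId: !Ref RouteTableAPublic
  RouteTableAssociationAPrivate:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetAPrivate
      RouteTableId: !Ref RouteTableAPrivate
  RouteTableAssociationBPublic:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetBPublic
      RouteTableId: !Ref RouteTableBPublic
  RouteTableAssociationBPrivate:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetBPrivate
      RouteTableId: !Ref RouteTableBPrivate
  RouteTableAssociationCPublic:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetCPublic
      RouteTableId: !Ref RouteTableCPublic
  RouteTableAssociationCPrivate:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref SubnetCPrivate
      RouteTableId: !Ref RouteTableCPrivate
  # DependsOn is required: a route to an IGW fails if the gateway is not yet
  # attached to the VPC, and the attachment is not referenced by the route.
  RouteTablePublicAInternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableAPublic
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Ref InternetGateway
  RouteTablePublicBInternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableBPublic
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Ref InternetGateway
  RouteTablePublicCInternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableCPublic
      DestinationCidrBlock: '0.0.0.0/0'
      GatewayId: !Ref InternetGateway
  # ---------------------------------------------------------------------------
  # Gateway endpoints so private subnets reach S3/DynamoDB without a NAT.
  # VpcEndpointType is Gateway by default; it is spelled out so the intent is
  # explicit next to any interface endpoints added later.
  # NOTE(review): no PolicyDocument is attached, so the service's default
  # endpoint policy applies; scope it if this VPC should only reach specific
  # buckets or tables.
  # ---------------------------------------------------------------------------
  EndpointS3:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      VpcId: !Ref VPC
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      RouteTableIds:
        - !Ref RouteTableAPrivate
        - !Ref RouteTableBPrivate
        - !Ref RouteTableCPrivate
  EndpointDynamoDB:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      VpcId: !Ref VPC
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.dynamodb'
      RouteTableIds:
        - !Ref RouteTableAPrivate
        - !Ref RouteTableBPrivate
        - !Ref RouteTableCPrivate
  # ---------------------------------------------------------------------------
  # Network ACLs. Both ACLs allow all traffic in both directions (rule 100 for
  # IPv4, rule 101 for IPv6 when DualStacked). NOTE(review): the private
  # entries are named "AllowVPC" but match 0.0.0.0/0 and ::/0, not the VPC
  # CIDR — the subnet boundary here is the route table, and per-instance
  # security groups are the effective filter. They are left permissive on
  # purpose: narrowing them to the VPC CIDR would also block any NAT-based
  # egress that a dependent stack adds to the private route tables.
  # ---------------------------------------------------------------------------
  NetworkAclPublic:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Public
  NetworkAclPrivate:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: Private
  SubnetNetworkAclAssociationAPublic:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref SubnetAPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationAPrivate:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref SubnetAPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  SubnetNetworkAclAssociationBPublic:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref SubnetBPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationBPrivate:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref SubnetBPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  SubnetNetworkAclAssociationCPublic:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref SubnetCPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationCPrivate:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref SubnetCPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  # Protocol -1 == all protocols; Egress false == inbound rule.
  NetworkAclEntryInPublicAllowAll:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: '0.0.0.0/0'
  NetworkAclEntryOutPublicAllowAll:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: '0.0.0.0/0'
  NetworkAclEntryInPublicAllowAllv6:
    Condition: DualStacked
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: false
      Ipv6CidrBlock: '::/0'
  NetworkAclEntryOutPublicAllowAllv6:
    Condition: DualStacked
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: true
      Ipv6CidrBlock: '::/0'
  NetworkAclEntryInPrivateAllowVPC:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: '0.0.0.0/0'
  NetworkAclEntryOutPrivateAllowVPC:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: '0.0.0.0/0'
  NetworkAclEntryInPrivateAllowv6VPC:
    Condition: DualStacked
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: false
      Ipv6CidrBlock: '::/0'
  NetworkAclEntryOutPrivateAllowv6VPC:
    Condition: DualStacked
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 101
      Protocol: -1
      RuleAction: allow
      Egress: true
      Ipv6CidrBlock: '::/0'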
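Outputs:
  # Every value except StackName is exported as '${AWS::StackName}-<Name>' so
  # dependent stacks can consume it with Fn::ImportValue.
  StackName:
    Description: 'Stack name'
    Value: !Ref 'AWS::StackName'
  AZs:
    Description: 'AZs'
    Value: '3'
    Export:
      Name: !Sub '${AWS::StackName}-AZs'
  # The AZ outputs use the same Select indices (0/1/2) as the subnets, so the
  # A/B/C letters here line up with the subnet exports below.
  AZA:
    Description: 'AZ of A'
    Value: !Select [0, !GetAZs '']
    Export:
      Name: !Sub '${AWS::StackName}-AZA'
  AZB:
    Description: 'AZ of B'
    Value: !Select [1, !GetAZs '']
    Export:
      Name: !Sub '${AWS::StackName}-AZB'
  AZC:
    Description: 'AZ of C'
    Value: !Select [2, !GetAZs '']
    Export:
      Name: !Sub '${AWS::StackName}-AZC'
  ClassB:
    Description: 'Class B.'
    Value: !Ref ClassB
    Export:
      Name: !Sub '${AWS::StackName}-ClassB'
  VPC:
    Description: 'VPC.'
    Value: !Ref VPC
    Export:
      Name: !Sub '${AWS::StackName}-VPC'
  # Comma-separated lists, in A,B,C order, for consumers that take a list of
  # subnets or route tables (split with Fn::Split on the importing side).
  SubnetsPublic:
    Description: 'Subnets public.'
    Value: !Join [',', [!Ref SubnetAPublic, !Ref SubnetBPublic, !Ref SubnetCPublic]]
    Export:
      Name: !Sub '${AWS::StackName}-SubnetsPublic'
  SubnetsPrivate:
    Description: 'Subnets private.'
    Value: !Join [',', [!Ref SubnetAPrivate, !Ref SubnetBPrivate, !Ref SubnetCPrivate]]
    Export:
      Name: !Sub '${AWS::StackName}-SubnetsPrivate'
  RouteTablesPrivate:
    Description: 'Route tables private.'
    Value: !Join [',', [!Ref RouteTableAPrivate, !Ref RouteTableBPrivate, !Ref RouteTableCPrivate]]
    Export:
      Name: !Sub '${AWS::StackName}-RouteTablesPrivate'
  RouteTablesPublic:
    Description: 'Route tables public.'
    Value: !Join [',', [!Ref RouteTableAPublic, !Ref RouteTableBPublic, !Ref RouteTableCPublic]]
    Export:
      Name: !Sub '${AWS::StackName}-RouteTablesPublic'
  # Per-AZ exports, subnet followed by its route table.
  SubnetAPublic:
    Description: 'Subnet A public.'
    Value: !Ref SubnetAPublic
    Export:
      Name: !Sub '${AWS::StackName}-SubnetAPublic'
  RouteTableAPublic:
    Description: 'Route table A public.'
    Value: !Ref RouteTableAPublic
    Export:
      Name: !Sub '${AWS::StackName}-RouteTableAPublic'
  SubnetAPrivate:
    Description: 'Subnet A private.'
    Value: !Ref SubnetAPrivate
    Export:
      Name: !Sub '${AWS::StackName}-SubnetAPrivate'
  RouteTableAPrivate:
    Description: 'Route table A private.'
    Value: !Ref RouteTableAPrivate
    Export:
      Name: !Sub '${AWS::StackName}-RouteTableAPrivate'
  SubnetBPublic:
    Description: 'Subnet B public.'
    Value: !Ref SubnetBPublic
    Export:
      Name: !Sub '${AWS::StackName}-SubnetBPublic'
  RouteTableBPublic:
    Description: 'Route table B public.'
    Value: !Ref RouteTableBPublic
    Export:
      Name: !Sub '${AWS::StackName}-RouteTableBPublic'
  SubnetBPrivate:
    Description: 'Subnet B private.'
    Value: !Ref SubnetBPrivate
    Export:
      Name: !Sub '${AWS::StackName}-SubnetBPrivate'
  RouteTableBPrivate:
    Description: 'Route table B private.'
    Value: !Ref RouteTableBPrivate
    Export:
      Name: !Sub '${AWS::StackName}-RouteTableBPrivate'
  SubnetCPublic:
    Description: 'Subnet C public.'
    Value: !Ref SubnetCPublic
    Export:
      Name: !Sub '${AWS::StackName}-SubnetCPublic'
  RouteTableCPublic:
    Description: 'Route table C public.'
    Value: !Ref RouteTableCPublic
    Export:
      Name: !Sub '${AWS::StackName}-RouteTableCPublic'
  SubnetCPrivate:
    Description: 'Subnet C private.'
    Value: !Ref SubnetCPrivate
    Export:
      Name: !Sub '${AWS::StackName}-SubnetCPrivate'
  RouteTableCPrivate:
    Description: 'Route table C private.'
    Value: !Ref RouteTableCPrivate
    Export:
      Name: !Sub '${AWS::StackName}-RouteTableCPrivate'
  EndpointS3:
    Description: 'The VPC endpoint to S3.'
    Value: !Ref EndpointS3
    Export:
      Name: !Sub '${AWS::StackName}-EndpointS3'
  # Exported for symmetry with EndpointS3: the DynamoDB endpoint was created in
  # Resources but previously had no output, so dependent stacks could not
  # reference it.
  EndpointDynamoDB:
    Description: 'The VPC endpoint to DynamoDB.'
    Value: !Ref EndpointDynamoDB
    Export:
      Name: !Sub '${AWS::StackName}-EndpointDynamoDB'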