Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
566 lines (565 sloc) 15.1 KB
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create network ACLs and NACL entries for NAT/NAT Gateway multiAZ public/private VPC",
"Parameters": {
"AvZone1": {
"Type": "String",
"Description": "First AZ to use for subnets, etc.",
"ConstraintDescription": "Must be a valid AZ - # aws ec2 describe-availability-zones"
},
"AvZone2": {
"Type": "String",
"Description": "Second AZ to use for subnets, etc.",
"ConstraintDescription": "Must be a valid AZ - # aws ec2 describe-availability-zones"
},
"Environment": {
"Type": "String",
"Description": "Used for miscellaneous object names and tags"
},
"PrivSubnetAZ1": {
"Type": "String",
"Description": "Object ID for AZ1 private subnet"
},
"PrivateSubnetAZ1": {
"Type": "String",
"Description": "IP Address range for AZ1 private subnet",
"ConstraintDescription": "Valid IP CIDR block range - x.x.x.x/x."
},
"PrivSubnetAZ2": {
"Type": "String",
"Description": "Object ID for AZ2 private subnet"
},
"PrivateSubnetAZ2": {
"Type": "String",
"Description": "IP Address range for AZ2 private subnet",
"ConstraintDescription": "Valid IP CIDR block range - x.x.x.x/x."
},
"PubSubnetAZ1": {
"Type": "String",
"Description": "Object ID for AZ1 public subnet"
},
"PubSubnetAZ2": {
"Type": "String",
"Description": "Object ID for AZ2 public subnet"
},
"RemoteCIDR": {
"Type": "String",
"Description": "CIDR IP range allowed to remotely connect to the VPC, ideally your VPN/ISP netblock",
"ConstraintDescription": "Valid IP CIDR block range - x.x.x.x/x."
},
"VPC": {
"Type": "String",
"Description": "Object ID of VPC"
},
"VpcCIDR": {
"Type": "String",
"Description": "IP Address range for the VPC"
}
},
"Resources": {
"PrivateNetworkAcl": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"vpc_",
{
"Ref": "Environment"
},
"_private_networkacl"
]
]
}
},
{
"Key": "Environment",
"Value": {
"Ref": "Environment"
}
}
]
}
},
"PrivSubnetNetAclAssocAZ1": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type":"AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivSubnetAZ1"
},
"NetworkAclId": {
"Ref": "PrivateNetworkAcl"
}
}
},
"PrivSubnetNetAclAssocAZ2": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type":"AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": {
"Ref": "PrivSubnetAZ2"
},
"NetworkAclId": {
"Ref": "PrivateNetworkAcl"
}
}
},
"PrivNetAclInboundEntry100": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PrivateNetworkAcl" },
"RuleNumber": "100",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "0.0.0.0/0",
"PortRange": {
"From": "80",
"To": "80"
}
}
},
"PrivNetAclInboundEntry110": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PrivateNetworkAcl" },
"RuleNumber": "110",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "0.0.0.0/0",
"PortRange": {
"From": "443",
"To": "443"
}
}
},
"PrivNetAclInboundEntry120": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PrivateNetworkAcl" },
"RuleNumber": "120",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": { "Ref": "VpcCIDR" },
"PortRange": {
"From": "22",
"To": "22"
}
}
},
"PrivNetAclInboundEntry140": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PrivateNetworkAcl" },
"RuleNumber": "140",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "0.0.0.0/0",
"PortRange": {
"From": "1024",
"To": "65535"
}
}
},
"PrivNetAclInboundEntry150": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PrivateNetworkAcl" },
"RuleNumber": "150",
"Protocol": "1",
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": { "Ref": "VpcCIDR" },
"Icmp": {
"Code": "-1",
"Type": "-1"
}
}
},
"PrivNetAclOutboundEntry100": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PrivateNetworkAcl" },
"RuleNumber": "100",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": "0.0.0.0/0",
"PortRange": {
"From": "80",
"To": "80"
}
}
},
"PrivNetAclOutboundEntry110": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PrivateNetworkAcl" },
"RuleNumber": "110",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": "0.0.0.0/0",
"PortRange": {
"From": "443",
"To": "443"
}
}
},
"PrivNetAclOutboundEntry120": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PrivateNetworkAcl" },
"RuleNumber": "120",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": { "Ref": "VpcCIDR" },
"PortRange": {
"From": "1024",
"To": "65535"
}
}
},
"PrivNetAclOutboundEntry150": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PrivateNetworkAcl" },
"RuleNumber": "150",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": { "Ref": "PrivateSubnetAZ1" },
"PortRange": {
"From": "22",
"To": "22"
}
}
},
"PrivNetAclOutboundEntry151": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PrivateNetworkAcl" },
"RuleNumber": "151",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": { "Ref": "PrivateSubnetAZ2" },
"PortRange": {
"From": "22",
"To": "22"
}
}
},
"PrivNetAclOutboundEntry160": {
"DependsOn": [ "PrivateNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PrivateNetworkAcl" },
"RuleNumber": "160",
"Protocol": "1",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": { "Ref": "VpcCIDR" },
"Icmp": {
"Code": "-1",
"Type": "-1"
}
}
},
"PublicNetworkAcl": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"vpc_",
{
"Ref": "Environment"
},
"_public_networkacl"
]
]
}
},
{
"Key": "Environment",
"Value": {
"Ref": "Environment"
}
}
]
}
},
"PubSubnetNetAclAssocAZ1": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": {
"Ref": "PubSubnetAZ1"
},
"NetworkAclId": {
"Ref": "PublicNetworkAcl"
}
}
},
"PubSubnetNetAclAssocAZ2": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": {
"Ref": "PubSubnetAZ2"
},
"NetworkAclId": {
"Ref": "PublicNetworkAcl"
}
}
},
"PubNetAclInboundEntry100": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "100",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "0.0.0.0/0",
"PortRange": {
"From": "80",
"To": "80"
}
}
},
"PubNetAclInboundEntry110": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "110",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "0.0.0.0/0",
"PortRange": {
"From": "443",
"To": "443"
}
}
},
"PubNetAclInboundEntry120": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "120",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": { "Ref": "RemoteCIDR" },
"PortRange": {
"From": "22",
"To": "22"
}
}
},
"PubNetAclInboundEntry140": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "140",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "0.0.0.0/0",
"PortRange": {
"From": "1024",
"To": "65535"
}
}
},
"PubNetAclInboundEntry150": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "150",
"Protocol": "1",
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": { "Ref": "VpcCIDR" },
"Icmp": {
"Code": "-1",
"Type": "-1"
}
}
},
"PubNetAclOutboundEntry100": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "100",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": "0.0.0.0/0",
"PortRange": {
"From": "80",
"To": "80"
}
}
},
"PubNetAclOutboundEntry110": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "110",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": "0.0.0.0/0",
"PortRange": {
"From": "443",
"To": "443"
}
}
},
"PubNetAclOutboundEntry130": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "130",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": { "Ref": "PrivateSubnetAZ1" },
"PortRange": {
"From": "3306",
"To": "3306"
}
}
},
"PubNetAclOutboundEntry131": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "131",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": { "Ref": "PrivateSubnetAZ2" },
"PortRange": {
"From": "3306",
"To": "3306"
}
}
},
"PubNetAclOutboundEntry140": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "140",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": "0.0.0.0/0",
"PortRange": {
"From": "1024",
"To": "65535"
}
}
},
"PubNetAclOutboundEntry150": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "150",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": { "Ref": "PrivateSubnetAZ1" },
"PortRange": {
"From": "22",
"To": "22"
}
}
},
"PubNetAclOutboundEntry151": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "151",
"Protocol": "6",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": { "Ref": "PrivateSubnetAZ2" },
"PortRange": {
"From": "22",
"To": "22"
}
}
},
"PubNetAclOutboundEntry160": {
"DependsOn": [ "PublicNetworkAcl" ],
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "PublicNetworkAcl" },
"RuleNumber": "160",
"Protocol": "1",
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": "0.0.0.0/0",
"Icmp": {
"Code": "-1",
"Type": "-1"
}
}
}
},
"Outputs": {
"PrivateNetworkAcl": {
"Description": "Network ACL for private subnets",
"Value": { "Ref": "PrivateNetworkAcl" }
},
"PublicNetworkAcl": {
"Description": "Network ACL for public subnets",
"Value": { "Ref": "PublicNetworkAcl" }
}
}
}