--- AWSTemplateFormatVersion: 2010-09-09 Description: Provides networking configuration for a standard, public facing application, separates private-public subnets and enforces traffic with NACL rules (qs-1nb14cqcl) Metadata: Stack: Value: 2 VersionDate: Value: 20160510 Identifier: Value: template-vpc-production Input: Description: CIDR blocks, VPC names, KeyName, EC2 instance size Output: Description: Outputs ID of all deployed resources AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Region Config Parameters: - pRegionAZ1Name - pRegionAZ2Name - Label: default: Production VPC Config Parameters: - pBastionSSHCIDR - pProductionVPCName - pProductionCIDR - pDMZSubnetACIDR - pDMZSubnetBCIDR - pAppPrivateSubnetACIDR - pAppPrivateSubnetBCIDR - pDBPrivateSubnetACIDR - pDBPrivateSubnetBCIDR - pEC2KeyPair - pVPCTenancy - Label: default: AWS Quick Start Configuration Parameters: - QSS3BucketName - QSS3KeyPrefix ParameterLabels: pProductionVPCName: default: Name of Production VPC pProductionCIDR: default: Production VPC CIDR block pDMZSubnetACIDR: default: CIDR block of DMZ A subnet (internet facing) pDMZSubnetBCIDR: default: CIDR block of DMZ B subnet (internet facing) pAppPrivateSubnetACIDR: default: CIDR block of Application B subnet (private) pAppPrivateSubnetBCIDR: default: CIDR block of Application A subnet (private) pDBPrivateSubnetACIDR: default: CIDR block of Database A subnet (private) pDBPrivateSubnetBCIDR: default: CIDR block of Database B subnet (private) pEC2KeyPair: default: Name of existing SSH Key for NAT Instance pVPCTenancy: default: Instance tenancy QSS3BucketName: default: Quick Start S3 Bucket Name QSS3KeyPrefix: default: Quick Start S3 Key Prefix Parameters: pBastionSSHCIDR: Description: CIDR block to allow access to bastion SSH Type: String Default: 0.0.0.0/0 pRegionAZ1Name: Description: Availability Zone 1 Name in Region Type: AWS::EC2::AvailabilityZone::Name pRegionAZ2Name: Description: Availability Zone 2 Name in Region Type: AWS::EC2::AvailabilityZone::Name pProductionVPCName: Description: Production VPC Name Type: String Default: CommandCentral-Production pProductionCIDR: Description: CIDR block for Production VPC Type: String Default: 10.100.0.0/16 pManagementCIDR: Description: CIDR of Management VPC Type: String pDMZSubnetACIDR: Description: CIDR block for DMZ AZ-1b subnet Type: String Default: 10.100.10.0/24 pDMZSubnetBCIDR: Description: CIDR block for DMZ AZ-1b subnet Type: String Default: 10.100.20.0/24 pAppPrivateSubnetACIDR: Description: CIDR block for Application AZ-1a subnet Type: String Default: 10.100.96.0/21 pAppPrivateSubnetBCIDR: Description: CIDR block for Application AZ-1b subnet Type: String Default: 10.100.119.0/21 pDBPrivateSubnetACIDR: Description: CIDR block for Private AZ-1a subnet Type: String Default: 10.100.194.0/21 pDBPrivateSubnetBCIDR: Description: CIDR block for Private AZ-1b subnet Type: String Default: 10.100.212.0/21 pEC2KeyPair: Description: Name of existing EC2 key pair for production hosts Type: String Default: '' pVPCTenancy: Description: Instance tenancy behavior for this VPC Type: String Default: default AllowedValues: - default - dedicated pEnvironment: Description: Environment (development, test, or production) Type: String Default: development pSupportsNatGateway: Description: Specifies whether this region supports NAT Gateway (this value is determined by the main stack if it is invoked from there) Type: String Default: true pNatAmi: Description: AMI to use for the NAT intstance if the region does not support NAT Gateway (this value is determined by the main stack if it is invoked from there) Type: String Default: '' pNatInstanceType: Description: Instance type to use for the NAT intstance if the region does not support NAT Gateway (this value is determined by the main stack if it is invoked from there) Type: String Default: '' pFlowLogGroup: Description: Log Group for capturing VPC Flow Logs Type: String Default: '' QSS3BucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z\-\.]*[0-9a-zA-Z])*$ ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, periods (.), and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, periods (.), and hyphens (-). It cannot start or end with a hyphen (-). Type: String QSS3KeyPrefix: AllowedPattern: ^[0-9a-zA-Z-/]*$ ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-compliance-nist/ Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Type: String Conditions: cGovCloudCondition: !Equals - !Ref AWS::Region - us-gov-west-1 cNeedNatInstance: !Equals - false - !Ref pSupportsNatGateway cSupportsNatGateway: !Equals - true - !Ref pSupportsNatGateway cEnableFlowLogs: !Not - !Equals - !Ref pFlowLogGroup - '' Resources: rVPCProduction: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref pProductionCIDR InstanceTenancy: !Ref pVPCTenancy EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Ref pProductionVPCName - Key: Environment Value: !Ref pEnvironment rSecurityGroupVpcNat: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow NAT from production VpcId: !Ref rVPCProduction SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: !Ref pProductionCIDR - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: !Ref pProductionCIDR Tags: - Key: Name Value: sg-web-access-ports-from-production - Key: Environment Value: !Ref pEnvironment rSecurityGroupMgmtBastion: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow Bastion from Management Network VpcId: !Ref rVPCProduction SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref pBastionSSHCIDR Tags: - Key: Name Value: sg-ssh-access-from-management-vpc - Key: Environment Value: !Ref pEnvironment rSecurityGroupSSHFromProd: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Enable SSH access via port 22 VpcId: !Ref rVPCProduction SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref pProductionCIDR Tags: - Key: Name Value: sg-enable-ssh-access - Key: Environment Value: !Ref pEnvironment rDMZSubnetA: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pDMZSubnetACIDR AvailabilityZone: !Ref pRegionAZ1Name VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production DMZ Subnet A - Key: Environment Value: !Ref pEnvironment rDMZSubnetB: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pDMZSubnetBCIDR AvailabilityZone: !Ref pRegionAZ2Name VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production DMZ Subnet B - Key: Environment Value: !Ref pEnvironment rAppPrivateSubnetA: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pAppPrivateSubnetACIDR AvailabilityZone: !Ref pRegionAZ1Name VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production App Subnet A - Key: Environment Value: !Ref pEnvironment rAppPrivateSubnetB: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pAppPrivateSubnetBCIDR AvailabilityZone: !Ref pRegionAZ2Name VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production App Subnet B - Key: Environment Value: !Ref pEnvironment rDBPrivateSubnetA: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pDBPrivateSubnetACIDR AvailabilityZone: !Ref pRegionAZ1Name VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production DB Subnet A - Key: Environment Value: !Ref pEnvironment rDBPrivateSubnetB: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pDBPrivateSubnetBCIDR AvailabilityZone: !Ref pRegionAZ2Name VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production DB Subnet B - Key: Environment Value: !Ref pEnvironment rIGWProd: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: igw-production - Key: Environment Value: !Ref pEnvironment rNACLPublic: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref rVPCProduction rNACLPrivate: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref rVPCProduction rRouteTableMain: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production DMZ Route rEIPProdNatA: Type: AWS::EC2::EIP Properties: Domain: vpc rNATGatewaySubnetA: Type: AWS::EC2::NatGateway DependsOn: rIGWProd Condition: cSupportsNatGateway Properties: AllocationId: !GetAtt rEIPProdNatA.AllocationId SubnetId: !Ref rDMZSubnetA rEIPProdNatB: Type: AWS::EC2::EIP Properties: Domain: vpc rNATGatewaySubnetB: Type: AWS::EC2::NatGateway DependsOn: rIGWProd Condition: cSupportsNatGateway Properties: AllocationId: !GetAtt rEIPProdNatB.AllocationId SubnetId: !Ref rDMZSubnetB rNatInstanceTemplate: Type: AWS::CloudFormation::Stack Condition: cNeedNatInstance Properties: TemplateURL: !Sub - https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-compliance-common/templates/nat-instance.template - QSS3Region: !If - cGovCloudCondition - s3-us-gov-west-1 - s3 TimeoutInMinutes: 20 Parameters: pDMZSubnetA: !Ref rDMZSubnetA pSecurityGroupSSHFromVpc: !Ref rSecurityGroupSSHFromProd pSecurityGroupVpcNat: !Ref rSecurityGroupVpcNat pNatAmi: !Ref pNatAmi pNatInstanceType: !Ref pNatInstanceType pEC2KeyPair: !Ref pEC2KeyPair pVpcId: !Ref rVPCProduction pVpcName: !Ref pProductionVPCName pRouteTablePrivateA: !Ref rRouteTableProdPrivateA pRouteTablePrivateB: !Ref rRouteTableProdPrivateB pEipNatAllocationId: !GetAtt rEIPProdNatA.AllocationId rRouteProdIGW: Type: AWS::EC2::Route DependsOn: rGWAttachmentProdIGW Properties: RouteTableId: !Ref rRouteTableMain GatewayId: !Ref rIGWProd DestinationCidrBlock: 0.0.0.0/0 rRouteProdPrivateNatGatewayA: Type: AWS::EC2::Route Condition: cSupportsNatGateway Properties: DestinationCidrBlock: 0.0.0.0/0 RouteTableId: !Ref rRouteTableProdPrivateA NatGatewayId: !Ref rNATGatewaySubnetA rRouteProdPrivateNatGatewayB: Type: AWS::EC2::Route Condition: cSupportsNatGateway Properties: DestinationCidrBlock: 0.0.0.0/0 RouteTableId: !Ref rRouteTableProdPrivateB NatGatewayId: !Ref rNATGatewaySubnetB rRouteAssocProdDMZA: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableMain SubnetId: !Ref rDMZSubnetA rRouteAssocProdDMZB: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableMain SubnetId: !Ref rDMZSubnetB rAppPrivateSubnetAssociationA: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableProdPrivateA SubnetId: !Ref rAppPrivateSubnetA rAppPrivateSubnetAssociationB: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableProdPrivateB SubnetId: !Ref rAppPrivateSubnetB rRouteAssocDBPrivateA: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableProdPrivateA SubnetId: !Ref rDBPrivateSubnetA rRouteAssocDBPrivateB: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableProdPrivateB SubnetId: !Ref rDBPrivateSubnetB rRouteTableProdPrivateA: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production Private Route A rRouteTableProdPrivateB: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production Private Route B rNACLRuleAllowAllTCPInternal: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: !Ref pProductionCIDR Protocol: 6 PortRange: From: 1 To: 65535 RuleAction: allow RuleNumber: 120 NetworkAclId: !Ref rNACLPrivate rNACLRuleAllowBastionSSHAccessPrivate: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Protocol: 6 PortRange: From: 22 To: 22 RuleAction: allow RuleNumber: 130 NetworkAclId: !Ref rNACLPrivate rNACLRuleAllowMgmtAccessSSHtoPrivate: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: !Ref pManagementCIDR Protocol: 6 PortRange: From: 22 To: 22 RuleAction: allow RuleNumber: 125 NetworkAclId: !Ref rNACLPrivate rNACLRuleAllowReturnTCPPriv: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Protocol: 6 PortRange: From: 1024 To: 65535 RuleAction: allow RuleNumber: 140 NetworkAclId: !Ref rNACLPrivate rNACLRuleAllowALLfromPrivEgress: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Egress: true Protocol: 6 PortRange: From: 1 To: 65535 RuleAction: allow RuleNumber: 120 NetworkAclId: !Ref rNACLPrivate rNACLRuleAllowAllTCPInternalEgress: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Egress: true Protocol: 6 PortRange: From: 1 To: 65535 RuleAction: allow RuleNumber: 100 NetworkAclId: !Ref rNACLPrivate rNACLRuleAllowALLEgressPublic: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Egress: true Protocol: 6 PortRange: From: 1 To: 65535 RuleAction: allow RuleNumber: 100 NetworkAclId: !Ref rNACLPublic rNACLRuleAllowAllReturnTCP: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Protocol: 6 PortRange: From: 1024 To: 65535 RuleAction: allow RuleNumber: 140 NetworkAclId: !Ref rNACLPublic rNACLRuleAllowHTTPfromProd: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: !Ref pProductionCIDR Protocol: 6 PortRange: From: 80 To: 80 RuleAction: allow RuleNumber: 200 NetworkAclId: !Ref rNACLPublic rNACLRuleAllowBastionSSHAccessPublic: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Protocol: 6 PortRange: From: 22 To: 22 RuleAction: allow RuleNumber: 210 NetworkAclId: !Ref rNACLPublic rNACLRuleAllowEgressReturnTCP: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Egress: true Protocol: 6 PortRange: From: 1024 To: 65535 RuleAction: allow RuleNumber: 140 NetworkAclId: !Ref rNACLPublic rNACLRuleAllowHTTPSPublic: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Protocol: 6 PortRange: From: 443 To: 443 RuleAction: allow RuleNumber: 100 NetworkAclId: !Ref rNACLPublic rNACLAssocAppPrivSubnetB: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPrivate SubnetId: !Ref rAppPrivateSubnetB rNACLAssocDMZPubSubnetA: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPublic SubnetId: !Ref rDMZSubnetA rNACLAssocDMZPubSubnetB: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPublic SubnetId: !Ref rDMZSubnetB rNACLAssocAppPrivSubnetA: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPrivate SubnetId: !Ref rAppPrivateSubnetA rNACLAssocDBPrivSubnetA: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPrivate SubnetId: !Ref rDBPrivateSubnetA rNACLAssocDBPrivSubnetB: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPrivate SubnetId: !Ref rDBPrivateSubnetB rGWAttachmentProdIGW: Type: AWS::EC2::VPCGatewayAttachment DependsOn: rIGWProd Properties: VpcId: !Ref rVPCProduction InternetGatewayId: !Ref rIGWProd rProductionVpcFlowLogsServiceRole: Condition: cEnableFlowLogs Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Sid: AllowFlowLogs Effect: Allow Principal: Service: vpc-flow-logs.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: cloudwatchlogsrole PolicyDocument: Version: 2012-10-17 Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams Effect: Allow Resource: '*' rProductionVpcFlowLog: Condition: cEnableFlowLogs Type: AWS::EC2::FlowLog Properties: DeliverLogsPermissionArn: !GetAtt rProductionVpcFlowLogsServiceRole.Arn LogGroupName: !Ref pFlowLogGroup ResourceId: !Ref rVPCProduction ResourceType: VPC TrafficType: ALL rProductionVpcFlowLogStream: Condition: cEnableFlowLogs Type: AWS::Logs::LogStream Properties: LogGroupName: !Ref pFlowLogGroup Outputs: rVPCProduction: Value: !Ref rVPCProduction rDMZSubnetA: Value: !Ref rDMZSubnetA rDMZSubnetB: Value: !Ref rDMZSubnetB rRouteTableProdPrivate: Value: !Ref rRouteTableProdPrivateA rRouteTableProdPrivateB: Value: !Ref rRouteTableProdPrivateB rRouteTableProdPublic: Value: !Ref rRouteTableMain rAppPrivateSubnetA: Value: !Ref rAppPrivateSubnetA rAppPrivateSubnetB: Value: !Ref rAppPrivateSubnetB rDBPrivateSubnetA: Value: !Ref rDBPrivateSubnetA rDBPrivateSubnetB: Value: !Ref rDBPrivateSubnetB rNACLPrivate: Value: !Ref rNACLPrivate rNACLPublic: Value: !Ref rNACLPublic rSecurityGroupSSHFromProd: Value: !Ref rSecurityGroupSSHFromProd rSecurityGroupVpcNat: Value: !Ref rSecurityGroupVpcNat ...