AWSTemplateFormatVersion: "2010-09-09" Description: Provides cross-reference for Security Groups in the ingress and egress rules. Parameters: VpcID: Type: String PublicSubnet1Cidr: Type: String AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ PublicSubnet2Cidr: Type: String AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ PrivateSubnet1Cidr: Type: String AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ PrivateSubnet2Cidr: Type: String AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ WorkstationAccessCIDR: Type: String AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ WorkstationConnectionManager: Type: String CreateVPNEndpoint: Type: String Conditions: IsTeradici: !Equals [!Ref WorkstationConnectionManager, teradici] IsClientVpn: !Equals [!Ref CreateVPNEndpoint, true] Resources: ActiveDirectorySecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for Microsoft AD Domain Members VpcId: !Ref VpcID SecurityGroupIngress: - IpProtocol: tcp FromPort: 5985 ToPort: 5985 CidrIp: !Ref PrivateSubnet1Cidr - IpProtocol: tcp FromPort: 53 ToPort: 53 CidrIp: !Ref PrivateSubnet1Cidr - IpProtocol: udp FromPort: 53 ToPort: 53 CidrIp: !Ref PrivateSubnet1Cidr - IpProtocol: tcp FromPort: 49152 ToPort: 65535 CidrIp: !Ref PrivateSubnet1Cidr - IpProtocol: udp FromPort: 49152 ToPort: 65535 CidrIp: !Ref PrivateSubnet1Cidr - IpProtocol: tcp FromPort: 5985 ToPort: 5985 CidrIp: !Ref PrivateSubnet2Cidr - IpProtocol: tcp FromPort: 53 ToPort: 53 CidrIp: !Ref PrivateSubnet2Cidr - IpProtocol: udp FromPort: 53 ToPort: 53 CidrIp: !Ref PrivateSubnet2Cidr - IpProtocol: tcp FromPort: 49152 ToPort: 65535 CidrIp: !Ref PrivateSubnet2Cidr - IpProtocol: udp FromPort: 49152 ToPort: 65535 CidrIp: !Ref PrivateSubnet2Cidr - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref PublicSubnet1Cidr - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref PublicSubnet2Cidr SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: "-1" Tags: - Key: Name Value: microsoft-ad-sg # --> Client VPN Security Group ClientVPNSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for Client VPN Endpoint VpcId: !Ref VpcID SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: "-1" Tags: - Key: Name Value: client-vpn-sg Condition: IsClientVpn VPNHostSecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref ClientVPNSecurityGroup IpProtocol: "-1" SourceSecurityGroupId: !Ref ClientVPNSecurityGroup Condition: IsClientVpn # --> License Server Security Group LicenseServerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for License Server instance VpcId: !Ref VpcID SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: "-1" Tags: - Key: Name Value: license-server-sg RenderSchedulerToLicenseServerIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref LicenseServerSecurityGroup Description: render-scheduler-sg IpProtocol: "-1" SourceSecurityGroupId: !Ref RenderSchedulerSecurityGroup RenderNodeToLicenseServerIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref LicenseServerSecurityGroup Description: render-node-sg IpProtocol: "-1" SourceSecurityGroupId: !Ref RenderNodeSecurityGroup WorkstationToLicenseServerIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref LicenseServerSecurityGroup Description: workstation-sg IpProtocol: "-1" SourceSecurityGroupId: !Ref WorkstationSecurityGroup ClientVpnToLisenseServerIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref LicenseServerSecurityGroup Description: client-vpn-sg IpProtocol: tcp FromPort: 3389 ToPort: 3389 SourceSecurityGroupId: !Ref ClientVPNSecurityGroup Condition: IsClientVpn # --> Render Scheduler Security Group RenderSchedulerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for Render Scheduler instance VpcId: !Ref VpcID SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: "-1" Tags: - Key: Name Value: render-scheduler-sg RenderNodeToRenderSchedulerIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref RenderSchedulerSecurityGroup Description: render-node-sg IpProtocol: "-1" SourceSecurityGroupId: !Ref RenderNodeSecurityGroup WorkstationToRenderSchedulerIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref RenderSchedulerSecurityGroup Description: workstation-sg IpProtocol: "-1" SourceSecurityGroupId: !Ref WorkstationSecurityGroup ClientVpnToRenderSchedulerIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref RenderSchedulerSecurityGroup Description: client-vpn-sg IpProtocol: tcp FromPort: 3389 ToPort: 3389 SourceSecurityGroupId: !Ref ClientVPNSecurityGroup Condition: IsClientVpn # --> Workstation Security Group WorkstationSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for Workstation instance VpcId: !Ref VpcID SecurityGroupIngress: !If - IsTeradici - !If - IsClientVpn - - IpProtocol: tcp FromPort: 443 ToPort: 443 SourceSecurityGroupId: !Ref ClientVPNSecurityGroup Description: client-vpn-sg - IpProtocol: tcp FromPort: 4172 ToPort: 4172 SourceSecurityGroupId: !Ref ClientVPNSecurityGroup Description: client-vpn-sg - IpProtocol: udp FromPort: 4172 ToPort: 4172 SourceSecurityGroupId: !Ref ClientVPNSecurityGroup Description: client-vpn-sg - IpProtocol: tcp FromPort: 3389 ToPort: 3389 SourceSecurityGroupId: !Ref ClientVPNSecurityGroup Description: client-vpn-sg - - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: !Ref WorkstationAccessCIDR - IpProtocol: tcp FromPort: 4172 ToPort: 4172 CidrIp: !Ref WorkstationAccessCIDR - IpProtocol: udp FromPort: 4172 ToPort: 4172 CidrIp: !Ref WorkstationAccessCIDR - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref WorkstationAccessCIDR - !If - IsClientVpn - - IpProtocol: tcp FromPort: 8443 ToPort: 8443 SourceSecurityGroupId: !Ref ClientVPNSecurityGroup - IpProtocol: tcp FromPort: 3389 ToPort: 3389 SourceSecurityGroupId: !Ref ClientVPNSecurityGroup Description: client-vpn-sg - - IpProtocol: tcp FromPort: 8443 ToPort: 8443 CidrIp: !Ref WorkstationAccessCIDR - IpProtocol: tcp FromPort: 3389 ToPort: 3389 CidrIp: !Ref WorkstationAccessCIDR SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: "-1" Tags: - Key: Name Value: workstation-sg RenderSchedulerToWorkstationIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref WorkstationSecurityGroup Description: render-scheduler-sg IpProtocol: "-1" SourceSecurityGroupId: !Ref RenderSchedulerSecurityGroup RenderNodeToWorkstationIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref WorkstationSecurityGroup Description: render-node-sg IpProtocol: "-1" SourceSecurityGroupId: !Ref RenderNodeSecurityGroup # --> Render Node Security Group RenderNodeSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Security group for Render Node instances VpcId: !Ref VpcID SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: "-1" Tags: - Key: Name Value: render-node-sg RenderSchedulerToRenderNodeIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref RenderNodeSecurityGroup Description: render-scheduler-sg IpProtocol: "-1" SourceSecurityGroupId: !Ref RenderSchedulerSecurityGroup WorkstationToRenderNodeIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref RenderNodeSecurityGroup Description: workstation-sg IpProtocol: "-1" SourceSecurityGroupId: !Ref WorkstationSecurityGroup Outputs: ActiveDirectorySecurityGroup: Value: !Ref ActiveDirectorySecurityGroup ClientVPNSecurityGroup: Value: !Ref ClientVPNSecurityGroup Condition: IsClientVpn LicenseServerSecurityGroup: Value: !Ref LicenseServerSecurityGroup RenderSchedulerSecurityGroup: Value: !Ref RenderSchedulerSecurityGroup RenderNodeSecurityGroup: Value: !Ref RenderNodeSecurityGroup WorkstationSecurityGroup: Value: !Ref WorkstationSecurityGroup