--- AWSTemplateFormatVersion: '2010-09-09' Description: Provides networking configuration for a standard, public facing application, separates private-public subnets and enforces traffic with NACL rules. In addition, enable VPC flow logs to CloudWatch Logs. Metadata: Stack: Value: 2 VersionDate: Value: 20200325 Identifier: Value: template-vpc-production Input: Description: CIDR blocks, VPC names, AZs. Output: Description: Outputs ID of all deployed resources. AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Region Config Parameters: - pRegionAZ1Name - pRegionAZ2Name - Label: default: Production VPC Config Parameters: - pProductionVPCName - pProductionCIDR - pDMZSubnetACIDR - pDMZSubnetBCIDR - pAppPrivateSubnetACIDR - pAppPrivateSubnetBCIDR - pVPCTenancy ParameterLabels: pProductionVPCName: default: Name of Production VPC pProductionCIDR: default: Production VPC CIDR block pDMZSubnetACIDR: default: CIDR block of DMZ A subnet (internet facing) pDMZSubnetBCIDR: default: CIDR block of DMZ B subnet (internet facing) pAppPrivateSubnetACIDR: default: CIDR block of Application B subnet (private) pAppPrivateSubnetBCIDR: default: CIDR block of Application A subnet (private) pVPCTenancy: default: Instance tenancy Parameters: pRegionAZ1Name: Description: Availability Zone 1 Name in Region Type: AWS::EC2::AvailabilityZone::Name pRegionAZ2Name: Description: Availability Zone 2 Name in Region Type: AWS::EC2::AvailabilityZone::Name pProductionVPCName: Description: Production VPC Name Type: String Default: CommandCentral-Production pProductionCIDR: Description: CIDR block for Production VPC Type: String Default: 10.100.0.0/16 pDMZSubnetACIDR: Description: CIDR block for DMZ AZ-1b subnet Type: String Default: 10.100.10.0/24 pDMZSubnetBCIDR: Description: CIDR block for DMZ AZ-1b subnet Type: String Default: 10.100.20.0/24 pAppPrivateSubnetACIDR: Description: CIDR block for Application AZ-1a subnet Type: String Default: 10.100.96.0/21 pAppPrivateSubnetBCIDR: Description: CIDR block for Application AZ-1b subnet Type: String Default: 10.100.119.0/21 pVPCTenancy: Description: Instance tenancy behavior for this VPC Type: String Default: default AllowedValues: - default - dedicated pEnvironment: Description: Environment (development, test, or production) Type: String Default: production pSupportsNatGateway: Description: Specifies whether this region supports NAT Gateway (this value is determined by the main stack if it is invoked from there) Type: String Default: true pNatAmi: Description: AMI to use for the NAT intstance if the region does not support NAT Gateway (this value is determined by the main stack if it is invoked from there) Type: String Default: '' pNatInstanceType: Description: Instance type to use for the NAT intstance if the region does not support NAT Gateway (this value is determined by the main stack if it is invoked from there) Type: String Default: '' Conditions: cGovCloudCondition: !Equals - !Ref AWS::Region - us-gov-west-1 cNeedNatInstance: !Equals - false - !Ref pSupportsNatGateway cSupportsNatGateway: !Equals - true - !Ref pSupportsNatGateway Resources: rVPCProduction: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref pProductionCIDR InstanceTenancy: !Ref pVPCTenancy EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Ref pProductionVPCName - Key: Environment Value: !Ref pEnvironment rDMZSubnetA: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pDMZSubnetACIDR AvailabilityZone: !Ref pRegionAZ1Name VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production DMZ Subnet A - Key: Environment Value: !Ref pEnvironment rDMZSubnetB: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pDMZSubnetBCIDR AvailabilityZone: !Ref pRegionAZ2Name VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production DMZ Subnet B - Key: Environment Value: !Ref pEnvironment rAppPrivateSubnetA: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pAppPrivateSubnetACIDR AvailabilityZone: !Ref pRegionAZ1Name VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production App Subnet A - Key: Environment Value: !Ref pEnvironment rAppPrivateSubnetB: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pAppPrivateSubnetBCIDR AvailabilityZone: !Ref pRegionAZ2Name VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production App Subnet B - Key: Environment Value: !Ref pEnvironment rIGWProd: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: igw-production - Key: Environment Value: !Ref pEnvironment rNACLPublic: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production ACL Public rNACLPrivate: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production ACL Private rRouteTableMain: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production DMZ Route rEIPProdNatA: Type: AWS::EC2::EIP Properties: Domain: vpc rNATGatewaySubnetA: Type: AWS::EC2::NatGateway DependsOn: rIGWProd Condition: cSupportsNatGateway Properties: AllocationId: !GetAtt rEIPProdNatA.AllocationId SubnetId: !Ref rDMZSubnetA rRouteProdIGW: Type: AWS::EC2::Route DependsOn: rGWAttachmentProdIGW Properties: RouteTableId: !Ref rRouteTableMain GatewayId: !Ref rIGWProd DestinationCidrBlock: 0.0.0.0/0 rRouteProdPrivateNatGatewayA: Type: AWS::EC2::Route Condition: cSupportsNatGateway Properties: DestinationCidrBlock: 0.0.0.0/0 RouteTableId: !Ref rRouteTableProdPrivateA NatGatewayId: !Ref rNATGatewaySubnetA rRouteProdPrivateNatGatewayB: Type: AWS::EC2::Route Condition: cSupportsNatGateway Properties: DestinationCidrBlock: 0.0.0.0/0 RouteTableId: !Ref rRouteTableProdPrivateB NatGatewayId: !Ref rNATGatewaySubnetA # Sending traffic to NatGateway SUbnet A rRouteAssocProdDMZA: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableMain SubnetId: !Ref rDMZSubnetA rRouteAssocProdDMZB: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableMain SubnetId: !Ref rDMZSubnetB rAppPrivateSubnetAssociationA: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableProdPrivateA SubnetId: !Ref rAppPrivateSubnetA rAppPrivateSubnetAssociationB: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableProdPrivateB SubnetId: !Ref rAppPrivateSubnetB rRouteTableProdPrivateA: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production Private Route A rRouteTableProdPrivateB: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref rVPCProduction Tags: - Key: Name Value: Production Private Route B rNACLRuleAllowAllTCPInternal: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: !Ref pProductionCIDR Protocol: 6 PortRange: From: 1 To: 65535 RuleAction: allow RuleNumber: 120 NetworkAclId: !Ref rNACLPrivate rNACLRuleAllowReturnTCPPriv: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Protocol: 6 PortRange: From: 1024 To: 65535 RuleAction: allow RuleNumber: 140 NetworkAclId: !Ref rNACLPrivate rNACLRuleAllowALLfromPrivEgress: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Egress: true Protocol: 6 PortRange: From: 1 To: 65535 RuleAction: allow RuleNumber: 120 NetworkAclId: !Ref rNACLPrivate rNACLRuleAllowAllTCPInternalEgress: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Egress: true Protocol: 6 PortRange: From: 1 To: 65535 RuleAction: allow RuleNumber: 100 NetworkAclId: !Ref rNACLPrivate rNACLRuleAllowALLEgressPublic: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Egress: true Protocol: 6 PortRange: From: 1 To: 65535 RuleAction: allow RuleNumber: 100 NetworkAclId: !Ref rNACLPublic rNACLRuleAllowAllReturnTCP: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Protocol: 6 PortRange: From: 1024 To: 65535 RuleAction: allow RuleNumber: 140 NetworkAclId: !Ref rNACLPublic rNACLRuleAllowHTTPfromProd: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: !Ref pProductionCIDR Protocol: 6 PortRange: From: 80 To: 80 RuleAction: allow RuleNumber: 200 NetworkAclId: !Ref rNACLPublic rNACLRuleAllowBastionSSHAccessPublic: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Protocol: 6 PortRange: From: 22 To: 22 RuleAction: allow RuleNumber: 210 NetworkAclId: !Ref rNACLPublic rNACLRuleAllowEgressReturnTCP: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Egress: true Protocol: 6 PortRange: From: 1024 To: 65535 RuleAction: allow RuleNumber: 140 NetworkAclId: !Ref rNACLPublic rNACLRuleAllowHTTPSPublic: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Protocol: 6 PortRange: From: 443 To: 443 RuleAction: allow RuleNumber: 100 NetworkAclId: !Ref rNACLPublic rNACLAssocAppPrivSubnetB: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPrivate SubnetId: !Ref rAppPrivateSubnetB rNACLAssocDMZPubSubnetA: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPublic SubnetId: !Ref rDMZSubnetA rNACLAssocDMZPubSubnetB: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPublic SubnetId: !Ref rDMZSubnetB rNACLAssocAppPrivSubnetA: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPrivate SubnetId: !Ref rAppPrivateSubnetA rGWAttachmentProdIGW: Type: AWS::EC2::VPCGatewayAttachment DependsOn: rIGWProd Properties: VpcId: !Ref rVPCProduction InternetGatewayId: !Ref rIGWProd Outputs: rVPCProduction: Value: !Ref rVPCProduction rDMZSubnetA: Value: !Ref rDMZSubnetA rDMZSubnetB: Value: !Ref rDMZSubnetB rRouteTableProdPrivate: Value: !Ref rRouteTableProdPrivateA rRouteTableProdPrivateB: Value: !Ref rRouteTableProdPrivateB rRouteTableProdPublic: Value: !Ref rRouteTableMain rAppPrivateSubnetA: Value: !Ref rAppPrivateSubnetA rAppPrivateSubnetB: Value: !Ref rAppPrivateSubnetB rNACLPrivate: Value: !Ref rNACLPrivate rNACLPublic: Value: !Ref rNACLPublic ...