{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Secure Service Catalog: VPC with public and private subnets in two AZs and Flow Logs.", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Region Configuration" }, "Parameters": [ "RegionAZ1Name", "RegionAZ2Name" ] }, { "Label": { "default": "VPC Configuration" }, "Parameters": [ "VPCCIDR" ] }, { "Label": { "default": "Private Subnet Configuration" }, "Parameters": [ "SubnetAPrivateCIDR", "SubnetBPrivateCIDR" ] } ] } }, "Parameters": { "RegionAZ1Name": { "Description": "Availability Zone 1 Name in Region", "Type": "AWS::EC2::AvailabilityZone::Name" }, "RegionAZ2Name": { "Description": "Availability Zone 2 Name in Region", "Type": "AWS::EC2::AvailabilityZone::Name" }, "VPCCIDR": { "Description": "CIDR block for the VPC", "Type": "String", "Default": "10.229.0.0/16", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" }, "SubnetAPrivateCIDR": { "Description": "CIDR block for the private subnet in availability zone", "Type": "String", "Default": "10.229.30.0/24", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" }, "SubnetBPrivateCIDR": { "Description": "CIDR block for the private subnet in availability zone", "Type": "String", "Default": "10.229.40.0/24", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" } }, "Resources": { "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": { "Ref": "VPCCIDR" }, "EnableDnsSupport": true, "EnableDnsHostnames": true, "InstanceTenancy": "default", "Tags": [ { "Key": "Name", "Value": { "Fn::Sub": "SC-VPC-RA-${VPCCIDR}" } }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "VPCFlowLogs": { "Type": "AWS::EC2::FlowLog", "Properties": { "LogDestinationType": "s3", "LogDestination": { "Fn::Join": [ "", [ "arn:aws:s3:::aes-siem-", { "Ref": "AWS::AccountId" }, "-log" ] ] }, "ResourceId": { "Ref": "VPC" }, "ResourceType": "VPC", "TrafficType": "ALL" } }, "SubnetAPrivate": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": { "Ref": "RegionAZ1Name" }, "CidrBlock": { "Ref": "SubnetAPrivateCIDR" }, "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "A private - sc-vpc-ra" }, { "Key": "Reach", "Value": "private" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "SubnetBPrivate": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": { "Ref": "RegionAZ2Name" }, "CidrBlock": { "Ref": "SubnetBPrivateCIDR" }, "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "B private - sc-vpc-ra" }, { "Key": "Reach", "Value": "private" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "RouteTableAPrivate": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "A Private - sc-vpc-ra" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "RouteTableBPrivate": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "B Private - sc-vpc-ra" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "RouteTableAssociationAPrivate": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "SubnetAPrivate" }, "RouteTableId": { "Ref": "RouteTableAPrivate" } } }, "RouteTableAssociationBPrivate": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "SubnetBPrivate" }, "RouteTableId": { "Ref": "RouteTableBPrivate" } } }, "NetworkAclPrivate": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "Private - sc-vpc-ra" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "SubnetNetworkAclAssociationAPrivate": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": { "Ref": "SubnetAPrivate" }, "NetworkAclId": { "Ref": "NetworkAclPrivate" } } }, "SubnetNetworkAclAssociationBPrivate": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": { "Ref": "SubnetBPrivate" }, "NetworkAclId": { "Ref": "NetworkAclPrivate" } } }, "NetworkAclEntryInPrivateAllowVPC": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "NetworkAclPrivate" }, "RuleNumber": 99, "Protocol": -1, "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPrivateAllowVPC": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "NetworkAclPrivate" }, "RuleNumber": 99, "Protocol": -1, "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0" } } }, "Outputs": { "AWSRegionName": { "Value": { "Ref": "AWS::Region" } }, "RegionAZ1Name": { "Value": { "Ref": "RegionAZ1Name" } }, "RegionAZ2Name": { "Value": { "Ref": "RegionAZ2Name" } }, "VPCCIDR": { "Value": { "Fn::GetAtt": ["VPC","CidrBlock"] } }, "SubnetAPrivateCIDR": { "Value": { "Ref": "SubnetAPrivateCIDR" } }, "SubnetBPrivateCIDR": { "Value": { "Ref": "SubnetAPrivateCIDR" } }, "RouteTableAPrivate": { "Value": { "Ref": "RouteTableAPrivate" } }, "RouteTableBPrivate": { "Value": { "Ref": "RouteTableBPrivate" } }, "NetworkAclPrivate": { "Value": { "Ref": "NetworkAclPrivate" } } } }