{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "Secure Service Catalog: VPC with public and private subnets in two AZs and Flow Logs.", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Region Configuration" }, "Parameters": [ "RegionAZ1Name", "RegionAZ2Name" ] }, { "Label": { "default": "VPC Configuration" }, "Parameters": [ "VPCCIDR" ] }, { "Label": { "default": "Public Subnet Configuration" }, "Parameters": [ "SubnetAPublicCIDR", "SubnetBPublicCIDR" ] }, { "Label": { "default": "Private Subnet Configuration" }, "Parameters": [ "SubnetAPrivateCIDR", "SubnetBPrivateCIDR" ] } ] } }, "Parameters": { "RegionAZ1Name": { "Description": "Availability Zone 1 Name in Region", "Type": "AWS::EC2::AvailabilityZone::Name" }, "RegionAZ2Name": { "Description": "Availability Zone 2 Name in Region", "Type": "AWS::EC2::AvailabilityZone::Name" }, "VPCCIDR": { "Description": "CIDR block for the VPC", "Type": "String", "Default": "10.229.0.0/16", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" }, "SubnetAPublicCIDR": { "Description": "CIDR block for the public subnet in availability zone", "Type": "String", "Default": "10.229.10.0/24", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" }, "SubnetBPublicCIDR": { "Description": "CIDR block for the public subnet in availability zone", "Type": "String", "Default": "10.229.20.0/24", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" }, "SubnetAPrivateCIDR": { "Description": "CIDR block for the private subnet in availability zone", "Type": "String", "Default": "10.229.30.0/24", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" }, "SubnetBPrivateCIDR": { "Description": "CIDR block for the private subnet in availability zone", "Type": "String", "Default": "10.229.40.0/24", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" } }, "Resources": { "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": { "Ref": "VPCCIDR" }, "EnableDnsSupport": true, "EnableDnsHostnames": true, "InstanceTenancy": "default", "Tags": [ { "Key": "Name", "Value": { "Fn::Sub": "SC-VPC-RA-${VPCCIDR}" } }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "VPCFlowLogs": { "Type": "AWS::EC2::FlowLog", "Properties": { "LogDestinationType": "s3", "LogDestination": { "Fn::Join": [ "", [ "arn:aws:s3:::aes-siem-", { "Ref": "AWS::AccountId" }, "-log" ] ] }, "ResourceId": { "Ref": "VPC" }, "ResourceType": "VPC", "TrafficType": "ALL" } }, "InternetGateway": { "Type": "AWS::EC2::InternetGateway", "Properties": { "Tags": [ { "Key": "Name", "Value": { "Ref": "VPCCIDR" } }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "VPCGatewayAttachment": { "Type": "AWS::EC2::VPCGatewayAttachment", "Properties": { "VpcId": { "Ref": "VPC" }, "InternetGatewayId": { "Ref": "InternetGateway" } } }, "SubnetAPublic": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": { "Ref": "RegionAZ1Name" }, "CidrBlock": { "Ref": "SubnetAPublicCIDR" }, "MapPublicIpOnLaunch": true, "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "A public - sc-vpc-ra" }, { "Key": "Reach", "Value": "public" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "SubnetBPublic": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": { "Ref": "RegionAZ2Name" }, "CidrBlock": { "Ref": "SubnetBPublicCIDR" }, "MapPublicIpOnLaunch": true, "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "B public - sc-vpc-ra" }, { "Key": "Reach", "Value": "public" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "SubnetAPrivate": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": { "Ref": "RegionAZ1Name" }, "CidrBlock": { "Ref": "SubnetAPrivateCIDR" }, "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "A private - sc-vpc-ra" }, { "Key": "Reach", "Value": "private" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "SubnetBPrivate": { "Type": "AWS::EC2::Subnet", "Properties": { "AvailabilityZone": { "Ref": "RegionAZ2Name" }, "CidrBlock": { "Ref": "SubnetBPrivateCIDR" }, "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "B private - sc-vpc-ra" }, { "Key": "Reach", "Value": "private" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "RouteTableAPublic": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "A Public - sc-vpc-ra" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "RouteTableBPublic": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "B Public - sc-vpc-ra" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "RouteTableAPrivate": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "A Private - sc-vpc-ra" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "RouteTableBPrivate": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "B Private - sc-vpc-ra" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "RouteTableAssociationAPublic": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "SubnetAPublic" }, "RouteTableId": { "Ref": "RouteTableAPublic" } } }, "RouteTableAssociationBPublic": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "SubnetBPublic" }, "RouteTableId": { "Ref": "RouteTableBPublic" } } }, "RouteTableAssociationAPrivate": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "SubnetAPrivate" }, "RouteTableId": { "Ref": "RouteTableAPrivate" } } }, "RouteTableAssociationBPrivate": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "SubnetBPrivate" }, "RouteTableId": { "Ref": "RouteTableBPrivate" } } }, "RouteTablePublicAInternetRoute": { "Type": "AWS::EC2::Route", "DependsOn": "VPCGatewayAttachment", "Properties": { "RouteTableId": { "Ref": "RouteTableAPublic" }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "InternetGateway" } } }, "RouteTablePublicBInternetRoute": { "Type": "AWS::EC2::Route", "DependsOn": "VPCGatewayAttachment", "Properties": { "RouteTableId": { "Ref": "RouteTableBPublic" }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "InternetGateway" } } }, "NetworkAclPublic": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "Public - sc-vpc-ra" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "NetworkAclPrivate": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": { "Ref": "VPC" }, "Tags": [ { "Key": "Name", "Value": "Private - sc-vpc-ra" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "SubnetNetworkAclAssociationAPublic": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": { "Ref": "SubnetAPublic" }, "NetworkAclId": { "Ref": "NetworkAclPublic" } } }, "SubnetNetworkAclAssociationBPublic": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": { "Ref": "SubnetBPublic" }, "NetworkAclId": { "Ref": "NetworkAclPublic" } } }, "SubnetNetworkAclAssociationAPrivate": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": { "Ref": "SubnetAPrivate" }, "NetworkAclId": { "Ref": "NetworkAclPrivate" } } }, "SubnetNetworkAclAssociationBPrivate": { "Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": { "SubnetId": { "Ref": "SubnetBPrivate" }, "NetworkAclId": { "Ref": "NetworkAclPrivate" } } }, "NetworkAclEntryInPublicAllowAll": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "NetworkAclPublic" }, "RuleNumber": 99, "Protocol": -1, "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPublicAllowAll": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "NetworkAclPublic" }, "RuleNumber": 99, "Protocol": -1, "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryInPrivateAllowVPC": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "NetworkAclPrivate" }, "RuleNumber": 99, "Protocol": -1, "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0" } }, "NetworkAclEntryOutPrivateAllowVPC": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "NetworkAclPrivate" }, "RuleNumber": 99, "Protocol": -1, "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0" } }, "NATGatewayA": { "DependsOn": "VPCGatewayAttachment", "Type": "AWS::EC2::NatGateway", "Properties": { "AllocationId": { "Fn::GetAtt": [ "NATGatewayAEIP", "AllocationId" ] }, "SubnetId": { "Ref": "SubnetAPublic" }, "Tags": [ { "Key": "Name", "Value": "nat-gateway-Aside" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "NATGatewayAEIP": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "NATGatewayARoute": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { "Ref": "RouteTableAPrivate" }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "NATGatewayA" } } }, "NATGatewayB": { "DependsOn": "VPCGatewayAttachment", "Type": "AWS::EC2::NatGateway", "Properties": { "AllocationId": { "Fn::GetAtt": [ "NATGatewayBEIP", "AllocationId" ] }, "SubnetId": { "Ref": "SubnetBPublic" }, "Tags": [ { "Key": "Name", "Value": "nat-gateway-Bside" }, { "Key": "Description", "Value": "Service-Catalog-VPC-Reference-Architecture" } ] } }, "NATGatewayBEIP": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "NATGatewayBRoute": { "Type": "AWS::EC2::Route", "Properties": { "RouteTableId": { "Ref": "RouteTableBPrivate" }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "NATGatewayB" } } } }, "Outputs": { "AWSRegionName": { "Value": { "Ref": "AWS::Region" } }, "RegionAZ1Name": { "Value": { "Ref": "RegionAZ1Name" } }, "RegionAZ2Name": { "Value": { "Ref": "RegionAZ2Name" } }, "VPCCIDR": { "Value": { "Fn::GetAtt": ["VPC","CidrBlock"] } }, "SubnetAPublicCIDR": { "Value": { "Ref": "SubnetAPublicCIDR" } }, "SubnetBPublicCIDR": { "Value": { "Ref": "SubnetBPublicCIDR" } }, "SubnetAPrivateCIDR": { "Value": { "Ref": "SubnetAPrivateCIDR" } }, "SubnetBPrivateCIDR": { "Value": { "Ref": "SubnetAPrivateCIDR" } }, "InternetGatewayID": { "Value": { "Ref": "InternetGateway" } }, "NATGatewayAID": { "Value": { "Ref": "NATGatewayA" } }, "NATGatewayAEIP": { "Value": { "Ref": "NATGatewayAEIP" } }, "NATGatewayBID": { "Value": { "Ref": "NATGatewayB" } }, "NATGatewayBEIP": { "Value": { "Ref": "NATGatewayBEIP" } }, "RouteTableAPublic": { "Value": { "Ref": "RouteTableAPublic" } }, "RouteTableBPublic": { "Value": { "Ref": "RouteTableBPublic" } }, "RouteTableAPrivate": { "Value": { "Ref": "RouteTableAPrivate" } }, "RouteTableBPrivate": { "Value": { "Ref": "RouteTableBPrivate" } }, "NetworkAclPublic": { "Value": { "Ref": "NetworkAclPublic" } }, "NetworkAclPrivate": { "Value": { "Ref": "NetworkAclPrivate" } } } }