AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  This template creates 2 Windows Server instances in private subnets in
  separate Availability Zones inside a VPC. After extending your on-premises
  network to the VPC, you can promote the Windows Server instances to Domain
  Controllers in your AD forest. **WARNING** This template creates Amazon EC2
  Windows instances and related resources. You will be billed for the AWS
  resources used if you create a stack from this template. QS(0002)
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Network Configuration
        Parameters:
          - VPCCIDR
          - VPCID
          - PrivateSubnet1CIDR
          - PrivateSubnet1ID
          - PrivateSubnet2CIDR
          - PrivateSubnet2ID
          - PublicSubnet1CIDR
          - PublicSubnet2CIDR
      - Label:
          default: Amazon EC2 Configuration
        Parameters:
          - KeyPairName
          - ADServer1InstanceType
          - ADServer1NetBIOSName
          - ADServer1PrivateIP
          - ADServer2InstanceType
          - ADServer2NetBIOSName
          - ADServer2PrivateIP
          - LatestAmiId
      - Label:
          default: AWS Quick Start Configuration
        Parameters:
          - QSS3BucketName
          - QSS3KeyPrefix
    ParameterLabels:
      ADServer1InstanceType:
        default: Domain Controller 1 Instance Type
      ADServer1NetBIOSName:
        default: Domain Controller 1 NetBIOS Name
      ADServer1PrivateIP:
        default: Domain Controller 1 Private IP Address
      ADServer2InstanceType:
        default: Domain Controller 2 Instance Type
      ADServer2NetBIOSName:
        default: Domain Controller 2 NetBIOS Name
      ADServer2PrivateIP:
        default: Domain Controller 2 Private IP Address
      KeyPairName:
        default: Key Pair Name
      LatestAmiId:
        default: SSM Parameter to Grab Latest AMI ID
      PrivateSubnet1CIDR:
        default: Private Subnet 1 CIDR
      PrivateSubnet1ID:
        default: Private Subnet 1 ID
      PrivateSubnet2CIDR:
        default: Private Subnet 2 CIDR
      PrivateSubnet2ID:
        default: Private Subnet 2 ID
      PublicSubnet1CIDR:
        default: Public Subnet 1 CIDR
      PublicSubnet2CIDR:
        default: Public Subnet 2 CIDR
      QSS3BucketName:
        default: Quick Start S3 Bucket Name
      QSS3KeyPrefix:
        default: Quick Start S3 Key Prefix
      VPCCIDR:
        default: VPC CIDR
Parameters:
  ADServer1InstanceType:
    AllowedValues:
      - t2.large
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
    Default: m4.xlarge
    Description: Amazon EC2 instance type for the first Active Directory instance
    Type: String
  ADServer1NetBIOSName:
    AllowedPattern: '[a-zA-Z0-9\-]+'
    Default: DC1
    Description: NetBIOS name of the 1st AD Server (up to 15 characters)
    MaxLength: '15'
    MinLength: '1'
    Type: String
  ADServer1PrivateIP:
    Default: 10.0.0.10
    Description: Fixed private IP for the first Active Directory server located in AZ1
    Type: String
  ADServer2InstanceType:
    AllowedValues:
      - t2.large
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
    Default: m4.xlarge
    Description: Amazon EC2 instance type for the second Active Directory instance
    Type: String
  ADServer2NetBIOSName:
    AllowedPattern: '[a-zA-Z0-9\-]+'
    Default: DC2
    Description: NetBIOS name of the 2nd AD Server (up to 15 characters)
    MaxLength: '15'
    MinLength: '1'
    Type: String
  ADServer2PrivateIP:
    Default: 10.0.32.10
    Description: Fixed private IP for the second Active Directory server located in AZ2
    Type: String
  KeyPairName:
    Description: Public/private key pairs allow you to securely connect to your instance after it launches
    Type: AWS::EC2::KeyPair::KeyName
  LatestAmiId:
    # SSM public parameter that resolves to the current Windows Server 2019 AMI at stack creation time
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base
  PrivateSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.0.0/19
    Description: CIDR block for private subnet 1 located in Availability Zone 1.
    Type: String
  PrivateSubnet1ID:
    Description: ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd)
    Type: AWS::EC2::Subnet::Id
  PrivateSubnet2CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.32.0/19
    Description: CIDR block for private subnet 2 located in Availability Zone 2.
    Type: String
  PrivateSubnet2ID:
    Description: ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd)
    Type: AWS::EC2::Subnet::Id
  PublicSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.128.0/20
    Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1
    Type: String
  PublicSubnet2CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.144.0/20
    Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2
    Type: String
  QSS3BucketName:
    AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
    ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Default: aws-quickstart
    Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).
    Default: quickstart-microsoft-activedirectory/
    Description: S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).
    Type: String
  VPCCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.0.0/16
    Description: CIDR block for the VPC
    Type: String
  VPCID:
    Description: ID of the VPC (e.g., vpc-0343606e)
    Type: AWS::EC2::VPC::Id
Rules:
  SubnetsInVPC:
    Assertions:
      - Assert: !EachMemberIn
          - !ValueOfAll
            - AWS::EC2::Subnet::Id
            - VpcId
          - !RefAll 'AWS::EC2::VPC::Id'
        AssertDescription: All subnets must be in the VPC
Conditions:
  GovCloudCondition: !Equals
    - !Ref 'AWS::Region'
    - us-gov-west-1
Resources:
  ADServerRole:
    Type: AWS::IAM::Role
    Properties:
      Policies:
        - PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only access, scoped to the Quick Start assets under the configured bucket/prefix
              - Action:
                  - s3:GetObject
                Resource: !Sub
                  - arn:${Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*
                  - Partition: !If
                      - GovCloudCondition
                      - aws-us-gov
                      - aws
                Effect: Allow
          PolicyName: aws-quick-start-s3-policy
      Path: /
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Principal:
              Service:
                - ec2.amazonaws.com
            Effect: Allow
        Version: '2012-10-17'
  ADServerProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref 'ADServerRole'
      Path: /
  DomainController1:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::CloudFormation::Authentication:
        S3AccessCreds:
          type: S3
          roleName: !Ref 'ADServerRole'
          buckets:
            - !Ref 'QSS3BucketName'
      AWS::CloudFormation::Init:
        configSets:
          config:
            - setup
            - rename
            - finalize
        setup:
          files:
            c:\cfn\cfn-hup.conf:
              content: !Join
                - ''
                - - "[main]\n"
                  - stack=
                  - !Ref 'AWS::StackName'
                  - "\n"
                  - region=
                  - !Ref 'AWS::Region'
                  - "\n"
            c:\cfn\hooks.d\cfn-auto-reloader.conf:
              content: !Join
                - ''
                - - "[cfn-auto-reloader-hook]\n"
                  - "triggers=post.update\n"
                  - "path=Resources.DomainController1.Metadata.AWS::CloudFormation::Init\n"
                  - 'action=cfn-init.exe -v -c config -s '
                  - !Ref 'AWS::StackId'
                  - ' -r DomainController1'
                  - ' --region '
                  - !Ref 'AWS::Region'
                  - "\n"
            # Pins the DHCP-assigned address, gateway and DNS servers as a static configuration
            c:\cfn\scripts\Set-StaticIP.ps1:
              content: !Join
                - ''
                - - $netip = Get-NetIPConfiguration;
                  - $ipconfig = Get-NetIPAddress | ?{$_.IpAddress -eq $netip.IPv4Address.IpAddress};
                  - Get-NetAdapter | Set-NetIPInterface -DHCP Disabled;
                  - Get-NetAdapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress $netip.IPv4Address.IpAddress -PrefixLength $ipconfig.PrefixLength -DefaultGateway $netip.IPv4DefaultGateway.NextHop;
                  - Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.DNSServer.ServerAddresses;
                  - "\n"
          services:
            windows:
              cfn-hup:
                enabled: 'true'
                ensureRunning: 'true'
                files:
                  - c:\cfn\cfn-hup.conf
                  - c:\cfn\hooks.d\cfn-auto-reloader.conf
        rename:
          commands:
            a-set-static-ip:
              command: !Join
                - ''
                - - powershell.exe -ExecutionPolicy RemoteSigned -Command c:\cfn\scripts\Set-StaticIP.ps1
              waitAfterCompletion: '45'
            b-execute-powershell-script-RenameComputer:
              command: !Join
                - ''
                - - 'powershell.exe Rename-Computer -NewName '
                  - !Ref 'ADServer1NetBIOSName'
                  - ' -Restart'
              # The rename reboots the instance; cfn-init resumes with the next config set after the restart
              waitAfterCompletion: forever
        finalize:
          commands:
            1-signal-success:
              command: !Join
                - ''
                - - 'cfn-signal.exe -e 0 "'
                  - !Ref 'DomainController1WaitHandle'
                  - '"'
    Properties:
      ImageId: !Ref 'LatestAmiId'
      IamInstanceProfile: !Ref 'ADServerProfile'
      InstanceType: !Ref 'ADServer1InstanceType'
      SubnetId: !Ref 'PrivateSubnet1ID'
      Tags:
        - Key: Name
          Value: !Ref 'ADServer1NetBIOSName'
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 100
            VolumeType: gp2
      SecurityGroupIds:
        - !Ref 'DomainController1SG'
      PrivateIpAddress: !Ref 'ADServer1PrivateIP'
      KeyName: !Ref 'KeyPairName'
      # User data runs cfn-init with the same arguments as the cfn-auto-reloader hook above
      UserData: !Base64
        Fn::Join:
          - ''
          - - "<script>\n"
            - 'cfn-init.exe -v -c config -s '
            - !Ref 'AWS::StackId'
            - ' -r DomainController1'
            - ' --region '
            - !Ref 'AWS::Region'
            - "\n"
            - "</script>\n"
  DomainController2:
    Type: AWS::EC2::Instance
    DependsOn: DomainController1WaitCondition
    Metadata:
      AWS::CloudFormation::Authentication:
        S3AccessCreds:
          type: S3
          roleName: !Ref 'ADServerRole'
          buckets:
            - !Ref 'QSS3BucketName'
      AWS::CloudFormation::Init:
        configSets:
          config:
            - setup
            - rename
            - finalize
        setup:
          files:
            c:\cfn\cfn-hup.conf:
              content: !Join
                - ''
                - - "[main]\n"
                  - stack=
                  - !Ref 'AWS::StackName'
                  - "\n"
                  - region=
                  - !Ref 'AWS::Region'
                  - "\n"
            c:\cfn\hooks.d\cfn-auto-reloader.conf:
              content: !Join
                - ''
                - - "[cfn-auto-reloader-hook]\n"
                  - "triggers=post.update\n"
                  - "path=Resources.DomainController2.Metadata.AWS::CloudFormation::Init\n"
                  - 'action=cfn-init.exe -v -c config -s '
                  - !Ref 'AWS::StackId'
                  - ' -r DomainController2'
                  - ' --region '
                  - !Ref 'AWS::Region'
                  - "\n"
            c:\cfn\scripts\Set-StaticIP.ps1:
              content: !Join
                - ''
                - - $netip = Get-NetIPConfiguration;
                  - $ipconfig = Get-NetIPAddress | ?{$_.IpAddress -eq $netip.IPv4Address.IpAddress};
                  - Get-NetAdapter | Set-NetIPInterface -DHCP Disabled;
                  - Get-NetAdapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress $netip.IPv4Address.IpAddress -PrefixLength $ipconfig.PrefixLength -DefaultGateway $netip.IPv4DefaultGateway.NextHop;
                  - Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.DNSServer.ServerAddresses;
                  - "\n"
          services:
            windows:
              cfn-hup:
                enabled: 'true'
                ensureRunning: 'true'
                files:
                  - c:\cfn\cfn-hup.conf
                  - c:\cfn\hooks.d\cfn-auto-reloader.conf
        rename:
          commands:
            a-set-static-ip:
              command: !Join
                - ''
                - - powershell.exe -ExecutionPolicy RemoteSigned -Command c:\cfn\scripts\Set-StaticIP.ps1
              waitAfterCompletion: '45'
            b-execute-powershell-script-RenameComputer:
              command: !Join
                - ''
                - - 'powershell.exe Rename-Computer -NewName '
                  - !Ref 'ADServer2NetBIOSName'
                  - ' -Restart'
              waitAfterCompletion: forever
        finalize:
          commands:
            1-signal-success:
              command: !Join
                - ''
                - - 'cfn-signal.exe -e 0 "'
                  - !Ref 'DomainController2WaitHandle'
                  - '"'
    Properties:
      ImageId: !Ref 'LatestAmiId'
      IamInstanceProfile: !Ref 'ADServerProfile'
      InstanceType: !Ref 'ADServer2InstanceType'
      SubnetId: !Ref 'PrivateSubnet2ID'
      Tags:
        - Key: Name
          Value: !Ref 'ADServer2NetBIOSName'
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 100
            VolumeType: gp2
      SecurityGroupIds:
        - !Ref 'DomainController2SG'
      PrivateIpAddress: !Ref 'ADServer2PrivateIP'
      KeyName: !Ref 'KeyPairName'
      # User data runs cfn-init with the same arguments as the cfn-auto-reloader hook above
      UserData: !Base64
        Fn::Join:
          - ''
          - - "<script>\n"
            - 'cfn-init.exe -v -c config -s '
            - !Ref 'AWS::StackId'
            - ' -r DomainController2'
            - ' --region '
            - !Ref 'AWS::Region'
            - "\n"
            - "</script>\n"
  DomainController1WaitCondition:
    Type: AWS::CloudFormation::WaitCondition
    DependsOn: DomainController1
    Properties:
      Handle: !Ref 'DomainController1WaitHandle'
      Timeout: '3600'
  DomainController1WaitHandle:
    Type: AWS::CloudFormation::WaitConditionHandle
  DomainController2WaitCondition:
    Type: AWS::CloudFormation::WaitCondition
    DependsOn: DomainController2
    Properties:
      Handle: !Ref 'DomainController2WaitHandle'
      Timeout: '3600'
  DomainController2WaitHandle:
    Type: AWS::CloudFormation::WaitConditionHandle
  # Domain Controller 1: AD/DS ports are opened to the peer DC's subnet and to the Domain Members
  # security group; WinRM, HTTP and DNS are opened to the whole VPC; RDP and ICMP only to the public subnets.
  DomainController1SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Domain Controller
      VpcId: !Ref 'VPCID'
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5985
          ToPort: 5985
          CidrIp: !Ref 'VPCCIDR'
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: !Ref 'VPCCIDR'
        - IpProtocol: udp
          FromPort: 123
          ToPort: 123
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 135
          ToPort: 135
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 9389
          ToPort: 9389
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: udp
          FromPort: 138
          ToPort: 138
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 445
          ToPort: 445
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: udp
          FromPort: 445
          ToPort: 445
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: udp
          FromPort: 464
          ToPort: 464
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 464
          ToPort: 464
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 49152
          ToPort: 65535
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: udp
          FromPort: 49152
          ToPort: 65535
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 389
          ToPort: 389
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: udp
          FromPort: 389
          ToPort: 389
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 636
          ToPort: 636
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 3268
          ToPort: 3268
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 3269
          ToPort: 3269
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref 'VPCCIDR'
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref 'VPCCIDR'
        - IpProtocol: tcp
          FromPort: 9389
          ToPort: 9389
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 88
          ToPort: 88
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: udp
          FromPort: 88
          ToPort: 88
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: udp
          FromPort: 5355
          ToPort: 5355
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: udp
          FromPort: 137
          ToPort: 137
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 139
          ToPort: 139
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 5722
          ToPort: 5722
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: udp
          FromPort: 123
          ToPort: 123
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 135
          ToPort: 135
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 9389
          ToPort: 9389
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 138
          ToPort: 138
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 445
          ToPort: 445
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 445
          ToPort: 445
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 464
          ToPort: 464
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 464
          ToPort: 464
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 49152
          ToPort: 65535
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 49152
          ToPort: 65535
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 389
          ToPort: 389
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 389
          ToPort: 389
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 636
          ToPort: 636
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 3268
          ToPort: 3268
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 3269
          ToPort: 3269
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 88
          ToPort: 88
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 88
          ToPort: 88
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref 'PublicSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref 'PublicSubnet2CIDR'
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: !Ref 'PublicSubnet1CIDR'
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: !Ref 'PublicSubnet2CIDR'
  # Domain Controller 2: mirror of DomainController1SG with the peer subnet swapped to PrivateSubnet1CIDR
  DomainController2SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Domain Controller
      VpcId: !Ref 'VPCID'
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5985
          ToPort: 5985
          CidrIp: !Ref 'VPCCIDR'
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: !Ref 'VPCCIDR'
        - IpProtocol: udp
          FromPort: 123
          ToPort: 123
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 135
          ToPort: 135
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 9389
          ToPort: 9389
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: udp
          FromPort: 138
          ToPort: 138
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 445
          ToPort: 445
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: udp
          FromPort: 445
          ToPort: 445
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: udp
          FromPort: 464
          ToPort: 464
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 464
          ToPort: 464
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 49152
          ToPort: 65535
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: udp
          FromPort: 49152
          ToPort: 65535
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 389
          ToPort: 389
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: udp
          FromPort: 389
          ToPort: 389
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 636
          ToPort: 636
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 3268
          ToPort: 3268
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 3269
          ToPort: 3269
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref 'VPCCIDR'
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref 'VPCCIDR'
        - IpProtocol: tcp
          FromPort: 9389
          ToPort: 9389
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 88
          ToPort: 88
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: udp
          FromPort: 88
          ToPort: 88
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: udp
          FromPort: 5355
          ToPort: 5355
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: udp
          FromPort: 137
          ToPort: 137
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 139
          ToPort: 139
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 5722
          ToPort: 5722
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: udp
          FromPort: 123
          ToPort: 123
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 135
          ToPort: 135
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 9389
          ToPort: 9389
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 138
          ToPort: 138
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 445
          ToPort: 445
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 445
          ToPort: 445
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 464
          ToPort: 464
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 464
          ToPort: 464
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 49152
          ToPort: 65535
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 49152
          ToPort: 65535
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 389
          ToPort: 389
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 389
          ToPort: 389
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 636
          ToPort: 636
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 3268
          ToPort: 3268
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 3269
          ToPort: 3269
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 88
          ToPort: 88
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: udp
          FromPort: 88
          ToPort: 88
          SourceSecurityGroupId: !Ref 'DomainMemberSG'
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref 'PublicSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref 'PublicSubnet2CIDR'
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: !Ref 'PublicSubnet1CIDR'
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: !Ref 'PublicSubnet2CIDR'
  # Domain members accept WinRM, DNS and the RPC dynamic port range from both DC subnets, and RDP from the public subnets
  DomainMemberSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Domain Members
      VpcId: !Ref 'VPCID'
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5985
          ToPort: 5985
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 49152
          ToPort: 65535
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: udp
          FromPort: 49152
          ToPort: 65535
          CidrIp: !Ref 'PrivateSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 5985
          ToPort: 5985
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 49152
          ToPort: 65535
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: udp
          FromPort: 49152
          ToPort: 65535
          CidrIp: !Ref 'PrivateSubnet2CIDR'
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref 'PublicSubnet1CIDR'
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref 'PublicSubnet2CIDR'
Outputs:
  DomainMemberSGID:
    Value: !Ref 'DomainMemberSG'
    Description: Domain Member Security Group ID
  DC1InstanceId:
    Value: !Ref 'DomainController1'
    Description: DomainController 1 instance ID
  DC2InstanceId:
    Value: !Ref 'DomainController2'
    Description: DomainController 2 instance ID