--- AWSTemplateFormatVersion: "2010-09-09" Description: "This template deploys a VPC, with three subnets (management, client, server) for two Availability Zones. It deploys an internet gateway with a default route on the public subnets. This template also creates an HA pair across Availability Zones with two instances of Citrix WAF: three elastic network interfaces associated with three VPC subnets (management, client, server) on primary and three network interfaces associated with three VPC subnets (management, client, server) on secondary. All the resource names created by this AWS CloudFormation template will be prefixed with a tagName of the stackname. **WARNING** This template creates AWS resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1qtlldbck)" Metadata: QuickStartDocumentation: EntrypointName: "Parameters for launching into a new VPC" OptionalParameters: - PrimaryManagementPrivateIP - PrimaryClientPrivateIP - PrimaryServerPrivateIP - SecondaryManagementPrivateIP - SecondaryClientPrivateIP - SecondaryServerPrivateIP - CitrixADCImageID - CitrixADCIAMRole - ADMIP - LicensingMode - Platform AWS::CloudFormation::Interface: ParameterGroups: - Label: default: VPC network configuration Parameters: - PrimaryAvailabilityZone - SecondaryAvailabilityZone - VPCCIDR - RestrictedWebAppCIDR - RestrictedSSHCIDR - PrimaryManagementPrivateSubnetCIDR - PrimaryClientPublicSubnetCIDR - PrimaryServerPrivateSubnetCIDR - SecondaryManagementPrivateSubnetCIDR - SecondaryClientPublicSubnetCIDR - SecondaryServerPrivateSubnetCIDR - PrimaryManagementPrivateIP - PrimaryClientPrivateIP - PrimaryServerPrivateIP - SecondaryManagementPrivateIP - SecondaryClientPrivateIP - SecondaryServerPrivateIP - VPCTenancy - Label: default: Bastion host configuration Parameters: - BastionRequired - Label: default: Citrix WAF configuration Parameters: - KeyPairName - CitrixADCInstanceType - CitrixADCImageID - CitrixADCIAMRole - ClientEIPRequired - Label: default: Licensing configuration Parameters: - PooledLicense - ADMIP - LicensingMode - Bandwidth - PooledEdition - Platform - VCPUEdition - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: CitrixADCImageID: default: Citrix WAF AMI ID VPCCIDR: default: VPC CIDR PrimaryAvailabilityZone: default: Primary Availability Zone PrimaryManagementPrivateSubnetCIDR: default: Primary management private subnet CIDR PrimaryClientPublicSubnetCIDR: default: Primary client public subnet CIDR PrimaryServerPrivateSubnetCIDR: default: Primary server private subnet CIDR SecondaryAvailabilityZone: default: Secondary Availability Zone SecondaryManagementPrivateSubnetCIDR: default: Secondary management private subnet CIDR SecondaryClientPublicSubnetCIDR: default: Secondary client public subnet CIDR SecondaryServerPrivateSubnetCIDR: default: Secondary server private subnet CIDR PrimaryManagementPrivateIP: default: Primary management private IP (NSIP) PrimaryClientPrivateIP: default: Primary client private IP (VIP) PrimaryServerPrivateIP: default: Primary server private IP (SNIP) SecondaryManagementPrivateIP: default: Secondary management private IP (NSIP) SecondaryClientPrivateIP: default: Secondary client private IP (VIP) SecondaryServerPrivateIP: default: Secondary server private IP (SNIP) BastionRequired: default: Create bastion host VPCTenancy: default: VPC tenancy attribute RestrictedWebAppCIDR: default: Restricted web app CIDR RestrictedSSHCIDR: default: Restricted SSH CIDR KeyPairName: default: Key pair name CitrixADCInstanceType: default: Citrix WAF instance type CitrixADCIAMRole: default: Citrix WAF IAM role ClientEIPRequired: default: Assign Elastic IP address to client VIP PooledLicense: default: Pooled license from ADM ADMIP: default: Citrix ADM IP address LicensingMode: default: Licensing mode Platform: default: Appliance platform type Bandwidth: default: License bandwidth in Mbps PooledEdition: default: Pooled edition VCPUEdition: default: vCPU Edition QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket Region QSS3KeyPrefix: default: Quick Start S3 key prefix Parameters: CitrixADCImageID: Type: String Default: "" Description: >- (Optional) AMI ID of the Citrix WAF to be provisioned. If you are opting for a pooled license from ADM, enter the latest BYOL AMI ID. If opting for a PAYG subscription license, enter the AMI ID of the Citrix WAF to be provisioned. If you keep this box blank, Citrix Web App Firewall (WAF) - 200 Mbps Version 13.0-52.24 (https://aws.amazon.com/marketplace/pp/B08286P96W) is provisioned by default. VPCCIDR: Description: CIDR block for the VPC. Must be a valid IP CIDR range of the form x.x.x.x/x. Type: String Default: 10.0.0.0/16 MinLength: 9 MaxLength: 18 AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. VPCTenancy: Description: Allowed tenancy of instances launched into the VPC. To launch EC2 instances dedicated to a single customer, choose dedicated. See InstanceTenancy at https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html. Type: String Default: default AllowedValues: - default - dedicated PrimaryAvailabilityZone: Description: Availability Zone for primary Citrix WAF deployment. Type: AWS::EC2::AvailabilityZone::Name SecondaryAvailabilityZone: Description: Availability Zone for secondary Citrix WAF deployment. Type: AWS::EC2::AvailabilityZone::Name PrimaryManagementPrivateSubnetCIDR: Description: CIDR block for the primary management private subnet located in the primary Availability Zone. Type: String Default: 10.0.1.0/24 MinLength: 9 MaxLength: 18 AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. PrimaryClientPublicSubnetCIDR: Description: CIDR block for the primary client public subnet located in the primary Availability Zone. Type: String Default: 10.0.2.0/24 MinLength: 9 MaxLength: 18 AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. PrimaryServerPrivateSubnetCIDR: Description: CIDR block for the primary server private subnet located in the primary Availability Zone. Type: String Default: 10.0.3.0/24 MinLength: 9 MaxLength: 18 AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. SecondaryManagementPrivateSubnetCIDR: Description: CIDR block for the secondary management private subnet located in the secondary Availability Zone. Type: String Default: 10.0.4.0/24 MinLength: 9 MaxLength: 18 AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. SecondaryClientPublicSubnetCIDR: Description: CIDR block for the secondary client public subnet located in the secondary Availability Zone. Type: String Default: 10.0.5.0/24 MinLength: 9 MaxLength: 18 AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. SecondaryServerPrivateSubnetCIDR: Description: CIDR block for the secondary server private subnet located in the secondary Availability Zone. Type: String Default: 10.0.6.0/24 MinLength: 9 MaxLength: 18 AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. PrimaryManagementPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the primary Citrix WAF instance's management network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the primary management subnet CIDR. PrimaryClientPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the primary Citrix WAF instance's client network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the primary client subnet CIDR. PrimaryServerPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the primary Citrix WAF instance's server network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the primary server subnet CIDR. SecondaryManagementPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the secondary Citrix WAF instance's management network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the secondary management subnet CIDR. SecondaryClientPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the secondary Citrix WAF instance's client network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the secondary client subnet CIDR. SecondaryServerPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the secondary Citrix WAF instance's server network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the secondary server subnet CIDR. QSS3BucketName: AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" ConstraintDescription: >- Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: >- S3 bucket that you created for your copy of Quick Start assets. Use this if you decide to customize the Quick Start. This bucket name can include numbers, lowercase letters, uppercase letters, and hyphens but should not start or end with a hyphen. Type: String QSS3BucketRegion: Default: "us-east-1" Description: "AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value." Type: String QSS3KeyPrefix: AllowedPattern: "^[0-9a-zA-Z-/]*/$" ConstraintDescription: >- Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-citrix-adc-waf/ Description: >- S3 key name prefix that is used to simulate a directory for your copy of Quick Start assets. Use this if you decide to customize the Quick Start. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html. Type: String RestrictedWebAppCIDR: Type: String MinLength: 9 MaxLength: 18 Description: "CIDR block that is allowed to access the web apps behind WAF on TCP ports 80, 443. We recommend that you use a constrained CIDR range to reduce the potential of inbound attacks from unknown IP addresses. Using 0.0.0.0/0 enables all IP addresses to access your instance using SSH." AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. RestrictedSSHCIDR: Type: String MinLength: 9 MaxLength: 18 Description: "CIDR block that is allowed to access the bastion host (if present) or WAF management interface on port 22. We recommend that you use a constrained CIDR range to reduce the potential of inbound attacks from unknown IP addresses. Note: Since the WAF management interface is deployed in a private subnet, initiate the SSH connection from a host with network connectivity to this private subnet, like bastion host or on-premises host with AWS Direct Connect." AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. KeyPairName: Description: Name of an existing public/private key pair. If you do not have one in this AWS Region, create it before continuing. Type: AWS::EC2::KeyPair::KeyName CitrixADCInstanceType: Default: m4.xlarge ConstraintDescription: Must be a valid EC2 instance type. Type: String Description: "EC2 instance type to use for the WAF instances. Choose an instance type that’s available in the AWS Marketplace for the Region of deployment." AllowedValues: - t2.medium - t2.large - t2.xlarge - t2.2xlarge - m3.large - m3.xlarge - m3.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge - m4.10xlarge - m4.16xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge - m5.8xlarge - m5.12xlarge - m5.16xlarge - m5.24xlarge - c4.large - c4.xlarge - c4.2xlarge - c4.4xlarge - c4.8xlarge - c5.large - c5.xlarge - c5.2xlarge - c5.4xlarge - c5.9xlarge - c5.12xlarge - c5.18xlarge - c5.24xlarge - c5n.large - c5n.xlarge - c5n.2xlarge - c5n.4xlarge - c5n.9xlarge - c5n.18xlarge CitrixADCIAMRole: Description: "(Optional) If you want to use an existing role or create a new one, ensure that it has the required permissions, and then enter the name of the role. Otherwise, keep this box blank, and the deployment creates the required IAM role. See https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-aws/prerequisites.html." Type: String Default: "" PooledLicense: Description: >- If choosing BYOL option for licensing, choose Yes. This would allow you to upload your already purchased licenses. Before choosing Yes, configure Citrix ADM as a license server for the Citrix ADC pooled capacity. Refer to https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/license-server/adc-pooled-capacity/configuring-adc-pooled-capacity.html#configure-citrix-adm-as-a-license-server for details. Type: String Default: "No" AllowedValues: - "No" - "Yes" LicensingMode: Description: >- (Optional) By default, Citrix Web App Firewall (WAF) - 200 Mbps Version 13.0-52.24 (https://aws.amazon.com/marketplace/pp/B08286P96W) is provisioned. If you are opting for the BYOL license from ADM, choose Yes for PooledLicense, enter the latest BYOL AMI ID in the CitrixADCImageID box, and choose one of the three licensing modes: Pooled-Licensing, CICO-Licensing (check-in-check-out), CPU-Licensing. Type: String Default: "" AllowedValues: - "" - "Pooled-Licensing" - "CICO-Licensing" - "CPU-Licensing" ADMIP: Description: "(Optional) IP address of the Citrix ADM (deployed either on-premises or as an agent in cloud) reachable from the ADC instances. If using pool licensing, enter an IP address. Otherwise, keep this box blank." Type: String Default: "" Bandwidth: Description: >- (Optional) Specify only if the licensing mode is Pooled-Licensing. It allocates an initial bandwidth of the license in Mbps to be allocated after BYOL ADCs are created. If using, enter a multiple of 10 Mbps. Type: Number Default: 0 PooledEdition: Description: "(Optional) License edition for pooled capacity licensing mode. This is used only if licensing mode is Pooled-Licensing." Type: String Default: Premium AllowedValues: - Premium VCPUEdition: Description: "(Optional) License edition for vCPU licensing mode. This is needed only if licensing mode is CPU-Licensing." Type: String Default: Premium AllowedValues: - Premium Platform: Description: "(Optional) Appliance platform type for vCPU licensing mode. If licensing mode is CICO-Licensing, choose VPX-200, VPX-1000, VPX-3000, or VPX-5000." Type: String Default: "" AllowedValues: - "" - VPX-200 - VPX-1000 - VPX-3000 - VPX-5000 BastionRequired: Type: String Default: "No" Description: For a sandbox deployment, choose Yes from the dropdown list. This deploys a Linux bastion host in the public subnet with an Elastic IP address that gives you access to the components in the private and public subnets. AllowedValues: - "No" - "Yes" ClientEIPRequired: Type: String Default: "Yes" Description: Choose No to assign client Elastic IP address manually after the deployment. AllowedValues: - "No" - "Yes" Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, "aws-quickstart"] UseBastion: !Equals [!Ref BastionRequired, "Yes"] UseClientEIP: !Equals [!Ref ClientEIPRequired, "Yes"] CreateIAMRole: !Equals [!Ref CitrixADCIAMRole, ""] Resources: VPCStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: NumberOfAZs: "2" AvailabilityZones: !Join - "," - - !Ref PrimaryAvailabilityZone - !Ref SecondaryAvailabilityZone VPCCIDR: !Ref VPCCIDR PublicSubnet1CIDR: !Ref PrimaryClientPublicSubnetCIDR PublicSubnet2CIDR: !Ref SecondaryClientPublicSubnetCIDR CreatePrivateSubnets: "true" PrivateSubnet1ACIDR: !Ref PrimaryServerPrivateSubnetCIDR PrivateSubnet2ACIDR: !Ref SecondaryServerPrivateSubnetCIDR CreateAdditionalPrivateSubnets: "true" PrivateSubnet1BCIDR: !Ref PrimaryManagementPrivateSubnetCIDR PrivateSubnet2BCIDR: !Ref SecondaryManagementPrivateSubnetCIDR VPCTenancy: !Ref VPCTenancy DeleteServersideNATGWSRoutetack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/update-serverside-route-table.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: PrimaryPrivateServerSubnetRouteTableID: !GetAtt VPCStack.Outputs.PrivateSubnet1ARouteTable SecondaryPrivateServerSubnetRouteTableID: !GetAtt VPCStack.Outputs.PrivateSubnet2ARouteTable BastionStack: Condition: UseBastion Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}submodules/quickstart-linux-bastion/templates/linux-bastion.template - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: BastionAMIOS: Ubuntu-Server-16.04-LTS-HVM KeyPairName: !Ref KeyPairName NumBastionHosts: "1" PublicSubnet1ID: !GetAtt VPCStack.Outputs.PublicSubnet1ID PublicSubnet2ID: !GetAtt VPCStack.Outputs.PublicSubnet2ID QSS3BucketName: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] QSS3BucketRegion: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] QSS3KeyPrefix: !Sub ${QSS3KeyPrefix}submodules/quickstart-linux-bastion/ RemoteAccessCIDR: !Ref RestrictedSSHCIDR VPCID: !GetAtt VPCStack.Outputs.VPCID WorkLoadStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/citrix-adc-waf-workload.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: VPCID: !GetAtt VPCStack.Outputs.VPCID VPCTenancy: !Ref VPCTenancy RestrictedSSHCIDR: !Ref RestrictedSSHCIDR RestrictedWebAppCIDR: !Ref RestrictedWebAppCIDR PrimaryManagementPrivateSubnetID: !GetAtt VPCStack.Outputs.PrivateSubnet1BID PrimaryClientPublicSubnetID: !GetAtt VPCStack.Outputs.PublicSubnet1ID PrimaryServerPrivateSubnetID: !GetAtt VPCStack.Outputs.PrivateSubnet1AID SecondaryManagementPrivateSubnetID: !GetAtt VPCStack.Outputs.PrivateSubnet2BID SecondaryClientPublicSubnetID: !GetAtt VPCStack.Outputs.PublicSubnet2ID SecondaryServerPrivateSubnetID: !GetAtt VPCStack.Outputs.PrivateSubnet2AID PrimaryManagementPrivateIP: !Ref PrimaryManagementPrivateIP PrimaryClientPrivateIP: !Ref PrimaryClientPrivateIP PrimaryServerPrivateIP: !Ref PrimaryServerPrivateIP SecondaryManagementPrivateIP: !Ref SecondaryManagementPrivateIP SecondaryClientPrivateIP: !Ref SecondaryClientPrivateIP SecondaryServerPrivateIP: !Ref SecondaryServerPrivateIP BastionSecurityGroupID: !If - UseBastion - !GetAtt BastionStack.Outputs.BastionSecurityGroupID - "" CitrixADCImageID: !Ref CitrixADCImageID KeyPairName: !Ref KeyPairName CitrixADCIAMRole: !Ref CitrixADCIAMRole ClientEIPRequired: !Ref ClientEIPRequired CitrixADCInstanceType: !Ref CitrixADCInstanceType PooledLicense: !Ref PooledLicense ADMIP: !Ref ADMIP LicensingMode: !Ref LicensingMode Bandwidth: !Ref Bandwidth PooledEdition: !Ref PooledEdition Platform: !Ref Platform VCPUEdition: !Ref VCPUEdition QSS3BucketName: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] QSS3BucketRegion: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] QSS3KeyPrefix: !Ref QSS3KeyPrefix Outputs: VPCID: Description: VPC ID Value: !GetAtt VPCStack.Outputs.VPCID PrimaryManagementPrivateSubnetID: Description: Primary management private subnet ID Value: !GetAtt VPCStack.Outputs.PrivateSubnet1BID PrimaryClientPublicSubnetID: Description: Primary client public subnet ID Value: !GetAtt VPCStack.Outputs.PublicSubnet1ID PrimaryServerPrivateSubnetID: Description: Primary server private subnet ID Value: !GetAtt VPCStack.Outputs.PrivateSubnet1AID SecondaryManagementPrivateSubnetID: Description: Secondary management private subnet ID Value: !GetAtt VPCStack.Outputs.PrivateSubnet2BID SecondaryClientPublicSubnetID: Description: Secondary client public subnet ID Value: !GetAtt VPCStack.Outputs.PublicSubnet2ID SecondaryServerPrivateSubnetID: Description: Secondary server private subnet ID Value: !GetAtt VPCStack.Outputs.PrivateSubnet2AID ManagementSecurityGroupID: Description: Security group ID for management WAF ENIs Value: !GetAtt WorkLoadStack.Outputs.ManagementSecurityGroupID ClientSecurityGroupID: Description: Security group ID for client WAF ENIs Value: !GetAtt WorkLoadStack.Outputs.ClientSecurityGroupID ServerSecurityGroupID: Description: Security group ID for server WAF ENIs Value: !GetAtt WorkLoadStack.Outputs.ServerSecurityGroupID InstanceProfileName: Condition: CreateIAMRole Description: Instance profile for ADCs Value: !GetAtt WorkLoadStack.Outputs.InstanceProfileName PrimaryADCInstanceID: Description: Primary WAF instance ID Value: !GetAtt WorkLoadStack.Outputs.PrimaryADCInstanceID PrimaryManagementPrivateNSIP: Description: Primary management private NSIP Value: !GetAtt WorkLoadStack.Outputs.PrimaryManagementPrivateNSIP PrimaryClientPublicEIP: Condition: UseClientEIP Description: Primary client public EIP Value: !GetAtt WorkLoadStack.Outputs.PrimaryClientPublicEIP PrimaryClientPrivateVIP: Description: Primary client private VIP Value: !GetAtt WorkLoadStack.Outputs.PrimaryClientPrivateVIP SecondaryADCInstanceID: Description: Secondary WAF instance ID Value: !GetAtt WorkLoadStack.Outputs.SecondaryADCInstanceID SecondaryManagementPrivateNSIP: Description: Secondary management private NSIP Value: !GetAtt WorkLoadStack.Outputs.SecondaryManagementPrivateNSIP SecondaryClientPrivateVIP: Description: Secondary client private VIP Value: !GetAtt WorkLoadStack.Outputs.SecondaryClientPrivateVIP LinuxBastionHostEIP1: Condition: UseBastion Description: Elastic IP address for bastion host 1 Value: !GetAtt BastionStack.Outputs.EIP1 # LinuxBastionHostEIP2: # Condition: 2BastionCondition # Description: Elastic IP address for bastion host 2 # Value: !GetAtt BastionStack.Outputs.EIP2