--- AWSTemplateFormatVersion: "2010-09-09" Description: " This template creates an HA pair across Availability Zones with two instances of Citrix WAF: three elastic network interfaces associated with three VPC subnets (management, client, server) on primary and three network interfaces associated with three VPC subnets (management, client, server) on secondary. All the resource names created by this AWS CloudFormation template will be prefixed with a tagName of the stackname. **WARNING** This template creates AWS resources. You will be billed for the AWS resources used if you create a stack from this template. (qs-1qtlldbfr)" Metadata: QuickStartDocumentation: EntrypointName: "Parameters for launching into an existing VPC" OptionalParameters: - PrimaryManagementPrivateIP - PrimaryClientPrivateIP - PrimaryServerPrivateIP - SecondaryManagementPrivateIP - SecondaryClientPrivateIP - SecondaryServerPrivateIP - CitrixADCImageID - CitrixADCIAMRole - ADMIP - LicensingMode - Platform AWS::CloudFormation::Interface: ParameterGroups: - Label: default: VPC network configuration Parameters: - VPCID - BastionSecurityGroupID - RestrictedSSHCIDR - RestrictedWebAppCIDR - PrimaryManagementPrivateSubnetID - PrimaryClientPublicSubnetID - PrimaryServerPrivateSubnetID - SecondaryManagementPrivateSubnetID - SecondaryClientPublicSubnetID - SecondaryServerPrivateSubnetID - PrimaryManagementPrivateIP - PrimaryClientPrivateIP - PrimaryServerPrivateIP - SecondaryManagementPrivateIP - SecondaryClientPrivateIP - SecondaryServerPrivateIP - VPCTenancy - Label: default: Citrix WAF configuration Parameters: - KeyPairName - CitrixADCInstanceType - CitrixADCImageID - CitrixADCIAMRole - ClientEIPRequired - Label: default: Licensing configuration Parameters: - PooledLicense - ADMIP - LicensingMode - Bandwidth - PooledEdition - Platform - VCPUEdition - Label: default: AWS Quick Start configuration Parameters: - QSS3BucketName - QSS3BucketRegion - QSS3KeyPrefix ParameterLabels: CitrixADCImageID: default: Citrix WAF AMI ID VPCID: default: VPC ID PrimaryManagementPrivateSubnetID: default: Primary management private subnet ID PrimaryClientPublicSubnetID: default: Primary client public subnet ID PrimaryServerPrivateSubnetID: default: Primary server private subnet ID SecondaryManagementPrivateSubnetID: default: Secondary management private subnet ID SecondaryClientPublicSubnetID: default: Secondary client public subnet ID SecondaryServerPrivateSubnetID: default: Secondary server private subnet ID PrimaryManagementPrivateIP: default: Primary management private IP (NSIP) PrimaryClientPrivateIP: default: Primary client private IP (VIP) PrimaryServerPrivateIP: default: Primary server private IP (SNIP) SecondaryManagementPrivateIP: default: Secondary management private IP (NSIP) SecondaryClientPrivateIP: default: Secondary client private IP (VIP) SecondaryServerPrivateIP: default: Secondary server private IP (SNIP) BastionSecurityGroupID: default: Bastion security group ID VPCTenancy: default: VPC tenancy attribute RestrictedWebAppCIDR: default: Restricted web app CIDR RestrictedSSHCIDR: default: Restricted SSH CIDR KeyPairName: default: Key pair name CitrixADCInstanceType: default: Citrix WAF instance type CitrixADCIAMRole: default: Citrix WAF IAM role ClientEIPRequired: default: Assign Elastic IP address to client VIP PooledLicense: default: Pooled license from ADM ADMIP: default: Citrix ADM IP address LicensingMode: default: Licensing mode Platform: default: Appliance platform type Bandwidth: default: License bandwidth in Mbps PooledEdition: default: Pooled edition VCPUEdition: default: vCPU Edition QSS3BucketName: default: Quick Start S3 bucket name QSS3BucketRegion: default: Quick Start S3 bucket region QSS3KeyPrefix: default: Quick Start S3 key prefix Parameters: CitrixADCImageID: Type: String Default: "" Description: >- (Optional) AMI ID of the Citrix WAF to be provisioned. If you are opting for a pooled license from ADM, enter the latest BYOL AMI ID. If opting for a PAYG subscription license, enter the AMI ID of the Citrix WAF to be provisioned. If you keep this box blank, Citrix Web App Firewall (WAF) - 200 Mbps Version 13.0-52.24 (https://aws.amazon.com/marketplace/pp/B08286P96W) is provisioned by default. VPCID: Type: AWS::EC2::VPC::Id Description: ID of your existing VPC (e.g., vpc-0343606e). VPCTenancy: Description: Allowed tenancy of instances launched into the VPC. To launch EC2 instances dedicated to a single customer, choose dedicated. See InstanceTenancy at https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html. Type: String Default: default AllowedValues: - default - dedicated PrimaryManagementPrivateSubnetID: Type: AWS::EC2::Subnet::Id Description: >- Private subnet ID of an existing subnet dedicated for primary management network interface. PrimaryClientPublicSubnetID: Type: AWS::EC2::Subnet::Id Description: >- Public subnet ID of an existing subnet dedicated for primary client network interface. PrimaryServerPrivateSubnetID: Type: AWS::EC2::Subnet::Id Description: >- Private subnet ID of an existing subnet dedicated for primary server network interface. SecondaryManagementPrivateSubnetID: Type: AWS::EC2::Subnet::Id Description: >- Private subnet ID of an existing subnet dedicated for secondary management network interface. SecondaryClientPublicSubnetID: Type: AWS::EC2::Subnet::Id Description: >- Public subnet ID of an existing subnet dedicated for secondary client network interface. SecondaryServerPrivateSubnetID: Type: AWS::EC2::Subnet::Id Description: >- Private subnet ID of an existing subnet dedicated for secondary server network interface. PrimaryManagementPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the primary Citrix WAF instance's management network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the primary management subnet CIDR. PrimaryClientPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the primary Citrix WAF instance's client network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the primary client subnet CIDR. PrimaryServerPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the primary Citrix WAF instance's server network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the primary server subnet CIDR. SecondaryManagementPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the secondary Citrix WAF instance's management network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the secondary management subnet CIDR. SecondaryClientPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the secondary Citrix WAF instance's client network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the secondary client subnet CIDR. SecondaryServerPrivateIP: Default: "" Type: String Description: >- (Optional) Private IP address of the secondary Citrix WAF instance's server network interface. If you want to provide your own IP address, enter a number between 5 and 254 for the last octet. Otherwise, keep this box blank, and an IP address is automatically assigned from the secondary server subnet CIDR. BastionSecurityGroupID: Type: String Default: "" Description: >- (Optional) Security group ID associated with the bastion host, if present. This is used to allow access from the bastion hosts to the interfaces belonging to the security groups that will be created for the Citrix WAF HA pair. Effectively, the bastion hosts can open connections to all WAF interfaces (management, client, and server). QSS3BucketName: AllowedPattern: "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$" ConstraintDescription: >- Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Default: aws-quickstart Description: >- S3 bucket that you created for your copy of Quick Start assets. Use this if you decide to customize the Quick Start. This bucket name can include numbers, lowercase letters, uppercase letters, and hyphens but should not start or end with a hyphen. Type: String QSS3BucketRegion: Default: "us-east-1" Description: "AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value." Type: String QSS3KeyPrefix: AllowedPattern: "^[0-9a-zA-Z-/]*/$" ConstraintDescription: >- Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/). Default: quickstart-citrix-adc-waf/ Description: >- S3 key name prefix that is used to simulate a folder for your copy of Quick Start assets. Use this if you decide to customize the Quick Start. This prefix can include numbers, lowercase letters, uppercase letters, hyphens, and forward slashes. See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html. Type: String RestrictedWebAppCIDR: Type: String MinLength: 9 MaxLength: 18 Description: "CIDR block that is allowed to access the web apps behind WAF on TCP ports 80, 443. We recommend that you use a constrained CIDR range to reduce the potential of inbound attacks from unknown IP addresses. Using 0.0.0.0/0 enables all IP addresses to access your instance using SSH." AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. RestrictedSSHCIDR: Type: String MinLength: 9 MaxLength: 18 Description: "CIDR block that is allowed to access the bastion host (if present) or WAF management interface on port 22. We recommend that you use a constrained CIDR range to reduce the potential of inbound attacks from unknown IP addresses. Note: Since the WAF management interface is deployed in a private subnet, initiate the SSH connection from a host with network connectivity to this private subnet, like bastion host or on-premises host with AWS Direct Connect." AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})' ConstraintDescription: Must be a valid IP CIDR range of the form x.x.x.x/x. KeyPairName: Description: Name of an existing public/private key pair. If you do not have one in this AWS Region, create it before continuing. Type: AWS::EC2::KeyPair::KeyName CitrixADCInstanceType: Default: m4.xlarge ConstraintDescription: Must be a valid EC2 instance type. Type: String Description: "EC2 instance type to use for the WAF instances. Choose an instance type that’s available in the AWS Marketplace for the Region of deployment." AllowedValues: - t2.medium - t2.large - t2.xlarge - t2.2xlarge - m3.large - m3.xlarge - m3.2xlarge - m4.large - m4.xlarge - m4.2xlarge - m4.4xlarge - m4.10xlarge - m4.16xlarge - m5.large - m5.xlarge - m5.2xlarge - m5.4xlarge - m5.8xlarge - m5.12xlarge - m5.16xlarge - m5.24xlarge - c4.large - c4.xlarge - c4.2xlarge - c4.4xlarge - c4.8xlarge - c5.large - c5.xlarge - c5.2xlarge - c5.4xlarge - c5.9xlarge - c5.12xlarge - c5.18xlarge - c5.24xlarge - c5n.large - c5n.xlarge - c5n.2xlarge - c5n.4xlarge - c5n.9xlarge - c5n.18xlarge CitrixADCIAMRole: Description: "(Optional) If you want to use an existing role or create a new one, ensure that it has the required permissions, and then enter the name of the role. Otherwise, keep this box blank, and the deployment creates the required IAM role. See https://docs.citrix.com/en-us/citrix-adc/13/deploying-vpx/deploy-aws/prerequisites.html." Type: String Default: "" PooledLicense: Description: >- If choosing BYOL option for licensing, choose Yes. This would allow you to upload your already purchased licenses. Before choosing Yes, configure Citrix ADM as a license server for the Citrix ADC pooled capacity. Refer to https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/license-server/adc-pooled-capacity/configuring-adc-pooled-capacity.html#configure-citrix-adm-as-a-license-server for details. Type: String Default: "No" AllowedValues: - "No" - "Yes" LicensingMode: Description: >- (Optional) By default, Citrix Web App Firewall (WAF) - 200 Mbps Version 13.0-52.24 (https://aws.amazon.com/marketplace/pp/B08286P96W) is provisioned. If you are opting for the BYOL license from ADM, choose Yes for PooledLicense, enter the latest BYOL AMI ID in the CitrixADCImageID box, and choose one of the three licensing modes: Pooled-Licensing, CICO-Licensing (check-in-check-out), CPU-Licensing. Type: String Default: "" AllowedValues: - "" - "Pooled-Licensing" - "CICO-Licensing" - "CPU-Licensing" ADMIP: Description: "(Optional) IP address of the Citrix ADM (deployed either on-premises or as an agent in cloud) reachable from the ADC instances. If using pool licensing, enter an IP address. Otherwise, keep this box blank." Type: String Default: "" Bandwidth: Description: >- (Optional) Specify only if the licensing mode is Pooled-Licensing. It allocates an initial bandwidth of the license in Mbps to be allocated after BYOL ADCs are created. If using, enter a multiple of 10 Mbps. Type: Number Default: 0 PooledEdition: Description: "(Optional) License edition for pooled capacity licensing mode. This is used only if licensing mode is Pooled-Licensing." Type: String Default: Premium AllowedValues: - Premium VCPUEdition: Description: "(Optional) License edition for vCPU licensing mode. This is needed only if licensing mode is CPU-Licensing." Type: String Default: Premium AllowedValues: - Premium Platform: Description: "(Optional) Appliance platform type for vCPU licensing mode. If licensing mode is CICO-Licensing, choose VPX-200, VPX-1000, VPX-3000, or VPX-5000." Type: String Default: "" AllowedValues: - "" - VPX-200 - VPX-1000 - VPX-3000 - VPX-5000 ClientEIPRequired: Type: String Default: "Yes" Description: Choose No to assign client Elastic IP address manually after the deployment. AllowedValues: - "No" - "Yes" Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, "aws-quickstart"] CreateIAMRole: !Equals [!Ref CitrixADCIAMRole, ""] UseClientEIP: !Equals [!Ref ClientEIPRequired, "Yes"] UsePooledLicense: !Equals [!Ref PooledLicense, "Yes"] Resources: SecurityGroupStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/security-group.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: VPCID: !Ref VPCID RestrictedWebAppCIDR: !Ref RestrictedWebAppCIDR RestrictedSSHCIDR: !Ref RestrictedSSHCIDR BastionSecurityGroupID: !Ref BastionSecurityGroupID IAMRoleStack: Condition: CreateIAMRole Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/iam.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] PrimaryADCInstance: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/citrix-adc.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: CitrixADCImageID: !Ref CitrixADCImageID ManagementSecurityGroup: !GetAtt SecurityGroupStack.Outputs.ManagementSecurityGroupID ClientSecurityGroup: !GetAtt SecurityGroupStack.Outputs.ClientSecurityGroupID ServerSecurityGroup: !GetAtt SecurityGroupStack.Outputs.ServerSecurityGroupID ManagementPrivateSubnetID: !Ref PrimaryManagementPrivateSubnetID ClientPublicSubnetID: !Ref PrimaryClientPublicSubnetID ServerPrivateSubnetID: !Ref PrimaryServerPrivateSubnetID ManagementPrivateIP: !Ref PrimaryManagementPrivateIP ClientPrivateIP: !Ref PrimaryClientPrivateIP ServerPrivateIP: !Ref PrimaryServerPrivateIP ClientENIEIP: !Ref ClientEIPRequired ADCInstanceTagName: Primary KeyPairName: !Ref KeyPairName VPCTenancy: !Ref VPCTenancy CitrixNodesProfile: !If - CreateIAMRole - !GetAtt IAMRoleStack.Outputs.CitrixNodesProfile - !Ref CitrixADCIAMRole CitrixADCInstanceType: !Ref CitrixADCInstanceType SecondaryADCInstance: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/citrix-adc.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: CitrixADCImageID: !Ref CitrixADCImageID ManagementSecurityGroup: !GetAtt SecurityGroupStack.Outputs.ManagementSecurityGroupID ClientSecurityGroup: !GetAtt SecurityGroupStack.Outputs.ClientSecurityGroupID ServerSecurityGroup: !GetAtt SecurityGroupStack.Outputs.ServerSecurityGroupID ManagementPrivateSubnetID: !Ref SecondaryManagementPrivateSubnetID ClientPublicSubnetID: !Ref SecondaryClientPublicSubnetID ServerPrivateSubnetID: !Ref SecondaryServerPrivateSubnetID ManagementPrivateIP: !Ref SecondaryManagementPrivateIP ClientPrivateIP: !Ref SecondaryClientPrivateIP ServerPrivateIP: !Ref SecondaryServerPrivateIP ClientENIEIP: "No" ADCInstanceTagName: Secondary KeyPairName: !Ref KeyPairName VPCTenancy: !Ref VPCTenancy CitrixNodesProfile: !If - CreateIAMRole - !GetAtt IAMRoleStack.Outputs.CitrixNodesProfile - !Ref CitrixADCIAMRole CitrixADCInstanceType: !Ref CitrixADCInstanceType LambdaCopierStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/lambda-copier.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: QSS3BucketName: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] QSS3KeyPrefix: !Ref QSS3KeyPrefix PrimaryPooledLicenseStack: Condition: UsePooledLicense Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/lambda-pooled-license.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: ADCInstanceID: !GetAtt PrimaryADCInstance.Outputs.CitrixADCInstanceID ADMIP: !Ref ADMIP Bandwidth: !Ref Bandwidth LicensingMode: !Ref LicensingMode ManagementPrivateIP: !GetAtt PrimaryADCInstance.Outputs.ManagementPrivateNSIP ManagementPrivateSubnetID: !Ref PrimaryManagementPrivateSubnetID ManagementSecurityGroupID: !GetAtt SecurityGroupStack.Outputs.ManagementSecurityGroupID Platform: !Ref Platform PooledEdition: !Ref PooledEdition QSS3BucketName: !GetAtt LambdaCopierStack.Outputs.LambdaZipsBucket QSS3KeyPrefix: !Ref QSS3KeyPrefix VCPUEdition: !Ref VCPUEdition SecondaryPooledLicenseStack: Condition: UsePooledLicense Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/lambda-pooled-license.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: ADCInstanceID: !GetAtt SecondaryADCInstance.Outputs.CitrixADCInstanceID ADMIP: !Ref ADMIP Bandwidth: !Ref Bandwidth LicensingMode: !Ref LicensingMode ManagementPrivateIP: !GetAtt SecondaryADCInstance.Outputs.ManagementPrivateNSIP ManagementPrivateSubnetID: !Ref SecondaryManagementPrivateSubnetID ManagementSecurityGroupID: !GetAtt SecurityGroupStack.Outputs.ManagementSecurityGroupID Platform: !Ref Platform PooledEdition: !Ref PooledEdition QSS3BucketName: !GetAtt LambdaCopierStack.Outputs.LambdaZipsBucket QSS3KeyPrefix: !Ref QSS3KeyPrefix VCPUEdition: !Ref VCPUEdition LambdaHAAZStack: Metadata: PseudoDependsOn: !If - UsePooledLicense - - !Ref PrimaryPooledLicenseStack - !Ref SecondaryPooledLicenseStack - '' Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/lambda-ha-across-az.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: PrimaryInstanceID: !GetAtt PrimaryADCInstance.Outputs.CitrixADCInstanceID PrimaryManagementPrivateIP: !GetAtt PrimaryADCInstance.Outputs.ManagementPrivateNSIP PrimaryClientPrivateIP: !GetAtt PrimaryADCInstance.Outputs.ClientPrivateVIP PrimaryClientPublicSubnetID: !Ref PrimaryClientPublicSubnetID SecondaryInstanceID: !GetAtt SecondaryADCInstance.Outputs.CitrixADCInstanceID SecondaryManagementPrivateIP: !GetAtt SecondaryADCInstance.Outputs.ManagementPrivateNSIP SecondaryClientPrivateIP: !GetAtt SecondaryADCInstance.Outputs.ClientPrivateVIP ManagementSecurityGroupID: !GetAtt SecurityGroupStack.Outputs.ManagementSecurityGroupID PrimaryManagementPrivateSubnetID: !Ref PrimaryManagementPrivateSubnetID SecondaryManagementPrivateSubnetID: !Ref SecondaryManagementPrivateSubnetID QSS3BucketName: !GetAtt LambdaCopierStack.Outputs.LambdaZipsBucket QSS3KeyPrefix: !Ref QSS3KeyPrefix LambdaServersActiveActiveStack: DependsOn: LambdaHAAZStack Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/lambda-servers-active-active.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: PrimaryInstanceID: !GetAtt PrimaryADCInstance.Outputs.CitrixADCInstanceID PrimaryManagementPrivateIP: !GetAtt PrimaryADCInstance.Outputs.ManagementPrivateNSIP SecondaryInstanceID: !GetAtt PrimaryADCInstance.Outputs.CitrixADCInstanceID SecondaryManagementPrivateIP: !GetAtt SecondaryADCInstance.Outputs.ManagementPrivateNSIP QSS3BucketName: !GetAtt LambdaCopierStack.Outputs.LambdaZipsBucket QSS3KeyPrefix: !Ref QSS3KeyPrefix ManagementSecurityGroupID: !GetAtt SecurityGroupStack.Outputs.ManagementSecurityGroupID PrimaryManagementPrivateSubnetID: !Ref PrimaryManagementPrivateSubnetID SecondaryManagementPrivateSubnetID: !Ref SecondaryManagementPrivateSubnetID PrimaryServerPrivateSubnetID: !Ref PrimaryServerPrivateSubnetID SecondaryServerPrivateSubnetID: !Ref SecondaryServerPrivateSubnetID LambdaWAFStack: DependsOn: LambdaServersActiveActiveStack Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/lambda-waf.template.yaml - S3Region: !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] S3Bucket: !If [ UsingDefaultBucket, !Sub "${QSS3BucketName}-${AWS::Region}", !Ref QSS3BucketName, ] Parameters: PrimaryInstanceID: !GetAtt PrimaryADCInstance.Outputs.CitrixADCInstanceID PrimaryManagementPrivateIP: !GetAtt PrimaryADCInstance.Outputs.ManagementPrivateNSIP QSS3BucketName: !GetAtt LambdaCopierStack.Outputs.LambdaZipsBucket QSS3KeyPrefix: !Ref QSS3KeyPrefix ManagementSecurityGroupID: !GetAtt SecurityGroupStack.Outputs.ManagementSecurityGroupID PrimaryManagementPrivateSubnetID: !Ref PrimaryManagementPrivateSubnetID SecondaryManagementPrivateSubnetID: !Ref SecondaryManagementPrivateSubnetID Outputs: ManagementSecurityGroupID: Description: Security group ID for management WAF ENIs Value: !GetAtt SecurityGroupStack.Outputs.ManagementSecurityGroupID ClientSecurityGroupID: Description: Security group ID for client WAF ENIs Value: !GetAtt SecurityGroupStack.Outputs.ClientSecurityGroupID ServerSecurityGroupID: Description: Security group ID for server WAF ENIs Value: !GetAtt SecurityGroupStack.Outputs.ServerSecurityGroupID InstanceProfileName: Condition: CreateIAMRole Description: Instance profile for ADCs Value: !GetAtt IAMRoleStack.Outputs.CitrixNodesProfile PrimaryADCInstanceID: Description: Primary WAF instance ID Value: !GetAtt PrimaryADCInstance.Outputs.CitrixADCInstanceID PrimaryManagementPrivateNSIP: Description: Primary management private NSIP Value: !GetAtt PrimaryADCInstance.Outputs.ManagementPrivateNSIP PrimaryClientPublicEIP: Condition: UseClientEIP Description: Primary client public EIP Value: !GetAtt PrimaryADCInstance.Outputs.ClientPublicEIP PrimaryClientPrivateVIP: Description: Primary client private VIP Value: !GetAtt PrimaryADCInstance.Outputs.ClientPrivateVIP SecondaryADCInstanceID: Description: Secondary WAF instance ID Value: !GetAtt SecondaryADCInstance.Outputs.CitrixADCInstanceID SecondaryManagementPrivateNSIP: Description: Secondary management private NSIP Value: !GetAtt SecondaryADCInstance.Outputs.ManagementPrivateNSIP SecondaryClientPrivateVIP: Description: Secondary client private VIP Value: !GetAtt SecondaryADCInstance.Outputs.ClientPrivateVIP