--- AWSTemplateFormatVersion: 2010-09-09 Description: Launches a NAT instance for external outbound connectivity (qs-1nb14cqca) Metadata: Stack: Value: 2 VersionDate: Value: 20160510 Identifier: Value: template-nat-instance Input: Description: CIDR blocks, VPC names, KeyName, EC2 instance size Output: Description: Outputs ID of all deployed resources Parameters: pDMZSubnetA: Description: Subnet for the DMZ Type: String Default: '' pSecurityGroupSSHFromVpc: Description: Enable SSH access via port 22 Type: String Default: '' pSecurityGroupVpcNat: Description: Allow NAT from production Type: String Default: '' pEC2KeyPair: Description: Key Name for Instance Type: String Default: '' pNatInstanceType: Description: NAT EC2 instance type Type: String Default: m3.large pNatAmi: Description: AMI to use for the NAT instnace Type: String Default: '' pVpcName: Description: Name of VPC used for naming resources Type: String Default: '' pRouteTablePrivateA: Description: Routing table used for the NAT instance Type: String Default: '' pRouteTablePrivateB: Description: Routing table used for the NAT instance Type: String Default: '' pEipNatAllocationId: Description: Allocation ID for NAT EIP Type: String Conditions: cAddRouteForSecondSubnet: !Not - !Equals - !Ref pRouteTablePrivateB - '' Resources: rNatInstanceEni: Type: AWS::EC2::NetworkInterface Properties: SubnetId: !Ref pDMZSubnetA GroupSet: - !Ref pSecurityGroupSSHFromVpc - !Ref pSecurityGroupVpcNat Description: Interface for ProductionNat device Tags: - Key: Network Value: ProductionNatDevice rNatInstance: Type: AWS::EC2::Instance Properties: InstanceType: !Ref pNatInstanceType SourceDestCheck: false KeyName: !Ref pEC2KeyPair Tags: - Key: Name Value: !Sub ${pVpcName} NAT device used for patching UserData: !Base64 Fn::Sub: | #!/bin/sh echo 1 > /proc/sys/net/ipv4/ip_forward echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 0.0.0.0/0 -j MASQUERADE /sbin/iptables-save > /etc/sysconfig/iptables mkdir -p /etc/sysctl.d/ cat < /etc/sysctl.d/nat.conf net.ipv4.ip_forward = 1 net.ipv4.conf.eth0.send_redirects = 0 EOF ImageId: !Ref pNatAmi NetworkInterfaces: - NetworkInterfaceId: !Ref rNatInstanceEni DeviceIndex: '0' AssociateEipNat: Type: AWS::EC2::EIPAssociation DependsOn: - rNatInstance Properties: AllocationId: !Ref pEipNatAllocationId NetworkInterfaceId: !Ref rNatInstanceEni rRouteProdPrivateANatInstance: Type: AWS::EC2::Route Properties: DestinationCidrBlock: 0.0.0.0/0 RouteTableId: !Ref pRouteTablePrivateA InstanceId: !Ref rNatInstance rRouteProdPrivateBNatInstance: Type: AWS::EC2::Route Condition: cAddRouteForSecondSubnet Properties: DestinationCidrBlock: 0.0.0.0/0 RouteTableId: !Ref pRouteTablePrivateB InstanceId: !Ref rNatInstance ...