{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "This template creates 2 Windows Server instances in private subnets in separate Availability Zones inside a VPC. After extending your on-premises network to the VPC, you can promote the Windows Server instances to Domain Controllers in your AD forest. **WARNING** This template creates Amazon EC2 Windows instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. QS(0002)", "Metadata": { "AWS::CloudFormation::Interface": { "ParameterGroups": [ { "Label": { "default": "Network Configuration" }, "Parameters": [ "VPCCIDR", "VPCID", "PrivateSubnet1CIDR", "PrivateSubnet1ID", "PrivateSubnet2CIDR", "PrivateSubnet2ID", "PublicSubnet1CIDR", "PublicSubnet2CIDR" ] }, { "Label": { "default": "Amazon EC2 Configuration" }, "Parameters": [ "KeyPairName", "ADServer1InstanceType", "ADServer1NetBIOSName", "ADServer1PrivateIP", "ADServer2InstanceType", "ADServer2NetBIOSName", "ADServer2PrivateIP" ] }, { "Label": { "default": "AWS Quick Start Configuration" }, "Parameters": [ "QSS3BucketName", "QSS3KeyPrefix" ] } ], "ParameterLabels": { "ADServer1InstanceType": { "default": "Domain Controller 1 Instance Type" }, "ADServer1NetBIOSName": { "default": "Domain Controller 1 NetBIOS Name" }, "ADServer1PrivateIP": { "default": "Domain Controller 1 Private IP Address" }, "ADServer2InstanceType": { "default": "Domain Controller 2 Instance Type" }, "ADServer2NetBIOSName": { "default": "Domain Controller 2 NetBIOS Name" }, "ADServer2PrivateIP": { "default": "Domain Controller 2 Private IP Address" }, "KeyPairName": { "default": "Key Pair Name" }, "PrivateSubnet1CIDR": { "default": "Private Subnet 1 CIDR" }, "PrivateSubnet1ID": { "default": "Private Subnet 1 ID" }, "PrivateSubnet2CIDR": { "default": "Private Subnet 2 CIDR" }, "PrivateSubnet2ID": { "default": "Private Subnet 2 ID" }, "PublicSubnet1CIDR": { "default": "Public Subnet 1 CIDR" }, "PublicSubnet2CIDR": { "default": 
"Public Subnet 2 CIDR" }, "QSS3BucketName": { "default": "Quick Start S3 Bucket Name" }, "QSS3KeyPrefix": { "default": "Quick Start S3 Key Prefix" }, "VPCCIDR": { "default": "VPC CIDR" } } } }, "Parameters": { "ADServer1InstanceType": { "AllowedValues": [ "t2.large", "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge" ], "Default": "m4.xlarge", "Description": "Amazon EC2 instance type for the first Active Directory Instance", "Type": "String" }, "ADServer1NetBIOSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+", "Default": "DC1", "Description": "NetBIOS name of the 1st AD Server (up to 15 characters)", "MaxLength": "15", "MinLength": "1", "Type": "String" }, "ADServer1PrivateIP": { "Default": "10.0.0.10", "Description": "Fixed private IP for the first Active Directory server located in AZ1", "Type": "String" }, "ADServer2InstanceType": { "AllowedValues": [ "t2.large", "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge" ], "Default": "m4.xlarge", "Description": "Amazon EC2 instance type for the second Active Directory Instance", "Type": "String" }, "ADServer2NetBIOSName": { "AllowedPattern": "[a-zA-Z0-9\\-]+", "Default": "DC2", "Description": "NetBIOS name of the 2nd AD Server (up to 15 characters)", "MaxLength": "15", "MinLength": "1", "Type": "String" }, "ADServer2PrivateIP": { "Default": "10.0.32.10", "Description": "Fixed private IP for the second Active Directory server located in AZ2", "Type": "String" }, "KeyPairName": { "Description": "Public/private key pairs allow you to securely connect to your instance after it launches", "Type": "AWS::EC2::KeyPair::KeyName" }, "PrivateSubnet1CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.0.0/19", "Description": "CIDR block for private subnet 1 located in Availability Zone 1.", "Type": "String" }, "PrivateSubnet1ID": { 
"Description": "ID of the private subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd)", "Type": "AWS::EC2::Subnet::Id" }, "PrivateSubnet2CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.32.0/19", "Description": "CIDR block for private subnet 2 located in Availability Zone 2.", "Type": "String" }, "PrivateSubnet2ID": { "Description": "ID of the private subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd)", "Type": "AWS::EC2::Subnet::Id" }, "PublicSubnet1CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.128.0/20", "Description": "CIDR Block for the public DMZ subnet 1 located in Availability Zone 1", "Type": "String" }, "PublicSubnet2CIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.144.0/20", "Description": "CIDR Block for the public DMZ subnet 2 located in Availability Zone 2", "Type": "String" }, "QSS3BucketName": { "AllowedPattern": "^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$", "ConstraintDescription": "Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-).", "Default": "aws-quickstart", "Description": "S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). 
It cannot start or end with a hyphen (-).", "Type": "String" }, "QSS3KeyPrefix": { "AllowedPattern": "^[0-9a-zA-Z-/]*$", "ConstraintDescription": "Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).", "Default": "quickstart-microsoft-activedirectory/", "Description": "S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/).", "Type": "String" }, "VPCCIDR": { "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$", "ConstraintDescription": "CIDR block parameter must be in the form x.x.x.x/16-28", "Default": "10.0.0.0/16", "Description": "CIDR Block for the VPC", "Type": "String" }, "VPCID": { "Description": "ID of the VPC (e.g., vpc-0343606e)", "Type": "AWS::EC2::VPC::Id" } }, "Rules": { "SubnetsInVPC": { "Assertions": [ { "Assert": { "Fn::EachMemberIn": [ { "Fn::ValueOfAll": [ "AWS::EC2::Subnet::Id", "VpcId" ] }, { "Fn::RefAll": "AWS::EC2::VPC::Id" } ] }, "AssertDescription": "All subnets must be in the VPC" } ] } }, "Mappings": { "AWSAMIRegionMap": { "AMI": { "WS2012R2": "Windows_Server-2012-R2_RTM-English-64Bit-Base-2019.07.12" }, "ap-northeast-1": { "WS2012R2": "ami-06823103be2218b98" }, "ap-northeast-2": { "WS2012R2": "ami-050e65d9f2ec90145" }, "ap-south-1": { "WS2012R2": "ami-045e1f06f29929467" }, "ap-southeast-1": { "WS2012R2": "ami-0c322369af7718803" }, "ap-southeast-2": { "WS2012R2": "ami-0813db0de4ddab990" }, "ca-central-1": { "WS2012R2": "ami-0850dfaa3ee6f6233" }, "eu-central-1": { "WS2012R2": "ami-024652d0a3df40e74" }, "eu-west-1": { "WS2012R2": "ami-0d2f69fcc5f00c97a" }, "eu-west-2": { "WS2012R2": "ami-0998a91bb1756752d" }, "sa-east-1": { "WS2012R2": "ami-044d56b6baa621d7d" }, "us-east-1": { "WS2012R2": "ami-094a644f1fb9e4ce3" }, "us-east-2": { "WS2012R2": "ami-0a1a54d8690206089" }, "us-west-1": { 
"WS2012R2": "ami-094dcbdb1aa24c8da" }, "us-west-2": { "WS2012R2": "ami-0f8967b5f815400c0" } } }, "Conditions": { "GovCloudCondition": { "Fn::Equals": [ { "Ref": "AWS::Region" }, "us-gov-west-1" ] } }, "Resources": { "ADServerRole": { "Type": "AWS::IAM::Role", "Properties": { "Policies": [ { "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject" ], "Resource": { "Fn::Sub": [ "arn:${Partition}:s3:::${QSS3BucketName}/${QSS3KeyPrefix}*", { "Partition": { "Fn::If": [ "GovCloudCondition", "aws-us-gov", "aws" ] } } ] }, "Effect": "Allow" } ] }, "PolicyName": "aws-quick-start-s3-policy" } ], "Path": "/", "AssumeRolePolicyDocument": { "Statement": [ { "Action": [ "sts:AssumeRole" ], "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Effect": "Allow" } ], "Version": "2012-10-17" } } }, "ADServerProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Roles": [ { "Ref": "ADServerRole" } ], "Path": "/" } }, "DomainController1": { "Type": "AWS::EC2::Instance", "Metadata": { "AWS::CloudFormation::Authentication": { "S3AccessCreds": { "type": "S3", "roleName": { "Ref": "ADServerRole" }, "buckets": [ { "Ref": "QSS3BucketName" } ] } }, "AWS::CloudFormation::Init": { "configSets": { "config": [ "setup", "rename", "finalize" ] }, "setup": { "files": { "c:\\cfn\\cfn-hup.conf": { "content": { "Fn::Join": [ "", [ "[main]\n", "stack=", { "Ref": "AWS::StackName" }, "\n", "region=", { "Ref": "AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": { "content": { "Fn::Join": [ "", [ "[cfn-auto-reloader-hook]\n", "triggers=post.update\n", "path=Resources.DomainController1.Metadata.AWS::CloudFormation::Init\n", "action=cfn-init.exe -v -c config -s ", { "Ref": "AWS::StackId" }, " -r DomainController1", " --region ", { "Ref": "AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\scripts\\Set-StaticIP.ps1": { "content": { "Fn::Join": [ "", [ "$netip = Get-NetIPConfiguration;", "$ipconfig = Get-NetIPAddress | ?{$_.IpAddress -eq 
$netip.IPv4Address.IpAddress};", "Get-NetAdapter | Set-NetIPInterface -DHCP Disabled;", "Get-NetAdapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress $netip.IPv4Address.IpAddress -PrefixLength $ipconfig.PrefixLength -DefaultGateway $netip.IPv4DefaultGateway.NextHop;", "Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.DNSServer.ServerAddresses;", "\n" ] ] } } }, "services": { "windows": { "cfn-hup": { "enabled": "true", "ensureRunning": "true", "files": [ "c:\\cfn\\cfn-hup.conf", "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf" ] } } } }, "rename": { "commands": { "a-set-static-ip": { "command": { "Fn::Join": [ "", [ "powershell.exe -ExecutionPolicy RemoteSigned -Command c:\\cfn\\scripts\\Set-StaticIP.ps1" ] ] }, "waitAfterCompletion": "45" }, "b-execute-powershell-script-RenameComputer": { "command": { "Fn::Join": [ "", [ "powershell.exe Rename-Computer -NewName ", { "Ref": "ADServer1NetBIOSName" }, " -Restart" ] ] }, "waitAfterCompletion": "forever" } } }, "finalize": { "commands": { "1-signal-success": { "command": { "Fn::Join": [ "", [ "cfn-signal.exe -e 0 \"", { "Ref": "DomainController1WaitHandle" }, "\"" ] ] } } } } } }, "Properties": { "ImageId": { "Fn::FindInMap": [ "AWSAMIRegionMap", { "Ref": "AWS::Region" }, "WS2012R2" ] }, "IamInstanceProfile": { "Ref": "ADServerProfile" }, "InstanceType": { "Ref": "ADServer1InstanceType" }, "SubnetId": { "Ref": "PrivateSubnet1ID" }, "Tags": [ { "Key": "Name", "Value": { "Ref": "ADServer1NetBIOSName" } } ], "BlockDeviceMappings": [ { "DeviceName": "/dev/sda1", "Ebs": { "VolumeSize": "100", "VolumeType": "gp2" } } ], "SecurityGroupIds": [ { "Ref": "DomainController1SG" } ], "PrivateIpAddress": { "Ref": "ADServer1PrivateIP" }, "KeyName": { "Ref": "KeyPairName" }, "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "\n" ] ] } } } }, "DomainController2": { "Type": "AWS::EC2::Instance", "DependsOn": "DomainController1WaitCondition", "Metadata": { "AWS::CloudFormation::Authentication": { "S3AccessCreds": { 
"type": "S3", "roleName": { "Ref": "ADServerRole" }, "buckets": [ { "Ref": "QSS3BucketName" } ] } }, "AWS::CloudFormation::Init": { "configSets": { "config": [ "setup", "rename", "finalize" ] }, "setup": { "files": { "c:\\cfn\\cfn-hup.conf": { "content": { "Fn::Join": [ "", [ "[main]\n", "stack=", { "Ref": "AWS::StackName" }, "\n", "region=", { "Ref": "AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf": { "content": { "Fn::Join": [ "", [ "[cfn-auto-reloader-hook]\n", "triggers=post.update\n", "path=Resources.DomainController2.Metadata.AWS::CloudFormation::Init\n", "action=cfn-init.exe -v -c config -s ", { "Ref": "AWS::StackId" }, " -r DomainController2", " --region ", { "Ref": "AWS::Region" }, "\n" ] ] } }, "c:\\cfn\\scripts\\Set-StaticIP.ps1": { "content": { "Fn::Join": [ "", [ "$netip = Get-NetIPConfiguration;", "$ipconfig = Get-NetIPAddress | ?{$_.IpAddress -eq $netip.IPv4Address.IpAddress};", "Get-NetAdapter | Set-NetIPInterface -DHCP Disabled;", "Get-NetAdapter | New-NetIPAddress -AddressFamily IPv4 -IPAddress $netip.IPv4Address.IpAddress -PrefixLength $ipconfig.PrefixLength -DefaultGateway $netip.IPv4DefaultGateway.NextHop;", "Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $netip.DNSServer.ServerAddresses;", "\n" ] ] } } }, "services": { "windows": { "cfn-hup": { "enabled": "true", "ensureRunning": "true", "files": [ "c:\\cfn\\cfn-hup.conf", "c:\\cfn\\hooks.d\\cfn-auto-reloader.conf" ] } } } }, "rename": { "commands": { "a-set-static-ip": { "command": { "Fn::Join": [ "", [ "powershell.exe -ExecutionPolicy RemoteSigned -Command c:\\cfn\\scripts\\Set-StaticIP.ps1" ] ] }, "waitAfterCompletion": "45" }, "b-execute-powershell-script-RenameComputer": { "command": { "Fn::Join": [ "", [ "powershell.exe Rename-Computer -NewName ", { "Ref": "ADServer2NetBIOSName" }, " -Restart" ] ] }, "waitAfterCompletion": "forever" } } }, "finalize": { "commands": { "1-signal-success": { "command": { "Fn::Join": [ "", [ "cfn-signal.exe -e 0 \"", { 
"Ref": "DomainController2WaitHandle" }, "\"" ] ] } } } } } }, "Properties": { "ImageId": { "Fn::FindInMap": [ "AWSAMIRegionMap", { "Ref": "AWS::Region" }, "WS2012R2" ] }, "IamInstanceProfile": { "Ref": "ADServerProfile" }, "InstanceType": { "Ref": "ADServer2InstanceType" }, "SubnetId": { "Ref": "PrivateSubnet2ID" }, "Tags": [ { "Key": "Name", "Value": { "Ref": "ADServer2NetBIOSName" } } ], "BlockDeviceMappings": [ { "DeviceName": "/dev/sda1", "Ebs": { "VolumeSize": "100", "VolumeType": "gp2" } } ], "SecurityGroupIds": [ { "Ref": "DomainController2SG" } ], "PrivateIpAddress": { "Ref": "ADServer2PrivateIP" }, "KeyName": { "Ref": "KeyPairName" }, "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "\n" ] ] } } } }, "DomainController1WaitCondition": { "Type": "AWS::CloudFormation::WaitCondition", "DependsOn": "DomainController1", "Properties": { "Handle": { "Ref": "DomainController1WaitHandle" }, "Timeout": "3600" } }, "DomainController1WaitHandle": { "Type": "AWS::CloudFormation::WaitConditionHandle" }, "DomainController2WaitCondition": { "Type": "AWS::CloudFormation::WaitCondition", "DependsOn": "DomainController2", "Properties": { "Handle": { "Ref": "DomainController2WaitHandle" }, "Timeout": "3600" } }, "DomainController2WaitHandle": { "Type": "AWS::CloudFormation::WaitConditionHandle" }, "DomainController1SG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Domain Controller", "VpcId": { "Ref": "VPCID" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": 
"udp", "FromPort": "138", "ToPort": "138", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "5355", "ToPort": "5355", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "137", "ToPort": "137", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "139", "ToPort": 
"139", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "5722", "ToPort": "5722", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "138", "ToPort": "138", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": 
"DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet2CIDR" } }, { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet2CIDR" } } ] } }, "DomainController2SG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Domain Controller", "VpcId": { "Ref": "VPCID" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "138", "ToPort": "138", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "445", "ToPort": "445", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": 
"389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "389", "ToPort": "389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "VPCCIDR" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "5355", "ToPort": "5355", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "137", "ToPort": "137", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "139", "ToPort": "139", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "5722", "ToPort": "5722", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "123", "ToPort": "123", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "135", "ToPort": "135", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "9389", "ToPort": "9389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "138", "ToPort": "138", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": 
"udp", "FromPort": "445", "ToPort": "445", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "464", "ToPort": "464", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "389", "ToPort": "389", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "636", "ToPort": "636", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3268", "ToPort": "3268", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3269", "ToPort": "3269", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "udp", "FromPort": "88", "ToPort": "88", "SourceSecurityGroupId": { "Ref": "DomainMemberSG" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet2CIDR" } }, { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "icmp", "FromPort": "-1", "ToPort": "-1", "CidrIp": { "Ref": "PublicSubnet2CIDR" } } ] } }, "DomainMemberSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Domain Members", "VpcId": { "Ref": "VPCID" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": "5985", 
"ToPort": "5985", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "5985", "ToPort": "5985", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "53", "ToPort": "53", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "udp", "FromPort": "49152", "ToPort": "65535", "CidrIp": { "Ref": "PrivateSubnet2CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet1CIDR" } }, { "IpProtocol": "tcp", "FromPort": "3389", "ToPort": "3389", "CidrIp": { "Ref": "PublicSubnet2CIDR" } } ] } } }, "Outputs": { "DomainMemberSGID": { "Value": { "Ref": "DomainMemberSG" }, "Description": "Domain Member Security Group ID" } } }