--- AWSTemplateFormatVersion: 2010-09-09 Description: Provides networking configuration for a VFX Management VPC Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Region Configuration Parameters: - pAvailabilityZones - Label: default: Network Configuration Parameters: - pManagementVPCName - pManagementVpcCIDR - pManagementDMZSubnetACIDR - pManagementDMZSubnetBCIDR - pMgmtAppPrivateSubnetACIDR - pMgmtAppPrivateSubnetBCIDR ParameterLabels: pAvailabilityZones: default: Select two Availability Zones pManagementVPCName: default: Management VPC Name pManagementVpcCIDR: default: Management VPC CIDR block pManagementDMZSubnetACIDR: default: CIDR block of Management DMZ Subnet A (internet facing) pManagementDMZSubnetBCIDR: default: CIDR block of Management DMZ Subnet B (internet facing) pMgmtAppPrivateSubnetACIDR: default: CIDR block of Management Application Subnet A (private) pMgmtAppPrivateSubnetBCIDR: default: CIDR block of Management Application Subnet B (private) Parameters: pAvailabilityZones: Description: The list of Availability Zones to use for the subnets in the VPC. This template uses two Availability Zones from your list and preserves the logical order you specify. Type: List pManagementVPCName: Default: Management VPC Description: Management VPC Name Type: String pManagementVpcCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.10.0.0/16 Description: CIDR block for Management VPC Type: String pManagementDMZSubnetACIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.10.10.0/24 Description: CIDR block for Management DMZ AZ-1a subnet Type: String pManagementDMZSubnetBCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.10.20.0/24 Description: CIDR block for Management DMZ AZ-1b subnet Type: String pMgmtAppPrivateSubnetACIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.10.96.0/21 Description: CIDR block for Management Application AZ-1a subnet Type: String pMgmtAppPrivateSubnetBCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.10.112.0/21 Description: CIDR block for Management Application AZ-1b subnet Type: String pEnvironment: AllowedValues: - DEV - TEST - PROD Default: DEV Description: Environment (Dev, Test or Prod) Type: String Resources: # -- Create VPC -- # rVPCManagement: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref pManagementVpcCIDR InstanceTenancy: default EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Ref pManagementVPCName - Key: Environment Value: !Ref pEnvironment # -- Create the Internet Gateway and attach to VPC-- # rIGWManagement: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: igw-management - Key: Environment Value: !Ref pEnvironment rGWAttachmentMgmtIGW: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref rVPCManagement InternetGatewayId: !Ref rIGWManagement # -- Create the Public Subnets -- # rManagementDMZSubnetA: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pManagementDMZSubnetACIDR AvailabilityZone: !Select [0, !Ref pAvailabilityZones] VpcId: !Ref rVPCManagement Tags: - Key: Name Value: Management DMZ Subnet A - Key: Environment Value: !Ref pEnvironment rManagementDMZSubnetB: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pManagementDMZSubnetBCIDR AvailabilityZone: !Select [1, !Ref pAvailabilityZones] VpcId: !Ref rVPCManagement Tags: - Key: Name Value: Management DMZ Subnet B - Key: Environment Value: !Ref pEnvironment # -- Create the Route Table to Enable Internet Access for the Public Subnets -- # rRouteTableMgmtDMZ: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref rVPCManagement Tags: - Key: Name Value: Management DMZ Route rRouteAssocMgmtDMZA: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableMgmtDMZ SubnetId: !Ref rManagementDMZSubnetA rRouteAssocMgmtDMZB: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableMgmtDMZ SubnetId: !Ref rManagementDMZSubnetB rRouteMgmtIGW: Type: AWS::EC2::Route DependsOn: rGWAttachmentMgmtIGW Properties: RouteTableId: !Ref rRouteTableMgmtDMZ GatewayId: !Ref rIGWManagement DestinationCidrBlock: 0.0.0.0/0 # -- Create the NAT Gateways -- # rEIPMgmtNatA: Type: AWS::EC2::EIP Properties: Domain: vpc rNATGatewaySubnetA: Type: AWS::EC2::NatGateway DependsOn: rIGWManagement Properties: AllocationId: !GetAtt rEIPMgmtNatA.AllocationId SubnetId: !Ref rManagementDMZSubnetA rEIPMgmtNatB: Type: AWS::EC2::EIP Properties: Domain: vpc rNATGatewaySubnetB: Type: AWS::EC2::NatGateway DependsOn: rIGWManagement Properties: AllocationId: !GetAtt rEIPMgmtNatB.AllocationId SubnetId: !Ref rManagementDMZSubnetB # -- Create the Private Subnets -- # rMgmtAppPrivateSubnetA: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pMgmtAppPrivateSubnetACIDR AvailabilityZone: !Select [0, !Ref pAvailabilityZones] VpcId: !Ref rVPCManagement Tags: - Key: Name Value: Management App Subnet A - Key: Environment Value: !Ref pEnvironment rMgmtAppPrivateSubnetB: Type: AWS::EC2::Subnet Properties: CidrBlock: !Ref pMgmtAppPrivateSubnetBCIDR AvailabilityZone: !Select [1, !Ref pAvailabilityZones] VpcId: !Ref rVPCManagement Tags: - Key: Name Value: Management App Subnet B - Key: Environment Value: !Ref pEnvironment # -- Create the Route Table for the Private Subnets to Access the Internet via the NAT Gateways -- # rRouteTableMgmtPrivateA: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref rVPCManagement Tags: - Key: Name Value: Management Private Route A rRouteTableMgmtPrivateB: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref rVPCManagement Tags: - Key: Name Value: Management Private Route B rMgmtAppPrivateSubnetAssociationA: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableMgmtPrivateA SubnetId: !Ref rMgmtAppPrivateSubnetA rMgmtAppPrivateSubnetAssociationB: Type: AWS::EC2::SubnetRouteTableAssociation Properties: RouteTableId: !Ref rRouteTableMgmtPrivateB SubnetId: !Ref rMgmtAppPrivateSubnetB rRouteMgmtPrivateNatGatewayA: Type: AWS::EC2::Route Properties: DestinationCidrBlock: 0.0.0.0/0 RouteTableId: !Ref rRouteTableMgmtPrivateA NatGatewayId: !Ref rNATGatewaySubnetA rRouteMgmtPrivateNatGatewayB: Type: AWS::EC2::Route Properties: DestinationCidrBlock: 0.0.0.0/0 RouteTableId: !Ref rRouteTableMgmtPrivateB NatGatewayId: !Ref rNATGatewaySubnetB # -- Create NACL rules for Public Subnets -- # rNACLPublic: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref rVPCManagement rNACLRuleAllowALLIngresPublic: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Protocol: -1 RuleAction: allow RuleNumber: 100 NetworkAclId: !Ref rNACLPublic rNACLRuleAllowALLEgressPublic: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Egress: true Protocol: -1 RuleAction: allow RuleNumber: 100 NetworkAclId: !Ref rNACLPublic rNACLAssocDMZPubSubnetA: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPublic SubnetId: !Ref rManagementDMZSubnetA rNACLAssocDMZPubSubnetB: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPublic SubnetId: !Ref rManagementDMZSubnetB # -- Create NACL rules for Private Subnets -- # rNACLPrivate: Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref rVPCManagement rNACLRuleAllowALLIngresPrivate: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Protocol: -1 RuleAction: allow RuleNumber: 100 NetworkAclId: !Ref rNACLPrivate rNACLRuleAllowALLEgressPrivate: Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: 0.0.0.0/0 Egress: true Protocol: -1 RuleAction: allow RuleNumber: 100 NetworkAclId: !Ref rNACLPrivate rNACLAssocAppPrivSubnetA: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPrivate SubnetId: !Ref rMgmtAppPrivateSubnetA rNACLAssocAppPrivSubnetB: Type: AWS::EC2::SubnetNetworkAclAssociation Properties: NetworkAclId: !Ref rNACLPrivate SubnetId: !Ref rMgmtAppPrivateSubnetB # -- Create FlowLogs and CloudWatch Logs Group including Service Role policy. -- # rManagementVpcFlowLogsServiceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Sid: AllowFlowLogs Effect: Allow Principal: Service: vpc-flow-logs.amazonaws.com Action: sts:AssumeRole Path: / Policies: - PolicyName: cloudwatchlogsrole PolicyDocument: Version: 2012-10-17 Statement: - Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams Effect: Allow Resource: '*' rManagementVpcFlowLogGroup: Type: AWS::Logs::LogGroup Properties: RetentionInDays: 90 rManagementVpcFlowLog: Type: AWS::EC2::FlowLog Properties: DeliverLogsPermissionArn: !GetAtt rManagementVpcFlowLogsServiceRole.Arn LogGroupName: !Ref rManagementVpcFlowLogGroup ResourceId: !Ref rVPCManagement ResourceType: VPC TrafficType: ALL Outputs: rVPCManagement: Value: !Ref rVPCManagement Export: Name: eVPCManagement pManagementVPCName: Value: !Ref pManagementVPCName pManagementVpcCIDR: Value: !Ref pManagementVpcCIDR Export: Name: eManagementVpcCIDR rManagementDMZSubnetA: Value: !Ref rManagementDMZSubnetA rManagementDMZSubnetB: Value: !Ref rManagementDMZSubnetB rMgmtAppPrivateSubnetA: Value: !Ref rMgmtAppPrivateSubnetA rMgmtAppPrivateSubnetB: Value: !Ref rMgmtAppPrivateSubnetB rNACLPrivate: Value: !Ref rNACLPrivate rNACLPublic: Value: !Ref rNACLPublic rRouteTableMgmtPublic: Value: !Ref rRouteTableMgmtDMZ rRouteTableMgmtPrivateA: Value: !Ref rRouteTableMgmtPrivateA Export: Name: eRouteTableMgmtPrivateA rRouteTableMgmtPrivateB: Value: !Ref rRouteTableMgmtPrivateB Export: Name: eRouteTableMgmtPrivateB rManagementVpcFlowLogGroup: Value: !Ref rManagementVpcFlowLogGroup