AWSTemplateFormatVersion: '2010-09-09' Description: >- This template creates a Multi-AZ, multi-subnet VPC infrastructure with managed NAT gateways in the public subnet for each Availability Zone. You can also create additional private subnets with dedicated custom network access control lists (ACLs). If you deploy the Quick Start in a region that doesn't support NAT gateways, NAT instances are deployed instead. **WARNING** This template creates AWS resources. You will be billed for the AWS resources used if you create a stack from this template. SO0016vpc. Version %%VERSION%% Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Availability Zone Configuration Parameters: - AvailabilityZones - Label: default: Network Configuration Parameters: - VPCCIDR - PrivateSubnet1ACIDR - PrivateSubnet2ACIDR - PublicSubnet1CIDR - PublicSubnet2CIDR - CreateAdditionalPrivateSubnets - PrivateSubnet1BCIDR - PrivateSubnet2BCIDR - Label: default: Amazon EC2 Configuration Parameters: - KeyPairName - NATInstanceType ParameterLabels: AvailabilityZones: default: Availability Zones CreateAdditionalPrivateSubnets: default: Create additional private subnets with dedicated network ACLs KeyPairName: default: Key pair name NATInstanceType: default: NAT instance type PrivateSubnet1ACIDR: default: Private subnet 1A CIDR PrivateSubnet1BCIDR: default: Private subnet 1B with dedicated network ACL CIDR PrivateSubnet2ACIDR: default: Private subnet 2A CIDR PrivateSubnet2BCIDR: default: Private subnet 2B with dedicated network ACL CIDR PublicSubnet1CIDR: default: Public subnet 1 CIDR PublicSubnet2CIDR: default: Public subnet 2 CIDR VPCCIDR: default: VPC CIDR Parameters: AvailabilityZones: Description: 'List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved.' Type: List CreateAdditionalPrivateSubnets: AllowedValues: - 'true' - 'false' Default: 'false' Description: Set to true to create a network ACL protected subnet in each Availability Zone. If false, the CIDR parameters for those subnets will be ignored. Type: String KeyPairName: Description: Public/private key pairs allow you to securely connect to your NAT instance after it launches. This is used only if the region does not support NAT gateways. Type: AWS::EC2::KeyPair::KeyName NATInstanceType: AllowedValues: - t2.nano - t2.micro - t2.small - t2.medium - t2.large Default: t2.small Description: Amazon EC2 instance type for the NAT instances. This is used only if the region does not support NAT gateways. Type: String PrivateSubnet1ACIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/19 Description: CIDR block for private subnet 1A located in Availability Zone 1 Type: String PrivateSubnet1BCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.192.0/21 Description: CIDR block for private subnet 1B with dedicated network ACL located in Availability Zone 1 Type: String PrivateSubnet2ACIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.32.0/19 Description: CIDR block for private subnet 2A located in Availability Zone 2 Type: String PrivateSubnet2BCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.200.0/21 Description: CIDR block for private subnet 2B with dedicated network ACL located in Availability Zone 2 Type: String PublicSubnet1CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.128.0/20 Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1 Type: String PublicSubnet2CIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.144.0/20 Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2 Type: String VPCCIDR: AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 Default: 10.0.0.0/16 Description: CIDR block for the VPC Type: String Mappings: AWSAMIRegionMap: AMI: AWSNATHVM: amzn-ami-vpc-nat-hvm-2016.03.3.x86_64-ebs ap-northeast-1: AWSNATHVM: ami-2443b745 ap-northeast-2: AWSNATHVM: ami-d14388bf ap-south-1: AWSNATHVM: ami-e2b9d38d ap-southeast-1: AWSNATHVM: ami-a79b49c4 ap-southeast-2: AWSNATHVM: ami-53371f30 ca-central-1: AWSNATHVM: ami-32f14356 eu-central-1: AWSNATHVM: ami-5825cd37 eu-west-1: AWSNATHVM: ami-a8dd45db eu-west-2: AWSNATHVM: ami-6b4d470f sa-east-1: AWSNATHVM: ami-9336bcff us-east-1: AWSNATHVM: ami-4868ab25 us-east-2: AWSNATHVM: ami-92a6fef7 us-west-1: AWSNATHVM: ami-004b0f60 us-west-2: AWSNATHVM: ami-a275b1c2 Conditions: AdditionalPrivateSubnetsCondition: !Equals - !Ref 'CreateAdditionalPrivateSubnets' - 'true' NATInstanceCondition: !Or - !Equals - !Ref 'AWS::Region' - us-gov-west-1 - !Equals - !Ref 'AWS::Region' - cn-north-1 NATGatewayCondition: !Not - !Condition 'NATInstanceCondition' NVirginiaRegionCondition: !Equals - !Ref 'AWS::Region' - us-east-1 VPCEndpointCondition: !Not - !Or - !Equals - !Ref 'AWS::Region' - us-gov-west-1 - !Equals - !Ref 'AWS::Region' - cn-north-1 Resources: FlowLogRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: vpc-flow-logs.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: flowlogs-policy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams Resource: !GetAtt FlowLogGroup.Arn FlowLogGroup: Type: AWS::Logs::LogGroup Metadata: cfn_nag: rules_to_suppress: - id: W84 reason: Log group is already encrypted with a key managed by CloudWatch - id: W86 reason: RetentionInDays for the log group is omitted to preserve data indefinitely FlowLog: Type: AWS::EC2::FlowLog Properties: DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn LogGroupName: !Ref FlowLogGroup ResourceId: !Ref VPC ResourceType: VPC TrafficType: ALL DHCPOptions: Type: AWS::EC2::DHCPOptions Properties: DomainName: !If - NVirginiaRegionCondition - ec2.internal - !Join - '' - - !Ref 'AWS::Region' - .compute.internal DomainNameServers: - AmazonProvidedDNS VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref 'VPCCIDR' EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Ref 'AWS::StackName' VPCDHCPOptionsAssociation: Type: AWS::EC2::VPCDHCPOptionsAssociation Properties: VpcId: !Ref 'VPC' DhcpOptionsId: !Ref 'DHCPOptions' InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Network Value: Public VPCGatewayAttachment: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref 'VPC' InternetGatewayId: !Ref 'InternetGateway' PrivateSubnet1A: Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPC' CidrBlock: !Ref 'PrivateSubnet1ACIDR' AvailabilityZone: !Select - '0' - !Ref 'AvailabilityZones' Tags: - Key: Name Value: Private subnet 1A - Key: Network Value: Private PrivateSubnet1B: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPC' CidrBlock: !Ref 'PrivateSubnet1BCIDR' AvailabilityZone: !Select - '0' - !Ref 'AvailabilityZones' Tags: - Key: Name Value: Private subnet 1B - Key: Network Value: Private PrivateSubnet2A: Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPC' CidrBlock: !Ref 'PrivateSubnet2ACIDR' AvailabilityZone: !Select - '1' - !Ref 'AvailabilityZones' Tags: - Key: Name Value: Private subnet 2A - Key: Network Value: Private PrivateSubnet2B: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::Subnet Properties: VpcId: !Ref 'VPC' CidrBlock: !Ref 'PrivateSubnet2BCIDR' AvailabilityZone: !Select - '1' - !Ref 'AvailabilityZones' Tags: - Key: Name Value: Private subnet 2B - Key: Network Value: Private PublicSubnet1: Type: AWS::EC2::Subnet Metadata: cfn_nag: rules_to_suppress: - id: W33 reason: The subnet is a public subnet and hence instances in the public subnet require public ip Properties: VpcId: !Ref 'VPC' CidrBlock: !Ref 'PublicSubnet1CIDR' AvailabilityZone: !Select - '0' - !Ref 'AvailabilityZones' Tags: - Key: Name Value: Public subnet 1 - Key: Network Value: Public MapPublicIpOnLaunch: true PublicSubnet2: Type: AWS::EC2::Subnet Metadata: cfn_nag: rules_to_suppress: - id: W33 reason: The subnet is a public subnet and hence instances in the public subnet require public ip Properties: VpcId: !Ref 'VPC' CidrBlock: !Ref 'PublicSubnet2CIDR' AvailabilityZone: !Select - '1' - !Ref 'AvailabilityZones' Tags: - Key: Name Value: Public subnet 2 - Key: Network Value: Public MapPublicIpOnLaunch: true PrivateSubnet1ARouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' Tags: - Key: Name Value: Private subnet 1A - Key: Network Value: Private PrivateSubnet1ARoute: Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'PrivateSubnet1ARouteTable' DestinationCidrBlock: '0.0.0.0/0' InstanceId: !If - NATInstanceCondition - !Ref 'NATInstance1' - !Ref 'AWS::NoValue' NatGatewayId: !If - NATGatewayCondition - !Ref 'NATGateway1' - !Ref 'AWS::NoValue' PrivateSubnet1ARouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'PrivateSubnet1A' RouteTableId: !Ref 'PrivateSubnet1ARouteTable' PrivateSubnet2ARouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' Tags: - Key: Name Value: Private subnet 2A - Key: Network Value: Private PrivateSubnet2ARoute: Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'PrivateSubnet2ARouteTable' DestinationCidrBlock: '0.0.0.0/0' InstanceId: !If - NATInstanceCondition - !Ref 'NATInstance2' - !Ref 'AWS::NoValue' NatGatewayId: !If - NATGatewayCondition - !Ref 'NATGateway2' - !Ref 'AWS::NoValue' PrivateSubnet2ARouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'PrivateSubnet2A' RouteTableId: !Ref 'PrivateSubnet2ARouteTable' PrivateSubnet1BRouteTable: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' Tags: - Key: Name Value: Private subnet 1B - Key: Network Value: Private PrivateSubnet1BRoute: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'PrivateSubnet1BRouteTable' DestinationCidrBlock: '0.0.0.0/0' InstanceId: !If - NATInstanceCondition - !Ref 'NATInstance1' - !Ref 'AWS::NoValue' NatGatewayId: !If - NATGatewayCondition - !Ref 'NATGateway1' - !Ref 'AWS::NoValue' PrivateSubnet1BRouteTableAssociation: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'PrivateSubnet1B' RouteTableId: !Ref 'PrivateSubnet1BRouteTable' PrivateSubnet1BNetworkAcl: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref 'VPC' Tags: - Key: Name Value: NACL Protected subnet 1 - Key: Network Value: NACL Protected PrivateSubnet1BNetworkAclEntryInbound: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::NetworkAclEntry Metadata: cfn_nag: rules_to_suppress: - id: W66 reason: Solution uses security groups to control access to resources Properties: CidrBlock: '0.0.0.0/0' Egress: false NetworkAclId: !Ref 'PrivateSubnet1BNetworkAcl' Protocol: -1 RuleAction: allow RuleNumber: 100 PrivateSubnet1BNetworkAclEntryOutbound: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::NetworkAclEntry Metadata: cfn_nag: rules_to_suppress: - id: W66 reason: Solution uses security groups to control access to resources Properties: CidrBlock: '0.0.0.0/0' Egress: true NetworkAclId: !Ref 'PrivateSubnet1BNetworkAcl' Protocol: -1 RuleAction: allow RuleNumber: 100 PrivateSubnet1BNetworkAclAssociation: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref 'PrivateSubnet1B' NetworkAclId: !Ref 'PrivateSubnet1BNetworkAcl' PrivateSubnet2BRouteTable: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' Tags: - Key: Name Value: Private subnet 2B - Key: Network Value: Private PrivateSubnet2BRoute: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'PrivateSubnet2BRouteTable' DestinationCidrBlock: '0.0.0.0/0' InstanceId: !If - NATInstanceCondition - !Ref 'NATInstance2' - !Ref 'AWS::NoValue' NatGatewayId: !If - NATGatewayCondition - !Ref 'NATGateway2' - !Ref 'AWS::NoValue' PrivateSubnet2BRouteTableAssociation: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'PrivateSubnet2B' RouteTableId: !Ref 'PrivateSubnet2BRouteTable' PrivateSubnet2BNetworkAcl: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::NetworkAcl Properties: VpcId: !Ref 'VPC' Tags: - Key: Name Value: NACL Protected subnet 2 - Key: Network Value: NACL Protected PrivateSubnet2BNetworkAclEntryInbound: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::NetworkAclEntry Metadata: cfn_nag: rules_to_suppress: - id: W66 reason: Solution uses security groups to control access to resources Properties: CidrBlock: '0.0.0.0/0' Egress: false NetworkAclId: !Ref 'PrivateSubnet2BNetworkAcl' Protocol: -1 RuleAction: allow RuleNumber: 100 PrivateSubnet2BNetworkAclEntryOutbound: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::NetworkAclEntry Metadata: cfn_nag: rules_to_suppress: - id: W66 reason: Solution uses security groups to control access to resources Properties: CidrBlock: '0.0.0.0/0' Egress: true NetworkAclId: !Ref 'PrivateSubnet2BNetworkAcl' Protocol: -1 RuleAction: allow RuleNumber: 100 PrivateSubnet2BNetworkAclAssociation: Condition: AdditionalPrivateSubnetsCondition Type: AWS::EC2::SubnetNetworkAclAssociation Properties: SubnetId: !Ref 'PrivateSubnet2B' NetworkAclId: !Ref 'PrivateSubnet2BNetworkAcl' PublicSubnetRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref 'VPC' Tags: - Key: Name Value: Public Subnets - Key: Network Value: Public PublicSubnetRoute: DependsOn: VPCGatewayAttachment Type: AWS::EC2::Route Properties: RouteTableId: !Ref 'PublicSubnetRouteTable' DestinationCidrBlock: '0.0.0.0/0' GatewayId: !Ref 'InternetGateway' PublicSubnet1RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'PublicSubnet1' RouteTableId: !Ref 'PublicSubnetRouteTable' PublicSubnet2RouteTableAssociation: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref 'PublicSubnet2' RouteTableId: !Ref 'PublicSubnetRouteTable' NAT1EIP: DependsOn: VPCGatewayAttachment Type: AWS::EC2::EIP Properties: Domain: vpc InstanceId: !If - NATInstanceCondition - !Ref 'NATInstance1' - !Ref 'AWS::NoValue' NAT2EIP: DependsOn: VPCGatewayAttachment Type: AWS::EC2::EIP Properties: Domain: vpc InstanceId: !If - NATInstanceCondition - !Ref 'NATInstance2' - !Ref 'AWS::NoValue' NATGateway1: Condition: NATGatewayCondition DependsOn: VPCGatewayAttachment Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt 'NAT1EIP.AllocationId' SubnetId: !Ref 'PublicSubnet1' NATGateway2: Condition: NATGatewayCondition DependsOn: VPCGatewayAttachment Type: AWS::EC2::NatGateway Properties: AllocationId: !GetAtt 'NAT2EIP.AllocationId' SubnetId: !Ref 'PublicSubnet2' NATInstance1: Condition: NATInstanceCondition DependsOn: VPCGatewayAttachment Type: AWS::EC2::Instance Properties: ImageId: !FindInMap - AWSAMIRegionMap - !Ref 'AWS::Region' - AWSNATHVM InstanceType: !Ref 'NATInstanceType' Tags: - Key: Name Value: NAT1 NetworkInterfaces: - GroupSet: - !Ref 'NATInstanceSecurityGroup' AssociatePublicIpAddress: true DeviceIndex: '0' DeleteOnTermination: true SubnetId: !Ref 'PublicSubnet1' KeyName: !If - NATInstanceCondition - !Ref 'KeyPairName' - !Ref 'AWS::NoValue' SourceDestCheck: false NATInstance2: Condition: NATInstanceCondition DependsOn: VPCGatewayAttachment Type: AWS::EC2::Instance Properties: ImageId: !FindInMap - AWSAMIRegionMap - !Ref 'AWS::Region' - AWSNATHVM InstanceType: !Ref 'NATInstanceType' Tags: - Key: Name Value: NAT2 NetworkInterfaces: - GroupSet: - !Ref 'NATInstanceSecurityGroup' AssociatePublicIpAddress: true DeviceIndex: '0' DeleteOnTermination: true SubnetId: !Ref 'PublicSubnet2' KeyName: !If - NATInstanceCondition - !Ref 'KeyPairName' - !Ref 'AWS::NoValue' SourceDestCheck: false NATInstanceSecurityGroup: Condition: NATInstanceCondition Type: AWS::EC2::SecurityGroup Metadata: cfn_nag: rules_to_suppress: - id: W42 reason: Security group is for the NAT instance. Instances behind the NAT may have varied protocols to communicate - id: W27 reason: Security group is for the NAT instance. Instances behind the NAT may have range of ports to communicate. - id: F1000 reason: NAT instance allow all outgoing protocols Properties: GroupDescription: Enables outbound internet access for the VPC via the NAT instances VpcId: !Ref 'VPC' SecurityGroupIngress: - Description: Allow all ibound traffic IpProtocol: '-1' FromPort: 1 ToPort: 65535 CidrIp: !Ref 'VPCCIDR' S3Endpoint: Condition: VPCEndpointCondition Type: AWS::EC2::VPCEndpoint Properties: PolicyDocument: Version: '2012-10-17' Statement: - Action: '*' Effect: Allow Resource: '*' Principal: '*' RouteTableIds: - !Ref 'PrivateSubnet1ARouteTable' - !Ref 'PrivateSubnet2ARouteTable' - !If - AdditionalPrivateSubnetsCondition - !Ref 'PrivateSubnet1BRouteTable' - !Ref 'AWS::NoValue' - !If - AdditionalPrivateSubnetsCondition - !Ref 'PrivateSubnet2BRouteTable' - !Ref 'AWS::NoValue' ServiceName: !Join - '' - - com.amazonaws. - !Ref 'AWS::Region' - .s3 VpcId: !Ref 'VPC' Outputs: NAT1EIP: Description: NAT Gateway 1 IP address Value: !Ref 'NAT1EIP' NAT2EIP: Description: NAT Gateway 2 IP address Value: !Ref 'NAT2EIP' PrivateSubnet1ACIDR: Description: Private subnet 1A CIDR in Availability Zone 1 Value: !Ref 'PrivateSubnet1ACIDR' PrivateSubnet1AID: Description: Private subnet 1A ID in Availability Zone 1 Value: !Ref 'PrivateSubnet1A' PrivateSubnet1BCIDR: Condition: AdditionalPrivateSubnetsCondition Description: Private subnet 1B CIDR in Availability Zone 1 Value: !Ref 'PrivateSubnet1BCIDR' PrivateSubnet1BID: Condition: AdditionalPrivateSubnetsCondition Description: Private subnet 1B ID in Availability Zone 1 Value: !Ref 'PrivateSubnet1B' PrivateSubnet2ACIDR: Description: Private subnet 2A CIDR in Availability Zone 2 Value: !Ref 'PrivateSubnet2ACIDR' PrivateSubnet2AID: Description: Private subnet 2A ID in Availability Zone 2 Value: !Ref 'PrivateSubnet2A' PrivateSubnet2BCIDR: Condition: AdditionalPrivateSubnetsCondition Description: Private subnet 2B CIDR in Availability Zone 2 Value: !Ref 'PrivateSubnet2BCIDR' PrivateSubnet2BID: Condition: AdditionalPrivateSubnetsCondition Description: Private subnet 2B ID in Availability Zone 2 Value: !Ref 'PrivateSubnet2B' PublicSubnet1CIDR: Description: Public subnet 1 CIDR in Availability Zone 1 Value: !Ref 'PublicSubnet1CIDR' PublicSubnet1ID: Description: Public subnet 1 ID in Availability Zone 1 Value: !Ref 'PublicSubnet1' PublicSubnet2CIDR: Description: Public subnet 2 CIDR in Availability Zone 2 Value: !Ref 'PublicSubnet2CIDR' PublicSubnet2ID: Description: Public subnet 2 ID in Availability Zone 2 Value: !Ref 'PublicSubnet2' VPCCIDR: Value: !Ref 'VPCCIDR' Description: VPC CIDR VPCID: Value: !Ref 'VPC' Description: VPC ID