@Vadim-Zenin
Created September 2, 2018 19:50
Creating a VPC environment in Amazon AWS for a test environment by script.
@echo on
:: *****************************************************************************
:: Author: Vadim Zenin http://vadimzenin.blogspot.com
:: Version: 0.90
:: Date: 2012-02-07 11:22:03
:: Creating a VPC environment in Amazon AWS for a test environment
::
:: Usage: %SCRIPTNAME%
::
:: THE SCRIPT IS VERY OLD (it drives the legacy ec2-api-tools Java command line, long since replaced by the AWS CLI). PLEASE DO NOT USE IT
::
:: Limits (VPC limits as documented in 2012):
:: Number of VPC security groups per VPC 50
:: Number of rules per VPC security group 50
:: Number of VPC security groups a VPC instance can be in 5
:: Number of network ACLs per VPC 10
:: Number of rules per network ACL 20 (per direction, so 20 ingress and 20 egress rules)
:: http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html
::
:: Tested platform:
:: Windows 7 x64 SP1
:: java version "1.6.0_31"
:: Java(TM) SE Runtime Environment (build 1.6.0_31-b05)
:: Java HotSpot(TM) Client VM (build 20.2-b06, mixed mode, sharing)
::
:: Version 0.90 revision:
::
:: This code is made available as is, without warranty of any kind. The entire
:: risk of the use or the results from the use of this code remains with the user.
:: *****************************************************************************
::@echo off
@SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
:: Grab a file name and extension only
::FOR %%I IN ( "%0" ) DO SET SCRIPTNAME=%%~nxI
SET SCRIPTNAME=%~nx0
:: Grab a file name only (prefix)
SET SCRIPTONLYNAME=%~n0
:: Strip double quotes
SET SCRIPTNAME=%SCRIPTNAME:"=%
SET SCRIPTONLYNAME=%SCRIPTONLYNAME:"=%
:: Strip spaces
SET SCRIPTONLYNAME=%SCRIPTONLYNAME: =%
echo SCRIPTONLYNAME: %SCRIPTONLYNAME%
SET VERSION=1
SET AWSENV=vpc
:: Set your region
SET AWSREGION=us-west-1
:: Availability Zone suffix (a, b, c, ...); which suffixes exist depends on the region
SET SUBNETZONE=%AWSREGION%c
SET MYENV=%AWSENV%_%AWSREGION%
SET LOGDIR=q:\Amazon\VPC_test\%MYENV%
SET DOCDIR=%LOGDIR%\var
SET MYREGIONURL=https://ec2.%AWSREGION%.amazonaws.com
SET VPCNETPREF=10.100.
SET VPCNET=%VPCNETPREF%0.0/16
SET SUBNETPREFWEB=%VPCNETPREF%100.
SET SUBNETPREFAPP=%VPCNETPREF%101.
SET SUBNETPREFDB=%VPCNETPREF%102.
SET SUBNETPREFFRONT=%VPCNETPREF%104.
SET SUBNETWEB=%SUBNETPREFWEB%0/24
SET SUBNETAPP=%SUBNETPREFAPP%0/24
SET SUBNETWEBAPP=%SUBNETPREFWEB%0/23
SET SUBNETDB=%SUBNETPREFDB%0/24
SET SUBNETFRONT=%SUBNETPREFFRONT%0/24
SET SNETFRONTSNETLB=%SUBNETPREFFRONT%200/29
SET SNETFRONTSNETNAT=%SUBNETPREFFRONT%232/29
SET SNETFRONTSNETVPN=%SUBNETPREFFRONT%240/29
SET IPPRIVNAT=%SUBNETPREFFRONT%233
:: NAT instance AMI (Amazon's ami-vpc-nat image; the ID is region specific)
::us-east-1
::SET AMINAT=ami-d8699bb1
::us-west-1
SET AMINAT=ami-c7cc9e82
:: Ubuntu ami from https://help.ubuntu.com/community/EC2StartersGuide
::us-east-1
::SET AMIUBUNTU=ami-6ba27502
::us-west-1
SET AMIUBUNTU=ami-d986a39c
SET AMIWEB=%AMIUBUNTU%
SET IPPRIVVPNMAN=%SUBNETPREFFRONT%241
:: New or own VPN manager AMI
SET AMIVPNMAN=%AMIUBUNTU%
:: Elastic IP for the VPN manager. If the value is 0 a new Elastic IP is allocated
::SET IPVPNMAN=22.22.22.22
SET IPVPNMAN=0
:: The key pair must exist in the region before the script is launched
SET PAIRKEY=test-%AWSREGION%-key
SET SGROUPNAMEPREFIX=%MYENV%_%VERSION%_
SET IPLISTWEBSRV=(%SUBNETPREFWEB%10 %SUBNETPREFWEB%20)
SET IPLISTOFFICESOUT=(89.101.128.90/32 82.117.202.38/32)
SET IPLISTOFFICESINSIDE=(10.150.8.0/21 10.190.16.0/24)
SET PORTSFRONTTOWEB=(80-81 443)
SET PORTSWEBTOAPP=(9551-9557 8983 11210-11211)
SET PORTSTOINET=(80 443)
SET PORTSAPPTOWEB=(80-81 443)
SET PORTSAPPTODB=(1433)
:: If TEST=0 - execute the basic configuration (almost everything)
:: If TEST=1 - skip creation of the network ACL rules and security group rules
:: If TEST=2 - basic configuration plus the WEB server instances, launched with the default SG in addition to the WEB SG
SET TEST=2
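The address plan above is fixed by SET lines and nothing checks it before the script starts creating subnets and launching instances with fixed private addresses. The following Python is an added example, not part of the gist: it validates that plan offline with the standard ipaddress module, checking that every subnet lies inside the VPC CIDR and none overlap, that SUBNETWEBAPP is exactly the WEB and APP /24s, that the /29 carve-outs for the load balancer, NAT and VPN blocks sit inside the FRONT subnet, that the fixed private addresses fall in their block and avoid the five addresses AWS reserves in every subnet, and that the office ranges routed through the VPN manager do not overlap the VPC. The CIDRs and addresses are the script's values; the check_plan and aws_reserved functions, the block names and the problem strings are assumptions made for this example.

```python
"""Offline checks for the VPC address plan hard-coded in the script's SET lines.

Added example: the CIDRs and host addresses below are the script's values,
the checks themselves are not part of the script.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

VPCNET = ip_network("10.100.0.0/16")
SUBNETS = {                      # SUBNETWEB, SUBNETAPP, SUBNETDB, SUBNETFRONT
    "WEB": ip_network("10.100.100.0/24"),
    "APP": ip_network("10.100.101.0/24"),
    "DB": ip_network("10.100.102.0/24"),
    "FRONT": ip_network("10.100.104.0/24"),
}
SUBNETWEBAPP = ip_network("10.100.100.0/23")   # used by the FRONT ACL to mean "WEB and APP"
FRONT_BLOCKS = {                 # SNETFRONTSNETLB, SNETFRONTSNETNAT, SNETFRONTSNETVPN
    "LB": ip_network("10.100.104.200/29"),
    "NAT": ip_network("10.100.104.232/29"),
    "VPN": ip_network("10.100.104.240/29"),
}
HOSTS = {                        # --private-ip-address values and the block they belong to
    "nat01": (ip_address("10.100.104.233"), "NAT"),
    "vpnman01": (ip_address("10.100.104.241"), "VPN"),
    "web01": (ip_address("10.100.100.10"), "WEB"),
    "web02": (ip_address("10.100.100.20"), "WEB"),
}
OFFICE_INSIDE = [ip_network("10.150.8.0/21"), ip_network("10.190.16.0/24")]  # IPLISTOFFICESINSIDE


def aws_reserved(subnet):
    """AWS reserves the first four addresses and the last address of every subnet."""
    first = int(subnet.network_address)
    return {ip_address(first + i) for i in range(4)} | {subnet.broadcast_address}


def check_plan():
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems = []
    for name, net in SUBNETS.items():
        if not net.subnet_of(VPCNET):
            problems.append(f"{name} {net} is outside the VPC {VPCNET}")
    for (a, na), (b, nb) in combinations(SUBNETS.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    # the /23 must cover WEB and APP and nothing else, or FRONT ACL rules 450/452 open more than intended
    covered = {n for n, net in SUBNETS.items() if net.subnet_of(SUBNETWEBAPP)}
    if covered != {"WEB", "APP"}:
        problems.append(f"SUBNETWEBAPP {SUBNETWEBAPP} covers {sorted(covered)}, expected WEB and APP")
    for name, blk in FRONT_BLOCKS.items():
        if not blk.subnet_of(SUBNETS["FRONT"]):
            problems.append(f"FRONT block {name} {blk} is outside FRONT {SUBNETS['FRONT']}")
    for (a, ba), (b, bb) in combinations(FRONT_BLOCKS.items(), 2):
        if ba.overlaps(bb):
            problems.append(f"FRONT blocks {a} {ba} and {b} {bb} overlap")
    blocks = {**SUBNETS, **FRONT_BLOCKS}
    for host, (addr, where) in HOSTS.items():
        if addr not in blocks[where]:
            problems.append(f"{host} {addr} is not in {where} {blocks[where]}")
        parent = next((s for s in SUBNETS.values() if addr in s), None)
        if parent is None:
            problems.append(f"{host} {addr} is in no subnet")
        elif addr in aws_reserved(parent):
            problems.append(f"{host} {addr} is an address AWS reserves in {parent}")
    # the office LANs are routed to the VPN instance; an overlap with the VPC would shadow local traffic
    for net in OFFICE_INSIDE:
        if net.overlaps(VPCNET):
            problems.append(f"office range {net} overlaps the VPC {VPCNET}")
    return problems


if __name__ == "__main__":
    for line in check_plan() or ["address plan OK"]:
        print(line)
```

With the script's values check_plan returns no problems; change a subnet to 10.100.104.0/23 or move nat01 to 10.100.104.2 and the corresponding overlap or reserved-address line appears, before any API call is made.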
:: =============================================================================
@echo on
SET SRVPREF=%AWSREGION:-=%
SET SRVPREF=%SRVPREF:~0,3%
SET VPC_ID=
SET RETURN=0
:: ***Start of code to set date/time variables for filename*****************
:: The %date% format depends on the regional settings (XP prints it without the day of week,
:: Windows 2003 with it); the tokens below assume dd/mm/yyyy with no day-of-week prefix.
FOR /F "TOKENS=1-3 DELIMS=/" %%a IN ("%date%") DO SET dd=%%a&SET mm=%%b&SET yy=%%c
FOR /F "TOKENS=1-3 DELIMS=:." %%a IN ("%time%") DO SET hh=%%a&SET tt=%%b&SET ss=%%c
:: Replace space by 0
SET hh=%hh: =0%
:: echo "%yy%-%mm%-%dd% %hh%h.%tt%m.%ss%s"
:: ***End of code to set date/time variables for filename***
SET FILEDATE=%yy%%mm%%dd%-%hh%%tt%
SET LOGFILE=%LOGDIR%\%SCRIPTNAME%_%FILEDATE%.log
::goto WEBSRVS
if not exist %LOGDIR% md %LOGDIR%
echo. >%LOGFILE%
echo ============================================================================= >>%LOGFILE%
echo %DATE% %TIME% %SCRIPTNAME% has started >>%LOGFILE%
echo ============================================================================= >>%LOGFILE%
::goto TEST
@if not exist %DOCDIR% (
md %DOCDIR%
) else (
echo "Deleting %DOCDIR%\*.txt"
erase /Q %DOCDIR%\*.txt
)
:: Test Java
%JAVA_HOME%\bin\java -version
::ec2-describe-regions
::REGION eu-west-1 ec2.eu-west-1.amazonaws.com
::REGION sa-east-1 ec2.sa-east-1.amazonaws.com
::REGION us-east-1 ec2.us-east-1.amazonaws.com
::REGION ap-northeast-1 ec2.ap-northeast-1.amazonaws.com
::REGION us-west-2 ec2.us-west-2.amazonaws.com
::REGION us-west-1 ec2.us-west-1.amazonaws.com
::REGION ap-southeast-1 ec2.ap-southeast-1.amazonaws.com
@echo "My configured AWS region is %MYREGIONURL%"
@if "%EC2_URL%"=="%MYREGIONURL%" (
@echo "My AWS region is %EC2_URL%. No changes needed."
) else (
@echo "Current AWS region is %EC2_URL%"
REM SETX writes the user environment for new consoles only; this session keeps the old EC2_URL, so stop here and re-run from a fresh console
@SETX EC2_URL "%MYREGIONURL%"
@echo "AWS region has changed."
@echo "AWS region has changed to %MYREGIONURL%" >>%LOGFILE%
pause
exit 128
)
::pause
::goto RUN
::exit /b 0
:: CREATE VPC
cmd /c "ec2-create-vpc.cmd %VPCNET% >%DOCDIR%\VPC_ID.txt"
@echo Waiting for AWS
@ping localhost -n 5 > nul
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\VPC_ID.txt) DO SET "VPC_ID=%%b"
if "%VPC_ID%"=="" (
@echo "VPC was not created. Stopping."
exit /b 64
) else (
SET VPC_ID=%VPC_ID: =%
@echo "%VPC_ID%"
type %DOCDIR%\VPC_ID.txt >>%LOGFILE%
)
:: CREATE Subnets
@echo ## %time% subnet creation >>%LOGFILE%
cmd /c "ec2-create-subnet -c %VPC_ID% -i %SUBNETWEB% -z %SUBNETZONE% >%DOCDIR%\SUBNET_WEB.txt"
@FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\SUBNET_WEB.txt) DO SET "SUBNET_WEB_ID=%%b"
:: Strip spaces
SET SUBNET_WEB_ID=%SUBNET_WEB_ID: =%
@echo "%SUBNET_WEB_ID%"
cmd /c "ec2-create-subnet -c %VPC_ID% -i %SUBNETAPP% -z %SUBNETZONE% >%DOCDIR%\SUBNET_APP.txt"
@FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\SUBNET_APP.txt) DO SET "SUBNET_APP_ID=%%b"
:: Strip spaces
SET SUBNET_APP_ID=%SUBNET_APP_ID: =%
@echo "%SUBNET_APP_ID%"
cmd /c "ec2-create-subnet -c %VPC_ID% -i %SUBNETDB% -z %SUBNETZONE% >%DOCDIR%\SUBNET_DB.txt"
@FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\SUBNET_DB.txt) DO SET "SUBNET_DB_ID=%%b"
:: Strip spaces
SET SUBNET_DB_ID=%SUBNET_DB_ID: =%
@echo "%SUBNET_DB_ID%"
cmd /c "ec2-create-subnet -c %VPC_ID% -i %SUBNETFRONT% -z %SUBNETZONE% >%DOCDIR%\SUBNET_FRONT.txt"
@FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\SUBNET_FRONT.txt) DO SET "SUBNET_FRONT_ID=%%b"
:: Strip spaces
SET SUBNET_FRONT_ID=%SUBNET_FRONT_ID: =%
@echo "%SUBNET_FRONT_ID%"
cmd /c "ec2-describe-subnets >>%LOGFILE%"
:: =============================================================================
@echo ## %time% Security Group creation >>%LOGFILE%
:: Find the default security group of the new VPC (filter by vpc-id so the default groups of other VPCs in the region are not matched)
cmd /c "ec2-describe-group --filter "vpc-id=%VPC_ID%" >%DOCDIR%\%VERSION%-SGROUP_DEFAULT.txt"
FOR /F "EOL=E TOKENS=1-6" %%a IN (%DOCDIR%\%VERSION%-SGROUP_DEFAULT.txt) DO (
IF /I "%%a"=="GROUP" (
echo "%%a, %%b, %%c, %%d, %%e, %%f"
IF /I "%%f"=="VPC" (
SET "SGROUP_DEFAULT_ID=%%b"
echo %%a %%b %%c >%DOCDIR%\%VERSION%-SGROUP_DEFAULT_ID.txt
)
)
)
:: Strip spaces
SET SGROUP_DEFAULT_ID=%SGROUP_DEFAULT_ID: =%
echo "%SGROUP_DEFAULT_ID%"
:: CREATE TEST IN OUT FULL Security GROUP
cmd /c "ec2-create-group %SGROUPNAMEPREFIX%TEST_IN_OUT_FULL -d "vpc-test_in_out_full_access_sec_group" -c %VPC_ID% >%DOCDIR%\%VERSION%-SGROUP_TEST_IN_OUT_FULL_temp.txt"
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\%VERSION%-SGROUP_TEST_IN_OUT_FULL_temp.txt) DO SET "SGROUP_TEST_IN_OUT_FULL_ID=%%b"
SET SGROUP_TEST_IN_OUT_FULL_ID=%SGROUP_TEST_IN_OUT_FULL_ID: =%
:: CREATE TEST INSIDE FULL Security GROUP
cmd /c "ec2-create-group %SGROUPNAMEPREFIX%TEST_INSIDE_FULL -d "vpc-test_inside_full_access_sec_group" -c %VPC_ID% >%DOCDIR%\%VERSION%-SGROUP_TEST_INSIDE_FULL_temp.txt"
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\%VERSION%-SGROUP_TEST_INSIDE_FULL_temp.txt) DO SET "SGROUP_TEST_INSIDE_FULL_ID=%%b"
SET SGROUP_TEST_INSIDE_FULL_ID=%SGROUP_TEST_INSIDE_FULL_ID: =%
:: CREATE OFFICE ACCESS instance Security GROUP
cmd /c "ec2-create-group %SGROUPNAMEPREFIX%OFFICE -d "vpc-OFFICE_sec_group" -c %VPC_ID% >%DOCDIR%\%VERSION%-SGROUP_OFFICE.txt"
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\%VERSION%-SGROUP_OFFICE.txt) DO SET "SGROUP_OFFICE_ID=%%b"
SET SGROUP_OFFICE_ID=%SGROUP_OFFICE_ID: =%
echo "%SGROUP_OFFICE_ID%"
:: CREATE VPNMAN instance Security GROUP
cmd /c "ec2-create-group %SGROUPNAMEPREFIX%VPNMAN -d "vpc-VPNMAN_sec_group" -c %VPC_ID% >%DOCDIR%\%VERSION%-SGROUP_VPNMAN.txt"
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\%VERSION%-SGROUP_VPNMAN.txt) DO SET "SGROUP_VPNMAN_ID=%%b"
SET SGROUP_VPNMAN_ID=%SGROUP_VPNMAN_ID: =%
echo "%SGROUP_VPNMAN_ID%"
:: CREATE WEB LB Security GROUP
cmd /c "ec2-create-group %SGROUPNAMEPREFIX%WEBLB -d "vpc-WEB_LB_sec_group" -c %VPC_ID% >%DOCDIR%\%VERSION%-SGROUP_WEBLB.txt"
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\%VERSION%-SGROUP_WEBLB.txt) DO SET "SGROUP_WEBLB_ID=%%b"
SET SGROUP_WEBLB_ID=%SGROUP_WEBLB_ID: =%
echo "%SGROUP_WEBLB_ID%"
:: CREATE WEB SERVERS Security GROUP
cmd /c "ec2-create-group %SGROUPNAMEPREFIX%WEBSRV -d "vpc-WEB_Servers_sec_group" -c %VPC_ID% >%DOCDIR%\%VERSION%-SGROUP_WEBSRV.txt"
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\%VERSION%-SGROUP_WEBSRV.txt) DO SET "SGROUP_WEBSRV_ID=%%b"
SET SGROUP_WEBSRV_ID=%SGROUP_WEBSRV_ID: =%
echo "%SGROUP_WEBSRV_ID%"
:: CREATE APP SERVERS Security GROUP
cmd /c "ec2-create-group %SGROUPNAMEPREFIX%APPSRV -d "vpc-APP_Servers_sec_group" -c %VPC_ID% >%DOCDIR%\%VERSION%-SGROUP_APPSRV.txt"
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\%VERSION%-SGROUP_APPSRV.txt) DO SET "SGROUP_APPSRV_ID=%%b"
SET SGROUP_APPSRV_ID=%SGROUP_APPSRV_ID: =%
echo "%SGROUP_APPSRV_ID%"
:: CREATE DB SERVERS Security GROUP
cmd /c "ec2-create-group %SGROUPNAMEPREFIX%DBSRV -d "vpc-DB_Servers_sec_group" -c %VPC_ID% >%DOCDIR%\%VERSION%-SGROUP_DBSRV.txt"
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\%VERSION%-SGROUP_DBSRV.txt) DO SET "SGROUP_DBSRV_ID=%%b"
SET SGROUP_DBSRV_ID=%SGROUP_DBSRV_ID: =%
echo "%SGROUP_DBSRV_ID%"
:: CREATE NAT instance Security GROUP
cmd /c "ec2-create-group %SGROUPNAMEPREFIX%NAT -d "vpc-NAT_sec_group" -c %VPC_ID% >%DOCDIR%\%VERSION%-SGROUP_NAT.txt"
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\%VERSION%-SGROUP_NAT.txt) DO SET "SGROUP_NAT_ID=%%b"
SET SGROUP_NAT_ID=%SGROUP_NAT_ID: =%
echo "%SGROUP_NAT_ID%"
:: =============================================================================
@echo ## %time% NAT instance launch >>%LOGFILE%
:: Launch the NAT instance in the FRONT subnet
cmd /c "ec2-run-instances %AMINAT% --group %SGROUP_OFFICE_ID% --group %SGROUP_NAT_ID% --key %PAIRKEY% --instance-type m1.small --subnet %SUBNET_FRONT_ID% --private-ip-address %IPPRIVNAT% --user-data "vpc NAT instance" >%DOCDIR%\instance_NAT.txt"
type %DOCDIR%\instance_NAT.txt >>%LOGFILE%
@FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\instance_NAT.txt) DO ( IF "%%a"=="INSTANCE" (echo %%a %%b %%c >%DOCDIR%\instance_NAT_ID.txt) )
@FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\instance_NAT_ID.txt) DO SET "INCTANCE_NAT_ID=%%b"
:: Strip spaces
SET INCTANCE_NAT_ID=%INCTANCE_NAT_ID: =%
@echo "%INCTANCE_NAT_ID%"
:: =============================================================================
@echo ## %time% VPN manager instance launch >>%LOGFILE%
:: Launch the Ubuntu VPN manager instance in the FRONT subnet
cmd /c "ec2-run-instances %AMIVPNMAN% --group %SGROUP_OFFICE_ID% --group %SGROUP_VPNMAN_ID% --group %SGROUP_DEFAULT_ID% --key %PAIRKEY% --instance-type m1.small --subnet %SUBNET_FRONT_ID% --private-ip-address %IPPRIVVPNMAN% --user-data "vpc VPNMAN instance" >%DOCDIR%\instance_VPNMAN.txt"
type %DOCDIR%\instance_VPNMAN.txt >>%LOGFILE%
@FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\instance_VPNMAN.txt) DO ( IF "%%a"=="INSTANCE" (echo %%a %%b %%c >%DOCDIR%\instance_VPNMAN_ID.txt) )
@FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\instance_VPNMAN_ID.txt) DO SET "INSTANCE_VPNMAN_ID=%%b"
:: Strip spaces
SET INSTANCE_VPNMAN_ID=%INSTANCE_VPNMAN_ID: =%
@echo "%INSTANCE_VPNMAN_ID%"
:: =============================================================================
:: Launch WEB instances in the WEB subnet
SET TMP2=
IF "%TEST%"=="2" (
SET TMP2=--group %SGROUP_DEFAULT_ID%
SET /a TMP1=1
for %%a in %IPLISTWEBSRV% do (
@echo TMP1: !TMP1!
cmd /c "ec2-run-instances %AMIWEB% --group %SGROUP_WEBSRV_ID% %TMP2% --key %PAIRKEY% --instance-type m1.small --subnet %SUBNET_WEB_ID% --private-ip-address %%a --user-data "vpc WEB instance" >>%DOCDIR%\instance_WEB_!TMP1!.txt"
SET /a TMP1+=1
)
)
:: =============================================================================
@echo ## %time% network ACLs creation and subnet assignment >>%LOGFILE%
:: Filter by vpc-id: without it the default ACLs of every VPC in the region are listed
cmd /c "ec2-describe-network-acls --filter "vpc-id=%VPC_ID%" >%DOCDIR%\ACL_default.txt"
@FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\ACL_default.txt) DO ( IF "%%a"=="ASSOCIATION" (echo %%a %%b %%c >%DOCDIR%\ACL_ASSOC_%%c.txt) )
:: =============================================================================
:: CREATE network ACL FRONT
cmd /c "ec2-create-network-acl %VPC_ID% > %DOCDIR%\ACL_new_FRONT.txt"
FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\ACL_new_FRONT.txt) DO SET "ACL_FRONT_ID=%%b"
:: Strip spaces
SET ACL_FRONT_ID=%ACL_FRONT_ID: =%
echo %ACL_FRONT_ID%
:: CREATE network ACL WEB
cmd /c "ec2-create-network-acl %VPC_ID% > %DOCDIR%\ACL_WEB.txt"
FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\ACL_WEB.txt) DO SET "ACL_WEB_ID=%%b"
:: Strip spaces
SET ACL_WEB_ID=%ACL_WEB_ID: =%
echo "%ACL_WEB_ID%"
:: CREATE network ACL APP
cmd /c "ec2-create-network-acl %VPC_ID% > %DOCDIR%\ACL_new_APP.txt"
FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\ACL_new_APP.txt) DO SET "ACL_APP_ID=%%b"
SET ACL_APP_ID=%ACL_APP_ID: =%
echo %ACL_APP_ID%
:: CREATE network ACL DB
cmd /c "ec2-create-network-acl %VPC_ID% > %DOCDIR%\ACL_new_DB.txt"
FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\ACL_new_DB.txt) DO SET "ACL_DB_ID=%%b"
SET ACL_DB_ID=%ACL_DB_ID: =%
echo %ACL_DB_ID%
:: =============================================================================
::goto ACLRULES
:: WEB SUBNET association with network ACL
FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\ACL_ASSOC_%SUBNET_WEB_ID%.txt) DO SET "SUBNET_WEB_ACLASSOC=%%b"
:: Strip spaces
SET SUBNET_WEB_ACLASSOC=%SUBNET_WEB_ACLASSOC: =%
@echo "%SUBNET_WEB_ACLASSOC%"
cmd /c "ec2-replace-network-acl-association %SUBNET_WEB_ACLASSOC% -a %ACL_WEB_ID% >%DOCDIR%\ACL_ASSOC_%SUBNET_WEB_ID%.txt"
:: APP SUBNET association with network ACL
FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\ACL_ASSOC_%SUBNET_APP_ID%.txt) DO SET "SUBNET_APP_ACLASSOC=%%b"
:: Strip spaces
SET SUBNET_APP_ACLASSOC=%SUBNET_APP_ACLASSOC: =%
@echo "%SUBNET_APP_ACLASSOC%"
cmd /c "ec2-replace-network-acl-association %SUBNET_APP_ACLASSOC% -a %ACL_APP_ID% >%DOCDIR%\ACL_ASSOC_%SUBNET_APP_ID%.txt"
:: DB SUBNET association with network ACL
FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\ACL_ASSOC_%SUBNET_DB_ID%.txt) DO SET "SUBNET_DB_ACLASSOC=%%b"
:: Strip spaces
SET SUBNET_DB_ACLASSOC=%SUBNET_DB_ACLASSOC: =%
@echo "%SUBNET_DB_ACLASSOC%"
cmd /c "ec2-replace-network-acl-association %SUBNET_DB_ACLASSOC% -a %ACL_DB_ID% >%DOCDIR%\ACL_ASSOC_%SUBNET_DB_ID%.txt"
:: FRONT SUBNET association with network ACL
FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\ACL_ASSOC_%SUBNET_FRONT_ID%.txt) DO SET "SUBNET_FRONT_ACLASSOC=%%b"
:: Strip spaces
SET SUBNET_FRONT_ACLASSOC=%SUBNET_FRONT_ACLASSOC: =%
@echo "%SUBNET_FRONT_ACLASSOC%"
cmd /c "ec2-replace-network-acl-association %SUBNET_FRONT_ACLASSOC% -a %ACL_FRONT_ID% >%DOCDIR%\ACL_ASSOC_%SUBNET_FRONT_ID%.txt"
:: =============================================================================
@echo ## %time% Internet Gateway, Route Tables >>%LOGFILE%
:: Create and assign Internet Gateway
cmd /c "ec2-create-internet-gateway >%DOCDIR%\IGW.txt"
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\IGW.txt) DO SET "IGW_ID=%%b"
:: Strip spaces
SET IGW_ID=%IGW_ID: =%
@echo "%IGW_ID%"
cmd /c "ec2-attach-internet-gateway %IGW_ID% -c %VPC_ID% >%DOCDIR%\IGW_attach.txt"
:: Route Tables (filter by vpc-id: without it the loop below picks up the main route table of some other VPC in the region)
cmd /c "ec2-describe-route-tables --filter "vpc-id=%VPC_ID%" >%DOCDIR%\RTB_default.txt"
@FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\RTB_default.txt) DO ( IF "%%a"=="ROUTETABLE" ( SET RTB_DEF_ID=%%b ) )
:: Strip spaces
SET RTB_DEF_ID=%RTB_DEF_ID: =%
@echo "%RTB_DEF_ID%"
cmd /c "ec2-create-route-table %VPC_ID% >%DOCDIR%\RTB_2.txt"
@FOR /F "EOL=E TOKENS=1-3" %%a IN (%DOCDIR%\RTB_2.txt) DO ( IF "%%a"=="ROUTETABLE" ( SET RTB_2_ID=%%b ) )
:: Strip spaces
SET RTB_2_ID=%RTB_2_ID: =%
@echo "%RTB_2_ID%"
cmd /c "ec2-associate-route-table %RTB_2_ID% -s %SUBNET_WEB_ID% >%DOCDIR%\%RTB_2_ID%_ASSOC_%SUBNET_WEB_ID%.txt"
cmd /c "ec2-associate-route-table %RTB_2_ID% -s %SUBNET_APP_ID% >%DOCDIR%\%RTB_2_ID%_ASSOC_%SUBNET_APP_ID%.txt"
cmd /c "ec2-associate-route-table %RTB_2_ID% -s %SUBNET_DB_ID% >%DOCDIR%\%RTB_2_ID%_ASSOC_%SUBNET_DB_ID%.txt"
cmd /c "ec2-associate-route-table %RTB_DEF_ID% -s %SUBNET_FRONT_ID% >%DOCDIR%\%RTB_DEF_ID%_ASSOC_%SUBNET_FRONT_ID%.txt"
cmd /c "ec2-create-route %RTB_DEF_ID% -r 0.0.0.0/0 -g %IGW_ID% >%DOCDIR%\%RTB_DEF_ID%_IGW.txt"
:: Default route of the private route table (WEB, APP and DB subnets) via the NAT instance
cmd /c "ec2-create-route %RTB_2_ID% -r 0.0.0.0/0 -i %INCTANCE_NAT_ID% >%DOCDIR%\%RTB_2_ID%_NAT.txt"
type %DOCDIR%\%RTB_2_ID%_NAT.txt >>%LOGFILE%
:: Routes to the office networks via the VPN manager instance, in both route tables
SET /a TMP1=1
for %%a in %IPLISTOFFICESINSIDE% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-route %RTB_2_ID% -r %%a -i %INSTANCE_VPNMAN_ID% >%DOCDIR%\%RTB_2_ID%_VPNMAN!TMP1!.txt"
cmd /c "ec2-create-route %RTB_DEF_ID% -r %%a -i %INSTANCE_VPNMAN_ID% >%DOCDIR%\%RTB_DEF_ID%_VPNMAN!TMP1!.txt"
SET /a TMP1+=1
)
cmd /c "ec2-describe-route-tables >>%LOGFILE%"
:: =============================================================================
@echo ## %time% Elastic IPs >>%LOGFILE%
:: Create Elastic IP for VPNMAN in the VPC
cmd /c "ec2-describe-addresses >%DOCDIR%\EIPs_before.txt"
IF "%IPVPNMAN%"=="0" (
cmd /c "ec2-allocate-address -d vpc >%DOCDIR%\EIP_VPNMAN.txt"
type %DOCDIR%\EIP_VPNMAN.txt >>%LOGFILE%
@FOR /F "EOL=E TOKENS=1-4" %%a IN (%DOCDIR%\EIP_VPNMAN.txt) DO SET "IPVPNMAN=%%b"
REM Strip spaces
SET IPVPNMAN=!IPVPNMAN: =!
@echo Elastic IP created for VPNMAN: !IPVPNMAN!
@echo Elastic IP created for VPNMAN: !IPVPNMAN! >>%LOGFILE%
) ELSE (
@echo Elastic IP for VPNMAN: !IPVPNMAN! >>%LOGFILE%
)
:: Associate Elastic IP to VPN manager instance
cmd /c "ec2-describe-addresses >%DOCDIR%\EIPs_01.txt"
FOR /F "EOL=E TOKENS=1-6" %%a IN (%DOCDIR%\EIPs_01.txt) DO (
@echo %%b
IF %%b==%IPVPNMAN% (
IF "%%e"=="" (
echo Elastic IP associates to VPNMAN: %IPVPNMAN%
@echo Elastic IP associates to VPNMAN: %IPVPNMAN% >>%LOGFILE%
SET "EIP_VPNMAN_ALLOC_ID=%%d"
) ELSE (
echo ERROR: VPNMAN EIP: %IPVPNMAN% is not free
@echo ERROR: VPNMAN EIP: %IPVPNMAN% is not free >>%LOGFILE%
)
)
)
echo EIP_VPNMAN_ALLOC_ID: %EIP_VPNMAN_ALLOC_ID%
IF NOT "%EIP_VPNMAN_ALLOC_ID%"=="" (
cmd /c "ec2-associate-address --instance %INSTANCE_VPNMAN_ID% --allocation-id %EIP_VPNMAN_ALLOC_ID% >%DOCDIR%\EIP_VPNMAN_ASSOC.txt"
)
::pause
:: Allocate an Elastic IP for the NAT instance
cmd /c "ec2-allocate-address -d vpc >%DOCDIR%\EIP_NAT.txt"
type %DOCDIR%\EIP_NAT.txt >>%LOGFILE%
@FOR /F "EOL=E TOKENS=1-4" %%a IN (%DOCDIR%\EIP_NAT.txt) DO SET "EIP_NAT_ALLOC_ID=%%d"
:: Strip spaces
SET EIP_NAT_ALLOC_ID=%EIP_NAT_ALLOC_ID: =%
@echo "%EIP_NAT_ALLOC_ID%"
:: Associate Elastic IP to NAT instance
@ping localhost -n 5 > nul
cmd /c "ec2-associate-address --instance %INCTANCE_NAT_ID% --allocation-id %EIP_NAT_ALLOC_ID% >%DOCDIR%\EIP_NAT_ASSOC.txt"
type %DOCDIR%\EIP_NAT_ASSOC.txt >>%LOGFILE%
cmd /c "ec2-describe-addresses >%DOCDIR%\EIPs_after.txt"
:: =============================================================================
@echo ## %time% modify instance attribute >>%LOGFILE%
:: NAT and VPN instances forward packets not addressed to themselves, so source/destination checking must be disabled on them
cmd /c "ec2-modify-instance-attribute %INCTANCE_NAT_ID% --source-dest-check false >>%LOGFILE%"
cmd /c "ec2-create-tags %INCTANCE_NAT_ID% --tag "Name=%SRVPREF%-nat01" >>%LOGFILE%"
cmd /c "ec2-modify-instance-attribute %INSTANCE_VPNMAN_ID% --source-dest-check false >>%LOGFILE%"
cmd /c "ec2-create-tags %INSTANCE_VPNMAN_ID% --tag "Name=%SRVPREF%-vpnman01" >>%LOGFILE%"
IF "%TEST%"=="2" (
SET /a TMP1=1
FOR %%i in %IPLISTWEBSRV% do (
@echo TMP1: !TMP1!
FOR /F "EOL=E TOKENS=1-2" %%a IN (%DOCDIR%\instance_WEB_!TMP1!.txt) DO (
IF "%%a"=="INSTANCE" (
echo TMP1_in: !TMP1!
SET INSTANCE_ID=%%b
SET INSTANCE_ID=!INSTANCE_ID: =!
cmd /c "ec2-create-tags !INSTANCE_ID! --tag "Name=%SRVPREF%-web0!TMP1!" >>%LOGFILE%"
SET /a TMP1+=1
)
)
)
)
cmd /c "ec2-describe-instances --filter "vpc-id=%VPC_ID%" >>%LOGFILE%"
:: =============================================================================
IF "%TEST%"=="1" ( GOTO SCIPACLSG )
:ACLRULES
@echo ## %time% network ACLs rules creation >>%LOGFILE%
:: FRONT tier ACL, ingress
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 1 -P tcp -p 22 -r %SUBNETFRONT% --allow"
:: ICMP 100 - 199
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 100 -P icmp -r 0.0.0.0/0 -t 0:-1 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 105 -P icmp -r %VPCNET% -t 8:-1 --allow"
:: DENY 200 - 299
:: web load balancers 300 - 399
:: Neighbouring subnets 400 - 499
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 400 -P tcp -p 1024-65535 -r %VPCNET% --allow"
:: access to office share (SMB)
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 410 -P tcp -p 445 -r %VPCNET% --allow"
:: access to SMTP
::cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 420 -P tcp -p 25 -r %VPCNET% --allow"
:: WEB and APP tiers reaching the Internet through the NAT instance (ports from PORTSTOINET)
SET /a TMP1=450
for %%a in %PORTSTOINET% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n !TMP1! -P tcp -p %%a -r %SUBNETWEBAPP% --allow"
SET /a TMP1+=2
)
:: Internet access 600 - 699
:: DNS
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 600 -P tcp -p 53 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 605 -P udp -p 53 -r 0.0.0.0/0 --allow"
:: NTP
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 610 -P udp -p 123 -r 0.0.0.0/0 --allow"
:: Replies to connections the FRONT tier opens to the Internet (ephemeral ports; network ACLs are stateless)
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 620 -P tcp -p 32768-65535 -r 0.0.0.0/0 --allow"
:: SMTP
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 630 -P tcp -p 25 -r 0.0.0.0/0 --allow"
:: Offices external 800 - 899
SET /a TMP1=800
for %%a in %IPLISTOFFICESOUT% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n !TMP1! -P all -r %%a --allow"
SET /a TMP1+=2
)
:: Offices internal 900 - 999
SET /a TMP1=900
for %%a in %IPLISTOFFICESINSIDE% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n !TMP1! -P all -r %%a --allow"
SET /a TMP1+=2
)
:: =============================================================================
:: FRONT tier ACL OUT --egress
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 1 --egress -P tcp -p 22 -r %SUBNETFRONT% --allow"
:: ICMP 100 - 199
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 100 --egress -P icmp -r 0.0.0.0/0 -t 8:-1 --allow"
::cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 105 --egress -P icmp -r %VPCNET% -t 0:-1 --allow"
::cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 110 --egress -P icmp -r %SUBNETAPP% -t 0:-1 --allow"
:: DENY 200 - 299
:: web load balancers 300 - 399
:: Neighbouring subnets 400 - 499
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 400 --egress -P all -r %VPCNET% --allow"
::cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 405 --egress -P tcp -p 22 -r %VPCNET% --allow"
:: FRONT to WEB access
::SET /a TMP1=400
::for %%a in %PORTSFRONTTOWEB% do (
:: @echo TMP1: !TMP1!
:: cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n !TMP1! --egress -P tcp -p %%a -r %SUBNETWEB% --allow"
:: SET /a TMP1+=2
::)
:: Internet access 600 - 699
:: DNS
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 600 --egress -P tcp -p 53 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 602 --egress -P udp -p 53 -r 0.0.0.0/0 --allow"
:: HTTP/HTTPS to the Internet
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 610 --egress -P tcp -p 80 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 615 --egress -P tcp -p 443 -r 0.0.0.0/0 --allow"
:: Replies to inbound connections (ephemeral ports of the remote side)
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 620 --egress -P tcp -p 1024-65535 -r 0.0.0.0/0 --allow"
:: NTP
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 630 --egress -P udp -p 123 -r 0.0.0.0/0 --allow"
:: MAIL
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 640 --egress -P tcp -p 587 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n 645 --egress -P tcp -p 25 -r 0.0.0.0/0 --allow"
:: Offices external 800 - 899
SET /a TMP1=800
for %%a in %IPLISTOFFICESOUT% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n !TMP1! --egress -P all -r %%a --allow"
SET /a TMP1+=2
)
:: Offices internal 900 - 999
SET /a TMP1=900
for %%a in %IPLISTOFFICESINSIDE% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_FRONT_ID% -n !TMP1! --egress -P all -r %%a --allow"
SET /a TMP1+=2
)
:: =============================================================================
:: WEB tier ACL, ingress
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 1 -P all -r %SUBNETWEB% --allow"
:: ICMP 100 - 199
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 100 -P icmp -r 0.0.0.0/0 -t 0:-1 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 105 -P icmp -r %SUBNETFRONT% -t 8:-1 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 110 -P icmp -r %SUBNETAPP% -t 8:-1 --allow"
:: DENY 200 - 299
:: web load balancers 300 - 399
:: Neighbouring subnets 400 - 499
:: NTP
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 400 -P udp -p 123 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 410 -P all -r %SNETFRONTSNETVPN% --allow"
:: APP to WEB access
::cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 420 -P all -r %SUBNETAPP% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 425 -P tcp -p 445 -r %SUBNETAPP% --allow"
SET /a TMP1=430
for %%a in %PORTSAPPTOWEB% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n !TMP1! -P tcp -p %%a -r %SUBNETAPP% --allow"
SET /a TMP1+=2
)
:: FRONT (load balancer block) to WEB access; numbered from 300, the range reserved for load balancers, so it does not collide with NTP rule 400 (a duplicate rule number makes ec2-create-network-acl-entry fail)
SET /a TMP1=300
for %%a in %PORTSFRONTTOWEB% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n !TMP1! -P tcp -p %%a -r %SNETFRONTSNETLB% --allow"
SET /a TMP1+=2
)
:: Internet access 600 - 699
:: DNS
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 600 -P tcp -p 53 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 605 -P udp -p 53 -r 0.0.0.0/0 --allow"
:: Replies to connections the WEB tier opens outbound (ephemeral ports). The Ubuntu AMI picks source ports from 32768 upward by default,
:: so replies to ports below 49152 are dropped by these rules; the other tiers use 32768-65535 or 1024-65535 for the same purpose
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 610 -P tcp -p 49152-65535 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 615 -P udp -p 49152-65535 -r 0.0.0.0/0 --allow"
:: Offices external 800 - 899
SET /a TMP1=800
for %%a in %IPLISTOFFICESOUT% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n !TMP1! -P all -r %%a --allow"
SET /a TMP1+=2
)
:: Offices internal 900 - 999
SET /a TMP1=900
for %%a in %IPLISTOFFICESINSIDE% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n !TMP1! -P all -r %%a --allow"
SET /a TMP1+=2
)
::IF "%TEST%"=="2" (
:: cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 1000 -P all -r 89.101.128.90/32 --allow"
::)
:: =============================================================================
:: WEB tier ACL OUT --egress
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 1 --egress -P all -r %SUBNETWEB% --allow"
:: ICMP 100 - 199
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 100 --egress -P icmp -r 0.0.0.0/0 -t 8:-1 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 105 --egress -P icmp -r %VPCNET% -t 0:-1 --allow"
::cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 110 --egress -P icmp -r %SUBNETAPP% -t 0:-1 --allow"
:: DENY 200 - 299
:: web load balancers 300 - 399
:: Neighbouring subnets 400 - 499
:: NTP
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 400 --egress -P udp -p 123 -r 0.0.0.0/0 --allow"
:: NAT instance
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 415 --egress -P tcp -p all -r %SNETFRONTSNETNAT% --allow"
:: access to SMTP
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 420 --egress -P tcp -p 25 -r %SNETFRONTSNETVPN% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 425 --egress -P udp -p 49152-65535 -r %VPCNET% --allow"
:: access from WEB to APP
SET /a TMP1=450
for %%a in %PORTSWEBTOAPP% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n !TMP1! --egress -P tcp -p %%a -r %SUBNETAPP% --allow"
SET /a TMP1+=2
)
:: Internet access 600 - 699
:: DNS
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 600 --egress -P tcp -p 53 -r 0.0.0.0/0 --allow"
::cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 610 --egress -P tcp -p 80 -r 0.0.0.0/0 --allow"
::cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 615 --egress -P tcp -p 443 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 620 --egress -P tcp -p 32768-65535 -r 0.0.0.0/0 --allow"
:: WEB to INET access
SET /a TMP1=650
for %%a in %PORTSTOINET% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n !TMP1! --egress -P tcp -p %%a -r 0.0.0.0/0 --allow"
SET /a TMP1+=2
)
:: Offices external 800 - 899
SET /a TMP1=800
for %%a in %IPLISTOFFICESOUT% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n !TMP1! --egress -P all -r %%a --allow"
SET /a TMP1+=2
)
:: Offices internal 900 - 999
SET /a TMP1=900
for %%a in %IPLISTOFFICESINSIDE% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n !TMP1! --egress -P all -r %%a --allow"
SET /a TMP1+=2
)
::IF "%TEST%"=="2" (
:: cmd /c "ec2-create-network-acl-entry %ACL_WEB_ID% -n 1000 --egress -P all -r 89.101.128.90/32 --allow"
::)
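The WEB ACL above is where the stateless nature of network ACLs bites: every TCP exchange is judged four times (request out of the client subnet, into the server subnet, reply out of the server subnet, back into the client subnet), and the reply to a connection the web server opened returns to an ephemeral source port that must be allowed inbound. The Python below is an added example, not part of the gist. It transcribes the TCP/UDP rules of ACL_WEB and ACL_APP into tables (ICMP rules are left out; the FRONT-to-WEB rules are numbered from 300, the range the comments reserve for load balancers, and the APP-to-DB rule targets the DB subnet), evaluates a packet the way EC2 does (lowest rule number that matches wins, otherwise the implicit deny rule), and walks one web-to-app connection in both directions. The evaluate, tcp_flow and rule_problems functions and the sample addresses 10.100.100.10 and 10.100.101.10 are assumptions made for this example; the Linux default ephemeral range 32768-60999 is the kernel default, not a value from the script.

```python
"""Stateless evaluation of the network ACLs the script builds for the WEB and APP tiers.

Added example. Rule tables are transcribed from the ec2-create-network-acl-entry calls
for ACL_WEB and ACL_APP (TCP/UDP only, ICMP omitted); evaluate/tcp_flow/rule_problems
and the sample addresses are not part of the script.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    num: int
    proto: str               # "tcp", "udp" or "all"
    ports: Optional[tuple]   # (low, high), or None for any port
    cidr: str
    allow: bool = True       # every rule the script creates is --allow


ANY, VPCNET = "0.0.0.0/0", "10.100.0.0/16"
WEB, APP, DB = "10.100.100.0/24", "10.100.101.0/24", "10.100.102.0/24"
LB, NAT, VPN = "10.100.104.200/29", "10.100.104.232/29", "10.100.104.240/29"
OFFICES_OUT = ["89.101.128.90/32", "82.117.202.38/32"]   # IPLISTOFFICESOUT
OFFICES_IN = ["10.150.8.0/21", "10.190.16.0/24"]         # IPLISTOFFICESINSIDE


def offices(outside=True):
    """Rules 800/802 (office public IPs) and 900/902 (office LANs behind the VPN instance)."""
    rules = [Rule(900 + 2 * i, "all", None, c) for i, c in enumerate(OFFICES_IN)]
    if outside:
        rules += [Rule(800 + 2 * i, "all", None, c) for i, c in enumerate(OFFICES_OUT)]
    return rules


ACL_WEB = {
    "in": [Rule(1, "all", None, WEB), Rule(300, "tcp", (80, 81), LB), Rule(302, "tcp", (443, 443), LB),
           Rule(400, "udp", (123, 123), ANY), Rule(410, "all", None, VPN), Rule(425, "tcp", (445, 445), APP),
           Rule(430, "tcp", (80, 81), APP), Rule(432, "tcp", (443, 443), APP),
           Rule(600, "tcp", (53, 53), ANY), Rule(605, "udp", (53, 53), ANY),
           Rule(610, "tcp", (49152, 65535), ANY), Rule(615, "udp", (49152, 65535), ANY)] + offices(),
    "out": [Rule(1, "all", None, WEB), Rule(400, "udp", (123, 123), ANY), Rule(415, "tcp", None, NAT),
            Rule(420, "tcp", (25, 25), VPN), Rule(425, "udp", (49152, 65535), VPCNET),
            Rule(450, "tcp", (9551, 9557), APP), Rule(452, "tcp", (8983, 8983), APP),
            Rule(454, "tcp", (11210, 11211), APP), Rule(600, "tcp", (53, 53), ANY),
            Rule(620, "tcp", (32768, 65535), ANY), Rule(650, "tcp", (80, 80), ANY),
            Rule(652, "tcp", (443, 443), ANY)] + offices(),
}
ACL_APP = {
    "in": [Rule(1, "all", None, APP), Rule(400, "udp", (123, 123), VPCNET), Rule(420, "all", None, VPN),
           Rule(425, "udp", (49152, 65535), WEB), Rule(450, "tcp", (9551, 9557), WEB),
           Rule(452, "tcp", (8983, 8983), WEB), Rule(454, "tcp", (11210, 11211), WEB),
           Rule(600, "tcp", (53, 53), ANY), Rule(605, "udp", (53, 53), ANY),
           Rule(610, "tcp", (32768, 65535), ANY)] + offices(outside=False),
    "out": [Rule(1, "all", None, APP), Rule(400, "udp", (123, 123), VPCNET),
            Rule(420, "tcp", (1024, 65535), VPCNET), Rule(425, "tcp", (445, 445), VPCNET),
            Rule(430, "all", None, WEB), Rule(435, "tcp", (25, 25), VPN),
            Rule(450, "tcp", (1433, 1433), DB), Rule(600, "tcp", (53, 53), ANY)],
}


def evaluate(rules, proto, port, remote):
    """Lowest rule number that matches wins; no match is the implicit deny rule '*'."""
    addr = ip_address(remote)
    for r in sorted(rules, key=lambda r: r.num):
        proto_ok = r.proto in ("all", proto)
        port_ok = r.ports is None or r.ports[0] <= port <= r.ports[1]
        if proto_ok and port_ok and addr in ip_network(r.cidr):
            return r.allow, r.num
    return False, "*"


def tcp_flow(client_ip, client_port, server_ip, server_port, client_acl, server_acl):
    """Network ACLs are stateless: one TCP exchange needs four verdicts, two for the
    request and two for the reply that returns to the client's ephemeral port."""
    steps = {
        "client egress": (client_acl["out"], server_port, server_ip),
        "server ingress": (server_acl["in"], server_port, client_ip),
        "server egress": (server_acl["out"], client_port, client_ip),
        "client ingress": (client_acl["in"], client_port, server_ip),
    }
    verdicts = {name: evaluate(rules, "tcp", port, remote) for name, (rules, port, remote) in steps.items()}
    return all(ok for ok, _ in verdicts.values()), verdicts


def rule_problems(rules, limit=20):
    """A reused rule number makes the second ec2-create-network-acl-entry fail; the limit is per direction."""
    dups = sorted(n for n, c in Counter(r.num for r in rules).items() if c > 1)
    problems = [f"duplicate rule number {n}" for n in dups]
    if len(rules) > limit:
        problems.append(f"{len(rules)} rules exceed the limit of {limit}")
    return problems


if __name__ == "__main__":
    # web01 opens a connection to an APP server on 9551; Linux picks source ports from 32768-60999
    for sport in (50000, 40000):
        ok, verdicts = tcp_flow("10.100.100.10", sport, "10.100.101.10", 9551, ACL_WEB, ACL_APP)
        print(f"source port {sport}: {'allowed' if ok else 'BLOCKED'} {verdicts}")
```

Run as a script, the connection with source port 50000 passes all four checks, while the one with source port 40000 is blocked at "client ingress" by the implicit deny, because WEB ingress rule 610 only starts at 49152 and the APP reply arrives on a port below it. rule_problems is the check to run on a rule table before creating it: appending a second rule numbered 400 to ACL_WEB["in"], as the load balancer loop would have done had it started at 400, reports the collision.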
:: =============================================================================
:: APP tier ACL, ingress
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 1 -P all -r %SUBNETAPP% --allow"
:: ICMP 100 - 199
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 100 -P icmp -r 0.0.0.0/0 -t 0:-1 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 105 -P icmp -r %VPCNET% -t 8:-1 --allow"
:: DENY 200 - 299
:: web load balancers 300 - 399
:: Neighbouring subnets 400 - 499
:: NTP
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 400 -P udp -p 123 -r %VPCNET% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 420 -P all -r %SNETFRONTSNETVPN% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 425 -P udp -p 49152-65535 -r %SUBNETWEB% --allow"
:: access from WEB to APP
SET /a TMP1=450
for %%a in %PORTSWEBTOAPP% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n !TMP1! -P tcp -p %%a -r %SUBNETWEB% --allow"
SET /a TMP1+=2
)
:: Internet access 600 - 699
:: DNS
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 600 -P tcp -p 53 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 605 -P udp -p 53 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 610 -P tcp -p 32768-65535 -r 0.0.0.0/0 --allow"
:: Offices external 800 - 899
::SET /a TMP1=800
::for %%a in %IPLISTOFFICESOUT% do (
:: @echo TMP1: !TMP1!
:: cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n !TMP1! -P all -r %%a --allow"
:: SET /a TMP1+=2
::)
:: Offices internal 900 - 999
SET /a TMP1=900
for %%a in %IPLISTOFFICESINSIDE% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n !TMP1! -P all -r %%a --allow"
SET /a TMP1+=2
)
:: =============================================================================
:: APP tier ACL OUT --egress
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 1 --egress -P all -r %SUBNETAPP% --allow"
:: ICMP 100 - 199
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 100 --egress -P icmp -r 0.0.0.0/0 -t 8:-1 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 105 --egress -P icmp -r %VPCNET% -t 0:-1 --allow"
:: DENY 200 - 299
:: web load balancers 300 - 399
:: Neighbouring subnets 400 - 499
:: NTP
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 400 --egress -P udp -p 123 -r %VPCNET% --allow"
::cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 415 --egress -P tcp -p 80 -r %SUBNETWEB% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 420 --egress -P tcp -p 1024-65535 -r %VPCNET% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 425 --egress -P tcp -p 445 -r %VPCNET% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 430 --egress -P all -r %SUBNETWEB% --allow"
:: access to SMTP
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 435 --egress -P tcp -p 25 -r %SNETFRONTSNETVPN% --allow"
:: access from APP to DB (egress to the DB subnet; the matching ingress rules are on the DB tier ACL)
SET /a TMP1=450
for %%a in %PORTSAPPTODB% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n !TMP1! --egress -P tcp -p %%a -r %SUBNETDB% --allow"
SET /a TMP1+=2
)
:: Internet access 600 - 699
:: Reply from DNS
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 600 --egress -P tcp -p 53 -r 0.0.0.0/0 --allow"
::cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 610 --egress -P tcp -p 80 -r 0.0.0.0/0 --allow"
::cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 615 --egress -P tcp -p 443 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n 620 --egress -P tcp -p 32768-65535 -r 0.0.0.0/0 --allow"
:: APP to INET access
SET /a TMP1=650
for %%a in %PORTSTOINET% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n !TMP1! --egress -P tcp -p %%a -r 0.0.0.0/0 --allow"
SET /a TMP1+=2
)
:: Offices external 800 - 899
::SET /a TMP1=800
::for %%a in %IPLISTOFFICESOUT% do (
:: @echo TMP1: !TMP1!
:: cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n !TMP1! --egress -P all -r %%a --allow"
:: SET /a TMP1+=2
::)
:: Offices internal 900 - 999
SET /a TMP1=900
for %%a in %IPLISTOFFICESINSIDE% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_APP_ID% -n !TMP1! --egress -P all -r %%a --allow"
SET /a TMP1+=2
)
:: =============================================================================
:: DB tier ACL IN ingress
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 1 -P all -r %SUBNETDB% --allow"
:: ICMP 100 - 199
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 100 -P icmp -r 0.0.0.0/0 -t 0:-1 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 105 -P icmp -r %SUBNETFRONT% -t 8:-1 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 110 -P icmp -r %SUBNETAPP% -t 8:-1 --allow"
:: DENY 200 - 299
:: web load balancers 300 - 399
:: Neighbouring subnets 400 - 499
:: NTP
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 400 -P udp -p 123 -r %VPCNET% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 420 -P tcp -p 32768-65535 -r %SNETFRONTSNETVPN% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 425 -P udp -p 49152-65535 -r %SUBNETWEB% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 430 -P tcp -p 445 -r %SUBNETAPP% --allow"
:: access from APP to DB
SET /a TMP1=450
for %%a in %PORTSAPPTODB% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n !TMP1! -P tcp -p %%a -r %SUBNETAPP% --allow"
SET /a TMP1+=2
)
:: Internet access 600 - 699
:: DNS
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 600 -P tcp -p 53 -r 0.0.0.0/0 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 605 -P udp -p 53 -r 0.0.0.0/0 --allow"
:: Offices external 800 - 899
::SET /a TMP1=800
::for %%a in %IPLISTOFFICESOUT% do (
:: @echo TMP1: !TMP1!
:: cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n !TMP1! -P all -r %%a --allow"
:: SET /a TMP1+=2
::)
:: Offices internal 900 - 999
SET /a TMP1=900
for %%a in %IPLISTOFFICESINSIDE% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n !TMP1! -P all -r %%a --allow"
SET /a TMP1+=2
)
:: =============================================================================
:: DB tier ACL OUT --egress
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 1 --egress -P all -r %SUBNETDB% --allow"
:: ICMP 100 - 199
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 100 --egress -P icmp -r %SUBNETAPP% -t 8:-1 --allow"
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 105 --egress -P icmp -r %SUBNETAPP% -t 0:-1 --allow"
::cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 110 --egress -P icmp -r %SUBNETAPP% -t 0:-1 --allow"
:: DENY 200 - 299
:: web load balancers 300 - 399
:: Neighbouring subnets 400 - 499
:: NTP
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 400 --egress -P udp -p 123 -r %VPCNET% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 410 --egress -P tcp -p 1024-65535 -r %SUBNETAPP% --allow"
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 420 --egress -P tcp -p 1024-65535 -r %SUBNETFRONT% --allow"
:: access to SMTP
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 430 --egress -P tcp -p 25 -r %SNETFRONTSNETVPN% --allow"
:: Internet access 600 - 699
:: Reply from DNS
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n 600 --egress -P tcp -p 53 -r %VPCNET% --allow"
:: Offices external 800 - 899
::SET /a TMP1=800
::for %%a in %IPLISTOFFICESOUT% do (
:: @echo TMP1: !TMP1!
:: cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n !TMP1! --egress -P all -r %%a --allow"
:: SET /a TMP1+=2
::)
:: Offices internal 900 - 999
SET /a TMP1=900
for %%a in %IPLISTOFFICESINSIDE% do (
@echo TMP1: !TMP1!
cmd /c "ec2-create-network-acl-entry %ACL_DB_ID% -n !TMP1! --egress -P all -r %%a --allow"
SET /a TMP1+=2
)
:: =============================================================================
cmd /c "ec2-describe-network-acls >>%LOGFILE%"
::goto END
@echo ## %time% Security Group rules creation >>%LOGFILE%
:: TEST groups
:: TEST OUT FULL Security GROUP = default security group
:: TEST_IN_OUT_FULL ACCESS Security Group IN ingress
cmd /c "ec2-authorize %SGROUP_TEST_IN_OUT_FULL_ID% -P all -s 0.0.0.0/0"
:: TEST_IN_OUT_FULL ACCESS Security Group OUT egress
::cmd /c "ec2-revoke %SGROUP_TEST_IN_OUT_FULL_ID% -P all -s 0.0.0.0/0 --egress"
:: TEST_INSIDE_FULL ACCESS Security Group IN ingress
cmd /c "ec2-authorize %SGROUP_TEST_INSIDE_FULL_ID% -P all -s %VPCNET%"
:: TEST_INSIDE_FULL ACCESS Security Group OUT egress
cmd /c "ec2-revoke %SGROUP_TEST_INSIDE_FULL_ID% -P all -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_TEST_INSIDE_FULL_ID% -P all -s %VPCNET% --egress"
:: =============================================================================
:: OFFICE ACCESS Security Group IN ingress
::cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P all -s %SNETFRONTSNETVPN%"
cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P tcp -p 22 -s %SNETFRONTSNETVPN%"
cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P tcp -p 445 -s %SNETFRONTSNETVPN%"
cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P tcp -p 3389 -s %SNETFRONTSNETVPN%"
cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P tcp -p 32768-65535 -s %SNETFRONTSNETVPN%"
:: Offices external
for %%a in %IPLISTOFFICESOUT% do ( cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P all -s %%a" )
:: Offices internal
for %%a in %IPLISTOFFICESINSIDE% do ( cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P all -s %%a" )
:: OFFICE ACCESS Security Group OUT egress
::cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P all -s %SNETFRONTSNETVPN% --egress"
cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P tcp -p 445 -s %SNETFRONTSNETVPN% --egress"
cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P tcp -p 32768-65535 -s %SNETFRONTSNETVPN% --egress"
:: Offices external
for %%a in %IPLISTOFFICESOUT% do ( cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P all -s %%a --egress" )
:: Offices internal
for %%a in %IPLISTOFFICESINSIDE% do ( cmd /c "ec2-authorize %SGROUP_OFFICE_ID% -P all -s %%a --egress" )
cmd /c "ec2-revoke %SGROUP_OFFICE_ID% -P all -s 0.0.0.0/0 --egress"
:: =============================================================================
:: VPNMAN ACCESS Security Group IN ingress
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P icmp -t 8:-1 -s %VPCNET%"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P icmp -t 30:-1 -s %VPCNET%"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P icmp -t 0:-1 -s 0.0.0.0/0"
::cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P udp -p 32768-65535 -s %VPCNET%"
:: access to File Share
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 445 -s %VPCNET%"
:: access to WSUS
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 80 -s %VPCNET%"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 25 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 53 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P udp -p 53 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P udp -p 123 -s 0.0.0.0/0"
::cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 1024-65535 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 32768-65535 -s 0.0.0.0/0"
:: VPNMAN ACCESS Security Group OUT egress
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P icmp -t 8:-1 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P icmp -t 30:-1 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P icmp -t 0:-1 -s %VPCNET% --egress"
::cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 22 -s %VPCNET% --egress"
::cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 3389 -s %VPCNET% --egress"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p -1 -s %VPCNET% --egress"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 25 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 587 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 53 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P udp -p 53 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P udp -p 123 -s 0.0.0.0/0 --egress"
::cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 1024-65535 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_VPNMAN_ID% -P tcp -p 32768-65535 -s 0.0.0.0/0 --egress"
cmd /c "ec2-revoke %SGROUP_VPNMAN_ID% -P all -s 0.0.0.0/0 --egress"
:: =============================================================================
:: WEB LB Security Group IN ingress
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P icmp -t 8:-1 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P icmp -t 0:-1 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P tcp -p 80 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P tcp -p 443 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P tcp -p 53 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P udp -p 53 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P udp -p 123 -s 0.0.0.0/0"
:: WEB LB Security Group OUT egress
cmd /c "ec2-revoke %SGROUP_WEBLB_ID% -P all -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P icmp -t 8:-1 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P icmp -t 0:-1 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P tcp -p 53 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P udp -p 53 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P udp -p 123 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P tcp -p 80-81 -s %SUBNETWEB% --egress"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P tcp -p 443 -s %SUBNETWEB% --egress"
cmd /c "ec2-authorize %SGROUP_WEBLB_ID% -P tcp -p 1024-65535 -s 0.0.0.0/0 --egress"
:: =============================================================================
:: WEB SERVERS Security Group IN ingress
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P icmp -t 8:-1 -s %VPCNET%"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P icmp -t 0:-1 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P all -s %SUBNETWEB%"
:: APP to WEB access
for %%a in %PORTSAPPTOWEB% do ( cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p %%a -s %SUBNETAPP%" )
::cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 80-81 -s %SUBNETAPP%"
::cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 443 -s %SUBNETAPP%"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 445 -s %SUBNETAPP%"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 49152-65535 -s %SUBNETAPP%"
::cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P all -s %SUBNETAPP%"
:: FRONT to WEB access
for %%a in %PORTSFRONTTOWEB% do ( cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p %%a -s %SNETFRONTSNETLB%" )
::cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 80-81 -s %SNETFRONTSNETLB%"
::cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 443 -s %SNETFRONTSNETLB%"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 53 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P udp -p 53 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P udp -p 123 -s 0.0.0.0/0"
::cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 32768-65535 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 32768-65535 -s %SNETFRONTSNETNAT%"
:: WEB SERVERS Security Group OUT egress
cmd /c "ec2-revoke %SGROUP_WEBSRV_ID% -P all -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P icmp -t 8:-1 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P icmp -t 0:-1 -s %SUBNETAPP% --egress"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P icmp -t 0:-1 -s %SUBNETFRONT% --egress"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P all -s %SUBNETWEB% --egress"
::cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P all -s %SUBNETAPP% --egress"
:: WEB to APP access
for %%a in %PORTSWEBTOAPP% do ( cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p %%a -s %SUBNETAPP% --egress" )
::cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 9551-9557 -s %SUBNETAPP% --egress"
::cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 8983 -s %SUBNETAPP% --egress"
::cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 80-81 -s %SUBNETAPP% --egress"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 32768-65535 -s %SUBNETAPP% --egress"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 32768-65535 -s %SNETFRONTSNETNAT% --egress"
:: access to SMTP (WEB group; the APP group gets its own SMTP rule in its section)
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 25 -s %SNETFRONTSNETVPN% --egress"
:: WEB to Internet access
for %%a in %PORTSTOINET% do ( cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p %%a -s 0.0.0.0/0 --egress" )
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 53 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P udp -p 53 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P udp -p 123 -s 0.0.0.0/0 --egress"
::cmd /c "ec2-authorize %SGROUP_WEBSRV_ID% -P tcp -p 1024-65535 -s 0.0.0.0/0 --egress"
:: =============================================================================
:: APP SERVERS Security Group IN ingress
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P icmp -t 8:-1 -s %VPCNET%"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P icmp -t 0:-1 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P all -s %SUBNETAPP%"
:: WEB to APP access
for %%a in %PORTSWEBTOAPP% do ( cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p %%a -s %SUBNETWEB%" )
::cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 9551-9557 -s %SUBNETWEB%"
::cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 11210-11211 -s %SUBNETWEB%"
::cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 8983 -s %SUBNETWEB%"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 53 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P udp -p 53 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P udp -p 123 -s %VPCNET%"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P udp -p 32768-65535 -s %SUBNETWEB%"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P udp -p 32768-65535 -s %SNETFRONTSNETLB%"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 32768-65535 -s 0.0.0.0/0"
:: APP SERVERS Security Group OUT egress
cmd /c "ec2-revoke %SGROUP_APPSRV_ID% -P all -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P icmp -t 8:-1 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P icmp -t 0:-1 -s %VPCNET% --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P all -s %SUBNETAPP% --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 25 -s %SNETFRONTSNETVPN% --egress"
::cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 22 -s %VPCNET% --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 445 -s %VPCNET% --egress"
:: APP to WEB access (destination is the WEB subnet; traffic inside the APP subnet is already allowed above)
for %%a in %PORTSAPPTOWEB% do ( cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p %%a -s %SUBNETWEB% --egress" )
::cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 81 -s %SUBNETWEB% --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 1024-65535 -s %VPCNET% --egress"
:: access from APP to DB
for %%a in %PORTSAPPTODB% do ( cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p %%a -s %SUBNETDB% --egress" )
::cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 1433 -s %SUBNETDB% --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 53 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P udp -p 53 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P udp -p 123 -s %VPCNET% --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 80 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 443 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_APPSRV_ID% -P tcp -p 32768-65535 -s 0.0.0.0/0 --egress"
:: =============================================================================
:: DB SERVERS Security Group IN ingress
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P icmp -t 8:-1 -s %SUBNETAPP%"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P icmp -t 0:-1 -s %SUBNETAPP%"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P all -s %SUBNETDB%"
:: access from APP to DB
for %%a in %PORTSAPPTODB% do ( cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P tcp -p %%a -s %SUBNETAPP%" )
::cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P tcp -p 1433 -s %SUBNETAPP%"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P tcp -p 445 -s %SUBNETAPP%"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P tcp -p 53 -s %VPCNET%"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P udp -p 53 -s %VPCNET%"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P udp -p 123 -s %VPCNET%"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P tcp -p 32768-65535 -s %SNETFRONTSNETVPN%"
:: DB SERVERS Security Group OUT egress
cmd /c "ec2-revoke %SGROUP_DBSRV_ID% -P all -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P icmp -t 8:-1 -s %SUBNETAPP% --egress"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P icmp -t 0:-1 -s %SUBNETAPP% --egress"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P all -s %SUBNETDB% --egress"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P tcp -p 25 -s %SNETFRONTSNETVPN% --egress"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P tcp -p 53 -s %VPCNET% --egress"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P udp -p 53 -s %VPCNET% --egress"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P udp -p 123 -s %VPCNET% --egress"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P tcp -p 49152-65535 -s %SUBNETAPP% --egress"
cmd /c "ec2-authorize %SGROUP_DBSRV_ID% -P tcp -p 32768-65535 -s %SNETFRONTSNETVPN% --egress"
:: =============================================================================
:::: Grab WEBSRV security group ID
::FOR /F "EOL=P TOKENS=1-3" %%a IN (%DOCDIR%\%VERSION%-SGROUP_WEBSRV_temp.txt) DO SET "SGROUP_WEBSRV_ID=%%b"
:::: Grab APPSRV security group ID
::FOR /F "EOL=P TOKENS=1-3" %%a IN (%DOCDIR%\%VERSION%-SGROUP_APPSRV_temp.txt) DO SET "SGROUP_APPSRV_ID=%%b"
:: NAT SERVERS Security Group IN ingress
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P icmp -t 8:-1 -s %VPCNET%"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P icmp -t 0:-1 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 80 -o %SGROUP_WEBSRV_ID%"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 80 -o %SGROUP_APPSRV_ID%"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 443 -o %SGROUP_WEBSRV_ID%"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 443 -o %SGROUP_APPSRV_ID%"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 53 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P udp -p 53 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P udp -p 123 -s 0.0.0.0/0"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 1024-65535 -s 0.0.0.0/0"
:: NAT SERVERS Security Group OUT egress
cmd /c "ec2-revoke %SGROUP_NAT_ID% -P all -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P icmp -t 8:-1 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P icmp -t 0:-1 -s %VPCNET% --egress"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 32768-65535 -o %SGROUP_WEBSRV_ID% --egress"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 32768-65535 -o %SGROUP_APPSRV_ID% --egress"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 53 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P udp -p 53 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P udp -p 123 -s 0.0.0.0/0 --egress"
::cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 32768-65535 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 80 -s 0.0.0.0/0 --egress"
cmd /c "ec2-authorize %SGROUP_NAT_ID% -P tcp -p 443 -s 0.0.0.0/0 --egress"
:: =============================================================================
cmd /c "ec2-describe-group >>%LOGFILE%"
:SCIPACLSG
:END
::SET RETURN=0
@echo "Script finished"
echo. >>%LOGFILE%
echo ============================================================================= >>%LOGFILE%
echo %DATE% %TIME% %SCRIPTNAME% has finished with code %RETURN% >>%LOGFILE%
echo. >>%LOGFILE%
copy %LOGFILE% %LOGDIR%\%SCRIPTNAME%_%FILEDATE%_%VPC_ID%.txt
@start notepad %LOGDIR%\%SCRIPTNAME%_%FILEDATE%_%VPC_ID%.txt
exit /b %RETURN%
:: !----------------------- END ----------------------------
:: ICMP 100 - 199
:: DENY 200 - 299
:: web load balancers 300 - 399
:: Neighbouring subnets 400 - 499
:: Internet access 600 - 699
:: Offices external 800 - 899
:: Offices internal 900 - 999
:: Ephemeral Ports (note quoted from the Amazon VPC User Guide)
:: The example ACL in the preceding section uses an ephemeral port range of 49152-65535. However, you might want to use a different range for your network ACLs. This section explains why.
:: The client that initiates the request chooses the ephemeral port range. The range varies depending on the client's operating system. Many Linux kernels (including the Amazon Linux kernel) use 32768-61000.
:: Windows operating systems through Windows Server 2003 use 1025-5000. Windows Server 2008 uses 49152-65535. Therefore, if a request comes in to a web server in your VPC from a Windows XP client on the Internet, your network ACL must have an outbound rule to enable traffic destined for ports 1025-5000.
:: If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, etc.).
:: In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you need to open ephemeral ports 1024-65535. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. Make sure to place the DENY rules earlier in the table than the rule that opens the wide range of ephemeral ports.
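Added example (not part of the gist): a small Python model of how a stateless network ACL laid out in this script's rule-number slots evaluates traffic. It shows why the ephemeral range opened in the 600 slot must cover the instance's own ephemeral ports, and why a DENY numbered after the wide ALLOW never fires; the subnet 10.0.2.0/24, the server address 203.0.113.7 and the tcp/3389 DENY are constructed values.

```python
"""Stateless network ACL evaluation modelled on this script's rule-number slots.
Added example, not part of the original gist. AWS network ACLs are evaluated in
ascending rule-number order, first match wins, and they are stateless, so the
reply half of each connection needs its own entry (the script's 600-slot
ephemeral ranges). CIDRs and rule numbers below are constructed and follow the
script's slots (1 own subnet, 200-299 DENY, 600-699 Internet). Python 3.7+.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    number: int
    protocol: str                            # 'tcp', 'udp', 'icmp' or 'all'
    cidr: str
    action: str                              # 'allow' or 'deny'
    ports: Optional[Tuple[int, int]] = None  # inclusive range, None = any port

    def __post_init__(self) -> None:
        self.net = ip_network(self.cidr)

    def matches(self, proto: str, ip: IPv4Address, port: int) -> bool:
        if self.protocol not in ('all', proto) or ip not in self.net:
            return False
        return self.ports is None or self.ports[0] <= port <= self.ports[1]

def evaluate(rules: List[Rule], proto: str, addr: str, port: int):
    """First matching rule by ascending number. AWS ends every ACL with an
    implicit '*' deny-all, returned here as ('deny', '*')."""
    ip = ip_address(addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, ip, port):
            return rule.action, rule.number
    return 'deny', '*'

def covers(allow: Rule, deny: Rule) -> bool:
    """True when every packet DENY could match is already matched by ALLOW."""
    if allow.protocol not in ('all', deny.protocol) or not deny.net.subnet_of(allow.net):
        return False
    if allow.ports is None or deny.ports is None:
        return allow.ports is None
    return allow.ports[0] <= deny.ports[0] and deny.ports[1] <= allow.ports[1]

def shadowed_denies(rules: List[Rule]) -> List[int]:
    """Numbers of DENY rules that can never fire because a lower-numbered ALLOW
    covers them; the AWS note says the DENY must sit earlier in the table."""
    ordered = sorted(rules, key=lambda r: r.number)
    return [d.number for i, d in enumerate(ordered) if d.action == 'deny'
            and any(a.action == 'allow' and covers(a, d) for a in ordered[:i])]

# Ephemeral port ranges quoted in the note at the end of this file.
EPHEMERAL = {'linux': (32768, 61000), 'windows_2008': (49152, 65535),
             'windows_xp': (1025, 5000)}

def reply_ports_blocked(rules: List[Rule], instance_os: str,
                        server: str = '203.0.113.7') -> List[int]:
    """Ephemeral ports of an instance (acting as client) to which the inbound
    ACL would drop a TCP reply from a constructed Internet server address."""
    lo, hi = EPHEMERAL[instance_os]
    return [p for p in range(lo, hi + 1)
            if evaluate(rules, 'tcp', server, p)[0] == 'deny']

def inbound_acl(ephemeral: Tuple[int, int], deny_number: int) -> List[Rule]:
    """Inbound ACL in the script's layout for a constructed APP subnet, with
    one DENY for tcp/3389 from the Internet placed at deny_number."""
    return [Rule(1, 'all', '10.0.2.0/24', 'allow'),
            Rule(deny_number, 'tcp', '0.0.0.0/0', 'deny', (3389, 3389)),
            Rule(600, 'tcp', '0.0.0.0/0', 'allow', (53, 53)),
            Rule(605, 'udp', '0.0.0.0/0', 'allow', (53, 53)),
            Rule(610, 'tcp', '0.0.0.0/0', 'allow', ephemeral)]

if __name__ == '__main__':
    good = inbound_acl((1024, 65535), 200)  # DENY ahead of the wide ALLOW
    bad = inbound_acl((1024, 65535), 700)   # DENY after it: never reached
    print(evaluate(good, 'tcp', '203.0.113.7', 3389))  # ('deny', 200)
    print(evaluate(bad, 'tcp', '203.0.113.7', 3389))   # ('allow', 610)
    print(shadowed_denies(bad))                         # [700]
    narrow = inbound_acl((49152, 65535), 200)  # the range the AWS note uses
    print(len(reply_ports_blocked(narrow, 'linux')))   # 16384
```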