AWS Cloudformation that launches Private and Public Subnets inside a configured VPC complete with a Bastion Host
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "Creates networking infrastructure.",
"Parameters" : {
"BastionKeyName" : {
"Description" : "Name of an existing EC2 KeyPair to enable SSH access to the bastion host",
"Type" : "String",
"Default": "bastion",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern" : "[-_ a-zA-Z0-9]*",
"ConstraintDescription" : "can contain only alphanumeric characters, spaces, dashes and underscores."
},
"NATKeyName" : {
"Description" : "Name of an existing EC2 KeyPair to enable SSH access to the NAT device",
"Type" : "String",
"Default": "nat",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern" : "[-_ a-zA-Z0-9]*",
"ConstraintDescription" : "can contain only alphanumeric characters, spaces, dashes and underscores."
},
"SSHFrom" : {
"Description" : "Lock down SSH access to the bastion host (the default of 0.0.0.0/0 allows access from anywhere)",
"Type" : "String",
"MinLength": "9",
"MaxLength": "18",
"Default" : "0.0.0.0/0",
"AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x."
},
"BastionInstanceType" : {
"Description" : "Bastion Host EC2 instance type",
"Type" : "String",
"Default" : "t1.micro",
"AllowedValues" : [ "t1.micro","m1.small","m1.medium","m1.large","m1.xlarge","m2.xlarge","m2.2xlarge","m2.4xlarge","m3.xlarge","m3.2xlarge","c1.medium","c1.xlarge","cc1.4xlarge","cc2.8xlarge","cg1.4xlarge"],
"ConstraintDescription" : "must be a valid EC2 instance type."
},
"BastionKeyBucket" : {
"Description" : "Name of the S3 bucket where EC2 key pairs are stored.",
"Type" : "String",
"Default" : "your-keypairs"
},
"NATInstanceType" : {
"Description" : "NAT Device EC2 instance type",
"Type" : "String",
"Default" : "m1.small",
"AllowedValues" : [ "t1.micro","m1.small","m1.medium","m1.large","m1.xlarge","m2.xlarge","m2.2xlarge","m2.4xlarge","m3.xlarge","m3.2xlarge","c1.medium","c1.xlarge","cc1.4xlarge","cc2.8xlarge","cg1.4xlarge"],
"ConstraintDescription" : "must be a valid EC2 instance type."
}
},
"Mappings" : {
"AWSNATAMI" : {
"us-east-1" : { "AMI" : "ami-c6699baf" },
"us-west-2" : { "AMI" : "ami-52ff7262" },
"us-west-1" : { "AMI" : "ami-3bcc9e7e" },
"eu-west-1" : { "AMI" : "ami-0b5b6c7f" },
"ap-southeast-1" : { "AMI" : "ami-02eb9350" },
"ap-southeast-2" : { "AMI" : "ami-ab990e91" },
"ap-northeast-1" : { "AMI" : "ami-14d86d15" },
"sa-east-1" : { "AMI" : "ami-0439e619" }
},
"BastionAMI" : {
"us-east-1" : { "id" : "ami-83dee0ea" },
"us-west-1" : { "id" : "ami-c45f6281" },
"us-west-2" : { "id" : "ami-d0d8b8e0" },
"eu-west-1" : { "id" : "ami-aa56a1dd" },
"sa-east-1" : { "id" : "ami-d55bfbc8" },
"ap-southeast-1" : { "id" : "ami-bc7325ee" },
"ap-southeast-2" : { "id" : "ami-e577e9df" },
"ap-northeast-1" : { "id" : "ami-f72e45f6" }
},
"AWSInstanceType2Arch" : {
"t1.micro" : { "Arch" : "64" },
"m1.small" : { "Arch" : "64" },
"m1.medium" : { "Arch" : "64" },
"m1.large" : { "Arch" : "64" },
"m1.xlarge" : { "Arch" : "64" },
"m2.xlarge" : { "Arch" : "64" },
"m2.2xlarge" : { "Arch" : "64" },
"m2.4xlarge" : { "Arch" : "64" },
"m3.xlarge" : { "Arch" : "64" },
"m3.2xlarge" : { "Arch" : "64" },
"c1.medium" : { "Arch" : "64" },
"c1.xlarge" : { "Arch" : "64" },
"cc1.4xlarge" : { "Arch" : "64Cluster" },
"cc2.8xlarge" : { "Arch" : "64Cluster" },
"cg1.4xlarge" : { "Arch" : "64GPU" }
},
"SubnetConfig" : {
"VPC" : { "CIDR" : "10.236.0.0/16" },
"PublicSubnetA" : { "CIDR" : "10.236.100.0/24" },
"PublicSubnetB" : { "CIDR" : "10.236.101.0/24" },
"PublicSubnetC" : { "CIDR" : "10.236.102.0/24" },
"PrivateSubnetA" : { "CIDR" : "10.236.0.0/24" },
"PrivateSubnetB" : { "CIDR" : "10.236.1.0/24" },
"PrivateSubnetC" : { "CIDR" : "10.236.2.0/24" }
}
},
"Resources" : {
"VPC" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "VPC", "CIDR" ]},
"EnableDnsSupport" : "true",
"EnableDnsHostnames" : "true",
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" }
]
}
},
"PublicSubnetA" : {
"Type" : "AWS::EC2::Subnet",
"DependsOn" : "VPC",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::Join" : ["", [{ "Ref" : "AWS::Region"}, "a"]]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "PublicSubnetA", "CIDR" ]},
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "PublicSubnetA" }
]
}
},
"PublicSubnetB" : {
"Type" : "AWS::EC2::Subnet",
"DependsOn" : "VPC",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::Join" : ["", [{ "Ref" : "AWS::Region"}, "b"]]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "PublicSubnetB", "CIDR" ]},
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "PublicSubnetB" }
]
}
},
"PublicSubnetC" : {
"Type" : "AWS::EC2::Subnet",
"DependsOn" : "VPC",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::Join" : ["", [{ "Ref" : "AWS::Region"}, "c"]]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "PublicSubnetC", "CIDR" ]},
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "PublicSubnetC" }
]
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway",
"Properties" : {
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" }
]
}
},
"GatewayToInternet" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"PublicRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" }
]
}
},
"PublicRoute" : {
"Type" : "AWS::EC2::Route",
"DependsOn" : "GatewayToInternet",
"Properties" : {
"RouteTableId" : { "Ref" : "PublicRouteTable" },
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : { "Ref" : "InternetGateway" }
}
},
"PublicSubnetARouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PublicSubnetA" },
"RouteTableId" : { "Ref" : "PublicRouteTable" }
}
},
"PublicSubnetBRouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PublicSubnetB" },
"RouteTableId" : { "Ref" : "PublicRouteTable" }
}
},
"PublicSubnetCRouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PublicSubnetC" },
"RouteTableId" : { "Ref" : "PublicRouteTable" }
}
},
"PublicNetworkAcl" : {
"Type" : "AWS::EC2::NetworkAcl",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" }
]
}
},
"InboundHTTPPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
"RuleNumber" : "100",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : { "From" : "80", "To" : "80" }
}
},
"InboundHTTPSPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
"RuleNumber" : "101",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : { "From" : "443", "To" : "443" }
}
},
"InboundSSHPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
"RuleNumber" : "102",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : { "Ref" : "SSHFrom" },
"PortRange" : { "From" : "22", "To" : "22" }
}
},
"InboundEmphemeralPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
"RuleNumber" : "103",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : { "From" : "1024", "To" : "65535" }
}
},
"OutboundPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
"RuleNumber" : "100",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : { "From" : "0", "To" : "65535" }
}
},
"PublicSubnetANetworkAclAssociation" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PublicSubnetA" },
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
}
},
"PublicSubnetBNetworkAclAssociation" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PublicSubnetB" },
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
}
},
"PublicSubnetCNetworkAclAssociation" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PublicSubnetC" },
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
}
},
"PrivateSubnetA" : {
"Type" : "AWS::EC2::Subnet",
"DependsOn" : "VPC",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::Join" : ["", [{ "Ref" : "AWS::Region"}, "a"]]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "PrivateSubnetA", "CIDR" ]},
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "PrivateSubnetA" }
]
}
},
"PrivateSubnetB" : {
"Type" : "AWS::EC2::Subnet",
"DependsOn" : "VPC",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::Join" : ["", [{ "Ref" : "AWS::Region"}, "b"]]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "PrivateSubnetB", "CIDR" ]},
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "PrivateSubnetB" }
]
}
},
"PrivateSubnetC" : {
"Type" : "AWS::EC2::Subnet",
"DependsOn" : "VPC",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::Join" : ["", [{ "Ref" : "AWS::Region"}, "c"]]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "PrivateSubnetC", "CIDR" ]},
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "PrivateSubnetC" }
]
}
},
"PrivateSubnetARouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PrivateSubnetA" },
"RouteTableId" : { "Ref" : "PrivateRouteTable" }
}
},
"PrivateSubnetBRouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PrivateSubnetB" },
"RouteTableId" : { "Ref" : "PrivateRouteTable" }
}
},
"PrivateSubnetCRouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PrivateSubnetC" },
"RouteTableId" : { "Ref" : "PrivateRouteTable" }
}
},
"PrivateRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Private" }
]
}
},
"PrivateRoute" : {
"Type" : "AWS::EC2::Route",
"Properties" : {
"RouteTableId" : { "Ref" : "PrivateRouteTable" },
"DestinationCidrBlock" : "0.0.0.0/0",
"InstanceId" : { "Ref" : "NATDevice" }
}
},
"PrivateNetworkAcl" : {
"Type" : "AWS::EC2::NetworkAcl",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Private" }
]
}
},
"InboundPrivateNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" },
"RuleNumber" : "100",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : { "From" : "0", "To" : "65535" }
}
},
"OutBoundPrivateNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" },
"RuleNumber" : "100",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : { "From" : "0", "To" : "65535" }
}
},
"PrivateSubnetANetworkAclAssociation" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PrivateSubnetA" },
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
}
},
"PrivateSubnetBNetworkAclAssociation" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PrivateSubnetB" },
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
}
},
"PrivateSubnetCNetworkAclAssociation" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PrivateSubnetC" },
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
}
},
"NATIPAddress" : {
"Type" : "AWS::EC2::EIP",
"DependsOn" : "GatewayToInternet",
"Properties" : {
"Domain" : "vpc",
"InstanceId" : { "Ref" : "NATDevice" }
}
},
"NATDevice" : {
"Type" : "AWS::EC2::Instance",
"Properties" : {
"InstanceType" : { "Ref" : "NATInstanceType" },
"SubnetId" : { "Ref" : "PublicSubnetA" },
"KeyName" : { "Ref" : "NATKeyName" },
"SourceDestCheck" : "false",
"ImageId" : { "Fn::FindInMap" : [ "AWSNATAMI", { "Ref" : "AWS::Region" }, "AMI" ]},
"SecurityGroupIds" : [{ "Ref" : "NATSecurityGroup" }],
"Tags": [
{
"Key" : "Name",
"Value" : "NAT"
}
]
}
},
"NATSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable internal access to the NAT device",
"VpcId" : { "Ref" : "VPC" },
"SecurityGroupIngress" : [
{ "IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "10.236.0.0/24" },
{ "IpProtocol" : "tcp", "FromPort" : "443", "ToPort" : "443", "CidrIp" : "10.236.0.0/24" },
{ "IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "10.236.1.0/24" },
{ "IpProtocol" : "tcp", "FromPort" : "443", "ToPort" : "443", "CidrIp" : "10.236.1.0/24" } ,
{ "IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "10.236.2.0/24" },
{ "IpProtocol" : "tcp", "FromPort" : "443", "ToPort" : "443", "CidrIp" : "10.236.2.0/24" }
],
"SecurityGroupEgress" : [
{ "IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "0.0.0.0/0" },
{ "IpProtocol" : "tcp", "FromPort" : "443", "ToPort" : "443", "CidrIp" : "0.0.0.0/0" }
]
}
},
"BastionIPAddress" : {
"Type" : "AWS::EC2::EIP",
"DependsOn" : "GatewayToInternet",
"Properties" : {
"Domain" : "vpc",
"InstanceId" : { "Ref" : "BastionHost" }
}
},
"BastionUser" : {
"Type" : "AWS::IAM::User",
"Properties" : {
"Path": "/",
"Policies": [
{
"PolicyName": "root",
"PolicyDocument": {
"Statement": [
{
"Effect":"Allow",
"Action": [
"cloudformation:DescribeStackResource"
],
"Resource":"*"
},
{
"Effect" : "Allow",
"Action": [
"s3:*"
],
"Resource": [
{ "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "BastionKeyBucket"}]] },
{ "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "BastionKeyBucket"}, "/*"]] },
{ "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref" : "BastionKeyBucket"}, "/", {"Ref" : "AWS::Region"}, "/*"]] }
]
}
]
}
}
]
}
},
"BastionUserKeys" : {
"Type" : "AWS::IAM::AccessKey",
"Properties" : {
"UserName" : {"Ref": "BastionUser"}
}
},
"BastionHost" : {
"Type" : "AWS::EC2::Instance",
"Metadata" : {
"AWS::CloudFormation::Init" : {
"config" : {
"packages" : {
"apt" : {
"s3cmd" : []
}
},
"files" : {
"/home/ubuntu/.s3cfg" : {
"content" : { "Fn::Join" : ["", [
"[default]\n",
"access_key = ", { "Ref" : "BastionUserKeys" }, "\n",
"secret_key = ", { "Fn::GetAtt": ["BastionUserKeys", "SecretAccessKey"] }, "\n",
"use_https = True\n"
]]},
"mode" : "000644",
"owner" : "ubuntu",
"group" : "ubuntu"
}
}
}
}
},
"Properties" : {
"InstanceType" : { "Ref" : "BastionInstanceType" },
"KeyName" : { "Ref" : "BastionKeyName" },
"SubnetId" : { "Ref" : "PublicSubnetA" },
"ImageId" : { "Fn::FindInMap": [ "BastionAMI", { "Ref": "AWS::Region" }, "id" ] },
"SecurityGroupIds" : [{ "Ref" : "BastionSecurityGroup" }],
"Tags": [
{
"Key" : "Name",
"Value" : "Bastion"
}
],
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash\n",
"apt-get -y install python-setuptools\n",
"easy_install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz\n",
"cfn-init --region ", { "Ref" : "AWS::Region" }, " -s ", { "Ref" : "AWS::StackId" }, " -r BastionHost",
" --access-key ", { "Ref" : "BastionUserKeys" }, " --secret-key ",
{ "Fn::GetAtt" : ["BastionUserKeys", "SecretAccessKey"] }, "\n",
"s3cmd sync -c /home/ubuntu/.s3cfg s3://", { "Ref" : "BastionKeyBucket" }, "/", { "Ref" : "AWS::Region" }, "/ /home/ubuntu/\n",
"chmod 0400 /home/ubuntu/*.pem\n"
]]}}
}
},
"BastionSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Enable access to the Bastion host",
"VpcId" : { "Ref" : "VPC" },
"SecurityGroupIngress" : [
{ "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : { "Ref" : "SSHFrom" }}
],
"SecurityGroupEgress" : [
{ "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : { "Fn::FindInMap" : [ "SubnetConfig", "PrivateSubnetA", "CIDR" ]}},
{ "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : { "Fn::FindInMap" : [ "SubnetConfig", "PrivateSubnetB", "CIDR" ]}},
{ "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : { "Fn::FindInMap" : [ "SubnetConfig", "PrivateSubnetC", "CIDR" ]}},
{ "IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "0.0.0.0/0" },
{ "IpProtocol" : "tcp", "FromPort" : "443", "ToPort" : "443", "CidrIp" : "0.0.0.0/0" },
{ "IpProtocol" : "tcp", "FromPort" : "11371", "ToPort" : "11371", "CidrIp" : "0.0.0.0/0" }
]
}
}
},
"Outputs" : {
"VPCId" : {
"Description" : "VPCId of the newly created VPC",
"Value" : { "Ref" : "VPC" }
},
"PublicSubnetA" : {
"Description" : "SubnetId of public subnet A",
"Value" : { "Ref" : "PublicSubnetA" }
},
"PublicSubnetB" : {
"Description" : "SubnetId of public subnet B",
"Value" : { "Ref" : "PublicSubnetB" }
},
"PublicSubnetC" : {
"Description" : "SubnetId of public subnet C",
"Value" : { "Ref" : "PublicSubnetC" }
},
"PrivateSubnetA" : {
"Description" : "SubnetId of private subnet A",
"Value" : { "Ref" : "PrivateSubnetA" }
},
"PrivateSubnetB" : {
"Description" : "SubnetId of private subnet B",
"Value" : { "Ref" : "PrivateSubnetB" }
},
"PrivateSubnetC" : {
"Description" : "SubnetId of private subnet C",
"Value" : { "Ref" : "PrivateSubnetC" }
},
"Bastion" : {
"Description" : "IP Address of the Bastion host",
"Value" : { "Ref" : "BastionIPAddress" }
},
"BastionSecurityGroup" : {
"Description" : "Security Group of the Bastion Host",
"Value" : { "Ref" : "BastionSecurityGroup" }
},
"NATSecurityGroup" : {
"Description" : "Security Group of the NAT device",
"Value" : { "Ref" : "NATSecurityGroup" }
}
}
}