Created
November 7, 2015 04:25
-
-
Save eliaslevy/bda1a3ae2588661e7121 to your computer and use it in GitHub Desktop.
OpenVPN CloudFormation template to attach a VPN AS to an existing VPC with an Internet Gateway
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
{ | |
"AWSTemplateFormatVersion": "2010-09-09", | |
"Description": "OpenVPN Access Server", | |
"Mappings": { | |
"RegionMap": { | |
"us-east-1" : { "AMI" : "ami-5fe36434" }, | |
"us-west-1" : { "AMI" : "ami-8bf40fcf" }, | |
"us-west-2" : { "AMI" : "ami-9fe2f2af" }, | |
"eu-west-1" : { "AMI" : "ami-03644074" }, | |
"eu-central-1" : { "AMI" : "ami-507f7e4d" }, | |
"sa-east-1" : { "AMI" : "ami-4fd55f52" }, | |
"ap-southeast-1" : { "AMI" : "ami-365c5764" }, | |
"ap-southeast-2" : { "AMI" : "ami-831d51b9" }, | |
"ap-northeast-1" : { "AMI" : "ami-5ea72b5e" } | |
} | |
}, | |
"Parameters": { | |
"VPC": { | |
"Description": "The VPC to attach the VPN access server to.", | |
"Type": "AWS::EC2::VPC::Id" | |
}, | |
"VpnSubnetCidr": { | |
"Description": "Network to use for the VPN subnet.", | |
"Type": "String" | |
}, | |
"KeyName": { | |
"Description": "Name of SSH keypair to authorize on each instance", | |
"Type": "String" | |
}, | |
"InternetGateway": { | |
"Description": "InternetGateway name", | |
"Type": "String" | |
} | |
}, | |
"Resources": { | |
"VpnSubnet": { | |
"Type": "AWS::EC2::Subnet", | |
"Properties": { | |
"VpcId": { "Ref": "VPC" }, | |
"CidrBlock": { "Ref": "VpnSubnetCidr" } | |
} | |
}, | |
"VpnRouteTable": { | |
"Type": "AWS::EC2::RouteTable", | |
"Properties": { | |
"VpcId": { "Ref": "VPC" } | |
} | |
}, | |
"VpnInternetRoute": { | |
"Type": "AWS::EC2::Route", | |
"Properties": { | |
"RouteTableId": { "Ref": "VpnRouteTable" }, | |
"DestinationCidrBlock": "0.0.0.0/0", | |
"GatewayId": { "Ref": "InternetGateway" } | |
} | |
}, | |
"VpnSubnetRouteTableAssociation": { | |
"Type": "AWS::EC2::SubnetRouteTableAssociation", | |
"Properties": { | |
"SubnetId": { "Ref": "VpnSubnet" }, | |
"RouteTableId": { "Ref": "VpnRouteTable" } | |
} | |
}, | |
"VpnNetworkAcl": { | |
"Type": "AWS::EC2::NetworkAcl", | |
"Properties": { | |
"VpcId": { "Ref": "VPC" } | |
} | |
}, | |
"InboundHttpsVpnNetworkAclEntry": { | |
"Type": "AWS::EC2::NetworkAclEntry", | |
"Properties": { | |
"NetworkAclId": { "Ref": "VpnNetworkAcl" }, | |
"RuleNumber": "100", | |
"Protocol": "6", | |
"RuleAction": "allow", | |
"Egress": "false", | |
"CidrBlock": "0.0.0.0/0", | |
"PortRange": { "From": "443", "To": "443" } | |
} | |
}, | |
"InboundUdpVpnNetworkAclEntry": { | |
"Type": "AWS::EC2::NetworkAclEntry", | |
"Properties": { | |
"NetworkAclId": { "Ref": "VpnNetworkAcl" }, | |
"RuleNumber": "101", | |
"Protocol": "17", | |
"RuleAction": "allow", | |
"Egress": "false", | |
"CidrBlock": "0.0.0.0/0", | |
"PortRange": { "From": "1194", "To": "1194" } | |
} | |
}, | |
"InboundSshVpnNetworkAclEntry": { | |
"Type": "AWS::EC2::NetworkAclEntry", | |
"Properties": { | |
"NetworkAclId": { "Ref": "VpnNetworkAcl" }, | |
"RuleNumber": "102", | |
"Protocol": "6", | |
"RuleAction": "allow", | |
"Egress": "false", | |
"CidrBlock": "0.0.0.0/0", | |
"PortRange": { "From": "22", "To": "22" } | |
} | |
}, | |
"InboundAdmVpnNetworkAclEntry": { | |
"Type": "AWS::EC2::NetworkAclEntry", | |
"Properties": { | |
"NetworkAclId": {"Ref": "VpnNetworkAcl" }, | |
"RuleNumber": "103", | |
"Protocol": "6", | |
"RuleAction": "allow", | |
"Egress": "false", | |
"CidrBlock": "0.0.0.0/0", | |
"PortRange": { "From": "943", "To": "943" } | |
} | |
}, | |
"InboundEphemeralVpnNetworkAclEntry": { | |
"Type": "AWS::EC2::NetworkAclEntry", | |
"Properties": { | |
"NetworkAclId": {"Ref": "VpnNetworkAcl" }, | |
"RuleNumber": "104", | |
"Protocol": "6", | |
"RuleAction": "allow", | |
"Egress": "false", | |
"CidrBlock": "0.0.0.0/0", | |
"PortRange": { "From": "1024", "To": "65535" } | |
} | |
}, | |
"OutboundVpnNetworkAclEntry": { | |
"Type": "AWS::EC2::NetworkAclEntry", | |
"Properties": { | |
"NetworkAclId": {"Ref": "VpnNetworkAcl" }, | |
"RuleNumber": "100", | |
"Protocol": "6", | |
"RuleAction": "allow", | |
"Egress": "true", | |
"CidrBlock": "0.0.0.0/0", | |
"PortRange": { "From": "0", "To": "65535" } | |
} | |
}, | |
"VpnSubnetNetworkAclAssociation": { | |
"Type": "AWS::EC2::SubnetNetworkAclAssociation", | |
"Properties": { | |
"SubnetId": { "Ref": "VpnSubnet" }, | |
"NetworkAclId": { "Ref": "VpnNetworkAcl" } | |
} | |
}, | |
"VpnSecurityGroup": { | |
"Type": "AWS::EC2::SecurityGroup", | |
"Properties": { | |
"VpcId": { "Ref": "VPC" }, | |
"GroupDescription": "VPN server security group.", | |
"SecurityGroupIngress": [ | |
{ "IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "0.0.0.0/0" }, | |
{ "IpProtocol": "udp", "FromPort": "1194", "ToPort": "1194", "CidrIp": "0.0.0.0/0" }, | |
{ "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0" }, | |
{ "IpProtocol": "tcp", "FromPort": "943", "ToPort": "943", "CidrIp": "0.0.0.0/0" } | |
] | |
} | |
}, | |
"VpnEIP": { | |
"Type": "AWS::EC2::EIP", | |
"Properties": { | |
"Domain": "vpc" | |
} | |
}, | |
"VpnInstance": { | |
"Type": "AWS::EC2::Instance", | |
"DependsOn": "VpnEIP", | |
"Properties": { | |
"ImageId": { "Fn::FindInMap": [ "RegionMap", {"Ref": "AWS::Region" }, "AMI" ]}, | |
"InstanceType": "t2.small", | |
"KeyName": { "Ref": "KeyName" }, | |
"SubnetId": { "Ref": "VpnSubnet" }, | |
"SecurityGroupIds": [{ "Ref": "VpnSecurityGroup" }], | |
"Tags": [{ "Key": "Name", "Value": "openVPN server" }], | |
"UserData": { | |
"Fn::Base64": { "Fn::Join": [ "", [ "public_hostname=", {"Ref": "VpnEIP"} ]] } | |
} | |
} | |
}, | |
"VpnEipAssociation": { | |
"Type": "AWS::EC2::EIPAssociation", | |
"DependsOn": "VpnInstance", | |
"Properties": { | |
"AllocationId": { "Fn::GetAtt": [ "VpnEIP", "AllocationId" ] }, | |
"InstanceId": { "Ref": "VpnInstance" } | |
} | |
}, | |
"AlarmVPNRecover": { | |
"Type": "AWS::CloudWatch::Alarm", | |
"Properties": { | |
"AlarmActions": [ | |
{ "Fn::Join": [ "", [ "arn:aws:automate:", { "Ref": "AWS::Region" }, ":ec2:recover" ] ] } | |
], | |
"AlarmDescription": "Trigger a recovery when system check fails for 5 consecutive minutes.", | |
"ComparisonOperator": "GreaterThanThreshold", | |
"Dimensions": [ { "Name": "InstanceId", "Value": { "Ref": "VpnInstance" } } ], | |
"EvaluationPeriods": "5", | |
"MetricName": "StatusCheckFailed_System", | |
"Namespace": "AWS/EC2", | |
"Period": "60", | |
"Statistic": "Minimum", | |
"Threshold": "0" | |
} | |
} | |
}, | |
"Outputs" : { | |
"OpenVPNServerAdminURL" : { | |
"Value" : { "Fn::Join" : ["", ["https://", { "Ref" : "VpnEIP" }, ":943/admin" ]] }, | |
"Description" : "openVPN Server Admin URL" | |
}, | |
"OpenVPNServerURL" : { | |
"Value" : { "Fn::Join" : ["", ["https://", { "Ref" : "VpnEIP" } ]] }, | |
"Description" : "openVPN Server URL" | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment