Last active
January 29, 2019 18:23
-
-
Save jeffbrl/9d8b009cb7e91c14714e590bbdfb2568 to your computer and use it in GitHub Desktop.
Outbound Internet Access by Web Proxy for AWS VPCs - CloudFormation templates
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: >- | |
| AWS CloudFormation template to create an App VPC that uses a proxy in the Outbound VPC | |
| for HTTP/HTTPS Internet access. | |
| Parameters: | |
| KeyName: | |
| Description: Name of an existing EC2 KeyPair to enable SSH access to the instances | |
| Type: String | |
| OutboundVpcStack: | |
| Description: Name of the Cloudformation stack used to create the Outbound VPC | |
| Type: String | |
| AppVpcCIDR: | |
| Description: CIDR Range for App VPC | |
| Type: String | |
| Default: 172.17.0.0/24 | |
| Mappings: | |
| UbuntuRegionMap: | |
| us-east-1: | |
| Ubuntu18AMI: ami-0ac019f4fcb7cb7e6 | |
| us-west-1: | |
| Ubuntu18AMI: ami-063aa838bd7631e0b | |
| Resources: | |
| AppVPC: | |
| Type: AWS::EC2::VPC | |
| Properties: | |
| CidrBlock: !Ref AppVpcCIDR | |
| EnableDnsSupport: 'true' | |
| EnableDnsHostnames: 'true' | |
| Tags: | |
| - Key: Name | |
| Value: !Sub '${AWS::StackName}-app' | |
| AppPrivateRouteTable: | |
| Type: AWS::EC2::RouteTable | |
| Properties: | |
| VpcId: !Ref AppVPC | |
| Tags: | |
| - Key: Name | |
| Value: !Sub '${AWS::StackName}-app' | |
| AppPrivateSubnet: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub '${AWS::StackName}-app' | |
| VpcId: !Ref AppVPC | |
| AvailabilityZone: !Sub ${AWS::Region}a | |
| CidrBlock: !Ref AppVpcCIDR | |
| MapPublicIpOnLaunch: false | |
| AppVpcSecurityGroup: | |
| Type: 'AWS::EC2::SecurityGroup' | |
| Description: SG to permit SSH for management | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub '${AWS::StackName}-app' | |
| GroupName: !Sub '${AWS::StackName}-app' | |
| GroupDescription: Allow traffic from Outbound Services VPC | |
| VpcId: !Ref AppVPC | |
| SecurityGroupIngress: | |
| - IpProtocol: tcp | |
| CidrIp: 172.16.0.0/24 | |
| FromPort: 22 | |
| ToPort: 22 | |
| AppPrivateRouteTableAssociation: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| SubnetId: | |
| !Ref AppPrivateSubnet | |
| RouteTableId: | |
| !Ref AppPrivateRouteTable | |
| AppEC2Instance: | |
| Type: 'AWS::EC2::Instance' | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub '${AWS::StackName}-app' | |
| KeyName: !Ref KeyName | |
| ImageId: !FindInMap [ UbuntuRegionMap, !Ref 'AWS::Region', Ubuntu18AMI ] | |
| InstanceType: t3.nano | |
| SecurityGroupIds: | |
| - !Ref AppVpcSecurityGroup | |
| SubnetId: !Ref AppPrivateSubnet | |
| UserData: | |
| Fn::Base64: | | |
| #!/bin/bash -xe | |
| cat << EOF > /etc/apt/apt.conf.d/95proxies | |
| Acquire::http::proxy "http://172.16.0.100:3128/"; | |
| Acquire::https::proxy "https://172.16.0.100:3128/"; | |
| EOF | |
| cat << EOF >> /etc/environment | |
| http_proxy="http://172.16.0.100:3128/" | |
| https_proxy="http://172.16.0.100:3128/" | |
| EOF | |
| VPCPeeringConnection: | |
| Type: AWS::EC2::VPCPeeringConnection | |
| Properties: | |
| VpcId: !Ref AppVPC | |
| PeerVpcId: | |
| Fn::ImportValue: !Sub '${OutboundVpcStack}-OutboundVpc' | |
| AppDefaultRoute: | |
| Type: AWS::EC2::Route | |
| Properties: | |
| RouteTableId: !Ref AppPrivateRouteTable | |
| DestinationCidrBlock: 0.0.0.0/0 | |
| VpcPeeringConnectionId: !Ref VPCPeeringConnection | |
| OutboundVPCRoutetoAppVPC: | |
| Type: AWS::EC2::Route | |
| Properties: | |
| RouteTableId: | |
| Fn::ImportValue: !Sub ${OutboundVpcStack}-InternetRouteTable | |
| DestinationCidrBlock: !Ref AppVpcCIDR | |
| VpcPeeringConnectionId: !Ref VPCPeeringConnection |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: >- | |
| AWS CloudFormation template to create an Outbound VPC with a proxy for the App VPCs | |
| Parameters: | |
| KeyName: | |
| Description: Name of an existing EC2 KeyPair to enable SSH access to the instances | |
| Type: String | |
| SourceIpCIDR: | |
| Description: CIDR Range allowed to SSH to Squid Proxy | |
| Type: String | |
| MinLength: '9' | |
| MaxLength: '18' | |
| Default: 0.0.0.0/0 | |
| AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2}) | |
| ConstraintDescription: Must use a valid IP CIDR range using slash notation (e.g., x.x.x.x/y) | |
| AmazonLinuxAMI: | |
| Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>' | |
| Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2' | |
| Resources: | |
| OutboundVpc: | |
| Type: AWS::EC2::VPC | |
| Properties: | |
| CidrBlock: 172.16.0.0/24 | |
| EnableDnsSupport: 'true' | |
| EnableDnsHostnames: 'true' | |
| Tags: | |
| - Key: Name | |
| Value: !Sub '${AWS::StackName}-internet-access' | |
| IGW: | |
| Type: AWS::EC2::InternetGateway | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub '${AWS::StackName}-internet-access' | |
| IgwAttachment: | |
| Type: AWS::EC2::VPCGatewayAttachment | |
| Properties: | |
| VpcId: !Ref OutboundVpc | |
| InternetGatewayId: !Ref IGW | |
| OutboundPublicSubnet: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub '${AWS::StackName}-output' | |
| VpcId: !Ref OutboundVpc | |
| AvailabilityZone: !Sub ${AWS::Region}a | |
| MapPublicIpOnLaunch: false | |
| CidrBlock: 172.16.0.0/24 | |
| InternetRouteTable: | |
| Type: AWS::EC2::RouteTable | |
| Properties: | |
| VpcId: | |
| !Ref OutboundVpc | |
| Tags: | |
| - Key: Name | |
| Value: !Sub '${AWS::StackName}-internet-access' | |
| InternetDefaultRoute: | |
| Type: AWS::EC2::Route | |
| DependsOn: | |
| - IGW | |
| - IgwAttachment | |
| Properties: | |
| RouteTableId: !Ref InternetRouteTable | |
| DestinationCidrBlock: 0.0.0.0/0 | |
| GatewayId: !Ref IGW | |
| InternetRouteTableAssociation: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| SubnetId: | |
| !Ref OutboundPublicSubnet | |
| RouteTableId: | |
| !Ref InternetRouteTable | |
| OutboundVpcSecurityGroup: | |
| Type: 'AWS::EC2::SecurityGroup' | |
| Description: SG to permit all traffic | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub '${AWS::StackName}-outbound' | |
| GroupName: !Sub '${AWS::StackName}-outbound' | |
| GroupDescription: Allow all traffic | |
| VpcId: !Ref OutboundVpc | |
| SecurityGroupIngress: | |
| - IpProtocol: tcp | |
| CidrIp: !Ref SourceIpCIDR | |
| FromPort: 22 | |
| ToPort: 22 | |
| - IpProtocol: tcp | |
| CidrIp: 172.17.0.0/16 | |
| FromPort: 3128 | |
| ToPort: 3128 | |
| SquidEC2Instance: | |
| Type: 'AWS::EC2::Instance' | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: !Sub '${AWS::StackName}-squid' | |
| KeyName: !Ref KeyName | |
| ImageId: !Ref AmazonLinuxAMI | |
| InstanceType: t3.nano | |
| NetworkInterfaces: | |
| - AssociatePublicIpAddress: true | |
| DeviceIndex: 0 | |
| PrivateIpAddress: 172.16.0.100 | |
| GroupSet: [ !Ref OutboundVpcSecurityGroup ] | |
| SubnetId: !Ref OutboundPublicSubnet | |
| UserData: | |
| Fn::Base64: | | |
| #!/bin/bash -xe | |
| yum install -y squid | |
| systemctl start squid.service | |
| systemctl enable squid.service | |
| Outputs: | |
| SquidProxyDNS: | |
| Description: DNS name for squid proxy | |
| Value: !GetAtt SquidEC2Instance.PublicDnsName | |
| InternetRouteTable: | |
| Description: Internet Route Table ID | |
| Value: !Ref InternetRouteTable | |
| Export: | |
| Name: !Sub ${AWS::StackName}-InternetRouteTable | |
| OutboundVpc: | |
| Description: VPC ID of Outbound VPC | |
| Value: !Ref OutboundVpc | |
| Export: | |
| Name: !Sub ${AWS::StackName}-OutboundVpc |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment