@jeffbrl
Last active January 29, 2019 18:23
Outbound Internet Access by Web Proxy for AWS VPCs - CloudFormation templates
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template to create an App VPC that uses a proxy in the Outbound VPC
  for HTTP/HTTPS Internet access.
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
    Type: String
  OutboundVpcStack:
    Description: Name of the Cloudformation stack used to create the Outbound VPC
    Type: String
  AppVpcCIDR:
    Description: CIDR Range for App VPC
    Type: String
    Default: 172.17.0.0/24
Mappings:
  UbuntuRegionMap:
    us-east-1:
      Ubuntu18AMI: ami-0ac019f4fcb7cb7e6
    us-west-1:
      Ubuntu18AMI: ami-063aa838bd7631e0b
Resources:
  AppVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref AppVpcCIDR
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-app'
  AppPrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref AppVPC
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-app'
  AppPrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-app'
      VpcId: !Ref AppVPC
      AvailabilityZone: !Sub ${AWS::Region}a
      CidrBlock: !Ref AppVpcCIDR
      MapPublicIpOnLaunch: false
  # SG to permit SSH for management (kept as a comment: Description is not a valid
  # resource-level attribute in CloudFormation)
  AppVpcSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-app'
      GroupName: !Sub '${AWS::StackName}-app'
      GroupDescription: Allow traffic from Outbound Services VPC
      VpcId: !Ref AppVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          CidrIp: 172.16.0.0/24
          FromPort: 22
          ToPort: 22
  AppPrivateRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref AppPrivateSubnet
      RouteTableId: !Ref AppPrivateRouteTable
  AppEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-app'
      KeyName: !Ref KeyName
      ImageId: !FindInMap [ UbuntuRegionMap, !Ref 'AWS::Region', Ubuntu18AMI ]
      InstanceType: t3.nano
      SecurityGroupIds:
        - !Ref AppVpcSecurityGroup
      SubnetId: !Ref AppPrivateSubnet
      UserData:
        Fn::Base64: |
          #!/bin/bash -xe
          # apt reaches Squid on 3128 over plain HTTP (CONNECT for https:// origins),
          # so both proxy URLs use the http:// scheme; an https:// proxy URL would make
          # apt attempt TLS to a port that only speaks HTTP.
          cat << EOF > /etc/apt/apt.conf.d/95proxies
          Acquire::http::proxy "http://172.16.0.100:3128/";
          Acquire::https::proxy "http://172.16.0.100:3128/";
          EOF
          cat << EOF >> /etc/environment
          http_proxy="http://172.16.0.100:3128/"
          https_proxy="http://172.16.0.100:3128/"
          EOF
  VPCPeeringConnection:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      VpcId: !Ref AppVPC
      PeerVpcId:
        Fn::ImportValue: !Sub '${OutboundVpcStack}-OutboundVpc'
  # The App VPC has no Internet gateway or NAT: its only way out is the peering link to
  # the Outbound VPC, where the Squid host is the sole path to the Internet.
  AppDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref AppPrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      VpcPeeringConnectionId: !Ref VPCPeeringConnection
  OutboundVPCRoutetoAppVPC:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Fn::ImportValue: !Sub ${OutboundVpcStack}-InternetRouteTable
      DestinationCidrBlock: !Ref AppVpcCIDR
      VpcPeeringConnectionId: !Ref VPCPeeringConnection
```
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template to create an Outbound VPC with a proxy for the App VPCs
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
    Type: String
  # The default admits SSH from the whole Internet; pass your admin range when deploying.
  SourceIpCIDR:
    Description: CIDR Range allowed to SSH to Squid Proxy
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: Must use a valid IP CIDR range using slash notation (e.g., x.x.x.x/y)
  AmazonLinuxAMI:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
Resources:
  OutboundVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.16.0.0/24
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-internet-access'
  IGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-internet-access'
  IgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref OutboundVpc
      InternetGatewayId: !Ref IGW
  OutboundPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-output'
      VpcId: !Ref OutboundVpc
      AvailabilityZone: !Sub ${AWS::Region}a
      MapPublicIpOnLaunch: false
      CidrBlock: 172.16.0.0/24
  InternetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref OutboundVpc
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-internet-access'
  InternetDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn:
      - IGW
      - IgwAttachment
    Properties:
      RouteTableId: !Ref InternetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGW
  InternetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref OutboundPublicSubnet
      RouteTableId: !Ref InternetRouteTable
  # SG to permit all traffic (kept as a comment: Description is not a valid
  # resource-level attribute in CloudFormation). Inbound it actually admits only
  # SSH from SourceIpCIDR and the Squid port from the App VPC address range.
  OutboundVpcSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-outbound'
      GroupName: !Sub '${AWS::StackName}-outbound'
      GroupDescription: Allow all traffic
      VpcId: !Ref OutboundVpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          CidrIp: !Ref SourceIpCIDR
          FromPort: 22
          ToPort: 22
        - IpProtocol: tcp
          CidrIp: 172.17.0.0/16
          FromPort: 3128
          ToPort: 3128
  SquidEC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      Tags:
        - Key: Name
          Value: !Sub '${AWS::StackName}-squid'
      KeyName: !Ref KeyName
      ImageId: !Ref AmazonLinuxAMI
      InstanceType: t3.nano
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          # Fixed address so the App VPC user data can point at 172.16.0.100:3128
          PrivateIpAddress: 172.16.0.100
          GroupSet: [ !Ref OutboundVpcSecurityGroup ]
          SubnetId: !Ref OutboundPublicSubnet
      UserData:
        Fn::Base64: |
          #!/bin/bash -xe
          yum install -y squid
          systemctl start squid.service
          systemctl enable squid.service
Outputs:
  SquidProxyDNS:
    Description: DNS name for squid proxy
    Value: !GetAtt SquidEC2Instance.PublicDnsName
  InternetRouteTable:
    Description: Internet Route Table ID
    Value: !Ref InternetRouteTable
    Export:
      Name: !Sub ${AWS::StackName}-InternetRouteTable
  OutboundVpc:
    Description: VPC ID of Outbound VPC
    Value: !Ref OutboundVpc
    Export:
      Name: !Sub ${AWS::StackName}-OutboundVpc
```
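As an added example that is not part of the gist, a stdlib-only Python check that audits the Squid security group's ingress rules (transcribed from the Outbound template above, with SourceIpCIDR left at its 0.0.0.0/0 default) against a simple policy: SSH only from named admin ranges, port 3128 only from the address space reserved for App VPCs, and every deployed App VPC CIDR covered by some 3128 rule so the proxy is actually reachable. The admin range 203.0.113.0/24 and the function names are assumptions.

```python
import ipaddress

# Ingress rules transcribed from OutboundVpcSecurityGroup in the Outbound template,
# with the SourceIpCIDR parameter resolved to its default (constructed sample data).
OUTBOUND_SG_INGRESS = [
    {"IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": 22, "ToPort": 22},
    {"IpProtocol": "tcp", "CidrIp": "172.17.0.0/16", "FromPort": 3128, "ToPort": 3128},
]

SSH_PORT, PROXY_PORT = 22, 3128


def _opens(rule, port):
    """True if the rule admits TCP traffic to `port` (IpProtocol -1 means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def _within(cidr, allowed):
    """True if `cidr` lies entirely inside one of the `allowed` networks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)


def audit_proxy_sg(rules, admin_cidrs, app_plan, app_vpc_cidrs):
    """Audit a proxy security group's ingress list (hypothetical helper).

    admin_cidrs:   ranges permitted to SSH to the proxy host
    app_plan:      address space reserved for App VPCs (the only valid 3128 sources)
    app_vpc_cidrs: CIDRs of deployed App VPCs, each of which must be able to reach 3128
    Returns a list of findings; an empty list means the rules pass the policy."""
    findings = []
    proxy_sources = []
    for r in rules:
        if _opens(r, SSH_PORT) and not _within(r["CidrIp"], admin_cidrs):
            findings.append(f"SSH open to {r['CidrIp']}, outside admin ranges {admin_cidrs}")
        if _opens(r, PROXY_PORT):
            if not _within(r["CidrIp"], [app_plan]):
                findings.append(f"proxy port {PROXY_PORT} open to {r['CidrIp']}, outside {app_plan}")
            proxy_sources.append(r["CidrIp"])
    for vpc in app_vpc_cidrs:
        if not _within(vpc, proxy_sources):
            findings.append(f"App VPC {vpc} cannot reach port {PROXY_PORT}: not covered by {proxy_sources}")
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_sg(OUTBOUND_SG_INGRESS, ["203.0.113.0/24"], "172.17.0.0/16", ["172.17.0.0/24"]):
        print("FINDING:", finding)
```

Run against the template defaults it reports only the world-open SSH rule; tightening SourceIpCIDR to the admin range makes the audit pass, and an App VPC outside 172.17.0.0/16 is flagged as unable to reach the proxy.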