Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "CloudFormation template for a generic VPC with public and private subnets (with private network Internet access via NAT)",
"Parameters" : {
"KeyPairName" : {
"Description" : "Name of an existing EC2 KeyPair (find or create here: https://console.aws.amazon.com/ec2/v2/home#KeyPairs: )",
"Type" : "String",
"MinLength": "1",
"MaxLength": "64",
"AllowedPattern" : "[-_ a-zA-Z0-9]*",
"ConstraintDescription" : "can contain only alphanumeric characters, spaces, dashes and underscores."
},
"ServerAccess" : {
"Description" : "CIDR IP range allowed to login to the NAT instance",
"Type" : "String",
"MinLength": "9",
"MaxLength": "18",
"Default" : "0.0.0.0/0",
"AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x."
},
"VpcCidr": {
"Description": "CIDR IP range for the Vpc",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "10.44.0.0/16",
"AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x."
},
"PublicSubnetCidr": {
"Description": "CIDR IP range for the PublicSubnet",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "10.44.0.0/24",
"AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x."
},
"PrivateSubnetCidr": {
"Description": "CIDR IP range for the PrivateSubnet",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "10.44.1.0/24",
"AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription" : "must be a valid CIDR range of the form x.x.x.x/x."
}
},
"Mappings" : {
"SubnetConfig" : {
"VPC" : { "CIDR" : { "Ref" : "VpcCidr" } },
"Public" : { "CIDR" : { "Ref" : "PublicSubnetCidr" } },
"Private" : { "CIDR" : { "Ref" : "PrivateSubnetCidr" } }
},
"NatRegionMap" : {
"us-east-1" : { "AMI" : "ami-184dc970" },
"us-west-1" : { "AMI" : "ami-a98396ec" },
"us-west-2" : { "AMI" : "ami-290f4119" },
"eu-west-1" : { "AMI" : "ami-14913f63" },
"eu-central-1" : { "AMI" : "ami-ae380eb3" },
"sa-east-1" : { "AMI" : "ami-8122969c" },
"ap-southeast-1" : { "AMI" : "ami-6aa38238" },
"ap-southeast-2" : { "AMI" : "ami-893f53b3" },
"ap-northeast-1" : { "AMI" : "ami-27d6e626" }
}
},
"Resources" : {
"VPC" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "VPC", "CIDR" ]},
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "NAT VPC" }
]
}
},
"PublicSubnet" : {
"DependsOn" : ["VPC"],
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Public", "CIDR" ]},
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "Public Subnet" }
]
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway",
"Properties" : {
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } },
{ "Key" : "Network", "Value" : "Public" }
]
}
},
"GatewayToInternet" : {
"DependsOn" : ["VPC", "InternetGateway"],
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"PublicRouteTable" : {
"DependsOn" : ["VPC"],
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } },
{ "Key" : "Network", "Value" : "Public" }
]
}
},
"PublicRoute" : {
"DependsOn" : ["PublicRouteTable", "InternetGateway"],
"Type" : "AWS::EC2::Route",
"Properties" : {
"RouteTableId" : { "Ref" : "PublicRouteTable" },
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : { "Ref" : "InternetGateway" }
}
},
"PublicSubnetRouteTableAssociation" : {
"DependsOn" : ["PublicSubnet", "PublicRouteTable"],
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PublicSubnet" },
"RouteTableId" : { "Ref" : "PublicRouteTable" }
}
},
"PrivateSubnet" : {
"DependsOn" : ["VPC"],
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Private", "CIDR" ]},
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } },
{ "Key" : "Network", "Value" : "Private" },
{ "Key" : "Name", "Value" : "Private Subnet" }
]
}
},
"PrivateRouteTable" : {
"DependsOn" : ["VPC"],
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackName" } },
{ "Key" : "Network", "Value" : "Private" }
]
}
},
"PrivateSubnetRouteTableAssociation" : {
"DependsOn" : ["PrivateSubnet", "PrivateRouteTable"],
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "PrivateSubnet" },
"RouteTableId" : { "Ref" : "PrivateRouteTable" }
}
},
"NatSecurityGroup" : {
"DependsOn" : ["VPC"],
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "NAT Security Group",
"VpcId" : { "Ref" : "VPC" },
"SecurityGroupIngress" : [{
"IpProtocol" : "tcp",
"FromPort" : "22",
"ToPort" : "22",
"CidrIp" : { "Ref" : "ServerAccess" }
},{
"IpProtocol" : "tcp",
"FromPort" : "3389",
"ToPort" : "3389",
"CidrIp" : { "Ref" : "ServerAccess" }
}],
"Tags" : [
{ "Key" : "Name", "Value" : "NAT Security Group" }
]
}
},
"NatSecurityGroupIngress1" : {
"DependsOn" : ["NatSecurityGroup"],
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "NatSecurityGroup" },
"IpProtocol": "icmp",
"FromPort": "-1",
"ToPort": "-1",
"SourceSecurityGroupId": { "Ref": "NatSecurityGroup" }
}
},
"NatSecurityGroupIngress22" : {
"DependsOn" : ["NatSecurityGroup"],
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "NatSecurityGroup" },
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"SourceSecurityGroupId": { "Ref": "NatSecurityGroup" }
}
},
"NatSecurityGroupIngress3389" : {
"DependsOn" : ["NatSecurityGroup"],
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "NatSecurityGroup" },
"IpProtocol": "tcp",
"FromPort": "3389",
"ToPort": "3389",
"SourceSecurityGroupId": { "Ref": "NatSecurityGroup" }
}
},
"NatSecurityGroupIngress80" : {
"DependsOn" : ["NatSecurityGroup"],
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "NatSecurityGroup" },
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupId": { "Ref": "NatSecurityGroup" }
}
},
"NatSecurityGroupIngress443" : {
"DependsOn" : ["NatSecurityGroup"],
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "NatSecurityGroup" },
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"SourceSecurityGroupId": { "Ref": "NatSecurityGroup" }
}
},
"NAT" : {
"DependsOn" : ["PublicSubnet", "NatSecurityGroup"],
"Type" : "AWS::EC2::Instance",
"Properties" : {
"InstanceType" : "t2.micro",
"KeyName" : { "Ref" : "KeyPairName" },
"SourceDestCheck" : "false",
"ImageId" : { "Fn::FindInMap" : [ "NatRegionMap", { "Ref" : "AWS::Region" }, "AMI" ]},
"NetworkInterfaces" : [{
"GroupSet" : [{ "Ref" : "NatSecurityGroup" }],
"AssociatePublicIpAddress" : "true",
"DeviceIndex" : "0",
"DeleteOnTermination" : "true",
"SubnetId" : { "Ref" : "PublicSubnet" }
}],
"Tags" : [
{ "Key" : "Name", "Value" : "NAT" }
],
"UserData" : { "Fn::Base64" : { "Fn::Join" : ["", [
"#!/bin/bash\n",
"yum update -y && yum install -y yum-cron && chkconfig yum-cron on"
]]}}
}
},
"PrivateRoute" : {
"DependsOn" : ["PrivateRouteTable", "NAT"],
"Type" : "AWS::EC2::Route",
"Properties" : {
"RouteTableId" : { "Ref" : "PrivateRouteTable" },
"DestinationCidrBlock" : "0.0.0.0/0",
"InstanceId" : { "Ref" : "NAT" }
}
}
},
"Outputs" : {
"NATIP" : {
"Description" : "NAT IP address",
"Value" : { "Fn::GetAtt" : [ "NAT", "PublicIp" ] }
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.