CloudFormation template that creates an inspection VPC hosting AWS Network Firewall and the VPCs to be inspected
AWSTemplateFormatVersion: 2010-09-09
Description: nfwkensyou
Parameters:
  VpcNwMngCidr:
    Description: CIDR of vpc-NwMng
    Type: String
    Default: 10.0.0.0/24
  SubnetNwMngPublicACidr:
    Description: CIDR of subnet-NwMng-public-a
    Type: String
    Default: 10.0.0.0/28
  SubnetNwMngPublicCCidr:
    Description: CIDR of subnet-NwMng-public-c
    Type: String
    Default: 10.0.0.16/28
  SubnetNwMngFirewallACidr:
    Description: CIDR of subnet-NwMng-nfw-a
    Type: String
    Default: 10.0.0.32/28
  SubnetNwMngFirewallCCidr:
    Description: CIDR of subnet-NwMng-nfw-c
    Type: String
    Default: 10.0.0.48/28
  SubnetNwMngEndpointACidr:
    Description: CIDR of subnet-NwMng-endpoint-a
    Type: String
    Default: 10.0.0.128/28
  SubnetNwMngEndpointCCidr:
    Description: CIDR of subnet-NwMng-endpoint-c
    Type: String
    Default: 10.0.0.144/28
  SubnetNwMngTransitACidr:
    Description: CIDR of subnet-NwMng-tgw-a
    Type: String
    Default: 10.0.0.160/28
  SubnetNwMngTransitCCidr:
    Description: CIDR of subnet-NwMng-tgw-c
    Type: String
    Default: 10.0.0.176/28
  VpcSpoke1Cidr:
    Description: CIDR of vpc-Spoke1
    Type: String
    Default: 10.0.1.0/24
  SubnetSpoke1ProtectedACidr:
    Description: CIDR of subnet-Spoke1-protected-a
    Type: String
    Default: 10.0.1.64/28
  SubnetSpoke1ProtectedCCidr:
    Description: CIDR of subnet-Spoke1-protected-c
    Type: String
    Default: 10.0.1.80/28
  SubnetSpoke1PrivateACidr:
    Description: CIDR of subnet-Spoke1-private-a
    Type: String
    Default: 10.0.1.96/28
  SubnetSpoke1PrivateCCidr:
    Description: CIDR of subnet-Spoke1-private-c
    Type: String
    Default: 10.0.1.112/28
  SubnetSpoke1EndpointACidr:
    Description: CIDR of subnet-Spoke1-endpoint-a
    Type: String
    Default: 10.0.1.128/28
  SubnetSpoke1EndpointCCidr:
    Description: CIDR of subnet-Spoke1-endpoint-c
    Type: String
    Default: 10.0.1.144/28
  SubnetSpoke1TransitACidr:
    Description: CIDR of subnet-Spoke1-tgw-a
    Type: String
    Default: 10.0.1.160/28
  SubnetSpoke1TransitCCidr:
    Description: CIDR of subnet-Spoke1-tgw-c
    Type: String
    Default: 10.0.1.176/28
  Ec2Spoke1PrivateIp:
    Description: Private IP of ec2-Spoke1-protected-a
    Type: String
    Default: 10.0.1.68
  VpcSpoke2Cidr:
    Description: CIDR of vpc-Spoke2
    Type: String
    Default: 10.0.2.0/24
  SubnetSpoke2ProtectedACidr:
    Description: CIDR of subnet-Spoke2-protected-a
    Type: String
    Default: 10.0.2.64/28
  SubnetSpoke2ProtectedCCidr:
    Description: CIDR of subnet-Spoke2-protected-c
    Type: String
    Default: 10.0.2.80/28
  SubnetSpoke2PrivateACidr:
    Description: CIDR of subnet-Spoke2-private-a
    Type: String
    Default: 10.0.2.96/28
  SubnetSpoke2PrivateCCidr:
    Description: CIDR of subnet-Spoke2-private-c
    Type: String
    Default: 10.0.2.112/28
  SubnetSpoke2EndpointACidr:
    Description: CIDR of subnet-Spoke2-endpoint-a
    Type: String
    Default: 10.0.2.128/28
  SubnetSpoke2EndpointCCidr:
    Description: CIDR of subnet-Spoke2-endpoint-c
    Type: String
    Default: 10.0.2.144/28
  SubnetSpoke2TransitACidr:
    Description: CIDR of subnet-Spoke2-tgw-a
    Type: String
    Default: 10.0.2.160/28
  SubnetSpoke2TransitCCidr:
    Description: CIDR of subnet-Spoke2-tgw-c
    Type: String
    Default: 10.0.2.176/28
  Ec2Spoke2PrivateIp:
    Description: Private IP of ec2-Spoke2-protected-c
    Type: String
    Default: 10.0.2.84
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Parameters related to vpc-NwMng
        Parameters:
          - VpcNwMngCidr
          - SubnetNwMngPublicACidr
          - SubnetNwMngPublicCCidr
          - SubnetNwMngFirewallACidr
          - SubnetNwMngFirewallCCidr
          - SubnetNwMngEndpointACidr
          - SubnetNwMngEndpointCCidr
          - SubnetNwMngTransitACidr
          - SubnetNwMngTransitCCidr
      - Label:
          default: Parameters related to vpc-Spoke1
        Parameters:
          - VpcSpoke1Cidr
          - SubnetSpoke1ProtectedACidr
          - SubnetSpoke1ProtectedCCidr
          - SubnetSpoke1PrivateACidr
          - SubnetSpoke1PrivateCCidr
          - SubnetSpoke1EndpointACidr
          - SubnetSpoke1EndpointCCidr
          - SubnetSpoke1TransitACidr
          - SubnetSpoke1TransitCCidr
          - Ec2Spoke1PrivateIp
      - Label:
          default: Parameters related to vpc-Spoke2
        Parameters:
          - VpcSpoke2Cidr
          - SubnetSpoke2ProtectedACidr
          - SubnetSpoke2ProtectedCCidr
          - SubnetSpoke2PrivateACidr
          - SubnetSpoke2PrivateCCidr
          - SubnetSpoke2EndpointACidr
          - SubnetSpoke2EndpointCCidr
          - SubnetSpoke2TransitACidr
          - SubnetSpoke2TransitCCidr
          - Ec2Spoke2PrivateIp
Resources:
  #######################################################################
  ## Common ##
  #######################################################################
  # IAM role for VPC Flow Logs
  FlowLogsRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: role-vpcflowlogs
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - vpc-flow-logs.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
  FlowLogsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: FlowLogsPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              # - logs:CreateLogGroup # Commented out to avoid a log group of the same name being recreated after a stack deletion has already deleted the VPC flow log log group.
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
            Effect: Allow
            Resource: '*'
      Roles:
        - !Ref FlowLogsRole
  # IAM role for Session Manager
  EC2IAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: role-ec2-sessionmanager
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - Ref: EC2IAMRole
      InstanceProfileName: EC2InstanceProfile-sessionmanager
  # Transit Gateway
  TGWCommon:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 65000
      Description: TGW Network Firewall Demo
      AutoAcceptSharedAttachments: enable
      DefaultRouteTableAssociation: disable
      DnsSupport: enable
      VpnEcmpSupport: enable
      Tags:
        - Key: Name
          Value: tgw-Common
  #######################################################################
  ## Resources related to vpc-NwMng ##
  #######################################################################
  VpcNwMng:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcNwMngCidr
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: vpc-NwMng
  ## VPC Flow Logs
  LogGroupVPCFlowLogNwMng:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: vpcflowlog-NwMng
  VPCFlowLogNwMng:
    Type: AWS::EC2::FlowLog
    Properties:
      DeliverLogsPermissionArn: !GetAtt
        - FlowLogsRole
        - Arn
      LogGroupName: !Ref LogGroupVPCFlowLogNwMng
      ResourceId: !Ref VpcNwMng
      ResourceType: VPC
      Tags:
        - Key: Name
          Value: vpcflowlog-NwMng
      TrafficType: ALL
  ## Subnets
  SubnetNwMngPublicA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetNwMngPublicACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-public-a
  SubnetNwMngPublicC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetNwMngPublicCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-public-c
  SubnetNwMngFirewallA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetNwMngFirewallACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-nfw-a
  SubnetNwMngFirewallC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetNwMngFirewallCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-nfw-c
  SubnetNwMngEndpointA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetNwMngEndpointACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-endpoint-a
  SubnetNwMngEndpointC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetNwMngEndpointCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-endpoint-c
  SubnetNwMngTransitA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetNwMngTransitACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-tgw-a
  SubnetNwMngTransitC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcNwMng
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetNwMngTransitCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-NwMng-tgw-c
  ## Internet Gateway
  IgwNwMng:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: igw-NwMng
  IgwNwMngAttach:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcNwMng
      InternetGatewayId: !Ref IgwNwMng
  ## NAT Gateway
  NgwNwMngA:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt
        - EipNgwNwMngA
        - AllocationId
      SubnetId: !Ref SubnetNwMngPublicA
      Tags:
        - Key: Name
          Value: ngw-NwMng-a
  EipNgwNwMngA:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: eip-ngw-NwMng-a
  NgwNwMngC:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt
        - EipNgwNwMngC
        - AllocationId
      SubnetId: !Ref SubnetNwMngPublicC
      Tags:
        - Key: Name
          Value: ngw-NwMng-c
  EipNgwNwMngC:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: eip-ngw-NwMng-c
  ## Route tables
  ### rtb-NwMng-public-a
  RtbNwMngPublicA:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-public-a
  RtbNwMngPublicARoute0:
    Type: AWS::EC2::Route
    DependsOn: IgwNwMngAttach
    Properties:
      RouteTableId: !Ref RtbNwMngPublicA
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IgwNwMng
  # Return traffic from the NAT gateway goes back through the firewall endpoint in the same AZ.
  # EndpointIds is a list of "<az>:<vpce-id>" strings, so the Join/Split/Select chain picks the vpce-id
  # that follows the "a:" (or "c:") marker.
  RtbNwMngPublicARoute1:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngPublicA
      DestinationCidrBlock: !Ref VpcSpoke1Cidr
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1 , !Split [ 'a:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  RtbNwMngPublicARoute2:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngPublicA
      DestinationCidrBlock: !Ref VpcSpoke2Cidr
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1 , !Split [ 'a:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  ### rtb-NwMng-public-c
  RtbNwMngPublicC:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-public-c
  RtbNwMngPublicCRoute0:
    Type: AWS::EC2::Route
    DependsOn: IgwNwMngAttach
    Properties:
      RouteTableId: !Ref RtbNwMngPublicC
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IgwNwMng
  RtbNwMngPublicCRoute1:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngPublicC
      DestinationCidrBlock: !Ref VpcSpoke1Cidr
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1 , !Split [ 'c:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  RtbNwMngPublicCRoute2:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngPublicC
      DestinationCidrBlock: !Ref VpcSpoke2Cidr
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1 , !Split [ 'c:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  ### rtb-NwMng-nfw-a
  RtbNwMngFirewallA:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-nfw-a
  RtbNwMngFirewallARoute0:
    Type: AWS::EC2::Route
    DependsOn: NgwNwMngA
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallA
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NgwNwMngA
  RtbNwMngFirewallARoute1:
    Type: AWS::EC2::Route
    DependsOn: TGWAttNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallA
      DestinationCidrBlock: !Ref VpcSpoke1Cidr
      TransitGatewayId: !Ref TGWCommon
  RtbNwMngFirewallARoute2:
    Type: AWS::EC2::Route
    DependsOn: TGWAttNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallA
      DestinationCidrBlock: !Ref VpcSpoke2Cidr
      TransitGatewayId: !Ref TGWCommon
  ### rtb-NwMng-nfw-c
  RtbNwMngFirewallC:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-nfw-c
  RtbNwMngFirewallCRoute0:
    Type: AWS::EC2::Route
    DependsOn: NgwNwMngC
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallC
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NgwNwMngC
  RtbNwMngFirewallCRoute1:
    Type: AWS::EC2::Route
    DependsOn: TGWAttNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallC
      DestinationCidrBlock: !Ref VpcSpoke1Cidr
      TransitGatewayId: !Ref TGWCommon
  RtbNwMngFirewallCRoute2:
    Type: AWS::EC2::Route
    DependsOn: TGWAttNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngFirewallC
      DestinationCidrBlock: !Ref VpcSpoke2Cidr
      TransitGatewayId: !Ref TGWCommon
  ### rtb-NwMng-endpoint
  RtbNwMngEndpoint:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-endpoint
  ### rtb-NwMng-tgw-a
  RtbNwMngTransitA:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-tgw-a
  RtbNwMngTransitARoute0:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngTransitA
      DestinationCidrBlock: 0.0.0.0/0
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1 , !Split [ 'a:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  ### rtb-NwMng-tgw-c
  RtbNwMngTransitC:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcNwMng
      Tags:
        - Key: Name
          Value: rtb-NwMng-tgw-c
  RtbNwMngTransitCRoute0:
    Type: AWS::EC2::Route
    DependsOn: NetworkFirewallNwMng
    Properties:
      RouteTableId: !Ref RtbNwMngTransitC
      DestinationCidrBlock: 0.0.0.0/0
      VpcEndpointId: !Select [ 0, !Split [ ',', !Select [ 1 , !Split [ 'c:', !Join [ ',', !GetAtt NetworkFirewallNwMng.EndpointIds ] ] ] ] ]
  ## Subnet associations to route tables
  SubnetRouteTableAssociationSubnetNwMngPublicA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngPublicA
    Properties:
      SubnetId: !Ref SubnetNwMngPublicA
      RouteTableId: !Ref RtbNwMngPublicA
  SubnetRouteTableAssociationSubnetNwMngPublicC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngPublicC
    Properties:
      SubnetId: !Ref SubnetNwMngPublicC
      RouteTableId: !Ref RtbNwMngPublicC
  SubnetRouteTableAssociationSubnetNwMngFirewallA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngFirewallA
    Properties:
      SubnetId: !Ref SubnetNwMngFirewallA
      RouteTableId: !Ref RtbNwMngFirewallA
  SubnetRouteTableAssociationSubnetNwMngFirewallC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngFirewallC
    Properties:
      SubnetId: !Ref SubnetNwMngFirewallC
      RouteTableId: !Ref RtbNwMngFirewallC
  SubnetRouteTableAssociationSubnetNwMngEndpointA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngEndpointA
    Properties:
      SubnetId: !Ref SubnetNwMngEndpointA
      RouteTableId: !Ref RtbNwMngEndpoint
  SubnetRouteTableAssociationSubnetNwMngEndpointC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngEndpointC
    Properties:
      SubnetId: !Ref SubnetNwMngEndpointC
      RouteTableId: !Ref RtbNwMngEndpoint
  SubnetRouteTableAssociationSubnetNwMngTransitA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngTransitA
    Properties:
      SubnetId: !Ref SubnetNwMngTransitA
      RouteTableId: !Ref RtbNwMngTransitA
  SubnetRouteTableAssociationSubnetNwMngTransitC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetNwMngTransitC
    Properties:
      SubnetId: !Ref SubnetNwMngTransitC
      RouteTableId: !Ref RtbNwMngTransitC
  # Network Firewall
  ## The firewall itself
  NetworkFirewallNwMng:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: nfw-NwMng
      FirewallPolicyArn: !Ref FirewallNwMngPolicy
      VpcId: !Ref VpcNwMng
      SubnetMappings:
        - SubnetId: !Ref SubnetNwMngFirewallA
        - SubnetId: !Ref SubnetNwMngFirewallC
      Tags:
        - Key: Name
          Value: nfw-NwMng
  ## Firewall policy
  FirewallNwMngPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: nfw-policy-NwMng
      FirewallPolicy:
        StatelessDefaultActions:
          - aws:forward_to_sfe
        StatelessFragmentDefaultActions:
          - aws:forward_to_sfe
        ### Set the rule evaluation order to strict order and the stateful default action to "drop established"
        ### so that anything not explicitly passed by a rule group is implicitly denied (and alerted on).
        StatefulEngineOptions:
          RuleOrder: STRICT_ORDER
          StreamExceptionPolicy: DROP
        StatefulDefaultActions:
          - aws:drop_established
          - aws:alert_established
        StatefulRuleGroupReferences:
          - ResourceArn: !Ref InternalStatefulRuleGroup
            Priority: 1
          - ResourceArn: !Ref InternetEgressStatefulRuleGroup
            Priority: 2
      Tags:
        - Key: Name
          Value: nfw-policy-NwMng
  ## Rule group (internal traffic)
  ## In strict order the ALERT rule is evaluated before the PASS rule, so permitted flows are logged as well as passed.
  InternalStatefulRuleGroup:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: nfw-rulegroup-NwMng-Internal
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        StatefulRuleOptions:
          RuleOrder: STRICT_ORDER
        RulesSource:
          StatefulRules:
            - Action: ALERT
              Header:
                Protocol: IP
                Source: !Ref VpcSpoke1Cidr
                SourcePort: ANY
                Destination: !Ref VpcSpoke2Cidr
                DestinationPort: ANY
                Direction: ANY
              RuleOptions:
                - Keyword: sid:1001
            - Action: PASS
              Header:
                Protocol: IP
                Source: !Ref VpcSpoke1Cidr
                SourcePort: ANY
                Destination: !Ref VpcSpoke2Cidr
                DestinationPort: ANY
                Direction: ANY
              RuleOptions:
                - Keyword: sid:1002
      Tags:
        - Key: Name
          Value: nfw-rulegroup-NwMng-Internal
  ## Rule group (internet traffic)
  InternetEgressStatefulRuleGroup:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: nfw-rulegroup-NwMng-InternetEgress
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        StatefulRuleOptions:
          RuleOrder: STRICT_ORDER
        RulesSource:
          StatefulRules:
            - Action: ALERT
              Header:
                Protocol: IP
                Source: !Sub ${VpcSpoke1Cidr},${VpcSpoke2Cidr}
                SourcePort: ANY
                Destination: ANY
                DestinationPort: ANY
                Direction: FORWARD
              RuleOptions:
                - Keyword: sid:2001
            - Action: PASS
              Header:
                Protocol: IP
                Source: !Sub ${VpcSpoke1Cidr},${VpcSpoke2Cidr}
                SourcePort: ANY
                Destination: ANY
                DestinationPort: ANY
                Direction: FORWARD
              RuleOptions:
                - Keyword: sid:2002
      Tags:
        - Key: Name
          Value: nfw-rulegroup-NwMng-InternetEgress
  ## Network Firewall logs
  ### Logging configuration
  NetworkFirewallNwMngLog:
    Type: AWS::NetworkFirewall::LoggingConfiguration
    # The log groups are referenced by name, so they must exist before the logging configuration is created.
    DependsOn:
      - LogGroupNetworkFirewallFlowNwMng
      - LogGroupNetworkFirewallAlertNwMng
    Properties:
      FirewallArn: !Ref NetworkFirewallNwMng
      LoggingConfiguration:
        LogDestinationConfigs:
          - LogType: FLOW
            LogDestinationType: CloudWatchLogs
            LogDestination:
              logGroup: nfw-flowlog-NwMng
          - LogType: ALERT
            LogDestinationType: CloudWatchLogs
            LogDestination:
              logGroup: nfw-alertlog-NwMng
  ### Flow log destination
  LogGroupNetworkFirewallFlowNwMng:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: nfw-flowlog-NwMng
  ### Alert log destination
  LogGroupNetworkFirewallAlertNwMng:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: nfw-alertlog-NwMng
  # Transit Gateway attachment and route table
  TGWAttNwMng:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      Options:
        # Appliance mode keeps both directions of a flow on the same AZ, so the firewall sees symmetric traffic.
        ApplianceModeSupport: enable
      SubnetIds:
        - !Ref SubnetNwMngTransitA
        - !Ref SubnetNwMngTransitC
      Tags:
        - Key: Name
          Value: tgw-attach-NwMng
      TransitGatewayId: !Ref TGWCommon
      VpcId: !Ref VpcNwMng
  TGWRouteTableNwMng:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      Tags:
        - Key: Name
          Value: tgw-rtb-NwMng
      TransitGatewayId: !Ref TGWCommon
  TGWCommonRoute0:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      DestinationCidrBlock: !Ref VpcSpoke1Cidr
      TransitGatewayAttachmentId: !Ref TGWAttSpoke1
      TransitGatewayRouteTableId: !Ref TGWRouteTableNwMng
  TGWCommonRoute1:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      DestinationCidrBlock: !Ref VpcSpoke2Cidr
      TransitGatewayAttachmentId: !Ref TGWAttSpoke2
      TransitGatewayRouteTableId: !Ref TGWRouteTableNwMng
  AssociateVpcNwMngRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref TGWAttNwMng
      TransitGatewayRouteTableId: !Ref TGWRouteTableNwMng
  #######################################################################
  ## Resources related to vpc-Spoke1 ##
  #######################################################################
  VpcSpoke1:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcSpoke1Cidr
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: vpc-Spoke1
  ## VPC Flow Logs
  LogGroupVPCFlowLogSpoke1:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: vpcflowlog-Spoke1
  VPCFlowLogSpoke1:
    Type: AWS::EC2::FlowLog
    Properties:
      DeliverLogsPermissionArn: !GetAtt
        - FlowLogsRole
        - Arn
      LogGroupName: !Ref LogGroupVPCFlowLogSpoke1
      ResourceId: !Ref VpcSpoke1
      ResourceType: VPC
      Tags:
        - Key: Name
          Value: vpcflowlog-Spoke1
      TrafficType: ALL
  ## Subnets
  SubnetSpoke1ProtectedA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke1ProtectedACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-protected-a
  SubnetSpoke1ProtectedC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke1ProtectedCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-protected-c
  SubnetSpoke1PrivateA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke1PrivateACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-private-a
  SubnetSpoke1PrivateC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke1PrivateCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-private-c
  SubnetSpoke1EndpointA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke1EndpointACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-endpoint-a
  SubnetSpoke1EndpointC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke1EndpointCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-endpoint-c
  SubnetSpoke1TransitA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke1TransitACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-tgw-a
  SubnetSpoke1TransitC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke1
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke1TransitCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke1-tgw-c
  ## Route tables
  ### rtb-Spoke1-protected
  RtbSpoke1Protected:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke1
      Tags:
        - Key: Name
          Value: rtb-Spoke1-protected
  # Everything leaving the protected subnets is sent to the Transit Gateway, and from there to the inspection VPC.
  RtbSpoke1ProtectedARoute0:
    Type: AWS::EC2::Route
    DependsOn: TGWAttSpoke1
    Properties:
      RouteTableId: !Ref RtbSpoke1Protected
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayId: !Ref TGWCommon
  ### rtb-Spoke1-private
  RtbSpoke1Private:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke1
      Tags:
        - Key: Name
          Value: rtb-Spoke1-private
  ### rtb-Spoke1-endpoint
  RtbSpoke1Endpoint:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke1
      Tags:
        - Key: Name
          Value: rtb-Spoke1-endpoint
  ### rtb-Spoke1-tgw
  RtbSpoke1Transit:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcSpoke1
      Tags:
        - Key: Name
          Value: rtb-Spoke1-tgw
  ## Subnet associations to route tables
  SubnetRouteTableAssociationSubnetSpoke1ProtectedA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1ProtectedA
    Properties:
      SubnetId: !Ref SubnetSpoke1ProtectedA
      RouteTableId: !Ref RtbSpoke1Protected
  SubnetRouteTableAssociationSubnetSpoke1ProtectedC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1ProtectedC
    Properties:
      SubnetId: !Ref SubnetSpoke1ProtectedC
      RouteTableId: !Ref RtbSpoke1Protected
  SubnetRouteTableAssociationSubnetSpoke1PrivateA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1PrivateA
    Properties:
      SubnetId: !Ref SubnetSpoke1PrivateA
      RouteTableId: !Ref RtbSpoke1Private
  SubnetRouteTableAssociationSubnetSpoke1PrivateC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1PrivateC
    Properties:
      SubnetId: !Ref SubnetSpoke1PrivateC
      RouteTableId: !Ref RtbSpoke1Private
  SubnetRouteTableAssociationSubnetSpoke1EndpointA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1EndpointA
    Properties:
      SubnetId: !Ref SubnetSpoke1EndpointA
      RouteTableId: !Ref RtbSpoke1Endpoint
  SubnetRouteTableAssociationSubnetSpoke1EndpointC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1EndpointC
    Properties:
      SubnetId: !Ref SubnetSpoke1EndpointC
      RouteTableId: !Ref RtbSpoke1Endpoint
  SubnetRouteTableAssociationSubnetSpoke1TransitA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1TransitA
    Properties:
      SubnetId: !Ref SubnetSpoke1TransitA
      RouteTableId: !Ref RtbSpoke1Transit
  SubnetRouteTableAssociationSubnetSpoke1TransitC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    DependsOn: SubnetSpoke1TransitC
    Properties:
      SubnetId: !Ref SubnetSpoke1TransitC
      RouteTableId: !Ref RtbSpoke1Transit
  # EC2
  Ec2Spoke1:
    Type: AWS::EC2::Instance
    Properties:
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: true
            Encrypted: false
            VolumeType: gp3
            VolumeSize: 8
            Iops: 3000
      DisableApiTermination: false
      EbsOptimized: false
      IamInstanceProfile: !Ref EC2InstanceProfile
      ImageId: ami-07fb3592ea2a31402
      InstanceType: t4g.nano
      Monitoring: false
      NetworkInterfaces:
        - AssociatePublicIpAddress: false
          DeleteOnTermination: true
          DeviceIndex: 0
          GroupSet:
            - !Ref SgEc2Spoke1 # SecurityGroup
          PrivateIpAddresses:
            - PrivateIpAddress: !Ref Ec2Spoke1PrivateIp
              Primary: true
          SubnetId: !Ref SubnetSpoke1ProtectedA # Subnet
      SourceDestCheck: true
      Tags:
        - Key: Name
          Value: ec2-spoke1-protected-a # Name
  ## Security group for EC2
  SgEc2Spoke1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: for ec2-Spoke1
      GroupName: sec-ec2-Spoke1
      ### Allow connectivity from vpc-Spoke2. Session Manager is used for login, so the vpc-Spoke1 CIDR need not be allowed.
      SecurityGroupIngress:
        - CidrIp: !Ref VpcSpoke2Cidr
          FromPort: -1
          ToPort: -1
          IpProtocol: -1
      Tags:
        - Key: Name
          Value: sec-ec2-Spoke1
      VpcId: !Ref VpcSpoke1
  # VPC endpoints
  ## The three VPC endpoints needed for Session Manager
  Spoke1Ssm:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SgVpceSpoke1
      ServiceName: com.amazonaws.ap-northeast-1.ssm
      SubnetIds:
        - !Ref SubnetSpoke1EndpointA
      VpcEndpointType: Interface
      VpcId: !Ref VpcSpoke1
  Spoke1SsmMessages:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SgVpceSpoke1
      ServiceName: com.amazonaws.ap-northeast-1.ssmmessages
      SubnetIds:
        - !Ref SubnetSpoke1EndpointA
      VpcEndpointType: Interface
      VpcId: !Ref VpcSpoke1
  Spoke1Ec2Message:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds:
        - !Ref SgVpceSpoke1
      ServiceName: com.amazonaws.ap-northeast-1.ec2messages
      SubnetIds:
        - !Ref SubnetSpoke1EndpointA # EndPoint Subnet
      VpcEndpointType: Interface
      VpcId: !Ref VpcSpoke1
  ## Security group for the VPC endpoints
  SgVpceSpoke1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: temp
      GroupName: sec-vpce-Spoke1
      SecurityGroupIngress:
        - CidrIp: !Ref VpcSpoke1Cidr # Allow traffic from the vpc-Spoke1 CIDR
          FromPort: 443
          ToPort: 443
          IpProtocol: tcp
      Tags:
        - Key: Name
          Value: sec-vpce-Spoke1
      VpcId: !Ref VpcSpoke1
  # Transit Gateway attachment and route table
  TGWAttSpoke1:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      SubnetIds:
        - !Ref SubnetSpoke1TransitA
        - !Ref SubnetSpoke1TransitC
      Tags:
        - Key: Name
          Value: tgw-attach-Spoke1
      TransitGatewayId: !Ref TGWCommon
      VpcId: !Ref VpcSpoke1
  TGWRouteTableSpoke1:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      Tags:
        - Key: Name
          Value: tgw-rtb-Spoke1
      TransitGatewayId: !Ref TGWCommon
  # The spoke's only TGW route is a default route to the inspection VPC attachment.
  TGWSpoke1Route0:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayAttachmentId: !Ref TGWAttNwMng
      TransitGatewayRouteTableId: !Ref TGWRouteTableSpoke1
  AssociateVpcSpoke1RouteTable:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref TGWAttSpoke1
      TransitGatewayRouteTableId: !Ref TGWRouteTableSpoke1
  #######################################################################
  ## Resources related to vpc-Spoke2 ##
  #######################################################################
  VpcSpoke2:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcSpoke2Cidr
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: vpc-Spoke2
  ## VPC Flow Logs
  LogGroupVPCFlowLogSpoke2:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 7
      LogGroupName: vpcflowlog-Spoke2
  VPCFlowLogSpoke2:
    Type: AWS::EC2::FlowLog
    Properties:
      DeliverLogsPermissionArn: !GetAtt
        - FlowLogsRole
        - Arn
      LogGroupName: !Ref LogGroupVPCFlowLogSpoke2
      ResourceId: !Ref VpcSpoke2
      ResourceType: VPC
      Tags:
        - Key: Name
          Value: vpcflowlog-Spoke2
      TrafficType: ALL
  ## Subnets
  SubnetSpoke2ProtectedA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke2ProtectedACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-protected-a
  SubnetSpoke2ProtectedC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke2ProtectedCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-protected-c
  SubnetSpoke2PrivateA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke2PrivateACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-private-a
  SubnetSpoke2PrivateC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1c
      CidrBlock: !Ref SubnetSpoke2PrivateCCidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-private-c
  SubnetSpoke2EndpointA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcSpoke2
      AvailabilityZone: ap-northeast-1a
      CidrBlock: !Ref SubnetSpoke2EndpointACidr
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: subnet-Spoke2-endpoint-a
  SubnetSpoke2EndpointC:
Type: AWS::EC2::Subnet | |
Properties: | |
VpcId: !Ref VpcSpoke2 | |
AvailabilityZone: ap-northeast-1c | |
CidrBlock: !Ref SubnetSpoke2EndpointCCidr | |
MapPublicIpOnLaunch: false | |
Tags: | |
- Key: Name | |
Value: subnet-Spoke2-endpoint-c | |
SubnetSpoke2TransitA: | |
Type: AWS::EC2::Subnet | |
Properties: | |
VpcId: !Ref VpcSpoke2 | |
AvailabilityZone: ap-northeast-1a | |
CidrBlock: !Ref SubnetSpoke2TransitACidr | |
MapPublicIpOnLaunch: false | |
Tags: | |
- Key: Name | |
Value: subnet-Spoke2-tgw-a | |
SubnetSpoke2TransitC: | |
Type: AWS::EC2::Subnet | |
Properties: | |
VpcId: !Ref VpcSpoke2 | |
AvailabilityZone: ap-northeast-1c | |
CidrBlock: !Ref SubnetSpoke2TransitCCidr | |
MapPublicIpOnLaunch: false | |
Tags: | |
- Key: Name | |
Value: subnet-Spoke2-tgw-c | |
## ルートテーブル | |
### rtb.Spoke2-protected | |
RtbSpoke2Protected: | |
Type: AWS::EC2::RouteTable | |
Properties: | |
VpcId: !Ref VpcSpoke2 | |
Tags: | |
- Key: Name | |
Value: rtb-Spoke2-protected | |
RtbSpoke2ProtectedARoute0: | |
Type: AWS::EC2::Route | |
DependsOn: TGWAttSpoke2 | |
Properties: | |
RouteTableId: !Ref RtbSpoke2Protected | |
DestinationCidrBlock: 0.0.0.0/0 | |
TransitGatewayId: !Ref TGWCommon | |
### rtb-Spoke2-private | |
RtbSpoke2Private: | |
Type: AWS::EC2::RouteTable | |
Properties: | |
VpcId: !Ref VpcSpoke2 | |
Tags: | |
- Key: Name | |
Value: rtb-Spoke2-private | |
### rtb-Spoke2-endpoint | |
RtbSpoke2Endpoint: | |
Type: AWS::EC2::RouteTable | |
Properties: | |
VpcId: !Ref VpcSpoke2 | |
Tags: | |
- Key: Name | |
Value: rtb-Spoke2-endpoint | |
### rtb-Spoke2-tgw | |
RtbSpoke2Transit: | |
Type: AWS::EC2::RouteTable | |
Properties: | |
VpcId: !Ref VpcSpoke2 | |
Tags: | |
- Key: Name | |
Value: rtb-Spoke2-tgw | |
## ルートテーブルへのサブネット関連付け | |
SubnetRouteTableAssociationSubnetSpoke2ProtectedA: | |
Type: AWS::EC2::SubnetRouteTableAssociation | |
DependsOn: SubnetSpoke2ProtectedA | |
Properties: | |
SubnetId: !Ref SubnetSpoke2ProtectedA | |
RouteTableId: !Ref RtbSpoke2Protected | |
SubnetRouteTableAssociationSubnetSpoke2ProtectedC: | |
Type: AWS::EC2::SubnetRouteTableAssociation | |
DependsOn: SubnetSpoke2ProtectedC | |
Properties: | |
SubnetId: !Ref SubnetSpoke2ProtectedC | |
RouteTableId: !Ref RtbSpoke2Protected | |
SubnetRouteTableAssociationSubnetSpoke2PrivateA: | |
Type: AWS::EC2::SubnetRouteTableAssociation | |
DependsOn: SubnetSpoke2PrivateA | |
Properties: | |
SubnetId: !Ref SubnetSpoke2PrivateA | |
RouteTableId: !Ref RtbSpoke2Private | |
SubnetRouteTableAssociationSubnetSpoke2PrivateC: | |
Type: AWS::EC2::SubnetRouteTableAssociation | |
DependsOn: SubnetSpoke2PrivateC | |
Properties: | |
SubnetId: !Ref SubnetSpoke2PrivateC | |
RouteTableId: !Ref RtbSpoke2Private | |
SubnetRouteTableAssociationSubnetSpoke2EndpointA: | |
Type: AWS::EC2::SubnetRouteTableAssociation | |
DependsOn: SubnetSpoke2EndpointA | |
Properties: | |
SubnetId: !Ref SubnetSpoke2EndpointA | |
RouteTableId: !Ref RtbSpoke2Endpoint | |
SubnetRouteTableAssociationSubnetSpoke2EndpointC: | |
Type: AWS::EC2::SubnetRouteTableAssociation | |
DependsOn: SubnetSpoke2EndpointC | |
Properties: | |
SubnetId: !Ref SubnetSpoke2EndpointC | |
RouteTableId: !Ref RtbSpoke2Endpoint | |
SubnetRouteTableAssociationSubnetSpoke2TransitA: | |
Type: AWS::EC2::SubnetRouteTableAssociation | |
DependsOn: SubnetSpoke2TransitA | |
Properties: | |
SubnetId: !Ref SubnetSpoke2TransitA | |
RouteTableId: !Ref RtbSpoke2Transit | |
SubnetRouteTableAssociationSubnetSpoke2TransitC: | |
Type: AWS::EC2::SubnetRouteTableAssociation | |
DependsOn: SubnetSpoke2TransitC | |
Properties: | |
SubnetId: !Ref SubnetSpoke2TransitC | |
RouteTableId: !Ref RtbSpoke2Transit | |
# EC2 | |
Ec2Spoke2: | |
Type: AWS::EC2::Instance | |
Properties: | |
BlockDeviceMappings: | |
- DeviceName: /dev/xvda | |
Ebs: | |
DeleteOnTermination: true | |
Encrypted: false | |
VolumeType: gp3 | |
VolumeSize: 8 | |
Iops: 3000 | |
DisableApiTermination: false | |
EbsOptimized: false | |
IamInstanceProfile: !Ref EC2InstanceProfile | |
ImageId: ami-07fb3592ea2a31402 | |
InstanceType: t4g.nano | |
Monitoring: false | |
NetworkInterfaces: | |
- AssociatePublicIpAddress: false | |
DeleteOnTermination: true | |
DeviceIndex: 0 | |
GroupSet: | |
- !Ref SgEc2Spoke2 # SecurityGroup | |
PrivateIpAddresses: | |
- PrivateIpAddress: !Ref Ec2Spoke2PrivateIp | |
Primary: true | |
SubnetId: !Ref SubnetSpoke2ProtectedC # Subnet | |
SourceDestCheck: true | |
Tags: | |
- Key: Name | |
Value: ec2-Spoke2-protected-c # Name | |
## EC2用セキュリティグループ | |
SgEc2Spoke2: | |
Type: AWS::EC2::SecurityGroup | |
Properties: | |
GroupDescription: for ec2-Spoke2 | |
GroupName: sec-ec2-Spoke2 | |
### vpc-Spoke1からの疎通を許可。ログインにはセッションマネージャを使用するためvpc-Spoke2CIDRは許可しなくて良い。 | |
SecurityGroupIngress: | |
- CidrIp: !Ref VpcSpoke1Cidr | |
FromPort: -1 | |
ToPort: -1 | |
IpProtocol: -1 | |
Tags: | |
- Key: Name | |
Value: sec-ec2-Spoke2 | |
VpcId: !Ref VpcSpoke2 | |
# VPCエンドポイント | |
## セッションマネージャ利用のためのVPCエンドポイント3つ | |
Spoke2Ssm: | |
Type: AWS::EC2::VPCEndpoint | |
Properties: | |
PrivateDnsEnabled: true | |
SecurityGroupIds: | |
- !Ref SgVpceSpoke2 | |
ServiceName: com.amazonaws.ap-northeast-1.ssm | |
SubnetIds: | |
- !Ref SubnetSpoke2EndpointA | |
VpcEndpointType: Interface | |
VpcId: !Ref VpcSpoke2 | |
Spoke2SsmMessages: | |
Type: AWS::EC2::VPCEndpoint | |
Properties: | |
PrivateDnsEnabled: true | |
SecurityGroupIds: | |
- !Ref SgVpceSpoke2 | |
ServiceName: com.amazonaws.ap-northeast-1.ssmmessages | |
SubnetIds: | |
- !Ref SubnetSpoke2EndpointA | |
VpcEndpointType: Interface | |
VpcId: !Ref VpcSpoke2 | |
Spoke2Ec2Message: | |
Type: AWS::EC2::VPCEndpoint | |
Properties: | |
PrivateDnsEnabled: true | |
SecurityGroupIds: | |
- !Ref SgVpceSpoke2 | |
ServiceName: com.amazonaws.ap-northeast-1.ec2messages | |
SubnetIds: | |
- !Ref SubnetSpoke2EndpointA # EndPoint Subnet | |
VpcEndpointType: Interface | |
VpcId: !Ref VpcSpoke2 | |
## VPCエンドポイント用セキュリティグループ | |
SgVpceSpoke2: | |
Type: AWS::EC2::SecurityGroup | |
Properties: | |
GroupDescription: temp | |
GroupName: sec-vpce-Spoke2 | |
SecurityGroupIngress: | |
- CidrIp: !Ref VpcSpoke2Cidr # vpc-Spoke2のCIDRからの通信を許可 | |
FromPort: 443 | |
ToPort: 443 | |
IpProtocol: tcp | |
Tags: | |
- Key: Name | |
Value: sec-vpce-Spoke2 | |
VpcId: !Ref VpcSpoke2 | |
# Transit Gatewayアタッチメント及びルートテーブル | |
TGWAttSpoke2: | |
Type: AWS::EC2::TransitGatewayAttachment | |
Properties: | |
SubnetIds: | |
- !Ref SubnetSpoke2TransitA | |
- !Ref SubnetSpoke2TransitC | |
Tags: | |
- Key: Name | |
Value: tgw-attach-Spoke2 | |
TransitGatewayId: !Ref TGWCommon | |
VpcId: !Ref VpcSpoke2 | |
TGWRouteTableSpoke2: | |
Type: AWS::EC2::TransitGatewayRouteTable | |
Properties: | |
Tags: | |
- Key: Name | |
Value: tgw-rtb-Spoke2 | |
TransitGatewayId: !Ref TGWCommon | |
TGWSpoke2Route0: | |
Type: AWS::EC2::TransitGatewayRoute | |
Properties: | |
DestinationCidrBlock: 0.0.0.0/0 | |
TransitGatewayAttachmentId: !Ref TGWAttNwMng | |
TransitGatewayRouteTableId: !Ref TGWRouteTableSpoke2 | |
AssociateVpcSpoke2RouteTable: | |
Type: AWS::EC2::TransitGatewayRouteTableAssociation | |
Properties: | |
TransitGatewayAttachmentId: !Ref TGWAttSpoke2 | |
TransitGatewayRouteTableId: !Ref TGWRouteTableSpoke2 |
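The spoke-VPC design above relies on two routing invariants (the protected subnets' default route goes to the Transit Gateway, and the spoke TGW route table's default route targets the inspection VPC attachment TGWAttNwMng) plus a security group that deliberately admits all protocols from vpc-Spoke1. The following is an added audit helper, not part of the gist, that checks those invariants over resources already parsed into a dict (`!Ref X` written in its JSON form `{"Ref": "X"}`); the sample resources and the `audit_spoke`/`ref_name` names are constructed here to mirror vpc-Spoke2.

```python
# Added example (not part of the gist): audit parsed CloudFormation resources
# for the inspection-VPC invariants and for settings a reviewer would flag.
INSPECTION_ATTACHMENT = "TGWAttNwMng"  # attachment of the Network Firewall VPC


def ref_name(value):
    """Unwrap {"Ref": "X"} to "X"; pass plain literals through unchanged."""
    return value.get("Ref", value) if isinstance(value, dict) else value


def audit_spoke(resources, inspection_attachment=INSPECTION_ATTACHMENT):
    """Return (resource_name, finding) tuples; an empty list means clean."""
    findings = []
    for name, res in resources.items():
        kind, props = res["Type"], res.get("Properties", {})
        default = props.get("DestinationCidrBlock") == "0.0.0.0/0"
        if kind == "AWS::EC2::Route" and default and "TransitGatewayId" not in props:
            # A default route via an IGW or NAT gateway would bypass inspection.
            findings.append((name, "default route does not go via the Transit Gateway"))
        elif kind == "AWS::EC2::TransitGatewayRoute" and default:
            target = ref_name(props.get("TransitGatewayAttachmentId"))
            if target != inspection_attachment:
                findings.append((name, f"TGW default route targets {target}, not the inspection VPC"))
        elif kind == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if str(rule.get("IpProtocol")) == "-1":  # all protocols / all ports
                    findings.append((name, f"all-protocol ingress from {ref_name(rule.get('CidrIp'))}"))
        elif kind == "AWS::EC2::Instance":
            for bdm in props.get("BlockDeviceMappings", []):
                if not bdm.get("Ebs", {}).get("Encrypted", False):
                    findings.append((name, f"unencrypted volume {bdm.get('DeviceName')}"))
    return findings


# Constructed sample mirroring the vpc-Spoke2 resources in the template above.
SPOKE2_RESOURCES = {
    "RtbSpoke2ProtectedARoute0": {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": {"Ref": "RtbSpoke2Protected"},
        "DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": {"Ref": "TGWCommon"}}},
    "TGWSpoke2Route0": {"Type": "AWS::EC2::TransitGatewayRoute", "Properties": {
        "DestinationCidrBlock": "0.0.0.0/0",
        "TransitGatewayAttachmentId": {"Ref": "TGWAttNwMng"}}},
    "SgEc2Spoke2": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"CidrIp": {"Ref": "VpcSpoke1Cidr"}, "IpProtocol": -1}]}},
    "SgVpceSpoke2": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"CidrIp": {"Ref": "VpcSpoke2Cidr"}, "IpProtocol": "tcp",
                                  "FromPort": 443, "ToPort": 443}]}},
    "Ec2Spoke2": {"Type": "AWS::EC2::Instance", "Properties": {
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": False}}]}},
}

if __name__ == "__main__":
    for resource, finding in audit_spoke(SPOKE2_RESOURCES):
        print(f"{resource}: {finding}")
```

Run against the sample, the routing checks pass and the two findings are the intentional all-protocol ingress on sec-ec2-Spoke2 and the unencrypted root volume of ec2-Spoke2.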