Last active
November 17, 2020 14:32
-
-
Save oz-urabe/c66244d6a59295c82c0dfc39b44143c4 to your computer and use it in GitHub Desktop.
AWS Clinent VPN を固定IP から接続するための 起動用 Cloudformation テンプレート
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: "2010-09-09" | |
| Description: VPN Template | |
| Parameters: | |
| EIPAllocationId: | |
| Description: "Elastic IP AllocationId. See here https://console.aws.amazon.com/vpc/home#Addresses" | |
| Default: eipalloc-00000000000000000 | |
| Type: String | |
| ACMArn: | |
| Description: "AWS Certificate Manager Arn. See here https://console.aws.amazon.com/acm/home" | |
| Default: arn:aws:acm:ap-northeast-1:000000000000:certificate/00000000-0000-0000-0000-000000000000 | |
| Type: String | |
| SSHKeyName: | |
| Description: "SSH Key Name to nat instance. See here https://console.aws.amazon.com/ec2/v2/home#KeyPairs:" | |
| Default: hogehoge_key | |
| Type: String | |
| NatAMIImage: | |
| Description: "Nat AMI Image" | |
| Default: ami-00d29e4cb217ae06b | |
| Type: String | |
| AvailabilityZoneLeft: | |
| Description: "Availability Zone Left" | |
| Default: ap-northeast-1a | |
| Type: String | |
| AvailabilityZoneRight: | |
| Description: "Availability Zone Right" | |
| Default: ap-northeast-1c | |
| Type: String | |
| Resources: | |
| VPC: | |
| Type: AWS::EC2::VPC | |
| Properties: | |
| CidrBlock: 10.0.0.0/16 | |
| EnableDnsSupport: true | |
| EnableDnsHostnames: true | |
| Tags: | |
| - Key: Name | |
| Value: "vpn-vpc" | |
| PublicSubnet: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| AvailabilityZone: !Ref AvailabilityZoneLeft | |
| CidrBlock: 10.0.0.0/22 | |
| MapPublicIpOnLaunch: true | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: "vpn-public" | |
| PrivateLeftSubnet: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| AvailabilityZone: !Ref AvailabilityZoneLeft | |
| CidrBlock: 10.0.4.0/23 | |
| MapPublicIpOnLaunch: false | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: "vpn-private-left" | |
| PrivateRightSubnet: | |
| Type: AWS::EC2::Subnet | |
| Properties: | |
| AvailabilityZone: !Ref AvailabilityZoneRight | |
| CidrBlock: 10.0.6.0/23 | |
| MapPublicIpOnLaunch: false | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: "vpn-private-right" | |
| InternetGateway: | |
| Type: AWS::EC2::InternetGateway | |
| Properties: | |
| Tags: | |
| - Key: Name | |
| Value: "vpn-igw" | |
| IgwAttache: | |
| Type: AWS::EC2::VPCGatewayAttachment | |
| Properties: | |
| InternetGatewayId: !Ref InternetGateway | |
| VpcId: !Ref VPC | |
| PrivateRouteTable: | |
| Type: AWS::EC2::RouteTable | |
| Properties: | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: "vpn-private-rtb" | |
| PublicRouteTable: | |
| Type: AWS::EC2::RouteTable | |
| Properties: | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: "vpn-public-rtb" | |
| ChangePublicRouteTable: | |
| Type: AWS::EC2::Route | |
| DependsOn: IgwAttache | |
| Properties: | |
| RouteTableId: !Ref PublicRouteTable | |
| DestinationCidrBlock: 0.0.0.0/0 | |
| GatewayId: !Ref InternetGateway | |
| ChangePrivateRouteTable: | |
| Type: AWS::EC2::Route | |
| DependsOn: IgwAttache | |
| Properties: | |
| RouteTableId: !Ref PrivateRouteTable | |
| DestinationCidrBlock: 0.0.0.0/0 | |
| InstanceId: !Ref EC2Nat | |
| SubnetPublicRouteTableAssociation: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| RouteTableId: !Ref PublicRouteTable | |
| SubnetId: !Ref PublicSubnet | |
| SubnetPrivateLeftRouteTableAssociation: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| RouteTableId: !Ref PrivateRouteTable | |
| SubnetId: !Ref PrivateLeftSubnet | |
| SubnetPrivateRightRouteTableAssociation: | |
| Type: AWS::EC2::SubnetRouteTableAssociation | |
| Properties: | |
| RouteTableId: !Ref PrivateRouteTable | |
| SubnetId: !Ref PrivateRightSubnet | |
| NatSecurityGroup: | |
| Type: AWS::EC2::SecurityGroup | |
| Properties: | |
| GroupName: "vpn-nat-sg" | |
| GroupDescription: "vpn-nat-sg" | |
| VpcId: !Ref VPC | |
| Tags: | |
| - Key: Name | |
| Value: "vpn-nat-sg" | |
| SecurityGroupIngress: | |
| - IpProtocol: -1 | |
| FromPort: -1 | |
| ToPort: -1 | |
| CidrIp: 10.0.0.0/16 | |
| Description: from vpc | |
| EC2Nat: | |
| Type: AWS::EC2::Instance | |
| Properties: | |
| BlockDeviceMappings: | |
| - DeviceName: /dev/xvda | |
| Ebs: | |
| VolumeType: gp2 | |
| VolumeSize: 8 | |
| ImageId: !Ref NatAMIImage | |
| InstanceInitiatedShutdownBehavior: stop | |
| InstanceType: t3.nano | |
| KeyName: !Ref SSHKeyName | |
| Monitoring: false | |
| SecurityGroupIds: | |
| - !GetAtt NatSecurityGroup.GroupId | |
| SubnetId: !Ref PublicSubnet | |
| Tenancy: default | |
| SourceDestCheck: false | |
| UserData: | |
| Fn::Base64: !Sub | | |
| #!/bin/bash | |
| yum -y update | |
| Tags: | |
| - Key: Name | |
| Value: "vpn-nat" | |
| ElasticIPAssociate: | |
| Type: AWS::EC2::EIPAssociation | |
| Properties: | |
| AllocationId: !Ref EIPAllocationId | |
| InstanceId: !Ref EC2Nat | |
| VPNLogGroup: | |
| Type: AWS::Logs::LogGroup | |
| Properties: | |
| LogGroupName: "/aws/vpn" | |
| RetentionInDays: 90 | |
| VPNLogStream: | |
| Type: AWS::Logs::LogStream | |
| Properties: | |
| LogGroupName: !Ref VPNLogGroup | |
| LogStreamName: all-vpn | |
| AwsClinentVPN: | |
| Type: AWS::EC2::ClientVpnEndpoint | |
| DependsOn: VPNLogStream | |
| Properties: | |
| AuthenticationOptions: | |
| - Type: "certificate-authentication" | |
| MutualAuthentication: | |
| ClientRootCertificateChainArn: !Ref ACMArn | |
| ClientCidrBlock: 10.1.0.0/16 | |
| ConnectionLogOptions: | |
| Enabled: true | |
| CloudwatchLogGroup: !Ref VPNLogGroup | |
| CloudwatchLogStream: !Ref VPNLogStream | |
| Description: "private vpn" | |
| ServerCertificateArn: !Ref ACMArn | |
| TransportProtocol: udp | |
| TagSpecifications: | |
| - ResourceType: "client-vpn-endpoint" | |
| Tags: | |
| - Key: Name | |
| Value: "vpn" | |
| ClientVpnLeftTargetNetworkAssociation: | |
| Type: AWS::EC2::ClientVpnTargetNetworkAssociation | |
| DependsOn: PrivateLeftSubnet | |
| Properties: | |
| ClientVpnEndpointId: !Ref AwsClinentVPN | |
| SubnetId: !Ref PrivateLeftSubnet | |
| ClientVpnRightTargetNetworkAssociation: | |
| Type: AWS::EC2::ClientVpnTargetNetworkAssociation | |
| DependsOn: PrivateRightSubnet | |
| Properties: | |
| ClientVpnEndpointId: !Ref AwsClinentVPN | |
| SubnetId: !Ref PrivateRightSubnet | |
| ClientVpnAuthorizationRule: | |
| Type: AWS::EC2::ClientVpnAuthorizationRule | |
| Properties: | |
| ClientVpnEndpointId: !Ref AwsClinentVPN | |
| AuthorizeAllGroups: true | |
| TargetNetworkCidr: 0.0.0.0/0 | |
| ClientVpnLeftRoute: | |
| Type: AWS::EC2::ClientVpnRoute | |
| DependsOn: ClientVpnLeftTargetNetworkAssociation | |
| Properties: | |
| ClientVpnEndpointId: !Ref AwsClinentVPN | |
| DestinationCidrBlock: 0.0.0.0/0 | |
| TargetVpcSubnetId: !Ref PrivateLeftSubnet | |
| ClientVpnRightRoute: | |
| Type: AWS::EC2::ClientVpnRoute | |
| DependsOn: ClientVpnRightTargetNetworkAssociation | |
| Properties: | |
| ClientVpnEndpointId: !Ref AwsClinentVPN | |
| DestinationCidrBlock: 0.0.0.0/0 | |
| TargetVpcSubnetId: !Ref PrivateRightSubnet |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment