Same as lean version, but with NAT Gateway and Bastion host
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "VPC Across 3 AZs",
"Parameters": {
"EnvName": {
"Type": "String",
"Default": "Dev",
"AllowedValues": [
"Dev", "Test", "Prod"
],
"Description": "Select the environment name"
},
"TargetAZs": {
"Description": "AZs to create subnets for. Currently hardcoded to 3; if you do not supply exactly 3 AZs, THE STACK WILL FAIL.",
"Type": "List<AWS::EC2::AvailabilityZone::Name>"
},
"BastionKeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the bastion host",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
},
"BastionInstanceType": {
"Description": "Bastion Host EC2 instance type",
"Type": "String",
"Default": "t2.micro",
"AllowedValues": [
"t1.micro", "t2.nano", "t2.micro", "t2.small", "t2.medium", "t2.large", "m1.small", "m1.medium", "m1.large",
"m1.xlarge", "m2.xlarge", "m2.2xlarge", "m2.4xlarge", "m3.medium", "m3.large", "m3.xlarge", "m3.2xlarge",
"m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge", "m4.10xlarge", "c1.medium", "c1.xlarge", "c3.large",
"c3.xlarge", "c3.2xlarge", "c3.4xlarge", "c3.8xlarge", "c4.large", "c4.xlarge", "c4.2xlarge", "c4.4xlarge",
"c4.8xlarge", "g2.2xlarge", "g2.8xlarge", "r3.large", "r3.xlarge", "r3.2xlarge", "r3.4xlarge", "r3.8xlarge",
"i2.xlarge", "i2.2xlarge", "i2.4xlarge", "i2.8xlarge", "d2.xlarge", "d2.2xlarge", "d2.4xlarge", "d2.8xlarge",
"hi1.4xlarge", "hs1.8xlarge", "cr1.8xlarge", "cc2.8xlarge", "cg1.4xlarge"
],
"ConstraintDescription": "must be a valid EC2 instance type."
},
"BastionSSHLocation": {
"Description": "Lock down SSH access to the bastion host (the default, 0.0.0.0/0, allows SSH from anywhere)",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid CIDR range of the form x.x.x.x/x."
}
},
"Mappings": {
"SubnetConfig": {
"VPC": {
"CIDR": "10.0.0.0/16"
}, "AZ1-Public": {
"CIDR": "10.0.32.0/20"
}, "AZ1-Private": {
"CIDR": "10.0.0.0/19"
}, "AZ2-Public": {
"CIDR": "10.0.96.0/20"
}, "AZ2-Private": {
"CIDR": "10.0.64.0/19"
}, "AZ3-Public": {
"CIDR": "10.0.160.0/20"
}, "AZ3-Private": {
"CIDR": "10.0.128.0/19"
}
},
"AWSInstanceType2Arch": {
"t1.micro": {"Arch": "PV64"},
"t2.nano": {"Arch": "HVM64"},
"t2.micro": {"Arch": "HVM64"},
"t2.small": {"Arch": "HVM64"},
"t2.medium": {"Arch": "HVM64"},
"t2.large": {"Arch": "HVM64"},
"m1.small": {"Arch": "PV64"},
"m1.medium": {"Arch": "PV64"},
"m1.large": {"Arch": "PV64"},
"m1.xlarge": {"Arch": "PV64"},
"m2.xlarge": {"Arch": "PV64"},
"m2.2xlarge": {"Arch": "PV64"},
"m2.4xlarge": {"Arch": "PV64"},
"m3.medium": {"Arch": "HVM64"},
"m3.large": {"Arch": "HVM64"},
"m3.xlarge": {"Arch": "HVM64"},
"m3.2xlarge": {"Arch": "HVM64"},
"m4.large": {"Arch": "HVM64"},
"m4.xlarge": {"Arch": "HVM64"},
"m4.2xlarge": {"Arch": "HVM64"},
"m4.4xlarge": {"Arch": "HVM64"},
"m4.10xlarge": {"Arch": "HVM64"},
"c1.medium": {"Arch": "PV64"},
"c1.xlarge": {"Arch": "PV64"},
"c3.large": {"Arch": "HVM64"},
"c3.xlarge": {"Arch": "HVM64"},
"c3.2xlarge": {"Arch": "HVM64"},
"c3.4xlarge": {"Arch": "HVM64"},
"c3.8xlarge": {"Arch": "HVM64"},
"c4.large": {"Arch": "HVM64"},
"c4.xlarge": {"Arch": "HVM64"},
"c4.2xlarge": {"Arch": "HVM64"},
"c4.4xlarge": {"Arch": "HVM64"},
"c4.8xlarge": {"Arch": "HVM64"},
"g2.2xlarge": {"Arch": "HVMG2"},
"g2.8xlarge": {"Arch": "HVMG2"},
"r3.large": {"Arch": "HVM64"},
"r3.xlarge": {"Arch": "HVM64"},
"r3.2xlarge": {"Arch": "HVM64"},
"r3.4xlarge": {"Arch": "HVM64"},
"r3.8xlarge": {"Arch": "HVM64"},
"i2.xlarge": {"Arch": "HVM64"},
"i2.2xlarge": {"Arch": "HVM64"},
"i2.4xlarge": {"Arch": "HVM64"},
"i2.8xlarge": {"Arch": "HVM64"},
"d2.xlarge": {"Arch": "HVM64"},
"d2.2xlarge": {"Arch": "HVM64"},
"d2.4xlarge": {"Arch": "HVM64"},
"d2.8xlarge": {"Arch": "HVM64"},
"hi1.4xlarge": {"Arch": "HVM64"},
"hs1.8xlarge": {"Arch": "HVM64"},
"cr1.8xlarge": {"Arch": "HVM64"},
"cc2.8xlarge": {"Arch": "HVM64"}
},
"AWSRegionArch2AMI": {
"us-east-1": {"PV64": "ami-5fb8c835", "HVM64": "ami-60b6c60a", "HVMG2": "ami-e998ea83"},
"us-west-2": {"PV64": "ami-d93622b8", "HVM64": "ami-f0091d91", "HVMG2": "ami-315f4850"},
"us-west-1": {"PV64": "ami-56ea8636", "HVM64": "ami-d5ea86b5", "HVMG2": "ami-943956f4"},
"eu-west-1": {"PV64": "ami-95e33ce6", "HVM64": "ami-bff32ccc", "HVMG2": "ami-83fd23f0"},
"eu-central-1": {"PV64": "ami-794a5915", "HVM64": "ami-bc5b48d0", "HVMG2": "ami-ba1a09d6"},
"ap-northeast-1": {"PV64": "ami-393c1957", "HVM64": "ami-383c1956", "HVMG2": "ami-08e5c166"},
"ap-northeast-2": {"PV64": "NOT_SUPPORTED", "HVM64": "ami-249b554a", "HVMG2": "NOT_SUPPORTED"},
"ap-southeast-1": {"PV64": "ami-34bd7a57", "HVM64": "ami-c9b572aa", "HVMG2": "ami-5a15d239"},
"ap-southeast-2": {"PV64": "ami-ced887ad", "HVM64": "ami-48d38c2b", "HVMG2": "ami-0c1a446f"},
"sa-east-1": {"PV64": "ami-7d15ad11", "HVM64": "ami-6817af04", "HVMG2": "NOT_SUPPORTED"},
"cn-north-1": {"PV64": "ami-18ac6575", "HVM64": "ami-43a36a2e", "HVMG2": "NOT_SUPPORTED"}
}
},
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "VPC", "CIDR"]},
"InstanceTenancy": "default",
"EnableDnsSupport": "true",
"EnableDnsHostnames": "false",
"Tags": [
{
"Key": "Name", "Value": {"Fn::Join": ["", [{"Ref": "EnvName"}, "_VPC"]]}
}
]
}
},
"SubnetAz1Public": {
"Type": "AWS::EC2::Subnet", "Properties": {
"CidrBlock": {
"Fn::FindInMap": ["SubnetConfig", "AZ1-Public", "CIDR"]
},
"AvailabilityZone": {
"Fn::Select": ["0", {"Ref": "TargetAZs"}]
},
"VpcId": {"Ref": "VPC"},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["0", {"Ref": "TargetAZs"}]}, "-public"]
]
}
}
]
}
},
"SubnetAz1Private": {
"Type": "AWS::EC2::Subnet", "Properties": {
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "AZ1-Private", "CIDR"]},
"AvailabilityZone": {"Fn::Select": ["0", {"Ref": "TargetAZs"}]}, "VpcId": {"Ref": "VPC"},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["0", {"Ref": "TargetAZs"}]}, "-private"]
]
}
}
]
}
},
"SubnetAz2Public": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "AZ2-Public", "CIDR"]},
"AvailabilityZone": {"Fn::Select": ["1", {"Ref": "TargetAZs"}]}, "VpcId": {"Ref": "VPC"},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["1", {"Ref": "TargetAZs"}]}, "-public"]
]
}
}
]
}
},
"SubnetAz2Private": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "AZ2-Private", "CIDR"]},
"AvailabilityZone": {"Fn::Select": ["1", {"Ref": "TargetAZs"}]}, "VpcId": {"Ref": "VPC"},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["1", {"Ref": "TargetAZs"}]}, "-private"]
]
}
}
]
}
},
"SubnetAz3Public": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "AZ3-Public", "CIDR"]},
"AvailabilityZone": {"Fn::Select": ["2", {"Ref": "TargetAZs"}]}, "VpcId": {"Ref": "VPC"},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["2", {"Ref": "TargetAZs"}]}, "-public"]
]
}
}
]
}
},
"SubnetAz3Private": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {"Fn::FindInMap": ["SubnetConfig", "AZ3-Private", "CIDR"]},
"AvailabilityZone": {"Fn::Select": ["2", {"Ref": "TargetAZs"}]}, "VpcId": {"Ref": "VPC"},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"", [{"Ref": "EnvName"}, "-", {"Fn::Select": ["2", {"Ref": "TargetAZs"}]}, "-private"]
]
}
}
]
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "Name", "Value": "Dev-Internet_Gateway"
}
]
}
},
"RouteTableInternal": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "VPC"},
"Tags": [
{
"Key": "Name", "Value": "Dev-Internal-RouteTable"
}
]
}
},
"RouteTablePublic": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "VPC"},
"Tags": [
{
"Key": "Name", "Value": "Dev-Public-RouteTable"
}
]
}
},
"GwAttachmentInternetGateway": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {"Ref": "VPC"},
"InternetGatewayId": {"Ref": "InternetGateway"}
}
}, "RouteTableAssocAz1Private": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTableInternal"},
"SubnetId": {"Ref": "SubnetAz1Private"}
}
},
"RouteTableAssocAz3Private": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTableInternal"},
"SubnetId": {"Ref": "SubnetAz3Private"}
}
},
"RouteTableAssocAz2Private": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTableInternal"},
"SubnetId": {"Ref": "SubnetAz2Private"}
}
},
"RouteTableAssocAz1Public": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTablePublic"},
"SubnetId": {"Ref": "SubnetAz1Public"}
}
},
"RouteTableAssocAz3Public": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTablePublic"},
"SubnetId": {"Ref": "SubnetAz3Public"}
}
},
"RouteTableAssocAz2Public": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "RouteTablePublic"},
"SubnetId": {"Ref": "SubnetAz2Public"}
}
},
"RouteTablePublicRoute1": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"RouteTableId": {"Ref": "RouteTablePublic"},
"GatewayId": {"Ref": "InternetGateway"}
},
"DependsOn": "GwAttachmentInternetGateway"
},
"NatGatewayElasticIP": {
"DependsOn": "GwAttachmentInternetGateway",
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"NatGateway": {
"DependsOn": "GwAttachmentInternetGateway",
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {"Fn::GetAtt": ["NatGatewayElasticIP", "AllocationId"]},
"SubnetId": {"Ref": "SubnetAz1Public"}
}
},
"NatGatewayRoute": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {"Ref": "RouteTableInternal"},
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {"Ref": "NatGateway"}
}
},
"BastionIPAddress": {
"Type": "AWS::EC2::EIP",
"DependsOn": "GwAttachmentInternetGateway",
"Properties": {
"Domain": "vpc",
"InstanceId": {"Ref": "BastionHost"}
}
},
"BastionHost": {
"Type": "AWS::EC2::Instance",
"Properties": {
"InstanceType": {"Ref": "BastionInstanceType"},
"KeyName": {"Ref": "BastionKeyName"},
"SubnetId": {"Ref": "SubnetAz1Public"},
"ImageId": {
"Fn::FindInMap": [
"AWSRegionArch2AMI", {"Ref": "AWS::Region"},
{"Fn::FindInMap": ["AWSInstanceType2Arch", {"Ref": "BastionInstanceType"}, "Arch"]}
]
},
"SecurityGroupIds": [{"Ref": "BastionSecurityGroup"}],
"Tags": [
{
"Key": "Name", "Value": {"Fn::Join": ["", [{"Ref": "EnvName"}, "_VPC_BastionHost"]]}
}
]
}
},
"BastionSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable access to the Bastion host",
"VpcId": {"Ref": "VPC"},
"SecurityGroupIngress": [
{"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": {"Ref": "BastionSSHLocation"}}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22",
"CidrIp": {"Fn::FindInMap": ["SubnetConfig", "AZ1-Private", "CIDR"]}
},
{
"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22",
"CidrIp": {"Fn::FindInMap": ["SubnetConfig", "AZ2-Private", "CIDR"]}
},
{
"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22",
"CidrIp": {"Fn::FindInMap": ["SubnetConfig", "AZ3-Private", "CIDR"]}
}
],
"Tags": [
{
"Key": "Name", "Value": {"Fn::Join": ["", [{"Ref": "EnvName"}, "_VPC_BastionHost_SG"]]}
}
]
}
},
"SshAccessSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Attach this security group to instances in private subnets to allow SSH connections from the bastion host",
"VpcId": {"Ref": "VPC"},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22",
"SourceSecurityGroupId": {"Ref": "BastionSecurityGroup"}
}
],
"Tags": [
{
"Key": "Name", "Value": {"Fn::Join": ["", [{"Ref": "EnvName"}, "_VPC_AllowBastionSshConnect"]]}
}
]
}
}
}
}

stcs1 commented Jun 22, 2018

Thanks, that helped me.
