@thapakazi
Created April 11, 2019 12:10
create_vpc work in progress
```yaml
---
Description: >-
  An AWS VPC modelled according to https://medium.com/aws-activate-startup-blog/practical-vpc-design-8412e1a18dcc
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  ###### SubnetA ########################
  # Each AZ gets a /18 of the /16; within it: /19 private, /20 public, /21 protected.
  SubnetAPrivate:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/19
  SubnetAPublic:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.32.0/20
      MapPublicIpOnLaunch: true
  SubnetAProtected:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.48.0/21
  ###### SubnetB ########################
  SubnetBPrivate:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.64.0/19
  SubnetBPublic:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.96.0/20
      MapPublicIpOnLaunch: true
  SubnetBProtected:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.112.0/21
  ##### Routing ######################
  # Only the two public subnets get a default route to the internet gateway;
  # the private and protected subnets currently have no outbound route.
  RouteTablePublic:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTablePublic
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTablePublic
      SubnetId: !Ref SubnetAPublic
  SubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTablePublic
      SubnetId: !Ref SubnetBPublic
  ##### NAT Gateway ######################
  # Work in progress, still commented out. The EIP reference below originally
  # pointed at NATGateway1EIP, which is not defined in this template; it now
  # refers to NatGatewayEIP. The NAT route also needs a route table of its own
  # for the private subnets: adding a second 0.0.0.0/0 route to RouteTablePublic
  # would conflict with InternetRoute.
  # NatGatewayEIP:
  #   Type: AWS::EC2::EIP
  #   Properties:
  #     Domain: vpc
  # NatGateway:
  #   Type: AWS::EC2::NatGateway
  #   DependsOn: VPCGatewayAttachment
  #   Properties:
  #     AllocationId: !GetAtt NatGatewayEIP.AllocationId
  #     SubnetId: !Ref SubnetAPublic
  # PrivateNat:
  #   Type: AWS::EC2::Route
  #   DependsOn: VPCGatewayAttachment
  #   Properties:
  #     DestinationCidrBlock: 0.0.0.0/0
  #     NatGatewayId: !Ref NatGateway
  #     RouteTableId: !Ref RouteTablePublic  # WIP: should be a private route table
  ##### SG ####################
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Internet Group"
      GroupDescription: "SSH traffic in, all traffic out."
      VpcId: !Ref VPC
      SecurityGroupIngress:
        # SSH is open to the whole internet here; narrow CidrIp to the admin
        # range (or front instances with a bastion) before using this outside a lab.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
```
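The subnet sizes in the template follow a fixed pattern (each AZ gets a /18 of the /16, carved into a /19 private, a /20 public and a /21 protected subnet, leaving a spare /21). The following script is an added example, not part of the gist: it derives that plan for any VPC CIDR and AZ count (generalising the two-AZ case above), and checks that a set of subnet CIDRs sits inside the VPC without overlapping. It uses only the Python standard library; `plan_vpc`, `validate_subnets` and `TEMPLATE_SUBNETS` are names chosen here, and the CIDRs in `TEMPLATE_SUBNETS` are copied from the template.

```python
"""
Added example (not from the gist): derive and validate the subnet plan the
template above follows. A /16 VPC is split into one /18 per AZ, and each /18
is carved in order into a /19 private, a /20 public and a /21 protected subnet.
Standard library only.
"""
import ipaddress
from itertools import combinations

# Tier prefixes in the order they are carved out of each AZ block.
TIERS = (("private", 19), ("public", 20), ("protected", 21))


def plan_vpc(vpc_cidr: str, az_count: int = 2, az_prefix: int = 18) -> dict:
    """Return {az_index: {tier_name: IPv4Network}} for the first `az_count` AZ blocks."""
    vpc = ipaddress.ip_network(vpc_cidr)
    az_blocks = list(vpc.subnets(new_prefix=az_prefix))
    if az_count > len(az_blocks):
        raise ValueError(f"{vpc} only has room for {len(az_blocks)} /{az_prefix} AZ blocks")
    plan = {}
    for idx, az in enumerate(az_blocks[:az_count]):
        cursor = az.network_address
        tiers = {}
        for name, prefix in TIERS:
            # ip_network() is strict by default: it raises if `cursor` is not
            # aligned to `prefix`, i.e. if the tier order no longer fits.
            net = ipaddress.ip_network(f"{cursor}/{prefix}")
            if not net.subnet_of(az):
                raise ValueError(f"{name} {net} spills out of AZ block {az}")
            tiers[name] = net
            cursor = net.broadcast_address + 1
        plan[idx] = tiers
    return plan


def validate_subnets(vpc_cidr: str, subnet_cidrs: dict) -> list:
    """Return a list of problems found (empty when the layout is sound)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnet_cidrs.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside {vpc}")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems


# The CIDRs declared in the template above, keyed by logical resource name.
TEMPLATE_SUBNETS = {
    "SubnetAPrivate": "10.0.0.0/19",
    "SubnetAPublic": "10.0.32.0/20",
    "SubnetAProtected": "10.0.48.0/21",
    "SubnetBPrivate": "10.0.64.0/19",
    "SubnetBPublic": "10.0.96.0/20",
    "SubnetBProtected": "10.0.112.0/21",
}


def template_matches_plan(vpc_cidr: str = "10.0.0.0/16") -> bool:
    """True when every template subnet equals the derived plan for its AZ and tier."""
    plan = plan_vpc(vpc_cidr, az_count=2)
    for name, cidr in TEMPLATE_SUBNETS.items():
        az = 0 if name.startswith("SubnetA") else 1
        tier = name[len("SubnetA"):].lower()  # "SubnetAPrivate" -> "private"
        if plan[az][tier] != ipaddress.ip_network(cidr):
            return False
    return True


if __name__ == "__main__":
    for az, tiers in plan_vpc("10.0.0.0/16").items():
        print(f"AZ {az}:", {k: str(v) for k, v in tiers.items()})
    print("problems:", validate_subnets("10.0.0.0/16", TEMPLATE_SUBNETS))
    print("template matches plan:", template_matches_plan())
```

Running it against the template's CIDRs reports no problems and confirms they match the derived plan; feeding it a mis-sized subnet (say a /20 that starts inside the /19 private block) reports the overlap, which is the kind of mistake that only shows up at stack creation time otherwise.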
@rbalman commented Apr 12, 2019

Looks fine but minor improvements can be done like:

- CFN Parameters can be used in multiple places
- CIDR block could be made dynamic so that multiple VPCs can be created like this

  ```yaml
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Sub '10.${SecondOctet}.0.0/16'
  ```

- Addition of Availability Zones in subnets
- Addition of TAGS
- Addition of NACL as well
- Addition of Flow logs

  ```yaml
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 90
      LogGroupName: !Join ['/', ['/aws', 'vpc', 'myvpc']]

  Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - vpc-flow-logs.amazonaws.com
          Action: sts:AssumeRole
      Policies:
        # PolicyName must be unique
      - PolicyName: mypolicyforflowlog
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - logs:CreateLogStream
            - logs:PutLogEvents
            - logs:DescribeLogGroups
            - logs:DescribeLogStreams
            Resource: !GetAtt LogGroup.Arn

  FlowLog:
    Type: AWS::EC2::FlowLog
    Properties:
      DeliverLogsPermissionArn: !GetAtt Role.Arn
      LogGroupName: !Ref LogGroup
      ResourceId: !Ref VPC
      ResourceType: VPC
      TrafficType: REJECT
  ```

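What a VPC flow log like the one suggested in the comment actually gives a defender is shown by the following added example, which is not code from the gist or its comments. It parses flow log records in the default (version 2) format, which has the fixed field order `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`, and runs three checks over constructed sample lines: rejected flows per source and port, sources that are refused on several ports, and accepted SSH sessions from outside the VPC, which the template's security group permits from `0.0.0.0/0`. The sample records, the account id and the addresses are constructed documentation values; the function names are chosen here. Standard library only.

```python
"""
Added example (not from the gist or its comments): a small analyser for VPC
flow log records in the default version 2 format, run over constructed sample
lines. Standard library only.
"""
import ipaddress
from collections import Counter, defaultdict

# Field order of the default flow log record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records. The account id and the public addresses are
# documentation values; 10.0.32.15 sits in the template's public subnet A.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.32.15 51122 22 6 5 300 1555050000 1555050060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.32.15 51123 22 6 8 640 1555050061 1555050120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.32.15 40000 3389 6 3 180 1555050000 1555050060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.32.15 40001 445 6 3 180 1555050000 1555050060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.32.15 40002 23 6 3 180 1555050000 1555050060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.0.25 10.0.32.15 39000 22 6 4 256 1555050100 1555050160 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1555050000 1555050060 - NODATA
"""


def parse_flow_log(text: str) -> list:
    """Parse default-format records; rows without data (NODATA/SKIPDATA) are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom log format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # the numeric fields are "-" on these rows
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejects_by_source(records: list) -> Counter:
    """Count REJECTed flows per (source address, destination port)."""
    return Counter((r["srcaddr"], r["dstport"]) for r in records if r["action"] == "REJECT")


def port_probers(records: list, min_ports: int = 3) -> list:
    """Sources that were rejected on at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def accepted_ssh_from_outside(records: list, vpc_cidr: str) -> list:
    """ACCEPTed TCP flows to port 22 whose source lies outside the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for r in records:
        if r["action"] == "ACCEPT" and r["protocol"] == 6 and r["dstport"] == 22:
            if ipaddress.ip_address(r["srcaddr"]) not in vpc:
                hits.append((r["srcaddr"], r["dstaddr"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("rejects:", rejects_by_source(recs).most_common())
    print("probers:", port_probers(recs))
    print("ssh from outside the VPC:", accepted_ssh_from_outside(recs, "10.0.0.0/16"))
```

One caveat on the comment's snippet: with `TrafficType: REJECT` only the rejected flows are delivered, so the third check (accepted SSH sessions from the internet) would see nothing; use `TrafficType: ALL` when you want to review who actually got in through the open port 22 rule.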