基本的な使い方
設定内容
ざっくりですが、こんな項目を設定します。詳細はCloudFormationのテンプレートの内容を見てもらった方が早いです。
- VPC設定
- Internet Gateway設定
- Subnetの設定
- DHCP Optionの設定
- Route Tableの設定
- ACLの設定
※設定値は参考までに。なお、このサンプルはネットワークACLでTCP 22/80/443/8080と1024〜65535を0.0.0.0/0から許可しています。ACLはステートレスなのでエフェメラルポートの許可は戻り通信のために必要ですが、そのぶん外部からの任意ポート（1024以上）への到達もACL層では通ります。利用時はSSHの送信元CIDRを絞り、実際の境界となるセキュリティグループを必ず設定してください。
テンプレート
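---
# Basic network stack: one VPC (192.168.0.0/16), an Internet Gateway, two
# subnets in ap-northeast-1a / ap-northeast-1c that share a route table with a
# default route to the IGW, a DHCP option set, and inbound/outbound entries on
# the VPC's default network ACL.
#
# Review notes:
#   - Network ACLs are stateless. Inbound rule 600 (TCP 1024-65535 from
#     0.0.0.0/0) is what lets return traffic for outbound TCP connections in,
#     but it equally admits unsolicited traffic to any port above 1023 at the
#     ACL layer. Security groups on the instances must be the real boundary.
#   - Entries are added to the VPC's *default* ACL rather than to a dedicated
#     AWS::EC2::NetworkAcl, so the allow-all entries the default ACL is created
#     with are not managed by this stack (the page removes the inbound one by
#     hand afterwards). A dedicated ACL resource would keep the whole rule set
#     under CloudFormation control.
#   - TCP 22 (rule 500) is reachable from pramSshSourceCidr, which defaults to
#     the original 0.0.0.0/0 so existing invocations keep working; pass an
#     operator CIDR to narrow it.
AWSTemplateFormatVersion: "2010-09-09"
Description: "Basic Network Setting"

Parameters:
  pramStackNamePrefic:
    Description: "Common stack name prefix"
    Type: String
    Default: ""
  pramSshSourceCidr:
    Description: "IPv4 CIDR allowed to reach TCP/22 through the ACL (inbound rule 500). Narrow this to an operator network."
    Type: String
    Default: "0.0.0.0/0"
    # Validate the shape up front; a malformed value would otherwise only fail
    # when the ACL entry is created.
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    ConstraintDescription: "must be an IPv4 CIDR block such as 203.0.113.0/24"

Resources:
  VPC:
    Type: "AWS::EC2::VPC"
    Properties:
      CidrBlock: "192.168.0.0/16"
      InstanceTenancy: default
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub "${pramStackNamePrefic}vpc"

  igw:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - Key: Name
          Value: !Sub "${pramStackNamePrefic}igw"

  vpcgwattc:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref igw

  # Both subnets are public: they share the route table below, which sends
  # 0.0.0.0/0 to the IGW. Both carry the same Name tag ("<prefix>subnet"), so
  # tell them apart by AZ or by the stack exports, not by Name.
  subnetA:
    Type: "AWS::EC2::Subnet"
    Properties:
      CidrBlock: "192.168.0.0/20"
      AvailabilityZone: "ap-northeast-1a"
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${pramStackNamePrefic}subnet"

  subnetC:
    Type: "AWS::EC2::Subnet"
    Properties:
      CidrBlock: "192.168.16.0/20"
      AvailabilityZone: "ap-northeast-1c"
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${pramStackNamePrefic}subnet"

  DHCPOpt:
    Type: "AWS::EC2::DHCPOptions"
    Properties:
      # Region-specific internal domain; adjust together with the hard-coded
      # AZs above if the template is deployed outside ap-northeast-1.
      DomainName: "ap-northeast-1.compute.internal"
      DomainNameServers:
        - AmazonProvidedDNS
      Tags:
        - Key: Name
          Value: !Sub "${pramStackNamePrefic}dhcp-ops"

  rtb:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub "${pramStackNamePrefic}rtb"

  SubnetRouteTableAssociationA:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref subnetA
      RouteTableId: !Ref rtb

  SubnetRouteTableAssociationC:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref subnetC
      RouteTableId: !Ref rtb

  # ---- Network ACL entries, written onto the VPC's default ACL ----

  # Outbound: allow everything (IPv4).
  # NOTE(review): the default ACL is created with its own allow-all outbound
  # entry at rule 100; confirm this entry is accepted rather than rejected as
  # a duplicate rule number before relying on it.
  aclOutAll:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: "0.0.0.0/0"
      Egress: true
      Protocol: "-1"
      RuleAction: allow
      RuleNumber: 100
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl

  # Outbound: allow everything (IPv6). The VPC above has no IPv6 CIDR block,
  # so this entry is inert until one is associated.
  aclOut2:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      Ipv6CidrBlock: "::/0"
      Egress: true
      Protocol: "-1"
      RuleAction: allow
      RuleNumber: 101
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl

  # Inbound: service ports from anywhere (rules 200-400).
  aclInHttp:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: "0.0.0.0/0"
      Egress: false
      Protocol: "6"
      PortRange:
        From: 80
        To: 80
      RuleAction: allow
      RuleNumber: 200
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl

  aclInHttp2:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: "0.0.0.0/0"
      Egress: false
      Protocol: "6"
      PortRange:
        From: 8080
        To: 8080
      RuleAction: allow
      RuleNumber: 300
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl

  aclInHttps:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: "0.0.0.0/0"
      Egress: false
      Protocol: "6"
      PortRange:
        From: 443
        To: 443
      RuleAction: allow
      RuleNumber: 400
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl

  # Inbound: SSH, restricted to the operator CIDR given as a parameter
  # (defaults to 0.0.0.0/0 for backward compatibility).
  aclInSSH:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: !Ref pramSshSourceCidr
      Egress: false
      Protocol: "6"
      PortRange:
        From: 22
        To: 22
      RuleAction: allow
      RuleNumber: 500
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl

  # Inbound: TCP ephemeral ports. Required because ACLs are stateless and
  # replies to outbound TCP connections arrive on a high port. This is
  # TCP-only, so UDP replies to external servers are not covered.
  aclInEphemeral:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: "0.0.0.0/0"
      Egress: false
      Protocol: "6"
      PortRange:
        From: 1024
        To: 65535
      RuleAction: allow
      RuleNumber: 600
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl

  subnetacl1:
    Type: "AWS::EC2::SubnetNetworkAclAssociation"
    Properties:
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
      SubnetId: !Ref subnetA

  subnetacl2:
    Type: "AWS::EC2::SubnetNetworkAclAssociation"
    Properties:
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
      SubnetId: !Ref subnetC

  # Default route to the IGW; the attachment must exist before the route
  # references the gateway.
  route1:
    Type: "AWS::EC2::Route"
    DependsOn: vpcgwattc
    Properties:
      DestinationCidrBlock: "0.0.0.0/0"
      RouteTableId: !Ref rtb
      GatewayId: !Ref igw

  dchpassoc1:
    Type: "AWS::EC2::VPCDHCPOptionsAssociation"
    Properties:
      VpcId: !Ref VPC
      DhcpOptionsId: !Ref DHCPOpt

# Every export is "<prefix><suffix>" so dependent stacks can Fn::ImportValue
# them. Export names are part of the stack's interface and are kept verbatim.
Outputs:
  VPCId:
    Value: !Ref VPC
    Export:
      Name: !Sub "${pramStackNamePrefic}VPC-ID"
  VPCCidrBlock:
    Value: !GetAtt VPC.CidrBlock
    Export:
      # The trailing "D" looks like a typo, but downstream stacks may already
      # import this name, so it is left unchanged.
      Name: !Sub "${pramStackNamePrefic}VPC-CidrBlockD"
  VPCDefaultNetworkAcl:
    Value: !GetAtt VPC.DefaultNetworkAcl
    Export:
      Name: !Sub "${pramStackNamePrefic}VPC-DefaultNetworkAcl"
  # The default security group is exported for convenience; prefer creating
  # purpose-specific security groups in consuming stacks instead of reusing it.
  VPCDefaultSecurityGroup:
    Value: !GetAtt VPC.DefaultSecurityGroup
    Export:
      Name: !Sub "${pramStackNamePrefic}VPC-DefaultSecurityGroup"
  igwId:
    Value: !Ref igw
    Export:
      Name: !Sub "${pramStackNamePrefic}IGW-ID"
  subnetAId:
    Value: !Ref subnetA
    Export:
      Name: !Sub "${pramStackNamePrefic}Subnet-apne1a-ID"
  subnetCId:
    Value: !Ref subnetC
    Export:
      Name: !Sub "${pramStackNamePrefic}Subnet-apne1c-ID"
  subnetAAZ:
    Value: !GetAtt subnetA.AvailabilityZone
    Export:
      Name: !Sub "${pramStackNamePrefic}Subnet-apne1a-AvailabilityZone"
  subnetCAZ:
    Value: !GetAtt subnetC.AvailabilityZone
    Export:
      Name: !Sub "${pramStackNamePrefic}Subnet-apne1c-AvailabilityZone"
  DHCPOptID:
    Value: !Ref DHCPOpt
    Export:
      Name: !Sub "${pramStackNamePrefic}DHCPOptions-ID"
  # Same value as VPCDefaultNetworkAcl, exported under a second name.
  aclId:
    Value: !GetAtt VPC.DefaultNetworkAcl
    Export:
      Name: !Sub "${pramStackNamePrefic}ACL-ID"
  rtbId:
    Value: !Ref rtb
    Export:
      Name: !Sub "${pramStackNamePrefic}RTB-ID"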
実行
パラメータ
# Naming and tagging inputs shared by the CloudFormation commands below.
CF_TAG_KEY="service"
CF_TAG_NAME="sample"
CF_STACK_NAME_PREFIX="sample-"
# The stack name is the prefix plus a role suffix (e.g. "sample-network");
# the same prefix is handed to the template as pramStackNamePrefic.
CF_STACK_NAME="${CF_STACK_NAME_PREFIX}network"
CF_FILE_NAME="cftemplate.yaml"
# Create the network stack. The stack-name prefix is passed straight through
# to the template so every Name tag and export carries it.
# create-stack returns as soon as the request is accepted; if the next steps
# need the stack to be finished, follow with
#   aws cloudformation wait stack-create-complete --stack-name "${CF_STACK_NAME}"
aws cloudformation create-stack \
  --stack-name "${CF_STACK_NAME}" \
  --template-body "file://./${CF_FILE_NAME}" \
  --parameters "ParameterKey=pramStackNamePrefic,ParameterValue=${CF_STACK_NAME_PREFIX}" \
  --tags "Key=${CF_TAG_KEY},Value=${CF_TAG_NAME}" \
  | jq .
ちなみに、デフォルトのネットワークACLはテンプレート上のリソースではない（`!GetAtt VPC.DefaultNetworkAcl` で参照しているだけ）ためタグがつけられなかったので、強引に、VPC ID取得→ACL ID取得→タグ付けをしてみる。
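# Look up the VPC the stack created via its Name tag.
# A Name tag is not unique, so the filter can match several VPCs; warn when
# the result is empty or multi-line before it is fed to the commands below.
VpcId=$(aws ec2 describe-vpcs \
  --filters "Name=tag:Name,Values=${CF_STACK_NAME_PREFIX}vpc" \
  | jq -r '.Vpcs[].VpcId')
case "${VpcId}" in
  "")            echo "no VPC tagged Name=${CF_STACK_NAME_PREFIX}vpc" >&2 ;;
  *[[:space:]]*) echo "more than one VPC matched; pick one: ${VpcId}" >&2 ;;
esac
echo "${VpcId}"   # e.g. vpc-XXXXXXXX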
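# The template writes its entries to the VPC's *default* network ACL, so
# select that one explicitly. Filtering on vpc-id alone returns every ACL in
# the VPC, and a multi-line AclId would break the tagging and delete commands
# that follow.
AclId=$(aws ec2 describe-network-acls \
  --filters "Name=vpc-id,Values=${VpcId}" "Name=default,Values=true" \
  | jq -r '.NetworkAcls[].NetworkAclId')
echo "${AclId}"   # e.g. acl-XXXXXXXXX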
# The default network ACL is not a template resource, so give it the same
# Name/service tags by hand that the stack applies to everything else.
aws ec2 create-tags \
  --resources "${AclId}" \
  --tags "Key=Name,Value=${CF_STACK_NAME_PREFIX}acl" \
         "Key=${CF_TAG_KEY},Value=${CF_TAG_NAME}"
ACLのデフォルト削除
ACLのインバウンドはデフォルトですべて許可（ルール番号100）されているので、削除しておくことを推奨。削除後はテンプレートで明示したインバウンドルール（TCP 22/80/443/8080 と TCP 1024〜65535）だけが残り、アウトバウンドの全許可はそのまま。エフェメラルポートの許可はTCPのみなので、外部サーバとのUDP通信（外部NTPなど）が必要なら別途UDPのルールを足す。なお、この削除はCloudFormationの管理外なので、スタックを作り直して新しいVPCになった場合は再度実施が必要。
# Drop the default ACL's built-in inbound allow-all entry (rule 100) so that
# only the entries declared in the template remain on the inbound side.
# The outbound allow-all is untouched. This change is made outside
# CloudFormation, so it is not reapplied if the stack (and VPC) is recreated.
aws ec2 delete-network-acl-entry \
  --ingress \
  --rule-number 100 \
  --network-acl-id "${AclId}"