vpc_addon_vpn.yaml
---

Addon VPN CloudFormation Deployment

This CloudFormation template deploys a VPN connection to an existing VPC.

AWSTemplateFormatVersion: '2010-09-09'

Metadata

Metadata is mostly for organizing and presenting Parameters in a better way when using CloudFormation in the AWS Web UI.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: VPC Settings
        Parameters:
          - VPCStackName
          - VPCType
      - Label:
          default: VPN Settings
        Parameters:
          - VpnASR1IpAddress
          - VpnASR1BgpAsn
          - VpnASR2IpAddress
          - VpnASR2BgpAsn
      - Label:
          default: Tagging and Cost Management
        Parameters:
          - ServiceTag
          - EnvironmentTag
          - ContactNetidTag
          - AccountNumberTag
          - SubaccountTag
          - TicketNumberTag
    ParameterLabels:
      ServiceTag:
        default: "Service Name:"
      EnvironmentTag:
        default: 'Environment Type:'
      ContactNetidTag:
        default: 'Contact NetID:'
      AccountNumberTag:
        default: 'Financial Account Number:'
      TicketNumberTag:
        default: 'Ticket Number:'

Parameters

These are the input parameters for this template. All of these parameters must be supplied for this template to be deployed.

Parameters:
  VPCStackName:
    Type: String
    Description: The Name of the CloudFormation Stack for the VPC to attach this VPN to.
  VpnASR1BgpAsn:
    Type: String
    Description: BGP ASN for ASR1, ie 65524
  VpnASR1IpAddress:
    Type: String
    Description: IP Address for ASR1 connection, ie 206.207.227.86
  VpnASR2BgpAsn:
    Type: String
    Description: BGP ASN for ASR2, ie 65525
  VpnASR2IpAddress:
    Type: String
    Description: IP Address for ASR2 connection, ie 206.207.227.102

Prod or NonProd VPC.

  VPCType:
    Description: Single VPN for NonProd, Dual VPN connections for Production.
    Type: String
    Default: Non-Production
    AllowedValues:
      - Non-Production
      - Production

Tags

The following tags are applied to all resources created by this template.

  ServiceTag:
    Type: String
    Description: Exact name of the Service as defined in the service catalog.
  EnvironmentTag:
    Type: String
    Description: Used to distinguish between development, test, production, etc. environment types.
    AllowedValues: [dev, tst, prd, trn, stg, cfg, sup, rpt]
    Default: dev
  ContactNetidTag:
    Type: String
    Description: Used to identify the netid of the person most familiar with the usage of the resource.
  AccountNumberTag:
    Type: String
    Description: Identifies the financial system account number.
  SubaccountTag:
    Type: String
    Description: Identifies the financial system subaccount.
  TicketNumberTag:
    Type: String
    Description: Used to identify the Jira, Cherwell, or other ticketing system ticket number to link to more information about the need for the resource.

Conditions

Conditions:

From the Parameters, is this a Prod or NonProd account? This determines which resources are created.

  IsProdVPC: !Equals [!Ref VPCType, 'Production']

Resources

These are all of the resources deployed by this template.

Resources:

Create a Customer Gateway to connect to campus (ASR1)

  CustomerGatewayASR1:
    Type: AWS::EC2::CustomerGateway
    Properties:
      BgpAsn: !Ref VpnASR1BgpAsn
      IpAddress: !Ref VpnASR1IpAddress
      Type: ipsec.1
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName} Gateway ASR1"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

Create a Customer Gateway to connect to campus (ASR2)

  CustomerGatewayASR2:
    Type: AWS::EC2::CustomerGateway
    Condition: IsProdVPC
    Properties:
      BgpAsn: !Ref VpnASR2BgpAsn
      IpAddress: !Ref VpnASR2IpAddress
      Type: ipsec.1
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName} Gateway ASR2"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

Create a VPN connection for the ASR1 CustomerGateway

  VPNConnectionASR1:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      StaticRoutesOnly: 'false'
      CustomerGatewayId: !Ref CustomerGatewayASR1
      VpnGatewayId:
        Fn::ImportValue: !Sub "${VPCStackName}-vgw"
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName} VPNConnection ASR1"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

Create a VPN connection for the ASR2 CustomerGateway

  VPNConnectionASR2:
    Type: AWS::EC2::VPNConnection
    Condition: IsProdVPC
    Properties:
      Type: ipsec.1
      StaticRoutesOnly: 'false'
      CustomerGatewayId: !Ref CustomerGatewayASR2
      VpnGatewayId:
        Fn::ImportValue: !Sub "${VPCStackName}-vgw"
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName} VPNConnection ASR2"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag
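The Conditions and Resources sections above encode three rules worth checking before every deploy: every resource carries the cost-management tags, both VPN connections use BGP (StaticRoutesOnly is false), and the ASR2 resources only reference each other under the same IsProdVPC condition (a resource without that condition that referenced CustomerGatewayASR2 would fail in a NonProd stack, where the gateway is never created). The following policy-as-code checker is an added example, not part of the template or its project. It assumes the template has been converted to its JSON form, where the short YAML tags become long-form intrinsics (!Ref X becomes {"Ref": "X"}, !Sub becomes {"Fn::Sub": ...}); TEMPLATE is a constructed copy of the page's Conditions and Resources in that form, and the check_template and with_change helpers are hypothetical names chosen for this example.

```python
"""Policy checks for the VPN add-on template (added example, not project code).
Operates on the JSON form of the template: !Ref X -> {"Ref": "X"}, !Sub -> {"Fn::Sub": ...}.
"""
import copy

# Tag keys the template applies to every resource (cost and ownership lookup).
REQUIRED_TAGS = {"service", "environment", "contactnetid",
                 "accountnumber", "subaccount", "ticketnumber"}


def _standard_tags(name):
    """Rebuild the page's tag list for a resource with the given Name suffix."""
    tags = [{"Key": "Name", "Value": {"Fn::Sub": f"${{AWS::StackName}} {name}"}}]
    tags += [{"Key": key, "Value": {"Ref": param}} for key, param in (
        ("service", "ServiceTag"), ("environment", "EnvironmentTag"),
        ("contactnetid", "ContactNetidTag"), ("accountnumber", "AccountNumberTag"),
        ("subaccount", "SubaccountTag"), ("ticketnumber", "TicketNumberTag"))]
    return tags


def _resource(rtype, props, conditional):
    res = {"Type": rtype, "Properties": props}
    if conditional:
        res["Condition"] = "IsProdVPC"
    return res


def _gateway(asr):
    return {"BgpAsn": {"Ref": f"Vpn{asr}BgpAsn"}, "IpAddress": {"Ref": f"Vpn{asr}IpAddress"},
            "Type": "ipsec.1", "Tags": _standard_tags(f"Gateway {asr}")}


def _vpn(asr):
    return {"Type": "ipsec.1", "StaticRoutesOnly": "false",
            "CustomerGatewayId": {"Ref": f"CustomerGateway{asr}"},
            "VpnGatewayId": {"Fn::ImportValue": {"Fn::Sub": "${VPCStackName}-vgw"}},
            "Tags": _standard_tags(f"VPNConnection {asr}")}


# Constructed JSON-form equivalent of the page's Conditions and Resources sections.
TEMPLATE = {
    "Conditions": {"IsProdVPC": {"Fn::Equals": [{"Ref": "VPCType"}, "Production"]}},
    "Resources": {
        "CustomerGatewayASR1": _resource("AWS::EC2::CustomerGateway", _gateway("ASR1"), False),
        "CustomerGatewayASR2": _resource("AWS::EC2::CustomerGateway", _gateway("ASR2"), True),
        "VPNConnectionASR1": _resource("AWS::EC2::VPNConnection", _vpn("ASR1"), False),
        "VPNConnectionASR2": _resource("AWS::EC2::VPNConnection", _vpn("ASR2"), True),
    },
}


def _refs(node):
    """Yield every logical id referenced through {"Ref": ...} anywhere inside node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        for value in node.values():
            yield from _refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from _refs(value)


def check_template(template):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    resources = template.get("Resources", {})
    conditions = template.get("Conditions", {})
    for name, res in resources.items():
        props = res.get("Properties", {})
        cond = res.get("Condition")
        # 1. Every resource carries the cost-management and ownership tags.
        missing = REQUIRED_TAGS - {t["Key"] for t in props.get("Tags", [])}
        if missing:
            findings.append(f"{name}: missing tags {sorted(missing)}")
        # 2. VPN connections use BGP, as the ASN parameters require.
        if res.get("Type") == "AWS::EC2::VPNConnection" and \
                str(props.get("StaticRoutesOnly", "false")).lower() != "false":
            findings.append(f"{name}: StaticRoutesOnly must be false for a BGP VPN")
        # 3. A Condition named on a resource must be declared in Conditions.
        if cond is not None and cond not in conditions:
            findings.append(f"{name}: undeclared Condition {cond}")
        # 4. Only a resource under the same condition may Ref a conditional resource;
        #    otherwise the Ref dangles whenever the condition is false (NonProd).
        for target in _refs(props):
            target_cond = resources.get(target, {}).get("Condition")
            if target in resources and target_cond is not None and target_cond != cond:
                findings.append(f"{name}: refs {target}, which exists only when {target_cond}")
    return findings


def with_change(template, resource, path, value=None, delete=False):
    """Deep-copy the template and set or delete one key under Resources[resource]."""
    clone = copy.deepcopy(template)
    node = clone["Resources"][resource]
    for key in path[:-1]:
        node = node[key]
    if delete:
        del node[path[-1]]
    else:
        node[path[-1]] = value
    return clone
```

Running check_template(TEMPLATE) on the constructed copy returns no findings; removing the Condition from VPNConnectionASR2 with with_change produces the dangling-reference finding, which is exactly the deploy-time failure a NonProd stack would hit. Rule 4 is the one worth keeping in a pipeline: a future edit that adds a NonProd-only resource pointing at CustomerGatewayASR2 is caught before the stack is created rather than after a failed rollback.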