vpc_no-vpn_multi-az.yaml
---

UITS VPC (without VPN) CloudFormation Deployment

This CloudFormation template deploys an AWS VPC without a VPN connection.

AWSTemplateFormatVersion: '2010-09-09'
Description: UITS VPC Template (no VPN)

Metadata

Metadata is mostly for grouping and labelling the Parameters so they are presented in a better way when the template is deployed from the AWS Web UI.

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: VPC Settings
        Parameters:
          - VPCName
          - VPCcidr
      - Label:
          default: Public Subnets
        Parameters:
          - SubnetPublicAcidr
          - SubnetPublicBcidr
          - SubnetPublicCcidr
      - Label:
          default: Private Subnets
        Parameters:
          - SubnetPrivateAcidr
          - SubnetPrivateBcidr
          - SubnetPrivateCcidr
      - Label:
          default: Tagging and Cost Management
        Parameters:
          - ServiceTag
          - EnvironmentTag
          - ContactNetidTag
          - AccountNumberTag
          - SubaccountTag
          - TicketNumberTag
    ParameterLabels:
      ServiceTag:
        default: "Service Name:"
      EnvironmentTag:
        default: "Environment Type:"
      ContactNetidTag:
        default: "Contact NetID:"
      AccountNumberTag:
        default: "Financial Account Number:"
      SubaccountTag:
        default: "Sub Account:"
      TicketNumberTag:
        default: "Ticket Number:"

Parameters

These are the input parameters for this template. All of them must be supplied for the template to deploy, except the Zone C subnet ranges, which are optional and may be left blank.

Parameters:
  VPCName:
    Type: String
    Description: Enter the name of the VPC. Used for descriptive purposes.
  VPCcidr:
    Type: String
    Description: VPC CIDR Block, e.g. 10.0.0.0/16
  SubnetPublicAcidr:
    Type: String
    Description: Public Zone A Subnet Range, e.g. 10.0.1.0/24
  SubnetPublicBcidr:
    Type: String
    Description: Public Zone B Subnet Range, e.g. 10.0.2.0/24
  SubnetPublicCcidr:
    Type: String
    # Empty by default so the IsUsingPublicAzC condition is false unless a range is given.
    Default: ""
    Description: (OPTIONAL) Public Zone C Subnet Range, e.g. 10.0.3.0/24
  SubnetPrivateAcidr:
    Type: String
    Description: Private Zone A Subnet Range, e.g. 10.0.11.0/24
  SubnetPrivateBcidr:
    Type: String
    Description: Private Zone B Subnet Range, e.g. 10.0.12.0/24
  SubnetPrivateCcidr:
    Type: String
    # Empty by default so the IsUsingPrivateAzC condition is false unless a range is given.
    Default: ""
    Description: (OPTIONAL) Private Zone C Subnet Range, e.g. 10.0.13.0/24

Tags

The following tag parameters are still part of the Parameters section. Their values are applied as tags to the resources created by this template.

  ServiceTag:
    Type: String
    Description: Exact name of the Service as defined in the service catalog.
  EnvironmentTag:
    Type: String
    Description: Used to distinguish between development, test, production, etc. environment types.
    AllowedValues: [dev, tst, prd, trn, stg, cfg, sup, rpt]
    Default: dev
  ContactNetidTag:
    Type: String
    Description: Used to identify the netid of the person most familiar with the usage of the resource.
  AccountNumberTag:
    Type: String
    Description: Identifies the financial system account number.
  SubaccountTag:
    Type: String
    Description: Identifies the financial system subaccount.
  TicketNumberTag:
    Type: String
    Description: Used to identify the Jira, Cherwell, or other ticketing system ticket number to link to more information about the need for the resource.

Mappings

Maps the deployment region to the names of its Availability Zones. Resources look a zone up with !FindInMap [RegionAZs, !Ref "AWS::Region", zoneA] (and zoneB, zoneC), so the same template works in either region.

Mappings:
  RegionAZs:
    us-west-2:
      "zoneA": "us-west-2a"
      "zoneB": "us-west-2b"
      "zoneC": "us-west-2c"
    us-east-1:
      "zoneA": "us-east-1a"
      "zoneB": "us-east-1b"
      "zoneC": "us-east-1c"

Conditions

The Zone C subnets, their ACL and route table associations, and their outputs are only created when the corresponding CIDR parameter is not empty.

Conditions:
  IsUsingPublicAzC: !Not [!Equals [!Ref SubnetPublicCcidr, ""]]
  IsUsingPrivateAzC: !Not [!Equals [!Ref SubnetPrivateCcidr, ""]]
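CloudFormation validates the template's syntax, but a subnet range that lies outside the VPC block or two subnet ranges that overlap only fail at stack creation time, after the earlier resources have already been created. The following Python script is an added example, not part of the template: it reproduces the template's Conditions logic (an empty Zone C parameter means the zone is not used) and checks an address plan offline before deployment. The parameter names are the template's own; the values in SAMPLE_PARAMS are constructed sample input taken from the examples in the parameter descriptions.

```python
"""Offline pre-deployment check for the VPC template's CIDR parameters (added example)."""
import ipaddress

# Constructed sample input: the example ranges from the parameter descriptions,
# with both optional Zone C ranges left blank.
SAMPLE_PARAMS = {
    "VPCcidr": "10.0.0.0/16",
    "SubnetPublicAcidr": "10.0.1.0/24",
    "SubnetPublicBcidr": "10.0.2.0/24",
    "SubnetPublicCcidr": "",
    "SubnetPrivateAcidr": "10.0.11.0/24",
    "SubnetPrivateBcidr": "10.0.12.0/24",
    "SubnetPrivateCcidr": "",
}

SUBNET_PARAMS = [
    "SubnetPublicAcidr", "SubnetPublicBcidr", "SubnetPublicCcidr",
    "SubnetPrivateAcidr", "SubnetPrivateBcidr", "SubnetPrivateCcidr",
]


def evaluate_conditions(params):
    """Mirror the template's Conditions section: Zone C is used only when its range is non-empty."""
    return {
        "IsUsingPublicAzC": params.get("SubnetPublicCcidr", "") != "",
        "IsUsingPrivateAzC": params.get("SubnetPrivateCcidr", "") != "",
    }


def check_cidr_plan(params):
    """Return a list of problems with the address plan; an empty list means it is consistent."""
    problems = []
    try:
        # strict=True rejects ranges with host bits set, e.g. 10.0.1.5/24
        vpc = ipaddress.ip_network(params["VPCcidr"], strict=True)
    except ValueError as exc:
        return [f"VPCcidr: {exc}"]
    # AWS only accepts VPC blocks between /16 and /28.
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPCcidr {vpc} prefix must be between /16 and /28")

    subnets = []
    for name in SUBNET_PARAMS:
        value = params.get(name, "")
        if value == "":
            if name.endswith("Ccidr"):
                continue  # optional Zone C; the Condition disables those resources
            problems.append(f"{name}: required parameter is empty")
            continue
        try:
            net = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPCcidr {vpc}")
        if net.prefixlen > 28:
            problems.append(f"{name} {net} is smaller than /28, the AWS minimum subnet size")
        subnets.append((name, net))

    # Subnets within one VPC must not overlap each other.
    for i, (name_a, net_a) in enumerate(subnets):
        for name_b, net_b in subnets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    return problems


if __name__ == "__main__":
    for line in check_cidr_plan(SAMPLE_PARAMS) or ["address plan OK"]:
        print(line)
    print(evaluate_conditions(SAMPLE_PARAMS))
```

Run it against the parameter file you intend to pass to the stack; a non-empty problem list means the deployment would fail part-way through, leaving a half-built VPC to roll back.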

Resources

These are all of the resources deployed by this template.

Resources:

VPC

This is the VPC itself. Mostly just naming things here.

  VpcEcsEas:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VPCcidr

Be sure to enable DNS support and DNS hostnames; otherwise the EFS service does not work.

      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Ref VPCName
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

InternetGateway

Create an Internet Gateway.

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Sub "${VPCName} Internet Gateway"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

InternetGatewayAttachment

Attach the Internet Gateway to the VPC.

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VpcEcsEas

SubnetPublicZoneA

Create a Public Subnet in Availability Zone A.

  SubnetPublicZoneA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcEcsEas
      CidrBlock: !Ref SubnetPublicAcidr
      AvailabilityZone: !FindInMap [RegionAZs, !Ref "AWS::Region", zoneA]
      Tags:
        - Key: Name
          Value: !Sub "${VPCName} Public Zone A"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

SubnetPublicZoneB

Create a Public Subnet in Availability Zone B.

  SubnetPublicZoneB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcEcsEas
      CidrBlock: !Ref SubnetPublicBcidr
      AvailabilityZone: !FindInMap [RegionAZs, !Ref "AWS::Region", zoneB]
      Tags:
        - Key: Name
          Value: !Sub "${VPCName} Public Zone B"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

SubnetPublicZoneC

Create a Public Subnet in Availability Zone C (only if a Zone C range was supplied).

  SubnetPublicZoneC:
    Type: AWS::EC2::Subnet
    Condition: IsUsingPublicAzC
    Properties:
      VpcId: !Ref VpcEcsEas
      CidrBlock: !Ref SubnetPublicCcidr
      AvailabilityZone: !FindInMap [RegionAZs, !Ref "AWS::Region", zoneC]
      Tags:
        - Key: Name
          Value: !Sub "${VPCName} Public Zone C"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

SubnetPrivateZoneA

Create a Private Subnet in Availability Zone A.

  SubnetPrivateZoneA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcEcsEas
      CidrBlock: !Ref SubnetPrivateAcidr
      AvailabilityZone: !FindInMap [RegionAZs, !Ref "AWS::Region", zoneA]
      Tags:
        - Key: Name
          Value: !Sub "${VPCName} Private Zone A"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

SubnetPrivateZoneB

Create a Private Subnet in Availability Zone B.

  SubnetPrivateZoneB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcEcsEas
      CidrBlock: !Ref SubnetPrivateBcidr
      AvailabilityZone: !FindInMap [RegionAZs, !Ref "AWS::Region", zoneB]
      Tags:
        - Key: Name
          Value: !Sub "${VPCName} Private Zone B"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

SubnetPrivateZoneC

Create a Private Subnet in Availability Zone C (only if a Zone C range was supplied).

  SubnetPrivateZoneC:
    Type: AWS::EC2::Subnet
    Condition: IsUsingPrivateAzC
    Properties:
      VpcId: !Ref VpcEcsEas
      CidrBlock: !Ref SubnetPrivateCcidr
      AvailabilityZone: !FindInMap [RegionAZs, !Ref "AWS::Region", zoneC]
      Tags:
        - Key: Name
          Value: !Sub "${VPCName} Private Zone C"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

Public Subnet Configurations

NetworkACLPublic

Create a Network ACL for the public subnets. Network ACLs are stateless, so inbound and outbound rules are evaluated independently and return traffic must be allowed explicitly.

  NetworkACLPublic:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VpcEcsEas
      Tags:
        - Key: Name
          Value: !Sub "${VPCName} Public ACL"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

Allow inbound TCP traffic to the public subnets on port 443 (HTTPS).

  ACLEntryPublicRuleAllowIn443:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkACLPublic
      RuleNumber: '100'
      CidrBlock: 0.0.0.0/0
      Protocol: '6'
      RuleAction: allow
      Egress: 'false'
      PortRange:
        From: '443'
        To: '443'

Allow inbound TCP traffic to the public subnets on port 80 (HTTP).

  ACLEntryPublicRuleAllowIn80:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkACLPublic
      RuleNumber: '105'
      CidrBlock: 0.0.0.0/0
      Protocol: '6'
      RuleAction: allow
      Egress: 'false'
      PortRange:
        From: '80'
        To: '80'

Allow inbound TCP traffic to the public subnets on port 22 (SSH).

We allow it here at the ACL level from any source, but it should be further restricted to known source ranges by security groups.

  ACLEntryPublicRuleAllowInSSH:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkACLPublic
      RuleNumber: '110'
      CidrBlock: 0.0.0.0/0
      Protocol: '6'
      RuleAction: allow
      Egress: 'false'
      PortRange:
        From: '22'
        To: '22'

Allow inbound TCP traffic to the public subnets on port 3389 (RDP).

We allow it here at the ACL level from any source, but it should be further restricted to known source ranges by security groups.

  ACLEntryPublicRuleAllowInRDP:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkACLPublic
      RuleNumber: '112'
      CidrBlock: 0.0.0.0/0
      Protocol: '6'
      RuleAction: allow
      Egress: 'false'
      PortRange:
        From: '3389'
        To: '3389'

Allow inbound TCP return traffic on the ephemeral ports (1024-65535), which is needed because the ACL is stateless.

  ACLEntryPublicRuleAllowInReturns:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkACLPublic
      RuleNumber: '120'
      CidrBlock: 0.0.0.0/0
      Protocol: '6'
      RuleAction: allow
      Egress: 'false'
      PortRange:
        From: '1024'
        To: '65535'

Allow inbound UDP return traffic on the ephemeral ports. Required for DNS replies and similar UDP responses.

  ACLEntryPublicRuleAllowUDP:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkACLPublic
      RuleNumber: '130'
      CidrBlock: 0.0.0.0/0
      Protocol: '17'
      RuleAction: allow
      Egress: 'false'
      PortRange:
        From: '1024'
        To: '65535'

Allow all traffic out of the public subnets.

  ACLEntryPublicRuleAllowOutAll:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkACLPublic
      RuleNumber: '100'
      CidrBlock: 0.0.0.0/0
      Protocol: '-1'
      RuleAction: allow
      Egress: 'true'
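Because the public ACL is stateless, the ephemeral-port return rules above also admit new inbound connections to any listener on ports 1024-65535; the ACL only narrows the well-known ports below 1024. The following Python evaluator is an added example, not part of the template: it applies EC2's network ACL semantics (rules tried in ascending RuleNumber, first match wins, implicit deny when nothing matches, each direction evaluated separately) to the NetworkACLPublic rules transcribed from the entries above. The packets fed to it are constructed sample input; the evaluator makes it clear which services still depend on security groups for protection.

```python
"""Evaluate the template's public Network ACL the way EC2 does (added example)."""
import ipaddress

# Transcribed from the NetworkACLPublic entries in the template:
# (RuleNumber, Egress, Protocol, CidrBlock, PortFrom, PortTo, RuleAction)
# Protocol '6' = TCP, '17' = UDP, '-1' = all protocols; None = no port range.
PUBLIC_ACL_RULES = [
    (100, False, "6", "0.0.0.0/0", 443, 443, "allow"),      # ACLEntryPublicRuleAllowIn443
    (105, False, "6", "0.0.0.0/0", 80, 80, "allow"),        # ACLEntryPublicRuleAllowIn80
    (110, False, "6", "0.0.0.0/0", 22, 22, "allow"),        # ACLEntryPublicRuleAllowInSSH
    (112, False, "6", "0.0.0.0/0", 3389, 3389, "allow"),    # ACLEntryPublicRuleAllowInRDP
    (120, False, "6", "0.0.0.0/0", 1024, 65535, "allow"),   # ACLEntryPublicRuleAllowInReturns
    (130, False, "17", "0.0.0.0/0", 1024, 65535, "allow"),  # ACLEntryPublicRuleAllowUDP
    (100, True, "-1", "0.0.0.0/0", None, None, "allow"),    # ACLEntryPublicRuleAllowOutAll
]


def evaluate(rules, egress, protocol, remote_ip, dst_port):
    """Return (action, rule_number) for one packet.

    egress=False is a packet entering the subnet (CidrBlock is the source);
    egress=True is a packet leaving it (CidrBlock is the destination).
    The port range of a rule is matched against the destination port.
    rule_number is '*' for the implicit deny at the end of the list.
    """
    addr = ipaddress.ip_address(remote_ip)
    for num, rule_egress, rule_proto, cidr, lo, hi, action in sorted(rules, key=lambda r: r[0]):
        if rule_egress != egress:
            continue
        if rule_proto != "-1" and rule_proto != protocol:
            continue
        if addr not in ipaddress.ip_network(cidr):
            continue
        if lo is not None and not lo <= dst_port <= hi:
            continue
        return action, num  # first match wins; later rules are not consulted
    return "deny", "*"


def inbound_tcp_verdicts(rules, remote_ip="203.0.113.10"):
    """Summarise what the ACL decides for a few constructed inbound TCP/UDP packets."""
    samples = [
        ("HTTPS request to 443", "6", 443),
        ("SMTP to 25 (no rule, implicit deny)", "6", 25),
        ("new TCP connection to 8080 (admitted by the return-traffic rule)", "6", 8080),
        ("DNS query to a UDP/53 listener (implicit deny)", "17", 53),
        ("DNS reply to an ephemeral UDP port", "17", 40000),
    ]
    return {label: evaluate(rules, False, proto, remote_ip, port) for label, proto, port in samples}


if __name__ == "__main__":
    for label, verdict in inbound_tcp_verdicts(PUBLIC_ACL_RULES).items():
        print(f"{verdict[0]:5} rule {verdict[1]:>3}  {label}")
    print(evaluate(PUBLIC_ACL_RULES, True, "6", "198.51.100.7", 25), "outbound SMTP")
```

The 8080 case is the one to keep in mind when reviewing this template: a service listening on a high port in a public subnet is reachable from the internet as far as the ACL is concerned, so the security group attached to the instance, not the ACL, is the control that decides who may connect.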

Associate the Public ACL with Public Subnet A.

  AclPublicSubnetA:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref NetworkACLPublic
      SubnetId: !Ref SubnetPublicZoneA

Associate the Public ACL with Public Subnet B.

  AclPublicSubnetB:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref NetworkACLPublic
      SubnetId: !Ref SubnetPublicZoneB

Associate the Public ACL with Public Subnet C (if used).

  AclPublicSubnetC:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Condition: IsUsingPublicAzC
    Properties:
      NetworkAclId: !Ref NetworkACLPublic
      SubnetId: !Ref SubnetPublicZoneC

Private Subnet Configurations

NetworkACLPrivate

Create a Network ACL for the private subnets.

  NetworkACLPrivate:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VpcEcsEas
      Tags:
        - Key: Name
          Value: !Sub "${VPCName} Private ACL"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

Allow all inbound traffic to the private subnets at the ACL level; filtering within the VPC is left to security groups.

  ACLEntryPrivateRuleAllowInAll:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkACLPrivate
      RuleNumber: '100'
      CidrBlock: 0.0.0.0/0
      Protocol: '-1'
      RuleAction: allow
      Egress: 'false'

Allow all traffic out of the private subnets.

  ACLEntryPrivateRuleAllowOutAll:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkACLPrivate
      RuleNumber: '100'
      CidrBlock: 0.0.0.0/0
      Protocol: '-1'
      RuleAction: allow
      Egress: 'true'

Associate the Private ACL with Private Subnet A.

  AclPrivateSubnetA:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref NetworkACLPrivate
      SubnetId: !Ref SubnetPrivateZoneA

Associate the Private ACL with Private Subnet B.

  AclPrivateSubnetB:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      NetworkAclId: !Ref NetworkACLPrivate
      SubnetId: !Ref SubnetPrivateZoneB

Associate the Private ACL with Private Subnet C (if used).

  AclPrivateSubnetC:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Condition: IsUsingPrivateAzC
    Properties:
      NetworkAclId: !Ref NetworkACLPrivate
      SubnetId: !Ref SubnetPrivateZoneC

Route Tables

Create a Public Route Table.

  RouteTablePublic:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcEcsEas
      Tags:
        - Key: Name
          Value: !Sub "${VPCName} Public Route Table"
        - Key: service
          Value: !Ref ServiceTag
        - Key: environment
          Value: !Ref EnvironmentTag
        - Key: contactnetid
          Value: !Ref ContactNetidTag
        - Key: accountnumber
          Value: !Ref AccountNumberTag
        - Key: subaccount
          Value: !Ref SubaccountTag
        - Key: ticketnumber
          Value: !Ref TicketNumberTag

Default route for the public subnets, sending all non-local traffic to the Internet Gateway.

  RoutePublicDefault:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref RouteTablePublic
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

Associate the public route table with Public Subnet A.

  RoutePublicSubnetA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTablePublic
      SubnetId: !Ref SubnetPublicZoneA

Associate the public route table with Public Subnet B.

  RoutePublicSubnetB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTablePublic
      SubnetId: !Ref SubnetPublicZoneB

Associate the public route table with Public Subnet C (if used).

  RoutePublicSubnetC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Condition: IsUsingPublicAzC
    Properties:
      RouteTableId: !Ref RouteTablePublic
      SubnetId: !Ref SubnetPublicZoneC

Create a Private Route Table. It carries no default route: with no VPN and no NAT gateway in this template, the private subnets can reach AWS services only through the S3 and DynamoDB gateway endpoints added below.

  RouteTablePrivate:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcEcsEas
      Tags:
        - Key: Name
          Value: !Sub "${VPCName} Private Route Table"

Associate the private route table with Private Subnet A.

  RoutePrivateSubnetA:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTablePrivate
      SubnetId: !Ref SubnetPrivateZoneA

Associate the private route table with Private Subnet B.

  RoutePrivateSubnetB:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTablePrivate
      SubnetId: !Ref SubnetPrivateZoneB

Associate the private route table with Private Subnet C (if used).

  RoutePrivateSubnetC:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Condition: IsUsingPrivateAzC
    Properties:
      RouteTableId: !Ref RouteTablePrivate
      SubnetId: !Ref SubnetPrivateZoneC

Create a gateway VPC Endpoint for S3 access, attached to both route tables. The endpoint policy below is the full-access default (any principal, any action, any resource), so access control is left to IAM and bucket policies.

  S3Enpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcEcsEas
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - "*"
            Resource:
              - "*"
      RouteTableIds:
        - Ref: RouteTablePublic
        - Ref: RouteTablePrivate
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"

Create a gateway VPC Endpoint for DynamoDB access, attached to both route tables, with the same full-access default policy.

  DynamoDBEnpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcEcsEas
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - "*"
            Resource:
              - "*"
      RouteTableIds:
        - Ref: RouteTablePublic
        - Ref: RouteTablePrivate
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.dynamodb"

Outputs

Output values that can be viewed from the AWS CloudFormation console. The exported names can be consumed by other stacks in the same account and region via Fn::ImportValue.

Outputs:
  VPCID:
    Value: !Ref VpcEcsEas
    Export:
      Name: !Sub "${AWS::StackName}-vpcid"
  PublicSubnetA:
    Value: !Ref SubnetPublicZoneA
    Export:
      Name: !Sub "${AWS::StackName}-public-subnet-a"
  PublicSubnetB:
    Value: !Ref SubnetPublicZoneB
    Export:
      Name: !Sub "${AWS::StackName}-public-subnet-b"
  PublicSubnetC:
    Condition: IsUsingPublicAzC
    Value: !Ref SubnetPublicZoneC
    Export:
      Name: !Sub "${AWS::StackName}-public-subnet-c"
  PrivateSubnetA:
    Value: !Ref SubnetPrivateZoneA
    Export:
      Name: !Sub "${AWS::StackName}-private-subnet-a"
  PrivateSubnetB:
    Value: !Ref SubnetPrivateZoneB
    Export:
      Name: !Sub "${AWS::StackName}-private-subnet-b"
  PrivateSubnetC:
    Condition: IsUsingPrivateAzC
    Value: !Ref SubnetPrivateZoneC
    Export:
      Name: !Sub "${AWS::StackName}-private-subnet-c"