January 29, 2018

Basic network setup with AWS CloudFormation


Basic usage

What gets configured

Roughly speaking, the following items are set up. For the details it is quicker to read the CloudFormation template itself.

  • VPC
  • Internet Gateway
  • Subnets
  • DHCP Options
  • Route Table
  • Network ACL

Note: the values are for reference only. In particular, the ACL rules below admit SSH (tcp/22) from 0.0.0.0/0; narrow that to an administrative CIDR before using the template for anything real.

Template

AWSTemplateFormatVersion: "2010-09-09"
Description: "Basic Network Setting"
Parameters:
  pramStackNamePrefic:
    Description: "Common stack name prefix"
    Type: String
    Default: ""
Resources:
  VPC:
    Type: "AWS::EC2::VPC"
    Properties:
      CidrBlock: "192.168.0.0/16"
      InstanceTenancy: default
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Join
              - ""
              - - !Ref pramStackNamePrefic
                - vpc
  igw:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - Key: Name
          Value: !Join
              - ""
              - - !Ref pramStackNamePrefic
                - igw
  vpcgwattc:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref igw
  subnetA:
    Type: "AWS::EC2::Subnet"
    Properties:
      CidrBlock: "192.168.0.0/20"
      AvailabilityZone: "ap-northeast-1a"
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join
              - ""
              - - !Ref pramStackNamePrefic
                - subnet
  subnetC:
    Type: "AWS::EC2::Subnet"
    Properties:
      CidrBlock: "192.168.16.0/20"
      AvailabilityZone: "ap-northeast-1c"
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join
              - ""
              - - !Ref pramStackNamePrefic
                - subnet
  DHCPOpt:
    Type: "AWS::EC2::DHCPOptions"
    Properties:
      DomainName: "ap-northeast-1.compute.internal"
      DomainNameServers:
        - AmazonProvidedDNS
      Tags:
        - Key: Name
          Value: !Join
              - ""
              - - !Ref pramStackNamePrefic
                - dhcp-ops
  rtb:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join
              - ""
              - - !Ref pramStackNamePrefic
                - rtb
  SubnetRouteTableAssociationA:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref subnetA
      RouteTableId: !Ref rtb
  SubnetRouteTableAssociationC:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref subnetC
      RouteTableId: !Ref rtb
  # out-bound
  # The VPC default NACL already carries an allow-all rule 100 in each
  # direction plus the catch-all "*" deny, so these egress entries restate it.
  # If CreateNetworkAclEntry rejects the duplicate rule number, renumber them.
  aclOutAll:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: "0.0.0.0/0"
      Egress: true  # out-bound
      Protocol: "-1"
      RuleAction: allow
      RuleNumber: 100
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
  aclOut2:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      Ipv6CidrBlock: "::/0"
      Egress: true  # out-bound
      Protocol: "-1"
      RuleAction: allow
      RuleNumber: 101
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
  # in-bound
  # Rules are evaluated in ascending order. The default NACL's own inbound
  # rule 100 (allow all) is hit first, so rules 200-600 only take effect once
  # that rule has been deleted (done manually below).
  aclInHttp:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: "0.0.0.0/0"
      Egress: false  # in-bound
      Protocol: "6"
      PortRange:
        From: 80
        To: 80
      RuleAction: allow
      RuleNumber: 200
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
  aclInHttp2:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: "0.0.0.0/0"
      Egress: false  # in-bound
      Protocol: "6"
      PortRange:
        From: 8080
        To: 8080
      RuleAction: allow
      RuleNumber: 300
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
  aclInHttps:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: "0.0.0.0/0"
      Egress: false  # in-bound
      Protocol: "6"
      PortRange:
        From: 443
        To: 443
      RuleAction: allow
      RuleNumber: 400
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
  aclInSSH:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: "0.0.0.0/0"  # reference value only: restrict to an admin CIDR
      Egress: false  # in-bound
      Protocol: "6"
      PortRange:
        From: 22
        To: 22
      RuleAction: allow
      RuleNumber: 500
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
  # NACLs are stateless: this rule lets the replies to outbound connections
  # back in, but equally admits new inbound connections to any port in
  # 1024-65535 (3389, 8080, ...). Security groups have to block those.
  aclInEphemeral:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      CidrBlock: "0.0.0.0/0"
      Egress: false  # in-bound
      Protocol: "6"
      PortRange:
        From: 1024
        To: 65535
      RuleAction: allow
      RuleNumber: 600
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
  subnetacl1:
    Type: "AWS::EC2::SubnetNetworkAclAssociation"
    Properties:
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
      SubnetId: !Ref subnetA
  subnetacl2:
    Type: "AWS::EC2::SubnetNetworkAclAssociation"
    Properties:
      NetworkAclId: !GetAtt VPC.DefaultNetworkAcl
      SubnetId: !Ref subnetC
  route1:
    Type: "AWS::EC2::Route"
    Properties:
      DestinationCidrBlock: "0.0.0.0/0"
      RouteTableId: !Ref rtb
      GatewayId: !Ref igw
    DependsOn: vpcgwattc
  dchpassoc1:
    Type: "AWS::EC2::VPCDHCPOptionsAssociation"
    Properties:
      VpcId: !Ref VPC
      DhcpOptionsId: !Ref DHCPOpt
Outputs:
  VPCId:
    Value: !Ref VPC
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - VPC-ID
  VPCCidrBlock:
    Value: !GetAtt
        - VPC
        - CidrBlock
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - VPC-CidrBlock
  VPCDefaultNetworkAcl:
    Value: !GetAtt
        - VPC
        - DefaultNetworkAcl
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - VPC-DefaultNetworkAcl
  VPCDefaultSecurityGroup:
    Value: !GetAtt
        - VPC
        - DefaultSecurityGroup
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - VPC-DefaultSecurityGroup
  igwId:
    Value: !Ref igw
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - IGW-ID
  subnetAId:
    Value: !Ref subnetA
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - Subnet-apne1a-ID
  subnetCId:
    Value: !Ref subnetC
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - Subnet-apne1c-ID
  subnetAAZ:
    Value: !GetAtt
        - subnetA
        - AvailabilityZone
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - Subnet-apne1a-AvailabilityZone
  subnetCAZ:
    Value: !GetAtt
        - subnetC
        - AvailabilityZone
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - Subnet-apne1c-AvailabilityZone
  DHCPOptID:
    Value: !Ref DHCPOpt
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - DHCPOptions-ID
  aclId:
    Value: !GetAtt
        - VPC
        - DefaultNetworkAcl
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - ACL-ID
  rtbId:
    Value: !Ref rtb
    Export:
      Name: !Join
          - ""
          - - !Ref pramStackNamePrefic
            - RTB-ID

Run

Parameters

$ CF_TAG_KEY=service
$ CF_TAG_NAME=sample
$ CF_STACK_NAME_PREFIX=sample-
$ CF_STACK_NAME=${CF_STACK_NAME_PREFIX}network
$ CF_FILE_NAME=cftemplate.yaml
$ aws cloudformation validate-template \
--template-body file://./${CF_FILE_NAME} | jq .
$ aws cloudformation \
create-stack \
--tags Key=${CF_TAG_KEY},Value=${CF_TAG_NAME} \
--stack-name ${CF_STACK_NAME} \
--template-body file://./${CF_FILE_NAME} \
--parameters \
ParameterKey=pramStackNamePrefic,ParameterValue=${CF_STACK_NAME_PREFIX} \
| jq .
$ aws cloudformation wait stack-create-complete --stack-name ${CF_STACK_NAME}

Incidentally, the default ACL cannot be tagged from the template (it is an attribute of the VPC, not a resource of the stack), so I brute-force it: look up the VPC ID, get the ACL ID from it, then attach the tags.

$ VpcId=`aws ec2 describe-vpcs \
> --filters "Name=tag:Name,Values=${CF_STACK_NAME_PREFIX}vpc" \
> | jq -r '.Vpcs[].VpcId'`
$ echo $VpcId
vpc-XXXXXXXX
$ # filter on default=true too: vpc-id alone returns every NACL in the VPC
$ AclId=`aws ec2 describe-network-acls \
> --filters "Name=vpc-id,Values=${VpcId}" "Name=default,Values=true" \
> | jq -r '.NetworkAcls[].NetworkAclId'`
$ echo $AclId
acl-XXXXXXXXX
$ aws ec2 create-tags --resources ${AclId} \
--tags Key=Name,Value=${CF_STACK_NAME_PREFIX}acl \
Key=${CF_TAG_KEY},Value=${CF_TAG_NAME}

Deleting the default ACL rule

The default NACL ships with inbound rule 100 allowing all traffic from 0.0.0.0/0. Rules are evaluated in ascending order, so as long as rule 100 exists the inbound rules 200-600 added by the template never come into play; delete it. (The outbound rule 100 also allows everything, which is what the template intends.) This change is made outside CloudFormation, so it has to be repeated whenever the stack is recreated.

$ aws ec2 delete-network-acl-entry \
--network-acl-id ${AclId} \
--ingress \
--rule-number 100
$ # confirm only the template's inbound rules (and the "*" deny) remain
$ aws ec2 describe-network-acls --network-acl-ids ${AclId} \
| jq '.NetworkAcls[].Entries[] | select(.Egress == false)'
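Both manual steps above (tagging the ACL, deleting its rule 100) go away if the stack creates its own NACL instead of editing the VPC default one. The fragment below is an added example, not part of the original post: it replaces the NetworkAclEntry, SubnetNetworkAclAssociation and aclId resources of the template with a dedicated AWS::EC2::NetworkAcl, which accepts Tags and starts with nothing but the implicit "*" deny. It assumes the VPC, subnetA and subnetC logical IDs and the pramStackNamePrefic parameter from the template above; pramAdminCidr is a new parameter introduced here for the SSH rule.

```yaml
# Added example: NACL resources built on a dedicated ACL rather than the
# VPC default one. Assumes VPC, subnetA, subnetC and pramStackNamePrefic
# from the template above; pramAdminCidr is new.
Parameters:
  pramAdminCidr:
    Description: "CIDR allowed to reach SSH (e.g. the office egress range)"
    Type: String
    AllowedPattern: "^(\\d{1,3}\\.){3}\\d{1,3}/\\d{1,2}$"
Resources:
  acl:
    Type: "AWS::EC2::NetworkAcl"
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Join ["", [!Ref pramStackNamePrefic, acl]]
  # A new NACL holds only the implicit "*" deny per direction, so there is
  # no built-in allow-all rule 100 to delete afterwards.
  aclOutAll:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      NetworkAclId: !Ref acl
      Egress: true
      RuleNumber: 100
      Protocol: "-1"
      RuleAction: allow
      CidrBlock: "0.0.0.0/0"
  aclInHttp:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      NetworkAclId: !Ref acl
      Egress: false
      RuleNumber: 200
      Protocol: "6"
      PortRange: {From: 80, To: 80}
      RuleAction: allow
      CidrBlock: "0.0.0.0/0"
  aclInHttps:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      NetworkAclId: !Ref acl
      Egress: false
      RuleNumber: 400
      Protocol: "6"
      PortRange: {From: 443, To: 443}
      RuleAction: allow
      CidrBlock: "0.0.0.0/0"
  aclInSSH:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      NetworkAclId: !Ref acl
      Egress: false
      RuleNumber: 500
      Protocol: "6"
      PortRange: {From: 22, To: 22}
      RuleAction: allow
      CidrBlock: !Ref pramAdminCidr   # no longer open to the world
  # Stateless ACL: return traffic for outbound connections comes in on
  # ephemeral ports. Security groups must still block unwanted new
  # connections in this range.
  aclInEphemeral:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      NetworkAclId: !Ref acl
      Egress: false
      RuleNumber: 600
      Protocol: "6"
      PortRange: {From: 1024, To: 65535}
      RuleAction: allow
      CidrBlock: "0.0.0.0/0"
  # Explicit associations move both subnets off the VPC default NACL.
  subnetacl1:
    Type: "AWS::EC2::SubnetNetworkAclAssociation"
    Properties:
      NetworkAclId: !Ref acl
      SubnetId: !Ref subnetA
  subnetacl2:
    Type: "AWS::EC2::SubnetNetworkAclAssociation"
    Properties:
      NetworkAclId: !Ref acl
      SubnetId: !Ref subnetC
Outputs:
  aclId:
    Value: !Ref acl
    Export:
      Name: !Join ["", [!Ref pramStackNamePrefic, ACL-ID]]
```

With this variant the stack is the only thing that defines the ACL, so there is no drift to re-apply after a recreate, the tags arrive with the resource, and the VPC default NACL (still allow-all) is simply left unassociated. The create-stack call needs one extra parameter, ParameterKey=pramAdminCidr,ParameterValue=<your CIDR>.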