VPC-Stackset

A setup for deploying VPC resources across multiple AWS accounts and regions in a consistent way. It helps create and manage network resources like VPCs and subnets centrally, making it easier to maintain a uniform network setup across different environments.


ESSENTIAL

Basic Configuration

This architecture sets up a minimal AWS VPC with one public and one private subnet in a single Availability Zone. The public subnet reaches the internet through an Internet Gateway; the private subnet has no internet route and is for internal use only.

Two security groups are included: one that admits traffic only from within the VPC, and one for the bastion host that accepts SSH connections only from a single allow-listed IP address.

Required resources

  • VPC: Defines the main VPC with a CIDR block of 10.0.0.0/27, with DNS support and DNS hostnames enabled.
  • PublicSubnet: Creates a public subnet in the VPC with CIDR block 10.0.0.0/28 in Availability Zone 'ap-southeast-5a', with automatic public IP assignment enabled.
  • PrivateSubnet: Creates a private subnet in the VPC with CIDR block 10.0.0.16/28 in Availability Zone 'ap-southeast-5a', without public IP assignment.
  • IGW: Defines an Internet Gateway (IGW) to allow internet access for public subnets.
  • AttachGateway: Attaches the Internet Gateway (IGW) to the VPC to enable internet access for the VPC's public subnets.
  • PublicRT: Creates the route table for the public subnet; internet-bound traffic leaves via the attached Internet Gateway.
  • PrivateRT: Defines the route table for private subnets, keeping them isolated from direct internet access.
  • PublicRoute: Adds a route to the public route table that sends traffic bound for '0.0.0.0/0' (all IP addresses) to the Internet Gateway, enabling public internet access.
  • RTAssociationPublic: Associates the public subnet with the public route table, enabling internet access for resources in this subnet.
  • RTAssociationPrivate: Associates the private subnet with the private route table, maintaining isolation from direct internet access.
  • GlobalSG: Creates a security group that allows inbound traffic on all protocols and ports from within the VPC CIDR range (10.0.0.0/27, matching the VPC's CidrBlock) and nothing from outside it.
  • BastionSG: Creates a security group for the bastion host, allowing inbound SSH (TCP port 22) only from the single IP address given as a /32. This restricts who can reach the bastion for management.

VPC Configuration

VPC:
  Type: AWS::EC2::VPC
  Properties:
    CidrBlock: "10.0.0.0/27"
    EnableDnsSupport: true
    EnableDnsHostnames: true
    Tags:
      - Key: Name
        Value: VPC

PublicSubnet:
  Type: AWS::EC2::Subnet
  Properties:
    VpcId: !Ref VPC
    CidrBlock: "10.0.0.0/28"
    AvailabilityZone: ap-southeast-5a
    MapPublicIpOnLaunch: true
    Tags:
      - Key: Name
        Value: PublicSubnet

PrivateSubnet:
  Type: AWS::EC2::Subnet
  Properties:
    VpcId: !Ref VPC
    CidrBlock: "10.0.0.16/28"
    AvailabilityZone: ap-southeast-5a
    MapPublicIpOnLaunch: false
    Tags:
      - Key: Name
        Value: PrivateSubnet

IGW Configuration

IGW:
  Type: AWS::EC2::InternetGateway
  Properties:
    Tags:
      - Key: Name
        Value: IGW

AttachGateway:
  Type: AWS::EC2::VPCGatewayAttachment
  Properties:
    VpcId: !Ref VPC
    InternetGatewayId: !Ref IGW

PublicRT:
  Type: AWS::EC2::RouteTable
  Properties:
    VpcId: !Ref VPC
    Tags:
      - Key: Name
        Value: PublicRT

PrivateRT:
  Type: AWS::EC2::RouteTable
  Properties:
    VpcId: !Ref VPC
    Tags:
      - Key: Name
        Value: PrivateRT

PublicRoute:
  Type: AWS::EC2::Route
  DependsOn: AttachGateway # a route to an IGW can only be created after the IGW is attached to the VPC
  Properties:
    RouteTableId: !Ref PublicRT
    DestinationCidrBlock: "0.0.0.0/0"
    GatewayId: !Ref IGW

RTAssociationPublic:
  Type: AWS::EC2::SubnetRouteTableAssociation
  Properties:
    SubnetId: !Ref PublicSubnet
    RouteTableId: !Ref PublicRT

RTAssociationPrivate:
  Type: AWS::EC2::SubnetRouteTableAssociation
  Properties:
    SubnetId: !Ref PrivateSubnet
    RouteTableId: !Ref PrivateRT

Security Group Configuration

GlobalSG:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow inbound connection only from within VPC network
    VpcId: !Ref VPC
    SecurityGroupIngress:
      - IpProtocol: -1
        CidrIp: "10.0.0.0/27"
    Tags:
      - Key: Name
        Value: SG-Global

BastionSG:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow inbound SSH only from specified IP
    VpcId: !Ref VPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: "115.135.117.81/32" # change to correct IP address
    Tags:
      - Key: Name
        Value: SG-Bastion
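An added sanity check (not part of this stackset) over the resources above, written against a Python dict transcription of the template rather than the YAML itself: it confirms each subnet fits inside the VPC CIDR, that no private subnet is associated with a route table carrying the Internet Gateway route, and that nothing outside the VPC gets all-protocol or wider-than-/32 SSH ingress. The TEMPLATE dict and the by_type and audit functions are this example's own names.

```python
import ipaddress

# Constructed from the template on this page; each !Ref is written as the referenced
# resource's logical name, and only the properties the checks need are kept.
TEMPLATE = {
    "VPC": {"Type": "AWS::EC2::VPC", "CidrBlock": "10.0.0.0/27"},
    "PublicSubnet": {"Type": "AWS::EC2::Subnet", "CidrBlock": "10.0.0.0/28", "MapPublicIpOnLaunch": True},
    "PrivateSubnet": {"Type": "AWS::EC2::Subnet", "CidrBlock": "10.0.0.16/28", "MapPublicIpOnLaunch": False},
    "PublicRoute": {"Type": "AWS::EC2::Route", "RouteTableId": "PublicRT", "GatewayId": "IGW"},
    "RTAssociationPublic": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                            "SubnetId": "PublicSubnet", "RouteTableId": "PublicRT"},
    "RTAssociationPrivate": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                             "SubnetId": "PrivateSubnet", "RouteTableId": "PrivateRT"},
    "GlobalSG": {"Type": "AWS::EC2::SecurityGroup",
                 "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIp": "10.0.0.0/27"}]},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup",
                  "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                            "CidrIp": "115.135.117.81/32"}]},
}

def by_type(res, kind):
    return {name: r for name, r in res.items() if r["Type"] == kind}

def audit(res):
    """Return a list of findings for the resource dict; an empty list means it passes."""
    findings = []
    vpc = ipaddress.ip_network(next(iter(by_type(res, "AWS::EC2::VPC").values()))["CidrBlock"])
    # 1. Every subnet must sit inside the VPC CIDR.
    subnets = {n: ipaddress.ip_network(s["CidrBlock"]) for n, s in by_type(res, "AWS::EC2::Subnet").items()}
    for name, net in subnets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} lies outside the VPC CIDR {vpc}")
    # 2. A route table holding an Internet Gateway route must not be attached to a private subnet.
    igw_tables = {r["RouteTableId"] for r in by_type(res, "AWS::EC2::Route").values() if "GatewayId" in r}
    for assoc in by_type(res, "AWS::EC2::SubnetRouteTableAssociation").values():
        if assoc["RouteTableId"] in igw_tables and not res[assoc["SubnetId"]]["MapPublicIpOnLaunch"]:
            findings.append(f"{assoc['SubnetId']}: private subnet is routed to an Internet Gateway")
    # 3. Ingress from outside the VPC: never all protocols, and SSH only from a single /32.
    for name, sg in by_type(res, "AWS::EC2::SecurityGroup").items():
        for rule in sg["SecurityGroupIngress"]:
            src = ipaddress.ip_network(rule["CidrIp"])
            if src.subnet_of(vpc):
                continue  # intra-VPC rules such as GlobalSG are the intended design
            if str(rule["IpProtocol"]) == "-1":
                findings.append(f"{name}: all-protocol ingress from outside the VPC ({src})")
            elif rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535) and src.prefixlen < 32:
                findings.append(f"{name}: SSH reachable from {src}, expected a single /32")
    return findings
```

Calling audit(TEMPLATE) returns an empty list for the template as written; widening GlobalSG to 10.0.0.0/16 or opening the bastion rule to 0.0.0.0/0 each produce one finding.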

OPTIONAL

NAT Gateway

To add a NAT gateway (NGW) to the previous configuration, add this template. An Elastic IP is created and associated with the NGW, and a route is added to the private route table that sends the private subnet's internet-bound traffic through the NGW.

Required resources

  • EIP: Creates an Elastic IP (EIP) for the NAT Gateway, giving the gateway a static public IP address for consistent external access.
  • NGW: Defines a NAT Gateway in the public subnet, allowing resources in the private subnet to reach the internet while remaining unreachable from inbound internet traffic.
  • NGWRoute: Sets up a route in the private route table, directing outbound internet traffic (0.0.0.0/0) to the NAT Gateway.

Elastic IP Configuration

EIP:
  Type: AWS::EC2::EIP
  Properties:
    Domain: vpc
    Tags:
      - Key: Name
        Value: EIP

NAT Gateway Configuration

NGW:
  Type: AWS::EC2::NatGateway
  Properties:
    AllocationId: !GetAtt EIP.AllocationId
    SubnetId: !Ref PublicSubnet
    ConnectivityType: public
    Tags:
      - Key: Name
        Value: NATGateway

NGWRoute:
  Type: AWS::EC2::Route
  Properties:
    RouteTableId: !Ref PrivateRT
    DestinationCidrBlock: "0.0.0.0/0"
    NatGatewayId: !Ref NGW

OPTIONAL

SSM Support

To use SSM with EC2 instances, two VPC endpoints must be configured:

  1. SSM, and;
  2. SSM Messages.

Required resources

  • SSM: Creates a VPC interface endpoint for the SSM service within the VPC, so instances reach SSM privately without traversing the public internet.
  • SSMMessages: Creates a VPC interface endpoint for the SSM Messages service within the VPC, allowing private communication with SSM Messages for managing EC2 instances.

VPC Endpoint Configuration

SSM:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    VpcId: !Ref VPC
    ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm"
    VpcEndpointType: Interface
    PrivateDnsEnabled: true # the SSM agent then resolves the service hostname to this endpoint rather than the public address; relies on the VPC's DNS settings above
    SubnetIds:
      - !Ref PrivateSubnet
    SecurityGroupIds:
      - !Ref GlobalSG # must admit TCP 443 from the instances; GlobalSG allows all traffic from the VPC CIDR

SSMMessages:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    VpcId: !Ref VPC
    ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages"
    VpcEndpointType: Interface
    PrivateDnsEnabled: true
    SubnetIds:
      - !Ref PrivateSubnet
    SecurityGroupIds:
      - !Ref GlobalSG