{
"AWSTemplateFormatVersion" : "2010-09-09",
"Parameters" : {
"BastionHostKeyName" : {
"Type" : "String",
"Description" : "The name of the private key file to use for SSH/RDP access to the bastion host."
},
"BastionSecurityCIDR" : {
"Type" : "String",
"Description" : "The CIDR range to use to lock down security on the bastion host.",
"Default" : "0.0.0.0/0"
},
"BastionInstanceType" : {
"Type" : "String",
"Description" : "The size of the instance to use for the bastion host."
}
},
"Mappings" : {
"AmazonLinuxAMI": {
"us-east-1": {
"AMI": "ami-1ecae776"
},
"us-west-1": {
"AMI": "ami-d114f295"
},
"us-west-2": {
"AMI": "ami-e7527ed7"
},
"eu-west-1": {
"AMI": "ami-a10897d6"
},
"eu-central-1": {
"AMI": "ami-a8221fb5"
},
"sa-east-1": {
"AMI": "ami-b52890a8"
},
"ap-southeast-1": {
"AMI": "ami-68d8e93a"
},
"ap-southeast-2": {
"AMI": "ami-fd9cecc7"
},
"ap-northeast-1": {
"AMI": "ami-cbf90ecb"
}
}
},
"Resources" : {
"VPC" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : "10.1.0.0/16",
"EnableDnsSupport" : "true",
"EnableDnsHostnames" : "true",
"Tags" : [{
"Key" : "Name",
"Value" : "Lab VPC"
}
]
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway",
"DependsOn" : "VPC"
},
"AttachGateway" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"DependsOn" : ["VPC", "InternetGateway"],
"Properties" : {
"VpcId" : {
"Ref" : "VPC"
},
"InternetGatewayId" : {
"Ref" : "InternetGateway"
}
}
},
"PublicSubnet1" : {
"Type" : "AWS::EC2::Subnet",
"DependsOn" : "AttachGateway",
"Properties" : {
"VpcId" : {
"Ref" : "VPC"
},
"CidrBlock" : "10.1.10.0/24",
"MapPublicIpOnLaunch" : "true",
"AvailabilityZone" : {
"Fn::Select" : [
"0", {
"Fn::GetAZs" : ""
}
]
},
"Tags" : [{
"Key" : "Name",
"Value" : "Public Subnet 1"
}
]
}
},
"PrivateSubnet1" : {
"Type" : "AWS::EC2::Subnet",
"DependsOn" : "AttachGateway",
"Properties" : {
"VpcId" : {
"Ref" : "VPC"
},
"CidrBlock" : "10.1.50.0/24",
"AvailabilityZone" : {
"Fn::Select" : [
"0", {
"Fn::GetAZs" : ""
}
]
},
"Tags" : [{
"Key" : "Name",
"Value" : "Private Subnet 1"
}
]
}
},
"PublicRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"DependsOn" : ["VPC", "AttachGateway"],
"Properties" : {
"VpcId" : {
"Ref" : "VPC"
},
"Tags" : [{
"Key" : "Name",
"Value" : "Public"
}
]
}
},
"PublicRoute" : {
"Type" : "AWS::EC2::Route",
"DependsOn" : ["PublicRouteTable", "AttachGateway"],
"Properties" : {
"RouteTableId" : {
"Ref" : "PublicRouteTable"
},
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : {
"Ref" : "InternetGateway"
}
}
},
"PublicSubnet1RouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"DependsOn" : ["PublicRouteTable", "PublicSubnet1", "AttachGateway"],
"Properties" : {
"SubnetId" : {
"Ref" : "PublicSubnet1"
},
"RouteTableId" : {
"Ref" : "PublicRouteTable"
}
}
},
"PrivateRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"DependsOn" : "AttachGateway",
"Properties" : {
"VpcId" : {
"Ref" : "VPC"
},
"Tags" : [{
"Key" : "Name",
"Value" : "Private"
}
]
}
},
"PrivateSubnet1RouteTableAssociation" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"DependsOn" : ["PublicRouteTable", "PrivateSubnet1", "AttachGateway"],
"Properties" : {
"SubnetId" : {
"Ref" : "PrivateSubnet1"
},
"RouteTableId" : {
"Ref" : "PrivateRouteTable"
}
}
},
"PrivateNetworkAcl" : {
"Type" : "AWS::EC2::NetworkAcl",
"DependsOn" : "AttachGateway",
"Properties" : {
"VpcId" : {
"Ref" : "VPC"
},
"Tags" : [{
"Key" : "Network",
"Value" : "Private"
}
]
}
},
"NATInstance" : {
"Type" : "AWS::EC2::Instance",
"DependsOn" : ["AttachGateway", "PublicRoute", "PublicSubnet1"],
"Properties" : {
"ImageId" : {
"Fn::FindInMap" : [
"AmazonLinuxAMI", {
"Ref" : "AWS::Region"
},
"AMI"
]
},
"InstanceType" : "t2.small",
"NetworkInterfaces" : [{
"DeviceIndex" : "0",
"AssociatePublicIpAddress" : "true",
"SubnetId" : {
"Ref" : "PublicSubnet1"
},
"GroupSet" : [{
"Ref" : "NATSecurityGroup"
}
]
}
],
"SourceDestCheck" : "false",
"Tags" : [{
"Key" : "Name",
"Value" : "NAT"
}
],
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [
"
",
[
"#!/bin/bash",
"yum -y update",
"echo 1 > /proc/sys/net/ipv4/ip_forward",
"echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects",
"/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 0.0.0.0/0 -j MASQUERADE",
"/sbin/iptables-save > /etc/sysconfig/iptables",
"mkdir -p /etc/sysctl.d/",
"cat <<EOF > /etc/sysctl.d/nat.conf",
"net.ipv4.ip_forward = 1",
"net.ipv4.conf.eth0.send_redirects = 0",
"EOF
"
]
]
}
}
}
},
"NATSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"DependsOn" : "AttachGateway",
"Properties" : {
"GroupDescription" : "Enable internal access to the NAT device",
"VpcId" : {
"Ref" : "VPC"
},
"SecurityGroupIngress" : [{
"IpProtocol" : "tcp",
"FromPort" : "0",
"ToPort" : "1024",
"CidrIp" : "10.1.50.0/24"
}, {
"IpProtocol" : "udp",
"FromPort" : "0",
"ToPort" : "1024",
"CidrIp" : "10.1.50.0/24"
}
],
"SecurityGroupEgress" : [{
"IpProtocol" : "tcp",
"FromPort" : "0",
"ToPort" : "65535",
"CidrIp" : "0.0.0.0/0"
}, {
"IpProtocol" : "udp",
"FromPort" : "0",
"ToPort" : "65535",
"CidrIp" : "0.0.0.0/0"
}
]
}
},
"PrivateRoute" : {
"Type" : "AWS::EC2::Route",
"DependsOn" : ["NATInstance", "PrivateRouteTable"],
"Properties" : {
"RouteTableId" : {
"Ref" : "PrivateRouteTable"
},
"DestinationCidrBlock" : "0.0.0.0/0",
"InstanceId" : {
"Ref" : "NATInstance"
}
}
},
"BastionServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"DependsOn" : "AttachGateway",
"Properties" : {
"GroupDescription" : "Security Group for bastion server",
"VpcId" : {
"Ref" : "VPC"
},
"Tags" : [{
"Key" : "Name",
"Value" : "BastionServerSecurityGroup"
}, {
"Key" : "ResourceGroup",
"Value" : "CloudFormationResource"
}
],
"SecurityGroupIngress" : [{
"IpProtocol" : "tcp",
"FromPort" : "22",
"ToPort" : "22",
"CidrIp" : {
"Ref" : "BastionSecurityCIDR"
}
}
]
}
},
"BastionServer" : {
"Type" : "AWS::EC2::Instance",
"DependsOn" : ["NATInstance"],
"Properties" : {
"ImageId" : {
"Fn::FindInMap" : [
"AmazonLinuxAMI", {
"Ref" : "AWS::Region"
},
"AMI"
]
},
"InstanceType" : {
"Ref" : "BastionInstanceType"
},
"KeyName" : {
"Ref" : "BastionHostKeyName"
},
"NetworkInterfaces" : [{
"DeviceIndex" : "0",
"AssociatePublicIpAddress" : "true",
"SubnetId" : {
"Ref" : "PrivateSubnet1"
},
"GroupSet" : [{
"Ref" : "BastionServerSecurityGroup"
}
]
}
],
"Tags" : [{
"Key" : "Name",
"Value" : "BastionServer"
}
],
"UserData" : {
"Fn::Base64" : {
"Fn::Join" : [
"",
[
"#!/bin/bash -ex
",
"yum -y update
"
]
]
}
}
}
}
}
}