aws(学习笔记第六课) AWS的虚拟私有云(VPC)、公有子网以及ACL,定义公网堡垒主机子网以及varnish反向代理
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "VPC with a public SSH bastion subnet, a public Varnish subnet and a private Apache subnet, each attached to its own network ACL",
"Parameters": {
"KeyName": {
"Description": "Key Pair name",
"Type": "AWS::EC2::KeyPair::KeyName",
"Default": "my-cli-key"
}
},
"Mappings": {
"EC2RegionMap": {
"ap-northeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-cbf90ecb", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-03cf3903"},
"ap-southeast-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-68d8e93a", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-b49dace6"},
"ap-southeast-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-fd9cecc7", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-e7ee9edd"},
"eu-central-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a8221fb5", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-46073a5b"},
"eu-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-a10897d6", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-6975eb1e"},
"sa-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-b52890a8", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-fbfa41e6"},
"us-east-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-1ecae776", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-303b1458"},
"us-west-1": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-d114f295", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-7da94839"},
"us-west-2": {"AmazonLinuxAMIHVMEBSBacked64bit": "ami-e7527ed7", "AmazonLinuxNATAMIHVMEBSBacked64bit": "ami-69ae8259"}
}
},
"Resources": {
"SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow-all security group (all protocols, 0.0.0.0/0 ingress and egress); traffic filtering is left to the subnet network ACLs",
"VpcId": {"Ref": "VPC"}
}
},
"SecurityGroupIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties":{
"IpProtocol": "-1",
"FromPort": "-1",
"ToPort": "-1",
"CidrIp": "0.0.0.0/0",
"GroupId": {"Ref": "SecurityGroup"}
}
},
"SecurityGroupEgress": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties":{
"IpProtocol": "-1",
"FromPort": "-1",
"ToPort": "-1",
"CidrIp": "0.0.0.0/0",
"GroupId": {"Ref": "SecurityGroup"}
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsHostnames": "true"
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
}
},
"VPCGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {"Ref": "VPC"},
"InternetGatewayId": {"Ref": "InternetGateway"}
}
},
"SubnetPublicSSHBastion": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
"CidrBlock": "10.0.1.0/24",
"VpcId": {"Ref": "VPC"}
}
},
"RouteTablePublicSSHBastion": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"RouteTableAssociationPublicSSHBastion": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {"Ref": "SubnetPublicSSHBastion"},
"RouteTableId": {"Ref": "RouteTablePublicSSHBastion"}
}
},
"RoutePublicSSHBastionToInternet": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {"Ref": "RouteTablePublicSSHBastion"},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {"Ref": "InternetGateway"}
},
"DependsOn": "VPCGatewayAttachment"
},
"NetworkAclPublicSSHBastion": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"SubnetNetworkAclAssociationPublicSSHBastion": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": {"Ref": "SubnetPublicSSHBastion"},
"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"}
}
},
"NetworkAclEntryInPublicSSHBastionSSH": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
"RuleNumber": "100",
"Protocol": "6",
"PortRange": {
"From": "22",
"To": "22"
},
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "0.0.0.0/0"
}
},
"NetworkAclEntryInPublicSSHBastionEphemeralPorts": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
"RuleNumber": "200",
"Protocol": "6",
"PortRange": {
"From": "1024",
"To": "65535"
},
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "10.0.0.0/16"
}
},
"NetworkAclEntryOutPublicSSHBastionSSH": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
"RuleNumber": "100",
"Protocol": "6",
"PortRange": {
"From": "22",
"To": "22"
},
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": "10.0.0.0/16"
}
},
"NetworkAclEntryOutPublicSSHBastionEphemeralPorts": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPublicSSHBastion"},
"RuleNumber": "200",
"Protocol": "6",
"PortRange": {
"From": "1024",
"To": "65535"
},
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": "0.0.0.0/0"
}
},
"SubnetPublicVarnish": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
"CidrBlock": "10.0.2.0/24",
"VpcId": {"Ref": "VPC"}
}
},
"RouteTablePublicVarnish": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"RouteTableAssociationPublicVarnish": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {"Ref": "SubnetPublicVarnish"},
"RouteTableId": {"Ref": "RouteTablePublicVarnish"}
}
},
"RoutePublicVarnishToInternet": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {"Ref": "RouteTablePublicVarnish"},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {"Ref": "InternetGateway"}
},
"DependsOn": "VPCGatewayAttachment"
},
"NetworkAclPublicVarnish": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"SubnetNetworkAclAssociationPublicVarnish": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": {"Ref": "SubnetPublicVarnish"},
"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"}
}
},
"NetworkAclEntryInPublicVarnishSSH": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
"RuleNumber": "100",
"Protocol": "6",
"PortRange": {
"From": "22",
"To": "22"
},
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "10.0.1.0/24"
}
},
"NetworkAclEntryInPublicVarnishHTTP": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
"RuleNumber": "110",
"Protocol": "6",
"PortRange": {
"From": "80",
"To": "80"
},
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "0.0.0.0/0"
}
},
"NetworkAclEntryInPublicVarnishEphemeralPorts": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
"RuleNumber": "200",
"Protocol": "6",
"PortRange": {
"From": "1024",
"To": "65535"
},
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "0.0.0.0/0"
}
},
"NetworkAclEntryOutPublicVarnishHTTP": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
"RuleNumber": "100",
"Protocol": "6",
"PortRange": {
"From": "80",
"To": "80"
},
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": "0.0.0.0/0"
}
},
"NetworkAclEntryOutPublicVarnishHTTPS": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
"RuleNumber": "110",
"Protocol": "6",
"PortRange": {
"From": "443",
"To": "443"
},
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": "0.0.0.0/0"
}
},
"NetworkAclEntryOutPublicVarnishEphemeralPorts": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPublicVarnish"},
"RuleNumber": "200",
"Protocol": "6",
"PortRange": {
"From": "1024",
"To": "65535"
},
"RuleAction": "allow",
"Egress": "true",
"CidrBlock": "0.0.0.0/0"
}
},
"SubnetPrivateApache": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": {"Fn::Select": ["0", {"Fn::GetAZs": ""}]},
"CidrBlock": "10.0.3.0/24",
"VpcId": {"Ref": "VPC"}
}
},
"RouteTablePrivateApache": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"RouteTableAssociationPrivateApache": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": {"Ref": "SubnetPrivateApache"},
"RouteTableId": {"Ref": "RouteTablePrivateApache"}
}
},
"NetworkAclPrivateApache": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {"Ref": "VPC"}
}
},
"SubnetNetworkAclAssociationPrivateApache": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": {"Ref": "SubnetPrivateApache"},
"NetworkAclId": {"Ref": "NetworkAclPrivateApache"}
}
},
"NetworkAclEntryInPrivateApacheSSH": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
"RuleNumber": "100",
"Protocol": "6",
"PortRange": {
"From": "22",
"To": "22"
},
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "10.0.1.0/24"
}
},
"NetworkAclEntryInPrivateApacheHTTP": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
"RuleNumber": "110",
"Protocol": "6",
"PortRange": {
"From": "80",
"To": "80"
},
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "10.0.2.0/24"
}
},
"NetworkAclEntryInPrivateApacheEphemeralPorts": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
"RuleNumber": "200",
"Protocol": "6",
"PortRange": {
"From": "1024",
"To": "65535"
},
"RuleAction": "allow",
"Egress": "false",
"CidrBlock": "0.0.0.0/0"
}
},
"NetworkAclEntryOutPrivateApacheHTTP": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": {"Ref": "NetworkAclPrivateApache"},
"RuleNumber"<