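---
# CloudFormation template: BGP (dynamic-routing) site-to-site VPN between a VPC
# and a customer VPN device. It creates the VPN gateway, its VPC attachment, the
# customer gateway, the VPN connection, BGP route propagation into the private
# (and optionally public) route tables, and inbound network ACL entries that
# admit traffic from the remote network CIDR.
AWSTemplateFormatVersion: '2010-09-09'
Description: BGP Site-to-Site VPN Connection by Levon Becker v20160425-1400

Parameters:
  # --- Ownership / housekeeping (applied as tags and echoed in Outputs) ---
  Owner:
    Description: Enter Team or Individual Name Responsible for the Stack.
    Type: String
    Default: FirstName LastName
  Project:
    Description: Enter Project Name.
    Type: String
    Default: VPN Connection Creation
  DeleteAfter:
    Description: Enter Date It's Ok to Delete the Stack or 'Never' if meant to be persistent.
    Type: String
    Default: 00/00/201x

  # --- AWS side ---
  VPC:
    Description: Select VPC.
    Type: AWS::EC2::VPC::Id
  PublicRouteTable:
    Description: Enter Public Route Table ID. (Skip if Not Including Public)
    Type: String
    Default: rtb-0000000
  PrivateRouteTable:
    Description: Enter Private Route Table ID.
    Type: String
    Default: rtb-0000000
  PublicNetworkAcl:
    Description: Enter Public Network ACL ID. (Skip if Not Including Public)
    Type: String
    Default: acl-0000000
  PrivateNetworkAcl:
    Description: Enter Private Network ACL ID.
    Type: String
    Default: acl-0000000

  # --- Remote (customer) side ---
  RemoteVpnDeviceIp:
    Description: Enter External IP Address of the Customer VPN Device.
    Type: String
    # A dotted-quad IPv4 address is 7 to 15 characters (1.1.1.1 up to
    # 255.255.255.255); a lower maximum rejects addresses with three-digit octets.
    MinLength: '7'
    MaxLength: '15'
    Default: '0.0.0.0'
    # Shape check only: the pattern does not reject octets above 255.
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})"
    ConstraintDescription: Must be a valid IP Address x.x.x.x
  RemoteNetworkCidr:
    Description: Enter Remote Network IP Range CIDR (i.e. 192.168.100.0/24).
    Type: String
    # Shortest valid form is 9 characters (e.g. 10.0.0.0/8 is 10); longest is 18.
    MinLength: '9'
    MaxLength: '18'
    Default: '192.168.100.0/24'
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: Must be a valid CIDR range of the form x.x.x.x/x.
  RemoteBgpAsn:
    Description: Enter Remote VPN Device BGP ASN.
    Type: String
    MinLength: '4'
    MaxLength: '5'
    Default: '65000'
    AllowedPattern: "(\\d{4,5})"
    # Message describes the ASN pattern above, not the CIDR one.
    ConstraintDescription: Must be a 4 or 5 digit BGP ASN.

  # --- Optional public subnet access ---
  IncludePublicSubnets:
    Description: Select whether to include the Public Subnets in VPN Access or not.
    Type: String
    Default: 'true'
    AllowedValues:
      - 'true'
      - 'false'
  AllowOfficeNetworktoPublicRuleNumber:
    Description: Enter Public Network ACL Rule Number to Allow Office Network. (Skip if Not Including Public)
    Type: Number
    Default: '125'
  AllowOfficeNetworktoPrivateRuleNumber:
    Description: Enter Private Network ACL Rule Number to Allow Office Network.
    Type: Number
    Default: '125'

Conditions:
  # Both conditions derive from the same parameter, so exactly one is true.
  IncludePublic:
    Fn::Equals:
      - Ref: IncludePublicSubnets
      - 'true'
  ExcludePublic:
    Fn::Equals:
      - Ref: IncludePublicSubnets
      - 'false'

Resources:
  VPNGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
      Tags:
        - Key: Name
          Value:
            Ref: AWS::StackName
        - Key: Owner
          Value:
            Ref: Owner
        - Key: Project
          Value:
            Ref: Project
        - Key: DeleteAfter
          Value:
            Ref: DeleteAfter

  VPNGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: VPC
      VpnGatewayId:
        Ref: VPNGateway

  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      BgpAsn:
        Ref: RemoteBgpAsn
      IpAddress:
        Ref: RemoteVpnDeviceIp
      Tags:
        - Key: Name
          Value:
            Ref: AWS::StackName
        - Key: Owner
          Value:
            Ref: Owner
        - Key: Project
          Value:
            Ref: Project
        - Key: DeleteAfter
          Value:
            Ref: DeleteAfter
        - Key: VPN
          Value:
            Fn::Join:
              - ''
              - - 'Gateway to '
                - Ref: RemoteVpnDeviceIp

  VPNConnection:
    Type: AWS::EC2::VPNConnection
    DependsOn:
      - CustomerGateway
      - VPNGateway
    Properties:
      Type: ipsec.1
      # BGP connection: routes are exchanged dynamically, not configured statically.
      StaticRoutesOnly: 'false'
      CustomerGatewayId:
        Ref: CustomerGateway
      VpnGatewayId:
        Ref: VPNGateway
      Tags:
        - Key: Name
          Value:
            Ref: AWS::StackName
        - Key: Owner
          Value:
            Ref: Owner
        - Key: Project
          Value:
            Ref: Project
        - Key: DeleteAfter
          Value:
            Ref: DeleteAfter
        - Key: VPN
          Value:
            Fn::Join:
              - ''
              - - 'Connection to '
                - Ref: RemoteNetworkCidr

  # Route propagation cannot use the VPN gateway until it is attached to the
  # VPC. Nothing in Properties references the attachment, so the dependency on
  # VPNGatewayAttachment has to be declared explicitly.
  VPNGatewayRoutePropagationBoth:
    Condition: IncludePublic
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn:
      - VPNGateway
      - VPNGatewayAttachment
      - VPNConnection
    Properties:
      RouteTableIds:
        - Ref: PrivateRouteTable
        - Ref: PublicRouteTable
      VpnGatewayId:
        Ref: VPNGateway

  VPNGatewayRoutePropagationPrivateOnly:
    Condition: ExcludePublic
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn:
      - VPNGateway
      - VPNGatewayAttachment
      - VPNConnection
    Properties:
      RouteTableIds:
        - Ref: PrivateRouteTable
      VpnGatewayId:
        Ref: VPNGateway

  # Inbound (Egress false) allow entries for the remote network CIDR across all
  # protocols and ports. Rule numbers are parameters so they can be ordered
  # against existing entries in the target ACL. No egress entries are defined
  # in this template.
  InboundPublicNetworkAclEntryOfficeNetwork:
    Condition: IncludePublic
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: PublicNetworkAcl
      RuleNumber:
        Ref: AllowOfficeNetworktoPublicRuleNumber
      Protocol: "-1"
      RuleAction: allow
      Egress: 'false'
      CidrBlock:
        Ref: RemoteNetworkCidr
      PortRange:
        From: '0'
        To: '65535'

  InboundPrivateNetworkAclEntryOfficeNetwork:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: PrivateNetworkAcl
      RuleNumber:
        Ref: AllowOfficeNetworktoPrivateRuleNumber
      Protocol: "-1"
      RuleAction: allow
      Egress: 'false'
      CidrBlock:
        Ref: RemoteNetworkCidr
      PortRange:
        From: '0'
        To: '65535'

Outputs:
  Owner:
    Description: Team or Individual that Owns this Formation.
    Value:
      Ref: Owner
  Project:
    Description: The project name
    Value:
      Ref: Project
  VPC:
    Description: VPC Used
    Value:
      Ref: VPC
  RemoteVpnDeviceIp:
    Description: Remote VPN Device IP Used.
    Value:
      Ref: RemoteVpnDeviceIp
  RemoteNetworkCidr:
    Description: Remote Network CIDR Used.
    Value:
      Ref: RemoteNetworkCidr
  IncludePublic:
    Description: Include Public Subnets?
    Value:
      Ref: IncludePublicSubnets
  AllowOfficeToPublicRuleNumber:
    Condition: IncludePublic
    Description: Allow Office Network to Public Subnets Rule Number Used.
    Value:
      Ref: AllowOfficeNetworktoPublicRuleNumber
  AllowOfficeToPrivateRuleNumber:
    Description: Allow Office Network to Private Subnets Rule Number Used.
    Value:
      Ref: AllowOfficeNetworktoPrivateRuleNumber
  DeleteAfter:
    Description: It is ok to delete the Formation after this date
    Value:
      Ref: DeleteAfter

# Console layout only: groups and labels for the parameter form.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Ownership
        Parameters:
          - Owner
          - Project
          - DeleteAfter
      - Label:
          default: Remote Network Configuration
        Parameters:
          - RemoteVpnDeviceIp
          - RemoteNetworkCidr
          - RemoteBgpAsn
      - Label:
          default: AWS Network Configuration
        Parameters:
          - VPC
          - PrivateRouteTable
          - PrivateNetworkAcl
          - AllowOfficeNetworktoPrivateRuleNumber
      - Label:
          default: Include Public Subnet Access (Optional)
        Parameters:
          - IncludePublicSubnets
          - PublicRouteTable
          - PublicNetworkAcl
          - AllowOfficeNetworktoPublicRuleNumber
    ParameterLabels:
      Owner:
        default: Team or Individual Owner
      DeleteAfter:
        default: Delete After Date
      PublicRouteTable:
        default: Public Route Table
      PrivateRouteTable:
        default: Private Route Table
      PublicNetworkAcl:
        default: Public Network ACL
      PrivateNetworkAcl:
        default: Private Network ACL
      IncludePublicSubnets:
        default: Include Public Subnets?
      AllowOfficeNetworktoPublicRuleNumber:
        default: Public Rule Number
      AllowOfficeNetworktoPrivateRuleNumber:
        default: Private Rule Number
      RemoteVpnDeviceIp:
        default: VPN Device IP
      RemoteNetworkCidr:
        default: Network CIDR Block
      RemoteBgpAsn:
        default: VPN Device BGP ASN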