VPC Network Design
These templates were adapted from the 1Strategy AWS VPC template and updated to include a third tier of subnets for data.
The template was deployed to the Shared Networking account via the AWS CLI using the parameters in the ./parameters folder. It has been deployed as two separate CloudFormation stacks, one for the prod environment and one for the non-prod environment. These VPCs are designed to be shared with various accounts using AWS Resource Access Manager, which reduces the number of VPCs needed and the overall networking operational overhead.
VPCs are shared to accounts using AWS Resource Access Manager from the Shared Networking account (374319930067). There are existing resource shares to current Miles Systems App accounts for the Prod VPC and the Non-Prod VPC. You can edit these existing resource shares to add new account IDs or OU IDs as Shared principals by updating the CloudFormation template (network-shares.yaml) and updating the network-resource-shares stack in the Networking account with the updated template.
Please note that subnet tags are not shared along with the subnets themselves; tags are account specific. To make copying Name tags to new accounts easier, a script called copy-subnet-tags.py has been created. Please refer to the documentation for that script for more details.
Environment | Region | CloudFormation Stack Name | VPC CIDR Block | HA NAT? | VPC Flow Logs? |
---|---|---|---|---|---|
Non-Prod | us-east-1 | non-prod-network | 10.1.0.0/16 | false | false |
Prod | us-east-1 | prod-network | 10.0.0.0/16 | true | false |
To deploy this VPC template, you'll need to know the VPC CIDR block and the three public, three private, and three data subnet CIDR blocks. You will need to choose whether the VPC will support highly available NAT Gateways or, by default, a more cost-effective single NAT Gateway. You will also need to choose whether VPC Flow Logs are enabled or disabled (the default is disabled to reduce costs).
Parameter | Description | Example |
---|---|---|
VpcCidrParam | IPv4 CIDR block (/16 to /28) | 10.0.0.0/16 |
PublicAZASubnetBlock | AZ A public subnet block | 10.0.32.0/20 |
PublicAZBSubnetBlock | AZ B public subnet block | 10.0.96.0/20 |
PublicAZCSubnetBlock | AZ C public subnet block | 10.0.160.0/20 |
PrivateAZASubnetBlock | AZ A private subnet block | 10.0.0.0/19 |
PrivateAZBSubnetBlock | AZ B private subnet block | 10.0.64.0/19 |
PrivateAZCSubnetBlock | AZ C private subnet block | 10.0.128.0/19 |
DataAZASubnetBlock | AZ A data subnet block | 10.1.48.0/21 |
DataAZBSubnetBlock | AZ B data subnet block | 10.1.112.0/21 |
DataAZCSubnetBlock | AZ C data subnet block | 10.1.176.0/21 |
HighlyAvailable | Highly Available NAT config | true |
EnableVpcFlowLogs | VPC Flow Logs | true |
To make it easier to specify these parameters on the command line, you can use the example parameters files included in the parameters/ directory.
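Before running the deploy command it is worth sanity-checking a parameters file, because CloudFormation will only reject a subnet block that falls outside the VPC CIDR or overlaps another subnet after it has started creating resources. The following Python script is an added example, not part of this repository; it assumes the parameters files use the `ParameterKey`/`ParameterValue` list form that `aws cloudformation deploy --parameter-overrides file://` accepts (a flat `{"Key": "Value"}` object is also handled), and the sample values below are constructed to be mutually consistent rather than copied from any real environment.

```python
import ipaddress
import json

# Constructed sample parameters file (assumed ParameterKey/ParameterValue list shape).
SAMPLE_PARAMS_JSON = json.dumps([
    {"ParameterKey": "VpcCidrParam", "ParameterValue": "10.0.0.0/16"},
    {"ParameterKey": "PublicAZASubnetBlock", "ParameterValue": "10.0.32.0/20"},
    {"ParameterKey": "PublicAZBSubnetBlock", "ParameterValue": "10.0.96.0/20"},
    {"ParameterKey": "PublicAZCSubnetBlock", "ParameterValue": "10.0.160.0/20"},
    {"ParameterKey": "PrivateAZASubnetBlock", "ParameterValue": "10.0.0.0/19"},
    {"ParameterKey": "PrivateAZBSubnetBlock", "ParameterValue": "10.0.64.0/19"},
    {"ParameterKey": "PrivateAZCSubnetBlock", "ParameterValue": "10.0.128.0/19"},
    {"ParameterKey": "DataAZASubnetBlock", "ParameterValue": "10.0.48.0/21"},
    {"ParameterKey": "DataAZBSubnetBlock", "ParameterValue": "10.0.112.0/21"},
    {"ParameterKey": "DataAZCSubnetBlock", "ParameterValue": "10.0.176.0/21"},
    {"ParameterKey": "HighlyAvailable", "ParameterValue": "false"},
    {"ParameterKey": "EnableVpcFlowLogs", "ParameterValue": "false"},
])

# The nine subnet parameters the template expects (names from the README table).
SUBNET_KEYS = [
    "PublicAZASubnetBlock", "PublicAZBSubnetBlock", "PublicAZCSubnetBlock",
    "PrivateAZASubnetBlock", "PrivateAZBSubnetBlock", "PrivateAZCSubnetBlock",
    "DataAZASubnetBlock", "DataAZBSubnetBlock", "DataAZCSubnetBlock",
]


def load_parameters(text):
    """Return a {ParameterKey: ParameterValue} dict from a parameters file body."""
    data = json.loads(text)
    if isinstance(data, dict):
        return dict(data)
    return {item["ParameterKey"]: item["ParameterValue"] for item in data}


def check_vpc_parameters(params):
    """Return a list of human-readable findings; an empty list means the file is consistent."""
    findings = []
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.0.32.1/20.
        vpc = ipaddress.ip_network(params["VpcCidrParam"], strict=True)
    except (KeyError, ValueError) as exc:
        return [f"VpcCidrParam missing or invalid: {exc}"]
    if not 16 <= vpc.prefixlen <= 28:
        findings.append(f"VpcCidrParam {vpc} must be between /16 and /28")

    subnets = []
    for key in SUBNET_KEYS:
        value = params.get(key)
        if value is None:
            findings.append(f"{key} is missing")
            continue
        try:
            net = ipaddress.ip_network(value, strict=True)
        except ValueError:
            findings.append(f"{key}={value!r} is not a valid CIDR block")
            continue
        if net.version != vpc.version or not net.subnet_of(vpc):
            findings.append(f"{key}={net} lies outside VpcCidrParam {vpc}")
        subnets.append((key, net))

    # Every pair of subnets must be disjoint; overlapping blocks fail at stack creation.
    for i, (key_a, net_a) in enumerate(subnets):
        for key_b, net_b in subnets[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{key_a}={net_a} overlaps {key_b}={net_b}")

    # The two feature toggles are strings in the parameters file, so check the literal value.
    for flag in ("HighlyAvailable", "EnableVpcFlowLogs"):
        if params.get(flag) not in ("true", "false"):
            findings.append(f"{flag} must be 'true' or 'false', got {params.get(flag)!r}")
    return findings


if __name__ == "__main__":
    for finding in check_vpc_parameters(load_parameters(SAMPLE_PARAMS_JSON)) or ["OK"]:
        print(finding)
```

Run it against a real file with `load_parameters(open("parameters/us-east-1/non-prod.json").read())`; a data subnet block taken from a different /16 than the VPC (a common copy-and-paste slip when cloning a parameters file between environments) is reported as lying outside the VPC CIDR before any resources are touched.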
VPC Flow Logs is a feature that allows you to capture information about IP traffic going to and from network interfaces in your VPC. This template is configured to deliver this data to a CloudWatch Logs group called FlowLogs/<CloudFormation Stack Name>. Enabling VPC Flow Logs will increase your monthly usage costs (see the VPC Flow Logs Pricing and CloudWatch Pricing pages).
Per the AWS Docs, Flow logs can help you with a number of tasks, such as:
- Diagnosing overly restrictive security group rules
- Monitoring the traffic that is reaching your instance
- Determining the direction of the traffic to and from the network interfaces
VPC Flow Logs require an IAM role that gives the VPC Flow Logs service permission to deliver flow logs to CloudWatch Logs. This IAM role only has permission to create and read CloudWatch log groups and log streams, and to put log events.
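The first two tasks listed above (diagnosing overly restrictive security group rules and seeing what reaches an interface) come down to reading the REJECT records out of the flow log and separating traffic that originated inside the VPC from traffic that came from outside. The script below is an added example and not part of this repository or of AWS's tooling; it parses records in the default flow log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), skips NODATA/SKIPDATA records, and groups rejects by interface, destination and port. The log lines, the interface IDs and the account ID 123456789012 are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the default VPC Flow Logs format (not real data).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.32.15 10.0.0.25 49152 5432 6 8 1200 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.32.15 10.0.0.25 49153 5432 6 8 1200 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.32.15 10.0.0.25 49154 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2c3d4e5f678901a 198.51.100.7 10.0.32.15 40001 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0b2c3d4e5f678901a - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

DEFAULT_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow_log_line(line):
    """Return a dict for one default-format record, or None for NODATA/SKIPDATA or malformed lines."""
    fields = line.split()
    if len(fields) != len(DEFAULT_FIELDS):
        return None
    record = dict(zip(DEFAULT_FIELDS, fields))
    if record["log_status"] != "OK":
        # NODATA: no traffic in the window; SKIPDATA: records dropped. Neither carries addresses.
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        record[key] = int(record[key])
    return record


def summarize_rejects(lines, vpc_cidr):
    """Count REJECT records per (origin, interface, dstaddr, dstport, protocol).

    origin is "internal" when the source address is inside vpc_cidr, which points at an
    over-tight security group or NACL between two of your own subnets, and "external"
    otherwise, which is usually internet background noise hitting a public subnet.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    counts = Counter()
    for line in lines:
        record = parse_flow_log_line(line)
        if record is None or record["action"] != "REJECT":
            continue
        origin = "internal" if ipaddress.ip_address(record["srcaddr"]) in vpc else "external"
        proto = PROTOCOL_NAMES.get(record["protocol"], str(record["protocol"]))
        counts[(origin, record["interface_id"], record["dstaddr"], record["dstport"], proto)] += 1
    return counts


if __name__ == "__main__":
    for key, count in summarize_rejects(SAMPLE_FLOW_LOG, "10.0.0.0/16").most_common():
        origin, eni, dst, port, proto = key
        print(f"{count:4d} {origin:8s} {eni} -> {dst}:{port}/{proto}")
```

On the constructed sample the two internal rejects to 10.0.0.25 on TCP 5432 are the kind of signal that points at a security group on the data tier not admitting the application subnet, while the single external reject on port 22 is ordinary scanning that the rules are correctly blocking.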
If you'd like to deploy this stack via the command line, you'll need the AWS CLI. You'll need to have your CLI credentials configured properly by using either AWS SSO CLI login or Access Keys. You may also want to configure an AWS CLI Named Profile for the specific account you want to deploy to.
aws cloudformation validate-template --template-body file://vpc.yaml
You will need to verify you have the appropriate parameters file for the AWS Region and account/environment you want to deploy to. See ./parameters/<region>/<acct>.json, for example parameters/us-east-1/non-prod.json.
Change directories to the parent of this repository (vpc-starter-template/).
Run this command in the AWS CLI (make sure to add --profile <profile name> if you're using a named profile):
# non-prod
aws cloudformation deploy --template-file vpc.yaml --stack-name non-prod-network --parameter-overrides file://parameters/us-east-1/non-prod.json
# prod
aws cloudformation deploy --template-file vpc.yaml --stack-name prod-network --parameter-overrides file://parameters/us-east-1/prod.json
Updates to the stack can also be done using the deploy command above.
AWS CloudFormation supports exporting Resource names and properties. You can import these Cross-Stack References in other templates. However, these outputs only exist in the same account and region as the CloudFormation stack. They will not work cross-account with shared VPCs.
This VPC template exports the following values for use in other CloudFormation templates. Each export is prefixed with the stack name. For example, if you name the stack "main-vpc" when you launch it, the VPC's public route table will be exported as "main-vpc-public-rtb".
Export | Description | Example |
---|---|---|
main-vpc-vpc-id | VPC Id | vpc-1234abcd |
main-vpc-vpc-cidr | VPC CIDR | 10.0.0.0/16 |
main-vpc-public-rtb | Public Route table Id (shared by all public subnets) | rtb-1234abcd |
main-vpc-public-az-a-subnet | AZ A public subnet Id | subnet-1234abcd |
main-vpc-public-az-b-subnet | AZ B public subnet Id | "" |
main-vpc-public-az-c-subnet | AZ C public subnet Id | "" |
main-vpc-private-az-a-subnet | AZ A private subnet Id | subnet-abcd1234 |
main-vpc-private-az-b-subnet | AZ B private subnet Id | "" |
main-vpc-private-az-c-subnet | AZ C private subnet Id | "" |
main-vpc-private-az-a-rtb | Route table for private subnets in AZ A | rtb-abcd1234 |
main-vpc-private-az-b-rtb | Route table for private subnets in AZ B | "" |
main-vpc-private-az-c-rtb | Route table for private subnets in AZ C | "" |