diff --git a/templates/Router.yaml b/templates/Router.yaml
new file mode 100644
index 0000000..9455d5c
--- /dev/null
+++ b/templates/Router.yaml
@@ -0,0 +1,62 @@
+Description: VPC-Router. The instance-id from this template can be configured in the VPC as a gateway to reach internet from the private-networks (so tcpdump and similar can be used)
+Parameters:
+ KeyName:
+ Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
+ Type: AWS::EC2::KeyPair::KeyName
+ ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ VPCStackName:
+ Description: Name of the VPC stack to deploy into.
+ Type: String
+ ConstraintDescription: Must be a name of an existing stack
+Conditions:
+ Ipv4PoolIsBYOIP: !Equals [ !Ref Ipv4Pool, 2]
+Mappings:
+ RegionMap:
+ us-east-1:
+ AMI: ami-0dba2cb6798deb6d8
+ us-west-1:
+ AMI: ami-021809d9177640a20
+ eu-west-1:
+ AMI: ami-06fd8a495a537da8b
+ eu-north-1:
+ AMI: ami-008dea09a148cea39
+ eu-central-1:
+ AMI: ami-0c960b947cbb2dd16
+ ap-southeast-1:
+ AMI: ami-093da183b859d5a4b
+ ap-northeast-1:
+ AMI: ami-09b86f9709b3c33d4
+Resources:
+ MyEC2Instance:
+ Type: AWS::EC2::Instance
+ Properties:
+ ImageId: !FindInMap
+ - RegionMap
+ - !Ref 'AWS::Region'
+ - AMI
+ InstanceType: t3.micro
+ KeyName: !Ref 'KeyName'
+ SubnetId:
+ Fn::ImportValue:
+ Fn::Sub: "${VPCStackName}-PuSID"
+ GroupSet:
+ - Fn::ImportValue:
+ Fn::Sub: "${VPCStackName}-VPCSGID"
+ - Fn::ImportValue:
+ Fn::Sub: "${VPCStackName}-DNSSGID"
+ - Fn::ImportValue:
+ Fn::Sub: "${VPCStackName}-MailSGID"
+ - Fn::ImportValue:
+ Fn::Sub: "${VPCStackName}-WebbSGID"
+ # Disable sourcedestcheck
+ SourceDestCheck: false
+ Tags:
+ - Key: Role
+ Value: Proxy
+ UserData:
+ Fn::Base64: !Sub |
+ #!/bin/bash -xe
+ # This is just a bash-script that the instance runs on boot.
+ echo "1" > /proc/sys/net/ip_forward
+ # Very generic iptables nat-rule. Anything this box forwards from a 10/8 ip should be NAT'ed to whatever IP this box has.
+ iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j MASQUERADE
diff --git a/templates/VPC_updated.yaml b/templates/VPC_updated.yaml
index 30b05a7..962f082 100644
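Review bot: The UserData script writes to `/proc/sys/net/ip_forward`, but the Linux sysctl lives at `/proc/sys/net/ipv4/ip_forward`; because the script runs under `bash -xe`, the failed redirect aborts it before the iptables line ever runs, so the instance never forwards anything. Change it to `echo 1 > /proc/sys/net/ipv4/ip_forward`, and since user data runs on first boot only, the setting and the NAT rule should also be persisted (a sysctl.d drop-in plus a saved ruleset) if the router is expected to survive a reboot. The `Ipv4PoolIsBYOIP` condition references a parameter `Ipv4Pool` that this template does not declare, which is likely to fail template validation; either declare it or drop the unused condition. The comment above the MASQUERADE rule says 10/8 while the rule matches 10.0.0.0/16; make the two agree, ideally by importing the VPC CIDR from the `${VPCStackName}` stack if it exports one rather than hard-coding it here. GroupSet also attaches the DNS, Mail and Webb security groups to what is purely a forwarding host; only the group that admits traffic from the private subnets appears to be needed, and the extra groups widen what is reachable on an instance that sits in the public subnet with SourceDestCheck disabled.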
--- a/templates/VPC_updated.yaml
+++ b/templates/VPC_updated.yaml
@@ -7,9 +7,22 @@ Parameters: Ipv6CidrBlock: Description: /56 cidr block of your own Ipv6 address pool, only fill this field if you chose to bring your own Ipv6 pool (2) Type: String + + RouterInstanceId: + Description: An instance-id if AWS Hosted NAT-gateway shouldn't be used, ex i-xxxxxxxxxxx to route traffic from lan and dmz through when going outside VPC (towards internet.) + Type: String + Default: NONE + Conditions: Ipv6PoolIsAmazon: !Equals [ !Ref Ipv6Pool, 1] Ipv6PoolIsBYOIP: !Equals [ !Ref Ipv6Pool, 2] + + RouterInstanceIdSet: !Not + - Fn::Equals: ["NONE", !Ref RouterInstanceId] + + UseNatGateway: + - Fn::Equals: ["NONE", !Ref RouterInstanceId] + Resources: VPC: Type: AWS::EC2::VPC
@@ -90,6 +103,7 @@ Resources: Value: EIP NatGateway: Type: AWS::EC2::NatGateway + Condition: UseNatGateway Properties: AllocationId: Fn::GetAtt:
@@ -145,8 +159,16 @@ Resources: RouteTableId: Ref: PrivateRouteTable DestinationCidrBlock: 0.0.0.0/0 - NatGatewayId: - Ref: NatGateway + # If no instance-id configured in stack parameters, use natgateway + # else, route traffic through instance-id + NatGatewayId: !If + - UseNatGateway + - !Ref NatGateway + - !Ref AWS::NoValue + InstanceId: !If + - RouterInstanceIdSet + - !Ref RouterInstanceId + - !Ref AWS::NoValue PrivateIpv6Route: Type: AWS::EC2::Route DependsOn: InternetGatewayAttachment
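Review bot: `UseNatGateway` is written as a bare YAML sequence (`- Fn::Equals: [...]`) rather than a condition function, so the Conditions block is likely to be rejected at validation; `RouterInstanceIdSet` gets away with the same list only because it sits under `!Not`, which takes a list. Since the two conditions are meant to be exact complements, define one in terms of the other so they cannot drift: `UseNatGateway: !Not [!Condition RouterInstanceIdSet]`. `RouterInstanceId` also has no `AllowedPattern`, so a mistyped or empty value is only caught when the route resource is created mid-deployment; a constraint along the lines of `AllowedPattern: '^(NONE|i-[0-9a-f]{8,17})$'` (a constructed sketch, adjust as needed) fails fast at stack creation instead. The enclosing Parameters and Conditions blocks continue outside the hunk.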
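Review bot: `Condition: UseNatGateway` is added to the NatGateway only, while its `AllocationId` still comes from a `Fn::GetAtt` on an EIP resource that, as far as this hunk shows, carries no condition; with a router instance configured that address would be allocated, billed and left unattached. If the EIP resource is indeed unconditional, give it (and any Output that references it) the same `Condition: UseNatGateway`. The EIP resource itself is outside the hunk, so this is inferred from the `GetAtt` reference rather than seen.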