Change VPC-config to allow setting a custom NAT-gateway. Add Router.y…

templates/Router.yaml

@@ -0,0 +1,62 @@
+Description: VPC-Router. The instance-id from this template can be configured in the VPC as a gateway to reach internet from the private-networks (so tcpdump and similar can be used)
+Parameters:
+  KeyName:
+    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
+    Type: AWS::EC2::KeyPair::KeyName
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  VPCStackName:
+    Description: Name of the VPC stack to deploy into.
+    Type: String
+    ConstraintDescription: Must be a name of an existing stack
+Conditions:
+  Ipv4PoolIsBYOIP: !Equals [ !Ref Ipv4Pool, 2]
+Mappings:
+  RegionMap:
+    us-east-1:
+      AMI: ami-0dba2cb6798deb6d8
+    us-west-1:
+      AMI: ami-021809d9177640a20
+    eu-west-1:
+      AMI: ami-06fd8a495a537da8b
+    eu-north-1:
+      AMI: ami-008dea09a148cea39
+    eu-central-1:
+      AMI: ami-0c960b947cbb2dd16
+    ap-southeast-1:
+      AMI: ami-093da183b859d5a4b
+    ap-northeast-1:
+      AMI: ami-09b86f9709b3c33d4
+Resources:
+  MyEC2Instance:
+    Type: AWS::EC2::Instance
+    Properties:
+      ImageId: !FindInMap
+        - RegionMap
+        - !Ref 'AWS::Region'
+        - AMI
+      InstanceType: t3.micro
+      KeyName: !Ref 'KeyName'
+      SubnetId:
+        Fn::ImportValue:
+          Fn::Sub: "${VPCStackName}-PuSID"
+      GroupSet:
+        - Fn::ImportValue:
+            Fn::Sub: "${VPCStackName}-VPCSGID"
+        - Fn::ImportValue:
+            Fn::Sub: "${VPCStackName}-DNSSGID"
+        - Fn::ImportValue:
+            Fn::Sub: "${VPCStackName}-MailSGID"
+        - Fn::ImportValue:
+            Fn::Sub: "${VPCStackName}-WebbSGID"
+      # Disable sourcedestcheck
+      SourceDestCheck: false
+      Tags:
+        - Key: Role
+          Value: Proxy
+      UserData:
+        Fn::Base64: !Sub |
+          #!/bin/bash -xe
+          # This is just a bash-script that the instance runs on boot.
+          echo "1" > /proc/sys/net/ip_forward
+          # Very generic iptables nat-rule. Anything this box forwards from a 10/8 ip should be NAT'ed to whatever IP this box has.
+          iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -j MASQUERADE

templates/VPC_updated.yaml

@@ -7,9 +7,22 @@ Parameters:
   Ipv6CidrBlock:
     Description: /56 cidr block of your own Ipv6 address pool, only fill this field if you chose to bring your own Ipv6 pool (2)
     Type: String
+
+  RouterInstanceId:
+    Description: An instance-id if AWS Hosted NAT-gateway shouldn't be used, ex i-xxxxxxxxxxx to route traffic from lan and dmz through when going outside VPC (towards internet.)
+    Type: String
+    Default: NONE
+
 Conditions:
   Ipv6PoolIsAmazon: !Equals [ !Ref Ipv6Pool, 1]
   Ipv6PoolIsBYOIP: !Equals [ !Ref Ipv6Pool, 2]
+
+  RouterInstanceIdSet: !Not
+    - Fn::Equals: ["NONE", !Ref RouterInstanceId]
+
+  UseNatGateway:
+    - Fn::Equals: ["NONE", !Ref RouterInstanceId]
+
 Resources:
   VPC:
     Type: AWS::EC2::VPC
@@ -90,6 +103,7 @@ Resources:
           Value: EIP
   NatGateway:
     Type: AWS::EC2::NatGateway
+    Condition: UseNatGateway
     Properties:
       AllocationId:
         Fn::GetAtt:
@@ -145,8 +159,16 @@ Resources:
       RouteTableId:
         Ref: PrivateRouteTable
       DestinationCidrBlock: 0.0.0.0/0
-      NatGatewayId:
-        Ref: NatGateway
+      # If no instance-id configured in stack parameters, use natgateway
+      # else, route traffic through instance-id
+      NatGatewayId: !If
+        - UseNatGateway
+        - !Ref NatGateway
+        - !Ref AWS::NoValue
+      InstanceId: !If
+        - RouterInstanceIdSet
+        - !Ref RouterInstanceId
+        - !Ref AWS::NoValue
   PrivateIpv6Route:
     Type: AWS::EC2::Route
     DependsOn: InternetGatewayAttachment