AWS - CloudFormation - Create VPC

If you have worked with AWS networking, you know there is a laundry list of items that need to be initally configured so the environment is ready for use:

  • VPC
  • Internet Gateway
  • VPN Gateway
  • Public Subnets
  • Private Subnets
  • Public Route Tables
  • Private Route Tables
  • NAT Gateways
  • and more depending on your environment

Since AWS is a software defined cloud datacenter, you will get more and more requests for a Prod environment, then Dev environment, then QA environment, then DevOps environment, etc...but wait, this also needs to be done in every region! Instead of spending your time pointing and clicking your way through the AWS GUI, Amazon has provided an infrastructure automation solution called CloudFormation. CloudFormation uses the AWS API's to automate the provisioning of AWS resources, and its very simple to use.

  1. Set up your YAML or JSON file that describes your infrastructure
  2. Use the AWS-CLI or GUI to launch (or delete) your infrastructure

Luckily AWS has great sample docs, and I have added VPN Gateway parts, extra subnets, and my naming scheme to the code below (also available on my github). YAML is easy to read, so feel free to take and change what you need for your environment:

Description: 

    This template deploys a VPC, with three public and private subnets spread 
    across three Availability Zones. It deploys an Internet Gateway, with a default 
    route in the public subnets. It deploys three NAT Gateways (one in each AZ), 
    and default routes for them in the private subnets. It deploys a VPN gateway,
    attaches the gateway to the VPC and enables route propagation in all route tables.

Parameters:
    EnvironmentName:
        Description: An environment name that will be prefixed to resource names
        Type: String
        Default: thenetworkstack
    EnvironmentLocation:
        Description: Name of the AWS region that is being used (ex. us-west-2)
        Type: String
        Default: us-west-2
    VpcCIDR:
        Description: Please enter the IP range (CIDR notation) for this VPC
        Type: String
        Default: 10.64.0.0/19
    PublicSubnet1CIDR:
        Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
        Type: String
        Default: 10.64.0.0/22
    PublicSubnet2CIDR:
        Description: Please enter the IP range (CIDR notation) for the public subnet in the second Availability Zone
        Type: String
        Default: 10.64.4.0/22
    PublicSubnet3CIDR:
        Description: Please enter the IP range (CIDR notation) for the public subnet in the third Availability Zone
        Type: String
        Default: 10.64.8.0/22
    PrivateSubnet1CIDR:
        Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone
        Type: String
        Default: 10.64.16.0/22
    PrivateSubnet2CIDR:
        Description: Please enter the IP range (CIDR notation) for the private subnet in the second Availability Zone
        Type: String
        Default: 10.64.20.0/22
    PrivateSubnet3CIDR:
        Description: Please enter the IP range (CIDR notation) for the private subnet in the third Availability Zone
        Type: String
        Default: 10.64.24.0/22
Resources:
    VPC: 
        Type: AWS::EC2::VPC
        Properties:
            CidrBlock: !Ref VpcCIDR
            EnableDnsSupport: True
            EnableDnsHostnames: True
            Tags: 
                - Key: Name 
                  Value: !Sub ${EnvironmentName}-vpc
    InternetGateway:
        Type: AWS::EC2::InternetGateway
        Properties:
            Tags:
                - Key: Name
                  Value: !Sub ${EnvironmentName}-igw
    VPNGateway: 
        Type: AWS::EC2::VPNGateway
        Properties: 
            Type: ipsec.1
            Tags: 
                - Key: Name
                  Value: !Sub ${EnvironmentName}-vpg
    InternetGatewayAttachment:
        Type: AWS::EC2::VPCGatewayAttachment
        Properties:
            InternetGatewayId: !Ref InternetGateway
            VpcId: !Ref VPC
    VPNGatewayAttachment:
        Type: AWS::EC2::VPCGatewayAttachment
        Properties:
            VpnGatewayId: !Ref VPNGateway
            VpcId: !Ref VPC
    PublicSubnet1: 
        Type: AWS::EC2::Subnet
        Properties:
            VpcId: !Ref VPC
            AvailabilityZone: !Select [ 0, !GetAZs '' ]
            CidrBlock: !Ref PublicSubnet1CIDR
            MapPublicIpOnLaunch: true
            Tags: 
                - Key: Name 
                  Value: !Sub ${EnvironmentName}-public-${EnvironmentLocation}a
    PublicSubnet2: 
        Type: AWS::EC2::Subnet
        Properties:
            VpcId: !Ref VPC
            AvailabilityZone: !Select [ 1, !GetAZs '' ]
            CidrBlock: !Ref PublicSubnet2CIDR
            MapPublicIpOnLaunch: true
            Tags: 
                - Key: Name 
                  Value: !Sub ${EnvironmentName}-public-${EnvironmentLocation}b
    PublicSubnet3: 
        Type: AWS::EC2::Subnet
        Properties:
            VpcId: !Ref VPC
            AvailabilityZone: !Select [ 2, !GetAZs '' ]
            CidrBlock: !Ref PublicSubnet3CIDR
            MapPublicIpOnLaunch: true
            Tags: 
                - Key: Name 
                  Value: !Sub ${EnvironmentName}-public-${EnvironmentLocation}c
    PrivateSubnet1: 
        Type: AWS::EC2::Subnet
        Properties:
            VpcId: !Ref VPC
            AvailabilityZone: !Select [ 0, !GetAZs '' ]
            CidrBlock: !Ref PrivateSubnet1CIDR
            MapPublicIpOnLaunch: false
            Tags: 
                - Key: Name 
                  Value: !Sub ${EnvironmentName}-private-${EnvironmentLocation}a
    PrivateSubnet2: 
        Type: AWS::EC2::Subnet
        Properties:
            VpcId: !Ref VPC
            AvailabilityZone: !Select [ 1, !GetAZs '' ]
            CidrBlock: !Ref PrivateSubnet2CIDR
            MapPublicIpOnLaunch: false
            Tags: 
                - Key: Name 
                  Value: !Sub ${EnvironmentName}-private-${EnvironmentLocation}b
    PrivateSubnet3: 
        Type: AWS::EC2::Subnet
        Properties:
            VpcId: !Ref VPC
            AvailabilityZone: !Select [ 2, !GetAZs '' ]
            CidrBlock: !Ref PrivateSubnet3CIDR
            MapPublicIpOnLaunch: false
            Tags: 
                - Key: Name 
                  Value: !Sub ${EnvironmentName}-private-${EnvironmentLocation}c
    NatGateway1EIP:
        Type: AWS::EC2::EIP
        DependsOn: InternetGatewayAttachment
        Properties: 
            Domain: vpc
    NatGateway2EIP:
        Type: AWS::EC2::EIP
        DependsOn: InternetGatewayAttachment
        Properties:
            Domain: vpc
    NatGateway3EIP:
        Type: AWS::EC2::EIP
        DependsOn: InternetGatewayAttachment
        Properties:
            Domain: vpc
    NatGateway1: 
        Type: AWS::EC2::NatGateway
        Properties: 
            AllocationId: !GetAtt NatGateway1EIP.AllocationId
            SubnetId: !Ref PublicSubnet1
            Tags:
                - Key: Name
                  Value: !Sub ${EnvironmentName}-${EnvironmentLocation}a
    NatGateway2: 
        Type: AWS::EC2::NatGateway
        Properties:
            AllocationId: !GetAtt NatGateway2EIP.AllocationId
            SubnetId: !Ref PublicSubnet2
            Tags:
                - Key: Name
                  Value: !Sub ${EnvironmentName}-${EnvironmentLocation}b
    NatGateway3: 
        Type: AWS::EC2::NatGateway
        Properties:
            AllocationId: !GetAtt NatGateway3EIP.AllocationId
            SubnetId: !Ref PublicSubnet3
            Tags:
                - Key: Name
                  Value: !Sub ${EnvironmentName}-${EnvironmentLocation}c
    PublicRouteTable:
        Type: AWS::EC2::RouteTable
        Properties: 
            VpcId: !Ref VPC
            Tags: 
                - Key: Name 
                  Value: !Sub ${EnvironmentName}-public
    DefaultPublicRoute: 
        Type: AWS::EC2::Route
        DependsOn: InternetGatewayAttachment
        Properties: 
            RouteTableId: !Ref PublicRouteTable
            DestinationCidrBlock: 0.0.0.0/0
            GatewayId: !Ref InternetGateway
    PublicSubnet1RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
            RouteTableId: !Ref PublicRouteTable
            SubnetId: !Ref PublicSubnet1
    PublicSubnet2RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
            RouteTableId: !Ref PublicRouteTable
            SubnetId: !Ref PublicSubnet2
    PublicSubnet3RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
            RouteTableId: !Ref PublicRouteTable
            SubnetId: !Ref PublicSubnet3
    PrivateRouteTable1:
        Type: AWS::EC2::RouteTable
        Properties: 
            VpcId: !Ref VPC
            Tags: 
                - Key: Name 
                  Value: !Sub ${EnvironmentName}-private-${EnvironmentLocation}a
    DefaultPrivateRoute1:
        Type: AWS::EC2::Route
        Properties:
            RouteTableId: !Ref PrivateRouteTable1
            DestinationCidrBlock: 0.0.0.0/0
            NatGatewayId: !Ref NatGateway1
    PrivateSubnet1RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
            RouteTableId: !Ref PrivateRouteTable1
            SubnetId: !Ref PrivateSubnet1
    PrivateRouteTable2:
        Type: AWS::EC2::RouteTable
        Properties: 
            VpcId: !Ref VPC
            Tags: 
                - Key: Name 
                  Value: !Sub ${EnvironmentName}-private-${EnvironmentLocation}b
    DefaultPrivateRoute2:
        Type: AWS::EC2::Route
        Properties:
            RouteTableId: !Ref PrivateRouteTable2
            DestinationCidrBlock: 0.0.0.0/0
            NatGatewayId: !Ref NatGateway2
    PrivateSubnet2RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
            RouteTableId: !Ref PrivateRouteTable2
            SubnetId: !Ref PrivateSubnet2
    PrivateRouteTable3:
        Type: AWS::EC2::RouteTable
        Properties: 
            VpcId: !Ref VPC
            Tags: 
                - Key: Name 
                  Value: !Sub ${EnvironmentName}-private-${EnvironmentLocation}c
    DefaultPrivateRoute3:
        Type: AWS::EC2::Route
        Properties:
            RouteTableId: !Ref PrivateRouteTable3
            DestinationCidrBlock: 0.0.0.0/0
            NatGatewayId: !Ref NatGateway3
    PrivateSubnet3RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
            RouteTableId: !Ref PrivateRouteTable3
            SubnetId: !Ref PrivateSubnet3
    VPNGatewayRouteProp: 
        Type: "AWS::EC2::VPNGatewayRoutePropagation"
        Properties:
            RouteTableIds: [!Ref PublicRouteTable, !Ref PrivateRouteTable1, !Ref PrivateRouteTable2, !Ref PrivateRouteTable3]
            VpnGatewayId: !Ref VPNGateway
        DependsOn: VPNGatewayAttachment
Outputs: 
    VPC: 
        Description: A reference to the created VPC
        Value: !Ref VPC
    PublicSubnets:
        Description: A list of the public subnets
        Value: !Join [ ",", [ !Ref PublicSubnet1, !Ref PublicSubnet2, !Ref PublicSubnet3 ]]
    PrivateSubnets:
        Description: A list of the private subnets
        Value: !Join [ ",", [ !Ref PrivateSubnet1, !Ref PrivateSubnet2, !Ref PrivateSubnet3 ]]
    PublicSubnet1:
        Description: A reference to the public subnet in the 1st Availability Zone
        Value: !Ref PublicSubnet1
    PublicSubnet2: 
        Description: A reference to the public subnet in the 2nd Availability Zone
        Value: !Ref PublicSubnet2
    PublicSubnet3: 
        Description: A reference to the public subnet in the 3rd Availability Zone
        Value: !Ref PublicSubnet3
    PrivateSubnet1:
        Description: A reference to the private subnet in the 1st Availability Zone
        Value: !Ref PrivateSubnet1
    PrivateSubnet2: 
        Description: A reference to the private subnet in the 2nd Availability Zone
        Value: !Ref PrivateSubnet2
    PrivateSubnet3: 
        Description: A reference to the private subnet in the 3rd Availability Zone
        Value: !Ref PrivateSubnet3
    VPNGateway:
        Description: A reference to the VPNGateway created in the VPC
        Value: !Ref VPNGateway

Once your YAML file is setup the way you want, you can log into your AWS account and then:

  1. Click Services -> CloudFormation -> Create new stack
  2. Click "Upload a template to Amazon S3" and choose your YAML file
  3. Give the stack a name, ex: prod-us-west-vpc
  4. Change any default parameters if needed, then click "Next" and "Create"

Your VPC will be created in the region the GUI is set to, and you can easily delete everything you created by deleting the CloudFormation stack.