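# Quoted so a generic YAML 1.1 loader does not turn the version into a date.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Launches a NAT instance for external outbound connectivity (qs-1nb14cqca)'
Metadata:
  Stack:
    Value: 2
  VersionDate:
    # Quoted: this is an identifier, not an integer.
    Value: '20160510'
  Identifier:
    Value: template-nat-instance
  Input:
    # This template takes no CIDR blocks; every network input is an AWS resource ID.
    Description: Subnet, security group, route table and EIP allocation IDs; VPC name and ID; KeyName; EC2 instance type and AMI
  Output:
    Description: Outputs the IDs of the NAT instance and its network interface
Parameters:
  pDMZSubnetA:
    Description: Public (DMZ) subnet the NAT instance is launched into
    Type: String
    Default: ''
  pSecurityGroupSSHFromVpc:
    Description: Security group permitting SSH (TCP/22) to the NAT instance from inside the VPC
    Type: String
    Default: ''
  pSecurityGroupVpcNat:
    # This group is the only thing limiting which sources get forwarded; the
    # iptables rule in UserData masquerades any source address.
    Description: Security group permitting NAT traffic from the private (production) subnets
    Type: String
    Default: ''
  pEC2KeyPair:
    Description: Key pair name for the instance; leave blank to launch without an SSH key pair
    Type: String
    Default: ''
  pNatInstanceType:
    # NOTE(review): m3 is a previous-generation family; confirm it is still
    # launchable in the target region before relying on this default.
    Description: NAT EC2 instance type
    Type: String
    Default: m3.large
  pNatAmi:
    Description: AMI to use for the NAT instance (the UserData assumes an Amazon Linux style image whose primary interface is eth0)
    Type: String
    Default: ''
  pVpcName:
    Description: Name of VPC used for naming resources
    Type: String
    Default: ''
  pVpcId:
    Description: ID of VPC used for routing
    Type: String
    Default: ''
  pRouteTablePrivateA:
    Description: Private route table whose default route is pointed at the NAT instance
    Type: String
    Default: ''
  pRouteTablePrivateB:
    Description: Optional second private route table; leave blank to add only one route
    Type: String
    Default: ''
  pEipNatAllocationId:
    # No default: the EIP must already exist and be allocated to this account.
    Description: Allocation ID for NAT EIP
    Type: String
Conditions:
  cAddRouteForSecondSubnet: !Not [!Equals [!Ref pRouteTablePrivateB, '']]
  # An empty KeyName is rejected at launch; only set it when a name was given.
  cHasKeyPair: !Not [!Equals [!Ref pEC2KeyPair, '']]
Resources:
  rNatInstanceEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref pDMZSubnetA
      GroupSet:
        - !Ref pSecurityGroupSSHFromVpc
        - !Ref pSecurityGroupVpcNat
      # A NAT device forwards packets that are neither from nor to itself, so
      # the source/destination check is disabled on the interface as well as
      # on the instance (see rNatInstance below).
      SourceDestCheck: false
      Description: Interface for ProductionNat device
      Tags:
        - Key: Network
          Value: ProductionNatDevice
  rNatInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref pNatInstanceType
      SourceDestCheck: false
      KeyName: !If [cHasKeyPair, !Ref pEC2KeyPair, !Ref 'AWS::NoValue']
      Tags:
        - Key: Name
          Value: !Sub '${pVpcName} NAT device used for patching'
      # Fn::Sub is kept for parity with the rest of the template; the script
      # currently contains no substitutions. If a shell variable of the form
      # $ { NAME } is ever added here it must be escaped as $ {!NAME }.
      UserData: !Base64
        'Fn::Sub': |
          #!/bin/sh
          # Stop at the first failure so a half-configured NAT shows up as a
          # failed UserData run instead of silently forwarding traffic.
          set -e
          echo 1 > /proc/sys/net/ipv4/ip_forward
          # A NAT instance receives and forwards on the same interface, so the
          # kernel would otherwise send ICMP redirects to the private hosts.
          # Disable redirects on every interface, not just eth0.
          echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
          echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
          echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
          # Masquerade everything leaving via eth0. Source filtering is left to
          # the attached security groups; eth0 is assumed to be the primary
          # interface of the chosen AMI.
          /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 0.0.0.0/0 -j MASQUERADE
          # Persist the rule; the AMI's iptables service is expected to load
          # this file at boot.
          /sbin/iptables-save > /etc/sysconfig/iptables
          mkdir -p /etc/sysctl.d/
          cat <<EOF > /etc/sysctl.d/nat.conf
          net.ipv4.ip_forward = 1
          net.ipv4.conf.all.send_redirects = 0
          net.ipv4.conf.default.send_redirects = 0
          net.ipv4.conf.eth0.send_redirects = 0
          EOF
      ImageId: !Ref pNatAmi
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref rNatInstanceEni
          DeviceIndex: 0
  AssociateEipNat:
    Type: AWS::EC2::EIPAssociation
    # The EIP is attached to the ENI, but only once the instance that owns it
    # exists.
    DependsOn:
      - rNatInstance
    Properties:
      AllocationId: !Ref pEipNatAllocationId
      NetworkInterfaceId: !Ref rNatInstanceEni
  # Default route for the first private route table -> NAT instance.
  rRouteProdPrivateANatInstance:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      RouteTableId: !Ref pRouteTablePrivateA
      InstanceId: !Ref rNatInstance
  # Same for the optional second route table.
  rRouteProdPrivateBNatInstance:
    Type: AWS::EC2::Route
    Condition: cAddRouteForSecondSubnet
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      RouteTableId: !Ref pRouteTablePrivateB
      InstanceId: !Ref rNatInstance
Outputs:
  rNatInstanceId:
    Description: ID of the NAT instance
    Value: !Ref rNatInstance
  rNatInstanceEniId:
    Description: ID of the NAT instance's network interface
    Value: !Ref rNatInstanceEni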