AWSTemplateFormatVersion: "2010-09-09" Description: vRX Stack # ------------------------------------------------------------ # # パラメータのグループ化 # ------------------------------------------------------------ # Metadata: "AWS::CloudFormation::Interface": ParameterGroups: - Label: default: "Common Configuration" Parameters: - Prefix - Label: default: "Network" Parameters: - VPCAddressClass - Label: default: "EC2" Parameters: - KeyPair - InstanceType - Label: default: "vRX" Parameters: - LicenseUserName - LicensePassword - License1stLine - License2ndLine - PPPAuthUserName - PPPAuthPassword - L2TPClientAddressRange - PreSharedKey ParameterLabels: VPCAddressClass: default: "VPC Network Address Class" KeyPair: default: "EC2 Key Pair" InstanceType: default: "EC2 Instance Type" LicenseUserName: default: "License User Name" LicensePassword: default: "License Password" License1stLine: default: "vRX Basic License" License2ndLine: default: "vRX Option License" PPPAuthUserName: default: "PPP Auth User Name" PPPAuthPassword: default: "PPP Auth Password" L2TPClientAddressRange: default: "L2TP Client Address Range" PreSharedKey: default: "Pre-Shared Key" # ------------------------------------------------------------# # 入力パラメータ設定 # ------------------------------------------------------------# Parameters: Prefix: Type: String Description: "Name of your vRX (Any word)" Default: Default-vRX VPCAddressClass: Type: String Description: "Select network-address Class for VPC (ClassA:10.0.0.0/16, ClassB:172.16.0.0/16, ClassC:192.168.0.0/16)" Default: ClassB AllowedValues: - ClassA - ClassB - ClassC KeyPair: Description: "Select SSH key-pair to vRX" Type: AWS::EC2::KeyPair::KeyName MinLength: 1 ConstraintDescription: "Select the SSH key-pair to vRX" InstanceType: Description: "Select EC2 Instance Type supported by vRX" Type: String Default: t3.medium AllowedValues: - t3.medium - c5.large - c5.xlarge ConstraintDescription: "Must be a valid EC2 instance type" LicenseUserName: Description: "Copy User ID of vRX license and paste here" Type: String LicensePassword: Description: "Copy Password of vRX license and paste here" NoEcho: true Type: String License1stLine: Description: "Copy 1st line in license file and paste here" NoEcho: true Type: String License2ndLine: Description: "Copy 2nd line in license file and paste here" NoEcho: true Type: String PPPAuthUserName: Description: "L2TP/IPsec client user name for authentication" MinLength: 1 Type: String PPPAuthPassword: Description: "L2TP/IPsec client password for authentication" NoEcho: true Type: String L2TPClientAddressRange: Type: String Description: Please do not select the same network address as VPC Default: 192.168.10.10-192.168.10.100 AllowedValues: - 10.0.0.10-10.0.10.100 - 172.16.10.10-172.16.10.100 - 192.168.10.10-192.168.10.100 PreSharedKey: Description: "Must be same as Physical Yamaha router's parameter (Check command: ipsec_ike_pre-shared-key KEY)" NoEcho: true Type: String # ------------------------------------------------------------# # マッピング # ------------------------------------------------------------# Mappings: ClassMap: ClassA: VPCCidrBlock: 10.0.0.0/16 Lan1CidrBlock: 10.0.1.0/24 Lan2CidrBlock: 10.0.2.0/24 Lan1vRXIPaddress: 10.0.1.254 Lan2vRXIPaddress: 10.0.2.254 ClassB: VPCCidrBlock: 172.16.0.0/16 Lan1CidrBlock: 172.16.1.0/24 Lan2CidrBlock: 172.16.2.0/24 Lan1vRXIPaddress: 172.16.1.254 Lan2vRXIPaddress: 172.16.2.254 ClassC: VPCCidrBlock: 192.168.0.0/16 Lan1CidrBlock: 192.168.1.0/24 Lan2CidrBlock: 192.168.2.0/24 Lan1vRXIPaddress: 192.168.1.254 Lan2vRXIPaddress: 192.168.2.254 Resources: # ------------------------------------------------------------# # VPC # ------------------------------------------------------------# # VPC 作成 VPC: Type: "AWS::EC2::VPC" Properties: CidrBlock: !FindInMap [ ClassMap, !Ref VPCAddressClass, VPCCidrBlock ] EnableDnsSupport: "true" EnableDnsHostnames: "true" InstanceTenancy: default Tags: - Key: Name Value: !Sub "${Prefix}_vpc" # インターネットゲートウェイ作成 InternetGateway: Type: "AWS::EC2::InternetGateway" Properties: Tags: - Key: Name Value: !Sub "${Prefix}_internet-gw" # インターネットゲートウェイをVPCにアタッチ InternetGatewayAttachment: Type: "AWS::EC2::VPCGatewayAttachment" Properties: InternetGatewayId: !Ref InternetGateway VpcId: !Ref VPC # ------------------------------------------------------------# # Subnet # ------------------------------------------------------------# # LAN1サブネットの作成 SubnetLan1: Type: "AWS::EC2::Subnet" Properties: AvailabilityZone: !Select - 0 - Fn::GetAZs: !Ref AWS::Region CidrBlock: !FindInMap [ ClassMap, !Ref VPCAddressClass, Lan1CidrBlock ] VpcId: !Ref VPC Tags: - Key: Name Value: !Sub "${Prefix}_subnet-lan1" # LAN2サブネットの作成 SubnetLan2: Type: "AWS::EC2::Subnet" Properties: AvailabilityZone: !Select - 0 - Fn::GetAZs: !Ref AWS::Region CidrBlock: !FindInMap [ ClassMap, !Ref VPCAddressClass, Lan2CidrBlock ] VpcId: !Ref VPC Tags: - Key: Name Value: !Sub "${Prefix}_subnet-lan2" # ------------------------------------------------------------# # ルートテーブル # ------------------------------------------------------------# # LAN1用ルートテーブルの作成 RouteTableLan1: Type: "AWS::EC2::RouteTable" Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub "${Prefix}_route_table_lan1" # LAN2用ルートテーブルの作成 RouteTableLan2: Type: "AWS::EC2::RouteTable" Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub "${Prefix}_route_table_lan2" # ------------------------------------------------------------# # Routing # ------------------------------------------------------------# # LAN2用ルートテーブルへのルート追加 Lan2Route: Type: "AWS::EC2::Route" Properties: RouteTableId: !Ref RouteTableLan2 DestinationCidrBlock: "0.0.0.0/0" GatewayId: !Ref InternetGateway DependsOn: InternetGatewayAttachment # ------------------------------------------------------------# # ルートテーブルのアタッチ # ------------------------------------------------------------# # LAN1用ルートテーブルのサブネットへのアタッチ RouteTableLan1Association: Type: "AWS::EC2::SubnetRouteTableAssociation" Properties: SubnetId: !Ref SubnetLan1 RouteTableId: !Ref RouteTableLan1 # LAN2用ルートテーブルのサブネットへのアタッチ RouteTableLan2Association: Type: "AWS::EC2::SubnetRouteTableAssociation" Properties: SubnetId: !Ref SubnetLan2 RouteTableId: !Ref RouteTableLan2 # ------------------------------------------------------------# # EC2 # ------------------------------------------------------------# # vRX EC2インスタンス作成 EC2vRX: Type: AWS::EC2::Instance Properties: ImageId: ami-xxxxxxxxxxxxxxxxx InstanceType: !Ref InstanceType KeyName: !Ref KeyPair NetworkInterfaces: - NetworkInterfaceId: !Ref NetworkInterfaceLan1 DeviceIndex: 0 - NetworkInterfaceId: !Ref NetworkInterfaceLan2 DeviceIndex: 1 UserData: Fn::Base64: !Sub - l administrator vrx user ${licuser} ${licpass} import vrx license key ${lic1} y import vrx license key ${lic2} y ip route default gateway dhcp lan2 ip lan1 address dhcp ip lan2 address dhcp ip lan2 nat descriptor 1 pp select anonymous pp bind tunnel1 pp auth request mschap-v2 pp auth username ${pppuser} ${ppppass} ppp ipcp ipaddress on ppp ipcp msext on ip pp remote address pool ${remoterange} ip pp mtu 1258 pp enable anonymous tunnel select 1 tunnel encapsulation l2tp ipsec tunnel 1 ipsec sa policy 1 1 esp aes-cbc sha-hmac ipsec ike keepalive use 1 off ipsec ike nat-traversal 1 on ipsec ike pre-shared-key 1 text ${pskey} ipsec ike remote address 1 any l2tp tunnel disconnect time off l2tp syslog on ip tunnel tcp mss limit auto tunnel enable 1 nat descriptor type 1 masquerade nat descriptor address outer 1 primary nat descriptor masquerade static 1 1 ${vRXip} udp 500 nat descriptor masquerade static 1 2 ${vRXip} udp 4500 nat descriptor masquerade static 1 3 ${vRXip} tcp 22 ipsec auto refresh on ipsec transport 1 1 udp 1701 l2tp service on save - licuser: !Ref LicenseUserName licpass: !Ref LicensePassword lic1: !Ref License1stLine lic2: !Ref License2ndLine pskey: !Ref PreSharedKey pppuser: !Ref PPPAuthUserName ppppass: !Ref PPPAuthPassword remoterange: !Ref L2TPClientAddressRange vRXip: !FindInMap [ ClassMap, !Ref VPCAddressClass, Lan1vRXIPaddress ] Tags: - Key: Name Value: !Sub "${Prefix}" DependsOn: - NetworkInterfaceLan1 - NetworkInterfaceLan2 # ------------------------------------------------------------# # ネットワークインターフェース # ------------------------------------------------------------# # vRX インスタンス用 LAN1 NetworkInterface 作成 NetworkInterfaceLan1: Type: AWS::EC2::NetworkInterface Properties: SourceDestCheck: 'false' GroupSet: - !Ref SecurityGroupLan1 SubnetId: !Ref SubnetLan1 PrivateIpAddress: !FindInMap [ ClassMap, !Ref VPCAddressClass, Lan1vRXIPaddress ] # vRX インスタンス用 LAN2 NetworkInterface 作成 NetworkInterfaceLan2: Type: AWS::EC2::NetworkInterface Properties: SourceDestCheck: 'false' GroupSet: - !Ref SecurityGroupLan2 SubnetId: !Ref SubnetLan2 PrivateIpAddress: !FindInMap [ ClassMap, !Ref VPCAddressClass, Lan2vRXIPaddress ] # ------------------------------------------------------------# # SecurityGroup # ------------------------------------------------------------# # LAN1 SecurityGroup 作成 SecurityGroupLan1: Type: AWS::EC2::SecurityGroup Properties: GroupName: !Sub ${Prefix}_lan1_sg GroupDescription: !Sub ${Prefix}_lan1_sg SecurityGroupIngress: - IpProtocol: -1 CidrIp: !FindInMap [ ClassMap, !Ref VPCAddressClass, VPCCidrBlock ] Tags: - Key: Name Value: !Sub "${Prefix}_lan1_sg" VpcId: !Ref VPC # LAN2 SecurityGroup 作成 SecurityGroupLan2: Type: AWS::EC2::SecurityGroup Properties: GroupName: !Sub ${Prefix}_lan2_sg GroupDescription: !Sub ${Prefix}_lan2_sg SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 - IpProtocol: udp FromPort: 500 ToPort: 500 CidrIp: 0.0.0.0/0 - IpProtocol: udp FromPort: 4500 ToPort: 4500 CidrIp: 0.0.0.0/0 Tags: - Key: Name Value: !Sub "${Prefix}_lan2_sg" VpcId: !Ref VPC # ------------------------------------------------------------# # ElasticIp # ------------------------------------------------------------# # ElasticIp 作成 ElasticIp: Type: AWS::EC2::EIP Properties: Domain: !Ref VPC # ElasticIpを vRX LAN2 ネットワークインターフェースに割当 AssociateElasticIp: Type: AWS::EC2::EIPAssociation Properties: AllocationId: !GetAtt ElasticIp.AllocationId NetworkInterfaceId: !Ref NetworkInterfaceLan2 # ------------------------------------------------------------# # Output Parameters # ------------------------------------------------------------# Outputs: # VPC VPC: Value: !Ref VPC Export: Name: !Sub "${Prefix}-vpc" VPCCIDR: Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, VPCCidrBlock ] Export: Name: !Sub "${Prefix}-vpc-cidr" # Subnet Lan1SubnetCIDR: Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, Lan1CidrBlock ] Export: Name: !Sub "${Prefix}-lan1-cidr" Lan2SubnetCIDR: Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, Lan2CidrBlock ] Export: Name: !Sub "${Prefix}-lan2-cidr" # EC2 vRXLAN1IP: Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, Lan1vRXIPaddress ] Export: Name: !Sub "${Prefix}-vrx-lan1-ip" vRXLAN2IP: Value: !FindInMap [ ClassMap, !Ref VPCAddressClass, Lan2vRXIPaddress ] Export: Name: !Sub "${Prefix}-vrx-lan2-ip" # ElasticIP ElasticIP: Value: !Ref ElasticIp Export: Name: !Sub "${Prefix}-ElasticIp" # L2TPClient L2TPClientIPaddress: Value: !Ref L2TPClientAddressRange Export: Name: !Sub "${Prefix}-l2tp-ip-range"