【AWS学習記録1回目】Amazon VPC間およびAmazon VPCとオンプレミスのプライベートネットワークのハンズオンをやってみた
概要
学習として「AWS Hands-on for Beginners Network編#2 Amazon VPC間およびAmazon VPCとオンプレミスのプライベートネットワーク接続」をCloudFormationでハンズオンしてみました。
学習される方の参考になれば幸いです
※記述内容は動画の内容と全て一致しているわけではないので、注意してください。
CloudFormation
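AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Hands-on network: a Main VPC (10.0.0.0/16) peered with a Peering VPC
  (10.1.0.0/16) and connected to an "on-premises" VPC (192.168.0.0/16)
  through a Site-to-Site VPN (BGP, ASN 65000) terminated on an EC2 router
  instance that plays the customer gateway.

Parameters:
  # Hoisted from the three hard-coded `KeyName: keypair` entries; the default
  # keeps the original behaviour, the type makes CloudFormation validate that
  # the key pair exists before any instance is created.
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Default: keypair
    Description: Existing EC2 key pair assigned to the three instances.

Resources:
  #======================
  # VPC
  #======================
  MainVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
  PeeringVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.1.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
  # Stands in for the on-premises data centre in this hands-on.
  OnPremisesVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 192.168.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true

  #======================
  # InternetGateway
  #======================
  MainInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: MainInternetGateway
  PeeringInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: PeeringInternetGateway
  OnPremisesInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: OnPremisesInternetGateway

  #======================
  # VPCGatewayAttachment (Internet gateways)
  #======================
  MainVPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MainVpc
      InternetGatewayId: !Ref MainInternetGateway
  PeeringVpcGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref PeeringVpc
      InternetGatewayId: !Ref PeeringInternetGateway
  OnPremisesVpcGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref OnPremisesVpc
      InternetGatewayId: !Ref OnPremisesInternetGateway

  #======================
  # Subnet
  #======================
  MainPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: ap-northeast-1a
      VpcId: !Ref MainVpc
      CidrBlock: 10.0.0.0/24
  PeeringPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: ap-northeast-1a
      VpcId: !Ref PeeringVpc
      CidrBlock: 10.1.0.0/24
  OnPremisesPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: ap-northeast-1a
      VpcId: !Ref OnPremisesVpc
      CidrBlock: 192.168.0.0/24

  #======================
  # RouteTable
  #======================
  MainPublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MainVpc
  PeeringPublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref PeeringVpc
  OnPremisesPublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref OnPremisesVpc

  #======================
  # Route
  #======================
  # A route that targets an Internet gateway or a VPN gateway can only be
  # created once that gateway is attached to the VPC; the Ref alone does not
  # express that ordering, so each such route declares DependsOn explicitly.
  MainPublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: MainVPCGatewayAttachment
    Properties:
      RouteTableId: !Ref MainPublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref MainInternetGateway
  MainPublicToPeeringPublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref MainPublicRouteTable
      DestinationCidrBlock: 10.1.0.0/16
      VpcPeeringConnectionId: !Ref VPCPeeringConnection
  # Static route towards the on-premises range over the VGW. The same prefix is
  # also learned dynamically via VPNGatewayRoutePropagation below (the VPN is
  # BGP-based, StaticRoutesOnly: false); the static entry takes precedence.
  MainPublicToOnPPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref MainPublicRouteTable
      DestinationCidrBlock: 192.168.0.0/16
      GatewayId: !Ref VPNGateway
  PeeringPublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: PeeringVpcGatewayAttachment
    Properties:
      RouteTableId: !Ref PeeringPublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref PeeringInternetGateway
  PeeringPublicToMainPublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PeeringPublicRouteTable
      DestinationCidrBlock: 10.0.0.0/16
      VpcPeeringConnectionId: !Ref VPCPeeringConnection
  OnPremisesPublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: OnPremisesVpcGatewayAttachment
    Properties:
      RouteTableId: !Ref OnPremisesPublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref OnPremisesInternetGateway
  # On-premises hosts reach the Main VPC through the customer-gateway instance,
  # which therefore runs with SourceDestCheck disabled.
  OnPremisesPublicToMainPublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref OnPremisesPublicRouteTable
      DestinationCidrBlock: 10.0.0.0/16
      InstanceId: !Ref CGWPEc2

  #======================
  # SubnetRouteTableAssociation
  #======================
  MainPublicRouteTableAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref MainPublicSubnet
      RouteTableId: !Ref MainPublicRouteTable
  PeeringPublicRouteTableAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PeeringPublicSubnet
      RouteTableId: !Ref PeeringPublicRouteTable
  OnPremisesPublicRouteTableAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref OnPremisesPublicSubnet
      RouteTableId: !Ref OnPremisesPublicRouteTable

  #======================
  # VPCPeeringConnection
  #======================
  # Same-account, same-region peering: auto-accepted, no peer role needed.
  VPCPeeringConnection:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      PeerVpcId: !Ref PeeringVpc
      VpcId: !Ref MainVpc

  #======================
  # Instance
  #======================
  # Logical ID keeps the original spelling ("Perring"); it is referenced below.
  PerringEc2:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: ap-northeast-1a
      ImageId: ami-0b5c74e235ed808b9
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      NetworkInterfaces:
        # Reached only over the peering link (SG admits SSH from 10.0.0.0/16),
        # so no public address -- made explicit to match the other instances.
        - AssociatePublicIpAddress: false
          DeleteOnTermination: true
          DeviceIndex: 0
          GroupSet:
            - !Ref PerringEc2SecGroup
          PrivateIpAddress: 10.1.0.100
          SubnetId: !Ref PeeringPublicSubnet
  # Customer-gateway router (Vyatta in the hands-on). Its public address is
  # the Elastic IP below; SourceDestCheck is off because it forwards traffic
  # that is neither sourced from nor destined to itself.
  CGWPEc2:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: ap-northeast-1a
      ImageId: ami-0906a66122aad8c23
      InstanceType: c5n.large
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: false
          DeleteOnTermination: true
          DeviceIndex: 0
          GroupSet:
            - !Ref CGWEc2SecGroup
          PrivateIpAddress: 192.168.0.200
          SubnetId: !Ref OnPremisesPublicSubnet
      SourceDestCheck: false
  OnPEc2:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: ap-northeast-1a
      ImageId: ami-0b5c74e235ed808b9
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: false
          DeleteOnTermination: true
          DeviceIndex: 0
          GroupSet:
            - !Ref OnPEc2SecGroup
          PrivateIpAddress: 192.168.0.100
          SubnetId: !Ref OnPremisesPublicSubnet

  #======================
  # EIP
  #======================
  # Stable public endpoint for the customer gateway; its PublicIp feeds
  # CustomerGateway.IpAddress.
  EIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
      InstanceId: !Ref CGWPEc2

  #======================
  # SecurityGroup
  #======================
  PerringEc2SecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: PerringEc2SecGroup
      GroupDescription: PerringEc2SecGroup
      VpcId: !Ref PeeringVpc
      SecurityGroupIngress:
        # SSH only from the Main VPC, i.e. across the peering connection.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.0/16
  CGWEc2SecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: CGWEc2SecGroup
      GroupDescription: CGWEc2SecGroup
      VpcId: !Ref OnPremisesVpc
      SecurityGroupIngress:
        # NOTE(review): SSH is open to the whole Internet on the EIP-bearing
        # router; narrow CidrIp to the operator's address range. Nothing here
        # admits IKE/IPsec (UDP 500/4500, ESP) from the VGW tunnel endpoints or
        # the on-premises subnet's transit traffic -- confirm against the
        # hands-on whether the tunnel relies on the router initiating.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  OnPEc2SecGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: OnPEc2SecGroup
      GroupDescription: OnPEc2SecGroup
      VpcId: !Ref OnPremisesVpc
      SecurityGroupIngress:
        # SSH only from the Main VPC, arriving through the VPN tunnel.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.0/16

  #======================
  # EnvironmentEC2
  #======================
  # Cloud9 IDE in the Main VPC, used as the jump host for the exercise.
  # NOTE(review): CONNECT_SSH requires inbound SSH reachability to the Cloud9
  # instance; CONNECT_SSM avoids that exposure -- consider it if the hands-on
  # does not depend on SSH.
  EnvironmentEC2:
    Type: AWS::Cloud9::EnvironmentEC2
    Properties:
      ConnectionType: CONNECT_SSH
      ImageId: amazonlinux-2023-x86_64
      InstanceType: t2.micro
      SubnetId: !Ref MainPublicSubnet

  #======================
  # CustomerGateway
  #======================
  # ASN 65000 must match the BGP process configured on the router instance.
  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      BgpAsn: 65000
      IpAddress: !GetAtt EIP.PublicIp
      Type: ipsec.1

  #======================
  # VPNGateway
  #======================
  VPNGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1

  #======================
  # VPCGatewayAttachment (VPN gateway -> Main VPC)
  #======================
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MainVpc
      VpnGatewayId: !Ref VPNGateway

  #======================
  # VPNConnection
  #======================
  # Dynamic (BGP) VPN: on-premises prefixes are advertised by the router and
  # propagated into MainPublicRouteTable by the resource below.
  VPNConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      CustomerGatewayId: !Ref CustomerGateway
      StaticRoutesOnly: false
      Type: ipsec.1
      VpnGatewayId: !Ref VPNGateway

  #======================
  # VPNGatewayRoutePropagation
  #======================
  # Route propagation requires the VGW to be attached to the VPC first.
  VPNGatewayRoutePropagation:
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableIds:
        - !Ref MainPublicRouteTable
      VpnGatewayId: !Ref VPNGateway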
Vyatta設定ファイル
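# Vyatta customer-gateway configuration for the two VPN tunnels (local address
# 192.168.0.200, peers are the VGW tunnel endpoints, BGP ASN 65000 <-> 64512).
# The pre-shared secrets originally published here have been replaced with
# placeholders: paste them from the VPN configuration downloaded for this
# connection and keep them out of anything that is committed or published.
# NOTE(review): DH group 2 / SHA-1 / AES-128 with IKEv1 (the default when no
# key-exchange is set) are legacy proposals; AWS also accepts DH group 14+,
# SHA-2 and AES-256 -- prefer those when regenerating the configuration.
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
# --- Tunnel 1 ---
set vpn ipsec site-to-site peer 18.177.18.53 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 18.177.18.53 authentication pre-shared-secret '<TUNNEL1_PRE_SHARED_SECRET_FROM_AWS_CONFIG_DOWNLOAD>'
set vpn ipsec site-to-site peer 18.177.18.53 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 18.177.18.53 ike-group 'AWS'
set vpn ipsec site-to-site peer 18.177.18.53 local-address '192.168.0.200'
set vpn ipsec site-to-site peer 18.177.18.53 vti bind 'vti0'
set vpn ipsec site-to-site peer 18.177.18.53 vti esp-group 'AWS'
set interfaces vti vti0 address '169.254.28.238/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'
set protocols bgp 65000 neighbor 169.254.28.237 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.28.237 address-family ipv4-unicast soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.28.237 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.28.237 timers keepalive '10'
# Advertised once for the BGP process; it applies to both neighbours.
set protocols bgp 65000 address-family ipv4-unicast network 192.168.0.0/16
# --- Tunnel 2 ---
set vpn ipsec site-to-site peer 54.64.91.11 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 54.64.91.11 authentication pre-shared-secret '<TUNNEL2_PRE_SHARED_SECRET_FROM_AWS_CONFIG_DOWNLOAD>'
set vpn ipsec site-to-site peer 54.64.91.11 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 54.64.91.11 ike-group 'AWS'
set vpn ipsec site-to-site peer 54.64.91.11 local-address '192.168.0.200'
set vpn ipsec site-to-site peer 54.64.91.11 vti bind 'vti1'
set vpn ipsec site-to-site peer 54.64.91.11 vti esp-group 'AWS'
set interfaces vti vti1 address '169.254.90.122/30'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'
set protocols bgp 65000 neighbor 169.254.90.121 remote-as '64512'
# Was "neighbor 169.254.90.121 192.168.0.0/16 soft-reconfiguration", an invalid
# path; mirrors the tunnel-1 neighbour statement.
set protocols bgp 65000 neighbor 169.254.90.121 address-family ipv4-unicast soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.90.121 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.90.121 timers keepalive '10'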