A VPC is a virtual network inside AWS where you can isolate your setup using private IP addresses. A VPC consists of several subnets. Each subnet is bound to an Availability Zone. A public subnet has a direct route to the Internet. As long as your EC2 instances have a public IP, they can communicate (in and out) with the Internet. A private subnet does not have a route to the Internet. Instances in private subnets cannot be accessed from the public Internet. If you want to access the Internet from a private subnet, you need to create a NAT gateway/instance. You can deploy a bastion host/instance to reduce the attack surface of internal applications.

VPC with private and public subnets in two Availability Zones

This template describes a VPC with two private and two public subnets.

Architecture

Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Click Create to start the creation of the stack.
  7. Wait until the stack reaches the state CREATE_COMPLETE

If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper: Launch Stack

VPC with private and public subnets in three Availability Zones

This template describes a VPC with three private and three public subnets.

Architecture

Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Click Create to start the creation of the stack.
  7. Wait until the stack reaches the state CREATE_COMPLETE

If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper: Launch Stack

VPC with private and public subnets in four Availability Zones

This template describes a VPC with four private and four public subnets.

Architecture

Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Click Create to start the creation of the stack.
  7. Wait until the stack reaches the state CREATE_COMPLETE

If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper: Launch Stack

NAT Gateway

This template describes a NAT Gateway that forwards HTTP, HTTPS and NTP traffic from a single private subnet to the Internet. You need one stack per Availability Zone. Example: If you use the vpc-2azs.yaml template, you will need two NAT Gateway stacks, one in A and one in B.

You need one Gateway in each SubnetZone (e.g. A and B in vpc-2azs.yaml).

Architecture

Installation Guide

  1. This template depends on one of our vpc-*azs.yaml templates. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Click Create to start the creation of the stack.
  8. Wait until the stack reaches the state CREATE_COMPLETE

Dependencies

NAT instance

This template describes a highly available Network Address Translation (NAT) instance that forwards HTTP, HTTPS and NTP traffic from a single private subnet to the Internet. You need one stack per Availability Zone. Example: If you use the vpc-2azs.yaml template, you will need two NAT instance stacks, one in A and one in B.

You need one Instance in each SubnetZone (e.g. A and B in vpc-2azs.yaml).

Architecture

Installation Guide

  1. This template depends on one of our vpc-*azs.yaml templates. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Check the "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." checkbox.
  8. Click Create to start the creation of the stack.
  9. Wait until the stack reaches the state CREATE_COMPLETE

Dependencies

SSH bastion host/instance

This template describes a highly available SSH bastion host/instance. SSH Port 22 is open to the world.

Users must not be able to become root on the bastion host/instance! That's very important for security. Why? SSH places an SSH_AUTH_SOCK agent socket into the /tmp directory, accessible only by the owning user. If you have root, you could use any of those sockets and jump to other machines as another user!

Architecture

Single user: ec2-user

Specify the same KeyName parameter for the bastion host and all other stacks you want to connect to.

Use ssh -J ec2-user@$bastion ec2-user@$target and replace $bastion with the IPAddress output of the stack; $target with the private IP address of the EC2 instance you want to connect to.

Personalized users

Enable the IAMUserSSHAccess parameter for the bastion host and all other stacks you want to connect to.

Use ssh -J $user@$bastion $target and replace $user with your IAM user name; $bastion with the IPAddress output of the stack; $target with the private IP address of the EC2 instance you want to connect to.

Installation Guide

  1. This template depends on one of our vpc-*azs.yaml templates. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Check the "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." checkbox.
  8. Click Create to start the creation of the stack.
  9. Wait until the stack reaches the state CREATE_COMPLETE

Dependencies

Limitations

VPN bastion host/instance

This template describes a highly available VPN bastion host/instance based on the SoftEther VPN Project.

Installation Guide

  1. This template depends on one of our vpc-*azs.yaml templates. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Check the "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." checkbox.
  8. Click Create to start the creation of the stack.
  9. Wait until the stack reaches the state CREATE_COMPLETE

Administration guide

During installation, the pre-shared key (VPNPSK parameter) and the admin password (VPNAdminPassword parameter) are set. A first VPN user is also created (VPNUserName and VPNUserPassword parameters). To add further users or make further changes to the configuration, you have to configure SoftEther VPN Server.

Windows

  1. Download and install SoftEther VPN Server and VPN Bridge (Ver 4.25, Build 9656, rtm)
    1. Select the component SoftEther VPN Server Manager (Admin Tools Only)
  2. Add a new setting
  3. Set host name to either
    1. the domain name (if the ParentZoneStack parameter was set), or
    2. the IPAddress output of the stack
  4. Set the password to the admin password (VPNAdminPassword parameter)
  5. Save with OK button
  6. Select newly created setting and click the connect button

MacOS

  1. Download and install the SoftEther VPN Server Manager for Mac OS X (Ver 4.21, Build 9613, beta)
  2. Add a new setting
  3. Set host name to either
    1. the domain name (if the ParentZoneStack parameter was set), or
    2. the IPAddress output of the stack
  4. Set the password to the admin password (VPNAdminPassword parameter)
  5. Save with OK button
  6. Select newly created setting and click the connect button

Linux

There is no graphical tool available for Linux. You can establish an SSH connection to the VPN server and use the /usr/local/vpnserver/vpncmd tool to configure SoftEther VPN Server as documented.

Dependencies

Limitations

VPC Endpoint to S3

This template describes a VPC endpoint that securely routes traffic within a VPC so that private instances can access S3 without the need for a NAT Gateway, NAT instance, or the public Internet. Refer to the AWS VPC endpoint documentation to decide whether this is necessary for your stack. By default, access to all S3 actions and buckets is allowed, but it may be constrained with a policy document.

Architecture

Installation Guide

  1. This template depends on one of our vpc-*azs.yaml templates. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Check the "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." checkbox.
  8. Click Create to start the creation of the stack.
  9. Wait until the stack reaches the state CREATE_COMPLETE

Dependencies

VPC Endpoint to DynamoDB

This template describes a VPC endpoint that securely routes traffic within a VPC so that private instances can access DynamoDB without the need for a NAT Gateway, NAT instance, or the public Internet. Refer to the AWS VPC endpoint documentation to decide whether this is necessary for your stack. By default, access to all DynamoDB actions and tables is allowed, but it may be constrained with a policy document.

Installation Guide

  1. This template depends on one of our vpc-*azs.yaml templates. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Check the "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." checkbox.
  8. Click Create to start the creation of the stack.
  9. Wait until the stack reaches the state CREATE_COMPLETE

Dependencies

VPC Flow Logs to CloudWatch Logs

This template enables Flow Logs for the specified VPC. Flow Logs contain aggregated records of the network traffic in your VPC (source, destination, ports, protocol, and whether the traffic was accepted or rejected).

Installation Guide

  1. This template depends on one of our vpc-*azs.yaml templates. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Check the "I acknowledge that this template might cause AWS CloudFormation to create IAM resources." checkbox.
  8. Click Create to start the creation of the stack.
  9. Wait until the stack reaches the state CREATE_COMPLETE

Flow Logs will show up in CloudWatch Logs a few minutes after activation.
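As an added example (not part of the widdix templates), here is a small Python parser for the default version 2 flow log record format that counts accepted and rejected TCP/22 flows toward a bastion's private IP, the kind of check you would run over the records once they appear in CloudWatch Logs. The account id, interface id and addresses in the sample records are constructed.

```python
# Added example (not from the widdix templates): parse VPC Flow Log records in
# the default version 2 format and summarise SSH attempts against a bastion.
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: eni-0bastion is a made-up interface id and
# 10.0.0.10 a made-up bastion private IP. Public addresses are from RFC 5737.
SAMPLE_LOG = """\
2 123456789012 eni-0bastion 203.0.113.5 10.0.0.10 54321 22 6 12 1800 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0bastion 198.51.100.7 10.0.0.10 40000 22 6 1 60 1620000000 1620000060 REJECT OK
2 123456789012 eni-0bastion 198.51.100.7 10.0.0.10 40001 22 6 1 60 1620000061 1620000120 REJECT OK
2 123456789012 eni-0bastion 198.51.100.7 10.0.0.10 40002 3389 6 1 60 1620000061 1620000120 REJECT OK
2 123456789012 eni-0bastion - - - - - - - 1620000000 1620000060 - NODATA
2 123456789012 eni-0bastion 10.0.0.10 10.0.1.25 51000 22 6 20 3000 1620000000 1620000060 ACCEPT OK
"""

def parse_record(line):
    """Return a dict for one flow log line, or None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA records carry no usable traffic fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def ssh_summary(log_text, bastion_ip):
    """Count accepted and rejected TCP/22 flows toward bastion_ip, keyed by source address."""
    accepted, rejected = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["dstaddr"] != bastion_ip:
            continue
        if rec["protocol"] == 6 and rec["dstport"] == 22:  # 6 = TCP
            (accepted if rec["action"] == "ACCEPT" else rejected)[rec["srcaddr"]] += 1
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = ssh_summary(SAMPLE_LOG, "10.0.0.10")
    print("accepted SSH sources:", dict(ok))
    print("rejected SSH sources:", dict(bad))
```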

Public DNS Zone

This template creates a Route53 hosted zone that is resolvable from the public Internet. Other templates depend on this template to register their DNS entries (record sets).

Installation Guide

  1. Launch Stack
  2. Click Next to proceed with the next step of the wizard.
  3. Specify a name and all parameters for the stack.
  4. Click Next to proceed with the next step of the wizard.
  5. Click Next to skip the Options step of the wizard.
  6. Click Create to start the creation of the stack.
  7. Wait until the stack reaches the state CREATE_COMPLETE

If you have an existing Route53 Hosted Zone you can wrap it into our required form using a legacy zone wrapper: Launch Stack

Private DNS Zone

This template creates a Route53 hosted zone that is resolvable only from within a VPC. Other templates depend on this template to register their DNS entries (record sets).

Installation Guide

  1. This template depends on one of our vpc-*azs.yaml templates. Launch Stack
  2. Launch Stack
  3. Click Next to proceed with the next step of the wizard.
  4. Specify a name and all parameters for the stack.
  5. Click Next to proceed with the next step of the wizard.
  6. Click Next to skip the Options step of the wizard.
  7. Click Create to start the creation of the stack.
  8. Wait until the stack reaches the state CREATE_COMPLETE

If you have an existing Route53 Hosted Zone you can wrap it into our required form using a legacy zone wrapper: Launch Stack

Dependencies