New: Become a sponsor via GitHub Sponsors!
A VPC is a virtual network inside AWS where you can isolate your workload. A VPC consists of several subnets. Each subnet is bound to an Availability Zone. A public subnet has a direct route to/from the Internet. As long as your EC2 instances have an public IPv4 address (default) or IPv6 address, they can communicate (in and out) with the Internet. A private subnet does not have a IPv4 route to/from the Internet but an Ipv6 route to the Internet exists. Instances in private subnets can not be accessed from the public Internet. If you want to access the Internet from a private subnet, you need to create a NAT gateway/instance or assign an IPv6 address. You can deploy a bastion host/instance to reduce the attack surface of internal applications.
VPC with private and public subnets in two Availability Zones
This template describes a VPC with two private and two public subnets.
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-2azs.yaml
Installation Guide
- Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper:
VPC with private and public subnets in three Availability Zones
This template describes a VPC with three private and three public subnets.
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-3azs.yaml
Installation Guide
- Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper:
VPC with private and public subnets in four Availability Zones
This template describes a VPC with four private and four public subnets.
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-4azs.yaml
Installation Guide
- Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
If you have an existing VPC you can wrap it into our required form using a legacy VPC wrapper:
NAT Gateway
This template describes a NAT Gateway that forwards HTTP, HTTPS and NTP traffic from a single private subnet to the Internet. You need one stack per availability zone. Example: If you use the vpc-2azs.yaml
template, you will need two Nat Gateway stack in A
and B
.
You need one Gateway in each
SubnetZone
(e.g.A
andB
invpc-2azs.yaml
).
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-nat-gateway.yaml
Installation Guide
- This template depends on one of our
vpc-*azs.yaml
templates. - Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
Dependencies
vpc/vpc-*azs.yaml
(required)operations/alert.yaml
(recommended)
NAT instance
This template describes a highly available Network Address Translation (NAT) instance that forwards HTTP, HTTPS and NTP traffic from a single private subnet to the Internet. You need one stack per availability zone. Example: If you use the vpc-2azs.yaml
template, you will need two Nat Gateway stack in A
and B
.
You need one Instance in each
SubnetZone
(e.g.A
andB
invpc-2azs.yaml
).
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-nat-instance.yaml
Installation Guide
- This template depends on one of our
vpc-*azs.yaml
templates. - Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Check the I acknowledge that this template might cause AWS CloudFormation to create IAM resources. checkbox.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
Dependencies
vpc/vpc-*azs.yaml
(required)vpc/vpc-*-bastion.yaml
(recommended)operations/alert.yaml
(recommended)
SSH bastion host/instance
This template describes a highly available SSH bastion host/instance. SSH Port 22 is open to the world.
Users must not be able to become root on the bastion host/instance! That's very important for security. Why? SSH places a SSH_AUTH_SOCK file into the /tmp directoy only accessible by the user. If you have root you could use any of those files and jump to other machines as another user!
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-ssh-bastion.yaml
Single user: ec2-user
Specify the same KeyName
parameter for the bastion host and all other stacks you want to connect to.
Use ssh -J ec2-user@$bastion ec2-user@$target
and replace $bastion
with the IPAddress
output of the stack; $target
with the private IP address of the EC2 instance you want to connect to.
Personalized users
Enable the IAMUserSSHAccess
parameter for the bastion host and all other stack you want to connect to.
Use ssh -J $user@$bastion $target
and replace $user
with your IAM user name; $bastion
with the IPAddress
output of the stack; $target
with the private IP address of the EC2 instance you want to connect to.
Installation Guide
- This template depends on one of our
vpc-*azs.yaml
templates. - Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Check the I acknowledge that this template might cause AWS CloudFormation to create IAM resources. checkbox.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
Dependencies
vpc/vpc-*azs.yaml
(required)operations/alert.yaml
(recommended)vpc/zone-*.yaml
Limitations
- Only one EC2 instance is managed by the ASG. In case of an outage the instance will be replaced within 5 minutes.
No bastion host/instance
If you leave the ParentSSHBastionStack
parameter blank in other templates, port 22 is open to the world 0.0.0.0/0
. This template can be used to disable SSH access by deploying an "empty" / non-existent bastion host (e.g., when using SSM Session Manager).
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-no-bastion.yaml
Installation Guide
- Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
VPN bastion host/instance
This template describes a highly available VPN bastion host/instance based on the SoftEther VPN Project.
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-vpn-bastion.yaml
Installation Guide
- This template depends on one of our
vpc-*azs.yaml
templates. - Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Check the I acknowledge that this template might cause AWS CloudFormation to create IAM resources. checkbox.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
Administration guide
During installation, the pre shared key (VPNPSK
parameter), and the admin password (VPNAdminPassword
parameter) are set. A first VPN user is also created (VPNUserName
, and VPNUserPassword
parameters). To add further users or make further changes to the configuration you have to configure SoftEther VPN Server.
Windows
- Download and install SoftEther VPN Server and VPN Bridge (Ver 4.42, Build 9798, rtm)
- Select the component
SoftEther VPN Server Manager (Admin Tools Only)
- Select the component
- Add a new setting
- Set host name to
- the domain name (if
ParentZoneStack
parameter was set) - the
IPAddress
output of the stack
- the domain name (if
- Set the password to the admin password (
VPNAdminPassword
parameter) - Save with OK button
- Select newly created setting and click the connect button
MacOS
- Download and install the SoftEther VPN Server Manager for Mac OS X (Ver 4.21, Build 9613, beta)
- Add a new setting
- Set host name to
- the domain name (if
ParentZoneStack
parameter was set) - the
IPAddress
output of the stack
- the domain name (if
- Set the password to the admin password (
VPNAdminPassword
parameter) - Save with OK button
- Select newly created setting and click the connect button
Linux
There is no graphical tool available for Linux. You can establish an SSH connection to the VPN server and use the /usr/local/vpnserver/vpncmd
tool to configure SoftEther VPN Server as documented.
Dependencies
vpc/vpc-*azs.yaml
(required)operations/alert.yaml
(recommended)vpc/zone-*.yaml
Limitations
- Only one EC2 instance is managed by the ASG. In case of an outage the instance will be replaced within 5 minutes.
Gateway Endpoint (S3)
This template describes a Gateway VPC endpoint to securely access S3 without the need of a NAT Gateway, NAT instance, or public internet. Refer to AWS documentation if this is necessary for your stack. By default, access to all S3 actions and buckets is allowed, but may be constrained with a policy document.
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-endpoint-s3.yaml
Installation Guide
- This template depends on one of our
vpc-*azs.yaml
templates. - Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
Dependencies
vpc/vpc-*azs.yaml
(required)
Gateway Endpoint (DynamoDB)
This template describes a Gateway VPC endpoint to securely access DynamoDB without the need of a NAT Gateway, NAT instance, or public internet. Refer to AWS documentation if this is necessary for your stack. By default, access to all DynamoDB actions and tables is allowed, but may be constrained with a policy document.
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-endpoint-dynamodb.yaml
Installation Guide
- This template depends on one of our
vpc-*azs.yaml
templates. - Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
Dependencies
vpc/vpc-*azs.yaml
(required)
Interface Endpoint
This template describes a Interface VPC endpoint to securely access services without the need of a NAT Gateway, NAT instance, or public internet. Refer to AWS documentation if this is necessary for your stack.
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-endpoint.yaml
Installation Guide
- This template depends on one of our
vpc-*azs.yaml
templates. - Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
Dependencies
vpc/vpc-*azs.yaml
(required)
VPC Flow Logs to CloudWatch Logs
This template enables Flow Logs for the specified VPC. Flow Logs contain aggregated network traffic data in your VPC.
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/vpc-flow-logs.yaml
Installation Guide
- This template depends on one of our
vpc-*azs.yaml
templates. - Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Check the I acknowledge that this template might cause AWS CloudFormation to create IAM resources. checkbox.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
Flow Logs will show up in CloudWatch Logs a few minutes after activation.
Dependencies
vpc/vpc-*azs.yaml
(required)
Public DNS Zone
This template creates a Route53 hosted zone that is resolvable from the public Internet. Other templates depend on this template to register their DNS entries (record sets).
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/zone-public.yaml
Installation Guide
- Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
If you have an existing Route53 Hosted Zone you can wrap it into our required form using a legacy zone wrapper:
Private DNS Zone
This template creates a Route53 hosted zone that is resolvable only from within a VPC. Other templates depend on this template to register their DNS entries (record sets).
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/zone-private.yaml
Installation Guide
- This template depends on one of our
vpc-*azs.yaml
templates. - Click Next to proceed with the next step of the wizard.
- Specify a name and all parameters for the stack.
- Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
If you have an existing Route53 Hosted Zone you can wrap it into our required form using a legacy zone wrapper:
Dependencies
vpc/vpc-*azs.yaml
(required)
DNSSEC
This template enables DNSSEC for a Route53 hosted zone. DNSSEC works for public hoted zones only.
Deploy this template to region
us-east-1
only.In case you deployed the hosted zone stack based on
vpc/zone-public.yaml
in a region other thanus-east-1
deploy a wrapper stack based onvpc/zone-legacy.yaml
tous-east-1
.
Amazon S3 URL: https://s3-eu-west-1.amazonaws.com/widdix-aws-cf-templates-releases-eu-west-1/v14.12.0/vpc/zone-dnssec.yaml
Installation Guide
- This template depends the
zone-public.yaml
template. - This template depends on the
kms-key.yaml
template. - Click Next to proceed with the next step of the wizard.
- Click Next to skip the Options step of the wizard.
- Click Create to start the creation of the stack.
- Wait until the stack reaches the state CREATE_COMPLETE
Dependencies
vpc/zone-public.yaml
(required)security/kms-key.yaml
(required)operations/alert.yaml
(recommended)