I am writing a CloudFormation template that places one NAT instance in each availability zone.
Creating the NAT instances
I am writing the CloudFormation template for the NAT instances (the Amazon Linux 2015.03 edition).
The instances are created exactly as the AWS documentation describes, and the security groups are configured as well.
The storage section I will add later so that it can carry tags... so how about something like this?
"NATSRV1a" : {
  "Type" : "AWS::EC2::Instance",
  "DependsOn" : "GatewayToInternet",
  "Properties" : {
    "InstanceType" : { "Ref" : "NATInstanceType" },
    "KeyName" : { "Ref" : "KeyName" },
    "SourceDestCheck" : "false",
    "ImageId" : { "Fn::FindInMap" : [ "NAT2AMI", "ap-northeast-1", { "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "NATInstanceType" }, "Arch" ] } ] },
    "NetworkInterfaces" : [ {
      "AssociatePublicIpAddress" : "true",
      "DeviceIndex" : "0",
      "DeleteOnTermination" : "true",
      "SubnetId" : { "Ref" : "NAT1a" },
      "GroupSet" : [ { "Ref" : "SGNATSRV1a" } ]
    } ],
    "Tags" : [
      { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
      { "Key" : "Network", "Value" : "VPC" },
      { "Key" : "Name", "Value" : "NAT Instance 1a" }
    ]
  }
},
"NATSRV1c" : {
  "Type" : "AWS::EC2::Instance",
  "DependsOn" : "GatewayToInternet",
  "Properties" : {
    "InstanceType" : { "Ref" : "NATInstanceType" },
    "KeyName" : { "Ref" : "KeyName" },
    "SourceDestCheck" : "false",
    "ImageId" : { "Fn::FindInMap" : [ "NAT2AMI", "ap-northeast-1", { "Fn::FindInMap" : [ "AWSInstanceType2Arch", { "Ref" : "NATInstanceType" }, "Arch" ] } ] },
    "NetworkInterfaces" : [ {
      "AssociatePublicIpAddress" : "true",
      "DeviceIndex" : "0",
      "DeleteOnTermination" : "true",
      "SubnetId" : { "Ref" : "NAT1c" },
      "GroupSet" : [ { "Ref" : "SGNATSRV1c" } ]
    } ],
    "Tags" : [
      { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
      { "Key" : "Network", "Value" : "VPC" },
      { "Key" : "Name", "Value" : "NAT Instance 1c" }
    ]
  }
},
"SGPRIVATE1a" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Source instances of private zone 1a for NAT access",
    "VpcId" : { "Ref" : "VPC" },
    "SecurityGroupEgress" : [ {
      "IpProtocol" : "tcp",
      "FromPort" : "80",
      "ToPort" : "80",
      "DestinationSecurityGroupId" : { "Ref" : "SGNATSRV1a" }
    }, {
      "IpProtocol" : "tcp",
      "FromPort" : "443",
      "ToPort" : "443",
      "DestinationSecurityGroupId" : { "Ref" : "SGNATSRV1a" }
    } ]
  }
},
"SGPRIVATE1c" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Source instances of private zone 1c for NAT access",
    "VpcId" : { "Ref" : "VPC" },
    "SecurityGroupEgress" : [ {
      "IpProtocol" : "tcp",
      "FromPort" : "80",
      "ToPort" : "80",
      "DestinationSecurityGroupId" : { "Ref" : "SGNATSRV1c" }
    }, {
      "IpProtocol" : "tcp",
      "FromPort" : "443",
      "ToPort" : "443",
      "DestinationSecurityGroupId" : { "Ref" : "SGNATSRV1c" }
    } ]
  }
},
"SGNATSRV1a" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Enable global access to the EC2 host in AZ-1a",
    "VpcId" : { "Ref" : "VPC" },
    "SecurityGroupIngress" : [ {
      "IpProtocol" : "tcp",
      "FromPort" : "22",
      "ToPort" : "22",
      "CidrIp" : { "Ref" : "SSHLocation" }
    }, {
      "IpProtocol" : "tcp",
      "FromPort" : "80",
      "ToPort" : "80",
      "SourceSecurityGroupId" : { "Ref" : "SGPRIVATE1a" }
    }, {
      "IpProtocol" : "tcp",
      "FromPort" : "443",
      "ToPort" : "443",
      "SourceSecurityGroupId" : { "Ref" : "SGPRIVATE1a" }
    } ]
  }
},
"SGNATSRV1c" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Enable global access to the EC2 host in AZ-1c",
    "VpcId" : { "Ref" : "VPC" },
    "SecurityGroupIngress" : [ {
      "IpProtocol" : "tcp",
      "FromPort" : "22",
      "ToPort" : "22",
      "CidrIp" : { "Ref" : "SSHLocation" }
    }, {
      "IpProtocol" : "tcp",
      "FromPort" : "80",
      "ToPort" : "80",
      "SourceSecurityGroupId" : { "Ref" : "SGPRIVATE1c" }
    }, {
      "IpProtocol" : "tcp",
      "FromPort" : "443",
      "ToPort" : "443",
      "SourceSecurityGroupId" : { "Ref" : "SGPRIVATE1c" }
    } ]
  }
}
I wrote it thinking "inline egress rules will do", and only then noticed that the security group definitions form a circular dependency: SGPRIVATE1a references SGNATSRV1a in its egress rules while SGNATSRV1a references SGPRIVATE1a in its ingress rules, so neither group can be created before the other.
So the security groups need to be rewritten.
The AWS way of doing things is rather tedious.
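The following is an added example of my own, not code from the post. It builds the Ref/Fn::GetAtt dependency graph of a template's resources and reports any cycle, so the problem described above is caught before the stack is submitted. It runs against a constructed fragment reproducing the pattern in the post (two groups whose inline rules point at each other) and against the usual rewrite: both groups declared without cross-references, with the rules that name the other group moved into standalone AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources. The logical IDs PrivateToNat80 and NatFromPrivate80 and the helper functions are my own names; the descriptions are shortened.

```python
import json


def security_group(description, **rule_lists):
    """Build an AWS::EC2::SecurityGroup; rule_lists may carry SecurityGroupIngress/Egress."""
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": description, "VpcId": {"Ref": "VPC"}, **rule_lists}}


def tcp_rule(port, **peer):
    """One tcp rule entry; peer is e.g. SourceSecurityGroupId={"Ref": "..."}."""
    return {"IpProtocol": "tcp", "FromPort": str(port), "ToPort": str(port), **peer}


# Constructed fragment (not the post's full template) with the same cycle as the post:
# SGPRIVATE1a -> SGNATSRV1a via egress, SGNATSRV1a -> SGPRIVATE1a via ingress.
CYCLIC_TEMPLATE = {"Resources": {
    "SGPRIVATE1a": security_group("private zone 1a", SecurityGroupEgress=[
        tcp_rule(80, DestinationSecurityGroupId={"Ref": "SGNATSRV1a"})]),
    "SGNATSRV1a": security_group("NAT host 1a", SecurityGroupIngress=[
        tcp_rule(80, SourceSecurityGroupId={"Ref": "SGPRIVATE1a"})]),
}}

# Rewrite: the groups reference nothing; the cross-group rules become standalone
# resources that depend on both groups, which makes the graph acyclic.
FIXED_TEMPLATE = {"Resources": {
    "SGPRIVATE1a": security_group("private zone 1a"),
    "SGNATSRV1a": security_group("NAT host 1a"),
    "PrivateToNat80": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "GroupId": {"Ref": "SGPRIVATE1a"},
        **tcp_rule(80, DestinationSecurityGroupId={"Ref": "SGNATSRV1a"})}},
    "NatFromPrivate80": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "SGNATSRV1a"},
        **tcp_rule(80, SourceSecurityGroupId={"Ref": "SGPRIVATE1a"})}},
}}


def references(node):
    """Yield every logical ID named by Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]
            yield target[0] if isinstance(target, list) else target.split(".")[0]
        for value in node.values():
            yield from references(value)
    elif isinstance(node, list):
        for value in node:
            yield from references(value)


def dependency_graph(template):
    """Map each resource to the set of other resources it must wait for (Refs, GetAtts, DependsOn)."""
    resources = template["Resources"]
    graph = {}
    for name, resource in resources.items():
        deps = {r for r in references(resource.get("Properties", {})) if r in resources}
        depends_on = resource.get("DependsOn", [])
        if isinstance(depends_on, str):
            depends_on = [depends_on]
        deps.update(d for d in depends_on if d in resources)
        graph[name] = deps
    return graph


def find_cycle(graph):
    """Return the logical IDs of one cycle (first node repeated at the end), or [] if acyclic."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in graph}
    stack = []

    def visit(node):
        colour[node] = GREY
        stack.append(node)
        for nxt in sorted(graph[node]):
            if colour[nxt] == GREY:                 # back edge: the cycle is on the stack
                return stack[stack.index(nxt):] + [nxt]
            if colour[nxt] == WHITE:
                found = visit(nxt)
                if found:
                    return found
        stack.pop()
        colour[node] = BLACK
        return []

    for node in sorted(graph):
        if colour[node] == WHITE:
            found = visit(node)
            if found:
                return found
    return []


def check_template_file(path):
    """Load a JSON template from disk and return its cycle (or [])."""
    with open(path, encoding="utf-8") as fh:
        return find_cycle(dependency_graph(json.load(fh)))


if __name__ == "__main__":
    print("cyclic :", find_cycle(dependency_graph(CYCLIC_TEMPLATE)))
    print("fixed  :", find_cycle(dependency_graph(FIXED_TEMPLATE)))
```

One caveat with the rewrite: a group declared without any SecurityGroupEgress keeps the default allow-all egress rule that EC2 creates, and standalone SecurityGroupEgress resources only add rules to it. If the private zone is meant to reach the NAT host on 80/443 only, leave at least one inline egress rule on the group (the documented pattern is a rule to 127.0.0.1/32) so CloudFormation removes the default, and put the cross-group rules in the standalone resources.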