NetworkACLを追加すると、VPCの枠組みがだいぶ見えてくるようになりました。
セキュリティ・グループを追加してもいいのですがEC2インスタンス毎のセキュリティ・グループはインスタンス生成しつつ考えましょう。
ひとまずNetworkACLを追加してVPC枠組みもう少し形にします。
NetworkACLを追加
シンプルなNetworkACLを追加します。なお、下のテンプレートのInboundSSHPublicNetworkAclEntryは「SSHLocation」を参照していますが、Parametersセクションに宣言されていないため、そのままではスタック作成時の検証で失敗します。SSHを許可する接続元CIDRのパラメータとしてParametersに追加しておく必要があります。また、各エントリはProtocol "6"（TCP）のみなので、UDP（DNSやNTPなど）はこのACLでは通らない点にも注意してください。
AWS::EC2::SubnetNetworkAclAssociationはやはりSubnetIdにリストを指定できないので、複数のサブネットに割り当てる際には複数のリソースを記述する必要がありますね。 どんどん行が長くなっていっています。
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" : "AWS CloudFormation Sample Template Simple VPC.",
"Parameters" : {
"InstanceType" : {
"Description" : "WebServer EC2 instance type",
"Type" : "String",
"Default" : "t2.micro",
"AllowedValues" : [ "t2.micro", "t2.small", "t2.medium"],
"ConstraintDescription" : "must be a valid EC2 instance type."
},
"NetworkStructure" : {
"Type" : "String",
"Default" : "TEST1",
"AllowedValues" : [ "TEST1", "TEST2" ],
"ConstraintDescription" : "must be TEST1 or TEST2."
}
},
"Mappings" : {
"VPCConfig" : {
"VPCCidr" : { "TEST1" : "10.181.0.0/16", "TEST2" : "10.81.0.0/16" }
},
"SubnetConfig" : {
"ELB1a" : { "TEST1" : "10.181.254.0/28" , "TEST2" : "10.81.254.0/28" },
"NAT1a" : { "TEST1" : "10.181.254.32/28", "TEST2" : "10.81.254.32/28" },
"LOGIN1a" : { "TEST1" : "10.181.254.64/28", "TEST2" : "10.81.254.64/28" },
"WEB1a" : { "TEST1" : "10.181.80.0/25" , "TEST2" : "10.81.80.0/25" },
"Priv11a" : { "TEST1" : "10.181.100.0/24" , "TEST2" : "10.81.100.0/24" },
"Priv21a" : { "TEST1" : "10.181.120.0/24" , "TEST2" : "10.81.120.0/24" },
"ELB1c" : { "TEST1" : "10.181.254.16/28", "TEST2" : "10.81.254.0/28" },
"NAT1c" : { "TEST1" : "10.181.254.48/28", "TEST2" : "10.81.254.32/28" },
"LOGIN1c" : { "TEST1" : "10.181.254.80/28", "TEST2" : "10.81.254.64/28" },
"WEB1c" : { "TEST1" : "10.181.80.128/25", "TEST2" : "10.81.80.0/25" },
"Priv11c" : { "TEST1" : "10.181.110.0/24" , "TEST2" : "10.81.100.0/24" },
"Priv21c" : { "TEST1" : "10.181.130.0/24" , "TEST2" : "10.81.120.0/24" }
},
"AZConfig" : {
"AZ" : { "ELB1a" : "ap-northeast-1a",
"NAT1a" : "ap-northeast-1a",
"LOGIN1a" : "ap-northeast-1a",
"WEB1a" : "ap-northeast-1a",
"Priv11a" : "ap-northeast-1a",
"Priv21a" : "ap-northeast-1a",
"ELB1c" : "ap-northeast-1c",
"NAT1c" : "ap-northeast-1c",
"LOGIN1c" : "ap-northeast-1c",
"WEB1c" : "ap-northeast-1c",
"Priv11c" : "ap-northeast-1c",
"Priv21c" : "ap-northeast-1c"
}
}
},
"Resources" : {
"VPC" : {
"Type" : "AWS::EC2::VPC",
"Properties" : {
"CidrBlock" : { "Fn::FindInMap" : [ "VPCConfig", "VPCCidr", { "Ref" : "NetworkStructure" } ] },
"EnableDnsSupport" : "true",
"EnableDnsHostnames" : "true",
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "VPC" }
]
}
},
"SubnetELB1a" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "ELB1a"]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "ELB1a", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "ELB1a"}
]
}
},
"SubnetNAT1a" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "NAT1a" ]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "NAT1a", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "NAT1a" }
]
}
},
"SubnetLOGIN1a" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "LOGIN1a" ]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "LOGIN1a", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "LOGIN1a" }
]
}
},
"SubnetWEB1a" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "WEB1a" ]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "WEB1a", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Private" },
{ "Key" : "Name", "Value" : "WEB1a" }
]
}
},
"SubnetPriv11a" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "Priv11a" ]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Priv11a", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Private" },
{ "Key" : "Name", "Value" : "Private1 1a"}
]
}
},
"SubnetPriv21a" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "Priv21a" ]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Priv21a", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Private" },
{ "Key" : "Name", "Value" : "Private2 1a" }
]
}
},
"SubnetELB1c" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "ELB1c" ]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "ELB1c", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "ELB1c" }
]
}
},
"SubnetNAT1c" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "NAT1c" ]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "NAT1c", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "NAT1c" }
]
}
},
"SubnetLOGIN1c" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "LOGIN1c" ]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "LOGIN1c", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "LOGIN1c" }
]
}
},
"SubnetWEB1c" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "WEB1c" ]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "WEB1c", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Private" },
{ "Key" : "Name", "Value" : "WEB1c" }
]
}
},
"SubnetPriv11c" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "Priv11c" ]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Priv11c", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Private" },
{ "Key" : "Name", "Value" : "Private1 1c" }
]
}
},
"SubnetPriv21c" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "Priv21c" ]},
"CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Priv21c", { "Ref" : "NetworkStructure" } ] },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Private" },
{ "Key" : "Name", "Value" : "Private2 1c" }
]
}
},
"InternetGateway" : {
"Type" : "AWS::EC2::InternetGateway",
"Properties" : {
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "InternetGateway" }
]
}
},
"GatewayToInternet" : {
"Type" : "AWS::EC2::VPCGatewayAttachment",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"InternetGatewayId" : { "Ref" : "InternetGateway" }
}
},
"PublicRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "Public Network" }
]
}
},
"PublicRoute" : {
"Type" : "AWS::EC2::Route",
"DependsOn" : "GatewayToInternet",
"Properties" : {
"RouteTableId" : { "Ref" : "PublicRouteTable" },
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : { "Ref" : "InternetGateway" }
}
},
"PublicSubnetRouteTableAssociation1" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetELB1a"},
"RouteTableId" : { "Ref" : "PublicRouteTable" }
}
},
"PublicSubnetRouteTableAssociation2" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetNAT1a"},
"RouteTableId" : { "Ref" : "PublicRouteTable" }
}
},
"PublicSubnetRouteTableAssociation3" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetLOGIN1a"},
"RouteTableId" : { "Ref" : "PublicRouteTable" }
}
},
"PublicSubnetRouteTableAssociation4" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetELB1c"},
"RouteTableId" : { "Ref" : "PublicRouteTable" }
}
},
"PublicSubnetRouteTableAssociation5" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetNAT1c"},
"RouteTableId" : { "Ref" : "PublicRouteTable" }
}
},
"PublicSubnetRouteTableAssociation6" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetLOGIN1c"},
"RouteTableId" : { "Ref" : "PublicRouteTable" }
}
},
"PrivateRouteTable" : {
"Type" : "AWS::EC2::RouteTable",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Private" },
{ "Key" : "Name", "Value" : "Private Network" }
]
}
},
"PrivateRoute" : {
"Type" : "AWS::EC2::Route",
"Properties" : {
"RouteTableId" : { "Ref" : "PrivateRouteTable" },
"DestinationCidrBlock" : "0.0.0.0/0",
"GatewayId" : { "Ref" : "InternetGateway" }
}
},
"PrivateSubnetRouteTableAssociation1" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetWEB1a"},
"RouteTableId" : { "Ref" : "PrivateRouteTable" }
}
},
"PrivateSubnetRouteTableAssociation2" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetPriv11a"},
"RouteTableId" : { "Ref" : "PrivateRouteTable" }
}
},
"PrivateSubnetRouteTableAssociation3" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetPriv21a"},
"RouteTableId" : { "Ref" : "PrivateRouteTable" }
}
},
"PrivateSubnetRouteTableAssociation4" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetWEB1c"},
"RouteTableId" : { "Ref" : "PrivateRouteTable" }
}
},
"PrivateSubnetRouteTableAssociation5" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetPriv11c"},
"RouteTableId" : { "Ref" : "PrivateRouteTable" }
}
},
"PrivateSubnetRouteTableAssociation6" : {
"Type" : "AWS::EC2::SubnetRouteTableAssociation",
"Properties" : {
"SubnetId" : {"Ref":"SubnetPriv21c"},
"RouteTableId" : { "Ref" : "PrivateRouteTable" }
}
},
"PublicNetworkAcl" : {
"Type" : "AWS::EC2::NetworkAcl",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Public" },
{ "Key" : "Name", "Value" : "PublicNetworkAcl" }
]
}
},
"InboundHTTPPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
"RuleNumber" : "100",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : { "From" : "80", "To" : "80" }
}
},
"InboundDynamicPortPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
"RuleNumber" : "110",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : { "From" : "1024", "To" : "65535" }
}
},
"InboundSSHPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
"RuleNumber" : "120",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : { "Ref" : "SSHLocation" },
"PortRange" : { "From" : "22", "To" : "22" }
}
},
"OutboundPublicNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
"RuleNumber" : "100",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : { "From" : "0", "To" : "65535" }
}
},
"PublicSubnetNetworkAclAssociation1" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetELB1a" },
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
}
},
"PublicSubnetNetworkAclAssociation2" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetNAT1a" },
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
}
},
"PublicSubnetNetworkAclAssociation3" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetLOGIN1a" },
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
}
},
"PublicSubnetNetworkAclAssociation4" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetELB1c" },
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
}
},
"PublicSubnetNetworkAclAssociation5" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetNAT1c" },
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
}
},
"PublicSubnetNetworkAclAssociation6" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetLOGIN1c" },
"NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
}
},
"PrivateNetworkAcl" : {
"Type" : "AWS::EC2::NetworkAcl",
"Properties" : {
"VpcId" : { "Ref" : "VPC" },
"Tags" : [
{ "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
{ "Key" : "Network", "Value" : "Private" },
{ "Key" : "Name", "Value" : "PrivateNetworkAcl" }
]
}
},
"InboundPrivateNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" },
"RuleNumber" : "100",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "false",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : { "From" : "0", "To" : "65535" }
}
},
"OutboundPrivateNetworkAclEntry" : {
"Type" : "AWS::EC2::NetworkAclEntry",
"Properties" : {
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" },
"RuleNumber" : "100",
"Protocol" : "6",
"RuleAction" : "allow",
"Egress" : "true",
"CidrBlock" : "0.0.0.0/0",
"PortRange" : { "From" : "0", "To" : "65535" }
}
},
"PrivateSubnetNetworkAclAssociation1" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetWEB1a" },
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
}
},
"PrivateSubnetNetworkAclAssociation2" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetPriv11a" },
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
}
},
"PrivateSubnetNetworkAclAssociation3" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetPriv21a" },
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
}
},
"PrivateSubnetNetworkAclAssociation4" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetWEB1c" },
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
}
},
"PrivateSubnetNetworkAclAssociation5" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetPriv11c" },
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
}
},
"PrivateSubnetNetworkAclAssociation6" : {
"Type" : "AWS::EC2::SubnetNetworkAclAssociation",
"Properties" : {
"SubnetId" : { "Ref" : "SubnetPriv21c" },
"NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
}
}
},
"Outputs" : {
"VPC" : {
"Description" : "VPC CIDR",
"Value" : { "Fn::FindInMap" : [ "VPCConfig", "VPCCidr", { "Ref" : "NetworkStructure" } ] }
},
"Public" : {
"Description" : "Public Subnet CIDR (ELB1a)",
"Value" : { "Fn::FindInMap" : [ "SubnetConfig", "ELB1a", { "Ref" : "NetworkStructure" } ] }
},
"Private" : {
"Description" : "Private Subnet CIDR (WEB1a)",
"Value" : { "Fn::FindInMap" : [ "SubnetConfig", "WEB1a", { "Ref" : "NetworkStructure" } ] }
}
}
}
NetworkACLを追加したので、枠組みがだいぶできてきたような感じでしょうか。 セキュリティ・グループを個別に設定するかインスタンス毎に設定するかちょっと迷うところです。
NATインスタンスを作成しますけど・・・
プライベート・ゾーンからのアクセスは、NATインスタンスを経由して外部との通信を行わせようと考えています。 現状のテンプレートではPrivateRouteの0.0.0.0/0がInternetGatewayを向いているので、NATインスタンス導入時にはこの経路をNATインスタンス側に付け替える必要があります。 NATインスタンスをどのように構成するかをちょっとだけ考えてみました。
AWSのブログにNATインスタンスのHA化についての記事があります: High Availability for Amazon VPC NAT Instances (Using AWS CloudFormation Templates)
NAT用のサブネットはAZ毎に用意していますのでNATインスタンスを2つ用意すると、この記事にあるようなHA構造にすることも可能です。
「可能です」というのは、少し迷いがあるためです。AWSの場合AZ間の通信は課金対象になりますから、経路としてAZ間をまたいだ通信は避けたいところでしょう。
そこで、AZ間通信コストがいったいどれくらいか確認してみました。
AWSの料金表から、東京リージョンのAZ間通信のコストをピックアップすると:
「同じ AWS リージョンの別のアベイラビリティーゾーンまたはピアリング接続された VPC にある Amazon EC2、Amazon RDS、Amazon Redshift および Amazon ElastiCache インスタンスまたは Elastic Network Interface $0.01 /GB」
なるほど、1GB毎に0.01米ドルかかるんですね。
yumでアップデートすると、このコストがかかるようになるんですよね。 AWSの通信費用では、EC2へのデータインには費用がかかりませんのでアップデート時の通信量が多いとコストが上がってしまうということですか。
データイン方向には課金がありませんが、データアウトに課金がかかります。 そうするとAZ-1aからAZ-1cへのNAT通信には課金がかかると考えてよいのでしょう。
単純には毎月10GBのアップデートがあると、12円/月程度のコストがかかることになりますね。
AWSブログの記事のようなHA構造とすると、わずかではありますがAZ間通信に課金が発生してしまいますね。
というところで、NAT経路はAZ毎に分離する構造にしましょう。
次回からNATインスタンス関連の追加を行ってみます。