AWS CloudFormation - VPC Nested Stack-Security Groups

In this section, I have provided the YAML script for the security groups. The script creates security groups for the following:

a. Web Servers

b. Load Balancer

We shall create the security groups in 2 simple steps.

1. Add the following resource (it sits under the Resources section) to the Master.yaml that I provided in my previous post, save it, and upload it to the S3 bucket that we created in the previous post.

  SecurityGroups:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://mycfstack.s3.amazonaws.com/securitygroups.yaml
      Parameters:
        EnvironmentName: !Ref AWS::StackName
        VPC: !GetAtt VPC.Outputs.VPC

2. The following script creates the security groups. Upload it to the same S3 bucket that we created in the previous post.


A few points to note here:

  1. The web-server security group accepts HTTP traffic only from the load balancer.

  2. An inbound rule for port 22 (SSH) is also enabled so that you can administer the web servers from the CLI; its source range is the SSHLocation parameter.

  3. On the load balancer side, internet traffic is open only for HTTP (port 80). If you want to open HTTPS traffic (port 443), add a matching rule to the script below. However, you would also need to obtain and install a security (TLS) certificate.

Description: >
  This template contains the security groups required by our entire stack.
  We create them in a separate nested template, so they can be referenced
  by all of the other nested templates.
Parameters:
  EnvironmentName:
    Description: Our environment name will be prefixed to resource names
    Type: String

  VPC:
    Type: AWS::EC2::VPC::Id
    Description: VPC which the security groups should be deployed to

  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.

Resources:
  # This security group defines who/where is allowed to access the EC2 servers directly.
  # By default we're just allowing HTTP access from the load balancer, plus SSH from
  # SSHLocation. If you need to expose other non-load-balanced services, open their ports here.
#============================================================
# Security Group for Webservers
#============================================================
  WSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Access to the EC2 web servers
      SecurityGroupIngress:
        # SSH for administration, restricted to the SSHLocation parameter
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref SSHLocation
        # Only allow inbound HTTP access to the web servers from the ELB
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-WebServers
#============================================================
# Security Group for Load Balancer
#============================================================
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Access to the load balancer that sits in front of Web Servers
      SecurityGroupIngress:
        # Allow internet traffic to reach the load balancer on the following port
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-LoadBalancers

Outputs:
  WSSecurityGroup:
    Description: A reference to the security group for Web Servers
    Value: !Ref WSSecurityGroup

  LoadBalancerSecurityGroup:
    Description: A reference to the security group for load balancers
    Value: !Ref LoadBalancerSecurityGroup
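As an added check (my own example, not part of the post's template), the following shell script lists every inbound rule in the security-group template together with the source that will actually apply. It resolves a `!Ref` to a parameter against that parameter's Default, because the Master.yaml snippet above passes only EnvironmentName and VPC, so SSHLocation keeps its Default of 0.0.0.0/0 unless you change it. The script embeds a constructed, trimmed copy of the template above so it runs stand-alone; point it at your saved securitygroups.yaml instead. The parsing is tailored to this template's layout (two-space indentation, one rule per `- ` item) and is not a general YAML parser.

```shell
#!/bin/sh
# Added example, not from the post: list each ingress rule of a CloudFormation
# security-group template with its effective source, resolving "!Ref <Parameter>"
# to the parameter's Default (what applies when the master stack does not pass it).
set -eu

# ingress_rules FILE -> lines of "<LogicalId> <port> <source>"
# Tailored to the post's template layout; not a general YAML parser.
ingress_rules() {
  awk '
    function flush() {
      if (grp != "" && port != "" && (cidr != "" || src != "")) {
        source = cidr
        if (cidr ~ /^!Ref /) {                       # parameter reference -> its Default
          p = cidr; sub(/^!Ref /, "", p)
          source = (p in def) ? def[p] " (default of parameter " p ")" : cidr
        }
        if (src != "") source = src                  # source security group reference
        print grp, port, source
      }
      port = ""; cidr = ""; src = ""
    }
    /^Parameters:/ { sect = "p" }
    /^Resources:/  { flush(); sect = "r" }
    /^Outputs:/    { flush(); sect = "o" }
    sect == "p" && /^  [A-Za-z0-9]+:/ { pname = $1; sub(/:$/, "", pname) }
    sect == "p" && /^    Default:/    { def[pname] = $2 }
    sect == "r" && /^  [A-Za-z0-9]+:/ { flush(); grp = $1; sub(/:$/, "", grp) }
    sect == "r" && /^ *- /            { flush() }    # a new list item starts a new rule
    sect == "r" && /FromPort:/        { port = $NF; gsub(/[^0-9]/, "", port) }
    sect == "r" && /CidrIp:/          { cidr = $0; sub(/.*CidrIp:[[:space:]]*/, "", cidr) }
    sect == "r" && /SourceSecurityGroupId:/ { src = $0; sub(/.*SourceSecurityGroupId:[[:space:]]*/, "", src) }
    END { flush() }
  ' "$1"
}

# world_open_rules FILE -> only the rules whose effective source is 0.0.0.0/0
world_open_rules() {
  ingress_rules "$1" | awk '$3 == "0.0.0.0/0"'
}

# ssh_open_to_world FILE -> exit 0 if port 22 is reachable from 0.0.0.0/0, 1 otherwise
ssh_open_to_world() {
  world_open_rules "$1" | awk '$2 == 22 { found = 1 } END { exit !found }'
}

# write_sample_template PATH -> a constructed, trimmed copy of the post's template
# (only the parts the check reads), so this script can be run stand-alone
write_sample_template() {
  cat > "$1" <<'EOF'
Parameters:
  SSHLocation:
    Type: String
    Default: 0.0.0.0/0
Resources:
  WSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: !Ref SSHLocation
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
EOF
}

# usage: ./sg_audit.sh securitygroups.yaml   (no argument: audit the embedded sample)
if [ "${1:-}" != "" ]; then
  tpl="$1"
else
  tpl="$(mktemp)"; write_sample_template "$tpl"
fi
echo "== ingress rules in $tpl"; ingress_rules "$tpl"
echo "== rules open to the world"; world_open_rules "$tpl"
if ssh_open_to_world "$tpl"; then
  echo "WARNING: SSH (22) is reachable from 0.0.0.0/0; pass a narrower SSHLocation"
fi
```

With the template as posted, the script reports port 22 on WSSecurityGroup as open to 0.0.0.0/0 via the SSHLocation default and port 80 on LoadBalancerSecurityGroup as open to the world by design. To narrow SSH, either change the Default or declare an SSHLocation parameter in Master.yaml and forward it in the nested stack's Parameters map; re-running the check shows the rule disappear from the world-open list.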

How to upload and run the script?

- Save the master file as master.yaml and the child scripts as vpc.yml and securitygroups.yaml

- Create a bucket in S3 and name it as you wish (the script uses the name mycfstack; if you choose another name, update the TemplateURL values to match)

- Upload all the scripts to the created bucket

- Go to CloudFormation

- Create a new stack

- Click Next and provide a stack name. Click Next again and then click the Create stack button.

- Your stack will be created in less than 5 minutes.

Navigate to the Network section of your AWS console to confirm that the security groups have been created correctly.

I hope the above script is useful to AWS beginners who are working with or practising CloudFormation. In my next post, I will share the script for creating the load balancer and web servers with an Auto Scaling group, along with the execution steps.

Please leave your valuable comments on this article if it was of any help, and share it with your groups if you like it. Thanks.
