使用 Amazon CloudFormation 配置 Amazon VPC 资源 - Amazon CloudFormation
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

使用 Amazon CloudFormation 配置 Amazon VPC 资源

本节提供使用 Amazon CloudFormation 配置 Amazon VPC 资源的示例。VPC 允许您在 Amazon 中创建一个虚拟网络,这些代码段展示了如何配置 VPC 各个方面来满足自己的网络要求。

在 VPC 中启用 IPv6 仅出口互联网访问

仅出口互联网网关允许 VPC 中的实例访问互联网并阻止互联网上的资源与实例通信。以下代码段支持在 VPC 中启用 IPv6 仅出口互联网访问。它使用 AWS::EC2::VPC 资源创建 IPv4 地址范围为 10.0.0/16 的 VPC。将路由表与使用 AWS::EC2::RouteTable 资源的 VPC 资源关联起来。路由表会管理 VPC 内实例的路由。AWS::EC2::EgressOnlyInternetGateway 用于创建仅出口互联网网关,为来自 VPC 中实例的出站流量启用 IPv6 通信,同时阻止入站流量。AWS::EC2::Route 资源用于在路由表中创建 IPv6 路由,该路由会将所有出站 IPv6 流量 (::/0) 定向到仅出口互联网网关。

有关仅出口互联网网关的更多信息,请参阅使用仅出口互联网网关允许出站 IPv6 流量

JSON

"DefaultIpv6Route": { "Type": "AWS::EC2::Route", "Properties": { "DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": { "Ref": "EgressOnlyInternetGateway" }, "RouteTableId": { "Ref": "RouteTable" } } }, "EgressOnlyInternetGateway": { "Type": "AWS::EC2::EgressOnlyInternetGateway", "Properties": { "VpcId": { "Ref": "VPC" } } }, "RouteTable": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" } } }, "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16" } }

YAML

DefaultIpv6Route: Type: "AWS::EC2::Route" Properties: DestinationIpv6CidrBlock: "::/0" EgressOnlyInternetGatewayId: Ref: "EgressOnlyInternetGateway" RouteTableId: Ref: "RouteTable" EgressOnlyInternetGateway: Type: "AWS::EC2::EgressOnlyInternetGateway" Properties: VpcId: Ref: "VPC" RouteTable: Type: "AWS::EC2::RouteTable" Properties: VpcId: Ref: "VPC" VPC: Type: "AWS::EC2::VPC" Properties: CidrBlock: "10.0.0.0/16"

弹性网络接口 (ENI) 模板代码段

创建带有附加弹性网络接口(ENI)的 Amazon EC2 实例

以下示例代码段使用 AWS::EC2::Instance 资源在指定的 Amazon VPC 和子网中创建 Amazon EC2 实例。它将两个网络接口(ENI)连接到实例,通过附加的 ENI 将弹性 IP 地址关联到实例,并针对 SSH 和 HTTP 访问配置安全组。创建实例时,用户数据作为启动配置的一部分提供给实例。用户数据包括以 base64 格式编码的脚本,可确保将其传递到实例。当实例启动时,脚本会作为引导过程的一部分自动运行。它会安装 ec2-net-utils、配置网络接口并启动 HTTP 服务。

为了根据所选区域确定合适的亚马逊机器映像(AMI),该代码段使用了一个可在 RegionMap 映射中查找值的 Fn::FindInMap 函数。此映射必须在较大的模板中定义。这两个网络接口都是使用 AWS::EC2::NetworkInterface 资源创建的。使用分配给 vpc 域的 AWS::EC2::EIP 资源指定弹性 IP 地址。这些弹性 IP 地址将使用 AWS::EC2::EIPAssociation 资源与网络接口关联。

Outputs 部分定义了您想在堆栈创建后访问的值或资源。在此代码段中,定义的输出是 InstancePublicIp,表示堆栈创建的 EC2 实例的公有 IP 地址。您可以使用 Amazon CloudFormation 控制台的输出选项卡或 aws cloudformation describe-stacks 命令来检索此输出内容。

有关弹性网络接口的更多信息,请参阅弹性网络接口

JSON

"Resources": { "ControlPortAddress": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "AssociateControlPort": { "Type": "AWS::EC2::EIPAssociation", "Properties": { "AllocationId": { "Fn::GetAtt": [ "ControlPortAddress", "AllocationId" ] }, "NetworkInterfaceId": { "Ref": "controlXface" } } }, "WebPortAddress": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "AssociateWebPort": { "Type": "AWS::EC2::EIPAssociation", "Properties": { "AllocationId": { "Fn::GetAtt": [ "WebPortAddress", "AllocationId" ] }, "NetworkInterfaceId": { "Ref": "webXface" } } }, "SSHSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VpcId" }, "GroupDescription": "Enable SSH access via port 22", "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "FromPort": 22, "IpProtocol": "tcp", "ToPort": 22 } ] } }, "WebSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VpcId" }, "GroupDescription": "Enable HTTP access via user-defined port", "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "FromPort": 80, "IpProtocol": "tcp", "ToPort": 80 } ] } }, "controlXface": { "Type": "AWS::EC2::NetworkInterface", "Properties": { "SubnetId": { "Ref": "SubnetId" }, "Description": "Interface for controlling traffic such as SSH", "GroupSet": [ { "Fn::GetAtt": [ "SSHSecurityGroup", "GroupId" ] } ], "SourceDestCheck": true, "Tags": [ { "Key": "Network", "Value": "Control" } ] } }, "webXface": { "Type": "AWS::EC2::NetworkInterface", "Properties": { "SubnetId": { "Ref": "SubnetId" }, "Description": "Interface for web traffic", "GroupSet": [ { "Fn::GetAtt": [ "WebSecurityGroup", "GroupId" ] } ], "SourceDestCheck": true, "Tags": [ { "Key": "Network", "Value": "Web" } ] } }, "Ec2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": { "Fn::FindInMap": [ "RegionMap", { "Ref": "AWS::Region" }, "AMI" ] }, "KeyName": { "Ref": "KeyName" }, "NetworkInterfaces": [ { "NetworkInterfaceId": { "Ref": "controlXface" }, "DeviceIndex": "0" }, { "NetworkInterfaceId": { "Ref": "webXface" }, "DeviceIndex": "1" } ], "Tags": [ { "Key": "Role", "Value": "Test Instance" } ], "UserData": { "Fn::Base64": { "Fn::Sub": "#!/bin/bash -xe\nyum install ec2-net-utils -y\nec2ifup eth1\nservice httpd start\n" } } } } }, "Outputs": { "InstancePublicIp": { "Description": "Public IP Address of the EC2 Instance", "Value": { "Fn::GetAtt": [ "Ec2Instance", "PublicIp" ] } } }

YAML

Resources: ControlPortAddress: Type: 'AWS::EC2::EIP' Properties: Domain: vpc AssociateControlPort: Type: 'AWS::EC2::EIPAssociation' Properties: AllocationId: Fn::GetAtt: - ControlPortAddress - AllocationId NetworkInterfaceId: Ref: controlXface WebPortAddress: Type: 'AWS::EC2::EIP' Properties: Domain: vpc AssociateWebPort: Type: 'AWS::EC2::EIPAssociation' Properties: AllocationId: Fn::GetAtt: - WebPortAddress - AllocationId NetworkInterfaceId: Ref: webXface SSHSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: VpcId: Ref: VpcId GroupDescription: Enable SSH access via port 22 SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 22 IpProtocol: tcp ToPort: 22 WebSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: VpcId: Ref: VpcId GroupDescription: Enable HTTP access via user-defined port SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 80 IpProtocol: tcp ToPort: 80 controlXface: Type: 'AWS::EC2::NetworkInterface' Properties: SubnetId: Ref: SubnetId Description: Interface for controlling traffic such as SSH GroupSet: - Fn::GetAtt: - SSHSecurityGroup - GroupId SourceDestCheck: true Tags: - Key: Network Value: Control webXface: Type: 'AWS::EC2::NetworkInterface' Properties: SubnetId: Ref: SubnetId Description: Interface for web traffic GroupSet: - Fn::GetAtt: - WebSecurityGroup - GroupId SourceDestCheck: true Tags: - Key: Network Value: Web Ec2Instance: Type: AWS::EC2::Instance Properties: ImageId: Fn::FindInMap: - RegionMap - Ref: AWS::Region - AMI KeyName: Ref: KeyName NetworkInterfaces: - NetworkInterfaceId: Ref: controlXface DeviceIndex: "0" - NetworkInterfaceId: Ref: webXface DeviceIndex: "1" Tags: - Key: Role Value: Test Instance UserData: Fn::Base64: !Sub | #!/bin/bash -xe yum install ec2-net-utils -y ec2ifup eth1 service httpd start Outputs: InstancePublicIp: Description: Public IP Address of the EC2 Instance Value: Fn::GetAtt: - Ec2Instance - PublicIp