使用 Amazon CloudFormation 配置 Amazon VPC 资源
本节提供使用 Amazon CloudFormation 配置 Amazon VPC 资源的示例。VPC 允许您在 Amazon 中创建一个虚拟网络,这些代码段展示了如何配置 VPC 各个方面来满足自己的网络要求。
在 VPC 中启用 IPv6 仅出口互联网访问
仅出口互联网网关允许 VPC 中的实例访问互联网并阻止互联网上的资源与实例通信。以下代码段支持在 VPC 中启用 IPv6 仅出口互联网访问。它使用 AWS::EC2::VPC 资源创建 IPv4 地址范围为 10.0.0/16 的 VPC。将路由表与使用 AWS::EC2::RouteTable 资源的 VPC 资源关联起来。路由表会管理 VPC 内实例的路由。AWS::EC2::EgressOnlyInternetGateway 用于创建仅出口互联网网关,为来自 VPC 中实例的出站流量启用 IPv6 通信,同时阻止入站流量。AWS::EC2::Route 资源用于在路由表中创建 IPv6 路由,该路由会将所有出站 IPv6 流量 (::/0) 定向到仅出口互联网网关。
有关仅出口互联网网关的更多信息,请参阅使用仅出口互联网网关允许出站 IPv6 流量。
JSON
"DefaultIpv6Route": { "Type": "AWS::EC2::Route", "Properties": { "DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": { "Ref": "EgressOnlyInternetGateway" }, "RouteTableId": { "Ref": "RouteTable" } } }, "EgressOnlyInternetGateway": { "Type": "AWS::EC2::EgressOnlyInternetGateway", "Properties": { "VpcId": { "Ref": "VPC" } } }, "RouteTable": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" } } }, "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16" } }
YAML
DefaultIpv6Route: Type: "AWS::EC2::Route" Properties: DestinationIpv6CidrBlock: "::/0" EgressOnlyInternetGatewayId: Ref: "EgressOnlyInternetGateway" RouteTableId: Ref: "RouteTable" EgressOnlyInternetGateway: Type: "AWS::EC2::EgressOnlyInternetGateway" Properties: VpcId: Ref: "VPC" RouteTable: Type: "AWS::EC2::RouteTable" Properties: VpcId: Ref: "VPC" VPC: Type: "AWS::EC2::VPC" Properties: CidrBlock: "10.0.0.0/16"
弹性网络接口 (ENI) 模板代码段
创建带有附加弹性网络接口(ENI)的 Amazon EC2 实例
以下示例代码段使用 AWS::EC2::Instance 资源在指定的 Amazon VPC 和子网中创建 Amazon EC2 实例。它将两个网络接口(ENI)连接到实例,通过附加的 ENI 将弹性 IP 地址关联到实例,并针对 SSH 和 HTTP 访问配置安全组。创建实例时,用户数据作为启动配置的一部分提供给实例。用户数据包括以 base64 格式编码的脚本,可确保将其传递到实例。当实例启动时,脚本会作为引导过程的一部分自动运行。它会安装 ec2-net-utils、配置网络接口并启动 HTTP 服务。
为了根据所选区域确定合适的亚马逊机器映像(AMI),该代码段使用了一个可在 RegionMap 映射中查找值的 Fn::FindInMap 函数。此映射必须在较大的模板中定义。这两个网络接口都是使用 AWS::EC2::NetworkInterface 资源创建的。使用分配给 vpc 域的 AWS::EC2::EIP 资源指定弹性 IP 地址。这些弹性 IP 地址将使用 AWS::EC2::EIPAssociation 资源与网络接口关联。
Outputs 部分定义了您想在堆栈创建后访问的值或资源。在此代码段中,定义的输出是 InstancePublicIp,表示堆栈创建的 EC2 实例的公有 IP 地址。您可以使用 Amazon CloudFormation 控制台的输出选项卡或 aws cloudformation describe-stacks 命令来检索此输出内容。
有关弹性网络接口的更多信息,请参阅弹性网络接口。
JSON
"Resources": { "ControlPortAddress": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "AssociateControlPort": { "Type": "AWS::EC2::EIPAssociation", "Properties": { "AllocationId": { "Fn::GetAtt": [ "ControlPortAddress", "AllocationId" ] }, "NetworkInterfaceId": { "Ref": "controlXface" } } }, "WebPortAddress": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "AssociateWebPort": { "Type": "AWS::EC2::EIPAssociation", "Properties": { "AllocationId": { "Fn::GetAtt": [ "WebPortAddress", "AllocationId" ] }, "NetworkInterfaceId": { "Ref": "webXface" } } }, "SSHSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VpcId" }, "GroupDescription": "Enable SSH access via port 22", "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "FromPort": 22, "IpProtocol": "tcp", "ToPort": 22 } ] } }, "WebSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VpcId" }, "GroupDescription": "Enable HTTP access via user-defined port", "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "FromPort": 80, "IpProtocol": "tcp", "ToPort": 80 } ] } }, "controlXface": { "Type": "AWS::EC2::NetworkInterface", "Properties": { "SubnetId": { "Ref": "SubnetId" }, "Description": "Interface for controlling traffic such as SSH", "GroupSet": [ { "Fn::GetAtt": [ "SSHSecurityGroup", "GroupId" ] } ], "SourceDestCheck": true, "Tags": [ { "Key": "Network", "Value": "Control" } ] } }, "webXface": { "Type": "AWS::EC2::NetworkInterface", "Properties": { "SubnetId": { "Ref": "SubnetId" }, "Description": "Interface for web traffic", "GroupSet": [ { "Fn::GetAtt": [ "WebSecurityGroup", "GroupId" ] } ], "SourceDestCheck": true, "Tags": [ { "Key": "Network", "Value": "Web" } ] } }, "Ec2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": { "Fn::FindInMap": [ "RegionMap", { "Ref": "AWS::Region" }, "AMI" ] }, "KeyName": { "Ref": "KeyName" }, "NetworkInterfaces": [ { "NetworkInterfaceId": { "Ref": "controlXface" }, "DeviceIndex": "0" }, { "NetworkInterfaceId": { "Ref": "webXface" }, "DeviceIndex": "1" } ], "Tags": [ { "Key": "Role", "Value": "Test Instance" } ], "UserData": { "Fn::Base64": { "Fn::Sub": "#!/bin/bash -xe\nyum install ec2-net-utils -y\nec2ifup eth1\nservice httpd start\n" } } } } }, "Outputs": { "InstancePublicIp": { "Description": "Public IP Address of the EC2 Instance", "Value": { "Fn::GetAtt": [ "Ec2Instance", "PublicIp" ] } } }
YAML
Resources: ControlPortAddress: Type: 'AWS::EC2::EIP' Properties: Domain: vpc AssociateControlPort: Type: 'AWS::EC2::EIPAssociation' Properties: AllocationId: Fn::GetAtt: - ControlPortAddress - AllocationId NetworkInterfaceId: Ref: controlXface WebPortAddress: Type: 'AWS::EC2::EIP' Properties: Domain: vpc AssociateWebPort: Type: 'AWS::EC2::EIPAssociation' Properties: AllocationId: Fn::GetAtt: - WebPortAddress - AllocationId NetworkInterfaceId: Ref: webXface SSHSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: VpcId: Ref: VpcId GroupDescription: Enable SSH access via port 22 SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 22 IpProtocol: tcp ToPort: 22 WebSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: VpcId: Ref: VpcId GroupDescription: Enable HTTP access via user-defined port SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 80 IpProtocol: tcp ToPort: 80 controlXface: Type: 'AWS::EC2::NetworkInterface' Properties: SubnetId: Ref: SubnetId Description: Interface for controlling traffic such as SSH GroupSet: - Fn::GetAtt: - SSHSecurityGroup - GroupId SourceDestCheck: true Tags: - Key: Network Value: Control webXface: Type: 'AWS::EC2::NetworkInterface' Properties: SubnetId: Ref: SubnetId Description: Interface for web traffic GroupSet: - Fn::GetAtt: - WebSecurityGroup - GroupId SourceDestCheck: true Tags: - Key: Network Value: Web Ec2Instance: Type: AWS::EC2::Instance Properties: ImageId: Fn::FindInMap: - RegionMap - Ref: AWS::Region - AMI KeyName: Ref: KeyName NetworkInterfaces: - NetworkInterfaceId: Ref: controlXface DeviceIndex: "0" - NetworkInterfaceId: Ref: webXface DeviceIndex: "1" Tags: - Key: Role Value: Test Instance UserData: Fn::Base64: !Sub | #!/bin/bash -xe yum install ec2-net-utils -y ec2ifup eth1 service httpd start Outputs: InstancePublicIp: Description: Public IP Address of the EC2 Instance Value: Fn::GetAtt: - Ec2Instance - PublicIp