Creating AWS VPC Endpoints with CloudFormation

amazon-cloudformationamazon-vpcamazon-web-services

I'm currently looking into automating the creation of VPC endpoints within our stack using CloudFormation (The purpose is so that our stack can access S3 without creating outbound traffic). The problem is, I can't seem to find any documentation indicating how to declare the resource. This page seems to be full of warnings about using VPC endpoints with cloudformation, which I'll be sure to heed, but I can't seem to find any documentation on the CFN resource itself.

Best Answer

This is what you're looking for:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html

AWS::EC2::VPCEndpoint

The AWS::EC2::VPCEndpoint resource creates a VPC endpoint that you can use to establish a private connection between your VPC and another AWS service without requiring access over the Internet, a VPN connection, or AWS Direct Connect.

Quick sample:

"S3Enpoint" : {
    "Type" : "AWS::EC2::VPCEndpoint",
    "Properties" : {
        "PolicyDocument" : {
            "Version":"2012-10-17",
            "Statement":[{
                "Effect":"Allow",
                "Principal": "*",
                "Action":["s3:GetObject"],
                "Resource":["arn:aws:s3:::examplebucket/*"]
            }]
        },
        "RouteTableIds" : [ {"Ref" : "routetableA"}, {"Ref" : "routetableB"} ],
        "ServiceName" : { "Fn::Join": [ "", [ "com.amazonaws.", { "Ref": "AWS::Region" }, ".s3" ] ] },
        "VpcId" : {"Ref" : "VPCID"}
    }
}

Related Solutions

CloudFormation – How to start a Windows Service with cfn-init

I got the following response to my respective post on the AWS CloudFormation Forum:

Posted by: Adam@AWS Posted on: Nov 7, 2012 9:05 AM in response to: Edwin G. Landy Reply Helpful Edwin,

You can install an MSI package in much the same way as a yum package. For instance:
"packages" : {
   "msi" : { 
      "mysql" : "URL or path to file on disk",
      "package2" : "path to another MSI"
   }
}
Note that the names do not matter - cfn-init will extract the ProductCode from the MSI in order to determine if the package is already installed or not. MSIs are also installed for all users with reboots suppressed.

I'm afraid we do not actually support services on Windows yet, but it is a feature that is definitely on our roadmap. Until then you can use the "net" command from within the command section to start services from cfn-init.

Thanks, Adam

AWS CloudFormation: VPC default security group

Referencing the default security group is possible using:

{ "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] }

Where "VPC" is your VPC resource name.

With AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress, you can augment the permissions of this default security group.

I think this is what you want:

"VPCDefaultSecurityGroupIngress": {
  "Type" : "AWS::EC2::SecurityGroupIngress",
  "Properties" : {
    "GroupId": { "Fn::GetAtt" : ["VPC", "DefaultSecurityGroup"] },
    "IpProtocol":"tcp",
    "FromPort":"22",
    "ToPort":"22",
    "CidrIp":"0.0.0.0/0"
  }
},

As mentioned by @artbristol and @gabriel, this allows Ingress/Egress rules to be added to the default security group for the VPC in a single stack deployment.

I'm pretty sure that the self-referential problem still impacts any attempts at changing any of the other properties on the default security group of the VPC. A good example of this would be adding Tags, or a Description. If you wish to change these things, you'll have to deal with extraneous security groups laying around.

Best Answer

Related Solutions

CloudFormation – How to start a Windows Service with cfn-init

AWS CloudFormation: VPC default security group

Related Topic