
2015年4月22日

CloudformationでVPCを作ってみる練習、5回目:NetworkACLの追加


NetworkACLを追加すると、VPCの枠組みがだいぶ見えてくるようになりました。



セキュリティ・グループを追加してもいいのですがEC2インスタンス毎のセキュリティ・グループはインスタンス生成しつつ考えましょう。

ひとまずNetworkACLを追加してVPC枠組みもう少し形にします。

NetworkACLを追加


シンプルなNetworkACLを追加します。

AWS::EC2::SubnetNetworkAclAssociationはやはりSubnetIdにリストを指定できないので、複数のサブネットに割り当てる際には複数行記述する必要がありますね。 どんどん行が長くなっていっています。 なお、下のテンプレートではSSH用のエントリが { "Ref" : "SSHLocation" } を参照していますが、Parametersには SSHLocation が定義されていないため、そのままでは検証で失敗します（SSHの許可元CIDRをパラメータとして追加する必要があります）。

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "AWS CloudFormation Sample Template Simple VPC.",

  "Parameters" : {

    "InstanceType" : {
      "Description" : "WebServer EC2 instance type",
      "Type" : "String",
      "Default" : "t2.micro",
      "AllowedValues" : [ "t2.micro", "t2.small", "t2.medium"],
      "ConstraintDescription" : "must be a valid EC2 instance type."
    },

    "NetworkStructure" : {
      "Type" : "String",
      "Default" : "TEST1",
      "AllowedValues" : [ "TEST1", "TEST2" ],
      "ConstraintDescription" : "must be TEST1 or TEST2."
    }
   },

  "Mappings" : {
     "VPCConfig" : {
       "VPCCidr" : { "TEST1" : "10.181.0.0/16", "TEST2" : "10.81.0.0/16" }
     },
     
    "SubnetConfig" : {
        "ELB1a"   : { "TEST1" : "10.181.254.0/28" , "TEST2" : "10.81.254.0/28"  },
        "NAT1a"   : { "TEST1" : "10.181.254.32/28", "TEST2" : "10.81.254.32/28" },
        "LOGIN1a" : { "TEST1" : "10.181.254.64/28", "TEST2" : "10.81.254.64/28" },
        "WEB1a"   : { "TEST1" : "10.181.80.0/25"  , "TEST2" : "10.81.80.0/25"   },
        "Priv11a" : { "TEST1" : "10.181.100.0/24" , "TEST2" : "10.81.100.0/24"  },
        "Priv21a" : { "TEST1" : "10.181.120.0/24" , "TEST2" : "10.81.120.0/24"  },
        "ELB1c"   : { "TEST1" : "10.181.254.16/28", "TEST2" : "10.81.254.0/28"  },
        "NAT1c"   : { "TEST1" : "10.181.254.48/28", "TEST2" : "10.81.254.32/28" },
        "LOGIN1c" : { "TEST1" : "10.181.254.80/28", "TEST2" : "10.81.254.64/28" },
        "WEB1c"   : { "TEST1" : "10.181.80.128/25", "TEST2" : "10.81.80.0/25"   },
        "Priv11c" : { "TEST1" : "10.181.110.0/24" , "TEST2" : "10.81.100.0/24"  },
        "Priv21c" : { "TEST1" : "10.181.130.0/24" , "TEST2" : "10.81.120.0/24"  }
    },
    
    "AZConfig" : {
        "AZ"  : { "ELB1a"   : "ap-northeast-1a",
                  "NAT1a"   : "ap-northeast-1a",
                  "LOGIN1a" : "ap-northeast-1a", 
                  "WEB1a"   : "ap-northeast-1a",
                  "Priv11a" : "ap-northeast-1a",
                  "Priv21a" : "ap-northeast-1a",
                  "ELB1c"   : "ap-northeast-1c", 
                  "NAT1c"   : "ap-northeast-1c",
                  "LOGIN1c" : "ap-northeast-1c",
                  "WEB1c"   : "ap-northeast-1c",
                  "Priv11c" : "ap-northeast-1c",
                  "Priv21c" : "ap-northeast-1c"       
       }
   }
 },

  "Resources" : {
    "VPC" : {
      "Type" : "AWS::EC2::VPC",
      "Properties" : {
        "CidrBlock" : { "Fn::FindInMap" : [ "VPCConfig", "VPCCidr", { "Ref" : "NetworkStructure" } ] },
        "EnableDnsSupport" : "true",
        "EnableDnsHostnames" : "true",
        "Tags" : [
          { "Key"  : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key"  : "Network", "Value" : "Public" },
          { "Key" : "Name", "Value" : "VPC" }
        ]
      }
    },
    "SubnetELB1a" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "ELB1a"]},
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "ELB1a", { "Ref" : "NetworkStructure" } ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Network", "Value" : "Public" },
          { "Key" : "Name", "Value" : "ELB1a"}
        ]
      }
    },
    "SubnetNAT1a" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "NAT1a" ]},
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "NAT1a", { "Ref" : "NetworkStructure" } ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Network", "Value" : "Public" },
          { "Key" : "Name", "Value" : "NAT1a" }
        ]
      }
    },
    "SubnetLOGIN1a" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "LOGIN1a" ]},
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "LOGIN1a", { "Ref" : "NetworkStructure" } ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Network", "Value" : "Public" },
          { "Key" : "Name", "Value" : "LOGIN1a" }
        ]
      }
    },
    "SubnetWEB1a" : {
       "Type" : "AWS::EC2::Subnet",
       "Properties" : {
         "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "WEB1a" ]},
         "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "WEB1a", { "Ref" : "NetworkStructure" } ] },
         "Tags" : [
           { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
           { "Key" : "Network", "Value" : "Private" },
           { "Key" : "Name", "Value" : "WEB1a" }
         ]
       }
    },
    "SubnetPriv11a" : {
       "Type" : "AWS::EC2::Subnet",
       "Properties" : {
         "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "Priv11a" ]},
         "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Priv11a", { "Ref" : "NetworkStructure" } ] },
         "Tags" : [
           { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
           { "Key" : "Network", "Value" : "Private" },
           { "Key" : "Name", "Value" : "Private1 1a"}
         ]
       }
    },
    "SubnetPriv21a" : {
       "Type" : "AWS::EC2::Subnet",
       "Properties" : {
         "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "Priv21a" ]},
         "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Priv21a", { "Ref" : "NetworkStructure" } ] },
         "Tags" : [
           { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
           { "Key" : "Network", "Value" : "Private" },
           { "Key" : "Name", "Value" : "Private2 1a" }
         ]
       }
    },    
    "SubnetELB1c" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "ELB1c" ]},
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "ELB1c", { "Ref" : "NetworkStructure" } ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Network", "Value" : "Public" },
          { "Key" : "Name", "Value" : "ELB1c" }
        ]
      }
    },
    "SubnetNAT1c" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "NAT1c" ]},
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "NAT1c", { "Ref" : "NetworkStructure" } ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Network", "Value" : "Public" },
          { "Key" : "Name", "Value" : "NAT1c" }
        ]
      }
    },
    "SubnetLOGIN1c" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "LOGIN1c" ]},
        "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "LOGIN1c", { "Ref" : "NetworkStructure" } ] },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Network", "Value" : "Public" },
          { "Key" : "Name", "Value" : "LOGIN1c" }
        ]
      }
    },
    "SubnetWEB1c" : {
       "Type" : "AWS::EC2::Subnet",
       "Properties" : {
         "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "WEB1c" ]},
         "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "WEB1c", { "Ref" : "NetworkStructure" } ] },
         "Tags" : [
           { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
           { "Key" : "Network", "Value" : "Private" },
           { "Key" : "Name", "Value" : "WEB1c" }
         ]
       }
    },
    "SubnetPriv11c" : {
       "Type" : "AWS::EC2::Subnet",
       "Properties" : {
         "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "Priv11c" ]},
         "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Priv11c", { "Ref" : "NetworkStructure" } ] },
         "Tags" : [
           { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
           { "Key" : "Network", "Value" : "Private" },
           { "Key" : "Name", "Value" : "Private1 1c" }
         ]
       }
    },
    "SubnetPriv21c" : {
       "Type" : "AWS::EC2::Subnet",
       "Properties" : {
         "VpcId" : { "Ref" : "VPC" },
        "AvailabilityZone" : { "Fn::FindInMap" : [ "AZConfig", "AZ", "Priv21c" ]},
         "CidrBlock" : { "Fn::FindInMap" : [ "SubnetConfig", "Priv21c", { "Ref" : "NetworkStructure" } ] },
         "Tags" : [
           { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
           { "Key" : "Network", "Value" : "Private" },
           { "Key" : "Name", "Value" : "Private2 1c" }
         ]
       }
    }, 

    "InternetGateway" : {
      "Type" : "AWS::EC2::InternetGateway",
      "Properties" : {
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Network", "Value" : "Public" },
          { "Key" : "Name", "Value" : "InternetGateway" }
        ]
      }
    },
    "GatewayToInternet" : {
       "Type" : "AWS::EC2::VPCGatewayAttachment",
       "Properties" : {
         "VpcId" : { "Ref" : "VPC" },
         "InternetGatewayId" : { "Ref" : "InternetGateway" }
       }
    },

    "PublicRouteTable" : {
      "Type" : "AWS::EC2::RouteTable",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Network", "Value" : "Public" },
          { "Key" : "Name", "Value" : "Public Network" }
        ]
      }
    },
    "PublicRoute" : {
      "Type" : "AWS::EC2::Route",
      "DependsOn" : "GatewayToInternet",
      "Properties" : {
        "RouteTableId" : { "Ref" : "PublicRouteTable" },
        "DestinationCidrBlock" : "0.0.0.0/0",
        "GatewayId" : { "Ref" : "InternetGateway" }
      }
    },

    "PublicSubnetRouteTableAssociation1" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetELB1a"},
        "RouteTableId" : { "Ref" : "PublicRouteTable" }
      }
    },
    "PublicSubnetRouteTableAssociation2" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetNAT1a"},
        "RouteTableId" : { "Ref" : "PublicRouteTable" }
      }
    },
    "PublicSubnetRouteTableAssociation3" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetLOGIN1a"},
        "RouteTableId" : { "Ref" : "PublicRouteTable" }
      }
    },
    "PublicSubnetRouteTableAssociation4" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetELB1c"},
        "RouteTableId" : { "Ref" : "PublicRouteTable" }
      }
    },
    "PublicSubnetRouteTableAssociation5" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetNAT1c"},
        "RouteTableId" : { "Ref" : "PublicRouteTable" }
      }
    },
    "PublicSubnetRouteTableAssociation6" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetLOGIN1c"},
        "RouteTableId" : { "Ref" : "PublicRouteTable" }
      }
    },

    "PrivateRouteTable" : {
      "Type" : "AWS::EC2::RouteTable",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Network", "Value" : "Private" },
          { "Key" : "Name", "Value" : "Private Network" }
        ]
      }
    },
    "PrivateRoute" : {
      "Type" : "AWS::EC2::Route",
      "Properties" : {
        "RouteTableId" : { "Ref" : "PrivateRouteTable" },
        "DestinationCidrBlock" : "0.0.0.0/0",
        "GatewayId" : { "Ref" : "InternetGateway" }
      }
    },
    "PrivateSubnetRouteTableAssociation1" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetWEB1a"},
        "RouteTableId" : { "Ref" : "PrivateRouteTable" }
      }
    },
    "PrivateSubnetRouteTableAssociation2" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetPriv11a"},
        "RouteTableId" : { "Ref" : "PrivateRouteTable" }
      }
    },
    "PrivateSubnetRouteTableAssociation3" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetPriv21a"},
        "RouteTableId" : { "Ref" : "PrivateRouteTable" }
      }
    },
    "PrivateSubnetRouteTableAssociation4" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetWEB1c"},
        "RouteTableId" : { "Ref" : "PrivateRouteTable" }
      }
    },
    "PrivateSubnetRouteTableAssociation5" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetPriv11c"},
        "RouteTableId" : { "Ref" : "PrivateRouteTable" }
      }
    },
    "PrivateSubnetRouteTableAssociation6" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : {"Ref":"SubnetPriv21c"},
        "RouteTableId" : { "Ref" : "PrivateRouteTable" }
      }
    },
    
    "PublicNetworkAcl" : {
      "Type" : "AWS::EC2::NetworkAcl",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Network", "Value" : "Public" },
          { "Key" : "Name", "Value" : "PublicNetworkAcl" }
        ]
      }
    },

    "InboundHTTPPublicNetworkAclEntry" : {
      "Type" : "AWS::EC2::NetworkAclEntry",
      "Properties" : {
        "NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
        "RuleNumber" : "100",
        "Protocol" : "6",
        "RuleAction" : "allow",
        "Egress" : "false",
        "CidrBlock" : "0.0.0.0/0",
        "PortRange" : { "From" : "80", "To" : "80" }
      }
    },

    "InboundDynamicPortPublicNetworkAclEntry" : {
      "Type" : "AWS::EC2::NetworkAclEntry",
      "Properties" : {
        "NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
        "RuleNumber" : "110",
        "Protocol" : "6",
        "RuleAction" : "allow",
        "Egress" : "false",
        "CidrBlock" : "0.0.0.0/0",
        "PortRange" : { "From" : "1024", "To" : "65535" }
      }
    },

    "InboundSSHPublicNetworkAclEntry" : {
      "Type" : "AWS::EC2::NetworkAclEntry",
      "Properties" : {
        "NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
        "RuleNumber" : "120",
        "Protocol" : "6",
        "RuleAction" : "allow",
        "Egress" : "false",
        "CidrBlock" : { "Ref" : "SSHLocation" },
        "PortRange" : { "From" : "22", "To" : "22" }
      }
    },

    "OutboundPublicNetworkAclEntry" : {
      "Type" : "AWS::EC2::NetworkAclEntry",
      "Properties" : {
        "NetworkAclId" : { "Ref" : "PublicNetworkAcl" },
        "RuleNumber" : "100",
        "Protocol" : "6",
        "RuleAction" : "allow",
        "Egress" : "true",
        "CidrBlock" : "0.0.0.0/0",
        "PortRange" : { "From" : "0", "To" : "65535" }
      }
    },

    "PublicSubnetNetworkAclAssociation1" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetELB1a" },
        "NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
      }
    },
    "PublicSubnetNetworkAclAssociation2" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetNAT1a" },
        "NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
      }
    },
    "PublicSubnetNetworkAclAssociation3" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetLOGIN1a" },
        "NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
      }
    },
    "PublicSubnetNetworkAclAssociation4" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetELB1c" },
        "NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
      }
    },    
    "PublicSubnetNetworkAclAssociation5" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetNAT1c" },
        "NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
      }
    },
    "PublicSubnetNetworkAclAssociation6" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetLOGIN1c" },
        "NetworkAclId" : { "Ref" : "PublicNetworkAcl" }
      }
    },    
    
    "PrivateNetworkAcl" : {
      "Type" : "AWS::EC2::NetworkAcl",
      "Properties" : {
        "VpcId" : { "Ref" : "VPC" },
        "Tags" : [
          { "Key" : "Application", "Value" : { "Ref" : "AWS::StackId" } },
          { "Key" : "Network", "Value" : "Private" },
          { "Key" : "Name", "Value" : "PrivateNetworkAcl" }
        ]
      }
    },

    "InboundPrivateNetworkAclEntry" : {
      "Type" : "AWS::EC2::NetworkAclEntry",
      "Properties" : {
        "NetworkAclId" : { "Ref" : "PrivateNetworkAcl" },
        "RuleNumber" : "100",
        "Protocol" : "6",
        "RuleAction" : "allow",
        "Egress" : "false",
        "CidrBlock" : "0.0.0.0/0",
        "PortRange" : { "From" : "0", "To" : "65535" }
      }
    },

    "OutboundPrivateNetworkAclEntry" : {
      "Type" : "AWS::EC2::NetworkAclEntry",
      "Properties" : {
        "NetworkAclId" : { "Ref" : "PrivateNetworkAcl" },
        "RuleNumber" : "100",
        "Protocol" : "6",
        "RuleAction" : "allow",
        "Egress" : "true",
        "CidrBlock" : "0.0.0.0/0",
        "PortRange" : { "From" : "0", "To" : "65535" }
      }
    },

    "PrivateSubnetNetworkAclAssociation1" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetWEB1a" },
        "NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
      }
    },
    "PrivateSubnetNetworkAclAssociation2" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetPriv11a" },
        "NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
      }
    },
    "PrivateSubnetNetworkAclAssociation3" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetPriv21a" },
        "NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
      }
    },    
    "PrivateSubnetNetworkAclAssociation4" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetWEB1c" },
        "NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
      }
    },
    "PrivateSubnetNetworkAclAssociation5" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetPriv11c" },
        "NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
      }
    },
    "PrivateSubnetNetworkAclAssociation6" : {
      "Type" : "AWS::EC2::SubnetNetworkAclAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "SubnetPriv21c" },
        "NetworkAclId" : { "Ref" : "PrivateNetworkAcl" }
      }
    }    
  },

  "Outputs" : {
    "VPC" : {
      "Description" : "VPC CIDR",
      "Value" : { "Fn::FindInMap" : [ "VPCConfig", "VPCCidr", { "Ref" : "NetworkStructure" } ] }
    },
    "Public"  : {
      "Description" : "Public Subnet CIDR",
      "Value" : { "Fn::FindInMap" : [ "SubnetConfig", "ELB1a", { "Ref" : "NetworkStructure" } ] }
    },
    "Private" : {
      "Description" : "Private Subnet CIDR",
      "Value" : { "Fn::FindInMap" : [ "SubnetConfig", "WEB1a", { "Ref" : "NetworkStructure" } ] }
    }
  }
}

NetworkACLを追加したので、枠組みがだいぶできてきたような感じでしょうか。 セキュリティ・グループを個別に設定するかインスタンス毎に設定するかちょっと迷うところです。

NATインスタンスを作成しますけど・・・


プライベート・ゾーンからのアクセスは、NATインスタンスを経由して外部との通信を行わせようと考えています。 現時点のテンプレートでは PrivateRouteTable のデフォルト経路（0.0.0.0/0）も InternetGateway を向いているので、プライベート側はまだ実質的に分離されておらず、この経路を NAT インスタンス向けに差し替える形になります。 NATインスタンスをどのように構成するかをちょっとだけ考えてみました。

AWSのブログにNATインスタンスのHA化についての記事があります: High Availability for Amazon VPC NAT Instances (Using AWS CloudFormation Templates)

NAT用のサブネットはAZ毎に用意していますのでNATインスタンスを2つ用意すると、この記事にあるようなHA構造にすることも可能です。

「可能です」と書いたのは少し迷いがあるためで、AWSではAZ間の通信が課金対象になりますから、経路としてAZをまたいだ通信は避けたいところでしょう。

そこで、AZ間通信コストがいったいどれくらいか確認してみました。

AWSの料金表から、東京リージョンのAZ間通信のコストをピックアップすると:
「同じ AWS リージョンの別のアベイラビリティーゾーンまたはピアリング接続された VPC にある Amazon EC2、Amazon RDS、Amazon Redshift および Amazon ElastiCache インスタンスまたは Elastic Network Interface $0.01 /GB」

なるほど、1GB毎に0.01米ドルかかるんですね。

yumでアップデートすると、このコストがかかるようになるんですよね。 AWSの通信費用では、EC2へのデータインには費用がかかりませんのでアップデート時の通信量が多いとコストが上がってしまうということですか。

データイン方向には課金がありませんが、データアウトに課金がかかります。 そうするとAZ-1aからAZ-1cへのNAT通信には課金がかかると考えてよいのでしょう。

単純には毎月10GBのアップデートがあると、12円/月程度のコストがかかることになりますね。

AWSブログの記事のようなHA構造とすると、わずかではありますがAZ間通信に課金が発生してしまいますね。

NATインスタンスを生成するコストと比較すると小さいかもしれませんが、2つのNATインスタンスを生成するのならアベイラビリティ・ゾーン毎に割った方が気持ちお得のようにおもいます。

というところで、NAT経路はAZ毎に分離する構造にしましょう。

次回からNATインスタンス関連の追加を行ってみます。