20탄-9. CF -Pub1,Pri1,EC2 1개,EC

<1> Public에 EC2 1대를 생성, Private에 EC2 2대를 생성하는 것이다.

<2> CloudFormation 파일

<1> Public에 EC2 1대를 생성, Private에 EC2 2대를 생성하는 것이다.

로드밸런서 테스트시 사용한다.

public ec2에 접속후, private ec2에 접속한다!!!

ec2 keypair 1개 - ec2를 생성하므로 keypair가 필요하다.

필요 리소스 ?

VPC 1개

Public Subnet 1개

Private Sunet 1개

Pub에 EC2 1개

Private에 EC2 2개

공통 3개

VPC

IGW

IGW Attatch

pub 관련 4개

PublicSubnet1

PublicRouteTable 테이블

PublicRoute 0.0.0.0

PublicSubnetRouteTableAssociation1

private 관련 3개

PrivateSubnet1

PrivateRouteTable: 테이블

PrivateSubnetRouteTableAssociation1:

EC2 관련 3개

KeyName

Instance

SecurityGroup

<2> CloudFormation 파일

# EC2 1/3

Parameters:

KeyName:

Description: Name of an existing EC2 KeyPair to enable SSH access to the instances. Linked to AWS Parameter

Type: AWS::EC2::KeyPair::KeyName

ConstraintDescription: must be the name of an existing EC2 KeyPair.

Resources:

VPC1:

Type: AWS::EC2::VPC

Properties:

CidrBlock: 10.40.0.0/16

EnableDnsSupport: true

EnableDnsHostnames: true

Tags:

- Key: Name

Value: NATInstance-VPC1

InternetGateway1:

Type: AWS::EC2::InternetGateway

Properties:

Tags:

- Key: Name

Value: NATInstance-IGW1

InternetGatewayAttachment1:

Type: AWS::EC2::VPCGatewayAttachment

Properties:

InternetGatewayId: !Ref InternetGateway1

VpcId: !Ref VPC1

RouteTable1:

Type: AWS::EC2::RouteTable

Properties:

VpcId: !Ref VPC1

Tags:

- Key: Name

Value: NATInstance-PublicRouteTable1

DefaultRoute1:

Type: AWS::EC2::Route

DependsOn: InternetGatewayAttachment1

Properties:

RouteTableId: !Ref RouteTable1

DestinationCidrBlock: 0.0.0.0/0

GatewayId: !Ref InternetGateway1

Subnet1:

Type: AWS::EC2::Subnet

Properties:

VpcId: !Ref VPC1

AvailabilityZone: !Select [ 0, !GetAZs '' ]

CidrBlock: 10.40.1.0/24

Tags:

- Key: Name

Value: NATInstance-VPC1-Subnet1

Subnet1RouteTableAssociation:

Type: AWS::EC2::SubnetRouteTableAssociation

Properties:

RouteTableId: !Ref RouteTable1

SubnetId: !Ref Subnet1

RouteTable2:

Type: AWS::EC2::RouteTable

Properties:

VpcId: !Ref VPC1

Tags:

- Key: Name

Value: NATInstance-PrivateRouteTable1

Subnet2:

Type: AWS::EC2::Subnet

Properties:

VpcId: !Ref VPC1

AvailabilityZone: !Select [ 0, !GetAZs '' ]

CidrBlock: 10.40.2.0/24

Tags:

- Key: Name

Value: NATInstance-VPC1-Subnet2

Subnet2RouteTableAssociation:

Type: AWS::EC2::SubnetRouteTableAssociation

Properties:

RouteTableId: !Ref RouteTable2

SubnetId: !Ref Subnet2

Instance1ENIEth0:

Type: AWS::EC2::NetworkInterface

Properties:

SubnetId: !Ref Subnet1

Description: Instance1 eth0

GroupSet:

- !Ref SG1

PrivateIpAddress: 10.40.1.100

Tags:

- Key: Name

Value: NAT-Instance eth0

VPCEIP1:

Type: AWS::EC2::EIP

Properties:

Domain: vpc

VPCAssociateEIP1:

Type: AWS::EC2::EIPAssociation

Properties:

AllocationId: !GetAtt VPCEIP1.AllocationId

NetworkInterfaceId: !Ref Instance1ENIEth0

# EC2 2/3

Instance1:

Type: AWS::EC2::Instance

Properties:

ImageId: ami-0ded5b0f6eeead568

InstanceType: t2.micro

KeyName: !Ref KeyName

Tags:

- Key: Name

Value: NAT-Instance

NetworkInterfaces:

- NetworkInterfaceId: !Ref Instance1ENIEth0

DeviceIndex: 0

UserData:

Fn::Base64: |

#!/bin/bash

hostname NAT-Instance

yum -y install tcpdump iptraf

Instance2:

Type: AWS::EC2::Instance

DependsOn: Instance1

Properties:

ImageId: ami-03b42693dc6a7dc35

InstanceType: t2.micro

KeyName: !Ref KeyName

Tags:

- Key: Name

Value: Private-EC2-1

NetworkInterfaces:

- DeviceIndex: 0

SubnetId: !Ref Subnet2

GroupSet:

- !Ref SG2

PrivateIpAddress: 10.40.2.101

UserData:

Fn::Base64: |

#!/bin/bash

(

echo "qwe3"

echo "qwe3"

) | passwd --stdin root

sed -i "s/^PasswordAuthentication no/PasswordAuthentication yes/g" /etc/ssh/sshd_config

sed -i "s/^#PermitRootLogin yes/PermitRootLogin yes/g" /etc/ssh/sshd_config

service sshd restart

hostnamectl --static set-hostname Private-EC2-1

Instance3:

Type: AWS::EC2::Instance

DependsOn: Instance1

Properties:

ImageId: ami-03b42693dc6a7dc35

InstanceType: t2.micro

KeyName: !Ref KeyName

Tags:

- Key: Name

Value: Private-EC2-2

NetworkInterfaces:

- DeviceIndex: 0

SubnetId: !Ref Subnet2

GroupSet:

- !Ref SG2

PrivateIpAddress: 10.40.2.102

UserData:

Fn::Base64: |

#!/bin/bash

(

echo "qwe123"

echo "qwe123"

) | passwd --stdin root

sed -i "s/^PasswordAuthentication no/PasswordAuthentication yes/g" /etc/ssh/sshd_config

sed -i "s/^#PermitRootLogin yes/PermitRootLogin yes/g" /etc/ssh/sshd_config

service sshd restart

hostnamectl --static set-hostname Private-EC2-2

# EC2 3/3

SG1:

Type: AWS::EC2::SecurityGroup

Properties:

VpcId: !Ref VPC1

GroupDescription: VPC1-NATInstance-SecurityGroup

Tags:

- Key : Name

Value : VPC1-NATInstance-SecurityGroup

SecurityGroupIngress:

- IpProtocol: tcp

FromPort: '22'

ToPort: '22'

CidrIp: 0.0.0.0/0

- IpProtocol: tcp

FromPort: '80'

ToPort: '80'

CidrIp: 10.40.0.0/16

- IpProtocol: tcp

FromPort: '443'

ToPort: '443'

CidrIp: 10.40.0.0/16

- IpProtocol: udp

FromPort: '0'

ToPort: '65535'

CidrIp: 10.40.0.0/16

- IpProtocol: icmp

FromPort: -1

ToPort: -1

CidrIp: 0.0.0.0/0

SG2:

Type: AWS::EC2::SecurityGroup

Properties:

VpcId: !Ref VPC1

GroupDescription: VPC1-PrivateEC2-SecurityGroup

Tags:

- Key : Name

Value : VPC1-PrivateEC2-SecurityGroup

SecurityGroupIngress:

- IpProtocol: tcp

FromPort: '22'

ToPort: '22'

CidrIp: 10.40.0.0/0

- IpProtocol: icmp

FromPort: -1

ToPort: -1

CidrIp: 0.0.0.0/0

4-vpc1-pub1-pri1-ec2-3ea-nat-instance1 -password change.yaml

https://brunch.co.kr/@topasvga/1781

(몰아보기) CloudFormation