<1> Create one EC2 instance in the public subnet and two in the private subnet.
<2> CloudFormation file
<1> Create one EC2 instance in the public subnet and two in the private subnet.
This layout is used for load-balancer testing.
Connect to the public EC2 first, then from it connect to the private EC2s (for example `ssh -J <user>@<Instance1 EIP> <user>@10.40.2.101`, so the private key never has to be copied onto the public host). Only the public instance gets an Elastic IP; the private instances are reachable only from inside the VPC.
1 EC2 key pair: the template launches EC2 instances, so an existing key pair is required and is passed in as the KeyName parameter.
Required resources?
1 VPC
1 Public Subnet
1 Private Subnet
1 EC2 in the public subnet
2 EC2s in the private subnet
Common (3)
VPC
IGW
IGW Attachment
Public-related (4)
PublicSubnet1
PublicRouteTable (route table)
PublicRoute 0.0.0.0/0 (default route to the IGW)
PublicSubnetRouteTableAssociation1
Private-related (3)
PrivateSubnet1
PrivateRouteTable (route table; note that no route is added to it, so the private subnet has no path to the internet)
PrivateSubnetRouteTableAssociation1
EC2-related (3)
KeyName
Instance
SecurityGroup
(In the template that follows these appear under the logical names Subnet1 / RouteTable1 / DefaultRoute1 / Subnet1RouteTableAssociation for the public side and Subnet2 / RouteTable2 / Subnet2RouteTableAssociation for the private side; the security groups are SG1 for the public instance and SG2 for the private ones.)
<2> CloudFormation file
# EC2 1/3
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances. Linked to AWS Parameter
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.

Resources:
  # --- common: VPC, IGW, IGW attachment ---
  VPC1:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.40.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: NATInstance-VPC1

  InternetGateway1:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: NATInstance-IGW1

  InternetGatewayAttachment1:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway1
      VpcId: !Ref VPC1

  # --- public side: route table with a default route to the IGW, subnet, association ---
  RouteTable1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC1
      Tags:
        - Key: Name
          Value: NATInstance-PublicRouteTable1

  DefaultRoute1:
    Type: AWS::EC2::Route
    # A route via the IGW cannot be created until the IGW is attached to the VPC.
    DependsOn: InternetGatewayAttachment1
    Properties:
      RouteTableId: !Ref RouteTable1
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway1

  Subnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC1
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: 10.40.1.0/24
      Tags:
        - Key: Name
          Value: NATInstance-VPC1-Subnet1

  Subnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable1
      SubnetId: !Ref Subnet1

  # --- private side: route table WITHOUT any route, subnet, association ---
  # Nothing below adds a 0.0.0.0/0 route to RouteTable2, so Subnet2 can only talk
  # inside the VPC. Despite its name, Instance1 is not configured as a NAT either
  # (no SourceDestCheck: false, no masquerading, no route through its ENI); the
  # private instances are reached only by hopping through Instance1.
  RouteTable2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC1
      Tags:
        - Key: Name
          Value: NATInstance-PrivateRouteTable1

  Subnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC1
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: 10.40.2.0/24
      Tags:
        - Key: Name
          Value: NATInstance-VPC1-Subnet2

  Subnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable2
      SubnetId: !Ref Subnet2

  # --- public instance networking: fixed-IP ENI plus an Elastic IP bound to it ---
  Instance1ENIEth0:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref Subnet1
      Description: Instance1 eth0
      GroupSet:
        - !Ref SG1
      PrivateIpAddress: 10.40.1.100
      Tags:
        - Key: Name
          Value: NAT-Instance eth0

  VPCEIP1:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  VPCAssociateEIP1:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !GetAtt VPCEIP1.AllocationId
      NetworkInterfaceId: !Ref Instance1ENIEth0

  # EC2 2/3
  # AMI IDs are region-specific; replace them if you deploy outside the region they belong to.
  Instance1:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0ded5b0f6eeead568
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: NAT-Instance
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref Instance1ENIEth0
          DeviceIndex: 0
      UserData:
        Fn::Base64: |
          #!/bin/bash
          hostname NAT-Instance
          yum -y install tcpdump iptraf

  Instance2:
    Type: AWS::EC2::Instance
    DependsOn: Instance1
    Properties:
      ImageId: ami-03b42693dc6a7dc35
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: Private-EC2-1
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref Subnet2
          GroupSet:
            - !Ref SG2
          PrivateIpAddress: 10.40.2.101
      # Lab convenience only: sets a fixed root password and turns on password-based
      # root SSH. The key pair already gives SSH access; do not do this outside a
      # throwaway test VPC.
      UserData:
        Fn::Base64: |
          #!/bin/bash
          (
          echo "qwe3"
          echo "qwe3"
          ) | passwd --stdin root
          sed -i "s/^PasswordAuthentication no/PasswordAuthentication yes/g" /etc/ssh/sshd_config
          sed -i "s/^#PermitRootLogin yes/PermitRootLogin yes/g" /etc/ssh/sshd_config
          service sshd restart
          hostnamectl --static set-hostname Private-EC2-1

  Instance3:
    Type: AWS::EC2::Instance
    DependsOn: Instance1
    Properties:
      ImageId: ami-03b42693dc6a7dc35
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: Private-EC2-2
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref Subnet2
          GroupSet:
            - !Ref SG2
          PrivateIpAddress: 10.40.2.102
      # Same lab-only root password / password SSH setup as Instance2.
      UserData:
        Fn::Base64: |
          #!/bin/bash
          (
          echo "qwe123"
          echo "qwe123"
          ) | passwd --stdin root
          sed -i "s/^PasswordAuthentication no/PasswordAuthentication yes/g" /etc/ssh/sshd_config
          sed -i "s/^#PermitRootLogin yes/PermitRootLogin yes/g" /etc/ssh/sshd_config
          service sshd restart
          hostnamectl --static set-hostname Private-EC2-2

  # EC2 3/3
  # SG1: public instance. SSH is open to the whole internet (0.0.0.0/0); outside a
  # lab, narrow this to your own source address. 80/443/UDP are VPC-internal only.
  SG1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC1
      GroupDescription: VPC1-NATInstance-SecurityGroup
      Tags:
        - Key: Name
          Value: VPC1-NATInstance-SecurityGroup
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 10.40.0.0/16
        - IpProtocol: tcp
          FromPort: '443'
          ToPort: '443'
          CidrIp: 10.40.0.0/16
        - IpProtocol: udp
          FromPort: '0'
          ToPort: '65535'
          CidrIp: 10.40.0.0/16
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0

  # SG2: private instances. SSH only from inside the VPC, i.e. via Instance1.
  SG2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC1
      GroupDescription: VPC1-PrivateEC2-SecurityGroup
      Tags:
        - Key: Name
          Value: VPC1-PrivateEC2-SecurityGroup
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          # The original read 10.40.0.0/0, which is a malformed CIDR (host bits set
          # with a /0 prefix); /16 is the VPC range and is what the text describes.
          CidrIp: 10.40.0.0/16
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
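Before deploying a template like this one it is worth running a few offline checks on it: is every CIDR well-formed, which admin ports are exposed to the internet, and which subnets have no default route at all. The script below is an added example, not code from the original post; it transcribes the route tables, subnet associations and security groups of the template above into a plain Python dict (with `!Ref` values written as the logical names they point to, and SG2's `CidrIp` exactly as originally posted) so that it runs with the standard library only, no PyYAML and no AWS account.

```python
"""Offline checks over the VPC/EC2 template above (added example, not part of
the original post).  The template is transcribed into a plain dict so this
runs without PyYAML or AWS access; only the fields the checks read are kept,
and !Ref values are written as the logical names they point to."""
import copy
import ipaddress

# Constructed: route tables, routes, subnet associations and security groups
# from the page's template, with SG2's CidrIp as it was originally posted.
TEMPLATE = {
    "Resources": {
        "RouteTable1": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": "VPC1"}},
        "DefaultRoute1": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": "RouteTable1", "DestinationCidrBlock": "0.0.0.0/0",
            "GatewayId": "InternetGateway1"}},
        "Subnet1RouteTableAssociation": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {"RouteTableId": "RouteTable1", "SubnetId": "Subnet1"}},
        "RouteTable2": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": "VPC1"}},
        "Subnet2RouteTableAssociation": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {"RouteTableId": "RouteTable2", "SubnetId": "Subnet2"}},
        "SG1": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "10.40.0.0/16"},
            {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "10.40.0.0/16"},
            {"IpProtocol": "udp", "FromPort": "0", "ToPort": "65535", "CidrIp": "10.40.0.0/16"},
            {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "CidrIp": "0.0.0.0/0"}]}},
        "SG2": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "10.40.0.0/0"},
            {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "CidrIp": "0.0.0.0/0"}]}},
    }
}


def resources_of(template, rtype):
    """Logical name -> resource, for every resource of the given type."""
    return {n: r for n, r in template["Resources"].items() if r["Type"] == rtype}


def ingress_rules(template):
    """Yield (group name, ingress rule) for every security group rule."""
    for name, sg in resources_of(template, "AWS::EC2::SecurityGroup").items():
        for rule in sg["Properties"].get("SecurityGroupIngress", []):
            yield name, rule


def malformed_cidrs(template):
    """CIDRs with host bits set, such as 10.40.0.0/0.  strict=True rejects
    them; the third tuple element shows what a lenient parser would turn the
    same string into (here: the whole internet), which is why we stay strict."""
    bad = []
    for name, rule in ingress_rules(template):
        cidr = rule.get("CidrIp")
        if cidr is None:
            continue
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            bad.append((name, cidr, str(ipaddress.ip_network(cidr, strict=False))))
    return bad


def world_reachable_ports(template, ports=(22, 3389)):
    """(group, port, cidr) for admin ports opened to 0.0.0.0/0 or ::/0."""
    hits = []
    for name, rule in ingress_rules(template):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ("0.0.0.0/0", "::/0"):
            continue
        proto = str(rule.get("IpProtocol"))
        if proto == "-1":                       # "all traffic" rule
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
        else:                                   # udp/icmp cannot carry SSH/RDP
            continue
        hits.extend((name, p, cidr) for p in ports if lo <= p <= hi)
    return hits


def subnets_without_default_route(template):
    """Subnets whose route table has no 0.0.0.0/0 route: they can only talk
    inside the VPC (fine for this lab, but package installs from them fail)."""
    routed = {r["Properties"]["RouteTableId"]
              for r in resources_of(template, "AWS::EC2::Route").values()
              if r["Properties"].get("DestinationCidrBlock") == "0.0.0.0/0"}
    return [a["Properties"]["SubnetId"]
            for a in resources_of(template, "AWS::EC2::SubnetRouteTableAssociation").values()
            if a["Properties"]["RouteTableId"] not in routed]


def fixed_template(template):
    """Copy with SG2's SSH rule narrowed to the VPC range, as the post intends."""
    fixed = copy.deepcopy(template)
    for rule in fixed["Resources"]["SG2"]["Properties"]["SecurityGroupIngress"]:
        if rule.get("CidrIp") == "10.40.0.0/0":
            rule["CidrIp"] = "10.40.0.0/16"
    return fixed


if __name__ == "__main__":
    print("malformed CIDRs:", malformed_cidrs(TEMPLATE))
    print("admin ports open to the world:", world_reachable_ports(TEMPLATE))
    print("subnets with no default route:", subnets_without_default_route(TEMPLATE))
    print("after fixing SG2:", malformed_cidrs(fixed_template(TEMPLATE)))
```

Run as posted, the checks report SG2's `10.40.0.0/0` as malformed (and show that a lenient parser would read it as `0.0.0.0/0`), SG1's port 22 as open to the whole internet, and Subnet2 as having no default route. The strict CIDR check is the important one: a one-character typo in a prefix length should fail loudly rather than be silently widened to "everyone".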
https://brunch.co.kr/@topasvga/1781