Level 200: Automated Deployment of VPC
Last Updated: July 2020
Authors: Ben Potter, Security Lead, Well-Architected
Introduction
This hands-on lab will use AWS CloudFormation to create an Amazon VPC to outline some of the AWS security features available. Using CloudFormation to automate the deployment provides a repeatable way to create and update, and you can re-use the template after this lab.
The example template will deploy a completely new VPC incorporating a number of AWS security best practices which include:
Networking subnets created in 3 availability zones for the following network tiers:
- Application Load Balancer - named ALB1
- Application instances - named App1
- Shared services - named Shared1
- Database - named DB1
VPC Architecture:
- VPC endpoints are created for private connectivity to AWS services. Additional endpoints can be enabled for the application tier using the App1SubnetsPrivateLinkEndpoints CloudFormation parameter.
- NAT Gateways are created to allow subnets in the VPC to connect to the internet, without any direct ingress access as defined by the Route Table .
- Network ACLs control access at each subnet tier.
- VPC Flow Logs captures information about IP traffic and stores it in Amazon CloudWatch Logs.
Requirements
- An AWS account that you are able to use for testing, that is not used for production or other purposes.
- An IAM user or role in your AWS account with access to CloudFormation, EC2, VPC, IAM.
- Basic understanding of AWS CloudFormation , visit the Getting Started section of the user guide.
NOTE: You will be billed for any applicable AWS resources used if you complete this lab that are not covered in the AWS Free Tier . It is recommended to delete the CloudFormation stack when you have completed the lab.