- [Decoupling](#Decoupling)
- [Creating Database + VPC + Subnets in Cloudformation](#CreatingDatabaseVPCSubnetsinCloudformation)
- [Single instance (no load balancer)](#Singleinstancenoloadbalancer)
  - [EC2::VPC](#EC2::VPC)
    - [Enable DNS](#EnableDNS)
  - [EC2::Subnet](#EC2::Subnet)
  - [EC2::InternetGateway](#EC2::InternetGateway)
  - [EC2::VPCGatewayAttachment](#EC2::VPCGatewayAttachment)
  - [AWS::EC2::RouteTable](#AWS::EC2::RouteTable)
  - [AWS::EC2::Route](#AWS::EC2::Route)
  - [AWS::EC2::SubnetRouteTableAssociation](#AWS::EC2::SubnetRouteTableAssociation)
- [Running notes](#Runningnotes)
- [Reference an input parameter, or a resource ID from inside current template](#ReferenceaninputparameteroraresourceIDfrominsidecurrenttemplate)
  - [Using `Fn::Sub`](#UsingFn::Sub)
- [Dynamically referencing resources from another stack.](#Dynamicallyreferencingresourcesfromanotherstack.)
# Temp Notes
## Decoupling
When creating an ELB instance with `--single` and `--database` the following is created as part of the ELB deployment:
- security group
- EIP
- RDS database
Is the security group created without a database? (probably yes...)
## Creating Database + VPC + Subnets in Cloudformation
Template from AWS showing cross-stack referencing and creating and referencing a VPC: .
Export these in the CF template with stackname ()
A security group is a resource that defines what IPs/Ports are allowed on inbound/outbound for an AWS resource. You can have one for EC2 instance, or RDS among others.
ELB will create a VPC for your EC2 instances.
You should use this VPC for your RDS instance.
Creating a VPC for ELB (with RDS)
## Single instance (no load balancer)
Example cloudformation template that ELB uses: .
Create a VPC - this is an object that spans all availability zones in a region. You assign the VPC a CIDR block: the range of private IP addresses that the VPC owns.
You should create public subnets inside this VPC, covering all availability zones in your region. The CIDR block you gave the VPC defines all the available IPs; split it into N equally sized subnets, one per availability zone in your region.
For example a VPC in `eu-west-1` has a CIDR block of `172.31.0.0/16`.
There are 3 availability zones in `eu-west-1`: `eu-west-1a`, `eu-west-1b` and `eu-west-1c`.
To find the availability zones of another region, go to the EC2 Dashboard for the region you want to work in and scroll down to the Service health header. A list of all availability zones is shown there.
You should create subnets with the following:
| Availability Zone | Subnet CIDR | Real IP Range |
| ----------------- | -------------- | --------------------------- |
| `eu-west-1a` | 172.31.0.0/20 | 172.31.0.0 - 172.31.15.255 |
| `eu-west-1b` | 172.31.16.0/20 | 172.31.16.0 - 172.31.31.255 |
| `eu-west-1c` | 172.31.32.0/20 | 172.31.32.0 - 172.31.47.255 |
This covers all IP addresses across all availability zones in the VPC.
To make these subnets actually public, you should associate them with an internet gateway.
An internet gateway is an object that allows communication to the internet. In Cloudformation you should create an internet gateway and a VPC Gateway attachment. This attachment should reference the VPC you have created and reference the internet gateway object you create as well. Then, in your subnets (which are public) you can use `MapPublicIpOnLaunch: true` in the `Properties` block for each subnet.
You should then create a public route table and associate it with the VPC you have created.
You should then create a public route in this route table that points at the internet gateway. The route must depend on the VPC gateway attachment (`DependsOn`), so that the gateway is attached before the route that uses it is created. Specify the destination range that is sent out to the internet: to allow all traffic to the internet set a `DestinationCidrBlock` of `0.0.0.0/0`.
### EC2::VPC
#### Enable DNS
Enable `EnableDnsHostnames` + `EnableDnsSupport` - this allows resources in the VPC to use DNS in AWS.
### EC2::Subnet
Go to the EC2 dashboard to find all availability zones. Create a subnet for each zone.
- `AvailabilityZone`
- `VpcId`
- `CidrBlock`
- `MapPublicIpOnLaunch`
### EC2::InternetGateway
### EC2::VPCGatewayAttachment
- `VpcId`
- `InternetGatewayId`
### AWS::EC2::RouteTable
- `VpcId`
### AWS::EC2::Route
- `RouteTableId`
- `DestinationCidrBlock`
- `GatewayId`
### AWS::EC2::SubnetRouteTableAssociation
- `SubnetId`
- `RouteTableId`
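The procedure and property lists above, written out as an added example template (this is not the page's own template or the AWS sample it links). Only the `eu-west-1a` subnet is shown; `eu-west-1b` (172.31.16.0/20) and `eu-west-1c` (172.31.32.0/20) repeat the same subnet and association pair. The export names are an assumption chosen so a second stack can import the VPC and subnets.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.31.0.0/16
      EnableDnsSupport: true        # lets resources in the VPC use AWS DNS
      EnableDnsHostnames: true
  # One public subnet per AZ; repeat for eu-west-1b (172.31.16.0/20) and eu-west-1c (172.31.32.0/20)
  PublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: eu-west-1a
      CidrBlock: 172.31.0.0/20
      MapPublicIpOnLaunch: true     # instances launched here get a public IP
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  GatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: GatewayAttachment    # the gateway must be attached before a route can use it
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetARouteAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetA
      RouteTableId: !Ref PublicRouteTable
Outputs:
  VpcId:
    Value: !Ref VPC
    Export:
      Name: !Sub '${AWS::StackName}-VpcId'       # assumed export name, imported by the RDS stack
  PublicSubnetIds:
    Value: !Ref PublicSubnetA   # use !Join [',', [...]] over all three subnets once the other AZs are added
    Export:
      Name: !Sub '${AWS::StackName}-PublicSubnetIds'
```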
## Running notes
If we specify the VPC + Subnets from Cloudformation in a config file, will it create the security groups automatically for the EC2 instances? - Yes
Database can use existing subnets.
The database needs a security group created for it.
EC2 security groups are created automatically and associated with the VPC.
Use the `aws:ec2:vpc` option namespace (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-ec2vpc) to point the environment at the VPC and subnets.
### Database
Needs:
- `AWS::RDS::DBSubnetGroup`
- `AWS::EC2::SecurityGroupIngress`
- `AWS::RDS::DBInstance`
Default ports:
| Database Engine | Default Port |
| -------------------- | ------------ |
| Aurora/MySQL/MariaDB | 3306 |
| PostgreSQL | 5432 |
| Oracle | 1521 |
| SQL Server | 1433 |
| DynamoDB | 8000 |
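The three resources listed under "Needs", as an added example RDS stack (not the page's `03-stack-rdsinstance.yaml`). It imports the VPC and subnet IDs exported by a VPC stack named by the `StackName` parameter (the export names and the `AppSecurityGroupId` parameter are assumptions), opens only the PostgreSQL port from the table above to the application instances' security group rather than to `0.0.0.0/0`, and reads the credentials from an assumed Secrets Manager secret named `strapi/db` instead of a plaintext parameter.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  StackName:
    Type: String                          # VPC stack whose exports are imported below
    Default: strapi-vpc
  AppSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id     # security group of the EC2 instances that may reach the DB
Resources:
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnets exported by the VPC stack
      SubnetIds: !Split
        - ','
        - Fn::ImportValue: !Sub '${StackName}-PublicSubnetIds'   # assumed export name
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Database access
      VpcId:
        Fn::ImportValue: !Sub '${StackName}-VpcId'               # assumed export name
  DBIngressFromApp:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBSecurityGroup
      IpProtocol: tcp
      FromPort: 5432                      # PostgreSQL default port from the table above
      ToPort: 5432
      SourceSecurityGroupId: !Ref AppSecurityGroupId   # only the app instances, never 0.0.0.0/0
  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot              # keep a snapshot if the stack is deleted
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroups: [!Ref DBSecurityGroup]
      PubliclyAccessible: false           # the subnets are public, so keep the DB off the internet
      StorageEncrypted: true
      # credentials resolved from Secrets Manager at deploy time; secret name is an assumption
      MasterUsername: '{{resolve:secretsmanager:strapi/db:SecretString:username}}'
      MasterUserPassword: '{{resolve:secretsmanager:strapi/db:SecretString:password}}'
Outputs:
  DBEndpoint:
    Value: !GetAtt Database.Endpoint.Address
```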
## Work Commands
### tags
`--tags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation`
### deploy
`aws --profile admin cloudformation deploy --template-file ./02-stack-vpc.yaml --stack-name strapi-vpc --tags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation`
`aws --profile admin cloudformation deploy --template-file ./02-stack-vpc.yaml --stack-name new-temp-vpc --tags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation`
`aws --profile admin cloudformation deploy --template-file ./03-stack-rdsinstance.yaml --stack-name strapi-rds --parameter-overrides StackName=strapi-vpc`
### delete
`aws --profile admin cloudformation delete-stack --stack-name temp-vpc`
`aws --profile admin cloudformation delete-stack --stack-name new-temp-vpc`
`aws --profile admin cloudformation delete-stack --stack-name temp`
List of all RDS Engines available under "Engine" header: .
### describe-stack-resources
Prints a JSON list of all resources in the stack.
`aws --profile admin cloudformation describe-stack-resources --stack-name strapi-vpc`