strapi-elb/tempnotes.md
2020-05-01 02:59:59 +01:00


Temp Notes

Decoupling

When creating an ELB instance with --single and --database, the following is created as part of the ELB deployment:

  • security group
  • EIP
  • RDS database

Is the security group created without a database? (probably yes...)

Creating Database + VPC + Subnets in Cloudformation

Template from AWS showing cross-stack referencing and creating and referencing a VPC: https://s3.amazonaws.com/cloudformation-examples/user-guide/cross-stack/SampleNetworkCrossStack.template.

Export these in the CF template with stackname (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html)

A security group is a resource that defines which IPs/ports are allowed inbound/outbound for an AWS resource. You can have one for an EC2 instance or an RDS instance, among others.

ELB will create a VPC for your EC2 instances.

You should use this VPC for your RDS instance.

Creating a VPC for ELB (with RDS) https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-rds.html

Single instance (no load balancer)

Example cloudformation template that ELB uses: https://raw.githubusercontent.com/awslabs/elastic-beanstalk-samples/master/cfn-templates/vpc-public.yaml.

Create a VPC - this is an object that spans all availability zones in a region. You assign a VPC a CIDR block: this is the range of IP addresses available inside the VPC.

You should create public subnets inside this VPC - these subnets should cover all availability zones in your region. The CIDR block you specified for the VPC defines all the IPs; you should create N subnets that divide these IP addresses equally across the zones in your region.

For example a VPC in eu-west-1 has a CIDR block of 172.31.0.0/16.

There are 3 availability zones in eu-west-1: eu-west-1a, eu-west-1b and eu-west-1c.

To find the availability zones of other regions, go to the EC2 Dashboard for the region you want to work in and scroll down to the Service health header. A list of all availability zones is shown there.

You should create subnets with the following:

| Availability Zone | Subnet CIDR   | Real IP Range                |
| ----------------- | ------------- | ---------------------------- |
| eu-west-1a        | 172.31.0.0/20 | 172.31.0.0 - 172.31.15.255   |
| eu-west-1b        | 172.31.16.0/20 | 172.31.16.0 - 172.31.31.255 |
| eu-west-1c        | 172.31.32.0/20 | 172.31.32.0 - 172.31.47.255 |

This covers all IP addresses across all availability zones in the VPC.

To make these subnets actually public, you should associate them with an internet gateway.

An internet gateway is an object that allows communication to the internet. In Cloudformation you should create an internet gateway and a VPC Gateway attachment. This attachment should reference the VPC you have created and reference the internet gateway object you create as well. Then, in your subnets (which are public) you can use MapPublicIpOnLaunch: true in the Properties block for each subnet.

You should then create a public route table and associate it with the VPC you have created.

You should then create a public route in this route table. Point it at the internet gateway (GatewayId; the route depends on the gateway attachment having completed) and specify which destination IPs go out to the internet. To allow all traffic to the internet, set a DestinationCidrBlock of 0.0.0.0/0.

AWS::EC2::VPC

  • EnableDnsHostnames + EnableDnsSupport - enabling both allows resources in the VPC to use DNS in AWS.

AWS::EC2::Subnet

Go to the EC2 dashboard to find all availability zones. Create a subnet for each zone.

  • AvailabilityZone
  • VpcId
  • CidrBlock
  • MapPublicIpOnLaunch

AWS::EC2::InternetGateway

AWS::EC2::VPCGatewayAttachment

  • VpcId
  • InternetGatewayId

AWS::EC2::RouteTable

  • VpcId

AWS::EC2::Route

  • RouteTableId
  • DestinationCidrBlock
  • GatewayId

AWS::EC2::SubnetRouteTableAssociation

  • SubnetId
  • RouteTableId
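The whole VPC procedure above (VPC with DNS, one public subnet per availability zone, internet gateway and attachment, public route table with a 0.0.0.0/0 route, and subnet associations) as one CloudFormation template. This is an added example, not the repo's 02-stack-vpc.yaml. It generalises the notes slightly: instead of hard-coding eu-west-1a/b/c it uses Fn::GetAZs for the deployment region and Fn::Cidr to carve the VPC range into /20s, which for the default 172.31.0.0/16 yields exactly the three subnets in the table above. The export names (StackName-VpcId, StackName-PublicSubnetIds) are my own choice.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Public VPC for an Elastic Beanstalk environment (added example, not the repo's 02-stack-vpc.yaml)

Parameters:
  VpcCidr:
    Type: String
    Default: 172.31.0.0/16
    Description: Address range of the whole VPC; the subnets below are carved out of it

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidr
      # Both flags together let resources in the VPC resolve AWS hostnames (RDS endpoints etc.)
      EnableDnsSupport: true
      EnableDnsHostnames: true

  # One public /20 per availability zone. !GetAZs lists the AZs of the deployment region and
  # !Cidr splits the VPC range into 3 blocks of 12 host bits (/20): 172.31.0.0/20,
  # 172.31.16.0/20 and 172.31.32.0/20 for the default VpcCidr.
  PublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [0, !GetAZs ""]
      CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 3, 12]]
      MapPublicIpOnLaunch: true   # instances get a public IP; security groups are then the only inbound filter
  PublicSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [1, !GetAZs ""]
      CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 3, 12]]
      MapPublicIpOnLaunch: true
  PublicSubnetC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [2, !GetAZs ""]
      CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 3, 12]]
      MapPublicIpOnLaunch: true

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  GatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  # The 0.0.0.0/0 route via the gateway is what makes a subnet "public". The route cannot be
  # created before the gateway is attached to the VPC, hence DependsOn.
  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: GatewayAttachment
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  # Only subnets associated with this route table get the default route.
  SubnetARouteAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetA
      RouteTableId: !Ref PublicRouteTable
  SubnetBRouteAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetB
      RouteTableId: !Ref PublicRouteTable
  SubnetCRouteAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnetC
      RouteTableId: !Ref PublicRouteTable

# Exports are named after the stack so another stack can import them with Fn::ImportValue
# (e.g. "strapi-vpc-VpcId" when deployed with --stack-name strapi-vpc).
Outputs:
  VpcId:
    Value: !Ref VPC
    Export:
      Name: !Sub "${AWS::StackName}-VpcId"
  PublicSubnetIds:
    Value: !Join [",", [!Ref PublicSubnetA, !Ref PublicSubnetB, !Ref PublicSubnetC]]
    Export:
      Name: !Sub "${AWS::StackName}-PublicSubnetIds"
```

Two things worth knowing when deploying this: the template assumes the region has at least three availability zones (true for eu-west-1; !Select [2, ...] fails otherwise), and the three /20s use only 172.31.0.0 - 172.31.47.255 of the /16, so the remaining thirteen /20s are free for private subnets later if you want the database or instances off the public route table.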

Running notes

If we specify the VPC + Subnets from Cloudformation in a config file, will it create the security groups automatically for the EC2 instances? - Yes

Database can use existing subnets. The database needs its own security group. EC2 security groups are created automatically and associated with the VPC. Use aws:ec2:vpc (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-ec2vpc)

Database

Needs:

  • AWS::RDS::DBSubnetGroup
  • AWS::EC2::SecurityGroupIngress
  • AWS::RDS::DBInstance

Default ports:

| Database Engine      | Default Port |
| -------------------- | ------------ |
| Aurora/MySQL/MariaDB | 3306         |
| PostgreSQL           | 5432         |
| Oracle               | 1521         |
| SQL Server           | 1433         |
| DynamoDB             | 8000         |
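The three database resources listed above, in a stack that imports the VPC and subnets from a VPC stack by name (the StackName=strapi-vpc parameter pattern used in the deploy commands below) and covers the security-group note in the running notes. This is an added example, not the repo's 03-stack-rdsinstance.yaml. Assumed: the VPC stack exports StackName-VpcId and StackName-PublicSubnetIds, PostgreSQL on its default port 5432, and that the Elastic Beanstalk instance security group id is passed in as a parameter. The ingress rule allows 5432 only from that security group, not from a CIDR, and the master password is generated into Secrets Manager rather than passed on the command line.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: PostgreSQL RDS instance in the VPC exported by a VPC stack (added example, not the repo's 03-stack-rdsinstance.yaml)

Parameters:
  StackName:
    Type: String
    Description: Name of the VPC stack; its <name>-VpcId and <name>-PublicSubnetIds exports are imported (assumed names)
  AppSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group of the Elastic Beanstalk EC2 instances, the only permitted database client

Resources:
  # RDS needs a subnet group spanning at least two AZs; the public subnets are reused here.
  DBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Subnets the RDS instance may be placed in
      SubnetIds: !Split
        - ","
        - Fn::ImportValue: !Sub "${StackName}-PublicSubnetIds"

  # Empty security group; the single ingress rule is a separate resource so it can
  # reference the application security group without a circular dependency.
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: RDS access for the Elastic Beanstalk instances
      VpcId:
        Fn::ImportValue: !Sub "${StackName}-VpcId"

  # Allow 5432 only from instances carrying AppSecurityGroupId (no CidrIp, so no IP-based access).
  DBIngressFromApp:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref DBSecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      SourceSecurityGroupId: !Ref AppSecurityGroupId

  # Generated credentials; the password never appears in parameters, CLI history or outputs.
  DBSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}/db-master"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "strapi"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  DBInstance:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot          # deleting the stack keeps a final snapshot
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: 20
      DBName: strapi
      StorageEncrypted: true
      PubliclyAccessible: false       # no public IP even though the subnets are public
      MasterUsername: !Sub "{{resolve:secretsmanager:${DBSecret}:SecretString:username}}"
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${DBSecret}:SecretString:password}}"
      DBSubnetGroupName: !Ref DBSubnetGroup
      VPCSecurityGroups:
        - !Ref DBSecurityGroup

Outputs:
  DBEndpoint:
    Value: !GetAtt DBInstance.Endpoint.Address
  DBPort:
    Value: !GetAtt DBInstance.Endpoint.Port
```

Deploy it as in the work commands below but with the extra override, e.g. --parameter-overrides StackName=strapi-vpc AppSecurityGroupId=sg-xxxx (take the id from describe-stack-resources on the Elastic Beanstalk environment stack). Because the instance sits in a public subnet, PubliclyAccessible: false plus the source-security-group rule are what keep it off the internet; moving it to private subnets would be the next hardening step.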

Work Commands

tags

--tags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation

deploy

aws --profile admin cloudformation deploy --template-file ./02-stack-vpc.yaml --stack-name strapi-vpc --tags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation

aws --profile admin cloudformation deploy --template-file ./02-stack-vpc.yaml --stack-name new-temp-vpc --tags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation

aws --profile admin cloudformation deploy --template-file ./03-stack-rdsinstance.yaml --stack-name strapi-rds --parameter-overrides StackName=strapi-vpc

delete

aws --profile admin cloudformation delete-stack --stack-name temp-vpc

aws --profile admin cloudformation delete-stack --stack-name new-temp-vpc

aws --profile admin cloudformation delete-stack --stack-name temp

List of all RDS Engines available under "Engine" header: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html.

describe-stack-resources

Prints a JSON list of all resources in the stack.

aws --profile admin cloudformation describe-stack-resources --stack-name strapi-vpc

Using jq for formatting:

aws --profile admin cloudformation describe-stack-resources --stack-name strapi-vpc | jq -r '.StackResources[] | .ResourceType + ": " + .PhysicalResourceId'

Good repo for examples: https://github.com/awsdocs/elastic-beanstalk-samples

Doc: Add the ELB subnets to the VPC config

Create another custom security group for the EC2 instances - it should be private; the autoscaling group should have the current public security group.

Load balancer should have the current subnets

Load balancer security group should have inbound + outbound to 80+443 on 0.0.0.0/0

The option_settings: aws:elbv2:loadbalancer has two options for security groups

  • ManagedSecurityGroup - defines the security group that is used for the load balancer itself.
  • SecurityGroups - a list of additional security groups you want to attach.

If you define a ManagedSecurityGroup you should set SecurityGroups as well to the same one.

Load balancer needs a security group that allows incoming 80 + 443 from anywhere. It should also set the same for outbound.

This security group should be set in aws:elbv2:loadbalancer under ManagedSecurityGroup and SecurityGroups

Additional security groups (in addition to the default one created by ELB) for the EC2 instances are defined in aws:autoscaling:launchconfiguration under SecurityGroups. A security group will be created for you. You can amend this (add 443 for HTTPS, for example) by using a .config file and creating an AWS::EC2::SecurityGroupIngress resource (see 06-https.config).
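An .ebextensions config that puts the load-balancer and security-group notes above together: VPC and subnets from the VPC stack, the load balancer's own security group in both ManagedSecurityGroup and SecurityGroups, an HTTPS listener, and a SecurityGroupIngress rule added to the instance security group that Elastic Beanstalk creates (its logical name in the environment stack is AWSEBSecurityGroup). This is an added example, not the repo's 06-https.config. The vpc-/subnet-/sg-/certificate ids are placeholders; the load balancer security group (inbound and outbound 80 + 443 on 0.0.0.0/0, as the notes describe) is assumed to already exist, e.g. created alongside the VPC stack. My one deliberate change from the notes is that the instance rule admits 443 only from that load balancer security group rather than from 0.0.0.0/0, so the instances' public IPs are not directly reachable.

```yaml
# .ebextensions/vpc-and-loadbalancer.config (added example, not the repo's 06-https.config).
# Long-form intrinsic functions are used because Elastic Beanstalk parses this file itself.
option_settings:
  aws:elasticbeanstalk:environment:
    EnvironmentType: LoadBalanced
    LoadBalancerType: application

  # Values exported by the VPC stack; all placeholders.
  aws:ec2:vpc:
    VPCId: vpc-PLACEHOLDER
    Subnets: subnet-PLACEHOLDER-A,subnet-PLACEHOLDER-B,subnet-PLACEHOLDER-C      # EC2 instances
    ELBSubnets: subnet-PLACEHOLDER-A,subnet-PLACEHOLDER-B,subnet-PLACEHOLDER-C   # load balancer
    ELBScheme: public

  # The same group in both keys, as the notes say: ManagedSecurityGroup replaces the one
  # Elastic Beanstalk would create, SecurityGroups is the list actually attached.
  aws:elbv2:loadbalancer:
    ManagedSecurityGroup: sg-PLACEHOLDER-LB
    SecurityGroups: sg-PLACEHOLDER-LB

  # HTTPS listener on the load balancer; the ACM certificate ARN is a placeholder.
  aws:elbv2:listener:443:
    ListenerEnabled: true
    Protocol: HTTPS
    SSLCertificateArns: arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER

Resources:
  # Extra rule on the instance security group Elastic Beanstalk creates (AWSEBSecurityGroup).
  # Source is the load balancer's group, not a CIDR, so only traffic via the load balancer
  # reaches 443 on the instances even though they have public IPs.
  InstanceIngressFromLoadBalancer:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: { "Fn::GetAtt": ["AWSEBSecurityGroup", "GroupId"] }
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourceSecurityGroupId: sg-PLACEHOLDER-LB
```

The rule only opens the port; whether the instance actually serves HTTPS on 443 depends on the platform's proxy configuration, which 06-https.config is about. Port 80 from the load balancer is already allowed by the rule Elastic Beanstalk adds to AWSEBSecurityGroup for load-balanced environments, so it is not repeated here.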