{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "VPC Failover template: 3-AZ, 6 subnets (Test/Prod variants), IGW, two NAT Gateways (one per env), S3 gateway endpoint (associated only with the NoInternet route table), SQS interface endpoint, route tables, an allow-all NACL that is declared but not associated with any subnet, SQS endpoint SG.",
  "Parameters": {
    "VPCCidr": {
      "Type": "String",
      "Default": "172.31.0.0/16",
      "Description": "CIDR block for the VPC",
      "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$",
      "ConstraintDescription": "Must be a valid IPv4 CIDR block with prefix length between /16 and /28"
    },
    "TestNoInternetSubnetCidr": {
      "Type": "String",
      "Default": "172.31.0.0/24",
      "Description": "CIDR block for Test-NoInternet subnet (must lie within the VPC CIDR; the AllowedPattern validates only the CIDR syntax, not containment)",
      "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
    },
    "ProdIGWSubnetCidr": {
      "Type": "String",
      "Default": "172.31.1.0/24",
      "Description": "CIDR block for Prod-IGW subnet (must lie within the VPC CIDR; the AllowedPattern validates only the CIDR syntax, not containment)",
      "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
    },
    "TestIGWSubnetCidr": {
      "Type": "String",
      "Default": "172.31.2.0/24",
      "Description": "CIDR block for Test-IGW subnet (must lie within the VPC CIDR; the AllowedPattern validates only the CIDR syntax, not containment)",
      "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
    },
    "ProdNoInternetSubnetCidr": {
      "Type": "String",
      "Default": "172.31.3.0/24",
      "Description": "CIDR block for Prod-NoInternet subnet (must lie within the VPC CIDR; the AllowedPattern validates only the CIDR syntax, not containment)",
      "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
    },
    "TestNATSubnetCidr": {
      "Type": "String",
      "Default": "172.31.4.0/24",
      "Description": "CIDR block for Test-NAT subnet (must lie within the VPC CIDR; the AllowedPattern validates only the CIDR syntax, not containment)",
      "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
    },
    "ProdNATSubnetCidr": {
      "Type": "String",
      "Default": "172.31.5.0/24",
      "Description": "CIDR block for Prod-NAT subnet (must lie within the VPC CIDR; the AllowedPattern validates only the CIDR syntax, not containment)",
      "AllowedPattern": "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$"
    }
  },
    "Resources": {
      "VPC": {
        "Type": "AWS::EC2::VPC",
        "Properties": {
          "CidrBlock": { "Ref": "VPCCidr" },
          "EnableDnsSupport": true,
          "EnableDnsHostnames": true,
          "Tags": [{ "Key": "Name", "Value": "Druva-FailoverVPC" }]
        }
      },
      "InternetGateway": {
        "Type": "AWS::EC2::InternetGateway",
        "Properties": { "Tags": [{ "Key": "Name", "Value": "FailoverVPC-IGW" }] }
      },
      "AttachIGW": {
        "Type": "AWS::EC2::VPCGatewayAttachment",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "InternetGatewayId": { "Ref": "InternetGateway" }
        }
      },
  
      "TestNoInternetSubnet": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "CidrBlock": { "Ref": "TestNoInternetSubnetCidr" },
          "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "" } ] },
          "Tags": [{ "Key": "Name", "Value": "Test-NoInternet" }]
        }
      },
      "ProdIGWSubnet": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "CidrBlock": { "Ref": "ProdIGWSubnetCidr" },
          "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "" } ] },
          "Tags": [{ "Key": "Name", "Value": "Prod-IGW" }]
        }
      },
      "TestIGWSubnet": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "CidrBlock": { "Ref": "TestIGWSubnetCidr" },
          "AvailabilityZone": { "Fn::Select": [ 1, { "Fn::GetAZs": "" } ] },
          "Tags": [{ "Key": "Name", "Value": "Test-IGW" }]
        }
      },
      "ProdNoInternetSubnet": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "CidrBlock": { "Ref": "ProdNoInternetSubnetCidr" },
          "AvailabilityZone": { "Fn::Select": [ 1, { "Fn::GetAZs": "" } ] },
          "Tags": [{ "Key": "Name", "Value": "Prod-NoInternet" }]
        }
      },
      "TestNATSubnet": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "CidrBlock": { "Ref": "TestNATSubnetCidr" },
          "AvailabilityZone": { "Fn::Select": [ 2, { "Fn::GetAZs": "" } ] },
          "Tags": [{ "Key": "Name", "Value": "Test-NAT" }]
        }
      },
      "ProdNATSubnet": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "CidrBlock": { "Ref": "ProdNATSubnetCidr" },
          "AvailabilityZone": { "Fn::Select": [ 2, { "Fn::GetAZs": "" } ] },
          "Tags": [{ "Key": "Name", "Value": "Prod-NAT" }]
        }
      },
  
      "PublicRouteTable": {
        "Type": "AWS::EC2::RouteTable",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "Tags": [{ "Key": "Name", "Value": "PublicRouteTable" }]
        }
      },
      "PublicDefaultRoute": {
        "Type": "AWS::EC2::Route",
        "DependsOn": "AttachIGW",
        "Properties": {
          "RouteTableId": { "Ref": "PublicRouteTable" },
          "DestinationCidrBlock": "0.0.0.0/0",
          "GatewayId": { "Ref": "InternetGateway" }
        }
      },
      "PublicRouteAssocProdIGW": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {
          "SubnetId": { "Ref": "ProdIGWSubnet" },
          "RouteTableId": { "Ref": "PublicRouteTable" }
        }
      },
      "PublicRouteAssocTestIGW": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {
          "SubnetId": { "Ref": "TestIGWSubnet" },
          "RouteTableId": { "Ref": "PublicRouteTable" }
        }
      },
  
      "NoInternetRouteTable": {
        "Type": "AWS::EC2::RouteTable",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "Tags": [{ "Key": "Name", "Value": "NoInternetRouteTable" }]
        }
      },
      "NoInternetAssocTestNoInternet": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {
          "SubnetId": { "Ref": "TestNoInternetSubnet" },
          "RouteTableId": { "Ref": "NoInternetRouteTable" }
        }
      },
      "NoInternetAssocProdNoInternet": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {
          "SubnetId": { "Ref": "ProdNoInternetSubnet" },
          "RouteTableId": { "Ref": "NoInternetRouteTable" }
        }
      },
  
      "EIPForNATProd": {
        "Type": "AWS::EC2::EIP",
        "Properties": { "Domain": "vpc" }
      },
      "ProdNATGateway": {
        "Type": "AWS::EC2::NatGateway",
        "DependsOn": "PublicRouteAssocProdIGW",
        "Properties": {
          "AllocationId": { "Fn::GetAtt": [ "EIPForNATProd", "AllocationId" ] },
          "SubnetId": { "Ref": "ProdIGWSubnet" },
          "Tags": [{ "Key": "Name", "Value": "Prod-NAT-GW" }]
        }
      },
  
      "EIPForNATTest": {
        "Type": "AWS::EC2::EIP",
        "Properties": { "Domain": "vpc" }
      },
      "TestNATGateway": {
        "Type": "AWS::EC2::NatGateway",
        "DependsOn": "PublicRouteAssocTestIGW",
        "Properties": {
          "AllocationId": { "Fn::GetAtt": [ "EIPForNATTest", "AllocationId" ] },
          "SubnetId": { "Ref": "TestIGWSubnet" },
          "Tags": [{ "Key": "Name", "Value": "Test-NAT-GW" }]
        }
      },
  
      "ProdNatRouteTable": {
        "Type": "AWS::EC2::RouteTable",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "Tags": [{ "Key": "Name", "Value": "ProdNatRouteTable" }]
        }
      },
      "ProdNatDefaultRoute": {
        "Type": "AWS::EC2::Route",
        "DependsOn": "ProdNATGateway",
        "Properties": {
          "RouteTableId": { "Ref": "ProdNatRouteTable" },
          "DestinationCidrBlock": "0.0.0.0/0",
          "NatGatewayId": { "Ref": "ProdNATGateway" }
        }
      },
      "NatAssocProdNAT": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {
          "SubnetId": { "Ref": "ProdNATSubnet" },
          "RouteTableId": { "Ref": "ProdNatRouteTable" }
        }
      },
  
      "TestNatRouteTable": {
        "Type": "AWS::EC2::RouteTable",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "Tags": [{ "Key": "Name", "Value": "TestNatRouteTable" }]
        }
      },
      "TestNatDefaultRoute": {
        "Type": "AWS::EC2::Route",
        "DependsOn": "TestNATGateway",
        "Properties": {
          "RouteTableId": { "Ref": "TestNatRouteTable" },
          "DestinationCidrBlock": "0.0.0.0/0",
          "NatGatewayId": { "Ref": "TestNATGateway" }
        }
      },
      "NatAssocTestNAT": {
        "Type": "AWS::EC2::SubnetRouteTableAssociation",
        "Properties": {
          "SubnetId": { "Ref": "TestNATSubnet" },
          "RouteTableId": { "Ref": "TestNatRouteTable" }
        }
      },
  
      "S3VpcEndpoint": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "ServiceName": { "Fn::Sub": "com.amazonaws.${AWS::Region}.s3" },
          "VpcId": { "Ref": "VPC" },
          "VpcEndpointType": "Gateway",
          "RouteTableIds": [
            { "Ref": "NoInternetRouteTable" }
          ],
          "Tags": [{ "Key": "Name", "Value": "S3-VPCEndpoint" }]
        }
      },
  
      "SQSSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
          "GroupDescription": "SG for SQS VPC Endpoint - allow inbound 443 from VPC CIDR",
          "VpcId": { "Ref": "VPC" },
          "SecurityGroupIngress": [
            {
              "IpProtocol": "tcp",
              "FromPort": 443,
              "ToPort": 443,
              "CidrIp": { "Ref": "VPCCidr" }
            }
          ],
          "SecurityGroupEgress": [
            {
              "IpProtocol": "-1",
              "FromPort": 0,
              "ToPort": 65535,
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "Tags": [{ "Key": "Name", "Value": "SQS-Endpoint-SG" }]
        }
      },
  
      "SQSVpcEndpoint": {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
          "ServiceName": { "Fn::Sub": "com.amazonaws.${AWS::Region}.sqs" },
          "VpcId": { "Ref": "VPC" },
          "VpcEndpointType": "Interface",
          "SubnetIds": [
            { "Ref": "TestNoInternetSubnet" },
            { "Ref": "ProdNoInternetSubnet" },
            { "Ref": "TestNATSubnet" }
          ],
          "SecurityGroupIds": [{ "Ref": "SQSSecurityGroup" }],
          "PrivateDnsEnabled": true,
          "Tags": [{ "Key": "Name", "Value": "SQS-InterfaceEndpoint" }]
        }
      },
  
      "NACL": {
        "Type": "AWS::EC2::NetworkAcl",
        "Properties": {
          "VpcId": { "Ref": "VPC" },
          "Tags": [{ "Key": "Name", "Value": "VPC-NACL" }]
        }
      },
  
      "NACLInboundAllowAll": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": { "Ref": "NACL" },
          "RuleNumber": 100,
          "Protocol": -1,
          "RuleAction": "allow",
          "Egress": false,
          "CidrBlock": "0.0.0.0/0",
          "PortRange": { "From": 0, "To": 65535 }
        }
      },
      "NACLOutboundAllowAll": {
        "Type": "AWS::EC2::NetworkAclEntry",
        "Properties": {
          "NetworkAclId": { "Ref": "NACL" },
          "RuleNumber": 100,
          "Protocol": -1,
          "RuleAction": "allow",
          "Egress": true,
          "CidrBlock": "0.0.0.0/0",
          "PortRange": { "From": 0, "To": 65535 }
        }
      }
    },
    "Outputs": {
      "VPCId": { "Description": "VPC Id", "Value": { "Ref": "VPC" } },
      "VPCCidr": { "Description": "VPC CIDR Block", "Value": { "Ref": "VPCCidr" } },
      "TestNoInternetSubnetId": { "Description": "Test No Internet Subnet", "Value": { "Ref": "TestNoInternetSubnet" } },
      "TestNoInternetSubnetCidr": { "Description": "Test No Internet Subnet CIDR", "Value": { "Fn::GetAtt": ["TestNoInternetSubnet", "CidrBlock"] } },
      "ProdIGWSubnetId": { "Description": "Prod Public Subnet (IGW & NAT host)", "Value": { "Ref": "ProdIGWSubnet" } },
      "ProdIGWSubnetCidr": { "Description": "Prod IGW Subnet CIDR", "Value": { "Fn::GetAtt": ["ProdIGWSubnet", "CidrBlock"] } },
      "TestIGWSubnetId": { "Description": "Test Public Subnet (IGW & NAT host)", "Value": { "Ref": "TestIGWSubnet" } },
      "TestIGWSubnetCidr": { "Description": "Test IGW Subnet CIDR", "Value": { "Fn::GetAtt": ["TestIGWSubnet", "CidrBlock"] } },
      "ProdNoInternetSubnetId": { "Description": "Prod No Internet Subnet", "Value": { "Ref": "ProdNoInternetSubnet" } },
      "ProdNoInternetSubnetCidr": { "Description": "Prod No Internet Subnet CIDR", "Value": { "Fn::GetAtt": ["ProdNoInternetSubnet", "CidrBlock"] } },
      "TestNATSubnetId": { "Description": "Test NAT Subnet", "Value": { "Ref": "TestNATSubnet" } },
      "TestNATSubnetCidr": { "Description": "Test NAT Subnet CIDR", "Value": { "Fn::GetAtt": ["TestNATSubnet", "CidrBlock"] } },
      "ProdNATSubnetId": { "Description": "Prod NAT Subnet", "Value": { "Ref": "ProdNATSubnet" } },
      "ProdNATSubnetCidr": { "Description": "Prod NAT Subnet CIDR", "Value": { "Fn::GetAtt": ["ProdNATSubnet", "CidrBlock"] } },
      "ProdNATGatewayId": { "Description": "Prod NAT Gateway Id", "Value": { "Ref": "ProdNATGateway" } },
      "TestNATGatewayId": { "Description": "Test NAT Gateway Id", "Value": { "Ref": "TestNATGateway" } },
      "S3EndpointId": { "Description": "S3 VPC Endpoint", "Value": { "Ref": "S3VpcEndpoint" } },
      "SQSEndpointId": { "Description": "SQS VPC Endpoint", "Value": { "Ref": "SQSVpcEndpoint" } }
    }
}
  