├── .gitignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── aws-cli ├── README.md ├── gwlb │ ├── configure_iptables_al2.md │ ├── create_gwlb_sample.md │ ├── create_listener_sample.md │ ├── create_tg_sample.md │ ├── delete_gwlb_sample.md │ ├── delete_tg_sample.md │ ├── disable_crosszone_lb_gwlb_sample.md │ ├── enable_crosszone_lb_gwlb_sample.md │ └── register_targets_sample.md └── vpce │ ├── create_gwlb_endpoint_sample.md │ ├── create_vpc_endpoint_service_configuration_sample.md │ ├── delete_gwlb_endpoint_sample.md │ ├── delete_vpc_endpoint_service_sample.md │ ├── modify_vpc_endpoint_service_configuration_sample.md │ └── modify_vpc_endpoint_service_permissions_sample.md ├── aws-cloudformation ├── README.md ├── centralized_architecture │ ├── CentralizedArchitectureApplianceVpc2Az.yaml │ ├── CentralizedArchitectureSpokeVpc2Az.yaml │ ├── CentralizedArchitectureTgw.yaml │ ├── CentralizedArchitectureValidation.md │ ├── README.md │ ├── centralized_architecture_patterns │ │ ├── README.md │ │ └── onpremises_vpc │ │ │ ├── CentralizedArchitectureInspectionVpc2Az.yaml │ │ │ ├── CentralizedArchitectureSpokeVpc2Az.yaml │ │ │ ├── CentralizedArchitectureTgw.yaml │ │ │ └── README.md │ ├── images │ │ ├── access_appliances.jpg │ │ ├── access_application.jpg │ │ ├── appliance_vpc_stack_outputs.jpg │ │ ├── appliance_vpc_stack_outputs_tgw.jpg │ │ ├── appliance_vpc_stack_outputs_unedited.jpg │ │ ├── enable_appliancemode.jpg │ │ ├── gwlb_centralized_architecture.jpg │ │ ├── gwlb_centralized_architecture_onpremises_vpc.jpg │ │ ├── http_access.jpg │ │ ├── ping_access.jpg │ │ ├── spoke1_vpc_stack_outputs.jpg │ │ ├── spoke1_vpc_stack_outputs_tgw.jpg │ │ ├── spoke1_vpc_stack_outputs_unedited.jpg │ │ ├── spoke2_vpc_stack_outputs.jpg │ │ ├── spoke2_vpc_stack_outputs_tgw.jpg │ │ ├── spoke2_vpc_stack_outputs_unedited.jpg │ │ ├── ssh_access_spoke2_application1_appliancemode_disable.jpg │ │ ├── ssh_access_spoke2_application1_appliancemode_enable.jpg │ │ ├── 
ssh_access_spoke2_application2_appliancemode_disable.jpg │ │ ├── ssh_access_spoke2_application2_appliancemode_enable.jpg │ │ ├── tgw_stack_output_unedited.jpg │ │ └── tgw_stack_outputs.jpg │ └── nested-stack │ │ ├── ApplianceVpc2Az.yaml │ │ ├── CentralizedArchitecturePrimary.yaml │ │ ├── SpokeVpc2Az.yaml │ │ └── Tgw.yaml ├── distributed_architecture │ ├── DistributedArchitectureApplianceVpc2Az.yaml │ ├── DistributedArchitectureSpokeVpc2Az.yaml │ ├── README.md │ └── images │ │ └── gwlb_distributed_architecture.jpg ├── gwlb │ └── GwlbWithTargetGroupAndListenerSample.yaml ├── vpc_routing_enhancement_architectures │ ├── EgressVpcNatGw.md │ ├── IngressVpcAlb.md │ ├── IngressVpcNlb.md │ ├── README.md │ ├── images │ │ ├── connect_appliance_1_a.jpg │ │ ├── connect_appliance_1_b.jpg │ │ ├── connect_appliance_1_c.jpg │ │ ├── connect_appliance_2_a.jpg │ │ ├── connect_appliance_2_b.jpg │ │ ├── connect_appliance_2_c.jpg │ │ ├── egress │ │ │ ├── egress_acccess_internet_resource.jpg │ │ │ ├── egress_appliance_1_tcpdump.jpg │ │ │ ├── egress_connect_server_1_a.jpg │ │ │ ├── egress_connect_server_1_b.jpg │ │ │ ├── egress_connect_server_1_c.jpg │ │ │ ├── egress_inspection_natgw_vpc_re_gwlbe.jpg │ │ │ ├── egress_server_1_ip.jpg │ │ │ └── egress_verify_appliance_1.jpg │ │ ├── ingress-nlb │ │ │ ├── connect_appliance_1_a.png │ │ │ ├── connect_appliance_1_b.png │ │ │ ├── connect_appliance_1_c.png │ │ │ ├── ingress_access_nlb_fqdn_server1.png │ │ │ ├── ingress_connect_server_1_a.png │ │ │ ├── ingress_connect_server_1_b.png │ │ │ ├── ingress_connect_server_1_c.png │ │ │ ├── ingress_connect_server_2_a.png │ │ │ ├── ingress_connect_server_2_b.png │ │ │ ├── ingress_connect_server_2_c.png │ │ │ ├── ingress_inspection_nlb_vpc_re_gwlbe.png │ │ │ ├── ingress_server_1_ip.png │ │ │ ├── ingress_server_2_ip.png │ │ │ ├── ingress_tcpdump_appliance_1.png │ │ │ ├── ingress_tcpdump_appliance_1_verify_1.png │ │ │ ├── nlb-target-group-preserve-client-ip-off.png │ │ │ └── 
nlb-target-group-target-instance-id.png │ │ ├── ingress │ │ │ ├── ingress_access_alb_fqdn_server1.jpg │ │ │ ├── ingress_access_alb_fqdn_server2.jpg │ │ │ ├── ingress_alb_fqdn_1.jpg │ │ │ ├── ingress_connect_server_1_a.jpg │ │ │ ├── ingress_connect_server_1_b.jpg │ │ │ ├── ingress_connect_server_1_c.jpg │ │ │ ├── ingress_connect_server_2_a.jpg │ │ │ ├── ingress_connect_server_2_b.jpg │ │ │ ├── ingress_connect_server_2_c.jpg │ │ │ ├── ingress_inspection_elb_vpc_re_gwlbe.jpg │ │ │ ├── ingress_inspection_elb_vpc_re_gwlbe_delete.jpg │ │ │ ├── ingress_server_1_ip.jpg │ │ │ ├── ingress_server_2_ip.jpg │ │ │ ├── ingress_tcpdump_appliance_1.jpg │ │ │ ├── ingress_tcpdump_appliance_1_verify_1.jpg │ │ │ └── ingress_tcpdump_appliance_1_verify_2.jpg │ │ ├── inspection_vpc.jpg │ │ └── inter_subnet.jpg │ └── templates │ │ ├── EgressVpcNatGw.yaml │ │ ├── IngressVpcAlb.yaml │ │ ├── IngressVpcNlb.yaml │ │ └── InspectionVpc.yaml └── vpce │ ├── GwlbVpcEndpointSample.yaml │ └── GwlbVpcEndpointServiceSample.yaml ├── go ├── README.md ├── gwlb │ ├── createGwlbSample.md │ ├── createGwlbTgListnerSample.md │ ├── createListenerSample.md │ ├── createTgSample.md │ ├── deleteGwlbSample.md │ ├── deleteGwlbTgSample.md │ ├── deleteTgSample.md │ └── registerTargetsSample.md └── vpce │ ├── createGwlbVpceSample.md │ ├── createVpceServiceConfigurationSample.md │ ├── deleteGwlbVpceSample.md │ ├── deleteVpceServiceSample.md │ ├── modifyVpceServiceConfigurationSample.md │ └── modifyVpceServicePermissionsSample.md └── python ├── README.md ├── gwlb ├── create_gwlb_sample.py ├── create_gwlb_tg_listener_sample.py ├── create_listener_sample.py ├── create_tg_sample.py ├── delete_gwlb_sample.py ├── delete_gwlb_tg_sample.py ├── delete_tg_sample.py └── register_targets_sample.py └── vpce ├── create_gwlb_endpoint_sample.py ├── create_vpce_service_configuration_sample.py ├── delete_gwlb_endpoint_sample.py ├── delete_vpce_service_sample.py ├── modify_vpce_service_configuration_sample.py └── 
modify_vpce_service_permissions_sample.py /.gitignore: -------------------------------------------------------------------------------- 1 | .ropeproject 2 | .DS_Store 3 | *.pyc 4 | __pycache__ 5 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. 
Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
15 | 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## AWS Code Sample for AWS Gateway Load Balancer 2 | 3 | ### Welcome 4 | 5 | This is a repository for code examples to help accelerate your development of 6 | AWS Gateway Load Balancer (GWLB). The repository is organized by programming language or technology: 7 | 8 | * [AWS CloudFormation](aws-cloudformation/) 9 | * [AWS SDK for Python (Boto3)](python/) 10 | * [AWS SDK for Go](go/) 11 | * [AWS CLI](aws-cli/) 12 | 13 | To learn more about Gateway Load Balancer, check out the [Gateway Load Balancer](https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer/) page and the [documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/introduction.html). 14 | 15 | ### Note: 16 | 17 | * **While the code samples in this repository have been tested and we believe they work well, as always, be sure to test them in your environment before using them in production!** 18 | 19 | ## Security 20 | 21 | See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information. 22 | 23 | ## License 24 | 25 | This library is licensed under the MIT-0 License. See the LICENSE file. 
26 | -------------------------------------------------------------------------------- /aws-cli/README.md: -------------------------------------------------------------------------------- 1 | ### AWS CLI sample for AWS Gateway Load Balancer: 2 | 3 | Refer to [AWS CLI](https://aws.amazon.com/cli/) for details. 4 | 5 | ## Welcome 6 | 7 | ### Uses AWS CLI version 1 8 | 9 | ### **Gateway Load Balancer:** 10 | * [Create GWLB Sample](gwlb/create_gwlb_sample.md) 11 | * [Create Target Group Sample](gwlb/create_tg_sample.md) 12 | * [Create Listener Sample](gwlb/create_listener_sample.md) 13 | * [Register Targets Sample](gwlb/register_targets_sample.md) 14 | * [Enable Cross-Zone Load Balancing Sample](gwlb/enable_crosszone_lb_gwlb_sample.md) 15 | * [Disable Cross-Zone Load Balancing Sample](gwlb/disable_crosszone_lb_gwlb_sample.md) 16 | * [Delete GWLB Sample](gwlb/delete_gwlb_sample.md) 17 | * [Delete Target Group Sample](gwlb/delete_tg_sample.md) 18 | * [Amazon Linux 2 iptables Sample](gwlb/configure_iptables_al2.md) 19 | 20 | ### **VPC Endpoint Service:** 21 | 22 | * [Create VPC Endpoint Service Configuration Sample](vpce/create_vpc_endpoint_service_configuration_sample.md) 23 | * [Modify VPC Endpoint Service Configuration Sample](vpce/modify_vpc_endpoint_service_configuration_sample.md) 24 | * [Modify VPC Endpoint Service Permissions Sample](vpce/modify_vpc_endpoint_service_permissions_sample.md) 25 | * [Delete VPC Endpoint Service Sample](vpce/delete_vpc_endpoint_service_sample.md) 26 | 27 | ### **VPC Endpoint:** 28 | 29 | * [Create GWLB Endpoint Sample](vpce/create_gwlb_endpoint_sample.md) 30 | * [Delete GWLB Endpoint Sample](vpce/delete_gwlb_endpoint_sample.md) 31 | -------------------------------------------------------------------------------- /aws-cli/gwlb/configure_iptables_al2.md: -------------------------------------------------------------------------------- 1 | * The following example shows how to configure iptables on an Amazon Linux 2 instance acting as a target 
behind an AWS Gateway Load Balancer (GWLB). 2 | 3 | * The iptables configuration creates a hairpin setup. The hairpin setup allows traffic coming from GWLB to the Amazon Linux 2 appliance to be sent back to GWLB. 4 | 5 | * The iptables configuration is for **sample purpose only. It allows all traffic (the default policy of every built-in chain is set to ACCEPT)! Use it for GWLB POC only** 6 | 7 | ```bash 8 | # instance IP: 9 | # Replace with appropriate instance IP 10 | export instance_ip= 11 | 12 | # Retrieve GWLB IP: 13 | # Replace with appropriate GWLB IP. It should be from the same AZ as the instance. Note: the loop below reassigns gwlb_ip for every GWLB network interface it finds in the VPC, and that lookup also needs instance_vpcid and instance_region to be set. 14 | export gwlb_ip= 15 | 16 | # Enable IP Forwarding and persist across reboot 17 | # Enabling it with sysctl -w net.ipv4.ip_forward=1 alone won't persist across reboot. Note: the >> redirection is performed by the calling shell, not by sudo, so the write is denied unless you are already root (use sudo tee -a instead). 18 | sudo echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/00-defaults.conf 19 | sudo sysctl -p /etc/sysctl.d/00-defaults.conf 20 | 21 | # Install iptables-services: 22 | sudo yum install iptables-services -y; 23 | 24 | # Start and configure iptables: 25 | sudo systemctl enable iptables; 26 | sudo systemctl start iptables; 27 | 28 | # Configuration below allows all traffic: 29 | # Set the default policies for each of the built-in chains to ACCEPT: 30 | sudo iptables -P INPUT ACCEPT; 31 | sudo iptables -P FORWARD ACCEPT; 32 | sudo iptables -P OUTPUT ACCEPT; 33 | 34 | # Flush the nat and mangle tables, flush all chains (-F), and delete all non-default chains (-X): 35 | sudo iptables -t nat -F; 36 | sudo iptables -t mangle -F; 37 | sudo iptables -F; 38 | sudo iptables -X; 39 | 40 | # Configure nat table to hairpin GENEVE (UDP 6081) traffic back to GWLB: 41 | for gwlb_ip in $(aws ec2 describe-network-interfaces --filters Name=vpc-id,Values=$instance_vpcid --region $instance_region | jq ' .NetworkInterfaces[] | select(.InterfaceType=="gateway_load_balancer") |.PrivateIpAddress' -r) 42 | do 43 | sudo iptables -t nat -A PREROUTING -p udp -s $gwlb_ip -d $instance_ip -i eth0 -j DNAT --to-destination $gwlb_ip:6081 44 | sudo iptables -t nat -A POSTROUTING -p udp --dport 6081 -s $gwlb_ip -d 
$gwlb_ip -o eth0 -j MASQUERADE 45 | done 46 | 47 | # Save iptables: 48 | sudo service iptables save; 49 | ``` 50 | -------------------------------------------------------------------------------- /aws-cli/gwlb/create_gwlb_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to create an AWS Gateway Load Balancer using the 2 | [elbv2 create-load-balancer](https://docs.aws.amazon.com/cli/latest/reference/elbv2/create-load-balancer.html) command using AWS CLI version 1. Replace the parameter values inside '< >' with appropriate values. 3 | 4 | * Command: 5 | 6 | ```bash 7 | aws elbv2 create-load-balancer \ 8 | --type gateway \ 9 | --subnets \ 10 | --name 11 | ``` 12 | 13 | * Output: 14 | 15 | ```bash 16 | { 17 | "LoadBalancers": [ 18 | { 19 | "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:loadbalancer/gwy/cli-gwlb1/dabd816b54d028e1", 20 | "CreatedTime": "2020-11-11T01:16:45.568Z", 21 | "LoadBalancerName": "cli-gwlb1", 22 | "VpcId": "vpc-xxxx", 23 | "State": { 24 | "Code": "provisioning" 25 | }, 26 | "Type": "gateway", 27 | "AvailabilityZones": [ 28 | { 29 | "ZoneName": "us-west-2b", 30 | "SubnetId": "subnet-1xxx" 31 | }, 32 | { 33 | "ZoneName": "us-west-2a", 34 | "SubnetId": "subnet-2yyy" 35 | } 36 | ] 37 | } 38 | ] 39 | } 40 | ``` -------------------------------------------------------------------------------- /aws-cli/gwlb/create_listener_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to create a listener for Gateway Load Balancer using the [elbv2 create-listener](https://docs.aws.amazon.com/cli/latest/reference/elbv2/create-listener.html) command using AWS CLI version 1. 
Replace the parameter values inside '< >' with appropriate values 2 | 3 | * Command: 4 | 5 | ```bash 6 | aws elbv2 create-listener \ 7 | --load-balancer-arn \ 8 | --default-actions Type=forward,TargetGroupArn= 9 | ``` 10 | 11 | * Output: 12 | 13 | ```bash 14 | { 15 | "Listeners": [ 16 | { 17 | "ListenerArn": "arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:listener/gwy/cli-gwlb1/dabd816b54d028e1/b1041679d4e16af2", 18 | "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:loadbalancer/gwy/cli-gwlb1/dabd816b54d028e1", 19 | "DefaultActions": [ 20 | { 21 | "Type": "forward", 22 | "TargetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:targetgroup/cli-gwlb1-tg1/00acf64b4f3c5bdee6", 23 | "ForwardConfig": { 24 | "TargetGroups": [ 25 | { 26 | "TargetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:targetgroup/cli-gwlb1-tg1/00acf64b4f3c5bdee6" 27 | } 28 | ] 29 | } 30 | } 31 | ] 32 | } 33 | ] 34 | } 35 | ``` -------------------------------------------------------------------------------- /aws-cli/gwlb/create_tg_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to create target group for Gateway Load Balancer (GWLB) using [elbv2 create-target-group](https://docs.aws.amazon.com/cli/latest/reference/elbv2/create-target-group.html) command using AWS CLI version 1. Replace the parameter values inside '< >' with appropriate values. 
2 | 3 | * Command: 4 | 5 | ```bash 6 | aws elbv2 create-target-group \ 7 | --protocol GENEVE \ 8 | --port 6081 \ 9 | --name \ 10 | --vpc-id \ 11 | --target-type instance 12 | ``` 13 | 14 | * Output: 15 | 16 | ```bash 17 | { 18 | "TargetGroups": [ 19 | { 20 | "TargetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:targetgroup/cli-gwlb1-tg1/00acf64b4f3c5bdee6", 21 | "TargetGroupName": "cli-gwlb1-tg1", 22 | "Protocol": "GENEVE", 23 | "Port": 6081, 24 | "VpcId": "vpc-xxxx", 25 | "HealthCheckProtocol": "TCP", 26 | "HealthCheckPort": "80", 27 | "HealthCheckEnabled": true, 28 | "HealthCheckIntervalSeconds": 10, 29 | "HealthCheckTimeoutSeconds": 5, 30 | "HealthyThresholdCount": 3, 31 | "UnhealthyThresholdCount": 3, 32 | "TargetType": "instance" 33 | } 34 | ] 35 | } 36 | ``` 37 | 38 | * As shown above, by default the target group gets created with a health check configured for protocol: TCP, port: 80. If you don't have anything configured on the appliances to listen on TCP:80, your health checks will fail and the instances will be marked unhealthy. For more details, refer to [Target Groups for your Gateway Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/target-groups.html) 39 | 40 | * In the example below, for the health check, we override the defaults and use HTTP on port 80. Appliances should be listening and responding to HTTP, or else the health check will fail. Replace the parameter values inside '< >' with appropriate values. 
41 | 42 | * Command: 43 | 44 | ```bash 45 | aws elbv2 create-target-group \ 46 | --protocol GENEVE \ 47 | --port 6081 \ 48 | --health-check-protocol HTTP \ 49 | --health-check-port 80 \ 50 | --name \ 51 | --vpc-id \ 52 | --target-type instance 53 | ``` 54 | 55 | * Output: 56 | 57 | ```bash 58 | { 59 | "TargetGroups": [ 60 | { 61 | "TargetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:targetgroup/test-tg1/0074d92ab52ead8356", 62 | "TargetGroupName": "test-tg1", 63 | "Protocol": "GENEVE", 64 | "Port": 6081, 65 | "VpcId": "vpc-0f3a17d40aeade194", 66 | "HealthCheckProtocol": "HTTP", 67 | "HealthCheckPort": "80", 68 | "HealthCheckEnabled": true, 69 | "HealthCheckIntervalSeconds": 10, 70 | "HealthCheckTimeoutSeconds": 5, 71 | "HealthyThresholdCount": 3, 72 | "UnhealthyThresholdCount": 3, 73 | "HealthCheckPath": "/", 74 | "Matcher": { 75 | "HttpCode": "200-399" 76 | }, 77 | "TargetType": "instance" 78 | } 79 | ] 80 | } 81 | ``` -------------------------------------------------------------------------------- /aws-cli/gwlb/delete_gwlb_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to delete Gateway Load Balancer using [elbv2 delete-load-balancer](https://docs.aws.amazon.com/cli/latest/reference/elbv2/delete-load-balancer.html) command. Replace the parameter values inside '< >' with appropriate values. 2 | 3 | * Command: 4 | 5 | ```bash 6 | aws elbv2 delete-load-balancer \ 7 | --load-balancer-arn 8 | ``` 9 | 10 | * Output: 11 | ```bash 12 | ``` -------------------------------------------------------------------------------- /aws-cli/gwlb/delete_tg_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to delete target group for Gateway Load Balancer using [elbv2 delete-target-group](https://docs.aws.amazon.com/cli/latest/reference/elbv2/delete-target-group.html) command. 
Replace the parameter values inside '< >' with appropriate values. 2 | 3 | * Command: 4 | 5 | ```bash 6 | aws elbv2 delete-target-group \ 7 | --target-group-arn 8 | ``` 9 | 10 | * Output: 11 | 12 | ```bash 13 | ``` -------------------------------------------------------------------------------- /aws-cli/gwlb/disable_crosszone_lb_gwlb_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to disable cross-zone load balancing on Gateway Load Balancer using the [elbv2 modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command using AWS CLI version 1. Replace the parameter values inside '< >' with appropriate values. 2 | 3 | * Command: 4 | 5 | ```bash 6 | aws --profile elbv2 modify-load-balancer-attributes \ 7 | --load-balancer-arn \ 8 | --attributes Key=load_balancing.cross_zone.enabled,Value=false 9 | ``` 10 | 11 | * Output: 12 | 13 | ```bash 14 | { 15 | "Attributes": [ 16 | { 17 | "Key": "deletion_protection.enabled", 18 | "Value": "false" 19 | }, 20 | { 21 | "Key": "load_balancing.cross_zone.enabled", 22 | "Value": "false" 23 | } 24 | ] 25 | } 26 | ``` -------------------------------------------------------------------------------- /aws-cli/gwlb/enable_crosszone_lb_gwlb_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to enable cross-zone load balancing on Gateway Load Balancer using the [elbv2 modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command using AWS CLI version 1. Replace the parameter values inside '< >' with appropriate values. 
2 | 3 | * Command: 4 | 5 | ```bash 6 | aws elbv2 modify-load-balancer-attributes \ 7 | --load-balancer-arn \ 8 | --attributes Key=load_balancing.cross_zone.enabled,Value=true 9 | ``` 10 | 11 | * Output: 12 | 13 | ```bash 14 | { 15 | "Attributes": [ 16 | { 17 | "Key": "deletion_protection.enabled", 18 | "Value": "false" 19 | }, 20 | { 21 | "Key": "load_balancing.cross_zone.enabled", 22 | "Value": "true" 23 | } 24 | ] 25 | } 26 | ``` -------------------------------------------------------------------------------- /aws-cli/gwlb/register_targets_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to register targets with target group using [elbv2 register-targets](https://docs.aws.amazon.com/cli/latest/reference/elbv2/register-targets.html) command. Replace the parameter values inside '< >' with your own. 2 | 3 | 4 | * Command: 5 | 6 | ``` 7 | aws elbv2 register-targets \ 8 | --target-group-arn \ 9 | --targets Id= Id= 10 | ``` 11 | 12 | * Output: 13 | 14 | ```bash 15 | empty 16 | ``` 17 | -------------------------------------------------------------------------------- /aws-cli/vpce/create_gwlb_endpoint_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to create Gateway Load Balancer Endpoint using VPC Endpoint Service Name using [ec2 create-vpc-endpoint](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint.html) command. Replace the parameter values inside '< >' with appropriate values. Only one subnet per GWLBe is supported. 
2 | 3 | * Command 4 | 5 | ```bash 6 | aws ec2 create-vpc-endpoint \ 7 | --vpc-endpoint-type GatewayLoadBalancer \ 8 | --vpc-id \ 9 | --subnet-ids \ 10 | --service-name 11 | ``` 12 | 13 | * Output: 14 | 15 | ```bash 16 | { 17 | "VpcEndpoint": { 18 | "VpcEndpointId": "vpce-1xxx", 19 | "VpcEndpointType": "GatewayLoadBalancer", 20 | "VpcId": "vpc-xxxx", 21 | "ServiceName": "com.amazonaws.vpce.us-west-2.vpce-svc-xxxx", 22 | "State": "pending", 23 | "SubnetIds": [ 24 | "subnet-xxxx" 25 | ], 26 | "RequesterManaged": false, 27 | "NetworkInterfaceIds": [ 28 | "eni-xxxx" 29 | ], 30 | "CreationTimestamp": "2020-11-11T02:49:15.638Z", 31 | "OwnerId": "xxxxxxxxxxxx" 32 | } 33 | } 34 | ``` -------------------------------------------------------------------------------- /aws-cli/vpce/create_vpc_endpoint_service_configuration_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to create VPC Endpoint Service using Gateway Load Balancer ARN using [ec2 create-vpc-endpoint-service-configuration](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint-service-configuration.html) command using AWS CLI version 1. Replace the parameter values inside '< >' with appropriate values. 
2 | 3 | * Command: 4 | 5 | ```bash 6 | aws ec2 create-vpc-endpoint-service-configuration \ 7 | --gateway-load-balancer-arns \ 8 | --no-acceptance-required 9 | ``` 10 | 11 | * Output: 12 | 13 | ```bash 14 | { 15 | "ServiceConfiguration": { 16 | "ServiceType": [ 17 | { 18 | "ServiceType": "GatewayLoadBalancer" 19 | } 20 | ], 21 | "ServiceId": "vpce-svc-xxxx", 22 | "ServiceName": "com.amazonaws.vpce.us-west-2.vpce-svc-xxxx", 23 | "ServiceState": "Available", 24 | "AvailabilityZones": [ 25 | "us-west-2a", 26 | "us-west-2b" 27 | ], 28 | "AcceptanceRequired": false, 29 | "ManagesVpcEndpoints": false, 30 | "GatewayLoadBalancerArns": [ 31 | "arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:loadbalancer/gwy/cli-gwlb1/dabd816b54d028e1" 32 | ] 33 | } 34 | } 35 | ``` 36 | 37 | -------------------------------------------------------------------------------- /aws-cli/vpce/delete_gwlb_endpoint_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to delete Gateway Load Balancer Endpoint using [ec2 delete-vpc-endpoints](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc-endpoints.html) command using AWS CLI version 1. Replace the parameter values inside '< >' with appropriate values. 2 | 3 | * Command: 4 | 5 | ```bash 6 | aws ec2 delete-vpc-endpoints \ 7 | --vpc-endpoint-ids 8 | ``` 9 | 10 | * Output: 11 | 12 | ```bash 13 | { 14 | "Unsuccessful": [] 15 | } 16 | ``` -------------------------------------------------------------------------------- /aws-cli/vpce/delete_vpc_endpoint_service_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to delete VPC Endpoint Service [ec2 delete-vpc-endpoint-service-configurations](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc-endpoint-service-configurations.html) command. Replace the parameter values inside '< >' with appropriate values. 
2 | 3 | * Command 4 | 5 | ```bash 6 | aws ec2 delete-vpc-endpoint-service-configurations \ 7 | --service-ids 8 | ``` 9 | 10 | * Output: 11 | 12 | ```bash 13 | { 14 | "Unsuccessful": [] 15 | } 16 | ``` 17 | -------------------------------------------------------------------------------- /aws-cli/vpce/modify_vpc_endpoint_service_configuration_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to modify VPC Endpoint Service configuration using [ec2 modify-vpc-endpoint-service-configuration](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpc-endpoint-service-configuration.html) command using AWS CLI version 1. Replace the parameter values inside '< >' with appropriate values. 2 | 3 | * Command 4 | 5 | ```bash 6 | aws ec2 modify-vpc-endpoint-service-configuration \ 7 | --service-id \ 8 | --acceptance-required 9 | ``` 10 | 11 | * Output: 12 | 13 | ```bash 14 | { 15 | "Return": true 16 | } 17 | ``` -------------------------------------------------------------------------------- /aws-cli/vpce/modify_vpc_endpoint_service_permissions_sample.md: -------------------------------------------------------------------------------- 1 | Following example shows how to modify VPC Endpoint Service permissions using [ec2 modify-vpc-endpoint-service-permissions](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpc-endpoint-service-permissions.html) command using AWS CLI version 1. Replace the parameter values inside '< >' with appropriate values. 
2 | 3 | * Command: 4 | 5 | ```bash 6 | aws ec2 modify-vpc-endpoint-service-permissions \ 7 | --service-id \ 8 | --add-allowed-principals 9 | ``` 10 | 11 | * Output: 12 | 13 | ```bash 14 | { 15 | "ReturnValue": true 16 | } 17 | ``` -------------------------------------------------------------------------------- /aws-cloudformation/README.md: -------------------------------------------------------------------------------- 1 | ## AWS CloudFormation samples for AWS Gateway Load Balancer (GWLB) 2 | 3 | ### Welcome 4 | 5 | * The following section contains sample AWS CloudFormation templates that demonstrate how to provision and manage AWS Gateway Load Balancer from templates that are written in YAML. 6 | 7 | * More [AWS CloudFormation Templates](https://aws.amazon.com/cloudformation/resources/templates/) are available in the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-sample-templates.html) 8 | 9 | * For more information about developing application using AWS CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) 10 | 11 | ### **GWLB:** 12 | 13 | * [GWLB Sample](gwlb/GwlbWithTargetGroupAndListenerSample.yaml) 14 | 15 | ### **GWLB VPC Endpoint Service:** 16 | * [GWLB VPC Endpoint Service Sample](vpce/GwlbVpcEndpointServiceSample.yaml) 17 | 18 | ### **GWLB VPC Endpoint:** 19 | * [GWLB VPC Endpoint Sample](vpce/GwlbVpcEndpointSample.yaml) 20 | 21 | ### **GWLB Architectures** 22 | * [GWLB Distributed Architecture](distributed_architecture/) 23 | * [GWLB Centralized Architecture](centralized_architecture/) 24 | * [GWLB VPC Routing Enhancements based Architectures](vpc_routing_enhancement_architectures/) 25 | -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/CentralizedArchitectureTgw.yaml: -------------------------------------------------------------------------------- 1 
| # Following example shows how to create AWS Transit Gateway and connect with 2 | # Spoke VPCs and with Appliance VPC - hosting virtual appliances behind 3 | # AWS Gateway Load Balancer (GWLB) using AWS CloudFormation. 4 | 5 | # For architecture details refer to blog: 6 | # https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/ 7 | 8 | AWSTemplateFormatVersion: "2010-09-09" 9 | 10 | Description: >- 11 | AWS CloudFormation sample template for TGW setup for Gateway Load Balancer 12 | (GWLB) in centralized architecture. TGW is created in the same AWS account 13 | as Appliance and Spoke VPCs. 14 | 15 | This template creates: 16 | - 1 TGW 17 | - 3 VPC attachments, 2 for Spoke VPCs and one for Appliance VPC 18 | - 2 route tables: Egress and Transit Route Table 19 | - 3 Associations, 2 Spoke VPCs associated with Egress Route Table 20 | and Appliance VPC associated with Transit Route Table 21 | - Creates default route with Appliance VPC attachment as the target in 22 | Egress Route Table 23 | - Creates Spoke VPCs network address routes with appropriate Spoke VPC 24 | attachment as the target in Transit Route Table 25 | - Creates routes in Appliance VPC's Appliance Route Table with Transit 26 | Gateway as the target 27 | 28 | **WARNING** This template creates Transit Gateway with 3 VPC attachments. You 29 | will be billed for the AWS resources used if you create a stack from this template. 
30 | 31 | Metadata: 32 | AWS::CloudFormation::Interface: 33 | ParameterGroups: 34 | - Label: 35 | default: TGW Appliance VPC Configuration 36 | Parameters: 37 | - ApplianceVpcId 38 | - ApplianceVpcTgwAttachSubnet1Id 39 | - ApplianceVpcTgwAttachSubnet2Id 40 | - ApplianceVpcApplianceRtb1Id 41 | - ApplianceVpcApplianceRtb2Id 42 | - Label: 43 | default: TGW Spoke1 VPC Configuration 44 | Parameters: 45 | - Spoke1VpcId 46 | - Spoke1VpcCidr 47 | - Spoke1VpcTgwAttachSubnet1Id 48 | - Spoke1VpcTgwAttachSubnet2Id 49 | - Spoke1VpcRtb1Id 50 | - Label: 51 | default: TGW Spoke2 VPC Configuration 52 | Parameters: 53 | - Spoke2VpcId 54 | - Spoke2VpcCidr 55 | - Spoke2VpcTgwAttachSubnet1Id 56 | - Spoke2VpcTgwAttachSubnet2Id 57 | - Spoke2VpcRtb1Id 58 | - Label: 59 | default: Network CIDR for access 60 | Parameters: 61 | - AccessLocation 62 | ParameterLabels: 63 | # Appliance VPC Parameter Labels: 64 | ApplianceVpcId: 65 | default: Appliane VPC ID 66 | ApplianceVpcTgwAttachSubnet1Id: 67 | default: Appliance VPC Transit Gateway Subnet 1 ID 68 | ApplianceVpcTgwAttachSubnet2Id: 69 | default: Appliance VPC Transit Gateway Subnet 2 ID 70 | ApplianceVpcApplianceRtb1Id: 71 | default: Appliance VPC Appliance Route Table 1 ID 72 | ApplianceVpcApplianceRtb2Id: 73 | default: Appliance VPC Appliance Route Table 2 ID 74 | # Spoke1 VPC Parameter Labels: 75 | Spoke1VpcId: 76 | default: Spoke1 VPC ID 77 | Spoke1VpcCidr: 78 | default: Spoke1 VPC CIDR 79 | Spoke1VpcTgwAttachSubnet1Id: 80 | default: Spoke1 VPC Subnet1 ID 81 | Spoke1VpcTgwAttachSubnet2Id: 82 | default: Spoke1 VPC Subnet2 ID 83 | Spoke1VpcRtb1Id: 84 | default: Spoke1 VPC Application Route Table ID 85 | # Spoke2 VPC Parameter Labels: 86 | Spoke2VpcId: 87 | default: Spoke2 VPC ID 88 | Spoke2VpcCidr: 89 | default: Spoke2 VPC CIDR 90 | Spoke2VpcTgwAttachSubnet1Id: 91 | default: Spoke2 VPC Subnet1 ID 92 | Spoke2VpcTgwAttachSubnet2Id: 93 | default: Spoke2 VPC Subnet2 ID 94 | Spoke2VpcRtb1Id: 95 | default: Spoke2 VPC Application Route Table ID 96 
| # Network CIDR Location: 97 | AccessLocation: 98 | default: Network CIDR for Routing and Access 99 | 100 | Parameters: 101 | # Appliance VPC Parameters: 102 | ApplianceVpcId: 103 | Description: Appliance VPC ID 104 | Type: String 105 | ConstraintDescription: Must be a valid VPC ID 106 | ApplianceVpcTgwAttachSubnet1Id: 107 | Description: Appliance VPC Subnet1 ID for TGW attachment in AZ1 108 | Type: String 109 | ConstraintDescription: Must be a valid Subnet ID 110 | ApplianceVpcTgwAttachSubnet2Id: 111 | Description: Appliance VPC Subnet2 ID for TGW attachment in AZ2 112 | Type: String 113 | ConstraintDescription: Must be a valid Subnet ID 114 | ApplianceVpcApplianceRtb1Id: 115 | Description: Appliance VPC Appliance Route Table 1 ID 116 | Type: String 117 | ConstraintDescription: Must be a valid Route Table ID 118 | ApplianceVpcApplianceRtb2Id: 119 | Description: Appliance VPC Appliance Route Table 2 ID 120 | Type: String 121 | ConstraintDescription: Must be a valid Route Table ID 122 | # Spoke1 VPC Parameters: 123 | Spoke1VpcId: 124 | Description: Spoke1 VPC ID 125 | Type: String 126 | ConstraintDescription: Must be a valid VPC ID 127 | Spoke1VpcCidr: 128 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 129 | Default: 10.0.0.0/24 130 | Description: Spoke1 VPC Network CIDR 131 | Type: String 132 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/y 133 | Spoke1VpcTgwAttachSubnet1Id: 134 | Description: Spoke1 VPC Subnet1 ID for TGW attachment in AZ1 135 | Type: String 136 | ConstraintDescription: Must be a valid Subnet ID 137 | Spoke1VpcTgwAttachSubnet2Id: 138 | Description: Spoke1 VPC Subnet2 ID for TGW attachment in AZ2 139 | Type: String 140 | ConstraintDescription: Must be a valid Subnet ID 141 | Spoke1VpcRtb1Id: 142 | Description: Spoke1 VPC Application Route Table ID 143 | Type: String 144 | ConstraintDescription: Must be a valid Route Table 
ID 145 | # Spoke2 VPC Parameters: 146 | Spoke2VpcId: 147 | Description: Spoke2 VPC ID 148 | Type: String 149 | ConstraintDescription: Must be a valid VPC ID 150 | Spoke2VpcCidr: 151 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 152 | Default: 10.0.1.0/24 153 | Description: Spoke2 VPC Network CIDR 154 | Type: String 155 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/y 156 | Spoke2VpcTgwAttachSubnet1Id: 157 | Description: Spoke2 VPC Subnet1 ID for TGW attachment in AZ1 158 | Type: String 159 | ConstraintDescription: Must be a valid Subnet ID 160 | Spoke2VpcTgwAttachSubnet2Id: 161 | Description: Spoke2 VPC Subnet2 ID for TGW attachment in AZ2 162 | Type: String 163 | ConstraintDescription: Must be a valid Subnet ID 164 | Spoke2VpcRtb1Id: 165 | Description: Spoke2 VPC Application Route Table ID 166 | Type: String 167 | ConstraintDescription: Must be a valid Route Table ID 168 | # Network CIDR Parameter: 169 | AccessLocation: 170 | Description: >- 171 | Enter desired Network CIDR to access Bastion Host. 
Default is set to 172 | access from anywhere (0.0.0.0/0) and it is not recommended 173 | AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})" 174 | MinLength: "9" 175 | MaxLength: "18" 176 | Default: 0.0.0.0/0 177 | Type: String 178 | ConstraintDescription: Must be a valid Network CIDR of the form x.x.x.x/y 179 | 180 | Resources: 181 | # Create Transit Gateway: 182 | Tgw1: 183 | Type: AWS::EC2::TransitGateway 184 | Properties: 185 | AmazonSideAsn: 64512 186 | AutoAcceptSharedAttachments: enable 187 | DefaultRouteTableAssociation: disable 188 | DefaultRouteTablePropagation: disable 189 | Description: Transit Gateway 1 for GWLB Centralized Architecture 190 | DnsSupport: enable 191 | Tags: 192 | - Key: Name 193 | Value: !Sub "${AWS::StackName}-tgw-1" 194 | VpnEcmpSupport: enable 195 | 196 | # Create Transit Gateway Attachments: 197 | Tgw1ApplianceVpcAttachment: 198 | Type: AWS::EC2::TransitGatewayAttachment 199 | Properties: 200 | Options: 201 | ApplianceModeSupport: "enable" 202 | SubnetIds: 203 | - !Ref ApplianceVpcTgwAttachSubnet1Id 204 | - !Ref ApplianceVpcTgwAttachSubnet2Id 205 | TransitGatewayId: !Ref Tgw1 206 | VpcId: !Ref ApplianceVpcId 207 | Tags: 208 | - Key: Name 209 | Value: !Sub "${AWS::StackName}-appliance-vpc-attachment" 210 | 211 | Tgw1Spoke1VpcAttachment: 212 | Type: AWS::EC2::TransitGatewayAttachment 213 | Properties: 214 | SubnetIds: 215 | - !Ref Spoke1VpcTgwAttachSubnet1Id 216 | - !Ref Spoke1VpcTgwAttachSubnet2Id 217 | TransitGatewayId: !Ref Tgw1 218 | VpcId: !Ref Spoke1VpcId 219 | Tags: 220 | - Key: Name 221 | Value: !Sub "${AWS::StackName}-spoke1-vpc-attachment" 222 | 223 | Tgw1Spoke2VpcAttachment: 224 | Type: AWS::EC2::TransitGatewayAttachment 225 | Properties: 226 | SubnetIds: 227 | - !Ref Spoke2VpcTgwAttachSubnet1Id 228 | - !Ref Spoke2VpcTgwAttachSubnet2Id 229 | TransitGatewayId: !Ref Tgw1 230 | VpcId: !Ref Spoke2VpcId 231 | Tags: 232 | - Key: Name 233 | Value: !Sub "${AWS::StackName}-spoke2-vpc-attachment" 234 | 235 
| # Create Transit Gateway Route Tables: 236 | Tgw1TransitRtb: 237 | Type: AWS::EC2::TransitGatewayRouteTable 238 | Properties: 239 | Tags: 240 | - Key: Name 241 | Value: !Sub "${AWS::StackName}-tgw-transit-rtb" 242 | TransitGatewayId: !Ref Tgw1 243 | 244 | Tgw1EgressRtb: 245 | Type: AWS::EC2::TransitGatewayRouteTable 246 | Properties: 247 | Tags: 248 | - Key: Name 249 | Value: !Sub "${AWS::StackName}-tgw-egress-rtb" 250 | TransitGatewayId: !Ref Tgw1 251 | 252 | # Create Transit Gateway Attachment Associations: 253 | Tgw1ApplianceVpcAttachmentAssociation: 254 | Type: AWS::EC2::TransitGatewayRouteTableAssociation 255 | Properties: 256 | TransitGatewayAttachmentId: !Ref Tgw1ApplianceVpcAttachment 257 | TransitGatewayRouteTableId: !Ref Tgw1TransitRtb 258 | 259 | Tgw1Spoke1VpcAttachmentAssociation: 260 | Type: AWS::EC2::TransitGatewayRouteTableAssociation 261 | Properties: 262 | TransitGatewayAttachmentId: !Ref Tgw1Spoke1VpcAttachment 263 | TransitGatewayRouteTableId: !Ref Tgw1EgressRtb 264 | 265 | Tgw1Spoke2VpcAttachmentAssociation: 266 | Type: AWS::EC2::TransitGatewayRouteTableAssociation 267 | Properties: 268 | TransitGatewayAttachmentId: !Ref Tgw1Spoke2VpcAttachment 269 | TransitGatewayRouteTableId: !Ref Tgw1EgressRtb 270 | 271 | # Create Transit Gateway Routes: 272 | Tgw1Route1: 273 | Type: AWS::EC2::TransitGatewayRoute 274 | Properties: 275 | TransitGatewayAttachmentId: !Ref Tgw1Spoke1VpcAttachment 276 | DestinationCidrBlock: !Ref Spoke1VpcCidr 277 | TransitGatewayRouteTableId: !Ref Tgw1TransitRtb 278 | 279 | Tgw1Route2: 280 | Type: AWS::EC2::TransitGatewayRoute 281 | Properties: 282 | TransitGatewayAttachmentId: !Ref Tgw1Spoke2VpcAttachment 283 | DestinationCidrBlock: !Ref Spoke2VpcCidr 284 | TransitGatewayRouteTableId: !Ref Tgw1TransitRtb 285 | 286 | Tgw1Route3: 287 | Type: AWS::EC2::TransitGatewayRoute 288 | Properties: 289 | TransitGatewayAttachmentId: !Ref Tgw1ApplianceVpcAttachment 290 | DestinationCidrBlock: !Ref AccessLocation 291 | 
TransitGatewayRouteTableId: !Ref Tgw1EgressRtb 292 | 293 | # Add TGW as Target to VPC Route Tables: 294 | # Appliance VPC route table configuration: 295 | # AZ1: 296 | AddRoute1ApplianceVpc: 297 | DependsOn: 298 | - Tgw1 299 | - Tgw1ApplianceVpcAttachment 300 | Type: AWS::EC2::Route 301 | Properties: 302 | DestinationCidrBlock: !Ref Spoke1VpcCidr 303 | TransitGatewayId: !Ref Tgw1 304 | RouteTableId: !Ref ApplianceVpcApplianceRtb1Id 305 | 306 | AddRoute2ApplianceVpc: 307 | DependsOn: [Tgw1, Tgw1ApplianceVpcAttachment] 308 | Type: AWS::EC2::Route 309 | Properties: 310 | DestinationCidrBlock: !Ref Spoke2VpcCidr 311 | TransitGatewayId: !Ref Tgw1 312 | RouteTableId: !Ref ApplianceVpcApplianceRtb1Id 313 | # AZ2: 314 | AddRoute3ApplianceVpc: 315 | DependsOn: [Tgw1, Tgw1ApplianceVpcAttachment] 316 | Type: AWS::EC2::Route 317 | Properties: 318 | DestinationCidrBlock: !Ref Spoke1VpcCidr 319 | TransitGatewayId: !Ref Tgw1 320 | RouteTableId: !Ref ApplianceVpcApplianceRtb2Id 321 | 322 | AddRoute4ApplianceVpc: 323 | DependsOn: [Tgw1, Tgw1ApplianceVpcAttachment] 324 | Type: AWS::EC2::Route 325 | Properties: 326 | DestinationCidrBlock: !Ref Spoke2VpcCidr 327 | TransitGatewayId: !Ref Tgw1 328 | RouteTableId: !Ref ApplianceVpcApplianceRtb2Id 329 | 330 | # Spoke1 VPC route table configuration: 331 | AddRoute1Spoke1Vpc: 332 | DependsOn: [Tgw1, Tgw1Spoke1VpcAttachment] 333 | Type: AWS::EC2::Route 334 | Properties: 335 | DestinationCidrBlock: !Ref AccessLocation 336 | TransitGatewayId: !Ref Tgw1 337 | RouteTableId: !Ref Spoke1VpcRtb1Id 338 | 339 | # Spoke2 VPC route table configuration: 340 | AddRoute1Spoke2Vpc: 341 | DependsOn: [Tgw1, Tgw1Spoke1VpcAttachment] 342 | Type: AWS::EC2::Route 343 | Properties: 344 | DestinationCidrBlock: !Ref AccessLocation 345 | TransitGatewayId: !Ref Tgw1 346 | RouteTableId: !Ref Spoke2VpcRtb1Id 347 | 348 | Outputs: 349 | TgwId: 350 | Description: TGW ID 351 | Value: !Ref Tgw1 352 | TgwApplianceVpcAttachmendId: 353 | Description: Appliance VPC Attachment 
ID 354 | Value: !Ref Tgw1ApplianceVpcAttachment -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/CentralizedArchitectureValidation.md: -------------------------------------------------------------------------------- 1 | ## AWS Gateway Load Balancer Centralized Architecture Validation 2 | 3 | ### Welcome 4 | 5 | * This section walks you through the steps to validate the AWS Gateway Load Balancer Centralized Architecture. 6 | 7 | ### Validate access to resource on Internet from application running in Spoke1 VPC: 8 | 9 | * From the Appliance VPC stack Outputs tab, get the public IP address of the bastion host and the private IP addresses of the two appliances: 10 | 11 | ![](images/appliance_vpc_stack_outputs.jpg) 12 | 13 | * Access appliances through the bastion host: 14 | 15 | ![](images/access_appliances.jpg) 16 | 17 | * From the Spoke1 VPC stack Outputs tab, get the public IP address of the bastion host and the private IP address of the application instance: 18 | 19 | ![](images/spoke1_vpc_stack_outputs.jpg) 20 | 21 | * Access the application instance through the bastion host: 22 | 23 | ![](images/access_application.jpg) 24 | 25 | #### Ping: 26 | 27 | * On both the appliances capture GENEVE traffic using tcpdump. 28 | * From the application instance running in Spoke1 VPC, ping a resource on the internet. 29 | * Ping is successful and the ICMP traffic is sent to the appliance using GENEVE. 30 | 31 | ![](images/ping_access.jpg) 32 | 33 | #### HTTP: 34 | 35 | * On both the appliances capture GENEVE traffic using tcpdump. 36 | * From the application instance running in Spoke1 VPC, access a resource on the Internet over HTTP. 37 | * The example below uses a curl command to access a simple webserver running on an EC2 instance. The command is successful. HTTP traffic is sent to the appliance using GENEVE. 
38 | 39 | ![](images/http_access.jpg) 40 | 41 | ### Validate access to application running in Spoke2 VPC from application running in Spoke1 VPC (East-West/VPC-to-VPC): 42 | 43 | * As explained in the [Centralized inspection architecture with AWS Gateway Load Balancer and AWS Transit Gateway blog](https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/), to ensure flow symmetry, Transit Gateway appliance mode should be enabled on the Appliance VPC attachment. In the example below, the application instance in Availability Zone (AZ) A of Spoke1 VPC tries to SSH into the application instances in AZ A and AZ C of Spoke2 VPC. 44 | 45 | * From the Spoke2 VPC stack Outputs tab, get the private IP addresses of the application instances: 46 | 47 | ![](images/spoke2_vpc_stack_outputs.jpg) 48 | 49 | #### Transit Gateway appliance mode disabled: 50 | 51 | * With Transit Gateway appliance mode disabled, the application instance in AZ A of Spoke1 VPC is able to access the application instance in AZ A of Spoke2 VPC over SSH. 52 | 53 | ![](images/ssh_access_spoke2_application1_appliancemode_disable.jpg) 54 | 55 | * Since the application instance in AZ C of Spoke2 VPC is in a different AZ, the flow is not symmetric without appliance mode and the instance is not accessible. 56 | 57 | ![](images/ssh_access_spoke2_application2_appliancemode_disable.jpg) 58 | 59 | #### Transit Gateway appliance mode enabled: 60 | 61 | * From the Transit Gateway stack Outputs tab, get the Appliance VPC attachment ID: 62 | 63 | ![](images/tgw_stack_outputs.jpg) 64 | 65 | * Enable Transit Gateway appliance mode for the Appliance VPC attachment: 66 | 67 | ![](images/enable_appliancemode.jpg) 68 | 69 | * With Transit Gateway appliance mode enabled, the application instance in AZ A of Spoke1 VPC is able to access both application instances in Spoke2 VPC over SSH. 
70 | 71 | * Application instance in AZ A of Spoke2 VPC: 72 | 73 | ![](images/ssh_access_spoke2_application1_appliancemode_enable.jpg) 74 | 75 | * Application instance in AZ C of Spoke2 VPC: 76 | 77 | ![](images/ssh_access_spoke2_application2_appliancemode_enable.jpg) -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/README.md: -------------------------------------------------------------------------------- 1 | ## AWS Gateway Load Balancer In Centralized Architecture 2 | 3 | ### Welcome 4 | 5 | This section contains sample AWS CloudFormation templates that demonstrate how to create a centralized inspection architecture using AWS Gateway Load Balancer (GWLB), AWS Gateway Load Balancer Endpoints (GWLBe), virtual appliances and AWS Transit Gateway (TGW) from templates that are written in YAML. 6 | 7 | Here you will find sample AWS CloudFormation templates for the centralized architecture described in the blog **[Centralized inspection architecture with AWS Gateway Load Balancer and AWS Transit Gateway](https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/)** 8 | 9 | **Note:** For other architecture patterns, refer to [Centralized Architecture Patterns](centralized_architecture_patterns) 10 | 11 | ![Figure 1: GWLB Centralized Architecture](images/gwlb_centralized_architecture.jpg) 12 | _Figure 1: GWLB Centralized Architecture_ 13 | 14 | * **Launch the CloudFormation templates in the following order:** 15 | 1. Appliance VPC Template 16 | 2. Spoke1 VPC Template 17 | 3. Spoke2 VPC Template 18 | 4. Transit Gateway Template. The Transit Gateway Template depends on the Appliance VPC, Spoke1 VPC and Spoke2 VPC templates. The template will fail if launched before the above 3 templates have deployed successfully. 
19 | 20 | ### **Appliance VPC:** 21 | * [GWLB Appliance VPC Sample](CentralizedArchitectureApplianceVpc2Az.yaml) 22 | 23 | ### **Spoke VPCs:** 24 | * We use the same spoke VPC template for both Spoke1 VPC and Spoke2 VPC. When deploying the template for Spoke2 VPC, make sure you have changed the default values so that Spoke2 VPC has different, non-overlapping VPC and subnet network addresses. 25 | 26 | * [GWLB Spoke1 VPC Sample](CentralizedArchitectureSpokeVpc2Az.yaml) 27 | * [GWLB Spoke2 VPC Sample](CentralizedArchitectureSpokeVpc2Az.yaml) 28 | 29 | ### **Transit Gateway:** 30 | * [GWLB Transit Gateway Sample](CentralizedArchitectureTgw.yaml) 31 | * Use appropriate values for the parameters. 32 | * Use the Appliance VPC and Spoke VPC stacks' Outputs sections to retrieve the values. 33 | * The template enables Transit Gateway appliance mode. 34 | 35 | ### Enable Transit Gateway Appliance Mode: 36 | 37 | * To ensure flow symmetry, Transit Gateway appliance mode should be enabled on the Appliance VPC’s attachment. 38 | 39 | * [GWLB Transit Gateway Sample](CentralizedArchitectureTgw.yaml) enables appliance mode for the Appliance VPC attachment. 40 | 41 | * You can also enable/disable appliance mode using the AWS CLI. Once the Transit Gateway template has been successfully deployed, fetch the Appliance VPC Attachment ID from the stack's Outputs tab and enable/disable appliance mode using the AWS CLI as shown below. Replace the parameter values inside '< >' with appropriate values. 
42 | 43 | ```bash 44 | aws ec2 modify-transit-gateway-vpc-attachment \ 45 | --transit-gateway-attachment-id 46 | --options ApplianceModeSupport=enable 47 | ``` 48 | 49 | ### 1-Click Deployment: 50 | 51 | * Alternatively, you can deploy [gwlb centralized architecture stack](https://us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/create/template?stackName=GwlbCentralizedDemo&templateURL=https://tech-content-us-west-2.s3-us-west-2.amazonaws.com/aws-gwlb-cloudformation-samples/centralized-architecture/nested-stack/CentralizedArchitecturePrimary.yaml) and it will provision the resources as described in _Figure 1: GWLB Centralized Architecture_. 52 | * While the link above launches the stack in Oregon (us-west-2) region, you can change the region to your choice. Make sure GWLB is supported in the region you choose to deploy the stack in. 53 | 54 | ### Validation Steps: 55 | * [GWLB Centralized Architecture Validation](CentralizedArchitectureValidation.md) 56 | -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/centralized_architecture_patterns/README.md: -------------------------------------------------------------------------------- 1 | ## AWS Gateway Load Balancer In Centralized Architecture 2 | 3 | ### Welcome 4 | 5 | * [Inspecting traffic between on-premises and VPC](onpremises_vpc) -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/centralized_architecture_patterns/onpremises_vpc/CentralizedArchitectureTgw.yaml: -------------------------------------------------------------------------------- 1 | # Following example shows how to create AWS Transit Gateway and connect with 2 | # Spoke VPCs and with Inspection VPC - hosting virtual appliances behind 3 | # AWS Gateway Load Balancer (GWLB) using AWS CloudFormation. 
4 | 5 | # For architecture details refer to blog: 6 | # https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/ 7 | 8 | AWSTemplateFormatVersion: "2010-09-09" 9 | 10 | Description: >- 11 | AWS CloudFormation sample template for TGW setup for Gateway Load Balancer 12 | (GWLB) in centralized architecture. TGW is created in the same AWS account 13 | as Inspection and Spoke VPCs. 14 | 15 | This template creates: 16 | - 1 TGW 17 | - 2 VPC attachments, one for Spoke VPC and one for Inspection VPC 18 | - 3 route tables: On premises, spoke and inspection Route Table 19 | - 2 Associations, 1 Spoke VPC associated with Spoke Route Table 20 | and Inspection VPC associated with Inspection Route Table 21 | - Creates default route with Inspection VPC attachment as the target in 22 | Spoke Route Table and On Premises Route Table 23 | - Creates Spoke VPC network address routes with appropriate Spoke VPC 24 | attachment as the target in Inspection Route Table 25 | - Creates routes in Inspection VPC's Appliance Route Table with Transit 26 | Gateway as the target 27 | 28 | **WARNING** This template creates Transit Gateway with 3 VPC attachments. You 29 | will be billed for the AWS resources used if you create a stack from this template. 
30 | 31 | Metadata: 32 | AWS::CloudFormation::Interface: 33 | ParameterGroups: 34 | - Label: 35 | default: TGW Inspection VPC Configuration 36 | Parameters: 37 | - InspectionVpcId 38 | - InspectionVpcTgwAttachSubnet1Id 39 | - InspectionVpcTgwAttachSubnet2Id 40 | - InspectionVpcApplianceRtb1Id 41 | - InspectionVpcApplianceRtb2Id 42 | - Label: 43 | default: TGW Spoke1 VPC Configuration 44 | Parameters: 45 | - Spoke1VpcId 46 | - Spoke1VpcCidr 47 | - Spoke1VpcTgwAttachSubnet1Id 48 | - Spoke1VpcTgwAttachSubnet2Id 49 | - Spoke1VpcRtb1Id 50 | - Label: 51 | default: Network CIDR for access 52 | Parameters: 53 | - AccessLocation 54 | ParameterLabels: 55 | # Inspection VPC Parameter Labels: 56 | InspectionVpcId: 57 | default: Appliane VPC ID 58 | InspectionVpcTgwAttachSubnet1Id: 59 | default: Inspection VPC Transit Gateway Subnet 1 ID 60 | InspectionVpcTgwAttachSubnet2Id: 61 | default: Inspection VPC Transit Gateway Subnet 2 ID 62 | InspectionVpcApplianceRtb1Id: 63 | default: Inspection VPC Appliance Route Table 1 ID 64 | InspectionVpcApplianceRtb2Id: 65 | default: Inspection VPC Appliance Route Table 2 ID 66 | # Spoke1 VPC Parameter Labels: 67 | Spoke1VpcId: 68 | default: Spoke1 VPC ID 69 | Spoke1VpcCidr: 70 | default: Spoke1 VPC CIDR 71 | Spoke1VpcTgwAttachSubnet1Id: 72 | default: Spoke1 VPC Subnet1 ID 73 | Spoke1VpcTgwAttachSubnet2Id: 74 | default: Spoke1 VPC Subnet2 ID 75 | Spoke1VpcRtb1Id: 76 | default: Spoke1 VPC Application Route Table ID 77 | # Network CIDR Location: 78 | AccessLocation: 79 | default: Network CIDR for Routing and Access 80 | 81 | Parameters: 82 | # Inspection VPC Parameters: 83 | InspectionVpcId: 84 | Description: Inspection VPC ID 85 | Type: String 86 | ConstraintDescription: Must be a valid VPC ID 87 | InspectionVpcTgwAttachSubnet1Id: 88 | Description: Inspection VPC Subnet1 ID for TGW attachment in AZ1 89 | Type: String 90 | ConstraintDescription: Must be a valid Subnet ID 91 | InspectionVpcTgwAttachSubnet2Id: 92 | Description: Inspection VPC 
Subnet2 ID for TGW attachment in AZ2 93 | Type: String 94 | ConstraintDescription: Must be a valid Subnet ID 95 | InspectionVpcApplianceRtb1Id: 96 | Description: Inspection VPC Appliance Route Table 1 ID 97 | Type: String 98 | ConstraintDescription: Must be a valid Route Table ID 99 | InspectionVpcApplianceRtb2Id: 100 | Description: Inspection VPC Appliance Route Table 2 ID 101 | Type: String 102 | ConstraintDescription: Must be a valid Route Table ID 103 | # Spoke1 VPC Parameters: 104 | Spoke1VpcId: 105 | Description: Spoke1 VPC ID 106 | Type: String 107 | ConstraintDescription: Must be a valid VPC ID 108 | Spoke1VpcCidr: 109 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 110 | Default: 10.0.1.0/24 111 | Description: Spoke1 VPC Network CIDR 112 | Type: String 113 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/y 114 | Spoke1VpcTgwAttachSubnet1Id: 115 | Description: Spoke1 VPC Subnet1 ID for TGW attachment in AZ1 116 | Type: String 117 | ConstraintDescription: Must be a valid Subnet ID 118 | Spoke1VpcTgwAttachSubnet2Id: 119 | Description: Spoke1 VPC Subnet2 ID for TGW attachment in AZ2 120 | Type: String 121 | ConstraintDescription: Must be a valid Subnet ID 122 | Spoke1VpcRtb1Id: 123 | Description: Spoke1 VPC Application Route Table ID 124 | Type: String 125 | ConstraintDescription: Must be a valid Route Table ID 126 | # Network CIDR Parameter: 127 | AccessLocation: 128 | Description: >- 129 | Enter desired Network CIDR to access Bastion Host. 
Default is set to 130 | access from anywhere (0.0.0.0/0) and it is not recommended 131 | AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})" 132 | MinLength: "9" 133 | MaxLength: "18" 134 | Default: 0.0.0.0/0 135 | Type: String 136 | ConstraintDescription: Must be a valid Network CIDR of the form x.x.x.x/y 137 | 138 | Resources: 139 | # Create Transit Gateway: 140 | Tgw1: 141 | Type: AWS::EC2::TransitGateway 142 | Properties: 143 | AmazonSideAsn: 64512 144 | AutoAcceptSharedAttachments: enable 145 | DefaultRouteTableAssociation: disable 146 | DefaultRouteTablePropagation: disable 147 | Description: Transit Gateway 1 for GWLB Centralized Architecture 148 | DnsSupport: enable 149 | Tags: 150 | - Key: Name 151 | Value: !Sub "${AWS::StackName}-tgw-1" 152 | VpnEcmpSupport: enable 153 | 154 | # Create Transit Gateway Attachments: 155 | Tgw1InspectionVpcAttachment: 156 | Type: AWS::EC2::TransitGatewayAttachment 157 | Properties: 158 | Options: 159 | ApplianceModeSupport: "enable" 160 | SubnetIds: 161 | - !Ref InspectionVpcTgwAttachSubnet1Id 162 | - !Ref InspectionVpcTgwAttachSubnet2Id 163 | TransitGatewayId: !Ref Tgw1 164 | VpcId: !Ref InspectionVpcId 165 | Tags: 166 | - Key: Name 167 | Value: !Sub "${AWS::StackName}-inspection-vpc-attachment" 168 | 169 | Tgw1Spoke1VpcAttachment: 170 | Type: AWS::EC2::TransitGatewayAttachment 171 | Properties: 172 | SubnetIds: 173 | - !Ref Spoke1VpcTgwAttachSubnet1Id 174 | - !Ref Spoke1VpcTgwAttachSubnet2Id 175 | TransitGatewayId: !Ref Tgw1 176 | VpcId: !Ref Spoke1VpcId 177 | Tags: 178 | - Key: Name 179 | Value: !Sub "${AWS::StackName}-spoke1-vpc-attachment" 180 | 181 | # Create Transit Gateway Route Tables: 182 | Tgw1InspectionRtb: 183 | Type: AWS::EC2::TransitGatewayRouteTable 184 | Properties: 185 | Tags: 186 | - Key: Name 187 | Value: !Sub "${AWS::StackName}-tgw-inspection-rtb" 188 | TransitGatewayId: !Ref Tgw1 189 | 190 | Tgw1SpokeRtb: 191 | Type: AWS::EC2::TransitGatewayRouteTable 192 | Properties: 193 | 
Tags: 194 | - Key: Name 195 | Value: !Sub "${AWS::StackName}-tgw-spoke-rtb" 196 | TransitGatewayId: !Ref Tgw1 197 | 198 | Tgw1OnPremisesRtb: 199 | Type: AWS::EC2::TransitGatewayRouteTable 200 | Properties: 201 | Tags: 202 | - Key: Name 203 | Value: !Sub "${AWS::StackName}-tgw-onpremises-rtb" 204 | TransitGatewayId: !Ref Tgw1 205 | 206 | # Create Transit Gateway Attachment Associations: 207 | Tgw1InspectionVpcAttachmentAssociation: 208 | Type: AWS::EC2::TransitGatewayRouteTableAssociation 209 | Properties: 210 | TransitGatewayAttachmentId: !Ref Tgw1InspectionVpcAttachment 211 | TransitGatewayRouteTableId: !Ref Tgw1InspectionRtb 212 | 213 | Tgw1Spoke1VpcAttachmentAssociation: 214 | Type: AWS::EC2::TransitGatewayRouteTableAssociation 215 | Properties: 216 | TransitGatewayAttachmentId: !Ref Tgw1Spoke1VpcAttachment 217 | TransitGatewayRouteTableId: !Ref Tgw1SpokeRtb 218 | 219 | # Create Transit Gateway Routes: 220 | Tgw1Route1: 221 | Type: AWS::EC2::TransitGatewayRoute 222 | Properties: 223 | TransitGatewayAttachmentId: !Ref Tgw1Spoke1VpcAttachment 224 | DestinationCidrBlock: !Ref Spoke1VpcCidr 225 | TransitGatewayRouteTableId: !Ref Tgw1InspectionRtb 226 | 227 | Tgw1Route2: 228 | Type: AWS::EC2::TransitGatewayRoute 229 | Properties: 230 | TransitGatewayAttachmentId: !Ref Tgw1InspectionVpcAttachment 231 | DestinationCidrBlock: !Ref AccessLocation 232 | TransitGatewayRouteTableId: !Ref Tgw1SpokeRtb 233 | 234 | Tgw1Route3: 235 | Type: AWS::EC2::TransitGatewayRoute 236 | Properties: 237 | TransitGatewayAttachmentId: !Ref Tgw1InspectionVpcAttachment 238 | DestinationCidrBlock: !Ref AccessLocation 239 | TransitGatewayRouteTableId: !Ref Tgw1OnPremisesRtb 240 | 241 | # Add TGW as Target to VPC Route Tables: 242 | # Inspection VPC route table configuration: 243 | # AZ1: 244 | AddRoute1InspectionVpc: 245 | DependsOn: 246 | # - Tgw1 247 | - Tgw1InspectionVpcAttachment 248 | Type: AWS::EC2::Route 249 | Properties: 250 | DestinationCidrBlock: !Ref Spoke1VpcCidr 251 | 
TransitGatewayId: !Ref Tgw1 252 | RouteTableId: !Ref InspectionVpcApplianceRtb1Id 253 | 254 | # AZ2: 255 | AddRoute2InspectionVpc: 256 | DependsOn: [Tgw1InspectionVpcAttachment] 257 | Type: AWS::EC2::Route 258 | Properties: 259 | DestinationCidrBlock: !Ref Spoke1VpcCidr 260 | TransitGatewayId: !Ref Tgw1 261 | RouteTableId: !Ref InspectionVpcApplianceRtb2Id 262 | 263 | # Spoke1 VPC route table configuration: 264 | AddRoute1Spoke1Vpc: 265 | DependsOn: [Tgw1Spoke1VpcAttachment] 266 | Type: AWS::EC2::Route 267 | Properties: 268 | DestinationCidrBlock: !Ref AccessLocation 269 | TransitGatewayId: !Ref Tgw1 270 | RouteTableId: !Ref Spoke1VpcRtb1Id 271 | 272 | Outputs: 273 | TgwId: 274 | Description: TGW ID 275 | Value: !Ref Tgw1 276 | TgwInspectionVpcAttachmendId: 277 | Description: Inspection VPC Attachment ID 278 | Value: !Ref Tgw1InspectionVpcAttachment -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/centralized_architecture_patterns/onpremises_vpc/README.md: -------------------------------------------------------------------------------- 1 | ### Welcome 2 | This section contains sample AWS CloudFormation templates for inspecting traffic between On Premises and Amazon VPC. 3 | 4 | **Note:** It is end users responsibility to provision and configure AWS Direct Connect connection, transit virtual interface (VIF) and AWS Direct Connect gateway to enable communication between On Premises and Amazon VPC. 
Refer to the following additional resources for more details: 5 | 6 | * [What is AWS Direct Connect?](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) 7 | * [AWS Direct Connect + AWS Transit Gateway](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-aws-transit-gateway.html) 8 | * [AWS Transit Gateway Associations](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-transit-gateways.html) 9 | 10 | ### Sample AWS CloudFormation templates 11 | 12 | ![Figure 1](../../images/gwlb_centralized_architecture_onpremises_vpc.jpg) 13 | _Figure 1: GWLB Centralized Architecture_ 14 | 15 | * **Launch the CloudFormation templates in the following order:** 16 | 1. Inspection VPC Template 17 | 2. Spoke1 VPC Template 18 | 3. Transit Gateway Template. The Transit Gateway Template depends on the Inspection VPC and Spoke1 VPC templates; it will fail if launched before both of those stacks have deployed successfully. 19 | 20 | #### **Inspection VPC:** 21 | * [GWLB Inspection VPC Sample](CentralizedArchitectureInspectionVpc2Az.yaml) 22 | 23 | #### **Spoke VPCs:** 24 | 25 | * [GWLB Spoke1 VPC Sample](CentralizedArchitectureSpokeVpc2Az.yaml) 26 | 27 | #### **Transit Gateway:** 28 | * [GWLB Transit Gateway Sample](CentralizedArchitectureTgw.yaml) 29 | * Use appropriate values for the parameters. 30 | * Use the Outputs section of the Inspection VPC and Spoke VPC stacks to retrieve the values. 31 | * The template enables Transit Gateway appliance mode. 
32 | 33 | -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/access_appliances.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/access_appliances.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/access_application.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/access_application.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/appliance_vpc_stack_outputs.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/appliance_vpc_stack_outputs.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/appliance_vpc_stack_outputs_tgw.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/appliance_vpc_stack_outputs_tgw.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/appliance_vpc_stack_outputs_unedited.jpg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/appliance_vpc_stack_outputs_unedited.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/enable_appliancemode.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/enable_appliancemode.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/gwlb_centralized_architecture.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/gwlb_centralized_architecture.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/gwlb_centralized_architecture_onpremises_vpc.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/gwlb_centralized_architecture_onpremises_vpc.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/http_access.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/http_access.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/ping_access.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/ping_access.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/spoke1_vpc_stack_outputs.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/spoke1_vpc_stack_outputs.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/spoke1_vpc_stack_outputs_tgw.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/spoke1_vpc_stack_outputs_tgw.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/spoke1_vpc_stack_outputs_unedited.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/spoke1_vpc_stack_outputs_unedited.jpg 
-------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/spoke2_vpc_stack_outputs.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/spoke2_vpc_stack_outputs.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/spoke2_vpc_stack_outputs_tgw.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/spoke2_vpc_stack_outputs_tgw.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/spoke2_vpc_stack_outputs_unedited.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/spoke2_vpc_stack_outputs_unedited.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/ssh_access_spoke2_application1_appliancemode_disable.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/ssh_access_spoke2_application1_appliancemode_disable.jpg -------------------------------------------------------------------------------- 
/aws-cloudformation/centralized_architecture/images/ssh_access_spoke2_application1_appliancemode_enable.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/ssh_access_spoke2_application1_appliancemode_enable.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/ssh_access_spoke2_application2_appliancemode_disable.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/ssh_access_spoke2_application2_appliancemode_disable.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/ssh_access_spoke2_application2_appliancemode_enable.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/ssh_access_spoke2_application2_appliancemode_enable.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/images/tgw_stack_output_unedited.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/tgw_stack_output_unedited.jpg -------------------------------------------------------------------------------- 
/aws-cloudformation/centralized_architecture/images/tgw_stack_outputs.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/centralized_architecture/images/tgw_stack_outputs.jpg -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/nested-stack/SpokeVpc2Az.yaml: -------------------------------------------------------------------------------- 1 | # Following example shows how to create Spoke VPC and integrate with 2 | # AWS Gateway Load Balancer (GWLB) centralized architecture 3 | # using AWS CloudFormation. 4 | 5 | 6 | # For architecture details refer to blog: 7 | # https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/ 8 | 9 | AWSTemplateFormatVersion: "2010-09-09" 10 | 11 | Description: >- 12 | AWS CloudFormation sample template for Spoke VPC for Gateway Load Balancer 13 | (GWLB) in centralized architecture. Template is deployed across 2 14 | Availability Zones (AZ) and is created in same account as Appliance VPC and 15 | Transit Gateway. 16 | 17 | This template creates: 18 | - 1 VPC 19 | - 1 IGW 20 | - 4 private subnets, one in each AZ for application instances and TGW attachments 21 | - 2 public subnets, one in each AZ 22 | - 1 private route table and 1 public route table 23 | - 2 security groups: Application and Bastion 24 | - 2 Amazon Linux 2 instances acting as applications, one in each AZ 25 | - 1 Amazon Linux 2 instance acting as bastion host to access Application instances. 26 | 27 | **WARNING** This template creates one or more Amazon EC2 instances. You will 28 | be billed for the AWS resources used if you create a stack from this template. 
29 | 30 | Metadata: 31 | AWS::CloudFormation::Interface: 32 | ParameterGroups: 33 | - Label: 34 | default: Network Configuration 35 | Parameters: 36 | - VpcCidr 37 | - AvailabilityZone1 38 | - ApplicationSubnet1Cidr 39 | - TgwAttachSubnet1Cidr 40 | - BastionSubnet1Cidr 41 | - AvailabilityZone2 42 | - ApplicationSubnet2Cidr 43 | - TgwAttachSubnet2Cidr 44 | - BastionSubnet2Cidr 45 | - Label: 46 | default: Application Configuration 47 | Parameters: 48 | - ApplicationInstanceType 49 | - ApplicationInstanceAmiId 50 | - ApplicationInstanceDiskSize 51 | - KeyPairName 52 | - AccessLocation 53 | 54 | ParameterLabels: 55 | VpcCidr: 56 | default: Spoke VPC - VPC CIDR 57 | AvailabilityZone1: 58 | default: Spoke VPC - Availability Zone 1 59 | ApplicationSubnet1Cidr: 60 | default: Spoke VPC - Application Subnet 1 CIDR 61 | TgwAttachSubnet1Cidr: 62 | default: Spoke VPC - TGW Attachment Subnet 1 CIDR 63 | BastionSubnet1Cidr: 64 | default: Spoke VPC - Bastion Subnet 1 CIDR 65 | AvailabilityZone2: 66 | default: Spoke VPC - Availability Zone 2 67 | ApplicationSubnet2Cidr: 68 | default: Spoke VPC - Application Subnet 2 CIDR 69 | TgwAttachSubnet2Cidr: 70 | default: Spoke VPC - TGW Attachment Subnet 2 CIDR 71 | BastionSubnet2Cidr: 72 | default: Spoke VPC - Bastion Subnet 2 CIDR 73 | ApplicationInstanceType: 74 | default: Application Instance Type 75 | ApplicationInstanceAmiId: 76 | default: Latest AMI ID for application (ec2 instance) 77 | ApplicationInstanceDiskSize: 78 | default: Application Instance Size in GB 79 | KeyPairName: 80 | default: KeyPair required for accessing application instance 81 | AccessLocation: 82 | default: Network CIDR to access application instance 83 | 84 | Parameters: 85 | VpcCidr: 86 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 87 | Default: 10.0.0.0/24 88 | Description: Spoke VPC - CIDR block for the VPC 89 | Type: String 90 | ConstraintDescription: CIDR 
block parameter must be in the form x.x.x.x/16-28 91 | AvailabilityZone1: 92 | Description: Spoke VPC - Availability Zone 1 93 | Type: AWS::EC2::AvailabilityZone::Name 94 | ConstraintDescription: Valid Availability Zone Id 95 | ApplicationSubnet1Cidr: 96 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 97 | Default: 10.0.0.0/28 98 | Description: Spoke VPC - Application Subnet 1 CIDR in Availability Zone 1 99 | Type: String 100 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 101 | TgwAttachSubnet1Cidr: 102 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 103 | Default: 10.0.0.16/28 104 | Description: Spoke VPC - TGW Attachment Subnet 1 CIDR in Availability Zone 1 105 | Type: String 106 | ConstraintDescription: Subnet CIDR parameter must be in the form x.x.x.x/16-28 107 | BastionSubnet1Cidr: 108 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 109 | Default: 10.0.0.64/28 110 | Description: Spoke VPC - Bastion Subnet 1 CIDR in Availability Zone 1 111 | Type: String 112 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 113 | AvailabilityZone2: 114 | Description: Availability Zone to use for the Public Subnet 2 in the VPC 115 | Type: AWS::EC2::AvailabilityZone::Name 116 | ConstraintDescription: Valid Availability Zone Id 117 | ApplicationSubnet2Cidr: 118 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 119 | Default: 10.0.0.32/28 120 | Description: Spoke VPC - Application Subnet 2 CIDR in Availability Zone 2 121 | Type: String 122 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 123 | 
TgwAttachSubnet2Cidr: 124 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 125 | Default: 10.0.0.48/28 126 | Description: Spoke VPC - TGW Attachment Subnet 2 CIDR in Availability Zone 2 127 | Type: String 128 | ConstraintDescription: Subnet CIDR parameter must be in the form x.x.x.x/16-28 129 | BastionSubnet2Cidr: 130 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 131 | Default: 10.0.0.80/28 132 | Description: Spoke VPC - Bastion Subnet 2 CIDR in Availability Zone 2 133 | Type: String 134 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 135 | ApplicationInstanceType: 136 | Description: Select EC2 instance type for Application instance. Default is set to t2.micro 137 | Default: t2.micro 138 | AllowedValues: 139 | - t2.micro 140 | Type: String 141 | ApplicationInstanceAmiId: 142 | Description: EC2 Instance AMI ID retrieved using SSM 143 | Type: String 144 | ApplicationInstanceDiskSize: 145 | Description: Application instance disk size in GB. Default is set to 8GB 146 | Default: 8 147 | AllowedValues: [8] 148 | Type: Number 149 | ConstraintDescription: Should be a valid instance size in GB 150 | KeyPairName: 151 | Description: EC2 KeyPair required for accessing EC2 instance 152 | Type: AWS::EC2::KeyPair::KeyName 153 | ConstraintDescription: Must be the name of an existing EC2 KeyPair 154 | AccessLocation: 155 | Description: >- 156 | Enter desired Network CIDR to access Bastion Host. 
The default (0.0.0.0/0) allows 157 | access from anywhere and is not recommended; the same CIDR is also allowed into the application security group. 158 | AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})" 159 | MinLength: "9" 160 | MaxLength: "18" 161 | Default: 0.0.0.0/0 162 | Type: String 163 | ConstraintDescription: Must be a valid Network CIDR of the form x.x.x.x/y 164 | 165 | Resources: 166 | # Create VPC: 167 | Vpc: 168 | Type: AWS::EC2::VPC 169 | Properties: 170 | CidrBlock: !Ref VpcCidr 171 | EnableDnsSupport: "true" 172 | EnableDnsHostnames: "true" 173 | InstanceTenancy: default 174 | Tags: 175 | - Key: Name 176 | Value: !Join 177 | - "" 178 | - - !Ref AWS::StackName 179 | - "-vpc" 180 | 181 | # Create IGW and attach to the VPC: 182 | InternetGateway: 183 | Type: AWS::EC2::InternetGateway 184 | Properties: 185 | Tags: 186 | - Key: Name 187 | Value: !Sub "${AWS::StackName}-igw" 188 | 189 | AttachInternetGateway: 190 | Type: AWS::EC2::VPCGatewayAttachment 191 | Properties: 192 | VpcId: !Ref Vpc 193 | InternetGatewayId: !Ref InternetGateway 194 | 195 | # Create Subnets: 196 | # AZ1: 197 | BastionSubnet1: 198 | Type: AWS::EC2::Subnet 199 | Properties: 200 | AvailabilityZone: !Ref AvailabilityZone1 201 | CidrBlock: !Ref BastionSubnet1Cidr 202 | VpcId: !Ref Vpc 203 | MapPublicIpOnLaunch: "true" 204 | Tags: 205 | - Key: Name 206 | Value: !Sub "${AWS::StackName}-bastion-subnet-1" 207 | 208 | ApplicationSubnet1: 209 | Type: AWS::EC2::Subnet 210 | Properties: 211 | AvailabilityZone: !Ref AvailabilityZone1 212 | CidrBlock: !Ref ApplicationSubnet1Cidr 213 | VpcId: !Ref Vpc 214 | MapPublicIpOnLaunch: "true" 215 | Tags: 216 | - Key: Name 217 | Value: !Sub "${AWS::StackName}-application-subnet-1" 218 | 219 | TgwAttachSubnet1: 220 | Type: AWS::EC2::Subnet 221 | Properties: 222 | AvailabilityZone: !Ref AvailabilityZone1 223 | CidrBlock: !Ref TgwAttachSubnet1Cidr 224 | VpcId: !Ref Vpc 225 | MapPublicIpOnLaunch: "true" 226 | Tags: 227 | - Key: Name 228 | Value: !Sub "${AWS::StackName}-tgw-attach-subnet-1" 229 | 
230 | # AZ2: 231 | BastionSubnet2: 232 | Type: AWS::EC2::Subnet 233 | Properties: 234 | AvailabilityZone: !Ref AvailabilityZone2 235 | CidrBlock: !Ref BastionSubnet2Cidr 236 | VpcId: !Ref Vpc 237 | MapPublicIpOnLaunch: "true" 238 | Tags: 239 | - Key: Name 240 | Value: !Sub "${AWS::StackName}-bastion-subnet-2" 241 | 242 | ApplicationSubnet2: 243 | Type: AWS::EC2::Subnet 244 | Properties: 245 | AvailabilityZone: !Ref AvailabilityZone2 246 | CidrBlock: !Ref ApplicationSubnet2Cidr 247 | VpcId: !Ref Vpc 248 | MapPublicIpOnLaunch: "true" 249 | Tags: 250 | - Key: Name 251 | Value: !Sub "${AWS::StackName}-application-subnet-2" 252 | 253 | TgwAttachSubnet2: 254 | Type: AWS::EC2::Subnet 255 | Properties: 256 | AvailabilityZone: !Ref AvailabilityZone2 257 | CidrBlock: !Ref TgwAttachSubnet2Cidr 258 | VpcId: !Ref Vpc 259 | MapPublicIpOnLaunch: "true" 260 | Tags: 261 | - Key: Name 262 | Value: !Sub "${AWS::StackName}-tgw-attach-subnet-2" 263 | 264 | # Create Route Tables: 265 | ApplicationRouteTable: 266 | Type: AWS::EC2::RouteTable 267 | Properties: 268 | VpcId: !Ref Vpc 269 | Tags: 270 | - Key: Name 271 | Value: !Sub "${AWS::StackName}-applicaiton-rtb" 272 | 273 | BastionRouteTable: 274 | Type: AWS::EC2::RouteTable 275 | Properties: 276 | VpcId: !Ref Vpc 277 | Tags: 278 | - Key: Name 279 | Value: !Sub "${AWS::StackName}-bastion-rtb" 280 | 281 | # Associate Subnets with Route Tables: 282 | # AZ1: 283 | ApplicationSubnet1RouteTableAssociation: 284 | Type: AWS::EC2::SubnetRouteTableAssociation 285 | Properties: 286 | SubnetId: !Ref ApplicationSubnet1 287 | RouteTableId: !Ref ApplicationRouteTable 288 | 289 | TgwAttachSubnet1RouteTableAssociation: 290 | Type: AWS::EC2::SubnetRouteTableAssociation 291 | Properties: 292 | SubnetId: !Ref TgwAttachSubnet1 293 | RouteTableId: !Ref ApplicationRouteTable 294 | 295 | BastionSubnet1RouteTableAssociation: 296 | Type: AWS::EC2::SubnetRouteTableAssociation 297 | Properties: 298 | SubnetId: !Ref BastionSubnet1 299 | RouteTableId: !Ref 
BastionRouteTable 300 | 301 | # AZ2: 302 | ApplicationSubnet2RouteTableAssociation: 303 | Type: AWS::EC2::SubnetRouteTableAssociation 304 | Properties: 305 | SubnetId: !Ref ApplicationSubnet2 306 | RouteTableId: !Ref ApplicationRouteTable 307 | 308 | TgwAttachSubnet2RouteTableAssociation: 309 | Type: AWS::EC2::SubnetRouteTableAssociation 310 | Properties: 311 | SubnetId: !Ref TgwAttachSubnet2 312 | RouteTableId: !Ref ApplicationRouteTable 313 | 314 | BastionSubnet2RouteTableAssociation: 315 | Type: AWS::EC2::SubnetRouteTableAssociation 316 | Properties: 317 | SubnetId: !Ref BastionSubnet2 318 | RouteTableId: !Ref BastionRouteTable 319 | 320 | # Create Routes. Routes with TGW as the target are created through TGW template: 321 | BastionRoute: 322 | Type: AWS::EC2::Route 323 | DependsOn: AttachInternetGateway 324 | Properties: 325 | DestinationCidrBlock: 0.0.0.0/0 326 | GatewayId: !Ref InternetGateway 327 | RouteTableId: !Ref BastionRouteTable 328 | 329 | # Create Security Group: 330 | ApplicationSg: 331 | Type: AWS::EC2::SecurityGroup 332 | Properties: 333 | VpcId: !Ref Vpc 334 | GroupName: !Sub "${AWS::StackName}-application-sg" 335 | GroupDescription: >- 336 | Access to application instance: allow all TCP and UDP ports and ICMP from the 337 | AccessLocation CIDR. Allow all traffic from VPC CIDR. 
338 | SecurityGroupIngress: 339 | - CidrIp: !Ref AccessLocation 340 | IpProtocol: tcp 341 | FromPort: 0 342 | ToPort: 65535 343 | - CidrIp: !Ref AccessLocation 344 | IpProtocol: ICMP 345 | FromPort: -1 346 | ToPort: -1 347 | - CidrIp: !Ref AccessLocation 348 | IpProtocol: udp 349 | FromPort: 0 350 | ToPort: 65535 351 | - CidrIp: !Ref VpcCidr 352 | IpProtocol: "-1" 353 | FromPort: -1 354 | ToPort: -1 355 | SecurityGroupEgress: 356 | - CidrIp: 0.0.0.0/0 357 | IpProtocol: "-1" 358 | FromPort: -1 359 | ToPort: -1 360 | Tags: 361 | - Key: Name 362 | Value: !Sub "${AWS::StackName}-application-sg" 363 | 364 | # Create Application Instances: 365 | 366 | Application1: 367 | Type: AWS::EC2::Instance 368 | Properties: 369 | ImageId: !Ref ApplicationInstanceAmiId 370 | KeyName: !Ref KeyPairName 371 | InstanceType: !Ref ApplicationInstanceType 372 | SecurityGroupIds: 373 | - !Ref ApplicationSg 374 | SubnetId: !Ref ApplicationSubnet1 375 | BlockDeviceMappings: 376 | - DeviceName: /dev/xvda 377 | Ebs: 378 | VolumeSize: !Ref ApplicationInstanceDiskSize 379 | Tags: 380 | - Key: Name 381 | Value: !Sub "${AWS::StackName}-application-instance-1" 382 | UserData: 383 | Fn::Base64: !Sub | 384 | #!/bin/bash -ex 385 | 386 | # Configure hostname: 387 | hostnamectl set-hostname ${AWS::StackName}-application1; 388 | 389 | # Configure SSH client alive interval for ssh session timeout: 390 | echo 'ClientAliveInterval 60' | sudo tee --append /etc/ssh/sshd_config; 391 | service sshd restart; 392 | 393 | # Set dark background for vim: 394 | touch /home/ec2-user/.vimrc; 395 | echo "set background=dark" >> /home/ec2-user/.vimrc; 396 | 397 | Application2: 398 | Type: AWS::EC2::Instance 399 | Properties: 400 | ImageId: !Ref ApplicationInstanceAmiId 401 | KeyName: !Ref KeyPairName 402 | InstanceType: !Ref ApplicationInstanceType 403 | SecurityGroupIds: 404 | - !Ref ApplicationSg 405 | SubnetId: !Ref ApplicationSubnet2 406 | BlockDeviceMappings: 407 | - DeviceName: /dev/xvda 408 | Ebs: 409 | VolumeSize: 
!Ref ApplicationInstanceDiskSize 410 | Tags: 411 | - Key: Name 412 | Value: !Sub "${AWS::StackName}-application-instance-2" 413 | UserData: 414 | Fn::Base64: !Sub | 415 | #!/bin/bash -ex 416 | 417 | # Configure hostname: 418 | hostnamectl set-hostname ${AWS::StackName}-application2; 419 | 420 | # Configure SSH client alive interval for ssh session timeout: 421 | echo 'ClientAliveInterval 60' | sudo tee --append /etc/ssh/sshd_config; 422 | service sshd restart; 423 | 424 | # Set dark background for vim: 425 | touch /home/ec2-user/.vimrc; 426 | echo "set background=dark" >> /home/ec2-user/.vimrc; 427 | 428 | # Create security group for bastion host: 429 | BastionSg: 430 | Type: AWS::EC2::SecurityGroup 431 | Properties: 432 | VpcId: !Ref Vpc 433 | GroupName: !Sub "${AWS::StackName}-bastion-sg" 434 | GroupDescription: >- 435 | Access to bastion instance: allow SSH and ICMP access from appropriate 436 | location. Allow all traffic from VPC CIDR 437 | SecurityGroupIngress: 438 | - CidrIp: !Ref AccessLocation 439 | IpProtocol: tcp 440 | FromPort: 22 441 | ToPort: 22 442 | - CidrIp: !Ref AccessLocation 443 | IpProtocol: ICMP 444 | FromPort: -1 445 | ToPort: -1 446 | - CidrIp: !Ref VpcCidr 447 | IpProtocol: "-1" 448 | FromPort: -1 449 | ToPort: -1 450 | SecurityGroupEgress: 451 | - CidrIp: 0.0.0.0/0 452 | IpProtocol: "-1" 453 | FromPort: -1 454 | ToPort: -1 455 | Tags: 456 | - Key: Name 457 | Value: !Sub "${AWS::StackName}-bastion-sg" 458 | 459 | # Create Bastion Host (creates only one bastion host in one AZ): 460 | BastionHost: 461 | Type: AWS::EC2::Instance 462 | Properties: 463 | ImageId: !Ref ApplicationInstanceAmiId 464 | KeyName: !Ref KeyPairName 465 | InstanceType: !Ref ApplicationInstanceType 466 | SecurityGroupIds: 467 | - !Ref BastionSg 468 | SubnetId: !Ref BastionSubnet1 469 | BlockDeviceMappings: 470 | - DeviceName: /dev/xvda 471 | Ebs: 472 | VolumeSize: !Ref ApplicationInstanceDiskSize 473 | Tags: 474 | - Key: Name 475 | Value: !Sub 
"${AWS::StackName}-bastion-host-1" 476 | UserData: 477 | Fn::Base64: !Sub | 478 | #!/bin/bash -ex 479 | 480 | # Install packages: 481 | yum update -y; 482 | yum install htop -y; 483 | 484 | # Configure hostname: 485 | hostnamectl set-hostname ${AWS::StackName}-bastion-host1; 486 | 487 | # Configure SSH client alive interval for ssh session timeout: 488 | echo 'ClientAliveInterval 60' | sudo tee --append /etc/ssh/sshd_config; 489 | service sshd restart; 490 | 491 | # Set dark background for vim: 492 | touch /home/ec2-user/.vimrc; 493 | echo "set background=dark" >> /home/ec2-user/.vimrc; 494 | 495 | # Edit applicaiton security group to allow access from bastion host: 496 | ApplicationSgIngress: 497 | Type: AWS::EC2::SecurityGroupIngress 498 | Properties: 499 | GroupId: !Ref ApplicationSg 500 | IpProtocol: tcp 501 | FromPort: 22 502 | ToPort: 22 503 | SourceSecurityGroupId: !GetAtt BastionSg.GroupId 504 | 505 | Outputs: 506 | SpokeVpcCidr: 507 | Description: Spoke VPC CIDR 508 | Value: !Ref VpcCidr 509 | SpokeVpcId: 510 | Description: Spoke VPC ID 511 | Value: !Ref Vpc 512 | SpokeApplication1PrivateIp: 513 | Description: Spoke VPC Application Instance Private IP 514 | Value: !GetAtt Application1.PrivateIp 515 | SpokeApplication2PrivateIp: 516 | Description: Spoke VPC Application Instance Private IP 517 | Value: !GetAtt Application2.PrivateIp 518 | SpokeApplication1PublicIp: 519 | Description: Spoke VPC Application Instance Public IP 520 | Value: !GetAtt Application1.PublicIp 521 | SpokeApplication2PublicIp: 522 | Description: Spoke VPC Application Instance Public IP 523 | Value: !GetAtt Application2.PublicIp 524 | SpokeBastionHostPublicIp: 525 | Description: Spoke VPC Bastion Instance Public IP 526 | Value: !GetAtt BastionHost.PublicIp 527 | SpokeTgwAttachSubnet1Id: 528 | Description: Spoke VPC TgwAttachSubnet1 ID 529 | Value: !Ref TgwAttachSubnet1 530 | SpokeTgwAttachSubnet2Id: 531 | Description: Spoke VPC TgwAttachSubnet2 ID 532 | Value: !Ref TgwAttachSubnet2 533 | 
SpokeApplicationRouteTableId: 534 | Description: Application Route Table ID 535 | Value: !Ref ApplicationRouteTable 536 | -------------------------------------------------------------------------------- /aws-cloudformation/centralized_architecture/nested-stack/Tgw.yaml: -------------------------------------------------------------------------------- 1 | # Following example shows how to create AWS Transit Gateway and connect with 2 | # Spoke VPCs and with Appliance VPC - hosting virtual appliances behind 3 | # AWS Gateway Load Balancer (GWLB) using AWS CloudFormation. 4 | 5 | # For architecture details refer to blog: 6 | # https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/ 7 | 8 | AWSTemplateFormatVersion: "2010-09-09" 9 | 10 | Description: >- 11 | AWS CloudFormation sample template for TGW setup for Gateway Load Balancer 12 | (GWLB) in centralized architecture. TGW is created in the same AWS account 13 | as Appliance and Spoke VPCs. 14 | 15 | This template creates: 16 | - 1 TGW 17 | - 3 VPC attachments, 2 for Spoke VPCs and one for Appliance VPC 18 | - 2 route tables: Egress and Transit Route Table 19 | - 3 Associations, 2 Spoke VPCs associated with Egress Route Table 20 | and Appliance VPC associated with Transit Route Table 21 | - Creates default route with Appliance VPC attachment as the target in 22 | Egress Route Table 23 | - Creates Spoke VPCs network address routes with appropriate Spoke VPC 24 | attachment as the target in Transit Route Table 25 | - Creates routes in Appliance VPC's Appliance Route Table with Transit 26 | Gateway as the target 27 | 28 | **WARNING** This template creates Transit Gateway with 3 VPC attachments. You 29 | will be billed for the AWS resources used if you create a stack from this template. 
30 | 31 | Metadata: 32 | AWS::CloudFormation::Interface: 33 | ParameterGroups: 34 | - Label: 35 | default: TGW Appliance VPC Configuration 36 | Parameters: 37 | - ApplianceVpcId 38 | - ApplianceVpcTgwAttachSubnet1Id 39 | - ApplianceVpcTgwAttachSubnet2Id 40 | - ApplianceVpcApplianceRtb1Id 41 | - ApplianceVpcApplianceRtb2Id 42 | - Label: 43 | default: TGW Spoke1 VPC Configuration 44 | Parameters: 45 | - Spoke1VpcId 46 | - Spoke1VpcCidr 47 | - Spoke1VpcTgwAttachSubnet1Id 48 | - Spoke1VpcTgwAttachSubnet2Id 49 | - Spoke1VpcRtb1Id 50 | - Label: 51 | default: TGW Spoke2 VPC Configuration 52 | Parameters: 53 | - Spoke2VpcId 54 | - Spoke2VpcCidr 55 | - Spoke2VpcTgwAttachSubnet1Id 56 | - Spoke2VpcTgwAttachSubnet2Id 57 | - Spoke2VpcRtb1Id 58 | - Label: 59 | default: Network CIDR for access 60 | Parameters: 61 | - AccessLocation 62 | ParameterLabels: 63 | # Appliance VPC Parameter Labels: 64 | ApplianceVpcId: 65 | default: Appliane VPC ID 66 | ApplianceVpcTgwAttachSubnet1Id: 67 | default: Appliance VPC Transit Gateway Subnet 1 ID 68 | ApplianceVpcTgwAttachSubnet2Id: 69 | default: Appliance VPC Transit Gateway Subnet 2 ID 70 | ApplianceVpcApplianceRtb1Id: 71 | default: Appliance VPC Appliance Route Table 1 ID 72 | ApplianceVpcApplianceRtb2Id: 73 | default: Appliance VPC Appliance Route Table 2 ID 74 | # Spoke1 VPC Parameter Labels: 75 | Spoke1VpcId: 76 | default: Spoke1 VPC ID 77 | Spoke1VpcCidr: 78 | default: Spoke1 VPC CIDR 79 | Spoke1VpcTgwAttachSubnet1Id: 80 | default: Spoke1 VPC Subnet1 ID 81 | Spoke1VpcTgwAttachSubnet2Id: 82 | default: Spoke1 VPC Subnet2 ID 83 | Spoke1VpcRtb1Id: 84 | default: Spoke1 VPC Application Route Table ID 85 | # Spoke2 VPC Parameter Labels: 86 | Spoke2VpcId: 87 | default: Spoke2 VPC ID 88 | Spoke2VpcCidr: 89 | default: Spoke2 VPC CIDR 90 | Spoke2VpcTgwAttachSubnet1Id: 91 | default: Spoke2 VPC Subnet1 ID 92 | Spoke2VpcTgwAttachSubnet2Id: 93 | default: Spoke2 VPC Subnet2 ID 94 | Spoke2VpcRtb1Id: 95 | default: Spoke2 VPC Application Route Table ID 96 
| # Network CIDR Location: 97 | AccessLocation: 98 | default: Network CIDR for Routing and Access 99 | 100 | Parameters: 101 | # Appliance VPC Parameters: 102 | ApplianceVpcId: 103 | Description: Appliance VPC ID 104 | Type: String 105 | ConstraintDescription: Must be a valid VPC ID 106 | ApplianceVpcTgwAttachSubnet1Id: 107 | Description: Appliance VPC Subnet1 ID for TGW attachment in AZ1 108 | Type: String 109 | ConstraintDescription: Must be a valid Subnet ID 110 | ApplianceVpcTgwAttachSubnet2Id: 111 | Description: Appliance VPC Subnet2 ID for TGW attachment in AZ2 112 | Type: String 113 | ConstraintDescription: Must be a valid Subnet ID 114 | ApplianceVpcApplianceRtb1Id: 115 | Description: Appliance VPC Appliance Route Table 1 ID 116 | Type: String 117 | ConstraintDescription: Must be a valid Route Table ID 118 | ApplianceVpcApplianceRtb2Id: 119 | Description: Appliance VPC Appliance Route Table 2 ID 120 | Type: String 121 | ConstraintDescription: Must be a valid Route Table ID 122 | # Spoke1 VPC Parameters: 123 | Spoke1VpcId: 124 | Description: Spoke1 VPC ID 125 | Type: String 126 | ConstraintDescription: Must be a valid VPC ID 127 | Spoke1VpcCidr: 128 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 129 | Default: 10.0.0.0/24 130 | Description: Spoke1 VPC Network CIDR 131 | Type: String 132 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/y 133 | Spoke1VpcTgwAttachSubnet1Id: 134 | Description: Spoke1 VPC Subnet1 ID for TGW attachment in AZ1 135 | Type: String 136 | ConstraintDescription: Must be a valid Subnet ID 137 | Spoke1VpcTgwAttachSubnet2Id: 138 | Description: Spoke1 VPC Subnet2 ID for TGW attachment in AZ2 139 | Type: String 140 | ConstraintDescription: Must be a valid Subnet ID 141 | Spoke1VpcRtb1Id: 142 | Description: Spoke1 VPC Application Route Table ID 143 | Type: String 144 | ConstraintDescription: Must be a valid Route Table 
ID 145 | # Spoke2 VPC Parameters: 146 | Spoke2VpcId: 147 | Description: Spoke2 VPC ID 148 | Type: String 149 | ConstraintDescription: Must be a valid VPC ID 150 | Spoke2VpcCidr: 151 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(1[6-9]|2[0-8]))$" 152 | Default: 10.0.1.0/24 153 | Description: Spoke2 VPC Network CIDR 154 | Type: String 155 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/y 156 | Spoke2VpcTgwAttachSubnet1Id: 157 | Description: Spoke2 VPC Subnet1 ID for TGW attachment in AZ1 158 | Type: String 159 | ConstraintDescription: Must be a valid Subnet ID 160 | Spoke2VpcTgwAttachSubnet2Id: 161 | Description: Spoke2 VPC Subnet2 ID for TGW attachment in AZ2 162 | Type: String 163 | ConstraintDescription: Must be a valid Subnet ID 164 | Spoke2VpcRtb1Id: 165 | Description: Spoke2 VPC Application Route Table ID 166 | Type: String 167 | ConstraintDescription: Must be a valid Route Table ID 168 | # Network CIDR Parameter (used as a route destination in this template, not as a security group source): 169 | AccessLocation: 170 | Description: >- 171 | Network CIDR that is routed through the Appliance VPC for inspection. In this template it is the DestinationCidrBlock of the default route in the TGW Egress Route Table and of the Spoke VPC routes that point at the TGW; it is not used as a security group source. 
172 | The default 0.0.0.0/0 sends all non-local Spoke traffic to the appliances, which is the intended behaviour for centralized inspection; narrow it only if you deliberately want to steer just a subset of destinations through the appliances 173 | AllowedPattern: "^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))$" 174 | MinLength: "9" 175 | MaxLength: "18" 176 | Default: 0.0.0.0/0 177 | Type: String 178 | ConstraintDescription: Must be a valid Network CIDR of the form x.x.x.x/y 179 | 180 | Resources: 181 | # Create Transit Gateway. AutoAcceptSharedAttachments is enabled, which auto-accepts attachment requests from any account this TGW is shared with via AWS RAM; since the TGW is meant to live in the same account as the VPCs (see Description), consider 'disable' unless cross-account sharing is intended. Default route table association/propagation are disabled so only the explicit associations and routes below exist: 182 | Tgw1: 183 | Type: AWS::EC2::TransitGateway 184 | Properties: 185 | AmazonSideAsn: 64512 186 | AutoAcceptSharedAttachments: enable 187 | DefaultRouteTableAssociation: disable 188 | DefaultRouteTablePropagation: disable 189 | Description: Transit Gateway 1 for GWLB Centralized Architecture 190 | DnsSupport: enable 191 | Tags: 192 | - Key: Name 193 | Value: !Sub "${AWS::StackName}-tgw-1" 194 | VpnEcmpSupport: enable 195 | 196 | # Create Transit Gateway Attachments: 197 | Tgw1ApplianceVpcAttachment: 198 | Type: AWS::EC2::TransitGatewayAttachment 199 | Properties: 200 | Options: 201 | ApplianceModeSupport: "enable" 202 | SubnetIds: 203 | - !Ref ApplianceVpcTgwAttachSubnet1Id 204 | - !Ref ApplianceVpcTgwAttachSubnet2Id 205 | TransitGatewayId: !Ref Tgw1 206 | VpcId: !Ref ApplianceVpcId 207 | Tags: 208 | - Key: Name 209 | Value: !Sub "${AWS::StackName}-appliance-vpc-attachment" 210 | 211 | Tgw1Spoke1VpcAttachment: 212 | Type: AWS::EC2::TransitGatewayAttachment 213 | Properties: 214 | SubnetIds: 215 | - !Ref Spoke1VpcTgwAttachSubnet1Id 216 | - !Ref Spoke1VpcTgwAttachSubnet2Id 217 | TransitGatewayId: !Ref Tgw1 218 | VpcId: !Ref Spoke1VpcId 219 | Tags: 220 | - Key: Name 221 | Value: !Sub "${AWS::StackName}-spoke1-vpc-attachment" 222 | 223 | Tgw1Spoke2VpcAttachment: 224 | Type: AWS::EC2::TransitGatewayAttachment 225 | Properties: 226 | SubnetIds: 227 | - !Ref Spoke2VpcTgwAttachSubnet1Id 228 | - !Ref Spoke2VpcTgwAttachSubnet2Id 229 | TransitGatewayId: !Ref Tgw1 230 | VpcId: !Ref Spoke2VpcId 231 | Tags: 232 | - Key: Name 233 | Value: !Sub "${AWS::StackName}-spoke2-vpc-attachment" 234 | 235 
| # Create Transit Gateway Route Tables: 236 | Tgw1TransitRtb: 237 | Type: AWS::EC2::TransitGatewayRouteTable 238 | Properties: 239 | Tags: 240 | - Key: Name 241 | Value: !Sub "${AWS::StackName}-tgw-transit-rtb" 242 | TransitGatewayId: !Ref Tgw1 243 | 244 | Tgw1EgressRtb: 245 | Type: AWS::EC2::TransitGatewayRouteTable 246 | Properties: 247 | Tags: 248 | - Key: Name 249 | Value: !Sub "${AWS::StackName}-tgw-egress-rtb" 250 | TransitGatewayId: !Ref Tgw1 251 | 252 | # Create Transit Gateway Attachment Associations: 253 | Tgw1ApplianceVpcAttachmentAssociation: 254 | Type: AWS::EC2::TransitGatewayRouteTableAssociation 255 | Properties: 256 | TransitGatewayAttachmentId: !Ref Tgw1ApplianceVpcAttachment 257 | TransitGatewayRouteTableId: !Ref Tgw1TransitRtb 258 | 259 | Tgw1Spoke1VpcAttachmentAssociation: 260 | Type: AWS::EC2::TransitGatewayRouteTableAssociation 261 | Properties: 262 | TransitGatewayAttachmentId: !Ref Tgw1Spoke1VpcAttachment 263 | TransitGatewayRouteTableId: !Ref Tgw1EgressRtb 264 | 265 | Tgw1Spoke2VpcAttachmentAssociation: 266 | Type: AWS::EC2::TransitGatewayRouteTableAssociation 267 | Properties: 268 | TransitGatewayAttachmentId: !Ref Tgw1Spoke2VpcAttachment 269 | TransitGatewayRouteTableId: !Ref Tgw1EgressRtb 270 | 271 | # Create Transit Gateway Routes: 272 | Tgw1Route1: 273 | Type: AWS::EC2::TransitGatewayRoute 274 | Properties: 275 | TransitGatewayAttachmentId: !Ref Tgw1Spoke1VpcAttachment 276 | DestinationCidrBlock: !Ref Spoke1VpcCidr 277 | TransitGatewayRouteTableId: !Ref Tgw1TransitRtb 278 | 279 | Tgw1Route2: 280 | Type: AWS::EC2::TransitGatewayRoute 281 | Properties: 282 | TransitGatewayAttachmentId: !Ref Tgw1Spoke2VpcAttachment 283 | DestinationCidrBlock: !Ref Spoke2VpcCidr 284 | TransitGatewayRouteTableId: !Ref Tgw1TransitRtb 285 | 286 | Tgw1Route3: 287 | Type: AWS::EC2::TransitGatewayRoute 288 | Properties: 289 | TransitGatewayAttachmentId: !Ref Tgw1ApplianceVpcAttachment 290 | DestinationCidrBlock: !Ref AccessLocation 291 | 
TransitGatewayRouteTableId: !Ref Tgw1EgressRtb 292 | 293 | # Add TGW as Target to VPC Route Tables. A VPC route to a TGW can only be created once that VPC's own attachment exists, hence the explicit DependsOn on each VPC's attachment: 294 | # Appliance VPC route table configuration: 295 | # AZ1: 296 | AddRoute1ApplianceVpc: 297 | DependsOn: 298 | - Tgw1 299 | - Tgw1ApplianceVpcAttachment 300 | Type: AWS::EC2::Route 301 | Properties: 302 | DestinationCidrBlock: !Ref Spoke1VpcCidr 303 | TransitGatewayId: !Ref Tgw1 304 | RouteTableId: !Ref ApplianceVpcApplianceRtb1Id 305 | 306 | AddRoute2ApplianceVpc: 307 | DependsOn: [Tgw1, Tgw1ApplianceVpcAttachment] 308 | Type: AWS::EC2::Route 309 | Properties: 310 | DestinationCidrBlock: !Ref Spoke2VpcCidr 311 | TransitGatewayId: !Ref Tgw1 312 | RouteTableId: !Ref ApplianceVpcApplianceRtb1Id 313 | # AZ2: 314 | AddRoute3ApplianceVpc: 315 | DependsOn: [Tgw1, Tgw1ApplianceVpcAttachment] 316 | Type: AWS::EC2::Route 317 | Properties: 318 | DestinationCidrBlock: !Ref Spoke1VpcCidr 319 | TransitGatewayId: !Ref Tgw1 320 | RouteTableId: !Ref ApplianceVpcApplianceRtb2Id 321 | 322 | AddRoute4ApplianceVpc: 323 | DependsOn: [Tgw1, Tgw1ApplianceVpcAttachment] 324 | Type: AWS::EC2::Route 325 | Properties: 326 | DestinationCidrBlock: !Ref Spoke2VpcCidr 327 | TransitGatewayId: !Ref Tgw1 328 | RouteTableId: !Ref ApplianceVpcApplianceRtb2Id 329 | 330 | # Spoke1 VPC route table configuration: 331 | AddRoute1Spoke1Vpc: 332 | DependsOn: [Tgw1, Tgw1Spoke1VpcAttachment] 333 | Type: AWS::EC2::Route 334 | Properties: 335 | DestinationCidrBlock: !Ref AccessLocation 336 | TransitGatewayId: !Ref Tgw1 337 | RouteTableId: !Ref Spoke1VpcRtb1Id 338 | 339 | # Spoke2 VPC route table configuration (must depend on the Spoke2 attachment, not Spoke1's, or route creation can race the attachment): 340 | AddRoute1Spoke2Vpc: 341 | DependsOn: [Tgw1, Tgw1Spoke2VpcAttachment] 342 | Type: AWS::EC2::Route 343 | Properties: 344 | DestinationCidrBlock: !Ref AccessLocation 345 | TransitGatewayId: !Ref Tgw1 346 | RouteTableId: !Ref Spoke2VpcRtb1Id 347 | 348 | Outputs: 349 | TgwId: 350 | Description: TGW ID 351 | Value: !Ref Tgw1 352 | TgwApplianceVpcAttachmendId: 353 | Description: Appliance VPC Attachment 
ID 354 | Value: !Ref Tgw1ApplianceVpcAttachment -------------------------------------------------------------------------------- /aws-cloudformation/distributed_architecture/README.md: -------------------------------------------------------------------------------- 1 | ### AWS Gateway Load Balancer In Distributed Architecture 2 | 3 | ## Welcome 4 | 5 | * For more details, refer to blog: **[Scaling network traffic inspection using AWS Gateway Load Balancer](https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-network-traffic-inspection-using-aws-gateway-load-balancer/)** 6 | 7 | * This section contains sample AWS Cloudformation templates that demonstrates how to create distributed architecture using AWS Gateway Load Balancer and Gateway Load Balancer Endpoints from templates that are written in YAML. 8 | 9 | ![](images/gwlb_distributed_architecture.jpg) 10 | 11 | * **Launch GWLB Appliance VPC Sample template before launching GWLB Spoke VPC Sample template.** 12 | * Appliance creates VPC Endpoint Service Name required for the Spoke VPC. 
Spoke VPC creates Gateway Load Balancer Endpoint using the VPC Endpoint Service created by Appliance VPC 13 | 14 | ### **Appliance VPC:** 15 | * [GWLB Appliance VPC Sample](DistributedArchitectureApplianceVpc2Az.yaml) 16 | 17 | ### **Spoke VPC:** 18 | * [GWLB Spoke VPC Sample](DistributedArchitectureSpokeVpc2Az.yaml) 19 | -------------------------------------------------------------------------------- /aws-cloudformation/distributed_architecture/images/gwlb_distributed_architecture.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/distributed_architecture/images/gwlb_distributed_architecture.jpg -------------------------------------------------------------------------------- /aws-cloudformation/gwlb/GwlbWithTargetGroupAndListenerSample.yaml: -------------------------------------------------------------------------------- 1 | # Following example shows how to create AWS Gateway Load Balancer, 2 | # target group and listener using AWS CloudFormation. It also registers 3 | # targets with target group. 4 | 5 | AWSTemplateFormatVersion: "2010-09-09" 6 | 7 | Description: >- 8 | AWS CloudFormation Sample Template for Gateway Load Balancer (GWLB). 9 | 10 | This template creates: 11 | - 1 GWLB 12 | - 1 Target group for GWLB 13 | - 1 Listener for GWLB 14 | - Registers 2 appliance instances with the target group attached to the GWLB 15 | 16 | **WARNING** This template creates a Gateway Load Balancer. You will be billed 17 | for the AWS resources used if you create a stack from this template. 
18 | 19 | Metadata: 20 | AWS::CloudFormation::Interface: 21 | ParameterGroups: 22 | - Label: 23 | default: 'Gateway Load Balancer Configuration' 24 | Parameters: 25 | - GwlbName 26 | - GwlbSubnets 27 | - Label: 28 | default: 'Target Group Configuration' 29 | Parameters: 30 | - TargetGroupName 31 | - HealthPort 32 | - HealthProtocol 33 | - VpcId 34 | - Appliance1InstanceId 35 | - Appliance2InstanceId 36 | ParameterLabels: 37 | GwlbName: 38 | default: Gateway Load Balancer Name 39 | GwlbSubnets: 40 | default: List of Subnet Ids for GWLB 41 | TargetGroupName: 42 | default: Target Group Name 43 | HealthPort: 44 | default: Health Check Port 45 | HealthProtocol: 46 | default: Health Check Protocol 47 | VpcId: 48 | default: VPC Id for target group 49 | Appliance1InstanceId: 50 | default: Appliance 1 instance id 51 | Appliance2InstanceId: 52 | default: Appliance 2 instance id 53 | 54 | Parameters: 55 | GwlbName: 56 | Description: >- 57 | Gateway Load Balancer name. This name must be unique within your AWS 58 | account and can have a maximum of 32 alphanumeric characters and 59 | hyphens. A name cannot begin or end with a hyphen. 60 | Type: String 61 | Default: gwlb1 62 | ConstraintDescription: Must be a valid GWLB Name 63 | GwlbSubnets: 64 | Description: >- 65 | List of subnet IDs to associate with your GWLB, at most one per Availability Zone. 66 | (e.g., subnet-123a351e,subnet-456a351e) 67 | Type: List<AWS::EC2::Subnet::Id> 68 | ConstraintDescription: Must be a valid list of subnet ids 69 | TargetGroupName: 70 | Description: Target Group Name 71 | Type: String 72 | Default: tg1 73 | ConstraintDescription: Must be a valid target group name 74 | HealthProtocol: 75 | Description: >- 76 | The protocol the Gateway Load Balancer uses when performing health checks on 77 | targets. The default is HTTP. 
78 | Type: String 79 | Default: HTTP 80 | AllowedValues: ['TCP', 'HTTP', 'HTTPS'] 81 | ConstraintDescription: Must be a valid health check protocol 82 | HealthPort: 83 | Description: >- 84 | The port the load balancer uses when performing health checks 85 | on targets. For Gateway Load Balance specify port other then the 86 | traffic port. 87 | Type: String 88 | Default: '80' 89 | ConstraintDescription: Must be a valid health check port 90 | VpcId: 91 | Description: VPC Id to associate with target group. (e.g. vpc-a123baa3 ) 92 | Type: AWS::EC2::VPC::Id 93 | ConstraintDescription: Must be a valid VPC Id 94 | Appliance1InstanceId: 95 | Description: Appliance1 instnace id to register with target group. (e.g. i-02aff411247212745 ) 96 | Type: AWS::EC2::Instance::Id 97 | ConstraintDescription: Must be a valid EC2 instane id 98 | Appliance2InstanceId: 99 | Description: Appliance2 instnace id to register with target group. (e.g. i-02aff411247212745 ) 100 | Type: AWS::EC2::Instance::Id 101 | ConstraintDescription: Must be a valid EC2 instane id 102 | 103 | Resources: 104 | Gwlb: 105 | Type: AWS::ElasticLoadBalancingV2::LoadBalancer 106 | Properties: 107 | Name: !Ref GwlbName 108 | Type: gateway 109 | Subnets: !Ref GwlbSubnets 110 | 111 | TargetGroup: 112 | Type: AWS::ElasticLoadBalancingV2::TargetGroup 113 | Properties: 114 | Name: !Ref TargetGroupName 115 | Port: 6081 116 | Protocol: GENEVE 117 | HealthCheckPort: !Ref HealthPort 118 | HealthCheckProtocol: !Ref HealthProtocol 119 | TargetGroupAttributes: 120 | - Key: deregistration_delay.timeout_seconds 121 | Value: 20 122 | VpcId: !Ref VpcId 123 | TargetType: instance 124 | Targets: 125 | - Id: !Ref Appliance1InstanceId 126 | - Id: !Ref Appliance2InstanceId 127 | Tags: 128 | - Key: Name 129 | Value: !Join 130 | - "" 131 | - - !Ref AWS::StackName 132 | - "-tg1" 133 | 134 | Listener: 135 | Type: AWS::ElasticLoadBalancingV2::Listener 136 | Properties: 137 | DefaultActions: 138 | - Type: forward 139 | TargetGroupArn: !Ref 
TargetGroup 140 | LoadBalancerArn: !Ref Gwlb 141 | 142 | Outputs: 143 | SpGwlbArn: 144 | Description: Service Provider Gwlb ARN 145 | Value: !Ref Gwlb 146 | SpTgArn: 147 | Description: Service Provider Target Group ARN 148 | Value: !Ref TargetGroup -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/EgressVpcNatGw.md: -------------------------------------------------------------------------------- 1 | ## AWS GWLB + VPC Routing Enhancement + NAT GW Validation: 2 | 3 | ### Welcome 4 | 5 | * This section walks you through steps to validate traffic inspection between private resources and NAT gateway using VPC routing enhancemnts and GWLB endpoint. 6 | 7 | ### Testing: 8 | 9 | 1. Using Session Manager, connect to Appliance 1 running in Inspection VPC: 10 | 11 | ![](images/connect_appliance_1_a.jpg) 12 | *Figure 1: Select appliance 1 and click on Connect* 13 | 14 | ![](images/connect_appliance_1_b.jpg) 15 | *Figure 2: Select Session Manager and click on Connect* 16 | 17 | ![](images/connect_appliance_1_c.jpg) 18 | *Figure 3: Appliance 1* 19 | 20 | 21 | 2. Using Session Manager, connection to Server 1 running in Egress VPC: 22 | 23 | ![](images/egress/egress_connect_server_1_a.jpg) 24 | *Figure 4: Select server 1 and click on Connect* 25 | 26 | 27 | ![](images/egress/egress_connect_server_1_b.jpg) 28 | *Figure 5: Select Session Manager and click on Connect* 29 | 30 | 31 | ![](images/egress/egress_connect_server_1_c.jpg) 32 | *Figure 6: Server 1* 33 | 34 | 35 | 3. Verify the IP address for the server: 36 | 37 | ![](images/egress/egress_server_1_ip.jpg) 38 | *Figure 7: Server 1 IP address* 39 | 40 | 41 | 4. Capture GENEVE traffic using tcpdump: 42 | 43 | The following tcpdump command filters traffic based inside packet source and destination IP and protocol. 
44 | 45 | * 0x0a0015f3 = 10.0.21.243, IP address of server 1 46 | * 0x6354434a = 99.84.67.74, IP address for aws.amazon.com (the addresses below are from the author's deployment; substitute the ones you observe and convert them to hex) 47 | * 0x01 = ICMP 48 | 49 | ```bash 50 | sudo tcpdump -ni eth0 "(ether[94:4]=0x0a0015f3 or ether[94:4]=0x6354434a) and (ether[91:1]=0x01)" 51 | ``` 52 | 53 | ![](images/egress/egress_appliance_1_tcpdump.jpg) 54 | *Figure 8: Capture GENEVE traffic on appliance 1* 55 | 56 | 57 | 5. From Server 1, access a resource on Internet: 58 | 59 | ![](images/egress/egress_acccess_internet_resource.jpg) 60 | *Figure 9: Access Internet resource from server 1* 61 | 62 | 63 | 6. Verify traffic being processed by Appliance 1: 64 | 65 | * In Figure 10 below, you can see server 1's IP address. 66 | * While verifying traffic on the inspection appliance, you notice 2 packets for each flow. This is because the sample inspection appliance is set up in [hairpin mode](../../aws-cli/gwlb/configure_iptables_al2.md). In this mode, it sends all the traffic that it receives from GWLB back to GWLB on the same interface without inspecting or filtering it, so the capture proves the traffic path, not any enforcement. 67 | 68 | ![](images/egress/egress_verify_appliance_1.jpg) 69 | *Figure 10: Verify traffic is being processed by appliance 1* 70 | -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/IngressVpcAlb.md: -------------------------------------------------------------------------------- 1 | ## AWS GWLB + VPC Routing Enhancement + ALB Validation: 2 | 3 | ### Welcome 4 | 5 | * This section walks you through steps to validate ingress traffic inspection with ALB - using VPC routing enhancements and GWLB endpoint. 6 | 7 | ### Testing: 8 | 9 | 1. 
Using Session Manager, connect to Appliance 1 running in Inspection VPC: 10 | 11 | ![](images/connect_appliance_1_a.jpg) 12 | *Figure 1: Select appliance 1 and click on Connect* 13 | 14 | ![](images/connect_appliance_1_b.jpg) 15 | *Figure 2: Select Session Manager and click on Connect* 16 | 17 | ![](images/connect_appliance_1_c.jpg) 18 | *Figure 3: Appliance 1* 19 | 20 | 2. Using Session Manager, connection to Server 1 and Server 2 running in Ingress VPC: 21 | 22 | ![](images/ingress/ingress_connect_server_1_a.jpg) 23 | *Figure 7: Select server 1 and click on Connect* 24 | 25 | ![](images/ingress/ingress_connect_server_1_b.jpg) 26 | *Figure 8: Select Session Manager and click on Connect* 27 | 28 | ![](images/ingress/ingress_connect_server_1_c.jpg) 29 | *Figure 9: Server 1* 30 | 31 | ![](images/ingress_connect_server_2_a.jpg) 32 | *Figure 10: Select server 2 and click on Connect* 33 | 34 | ![](images/ingress/ingress_connect_server_2_b.jpg) 35 | *Figure 11: Select Session Manager and click on Connect* 36 | 37 | ![](images/ingress/ingress_connect_server_2_c.jpg) 38 | *Figure 12: Server 2* 39 | 40 | 3. Verify the IP address for the servers: 41 | 42 | ![](images/ingress/ingress_server_1_ip.jpg) 43 | *Figure 13: Server 1 IP address* 44 | 45 | ![](images/ingress/ingress_server_2_ip.jpg) 46 | *Figure 14: Server 2 IP address* 47 | 48 | 4. Capture GENEVE traffic using tcpdump. 49 | 50 | The following tcpdump command filters traffic based inside packet source and destination IP and protocol. 
51 | 52 | * 0x0a011544 = 10.1.21.68, server 1's IP address 53 | * 0x0a011696 = 10.1.22.150, server 2's IP address 54 | * 0x0a010b10 = 10.1.11.16, ALB's AZ1 private IP address 55 | * 0x06 = TCP. The addresses above are from the author's deployment; substitute the ones you observed in step 3 and convert them to hex. The four IP-pair clauses are grouped in parentheses because `and` binds tighter than `or` in tcpdump filters; without the grouping the protocol check would apply only to the last pair. 56 | ```bash 57 | sudo tcpdump -ni eth0 "((ether[94:4]=0x0a010b10 and ether[98:4]=0x0a011544) or (ether[94:4]=0x0a010b10 and ether[98:4]=0x0a011696) or (ether[94:4]=0x0a011544 and ether[98:4]=0x0a010b10) or (ether[94:4]=0x0a011696 and ether[98:4]=0x0a010b10)) and (ether[91:1]=0x06)" 58 | ``` 59 | 60 | ![](images/ingress/ingress_tcpdump_appliance_1.jpg) 61 | *Figure 15: Capture GENEVE traffic on appliance 1* 62 | 63 | 5. Access ALB's FQDN: 64 | 65 | ![](images/ingress/ingress_access_alb_fqdn_server1.jpg) 66 | *Figure 17: Access ALB* 67 | 68 | 6. Verify traffic being processed by respective appliances 69 | 70 | * While verifying traffic on the inspection appliance, you notice 2 packets for each flow. This is because the sample inspection appliance is set up in [hairpin mode](../../aws-cli/gwlb/configure_iptables_al2.md). In this mode, it sends all the traffic that it receives from GWLB back to GWLB on the same interface without inspecting or filtering it. 71 | 72 | ![](images/ingress/ingress_tcpdump_appliance_1_verify_1.jpg) 73 | *Figure 18: Verifying Traffic on Appliance 1* 74 | -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/IngressVpcNlb.md: -------------------------------------------------------------------------------- 1 | ## AWS GWLB + VPC Routing Enhancement + NLB Validation: 2 | 3 | ### Welcome 4 | 5 | * This section walks you through steps to validate ingress traffic inspection with NLB - using VPC routing enhancements and GWLB endpoint. 
6 | 7 | The NLB is configured as follows: 8 | 9 | - NLB has `Preserve client IP addresses` `off` 10 | 11 | ![NLB Preserve client IP addresses off](./images/ingress-nlb/nlb-target-group-preserve-client-ip-off.png) 12 | 13 | - NLB targets instances using their IDs 14 | 15 | ![NLB target instances by ID](./images/ingress-nlb/nlb-target-group-target-instance-id.png) 16 | 17 | ### Testing: 18 | 19 | 1. Using Session Manager, connect to Appliance 1 running in the Inspection VPC: 20 | 21 | ![EC2 console connect to appliance 1](images/ingress-nlb/connect_appliance_1_a.png) 22 | 23 | *Figure 1: Select appliance 1 and click on Connect* 24 | 25 | ![appliance 1 session manager connect](images/ingress-nlb/connect_appliance_1_b.png) 26 | 27 | *Figure 2: Select Session Manager and click on Connect* 28 | 29 | ![appliance 1 session manager](images/ingress-nlb/connect_appliance_1_c.png) 30 | 31 | *Figure 3: Appliance 1* 32 | 33 | 2. Using Session Manager, connection to Server 1 and Server 2 running in Ingress VPC: 34 | 35 | ![EC2 console connect to server 1](images/ingress-nlb/ingress_connect_server_1_a.png) 36 | 37 | *Figure 7: Select server 1 and click on Connect* 38 | 39 | ![server 1 session manager connect](images/ingress-nlb/ingress_connect_server_1_b.png) 40 | 41 | *Figure 8: Select Session Manager and click on Connect* 42 | 43 | ![server 1 session manager](images/ingress-nlb/ingress_connect_server_1_c.png) 44 | 45 | *Figure 9: Server 1* 46 | 47 | ![EC2 console connect to server 2](images/ingress-nlb/ingress_connect_server_2_a.png) 48 | 49 | *Figure 10: Select server 2 and click on Connect* 50 | 51 | ![server 2 session manager connect](images/ingress-nlb/ingress_connect_server_2_b.png) 52 | 53 | *Figure 11: Select Session Manager and click on Connect* 54 | 55 | ![server 2 session manager](images/ingress-nlb/ingress_connect_server_2_c.png) 56 | 57 | *Figure 12: Server 2* 58 | 59 | 3. 
Verify the IP address for the servers: 60 | 61 | ![Server 1 IP address](images/ingress-nlb/ingress_server_1_ip.png) 62 | 63 | *Figure 13: Server 1 IP address* 64 | 65 | ![Server 2 IP address](images/ingress-nlb/ingress_server_2_ip.png) 66 | 67 | *Figure 14: Server 2 IP address* 68 | 69 | 4. Capture GENEVE traffic using tcpdump. 70 | 71 | The following tcpdump command filters on the inner (encapsulated) packet's source and destination IP addresses and protocol; the byte offsets 91, 94 and 98 point at the inner IP header's protocol, source and destination fields as they sit inside GWLB's GENEVE encapsulation. The addresses below are from the author's deployment; substitute the ones you observed in step 3 and convert them to hex. 72 | 73 | * 0x0a0115c8 = 10.1.21.200, server 1's IP address 74 | * 0x0a0116e1 = 10.1.22.225, server 2's IP address 75 | * 0x0a010bfc = 10.1.11.252, NLB's AZ1 private IP address 76 | * 0x06 = TCP. The four IP-pair clauses are grouped in parentheses because `and` binds tighter than `or` in tcpdump filters; without the grouping the protocol check would apply only to the last pair. 77 | ```bash 78 | sudo tcpdump -ni eth0 "((ether[94:4]=0x0a010bfc and ether[98:4]=0x0a0115c8) or (ether[94:4]=0x0a010bfc and ether[98:4]=0x0a0116e1) or (ether[94:4]=0x0a0115c8 and ether[98:4]=0x0a010bfc) or (ether[94:4]=0x0a0116e1 and ether[98:4]=0x0a010bfc)) and (ether[91:1]=0x06)" 79 | ``` 80 | 81 | ![tcp dump command on appliance 1](images/ingress-nlb/ingress_tcpdump_appliance_1.png) 82 | 83 | *Figure 15: Capture GENEVE traffic on appliance 1* 84 | 85 | 5. Access NLB's FQDN on HTTP: 86 | 87 | ![NLB FQDN on browser](images/ingress-nlb/ingress_access_nlb_fqdn_server1.png) 88 | *Figure 17: Access NLB* 89 | 90 | 6. Verify traffic being processed by respective appliances 91 | 92 | * While verifying traffic on the inspection appliance, you notice 2 packets for each flow. This is because the sample inspection appliance is set up in [hairpin mode](../../aws-cli/gwlb/configure_iptables_al2.md). In this mode, it sends all the traffic that it receives from GWLB back to GWLB on the same interface without inspecting or filtering it. 
93 | 94 | ![tcp dump result on appliance 1](images/ingress-nlb/ingress_tcpdump_appliance_1_verify_1.png) 95 | *Figure 18: Verifying Traffic on Appliance 1* 96 | -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/README.md: -------------------------------------------------------------------------------- 1 | ### VPC Routing Enhancement Based Architectures 2 | 3 | ## Welcome 4 | 5 | * [Introduction](#introduction) 6 | * [Deploying templates](#deploying-templates) 7 | * [Inspection VPC](#inspection-vpc) 8 | * [Spoke VPCs](#spoke-vpcs) 9 | * [Inspect traffic between resources in private subnet and NAT gateway](#inspect-traffic-between-resources-in-private-subnet-and-nat-gateway) 10 | * [Application Load Balancer based ingress traffic inspection](#application-load-balancer-based-ingress-traffic-inspection) 11 | 12 | ## Introduction: 13 | 14 | * [New VPC routing enhancements](https://aws.amazon.com/about-aws/whats-new/2021/08/amazon-vpc-subnets/) allows you to configure routes in your subnet route tables to forward traffic between two subnets in a VPC, via virtual appliances such as network firewalls, intrusion detection and protection systems, etc. Routing enhancements allow you to route traffic between two subnets to a middlebox appliance. You can do so by creating a route for one subnet route table that matches the subnet CIDR of the other subnet and specifies a Gateway Load Balancer (GWLB) endpoint, NAT gateway, Network Firewall endpoint, or the network interface for an appliance as a target. Alternatively, to redirect all traffic from the subnet to any other subnet, replace the target of the local route with a Gateway Load Balancer endpoint, NAT gateway, or network interface. 
15 | 16 | For more details, refer to [Routing for a middlebox appliance Example](https://docs.aws.amazon.com/vpc/latest/userguide/route-table-options.html#route-tables-appliance-routing), [Amazon VPC Routing Enhancements Allow You to Inspect Traffic Between Subnets In a VPC blog](https://aws.amazon.com/blogs/aws/inspect-subnet-to-subnet-traffic-with-amazon-vpc-more-specific-routing/) and [VPC Routing Enhancements and GWLB Deployment Patterns blog](https://aws.amazon.com/blogs/networking-and-content-delivery/vpc-routing-enhancements-and-gwlb-deployment-patterns/). 17 | 18 | * This section contains sample AWS Cloudformation templates that demonstrates how to create inspection architecture using AWS Gateway Load Balancer, Gateway Load Balancer Endpoints and VPC routing enhancements from templates that are written in YAML. Templates are for sample purpose. 19 | 20 | ## Deploying templates: 21 | 22 | * VPC routing enhancements based architectures are deployed using a distributed model. In a distributed model 23 | * GWLB and inspection appliances are hosted in a separate VPC. In this section, this vpc is referred to as *Inspection VPC* 24 | * GWLB endpoints are created/distributed across different VPCs whose traffic needs to be inspected. In this section, these different VPCs are referred to as *Egress VPC, Ingress VPC, Spoke VPC* etc. 25 | * These distributed endpoints are connected to GWLB based VPC endpoint service hosted Inspection VPC 26 | 27 | * **You first need to create/deploy Inspection VPC sample template followed by Spoke VPCs.** 28 | 29 | ## Inspection VPC: 30 | 31 | * [Sample template: Inspection VPC](templates/InspectionVpc.yaml) when deployed, creates architecture as depicted in Figure 1. The architecture creates Inspection VPC consisting of GWLB, inspection appliances and GWLB based endpoint service. 
32 | 33 | ![](images/inspection_vpc.jpg) 34 | *Figure 1: Inspection VPC* 35 | 36 | The inspection appliance consists of [Amazon Linux 2 EC2 instances configured in hairpin mode](../../aws-cli/gwlb/configure_iptables_al2.md). In this mode, the appliance sends all the traffic that it receives from GWLB back to GWLB on the same interface, unmodified and unfiltered. It exists only to prove the traffic path (you can observe the packets with tcpdump); it performs no inspection or enforcement, so replace it with a real security appliance before relying on this architecture as a control. 37 | 38 | ## Spoke VPCs: 39 | 40 | * ### Inspect traffic between resources in private subnet and NAT gateway: 41 | 42 | * ***Note:** Before deploying the following template, make sure you have created/deployed Inspection VPC template* 43 | 44 | * [Sample template: Inspect traffic between private resource and NAT gateway](templates/EgressVpcNatGw.yaml) when deployed, creates architecture as depicted in Figure 2. The architecture allows you to inspect traffic between private resources and NAT gateway using VPC routing enhancements and GWLB endpoint. 45 | 46 | ![](images/egress/egress_inspection_natgw_vpc_re_gwlbe.jpg) 47 | *Figure 2: Inspecting traffic between private workload and NAT gateway* 48 | 49 | * Validation Steps: 50 | * [Validation: Inspect traffic between private resource and NAT gateway](EgressVpcNatGw.md) 51 | 52 | * ### Application Load Balancer based ingress traffic inspection: 53 | 54 | * ***Note:** Before deploying the following template, make sure you have created/deployed Inspection VPC template* 55 | 56 | * [Sample template: Inspect ingress traffic with ALB](templates/IngressVpcAlb.yaml) template when deployed successfully, creates architecture as depicted in Figure 3. The architecture allows you to inspect ingress traffic with ALB. Using VPC routing enhancements and a GWLB endpoint, traffic between the ALB and the application is routed to the inspection appliance in the Inspection VPC. Spoke VPC in the Figure 3 is referred to as Ingress VPC. 57 | 58 | Architecture also consists of NAT GW. NAT GW allows resources in private subnet to communicate with resources on Internet. 
Traffic between private resources and the NAT GW is also routed to the inspection appliance.

![](images/ingress/ingress_inspection_elb_vpc_re_gwlbe.jpg)
*Figure 3: Ingress traffic inspection with ALB*

* Validation Steps:
* [Validation: Inspect ingress traffic with ALB](IngressVpcAlb.md)

* ### Network Load Balancer based ingress traffic inspection:

* ***Note:** Before deploying the following template, make sure you have created/deployed the Inspection VPC template*

* [Sample template: Inspect ingress traffic with NLB](templates/IngressVpcNlb.yaml), when deployed successfully, creates the architecture depicted in Figure 4. The architecture allows you to inspect ingress traffic with an NLB. Using VPC routing enhancements, traffic between the NLB and the application is routed through the GWLB endpoint to the inspection appliance in the Inspection VPC. The Spoke VPC in Figure 4 is referred to as the Ingress VPC.

The architecture also includes a NAT GW, which allows resources in the private subnet to communicate with resources on the Internet. Traffic between private resources and the NAT GW is also routed to the inspection appliance.

> [!NOTE]
> The target group must have client IP preservation **disabled** for this architecture to work. With client IP preservation disabled the NLB source-NATs the connection, so the application targets (and the inspection appliance that sits in the NLB-to-application path) see the NLB's private IP as the source address rather than the original client IP. Inspection rules or log correlation that depend on the real client address must obtain it another way (for example from NLB access logs or Proxy Protocol v2).

> [!NOTE]
> In the provided CloudFormation template, the target group uses the EC2 instance ID for its targets. Registering the EC2 instance's private IP as an IP target will also work.
79 | 80 | ![ingress inspection with NLB for VPC routing enhancements with GWLBE](images/ingress-nlb/ingress_inspection_nlb_vpc_re_gwlbe.png) 81 | *Figure 4: Ingress traffic inspection with NLB* 82 | 83 | * Validation Steps: 84 | * [Validation: Inspect ingress traffic with NLB](IngressVpcNlb.md) 85 | -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_1_a.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_1_a.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_1_b.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_1_b.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_1_c.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_1_c.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_2_a.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_2_a.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_2_b.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_2_b.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_2_c.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/connect_appliance_2_c.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_acccess_internet_resource.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_acccess_internet_resource.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_appliance_1_tcpdump.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_appliance_1_tcpdump.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_connect_server_1_a.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_connect_server_1_a.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_connect_server_1_b.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_connect_server_1_b.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_connect_server_1_c.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_connect_server_1_c.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_inspection_natgw_vpc_re_gwlbe.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_inspection_natgw_vpc_re_gwlbe.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_server_1_ip.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_server_1_ip.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_verify_appliance_1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/egress/egress_verify_appliance_1.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/connect_appliance_1_a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/connect_appliance_1_a.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/connect_appliance_1_b.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/connect_appliance_1_b.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/connect_appliance_1_c.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/connect_appliance_1_c.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_access_nlb_fqdn_server1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_access_nlb_fqdn_server1.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_1_a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_1_a.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_1_b.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_1_b.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_1_c.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_1_c.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_2_a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_2_a.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_2_b.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_2_b.png -------------------------------------------------------------------------------- 
/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_2_c.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_connect_server_2_c.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_inspection_nlb_vpc_re_gwlbe.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_inspection_nlb_vpc_re_gwlbe.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_server_1_ip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_server_1_ip.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_server_2_ip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_server_2_ip.png 
-------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_tcpdump_appliance_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_tcpdump_appliance_1.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_tcpdump_appliance_1_verify_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/ingress_tcpdump_appliance_1_verify_1.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/nlb-target-group-preserve-client-ip-off.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/nlb-target-group-preserve-client-ip-off.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/nlb-target-group-target-instance-id.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress-nlb/nlb-target-group-target-instance-id.png -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_access_alb_fqdn_server1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_access_alb_fqdn_server1.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_access_alb_fqdn_server2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_access_alb_fqdn_server2.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_alb_fqdn_1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_alb_fqdn_1.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_1_a.jpg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_1_a.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_1_b.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_1_b.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_1_c.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_1_c.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_2_a.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_2_a.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_2_b.jpg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_2_b.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_2_c.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_connect_server_2_c.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_inspection_elb_vpc_re_gwlbe.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_inspection_elb_vpc_re_gwlbe.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_inspection_elb_vpc_re_gwlbe_delete.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_inspection_elb_vpc_re_gwlbe_delete.jpg -------------------------------------------------------------------------------- 
/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_server_1_ip.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_server_1_ip.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_server_2_ip.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_server_2_ip.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_tcpdump_appliance_1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_tcpdump_appliance_1.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_tcpdump_appliance_1_verify_1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_tcpdump_appliance_1_verify_1.jpg -------------------------------------------------------------------------------- 
/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_tcpdump_appliance_1_verify_2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/ingress/ingress_tcpdump_appliance_1_verify_2.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/inspection_vpc.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/inspection_vpc.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpc_routing_enhancement_architectures/images/inter_subnet.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-samples/aws-gateway-load-balancer-code-samples/5000a54a281d73f3fcba094b90a50d541f59ed31/aws-cloudformation/vpc_routing_enhancement_architectures/images/inter_subnet.jpg -------------------------------------------------------------------------------- /aws-cloudformation/vpce/GwlbVpcEndpointSample.yaml: -------------------------------------------------------------------------------- 1 | # Following example shows how to create Gateway Load Balancer Endpoint using 2 | # VPC Endpoint Service name using AWS CloudFormation. 3 | 4 | AWSTemplateFormatVersion: '2010-09-09' 5 | 6 | Description: >- 7 | This template creates a Gateway Load Balancer VPC Endpoint. 8 | 9 | **WARNING** This template creates one gateway load balancer endpoint 10 | associated with 1 subnet. 
You will be billed for the AWS resources used 11 | if you create a stack from this template. 12 | 13 | Metadata: 14 | AWS::CloudFormation::Interface: 15 | ParameterGroups: 16 | - Label: 17 | default: Gateway Load Balancer Endpoint Configuration 18 | Parameters: 19 | - VpcId 20 | - VpceSubnetId 21 | - ServiceName 22 | ParameterLabels: 23 | VpcId: 24 | default: The ID of the VPC in which the Gateway Load Balancer endpoint will be created 25 | VpceSubnetId: 26 | default: Subnet Id for Gateway Load Balancer VPC Endpoint 27 | ServiceName: 28 | default: VPC Endpoint Service Name For Gateway Load Balancer Endpoint 29 | 30 | Parameters: 31 | VpcId: 32 | Description: Select VPC Id in which gateway load balancer endpoint will be created 33 | Type: AWS::EC2::VPC::Id 34 | ConstraintDescription: Must be a valid VPC Id 35 | VpceSubnetId: 36 | Description: Select subnet id for gateway load balancer endpoint, only one subnet per AZ 37 | Type: AWS::EC2::Subnet::Id 38 | ConstraintDescription: Must be a valid subnet id 39 | ServiceName: 40 | Description: >- 41 | Enter the name of the service for which you want to create gateway load balancer endpoint. 
42 | Example service name: com.amazonaws.vpce.us-west-2.vpce-svc-0a76331bc5d6cc4cd 43 | Type: String 44 | ConstraintDescription: Must be a valid service name 45 | 46 | Resources: 47 | GwlbVpcEndpoint: 48 | Type: AWS::EC2::VPCEndpoint 49 | Properties: 50 | VpcId: !Ref VpcId 51 | ServiceName: !Ref ServiceName 52 | VpcEndpointType: GatewayLoadBalancer 53 | SubnetIds: 54 | - !Ref VpceSubnetId 55 | 56 | Outputs: 57 | GwlbVpcEndpointId: 58 | Description: Gateway Load Balancer VPC Endpoint ID 59 | Value: !Ref GwlbVpcEndpoint 60 | -------------------------------------------------------------------------------- /aws-cloudformation/vpce/GwlbVpcEndpointServiceSample.yaml: -------------------------------------------------------------------------------- 1 | # Following example shows how to create VPC Endpoint Service using 2 | # Gateway Load Balancer ARN using AWS CloudFormation. It also creates custom 3 | # resource to output the service name. 4 | 5 | AWSTemplateFormatVersion: "2010-09-09" 6 | 7 | Description: This template creates Amazon VPC Endpoint Service. 8 | 9 | Metadata: 10 | AWS::CloudFormation::Interface: 11 | ParameterGroups: 12 | - Label: 13 | default: Endpoint Service Configuration 14 | Parameters: 15 | - ElbArn 16 | - ConnectionAcceptance 17 | - Label: 18 | default: Endpoint Service Permissions 19 | Parameters: 20 | - AwsAccountToWhitelist 21 | ParameterLabels: 22 | ElbArn: 23 | default: >- 24 | ELB Amazon Resource Names (ARNs)for your service. 25 | ConnectionAcceptance: 26 | default: >- 27 | Indicate whether requests from service consumers to create an 28 | endpoint to your service must be accepted. 29 | AwsAccountToWhitelist: 30 | default: >- 31 | The Amazon Resource Names (ARN) of one or more principals (IAM users, 32 | IAM roles, and AWS accounts). Permissions are granted to the 33 | principals in this list. 34 | 35 | Parameters: 36 | ElbArn: 37 | Description: >- 38 | Enter Elastic load balancer ARN for your service. 
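This template passes the ARN to GatewayLoadBalancerArns, so it must be the
ARN of a Gateway Load Balancer; a Network Load Balancer ARN is rejected.
    # NOTE(review): the previous description claimed NLB and GWLB were both
    # supported, but the VpcEndpointService resource below only sets
    # GatewayLoadBalancerArns, so an NLB ARN fails at deploy time.
    Type: String
    ConstraintDescription: Must be a valid Gateway Load Balancer ARN
  ConnectionAcceptance:
    Description: >-
      Acceptance required for endpoint connection or not. Select true or
      false to either acceptance required or acceptance not required
      default is set to false: acceptance not required
    # With "false" every endpoint connection request from an allowed principal
    # is auto-accepted. Combined with a wildcard principal (see below) that
    # means anyone who learns the service name can attach a GWLB endpoint and
    # send traffic into the inspection appliances. Use "true" outside a lab.
    Default: "false"
    AllowedValues: ["true", "false"]
    Type: String
    ConstraintDescription: Must be true or false
  AwsAccountToWhitelist:
    Description: >-
      Enter ARN of one or more prinicapls: IAM user, IAM roles and AWS accounts.
      To grant permissions to all principals, specify an asterisk (*).
    # CommaDelimitedList so the "one or more" promised by the description
    # actually works; a single ARN is still accepted unchanged.
    # An asterisk makes the endpoint service connectable from any AWS account;
    # prefer explicit account or role ARNs.
    Type: CommaDelimitedList
    ConstraintDescription: Must be a valid AWS ARN of one or more principals

Resources:
  VpcEndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      GatewayLoadBalancerArns:
        - !Ref ElbArn
      AcceptanceRequired: !Ref ConnectionAcceptance

  VpcEndpointServicePermissions:
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      # Ref of a CommaDelimitedList parameter yields the list directly.
      AllowedPrincipals: !Ref AwsAccountToWhitelist
      ServiceId: !Ref VpcEndpointService

  # Execution role for the custom-resource Lambda below. It only needs to
  # write its own logs and read the endpoint-service configuration.
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"  # quoted so YAML does not parse it as a date
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Scoped to Lambda log groups in this account and region instead
              # of arn:aws:logs:*:*:*; ${AWS::Partition} keeps the ARN valid in
              # non-standard partitions.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*"
              # The handler only calls DescribeVpcEndpointServiceConfigurations;
              # the two other Describe* actions previously granted were unused.
              # ec2:Describe* does not support resource-level permissions, so
              # "*" is the narrowest resource possible here.
              - Effect: Allow
                Action:
                  - ec2:DescribeVpcEndpointServiceConfigurations
                Resource: "*"

  # Custom-resource backend: resolves the ServiceName of the endpoint service
  # so it can be exported as a stack output.
  DescribeVpceService:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn
      Code:
        ZipFile: |
          import logging

          import boto3
          import cfnresponse

          logger = logging.getLogger()
          logger.setLevel(logging.INFO)


          def _service_name(service_id):
              """Return the ServiceName of the endpoint service with this ID.

              Raises LookupError when no configuration matches, so the caller
              reports a clear failure instead of an IndexError.
              """
              ec2 = boto3.client("ec2")
              configs = ec2.describe_vpc_endpoint_service_configurations(
                  Filters=[{"Name": "service-id", "Values": [service_id]}]
              )["ServiceConfigurations"]
              if not configs:
                  raise LookupError("no endpoint service configuration for %s" % service_id)
              return configs[0]["ServiceName"]


          def handler(event, context):
              """CloudFormation custom-resource handler.

              Create/Update: resolve the service name for ResourceProperties.Input
              and return it under Data. Delete: nothing to clean up.
              Always answers CloudFormation, including on failure, so the stack
              never hangs waiting for a response that was never sent.
              """
              request_type = event.get("RequestType")
              # Log only what is needed: the full event carries the pre-signed
              # ResponseURL, which should stay out of log groups.
              logger.info("%s request for %s", request_type, event.get("LogicalResourceId"))
              response_data = {}
              if request_type == "Delete":
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, response_data)
                  return
              # Create and Update are handled alike: the lookup is read-only and
              # idempotent. Previously an Update sent no response at all and a
              # failed lookup fell through to a NameError, both of which left
              # the stack waiting until the custom-resource timeout.
              try:
                  response_data["Data"] = _service_name(event["ResourceProperties"]["Input"])
                  status = cfnresponse.SUCCESS
              except Exception:  # boundary: report any failure to CloudFormation
                  logger.exception("could not resolve VPC endpoint service name")
                  status = cfnresponse.FAILED
              cfnresponse.send(event, context, status, response_data)
      # python3.7 is past end of support in Lambda and cannot be used for new
      # functions; any currently supported Python 3 runtime works here.
      Runtime: python3.12
      Timeout: 30

  VpceServiceName:
    DependsOn: VpcEndpointService
    Type: Custom::DescribeVpcEndpointServiceConfigurations
    Properties:
      ServiceToken: !GetAtt DescribeVpceService.Arn
      Input: !Ref VpcEndpointService

Outputs:
  SecurityVpcEndpointServiceId:
    Description: Security VPC Endpoint Service ID
    Value: !Ref VpcEndpointService
  SecurityVpcEndpointServiceName:
    Description: Security VPC Endpoint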
Service Name. Required to create VPC endpoint 166 | Value: !GetAtt VpceServiceName.Data -------------------------------------------------------------------------------- /go/README.md: -------------------------------------------------------------------------------- 1 | ### Go sample for AWS Gateway Load Balancer 2 | 3 | ## Welcome 4 | 5 | The following section contains code samples that demonstrate how to manage AWS Gateway Load Balancer from code that is written in the Go programming language using the AWS SDK for Go. 6 | 7 | For more information about developing applications using Go, see the [AWS SDK for Go Developer Guide](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/welcome.html). 8 | 9 | ### **Gateway Load Balancer:** 10 | 11 | * [Create GWLB Sample](gwlb/createGwlbSample.md) 12 | * [Create Target Group Sample](gwlb/createTgSample.md) 13 | * [Create Listener Sample](gwlb/createListenerSample.md) 14 | * [Create GWLB, Target Group and Listener Sample](gwlb/createGwlbTgListnerSample.md) 15 | * [Register Targets Sample](gwlb/registerTargetsSample.md) 16 | * [Delete GWLB Sample](gwlb/deleteGwlbSample.md) 17 | * [Delete Target Group Sample](gwlb/deleteTgSample.md) 18 | * [Delete GWLB and Target Group Sample](gwlb/deleteGwlbTgSample.md) 19 | 20 | ### **VPC Endpoint Service:** 21 | 22 | * [Create VPC Endpoint Service Configuration Sample](vpce/createVpceServiceConfigurationSample.md) 23 | * [Modify VPC Endpoint Service Configuration Sample](vpce/modifyVpceServiceConfigurationSample.md) 24 | * [Modify VPC Endpoint Service Permissions Sample](vpce/modifyVpceServicePermissionsSample.md) 25 | * [Delete VPC Endpoint Service Sample](vpce/deleteVpceServiceSample.md) 26 | 27 | ### **Gateway Load Balancer Endpoint:** 28 | 29 | * [Create GWLB Endpoint](vpce/createGwlbVpceSample.md) 30 | * [Delete GWLB Endpoint](vpce/deleteGwlbVpceSample.md) -------------------------------------------------------------------------------- /go/gwlb/createGwlbSample.md: 
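--------------------------------------------------------------------------------
* Following example show how to create Gateway Load Balancer using AWS SDK for Go.

```go
// Create Gateway Load Balancer
package main

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/elbv2"

	"fmt"
	"os"
)

// main creates a gateway load balancer named os.Args[1] in the two subnets
// given as os.Args[2] and os.Args[3], tagging it with its own name.
func main() {
	// Validate the positional arguments up front: indexing os.Args blindly
	// panics with an index-out-of-range instead of a usable message.
	if len(os.Args) < 4 {
		fmt.Println("Usage:", os.Args[0], "<gwlb-name> <subnet1-id> <subnet2-id>")
		os.Exit(1)
	}
	gwlbName := os.Args[1]
	subnet1Id := os.Args[2]
	subnet2Id := os.Args[3]

	sess, err := session.NewSessionWithOptions(session.Options{
		// Force enable Shared Config support
		SharedConfigState: session.SharedConfigEnable,
	})
	// A session that failed to load (unreadable shared config, etc.) must
	// not be handed to elbv2.New.
	if err != nil {
		fmt.Println("Could not create session", err)
		return
	}

	elbv2Client := elbv2.New(sess)

	// Specify the details of the GWLB that you want to create.
	createGwlb, err := elbv2Client.CreateLoadBalancer(&elbv2.CreateLoadBalancerInput{
		Name: aws.String(gwlbName),
		Subnets: []*string{
			aws.String(subnet1Id),
			aws.String(subnet2Id),
		},
		Tags: []*elbv2.Tag{
			{
				Key:   aws.String("Name"),
				Value: aws.String(gwlbName),
			},
		},
		Type: aws.String("gateway"),
	})

	if err != nil {
		fmt.Println("Could not create gateway load balancer", err)
		return
	}

	fmt.Println("Created GWLB", createGwlb)
}
```
--------------------------------------------------------------------------------
/go/gwlb/createGwlbTgListnerSample.md:
--------------------------------------------------------------------------------
* Following example show how to create Gateway Load Balancer, target group and listener using AWS SDK for Go.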
2 | 3 | ```go 4 | // Creates Target Group, Gateway Load Balancer and Listner 5 | package main 6 | 7 | import ( 8 | "github.com/aws/aws-sdk-go/aws" 9 | "github.com/aws/aws-sdk-go/aws/session" 10 | "github.com/aws/aws-sdk-go/service/elbv2" 11 | 12 | "fmt" 13 | "os" 14 | ) 15 | 16 | func main(){ 17 | 18 | sess, sessErr := session.NewSessionWithOptions(session.Options{ 19 | // Force enable Shared Config support 20 | SharedConfigState: session.SharedConfigEnable, 21 | }) 22 | 23 | if sessErr != nil { 24 | fmt.Println("Could not create session", sessErr) 25 | return 26 | } 27 | 28 | elbv2Client := elbv2.New(sess) 29 | 30 | tgName := os.Args[1] 31 | vpcId := os.Args[2] 32 | gwlbName := os.Args[3] 33 | subnet1Id := os.Args[4] 34 | subnet2Id := os.Args[5] 35 | target1Id := os.Args[6] 36 | 37 | // Create target group 38 | tg, tgErr := elbv2Client.CreateTargetGroup(&elbv2.CreateTargetGroupInput{ 39 | Name: aws.String(tgName), 40 | Port: aws.Int64(6081), 41 | Protocol: aws.String("GENEVE"), 42 | VpcId: aws.String(vpcId), 43 | HealthCheckPort: aws.String("80"), 44 | HealthCheckProtocol: aws.String("HTTP"), 45 | HealthCheckPath: aws.String("/test.html"), 46 | TargetType: aws.String("instance"), 47 | }) 48 | 49 | if tgErr != nil { 50 | fmt.Println("Could not create target group", tgErr) 51 | return 52 | } 53 | 54 | // Register Targets: 55 | registerTargets, registerErr := elbv2Client.RegisterTargets(&elbv2.RegisterTargetsInput{ 56 | TargetGroupArn: tg.TargetGroups[0].TargetGroupArn, 57 | Targets: []*elbv2.TargetDescription{ 58 | { 59 | Id: aws.String(target1Id), 60 | }, 61 | }, 62 | }) 63 | 64 | if registerErr != nil { 65 | fmt.Println("Could not register targets", registerErr) 66 | return 67 | } 68 | 69 | fmt.Println("Registered targets:", registerTargets) 70 | 71 | // Create gateway load balancer 72 | gwlb, gwlbErr := elbv2Client.CreateLoadBalancer(&elbv2.CreateLoadBalancerInput{ 73 | Name: aws.String(gwlbName), 74 | Subnets: []*string{ 75 | aws.String(subnet1Id), 76 | 
aws.String(subnet2Id), 77 | }, 78 | Tags: []*elbv2.Tag{ 79 | { 80 | Key: aws.String("Name"), 81 | Value: aws.String(gwlbName), 82 | }, 83 | }, 84 | Type: aws.String("gateway"), 85 | }) 86 | 87 | if gwlbErr != nil { 88 | fmt.Println("Could not create GWLB", gwlbErr) 89 | return 90 | } 91 | 92 | fmt.Println("Created GWLB:", gwlb) 93 | 94 | // Use a waiter function to wait until the gateway load balancer is available 95 | describeGwlbInput := &elbv2.DescribeLoadBalancersInput{ 96 | LoadBalancerArns: []*string{ 97 | gwlb.LoadBalancers[0].LoadBalancerArn, 98 | }, 99 | } 100 | if err := elbv2Client.WaitUntilLoadBalancerAvailable(describeGwlbInput); err != nil { 101 | panic(err) 102 | } 103 | fmt.Println("GWLB is available.") 104 | 105 | // Create listener 106 | listener, listenerErr := elbv2Client.CreateListener(&elbv2.CreateListenerInput{ 107 | LoadBalancerArn: gwlb.LoadBalancers[0].LoadBalancerArn, 108 | DefaultActions: []*elbv2.Action{ 109 | { 110 | TargetGroupArn: tg.TargetGroups[0].TargetGroupArn, 111 | Type: aws.String("forward"), 112 | }, 113 | }, 114 | }) 115 | 116 | if listenerErr != nil { 117 | fmt.Println("Could not create listener", listenerErr) 118 | return 119 | } 120 | 121 | fmt.Println("Created listener:", listener) 122 | } 123 | ``` -------------------------------------------------------------------------------- /go/gwlb/createListenerSample.md: -------------------------------------------------------------------------------- 1 | * Following example show how to create listener using AWS SDK for Go. 
2 | 3 | ```go 4 | //Create Listener: 5 | package main 6 | 7 | import ( 8 | "github.com/aws/aws-sdk-go/aws" 9 | "github.com/aws/aws-sdk-go/aws/session" 10 | "github.com/aws/aws-sdk-go/service/elbv2" 11 | 12 | "fmt" 13 | "os" 14 | ) 15 | 16 | func main(){ 17 | 18 | sess, sessErr := session.NewSessionWithOptions(session.Options{ 19 | // Force enable Shared Config support 20 | SharedConfigState: session.SharedConfigEnable, 21 | }) 22 | 23 | if sessErr != nil { 24 | fmt.Println("Could not create session", sessErr) 25 | return 26 | } 27 | 28 | elbv2Client := elbv2.New(sess) 29 | 30 | tgArn := os.Args[1] 31 | gwlbArn := os.Args[2] 32 | 33 | // Create listener 34 | listener, listenerErr := elbv2Client.CreateListener(&elbv2.CreateListenerInput{ 35 | LoadBalancerArn: aws.String(gwlbArn), 36 | DefaultActions: []*elbv2.Action{ 37 | { 38 | TargetGroupArn: aws.String(tgArn), 39 | Type: aws.String("forward"), 40 | }, 41 | }, 42 | // Port: aws.Int64(6081), 43 | // Protocol: aws.String("GENEVE"), 44 | }) 45 | 46 | if listenerErr != nil { 47 | fmt.Println("Could not create listener", listenerErr) 48 | return 49 | } 50 | 51 | fmt.Println("Created listener:", listener) 52 | } 53 | ``` -------------------------------------------------------------------------------- /go/gwlb/createTgSample.md: -------------------------------------------------------------------------------- 1 | * Following example show how to create target group using AWS SDK for Go. 
2 | 3 | ```go 4 | // Creates Target Group 5 | package main 6 | 7 | import ( 8 | "github.com/aws/aws-sdk-go/aws" 9 | "github.com/aws/aws-sdk-go/aws/session" 10 | "github.com/aws/aws-sdk-go/service/elbv2" 11 | 12 | "fmt" 13 | "os" 14 | ) 15 | 16 | func main(){ 17 | 18 | sess, sessErr := session.NewSessionWithOptions(session.Options{ 19 | // Force enable Shared Config support 20 | SharedConfigState: session.SharedConfigEnable, 21 | }) 22 | 23 | if sessErr != nil { 24 | fmt.Println("Could not create session", sessErr) 25 | return 26 | } 27 | 28 | elbv2Client := elbv2.New(sess) 29 | 30 | tgName := os.Args[1] 31 | vpcId := os.Args[2] 32 | 33 | // Create target group 34 | tg, tgErr := elbv2Client.CreateTargetGroup(&elbv2.CreateTargetGroupInput{ 35 | Name: aws.String(tgName), 36 | Port: aws.Int64(6081), 37 | Protocol: aws.String("GENEVE"), 38 | VpcId: aws.String(vpcId), 39 | HealthCheckPort: aws.String("80"), 40 | HealthCheckProtocol: aws.String("HTTP"), 41 | HealthCheckPath: aws.String("/test.html"), 42 | TargetType: aws.String("instance"), 43 | }) 44 | 45 | if tgErr != nil { 46 | fmt.Println("Could not create target group", tgErr) 47 | return 48 | } 49 | 50 | fmt.Println("Created target group:", tg) 51 | } 52 | ``` -------------------------------------------------------------------------------- /go/gwlb/deleteGwlbSample.md: -------------------------------------------------------------------------------- 1 | * Following example show how to delete Gateway Load Balancer using AWS SDK for Go. 
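
```go
// Delete Gateway Load Balancer:
package main

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/elbv2"

	"fmt"
	"os"
)

// main deletes the gateway load balancer whose ARN is given as os.Args[1].
func main() {
	// Indexing os.Args without a length check panics on a missing argument.
	if len(os.Args) < 2 {
		fmt.Println("Usage:", os.Args[0], "<gwlb-arn>")
		os.Exit(1)
	}
	gwlbArn := os.Args[1]

	sess, err := session.NewSessionWithOptions(session.Options{
		// Force enable Shared Config support
		SharedConfigState: session.SharedConfigEnable,
	})
	// A session that failed to load must not be handed to elbv2.New.
	if err != nil {
		fmt.Println("Could not create session", err)
		return
	}

	elbv2Client := elbv2.New(sess)

	// Specify the details of the GWLB that you want to delete.
	deleteGwlb, err := elbv2Client.DeleteLoadBalancer(&elbv2.DeleteLoadBalancerInput{
		LoadBalancerArn: aws.String(gwlbArn),
	})

	if err != nil {
		fmt.Println("Could not delete gateway load balancer", err)
		return
	}

	fmt.Println("Deleted GWLB", deleteGwlb)
}
```
--------------------------------------------------------------------------------
/go/gwlb/deleteGwlbTgSample.md:
--------------------------------------------------------------------------------
* Following example show how to delete target group and Gateway Load Balancer using AWS SDK for Go.

```go
// Delete Gateway Load Balancer and target group:
package main

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/elbv2"

	"fmt"
	"os"
)

// main deletes the gateway load balancer (ARN in os.Args[2]) and then the
// target group (ARN in os.Args[1]). The load balancer goes first so that its
// listener no longer references the target group when the group is deleted.
func main() {
	// Indexing os.Args without a length check panics on a missing argument.
	if len(os.Args) < 3 {
		fmt.Println("Usage:", os.Args[0], "<tg-arn> <gwlb-arn>")
		os.Exit(1)
	}
	tgarn := os.Args[1]
	gwlbarn := os.Args[2]

	sess, sessErr := session.NewSessionWithOptions(session.Options{
		// Force enable Shared Config support
		SharedConfigState: session.SharedConfigEnable,
	})
	// A session that failed to load must not be handed to elbv2.New.
	if sessErr != nil {
		fmt.Println("Could not create session", sessErr)
		return
	}

	elbv2Client := elbv2.New(sess)

	// Specify the details of the GWLB that you want to delete.
	deleteGwlb, gwlbErr := elbv2Client.DeleteLoadBalancer(&elbv2.DeleteLoadBalancerInput{
		LoadBalancerArn: aws.String(gwlbarn),
	})

	// Report the delete error itself, not the (unrelated) session error.
	if gwlbErr != nil {
		fmt.Println("Could not delete gateway load balancer", gwlbErr)
		return
	}

	fmt.Println("Deleted GWLB", deleteGwlb)

	// Specify the details of the target group that you want to delete.
	deleteTg, tgErr := elbv2Client.DeleteTargetGroup(&elbv2.DeleteTargetGroupInput{
		TargetGroupArn: aws.String(tgarn),
	})

	if tgErr != nil {
		fmt.Println("Could not delete target group", tgErr)
		return
	}

	fmt.Println("Deleted target group", deleteTg)
}
```
--------------------------------------------------------------------------------
/go/gwlb/deleteTgSample.md:
--------------------------------------------------------------------------------
* Following example show how to delete target group using AWS SDK for Go.

```go
// Delete target group:
package main

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/elbv2"

	"fmt"
	"os"
)

// main deletes the target group whose ARN is given as os.Args[1].
func main() {
	// Indexing os.Args without a length check panics on a missing argument.
	if len(os.Args) < 2 {
		fmt.Println("Usage:", os.Args[0], "<tg-arn>")
		os.Exit(1)
	}
	tgArn := os.Args[1]

	sess, err := session.NewSessionWithOptions(session.Options{
		// Force enable Shared Config support
		SharedConfigState: session.SharedConfigEnable,
	})

	if err != nil {
		fmt.Println("Could not create session", err)
		return
	}

	elbv2Client := elbv2.New(sess)

	// Specify the details of the target group that you want to delete.
	deleteTg, tgErr := elbv2Client.DeleteTargetGroup(&elbv2.DeleteTargetGroupInput{
		TargetGroupArn: aws.String(tgArn),
	})

	if tgErr != nil {
		fmt.Println("Could not delete target group", tgErr)
		return
	}

	fmt.Println("Deleted target group", deleteTg)
}
```
--------------------------------------------------------------------------------
/go/gwlb/registerTargetsSample.md:
--------------------------------------------------------------------------------
* Following example show how to register targets to target group using AWS SDK for Go.

```go
// Register targets:
package main

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/elbv2"

	"fmt"
	"os"
)

// main registers the target os.Args[2] with the target group whose ARN is
// os.Args[1].
func main() {
	// Indexing os.Args without a length check panics on a missing argument.
	if len(os.Args) < 3 {
		fmt.Println("Usage:", os.Args[0], "<tg-arn> <target-id>")
		os.Exit(1)
	}
	tgArn := os.Args[1]
	target1Id := os.Args[2]

	sess, sessErr := session.NewSessionWithOptions(session.Options{
		// Force enable Shared Config support
		SharedConfigState: session.SharedConfigEnable,
	})

	if sessErr != nil {
		fmt.Println("Could not create session", sessErr)
		return
	}

	elbv2Client := elbv2.New(sess)

	// Register Targets:
	registerTargets, registerErr := elbv2Client.RegisterTargets(&elbv2.RegisterTargetsInput{
		TargetGroupArn: aws.String(tgArn),
		Targets: []*elbv2.TargetDescription{
			{
				Id: aws.String(target1Id),
			},
		},
	})

	if registerErr != nil {
		fmt.Println("Could not register targets", registerErr)
		return
	}

	fmt.Println("Registered targets:", registerTargets)
}
```
--------------------------------------------------------------------------------
/go/vpce/createGwlbVpceSample.md:
--------------------------------------------------------------------------------
* Following example show how to create Gateway Load Balancer Endpoint using VPC Endpoint Service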
Name using AWS SDK for Go. 2 | 3 | ```go 4 | // Creates VPC Endpoint 5 | package main 6 | 7 | import ( 8 | "github.com/aws/aws-sdk-go/aws" 9 | "github.com/aws/aws-sdk-go/aws/session" 10 | "github.com/aws/aws-sdk-go/service/ec2" 11 | 12 | "fmt" 13 | "os" 14 | ) 15 | 16 | func main() { 17 | sess, sessErr := session.NewSessionWithOptions(session.Options{ 18 | // Force enable Shared Config support 19 | SharedConfigState: session.SharedConfigEnable, 20 | }) 21 | 22 | if sessErr != nil{ 23 | fmt.Println("Could not create session", sessErr) 24 | return 25 | } 26 | 27 | ec2Client := ec2.New(sess) 28 | 29 | serviceName := os.Args[1] 30 | vpcId := os.Args[2] 31 | subnet1Id := os.Args[3] 32 | 33 | createVpce, vpceErr := ec2Client.CreateVpcEndpoint(&ec2.CreateVpcEndpointInput{ 34 | VpcEndpointType: aws.String("GatewayLoadBalancer"), 35 | ServiceName: aws.String(serviceName), 36 | VpcId: aws.String(vpcId), 37 | SubnetIds: []*string{ 38 | aws.String(subnet1Id), 39 | }, 40 | TagSpecifications: []*ec2.TagSpecification{ 41 | { 42 | ResourceType: aws.String("vpc-endpoint"), 43 | Tags: []*ec2.Tag{ 44 | { 45 | Key: aws.String("Name"), 46 | Value: aws.String("gwlbe1"), 47 | }, 48 | }, 49 | }, 50 | }, 51 | }) 52 | 53 | if vpceErr != nil{ 54 | fmt.Println("Could not create vpce", vpceErr) 55 | return 56 | } 57 | 58 | fmt.Println("Create vpce service:", createVpce) 59 | 60 | } 61 | ``` -------------------------------------------------------------------------------- /go/vpce/createVpceServiceConfigurationSample.md: -------------------------------------------------------------------------------- 1 | * Following example show how to create VPC Endpoint Service using Gateway Load Balancer ARN using AWS SDK for Go. 
2 | 3 | ```go 4 | // Creates VPC Endpoint Service: 5 | package main 6 | 7 | import ( 8 | "github.com/aws/aws-sdk-go/aws" 9 | "github.com/aws/aws-sdk-go/aws/session" 10 | "github.com/aws/aws-sdk-go/service/ec2" 11 | 12 | "fmt" 13 | "os" 14 | ) 15 | 16 | func main() { 17 | sess, sessErr := session.NewSessionWithOptions(session.Options{ 18 | // Force enable Shared Config support 19 | SharedConfigState: session.SharedConfigEnable, 20 | }) 21 | 22 | if sessErr != nil{ 23 | fmt.Println("Could not create session", sessErr) 24 | return 25 | } 26 | 27 | ec2Client := ec2.New(sess) 28 | 29 | gwlbArn := os.Args[1] 30 | 31 | createVpceService, serviceErr := ec2Client.CreateVpcEndpointServiceConfiguration(&ec2.CreateVpcEndpointServiceConfigurationInput{ 32 | AcceptanceRequired: aws.Bool(false), 33 | GatewayLoadBalancerArns: []*string{ 34 | aws.String(gwlbArn), 35 | }, 36 | TagSpecifications: []*ec2.TagSpecification{ 37 | { 38 | ResourceType: aws.String("vpc-endpoint-service"), 39 | Tags: []*ec2.Tag{ 40 | { 41 | Key: aws.String("Name"), 42 | Value: aws.String("gwlb1-service1"), 43 | }, 44 | }, 45 | }, 46 | }, 47 | }) 48 | 49 | if serviceErr != nil{ 50 | fmt.Println("Could not create vpce service", serviceErr) 51 | return 52 | } 53 | 54 | fmt.Println("Create vpce service:", createVpceService) 55 | 56 | } 57 | ``` -------------------------------------------------------------------------------- /go/vpce/deleteGwlbVpceSample.md: -------------------------------------------------------------------------------- 1 | * Following example show how to delete Gateway Load Balancer Endpoint using AWS SDK for Go. 
2 | 3 | ```go 4 | // Delete VPC Endpoint(s): 5 | package main 6 | 7 | import ( 8 | "github.com/aws/aws-sdk-go/aws" 9 | "github.com/aws/aws-sdk-go/aws/session" 10 | "github.com/aws/aws-sdk-go/service/ec2" 11 | 12 | "fmt" 13 | "os" 14 | ) 15 | 16 | func main() { 17 | sess, sessErr := session.NewSessionWithOptions(session.Options{ 18 | // Force enable Shared Config support 19 | SharedConfigState: session.SharedConfigEnable, 20 | }) 21 | 22 | if sessErr != nil{ 23 | fmt.Println("Could not create session", sessErr) 24 | return 25 | } 26 | 27 | ec2Client := ec2.New(sess) 28 | 29 | vpce1Id := os.Args[1] 30 | 31 | deleteVpce, vpceErr := ec2Client.DeleteVpcEndpoints(&ec2.DeleteVpcEndpointsInput{ 32 | VpcEndpointIds: []*string{ 33 | aws.String(vpce1Id), 34 | //aws.String(vpce2Id), 35 | }, 36 | }) 37 | 38 | if vpceErr != nil{ 39 | fmt.Println("Could not delete vpce:", vpceErr) 40 | return 41 | } 42 | fmt.Println("Delete vpce:", deleteVpce) 43 | 44 | } 45 | ``` -------------------------------------------------------------------------------- /go/vpce/deleteVpceServiceSample.md: -------------------------------------------------------------------------------- 1 | * Following example show how to delete VPC Endpoint Service using AWS SDK for Go. 
2 | 3 | ```go 4 | // Delete VPC Endpoint Service(s): 5 | package main 6 | 7 | import ( 8 | "github.com/aws/aws-sdk-go/aws" 9 | "github.com/aws/aws-sdk-go/aws/session" 10 | "github.com/aws/aws-sdk-go/service/ec2" 11 | 12 | "fmt" 13 | "os" 14 | ) 15 | 16 | func main() { 17 | sess, sessErr := session.NewSessionWithOptions(session.Options{ 18 | // Force enable Shared Config support 19 | SharedConfigState: session.SharedConfigEnable, 20 | }) 21 | 22 | if sessErr != nil{ 23 | fmt.Println("Could not create session", sessErr) 24 | return 25 | } 26 | 27 | ec2Client := ec2.New(sess) 28 | 29 | service1Id := os.Args[1] 30 | 31 | deleteVpceService, serviceErr := ec2Client.DeleteVpcEndpointServiceConfigurations(&ec2.DeleteVpcEndpointServiceConfigurationsInput{ 32 | ServiceIds: []*string{ 33 | aws.String(service1Id), 34 | }, 35 | }) 36 | 37 | if serviceErr != nil{ 38 | fmt.Println("Could not delete vpce service", serviceErr) 39 | return 40 | } 41 | fmt.Println("Deleted vpce service:", deleteVpceService) 42 | 43 | } 44 | ``` -------------------------------------------------------------------------------- /go/vpce/modifyVpceServiceConfigurationSample.md: -------------------------------------------------------------------------------- 1 | * Following example show how to modify VPC Endpoint Service Configuration using AWS SDK for Go. 
2 | 3 | ```go 4 | // Modify VPC Endpoint Service Configuration 5 | package main 6 | 7 | import ( 8 | "github.com/aws/aws-sdk-go/aws" 9 | "github.com/aws/aws-sdk-go/aws/session" 10 | "github.com/aws/aws-sdk-go/service/ec2" 11 | 12 | "fmt" 13 | "os" 14 | ) 15 | 16 | func main() { 17 | sess, sessErr := session.NewSessionWithOptions(session.Options{ 18 | // Force enable Shared Config support 19 | SharedConfigState: session.SharedConfigEnable, 20 | }) 21 | 22 | if sessErr != nil{ 23 | fmt.Println("Could not create session", sessErr) 24 | return 25 | } 26 | 27 | ec2Client := ec2.New(sess) 28 | 29 | service1Id := os.Args[1] 30 | 31 | modifyVpceService, serviceErr := ec2Client.ModifyVpcEndpointServiceConfiguration(&ec2.ModifyVpcEndpointServiceConfigurationInput{ 32 | ServiceId: aws.String(service1Id), 33 | AcceptanceRequired: aws.Bool(false), 34 | }) 35 | 36 | if serviceErr != nil{ 37 | fmt.Println("Could not modify vpce service", serviceErr) 38 | return 39 | } 40 | 41 | fmt.Println("Modify vpce service:", modifyVpceService) 42 | 43 | } 44 | ``` -------------------------------------------------------------------------------- /go/vpce/modifyVpceServicePermissionsSample.md: -------------------------------------------------------------------------------- 1 | * Following example show how to modify VPC Endpoint Service Permissions using AWS SDK for Go. 
2 | 3 | ```go 4 | // Modify VPC Endpoint Service Configuration 5 | package main 6 | 7 | import ( 8 | "github.com/aws/aws-sdk-go/aws" 9 | "github.com/aws/aws-sdk-go/aws/session" 10 | "github.com/aws/aws-sdk-go/service/ec2" 11 | 12 | "fmt" 13 | "os" 14 | ) 15 | 16 | func main() { 17 | sess, sessErr := session.NewSessionWithOptions(session.Options{ 18 | // Force enable Shared Config support 19 | SharedConfigState: session.SharedConfigEnable, 20 | }) 21 | 22 | if sessErr != nil{ 23 | fmt.Println("Could not create session", sessErr) 24 | return 25 | } 26 | 27 | ec2Client := ec2.New(sess) 28 | 29 | service1Id := os.Args[1] 30 | 31 | modifyVpceService, serviceErr := ec2Client.ModifyVpcEndpointServicePermissions(&ec2.ModifyVpcEndpointServicePermissionsInput{ 32 | ServiceId: aws.String(service1Id), 33 | AddAllowedPrincipals: []*string{ 34 | aws.String("arn:aws:iam::account-id:root"), 35 | }, 36 | // RemoveAllowedPrincipals: []*string{ 37 | // aws.String("arn:aws:iam::account-id:root"), 38 | // }, 39 | }) 40 | 41 | if serviceErr != nil{ 42 | fmt.Println("Could not modify vpce service", serviceErr) 43 | return 44 | } 45 | 46 | fmt.Println("Modify vpce service:", modifyVpceService) 47 | 48 | } 49 | ``` -------------------------------------------------------------------------------- /python/README.md: -------------------------------------------------------------------------------- 1 | ### Python (Boto3) sample for AWS Gateway Load Balancer 2 | 3 | ## Welcome 4 | 5 | The following section contains code samples that demonstrate how to manage AWS Gateway Load Balancer from code that is written in the Python programming language using the Boto3 library. 6 | 7 | For more information about developing applications using Python and Boto3, see the [AWS SDK for Python (Boto3) Getting Started](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html). 
8 | 9 | ### **Gateway Load Balancer:** 10 | 11 | * [Create GWLB Sample](gwlb/create_gwlb_sample.py) 12 | * [Create Target Group Sample](gwlb/create_tg_sample.py) 13 | * [Create Listener Sample](gwlb/create_listener_sample.py) 14 | * [Create GWLB, Target Group and Listener Sample](gwlb/create_gwlb_tg_listener_sample.py) 15 | * [Register Targets Sample](gwlb/register_targets_sample.py) 16 | * [Delete GWLB Sample](gwlb/delete_gwlb_sample.py) 17 | * [Delete Target Group Sample](gwlb/delete_tg_sample.py) 18 | * [Delete GWLB and Target Group Sample](gwlb/delete_gwlb_tg_sample.py) 19 | 20 | ### **VPC Endpoint Service:** 21 | 22 | * [Create VPC Endpoint Service Configuration Sample](vpce/create_vpce_service_configuration_sample.py) 23 | * [Modify VPC Endpoint Service Configuration Sample](vpce/modify_vpce_service_configuration_sample.py) 24 | * [Modify VPC Endpoint Service Permissions Sample](vpce/modify_vpce_service_permissions_sample.py) 25 | * [Delete VPC Endpoint Service Sample](vpce/delete_vpce_service_sample.py) 26 | 27 | ### **Gateway Load Balancer Endpoint:** 28 | 29 | * [Create GWLB Endpoint Sample](vpce/create_gwlb_endpoint_sample.py) 30 | * [Delete GWLB Endpoint Sample](vpce/delete_gwlb_endpoint_sample.py) 31 | -------------------------------------------------------------------------------- /python/gwlb/create_gwlb_sample.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python3 2 | 3 | """ 4 | Purpose: 5 | 6 | Following sample shows you how to create Gateway Load Balancer (GWLB) using 7 | Python (Boto3) Library. 
8 | """ 9 | 10 | import argparse 11 | import boto3 12 | import logging 13 | from botocore.exceptions import ClientError 14 | 15 | # create required boto3 clients and resources: 16 | elbv2 = boto3.client('elbv2') 17 | 18 | def create_gwlb(gwlb_name, subnet_id_list): 19 | """ 20 | Creates a Gateway Load Balancer and resturns response and ARN 21 | 22 | Accepts: 23 | - gwlb_name: Gateway Load Balancer name. 24 | - subnet_id_list: List of subnet id to be assigned to GWLB 25 | 26 | Usage: 27 | - create_gwlb('gwlb123', ['subnet-123', 'subnet-456']) 28 | """ 29 | logging.info(f"Creating gateway load balancer: {gwlb_name}") 30 | waiter = elbv2.get_waiter('load_balancer_available') 31 | try: 32 | response = elbv2.create_load_balancer( 33 | Name=gwlb_name, 34 | Subnets=subnet_id_list, 35 | Tags=[{'Key': 'Name', 'Value': gwlb_name}], 36 | Type='gateway' 37 | ) 38 | gwlb_arn = response['LoadBalancers'][0]['LoadBalancerArn'] 39 | logging.info(f"Waiting for GWLB's state to change to available") 40 | waiter.wait( 41 | LoadBalancerArns=[gwlb_arn], 42 | WaiterConfig={ 43 | 'Delay': 15, 44 | 'MaxAttempts': 40 45 | } 46 | ) 47 | return response, gwlb_arn 48 | except ClientError as e: 49 | logging.error(e) 50 | return None 51 | 52 | 53 | def main(): 54 | """ 55 | Creates Gateway Load Balancer (GWLB) 56 | 57 | Accepts: 58 | --gwlb_name: GWLB name 59 | --subnet_ids: Subnet ids to be assocated with GWLB 60 | 61 | Usage: 62 | python create_gwlb_sample.py --gwlb_name boto3-gwlb1 \ 63 | --subnet_ids 'subnet-0348ec3f4869e2a1f' 'subnet-04132654a0e466491' 64 | """ 65 | parser = argparse.ArgumentParser() 66 | parser.add_argument('--gwlb_name', required=True, 67 | help='specify gateway load balancer name', type=str) 68 | parser.add_argument('--subnet_ids', nargs='+', required=True, 69 | help='specify subnet ids') 70 | 71 | args = parser.parse_args() 72 | ############################ 73 | # Define script variables: 74 | ############################ 75 | gwlb_name = args.gwlb_name 76 | subnet_ids = 
args.subnet_ids 77 | ############################# 78 | # GWLB: 79 | gwlb1 = create_gwlb(gwlb_name, subnet_ids) 80 | gwlb1_arn = gwlb1[0]['LoadBalancers'][0]['LoadBalancerArn'] 81 | print(f"GWLB ARN: {gwlb1_arn}") 82 | 83 | 84 | if __name__ == '__main__': 85 | main() -------------------------------------------------------------------------------- /python/gwlb/create_gwlb_tg_listener_sample.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env python3 2 | 3 | """ 4 | Purpose: 5 | 6 | Following sample shows you how to create Gateway Load Balancer (GWLB), 7 | target group and listener using Python (Boto3) Library. 8 | 9 | Listener: For Gateway Load Balancer (GWLB), listener doesn't support protocol 10 | and port attribute. 11 | 12 | Target Group: By default gets created with healthcheck configured for protocol: 13 | TCP, port:80. If you don't have anything configured on appliances to listen on 14 | TCP:80, your health checks will fail and instances will be marked unhealthy. 15 | 16 | In the example below, for healthcheck, we overide the port and use HTTP, port 17 | 80. Appliances should be listening and respodning to HTTP, or else healthcheck 18 | will fail. Replace the parameter values inside '< >' with appropriate values. 19 | 20 | For more details, refer to Target Groups for your Gateway Load Balancers 21 | https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/target-groups.html 22 | """ 23 | 24 | import argparse 25 | import boto3 26 | import logging 27 | from botocore.exceptions import ClientError 28 | 29 | # create required boto3 clients and resources: 30 | elbv2 = boto3.client('elbv2') 31 | 32 | 33 | def create_tg(**tg_args): 34 | """ 35 | Creates target group. 36 | 37 | Accepts: 38 | - tg_args: tg_args is dictionary with required key:value 39 | pair. You can add values to dictionary as required. 
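Dictionary should
    strictly follow the naming convention as below:
    tg_args = {
        'name': 'tg1',
        'protocol': 'GENEVE',
        'port': 6081,
        'healthchkproto': 'HTTP',
        'healthchkport': '80',
        'healthchkpath': '/',
        'vpc_id': 'vpc-xxxx',
        'type': 'instance'
    }

    Usage:
    - create_tg(**tg_args)
    """
    logging.info(f"Creating target group: {tg_args['name']}")
    try:
        response = elbv2.create_target_group(
            Name=tg_args['name'],
            Protocol=tg_args['protocol'],
            Port=tg_args['port'],
            HealthCheckProtocol=tg_args['healthchkproto'],
            HealthCheckPort=tg_args['healthchkport'],
            HealthCheckPath=tg_args['healthchkpath'],
            VpcId=tg_args['vpc_id'],
            TargetType=tg_args['type']
        )
        tg_arn = response['TargetGroups'][0]['TargetGroupArn']
        return response, tg_arn
    except ClientError as e:
        logging.error(e)
        return None


def create_gwlb(gwlb_name, subnet_id_list):
    """
    Creates a Gateway Load Balancer and returns response and ARN.

    Accepts:
    - gwlb_name: Gateway Load Balancer name. Also applied as the 'Name' tag.
    - subnet_id_list: List of subnet ids to be assigned to GWLB.

    Returns:
    - (response, gwlb_arn) once the GWLB is available, or None if the create
      call is rejected or the GWLB does not become available within the
      waiter window (15 s delay x 40 attempts). Errors are logged.

    Usage:
    - create_gwlb('gwlb123', ['subnet-123'])
    """
    # The waiter raises WaiterError (not a ClientError) on timeout or when the
    # GWLB ends up in a failed state; without catching it the script dies with
    # a traceback after the load balancer has already been created.
    from botocore.exceptions import WaiterError

    logging.info(f"Creating gateway load balancer: {gwlb_name}")
    waiter = elbv2.get_waiter('load_balancer_available')
    try:
        response = elbv2.create_load_balancer(
            Name=gwlb_name,
            Subnets=subnet_id_list,
            Tags=[{'Key': 'Name', 'Value': gwlb_name}],
            Type='gateway'
        )
        gwlb_arn = response['LoadBalancers'][0]['LoadBalancerArn']
        logging.info("Waiting for GWLB's state to change to available")
        waiter.wait(
            LoadBalancerArns=[gwlb_arn],
            WaiterConfig={
                'Delay': 15,
                'MaxAttempts': 40
            }
        )
        return response, gwlb_arn
    except (ClientError, WaiterError) as e:
        logging.error(e)
        return None


def create_fwd_listener(gwlb_arn, tg_arn):
    """
    Creates a listener for the specified GWLB.

    GWLB listeners take no protocol or port; the single default action
    forwards all traffic to the given target group.

    Accepts:
    - gwlb_arn: Load balancer ARN
    - tg_arn: Target group ARN

    Returns:
    - (response, listener_arn) on success, None on failure (error logged).

    Usage:
    - create_fwd_listener('gwlb-arn', 'tg-arn')
    """
    logging.info(f"Creating listener for GWLB: {gwlb_arn}")
    try:
        response = elbv2.create_listener(
            LoadBalancerArn=gwlb_arn,
            DefaultActions=[
                {
                    'Type': 'forward',
                    'TargetGroupArn': tg_arn,
                }
            ]
        )
        listener_arn = response['Listeners'][0]['ListenerArn']
        return response, listener_arn
    except ClientError as e:
        logging.error(e)
        return None


def register_targets(tg_arn, target_string):
    """
    Registers targets with a target group.

    Accepts:
    - tg_arn: Target group ARN.
    - target_string: The ID of the target. If the target type of the target
      group is instance, specify an instance ID. A list (or other iterable)
      of IDs is also accepted; all of them are registered in one call.

    Returns:
    - The RegisterTargets response on success, None on failure (error logged).

    Usage:
    - register_targets('arn:aws:elasticloadbalancing:xxxxx', 'i-xxxx')
    - register_targets('arn:aws:elasticloadbalancing:xxxxx', ['i-xxxx', 'i-yyyy'])
    """
    # A bare string is a single target; anything else is treated as an
    # iterable of IDs so callers with several targets need only one request.
    if isinstance(target_string, str):
        target_ids = [target_string]
    else:
        target_ids = list(target_string)
    logging.info(f"Registering targets with target group: {tg_arn}")
    try:
        response = elbv2.register_targets(
            TargetGroupArn=tg_arn,
            Targets=[{'Id': target_id} for target_id in target_ids]
        )
        return response
    except ClientError as e:
        logging.error(e)
        return None


def main():
    """
    Creates Gateway Load Balancer (GWLB) and associated Target Group (TG) and
    Listener and registers target(s).

    Stops with a non-zero exit status at the first step that fails: every
    helper returns None on error, and indexing that None would otherwise
    surface as an unrelated TypeError.

    Accepts:
    --tg_name: TG name
    --gwlb_name: GWLB name
    --vpc_id: VPC id to associate TG with
    --subnet_ids: Subnet ids to be associated with GWLB
    --target_ids: Target ids to be registered with GWLB's TG (all of them)

    Usage:
    ./create_gwlb_tg_listener.py \
    --tg_name provider-gwlb-tg1 \
    --gwlb_name provider-gwlb1 \
    --vpc_id vpc-xxxx \
    --subnet_ids subnet-xxxx subnet-yyyy \
    --target_ids i-xxxx i-yyyy
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--tg_name', required=True,
                        help='specify target group name', type=str)
    parser.add_argument('--gwlb_name', required=True,
                        help='specify gateway load balancer name', type=str)
    parser.add_argument('--vpc_id', required=True,
                        help='specify vpc id', type=str)
    parser.add_argument('--subnet_ids', nargs='+', required=True,
                        help='specify subnet ids')
    parser.add_argument('--target_ids', nargs='+', required=True,
                        help='specify target ids')

    args = parser.parse_args()
    ############################
    # Define script variables:
    ############################
    tg_name = args.tg_name
    gwlb_name = args.gwlb_name
    vpc_id = args.vpc_id
    subnet_ids = args.subnet_ids
    target_ids = args.target_ids

    # Health check is HTTP on port 80 against '/'; appliances that do not
    # answer it are marked unhealthy.
    tg1_args = {
        'name': tg_name,
        'protocol': 'GENEVE',
        'port': 6081,
        'healthchkproto': 'HTTP',
        'healthchkport': '80',
        'healthchkpath': '/',
        'vpc_id': vpc_id,
        'type': 'instance'
    }
    #############################
    # Target Group:
    tg1 = create_tg(**tg1_args)
    if tg1 is None:
        raise SystemExit("Target group creation failed; see log for details")
    print(f"TG ARN: {tg1[1]}")
    # GWLB:
    gwlb1 = create_gwlb(gwlb_name, subnet_ids)
    if gwlb1 is None:
        raise SystemExit(f"GWLB creation failed; target group {tg1[1]} was left in place")
    print(f"GWLB ARN: {gwlb1[1]}")
    # Listener:
    listener1 = create_fwd_listener(gwlb1[1], tg1[1])
    if listener1 is None:
        raise SystemExit("Listener creation failed; see log for details")
    print(f"LISTENER ARN: {listener1[1]}")
    # Register Targets: every ID given on the command line, not only the first.
    if register_targets(tg1[1], target_ids) is None:
        raise SystemExit("Target registration failed; see log for details")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/gwlb/create_listener_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to create listener using Python (Boto3) Library.

For Gateway Load Balancer (GWLB), listener doesn't support protocol and port
attribute.
"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError

# create required boto3 clients and resources:
elbv2 = boto3.client('elbv2')


def create_fwd_listener(gwlb_arn, tg_arn):
    """
    Creates a listener for the specified GWLB.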
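
    Accepts:
    - gwlb_arn: Load balancer ARN
    - tg_arn: Target group ARN

    Returns:
    - (response, listener_arn) on success, None on failure (error logged).

    Usage:
    - create_fwd_listener('gwlb-arn', 'tg-arn')
    """
    logging.info(f"Creating listener for GWLB: {gwlb_arn}")
    try:
        response = elbv2.create_listener(
            LoadBalancerArn=gwlb_arn,
            DefaultActions=[
                {
                    'Type': 'forward',
                    'TargetGroupArn': tg_arn,
                }
            ]
        )
        listener_arn = response['Listeners'][0]['ListenerArn']
        return response, listener_arn
    except ClientError as e:
        logging.error(e)
        return None


def main():
    """
    Creates Listener:

    Exits non-zero if the listener could not be created (the helper returns
    None in that case; indexing it directly would raise TypeError).

    Accepts:
    --gwlb_arn: GWLB ARN
    --tg_arn: TG ARN

    Usage:
    python create_listener_sample.py \
    --gwlb_arn <gwlb-arn> \
    --tg_arn <tg-arn>
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--gwlb_arn', required=True,
                        help='specify gateway load balancer ARN', type=str)
    parser.add_argument('--tg_arn', required=True,
                        help='specify target group ARN', type=str)

    args = parser.parse_args()
    ############################
    # Define script variables:
    ############################
    gwlb_arn = args.gwlb_arn
    tg_arn = args.tg_arn
    #############################
    # Listener:
    listener1 = create_fwd_listener(gwlb_arn, tg_arn)
    if listener1 is None:
        raise SystemExit("Listener creation failed; see log for details")
    print(f"LISTENER ARN: {listener1[1]}")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/gwlb/create_tg_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to create target group using Python (Boto3)
Library.

By default target group gets created with healthcheck configured for protocol:
TCP, port:80. If you don't have anything configured on appliances to listen on
TCP:80, your health checks will fail and instances will be marked unhealthy.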
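
In the example below, for healthcheck, we override the port and use HTTP, port
80. Appliances should be listening and responding to HTTP, or else healthcheck
will fail. Replace the parameter values inside '< >' with appropriate values.

NOTE(review): the health check port has to be reachable from the GWLB; keep the
appliance security group rule for that port scoped to the GWLB subnets rather
than open to the world - confirm against your deployment.

For more details, refer to Target Groups for your Gateway Load Balancers
https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/target-groups.html
"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError

# create required boto3 clients and resources:
elbv2 = boto3.client('elbv2')


def create_tg(**tg_args):
    """
    Creates target group and returns response and ARN.

    Accepts:
    - tg_args: dictionary with the required key:value pairs. Dictionary should
      strictly follow the naming convention as below:
        tg_args = {
            'name': 'tg1',
            'protocol': 'GENEVE',
            'port': 6081,
            'healthchkproto': 'HTTP',
            'healthchkport': '80',
            'healthchkpath': '/',
            'vpc_id': 'vpc-xxxx',
            'type': 'instance'
        }

    Returns:
    - (response, tg_arn) on success, None on failure (error logged).

    Raises:
    - KeyError if a required key is missing from tg_args (not caught here).

    Usage:
    - create_tg(**tg_args)
    """
    logging.info(f"Creating target group: {tg_args['name']}")
    try:
        response = elbv2.create_target_group(
            Name=tg_args['name'],
            Protocol=tg_args['protocol'],
            Port=tg_args['port'],
            HealthCheckProtocol=tg_args['healthchkproto'],
            HealthCheckPort=tg_args['healthchkport'],
            HealthCheckPath=tg_args['healthchkpath'],
            VpcId=tg_args['vpc_id'],
            TargetType=tg_args['type']
        )
        tg_arn = response['TargetGroups'][0]['TargetGroupArn']
        return response, tg_arn
    except ClientError as e:
        logging.error(e)
        return None


def main():
    """
    Creates Target Group (TG)

    Exits non-zero if the target group could not be created (the helper
    returns None in that case).

    Accepts:
    --tg_name: TG name
    --vpc_id: VPC id to associate TG with

    Usage:
    python create_tg_sample.py \
    --tg_name boto3-gwlb1-tg1 \
    --vpc_id vpc-xxxx
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--tg_name', required=True,
                        help='specify target group name', type=str)
    parser.add_argument('--vpc_id', required=True,
                        help='specify vpc id', type=str)

    args = parser.parse_args()
    ############################
    # Define script variables:
    ############################
    tg_name = args.tg_name
    vpc_id = args.vpc_id

    # Health check is HTTP on port 80 against '/'; appliances that do not
    # answer it are marked unhealthy.
    tg1_args = {
        'name': tg_name,
        'protocol': 'GENEVE',
        'port': 6081,
        'healthchkproto': 'HTTP',
        'healthchkport': '80',
        'healthchkpath': '/',
        'vpc_id': vpc_id,
        'type': 'instance'
    }
    #############################
    # Target Group:
    tg1 = create_tg(**tg1_args)
    if tg1 is None:
        raise SystemExit("Target group creation failed; see log for details")
    print(f"TG ARN: {tg1[1]}")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/gwlb/delete_gwlb_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to delete Gateway Load Balancer (GWLB) using
Python (Boto3) Library.
"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError

# create required boto3 clients and resources:
elbv2 = boto3.client('elbv2')


def delete_gwlb(gwlb_arn):
    """
    Deletes specified GWLB and its attached listeners.

    Accepts:
    - gwlb_arn: GWLB ARN.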
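
    Returns:
    - The DeleteLoadBalancer response once the GWLB is gone, or None if the
      delete call is rejected or the GWLB is still present after the waiter
      window (15 s delay x 40 attempts). Errors are logged.

    Usage:
    - delete_gwlb('gwlb-arn')
    """
    # WaiterError is not a ClientError; catch it so a slow or stuck deletion
    # is reported instead of ending the script with a traceback.
    from botocore.exceptions import WaiterError

    logging.info(f"Deleting GWLB: {gwlb_arn}")
    waiter = elbv2.get_waiter('load_balancers_deleted')
    try:
        response = elbv2.delete_load_balancer(LoadBalancerArn=gwlb_arn)
        logging.info("Waiting for GWLB's state to change to deleted")
        waiter.wait(
            LoadBalancerArns=[gwlb_arn],
            WaiterConfig={
                'Delay': 15,
                'MaxAttempts': 40
            }
        )
        return response
    except (ClientError, WaiterError) as e:
        logging.error(e)
        return None


def main():
    """
    Deletes GWLB and associated listener:

    Exits non-zero if the deletion failed or did not complete in time.

    Accepts:
    --gwlb_arn: ARN of Gateway Load Balancer to be deleted

    Usage:
    python delete_gwlb_sample.py \
    --gwlb_arn arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:loadbalancer/gwlb/boto3-gwlb1/8b4c4f9ff8dfc05f
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--gwlb_arn', required=True,
                        help='specify Gateway Load Balancer ARN', type=str)
    args = parser.parse_args()
    ############################
    # Define script variables:
    ############################
    gwlb_arn = args.gwlb_arn
    ############################
    if delete_gwlb(gwlb_arn) is None:
        raise SystemExit("GWLB deletion failed; see log for details")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/gwlb/delete_gwlb_tg_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to delete Gateway Load Balancer (GWLB) and
target group using Python (Boto3) Library.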
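"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError, WaiterError

# create required boto3 clients and resources:
elbv2 = boto3.client('elbv2')


def delete_tg(tg_arn):
    """
    Deletes target group and returns response.

    Accepts:
    - tg_arn: Target group ARN.

    Returns:
    - The DeleteTargetGroup response on success, None on failure (error
      logged). Deleting a target group still referenced by a listener is
      expected to be rejected by the API, so delete the GWLB first.

    Usage:
    - delete_tg('arn:aws:elasticloadbalancing:xxxxx')
    """
    logging.info(f"Deleting target group: {tg_arn}")
    try:
        response = elbv2.delete_target_group(TargetGroupArn=tg_arn)
        return response
    except ClientError as e:
        logging.error(e)
        return None


def delete_gwlb(gwlb_arn):
    """
    Deletes specified GWLB and its attached listeners.

    Accepts:
    - gwlb_arn: GWLB ARN.

    Returns:
    - The DeleteLoadBalancer response once the GWLB is gone, or None if the
      delete call is rejected or the GWLB is still present after the waiter
      window (15 s delay x 40 attempts). Errors are logged. WaiterError is
      caught alongside ClientError so a timeout does not end the script with
      a traceback.

    Usage:
    - delete_gwlb('gwlb-arn')
    """
    logging.info(f"Deleting GWLB: {gwlb_arn}")
    waiter = elbv2.get_waiter('load_balancers_deleted')
    try:
        response = elbv2.delete_load_balancer(LoadBalancerArn=gwlb_arn)
        logging.info("Waiting for GWLB's state to change to deleted")
        waiter.wait(
            LoadBalancerArns=[gwlb_arn],
            WaiterConfig={
                'Delay': 15,
                'MaxAttempts': 40
            }
        )
        return response
    except (ClientError, WaiterError) as e:
        logging.error(e)
        return None


def main():
    """
    Delete GWLB and associated Target Group and Listener:

    The GWLB is deleted first (its listener goes with it) and the target
    group only once that has succeeded; if the GWLB deletion fails the target
    group is left in place and the script exits non-zero.

    Accepts:
    --gwlb_arn: ARN of Gateway Load Balancer to be deleted
    --tg_arn: ARN of Target Group to be deleted

    Usage:
    python delete_gwlb_tg_sample.py \
    --gwlb_arn arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:loadbalancer/gwlb/provider-gwlb1/8b4c4f9ff8dfc05f \
    --tg_arn arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:targetgroup/gwlb-tg1/002138d5900763b08b
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--gwlb_arn', required=True,
                        help='specify Gateway Load Balancer ARN', type=str)
    parser.add_argument('--tg_arn', required=True,
                        help='specify Target Group ARN', type=str)
    args = parser.parse_args()
    ############################
    # Define script variables:
    ############################
    tg_arn = args.tg_arn
    gwlb_arn = args.gwlb_arn
    ############################
    if delete_gwlb(gwlb_arn) is None:
        raise SystemExit(f"GWLB deletion failed; target group {tg_arn} was left in place")
    if delete_tg(tg_arn) is None:
        raise SystemExit("Target group deletion failed; see log for details")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/gwlb/delete_tg_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to delete target group using Python (Boto3)
Library.
"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError

# create required boto3 clients and resources:
elbv2 = boto3.client('elbv2')


def delete_tg(tg_arn):
    """
    Deletes target group and returns response

    Accepts:
    - tg_arn: Target group ARN.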
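
    Returns:
    - The DeleteTargetGroup response on success, None on failure (error
      logged).

    Usage:
    - delete_tg('arn:aws:elasticloadbalancing:xxxxx')
    """
    logging.info(f"Deleting target group: {tg_arn}")
    try:
        response = elbv2.delete_target_group(TargetGroupArn=tg_arn)
        return response
    except ClientError as e:
        logging.error(e)
        return None


def main():
    """
    Deletes Target Group:

    Exits non-zero if the deletion was rejected.

    Accepts:
    --tg_arn: ARN of Target Group to be deleted

    Usage:
    python delete_tg_sample.py \
    --tg_arn arn:aws:elasticloadbalancing:us-west-2:xxxxxxxxxxxx:targetgroup/boto3-gwlb1-tg1/002138d5900763b08b
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--tg_arn', required=True,
                        help='specify Target Group ARN', type=str)
    args = parser.parse_args()
    ############################
    # Define script variables:
    ############################
    tg_arn = args.tg_arn
    ############################
    if delete_tg(tg_arn) is None:
        raise SystemExit("Target group deletion failed; see log for details")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/gwlb/register_targets_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to register targets to target group using
Python (Boto3) Library.
"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError

# create required boto3 clients and resources:
elbv2 = boto3.client('elbv2')


def register_targets(tg_arn, target_string):
    """
    Registers targets with a target group:

    Accepts:
    - target_string: The ID of the target.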
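If the target type of the target
      group is instance, specify an instance ID. A list (or other iterable)
      of IDs is also accepted; all of them are registered in one call.
    - tg_arn: Target group ARN.

    Returns:
    - The RegisterTargets response on success, None on failure (error logged).

    Usage:
    - register_targets('arn:aws:elasticloadbalancing:xxxxx', 'i-xxxx')
    - register_targets('arn:aws:elasticloadbalancing:xxxxx', ['i-xxxx', 'i-yyyy'])
    """
    # A bare string is a single target; anything else is treated as an
    # iterable of IDs so several targets go out in one request.
    if isinstance(target_string, str):
        target_ids = [target_string]
    else:
        target_ids = list(target_string)
    logging.info(f"Registering targets with target group: {tg_arn}")
    try:
        response = elbv2.register_targets(
            TargetGroupArn=tg_arn,
            Targets=[{'Id': target_id} for target_id in target_ids]
        )
        return response
    except ClientError as e:
        logging.error(e)
        return None


def main():
    """
    Registers target(s) with an existing GWLB target group.

    Exits non-zero if the registration call was rejected.

    Accepts:
    --tg_arn: TG ARN
    --target_id: one or more target ids (instance ids when the target group's
      target type is instance)

    Usage:
    python register_targets_sample.py \
    --tg_arn <tg-arn> \
    --target_id i-xxxx i-yyyy
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--tg_arn', required=True,
                        help='specify target group ARN', type=str)
    # nargs='+' still accepts the single value earlier callers passed.
    parser.add_argument('--target_id', nargs='+', required=True,
                        help='specify one or more target ids')

    args = parser.parse_args()
    ############################
    # Define script variables:
    ############################
    tg_arn = args.tg_arn
    target_ids = args.target_id
    #############################
    # Register Targets:
    if register_targets(tg_arn, target_ids) is None:
        raise SystemExit("Target registration failed; see log for details")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/vpce/create_gwlb_endpoint_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to create Gateway Load Balancer (GWLB) Endpoint
using VPC Endpoint Service Name using Python (Boto3) Library.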
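
Only one subnet per GWLB Endpoint is supported
"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError

# create required boto3 clients and resources:
ec2 = boto3.client('ec2')


def create_gwlbe(service_name, vpc_id, subnet_ids):
    """
    Creates a VPC Endpoint of type GatewayLoadBalancer (GWLBe) connecting the
    given VPC to the named endpoint service.

    Accepts:
    - service_name (str): VPCE Service name.
    - vpc_id (str): 'vpc-xxxx'
    - subnet_ids (list of str): ['subnet-xxxx'], only one subnet id for GWLBe

    Returns:
    - (response, vpce_id, vpce_type) on success, None on failure (error
      logged).

    Usage:
    - create_gwlbe('service_name', 'vpc-xxxx', ['subnet-xxxx'])
    """
    logging.info("Creating VPC Endpoint of Type GatewayLoadBalancer:")
    try:
        response = ec2.create_vpc_endpoint(
            VpcEndpointType='GatewayLoadBalancer',
            VpcId=vpc_id,
            SubnetIds=subnet_ids,
            ServiceName=service_name
        )
        endpoint = response['VpcEndpoint']
        return response, endpoint['VpcEndpointId'], endpoint['VpcEndpointType']
    except ClientError as e:
        logging.error(e)
        return None


def main():
    """
    Creates VPC Endpoint Type GatewayLoadBalancer (GWLBE):

    Accepts:
    --service_name: VPC-E Service name
    --vpc_id: vpc id with which GWLBE is associated
    --subnet_id: list of subnet id.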
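As of now only one subnet id supported for
      GWLBe; more than one is rejected before any API call is made.

    Usage:
    python create_gwlb_endpoint_sample.py \
    --service_name com.amazonaws.vpce.sa-east-1.vpce-svc-05c11ebdfc1b84593 \
    --vpc_id vpc-09a8e887492790aea \
    --subnet_id subnet-002136cca79d6bba3
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--service_name', required=True,
                        help='specify service name', type=str)
    parser.add_argument('--vpc_id', required=True,
                        help='specify vpc id', type=str)
    parser.add_argument('--subnet_id', nargs='+', required=True,
                        help='specify subnet id (exactly one)')

    args = parser.parse_args()

    ############################
    # Define script variables:
    ############################
    service_name = args.service_name
    vpc_id = args.vpc_id
    subnet_id = args.subnet_id
    # Fail fast on the documented single-subnet limit instead of letting the
    # API reject the request.
    if len(subnet_id) != 1:
        parser.error('exactly one subnet id is supported per GWLB endpoint')
    #############################

    # GWLBE:
    gwlbe1 = create_gwlbe(service_name, vpc_id, subnet_id)
    if gwlbe1 is None:
        raise SystemExit("GWLB endpoint creation failed; see log for details")
    print(f"GWLBE1 ID: {gwlbe1[1]}")
    print(f"GWLBE1 TYPE: {gwlbe1[2]}")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/vpce/create_vpce_service_configuration_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to create VPC Endpoint Service using Gateway
Load Balancer (GWLB) ARN using Python (Boto3) Library.
"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError

# create required boto3 clients and resources:
ec2 = boto3.client('ec2')


def create_vpce_service(gwlb_arns, acceptance=True):
    """
    Creates VPC Endpoint Service.

    Accepts:
    - gwlb_arns : ['gwlb1_arn']
    - acceptance (bool): True|False.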
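Default is True
      (each endpoint connection request must be accepted manually). With
      False, connection requests from any allowed principal are accepted
      automatically, so only disable acceptance when the allowed-principal
      list is itself tightly controlled.

    Returns:
    - (response, service_id, service_name) on success, None on failure
      (error logged).

    Usage:
    - create_vpce_service(['gwlb1_arn'], True)
    """
    logging.info("Creating VPC Endpoint Service:")
    if not acceptance:
        # Make the weaker setting visible in the log rather than silent.
        logging.warning("AcceptanceRequired is False: endpoint connection "
                        "requests from allowed principals are auto-accepted")
    try:
        response = ec2.create_vpc_endpoint_service_configuration(
            AcceptanceRequired=acceptance,
            GatewayLoadBalancerArns=gwlb_arns,
        )
        config = response['ServiceConfiguration']
        return response, config['ServiceId'], config['ServiceName']
    except ClientError as e:
        logging.error(e)
        return None


def main():
    """
    Creates VPC Endpoint Service (VPC-E Service)

    Accepts:
    --gwlb_arns: one or more GWLB ARNs
    --no_acceptance: flag; when present the service is created with
      AcceptanceRequired=False. Default (flag absent) requires acceptance.

    Usage:
    Acceptance not required:
    python create_vpce_service_configuration_sample.py \
    --gwlb_arns gwlb1-arn \
    --no_acceptance

    Acceptance required:
    python create_vpce_service_configuration_sample.py \
    --gwlb_arns gwlb1-arn
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--gwlb_arns', nargs='+', required=True,
                        help='specify gwlb arns')
    # store_false: the destination is True unless the flag is given, so the
    # parsed value reads directly as "acceptance required?".
    parser.add_argument('--no_acceptance', action='store_false',
                        dest='acceptance_required',
                        help='create the service with AcceptanceRequired='
                             'False (connection requests are auto-accepted).'
                             ' Omit the flag to require manual acceptance.')

    args = parser.parse_args()

    ############################
    # Define script variables:
    ############################
    gwlb_arns = args.gwlb_arns
    acceptance_required = args.acceptance_required
    #############################

    # VPC-E Service:
    service1 = create_vpce_service(gwlb_arns, acceptance_required)
    if service1 is None:
        raise SystemExit("VPC endpoint service creation failed; see log for details")
    print(f"SERVICE1 ID: {service1[1]}")
    print(f"SERVICE1 NAME: {service1[2]}")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/vpce/delete_gwlb_endpoint_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to delete Gateway Load Balancer (GWLB) Endpoint
using Python (Boto3) Library.
"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError

# create required boto3 clients and resources:
ec2 = boto3.client('ec2')


def delete_gwlbe(gwlbe_ids):
    """
    Deletes VPC Endpoint (GWLB-E).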
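
    Accepts:
    - gwlbe_ids (list of str): endpoint ids, e.g. ['vpce-xxxx', 'vpce-yyyy']
      (endpoint ids, not 'vpce-svc-...' service ids).

    Returns:
    - The DeleteVpcEndpoints response on success, None if the call is
      rejected (error logged). The EC2 API reports endpoints it could not
      delete under 'Unsuccessful' in the response instead of raising; each
      such entry is logged as an error so a partial failure is not silent.

    Usage:
    - delete_gwlbe(['vpce-xxxx', 'vpce-yyyy'])
    """
    logging.info(f"Deleting VPC Endpoints: {gwlbe_ids}")
    try:
        response = ec2.delete_vpc_endpoints(
            VpcEndpointIds=gwlbe_ids
        )
        for item in response.get('Unsuccessful', []):
            logging.error(f"Failed to delete endpoint: {item}")
        return response
    except ClientError as e:
        logging.error(e)
        return None


def main():
    """
    Deletes GWLB Endpoint (GWLB-E)

    Exits non-zero if the delete call was rejected outright; per-endpoint
    failures are logged by delete_gwlbe and visible in the printed response.

    Accepts:
    --gwlbe_ids: GWLB-E ids

    Usage:
    python delete_gwlb_endpoint_sample.py \
    --gwlbe_ids vpce-0916122bdbd1ca93e
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--gwlbe_ids', nargs='+', required=True,
                        help='specify gwlbe ids')

    args = parser.parse_args()

    ############################
    # Define script variables:
    ############################
    gwlbe_ids = args.gwlbe_ids
    #############################

    # GWLB-E:
    gwlbe1 = delete_gwlbe(gwlbe_ids)
    if gwlbe1 is None:
        raise SystemExit("GWLB endpoint deletion failed; see log for details")
    print(gwlbe1)


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/vpce/delete_vpce_service_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to delete VPC Endpoint Service using Python
(Boto3) Library.
"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError

# create required boto3 clients and resources:
ec2 = boto3.client('ec2')


def delete_vpce_service(service_ids):
    """
    Deletes VPC Endpoint Service.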
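
    Accepts:
    - service_ids (list of str): ['vpce-svc-xxxx', 'vpce-svc-yyyy']

    Returns:
    - The DeleteVpcEndpointServiceConfigurations response on success, None
      if the call is rejected (error logged). The EC2 API reports services it
      could not delete under 'Unsuccessful' in the response instead of
      raising; each such entry is logged as an error.

    Usage:
    - delete_vpce_service(['vpce-svc-xxxx', 'vpce-svc-yyyy'])
    """
    logging.info(f"Deleting VPC Endpoint Service: {service_ids}")
    try:
        response = ec2.delete_vpc_endpoint_service_configurations(
            ServiceIds=service_ids
        )
        for item in response.get('Unsuccessful', []):
            logging.error(f"Failed to delete endpoint service: {item}")
        return response
    except ClientError as e:
        logging.error(e)
        return None


def main():
    """
    Deletes VPC Endpoint Service (VPC-E Service)

    Exits non-zero if the delete call was rejected outright; per-service
    failures are logged by delete_vpce_service.

    Accepts:
    --service_ids: one or more VPC-E Service ids

    Usage:
    python delete_vpce_service_sample.py \
    --service_ids vpce-svc-xxxx vpce-svc-yyyy
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--service_ids', nargs='+', required=True,
                        help='specify service ids')

    args = parser.parse_args()

    ############################
    # Define script variables:
    ############################
    service_ids = args.service_ids
    #############################

    # VPC-E Service:
    if delete_vpce_service(service_ids) is None:
        raise SystemExit("VPC endpoint service deletion failed; see log for details")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/vpce/modify_vpce_service_configuration_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to modify VPC Endpoint Service Configuration
using Python (Boto3) Library.
"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError

# create required boto3 clients and resources:
ec2 = boto3.client('ec2')


def modify_vpce_service_acceptance(service_id, accept=True):
    """
    Sets AcceptanceRequired on the service: True means each request to
    create an endpoint to the service must be accepted manually, False means
    requests from allowed principals are accepted automatically.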
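
    Accepts:
    - service_id: Service id.
    - accept (bool): value for AcceptanceRequired. Default is True (manual
      acceptance). False auto-accepts connection requests from every allowed
      principal, so pair it with a tightly scoped allowed-principal list.

    Returns:
    - The ModifyVpcEndpointServiceConfiguration response on success, None on
      failure (error logged).

    Usage:
    - modify_vpce_service_acceptance('vpce-svc-xxxx', True)
    - modify_vpce_service_acceptance('vpce-svc-xxxx', False)
    """
    logging.info(f"Changing AcceptanceRequired to {accept} for"
                 f" VPCE Service: {service_id}")
    if not accept:
        # Make the weaker setting visible in the log rather than silent.
        logging.warning("AcceptanceRequired is False: endpoint connection "
                        "requests from allowed principals are auto-accepted")
    try:
        response = ec2.modify_vpc_endpoint_service_configuration(
            ServiceId=service_id,
            AcceptanceRequired=accept
        )
        return response
    except ClientError as e:
        logging.error(e)
        return None


def main():
    """
    Modifies AcceptanceRequired on a VPC Endpoint Service (VPC-E Service)

    Accepts:
    --service_id: vpce-svc-xxxx
    --no_acceptance: flag; when present AcceptanceRequired is set to False.
      Default (flag absent) sets it to True.

    Usage:
    Acceptance not required:
    python modify_vpce_service_configuration_sample.py \
    --service_id vpce-svc-xxxx \
    --no_acceptance

    Acceptance required:
    python modify_vpce_service_configuration_sample.py \
    --service_id vpce-svc-xxxx
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--service_id', required=True,
                        help='specify service id', type=str)
    # store_false: the destination is True unless the flag is given, so the
    # parsed value reads directly as "acceptance required?".
    parser.add_argument('--no_acceptance', action='store_false',
                        dest='acceptance_required',
                        help='set AcceptanceRequired to False (connection '
                             'requests are auto-accepted). Omit the flag to '
                             'require manual acceptance.')

    args = parser.parse_args()

    ############################
    # Define script variables:
    ############################
    service_id = args.service_id
    acceptance_required = args.acceptance_required
    #############################

    # VPC-E Service:
    if modify_vpce_service_acceptance(service_id, acceptance_required) is None:
        raise SystemExit("Modifying the VPC endpoint service failed; see log for details")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/python/vpce/modify_vpce_service_permissions_sample.py:
--------------------------------------------------------------------------------
#! /usr/bin/env python3

"""
Purpose:

Following sample shows you how to modify VPC Endpoint Service Permissions
using Python (Boto3) Library.
"""

import argparse
import logging

import boto3
from botocore.exceptions import ClientError

# create required boto3 clients and resources:
ec2 = boto3.client('ec2')


def modify_vpce_service_permissions(service_id, principal_arns, add_remove):
    """
    Modifies the permissions for your VPC endpoint service.
    You can add or remove permissions for service consumers (IAM users,
    IAM roles, and AWS accounts) to connect to your endpoint service.
    If you grant permissions to all principals ('*'), the service is public.
    Any users who know the name of a public service can send a request
    to attach an endpoint. If the service does not require manual approval,
    attachments are automatically approved.

    Accepts:
    - service_id: Service id.
    - principal_arns (list of str): List of principal arns ['iam_user1_arn']
    - add_remove (str): 'add' to grant, 'remove' to revoke the principals.

    Returns:
    - The ModifyVpcEndpointServicePermissions response on success, None on
      failure (error logged).

    Raises:
    - ValueError if add_remove is neither 'add' nor 'remove'. Previously an
      unknown value fell through both branches and failed with an
      UnboundLocalError on 'response'.

    Usage:
    - modify_vpce_service_permissions('vpce-svc-xxxx', ['principal_arn'],
                                      'add')
    """
    if add_remove not in ('add', 'remove'):
        raise ValueError(f"add_remove must be 'add' or 'remove', got {add_remove!r}")
    # Granting '*' makes the service attachable by anyone who knows its name;
    # say so in the log rather than letting it happen silently.
    if add_remove == 'add' and '*' in principal_arns:
        logging.warning(f"Granting '*' makes VPCE Service {service_id} public")
    if add_remove == 'add':
        logging.info(f"Adding {principal_arns} to VPCE Service: {service_id}")
        change = {'AddAllowedPrincipals': principal_arns}
    else:
        logging.info(f"Removing {principal_arns} from VPCE Service: {service_id}")
        change = {'RemoveAllowedPrincipals': principal_arns}
    try:
        response = ec2.modify_vpc_endpoint_service_permissions(
            ServiceId=service_id,
            **change
        )
        return response
    except ClientError as e:
        logging.error(e)
        return None


def main():
    """
    Adds/Removes AWS Principal to a VPC Endpoint Service (VPC-E Service)

    Accepts:
    --service_id: VPC-E Service id
    --principal_arns: one or more principal arns (e.g. iam_user1_arn)
    --add_remove: 'add' or 'remove'

    Usage:
    To add:
    python modify_vpce_service_permissions_sample.py \
    --service_id vpce-svc-xxxx \
    --principal_arns iam-user1-arn \
    --add_remove add

    To remove:
    python modify_vpce_service_permissions_sample.py \
    --service_id vpce-svc-xxxx \
    --principal_arns iam-user1-arn \
    --add_remove remove
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--service_id', required=True,
                        help='specify service id', type=str)
    parser.add_argument('--principal_arns', nargs='+', required=True,
                        help='specify iam arns')
    # choices rejects anything but the two verbs at parse time.
    parser.add_argument('--add_remove', required=True,
                        choices=['add', 'remove'],
                        help='add or remove principals', type=str)

    args = parser.parse_args()

    ############################
    # Define script variables:
    ############################
    service_id = args.service_id
    principal_arns = args.principal_arns
    add_remove = args.add_remove
    #############################

    # VPC-E Service:
    service1 = modify_vpce_service_permissions(service_id, principal_arns,
                                               add_remove)
    if service1 is None:
        raise SystemExit("Modifying VPC endpoint service permissions failed; see log for details")


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------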