
Using Amazon CloudFormation Service to Set Up your Virtual Private Cloud

In AWS, Cloud computing, IaaS

Are you looking to automate service provisioning and resource updates in AWS? The CloudFormation Service automates the procedures that create and manage collections of AWS resources. CloudFormation can deploy simple and complex setups, including scaling options and the installation of third-party software on instances.

This post provides clear instructions on how to incorporate CloudFormation. In the next posts I’ll discuss how you can use CloudFormation with the 40Cloud service, so you’ll be able to automate all of your Network Security needs in one click. The 40Cloud solution integrates CloudFormation and APIs to provide the missing network security elements in a cloud environment. For quick and easy installation of our solution use the 40Cloud AMIs available on the AWS Marketplace.

CloudFormation utilizes Templates, which are JSON formatted files that describe all the AWS required resources. The CloudFormation Framework converts these Templates to create Stacks. Templates are a “factory” of the Stacks, comprising customizable, configured AWS services that automatically place dependencies and data flows in the correct sequence.

Template (JSON formatted file) -> CloudFormation (framework) -> Stack (configured AWS services)

  • Template: defines parameters and resources; provides configuration operations.
  • CloudFormation: creates and updates stacks, detects errors and provides rollback capabilities.
  • Stack: the set of resources created by CloudFormation according to the parameters passed in the Template.

Before we get started, just wanted to let you know that in a future post I’ll discuss the many ways in which we can utilize this powerful tool – to scale environments; for fast recovery following a crisis; to update instance OS’s with applications and other situations. For example, one option is to use the AWS SDK to launch a Template and pass parameters as required. This can be done programmatically, taking advantage of AWS threaded processes. The different Stacks can be used to deploy hundreds of VPC’s with instances, name them “on the fly”, receive outputs and test the instances automatically.

Creating a VPC with the Required Resources

In this article, I will focus on how to use the CloudFormation Template to create a VPC. This method enables deployment of the VPC and all required resources in one or more different regions. The following instructions and parameters relate to the VPCSampleTemplate provided.

The VPC Sample Template is based on the sample provided by Amazon documentation, with modifications and enhancements. Use the AWS console, Command Line Interface (CLI) or API to launch the Template.

Step 1 – Setting up the CloudFormation Template

The CloudFormation Template is a JSON file that describes what we want CloudFormation to create in a Stack – in this case the VPC, Security Groups and Routing Tables. It also describes what to install on an instance once it is launched, and so on.

The Template has the following structure, and can contain special functions inside it:

{
  "AWSTemplateFormatVersion" : "version date",
  "Description" : "JSON string",
  "Metadata" : { template metadata },
  "Parameters" : { parameters used for creating the stack, like key pair, subnet etc. },
  "Mappings" : { a two-level lookup map, so we can choose a value according to the region the template is running in, for example the AMI for each region },
  "Resources" : { all resources required for creating a Stack, like VPC, route tables, routes etc. },
  "Outputs" : { all values we want CloudFormation to display after the template runs, like the public IP of the created instance, etc. }
}

Please Note: Only the “Resources” section is mandatory, and not all of the sections are presented here.

Resources Description

Here is a description of what needs to be inside the “Resources” Section and the way it is built:

"Resources" : {
  "Logical ID" : {
    "Type" : "Resource type",
    "Properties" : { Parameters ... }
  }
}

Logical ID: a name you give to your resource; it must be unique within the template.
Type: one of the AWS resource types, such as AWS::EC2::Instance or AWS::EC2::Route.

(See the full list at http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html)

Properties: all the relevant properties according to the resource required, for example for AWS::EC2::Instance.

Some of the properties are:

"ImageId" : "ami-1234",
"InstanceType" : { "Ref" : "InstanceType" },
"KeyName" : { "Ref" : "KeyName" },
"Tags" : [ { "Key" : "Name", "Value" : "my-key-pair" } ]

InstanceType: defined by a parameter
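To show the Template structure and the Resources section together end to end, here is an added example in Python (not code from this post, the VPCSampleTemplate, or 40Cloud). It builds a template like the one this post walks through as a Python dict, serializes it to the JSON you would upload, and checks the cross-references that CloudFormation rejects at stack creation: a missing Resources section, and any Ref, Fn::GetAtt or DependsOn that names something the template does not define. The logical ids (VPC, GatewayInstance, GatewaySecurityGroup), parameter names and the AMI ids are this example's own placeholders, not the sample template's.

```python
import json

# Placeholder AMI ids per region (constructed for this example; substitute real
# image ids for your account and region before deploying).
AMI_BY_REGION = {
    "us-east-1": {"AMI": "ami-PLACEHOLDER-virginia"},
    "us-west-2": {"AMI": "ami-PLACEHOLDER-oregon"},
    "us-west-1": {"AMI": "ami-PLACEHOLDER-california"},
}

# Pseudo parameters CloudFormation always provides; a Ref to one of these is
# valid even though it is not declared in the Parameters section.
PSEUDO_PARAMETERS = {"AWS::Region", "AWS::AccountId", "AWS::StackName",
                     "AWS::StackId", "AWS::NotificationARNs", "AWS::NoValue"}


def build_vpc_template():
    """Return a template dict with the sections the post describes:
    Parameters, Mappings, Resources (mandatory) and Outputs."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "VPC, subnet, internet gateway, route table, security group and one instance",
        "Parameters": {
            "KeyName": {"Type": "AWS::EC2::KeyPair::KeyName",
                        "Description": "Existing key pair used to SSH to the instance"},
            "InstanceType": {"Type": "String", "Default": "t2.micro",
                             "AllowedValues": ["t2.micro", "t2.small"]},
            "SSHLocation": {"Type": "String", "Default": "0.0.0.0/0",
                            "Description": "CIDR range allowed to SSH to the instance"},
            "VPCSubnet": {"Type": "String", "Default": "10.0.0.0/24"},
        },
        "Mappings": {"RegionMap": AMI_BY_REGION},
        "Resources": {
            "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
            "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
            "AttachGateway": {"Type": "AWS::EC2::VPCGatewayAttachment",
                              "Properties": {"VpcId": {"Ref": "VPC"},
                                             "InternetGatewayId": {"Ref": "InternetGateway"}}},
            "Subnet": {"Type": "AWS::EC2::Subnet",
                       "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": {"Ref": "VPCSubnet"},
                                      "MapPublicIpOnLaunch": True}},
            "RouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
            # The default route must wait for the gateway attachment, hence DependsOn.
            "DefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "AttachGateway",
                             "Properties": {"RouteTableId": {"Ref": "RouteTable"},
                                            "DestinationCidrBlock": "0.0.0.0/0",
                                            "GatewayId": {"Ref": "InternetGateway"}}},
            "SubnetRouteTableAssociation": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                                            "Properties": {"SubnetId": {"Ref": "Subnet"},
                                                           "RouteTableId": {"Ref": "RouteTable"}}},
            "GatewaySecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
                                     "Properties": {"GroupDescription": "SSH from SSHLocation",
                                                    "VpcId": {"Ref": "VPC"},
                                                    "SecurityGroupIngress": [
                                                        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                                         "CidrIp": {"Ref": "SSHLocation"}}]}},
            "GatewayInstance": {"Type": "AWS::EC2::Instance",
                                "Properties": {
                                    "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]},
                                    "InstanceType": {"Ref": "InstanceType"},
                                    "KeyName": {"Ref": "KeyName"},
                                    "SubnetId": {"Ref": "Subnet"},
                                    "SecurityGroupIds": [{"Ref": "GatewaySecurityGroup"}],
                                    # Names the instance GW@<region>, the convention used in the post
                                    "Tags": [{"Key": "Name",
                                              "Value": {"Fn::Join": ["@", ["GW", {"Ref": "AWS::Region"}]]}}]}},
        },
        "Outputs": {"InstancePublicIP": {"Description": "Public IP of the created instance",
                                         "Value": {"Fn::GetAtt": ["GatewayInstance", "PublicIp"]}}},
    }


def _walk(node):
    """Yield every dict nested anywhere inside the template, depth first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def validate_references(template):
    """Return a list of problems: a missing Resources section, or any Ref,
    Fn::GetAtt or DependsOn that names something the template does not define."""
    problems = []
    resources = template.get("Resources") or {}
    if not resources:
        problems.append("Resources section is mandatory and must not be empty")
    known = set(resources) | set(template.get("Parameters", {})) | PSEUDO_PARAMETERS
    for node in _walk(template):
        if list(node) == ["Ref"] and node["Ref"] not in known:
            problems.append(f"Ref to undefined name {node['Ref']!r}")
        if list(node) == ["Fn::GetAtt"]:
            arg = node["Fn::GetAtt"]
            target = arg[0] if isinstance(arg, list) else arg.split(".", 1)[0]
            if target not in resources:
                problems.append(f"Fn::GetAtt on undefined resource {target!r}")
    for name, resource in resources.items():
        if "Type" not in resource:
            problems.append(f"{name}: missing Type")
        depends = resource.get("DependsOn", [])
        for dep in ([depends] if isinstance(depends, str) else depends):
            if dep not in resources:
                problems.append(f"{name}: DependsOn undefined resource {dep!r}")
    return problems


def template_json(template):
    """Serialize the template to the JSON text you would upload in Step 2."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    template = build_vpc_template()
    print(template_json(template))
    print("problems:", validate_references(template) or "none")
```

Running the script prints the JSON and "problems: none"; renaming a logical id without updating the Ref that points at it produces a problem line naming the dangling reference, which is the same class of error the console reports when you click "Next" in Step 2.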

Using Intrinsic Functions

Intrinsic functions can be used in resource properties and in metadata attributes. They serve several purposes, including parsing strings, combining strings, returning resource attributes, returning objects, etc.

Examples of Useful Functions

String handling
  • Fn::Base64: Returns the Base64 representation of the input string. This function is typically used to pass encoded data to Amazon EC2 instances by way of the UserData property.
  • Fn::Join: Appends a set of values into a single value, separated by the specified delimiter. If the delimiter is the empty string, the set of values is concatenated with no delimiter.
Managing data and variables inside the Template
  • Fn::FindInMap: Returns the value corresponding to keys in a two-level map that is declared in the Mappings section.
  • Fn::GetAtt: Returns the value of an attribute from a resource in the template.
  • Ref: Returns the value of the specified parameter or resource.
Region selection
  • Fn::GetAZs: Returns an array that lists Availability Zones for a specified region.

Please Note: Not all functions are described here.
See the VPCSampleTemplate.
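The table above is easier to read once you see the functions nest. The following is an added example (not from this post or the sample template): a small Python resolver that evaluates the listed functions over a template fragment, innermost first, the way CloudFormation does when the stack runs. The parameter values, the region, the Mappings, the Availability Zone names and the 203.0.113.10 address are constructed stand-ins for what the service would supply; the UserData fragment shows the usual Fn::Base64-over-Fn::Join pattern with a Ref spliced into a script line.

```python
import base64

# Constructed stand-ins for the values CloudFormation supplies when a stack runs:
# parameter values chosen in Step 2, the region, the Mappings section, the AZ list
# and the runtime attributes of an already-created resource.
PARAMETERS = {"InstanceType": "t2.micro", "KeyName": "my-key-pair", "AWS::Region": "us-east-1"}
MAPPINGS = {"RegionMap": {"us-east-1": {"AMI": "ami-PLACEHOLDER-virginia"},
                          "us-west-2": {"AMI": "ami-PLACEHOLDER-oregon"}}}
AVAILABILITY_ZONES = {"us-east-1": ["us-east-1a", "us-east-1b"],
                      "us-west-2": ["us-west-2a", "us-west-2b", "us-west-2c"]}
RESOURCE_ATTRIBUTES = {"GatewayInstance": {"PublicIp": "203.0.113.10"}}  # documentation address


def resolve(node, params=PARAMETERS, mappings=MAPPINGS, attrs=RESOURCE_ATTRIBUTES):
    """Evaluate Ref, Fn::Join, Fn::Base64, Fn::FindInMap, Fn::GetAtt and Fn::GetAZs
    anywhere inside a template fragment, resolving nested arguments first."""
    if isinstance(node, list):
        return [resolve(n, params, mappings, attrs) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            if arg not in params:
                raise KeyError(f"Ref to unknown parameter {arg!r}")
            return params[arg]
        if fn == "Fn::Join":
            delimiter, values = arg
            return delimiter.join(str(v) for v in resolve(values, params, mappings, attrs))
        if fn == "Fn::Base64":
            text = resolve(arg, params, mappings, attrs)
            return base64.b64encode(text.encode()).decode()
        if fn == "Fn::FindInMap":
            map_name, top_key, second_key = resolve(arg, params, mappings, attrs)
            return mappings[map_name][top_key][second_key]
        if fn == "Fn::GetAtt":
            resource, attribute = arg if isinstance(arg, list) else arg.split(".", 1)
            return attrs[resource][attribute]
        if fn == "Fn::GetAZs":
            # An empty string means "the region the stack is running in"
            region = resolve(arg, params, mappings, attrs) or params["AWS::Region"]
            return list(AVAILABILITY_ZONES[region])
    # Not an intrinsic function: an ordinary object, so resolve its values
    return {key: resolve(value, params, mappings, attrs) for key, value in node.items()}


# A UserData property as templates usually write it: Fn::Base64 wrapping an
# Fn::Join of script lines, with a Ref spliced into one of the lines.
USER_DATA = {"Fn::Base64": {"Fn::Join": ["\n", [
    "#!/bin/bash -xe",
    {"Fn::Join": ["", ["echo 'instance type: ", {"Ref": "InstanceType"}, "' > /etc/motd"]]},
]]}}

IMAGE_ID = {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]}
INSTANCE_NAME = {"Fn::Join": ["@", ["GW", {"Ref": "AWS::Region"}]]}


def decoded_user_data():
    """Resolve USER_DATA and decode it back to the script the instance would run."""
    return base64.b64decode(resolve(USER_DATA)).decode()


if __name__ == "__main__":
    print(resolve(IMAGE_ID), resolve(INSTANCE_NAME), resolve({"Fn::GetAZs": ""}))
    print(decoded_user_data())
```

Changing `PARAMETERS["AWS::Region"]` to "us-west-2" is enough to see Fn::FindInMap pick the other AMI and Fn::GetAZs return the other zone list, which is how one template serves the three regions the sample supports.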

Please Note:

  • This sample is defined to work on a subset of instance types and subset of regions (Virginia, Oregon and California); you can add types and regions to support more options.
  • Before running the Stack you will need to establish a Key Pair

Step 2 – Creating a Stack

You can run a CloudFormation Template that is stored in Amazon S3. You can either use an existing Template, or upload a file, such as the VPCSampleTemplate.

To run a CloudFormation template by uploading a file:

  1. In the AWS Management Console, navigate to Amazon Web Services.
  2. Under Services, click “CloudFormation”.

Service - CloudFormation 1

  3. The following screen opens. If no CloudFormation Stack exists for that region, click “Create New Stack”.

Create New Stack 2

  4. Fill in the “Name” for the Stack and choose your template file.
  5. Click “Next”. AWS checks the validity of the Template and will notify you if there are problems.

Select Template 3

  6. The Specify Parameters screen displays; you can change the default values (as defined in the Sample Template) to the required settings, then click “Next”:
  • GWNumber parameter: the prefix of the instance name, useful when deploying multiple stacks using the AWS SDK (to be detailed in future posts).
  • Instance Type: can be changed to any other type supported by the Amazon Region.
  • KeyName: select your required Key Pair (the Key Pair needs to be created ahead of time).
  • SSHLocation: the IP address or IP range that is permitted to SSH to the instance (adds a rule to the Security Group).
  • VPC Subnet: enter the required VPC subnet.

Specify Parameters 4

  7. The Options screen displays; you can add more Tags if required, then click “Next”.

Options Tags 5

  8. The Review summary screen displays all the Stack parameters; ensure that the data is correct.
  9. In the Options pane, add more Tags if required, then click “Create”.

Review Stack 55

Note: When you run the Stack you can only create resources up to the Regional limit as defined in your AWS Account.

Step 3 – Check Stack Events and Results

During Stack creation, the status will be displayed in the Status column and creation events are displayed on the lower pane.

Create Stack Status 6

Create Stack Status Details 8

Create Stack Complete 7

After the Stack has been created, click the “Outputs” tab on the lower pane to see the Outputs that were defined on the Template.

In this example, you can take the Public IP of the created Instance; this IP is reachable by SSH (as defined in the “SSHLocation” parameter).

Create Stack Status Output 9
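When creation fails, the console shows the rollback, but the reason is buried in the event list. Here is an added example (not from this post or 40Cloud): a small Python triage over a constructed list of events in the shape boto3's describe_stack_events returns (newest first). It reports the stack's own status, the latest status of every resource, the first failed resource with its reason (here a missing key pair, the situation the note above warns about), and turns the Outputs list from describe_stacks into a dict. The stack name, events, timestamps, reason text and the 203.0.113.10 address are constructed for this example.

```python
from datetime import datetime, timezone

STACK = "vpc-sample"  # constructed stack name


def _ev(seconds, logical_id, rtype, status, reason=None):
    """Build one constructed event record in the shape describe_stack_events returns."""
    return {"StackName": STACK, "LogicalResourceId": logical_id, "ResourceType": rtype,
            "ResourceStatus": status, "ResourceStatusReason": reason,
            "Timestamp": datetime(2015, 3, 1, 12, 0, seconds, tzinfo=timezone.utc)}


# Constructed sample, newest first: the instance failed to create because the key
# pair named in the parameters does not exist, so CloudFormation rolled the stack back.
SAMPLE_EVENTS = [
    _ev(50, STACK, "AWS::CloudFormation::Stack", "ROLLBACK_COMPLETE"),
    _ev(45, "VPC", "AWS::EC2::VPC", "DELETE_COMPLETE"),
    _ev(40, STACK, "AWS::CloudFormation::Stack", "ROLLBACK_IN_PROGRESS",
        "The following resource(s) failed to create: [GatewayInstance]. Rollback requested by user."),
    _ev(35, "GatewayInstance", "AWS::EC2::Instance", "CREATE_FAILED",
        "The key pair 'my-key-pair' does not exist"),
    _ev(30, "GatewayInstance", "AWS::EC2::Instance", "CREATE_IN_PROGRESS"),
    _ev(20, "VPC", "AWS::EC2::VPC", "CREATE_COMPLETE"),
    _ev(10, "VPC", "AWS::EC2::VPC", "CREATE_IN_PROGRESS"),
    _ev(0, STACK, "AWS::CloudFormation::Stack", "CREATE_IN_PROGRESS", "User Initiated"),
]

# Constructed Outputs list, as returned by describe_stacks for a stack that succeeded.
SAMPLE_OUTPUTS = [{"OutputKey": "InstancePublicIP", "OutputValue": "203.0.113.10",
                   "Description": "Public IP of the created instance"}]


def stack_status(events):
    """Status of the stack itself: the newest event whose logical id is the stack name."""
    stack_events = [e for e in events if e["LogicalResourceId"] == e["StackName"]]
    return max(stack_events, key=lambda e: e["Timestamp"])["ResourceStatus"]


def latest_resource_status(events):
    """Map each logical id to its most recent status, as the console's lower pane shows."""
    latest = {}
    for e in sorted(events, key=lambda e: e["Timestamp"]):
        latest[e["LogicalResourceId"]] = e["ResourceStatus"]
    return latest


def root_cause(events):
    """(logical id, reason) of the earliest *_FAILED event, or None. The stack-level
    ROLLBACK_IN_PROGRESS message only lists which resources failed; the actual reason
    is on the resource's own CREATE_FAILED event, which rollback soon scrolls away."""
    failed = [e for e in events if e["ResourceStatus"].endswith("_FAILED")]
    if not failed:
        return None
    first = min(failed, key=lambda e: e["Timestamp"])
    return first["LogicalResourceId"], first["ResourceStatusReason"]


def outputs_as_dict(outputs):
    """Turn the Outputs list into a plain key/value mapping (e.g. to feed an SSH check)."""
    return {o["OutputKey"]: o["OutputValue"] for o in outputs}


if __name__ == "__main__":
    print("stack:", stack_status(SAMPLE_EVENTS))
    print("resources:", latest_resource_status(SAMPLE_EVENTS))
    print("root cause:", root_cause(SAMPLE_EVENTS))
    print("outputs:", outputs_as_dict(SAMPLE_OUTPUTS))
```

Pointing the same functions at the real output of `describe_stack_events` and `describe_stacks` gives the same triage for a live stack, and `root_cause` is the line to read before retrying.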

Step 4 – Accessing VPC Resources

Once the Stack has been created you can see your created resources in the AWS Console.

  1. In the AWS Console, under AWS services choose “VPC”.
  2. Click the “VPC” link; the number of links will vary according to your environment.

Resources 10

In the list you will see VPC@[Region where you ran the CloudFormation].

VPC Dashboard create vpc 11-12

  3. Go back to the VPC dashboard and click “Internet Gateways” to see the created Internet Gateway that enables your instances to connect to the internet. The name will be IGW_[Region where you ran the CloudFormation].

Create Internet Gateway - 12

  4. Go back to the VPC dashboard and click “Subnets” to see the created subnet. A row with the name “SUB_[Region where you ran the CloudFormation]” will be displayed.

Sub Virginia 15 -16

  5. Go back to the VPC dashboard and click “Route Tables” to see the created Route Tables and routes. A row with the name “RT_[Region where you ran the CloudFormation]” will appear. You can see the route added for all traffic to the Internet through the Amazon Internet Gateway (as defined in the Template).

Edit Route Table 14

  6. Click the Subnet Associations pane to see the associated subnets; SUB_[Region where you ran the CloudFormation] has been added.

Subnets association 15

  7. Go back to the VPC dashboard and click “Security Groups” to see the created Security Groups. A default Security Group (created automatically when a VPC is created) and SG_GW_[Region where you ran the CloudFormation], which is created by the Template, should be present.
  8. Click “Inbound Rules” to see the rules added to the Security Group. In our sample the SSHLocation was 0.0.0.0/0, which means it is possible to SSH to the instance from any IP address.
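Because the sample's default leaves SSH open to every address, it is worth checking the template before creating the stack rather than discovering the rule in the console afterwards. The following is an added example (not the post's or 40Cloud's code): it resolves the SSHLocation reference inside a security group's ingress rules the way the stack would, using either the value supplied at creation or the parameter's Default, reports any rule that exposes port 22 to 0.0.0.0/0 or ::/0, and builds a replacement SSHLocation parameter whose AllowedPattern makes CloudFormation reject malformed values. The template fragment, the pattern and the 198.51.100.0/24 range are constructed for this example.

```python
import ipaddress

# Constructed fragment in the shape of the sample's SSHLocation parameter and
# SG_GW security group, with the parameter referenced from the ingress rule.
PARAMETERS = {
    "SSHLocation": {"Type": "String", "Default": "0.0.0.0/0",
                    "Description": "CIDR range allowed to SSH to the instance"},
}
SECURITY_GROUP = {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "Gateway instance security group",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": {"Ref": "SSHLocation"}},
        ],
    },
}


def effective_cidr(value, parameters, overrides):
    """Resolve a CidrIp that is either a literal or {"Ref": parameter}, using the
    value supplied at stack creation or else the parameter's Default."""
    if isinstance(value, dict) and "Ref" in value:
        name = value["Ref"]
        return overrides.get(name, parameters[name].get("Default"))
    return value


def rule_reaches_ssh(rule):
    """True if the rule's protocol and port range include TCP port 22."""
    proto = str(rule["IpProtocol"])
    if proto == "-1":  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return int(rule.get("FromPort", 0)) <= 22 <= int(rule.get("ToPort", 65535))


def world_open_ssh_rules(security_group, parameters, overrides=None):
    """Return the ingress rules that let any address (0.0.0.0/0 or ::/0) reach SSH,
    after resolving parameter references the way the stack would."""
    overrides = overrides or {}
    findings = []
    for rule in security_group["Properties"].get("SecurityGroupIngress", []):
        cidr = effective_cidr(rule.get("CidrIp") or rule.get("CidrIpv6"), parameters, overrides)
        if cidr is None:
            continue  # rule uses a source security group rather than a CIDR
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0 and rule_reaches_ssh(rule):
            findings.append({"cidr": cidr, "from": rule.get("FromPort"), "to": rule.get("ToPort")})
    return findings


def restricted_ssh_location(default_cidr):
    """Build a hardened SSHLocation parameter: a valid, non-world CIDR default plus an
    AllowedPattern so CloudFormation rejects malformed input at creation time.
    The pattern is this example's own (the AWS samples use a similar one)."""
    network = ipaddress.ip_network(default_cidr, strict=False)  # ValueError if malformed
    if network.prefixlen == 0:
        raise ValueError("SSHLocation default must not be 0.0.0.0/0")
    return {"Type": "String", "Default": str(network), "MinLength": "9", "MaxLength": "18",
            "AllowedPattern": r"^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$",
            "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x",
            "Description": "CIDR range allowed to SSH to the instance"}


if __name__ == "__main__":
    print("with defaults:", world_open_ssh_rules(SECURITY_GROUP, PARAMETERS))
    print("with override:", world_open_ssh_rules(SECURITY_GROUP, PARAMETERS,
                                                 {"SSHLocation": "198.51.100.0/24"}))
    print(restricted_ssh_location("198.51.100.0/24"))
```

The check catches the open rule with the defaults and passes once SSHLocation is narrowed to a specific range at Step 2; replacing the parameter with the hardened definition keeps a typo in the range from silently becoming an open rule.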

Inbound rules 16

  9. Finally, let’s check the created instance; go to Services and then to “EC2”.

Created Instance Resources 17

  10. Click “Instances”. The instance named GW@[Region where you ran the CloudFormation] will appear with all its details. Check that the public IP is the same as in the Stack outputs, that the Security Groups associated with it are as described above, and that the subnet ID and other important details on the Description tab are correct.

Launch instance Description 18

Summary

CloudFormation provides an efficient way to deploy complex environments in a simple manner, as it coordinates all the resources, Security Groups and the interactions between them. The Service enables you to deploy the same environment on various regions, and delete all Stacks together when the resources are no longer required. Take advantage of this tool to streamline procedures such as scaling, development and testing.

CloudFormation Sample to Create a VPC and all its Required Resources


CloudFormation Sample – Create VPC with Resources
