
AWS Single Gateway Deployment

This CloudFormation (CFN) template, named aws-enforza-boilerplate-single-az-landing-zone, creates the foundational infrastructure for deploying a simple AWS landing zone with a single instance of an enforza Gateway - suitable for development and non-critical environments. It includes several key AWS resources, such as VPC, subnets, security groups, route tables, and EC2 instances.

Download the AWS Single Gateway CloudFormation template here.

Open Source License

These templates are open source and licensed under the GNU General Public License, version 3 (GPLv3).

This means you are free to:

  • Use these templates for any purpose, whether personal or commercial.
  • Distribute copies of the templates, whether in their original form or modified versions.
  • Modify the templates to suit your needs.

If you distribute modified versions, you must keep them licensed under GPLv3, ensuring that others have the same freedom to use, modify, and distribute.

For more details, see the GPLv3 License.

Below is a detailed explanation of the infrastructure and resources created:

1. VPC Creation

  • A new Virtual Private Cloud (VPC) is created with a custom CIDR block (default 10.1.0.0/16), which defines the IP address range for the network. This VPC serves as the foundation for other resources.
  • DNS Hostnames and DNS Support are enabled to allow DNS resolution within the VPC.

2. Subnets

  • Public Subnet: A publicly accessible subnet is created using the first /24 range of the VPC's CIDR. It is configured to assign public IP addresses to instances automatically.
  • Private Subnets (1, 2, 3): Three private subnets are created using the next three /24 ranges of the VPC's CIDR block. These subnets are isolated from direct internet access, used for internal resources.

3. Internet Gateway and Route Tables

  • Internet Gateway (IGW): An Internet Gateway is attached to the VPC, allowing resources in the public subnet to communicate with the internet.
  • Public Route Table: A public route table is associated with the public subnet. It contains a route directing all traffic (0.0.0.0/0) to the Internet Gateway.
  • Private Route Table: A route table for the private subnets is created. Traffic from these subnets is routed through a specific Elastic Network Interface (ENI) attached to the EC2 instance, so outbound internet access passes through the firewall and is controlled there. This provides east/west (lateral) and internet access control.

4. Security Groups

  • A security group is created to control inbound and outbound traffic to the EC2 instance. It permits:
    • All traffic from within the VPC.
    • SSH, ICMP, and SNMP access from Trusted Management IPs (specified by the user).
  • The security group is tagged with a unique identifier for easy management.

5. EC2 Instance

  • An EC2 instance is created in the public subnet, which serves as the enforza firewall instance. It uses the latest Ubuntu image, fetched from AWS SSM Parameter Store.
  • A custom Elastic Network Interface (ENI) is created and attached to the EC2 instance, enabling communication between the public and private subnets.
  • A role and instance profile are created to allow the EC2 instance to perform actions like tagging itself after installation.
  • User Data is provided to automatically install the necessary tools, set up an efzadmin user with passwordless sudo access, and run the enforza Agent installation script. The password for the efzadmin user is the AWS EC2 instance ID (including the i- prefix).
  • The instance is tagged with important details like the Claim Key, generated from the enforza installation, and login information for serial console access.

6. Routes

  • Public Route: A route is created in the public route table, allowing all traffic to go through the Internet Gateway for internet access.
  • Private Routes: Each private subnet gets routes created to direct its traffic through the EC2 instance via its ENI. This creates a controlled access point between private subnets and the internet.
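As an added illustration (not the enforza template's own code), the fragment below shows how the private default route to the gateway ENI and the management security group from sections 3 to 6 can be expressed in CloudFormation. The logical IDs VPC, PublicSubnet, GatewayEni, PrivateRouteTable and GatewaySecurityGroup and the TrustedManagementCidr parameter are assumed names, not those of the real template.

```yaml
Parameters:
  TrustedManagementCidr:
    Type: String
    Description: Source CIDR allowed to reach the gateway for SSH, ICMP and SNMP

Resources:
  # Assumed logical IDs; VPC and PublicSubnet are defined elsewhere in the template.
  # SourceDestCheck must be false, or the instance drops packets not addressed to
  # itself and the private-subnet route below silently blackholes traffic.
  GatewayEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref PublicSubnet
      SourceDestCheck: false
      GroupSet:
        - !Ref GatewaySecurityGroup
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  # The private default route targets the gateway ENI, not the IGW, so every
  # private-subnet egress flow must traverse the firewall.
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NetworkInterfaceId: !Ref GatewayEni
  GatewaySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: enforza gateway - VPC-internal plus trusted management
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: "-1"                   # all traffic from inside the VPC
          CidrIp: !GetAtt VPC.CidrBlock
        - IpProtocol: tcp                    # SSH, trusted management hosts only
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref TrustedManagementCidr
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: !Ref TrustedManagementCidr
        - IpProtocol: udp                    # SNMP
          FromPort: 161
          ToPort: 161
          CidrIp: !Ref TrustedManagementCidr
```

Each private subnet still needs an AWS::EC2::SubnetRouteTableAssociation binding it to PrivateRouteTable; without that association the subnet falls back to the VPC main route table and bypasses the gateway.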

7. Outputs

The template provides output details such as:

  • VPC ID
  • Public Subnet ID
  • IDs of the private subnets
  • EC2 Instance ID

Summary

This CFN template sets up a single-AZ landing zone for enforza, creating a secure and isolated network environment with both public and private subnets. It deploys an EC2 instance as a firewall, configures secure communication between subnets, and restricts access to trusted management IPs. This foundational setup is ideal for small and medium-sized enterprises (SMEs) looking to protect their cloud environments with minimal complexity.