A CloudFormation Template that demonstrates how to create a Virtual Private Network VPC with a few steps!

The main design of this VPC has been created following these considerations:

• Public And Private Subnets
• High Availability
• NAT Gateway for private instances
• SSH Bastion Auto Scaling Group for Management

You can customize some of the configuration of the VPC with these parameters:

For now, the CloudFormation stack is only ready to be deployed in us-east-1 as mappings only contains the AMI ID for this region. But if you want to deploy it to another region Pull Requests are welcome! :)

public:
      az1: "10.0.10.0/24"
      az2: "10.0.20.0/24"
private:
      az1: "10.0.30.0/24"
      az2: "10.0.40.0/24"

us-east-1:
    HVM64: ami-035be7bafff33b6b6

The VPC is configured following the standards that are described in AWS documentation for Scenario 2, with the addition of the High Availabilty and the Bastion Auto Scaling group. Let's dive in!

• A VPC with a size /16 IPv4 CIDR block (10.0.0.0/16). This provides 65,536 private IPv4 addresses.

• Two public subnets with a size /24 IPv4 CIDR block (10.0.10.0/24 and 10.0.20.0/24). This provides 256 private IPv4 addresses in each subnet. Public subnets are subnets that's associated with a route table that has a route to an Internet gateway.

• Two private subnets with a size /24 IPv4 CIDR block (10.0.30.0/24 and 10.0.40.0/24). This provides 256 private IPv4 addresses in each subnet.

• An Internet gateway. This connects the VPC to the Internet and to other AWS services.

• Instances with private IPv4 addresses in the subnet range (examples: 10.0.0.5, 10.0.1.5). This enables them to communicate with each other and other instances in the VPC.

• Instances in the public subnet with Elastic IPv4 addresses (example: 198.51.100.1), which are public IPv4 addresses that enable them to be reached from the Internet. The instances can have public IP addresses assigned at launch instead of Elastic IP addresses. Instances in the private subnet are back-end servers that don't need to accept incoming traffic from the Internet and therefore do not have public IP addresses; however, they can send requests to the Internet using the NAT gateway.

• A NAT gateway with its own Elastic IPv4 address. Instances in the private subnet can send requests to the Internet through the NAT gateway over IPv4 (for example, for software updates).

• A public route table associated with public subnets. This route table contains entries that allows instances in public subnets to communicate with other instances in the VPC, and communicate directly with the internet.

• A private route table associated with private subnets. This route table contains entries that allows instances in private subnets to communicate with other instances in the VPC, and communicate to internet through NAT Gateway

• VPC Subnets are split in two Availability Zones (AZ), each availability zone contains one public subnet and one private subnet. These allows to design an infrastructure that is highly available. (It can be discussed that it's not a pure 100% High Availability Design as NAT Gateway is only deployed in one AZ to cut costs, it will depend on your RTO or RPO if you need these component to be highly available)

Network Access Control List based in AWS Recommended Rules for your VPC

If you need a default security group to allow updates from Internet you can use this predefined group.

Some parameters are outputted and also exported. Exported parameters allows you to use these VPC in other stacks if you need it. Other way to use this stack is using Nested Stacks.