# 使用 CloudFormation 配置 Amazon VPC 资源
本节提供使用 CloudFormation 配置 Amazon VPC 资源的示例。VPC 允许您在 AWS 中创建一个虚拟网络,这些代码段展示了如何配置 VPC 各个方面来满足自己的网络要求。
**Topics**
+ [在 VPC 中启用 IPv6 仅出口互联网访问](#quickref-ec2-route-egressonlyinternetgateway)
+ [弹性网络接口 (ENI) 模板代码段](#cfn-template-snippets-eni)
## 在 VPC 中启用 IPv6 仅出口互联网访问
仅出口互联网网关允许 VPC 中的实例访问互联网并阻止互联网上的资源与实例通信。以下代码段支持在 VPC 中启用 IPv6 仅出口互联网访问。它使用 [AWS::EC2::VPC](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-vpc.html) 资源创建 IPv4 地址范围为 `10.0.0/16` 的 VPC。将路由表与使用 [AWS::EC2::RouteTable](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-routetable.html) 资源的 VPC 资源关联起来。路由表会管理 VPC 内实例的路由。[AWS::EC2::EgressOnlyInternetGateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-egressonlyinternetgateway.html) 用于创建仅出口互联网网关,为来自 VPC 中实例的出站流量启用 IPv6 通信,同时阻止入站流量。[AWS::EC2::Route](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-route.html) 资源用于在路由表中创建 IPv6 路由,该路由会将所有出站 IPv6 流量 (`::/0`) 定向到仅出口互联网网关。
有关仅出口互联网网关的更多信息,请参阅《Amazon VPC 用户指南》**中的[使用仅出口互联网网关允许出站 IPv6 流量](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html)。
### JSON
```
"DefaultIpv6Route": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationIpv6CidrBlock": "::/0",
"EgressOnlyInternetGatewayId": {
"Ref": "EgressOnlyInternetGateway"
},
"RouteTableId": {
"Ref": "RouteTable"
}
}
},
"EgressOnlyInternetGateway": {
"Type": "AWS::EC2::EgressOnlyInternetGateway",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
}
},
"RouteTable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPC"
}
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16"
}
}
```
### YAML
```
DefaultIpv6Route:
Type: AWS::EC2::Route
Properties:
DestinationIpv6CidrBlock: "::/0"
EgressOnlyInternetGatewayId:
Ref: "EgressOnlyInternetGateway"
RouteTableId:
Ref: "RouteTable"
EgressOnlyInternetGateway:
Type: AWS::EC2::EgressOnlyInternetGateway
Properties:
VpcId:
Ref: "VPC"
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: "VPC"
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: "10.0.0.0/16"
```
## 弹性网络接口 (ENI) 模板代码段
### 创建带有附加弹性网络接口(ENI)的 Amazon EC2 实例
以下示例代码段使用 [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html) 资源在指定的 Amazon VPC 和子网中创建 Amazon EC2 实例。它将两个网络接口(ENI)连接到实例,通过附加的 ENI 将弹性 IP 地址关联到实例,并针对 SSH 和 HTTP 访问配置安全组。创建实例时,用户数据作为启动配置的一部分提供给实例。用户数据包括以 `base64` 格式编码的脚本,可确保将其传递到实例。当实例启动时,脚本会作为引导过程的一部分自动运行。它会安装 `ec2-net-utils`、配置网络接口并启动 HTTP 服务。
为了根据所选区域确定合适的亚马逊机器映像(AMI),该代码段使用了一个可在 `RegionMap` 映射中查找值的 `Fn::FindInMap` 函数。此映射必须在较大的模板中定义。这两个网络接口是使用 [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-networkinterface.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-networkinterface.html) 资源创建的。使用分配给 `vpc` 域的 [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eip.html) 资源指定弹性 IP 地址。这些弹性 IP 地址与使用 [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-eipassociation.html) 资源的网络接口关联。
`Outputs` 部分定义了您想在堆栈创建后访问的值或资源。在此代码段中,定义的输出是 `InstancePublicIp`,表示堆栈创建的 EC2 实例的公有 IP 地址。您可以使用 CloudFormation 控制台的**输出**选项卡或使用 [describe-stacks](https://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-stacks.html) 命令来检索此输出。
有关弹性网络接口的更多信息,请参阅[弹性网络接口](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html)。
#### JSON
```
"Resources": {
"ControlPortAddress": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"AssociateControlPort": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"ControlPortAddress",
"AllocationId"
]
},
"NetworkInterfaceId": {
"Ref": "controlXface"
}
}
},
"WebPortAddress": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"AssociateWebPort": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"WebPortAddress",
"AllocationId"
]
},
"NetworkInterfaceId": {
"Ref": "webXface"
}
}
},
"SSHSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "VpcId"
},
"GroupDescription": "Enable SSH access via port 22",
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 22,
"IpProtocol": "tcp",
"ToPort": 22
}
]
}
},
"WebSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "VpcId"
},
"GroupDescription": "Enable HTTP access via user-defined port",
"SecurityGroupIngress": [
{
"CidrIp": "0.0.0.0/0",
"FromPort": 80,
"IpProtocol": "tcp",
"ToPort": 80
}
]
}
},
"controlXface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"SubnetId": {
"Ref": "SubnetId"
},
"Description": "Interface for controlling traffic such as SSH",
"GroupSet": [
{
"Fn::GetAtt": [
"SSHSecurityGroup",
"GroupId"
]
}
],
"SourceDestCheck": true,
"Tags": [
{
"Key": "Network",
"Value": "Control"
}
]
}
},
"webXface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"SubnetId": {
"Ref": "SubnetId"
},
"Description": "Interface for web traffic",
"GroupSet": [
{
"Fn::GetAtt": [
"WebSecurityGroup",
"GroupId"
]
}
],
"SourceDestCheck": true,
"Tags": [
{
"Key": "Network",
"Value": "Web"
}
]
}
},
"Ec2Instance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"RegionMap",
{
"Ref": "AWS::Region"
},
"AMI"
]
},
"KeyName": {
"Ref": "KeyName"
},
"NetworkInterfaces": [
{
"NetworkInterfaceId": {
"Ref": "controlXface"
},
"DeviceIndex": "0"
},
{
"NetworkInterfaceId": {
"Ref": "webXface"
},
"DeviceIndex": "1"
}
],
"Tags": [
{
"Key": "Role",
"Value": "Test Instance"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Sub": "#!/bin/bash -xe\nyum install ec2-net-utils -y\nec2ifup eth1\nservice httpd start\n"
}
}
}
}
},
"Outputs": {
"InstancePublicIp": {
"Description": "Public IP Address of the EC2 Instance",
"Value": {
"Fn::GetAtt": [
"Ec2Instance",
"PublicIp"
]
}
}
}
```
#### YAML
```
Resources:
ControlPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateControlPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId:
Fn::GetAtt:
- ControlPortAddress
- AllocationId
NetworkInterfaceId:
Ref: controlXface
WebPortAddress:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
AssociateWebPort:
Type: AWS::EC2::EIPAssociation
Properties:
AllocationId:
Fn::GetAtt:
- WebPortAddress
- AllocationId
NetworkInterfaceId:
Ref: webXface
SSHSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VpcId
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 22
IpProtocol: tcp
ToPort: 22
WebSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Ref: VpcId
GroupDescription: Enable HTTP access via user-defined port
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
FromPort: 80
IpProtocol: tcp
ToPort: 80
controlXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId:
Ref: SubnetId
Description: Interface for controlling traffic such as SSH
GroupSet:
- Fn::GetAtt:
- SSHSecurityGroup
- GroupId
SourceDestCheck: true
Tags:
- Key: Network
Value: Control
webXface:
Type: AWS::EC2::NetworkInterface
Properties:
SubnetId:
Ref: SubnetId
Description: Interface for web traffic
GroupSet:
- Fn::GetAtt:
- WebSecurityGroup
- GroupId
SourceDestCheck: true
Tags:
- Key: Network
Value: Web
Ec2Instance:
Type: AWS::EC2::Instance
Properties:
ImageId:
Fn::FindInMap:
- RegionMap
- Ref: AWS::Region
- AMI
KeyName:
Ref: KeyName
NetworkInterfaces:
- NetworkInterfaceId:
Ref: controlXface
DeviceIndex: "0"
- NetworkInterfaceId:
Ref: webXface
DeviceIndex: "1"
Tags:
- Key: Role
Value: Test Instance
UserData:
Fn::Base64: !Sub |
#!/bin/bash -xe
yum install ec2-net-utils -y
ec2ifup eth1
service httpd start
Outputs:
InstancePublicIp:
Description: Public IP Address of the EC2 Instance
Value:
Fn::GetAtt:
- Ec2Instance
- PublicIp
```