本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
配置 Amazon VPC 資源 AWS CloudFormation
本節提供使用設定 Amazon VPC 資源的範例 AWS CloudFormation。VPCs可讓您在中建立虛擬網路 AWS,而這些程式碼片段顯示如何設定的各個層面VPCs以符合您的網路需求。
啟用IPv6僅輸出的網際網路存取 VPC
僅限輸出的網際網路閘道允許中的執行個體存VPC取網際網路,並防止網際網路上的資源與執行個體通訊。以下代碼片段啟用了IPv6僅限輸出的互聯網訪問。VPC它創建一VPC個10.0.0/16使用AWS::EC2: 資VPC源的IPv4地址範圍。路由表使用AWS:EC2: VPC 資源與此資RouteTable源相關聯。路由表管理中例證的路由VPC。答AWS::EC2: EgressOnlyInternetGateway 用於建立僅限輸出的網際網路閘道,以啟用來自執行個體的輸出流量IPv6通訊VPC,同時防止輸入流量。答:AWS:EC2: Route 資源被指定為在路由表中創建IPv6路由,該路由將所有輸出IPv6流量(::/0)引導到僅限輸出的 Internet 網關。
如需有關僅限輸出的網際網路閘道的詳細資訊,請參閱使用僅限輸出的網際網路閘道啟用輸出IPv6流量。
JSON
"DefaultIpv6Route": { "Type": "AWS::EC2::Route", "Properties": { "DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": { "Ref": "EgressOnlyInternetGateway" }, "RouteTableId": { "Ref": "RouteTable" } } }, "EgressOnlyInternetGateway": { "Type": "AWS::EC2::EgressOnlyInternetGateway", "Properties": { "VpcId": { "Ref": "VPC" } } }, "RouteTable": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" } } }, "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16" } }
YAML
DefaultIpv6Route: Type: "AWS::EC2::Route" Properties: DestinationIpv6CidrBlock: "::/0" EgressOnlyInternetGatewayId: Ref: "EgressOnlyInternetGateway" RouteTableId: Ref: "RouteTable" EgressOnlyInternetGateway: Type: "AWS::EC2::EgressOnlyInternetGateway" Properties: VpcId: Ref: "VPC" RouteTable: Type: "AWS::EC2::RouteTable" Properties: VpcId: Ref: "VPC" VPC: Type: "AWS::EC2::VPC" Properties: CidrBlock: "10.0.0.0/16"
彈性網路介面 (ENI) 範本片段
使用連接的彈性網路界面建立 Amazon EC2 執行個體 (ENIs)
下列範例程式碼片段會使用指定 Amazon VPC 和子網路中的AWS::EC2::Instance資源建立 Amazon EC2 執行個體。它會將兩個網路介面 (ENIs) 連接至執行個體,透過連接的將彈性 IP 位址與執行個體建立關聯ENIs,以及設定安全性群組SSH和HTTP存取權。建立執行個體時,會將使用者資料做為啟動組態的一部分提供給執行個體。使用者資料包括以 base64 格式編碼的指令碼,以確保將其傳遞至執行個體。啟動執行個體後,指令碼會在引導程序中自動執行。它會安裝ec2-net-utils、設定網路介面並啟動服務。HTTP
若要根據選取的區域判斷適當的 Amazon Machine Image (AMI),程式碼片段會使用在RegionMap對應中查詢值的Fn::FindInMap函數。此映射必須在較大的範本中定義。這兩個網路介面是使用AWS::EC2::NetworkInterface資源建立的。使用配置給vpc網域的AWS::EC2::EIP資源來指定彈性 IP 位址。這些彈性 IP 位址與使用AWS::EC2::EIPAssociation資源的網路介面相關聯。
Outputs 區段定義您想要在建立堆疊之後存取的值或資源。在此程式碼片段中,定義的輸出為InstancePublicIp,代表堆疊所建立之EC2執行個體的公用 IP 位址。您可以在 AWS CloudFormation 主控台的 [輸出] 索引標籤中擷取此輸出,或使用 describe- stack 指令。
如需彈性網路介面的詳細資訊,請參閱彈性網路介面。
JSON
"Resources": { "ControlPortAddress": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "AssociateControlPort": { "Type": "AWS::EC2::EIPAssociation", "Properties": { "AllocationId": { "Fn::GetAtt": [ "ControlPortAddress", "AllocationId" ] }, "NetworkInterfaceId": { "Ref": "controlXface" } } }, "WebPortAddress": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "AssociateWebPort": { "Type": "AWS::EC2::EIPAssociation", "Properties": { "AllocationId": { "Fn::GetAtt": [ "WebPortAddress", "AllocationId" ] }, "NetworkInterfaceId": { "Ref": "webXface" } } }, "SSHSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VpcId" }, "GroupDescription": "Enable SSH access via port 22", "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "FromPort": 22, "IpProtocol": "tcp", "ToPort": 22 } ] } }, "WebSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VpcId" }, "GroupDescription": "Enable HTTP access via user-defined port", "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "FromPort": 80, "IpProtocol": "tcp", "ToPort": 80 } ] } }, "controlXface": { "Type": "AWS::EC2::NetworkInterface", "Properties": { "SubnetId": { "Ref": "SubnetId" }, "Description": "Interface for controlling traffic such as SSH", "GroupSet": [ { "Fn::GetAtt": [ "SSHSecurityGroup", "GroupId" ] } ], "SourceDestCheck": true, "Tags": [ { "Key": "Network", "Value": "Control" } ] } }, "webXface": { "Type": "AWS::EC2::NetworkInterface", "Properties": { "SubnetId": { "Ref": "SubnetId" }, "Description": "Interface for web traffic", "GroupSet": [ { "Fn::GetAtt": [ "WebSecurityGroup", "GroupId" ] } ], "SourceDestCheck": true, "Tags": [ { "Key": "Network", "Value": "Web" } ] } }, "Ec2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": { "Fn::FindInMap": [ "RegionMap", { "Ref": "AWS::Region" }, "AMI" ] }, "KeyName": { "Ref": "KeyName" }, "NetworkInterfaces": [ { "NetworkInterfaceId": { "Ref": "controlXface" }, "DeviceIndex": "0" }, { "NetworkInterfaceId": { "Ref": "webXface" }, "DeviceIndex": "1" } ], "Tags": [ { "Key": "Role", "Value": "Test Instance" } ], "UserData": { "Fn::Base64": { "Fn::Sub": "#!/bin/bash -xe\nyum install ec2-net-utils -y\nec2ifup eth1\nservice httpd start\n" } } } } }, "Outputs": { "InstancePublicIp": { "Description": "Public IP Address of the EC2 Instance", "Value": { "Fn::GetAtt": [ "Ec2Instance", "PublicIp" ] } } }
YAML
Resources: ControlPortAddress: Type: 'AWS::EC2::EIP' Properties: Domain: vpc AssociateControlPort: Type: 'AWS::EC2::EIPAssociation' Properties: AllocationId: Fn::GetAtt: - ControlPortAddress - AllocationId NetworkInterfaceId: Ref: controlXface WebPortAddress: Type: 'AWS::EC2::EIP' Properties: Domain: vpc AssociateWebPort: Type: 'AWS::EC2::EIPAssociation' Properties: AllocationId: Fn::GetAtt: - WebPortAddress - AllocationId NetworkInterfaceId: Ref: webXface SSHSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: VpcId: Ref: VpcId GroupDescription: Enable SSH access via port 22 SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 22 IpProtocol: tcp ToPort: 22 WebSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: VpcId: Ref: VpcId GroupDescription: Enable HTTP access via user-defined port SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 80 IpProtocol: tcp ToPort: 80 controlXface: Type: 'AWS::EC2::NetworkInterface' Properties: SubnetId: Ref: SubnetId Description: Interface for controlling traffic such as SSH GroupSet: - Fn::GetAtt: - SSHSecurityGroup - GroupId SourceDestCheck: true Tags: - Key: Network Value: Control webXface: Type: 'AWS::EC2::NetworkInterface' Properties: SubnetId: Ref: SubnetId Description: Interface for web traffic GroupSet: - Fn::GetAtt: - WebSecurityGroup - GroupId SourceDestCheck: true Tags: - Key: Network Value: Web Ec2Instance: Type: AWS::EC2::Instance Properties: ImageId: Fn::FindInMap: - RegionMap - Ref: AWS::Region - AMI KeyName: Ref: KeyName NetworkInterfaces: - NetworkInterfaceId: Ref: controlXface DeviceIndex: "0" - NetworkInterfaceId: Ref: webXface DeviceIndex: "1" Tags: - Key: Role Value: Test Instance UserData: Fn::Base64: !Sub | #!/bin/bash -xe yum install ec2-net-utils -y ec2ifup eth1 service httpd start Outputs: InstancePublicIp: Description: Public IP Address of the EC2 Instance Value: Fn::GetAtt: - Ec2Instance - PublicIp
