利用CloudFormation自动化部署AWS GWLB集成Palo Alto防火墙_assumerolepolicydocument update-优快云博客

本文档介绍了如何利用CloudFormation模板在AWS VPC中快速部署GWLB，并与Palo Alto防火墙集成，实现流量集中检测。提供了CloudFormation代码示例，以及通过命令行配置Palo Alto的步骤。测试部分包括HTTP访问和RDP连接的验证，确保环境的正确配置。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

AWS VPC 流量集中检测系列--(2)利用CloudFormation自动化部署AWS GWLB集成Palo Alto防火墙

B站视频：https://www.bilibili.com/video/BV1EP411N73r/?spm_id_from=333.999.0.0

上一篇文章讲过了AWS GWLB如何集成Palo Alto防火墙，来对流量做集中检测。上一次实验是通过AWS 控制台操作的，部署起来还是比较繁琐的，这里分享一下实验环境的CloudFormation代码，帮助大家快速部署一下实验环境。

一、CloudFormation 代码部署

这里的CloudFormation代码在Tokyo区域(ap-northeast-1)部署的，如果要在其他Region部署，请修改paloalto和windows的ami id。堆栈大概会在8分钟创建完成。

AWSTemplateFormatVersion: "2010-09-09"

Mappings:
  RegionMap:
    ap-northeast-1:
      PaBundle1: ami-0bcddfc3678d5a897
      PaBundle2: ami-0c4d901d7a5370b78
    us-west-2:
      PaBundle1: ami-01d7ef8ff7ddaff25
      PaBundle2: ami-0d45d840ed2fe3eba
Parameters:
  EC2InstanceAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'

  MyKeyPair:
    Description: Amazon EC2 Key Pair
    Type: AWS::EC2::KeyPair::KeyName

  PaVmType:
    Description: Choice PA Firewall License Type
    Type: String
    Default: PaBundle2
    AllowedValues:
      - PaBundle1
      - PaBundle2

Resources:
#=========================================创建SSM Role========================================#

  BastionSsmRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /

  BastionSsmPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ApplianceInstanceAccess
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - ssm:DescribeAssociation
              - ssm:GetDeployablePatchSnapshotForInstance
              - ssm:GetDocument
              - ssm:DescribeDocument
              - ssm:GetManifest
              - ssm:GetParameter
              - ssm:GetParameters
              - ssm:ListAssociations
              - ssm:ListInstanceAssociations
              - ssm:PutInventory
              - ssm:PutComplianceItems
              - ssm:PutConfigurePackageResult
              - ssm:UpdateAssociationStatus
              - ssm:UpdateInstanceAssociationStatus
              - ssm:UpdateInstanceInformation
            Resource: "*"
          - Effect: Allow
            Action:
              - ssmmessages:CreateControlChannel
              - ssmmessages:CreateDataChannel
              - ssmmessages:OpenControlChannel
              - ssmmessages:OpenDataChannel
            Resource: "*"
          - Effect: Allow
            Action:
              - ec2messages:AcknowledgeMessage
              - ec2messages:DeleteMessage
              - ec2messages:FailMessage
              - ec2messages:GetEndpoint
              - ec2messages:GetMessages
              - ec2messages:SendReply
            Resource: "*"
      Roles:
        - !Ref BastionSsmRole

  BastionSsmProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref BastionSsmRole
#=========================================创建VPC、IGW========================================#
# 创建一SecVpc
  SecVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.20.0.0/16
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
       - Key: Name
         Value: SecVpc

# 创建IGW并且关联到VPC
  SecVpcIGW:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - Key: Name
          Value: SecVpcIGW

  SecVpcAttachIgw:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      VpcId: !Ref SecVpc
      InternetGatewayId: !Ref SecVpcIGW

#---------------------------SecVpc创建4个子网-------------------------------------#

# SecVpc AZ1内创建GWLB子网
  Az1GwlbSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.10.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      Tags:
      - Key: Name
        Value: SecVpc-GWLB1-Subnet

# SecVpc AZ2内创建GWLB子网
  Az2GwlbSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.30.0/24
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      Tags:
      - Key: Name
        Value: SecVpc-GWLB2-Subnet

# SecVpc AZ1内创建MGT子网
  Az1MgtSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.20.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      Tags:
      - Key: Name
        Value: SecVpc-MGT1-Subnet

# SecVpc AZ2内创建MGT子网
  Az2MgtSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.40.0/24
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      Tags:
      - Key: Name
        Value: SecVpc-MGT2-Subnet

#---------------------------SecVpc创建路由表-------------------------------------#

# SecVpc创建管理网段的路由表
  MgtRouteTable:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref SecVpc
      Tags:
        - Key: Name
          Value: SecVpc-Mgt-route-table

# Mgt路由表关联子网
  Az1MgtSubnetAssociation:
    Type: "AWS: