AWS VPC 流量集中检测系列--(4)利用CloudFormation自动化部署AWS GWLB集成FortiGate防火墙
B站视频: https://www.bilibili.com/video/BV1LG411j7v4/?spm_id_from=333.999.0.0
上一篇文章讲过了AWS GWLB如何集成FortiGate防火墙,来对流量做集中检测。上一次实验是通过AWS 控制台操作的,这里分享一下实验环境的CloudFormation代码,帮助大家快速部署一下实验环境。
一、CloudFormation代码部署
这里的CloudFormation代码在Tokyo区域部署的,如果要在其他Region部署,请修改FortiGate和Windows2022Base的AMI ID(参考我之前的文章《如何寻找EC2特定版本的AMI ID》)。
这次CloudFormation是全自动化代码,堆栈运行完成以后,可以直接测试现象,不需要再做任何额外的配置。默认防火墙使用6.4.10版本部署;如果要使用7.2.2版本,请参考第四部分修改关于防火墙的代码。
# Template format version; single-quoted so YAML does not read it as a date
AWSTemplateFormatVersion: '2010-09-09'
# Lookup tables used by the stack.
# RegionMap only carries ap-northeast-1 (Tokyo); deploying in another region
# means adding that region's FortiGate and Windows Server 2022 AMI IDs here.
Mappings:
  RegionMap:
    ap-northeast-1:
      FortiGate6410: ami-0abf1a002258e8077
      FortiGate722: ami-08479d0bce02ca48b
      Windows2022Base: ami-06ac5e650e049a48f
  # Instance size per firewall release; presumably looked up with the
  # FortigateVersion parameter value as the key (the lookup is not in view)
  FirewallInstanceType:
    FortiGate6410:
      InstanceType: c6i.xlarge
    FortiGate722:
      InstanceType: c6i.xlarge
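# Stack inputs.
# Values that must stay strings are quoted so the YAML loader does not
# re-type them: an unquoted 8443 on a String parameter is parsed as an int.
Parameters:
  # Latest Amazon Linux 2 AMI, resolved from the public SSM parameter at deploy time
  EC2InstanceAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
  Environment:
    Type: String
    AllowedValues:
      - dev
      - prod
    Default: dev
  # The key pair must already exist in the target region; the default is
  # the author's own key name and will not exist in another account
  MyKeyPair:
    Description: Amazon EC2 Key Pair
    Type: AWS::EC2::KeyPair::KeyName
    Default: Global_Tokyo_KeyPair
  # Quoted because Type is String; Default and AllowedValues must match exactly
  WebServerPort:
    Description: Apache Http Server Port
    Type: String
    Default: '8443'
    AllowedValues:
      - '8443'
      - '8888'
      - '8088'
  # NOTE(review): the article text above says 6.4.10 is the default build,
  # but the parameter default here selects FortiGate722 — confirm which is intended
  FortigateVersion:
    Description: Choice Fortigate Firewall Version Type
    Type: String
    Default: FortiGate722
    AllowedValues:
      - FortiGate722
      - FortiGate6410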
Resources:
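# ============================ VPC and Internet Gateway ============================ #
# Security VPC that hosts the GWLB and firewall-management subnets
  SecVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.20.0.0/16
      # Real booleans instead of the quoted strings 'true'
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: SecVpc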
# Internet gateway for the security VPC; attached by SecVpcAttachIgw
  SecVpcIGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: SecVpcIGW
# Attach the IGW to the VPC; any route that targets the IGW needs this to exist first
  SecVpcAttachIgw:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref SecVpcIGW
      VpcId: !Ref SecVpc
# ------------------------- Four subnets in the security VPC ------------------------- #
# GWLB subnet in the first AZ (also holds firewall 1's data ENI)
  Az1GwlbSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.10.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: SecVpc-GWLB-AZ1-GWLB-Subnet
# GWLB subnet in the second AZ
  Az2GwlbSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.30.0/24
      AvailabilityZone: !Select [1, !GetAZs '']
      Tags:
        - Key: Name
          Value: SecVpc-GWLB-AZ2-GWLB-Subnet
# Management subnet in the first AZ (firewall 1 management ENI lives here)
  Az1MgtSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.20.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: SecVpc-GWLB-AZ1-MGT-Subnet
# Management subnet in the second AZ
  Az2MgtSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.40.0/24
      AvailabilityZone: !Select [1, !GetAZs '']
      Tags:
        - Key: Name
          Value: SecVpc-GWLB-AZ2-MGT-Subnet
# ------------------------------- Route tables ------------------------------- #
# Route table for the two management subnets
  MgtRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref SecVpc
      Tags:
        - Key: Name
          Value: SecVpc-Mgt-route-table
# Associate the AZ1 management subnet with the management route table
  Az1MgtSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Az1MgtSubnet
      RouteTableId: !Ref MgtRouteTable
# Associate the AZ2 management subnet with the management route table
  Az2MgtSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Az2MgtSubnet
      RouteTableId: !Ref MgtRouteTable
# Route table for the two GWLB subnets; no default route to the IGW is
# defined for it in this part of the template
  GwlbRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref SecVpc
      Tags:
        - Key: Name
          Value: SecVpc-Gwlb-route-table
# Associate the AZ1 GWLB subnet with the GWLB route table
  Az1GwlbSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Az1GwlbSubnet
      RouteTableId: !Ref GwlbRouteTable
# Associate the AZ2 GWLB subnet with the GWLB route table
  Az2GwlbSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref Az2GwlbSubnet
      RouteTableId: !Ref GwlbRouteTable
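# Default route from the management subnets to the internet.
# DependsOn points at the gateway *attachment*, not the IGW itself: a route
# whose target is an IGW can only be created once that IGW is attached to the
# VPC, and the SecVpcIGW resource existing does not guarantee the attachment
# has completed.
  MgtToInternetRoute:
    Type: AWS::EC2::Route
    DependsOn: SecVpcAttachIgw
    Properties:
      RouteTableId: !Ref MgtRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref SecVpcIGW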
# ------------------------------ Security group ------------------------------ #
# Single security group shared by the firewall management and data ENIs.
# NOTE(review): SSH (22), HTTPS (443), 8443 and RDP (3389) are all open to
# 0.0.0.0/0, and the management ENIs carry public EIPs. Acceptable for a
# short-lived lab; for anything longer-lived, narrow those CidrIp values to an
# admin source range (ideally a stack parameter) and keep only the two
# intra-VPC rules wide.
  SecVpcSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG to test ping
      VpcId: !Ref SecVpc
      SecurityGroupIngress:
        # --- internet-facing rules (see note above) ---
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 8443
          ToPort: 8443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: 0.0.0.0/0
        # --- all traffic from inside the security VPC ---
        - IpProtocol: -1
          FromPort: -1
          ToPort: -1
          CidrIp: 10.20.0.0/16
        # --- all traffic from 10.10.0.0/16; presumably the application VPC
        #     from the earlier article — not defined in this template, confirm ---
        - IpProtocol: -1
          FromPort: -1
          ToPort: -1
          CidrIp: 10.10.0.0/16
      Tags:
        - Key: Name
          Value: SecVpcSg
# --------------------------- FortiGate network interfaces --------------------------- #
# Public IP for firewall 1's management interface
  Fortigate1MgmtEip:
    Type: AWS::EC2::EIP
    Properties:
      Tags:
        - Key: Name
          Value: SecVpc-fortigate1-mgmt-eip
# Firewall 1 management ENI, fixed IP in the AZ1 management subnet
  Fortigate1MgmtEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref Az1MgtSubnet
      PrivateIpAddress: 10.20.20.100
      # Source/destination check disabled, as on the other firewall ENIs
      SourceDestCheck: false
      GroupSet:
        - !Ref SecVpcSg
      Tags:
        - Key: Name
          Value: SecVpc-fortigate1-mgmt-eni
# Bind the management EIP to firewall 1's management ENI
  Fortigate1MgmtEniAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties:
      NetworkInterfaceId: !Ref Fortigate1MgmtEni
      AllocationId: !GetAtt [Fortigate1MgmtEip, AllocationId]
# Firewall 1 data ENI, fixed IP in the AZ1 GWLB subnet (no EIP on this one)
  Fortigate1DataEni:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref Az1GwlbSubnet
      PrivateIpAddress: 10.20.10.100
      SourceDestCheck: false
      GroupSet:
        - !Ref SecVpcSg
      Tags:
        - Key: Name
          Value: SecVpc-fortigate1-data-eni
# Public IP for firewall 2's management interface
  Fortigate2MgmtEip:
    Type: AWS::EC2::EIP
    Properties:
      Tags:
        - Key: Name
          Value: SecVpc-fortigate2-mgmt-eip
Fortigate2MgmtEni: # 创建Fortigate2管理接口
Type: "AWS::EC2::NetworkInterface"
Properties:
SourceDestCheck: false
PrivateIpAddress: 10.20.40.100
GroupSet:
- Ref: "SecVpcSg"
SubnetId:
Ref: "Az2MgtSubnet"
Tags:
-