Automating the Deployment of AWS GWLB Integrated with a FortiGate Firewall Using CloudFormation

AWS VPC Centralized Traffic Inspection Series (4): Automating the Deployment of AWS GWLB Integrated with a FortiGate Firewall Using CloudFormation

Bilibili video: https://www.bilibili.com/video/BV1LG411j7v4/?spm_id_from=333.999.0.0

The previous article covered how AWS GWLB integrates with a FortiGate firewall to inspect traffic centrally. That lab was built by hand in the AWS console; here I share the CloudFormation code for the lab environment so that you can deploy it quickly.

1. Deploying the CloudFormation code

The CloudFormation code here is deployed in the Tokyo region. To deploy in another Region, change the AMI IDs for FortiGate and Windows2022Base in the RegionMap (see my earlier article "How to find the AMI ID of a specific EC2 version").

This CloudFormation template is fully automated: once the stack has finished running you can test the behaviour directly, with no additional configuration. By default the firewall is deployed with version 6.4.10; to use 7.2.2, refer to part four and modify the firewall-related code.
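Before running the stack in a new Region, two things are worth checking automatically: that the RegionMap actually carries AMI IDs for that Region (otherwise the FortiGate and Windows instances fail to launch), and which security-group ingress rules are open to 0.0.0.0/0 on management ports. The following pre-flight checker is an added example written for this article, not code from the original post or from Fortinet or AWS. It is plain Python with only the standard library; the template it inspects is a constructed sample that re-expresses the page's own RegionMap and SecVpcSg in JSON (CloudFormation accepts JSON templates, so the same logic applies to the real file once it is loaded; for the YAML form you would need a YAML loader that knows the short-form tags such as !Ref and !GetAtt). The MGMT_PORTS table and the function names are assumptions of this example.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample input: the page's RegionMap and security group, re-expressed
# as a JSON CloudFormation fragment so the example runs offline without a YAML parser.
SAMPLE_TEMPLATE: Dict = json.loads("""
{
  "Mappings": {
    "RegionMap": {
      "ap-northeast-1": {
        "FortiGate722": "ami-08479d0bce02ca48b",
        "FortiGate6410": "ami-0abf1a002258e8077",
        "Windows2022Base": "ami-06ac5e650e049a48f"
      }
    }
  },
  "Resources": {
    "SecVpcSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "SG to test ping",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp",  "FromPort": 22,   "ToPort": 22,   "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "icmp", "FromPort": -1,   "ToPort": -1,   "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp",  "FromPort": 443,  "ToPort": 443,  "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp",  "FromPort": 8443, "ToPort": 8443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "-1",   "FromPort": -1,   "ToPort": -1,   "CidrIp": "10.20.0.0/16"},
          {"IpProtocol": "-1",   "FromPort": -1,   "ToPort": -1,   "CidrIp": "10.10.0.0/16"},
          {"IpProtocol": "tcp",  "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"}
        ]
      }
    }
  }
}
""")

# Assumed list of management-plane ports whose exposure to the whole Internet we flag.
MGMT_PORTS: Dict[int, str] = {22: "ssh", 443: "https-admin", 8443: "https-alt", 3389: "rdp"}

REQUIRED_AMIS = ("FortiGate722", "FortiGate6410", "Windows2022Base")


def missing_ami_keys(template: Dict, region: str) -> List[str]:
    """Return the RegionMap keys that have no 'ami-…' value for the given region."""
    region_entry = template.get("Mappings", {}).get("RegionMap", {}).get(region, {})
    return [k for k in REQUIRED_AMIS if not str(region_entry.get(k, "")).startswith("ami-")]


def open_mgmt_rules(template: Dict) -> List[Tuple[str, int, str]]:
    """List (security group, port, label) for ingress rules open to 0.0.0.0/0 on a management port.

    A rule with IpProtocol -1 (all traffic) from 0.0.0.0/0 is reported once as port -1.
    """
    findings: List[Tuple[str, int, str]] = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if rule.get("CidrIp") != "0.0.0.0/0":
                continue  # internal ranges such as 10.20.0.0/16 are not what we are looking for
            proto = str(rule.get("IpProtocol"))
            if proto == "-1":
                findings.append((name, -1, "all-traffic"))
                continue
            if proto != "tcp":
                continue  # e.g. the ICMP rule used for ping tests
            lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
            for port, label in MGMT_PORTS.items():
                if lo <= port <= hi:
                    findings.append((name, port, label))
    return findings


def preflight(template: Dict, region: str) -> bool:
    """Print a short report and return True only if the template is ready for the region."""
    missing = missing_ami_keys(template, region)
    exposed = open_mgmt_rules(template)
    for key in missing:
        print(f"[AMI] RegionMap.{region}.{key} is missing: update the AMI ID before deploying")
    for sg, port, label in exposed:
        print(f"[SG] {sg}: port {port} ({label}) is open to 0.0.0.0/0; restrict CidrIp outside a lab")
    return not missing and not exposed


if __name__ == "__main__":
    ok = preflight(SAMPLE_TEMPLATE, "ap-northeast-1")
    print("ready" if ok else "fix the findings above first")
```

Run it against the page's template and it reports nothing for the AMI check in ap-northeast-1 but flags the four management ports that SecVpcSg exposes to the Internet; change the region argument to any other Region and it also lists the three AMI keys you would have to replace.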

AWSTemplateFormatVersion: "2010-09-09"

Mappings:
  RegionMap:
    ap-northeast-1:
      FortiGate722: ami-08479d0bce02ca48b
      FortiGate6410: ami-0abf1a002258e8077
      Windows2022Base: ami-06ac5e650e049a48f
  FirewallInstanceType:
    FortiGate722:
      InstanceType: c6i.xlarge
    FortiGate6410:
      InstanceType: c6i.xlarge

Parameters:
  EC2InstanceAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
  Environment:
    Type: String
    AllowedValues:
      - dev
      - prod
    Default: dev
  MyKeyPair:
    Description: Amazon EC2 Key Pair
    Type: AWS::EC2::KeyPair::KeyName
    Default: Global_Tokyo_KeyPair

  WebServerPort:
    Description: Apache Http Server Port
    Type: String
    Default: 8443
    AllowedValues:
      - 8443
      - 8888
      - 8088
  FortigateVersion:
    Description: Choice Fortigate Firewall Version Type
    Type: String
    Default: FortiGate722
    AllowedValues:
      - FortiGate722
      - FortiGate6410

Resources:
#========================================= Create the VPC and IGW ========================================#
# Create the SecVpc
  SecVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.20.0.0/16
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      Tags:
       - Key: Name
         Value: SecVpc

# Create the IGW and attach it to the VPC
  SecVpcIGW:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
        - Key: Name
          Value: SecVpcIGW

  SecVpcAttachIgw:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      VpcId: !Ref SecVpc
      InternetGatewayId: !Ref SecVpcIGW

#--------------------------- Create 4 subnets in SecVpc -------------------------------------#

# Create the GWLB subnet in SecVpc AZ1
  Az1GwlbSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.10.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      Tags:
      - Key: Name
        Value: SecVpc-GWLB-AZ1-GWLB-Subnet

# Create the GWLB subnet in SecVpc AZ2
  Az2GwlbSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.30.0/24
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      Tags:
      - Key: Name
        Value: SecVpc-GWLB-AZ2-GWLB-Subnet

# Create the MGT subnet in SecVpc AZ1
  Az1MgtSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.20.0/24
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      Tags:
      - Key: Name
        Value: SecVpc-GWLB-AZ1-MGT-Subnet

# Create the MGT subnet in SecVpc AZ2
  Az2MgtSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref SecVpc
      CidrBlock: 10.20.40.0/24
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      Tags:
      - Key: Name
        Value: SecVpc-GWLB-AZ2-MGT-Subnet

#--------------------------- Create the SecVpc route tables -------------------------------------#

# Create the route table for the management subnets in SecVpc
  MgtRouteTable:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref SecVpc
      Tags:
        - Key: Name
          Value: SecVpc-Mgt-route-table

# Associate the Mgt route table with its subnets
  Az1MgtSubnetAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      RouteTableId: !Ref MgtRouteTable
      SubnetId: !Ref Az1MgtSubnet

  Az2MgtSubnetAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      RouteTableId: !Ref MgtRouteTable
      SubnetId: !Ref Az2MgtSubnet

# Create the Gwlb route table in SecVpc
  GwlbRouteTable:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref SecVpc
      Tags:
        - Key: Name
          Value: SecVpc-Gwlb-route-table

# Associate the Gwlb route table with its subnets
  Az1GwlbSubnetAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      RouteTableId: !Ref GwlbRouteTable
      SubnetId: !Ref Az1GwlbSubnet

  Az2GwlbSubnetAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      RouteTableId: !Ref GwlbRouteTable
      SubnetId: !Ref Az2GwlbSubnet


# Add a default route from the management subnets to the IGW.
# The route must wait for the gateway *attachment*, not just the IGW resource:
# a route to an IGW that is not yet attached to the VPC fails at creation time.
  MgtToInternetRoute:
    Type: "AWS::EC2::Route"
    DependsOn: SecVpcAttachIgw
    Properties:
     RouteTableId: !Ref MgtRouteTable
     DestinationCidrBlock: 0.0.0.0/0
     GatewayId: !Ref SecVpcIGW

#--------------------------- Create the SecVpc security group ------------------------------------#

# Create a security group in the SEC VPC.
# Lab-only rules: SSH, HTTPS, 8443 and RDP are open to 0.0.0.0/0 so the test hosts are reachable
# from anywhere; outside a lab, narrow CidrIp on these rules to your administrative source range.
  SecVpcSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG to test ping
      VpcId: !Ref SecVpc
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 0.0.0.0/0
      - IpProtocol: icmp
        FromPort: -1
        ToPort: -1
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: 8443
        ToPort: 8443
        CidrIp: 0.0.0.0/0
      - IpProtocol: -1
        FromPort: -1
        ToPort: -1
        CidrIp: 10.20.0.0/16
      - IpProtocol: -1
        FromPort: -1
        ToPort: -1
        CidrIp: 10.10.0.0/16
      - IpProtocol: tcp
        FromPort: 3389
        ToPort: 3389
        CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: SecVpcSg

#--------------------------- Create the FortiGate interfaces in SecVpc ------------------------------------#

  Fortigate1MgmtEip:
    Type: "AWS::EC2::EIP"
    Properties:
      Tags:
        - Key: Name
          Value: SecVpc-fortigate1-mgmt-eip

  Fortigate1MgmtEni:  # Create the FortiGate1 management interface
    Type: "AWS::EC2::NetworkInterface"
    Properties:
      SourceDestCheck: false
      PrivateIpAddress: 10.20.20.100
      GroupSet:
        - Ref: "SecVpcSg"
      SubnetId:
        Ref: "Az1MgtSubnet"
      Tags:
        - Key: Name
          Value: SecVpc-fortigate1-mgmt-eni

  Fortigate1MgmtEniAssociation:  # Associate the public IP with the Mgt elastic network interface
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !GetAtt Fortigate1MgmtEip.AllocationId # the EIP allocated above
      NetworkInterfaceId: !Ref Fortigate1MgmtEni

  Fortigate1DataEni:  # Create the FortiGate1 data interface
    Type: "AWS::EC2::NetworkInterface"
    Properties:
      SourceDestCheck: false
      PrivateIpAddress: 10.20.10.100
      GroupSet:
        - Ref: "SecVpcSg"
      SubnetId:
        Ref: "Az1GwlbSubnet"
      Tags:
        - Key: Name
          Value: SecVpc-fortigate1-data-eni

  Fortigate2MgmtEip:
    Type: "AWS::EC2::EIP"
    Properties:
      Tags:
        - Key: Name
          Value: SecVpc-fortigate2-mgmt-eip

  Fortigate2MgmtEni:  # Create the FortiGate2 management interface
    Type: "AWS::EC2::NetworkInterface"
    Properties:
      SourceDestCheck: false
      PrivateIpAddress: 10.20.40.100
      GroupSet:
        - Ref: "SecVpcSg"
      SubnetId:
        Ref: "Az2MgtSubnet"
      Tags:
        - 