

{
  "Resources": {
    "VpcLambda": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.15.0.0/16"
      }
    },
    "SubnetLambdaPublic1": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "CidrBlock": "10.15.0.0/18",
        "AvailabilityZone": "us-east-1a",
        "MapPublicIpOnLaunch": true,
        "VpcId": {
          "Ref": "VpcLambda"
        }
      }
    },
    "SubnetLambdaPublic2": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "CidrBlock": "10.15.64.0/18",
        "AvailabilityZone": "us-east-1b",
        "MapPublicIpOnLaunch": true,
        "VpcId": {
          "Ref": "VpcLambda"
        }
      }
    },
    "SubnetLambdaPrivate1": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "CidrBlock": "10.15.128.0/18",
        "AvailabilityZone": "us-east-1a",
        "MapPublicIpOnLaunch": false,
        "VpcId": {
          "Ref": "VpcLambda"
        }
      }
    },
    "SubnetLambdaPrivate2": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "CidrBlock": "10.15.192.0/18",
        "AvailabilityZone": "us-east-1b",
        "MapPublicIpOnLaunch": false,
        "VpcId": {
          "Ref": "VpcLambda"
        }
      }
    },
    "InternetGatewayLambda": {
      "Type": "AWS::EC2::InternetGateway"
    },
    "VPCGatewayAttachmentLambda": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {
        "VpcId": {
          "Ref": "VpcLambda"
        },
        "InternetGatewayId": {
          "Ref": "InternetGatewayLambda"
        }
      }
    },
    "ElasticIpLambda1": {
      "Type": "AWS::EC2::EIP",
      "Properties": {
        "Domain": "vpc"
      }
    },
    "ElasticIpLambda2": {
      "Type": "AWS::EC2::EIP",
      "Properties": {
        "Domain": "vpc"
      }
    },
    "NatGatewayLambda1": {
      "DependsOn": "VPCGatewayAttachmentLambda",
      "Type": "AWS::EC2::NatGateway",
      "Properties": {
        "AllocationId": {
          "Fn::GetAtt": [
            "ElasticIpLambda1",
            "AllocationId"
          ]
        },
        "SubnetId": {
          "Ref": "SubnetLambdaPublic1"
        }
      }
    },
    "NatGatewayLambda2": {
      "DependsOn": "VPCGatewayAttachmentLambda",
      "Type": "AWS::EC2::NatGateway",
      "Properties": {
        "AllocationId": {
          "Fn::GetAtt": [
            "ElasticIpLambda2",
            "AllocationId"
          ]
        },
        "SubnetId": {
          "Ref": "SubnetLambdaPublic2"
        }
      }
    },
    "RouteTableLambdaPublic1": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": {
          "Ref": "VpcLambda"
        }
      }
    },
    "RouteTableLambdaPublic2": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": {
          "Ref": "VpcLambda"
        }
      }
    },
    "RouteTableLambdaPrivate1": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": {
          "Ref": "VpcLambda"
        }
      }
    },
    "RouteTableLambdaPrivate2": {
      "Type": "AWS::EC2::RouteTable",
      "Properties": {
        "VpcId": {
          "Ref": "VpcLambda"
        }
      }
    },
    "RouteLambdaPublic1": {
      "Type": "AWS::EC2::Route",
      "DependsOn": "VPCGatewayAttachmentLambda",
      "Properties": {
        "RouteTableId": {
          "Ref": "RouteTableLambdaPublic1"
        },
        "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": {
          "Ref": "InternetGatewayLambda"
        }
      }
    },
    "RouteLambdaPublic2": {
      "Type": "AWS::EC2::Route",
      "DependsOn": "VPCGatewayAttachmentLambda",
      "Properties": {
        "RouteTableId": {
          "Ref": "RouteTableLambdaPublic2"
        },
        "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": {
          "Ref": "InternetGatewayLambda"
        }
      }
    },
    "RouteLambdaPrivate1": {
      "Type": "AWS::EC2::Route",
      "Properties": {
        "RouteTableId": {
          "Ref": "RouteTableLambdaPrivate1"
        },
        "DestinationCidrBlock": "0.0.0.0/0",
        "NatGatewayId": {
          "Ref": "NatGatewayLambda1"
        }
      }
    },
    "RouteLambdaPrivate2": {
      "Type": "AWS::EC2::Route",
      "Properties": {
        "RouteTableId": {
          "Ref": "RouteTableLambdaPrivate2"
        },
        "DestinationCidrBlock": "0.0.0.0/0",
        "NatGatewayId": {
          "Ref": "NatGatewayLambda2"
        }
      }
    },
    "SubnetRouteTableAssociationLambdaPublic1": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": {
          "Ref": "SubnetLambdaPublic1"
        },
        "RouteTableId": {
          "Ref": "RouteTableLambdaPublic1"
        }
      }
    },
    "SubnetRouteTableAssociationLambdaPublic2": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": {
          "Ref": "SubnetLambdaPublic2"
        },
        "RouteTableId": {
          "Ref": "RouteTableLambdaPublic2"
        }
      }
    },
    "SubnetRouteTableAssociationLambdaPrivate1": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": {
          "Ref": "SubnetLambdaPrivate1"
        },
        "RouteTableId": {
          "Ref": "RouteTableLambdaPrivate1"
        }
      }
    },
    "SubnetRouteTableAssociationLambdaPrivate2": {
      "Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {
        "SubnetId": {
          "Ref": "SubnetLambdaPrivate2"
        },
        "RouteTableId": {
          "Ref": "RouteTableLambdaPrivate2"
        }
      }
    },
    "SecurityGroupLambda": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Security group for lambda functions",
        "VpcId": {
          "Ref": "VpcLambda"
        }
      }
    }
  },
  "Outputs": {
    "VpcSubnetIdLambda1": {
      "Description": "ID of private subnet #1 (us-east-1a, egress via NatGatewayLambda1) to use for lambda functions",
      "Value": {
        "Ref": "SubnetLambdaPrivate1"
      }
    },
    "VpcSubnetIdLambda2": {
      "Description": "ID of private subnet #2 (us-east-1b, egress via NatGatewayLambda2) to use for lambda functions",
      "Value": {
        "Ref": "SubnetLambdaPrivate2"
      }
    },
    "IpAddressLambda1": {
      "Description": "Elastic IP of NAT gateway #1: the public source address for outbound traffic from private subnet #1, lambda functions included",
      "Value": {
        "Ref": "ElasticIpLambda1"
      }
    },
    "IpAddressLambda2": {
      "Description": "Elastic IP of NAT gateway #2: the public source address for outbound traffic from private subnet #2, lambda functions included",
      "Value": {
        "Ref": "ElasticIpLambda2"
      }
    },
    "SecurityGroupIdLambda": {
      "Description": "ID of the security group used for lambda functions (no ingress or egress rules are declared in this template)",
      "Value": {
        "Ref": "SecurityGroupLambda"
      }
    }
  }
}

CloudFormation snippet to create a VPC to be used for lambda functions. Qualities of the VPC:

  • 4 subnets: 2 public, 2 private. Lambda functions should be attached to the private ones, whose default route (RouteLambdaPrivate1/2) goes through the NAT gateways; the public subnets only host the NAT gateways and route straight to the internet gateway.
  • 2 Elastic IPs (one per NAT gateway) that can be used to identify traffic coming from lambda functions (e.g. for firewall holes). Note that these addresses are shared by everything that egresses from the private subnets through the NAT gateways, so allowlisting them on a remote firewall trusts the whole private side of this VPC, not only the lambda functions.
  • Security group that can be used for lambda functions. The template declares no SecurityGroupIngress or SecurityGroupEgress entries, so the group carries only AWS's default allow-all outbound rule; add explicit egress rules if the functions only need to reach specific endpoints.

Notes:

  • uses availability zones us-east-1a and us-east-1b (hard-coded, so the template can only be deployed in the us-east-1 region)
  • uses the CIDR block 10.15.0.0/16 for the VPC, split into four /18 subnets (10.15.0.0/18 and 10.15.64.0/18 public, 10.15.128.0/18 and 10.15.192.0/18 private)