本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
設定 Amazon VPC 資源 AWS CloudFormation
本節提供使用 AWS CloudFormation設定 Amazon VPC 資源的範例。VPC 可讓您在其中建立虛擬網路 AWS,而這些程式碼片段會示範如何設定 VPC 的各個層面以符合您的網路需求。
在 VPC 中啟用僅限 IPv6 傳入網際網路存取
僅限傳入網際網路閘道允許 VPC 內的執行個體存取網際網路,並阻止網際網路上的資源與執行個體通訊。下列程式碼片段會從 VPC 內啟用僅限 IPv6 傳入網際網路存取。它會使用 AWS::EC2::VPC 資源建立具有 10.0.0/16 IPv4 地址範圍的 VPC。路由表與使用資源的此 VPC 資源相關聯AWS::EC2::RouteTable。路由表會管理 VPC 內執行個體的路由。用AWS::EC2::EgressOnlyInternetGateway於建立僅限輸出的網際網路閘道,以針對 VPC 內執行個體的輸出流量啟用 IPv6 通訊,同時防止輸入流量。指定AWS::EC2::Route資源以在路由表中建立 IPv6 路由,將所有輸出 IPv6 流量 (::/0) 導向至僅輸出的網際網路閘道。
如需僅限傳出網際網路閘道的詳細資訊,請參閱使用僅限傳出網際網路閘道啟用傳出 IPv6 流量。
JSON
"DefaultIpv6Route": { "Type": "AWS::EC2::Route", "Properties": { "DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": { "Ref": "EgressOnlyInternetGateway" }, "RouteTableId": { "Ref": "RouteTable" } } }, "EgressOnlyInternetGateway": { "Type": "AWS::EC2::EgressOnlyInternetGateway", "Properties": { "VpcId": { "Ref": "VPC" } } }, "RouteTable": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "VPC" } } }, "VPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16" } }
YAML
DefaultIpv6Route: Type: "AWS::EC2::Route" Properties: DestinationIpv6CidrBlock: "::/0" EgressOnlyInternetGatewayId: Ref: "EgressOnlyInternetGateway" RouteTableId: Ref: "RouteTable" EgressOnlyInternetGateway: Type: "AWS::EC2::EgressOnlyInternetGateway" Properties: VpcId: Ref: "VPC" RouteTable: Type: "AWS::EC2::RouteTable" Properties: VpcId: Ref: "VPC" VPC: Type: "AWS::EC2::VPC" Properties: CidrBlock: "10.0.0.0/16"
彈性網路介面 (ENI) 範本程式碼片段
使用附接的彈性網絡介面 (ENI) 建立 Amazon EC2 執行個體
下列範例程式碼片段會使用指定 Amazon VPC 和子網路中的AWS::EC2::Instance資源建立 Amazon EC2 執行個體。它會將兩個網路介面 (ENI) 附接至執行個體,透過附接的 ENI 將彈性 IP 地址與執行個體建立關聯,以及設定安全群組進行 SSH 和 HTTP 存取。建立執行個體時,會將使用者資料做為啟動組態的一部分提供給執行個體。使用者資料包括以 base64 格式編碼的指令碼,以確保將其傳遞至執行個體。啟動執行個體後,指令碼會在引導程序中自動執行。它會安裝 ec2-net-utils、設定網路介面,以及啟動 HTTP 服務。
若要根據選取的區域確定適當的 Amazon Machine Image (AMI),程式碼片段會使用可在 RegionMap 映射中查詢值的 Fn::FindInMap 函數。此映射必須在較大的範本中定義。這兩個網路介面是使用AWS::EC2::NetworkInterface 資源建立的。使用配置給 vpc 網域的 AWS::EC2::EIP 資源指定彈性 IP 地址。這些彈性 IP 地址與使用 AWS::EC2::EIPAssociation 資源的網路介面相關聯。
Outputs 區段定義您想要在建立堆疊之後存取的值或資源。在此程式碼片段中,定義的輸出為 InstancePublicIp,代表堆疊建立的 EC2 執行個體的公有 IP 地址。您可以在 AWS CloudFormation 主控台的 [輸出] 索引標籤中擷取此輸出,或使用aws cloudformation describe-stacks指令。
如需彈性網路介面的詳細資訊,請參閱彈性網路介面。
JSON
"Resources": { "ControlPortAddress": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "AssociateControlPort": { "Type": "AWS::EC2::EIPAssociation", "Properties": { "AllocationId": { "Fn::GetAtt": [ "ControlPortAddress", "AllocationId" ] }, "NetworkInterfaceId": { "Ref": "controlXface" } } }, "WebPortAddress": { "Type": "AWS::EC2::EIP", "Properties": { "Domain": "vpc" } }, "AssociateWebPort": { "Type": "AWS::EC2::EIPAssociation", "Properties": { "AllocationId": { "Fn::GetAtt": [ "WebPortAddress", "AllocationId" ] }, "NetworkInterfaceId": { "Ref": "webXface" } } }, "SSHSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VpcId" }, "GroupDescription": "Enable SSH access via port 22", "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "FromPort": 22, "IpProtocol": "tcp", "ToPort": 22 } ] } }, "WebSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId": { "Ref": "VpcId" }, "GroupDescription": "Enable HTTP access via user-defined port", "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", "FromPort": 80, "IpProtocol": "tcp", "ToPort": 80 } ] } }, "controlXface": { "Type": "AWS::EC2::NetworkInterface", "Properties": { "SubnetId": { "Ref": "SubnetId" }, "Description": "Interface for controlling traffic such as SSH", "GroupSet": [ { "Fn::GetAtt": [ "SSHSecurityGroup", "GroupId" ] } ], "SourceDestCheck": true, "Tags": [ { "Key": "Network", "Value": "Control" } ] } }, "webXface": { "Type": "AWS::EC2::NetworkInterface", "Properties": { "SubnetId": { "Ref": "SubnetId" }, "Description": "Interface for web traffic", "GroupSet": [ { "Fn::GetAtt": [ "WebSecurityGroup", "GroupId" ] } ], "SourceDestCheck": true, "Tags": [ { "Key": "Network", "Value": "Web" } ] } }, "Ec2Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": { "Fn::FindInMap": [ "RegionMap", { "Ref": "AWS::Region" }, "AMI" ] }, "KeyName": { "Ref": "KeyName" }, "NetworkInterfaces": [ { "NetworkInterfaceId": { "Ref": "controlXface" }, "DeviceIndex": "0" }, { "NetworkInterfaceId": { "Ref": "webXface" }, "DeviceIndex": "1" } ], "Tags": [ { "Key": "Role", "Value": "Test Instance" } ], "UserData": { "Fn::Base64": { "Fn::Sub": "#!/bin/bash -xe\nyum install ec2-net-utils -y\nec2ifup eth1\nservice httpd start\n" } } } } }, "Outputs": { "InstancePublicIp": { "Description": "Public IP Address of the EC2 Instance", "Value": { "Fn::GetAtt": [ "Ec2Instance", "PublicIp" ] } } }
YAML
Resources: ControlPortAddress: Type: 'AWS::EC2::EIP' Properties: Domain: vpc AssociateControlPort: Type: 'AWS::EC2::EIPAssociation' Properties: AllocationId: Fn::GetAtt: - ControlPortAddress - AllocationId NetworkInterfaceId: Ref: controlXface WebPortAddress: Type: 'AWS::EC2::EIP' Properties: Domain: vpc AssociateWebPort: Type: 'AWS::EC2::EIPAssociation' Properties: AllocationId: Fn::GetAtt: - WebPortAddress - AllocationId NetworkInterfaceId: Ref: webXface SSHSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: VpcId: Ref: VpcId GroupDescription: Enable SSH access via port 22 SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 22 IpProtocol: tcp ToPort: 22 WebSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: VpcId: Ref: VpcId GroupDescription: Enable HTTP access via user-defined port SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 80 IpProtocol: tcp ToPort: 80 controlXface: Type: 'AWS::EC2::NetworkInterface' Properties: SubnetId: Ref: SubnetId Description: Interface for controlling traffic such as SSH GroupSet: - Fn::GetAtt: - SSHSecurityGroup - GroupId SourceDestCheck: true Tags: - Key: Network Value: Control webXface: Type: 'AWS::EC2::NetworkInterface' Properties: SubnetId: Ref: SubnetId Description: Interface for web traffic GroupSet: - Fn::GetAtt: - WebSecurityGroup - GroupId SourceDestCheck: true Tags: - Key: Network Value: Web Ec2Instance: Type: AWS::EC2::Instance Properties: ImageId: Fn::FindInMap: - RegionMap - Ref: AWS::Region - AMI KeyName: Ref: KeyName NetworkInterfaces: - NetworkInterfaceId: Ref: controlXface DeviceIndex: "0" - NetworkInterfaceId: Ref: webXface DeviceIndex: "1" Tags: - Key: Role Value: Test Instance UserData: Fn::Base64: !Sub | #!/bin/bash -xe yum install ec2-net-utils -y ec2ifup eth1 service httpd start Outputs: InstancePublicIp: Description: Public IP Address of the EC2 Instance Value: Fn::GetAtt: - Ec2Instance - PublicIp
