This is a complete CloudFormation template that builds a VPC with public and private subnets in three AWS Availability Zones.
"Public" means a subnet can receive traffic directly from the Internet: its route table sends 0.0.0.0/0 to an Internet Gateway. "Private" means a subnet cannot receive traffic directly from the Internet: its route table sends 0.0.0.0/0 to a NAT Gateway, which only allows connections initiated from inside the subnet (and their replies) to pass.
Most of the subnetting ideas come from this excellent AWS blog post on Practical VPC Design.
You'll first need to determine your IP Address CIDR block for your VPC. In this example, we are using the 10.0.0.0/8 private address space.
We have carved the example 10.0.0.0/8 address space into four /10 address spaces. A /10 address space is assigned to a given AWS Region. This means we could be in four different AWS Regions. In practice we will use only two Regions, US-West-2 and US-East-1. This will support up to 64 /16 VPCs in each Region.
Location | AWS Region | IP CIDR | Address Range |
---|---|---|---|
Oregon | us-west-2 | 10.0.0.0/10 | 10.0.0.0 - 10.63.255.255 |
Virginia | us-east-1 | 10.64.0.0/10 | 10.64.0.0 - 10.127.255.255 |
reserved | | 10.128.0.0/10 | 10.128.0.0 - 10.191.255.255 |
reserved | | 10.192.0.0/10 | 10.192.0.0 - 10.255.255.255 |
Here are the example VPC CIDR blocks we'll be using:
Oregon (us-west-2): 10.0.0.0/16
Virginia (us-east-1): 10.64.0.0/16
See the AWS VPC sizing docs for more info.
You are free to use any /16 to /28 CIDR block in the RFC 1918 private address ranges, but the VPC CIDR block you pick for this template must not overlap with any existing range you may ever need to route to, either on-prem or in another AWS VPC: overlapping VPCs cannot be peered, and overlapping on-prem ranges cannot be reached over a VPN or Direct Connect connection.
To deploy this VPC template, you'll need to know the VPC CIDR block, the three public, and three private subnet CIDR blocks.
Parameter | Description | Example |
---|---|---|
VpcCidrParam | IPv4 CIDR block (/16 to /28) | 10.0.0.0/16 |
PublicAZASubnetBlock | AZ A public subnet block | 10.0.32.0/20 |
PublicAZBSubnetBlock | AZ B public subnet block | "" |
PublicAZCSubnetBlock | AZ C public subnet block | "" |
PrivateAZASubnetBlock | AZ A private subnet block | 10.0.64.0/19 |
PrivateAZBSubnetBlock | AZ B private subnet block | "" |
PrivateAZCSubnetBlock | AZ C private subnet block | "" |
To make it easier to specify these parameters on the command line, you can use the example Parameters files included in the parameters/ directory.
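The subnet planning and overlap rules above are easy to get wrong by hand, so here is an added example (not part of the template or its parameters/ files) that carves a VPC into the six subnet parameters network.yaml expects, checks the result against the constraints described above, and renders it in the AWS CLI `--parameters file://` JSON format. It assumes the one-/10-per-Region allocation from the table above, AWS's /16 to /28 size limit for VPCs and subnets, the five addresses AWS reserves in every subnet, and an illustrative layout (public subnets from the lower half of the VPC, private subnets from the upper half) that the template itself does not require. The "existing" CIDRs passed to `check_params` are constructed sample input.

```python
"""Plan and sanity-check the CIDR parameters that network.yaml expects.

Added example; not part of the template or of its parameters/ files.
Assumptions: the Region allocation from the table above (one /10 per Region),
AWS's /16-/28 size limit for VPCs and subnets, the five addresses AWS reserves
in every subnet, and the AWS CLI's `--parameters file://` JSON format (a list
of ParameterKey/ParameterValue objects). The layout propose_subnets() picks
(public subnets from the lower half of the VPC, private from the upper half)
is an illustrative choice, not something the template requires.
"""
import ipaddress
import json

# One /10 per Region, from the allocation table above.
REGION_BLOCKS = {
    "us-west-2": ipaddress.ip_network("10.0.0.0/10"),
    "us-east-1": ipaddress.ip_network("10.64.0.0/10"),
}
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Parameter names used by network.yaml, in AZ A/B/C order.
PUBLIC_PARAMS = ("PublicAZASubnetBlock", "PublicAZBSubnetBlock", "PublicAZCSubnetBlock")
PRIVATE_PARAMS = ("PrivateAZASubnetBlock", "PrivateAZBSubnetBlock", "PrivateAZCSubnetBlock")
AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def propose_subnets(vpc_cidr, public_prefix=20, private_prefix=19):
    """Carve three public and three private subnets out of the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr)
    lower, upper = vpc.subnets(prefixlen_diff=1)
    if public_prefix < lower.prefixlen or private_prefix < upper.prefixlen:
        raise ValueError(f"{vpc} is too small for /{public_prefix} and /{private_prefix} subnets")
    publics = list(lower.subnets(new_prefix=public_prefix))[:3]
    privates = list(upper.subnets(new_prefix=private_prefix))[:3]
    if len(publics) < 3 or len(privates) < 3:
        raise ValueError(f"{vpc} does not hold three /{public_prefix} and three /{private_prefix} subnets")
    params = {"VpcCidrParam": str(vpc)}
    params.update(zip(PUBLIC_PARAMS, map(str, publics)))
    params.update(zip(PRIVATE_PARAMS, map(str, privates)))
    return params


def check_params(region, params, existing_cidrs=()):
    """Return a list of problems; an empty list means the parameter set is deployable.

    Checks RFC 1918 membership, the /16-/28 limits, that the VPC sits inside the
    Region's /10, that every subnet sits inside the VPC and overlaps no other
    subnet, and that the VPC overlaps none of the existing (on-prem / other VPC)
    ranges the caller passes in.
    """
    problems = []
    vpc = ipaddress.ip_network(params["VpcCidrParam"])
    if not any(vpc.subnet_of(r) for r in RFC1918):
        problems.append(f"VPC {vpc} is not in an RFC 1918 range")
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    region_block = REGION_BLOCKS.get(region)
    if region_block is None or not vpc.subnet_of(region_block):
        problems.append(f"VPC {vpc} is outside the allocation for {region}")
    for cidr in existing_cidrs:
        other = ipaddress.ip_network(cidr)
        if vpc.overlaps(other):
            problems.append(f"VPC {vpc} overlaps existing range {other}")
    names = PUBLIC_PARAMS + PRIVATE_PARAMS
    problems += [f"{n} is not set" for n in names if n not in params]
    subnets = [(n, ipaddress.ip_network(params[n])) for n in names if n in params]
    for name, net in subnets:
        if not net.subnet_of(vpc):
            problems.append(f"{name}={net} is not inside VPC {vpc}")
        if net.prefixlen > 28:
            problems.append(f"{name}={net} is smaller than the /28 AWS minimum")
    for i, (a_name, a) in enumerate(subnets):
        for b_name, b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name}={a} overlaps {b_name}={b}")
    return problems


def usable_hosts(cidr):
    """Addresses you can actually assign in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def parameters_file(params):
    """Render params in the AWS CLI `--parameters file://` JSON format."""
    return json.dumps(
        [{"ParameterKey": k, "ParameterValue": v} for k, v in params.items()], indent=2
    )


if __name__ == "__main__":
    params = propose_subnets("10.0.0.0/16")
    # Constructed sample of ranges that already exist elsewhere (on-prem, peered VPC).
    print(check_params("us-west-2", params, existing_cidrs=["192.168.0.0/16", "10.64.0.0/16"]))
    print(check_params("us-west-2", params, existing_cidrs=["10.0.128.0/17"]))
    print(parameters_file(params))
```

Write the output of `parameters_file()` to `parameters/<region>/<acct>.json` and the create-stack command further down will accept it as-is. Run `check_params()` with every CIDR you already route to (other VPCs, on-prem, partner ranges) before the first deployment: a VPC CIDR cannot be changed after creation, so an overlap found later means rebuilding the stack.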
If you'd like to deploy this stack from the command line, you'll need the AWS CLI. Validate the template first:
aws cloudformation validate-template --template-body file://network.yaml
You will need to verify you have the appropriate parameters file for the AWS Region and account/environment you want to deploy to. See ./parameters/<region>/<acct>.json, for example parameters/us-west-2/dev.json.
aws cloudformation create-stack --template-body file://network.yaml --stack-name main-vpc --parameters file://parameters/us-west-2/dev.json
aws cloudformation update-stack --template-body file://network.yaml --stack-name main-vpc --parameters file://parameters/us-west-2/dev.json
AWS CloudFormation supports exporting Resource names and properties. You can import these Cross-Stack References in other templates.
This VPC template exports the following values for use in other CloudFormation templates. Each export name is prefixed with the Stack Name, so the names below assume the stack was launched as "main-vpc"; with that name, the VPC's public route table is exported as "main-vpc-public-rtb".
Export | Description | Example |
---|---|---|
main-vpc-VpcId | VPC Id | vpc-1234abcd |
main-vpc-public-rtb | Public Route table Id (shared by all public subnets) | rtb-1234abcd |
main-vpc-public-AZ-A-subnet | AZ A public subnet Id | subnet-1234abcd |
main-vpc-public-AZ-B-subnet | AZ B public subnet Id | "" |
main-vpc-public-AZ-C-subnet | AZ C public subnet Id | "" |
main-vpc-private-AZ-A-subnet | AZ A private subnet Id | subnet-abcd1234 |
main-vpc-private-AZ-B-subnet | AZ B private subnet Id | "" |
main-vpc-private-AZ-C-subnet | AZ C private subnet Id | "" |
main-vpc-private-AZ-A-rtb | Route table for private subnets in AZ A | rtb-abcd1234 |
main-vpc-private-AZ-B-rtb | Route table for private subnets in AZ B | "" |
main-vpc-private-AZ-C-rtb | Route table for private subnets in AZ C | "" |
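As an added example of consuming these exports (this is not part of network.yaml), the following template places a host in the AZ A private subnet and gives it a security group that admits HTTPS only from inside the VPC. It assumes the network stack was launched as "main-vpc" (override `NetworkStackName` otherwise), that `AmiId` is supplied at deploy time, and that `AllowedCidr` is set to the VPC's CIDR, which network.yaml does not export.

```yaml
# Added example consumer template; not part of network.yaml.
# Assumes the network stack is named "main-vpc" unless NetworkStackName is
# overridden, and that AmiId and AllowedCidr are supplied at deploy time.
AWSTemplateFormatVersion: "2010-09-09"
Description: App host in the AZ A private subnet, reachable only from inside the VPC

Parameters:
  NetworkStackName:
    Type: String
    Default: main-vpc
  AmiId:
    Type: AWS::EC2::Image::Id
  AllowedCidr:
    Type: String
    Default: 10.0.0.0/16   # the VPC CIDR; network.yaml does not export it

Resources:
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from inside the VPC only
      VpcId:
        Fn::ImportValue: !Sub "${NetworkStackName}-VpcId"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref AllowedCidr

  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      SubnetId:
        Fn::ImportValue: !Sub "${NetworkStackName}-private-AZ-A-subnet"
      SecurityGroupIds:
        - !Ref AppSecurityGroup
```

Two caveats worth knowing before you build on the exports: exports are scoped to one account and Region, so the consumer stack must live in the same account and Region as the network stack; and CloudFormation will refuse to delete the network stack, or to change an exported value, while any stack still imports it. `aws cloudformation list-exports` shows what the running network stack exports, and `aws cloudformation list-imports --export-name main-vpc-VpcId` shows which stacks depend on a given export.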
Licensed under the Apache License, Version 2.0.