

AWS - Transit GW

Transit GW 간 피어링 연결 시 각 연결된 VPC 간 통신 가능

# Stack inputs: the key pair attached to every instance, and the AMI id,
# resolved at deploy time from the public SSM parameter for Amazon Linux 2.
Parameters:
  KeyName:
    Type: "AWS::EC2::KeyPair::KeyName"
  LatestAmiId:
    Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
    Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-kernel-5.10-hvm-x86_64-gp2"

Resources:
  # ---------------------------------------------------------------------
  # VPC 1 (10.1.0.0/16): one public subnet with a default route to an IGW.
  # ---------------------------------------------------------------------
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.1.0.0/16"
      # DNS hostnames need DNS support; both are on so instances get names.
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: MyVPC

  MyIGW1:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: MyIGW1

  # Binds the IGW to the VPC; the default route and the instance below
  # wait on this attachment.
  MyIGW1Attachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref MyIGW1

  MyPublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: "10.1.1.0/24"
      # First AZ of the deployment region.
      AvailabilityZone: !Select
        - 0
        - !GetAZs ""
      Tags:
        - Key: Name
          Value: MyPublicSubnet1

  MyPublicRouting1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: MyPublicRouting1

  MyPublicSubnet1RoutingAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref MyPublicSubnet1
      RouteTableId: !Ref MyPublicRouting1

  # 0.0.0.0/0 -> IGW. DependsOn is required: a route to an IGW is rejected
  # until the gateway is attached to the VPC.
  MyPublicDefault1:
    Type: AWS::EC2::Route
    DependsOn: MyIGW1Attachment
    Properties:
      RouteTableId: !Ref MyPublicRouting1
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref MyIGW1
  
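  # Security group for the public web/proxy host in VPC 1.
  # HTTP, HTTPS and ICMP stay world-open for the lab. The Squid port is
  # limited to 10.0.0.0/8 (the summary route the Transit Gateway carries), so
  # the other VPCs can use the proxy but it is not an open proxy on the internet.
  MyPublicSecuGroup1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP HTTPS SSH squid icmp
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: MyPublicSecuGroup1
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: HTTP
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: HTTPS
        # NOTE(review): SSH from any address is a lab-only setting; narrow
        # CidrIp to the operator's address range for anything that outlives it.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: SSH
        - IpProtocol: tcp
          FromPort: 3128
          ToPort: 3128
          CidrIp: 10.0.0.0/8
          Description: Squid proxy - internal lab range only
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
          Description: ICMP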

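  # Public instance in VPC 1: web server on 80 plus a Squid forward proxy on
  # 3128; publishes the list of lab instance addresses as /EC2_list.txt.
  MyWeb1:
    Type: AWS::EC2::Instance
    DependsOn: MyIGW1Attachment
    Properties:
      InstanceType: t3.micro
      ImageId: !Ref LatestAmiId
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: MyWeb1
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref MyPublicSubnet1
          GroupSet:
            - !Ref MyPublicSecuGroup1
          AssociatePublicIpAddress: true
          PrivateIpAddress: 10.1.1.101
      # NOTE(review): the first lines of the script set a fixed root password
      # and enable password/root SSH login. On a host with a public IP that is
      # a lab-only shortcut -- log in with the KeyName key pair (or SSM Session
      # Manager) and drop those lines outside a disposable lab.
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash
            echo "root:aws1234!" | chpasswd
            sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config
            systemctl restart sshd
            yum update -y
            yum -y install tcpdump squid
            # Squid: only clients in the 10.0.0.0/8 lab range may use the proxy.
            # (The original "allow all" made the following "deny all" unreachable.)
            cat << EOF > /etc/squid/squid.conf
            http_port 3128
            acl localnet src 10.0.0.0/8
            http_access allow localnet
            http_access deny all
            EOF
            systemctl enable --now squid
            cat << EOF > /home/ec2-user/EC2_list.txt
            10.1.1.101
            10.2.1.101
            10.3.1.101
            EOF
            yum -y install httpd
            systemctl enable --now httpd
            echo "<h1>Welcome to AWS WEB Server 01</h1>" > /var/www/html/index.html
            cp -p /home/ec2-user/EC2_list.txt /var/www/html/EC2_list.txt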

   
  # ---------------------------------------------------------------------
  # VPC 2 (10.2.0.0/16): public subnet with its own IGW, mirror of VPC 1.
  # ---------------------------------------------------------------------
  MyVPC2:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.2.0.0/16"
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: MyVPC2

  MyIGW2:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: MyIGW2

  # Binds the IGW to VPC 2; the default route and instance depend on it.
  MyIGW2Attachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC2
      InternetGatewayId: !Ref MyIGW2
 
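  # NATGateway2 removed. It pointed SubnetId at "PublicSubnet1", a logical id
  # that does not exist in this template (the subnet is MyPublicSubnet1), so
  # the stack could not be created; it also shared one EIP allocation with
  # NATGateway3 although an allocation can back only one NAT gateway, and no
  # route table sent traffic through it. Every subnet in this template is
  # public with an IGW default route, so no NAT gateway is needed.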

  # Instances here get a public IP only when their network interface asks
  # for one (MapPublicIpOnLaunch is off).
  MyPublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC2
      CidrBlock: "10.2.1.0/24"
      MapPublicIpOnLaunch: false
      AvailabilityZone: !Select
        - 0
        - !GetAZs ""
      Tags:
        - Key: Name
          Value: MyPublicSubnet2

  MyPublicRouting2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC2
      Tags:
        - Key: Name
          Value: MyPublicRouting2

  MyPublicSubnet2RoutingAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref MyPublicSubnet2
      RouteTableId: !Ref MyPublicRouting2

  # 0.0.0.0/0 -> IGW2; must wait for the gateway attachment.
  MyPublicDefault2:
    Type: AWS::EC2::Route
    DependsOn: MyIGW2Attachment
    Properties:
      RouteTableId: !Ref MyPublicRouting2
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref MyIGW2

  
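  # Security group for the public host in VPC 2. Same policy as VPC 1: web
  # and ICMP world-open for the lab, Squid port limited to the 10.0.0.0/8 lab
  # range so the proxy is not exposed to the internet.
  # (Name tag fixed: it was copy-pasted as MyPublicSecuGroup1.)
  MyPublicSecuGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP HTTPS SSH squid icmp
      VpcId: !Ref MyVPC2
      Tags:
        - Key: Name
          Value: MyPublicSecuGroup2
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: HTTP
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: HTTPS
        # NOTE(review): SSH from any address is a lab-only setting; narrow
        # CidrIp to the operator's address range for anything that outlives it.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: SSH
        - IpProtocol: tcp
          FromPort: 3128
          ToPort: 3128
          CidrIp: 10.0.0.0/8
          Description: Squid proxy - internal lab range only
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
          Description: ICMP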

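  # Public instance in VPC 2: web server on 80 plus a Squid forward proxy on
  # 3128; publishes the list of lab instance addresses as /EC2_list.txt.
  MyWeb2:
    Type: AWS::EC2::Instance
    DependsOn: MyIGW2Attachment
    Properties:
      InstanceType: t3.micro
      ImageId: !Ref LatestAmiId
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: MyWeb2
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref MyPublicSubnet2
          GroupSet:
            - !Ref MyPublicSecuGroup2
          AssociatePublicIpAddress: true
          PrivateIpAddress: 10.2.1.101
      # NOTE(review): the first lines of the script set a fixed root password
      # and enable password/root SSH login. On a host with a public IP that is
      # a lab-only shortcut -- log in with the KeyName key pair (or SSM Session
      # Manager) and drop those lines outside a disposable lab.
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash
            echo "root:aws1234!" | chpasswd
            sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config
            systemctl restart sshd
            yum update -y
            yum -y install tcpdump squid
            # Squid: only clients in the 10.0.0.0/8 lab range may use the proxy.
            # (The original "allow all" made the following "deny all" unreachable.)
            cat << EOF > /etc/squid/squid.conf
            http_port 3128
            acl localnet src 10.0.0.0/8
            http_access allow localnet
            http_access deny all
            EOF
            systemctl enable --now squid
            cat << EOF > /home/ec2-user/EC2_list.txt
            10.1.1.101
            10.2.1.101
            10.3.1.101
            EOF
            yum -y install httpd
            systemctl enable --now httpd
            echo "<h1>Welcome to AWS WEB Server 02</h1>" > /var/www/html/index.html
            cp -p /home/ec2-user/EC2_list.txt /var/www/html/EC2_list.txt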
  

  # ---------------------------------------------------------------------
  # VPC 3 (10.3.0.0/16): public subnet with its own IGW, mirror of VPC 1.
  # ---------------------------------------------------------------------
  MyVPC3:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.3.0.0/16"
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: MyVPC3

  MyIGW3:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: MyIGW3

  # Binds the IGW to VPC 3; the default route and instance depend on it.
  MyIGW3Attachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC3
      InternetGatewayId: !Ref MyIGW3
 
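  # Elastic IP in VPC scope, consumed through !GetAtt EIP.AllocationId. It is
  # kept only so that any NAT gateway resource still taking that allocation
  # resolves; remove it once nothing references it (an unattached EIP is billed).
  EIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  # NATGateway3 removed. It pointed SubnetId at "PublicSubnet1", a logical id
  # that does not exist in this template (the subnet is MyPublicSubnet3), so
  # the stack could not be created; it also shared one EIP allocation with
  # NATGateway2 although an allocation can back only one NAT gateway, and no
  # route table sent traffic through it. Every subnet in this template is
  # public with an IGW default route, so no NAT gateway is needed.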

  # Instances here get a public IP only when their network interface asks
  # for one (MapPublicIpOnLaunch is off).
  MyPublicSubnet3:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC3
      CidrBlock: "10.3.1.0/24"
      MapPublicIpOnLaunch: false
      AvailabilityZone: !Select
        - 0
        - !GetAZs ""
      Tags:
        - Key: Name
          Value: MyPublicSubnet3

  MyPublicRouting3:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC3
      Tags:
        - Key: Name
          Value: MyPublicRouting3

  MyPublicSubnet3RoutingAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref MyPublicSubnet3
      RouteTableId: !Ref MyPublicRouting3

  # 0.0.0.0/0 -> IGW3; must wait for the gateway attachment.
  MyPublicDefault3:
    Type: AWS::EC2::Route
    DependsOn: MyIGW3Attachment
    Properties:
      RouteTableId: !Ref MyPublicRouting3
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref MyIGW3

  
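  # Security group for the public host in VPC 3. Same policy as VPC 1: web
  # and ICMP world-open for the lab, Squid port limited to the 10.0.0.0/8 lab
  # range so the proxy is not exposed to the internet.
  MyPublicSecuGroup3:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP HTTPS SSH squid icmp
      VpcId: !Ref MyVPC3
      Tags:
        - Key: Name
          Value: MyPublicSecuGroup3
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: HTTP
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: HTTPS
        # NOTE(review): SSH from any address is a lab-only setting; narrow
        # CidrIp to the operator's address range for anything that outlives it.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: SSH
        - IpProtocol: tcp
          FromPort: 3128
          ToPort: 3128
          CidrIp: 10.0.0.0/8
          Description: Squid proxy - internal lab range only
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
          Description: ICMP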

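  # Public instance in VPC 3: web server on 80 plus a Squid forward proxy on
  # 3128 (no EC2_list.txt is published from this host).
  MyWeb3:
    Type: AWS::EC2::Instance
    DependsOn: MyIGW3Attachment
    Properties:
      InstanceType: t3.micro
      ImageId: !Ref LatestAmiId
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: MyWeb3
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref MyPublicSubnet3
          GroupSet:
            - !Ref MyPublicSecuGroup3
          AssociatePublicIpAddress: true
          PrivateIpAddress: 10.3.1.101
      # NOTE(review): the first lines of the script set a fixed root password
      # and enable password/root SSH login. On a host with a public IP that is
      # a lab-only shortcut -- log in with the KeyName key pair (or SSM Session
      # Manager) and drop those lines outside a disposable lab.
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash
            echo "root:aws1234!" | chpasswd
            sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config
            systemctl restart sshd
            yum update -y
            yum -y install tcpdump squid
            # Squid: only clients in the 10.0.0.0/8 lab range may use the proxy.
            # (The original "allow all" made the following "deny all" unreachable.)
            cat << EOF > /etc/squid/squid.conf
            http_port 3128
            acl localnet src 10.0.0.0/8
            http_access allow localnet
            http_access deny all
            EOF
            systemctl enable --now squid
            yum -y install httpd
            systemctl enable --now httpd
            echo "<h1>Welcome to AWS WEB Server 03</h1>" > /var/www/html/index.html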
         

1. 퍼블릭 프라이빗 VPC 생성
2. Transit GW 생성
3. 각각 VPC Transit Gateway Attachment 생성
4. 라우팅 테이블 10.0.0.0/8

각각의 프라이빗 서브넷 간 통신 가능
NAT 없이 통신 가능
Transit 게이트웨이로 통신 가능

SQUID 프록시 통해서 외부 통신 가능

curl -x <프록시 IP>:3128 https://www.google.com

❌ 외부 통신이 안 된다면?

  • 가장 흔한 원인:
    • Squid 인스턴스가 퍼블릭 IP가 없거나 IGW가 연결 안 된 경우
    • Squid EC2의 보안 그룹에서 인바운드 포트 3128이 막혀 있는 경우
    • Transit Gateway 라우팅 미설정

 

 

Transit GateWay로 외부 통신 가능 / www.google.com
Transit GateWay로 외부 통신 가능 / google.com

 

 

# Stack inputs: the key pair attached to every instance, and the AMI id,
# resolved at deploy time from the public SSM parameter for Amazon Linux 2.
Parameters:
  KeyName:
    Type: "AWS::EC2::KeyPair::KeyName"
  LatestAmiId:
    Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
    Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-kernel-5.10-hvm-x86_64-gp2"

Resources:
  # ---------------------------------------------------------------------
  # VPC 1 (10.1.0.0/16): the only VPC with an internet path. Its public
  # subnet hosts the web server / Squid proxy used by the private VPCs.
  # ---------------------------------------------------------------------
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.1.0.0/16"
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: MyVPC

  MyIGW1:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: MyIGW1

  # Binds the IGW to the VPC; the default route and the instance depend on it.
  MyIGW1Attachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref MyIGW1

  # Public subnet: new instances receive a public IP by default.
  MyPublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: "10.1.1.0/24"
      MapPublicIpOnLaunch: true
      AvailabilityZone: !Select
        - 0
        - !GetAZs ""
      Tags:
        - Key: Name
          Value: MyPublicSubnet1

  MyPublicRouting1:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: MyPublicRouting1

  MyPublicSubnet1RoutingAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref MyPublicSubnet1
      RouteTableId: !Ref MyPublicRouting1

  # 0.0.0.0/0 -> IGW. DependsOn is required: a route to an IGW is rejected
  # until the gateway is attached to the VPC.
  MyPublicDefault1:
    Type: AWS::EC2::Route
    DependsOn: MyIGW1Attachment
    Properties:
      RouteTableId: !Ref MyPublicRouting1
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref MyIGW1

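  # Security group for the web/proxy host in VPC 1. The proxy clients are the
  # private instances 10.2.1.101 and 10.3.1.101, reached over the Transit
  # Gateway, so the Squid port is limited to 10.0.0.0/8 instead of the whole
  # internet; HTTP, HTTPS and ICMP stay world-open for the lab.
  MyPublicSecuGroup1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP HTTPS SSH squid icmp
      VpcId: !Ref MyVPC
      Tags:
        - Key: Name
          Value: MyPublicSecuGroup1
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: HTTP
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: HTTPS
        # NOTE(review): SSH from any address is a lab-only setting; narrow
        # CidrIp to the operator's address range for anything that outlives it.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: SSH
        - IpProtocol: tcp
          FromPort: 3128
          ToPort: 3128
          CidrIp: 10.0.0.0/8
          Description: Squid proxy - private VPC clients via Transit Gateway
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
          Description: ICMP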

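  # Public instance in VPC 1: web server on 80 and the Squid forward proxy on
  # 3128 that the private instances in VPC 2/3 use for outbound traffic.
  MyWeb1:
    Type: AWS::EC2::Instance
    DependsOn: MyIGW1Attachment
    Properties:
      InstanceType: t3.micro
      ImageId: !Ref LatestAmiId
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: MyWeb1
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref MyPublicSubnet1
          GroupSet:
            - !Ref MyPublicSecuGroup1
          AssociatePublicIpAddress: true
          PrivateIpAddress: 10.1.1.101
      # NOTE(review): the first lines of the script set a fixed root password
      # and enable password/root SSH login. On a host with a public IP that is
      # a lab-only shortcut -- log in with the KeyName key pair (or SSM Session
      # Manager) and drop those lines outside a disposable lab.
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash
            echo "root:aws1234!" | chpasswd
            sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config
            systemctl restart sshd
            yum update -y
            yum -y install tcpdump squid httpd
            # Squid: only the 10.0.0.0/8 lab range (the private VPCs, reached over
            # the Transit Gateway) may use the proxy; everything else is denied.
            cat << EOF > /etc/squid/squid.conf
            http_port 3128
            acl localnet src 10.0.0.0/8
            http_access allow localnet
            http_access deny all
            EOF
            systemctl enable --now squid
            # httpd is installed above on purpose: /var/www/html only exists once
            # the package creates it, so writing the list before the install lost
            # the file in the original order.
            echo "10.1.1.101" > /var/www/html/EC2_list.txt
            echo "10.2.1.101" >> /var/www/html/EC2_list.txt
            echo "10.3.1.101" >> /var/www/html/EC2_list.txt
            systemctl enable --now httpd
            echo "<h1>Welcome to AWS WEB Server 01</h1>" > /var/www/html/index.html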

  # ---------------------------------------------------------------------
  # VPC 2 (10.2.0.0/16): private only -- no IGW, no NAT and no custom route
  # table, so the subnet uses the VPC main route table. Reachability to the
  # other VPCs is added outside this template (Transit Gateway attachment
  # and 10.0.0.0/8 route).
  # ---------------------------------------------------------------------
  MyVPC2:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.2.0.0/16"
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: MyVPC2

  MyPrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC2
      CidrBlock: "10.2.1.0/24"
      MapPublicIpOnLaunch: false
      AvailabilityZone: !Select
        - 0
        - !GetAZs ""
      Tags:
        - Key: Name
          Value: MyPrivateSubnet2

  # Any protocol, but only from the 10.0.0.0/8 lab range.
  MyPrivateSecuGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow internal traffic only
      VpcId: !Ref MyVPC2
      Tags:
        - Key: Name
          Value: MyPrivateSecuGroup2
      SecurityGroupIngress:
        - IpProtocol: "-1"
          CidrIp: "10.0.0.0/8"

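  # Private instance in VPC 2: no public IP and no IGW in this VPC, so every
  # outbound request has to go through the Squid proxy on MyWeb1 (10.1.1.101)
  # across the Transit Gateway.
  MyWeb2:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.micro
      ImageId: !Ref LatestAmiId
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: MyWeb2
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref MyPrivateSubnet2
          GroupSet:
            - !Ref MyPrivateSecuGroup2
          AssociatePublicIpAddress: false
          PrivateIpAddress: 10.2.1.101
      # NOTE(review): the fixed root password and password/root SSH login are a
      # lab shortcut for hopping between instances; the host is reachable only
      # from 10.0.0.0/8 (MyPrivateSecuGroup2), but prefer the KeyName key pair
      # or SSM Session Manager and drop those lines outside a disposable lab.
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash
            echo "root:aws1234!" | chpasswd
            sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config
            systemctl restart sshd
            # Proxy settings come first: this VPC has no IGW or NAT, so yum has no
            # path to a repository until it goes through 10.1.1.101:3128 (the
            # original ran 'yum update' before the proxy was configured). Not every
            # client accepts a CIDR in no_proxy; older curl releases ignore it.
            cat << EOF > /etc/profile.d/proxy.sh
            export http_proxy=http://10.1.1.101:3128
            export https_proxy=http://10.1.1.101:3128
            export no_proxy=127.0.0.1,localhost,169.254.169.254,10.0.0.0/8,.internal
            EOF
            source /etc/profile.d/proxy.sh
            echo "proxy=http://10.1.1.101:3128" >> /etc/yum.conf
            # Succeeds only once the Transit Gateway route to 10.1.1.101 exists;
            # before that yum fails after its retries and the script continues.
            yum update -y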

  # ---------------------------------------------------------------------
  # VPC 3 (10.3.0.0/16): private only, mirror of VPC 2 -- no IGW, no NAT and
  # no custom route table. Reachability to the other VPCs is added outside
  # this template (Transit Gateway attachment and 10.0.0.0/8 route).
  # ---------------------------------------------------------------------
  MyVPC3:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.3.0.0/16"
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: MyVPC3

  MyPrivateSubnet3:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC3
      CidrBlock: "10.3.1.0/24"
      MapPublicIpOnLaunch: false
      AvailabilityZone: !Select
        - 0
        - !GetAZs ""
      Tags:
        - Key: Name
          Value: MyPrivateSubnet3

  # Any protocol, but only from the 10.0.0.0/8 lab range.
  MyPrivateSecuGroup3:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow internal traffic only
      VpcId: !Ref MyVPC3
      Tags:
        - Key: Name
          Value: MyPrivateSecuGroup3
      SecurityGroupIngress:
        - IpProtocol: "-1"
          CidrIp: "10.0.0.0/8"

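  # Private instance in VPC 3: no public IP and no IGW in this VPC, so every
  # outbound request has to go through the Squid proxy on MyWeb1 (10.1.1.101)
  # across the Transit Gateway.
  MyWeb3:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t3.micro
      ImageId: !Ref LatestAmiId
      KeyName: !Ref KeyName
      Tags:
        - Key: Name
          Value: MyWeb3
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref MyPrivateSubnet3
          GroupSet:
            - !Ref MyPrivateSecuGroup3
          AssociatePublicIpAddress: false
          PrivateIpAddress: 10.3.1.101
      # NOTE(review): the fixed root password and password/root SSH login are a
      # lab shortcut for hopping between instances; the host is reachable only
      # from 10.0.0.0/8 (MyPrivateSecuGroup3), but prefer the KeyName key pair
      # or SSM Session Manager and drop those lines outside a disposable lab.
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash
            echo "root:aws1234!" | chpasswd
            sed -i 's/^PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
            sed -i 's/^#PermitRootLogin no/PermitRootLogin yes/' /etc/ssh/sshd_config
            systemctl restart sshd
            # Proxy settings come first: this VPC has no IGW or NAT, so yum has no
            # path to a repository until it goes through 10.1.1.101:3128 (the
            # original ran 'yum update' before the proxy was configured). Not every
            # client accepts a CIDR in no_proxy; older curl releases ignore it.
            cat << EOF > /etc/profile.d/proxy.sh
            export http_proxy=http://10.1.1.101:3128
            export https_proxy=http://10.1.1.101:3128
            export no_proxy=127.0.0.1,localhost,169.254.169.254,10.0.0.0/8,.internal
            EOF
            source /etc/profile.d/proxy.sh
            echo "proxy=http://10.1.1.101:3128" >> /etc/yum.conf
            # Succeeds only once the Transit Gateway route to 10.1.1.101 exists;
            # before that yum fails after its retries and the script continues.
            yum update -y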
