How to set "Remote IPv4 Network CIDR" VPN properties using cloudformation in AWS
We use cloudformation as infrastructure as code for a VPN connection between on-premises and an AWS account. We need to set a parameter that is documented as (complete docs):
Remote IPv4 Network CIDR
(IPv4 VPN connection only) The IPv4 CIDR range on the AWS side that is allowed to communicate over the VPN tunnels.
Default: 0.0.0.0/0
We have searched the internet, but there is no real cloudformation syntax for how to set this variable.
We want to change the default value 0.0.0.0/0 to another, more specific /24 range.
In some VPN software this is referred to as traffic selectors, proxy IDs or the encryption domain.
The remote IPv4 network CIDR can be changed using the SDK. The cloudformation below will change the remote IPv4 network CIDR.
lambdaExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
    Path: "/"
    Policies:
      - PolicyName: root
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - logs:*
              Resource: arn:aws:logs:*:*:*   # Set appropriate value
            - Effect: Allow
              Action:
                - ec2:ModifyVpnConnectionOptions
              Resource: !Sub "arn:aws:ec2:*:..."   # Refer to your AWS::EC2::VPNConnection

# A Lambda that changes the remote IPv4 property of the VPN using the AWS SDK.
# Asynchronous, so it will finish before the modification of the VPN is done.
customResourceSetRemoteIp:
  Type: AWS::Lambda::Function
  Properties:
    Runtime: nodejs14.x
    Role: !GetAtt lambdaExecutionRole.Arn
    Handler: index.handler
    Code:
      ZipFile: |
        var response = require('cfn-response')
        var aws = require('aws-sdk')
        exports.handler = function (event, context) {
          console.log("REQUEST RECEIVED:\n" + JSON.stringify(event))
          // For Delete requests, immediately send a SUCCESS response.
          // You need to run this job with the new value if you want a rollback.
          if (event.RequestType == "Delete") {
            response.send(event, context, "SUCCESS")
            return
          }
          var responseStatus = "FAILED"
          var responseData = {}
          var vpnConnection = event.ResourceProperties.VpnConnection;
          var remoteIpv4NetworkCidr = event.ResourceProperties.RemoteIpv4NetworkCidr;
          console.log("Set remote ipv4 cidr to '" + remoteIpv4NetworkCidr +
            "' at vpn connection '" + vpnConnection + "'");
          var ec2 = new aws.EC2();
          var params = {
            VpnConnectionId: vpnConnection, /* required */
            DryRun: false,
            RemoteIpv4NetworkCidr: remoteIpv4NetworkCidr
          };
          ec2.modifyVpnConnectionOptions(params, function(err, data) {
            if (err) {
              console.log(err, err.stack); // an error occurred
              responseData = {Error: err}
              console.log(responseData.Error + ":\n", err)
            } else {
              responseStatus = "SUCCESS"
              console.log(data); // successful response
            }
            // Report the outcome to CloudFormation only after the API call has returned.
            response.send(event, context, responseStatus, responseData)
          });
        }
    Description: Set VPN options in cloudformation
    TracingConfig:
      Mode: PassThrough

setRemoteIpOnVpnCustomResource:
  Type: AWS::CloudFormation::CustomResource
  Version: "1.0"
  Properties:
    ServiceToken: !GetAtt customResourceSetRemoteIp.Arn
    VpnConnection: !Ref vpcVpnConnection
    RemoteIpv4NetworkCidr: "10.0.0.0/24"
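As an added example (not the answer's own code), here is the same custom-resource handler with the decision logic separated from the AWS call: the CIDR is checked before ModifyVpnConnectionOptions is invoked, the API default 0.0.0.0/0 is refused unless the template opts in, and the outcome is reported to CloudFormation only once the call has finished, so a rejected change fails the stack operation instead of being logged and lost. The injected `modifyVpnOptions` and `sendResponse` dependencies, the `AllowAnyAddress` property, the `planChange`/`parseIpv4Cidr` helper names and the fake client in the demo are assumptions made for this example.

```javascript
// Added example, not the answer's code. Assumed (not from the page): `deps.modifyVpnOptions(params)`
// wraps ec2.modifyVpnConnectionOptions(params).promise() from aws-sdk v2, and
// `deps.sendResponse(...)` has cfn-response's send() signature and resolves when the
// response has been delivered. Both are injected so the logic runs offline.

// Parse an IPv4 CIDR; returns { addr, prefix } or null if malformed or if host bits
// are set (e.g. 10.0.0.5/24), so a typo cannot be handed to the API as a "network".
function parseIpv4Cidr(cidr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(String(cidr || ''));
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255) || prefix > 32) return null;
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  if (((addr & mask) >>> 0) !== addr) return null;
  return { addr, prefix };
}

// Return a problem description, or null when the CIDR is acceptable. 0.0.0.0/0 is the
// API default and allows every AWS-side address over the tunnels, so it needs an opt-in.
function validateRemoteCidr(cidr, allowAnyAddress) {
  const parsed = parseIpv4Cidr(cidr);
  if (!parsed) return `RemoteIpv4NetworkCidr '${cidr}' is not a valid IPv4 network in CIDR notation`;
  if (parsed.prefix === 0 && !allowAnyAddress) {
    return 'RemoteIpv4NetworkCidr 0.0.0.0/0 would allow the whole AWS side over the VPN; set AllowAnyAddress: "true" to permit it';
  }
  return null;
}

// Decide what to do for a CloudFormation event without touching AWS.
// status: SUCCESS (nothing to call), FAILED (bad input), PENDING (call the API with params).
// Custom-resource property values arrive as strings, hence the 'true' comparison (assumption).
function planChange(event) {
  const props = event.ResourceProperties || {};
  if (event.RequestType === 'Delete') {
    return { status: 'SUCCESS', params: null, reason: null };
  }
  if (!/^vpn-[0-9a-f]+$/.test(String(props.VpnConnection || ''))) {
    return { status: 'FAILED', params: null, reason: `VpnConnection '${props.VpnConnection}' is not a VPN connection id` };
  }
  const problem = validateRemoteCidr(props.RemoteIpv4NetworkCidr, props.AllowAnyAddress === 'true');
  if (problem) return { status: 'FAILED', params: null, reason: problem };
  return {
    status: 'PENDING',
    params: { VpnConnectionId: props.VpnConnection, RemoteIpv4NetworkCidr: props.RemoteIpv4NetworkCidr },
    reason: null,
  };
}

// Lambda entry point: waits for the API call before telling CloudFormation the outcome.
async function handler(event, context, deps) {
  const plan = planChange(event);
  // A physical id derived from the VPN id keeps Update in place instead of create-then-delete.
  const physicalId = `remote-cidr-${(event.ResourceProperties || {}).VpnConnection}`;
  let status = plan.status;
  let data = plan.reason ? { Reason: plan.reason } : {};
  if (status === 'PENDING') {
    try {
      await deps.modifyVpnOptions(plan.params);
      status = 'SUCCESS';
    } catch (err) {
      status = 'FAILED';
      data = { Reason: String((err && err.message) || err) };
    }
  }
  await deps.sendResponse(event, context, status, data, physicalId);
  return status;
}

// Offline demo with a constructed event and fake dependencies (no AWS calls are made).
if (typeof require !== 'undefined' && require.main === module) {
  const calls = [];
  const fakeDeps = {
    modifyVpnOptions: async (params) => { calls.push(params); return { VpnConnection: { VpnConnectionId: params.VpnConnectionId } }; },
    sendResponse: async (_event, _ctx, status, data) => console.log('cfn-response', status, data),
  };
  const sample = {
    RequestType: 'Create',
    ResourceProperties: { VpnConnection: 'vpn-0123456789abcdef0', RemoteIpv4NetworkCidr: '10.0.0.0/24' },
  };
  handler(sample, {}, fakeDeps).then((s) => console.log('result', s, calls));
}
```

In the real Lambda, build `deps` once at module load from an `aws.EC2()` client and `cfn-response`; keeping the AWS call behind a one-line wrapper is what lets the validation and the Delete/Update paths be tested locally before the template is deployed.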