Level 200: Automated Deployment of VPC
- Ben Potter, Security Lead, Well-Architected
This step will create the VPC and all components using the example CloudFormation template.
- Download the latest version of the vpc-alb-app-db.yaml CloudFormation template from GitHub raw, or by cloning this repository.
- Sign in to the AWS Management Console, select your preferred region, and open the CloudFormation console at https://console.aws.amazon.com/cloudformation/. Note: if your CloudFormation console does not look the same, you can enable the redesigned console by clicking New Console in the CloudFormation menu.
- Click Create Stack, then With new resources (standard).
- Click Upload a template file and then click Choose file.
- Choose the CloudFormation template you downloaded in step 1, return to the CloudFormation console page and click Next.
- Enter the following details:
- Stack name: The name of this stack. For this lab, use WebApp1-VPC and match the case. The parameters may be left at their defaults; the description of each explains what it controls. If you change the default name, take note of it, as you will need to use it for other labs including "Automated Deployment of EC2 Web Application".
- At the bottom of the page click Next.
- In this lab, we won't add any tags, permissions or advanced options. Click Next. Tags, which are key-value pairs, can help you identify your stacks. For more information, see Adding Tags to Your AWS CloudFormation Stack.
- Review the information for the stack. When you're satisfied with the configuration, check I acknowledge that AWS CloudFormation might create IAM resources with custom names then click Create stack.
- After a few minutes the final stack status should change from CREATE_IN_PROGRESS to CREATE_COMPLETE. You have now created the VPC stack (well actually CloudFormation did it for you).
- Now you have a new VPC, check out 200_Automated_Deployment_of_EC2_Web_Application to deploy a web application inside it.
- Grant least privileges: The roles are scoped with minimum privileges to accomplish the task.
- Implement new security services and features: New features including secrets manager have been adopted.
- Limit exposure: Security groups restrict network traffic to a minimum. Internet Gateways and NAT Gateways are used to control traffic flows.
- Automate configuration management: CloudFormation is being used to deploy the networking constructs.
- Control traffic at all layers: Traffic is controlled in multiple tiers, using subnets with different route tables.
The following instructions will remove the resources that you have created in this lab.
Note: If you are planning on completing the lab 200_Automated_Deployment_of_EC2_Web_Application we recommend you only tear down this lab after completing both, as there is a dependency on this VPC.
Delete the VPC CloudFormation stack:
- Sign in to the AWS Management Console, select your preferred region, and open the CloudFormation console at https://console.aws.amazon.com/cloudformation/.
- Click the radio button on the left of the WebApp1-VPC stack.
- Click the Actions button then click Delete stack.
- Confirm the stack and then click the Delete button.
Delete the CloudWatch Logs:
- Sign in to the AWS Management Console, select your preferred region, and open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
- Click Logs in the left navigation.
- Click the radio button on the left of the WebApp1-VPC-VPCFlowLogGroup-<some unique ID>.
- Click the Actions Button then click Delete Log Group.
- Verify the log group name then click Yes, Delete.
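The console click-through above (stack creation with the IAM acknowledgement, then the two-step teardown of the stack and its retained flow log group) can be driven from the AWS CLI. This is an added example, not part of the lab or its repository; it assumes the AWS CLI is installed with credentials and a default region configured, that the template sits at ./vpc-alb-app-db.yaml, and it reuses the stack name and log-group prefix from the lab.

```shell
#!/bin/sh
# Added example (not the lab's own code): deploy and tear down the WebApp1-VPC
# stack from the AWS CLI. Assumes AWS CLI with credentials/region configured.
set -eu

STACK_NAME="WebApp1-VPC"                    # must match the case the EC2 lab expects
TEMPLATE="${TEMPLATE:-./vpc-alb-app-db.yaml}" # assumed local path to the downloaded template
LOG_PREFIX="WebApp1-VPC-VPCFlowLogGroup"      # the log group outlives the stack

# Classify a stack status the way the lab's final step does: "ok" for
# CREATE_COMPLETE, "pending" while any *_IN_PROGRESS state lasts, "failed"
# for anything else (e.g. ROLLBACK_COMPLETE). Pure function, no AWS calls.
stack_outcome() {
  case "$1" in
    CREATE_COMPLETE) echo ok ;;
    *_IN_PROGRESS)   echo pending ;;
    *)               echo failed ;;
  esac
}

deploy_vpc() {
  # --capabilities CAPABILITY_NAMED_IAM is the CLI form of the console checkbox
  # "I acknowledge that AWS CloudFormation might create IAM resources with custom names".
  aws cloudformation create-stack \
    --stack-name "$STACK_NAME" \
    --template-body "file://$TEMPLATE" \
    --capabilities CAPABILITY_NAMED_IAM
  # Blocks until CREATE_COMPLETE; a rollback makes the waiter exit non-zero, so set -e stops here.
  aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME"
  status=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
             --query 'Stacks[0].StackStatus' --output text)
  echo "$STACK_NAME: $status ($(stack_outcome "$status"))"
}

teardown_vpc() {
  # The EC2 lab's stack depends on this VPC, so delete that stack first.
  aws cloudformation delete-stack --stack-name "$STACK_NAME"
  aws cloudformation wait stack-delete-complete --stack-name "$STACK_NAME"
  # The VPC Flow Log group is not removed with the stack; delete it by prefix as the lab does.
  for lg in $(aws logs describe-log-groups --log-group-name-prefix "$LOG_PREFIX" \
                --query 'logGroups[].logGroupName' --output text); do
    aws logs delete-log-group --log-group-name "$lg"
  done
}

case "${1:-}" in
  deploy)   deploy_vpc ;;
  teardown) teardown_vpc ;;
  *)        echo "usage: $0 deploy|teardown" ;;
esac
```

Run with `deploy` to create the stack and `teardown` to remove it and its flow log group; with no argument it only prints usage.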
Licensed under the Apache 2.0 and MITnoAttr License.
Copyright 2019-2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.