How to do it…

Follow these steps to create a CloudFormation template that launches a stack with a new security group, a load balancer, and an EC2 instance:

  1. Open up your text editor and create a new CloudFormation template. We're going to start by adding a few Parameters as follows:

    AWSTemplateFormatVersion: '2010-09-09'
    Parameters:
      AmiId:
        Type: AWS::EC2::Image::Id
        Description: AMI ID to launch instances from
      VPCID:
        Type: AWS::EC2::VPC::Id
        Description: VPC where load balancer and instance will launch
      SubnetIDs:
        Type: List<AWS::EC2::Subnet::Id>
        Description: Subnets (pick at least 2)
  2. Let's take a look at a security group we'll be applying to a public load balancer. The group is created in the VPC we passed in as a parameter, so it sits in the same VPC as the subnets the load balancer will use:

    Resources:
      ExampleELBSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupDescription: Security Group for example ELB
          VpcId:
            Ref: VPCID
          SecurityGroupIngress:
            - IpProtocol: tcp
              CidrIp: 0.0.0.0/0
              FromPort: 80
              ToPort: 80

Anything that resides in this security group will allow inbound TCP connections on port 80 from anywhere (0.0.0.0/0). Note that a security group can contain more than one rule; we'd almost certainly want to also allow HTTPS (443), but we've left it out to simplify this recipe.

  3. Now, let's look at a security group for a web server sitting behind our load balancer. Because both groups live in a VPC, the source group is referenced by its ID (the SourceSecurityGroupName property only works in the default VPC):

    ExampleEC2InstanceSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupDescription: Security Group for example Instance
        VpcId:
          Ref: VPCID
        SecurityGroupIngress:
          - IpProtocol: tcp
            SourceSecurityGroupId:
              Fn::GetAtt: [ ExampleELBSecurityGroup, GroupId ]
            FromPort: 80
            ToPort: 80

Here, you can see that we aren't specifying a source IP range. Instead, we're specifying a source security group from which we will accept connections. In this case, we're saying that we want to allow anything in our ELB security group to connect to anything in our EC2 instance security group on port 80.
Since this is the only rule we're specifying, our web server will not accept connections from anywhere except our load balancer, whether on port 80 or any other port. Our web server isn't wide open to the internet, and it is even isolated from other instances in our VPC.

Remember that multiple instances can reside in a security group. In a scenario where you have multiple web servers attached to this load balancer, it would be unnecessary, inefficient, and somewhat of an anti-pattern to create a new security group for each web server. Given that all the web servers attached to this load balancer would be serving the same role or function, it makes sense to apply the same security group to them.

This is where the power of security groups really comes in. If an EC2 instance is serving multiple roles – let's say you have an outbound HTTP proxy server in your VPC that you also want to act as an SMTP relay – then you can simply apply multiple security groups to it.
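A small template lint that checks the layering this recipe relies on, added here as an example and not part of the book's recipe: it flags any security group that admits 0.0.0.0/0 or ::/0 without being attached to an ELBv2 load balancer, any group with no VpcId, and the default-VPC-only SourceSecurityGroupName property. The sample template is constructed inline in CloudFormation's JSON form; the LeakyInstanceSecurityGroup resource and the check_ingress / referenced_group names are mine.

```python
import json

# Constructed sample in CloudFormation's JSON form: the recipe's two groups, one
# deliberately world-open instance group, and the load balancer owning the ELB group.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "ExampleELBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "VpcId": {"Ref": "VPCID"}, "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": 80, "ToPort": 80}]}},
  "ExampleEC2InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "VpcId": {"Ref": "VPCID"}, "SecurityGroupIngress": [{"IpProtocol": "tcp",
      "SourceSecurityGroupId": {"Fn::GetAtt": ["ExampleELBSecurityGroup", "GroupId"]},
      "FromPort": 80, "ToPort": 80}]}},
  "LeakyInstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "VpcId": {"Ref": "VPCID"}, "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": 22, "ToPort": 22}]}},
  "ExampleLoadBalancer": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "Properties": {"SecurityGroups": [{"Fn::GetAtt": ["ExampleELBSecurityGroup", "GroupId"]}]}}
}}""")

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def referenced_group(value):
    # Logical name behind a Ref or Fn::GetAtt intrinsic (list or dotted form), else None.
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    if isinstance(value, dict) and "Fn::GetAtt" in value:
        att = value["Fn::GetAtt"]
        return att[0] if isinstance(att, list) else att.split(".")[0]
    return None

def check_ingress(template):
    # Returns (logical name, problem) pairs. Only groups attached to a load balancer may
    # accept traffic from the whole internet; everything else must chain to another group.
    resources = template["Resources"]
    lb_groups = {referenced_group(sg) for res in resources.values()
                 if res["Type"] == "AWS::ElasticLoadBalancingV2::LoadBalancer"
                 for sg in res["Properties"].get("SecurityGroups", [])}
    findings = []
    for name, res in resources.items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        props = res["Properties"]
        if "VpcId" not in props:
            findings.append((name, "no VpcId: group would be created in the default VPC"))
        for rule in props.get("SecurityGroupIngress", []):
            if {rule.get("CidrIp"), rule.get("CidrIpv6")} & WORLD_CIDRS and name not in lb_groups:
                findings.append((name, "world-open ingress on port %s with no load balancer in front" % rule.get("FromPort")))
            if "SourceSecurityGroupName" in rule:
                findings.append((name, "SourceSecurityGroupName only works in the default VPC; use SourceSecurityGroupId"))
    return findings
```

Run it against a template before `aws cloudformation deploy`; an empty list means every instance group chains to a load-balancer group rather than to the internet.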

  4. Next, we need to add our load balancer. This is probably the most basic load balancer configuration you'll come across. The following code will give you a load balancer and a listener:

    ExampleLoadBalancer:
      Type: AWS::ElasticLoadBalancingV2::LoadBalancer
      Properties:
        Subnets:
          - Fn::Select: [ 0, Ref: SubnetIDs ]
          - Fn::Select: [ 1, Ref: SubnetIDs ]
        SecurityGroups:
          - Fn::GetAtt: [ ExampleELBSecurityGroup, GroupId ]
    ExampleListener:
      Type: AWS::ElasticLoadBalancingV2::Listener
      Properties:
        LoadBalancerArn:
          Ref: ExampleLoadBalancer
        DefaultActions:
          - Type: forward
            TargetGroupArn:
              Ref: ExampleTargetGroup
        Port: 80
        Protocol: HTTP
  5. Then, we need to add the target group:

    ExampleTargetGroup:
      Type: AWS::ElasticLoadBalancingV2::TargetGroup
      Properties:
        Port: 80
        Protocol: HTTP
        VpcId:
          Ref: VPCID
        Targets:
          - Id:
              Ref: ExampleEC2Instance
  6. The last resource we'll add to our template is an EC2 server. This server will install and start nginx when it boots:

    ExampleEC2Instance:
      Type: AWS::EC2::Instance
      Properties:
        InstanceType: t2.nano
        UserData:
          Fn::Base64:
            Fn::Sub: |
              #!/bin/bash -ex
              yum install -y nginx
              service nginx start
              exit 0
        ImageId:
          Ref: AmiId
        SecurityGroupIds:
          - Fn::GetAtt: [ ExampleEC2InstanceSecurityGroup, GroupId ]
        SubnetId:
          Fn::Select: [ 0, Ref: SubnetIDs ]
  7. Lastly, we're going to add some Outputs to the template to make it a little more convenient to use our ELB and EC2 instance after the stack is created:

    Outputs:
      ExampleEC2InstanceHostname:
        Value:
          Fn::GetAtt: [ ExampleEC2Instance, PublicDnsName ]
      ExampleELBURL:
        Value:
          Fn::Join:
            - ''
            - [ 'http://', { 'Fn::GetAtt': [ ExampleLoadBalancer, DNSName ] }, '/' ]
  8. Go ahead and launch this template using the CloudFormation web console or the AWS CLI.