Thursday, 24 September 2015

How to force ELB configuration in an Elastic Beanstalk Cloud Formation script

My goal is to have a CloudFormation template which not only automatically creates a VPC with a NAT host and a bastion host, but which also deploys a .NET app pulled from S3 into an Elastic Beanstalk environment that is load balanced and, more importantly, only allows access to the app from my office, NOT the whole internet. It seems that even though the app might be in a VPC in a private subnet and the ELB in the public subnet, the Network ACL on the public subnet is irrelevant. If I lock down the public subnet to only my office, connections from outside the office can still come into the ELB and hit the application.

What seems to work is applying a security group to the ELB, but I do not see any way to force the creation of a specific ELB with a specific SG inside an "AWS::ElasticBeanstalk::Environment" object. The ELB and the ELB SG are created automatically by Beanstalk and must be manually altered after CF runs. I don't want that. I want a way to create everything in CF in an automated way with no manual steps after the fact. Yes, I've tried CloudFormer on a manually created stack. No, it doesn't give me what I want.

Here's an excerpt from my CF Template:

"MyWebApp": {
  "Type": "AWS::ElasticBeanstalk::Application",
  "Properties": {
    "ApplicationName" : "AlmDemoWebApp",
    "Description": "MyWebapp"
  }
},

"MyWebAppVersion": {
  "Type": "AWS::ElasticBeanstalk::ApplicationVersion",
  "Properties": {
    "ApplicationName": {"Ref": "MyWebApp"},
    "SourceBundle": {
      "S3Bucket": "mywebapp",
      "S3Key": {"Fn::Join" : ["", ["MyWebApp.", {"Ref":"Version"}, ".zip"]]}
    }
  }
},


"MyWebAppEnvironment" : {
  "DependsOn" : ["MyWebApp", "MyWebAppVersion", "BastionSecurityGroup", "BeanstalkSecurityGroup", "VPC", "EBLoadBalancer", "EBLoadBalancerSecurityGroup", "PrivateSubnet", "PublicSubnet"],
  "Type" : "AWS::ElasticBeanstalk::Environment",
  "Properties" : {
    "ApplicationName" : { "Ref" : "MyWebApp" },
    "Description" : "MyWebApp Target Environment",
    "SolutionStackName": "64bit Windows Server 2012 R2 running IIS 8.5",
    "OptionSettings" : [
      {"Namespace" : "aws:autoscaling:launchconfiguration", "OptionName" : "SecurityGroups", "Value" : { "Ref" : "BeanstalkSecurityGroup" }},
      {"Namespace" : "aws:autoscaling:launchconfiguration", "OptionName" : "EC2KeyName", "Value" : { "Ref" : "InstanceKeyName" }},
      {"Namespace" : "aws:ec2:vpc", "OptionName" : "VPCId", "Value" : { "Ref" : "VPC" }},
      {"Namespace" : "aws:ec2:vpc", "OptionName" : "Subnets", "Value" : { "Ref" : "PrivateSubnet" }},
      {"Namespace" : "aws:ec2:vpc", "OptionName" : "ELBSubnets", "Value" : { "Ref" : "PublicSubnet" }}
    ],
    "VersionLabel": {"Ref": "MyWebAppVersion"}
  }
}

Is there some mysterious and poorly documented option that I can put in the AWS::ElasticBeanstalk::Environment -> Properties -> OptionSettings that will force the Elastic Beanstalk to use a specific ELB configured previously in the CF template ("EBLoadBalancer") rather than automatically create one with a random name? Applying ingress rules to the "BeanstalkSecurityGroup" doesn't seem to help. The SG rules have to be on the ELB to actually work, apparently.
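As an added example (not part of the original template), here is the Resources fragment I would use for this. It assumes the Elastic Beanstalk option names SecurityGroups and ManagedSecurityGroup in the aws:elb:loadbalancer namespace are supported by the platform version you target, that an OfficeCidr template parameter holds the office's address range, and that the app listens on HTTP port 80: the ELB security group admits only the office, and the instance security group admits only the ELB security group, never a CIDR.

```json
"EBLoadBalancerSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "ELB: HTTP only from the office CIDR (OfficeCidr is an assumed template parameter)",
    "VpcId": { "Ref": "VPC" },
    "SecurityGroupIngress": [
      { "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": { "Ref": "OfficeCidr" } }
    ]
  }
},

"BeanstalkSecurityGroup": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "Instances: HTTP only from the ELB security group, never from a CIDR",
    "VpcId": { "Ref": "VPC" },
    "SecurityGroupIngress": [
      { "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80",
        "SourceSecurityGroupId": { "Ref": "EBLoadBalancerSecurityGroup" } }
    ]
  }
},

"MyWebAppEnvironment": {
  "Type": "AWS::ElasticBeanstalk::Environment",
  "Properties": {
    "ApplicationName": { "Ref": "MyWebApp" },
    "SolutionStackName": "64bit Windows Server 2012 R2 running IIS 8.5",
    "VersionLabel": { "Ref": "MyWebAppVersion" },
    "OptionSettings": [
      { "Namespace": "aws:ec2:vpc", "OptionName": "VPCId", "Value": { "Ref": "VPC" } },
      { "Namespace": "aws:ec2:vpc", "OptionName": "Subnets", "Value": { "Ref": "PrivateSubnet" } },
      { "Namespace": "aws:ec2:vpc", "OptionName": "ELBSubnets", "Value": { "Ref": "PublicSubnet" } },
      { "Namespace": "aws:autoscaling:launchconfiguration", "OptionName": "SecurityGroups",
        "Value": { "Ref": "BeanstalkSecurityGroup" } },
      { "Namespace": "aws:elb:loadbalancer", "OptionName": "SecurityGroups",
        "Value": { "Ref": "EBLoadBalancerSecurityGroup" } },
      { "Namespace": "aws:elb:loadbalancer", "OptionName": "ManagedSecurityGroup",
        "Value": { "Ref": "EBLoadBalancerSecurityGroup" } }
    ]
  }
}
```

This does not make Beanstalk adopt the template's own "EBLoadBalancer" (the ELB it creates still gets a generated name); it only controls which security group that ELB carries, which is where the office-only rule has to live. Listing the same group in both SecurityGroups and ManagedSecurityGroup is what stops Beanstalk from creating and attaching its own wide-open ELB group alongside yours.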
