| author | aslanvyos <a.hajiyev@vyos.io> | 2024-10-31 10:04:05 +0400 | 
|---|---|---|
| committer | aslanvyos <a.hajiyev@vyos.io> | 2025-04-10 06:45:48 +0400 | 
| commit | cb2f5c86fd732a2d10a758bc3a90fc4ee33323de (patch) | |
| tree | f27518abd233c3620122a867a5043ff37fd334b4 | |
| parent | f731eacb91e2b5d9c51b76bae4364ceae5091280 (diff) | |
Add Terraform project for VyOS instance with basic setup and with network services (VPN, NAT, DNS)
Added CloudFormation templates for VyOS deployment on AWS
27 files changed, 2907 insertions, 0 deletions
| diff --git a/CloudFormation/readme.md b/CloudFormation/readme.md new file mode 100644 index 0000000..b437838 --- /dev/null +++ b/CloudFormation/readme.md @@ -0,0 +1,12 @@ +# CloudFormation Templates for Deploying VyOS on AWS
 +
 +## Overview
 +These CloudFormation templates automate the deployment of a VyOS instance on AWS, configuring essential components such as VPC, public/private subnets, internet gateway, route tables, Elastic IPs, and security groups. 
 +
 +### Templates 
 +- **VyOS Deployment with Basic Configuration**: Includes essential VyOS instance configurations (for quick deployment).
 +- **VyOS Deployment with Advanced Configuration**: Includes advanced VyOS instance configurations.
 +
 +## Deployment Scenarios
 +- **Existing VPC**: Deploys VyOS within an existing VPC and subnet structure.
 +- **New VPC**: Creates a fully configured VPC and subnet environment for VyOS deployment and deploys VyOS instance.
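Review bot: the `+### Templates` list names the two templates but not where they live or what separates them; since each sits in its own subdirectory with its own readme, link the directory names here (`vyos-template-with-basic-configuration/`, `vyos-vyos-template-with-advanced-configuration/`) and state in one line that "advanced" adds the IPsec site-to-site tunnel with BGP to an on-prem peer (per the other readme in this commit), so a reader can choose without opening both. Minor: trailing whitespace on the `+These CloudFormation templates automate ...` and `+### Templates ` lines.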
 diff --git a/CloudFormation/vyos-template-with-basic-configuration/readme.md b/CloudFormation/vyos-template-with-basic-configuration/readme.md new file mode 100644 index 0000000..5a953c1 --- /dev/null +++ b/CloudFormation/vyos-template-with-basic-configuration/readme.md @@ -0,0 +1,65 @@ +# VyOS Deployment with Basic Configuration
 +
 +## Template Overview
 +
 +This CloudFormation template automates the deployment of a VyOS instance, setting up:
 +- A VPC with public and private subnets.
 +- Internet Gateway, Route Tables, ENIs, Security Groups, and Elastic IP.
 +- Configuration via cloud-init for a consistent, scalable setup.
 +
 +## Prerequisites
 +
 +Ensure the following prerequisites are met before deploying:
 +- **AWS Account**: Active with necessary IAM permissions for VPCs, EC2 instances, etc.
 +- **EC2 Key Pair**: Valid SSH key pair for instance access.
 +- **AWS CLI/Console Access**: Familiarity with AWS Console or CLI for managing the CloudFormation stack.
 +
 +## Deployment Scenarios
 +
 +### Deploying to an Existing VPC
 +
 +1. Go to **AWS Console** > **CloudFormation**.
 +2. Select **Create stack** - with new resources.
 +3. Upload the `.yaml` template file.
 +4. Specify stack details:
 +   - **Stack name**.
 +   - **Existing VPC and Subnet IDs** (must belong to the same AWS region and Availability Zone).
 +5. Leave new VPC and Subnet CIDR fields empty.
 +6. Configure VyOS Instance parameters:
 +   - **Instance Type**.
 +   - **EC2 Key Pair Name**.
 +   - **ENI IPs** (according to the existing subnet CIDRs).
 +   - **Primary and Secondary DNS** (optional).
 +   - **SSH Allowed IP Subnet** (for remote access).
 +
 +    > **Note**: Setting `VyOS AMI Alias` to `latest` will deploy the latest version. Specify a specific version if needed, e.g., `/aws/service/marketplace/prod-ev235jujteaom/1.4.0`.
 +
 +7. Monitor stack creation until the **CREATE_COMPLETE** message appears.
 +8. Retrieve the Public IP in the “Outputs” tab.
 +
 +### Deploying to a New VPC
 +
 +1. Go to **AWS Console** > **CloudFormation**.
 +2. Select **Create stack** - with new resources.
 +3. Upload the `.yaml` template file.
 +4. Specify stack details:
 +   - **New VPC name and CIDR**.
 +   - **Public and Private Subnet CIDRs**.
 +5. Leave existing VPC/Subnet IDs empty.
 +6. Configure VyOS Instance parameters as listed above.
 +7. Wait for **CREATE_COMPLETE** and find the Public IP under “Outputs”.
 +
 +## Access and Management
 +
 +To connect to the VyOS instance, use:
 +- **VyOS Public IP** (from Outputs) and **EC2 Key Pair** with an SSH client.
 +
 +Sample command: `ssh vyos@<VyOS_Public_IP_Address> -i <test-key.pam>`
 +
 +### Common CLI Commands
 +
 +For VyOS configuration and interface checking:
 +```bash
 +show configuration commands
 +show interfaces
 +show ip route
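Review bot: the sample SSH command (`+Sample command: ssh vyos@<VyOS_Public_IP_Address> -i <test-key.pam>`) has the key extension wrong; EC2 key pairs download as `.pem`, which is also what the advanced readme and the template's VyOSMgmtInfo output use. Two more points in this hunk: step 6 lists `Primary and Secondary DNS (optional)`, but the basic template in this commit defines no DNS parameters (its Parameters section has only the VPC/subnet fields, InstanceType, KeyName, the two ENI IPs, SSHAllowedIP and AmiAlias), so drop that bullet or move it to the advanced readme; and the ```bash fence opened before `show configuration commands` is never closed, so the file ends inside a code block. Since the AMI note points readers at a versioned SSM path, it is worth adding that `latest` is resolved when the stack is created or updated and is not pinned, so a later stack update can silently move to a newer VyOS release.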
 diff --git a/CloudFormation/vyos-template-with-basic-configuration/single-instance-with-basic-configuration.yml b/CloudFormation/vyos-template-with-basic-configuration/single-instance-with-basic-configuration.yml new file mode 100644 index 0000000..2dda6ce --- /dev/null +++ b/CloudFormation/vyos-template-with-basic-configuration/single-instance-with-basic-configuration.yml @@ -0,0 +1,559 @@ +AWSTemplateFormatVersion: '2010-09-09'
 +Description: VyOS Networks CloudFormation template to deploy a VPC with public
 +  and private subnets, an Internet gateway, Route tables, ENIs, Elastic IP
 +  Address and a VyOS instance with subscription (Pay As You Go) and configures
 +  VyOS instance via user-data (cloud-init).
 +
 +Parameters:
 +  ExistingVPCId:
 +    Description: ID of an existing VPC
 +    Type: String
 +    Default: ''
 +    AllowedPattern: ^$|^vpc-[0-9a-fA-F]{8,17}$
 +    ConstraintDescription: Must be a valid VPC ID or empty.
 +
 +  ExistingPublicSubnetId:
 +    Description: ID of an existing public subnet
 +    Type: String
 +    Default: ''
 +    AllowedPattern: ^$|^subnet-[0-9a-fA-F]{8,17}$
 +    ConstraintDescription: Must be a valid public subnet ID or empty.
 +
 +  ExistingPrivateSubnetId:
 +    Description: ID of an existing private subnet
 +    Type: String
 +    Default: ''
 +    AllowedPattern: ^$|^subnet-[0-9a-fA-F]{8,17}$
 +    ConstraintDescription: Must be a valid private subnet ID or empty.
 +
 +  VPCName:
 +    Description: Name of the VPC
 +    Type: String
 +    Default: ''
 +    AllowedPattern: ^$|^.{1,128}$
 +    MaxLength: 128
 +    ConstraintDescription: Must be empty or between 1 and 128 characters.
 +
 +  VPCCidrBlock:
 +    Description: CIDR block for the VPC
 +    Type: String
 +    Default: ''
 +    AllowedPattern: ^$|^(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(192\.168\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$
 +    ConstraintDescription: Must be a valid IPv4 CIDR notation within private IP ranges based on RFC 1918, with subnet sizes between /16 and /28, or can be empty if we deploy VyOS instance to the existig VPC.
 +
 +  PublicSubnetCidr:
 +    Description: CIDR block for the Public Subnet
 +    Type: String
 +    Default: ''
 +    AllowedPattern: ^$|^(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(192\.168\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$
 +    ConstraintDescription: Must be a valid IPv4 CIDR notation within private IP ranges based on RFC 1918, with subnet sizes between /16 and /28.
 +
 +  PrivateSubnetCidr:
 +    Description: CIDR block for the Private Subnet
 +    Type: String
 +    Default: ''
 +    AllowedPattern: ^$|^(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(192\.168\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$
 +    ConstraintDescription: Must be a valid IPv4 CIDR notation within private IP ranges based on RFC 1918, with subnet sizes between /16 and /28.
 +
 +  InstanceType:
 +    Description: EC2 instance type for VyOS deployment
 +    Type: String
 +    Default: c5n.large
 +    AllowedValues:
 +      - t3.small
 +      - t3.medium
 +      - t3.large
 +      - t3.xlarge
 +      - t3.2xlarge
 +      - t3a.small
 +      - t3a.medium
 +      - t3a.large
 +      - t3a.xlarge
 +      - t3a.2xlarge
 +      - m4.large
 +      - m4.xlarge
 +      - m4.2xlarge
 +      - m4.4xlarge
 +      - m4.10xlarge
 +      - m4.16xlarge
 +      - m5.large
 +      - m5.xlarge
 +      - m5.2xlarge
 +      - m5.4xlarge
 +      - m5.8xlarge
 +      - m5a.large
 +      - m5a.xlarge
 +      - m5a.2xlarge
 +      - m5a.4xlarge
 +      - m5a.8xlarge
 +      - m5a.12xlarge
 +      - m5n.large
 +      - m5n.xlarge
 +      - m5n.2xlarge
 +      - m5n.4xlarge
 +      - m5n.8xlarge
 +      - m5n.12xlarge
 +      - m5zn.large
 +      - m5zn.xlarge
 +      - m5zn.2xlarge
 +      - m5zn.3xlarge
 +      - m5zn.6xlarge
 +      - m5zn.12xlarge
 +      - m6i.large
 +      - m6i.xlarge
 +      - m6i.2xlarge
 +      - m6i.4xlarge
 +      - m6i.8xlarge
 +      - m6i.12xlarge
 +      - m6i.16xlarge
 +      - c4.large
 +      - c4.xlarge
 +      - c4.2xlarge
 +      - c4.4xlarge
 +      - c4.8xlarge
 +      - c5.large
 +      - c5.xlarge
 +      - c5.2xlarge
 +      - c5.4xlarge
 +      - c5.9xlarge
 +      - c5d.large
 +      - c5d.xlarge
 +      - c5d.2xlarge
 +      - c5d.4xlarge
 +      - c5d.9xlarge
 +      - c5a.large
 +      - c5a.xlarge
 +      - c5a.2xlarge
 +      - c5a.4xlarge
 +      - c5a.8xlarge
 +      - c5n.large
 +      - c5n.xlarge
 +      - c5n.2xlarge
 +      - c5n.4xlarge
 +      - c5n.9xlarge
 +      - c6i.large
 +      - c6i.xlarge
 +      - c6i.2xlarge
 +      - c6i.4xlarge
 +      - c6i.8xlarge
 +      - c6i.12xlarge
 +      - c6i.16xlarge
 +      - c6i.24xlarge
 +      - m6a.large
 +      - m6a.xlarge
 +      - m6a.2xlarge
 +      - m6a.4xlarge
 +      - m6a.8xlarge
 +      - m6a.12xlarge
 +      - m6a.16xlarge
 +      - m6in.large
 +      - m6in.xlarge
 +      - m6in.2xlarge
 +      - m6in.4xlarge
 +      - m6in.8xlarge
 +      - m6in.12xlarge
 +      - m6in.16xlarge
 +      - m6in.24xlarge
 +      - m6in.32xlarge
 +      - m6in.metal
 +      - m7i.large
 +      - m7i.xlarge
 +      - m7i.2xlarge
 +      - m7i.4xlarge
 +      - m7i.8xlarge
 +      - m7i-flex.large
 +      - m7i-flex.xlarge
 +      - m7i-flex.2xlarge
 +      - m7i-flex.4xlarge
 +      - m7i-flex.8xlarge
 +
 +  KeyName:
 +    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances
 +    Type: AWS::EC2::KeyPair::KeyName
 +    ConstraintDescription: Must not be empty
 +
 +  VyOSPublicENIip:
 +    Description: Private IP address for VyOS instance ENI
 +    Type: String
 +    AllowedPattern: ^(10\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|172\.(?:1[6-9]|2[0-9]|3[01])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|192\.168\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))$
 +    ConstraintDescription: Must be a valid IP address in the Public Subnet CIDR block
 +
 +  VyOSPrivENIip:
 +    Description: Private IP address for VyOS instance ENI
 +    Type: String
 +    AllowedPattern: ^(10\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|172\.(?:1[6-9]|2[0-9]|3[01])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|192\.168\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))$
 +    ConstraintDescription: Must be a valid IP address in the Private Subnet CIDR block
 +
 +  SSHAllowedIP:
 +    Description: The IP subnet allowed to SSH into the VyOS instance
 +    Type: String
 +    Default: 192.0.2.0/24
 +    AllowedPattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(2[4-9]|3[0-2]))$
 +    ConstraintDescription: Must be a valid IPv4 CIDR within range /24 to /32
 +
 +  # VyOS AMI Aliase. 
 +  # If you set "latest" option CloudFormation will choose the latest version of the VyOS. 
 +  # But if you want to deploy a more specific version you should change the latest to part of the alias like /aws/.../1.3.6, /aws/.../1.4.0.
 +  # After changing this please look at the Resources part "VyOSInstance"s User-Data field because there could be VyOS CLI commands changes.
 +  # Check VyOS official documentation for command reference.
 +
 +  AmiAlias:
 +    Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
 +    Default: "/aws/service/marketplace/prod-ev235jujteaom/latest"
 +    Description: "AMI Alias of the VyOS instance"
 +
 +Metadata:
 +  AWS::CloudFormation::Interface:
 +    ParameterGroups:
 +      - Label:
 +          default: 'Current VPC configuration. If you want deploy instance to your
 +            existing VPC please add VPC and Subnet IDs to regareded fields:'
 +        Parameters:
 +          - ExistingVPCId
 +          - ExistingPublicSubnetId
 +          - ExistingPrivateSubnetId
 +      - Label:
 +          default: 'New VPC and Subnet CIDRs configurations. If you want to deploy instance to new
 +            VPC please fill regarded fields:'
 +        Parameters:
 +          - VPCName
 +          - VPCCidrBlock
 +          - PublicSubnetCidr
 +          - PrivateSubnetCidr
 +      - Label:
 +          default: 'VyOS Instance Configuration:'
 +        Parameters:
 +          - InstanceType
 +          - KeyName
 +          - VyOSPublicENIip
 +          - VyOSPrivENIip
 +          - SSHAllowedIP
 +
 +    ParameterLabels:
 +      ExistingVPCId:
 +        default: Existing VPC ID (optional if deploy existing VPC)
 +      ExistingPublicSubnetId:
 +        default: Existing Public Subnet ID (optional if deploy existing VPC)
 +      ExistingPrivateSubnetId:
 +        default: Existing Private Subnet ID (optional if deploy existing VPC)
 +      VPCName:
 +        default: VPC Name (required if you deploy new VPC)
 +      VPCCidrBlock:
 +        default: VPC CIDR Block (required if you deploy new VPC)
 +      PublicSubnetCidr:
 +        default: Public Subnet CIDR (required if you deploy new VPC)
 +      PrivateSubnetCidr:
 +        default: Private Subnet CIDR (required if you deploy new VPC)
 +      InstanceType:
 +        default: Instance Type (required)
 +      KeyName:
 +        default: EC2 KeyPair Name (required)
 +      VyOSPublicENIip:
 +        default: VyOS Public ENI IP (required)
 +      VyOSPrivENIip:
 +        default: VyOS Private ENI IP (required)
 +      OnPremPublicIPAddress:
 +        default: On-Premies Public IP Address (required)
 +      VyOSBGPASNumber:
 +        default: VyOS BGP ASN (required)
 +      OnPremBGPASNumber:
 +        default: On-Premies BGP ASN (required)
 +      SSHAllowedIP:
 +        default: SSH Allowed IP Subnet (required)
 +
 +Conditions:
 +  CreateVPC: !Equals
 +    - !Ref ExistingVPCId
 +    - ''
 +  CreatePublicSubnet: !Equals
 +    - !Ref ExistingPublicSubnetId
 +    - ''
 +  CreatePrivateSubnet: !Equals
 +    - !Ref ExistingPrivateSubnetId
 +    - ''
 +
 +Resources:
 +  # VPC
 +  VPC:
 +    Type: AWS::EC2::VPC
 +    Condition: CreateVPC
 +    Properties:
 +      CidrBlock: !Ref VPCCidrBlock
 +      EnableDnsSupport: 'true'
 +      EnableDnsHostnames: 'true'
 +      Tags:
 +        - Key: Name
 +          Value: !Ref VPCName
 +
 +  # Subnets
 +  PublicSubnet:
 +    Type: AWS::EC2::Subnet
 +    Condition: CreatePublicSubnet
 +    DependsOn: VPC
 +    Properties:
 +      VpcId: !If
 +        - CreateVPC
 +        - !Ref VPC
 +        - !Ref ExistingVPCId
 +      CidrBlock: !Ref PublicSubnetCidr
 +      MapPublicIpOnLaunch: 'true'
 +      AvailabilityZone: !Select
 +        - 0
 +        - !GetAZs ''
 +      Tags:
 +        - Key: Name
 +          Value: Public Subnet
 +
 +  PrivateSubnet:
 +    Type: AWS::EC2::Subnet
 +    Condition: CreatePrivateSubnet
 +    DependsOn: VPC
 +    Properties:
 +      VpcId: !If
 +        - CreateVPC
 +        - !Ref VPC
 +        - !Ref ExistingVPCId
 +      CidrBlock: !Ref PrivateSubnetCidr
 +      MapPublicIpOnLaunch: 'false'
 +      AvailabilityZone: !Select
 +        - 0
 +        - !GetAZs ''
 +      Tags:
 +        - Key: Name
 +          Value: Private Subnet
 +
 +  # Internet Gateway
 +  InternetGateway:
 +    Type: AWS::EC2::InternetGateway
 +    Condition: CreateVPC
 +    Properties:
 +      Tags:
 +        - Key: Name
 +          Value: Internet Gateway
 +        - Key: Created by
 +          Value: CloudFormation
 +
 +  AttachGateway:
 +    Type: AWS::EC2::VPCGatewayAttachment
 +    Condition: CreateVPC
 +    Properties:
 +      VpcId: !Ref VPC
 +      InternetGatewayId: !Ref InternetGateway
 +
 +  # Route Tables
 +  PublicRouteTable:
 +    Type: AWS::EC2::RouteTable
 +    Condition: CreateVPC
 +    Properties:
 +      VpcId: !If
 +        - CreateVPC
 +        - !Ref VPC
 +        - !Ref ExistingVPCId
 +      Tags:
 +        - Key: Name
 +          Value: Public Route Table
 +        - Key: Created by
 +          Value: CloudFormation
 +
 +  PublicRoute:
 +    Type: AWS::EC2::Route
 +    Condition: CreateVPC
 +    Properties:
 +      RouteTableId: !Ref PublicRouteTable
 +      DestinationCidrBlock: 0.0.0.0/0
 +      GatewayId: !If
 +        - CreateVPC
 +        - !Ref InternetGateway
 +        - !Ref ExistingPublicSubnetId
 +
 +  PublicSubnetRouteTableAssociation:
 +    Type: AWS::EC2::SubnetRouteTableAssociation
 +    Condition: CreateVPC
 +    Properties:
 +      SubnetId: !Ref PublicSubnet
 +      RouteTableId: !Ref PublicRouteTable
 +
 +  # Security Groups
 +  VyOSPublicSG:
 +    Type: AWS::EC2::SecurityGroup
 +    Properties:
 +      GroupDescription: Enable access from outside
 +      VpcId: !If
 +        - CreateVPC
 +        - !Ref VPC
 +        - !Ref ExistingVPCId
 +      SecurityGroupIngress:
 +        - IpProtocol: tcp
 +          FromPort: 22
 +          ToPort: 22
 +          CidrIp: !Ref SSHAllowedIP
 +          Description: Allow SSH access
 +        - IpProtocol: udp
 +          FromPort: 51820
 +          ToPort: 51820
 +          CidrIp: 0.0.0.0/0
 +          Description: Allow WireGuard VPN access
 +        - IpProtocol: udp
 +          FromPort: 1194
 +          ToPort: 1194
 +          CidrIp: 0.0.0.0/0
 +          Description: Allow OpenVPN access
 +        - IpProtocol: udp
 +          FromPort: 500
 +          ToPort: 500
 +          CidrIp: 0.0.0.0/0
 +          Description: Allow IPSec VPN access (ISAKMP)
 +        - IpProtocol: udp
 +          FromPort: 1701
 +          ToPort: 1701
 +          CidrIp: 0.0.0.0/0
 +          Description: Allow L2TP VPN access
 +        - IpProtocol: udp
 +          FromPort: 4500
 +          ToPort: 4500
 +          CidrIp: 0.0.0.0/0
 +          Description: Allow IPSec NAT Traversal
 +      Tags:
 +        - Key: Name
 +          Value: PublicSG
 +        - Key: Created by
 +          Value: CloudFormation
 +
 +  VyOSPrivateSG:
 +    Type: AWS::EC2::SecurityGroup
 +    Properties:
 +      GroupDescription: Enable access from inside
 +      VpcId: !If
 +        - CreateVPC
 +        - !Ref VPC
 +        - !Ref ExistingVPCId
 +      SecurityGroupIngress:
 +        - IpProtocol: -1 
 +          CidrIp: 0.0.0.0/0
 +          Description: Allow all protocols and ports
 +      Tags:
 +        - Key: Name
 +          Value: PrivateSG
 +        - Key: Created by
 +          Value: CloudFormation
 +
 +  # ENIs
 +  PublicENI:
 +    Type: AWS::EC2::NetworkInterface
 +    Properties:
 +      SubnetId: !If
 +        - CreatePublicSubnet
 +        - !Ref PublicSubnet
 +        - !Ref ExistingPublicSubnetId
 +      Description: Public Network Interface
 +      PrivateIpAddress: !Ref VyOSPublicENIip
 +      GroupSet:
 +        - !Ref VyOSPublicSG
 +      Tags:
 +        - Key: Name
 +          Value: PublicENI
 +        - Key: Created by
 +          Value: CloudFormation
 +
 +  PrivateENI:
 +    Type: AWS::EC2::NetworkInterface
 +    Properties:
 +      SubnetId: !If
 +        - CreatePrivateSubnet
 +        - !Ref PrivateSubnet
 +        - !Ref ExistingPrivateSubnetId
 +      Description: Private Network Interface
 +      PrivateIpAddress: !Ref VyOSPrivENIip
 +      GroupSet:
 +        - !Ref VyOSPrivateSG
 +      Tags:
 +        - Key: Name
 +          Value: PrivateENI
 +        - Key: Created by
 +          Value: CloudFormation
 +
 +  # VyOS Instance
 +  VyOSInstance:
 +    Type: AWS::EC2::Instance
 +    Properties:
 +      InstanceType: !Ref InstanceType
 +      KeyName: !Ref KeyName
 +      ImageId: !Ref AmiAlias
 +      NetworkInterfaces:
 +        - NetworkInterfaceId: !Ref PublicENI
 +          DeviceIndex: 0
 +        - NetworkInterfaceId: !Ref PrivateENI
 +          DeviceIndex: 1
 +      UserData: !Base64
 +        Fn::Sub: |
 +          #cloud-config
 +          vyos_config_commands:
 +            # Basic VyOS Configuration
 +            - set system host-name 'VyOS-on-AWS'
 +            - set interfaces ethernet eth0 description 'OUTSIDE'
 +            - set interfaces ethernet eth1 description 'INSIDE'
 +            - set interfaces ethernet eth1 dhcp-options no-default-route
 +            - set system login banner pre-login 'Welcome to the VyOS on AWS'
 +      Tags:
 +        - Key: Name
 +          Value: VyOS-Instance
 +        - Key: Created by
 +          Value: CloudFormation
 +
 +  # Elastic IP
 +  VyOSPublicIPAddress:
 +    Type: AWS::EC2::EIP
 +    Properties:
 +      Domain: vpc
 +      Tags:
 +        - Key: Name
 +          Value: VyOS-Instance-EIP
 +        - Key: Created by
 +          Value: CloudFormation
 +
 +  # Elastic IP Association
 +  EIPAssociation:
 +    Type: AWS::EC2::EIPAssociation
 +    Properties:
 +      NetworkInterfaceId: !Ref PublicENI
 +      AllocationId: !GetAtt VyOSPublicIPAddress.AllocationId
 +
 +# Outputs
 +Outputs:
 +  VPCId:
 +    Description: VPC Id
 +    Value: !If
 +      - CreateVPC
 +      - !Ref VPC
 +      - !Ref ExistingVPCId
 +  VPCPublicSubnetId:
 +    Description: Public Subnet Id
 +    Value: !If
 +      - CreatePublicSubnet
 +      - !Ref PublicSubnet
 +      - !Ref ExistingPublicSubnetId
 +  VPCPrivateSubnetId:
 +    Description: Private Subnet Id
 +    Value: !If
 +      - CreatePrivateSubnet
 +      - !Ref PrivateSubnet
 +      - !Ref ExistingPrivateSubnetId
 +  VyOSInstanceId:
 +    Description: Instance ID of the VyOS instance
 +    Value: !Ref VyOSInstance
 +  VyOSPublicIp:
 +    Description: Public IP address of the VyOS instance
 +    Value: !Ref VyOSPublicIPAddress
 +  VyOSMgmtUsername:
 +    Description: Username for SSH access to the VyOS instance
 +    Value: vyos
 +  VyOSMgmtKeyPair:
 +    Description: Name of the KeyPair used for SSH access
 +    Value: !Ref KeyName  
 +  VyOSMgmtInfo:
 +    Description: VyOS managment information
 +    Value: !Join 
 +      - "\n" 
 +      - - "Management allowed via SSH protocol default port 22. "
 +        - "To access VyOS instance you need to have SSH client software (like Putty, MobaXterm etc). "
 +        - "SSH access example: ssh vyos@192.0.2.1 -i /tmp/test.pem"
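Review bot: VyOSPrivateSG admits every protocol and port from the whole Internet (`+        - IpProtocol: -1` / `+          CidrIp: 0.0.0.0/0`); the private ENI has no public address, but a security group is the only filter for whatever reaches that subnet (peered VPCs, the VPN tunnel, other workloads), so scope it to the VPC CIDR or the private subnet range instead of `0.0.0.0/0`. On VyOSPublicSG, the WireGuard 51820, OpenVPN 1194, IPsec 500/4500 and L2TP 1701 rules are all open to `0.0.0.0/0`, yet the basic cloud-init configures no VPN service at all (host-name, two interface descriptions, `dhcp-options no-default-route` and a banner), so in this template they are unused exposures: keep only the SSH rule here, add VPN rules in the advanced template, and decide there whether L2TP/1701 is wanted. Other issues in this hunk: PublicRoute's `GatewayId: !If` falls back to `!Ref ExistingPublicSubnetId`, which is a subnet ID rather than a gateway; it is unreachable because the resource carries `Condition: CreateVPC`, so simplify it to `GatewayId: !Ref InternetGateway`. ParameterLabels defines OnPremPublicIPAddress, VyOSBGPASNumber and OnPremBGPASNumber, none of which exist in this template (leftovers from the advanced one), and AmiAlias is absent from ParameterGroups, so it lands in an unlabeled group in the console. Neither ENI sets `SourceDestCheck: false`, which a VyOS instance needs before it can forward traffic not addressed to itself, and the private subnet gets no route table association, so instances there use the VPC main table and nothing is routed through VyOS. Finally, the VPC/subnet ConstraintDescriptions promise `/16` to `/28` while the AllowedPattern `\/([1-9]|[1-2][0-9]|3[0-2])` accepts any prefix from `/1` to `/32`; tighten it to `\/(1[6-9]|2[0-8])`, and fix `existig` in the VPCCidrBlock description.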
 diff --git a/CloudFormation/vyos-vyos-template-with-advanced-configuration/opposide-side-vyos-instance-config-example.txt b/CloudFormation/vyos-vyos-template-with-advanced-configuration/opposide-side-vyos-instance-config-example.txt new file mode 100644 index 0000000..692feac --- /dev/null +++ b/CloudFormation/vyos-vyos-template-with-advanced-configuration/opposide-side-vyos-instance-config-example.txt @@ -0,0 +1,57 @@ +    set system host-name 'VyOS-in-Corporate-Data-Center'
 +    set system login banner pre-login 'Welcome to the VyOS on Corporate Data Center'
 +    set interfaces ethernet eth0 description 'OUTSIDE'
 +    set interfaces ethernet eth0 address '10.1.1.4/24'
 +    set interfaces ethernet eth1 description 'INSIDE'
 +    set interfaces ethernet eth1 address '10.1.11.4/24'
 +    set system name-server '8.8.8.8'
 +    set system name-server '8.8.4.8'
 +    set service dns forwarding name-server '8.8.8.8'
 +    set service dns forwarding listen-address '10.1.11.4'
 +    set service dns forwarding allow-from '10.1.11.0/24'
 +    set service dns forwarding no-serve-rfc1918
 +    set nat source rule 10 outbound-interface name 'eth0'
 +    set nat source rule 10 source address '10.1.11.0/24'
 +    set nat source rule 10 translation address 'masquerade'
 +    set vpn ipsec interface 'eth0'
 +    set vpn ipsec esp-group AWS lifetime '3600'
 +    set vpn ipsec esp-group AWS mode 'tunnel'
 +    set vpn ipsec esp-group AWS pfs 'dh-group2'
 +    set vpn ipsec esp-group AWS proposal 1 encryption 'aes256'
 +    set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
 +    set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
 +    set vpn ipsec ike-group AWS dead-peer-detection interval '15'
 +    set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
 +    set vpn ipsec ike-group AWS ikev2-reauth
 +    set vpn ipsec ike-group AWS key-exchange 'ikev2'
 +    set vpn ipsec ike-group AWS lifetime '28800'
 +    set vpn ipsec ike-group AWS proposal 1 dh-group '2'
 +    set vpn ipsec ike-group AWS proposal 1 encryption 'aes256'
 +    set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
 +    set vpn ipsec ike-group AWS close-action start
 +    set vpn ipsec option disable-route-autoinstall
 +    set interfaces vti vti1 address '10.2.100.11/32'
 +    set interfaces vti vti1 description 'Tunnel to VyOS on AWS'
 +    set interfaces vti vti1 ip adjust-mss '1350'
 +    set protocols static route 10.1.100.11/32 interface vti1
 +    set vpn ipsec authentication psk VyOS id '10.1.1.4'
 +    set vpn ipsec authentication psk VyOS id '10.0.1.10'
 +    set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
 +    set vpn ipsec site-to-site peer VyOS-on-AWS authentication local-id '10.1.1.4'
 +    set vpn ipsec site-to-site peer VyOS-on-AWS authentication mode 'pre-shared-secret'
 +    set vpn ipsec site-to-site peer VyOS-on-AWS authentication remote-id '10.0.1.10'
 +    set vpn ipsec site-to-site peer VyOS-on-AWS connection-type 'initiate'
 +    set vpn ipsec site-to-site peer VyOS-on-AWS description 'AWS TUNNEL to VyOS on AWS'
 +    set vpn ipsec site-to-site peer VyOS-on-AWS ike-group 'AWS'
 +    set vpn ipsec site-to-site peer VyOS-on-AWS ikev2-reauth 'inherit'
 +    set vpn ipsec site-to-site peer VyOS-on-AWS local-address '10.1.1.4'
 +    set vpn ipsec site-to-site peer VyOS-on-AWS remote-address '192.0.2.2'
 +    set vpn ipsec site-to-site peer VyOS-on-AWS vti bind 'vti1'
 +    set vpn ipsec site-to-site peer VyOS-on-AWS vti esp-group 'AWS'
 +    set protocols bgp system-as '65002'
 +    set protocols bgp address-family ipv4-unicast network 10.1.11.0/24
 +    set protocols bgp neighbor 10.1.100.11 remote-as '192.0.2.1'
 +    set protocols bgp neighbor 10.1.100.11 address-family ipv4-unicast soft-reconfiguration inbound
 +    set protocols bgp neighbor 10.1.100.11 timers holdtime '30'
 +    set protocols bgp neighbor 10.1.100.11 timers keepalive '10'
 +    set protocols bgp neighbor 10.1.100.11 ebgp-multihop '10'
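Review bot: `+    set protocols bgp neighbor 10.1.100.11 remote-as '192.0.2.1'` puts an IP address where an AS number belongs; remote-as must be the ASN the AWS-side stack was given in its VyOSBGPASNumber parameter, otherwise the session never comes up. The second resolver is mistyped as well: `set system name-server '8.8.4.8'` should read `8.8.4.4`. On the crypto, both the IKE and ESP proposals use `dh-group '2'` (1024-bit MODP) and `hash 'sha1'`, with `pfs 'dh-group2'` on the ESP group; for a new site-to-site tunnel prefer `dh-group '14'` or higher (or an ECP group), `hash 'sha256'` and `pfs 'dh-group14'`, and keep the AWS side identical. The PSK `'ch00s3-4-s3cur3-psk'` is obviously a placeholder, but since this file is meant to be pasted into a live router, say so in a comment at the top and note that the same value must be configured on the AWS side. The file also lacks a trailing newline.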
\ No newline at end of file diff --git a/CloudFormation/vyos-vyos-template-with-advanced-configuration/readme.md b/CloudFormation/vyos-vyos-template-with-advanced-configuration/readme.md new file mode 100644 index 0000000..7845fb4 --- /dev/null +++ b/CloudFormation/vyos-vyos-template-with-advanced-configuration/readme.md @@ -0,0 +1,95 @@ +# VyOS Deployment with Advanced Configuration
 +
 +## Overview
 +This manual guides the deployment of a VyOS instance in AWS using CloudFormation. The template sets up:
 +- VPC with public and private subnets
 +- Internet Gateway, Route Tables, ENIs, Security Groups, Elastic IP
 +- Configuration via cloud-init
 +
 +This automated setup ensures a consistent, efficient deployment process.
 +
 +## Prerequisites
 +- **AWS Account**: Permissions to manage VPCs, EC2 instances, etc.
 +- **EC2 Key Pair**: Valid SSH key for accessing VyOS.
 +- **AWS Console/CLI**: Familiarity with AWS Console or CLI for stack management.
 +
 +## CloudFormation Template Overview
 +
 +### Parameters
 +
 +#### Existing VPC and Subnet Parameters
 +For deployment to an existing VPC, provide VPC and Subnet IDs; leave blank for a new VPC.
 +- **ExistingVPCId**: (Optional) VPC ID
 +- **ExistingPublicSubnetId**: (Optional) Public Subnet ID
 +- **ExistingPrivateSubnetId**: (Optional) Private Subnet ID
 +
 +#### New VPC Parameters
 +For a new VPC, specify:
 +- **VPCName**: Name of the new VPC
 +- **VPCCidrBlock**: CIDR block (e.g., 10.0.0.0/16)
 +
 +#### Subnet Parameters
 +- **PublicSubnetCidr**: CIDR for the public subnet
 +- **PrivateSubnetCidr**: CIDR for the private subnet
 +
 +#### VyOS Instance Parameters
 +- **InstanceType**: EC2 instance type (e.g., t3.medium)
 +- **KeyName**: Name of EC2 KeyPair
 +- **VyOSPublicENIip**: Private IP in the public subnet
 +- **VyOSPrivENIip**: Private IP in the private subnet
 +- **VyOSBGPASNumber**: BGP ASN for VyOS
 +- **DNS1/DNS2**: Primary/Secondary DNS IP
 +- **SSHAllowedIP**: CIDR for SSH access (e.g., 192.0.2.0/24)
 +- **AmiAlias**: Specify VyOS AMI alias (e.g., `latest` or version `/aws/.../1.4.0`)
 +
 +#### BGP/VPN Peer Parameters
 +- **OnPremPublicIPAddress**: Public IP of on-premise VPN endpoint
 +- **OnPremBGPASNumber**: BGP ASN for on-premise endpoint
 +
 +### Resources
 +1. **VPC**: Creates a new VPC or uses an existing one
 +2. **Subnets**: Public and private subnets
 +3. **Internet Gateway**: For public subnet internet access
 +4. **Route Tables**: Routing configuration for traffic between subnets and Internet Gateway
 +5. **ENIs**: Elastic Network Interfaces for public and private IPs
 +6. **Security Groups**: Public/Private Security Groups
 +7. **VyOS Instance**: Configured via cloud-init with specified AMI and instance type
 +
 +### Conditions
 +Conditions determine whether to create a new VPC or use an existing one.
 +
 +## Deployment Scenarios
 +
 +### Existing VPC Deployment
 +1. In **AWS Console**, go to **CloudFormation** > **Create Stack**
 +2. Choose **Upload a template** and select the `.yaml` file
 +3. Enter **Stack Details** and existing **VPC/Subnet IDs**
 +4. Configure **VyOS Instance Parameters**
 +5. Add on-prem VyOS parameters and finish deployment
 +6. Confirm **CREATE_COMPLETE** status and retrieve Public IP from **Outputs**
 +
 +### New VPC Deployment
 +1. Follow the steps above but add new **VPC name, CIDR, and Subnet CIDRs**
 +2. Complete **VyOS Instance Configuration**
 +3. Confirm deployment and retrieve Public IP from **Outputs**
 +
 +## Access and Management
 +Use SSH to connect:
 +```bash
 +ssh vyos@<VyOS_Public_IP_Address> -i <test-key.pem>
 +```
 +
 +## Common Commands for VyOS Management
 +
 +- **show configuration commands**: Displays the current configuration.
 +- **show interfaces**: Lists all network interfaces and their status.
 +- **show ip route**: Shows the IP routing table.
 +- **show ip bgp summary**: Summarizes BGP neighbors and sessions.
 +- **show vpn ipsec sa**: Displays the status of IPsec Security Associations.
 +- **show vpn ike sa**: Shows the status of IKE Security Associations.
 +- **show vpn ipsec connections**: Lists current IPsec VPN connections.
 +- **show firewall summary**: Summarizes firewall rules and statistics.
 +- **show firewall statistics**: Provides detailed firewall statistics.
 +
 +For additional commands and configurations, refer to the [VyOS Documentation](https://docs.vyos.io/en/sagitta/).
 +
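Review bot: this readme never mentions `opposide-side-vyos-instance-config-example.txt`, which is the only place in the commit that shows how the on-prem peer (IPsec, VTI, BGP) has to be configured; add a short peer-configuration section that points to it and lists what must match on both ends (PSK, IKE/ESP groups, VTI addresses, ASNs, local/remote IDs). While doing that, fix the paths introduced here: the directory is named `vyos-vyos-template-with-advanced-configuration` (doubled `vyos-`) and the example file is spelled `opposide` rather than `opposite`. Smaller points: the Resources list omits the Elastic IP and its association; step 5 (`+5. Add on-prem VyOS parameters and finish deployment`) should name the parameters (OnPremPublicIPAddress, OnPremBGPASNumber) so it matches the Parameters section above; and `show firewall summary` / `show firewall statistics` are listed under management although nothing in this readme says the template configures a firewall, so either document what is configured or drop them.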
 diff --git a/CloudFormation/vyos-vyos-template-with-advanced-configuration/single-instance-with-advanced-configuration.yml b/CloudFormation/vyos-vyos-template-with-advanced-configuration/single-instance-with-advanced-configuration.yml new file mode 100644 index 0000000..063712e --- /dev/null +++ b/CloudFormation/vyos-vyos-template-with-advanced-configuration/single-instance-with-advanced-configuration.yml 
@@ -0,0 +1,812 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: VyOS Networks CloudFormation template to deploy a VPC with public +  and private subnets, an Internet gateway, Route tables, ENIs, Elastic IP +  Address and a VyOS instance with subscription (Pay As You Go) and configures +  VyOS instance via user-data (cloud-init). + +Parameters: +  ExistingVPCId: +    Description: ID of an existing VPC +    Type: String +    Default: '' +    AllowedPattern: ^$|^vpc-[0-9a-fA-F]{8,17}$ +    ConstraintDescription: Must be a valid VPC ID or empty. + +  ExistingPublicSubnetId: +    Description: ID of an existing public subnet +    Type: String +    Default: '' +    AllowedPattern: ^$|^subnet-[0-9a-fA-F]{8,17}$ +    ConstraintDescription: Must be a valid public subnet ID or empty. + +  ExistingPrivateSubnetId: +    Description: ID of an existing private subnet +    Type: String +    Default: '' +    AllowedPattern: ^$|^subnet-[0-9a-fA-F]{8,17}$ +    ConstraintDescription: Must be a valid private subnet ID or empty. + +  VPCName: +    Description: Name of the VPC +    Type: String +    Default: '' +    AllowedPattern: ^$|^.{1,128}$ +    MaxLength: 128 +    ConstraintDescription: Must be empty or between 1 and 128 characters. + +  VPCCidrBlock: +    Description: CIDR block for the VPC +    Type: String +    Default: '' +    AllowedPattern: ^$|^(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(192\.168\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$ +    ConstraintDescription: Must be a valid IPv4 CIDR notation within private IP +      ranges based on RFC 1918, with subnet sizes between /16 and /28, or can be +      empty if we deploy VyOS instance to the existig VPC. 
+ +  PublicSubnetCidr: +    Description: CIDR block for the Public Subnet +    Type: String +    Default: '' +    AllowedPattern: ^$|^(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(192\.168\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$ +    ConstraintDescription: Must be a valid IPv4 CIDR notation within private IP +      ranges based on RFC 1918, with subnet sizes between /16 and /28. + +  PrivateSubnetCidr: +    Description: CIDR block for the Private Subnet +    Type: String +    Default: '' +    AllowedPattern: ^$|^(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$|^(192\.168\.[0-9]{1,3}\.[0-9]{1,3}\/([1-9]|[1-2][0-9]|3[0-2]))$ +    ConstraintDescription: Must be a valid IPv4 CIDR notation within private IP +      ranges based on RFC 1918, with subnet sizes between /16 and /28. 
+ +  InstanceType: +    Description: EC2 instance type for VyOS deployment +    Type: String +    Default: c5n.large +    AllowedValues: +      - t3.small +      - t3.medium +      - t3.large +      - t3.xlarge +      - t3.2xlarge +      - t3a.small +      - t3a.medium +      - t3a.large +      - t3a.xlarge +      - t3a.2xlarge +      - m4.large +      - m4.xlarge +      - m4.2xlarge +      - m4.4xlarge +      - m4.10xlarge +      - m4.16xlarge +      - m5.large +      - m5.xlarge +      - m5.2xlarge +      - m5.4xlarge +      - m5.8xlarge +      - m5a.large +      - m5a.xlarge +      - m5a.2xlarge +      - m5a.4xlarge +      - m5a.8xlarge +      - m5a.12xlarge +      - m5n.large +      - m5n.xlarge +      - m5n.2xlarge +      - m5n.4xlarge +      - m5n.8xlarge +      - m5n.12xlarge +      - m5zn.large +      - m5zn.xlarge +      - m5zn.2xlarge +      - m5zn.3xlarge +      - m5zn.6xlarge +      - m5zn.12xlarge +      - m6i.large +      - m6i.xlarge +      - m6i.2xlarge +      - m6i.4xlarge +      - m6i.8xlarge +      - m6i.12xlarge +      - m6i.16xlarge +      - c4.large +      - c4.xlarge +      - c4.2xlarge +      - c4.4xlarge +      - c4.8xlarge +      - c5.large +      - c5.xlarge +      - c5.2xlarge +      - c5.4xlarge +      - c5.9xlarge +      - c5d.large +      - c5d.xlarge +      - c5d.2xlarge +      - c5d.4xlarge +      - c5d.9xlarge +      - c5a.large +      - c5a.xlarge +      - c5a.2xlarge +      - c5a.4xlarge +      - c5a.8xlarge +      - c5n.large +      - c5n.xlarge +      - c5n.2xlarge +      - c5n.4xlarge +      - c5n.9xlarge +      - c6i.large +      - c6i.xlarge +      - c6i.2xlarge +      - c6i.4xlarge +      - c6i.8xlarge +      - c6i.12xlarge +      - c6i.16xlarge +      - c6i.24xlarge +      - m6a.large +      - m6a.xlarge +      - m6a.2xlarge +      - m6a.4xlarge +      - m6a.8xlarge +      - m6a.12xlarge +      - m6a.16xlarge +      - m6in.large +      - m6in.xlarge +      - m6in.2xlarge +      - m6in.4xlarge +      - m6in.8xlarge +      - 
m6in.12xlarge +      - m6in.16xlarge +      - m6in.24xlarge +      - m6in.32xlarge +      - m6in.metal +      - m7i.large +      - m7i.xlarge +      - m7i.2xlarge +      - m7i.4xlarge +      - m7i.8xlarge +      - m7i-flex.large +      - m7i-flex.xlarge +      - m7i-flex.2xlarge +      - m7i-flex.4xlarge +      - m7i-flex.8xlarge + +  KeyName: +    Description: Name of an existing EC2 KeyPair to enable SSH access to the instances +    Type: AWS::EC2::KeyPair::KeyName +    ConstraintDescription: Must not be empty + +  VyOSPublicENIip: +    Description: Private IP address for VyOS instance ENI +    Type: String +    AllowedPattern: ^(10\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|172\.(?:1[6-9]|2[0-9]|3[01])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|192\.168\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))$ +    ConstraintDescription: Must be a valid IP address in the Public Subnet CIDR block + +  VyOSPrivENIip: +    Description: Private IP address for VyOS instance ENI +    Type: String +    AllowedPattern: ^(10\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|172\.(?:1[6-9]|2[0-9]|3[01])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])|192\.168\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]))$ +    ConstraintDescription: Must be a valid IP address in the Private Subnet CIDR block + +  OnPremPublicIPAddress: +    Description: The public IP address for the on-premise VPN endpoint +    Type: String +    Default: 192.0.2.1 +    AllowedPattern: 
^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ +    ConstraintDescription: Must be a valid IPv4 public address. + +  VyOSBGPASNumber: +    Description: The BGP Autonomous System Number for VyOS +    Type: Number +    Default: 65001 +    MinValue: 1 +    MaxValue: 65535 +    ConstraintDescription: Must be a valid BGP ASN between 1 and 65535. + +  OnPremBGPASNumber: +    Description: The BGP Autonomous System Number for the on-premise VPN endpoint +    Type: Number +    Default: 65002 +    MinValue: 1 +    MaxValue: 65535 +    ConstraintDescription: Must be a valid BGP ASN between 1 and 65535. + +  DNS1: +    Description: Primary DNS server +    Type: String +    Default: 8.8.8.8 +    AllowedPattern: ^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ +    ConstraintDescription: Must be a valid DNS server IP address. + +  DNS2: +    Description: Secondary DNS server +    Type: String +    Default: 8.8.4.4 +    AllowedPattern: ^$|^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ +    ConstraintDescription: Must be a valid DNS server IP address. + +  SSHAllowedIP: +    Description: The IP subnet allowed to SSH into the VyOS instance +    Type: String +    Default: 192.0.2.0/24 +    AllowedPattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(2[4-9]|3[0-2]))$ +    ConstraintDescription: Must be a valid IPv4 CIDR within range /24 to /32 + +  # VyOS AMI Aliase.  +  # If you set "latest" option CloudFormation will choose the latest version of the VyOS.  +  # But if you want to deploy a more specific version you should change the latest to part of the alias like /aws/.../1.3.6, /aws/.../1.4.0. 
+  # After changing this please look at the Resources part "VyOSInstance"s User-Data field because there could be VyOS CLI commands changes. +  # Check VyOS official documentation for command reference. + +  AmiAlias: +    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id> +    Default: /aws/service/marketplace/prod-ev235jujteaom/latest +    Description: AMI Alias of the VyOS instance + +Metadata: +  AWS::CloudFormation::Interface: +    ParameterGroups: +      - Label: +          default: 'Current VPC configuration. If you want deploy instance to your +            existing VPC please add VPC and Subnet IDs to regareded fields:' +        Parameters: +          - ExistingVPCId +          - ExistingPublicSubnetId +          - ExistingPrivateSubnetId +      - Label: +          default: 'New VPC and CIDR configuration. If you want to deploy instance to new +            VPC please fill regarded fields:' +        Parameters: +          - VPCName +          - VPCCidrBlock +      - Label: +          default: 'Subnet CIDRs configurations. 
Add existing or new subnet CIDRs to the +            regarded fields:' +        Parameters: +          - PublicSubnetCidr +          - PrivateSubnetCidr +      - Label: +          default: 'VyOS Instance Configuration:' +        Parameters: +          - InstanceType +          - KeyName +          - VyOSPublicENIip +          - VyOSPrivENIip +          - VyOSBGPASNumber +          - DNS1 +          - DNS2 +          - SSHAllowedIP +      - Label: +          default: 'On-Premise instance parameters:' +        Parameters: +          - OnPremPublicIPAddress +          - OnPremBGPASNumber + +    ParameterLabels: +      ExistingVPCId: +        default: Existing VPC ID (optional if deploy existing VPC) +      ExistingPublicSubnetId: +        default: Existing Public Subnet ID (optional if deploy existing VPC) +      ExistingPrivateSubnetId: +        default: Existing Private Subnet ID (optional if deploy existing VPC) +      VPCName: +        default: VPC Name (required if you deploy new VPC) +      VPCCidrBlock: +        default: VPC CIDR Block (required if you deploy new VPC) +      PublicSubnetCidr: +        default: Public Subnet CIDR (required) +      PrivateSubnetCidr: +        default: Private Subnet CIDR (required) +      InstanceType: +        default: Instance Type (required) +      KeyName: +        default: EC2 KeyPair Name (required) +      VyOSPublicENIip: +        default: VyOS Public ENI IP (required) +      VyOSPrivENIip: +        default: VyOS Private ENI IP (required) +      OnPremPublicIPAddress: +        default: On-Premies Public IP Address (required) +      VyOSBGPASNumber: +        default: VyOS BGP ASN (required) +      OnPremBGPASNumber: +        default: On-Premies BGP ASN (required) +      DNS1: +        default: Primary DNS Server IP Address (required) +      DNS2: +        default: Secondary DNS Server IP Address (optional) +      SSHAllowedIP: +        default: SSH Allowed IP Subnet (required) + +Conditions: +  CreateVPC: !Equals +    - 
!Ref ExistingVPCId +    - '' +  CreatePublicSubnet: !Equals +    - !Ref ExistingPublicSubnetId +    - '' +  CreatePrivateSubnet: !Equals +    - !Ref ExistingPrivateSubnetId +    - '' + +Resources: +  # VPC +  VPC: +    Type: AWS::EC2::VPC +    Condition: CreateVPC +    Properties: +      CidrBlock: !Ref VPCCidrBlock +      EnableDnsSupport: 'true' +      EnableDnsHostnames: 'true' +      Tags: +        - Key: Name +          Value: !Ref VPCName + +  # Subnets +  PublicSubnet: +    Type: AWS::EC2::Subnet +    Condition: CreatePublicSubnet +    DependsOn: VPC +    Properties: +      VpcId: !If +        - CreateVPC +        - !Ref VPC +        - !Ref ExistingVPCId +      CidrBlock: !Ref PublicSubnetCidr +      MapPublicIpOnLaunch: 'true' +      AvailabilityZone: !Select +        - 0 +        - !GetAZs '' +      Tags: +        - Key: Name +          Value: Public Subnet + +  PrivateSubnet: +    Type: AWS::EC2::Subnet +    Condition: CreatePrivateSubnet +    DependsOn: VPC +    Properties: +      VpcId: !If +        - CreateVPC +        - !Ref VPC +        - !Ref ExistingVPCId +      CidrBlock: !Ref PrivateSubnetCidr +      MapPublicIpOnLaunch: 'false' +      AvailabilityZone: !Select +        - 0 +        - !GetAZs '' +      Tags: +        - Key: Name +          Value: Private Subnet + +  # Internet Gateway +  InternetGateway: +    Type: AWS::EC2::InternetGateway +    Condition: CreateVPC +    Properties: +      Tags: +        - Key: Name +          Value: Internet Gateway +        - Key: Created by +          Value: CloudFormation + +  AttachGateway: +    Type: AWS::EC2::VPCGatewayAttachment +    Condition: CreateVPC +    Properties: +      VpcId: !Ref VPC +      InternetGatewayId: !Ref InternetGateway + +  # Route Tables +  PublicRouteTable: +    Type: AWS::EC2::RouteTable +    Condition: CreateVPC +    Properties: +      VpcId: !If +        - CreateVPC +        - !Ref VPC +        - !Ref ExistingVPCId +      Tags: +        - Key: Name +          Value: Public Route 
Table +        - Key: Created by +          Value: CloudFormation + +  PublicRoute: +    Type: AWS::EC2::Route +    Condition: CreateVPC +    Properties: +      RouteTableId: !Ref PublicRouteTable +      DestinationCidrBlock: 0.0.0.0/0 +      GatewayId: !If +        - CreateVPC +        - !Ref InternetGateway +        - !Ref ExistingPublicSubnetId + +  PublicSubnetRouteTableAssociation: +    Type: AWS::EC2::SubnetRouteTableAssociation +    Condition: CreateVPC +    Properties: +      SubnetId: !Ref PublicSubnet +      RouteTableId: !Ref PublicRouteTable + +  # Security Groups +  VyOSPublicSG: +    Type: AWS::EC2::SecurityGroup +    Properties: +      GroupDescription: Enable access from outside +      VpcId: !If +        - CreateVPC +        - !Ref VPC +        - !Ref ExistingVPCId +      SecurityGroupIngress: +        - IpProtocol: tcp +          FromPort: 22 +          ToPort: 22 +          CidrIp: !Ref SSHAllowedIP +          Description: Allow SSH access +        - IpProtocol: udp +          FromPort: 51820 +          ToPort: 51820 +          CidrIp: 0.0.0.0/0 +          Description: Allow WireGuard VPN access +        - IpProtocol: udp +          FromPort: 1194 +          ToPort: 1194 +          CidrIp: 0.0.0.0/0 +          Description: Allow OpenVPN access +        - IpProtocol: udp +          FromPort: 500 +          ToPort: 500 +          CidrIp: 0.0.0.0/0 +          Description: Allow IPSec VPN access (ISAKMP) +        - IpProtocol: udp +          FromPort: 1701 +          ToPort: 1701 +          CidrIp: 0.0.0.0/0 +          Description: Allow L2TP VPN access +        - IpProtocol: udp +          FromPort: 4500 +          ToPort: 4500 +          CidrIp: 0.0.0.0/0 +          Description: Allow IPSec NAT Traversal +      Tags: +        - Key: Name +          Value: PublicSG +        - Key: Created by +          Value: CloudFormation + +  VyOSPrivateSG: +    Type: AWS::EC2::SecurityGroup +    Properties: +      GroupDescription: Enable access from inside +    
  VpcId: !If +        - CreateVPC +        - !Ref VPC +        - !Ref ExistingVPCId +      SecurityGroupIngress: +        - IpProtocol: -1  +          CidrIp: 0.0.0.0/0 +          Description: Allow all protocols and ports +      Tags: +        - Key: Name +          Value: PrivateSG +        - Key: Created by +          Value: CloudFormation + +  # ENIs +  PublicENI: +    Type: AWS::EC2::NetworkInterface +    Properties: +      SubnetId: !If +        - CreatePublicSubnet +        - !Ref PublicSubnet +        - !Ref ExistingPublicSubnetId +      Description: Public Network Interface +      PrivateIpAddress: !Ref VyOSPublicENIip +      GroupSet: +        - !Ref VyOSPublicSG +      Tags: +        - Key: Name +          Value: PublicENI +        - Key: Created by +          Value: CloudFormation + +  PrivateENI: +    Type: AWS::EC2::NetworkInterface +    Properties: +      SubnetId: !If +        - CreatePrivateSubnet +        - !Ref PrivateSubnet +        - !Ref ExistingPrivateSubnetId +      Description: Private Network Interface +      PrivateIpAddress: !Ref VyOSPrivENIip +      GroupSet: +        - !Ref VyOSPrivateSG +      Tags: +        - Key: Name +          Value: PrivateENI +        - Key: Created by +          Value: CloudFormation + +  # VyOS Instance +  VyOSInstance: +    Type: AWS::EC2::Instance +    Properties: +      InstanceType: !Ref InstanceType +      KeyName: !Ref KeyName +      ImageId: !Ref AmiAlias +      NetworkInterfaces: +        - NetworkInterfaceId: !Ref PublicENI +          DeviceIndex: 0 +        - NetworkInterfaceId: !Ref PrivateENI +          DeviceIndex: 1 +      UserData: !Base64 +        Fn::Sub: | +          #cloud-config +          vyos_config_commands: +            # Basic VyOS Configuration +            - set system host-name 'VyOS-on-AWS' +            - set interfaces ethernet eth0 description 'OUTSIDE' +            - set interfaces ethernet eth1 description 'INSIDE' +            - set system login banner pre-login 'Welcome to 
the VyOS on AWS' +            - set interfaces ethernet eth1 dhcp-options no-default-route +            # DNS and DNS Forwarding Configuration +            - set system name-server '${DNS1}' +            - set system name-server '${DNS2}' +            - set service dns forwarding name-server '${DNS1}' +            - set service dns forwarding listen-address '${VyOSPrivENIip}' +            - set service dns forwarding allow-from '${PrivateSubnetCidr}' +            - set service dns forwarding no-serve-rfc1918 +            # Source NAT (SNAT) Configuration +            - set nat source rule 10 outbound-interface name 'eth0' +            - set nat source rule 10 source address '${PrivateSubnetCidr}' +            - set nat source rule 10 translation address 'masquerade' +            # Site-to-Site VPN Configuration +            - set vpn ipsec interface 'eth0' +            - set vpn ipsec esp-group AWS-POC lifetime '3600' +            - set vpn ipsec esp-group AWS-POC mode 'tunnel' +            - set vpn ipsec esp-group AWS-POC pfs 'dh-group2' +            - set vpn ipsec esp-group AWS-POC proposal 1 encryption 'aes256' +            - set vpn ipsec esp-group AWS-POC proposal 1 hash 'sha1' +            - set vpn ipsec ike-group AWS-POC dead-peer-detection action 'restart' +            - set vpn ipsec ike-group AWS-POC dead-peer-detection interval '15' +            - set vpn ipsec ike-group AWS-POC dead-peer-detection timeout '30' +            - set vpn ipsec ike-group AWS-POC ikev2-reauth +            - set vpn ipsec ike-group AWS-POC key-exchange 'ikev2' +            - set vpn ipsec ike-group AWS-POC lifetime '28800' +            - set vpn ipsec ike-group AWS-POC proposal 1 dh-group '2' +            - set vpn ipsec ike-group AWS-POC proposal 1 encryption 'aes256' +            - set vpn ipsec ike-group AWS-POC proposal 1 hash 'sha1' +            - set vpn ipsec ike-group AWS-POC close-action start +            - set vpn ipsec option disable-route-autoinstall +           
 - set interfaces vti vti1 address '10.1.100.11/32' +            - set interfaces vti vti1 description 'Tunnel VyOS 02' +            - set interfaces vti vti1 ip adjust-mss '1350' +            - set protocols static route 10.2.100.11/32 interface vti1 +            - set vpn ipsec authentication psk VyOS id '${VyOSPublicENIip}' +            - set vpn ipsec authentication psk VyOS id '${OnPremPublicIPAddress}' +            - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk' +            - set vpn ipsec site-to-site peer VyOS-on-Prem authentication local-id '${VyOSPublicENIip}' +            - set vpn ipsec site-to-site peer VyOS-on-Prem authentication mode 'pre-shared-secret' +            - set vpn ipsec site-to-site peer VyOS-on-Prem authentication remote-id '${OnPremPublicIPAddress}' +            - set vpn ipsec site-to-site peer VyOS-on-Prem connection-type 'none' +            - set vpn ipsec site-to-site peer VyOS-on-Prem description 'AWS-POC TUNNEL to VyOS on Prem' +            - set vpn ipsec site-to-site peer VyOS-on-Prem ike-group 'AWS-POC' +            - set vpn ipsec site-to-site peer VyOS-on-Prem ikev2-reauth 'inherit' +            - set vpn ipsec site-to-site peer VyOS-on-Prem local-address '${VyOSPublicENIip}' +            - set vpn ipsec site-to-site peer VyOS-on-Prem remote-address '${OnPremPublicIPAddress}' +            - set vpn ipsec site-to-site peer VyOS-on-Prem vti bind 'vti1' +            - set vpn ipsec site-to-site peer VyOS-on-Prem vti esp-group 'AWS-POC' +            # BGP Configuration +            - set protocols bgp system-as '${VyOSBGPASNumber}' +            - set protocols bgp address-family ipv4-unicast network ${PrivateSubnetCidr} +            - set protocols bgp neighbor 10.2.100.11 remote-as '${OnPremBGPASNumber}' +            - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast soft-reconfiguration inbound +            - set protocols bgp neighbor 10.2.100.11 timers holdtime '30' +            - set 
protocols bgp neighbor 10.2.100.11 timers keepalive '10' +            - set protocols bgp neighbor 10.2.100.11 disable-connected-check +            # Firewall Groups (Collections of IP addresses, networks, ports, MAC addresses, domains, or interfaces) +            - set firewall group network-group Local network '${PrivateSubnetCidr}' +            - set firewall group port-group dns_ports port '53' +            - set firewall group port-group mail_ports port '110' +            - set firewall group port-group mail_ports port '25' +            - set firewall group port-group web_ports port '443' +            - set firewall group port-group web_ports port '8080' +            - set firewall group port-group web_ports port '80' +            # Firewall Forwarding Rules (Traffic Transiting Through the VyOS Instance) +            - set firewall ipv4 forward filter default-action 'drop'    #  Default-action 'drop' means drop non allowed (which allowed by rules) transit traffic. +            # These rules blocks all traffic which was not initiated from the internal/LAN side first. 
+            - set firewall ipv4 forward filter rule 10 action 'accept' +            - set firewall ipv4 forward filter rule 10 state 'established' +            - set firewall ipv4 forward filter rule 10 state 'related' +            - set firewall ipv4 forward filter rule 11 action 'drop' +            - set firewall ipv4 forward filter rule 11 state 'invalid' +            # These rules allow ICMP traffic from outside in (from WAN to LAN) +            - set firewall ipv4 forward filter rule 20 action 'accept' +            - set firewall ipv4 forward filter rule 20 description 'Allow ICMP' +            - set firewall ipv4 forward filter rule 20 icmp type-name 'echo-request' +            - set firewall ipv4 forward filter rule 20 inbound-interface name 'eth0' +            - set firewall ipv4 forward filter rule 20 protocol 'icmp' +            - set firewall ipv4 forward filter rule 20 state 'new' +            # These rules allow forward SSH traffic from outside in (from WAN to LAN) and rate limit it to 4 requests per minute. 
This blocks brute-forcing attempts +            - set firewall ipv4 forward filter rule 30 action 'drop' +            - set firewall ipv4 forward filter rule 30 description 'Mitigate SSH brute-forcing' +            - set firewall ipv4 forward filter rule 30 destination port '22' +            - set firewall ipv4 forward filter rule 30 inbound-interface name 'eth0' +            - set firewall ipv4 forward filter rule 30 protocol 'tcp' +            - set firewall ipv4 forward filter rule 30 recent count '4' +            - set firewall ipv4 forward filter rule 30 recent time 'minute' +            - set firewall ipv4 forward filter rule 30 state 'new' +            - set firewall ipv4 forward filter rule 31 action 'accept' +            - set firewall ipv4 forward filter rule 31 description 'Allow SSH' +            - set firewall ipv4 forward filter rule 31 destination port '22' +            - set firewall ipv4 forward filter rule 31 inbound-interface name 'eth0' +            - set firewall ipv4 forward filter rule 31 protocol 'tcp' +            - set firewall ipv4 forward filter rule 31 state 'new' +            # These rules allow ICMP traffic from inside out (from LAN to WAN) +            - set firewall ipv4 forward filter rule 110 action 'accept' +            - set firewall ipv4 forward filter rule 110 description 'LAN clients ICMP' +            - set firewall ipv4 forward filter rule 110 icmp type-name 'echo-request' +            - set firewall ipv4 forward filter rule 110 inbound-interface name 'eth1' +            - set firewall ipv4 forward filter rule 110 state 'new' +            # These rules allow forward SSH traffic from indide out (from LAN to WAN) and rate limit it to 4 requests per minute. 
This blocks brute-forcing attempts +            - set firewall ipv4 forward filter rule 120 action 'drop' +            - set firewall ipv4 forward filter rule 120 description 'Mitigate clients SSH brute-forcing' +            - set firewall ipv4 forward filter rule 120 destination port '22' +            - set firewall ipv4 forward filter rule 120 inbound-interface name 'eth1' +            - set firewall ipv4 forward filter rule 120 protocol 'tcp' +            - set firewall ipv4 forward filter rule 120 recent count '4' +            - set firewall ipv4 forward filter rule 120 recent time 'minute' +            - set firewall ipv4 forward filter rule 120 state 'new' +            - set firewall ipv4 forward filter rule 121 action 'accept' +            - set firewall ipv4 forward filter rule 121 description 'Allow clients SSH' +            - set firewall ipv4 forward filter rule 121 destination port '22' +            - set firewall ipv4 forward filter rule 121 inbound-interface name 'eth1' +            - set firewall ipv4 forward filter rule 121 protocol 'tcp' +            - set firewall ipv4 forward filter rule 121 state 'new' +            # Firewall input rules means firewall (VyOS instance) traffic toward the instance itself +            - set firewall ipv4 input filter default-action 'drop'  #  Default-action 'drop' means drop non allowed (which allowed by rules) inbound traffic. +            # This configuration creates a proper stateful firewall that blocks all traffic which was not initiated from the internal/LAN side first. 
+            - set firewall ipv4 input filter rule 10 action 'accept' +            - set firewall ipv4 input filter rule 10 description 'Allow established/related' +            - set firewall ipv4 input filter rule 10 state 'established' +            - set firewall ipv4 input filter rule 10 state 'related' +            - set firewall ipv4 input filter rule 11 action 'drop' +            - set firewall ipv4 input filter rule 11 state 'invalid' +            # These rules allowes WireGuard, OpenVPN, ESP, ISAKMP, IPSec NAT Traversal, L2TP and ICMP traffic towards VyOS instance via eth0 interface (WAN interface) +            - set firewall ipv4 input filter rule 20 action 'accept' +            - set firewall ipv4 input filter rule 20 description 'WireGuard_IN' +            - set firewall ipv4 input filter rule 20 destination port '51820' +            - set firewall ipv4 input filter rule 20 inbound-interface name 'eth0' +            - set firewall ipv4 input filter rule 20 log +            - set firewall ipv4 input filter rule 20 protocol 'udp' +            - set firewall ipv4 input filter rule 30 action 'accept' +            - set firewall ipv4 input filter rule 30 description 'OpenVPN_IN' +            - set firewall ipv4 input filter rule 30 destination port '1194' +            - set firewall ipv4 input filter rule 30 inbound-interface name 'eth0' +            - set firewall ipv4 input filter rule 30 log +            - set firewall ipv4 input filter rule 30 protocol 'udp' +            - set firewall ipv4 input filter rule 40 action 'accept' +            - set firewall ipv4 input filter rule 40 description 'Allow ESP' +            - set firewall ipv4 input filter rule 40 inbound-interface name 'eth0' +            - set firewall ipv4 input filter rule 40 protocol 'esp' +            - set firewall ipv4 input filter rule 50 action 'accept' +            - set firewall ipv4 input filter rule 50 description 'Allow ISAKMP' +            - set firewall ipv4 input filter rule 50 
destination port '500' +            - set firewall ipv4 input filter rule 50 inbound-interface name 'eth0' +            - set firewall ipv4 input filter rule 50 protocol 'udp' +            - set firewall ipv4 input filter rule 60 action 'accept' +            - set firewall ipv4 input filter rule 60 description 'IPSec NAT Traversal' +            - set firewall ipv4 input filter rule 60 destination port '4500' +            - set firewall ipv4 input filter rule 60 inbound-interface name 'eth0' +            - set firewall ipv4 input filter rule 60 protocol 'udp' +            - set firewall ipv4 input filter rule 70 action 'accept' +            - set firewall ipv4 input filter rule 70 description 'Allow L2TP' +            - set firewall ipv4 input filter rule 70 destination port '1701' +            - set firewall ipv4 input filter rule 70 inbound-interface name 'eth0' +            - set firewall ipv4 input filter rule 70 ipsec match-ipsec +            - set firewall ipv4 input filter rule 70 protocol 'udp' +            - set firewall ipv4 input filter rule 80 action 'accept' +            - set firewall ipv4 input filter rule 80 description 'Allow ICMP' +            - set firewall ipv4 input filter rule 80 icmp type-name 'echo-request' +            - set firewall ipv4 input filter rule 80 inbound-interface name 'eth0' +            - set firewall ipv4 input filter rule 80 protocol 'icmp' +            - set firewall ipv4 input filter rule 80 state 'new' +            # These rules allow forward SSH traffic towards VyOS instance and rate limit it to 4 requests per minute. 
This blocks brute-forcing attempts +            - set firewall ipv4 input filter rule 90 action 'drop' +            - set firewall ipv4 input filter rule 90 description 'Mitigate SSH brute-forcing' +            - set firewall ipv4 input filter rule 90 destination port '22' +            - set firewall ipv4 input filter rule 90 inbound-interface name 'eth0' +            - set firewall ipv4 input filter rule 90 protocol 'tcp' +            - set firewall ipv4 input filter rule 90 recent count '4' +            - set firewall ipv4 input filter rule 90 recent time 'minute' +            - set firewall ipv4 input filter rule 90 state 'new' +            - set firewall ipv4 input filter rule 91 action 'accept' +            - set firewall ipv4 input filter rule 91 description 'Allow SSH' +            - set firewall ipv4 input filter rule 91 destination port '22' +            - set firewall ipv4 input filter rule 91 inbound-interface name 'eth0' +            - set firewall ipv4 input filter rule 91 protocol 'tcp' +            - set firewall ipv4 input filter rule 91 state 'new' +            # These rules allowes ESP, ISAKMP, IPSec NAT Traversal, BGP and ICMP traffic towards VyOS instance via VTI interface +            - set firewall ipv4 input filter rule 140 action 'accept' +            - set firewall ipv4 input filter rule 140 description 'Allow ESP' +            - set firewall ipv4 input filter rule 140 inbound-interface name 'vti1' +            - set firewall ipv4 input filter rule 140 protocol 'esp' +            - set firewall ipv4 input filter rule 150 action 'accept' +            - set firewall ipv4 input filter rule 150 description 'Allow ISAKMP' +            - set firewall ipv4 input filter rule 150 destination port '500' +            - set firewall ipv4 input filter rule 150 inbound-interface name 'vti1' +            - set firewall ipv4 input filter rule 150 protocol 'udp' +            - set firewall ipv4 input filter rule 160 action 'accept' +            - set 
firewall ipv4 input filter rule 160 description 'IPSec NAT Traversal' +            - set firewall ipv4 input filter rule 160 destination port '4500' +            - set firewall ipv4 input filter rule 160 inbound-interface name 'vti1' +            - set firewall ipv4 input filter rule 160 protocol 'udp' +            - set firewall ipv4 input filter rule 170 action 'accept' +            - set firewall ipv4 input filter rule 170 description 'Allow ICMP' +            - set firewall ipv4 input filter rule 170 icmp type-name 'echo-request' +            - set firewall ipv4 input filter rule 170 inbound-interface name 'vti1' +            - set firewall ipv4 input filter rule 170 protocol 'icmp' +            - set firewall ipv4 input filter rule 170 state 'new' +            - set firewall ipv4 input filter rule 180 action 'accept' +            - set firewall ipv4 input filter rule 180 description 'Allow BGP' +            - set firewall ipv4 input filter rule 180 destination port '179' +            - set firewall ipv4 input filter rule 180 inbound-interface name 'vti1' +            - set firewall ipv4 input filter rule 180 protocol 'tcp' +      Tags: +        - Key: Name +          Value: VyOS-Instance +        - Key: Created by +          Value: CloudFormation + +  # Elastic IP +  VyOSPublicIPAddress: +    Type: AWS::EC2::EIP +    Properties: +      Domain: vpc +      Tags: +        - Key: Name +          Value: VyOS-Instance-EIP +        - Key: Created by +          Value: CloudFormation + +  # Elastic IP Association +  EIPAssociation: +    Type: AWS::EC2::EIPAssociation +    Properties: +      NetworkInterfaceId: !Ref PublicENI +      AllocationId: !GetAtt VyOSPublicIPAddress.AllocationId + +# Outputs +Outputs: +  VPCId: +    Description: VPC Id +    Value: !If +      - CreateVPC +      - !Ref VPC +      - !Ref ExistingVPCId +  PublicSubnetId: +    Description: Public Subnet Id +    Value: !If +      - CreatePublicSubnet +      - !Ref PublicSubnet +      - !Ref 
ExistingPublicSubnetId +  PrivateSubnetId: +    Description: Private Subnet Id +    Value: !If +      - CreatePrivateSubnet +      - !Ref PrivateSubnet +      - !Ref ExistingPrivateSubnetId +  VyOSInstanceId: +    Description: Instance ID of the VyOS instance +    Value: !Ref VyOSInstance +  VyOSPublicIp: +    Description: Public IP address of the VyOS instance +    Value: !Ref VyOSPublicIPAddress +  VyOSUsername: +    Description: Username for SSH access to the VyOS instance +    Value: vyos +  KeyPairName: +    Description: Name of the KeyPair used for SSH access +    Value: !Ref KeyName
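Review bot: rules 140, 150 and 160 pair `inbound-interface name 'vti1'` with ESP, UDP/500 and UDP/4500, but IKE and ESP are received on the underlay interface (eth0) before decryption and only the decrypted inner packets ever appear on vti1, so these three rules can never match; bind them to eth0, or drop them if an earlier rule already admits IKE/ESP on eth0. Rules 170 and 180 (ICMP and BGP on vti1) are correctly placed on the tunnel interface. The comment introducing the block reads "allowes".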
\ No newline at end of file diff --git a/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl b/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl new file mode 100644 index 0000000..62b2892 --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/files/vyos_user_data.tfpl @@ -0,0 +1,7 @@ +#cloud-config
 +vyos_config_commands:
 +    - set system host-name 'VyOS-for-Lab'
 +    - set system login banner pre-login 'Welcome to the VyOS for Lab on AWS'
 +    - set interfaces ethernet eth0 description 'WAN'
 +    - set interfaces ethernet eth1 description 'LAN'
 +    - set interfaces ethernet eth1 dhcp-options no-default-route
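Review bot: unlike the CloudFormation user-data in this same commit, this cloud-config sets no `firewall ipv4 input filter` rules, so SSH on eth0 is protected only by the security group (which opens 22/tcp to `0.0.0.0/0` in security_groups.tf); either carry the rate-limit rules 90/91 over or state the difference in the readme. The file is also committed without a trailing newline.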
\ No newline at end of file diff --git a/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem new file mode 100644 index 0000000..4c8d388 --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_private_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvZj8U767XO84ws+eng0bviq0hUvc+iP2q5Gc+3XPDWEu3S9s +ajBsvtEuLzlZk5QThRxRfjFuB1h+rWLJN2qawv978qpcySqi9IhHfVWLLbIgDuPr +hh8qXkaZ9W/FpLsRR0m+jcrcA1Efvr8cpMSvjHpFfLoH6KI2mbRC05OyfOij7ccz +ahxgBV3G3nil53PkNa5lTDuBYurx3K3jmvmlsC6Du5MSA5dOZ6QXeOT6RTbqJbSj +vSoL9/ku1DjGzTS0bghXWk1l7MkAYG6egMXQkJQmnYlwken1dxSCsH5HaPv8vkEZ +rakdejfRWgqil+OlHrp6D3lWoQbok58WmHH/qQIDAQABAoIBAQCJQH2x1kpmnZr2 +lDxcaFrkEKA8Os4OmwhP7Yq6Eu+/3NGDN3iBaurePCn178tj5Xc4DmcENp5TXQHf +XLsTje3ZKgA9jIy86EutQBaYqdumSeOhQ+fVYSxXsT51CeQHO5DnjYAPv4IEOK8F +c+41bVk0FbPF9hoRk5R5MqCJ78rvVm7q8gpGxftWIKMwVc7lSi2IH9GkrUGe6Y/W +lR6EqXDUHWep7rZN59bHXa82HYy98TzydeQtxBIWTSqfL5X2MGwfOkgNcBI9N4gi +Gj37Ng9lCWLgTfN/bs7chHKo8GrEmzxmSwP7ly+8fEGSvOQOwQ8ITmXN7rrnlTA8 +L0T/1qNNAoGBAOrunMHaZZ6moFU86aBhEJcxth3n10YpXl7AjwrvuquWYa76Hczp +PVs+f4uUYHG4lHwxLtvMVAw89MxRQnLB860l85qkwotoA5s8HIkhANLC/PbY/uHc +rEtrMQEV9z2vtcpFvxHlxut3a8hKONRaXJGJpnOYxKn5vnm3xoVQ/nU7AoGBAM6Z +nqIkYbWOySKbiWy7lKy7jIXlaiNn+vM7hQ5OS60mzDY0Z+yqV2u8y4VeufhiFQd+ +PSXpvosmKGBO4SB3HfE67y4JUFd3Nli6T0884QqsAeL1RIC/H+YK0DAUXLl6/oBL +LKCRt9c99rCnk/8CxqLzYuRPmpSbf2hvgj9c1QBrAoGBALUmhI0dwBnTVfIj4+mc +rtRGqqzopiAdqfzZ8fJ247OHY48uoWftuTfwOxz/rlZCA4y3x/AH4A8HuaMKTXh7 +gU/T4cEupiwkahN7CG3cmuvpGnGk5PR32grVfpXdwCU6paxwl2JPkVDjZqKsSKHF +g3ddcpHUDGEch/kG8fa+e1cdAoGAeaVCHj5Fud1E2Le0Bu278KjNaNlX0VkcDbNx ++KZpMJ6zhwb8WgFCUBFt1C2eWn2F3E+cOYKTyuLAy1QmgjMg0jTdN8IMKDPtL/kj +UYiLCPmWcsfvec8PPSgIxQZ4Qk4FJA0fTbv+/yFg60sAfRppUvDzvXKRlgao0hk2 +G5DRadkCgYAvPYH5NCk/jOa5Mv/6VfUPPaIhzHwADBv9ZXxg8jxw23zwxmozOUHa +v8sZF60s/4Kfd8NKnRPWlFPuvBqEkMQhfbJmP9lUmZkqxnYsXBV8wlPKIx7XAi+3 +CUBSZqJ6SrVewKc2Dx0on5Tr4OFTscK4NdFlp5PrQzZK9cuEn9rWgA== +-----END RSA PRIVATE KEY----- diff --git a/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem new file mode 100644 index 0000000..2b662ee --- /dev/null 
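Review bot: this hunk commits an RSA private key (`keys/vyos_demo_private_key.pem`) to the repository. Because variables.tf defaults `public_key_path` to the matching public key and the readme's SSH step uses this file, anyone with read access to the repo can log in as `vyos` on every instance deployed with the defaults. Remove the key from the commit (and from history once pushed), add `keys/*.pem` to `.gitignore`, and make the readme's `ssh-keygen` step mandatory instead of optional.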
+++ b/Terraform/AWS/instance-with-basic-configs/keys/vyos_demo_public_key.pem @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9mPxTvrtc7zjCz56eDRu+KrSFS9z6I/arkZz7dc8NYS7dL2xqMGy+0S4vOVmTlBOFHFF+MW4HWH6tYsk3aprC/3vyqlzJKqL0iEd9VYstsiAO4+uGHypeRpn1b8WkuxFHSb6NytwDUR++vxykxK+MekV8ugfoojaZtELTk7J86KPtxzNqHGAFXcbeeKXnc+Q1rmVMO4Fi6vHcreOa+aWwLoO7kxIDl05npBd45PpFNuoltKO9Kgv3+S7UOMbNNLRuCFdaTWXsyQBgbp6AxdCQlCadiXCR6fV3FIKwfkdo+/y+QRmtqR16N9FaCqKX46UeunoPeVahBuiTnxaYcf+p Admin@DESKTOP-R1T9R87 diff --git a/Terraform/AWS/instance-with-basic-configs/main.tf b/Terraform/AWS/instance-with-basic-configs/main.tf new file mode 100644 index 0000000..ddc27ef --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/main.tf @@ -0,0 +1,84 @@ +# EC2 KEY PAIR
 +
 +resource "aws_key_pair" "ec2_key" {
 +  key_name   = "${var.prefix}-${var.key_pair_name}"
 +  public_key = file(var.public_key_path)
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.key_pair_name}"
 +  }
 +}
 +
 +
 +# THE LATEST AMAZON VYOS 1.4 IMAGE
 +
 +data "aws_ami" "vyos" {
 +  most_recent = true
 +  owners      = ["679593333241"]
 +
 +  filter {
 +    name   = "name"
 +    values = ["VyOS 1.4*"]
 +  }
 +
 +  filter {
 +    name   = "virtualization-type"
 +    values = ["hvm"]
 +  }
 +
 +}
 +
 +
 +# VYOS INSTANCE
 +
 +resource "aws_instance" "vyos" {
 +  ami               = data.aws_ami.vyos.id
 +  instance_type     = var.vyos_instance_type
 +  key_name          = "${var.prefix}-${var.key_pair_name}"
 +  availability_zone = var.availability_zone
 +
 +  user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_user_data.tfpl", {}))
 +
 +  depends_on = [
 +    aws_network_interface.vyos_public_nic,
 +    aws_network_interface.vyos_private_nic
 +  ]
 +
 +  network_interface {
 +    network_interface_id = aws_network_interface.vyos_public_nic.id
 +    device_index         = 0
 +  }
 +
 +  network_interface {
 +    network_interface_id = aws_network_interface.vyos_private_nic.id
 +    device_index         = 1
 +  }
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}"
 +  }
 +}
 +
 +# NETWORK INTERFACES
 +
 +resource "aws_network_interface" "vyos_public_nic" {
 +  subnet_id       = aws_subnet.public_subnet.id
 +  security_groups = [aws_security_group.public_sg.id]
 +  private_ips     = [var.vyos_pub_nic_ip_address]
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}-PublicNIC"
 +  }
 +}
 +
 +resource "aws_network_interface" "vyos_private_nic" {
 +  subnet_id       = aws_subnet.private_subnet.id
 +  security_groups = [aws_security_group.private_sg.id]
 +  private_ips     = [var.vyos_priv_nic_address]
 +
 +  source_dest_check = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}-PrivateNIC"
 +  }
 +}
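Review bot: `key_name = "${var.prefix}-${var.key_pair_name}"` in `aws_instance.vyos` re-derives the name instead of referencing `aws_key_pair.ec2_key.key_name`, so Terraform sees no dependency between the instance and the key pair and can try to launch the instance before the key exists; use the attribute reference. The `depends_on` on the two network interfaces is redundant, since both are already referenced from the `network_interface` blocks. The `aws_ami` data source hard-codes `owners` and selects `most_recent` of `VyOS 1.4*`, while the readme tells users to set a `vyos_ami_id` variable that this file never reads; pick one mechanism and document it.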
 diff --git a/Terraform/AWS/instance-with-basic-configs/network.tf b/Terraform/AWS/instance-with-basic-configs/network.tf new file mode 100644 index 0000000..4e2ebc0 --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/network.tf @@ -0,0 +1,84 @@ +# VPC
 +
 +resource "aws_vpc" "vpc" {
 +  cidr_block       = var.vpc_cidr
 +  instance_tenancy = "default"
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}"
 +  }
 +}
 +
 +# PUBLIC SUBNET
 +
 +resource "aws_subnet" "public_subnet" {
 +  vpc_id                  = aws_vpc.vpc.id
 +  cidr_block              = var.public_subnet_cidr
 +  availability_zone       = var.availability_zone
 +  map_public_ip_on_launch = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}-${var.public_subnet_name}"
 +  }
 +
 +  depends_on = [aws_internet_gateway.igw]
 +}
 +
 +# PRIVATE SUBNET
 +
 +resource "aws_subnet" "private_subnet" {
 +  vpc_id                  = aws_vpc.vpc.id
 +  cidr_block              = var.private_subnet_cidr
 +  availability_zone       = var.availability_zone
 +  map_public_ip_on_launch = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}-${var.private_subnet_name}"
 +  }
 +}
 +
 +# INTERNET GATEWAY
 +
 +resource "aws_internet_gateway" "igw" {
 +  vpc_id = aws_vpc.vpc.id
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.igw_name])
 +  }
 +}
 +
 +# ELASTICS IP FOR VYOS
 +
 +resource "aws_eip" "vyos_eip" {
 +  domain     = "vpc"
 +  depends_on = [aws_internet_gateway.igw]
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.vyos_eip_name])
 +  }
 +}
 +
 +resource "aws_eip_association" "vyos_eip_association" {
 +  allocation_id        = aws_eip.vyos_eip.id
 +  network_interface_id = aws_network_interface.vyos_public_nic.id
 +}
 +
 +# PUBLIC ROUTE TABLE
 +
 +resource "aws_route_table" "public_rtb" {
 +  vpc_id = aws_vpc.vpc.id
 +
 +  route {
 +    cidr_block = "0.0.0.0/0"
 +    gateway_id = aws_internet_gateway.igw.id
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.public_rtb_name])
 +  }
 +}
 +
 +resource "aws_route_table_association" "public_rtb_assn" {
 +  subnet_id      = aws_subnet.public_subnet.id
 +  route_table_id = aws_route_table.public_rtb.id
 +}
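Review bot: no route table is created or associated for `aws_subnet.private_subnet`, so it falls back to the VPC main route table, which only carries the local route; hosts in the private subnet therefore have no path through VyOS, and the `source_dest_check = false` on `vyos_private_nic` in main.tf has no effect until a private route table with `0.0.0.0/0` pointing at that ENI is added. `depends_on = [aws_internet_gateway.igw]` on the public subnet is unnecessary (only the route table and the EIP need the IGW). Comment typo: "ELASTICS IP".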
\ No newline at end of file diff --git a/Terraform/AWS/instance-with-basic-configs/output.tf b/Terraform/AWS/instance-with-basic-configs/output.tf new file mode 100644 index 0000000..047d9a7 --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/output.tf @@ -0,0 +1,16 @@ +
 +output "vyos_public_ip" {
 +  value = aws_instance.vyos.public_ip
 +}
 +
 +output "vyos_pub_nic_ip" {
 +  value = aws_network_interface.vyos_public_nic.private_ip
 +}
 +
 +output "vyos_priv_nic_01_ip" {
 +  value = aws_network_interface.vyos_private_nic.private_ip
 +}
 +
 +output "vyos_key_name" {
 +  value = aws_instance.vyos.key_name
 +}
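Review bot: `output "vyos_public_ip"` reads `aws_instance.vyos.public_ip`, but the subnet has `map_public_ip_on_launch = false` and the Elastic IP is attached afterwards through `aws_eip_association` on the ENI, so this attribute is empty or stale at the end of the first apply; output `aws_eip.vyos_eip.public_ip` instead, which is the address the readme's SSH step needs. `vyos_priv_nic_01_ip` carries a `_01` suffix that appears nowhere else; `vyos_priv_nic_ip` would match the variable naming.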
 diff --git a/Terraform/AWS/instance-with-basic-configs/provider.tf b/Terraform/AWS/instance-with-basic-configs/provider.tf new file mode 100644 index 0000000..c6b24ff --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/provider.tf @@ -0,0 +1,22 @@ +# AWS PROVIDER CONFIGURATION
 +
 +terraform {
 +  required_providers {
 +    aws = {
 +      source  = "hashicorp/aws"
 +      version = "~> 5.0"
 +    }
 +  }
 +}
 +
 +provider "aws" {
 +  region = var.aws_region
 +  default_tags {
 +    tags = {
 +      Company     = "VyOS Inc"
 +      Project     = "VyOS-Demo"
 +      Environment = "Lab"
 +      ManagedBy   = "Terraform"
 +    }
 +  }
 +}
\ No newline at end of file diff --git a/Terraform/AWS/instance-with-basic-configs/readme.md b/Terraform/AWS/instance-with-basic-configs/readme.md new file mode 100644 index 0000000..c070d77 --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/readme.md @@ -0,0 +1,119 @@ +# Terraform Project for deploying VyOS on AWS
 +
 +This Terraform project is designed to deploy VyOS instances on AWS. This script deploys a VyOS instance from the AWS Marketplace.
 +
 +## Prerequisites
 +
 +Before applying this module, ensure you have:
 +
 +### AWS Requirements
 +
 +- An active AWS account.
 +- AWS CLI installed. [Installation link](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
 +- Terraform installed. [Installation link](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
 +
 +### Set AWS environment variables
 +
 +- Run the following commands in your terminal to set the AWS environment variables:
 +
 +```sh
 +export AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>"
 +export AWS_SECRET_ACCESS_KEY="<WS_SECRET_ACCESS_KEY>"
 +export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
 +export AWS_DEFAULT_REGION="<AWS_REGION>" # e.g us-east-1
 +```
 +
 +### Fetch AMI ID and Owner ID (Required for main.tf)
 +First, you must subscribe to VyOS in the AWS Marketplace.
 +Then, use the following AWS CLI command to find the correct AMI ID, Owner ID, and ensure you're querying the correct region (e.g., `us-east-1`):
 +
 +```sh
 +aws ec2 describe-images \
 +  --owners aws-marketplace \
 +  --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" \
 +  --query 'Images[*].[ImageId,OwnerId,Name]' \
 +  --output table
 +```
 +Alternatively, you can hardcode the latest AMI ID for your region in `variables.tf` adding the `vyos_ami_id` variable.
 +
 +### Generate SSH keypair
 +
 +A demo SSH keypair is included in the `keys/` folder.
 +
 +To generate a new key (optional):
 +
 +```sh
 +ssh-keygen -b 2048 -t rsa -m PEM -f keys/vyos_custom_key.pem
 +```
 +
 +## Project Structure
 +
 +```
 +.
 +├── files/                      # VyOS user-data
 +├── keys/                       # Pre-generated SSH keys
 +├── network.tf                  # Network setup
 +├── provider.tf                 # Provider configuration
 +├── security_groups.tf          # Security group configurations
 +├── variables.tf                # Input variables for customization
 +├── vyos_instance.tf            # VyOS virtual machine deployment (AWS)
 +└── README.md                   # Documentation
 +```
 +
 +## Usage
 +
 +### Setup Variables
 +
 +All variables needed for customization are defined in `variables.tf`. Adjust them according to your requirements, such as EC2 instance type and networking configurations. Before deployment, ensure you check `aws_region`, `availability_zone`, and update `vyos_ami_id` as necessary.
 +
 +## How to Run the Module
 +
 +Follow these steps to initialize, plan, apply, and manage your infrastructure with Terraform:
 +
 +1. **Initialize the Module**
 +   ```sh
 +   terraform init
 +   ```
 +
 +2. **Format the Terraform Code**
 +   ```sh
 +   terraform fmt
 +   ```
 +
 +3. **Validate Configuration**
 +   ```sh
 +   terraform validate
 +   ```
 +
 +4. **Preview Infrastructure Changes Before Deployment**
 +   ```sh
 +   terraform plan
 +   ```
 +
 +5. **Apply the Configuration**
 +   ```sh
 +   terraform apply
 +   ```
 +   Confirm the execution when prompted to provision the infrastructure.
 +
 +6. **View Outputs**
 +   ```sh
 +   terraform output
 +   ```
 +   This will display the management IP and test results for the VyOS instance.
 +
 +## Management
 +
 +To manage the VyOS instance, use the `vyos_public_ip` from `terraform output`:
 +```sh
 +ssh vyos@<vyos_public_ip> -i keys/vyos_demo_private_key.pem
 +```
 +
 +## Destroying Resources
 +
 +To clean up the deployed infrastructure:
 +```sh
 +terraform destroy
 +```
 +Confirm the execution when prompted to remove all provisioned resources.
 +
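Review bot: the readme disagrees with the code in several places: it tells users to add a `vyos_ami_id` variable that neither main.tf nor variables.tf uses (the AMI comes from the `aws_ami` data source); the Project Structure lists `vyos_instance.tf` and `README.md` while the commit adds `main.tf`, `output.tf` and `readme.md` and omits `output.tf`; step 6 promises "test results" that no output produces. The placeholder `<WS_SECRET_ACCESS_KEY>` is missing its leading `A`, and the Management section should reference a freshly generated key rather than the committed demo key.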
 diff --git a/Terraform/AWS/instance-with-basic-configs/security_groups.tf b/Terraform/AWS/instance-with-basic-configs/security_groups.tf new file mode 100644 index 0000000..d8653ae --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/security_groups.tf @@ -0,0 +1,111 @@ +# SECURITY GROUP FOR PUBLIC RESOURCES
 +
 +resource "aws_security_group" "public_sg" {
 +  name        = join("-", [var.prefix, var.public_sg_name])
 +  description = "Security Group for public resources"
 +  vpc_id      = aws_vpc.vpc.id
 +
 +  # Allow SSH Traffic
 +  ingress {
 +    description = "Allow SSH"
 +    from_port   = 22
 +    to_port     = 22
 +    protocol    = "tcp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow Wireguard Traffic
 +  ingress {
 +    description = "Allow Wireguard"
 +    from_port   = 51820
 +    to_port     = 51820
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow OpenVPN Traffic
 +  ingress {
 +    description = "Allow OpenVPN"
 +    from_port   = 1194
 +    to_port     = 1194
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow ESP Traffic
 +  ingress {
 +    description = "Allow ESP"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "50"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow IKE Traffic
 +  ingress {
 +    description = "Allow IKE"
 +    from_port   = 500
 +    to_port     = 500
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow IPSEC Traffic
 +  ingress {
 +    description = "Allow IPSEC"
 +    from_port   = 1701
 +    to_port     = 1701
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow NAT Traversal
 +  ingress {
 +    description = "Allow NAT Traversal"
 +    from_port   = 4500
 +    to_port     = 4500
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow all outbound traffic
 +  egress {
 +    description = "Allow all outbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.public_sg_name])
 +  }
 +}
 +
 +# SECURITY GROUP FOR PRIVATE RESOURCES
 +
 +resource "aws_security_group" "private_sg" {
 +  name        = join("-", [var.prefix, var.private_sg_name])
 +  description = "Security Group for private resources"
 +  vpc_id      = aws_vpc.vpc.id
 +
 +  ingress {
 +    description = "Allow all inbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  egress {
 +    description = "Allow all outbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.private_sg_name])
 +  }
 +}
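Review bot: `public_sg` opens SSH (22/tcp) to `0.0.0.0/0`; make the source a variable (a management CIDR) so only the operator can reach the control plane, especially since this project's user-data carries none of the SSH rate-limit firewall rules the CloudFormation template has. The rule labelled "Allow IPSEC" on `1701/udp` is L2TP, not IPsec (IPsec is already covered by ESP/50, 500/udp and 4500/udp); drop or relabel it. The WireGuard and OpenVPN openings have no matching configuration in `files/vyos_user_data.tfpl` and should go until they do. `private_sg` allows all inbound from `0.0.0.0/0`; the ENI sits in a private subnet, but scope it to `var.vpc_cidr` so it stays correct if that subnet ever becomes reachable.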
\ No newline at end of file diff --git a/Terraform/AWS/instance-with-basic-configs/variables.tf b/Terraform/AWS/instance-with-basic-configs/variables.tf new file mode 100644 index 0000000..3493252 --- /dev/null +++ b/Terraform/AWS/instance-with-basic-configs/variables.tf @@ -0,0 +1,116 @@ +variable "aws_region" {
 +  description = "AWS Region"
 +  type        = string
 +  default     = "us-east-1"
 +}
 +
 +variable "availability_zone" {
 +  description = "AWS Availability Zone"
 +  type        = string
 +  default     = "us-east-1a"
 +}
 +
 +variable "prefix" {
 +  type        = string
 +  description = "Prefix for the resource names and Name tags"
 +  default     = "demo"
 +}
 +
 +variable "key_pair_name" {
 +  description = "SSH key pair name"
 +  type        = string
 +  default     = "vyos-demo-key"
 +}
 +
 +variable "private_key_path" {
 +  description = "Path to the private key file"
 +  default     = "keys/vyos_demo_private_key.pem"
 +}
 +
 +variable "public_key_path" {
 +  description = "Path to the private key file"
 +  default     = "keys/vyos_demo_public_key.pem"
 +}
 +
 +variable "vpc_name" {
 +  description = "Name for VPC"
 +  default     = "test-vpc"
 +}
 +
 +variable "public_subnet_name" {
 +  description = "The name of the public subnet"
 +  type        = string
 +  default     = "pub-subnet"
 +}
 +
 +variable "private_subnet_name" {
 +  description = "The name of the private subnet 01"
 +  type        = string
 +  default     = "priv-subnet"
 +}
 +
 +variable "vpc_cidr" {
 +  description = "CIDR block for VPC"
 +  type        = string
 +  default     = "172.16.0.0/16"
 +}
 +
 +variable "public_subnet_cidr" {
 +  description = "CIDR block for public subnet"
 +  default     = "172.16.1.0/24"
 +}
 +
 +variable "private_subnet_cidr" {
 +  description = "CIDR block for private subnet"
 +  type        = string
 +  default     = "172.16.11.0/24"
 +}
 +
 +variable "vyos_pub_nic_ip_address" {
 +  description = "VyOS Instance Public address"
 +  type        = string
 +  default     = "172.16.1.11"
 +}
 +
 +variable "vyos_priv_nic_address" {
 +  description = "VyOS Instance Private NIC address"
 +  type        = string
 +  default     = "172.16.11.11"
 +}
 +
 +variable "vyos_instance_type" {
 +  description = "The type of the VyOS Instance"
 +  type        = string
 +  default     = "c5n.xlarge"
 +}
 +
 +variable "vyos_instance_name" {
 +  type    = string
 +  default = "VyOS"
 +}
 +
 +variable "igw_name" {
 +  type    = string
 +  default = "igw"
 +}
 +
 +variable "vyos_eip_name" {
 +  type    = string
 +  default = "vyos"
 +}
 +
 +variable "public_rtb_name" {
 +  type    = string
 +  default = "public-rtb"
 +
 +}
 +
 +variable "public_sg_name" {
 +  type    = string
 +  default = "public-sg"
 +}
 +
 +variable "private_sg_name" {
 +  type    = string
 +  default = "private-sg"
 +}
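Review bot: `public_key_path` is described as "Path to the private key file" (copied from the variable above); `private_key_path` is declared but referenced nowhere in main.tf, network.tf or output.tf; `vpc_name`, `public_subnet_cidr`, `private_key_path` and `public_key_path` lack the `type = string` the other variables have. The `vyos_ami_id` variable the readme refers to is absent.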
 diff --git a/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt b/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt new file mode 100644 index 0000000..6c52bcb --- /dev/null +++ b/Terraform/AWS/instance-with-configs/files/on-prem-vyos-config.txt @@ -0,0 +1,55 @@ +set system host-name 'VyOS-for-DEMO-On-Prem'
 +set system login banner pre-login 'Welcome to the VyOS for DEMO on On-Prem'
 +set interfaces ethernet eth0 description 'WAN'
 +set interfaces ethernet eth1 description 'LAN'
 +set interfaces ethernet eth1 dhcp-options no-default-route
 +set system name-server '<DNS>'
 +set service dns forwarding name-server '<DNS>'
 +set service dns forwarding listen-address '<VYOS_PRIV_IP>'
 +set service dns forwarding allow-from '<VYOS_CIDR>'
 +set service dns forwarding no-serve-rfc1918
 +set nat source rule 10 outbound-interface name 'eth0'
 +set nat source rule 10 source address '<VYOS_CIDR>'
 +set nat source rule 10 translation address 'masquerade'
 +set vpn ipsec interface 'eth0'
 +set vpn ipsec esp-group AWS lifetime '3600'
 +set vpn ipsec esp-group AWS mode 'tunnel'
 +set vpn ipsec esp-group AWS pfs 'dh-group2'
 +set vpn ipsec esp-group AWS proposal 1 encryption 'aes256'
 +set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
 +set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
 +set vpn ipsec ike-group AWS dead-peer-detection interval '15'
 +set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
 +set vpn ipsec ike-group AWS ikev2-reauth
 +set vpn ipsec ike-group AWS key-exchange 'ikev2'
 +set vpn ipsec ike-group AWS lifetime '28800'
 +set vpn ipsec ike-group AWS proposal 1 dh-group '2'
 +set vpn ipsec ike-group AWS proposal 1 encryption 'aes256'
 +set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
 +set vpn ipsec ike-group AWS close-action start
 +set vpn ipsec option disable-route-autoinstall
 +set interfaces vti vti1 address '10.2.100.11/32'
 +set interfaces vti vti1 description 'Tunnel for VyOS in AWS'
 +set interfaces vti vti1 ip adjust-mss '1350'
 +set protocols static route 10.1.100.11/32 interface vti1
 +set vpn ipsec authentication psk VyOS id '<VYOS_AWS_PUB_IP>'
 +set vpn ipsec authentication psk VyOS id '<VYOS_PUB_IP>'
 +set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
 +set vpn ipsec site-to-site peer AWS authentication local-id '<VYOS_PUB_IP>'
 +set vpn ipsec site-to-site peer AWS authentication mode 'pre-shared-secret'
 +set vpn ipsec site-to-site peer AWS authentication remote-id '<VYOS_AWS_PUB_IP>'
 +set vpn ipsec site-to-site peer AWS connection-type 'initiate'
 +set vpn ipsec site-to-site peer AWS description 'AWS TUNNEL to VyOS on NET 02'
 +set vpn ipsec site-to-site peer AWS ike-group 'AWS'
 +set vpn ipsec site-to-site peer AWS ikev2-reauth 'inherit'
 +set vpn ipsec site-to-site peer AWS local-address '<VYOS_PUB_IP>'
 +set vpn ipsec site-to-site peer AWS remote-address '<VYOS_AWS_PUB_IP>'
 +set vpn ipsec site-to-site peer AWS vti bind 'vti1'
 +set vpn ipsec site-to-site peer AWS vti esp-group 'AWS'
 +set protocols bgp system-as '<VYOS_BGP_AS_NUMBER>'
 +set protocols bgp address-family ipv4-unicast network <VYOS_CIDR>
 +set protocols bgp neighbor 10.1.100.11 remote-as '<VYOS_AWS_BGP_AS_NUMBER>'
 +set protocols bgp neighbor 10.1.100.11 address-family ipv4-unicast soft-reconfiguration inbound
 +set protocols bgp neighbor 10.1.100.11 timers holdtime '30'
 +set protocols bgp neighbor 10.1.100.11 timers keepalive '10'
 +set protocols bgp neighbor 10.1.100.11 disable-connected-check
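Review bot: the pre-shared key `ch00s3-4-s3cur3-psk` is a working literal committed to the repo and repeated in the AWS user-data template; make it a placeholder like the other `<...>` values so it cannot be deployed by accident. The IKE and ESP proposals use `dh-group '2'`/`pfs 'dh-group2'` (1024-bit MODP) with `hash 'sha1'`; between two VyOS 1.4 peers on IKEv2 there is no reason not to use at least dh-group14 and sha256 on both sides. `set protocols bgp address-family ipv4-unicast network <VYOS_CIDR>` is the only unquoted value in the file.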
 diff --git a/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl b/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl new file mode 100644 index 0000000..7240a2c --- /dev/null +++ b/Terraform/AWS/instance-with-configs/files/vyos_user_data.tfpl @@ -0,0 +1,57 @@ +#cloud-config
 +vyos_config_commands:
 +    - set system host-name 'VyOS-for-DEMO-AWS'
 +    - set system login banner pre-login 'Welcome to the VyOS for DEMO on AWS'
 +    - set interfaces ethernet eth0 description 'WAN'
 +    - set interfaces ethernet eth1 description 'LAN'
 +    - set interfaces ethernet eth1 dhcp-options no-default-route
 +    - set system name-server '${dns_1}'
 +    - set service dns forwarding name-server '${dns_1}'
 +    - set service dns forwarding listen-address '${vyos_priv_nic_ip}'
 +    - set service dns forwarding allow-from '${private_subnet_cidr}'
 +    - set service dns forwarding no-serve-rfc1918
 +    - set nat source rule 10 outbound-interface name 'eth0'
 +    - set nat source rule 10 source address '${private_subnet_cidr}'
 +    - set nat source rule 10 translation address 'masquerade'
 +    - set vpn ipsec interface 'eth0'
 +    - set vpn ipsec esp-group ON-PREM lifetime '3600'
 +    - set vpn ipsec esp-group ON-PREM mode 'tunnel'
 +    - set vpn ipsec esp-group ON-PREM pfs 'dh-group2'
 +    - set vpn ipsec esp-group ON-PREM proposal 1 encryption 'aes256'
 +    - set vpn ipsec esp-group ON-PREM proposal 1 hash 'sha1'
 +    - set vpn ipsec ike-group ON-PREM dead-peer-detection action 'restart'
 +    - set vpn ipsec ike-group ON-PREM dead-peer-detection interval '15'
 +    - set vpn ipsec ike-group ON-PREM dead-peer-detection timeout '30'
 +    - set vpn ipsec ike-group ON-PREM ikev2-reauth
 +    - set vpn ipsec ike-group ON-PREM key-exchange 'ikev2'
 +    - set vpn ipsec ike-group ON-PREM lifetime '28800'
 +    - set vpn ipsec ike-group ON-PREM proposal 1 dh-group '2'
 +    - set vpn ipsec ike-group ON-PREM proposal 1 encryption 'aes256'
 +    - set vpn ipsec ike-group ON-PREM proposal 1 hash 'sha1'
 +    - set vpn ipsec ike-group ON-PREM close-action start
 +    - set vpn ipsec option disable-route-autoinstall
 +    - set interfaces vti vti1 address '10.1.100.11/32'
 +    - set interfaces vti vti1 description 'Tunnel for VyOS in ON-PREM'
 +    - set interfaces vti vti1 ip adjust-mss '1350'
 +    - set protocols static route 10.2.100.11/32 interface vti1
 +    - set vpn ipsec authentication psk VyOS id '${vyos_public_ip_address}'
 +    - set vpn ipsec authentication psk VyOS id '${on_prem_public_ip_address}'
 +    - set vpn ipsec authentication psk VyOS secret 'ch00s3-4-s3cur3-psk'
 +    - set vpn ipsec site-to-site peer ON-PREM authentication local-id '${vyos_public_ip_address}'
 +    - set vpn ipsec site-to-site peer ON-PREM authentication mode 'pre-shared-secret'
 +    - set vpn ipsec site-to-site peer ON-PREM authentication remote-id '${on_prem_public_ip_address}'
 +    - set vpn ipsec site-to-site peer ON-PREM connection-type 'none'
 +    - set vpn ipsec site-to-site peer ON-PREM description 'ON-PREM TUNNEL to VyOS on NET 02'
 +    - set vpn ipsec site-to-site peer ON-PREM ike-group 'ON-PREM'
 +    - set vpn ipsec site-to-site peer ON-PREM ikev2-reauth 'inherit'
 +    - set vpn ipsec site-to-site peer ON-PREM local-address '${vyos_pub_nic_ip}'
 +    - set vpn ipsec site-to-site peer ON-PREM remote-address '${on_prem_public_ip_address}'
 +    - set vpn ipsec site-to-site peer ON-PREM vti bind 'vti1'
 +    - set vpn ipsec site-to-site peer ON-PREM vti esp-group 'ON-PREM'
 +    - set protocols bgp system-as '${vyos_bgp_as_number}'
 +    - set protocols bgp address-family ipv4-unicast network ${private_subnet_cidr}
 +    - set protocols bgp neighbor 10.2.100.11 remote-as '${on_prem_bgp_as_number}'
 +    - set protocols bgp neighbor 10.2.100.11 address-family ipv4-unicast soft-reconfiguration inbound
 +    - set protocols bgp neighbor 10.2.100.11 timers holdtime '30'
 +    - set protocols bgp neighbor 10.2.100.11 timers keepalive '10'
 +    - set protocols bgp neighbor 10.2.100.11 disable-connected-check
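Review bot: the same PSK literal as the on-prem file is embedded here; since this file is rendered by `templatefile`, pass the secret as a `sensitive = true` variable (e.g. `${ipsec_psk}`) instead, and note that user-data remains readable through the instance metadata service and `ec2:DescribeInstanceAttribute` regardless, so rotating the PSK after first boot is the sound practice. As in the basic project, this user-data has no `firewall ipv4 input filter` rules, so with `private_sg` allowing all inbound the DNS forwarder on `listen-address '${vyos_priv_nic_ip}'` is guarded only by `allow-from`. The pairing of `local-address '${vyos_pub_nic_ip}'` with `local-id '${vyos_public_ip_address}'` is correct for an EIP behind 1:1 NAT.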
 diff --git a/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem b/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem new file mode 100644 index 0000000..4c8d388 --- /dev/null +++ b/Terraform/AWS/instance-with-configs/keys/vyos_demo_private_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvZj8U767XO84ws+eng0bviq0hUvc+iP2q5Gc+3XPDWEu3S9s +ajBsvtEuLzlZk5QThRxRfjFuB1h+rWLJN2qawv978qpcySqi9IhHfVWLLbIgDuPr +hh8qXkaZ9W/FpLsRR0m+jcrcA1Efvr8cpMSvjHpFfLoH6KI2mbRC05OyfOij7ccz +ahxgBV3G3nil53PkNa5lTDuBYurx3K3jmvmlsC6Du5MSA5dOZ6QXeOT6RTbqJbSj +vSoL9/ku1DjGzTS0bghXWk1l7MkAYG6egMXQkJQmnYlwken1dxSCsH5HaPv8vkEZ +rakdejfRWgqil+OlHrp6D3lWoQbok58WmHH/qQIDAQABAoIBAQCJQH2x1kpmnZr2 +lDxcaFrkEKA8Os4OmwhP7Yq6Eu+/3NGDN3iBaurePCn178tj5Xc4DmcENp5TXQHf +XLsTje3ZKgA9jIy86EutQBaYqdumSeOhQ+fVYSxXsT51CeQHO5DnjYAPv4IEOK8F +c+41bVk0FbPF9hoRk5R5MqCJ78rvVm7q8gpGxftWIKMwVc7lSi2IH9GkrUGe6Y/W +lR6EqXDUHWep7rZN59bHXa82HYy98TzydeQtxBIWTSqfL5X2MGwfOkgNcBI9N4gi +Gj37Ng9lCWLgTfN/bs7chHKo8GrEmzxmSwP7ly+8fEGSvOQOwQ8ITmXN7rrnlTA8 +L0T/1qNNAoGBAOrunMHaZZ6moFU86aBhEJcxth3n10YpXl7AjwrvuquWYa76Hczp +PVs+f4uUYHG4lHwxLtvMVAw89MxRQnLB860l85qkwotoA5s8HIkhANLC/PbY/uHc +rEtrMQEV9z2vtcpFvxHlxut3a8hKONRaXJGJpnOYxKn5vnm3xoVQ/nU7AoGBAM6Z +nqIkYbWOySKbiWy7lKy7jIXlaiNn+vM7hQ5OS60mzDY0Z+yqV2u8y4VeufhiFQd+ +PSXpvosmKGBO4SB3HfE67y4JUFd3Nli6T0884QqsAeL1RIC/H+YK0DAUXLl6/oBL +LKCRt9c99rCnk/8CxqLzYuRPmpSbf2hvgj9c1QBrAoGBALUmhI0dwBnTVfIj4+mc +rtRGqqzopiAdqfzZ8fJ247OHY48uoWftuTfwOxz/rlZCA4y3x/AH4A8HuaMKTXh7 +gU/T4cEupiwkahN7CG3cmuvpGnGk5PR32grVfpXdwCU6paxwl2JPkVDjZqKsSKHF +g3ddcpHUDGEch/kG8fa+e1cdAoGAeaVCHj5Fud1E2Le0Bu278KjNaNlX0VkcDbNx ++KZpMJ6zhwb8WgFCUBFt1C2eWn2F3E+cOYKTyuLAy1QmgjMg0jTdN8IMKDPtL/kj +UYiLCPmWcsfvec8PPSgIxQZ4Qk4FJA0fTbv+/yFg60sAfRppUvDzvXKRlgao0hk2 +G5DRadkCgYAvPYH5NCk/jOa5Mv/6VfUPPaIhzHwADBv9ZXxg8jxw23zwxmozOUHa +v8sZF60s/4Kfd8NKnRPWlFPuvBqEkMQhfbJmP9lUmZkqxnYsXBV8wlPKIx7XAi+3 +CUBSZqJ6SrVewKc2Dx0on5Tr4OFTscK4NdFlp5PrQzZK9cuEn9rWgA== +-----END RSA PRIVATE KEY----- diff --git a/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem b/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem new file mode 100644 index 0000000..2b662ee --- /dev/null +++ b/Terraform/AWS/instance-with-configs/keys/vyos_demo_public_key.pem 
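Review bot: the same private key (blob `4c8d388`) is committed a second time here; see the note on the first copy under `instance-with-basic-configs/keys/`. Both copies should be removed before merge.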
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9mPxTvrtc7zjCz56eDRu+KrSFS9z6I/arkZz7dc8NYS7dL2xqMGy+0S4vOVmTlBOFHFF+MW4HWH6tYsk3aprC/3vyqlzJKqL0iEd9VYstsiAO4+uGHypeRpn1b8WkuxFHSb6NytwDUR++vxykxK+MekV8ugfoojaZtELTk7J86KPtxzNqHGAFXcbeeKXnc+Q1rmVMO4Fi6vHcreOa+aWwLoO7kxIDl05npBd45PpFNuoltKO9Kgv3+S7UOMbNNLRuCFdaTWXsyQBgbp6AxdCQlCadiXCR6fV3FIKwfkdo+/y+QRmtqR16N9FaCqKX46UeunoPeVahBuiTnxaYcf+p Admin@DESKTOP-R1T9R87 diff --git a/Terraform/AWS/instance-with-configs/main.tf b/Terraform/AWS/instance-with-configs/main.tf new file mode 100644 index 0000000..0d58e17 --- /dev/null +++ b/Terraform/AWS/instance-with-configs/main.tf @@ -0,0 +1,91 @@ +# EC2 KEY PAIR
 +
 +resource "aws_key_pair" "ec2_key" {
 +  key_name   = "${var.prefix}-${var.key_pair_name}"
 +  public_key = file(var.public_key_path)
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.key_pair_name}"
 +  }
 +}
 +
 +# THE LATEST AMAZON VYOS 1.4 IMAGE
 +
 +data "aws_ami" "vyos" {
 +  most_recent = true
 +  owners      = ["679593333241"]
 +
 +  filter {
 +    name   = "name"
 +    values = ["VyOS 1.4*"]
 +  }
 +
 +  filter {
 +    name   = "virtualization-type"
 +    values = ["hvm"]
 +  }
 +
 +}
 +
 +# VYOS INSTANCE
 +
 +resource "aws_instance" "vyos" {
 +  ami               = data.aws_ami.vyos.id
 +  instance_type     = var.vyos_instance_type
 +  key_name          = "${var.prefix}-${var.key_pair_name}"
 +  availability_zone = var.availability_zone
 +
 +  user_data_base64 = base64encode(templatefile("${path.module}/files/vyos_user_data.tfpl", {
 +    private_subnet_cidr       = var.private_subnet_cidr,
 +    vyos_public_ip_address    = aws_eip.vyos_eip.public_ip,
 +    vyos_pub_nic_ip           = aws_network_interface.vyos_public_nic.private_ip,
 +    vyos_priv_nic_ip          = aws_network_interface.vyos_private_nic.private_ip,
 +    vyos_bgp_as_number        = var.vyos_bgp_as_number,
 +    dns_1                     = var.dns,
 +    on_prem_public_ip_address = var.on_prem_public_ip_address,
 +    on_prem_bgp_as_number     = var.on_prem_bgp_as_number
 +  }))
 +
 +  depends_on = [
 +    aws_network_interface.vyos_public_nic,
 +    aws_network_interface.vyos_private_nic
 +  ]
 +
 +  network_interface {
 +    network_interface_id = aws_network_interface.vyos_public_nic.id
 +    device_index         = 0
 +  }
 +
 +  network_interface {
 +    network_interface_id = aws_network_interface.vyos_private_nic.id
 +    device_index         = 1
 +  }
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}"
 +  }
 +}
 +
 +# NETWORK INTERFACES
 +
 +resource "aws_network_interface" "vyos_public_nic" {
 +  subnet_id       = aws_subnet.public_subnet.id
 +  security_groups = [aws_security_group.public_sg.id]
 +  private_ips     = [var.vyos_pub_nic_ip_address]
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}-PublicNIC"
 +  }
 +}
 +
 +resource "aws_network_interface" "vyos_private_nic" {
 +  subnet_id       = aws_subnet.private_subnet.id
 +  security_groups = [aws_security_group.private_sg.id]
 +  private_ips     = [var.vyos_priv_nic_address]
 +
 +  source_dest_check = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vyos_instance_name}-PrivateNIC"
 +  }
 +}
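Review bot: the AMI lookup in `data "aws_ami" "vyos"` combines `most_recent = true` with the wildcard `values = ["VyOS 1.4*"]`, so every `terraform plan` can resolve to a different image, and a new Marketplace build of 1.4 forces a replacement of the router; for a reproducible and reviewable deployment pin the image, for example by adding the `vyos_ami_id` variable the readme already refers to and selecting `var.vyos_ami_id != "" ? var.vyos_ami_id : data.aws_ami.vyos.id`. Two smaller points in the same hunk: `key_name = "${var.prefix}-${var.key_pair_name}"` in `aws_instance.vyos` rebuilds the string used by the `aws_key_pair` resource instead of referencing its `key_name` attribute, so Terraform has no dependency edge between the two, and the `depends_on` on the two network interfaces is redundant because `network_interface_id` already references them.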
 diff --git a/Terraform/AWS/instance-with-configs/network.tf b/Terraform/AWS/instance-with-configs/network.tf new file mode 100644 index 0000000..b3513f6 --- /dev/null +++ b/Terraform/AWS/instance-with-configs/network.tf @@ -0,0 +1,86 @@ +# VPC
 +
 +resource "aws_vpc" "vpc" {
 +  cidr_block       = var.vpc_cidr
 +  instance_tenancy = "default"
 +  # enable_dns_support   = true # DNS resolution within VPC
 +  # enable_dns_hostnames = true # Public DNS hostnames
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}"
 +  }
 +}
 +
 +# PUBLIC SUBNET
 +
 +resource "aws_subnet" "public_subnet" {
 +  vpc_id                  = aws_vpc.vpc.id
 +  cidr_block              = var.public_subnet_cidr
 +  availability_zone       = var.availability_zone
 +  map_public_ip_on_launch = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}-${var.public_subnet_name}"
 +  }
 +
 +  depends_on = [aws_internet_gateway.igw]
 +}
 +
 +# PRIVATE SUBNET
 +
 +resource "aws_subnet" "private_subnet" {
 +  vpc_id                  = aws_vpc.vpc.id
 +  cidr_block              = var.private_subnet_cidr
 +  availability_zone       = var.availability_zone
 +  map_public_ip_on_launch = false
 +
 +  tags = {
 +    Name = "${var.prefix}-${var.vpc_name}-${var.private_subnet_name}"
 +  }
 +}
 +
 +# INTERNET GATEWAY
 +
 +resource "aws_internet_gateway" "igw" {
 +  vpc_id = aws_vpc.vpc.id
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.igw_name])
 +  }
 +}
 +
 +# ELASTICS IP FOR VYOS
 +
 +resource "aws_eip" "vyos_eip" {
 +  domain     = "vpc"
 +  depends_on = [aws_internet_gateway.igw]
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.vyos_eip_name])
 +  }
 +}
 +
 +resource "aws_eip_association" "vyos_eip_association" {
 +  allocation_id        = aws_eip.vyos_eip.id
 +  network_interface_id = aws_network_interface.vyos_public_nic.id
 +}
 +
 +# PUBLIC ROUTE TABLE
 +
 +resource "aws_route_table" "public_rtb" {
 +  vpc_id = aws_vpc.vpc.id
 +
 +  route {
 +    cidr_block = "0.0.0.0/0"
 +    gateway_id = aws_internet_gateway.igw.id
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.public_rtb_name])
 +  }
 +}
 +
 +resource "aws_route_table_association" "public_rtb_assn" {
 +  subnet_id      = aws_subnet.public_subnet.id
 +  route_table_id = aws_route_table.public_rtb.id
 +}
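Review bot: the private subnet gets no route table of its own, so it falls back to the VPC main route table, which carries only the local route; nothing in `aws_subnet.private_subnet` can reach the on-prem prefixes or the internet through VyOS. Add an `aws_route_table` for the private subnet with a default (or on-prem) route whose `network_interface_id = aws_network_interface.vyos_private_nic.id`, which is the reason `source_dest_check = false` is set on that NIC, plus an `aws_route_table_association` for `aws_subnet.private_subnet`. Minor: the `depends_on = [aws_internet_gateway.igw]` on the public subnet is unnecessary, as a subnet does not depend on the gateway, and the commented-out `enable_dns_support` / `enable_dns_hostnames` lines should be either enabled or removed rather than left as dead configuration.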
\ No newline at end of file diff --git a/Terraform/AWS/instance-with-configs/output.tf b/Terraform/AWS/instance-with-configs/output.tf new file mode 100644 index 0000000..047d9a7 --- /dev/null +++ b/Terraform/AWS/instance-with-configs/output.tf @@ -0,0 +1,16 @@ +
 +output "vyos_public_ip" {
 +  value = aws_instance.vyos.public_ip
 +}
 +
 +output "vyos_pub_nic_ip" {
 +  value = aws_network_interface.vyos_public_nic.private_ip
 +}
 +
 +output "vyos_priv_nic_01_ip" {
 +  value = aws_network_interface.vyos_private_nic.private_ip
 +}
 +
 +output "vyos_key_name" {
 +  value = aws_instance.vyos.key_name
 +}
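Review bot: `output "vyos_public_ip"` reads `aws_instance.vyos.public_ip`, but the address is attached through `aws_eip_association.vyos_eip_association` on the public ENI, which is not a dependency of `aws_instance.vyos`; on a fresh apply the instance attribute is empty until the next refresh, and the readme's `ssh vyos@<vyos_public_ip>` step then has nothing to connect to. Output `aws_eip.vyos_eip.public_ip` instead. Also, `vyos_priv_nic_01_ip` is the only private NIC output, so the `_01` suffix is misleading, and the readme's statement that `terraform output` shows "test results" is not backed by any output defined here.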
 diff --git a/Terraform/AWS/instance-with-configs/provider.tf b/Terraform/AWS/instance-with-configs/provider.tf new file mode 100644 index 0000000..c6b24ff --- /dev/null +++ b/Terraform/AWS/instance-with-configs/provider.tf @@ -0,0 +1,22 @@ +# AWS PROVIDER CONFIGURATION
 +
 +terraform {
 +  required_providers {
 +    aws = {
 +      source  = "hashicorp/aws"
 +      version = "~> 5.0"
 +    }
 +  }
 +}
 +
 +provider "aws" {
 +  region = var.aws_region
 +  default_tags {
 +    tags = {
 +      Company     = "VyOS Inc"
 +      Project     = "VyOS-Demo"
 +      Environment = "Lab"
 +      ManagedBy   = "Terraform"
 +    }
 +  }
 +}
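Review bot: the `terraform` block pins the provider with `version = "~> 5.0"` but sets no `required_version` for Terraform itself; add one so a runner with an older binary fails at `terraform init` rather than part way through an apply. The `default_tags` values `Company`, `Project` and `Environment` are hard-coded; `Environment = "Lab"` in particular would be wrong for any non-lab use of this module and is better exposed as variables next to `prefix`.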
\ No newline at end of file diff --git a/Terraform/AWS/instance-with-configs/readme.md b/Terraform/AWS/instance-with-configs/readme.md new file mode 100644 index 0000000..aca1d58 --- /dev/null +++ b/Terraform/AWS/instance-with-configs/readme.md @@ -0,0 +1,120 @@ +# Terraform Project for deploying VyOS on AWS
 +
 +This Terraform project is designed to deploy VyOS instances on AWS. This script deploys a VyOS instance from the AWS Marketplace.
 +
 +## Prerequisites
 +
 +Before applying this module, ensure you have:
 +
 +### AWS Requirements
 +
 +- An active AWS account.
 +- AWS CLI installed. [Installation link](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
 +- Terraform installed. [Installation link](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
 +
 +### Set AWS environment variables
 +
 +- Run the following commands in your terminal to set the AWS environment variables:
 +
 +```sh
 +export AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>"
 +export AWS_SECRET_ACCESS_KEY="<WS_SECRET_ACCESS_KEY>"
 +export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"
 +export AWS_DEFAULT_REGION="<AWS_REGION>" # e.g us-east-1
 +```
 +
 +### Fetch AMI ID and Owner ID (Required for main.tf)
 +First, you must subscribe to VyOS in the AWS Marketplace.
 +Then, use the following AWS CLI command to find the correct AMI ID, Owner ID, and ensure you're querying the correct region (e.g., `us-east-1`):
 +
 +```sh
 +aws ec2 describe-images \
 +  --owners aws-marketplace \
 +  --filters "Name=product-code,Values=8wqdkv3u2b9sa0y73xob2yl90" \
 +  --query 'Images[*].[ImageId,OwnerId,Name]' \
 +  --output table
 +```
 +Alternatively, you can hardcode the latest AMI ID for your region in `variables.tf` adding the `vyos_ami_id` variable.
 +
 +### Generate SSH keypair
 +
 +A demo SSH keypair is included in the `keys/` folder.
 +
 +To generate a new key (optional):
 +
 +```sh
 +ssh-keygen -b 2048 -t rsa -m PEM -f keys/vyos_custom_key.pem
 +```
 +
 +## Project Structure
 +
 +```
 +.
 +├── files/                      # VyOS user-data
 +├── keys/                       # Pre-generated SSH keys
 +├── network.tf                  # Network setup
 +├── provider.tf                 # Provider configuration
 +├── security_groups.tf          # Security group configurations
 +├── variables.tf                # Input variables for customization
 +├── vyos_instance.tf            # VyOS virtual machine deployment (AWS)
 +└── README.md                   # Documentation
 +```
 +
 +## Usage
 +
 +### Setup Variables
 +
 +All variables needed for customization are defined in `variables.tf`. Adjust them according to your requirements, such as EC2 instance type and networking configurations. Before deployment, ensure you check `aws_region`, `availability_zone`, and update `vyos_ami_id` as necessary.
 +
 +## How to Run the Module
 +
 +Follow these steps to initialize, plan, apply, and manage your infrastructure with Terraform:
 +
 +1. **Initialize the Module**
 +   ```sh
 +   terraform init
 +   ```
 +
 +2. **Format the Terraform Code**
 +   ```sh
 +   terraform fmt
 +   ```
 +
 +3. **Validate Configuration**
 +   ```sh
 +   terraform validate
 +   ```
 +
 +4. **Preview Infrastructure Changes Before Deployment**
 +   ```sh
 +   terraform plan
 +   ```
 +
 +5. **Apply the Configuration**
 +   ```sh
 +   terraform apply
 +   ```
 +   Confirm the execution when prompted to provision the infrastructure.
 +
 +6. **View Outputs**
 +   ```sh
 +   terraform output
 +   ```
 +   This will display the management IP and test results for the VyOS instance.
 +
 +## Management
 +
 +To manage the VyOS instance, use the `vyos_public_ip` from `terraform output`:
 +```sh
 +ssh vyos@<vyos_public_ip> -i keys/vyos_demo_private_key.pem
 +```
 +You can find op-premise (peer) side VyOS configuration reference from: `files/on-prem-vyos-config.txt`
 +
 +## Destroying Resources
 +
 +To clean up the deployed infrastructure:
 +```sh
 +terraform destroy
 +```
 +Confirm the execution when prompted to remove all provisioned resources.
 +
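Review bot: the readme describes a `vyos_ami_id` variable (in "Fetch AMI ID and Owner ID (Required for main.tf)" and "update `vyos_ami_id` as necessary") that does not exist in `variables.tf`, and there is no `main.tf`; the AMI is resolved by the `aws_ami` data source in `vyos_instance.tf`, so either add the variable or rewrite that section to match. The "Generate SSH keypair" step is inconsistent with the variables as well: `ssh-keygen ... -f keys/vyos_custom_key.pem` writes `vyos_custom_key.pem` and `vyos_custom_key.pem.pub`, while `public_key_path` defaults to `keys/vyos_demo_public_key.pem`, so a freshly generated key is not picked up without editing `variables.tf`. Committing a pre-generated private key in `keys/` means everyone who clones the repository holds the SSH credential for the router; remove the key from the commit, have the user generate one, and add `keys/*.pem` to `.gitignore`. Smaller fixes: `<WS_SECRET_ACCESS_KEY>` should read `<AWS_SECRET_ACCESS_KEY>`, "op-premise" should be "on-premise", the project structure omits `output.tf`, and `terraform output` does not emit any "test results".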
 diff --git a/Terraform/AWS/instance-with-configs/security_groups.tf b/Terraform/AWS/instance-with-configs/security_groups.tf new file mode 100644 index 0000000..d8653ae --- /dev/null +++ b/Terraform/AWS/instance-with-configs/security_groups.tf @@ -0,0 +1,111 @@ +# SECURITY GROUP FOR PUBLIC RESOURCES
 +
 +resource "aws_security_group" "public_sg" {
 +  name        = join("-", [var.prefix, var.public_sg_name])
 +  description = "Security Group for public resources"
 +  vpc_id      = aws_vpc.vpc.id
 +
 +  # Allow SSH Traffic
 +  ingress {
 +    description = "Allow SSH"
 +    from_port   = 22
 +    to_port     = 22
 +    protocol    = "tcp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow Wireguard Traffic
 +  ingress {
 +    description = "Allow Wireguard"
 +    from_port   = 51820
 +    to_port     = 51820
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow OpenVPN Traffic
 +  ingress {
 +    description = "Allow OpenVPN"
 +    from_port   = 1194
 +    to_port     = 1194
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow ESP Traffic
 +  ingress {
 +    description = "Allow ESP"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "50"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow IKE Traffic
 +  ingress {
 +    description = "Allow IKE"
 +    from_port   = 500
 +    to_port     = 500
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow IPSEC Traffic
 +  ingress {
 +    description = "Allow IPSEC"
 +    from_port   = 1701
 +    to_port     = 1701
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow NAT Traversal
 +  ingress {
 +    description = "Allow NAT Traversal"
 +    from_port   = 4500
 +    to_port     = 4500
 +    protocol    = "udp"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  # Allow all outbound traffic
 +  egress {
 +    description = "Allow all outbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.public_sg_name])
 +  }
 +}
 +
 +# SECURITY GROUP FOR PRIVATE RESOURCES
 +
 +resource "aws_security_group" "private_sg" {
 +  name        = join("-", [var.prefix, var.private_sg_name])
 +  description = "Security Group for private resources"
 +  vpc_id      = aws_vpc.vpc.id
 +
 +  ingress {
 +    description = "Allow all inbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  egress {
 +    description = "Allow all outbound traffic"
 +    from_port   = 0
 +    to_port     = 0
 +    protocol    = "-1"
 +    cidr_blocks = ["0.0.0.0/0"]
 +  }
 +
 +  tags = {
 +    Name = join("-", [var.prefix, var.private_sg_name])
 +  }
 +}
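Review bot: `aws_security_group.private_sg` allows every protocol from `cidr_blocks = ["0.0.0.0/0"]` on ingress; that ENI sits in the private subnet and should only receive traffic from VPC workloads, so limit the rule to `var.vpc_cidr` (or `var.private_subnet_cidr`). In `public_sg` the SSH rule exposes port 22 to the whole internet; introduce an `admin_cidr` variable and use it there, and scope the IKE, NAT-T and ESP rules to the known peer with `cidr_blocks = ["${var.on_prem_public_ip_address}/32"]`, since the tunnel only ever terminates from that address. If the user-data template does not configure WireGuard or OpenVPN, drop the `51820/udp` and `1194/udp` rules rather than leaving unused listeners reachable. The rule labelled "Allow IPSEC" on `udp/1701` is L2TP, not IPsec; rename the description or remove the rule if L2TP is not configured.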
\ No newline at end of file diff --git a/Terraform/AWS/instance-with-configs/variables.tf b/Terraform/AWS/instance-with-configs/variables.tf new file mode 100644 index 0000000..3ab7d09 --- /dev/null +++ b/Terraform/AWS/instance-with-configs/variables.tf @@ -0,0 +1,134 @@ +variable "aws_region" {
 +  description = "AWS Region"
 +  type        = string
 +  default     = "us-east-1"
 +}
 +
 +variable "availability_zone" {
 +  description = "AWS Availability Zone"
 +  type        = string
 +  default     = "us-east-1a"
 +}
 +
 +variable "prefix" {
 +  type        = string
 +  description = "Prefix for the resource names and Name tags"
 +  default     = "demo"
 +}
 +
 +variable "key_pair_name" {
 +  description = "SSH key pair name"
 +  type        = string
 +  default     = "vyos-demo-key"
 +}
 +
 +variable "private_key_path" {
 +  description = "Path to the private key file"
 +  default     = "keys/vyos_demo_private_key.pem"
 +}
 +
 +variable "public_key_path" {
 +  description = "Path to the private key file"
 +  default     = "keys/vyos_demo_public_key.pem"
 +}
 +
 +variable "vpc_name" {
 +  description = "Name for VPC"
 +  default     = "test-vpc"
 +}
 +
 +variable "public_subnet_name" {
 +  description = "The name of the public subnet"
 +  type        = string
 +  default     = "pub-subnet"
 +}
 +
 +variable "private_subnet_name" {
 +  description = "The name of the private subnet 01"
 +  type        = string
 +  default     = "priv-subnet"
 +}
 +
 +variable "vpc_cidr" {
 +  description = "CIDR block for VPC"
 +  type        = string
 +  default     = "172.16.0.0/16"
 +}
 +
 +variable "public_subnet_cidr" {
 +  description = "CIDR block for public subnet"
 +  default     = "172.16.1.0/24"
 +}
 +
 +variable "private_subnet_cidr" {
 +  description = "CIDR block for private subnet"
 +  type        = string
 +  default     = "172.16.11.0/24"
 +}
 +
 +variable "vyos_pub_nic_ip_address" {
 +  description = "VyOS Instance Public address"
 +  type        = string
 +  default     = "172.16.1.11"
 +}
 +
 +variable "vyos_priv_nic_address" {
 +  description = "VyOS Instance Private NIC address"
 +  type        = string
 +  default     = "172.16.11.11"
 +}
 +
 +variable "vyos_instance_type" {
 +  description = "The type of the VyOS Instance"
 +  type        = string
 +  default     = "c5n.xlarge"
 +}
 +
 +variable "vyos_instance_name" {
 +  type    = string
 +  default = "VyOS"
 +}
 +
 +variable "igw_name" {
 +  type    = string
 +  default = "igw"
 +}
 +
 +variable "vyos_eip_name" {
 +  type    = string
 +  default = "vyos"
 +}
 +
 +variable "public_rtb_name" {
 +  type    = string
 +  default = "public-rtb"
 +
 +}
 +
 +variable "public_sg_name" {
 +  type    = string
 +  default = "public-sg"
 +}
 +
 +variable "private_sg_name" {
 +  type    = string
 +  default = "private-sg"
 +}
 +
 +variable "dns" {
 +  default = "8.8.8.8"
 +}
 +
 +variable "vyos_bgp_as_number" {
 +  default = "65001"
 +}
 +
 +# On Prem Data Center
 +
 +variable "on_prem_bgp_as_number" {
 +  default = "65002"
 +}
 +
 +variable "on_prem_public_ip_address" {
 +  default = "192.0.2.1"
 +}
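Review bot: `variable "public_key_path"` carries the description "Path to the private key file", copied from `private_key_path`; correct it to "Path to the public key file". `on_prem_public_ip_address` defaults to `192.0.2.1`, a TEST-NET-1 documentation address, which lets an apply succeed with a tunnel peer that can never come up; drop the default so the peer address must be supplied explicitly. Several variables (`private_key_path`, `public_key_path`, `vpc_name`, `public_subnet_cidr`, `dns`, both AS numbers, `on_prem_public_ip_address`) lack a `type`, the AS numbers are strings where `number` would allow a `validation` block, and `vyos_pub_nic_ip_address` is described as "VyOS Instance Public address" although it is the private IP of the public-subnet ENI. The `vyos_ami_id` variable referenced in the readme is missing here, and `private_key_path` is not referenced by `network.tf`, `output.tf`, `provider.tf` or `security_groups.tf`; confirm it is used in `vyos_instance.tf` or remove it.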