private-nlb-httpsという名前のNLBと、ログ出力用のS3バケットです。これを元に設定を作れるようにシンプルにしてあります。
- HTTPSで受けてバックエンドは80で受ける設定です
- 証明書はACMにアップロード済みを想定しています
- NLBは2つのサブネットにデプロイすることを想定したパターンです
- S3のバケットポリシーはこちらの公式ドキュメントを参考にしています
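---
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Internal Network Load Balancer with a TLS listener on 443 that forwards to a
  TCP/80 IP target group, plus an S3 bucket (and bucket policy) that receives
  the NLB access logs.

Parameters:
  NLBName:
    Type: String
    Description: Name of the internal Network Load Balancer.
  NLBTargetGroupName:
    Type: String
    Description: Name of the TCP/80 target group the listener forwards to.
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC that holds the target group and the two NLB subnets.
  SubnetIdA:
    Type: AWS::EC2::Subnet::Id
    Description: First subnet the NLB is deployed into (one ENI per subnet).
  IpAddressA:
    Type: String
    Description: Static private IPv4 address assigned to the NLB ENI in SubnetIdA.
    # Single-quoted so the backslashes stay literal; CloudFormation requires the
    # pattern to match the whole parameter value.
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})'
  SubnetIdC:
    Type: AWS::EC2::Subnet::Id
    Description: Second subnet the NLB is deployed into.
  IpAddressC:
    Type: String
    Description: Static private IPv4 address assigned to the NLB ENI in SubnetIdC.
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})'
  LogBucketName:
    Type: String
    Description: Globally unique name for the access-log bucket.
  ListenerCertificateArn:
    Type: String
    Description: ARN of the ACM certificate (already issued/imported) used by the 443 listener.
    # Placeholder kept from the original template; override it at deploy time.
    Default: arn:aws:acm:ap-northeast-1:123456789012:certificate/xxxxxxxxx
  ListenerSslPolicy:
    Type: String
    Description: TLS security policy applied to the 443 listener (TLS 1.2/1.3 only by default).
    Default: ELBSecurityPolicy-TLS13-1-2-2021-06

Resources:
  LogBucket:
    Type: AWS::S3::Bucket
    # Access logs are audit evidence: keep the bucket when the stack is deleted
    # or the resource is replaced.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Ref LogBucketName
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          # NLB access-log delivery supports SSE-S3 (AES256) on the bucket.
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        # Real booleans instead of the string "True" the original used.
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Refs : https://docs.aws.amazon.com/ja_jp/elasticloadbalancing/latest/network/load-balancer-access-logs.html#access-logging-bucket-requirements
  LogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      # Reference the bucket resource rather than the name parameter so
      # CloudFormation orders the policy after the bucket exists.
      Bucket: !Ref LogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AWSLogDeliveryWrite
            Effect: Allow
            Principal:
              Service: delivery.logs.amazonaws.com
            Action: s3:PutObject
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${LogBucket}/AWSLogs/${AWS::AccountId}/*
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                # Confused-deputy guard: only log deliveries on behalf of this
                # account may write into the bucket.
                aws:SourceAccount: !Ref AWS::AccountId
          - Sid: AWSLogDeliveryAclCheck
            Effect: Allow
            Principal:
              Service: delivery.logs.amazonaws.com
            Action: s3:GetBucketAcl
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${LogBucket}
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId

  InternalNLB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    # Enabling access logs is validated against the bucket policy when the load
    # balancer is created, so the policy must already be attached.
    DependsOn: LogBucketPolicy
    Properties:
      Name: !Ref NLBName
      Type: network
      Scheme: internal
      LoadBalancerAttributes:
        # Attribute values are strings in the ELBv2 API; quoted so the YAML
        # parser does not turn them into booleans.
        - Key: access_logs.s3.enabled
          Value: "true"
        - Key: access_logs.s3.bucket
          Value: !Ref LogBucket
        - Key: load_balancing.cross_zone.enabled
          Value: "false"
      SubnetMappings:
        - SubnetId: !Ref SubnetIdA
          PrivateIPv4Address: !Ref IpAddressA
        - SubnetId: !Ref SubnetIdC
          PrivateIPv4Address: !Ref IpAddressC

  InternalNLBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: !Ref NLBTargetGroupName
      VpcId: !Ref VpcId
      # TLS terminates on the listener; targets receive plain TCP on port 80.
      Protocol: TCP
      Port: 80
      TargetType: ip
      TargetGroupAttributes:
        # Attribute values are strings in the ELBv2 API (see InternalNLB).
        - Key: deregistration_delay.timeout_seconds
          Value: "60"
        - Key: deregistration_delay.connection_termination.enabled
          Value: "false"
        - Key: preserve_client_ip.enabled
          Value: "false"
        - Key: proxy_protocol_v2.enabled
          Value: "false"
        - Key: stickiness.enabled
          Value: "false"

  InternalNLBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref InternalNLB
      Port: 443
      Protocol: TLS
      # Pin the cipher/protocol policy explicitly instead of relying on the
      # service default.
      SslPolicy: !Ref ListenerSslPolicy
      Certificates:
        - CertificateArn: !Ref ListenerCertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref InternalNLBTargetGroup

Outputs:
  NLBDnsName:
    Description: DNS name of the internal NLB.
    Value: !GetAtt InternalNLB.DNSName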