
We use CloudFormation as infrastructure as code for the VPN connection between our on-premises network and our AWS account. We need to set a parameter that is documented as follows (full documentation):

Remote IPv4 network CIDR (IPv4 VPN connection only): The IPv4 CIDR range on the AWS side that is allowed to communicate over the VPN tunnels. Default: 0.0.0.0/0

We have searched the internet, but there is no actual CloudFormation syntax for how to set this value.

We want to change the value from the default 0.0.0.0/0 to a different, more specific /24 range.

In some VPN software this is called a traffic selector, proxy ID, or encryption domain.


1 Answer


The Remote IPv4 network CIDR can be changed using the SDK. The CloudFormation below will change the Remote IPv4 network CIDR.

    lambdaExecutionRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow
              Principal:
                Service:
                - lambda.amazonaws.com
              Action:
              - sts:AssumeRole
          Path: "/"
          Policies:
          - PolicyName: root
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
              - Effect: Allow
                Action:
                 - logs:*
                Resource: arn:aws:logs:*:*:*   # placeholder: restrict to logs:CreateLogGroup/CreateLogStream/PutLogEvents on this function's log group
              - Effect: Allow
                Action:
                 - ec2:ModifyVpnConnectionOptions
                Resource: !Sub "arn:aws:ec2:*:..."   # the ARN of your AWS::EC2::VPNConnection (arn:aws:ec2:<region>:<account>:vpn-connection/<vpn-id>)

    # A Lambda that changes the Remote IPv4 network CIDR of the VPN using the AWS SDK.
    # The API call is asynchronous: the function returns once the modification is
    # accepted, before the VPN connection has finished applying it.
    customResourceSetRemoteIp:
        Type: AWS::Lambda::Function
        Properties:
          Runtime: nodejs14.x   # bundles aws-sdk v2; cfn-response is available to inline (ZipFile) code
          Role: !GetAtt lambdaExecutionRole.Arn
          Handler: index.handler
          Timeout: 30   # the default of 3 s is tight for an SDK call plus the cfn-response callback
          Code:
            ZipFile: |
                var response = require('cfn-response')
                var aws = require('aws-sdk')
                exports.handler = function (event, context) {
                    console.log("REQUEST RECEIVED:\n" + JSON.stringify(event))

                    // For Delete requests, immediately send a SUCCESS response.
                    // The CIDR is left as last set; run this job again with the
                    // desired value if you want a rollback.
                    if (event.RequestType == "Delete") {
                        response.send(event, context, "SUCCESS")
                        return
                    }
                    var responseStatus = "FAILED"
                    var responseData = {}
                    var vpnConnection = event.ResourceProperties.VpnConnection;
                    var remoteIpv4NetworkCidr = event.ResourceProperties.RemoteIpv4NetworkCidr;

                    console.log("Set remote ipv4 cidr to '" + remoteIpv4NetworkCidr +
                        "' at vpn connection '" + vpnConnection + "'");

                    var ec2 = new aws.EC2();
                    var params = {
                      VpnConnectionId: vpnConnection, /* required */
                      DryRun: false,
                      RemoteIpv4NetworkCidr: remoteIpv4NetworkCidr
                    };
                    ec2.modifyVpnConnectionOptions(params, function(err, data) {
                      if (err) {
                          console.log(err, err.stack);        // an error occurred
                          responseData = {Error: String(err)} // code + message; a raw Error does not serialize usefully
                      } else {
                          responseStatus = "SUCCESS"
                          console.log(data);                  // successful response
                      }
                      // cfn-response reports the status to CloudFormation and ends the invocation
                      response.send(event, context, responseStatus, responseData)
                    });
                }
          Description: Set VPN options in cloudformation
          TracingConfig:
            Mode: PassThrough

    setRemoteIpOnVpnCustomResource:
        Type: AWS::CloudFormation::CustomResource
        Version: "1.0"
        Properties:
          ServiceToken: !GetAtt customResourceSetRemoteIp.Arn
          VpnConnection: !Ref vpcVpnConnection   # your AWS::EC2::VPNConnection resource (not shown here)
          RemoteIpv4NetworkCidr: "10.0.0.0/24"
answered 2021-09-29T14:06:31.907
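The answer above hands whatever `RemoteIpv4NetworkCidr` the template contains straight to `ModifyVpnConnectionOptions`. Since that value is the AWS-side traffic selector, a typo such as leaving the default `0.0.0.0/0` or pasting a host address silently widens what the on-premises peer may reach. The following is an added example, not code from the original answer: hypothetical helpers `parseIpv4Cidr`, `validateRemoteCidr` and `buildHandler` that check the CIDR before the API call and keep the custom-resource logic separate from the SDK so it runs offline against a fake client. The `AllowedRemoteCidrs` property and the RFC 1918 fallback are assumptions for illustration.

```javascript
// Added example, not part of the original answer. Hypothetical helpers that
// validate the RemoteIpv4NetworkCidr before it reaches
// ModifyVpnConnectionOptions, with the AWS call injected for offline tests.

// Parse "a.b.c.d/n" into 32-bit integers; returns null on malformed input.
function parseIpv4Cidr(cidr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(String(cidr).trim());
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255) || prefix > 32) return null;
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  // JS shift counts are taken mod 32, so /0 must be special-cased to an all-zero mask.
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { addr, prefix, mask, network: (addr & mask) >>> 0 };
}

function formatIpv4(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Policy for the AWS-side traffic selector: a canonical network address,
// never the permissive default 0.0.0.0/0, and contained in one of the
// allowed ranges (the VPC CIDRs that should be reachable from on-premises).
function validateRemoteCidr(cidr, allowedRanges) {
  const c = parseIpv4Cidr(cidr);
  if (!c) return { ok: false, reason: 'not an IPv4 CIDR: ' + cidr };
  if (c.prefix === 0) return { ok: false, reason: '0.0.0.0/0 is the permissive default; refuse it' };
  if (c.network !== c.addr) {
    return { ok: false, reason: 'host bits set; use ' + formatIpv4(c.network) + '/' + c.prefix };
  }
  const inside = allowedRanges.some((a) => {
    const p = parseIpv4Cidr(a);
    return p !== null && p.prefix <= c.prefix && ((c.addr & p.mask) >>> 0) === p.network;
  });
  if (!inside) return { ok: false, reason: cidr + ' is outside allowed ranges ' + allowedRanges.join(', ') };
  return { ok: true, cidr: formatIpv4(c.addr) + '/' + c.prefix };
}

// Custom-resource core. `modify` is an async function receiving the
// ModifyVpnConnectionOptions parameters; in Lambda you would pass
// (params) => new AWS.EC2().modifyVpnConnectionOptions(params).promise()
// and forward the returned Status/Data/PhysicalResourceId to cfn-response.
function buildHandler(modify) {
  return async function handle(event) {
    const props = event.ResourceProperties || {};
    // Stable id tied to the VPN, so a CIDR change is an in-place Update and
    // CloudFormation does not follow it with a Delete of a previous id.
    const base = { PhysicalResourceId: 'remote-cidr:' + props.VpnConnection, Data: {} };
    if (event.RequestType === 'Delete') {
      // Nothing to undo: the CIDR stays whatever was last applied to the VPN.
      return Object.assign({ Status: 'SUCCESS' }, base);
    }
    const allowed = Array.isArray(props.AllowedRemoteCidrs) && props.AllowedRemoteCidrs.length > 0
      ? props.AllowedRemoteCidrs
      : ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']; // assumed fallback: RFC 1918 only
    const v = validateRemoteCidr(props.RemoteIpv4NetworkCidr, allowed);
    if (!v.ok) return Object.assign({ Status: 'FAILED', Reason: v.reason }, base);
    try {
      await modify({ VpnConnectionId: props.VpnConnection, RemoteIpv4NetworkCidr: v.cidr });
      return Object.assign({ Status: 'SUCCESS' }, base, { Data: { RemoteIpv4NetworkCidr: v.cidr } });
    } catch (err) {
      return Object.assign({ Status: 'FAILED', Reason: String(err && err.message ? err.message : err) }, base);
    }
  };
}

// Constructed demo event and a fake client; no AWS credentials needed.
const demoEvent = {
  RequestType: 'Create',
  ResourceProperties: { VpnConnection: 'vpn-0123456789abcdef0', RemoteIpv4NetworkCidr: '10.0.0.0/24' },
};
buildHandler(async (params) => { console.log('would call ModifyVpnConnectionOptions', params); return {}; })(demoEvent)
  .then((r) => console.log('result', r));
```

Two things this changes relative to the inline Lambda in the answer: a bad value fails the stack before any API call is made, and the handler returns an explicit `PhysicalResourceId`. With `cfn-response` and no explicit id, the id defaults to the log stream name, which differs per invocation, so every Update of the CIDR is followed by a Delete event for the "old" resource; that is harmless only because Delete is a no-op there.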