#sudo npm install -g aws-cdk
#echo '{"app": "python3 vpc.py"}' > cdk.json
#vi vpc.py
#pip install aws-cdk.aws-ec2
from typing import Optional

from aws_cdk import (
    aws_ec2 as ec2,
    aws_iam as iam,
    core,
)
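class Vpc(core.Stack):
    """Two-AZ VPC with public/private/isolated subnets, tiered security groups and a bastion host.

    Ingress wiring, exactly as the code below creates it:

    * ``sg_alb``         <- tcp/80 from any IPv4
    * ``sg_bastion``     <- tcp/22 from ``ssh_source_cidr`` (any IPv4 when not given)
    * ``sg_ec2``         <- tcp/80 from ``sg_alb``, tcp/22 from ``sg_bastion``
    * ``sg_rds``         <- tcp/3306 from ``sg_ec2`` and ``sg_bastion``
    * ``sg_efs``         <- tcp/2049 from ``sg_ec2`` and ``sg_bastion``
    * ``sg_ElastiCache`` <- tcp/11211 from ``sg_ec2`` and ``sg_bastion``

    Every group is created with ``allow_all_outbound=True`` (egress unrestricted).
    Stack outputs: the bastion's public IP and the VPC id.
    """

    # Address space of the whole VPC; each subnet group takes /24 slices from it.
    VPC_CIDR = "10.10.0.0/16"
    # Name of a pre-existing EC2 key pair; it is attached to the bastion instance.
    KEY_NAME = "bastionkey"
    # Default IAM role imported for the bastion. NOTE(review): the account id is
    # baked into the source here; prefer passing ``role_arn`` from the caller/context.
    ROLE_ARN = "arn:aws:iam::946651172288:role/EC2InstanceRole"

    def __init__(
        self,
        scope: core.Construct,
        id: str,
        *,
        role_arn: Optional[str] = None,
        ssh_source_cidr: Optional[str] = None,
        **kwargs,
    ) -> None:
        """Build the VPC, security groups, bastion and outputs.

        Args:
            scope: Parent construct (normally the ``core.App``).
            id: Logical id of this stack.
            role_arn: IAM role ARN attached to the bastion; defaults to ``ROLE_ARN``.
            ssh_source_cidr: IPv4 CIDR allowed to reach the bastion on tcp/22.
                ``None`` keeps the original behaviour (open to any IPv4).
            **kwargs: Forwarded to ``core.Stack`` (e.g. ``env``).
        """
        # Bug fix: the original called ``super().__init__(scope, id, *kwargs)``,
        # which unpacks the dict's *keys* positionally; Stack options must be
        # forwarded as keyword arguments.
        super().__init__(scope, id, **kwargs)

        vpc = self._build_vpc()
        groups = self._build_security_groups(vpc, ssh_source_cidr)
        bastion = self._build_bastion(vpc, groups["bastion"], role_arn or self.ROLE_ARN)

        # Stack outputs. The logical id "Outpur_bastion" is a typo in the original;
        # it is kept so the output's logical id does not change on redeploy.
        core.CfnOutput(self, "Outpur_bastion", value=bastion.instance_public_ip)
        core.CfnOutput(self, "Output_vpc", value=vpc.vpc_id)

    def _build_vpc(self) -> ec2.Vpc:
        """Create the VPC: 2 AZs, one /24 public, private and isolated subnet per AZ."""
        return ec2.Vpc(
            self,
            "vpc",
            max_azs=2,
            cidr=self.VPC_CIDR,
            subnet_configuration=[
                ec2.SubnetConfiguration(
                    subnet_type=ec2.SubnetType.PUBLIC, name="Public", cidr_mask=24
                ),
                ec2.SubnetConfiguration(
                    subnet_type=ec2.SubnetType.PRIVATE, name="Private", cidr_mask=24
                ),
                # Isolated subnets have no route to the internet; the DB tier lives here.
                ec2.SubnetConfiguration(
                    subnet_type=ec2.SubnetType.ISOLATED, name="DB", cidr_mask=24
                ),
            ],
            # One NAT gateway per AZ (max_azs=2).
            nat_gateways=2,
        )

    def _security_group(self, name: str, vpc: ec2.Vpc) -> ec2.SecurityGroup:
        """Create a security group whose construct id and group name are both *name*."""
        return ec2.SecurityGroup(
            self,
            name,
            vpc=vpc,
            security_group_name=name,
            # Egress is unrestricted (the original comment claimed the opposite).
            # NOTE(review): tighten this once the tiers' outbound needs are known.
            allow_all_outbound=True,
        )

    def _build_security_groups(
        self, vpc: ec2.Vpc, ssh_source_cidr: Optional[str]
    ) -> dict:
        """Create the six tier security groups and their ingress rules, keyed by tier."""
        sg_alb = self._security_group("sg_alb", vpc)
        sg_bastion = self._security_group("sg_bastion", vpc)
        sg_ec2 = self._security_group("sg_ec2", vpc)
        sg_rds = self._security_group("sg_rds", vpc)
        sg_efs = self._security_group("sg_efs", vpc)
        sg_cache = self._security_group("sg_ElastiCache", vpc)

        # Public edge: HTTP to the load balancer from anywhere.
        sg_alb.connections.allow_from_any_ipv4(ec2.Port.tcp(80))

        # Bastion SSH. Without a source CIDR this is open to the whole IPv4
        # internet, as in the original; callers should pass ``ssh_source_cidr``.
        if ssh_source_cidr is None:
            sg_bastion.connections.allow_from_any_ipv4(ec2.Port.tcp(22))
        else:
            sg_bastion.connections.allow_from(
                ec2.Peer.ipv4(ssh_source_cidr), ec2.Port.tcp(22)
            )

        # App tier: HTTP from the ALB only, SSH from the bastion only.
        # NOTE(review): the original comment mentioned port 7777 but the code
        # opens tcp/80; the code is kept — confirm the application port.
        sg_ec2.connections.allow_from(sg_alb, ec2.Port.tcp(80))
        sg_ec2.connections.allow_from(sg_bastion, ec2.Port.tcp(22))

        # Data tiers: each backend accepts its service port from the app tier
        # and from the bastion (RDS 3306, EFS 2049, ElastiCache/Memcached 11211).
        for sg, port in ((sg_rds, 3306), (sg_efs, 2049), (sg_cache, 11211)):
            sg.connections.allow_from(sg_ec2, ec2.Port.tcp(port))
            sg.connections.allow_from(sg_bastion, ec2.Port.tcp(port))

        return {
            "alb": sg_alb,
            "bastion": sg_bastion,
            "ec2": sg_ec2,
            "rds": sg_rds,
            "efs": sg_efs,
            "cache": sg_cache,
        }

    def _build_bastion(
        self, vpc: ec2.Vpc, sg_bastion: ec2.SecurityGroup, role_arn: str
    ) -> ec2.Instance:
        """Launch a t2.micro Amazon Linux 2 bastion in a public subnet with the imported role."""
        # The construct id "ecs" is kept from the original even though the role is used by EC2.
        role = iam.Role.from_role_arn(self, "ecs", role_arn=role_arn)
        return ec2.Instance(
            self,
            "myBastion",
            vpc=vpc,
            instance_name="myBastionHostLinux",
            machine_image=ec2.MachineImage.latest_amazon_linux(
                generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2
            ),
            vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
            key_name=self.KEY_NAME,
            role=role,
            security_group=sg_bastion,
            instance_type=ec2.InstanceType(instance_type_identifier="t2.micro"),
        )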
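def main() -> None:
    """Synthesize the stack; ``cdk.json`` runs this file as ``python3 vpc.py``."""
    app = core.App()
    Vpc(app, "Vpc")
    app.synth()


# Guarded so importing this module (e.g. from tests) does not synthesize.
if __name__ == "__main__":
    main()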