Tags: amazon-web-services, aws-cloudformation, aws-vpn

How to set "Remote IPv4 Network CIDR" VPN properties using cloudformation in AWS


We use CloudFormation as infrastructure as code for our VPN connection between on-premises and our AWS account. We need to set a parameter documented as (complete docs):

Remote IPv4 Network CIDR   (IPv4 VPN connection only) The IPv4 CIDR range on the AWS side that is allowed to communicate over the VPN tunnels.  Default: 0.0.0.0/0

We have searched the internet but there is no real CloudFormation syntax for how to set that variable.

We would like to set the value from default value 0.0.0.0/0 to another more specific /24 range.

In some VPN software this is referred to as traffic selector, proxy ID or encryption domain.


Solution

  • The Remote IPv4 Network CIDR can be changed using the SDK. The CloudFormation below will change the Remote IPv4 Network CIDR.

        lambdaExecutionRole:
            Type: AWS::IAM::Role
            Properties:
              AssumeRolePolicyDocument:
                Version: '2012-10-17'
                Statement:
                - Effect: Allow
                  Principal:
                    Service:
                    - lambda.amazonaws.com
                  Action:
                  - sts:AssumeRole
              Path: "/"
              Policies:
              - PolicyName: root
                PolicyDocument:
                  Version: '2012-10-17'
                  Statement:
                  - Effect: Allow
                    Action:
                     - logs:CreateLogGroup
                     - logs:CreateLogStream
                     - logs:PutLogEvents
                    Resource: arn:aws:logs:*:*:*   # Set appropriate value (narrow to this function's log group)
                  - Effect: Allow
                    Action:
                     - ec2:ModifyVpnConnectionOptions
                    Resource: !Sub "arn:aws:ec2:*:..."   # Refer to your AWS::EC2::VPNConnection
    
        # A Lambda that changes the Remote IPv4 Network CIDR of the VPN using the AWS SDK.
        # The API call returns before AWS has finished applying the change (the connection
        # passes through the 'modifying' state), so this resource completes before the
        # modification of the VPN is done.
        customResourceSetRemoteIp:
            Type: AWS::Lambda::Function
            Properties:
              Runtime: nodejs14.x   # aws-sdk v2 is only bundled in runtimes up to nodejs16.x
              Role: !GetAtt lambdaExecutionRole.Arn
              Handler: index.handler
              Timeout: 30           # the 3 s default is tight for a cold start plus the EC2 call
              Code:
                ZipFile: |
                    var response = require('cfn-response')
                    var aws = require('aws-sdk')
                    exports.handler = function (event, context) {
                        console.log("REQUEST RECEIVED:\n" + JSON.stringify(event))

                        var vpnConnection = event.ResourceProperties.VpnConnection;
                        var remoteIpv4NetworkCidr = event.ResourceProperties.RemoteIpv4NetworkCidr;

                        // For Delete requests, immediately send a SUCCESS response; the VPN's
                        // options are left as they are. You need to run this job with the
                        // new value if you want a rollback.
                        // The VPN connection ID is passed as PhysicalResourceId so that an
                        // Update keeps the same ID and CloudFormation does not follow it with
                        // a Delete for a "replaced" resource.
                        if (event.RequestType == "Delete") {
                            response.send(event, context, "SUCCESS", {}, vpnConnection)
                            return
                        }
                        var responseStatus = "FAILED"
                        var responseData = {}

                        console.log("Set remote ipv4 cidr to '" + remoteIpv4NetworkCidr +
                            "' at vpn connection '" + vpnConnection + "'");

                        var ec2 = new aws.EC2();
                        var params = {
                          VpnConnectionId: vpnConnection, /* required */
                          DryRun: false,
                          RemoteIpv4NetworkCidr: remoteIpv4NetworkCidr
                        };
                        ec2.modifyVpnConnectionOptions(params, function(err, data) {
                          if (err) {
                              console.log(err, err.stack); // an error occurred; the stack will fail
                              responseData = {Error: err.message}
                          } else {
                              responseStatus = "SUCCESS"
                              console.log(data);           // successful response
                          }
                          // cfn-response PUTs the result to the pre-signed ResponseURL
                          // and ends the invocation.
                          response.send(event, context, responseStatus, responseData, vpnConnection)
                        });
                    }
              Description: Set VPN options in cloudformation
              TracingConfig:
                Mode: PassThrough
    
        setRemoteIpOnVpnCustomResource:
            Type: AWS::CloudFormation::CustomResource
            Version: "1.0"
            Properties:
              ServiceToken: !GetAtt customResourceSetRemoteIp.Arn
              VpnConnection: !Ref vpcVpnConnection   # the AWS::EC2::VPNConnection in this template
              RemoteIpv4NetworkCidr: "10.0.0.0/24"
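A Python version of the same custom-resource handler, as an added example rather than the answer's own code. It assumes the property names `VpnConnection`, `RemoteIpv4NetworkCidr` and `AllowDefault` (our own naming), imports boto3 lazily so the logic runs offline, and uses a constructed `FakeEc2` client and demo event in place of real AWS calls. It shows three things the Node handler above leaves out: validating the CIDR before calling the API (strict network, IPv4 only, refusing an accidental `0.0.0.0/0` which would re-open the AWS side to everything), polling DescribeVpnConnections until the connection is `available` again and the reported value matches, and using the VPN connection ID as PhysicalResourceId.

```python
"""Lambda custom resource that sets RemoteIpv4NetworkCidr on a VPN connection.

Added example, not the original poster's code. Assumptions: boto3 exists only
in Lambda (imported lazily), the property names VpnConnection /
RemoteIpv4NetworkCidr / AllowDefault are our own, and FakeEc2 plus demo_event
are constructed stand-ins so the module runs offline.
"""
import ipaddress
import json
import time
import urllib.request


def validate_cidr(cidr, allow_default=False):
    """Return the normalised IPv4 CIDR or raise ValueError.

    strict=True rejects host bits ("10.0.0.1/24"); 0.0.0.0/0 (the AWS default,
    i.e. every address on the AWS side reachable over the tunnel) is refused
    unless the template opts in explicitly.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError(f"{cidr} is not an IPv4 network")
    if net.prefixlen == 0 and not allow_default:
        raise ValueError("refusing 0.0.0.0/0; set AllowDefault to true to permit it")
    return str(net)


def set_remote_cidr(ec2, vpn_id, cidr, poll_seconds=5, max_polls=120, sleep=time.sleep):
    """ModifyVpnConnectionOptions returns before the change is applied (the
    connection goes through 'modifying'), so poll until it is 'available' again
    and confirm AWS reports the value we asked for."""
    ec2.modify_vpn_connection_options(VpnConnectionId=vpn_id, RemoteIpv4NetworkCidr=cidr)
    for _ in range(max_polls):
        conn = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_id])["VpnConnections"][0]
        if conn["State"] == "available":
            actual = conn.get("Options", {}).get("RemoteIpv4NetworkCidr")
            if actual != cidr:
                raise RuntimeError(f"{vpn_id} reports RemoteIpv4NetworkCidr={actual}, wanted {cidr}")
            return actual
        sleep(poll_seconds)
    raise TimeoutError(f"{vpn_id} did not return to 'available' after {max_polls} polls")


def build_response(event, status, reason="", data=None, physical_id=None):
    """Body CloudFormation expects at ResponseURL. Using the VPN connection ID as
    PhysicalResourceId keeps it stable across Updates, so CloudFormation does not
    follow an Update with a Delete for a 'replaced' resource."""
    return {
        "Status": status,
        "Reason": reason or "see CloudWatch logs",
        "PhysicalResourceId": physical_id or event.get("PhysicalResourceId", "unknown"),
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(url, body):
    """PUT the result to the pre-signed ResponseURL (empty Content-Type for S3)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req).read()


def handler(event, context=None, ec2=None, send=send_response):
    props = event.get("ResourceProperties", {})
    vpn_id = props["VpnConnection"]
    if ec2 is None:                      # real Lambda path; tests inject a client
        import boto3
        ec2 = boto3.client("ec2")
    status, reason, data = "SUCCESS", "", {}
    try:
        if event["RequestType"] in ("Create", "Update"):
            allow = str(props.get("AllowDefault", "false")).lower() == "true"
            cidr = validate_cidr(props["RemoteIpv4NetworkCidr"], allow)
            data["RemoteIpv4NetworkCidr"] = set_remote_cidr(ec2, vpn_id, cidr)
        # Delete: the VPN belongs to AWS::EC2::VPNConnection; its options are left
        # untouched rather than silently widened back to 0.0.0.0/0.
    except Exception as exc:             # any failure must still answer CloudFormation
        status, reason = "FAILED", f"{type(exc).__name__}: {exc}"
    body = build_response(event, status, reason, data, physical_id=vpn_id)
    send(event["ResponseURL"], body)
    return body


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client (offline demo only)."""

    def __init__(self, states):
        self.states, self.cidr, self.calls = list(states), "0.0.0.0/0", []

    def modify_vpn_connection_options(self, **kw):
        self.calls.append(kw)
        self.cidr = kw["RemoteIpv4NetworkCidr"]
        return {}

    def describe_vpn_connections(self, **kw):
        state = self.states.pop(0) if len(self.states) > 1 else self.states[0]
        return {"VpnConnections": [{"VpnConnectionId": kw["VpnConnectionIds"][0],
                                    "State": state,
                                    "Options": {"RemoteIpv4NetworkCidr": self.cidr}}]}


def demo_event(request_type, cidr):
    """Constructed custom-resource event; IDs and URL are placeholders."""
    return {"RequestType": request_type, "ResponseURL": "https://example.invalid/",
            "StackId": "stack-id", "RequestId": "req-id", "LogicalResourceId": "setRemoteIp",
            "ResourceProperties": {"VpnConnection": "vpn-0123456789abcdef0",
                                   "RemoteIpv4NetworkCidr": cidr}}


if __name__ == "__main__":
    print(handler(demo_event("Create", "10.0.0.0/24"), ec2=FakeEc2(["available"]),
                  send=lambda url, body: None)["Status"])
```

In Lambda, point the CustomResource's `ServiceToken` at this function and keep the IAM policy to `ec2:ModifyVpnConnectionOptions` plus `ec2:DescribeVpnConnections`, which the polling needs; the waiting makes the custom resource finish only once the VPN is actually back to `available` with the new traffic selector, so dependent resources see the final state.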