We use CloudFormation as infrastructure as code for our VPN connection between on-premises and our AWS account. We need to set a parameter documented as (complete docs):
Remote IPv4 Network CIDR (IPv4 VPN connection only): The IPv4 CIDR range on the AWS side that is allowed to communicate over the VPN tunnels. Default: 0.0.0.0/0
We have searched the internet, but there is no real syntax for CloudFormation on how to set that variable.
We would like to change the value from the default 0.0.0.0/0 to another, more specific /24 range.
In some VPN software this is referred to as traffic selector, proxy ID or encryption domain.
The Remote IPv4 Network CIDR can be changed using the SDK. The CloudFormation below will change the Remote IPv4 Network CIDR.
lambdaExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
    Path: "/"
    Policies:
      - PolicyName: root
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - logs:*
              Resource: arn:aws:logs:*:*:*   # Set appropriate value
            - Effect: Allow
              Action:
                - ec2:ModifyVpnConnectionOptions
              Resource: !Sub "arn:aws:ec2:*:..."   # Refer to your AWS::EC2::VPNConnection

# A Lambda that changes the remote IPv4 property of the VPN using the AWS SDK.
# Asynchronous, so it will finish before the modification of the VPN is done.
customResourceSetRemoteIp:
  Type: AWS::Lambda::Function
  Properties:
    Runtime: nodejs14.x
    Role: !GetAtt lambdaExecutionRole.Arn
    Handler: index.handler
    Code:
      ZipFile: |
        var response = require('cfn-response')
        var aws = require('aws-sdk')
        exports.handler = function (event, context) {
          console.log("REQUEST RECEIVED:\n" + JSON.stringify(event))
          // For Delete requests, immediately send a SUCCESS response.
          // You need to run this job with the new value if you want a rollback.
          if (event.RequestType == "Delete") {
            response.send(event, context, "SUCCESS")
            return
          }
          var responseStatus = "FAILED"
          var responseData = {}
          var vpnConnection = event.ResourceProperties.VpnConnection;
          var remoteIpv4NetworkCidr = event.ResourceProperties.RemoteIpv4NetworkCidr;
          console.log("Set remote ipv4 cidr to '" + remoteIpv4NetworkCidr +
            "' at vpn connection '" + vpnConnection + "'");
          var ec2 = new aws.EC2();
          var params = {
            VpnConnectionId: vpnConnection, /* required */
            DryRun: false,
            RemoteIpv4NetworkCidr: remoteIpv4NetworkCidr
          };
          ec2.modifyVpnConnectionOptions(params, function(err, data) {
            if (err) {
              console.log(err, err.stack); // an error occurred
              responseData = {Error: err}
              console.log(responseData.Error + ":\n", err)
            } else {
              responseStatus = "SUCCESS"
              console.log(data); // successful response
            }
            // cfn-response signals completion to CloudFormation and ends the invocation
            response.send(event, context, responseStatus, responseData)
          });
        }
    Description: Set VPN options in cloudformation
    TracingConfig:
      Mode: PassThrough

setRemoteIpOnVpnCustomResource:
  Type: AWS::CloudFormation::CustomResource
  Version: "1.0"
  Properties:
    ServiceToken: !GetAtt customResourceSetRemoteIp.Arn
    VpnConnection: !Ref vpcVpnConnection
    RemoteIpv4NetworkCidr: "10.0.0.0/24"