Amazon VPC Operations

From NovaOrdis Knowledge Base

Internal

Overview

VPC Operations

Create a VPC

Describe VPC

aws ec2 describe-vpcs --vpc-id <vpc-id>

Create a VPC with Amazon Console

VPC Console -> Your VPCs -> Create VPC:

Name tag: the name of the VPC

IPv4 CIDR block: 10.7.0.0/16

IPv6 CIDR block: No IPv6 CIDR Block

Tenancy: default

Create a VPC with CloudFormation

AWS::EC2::VPC
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties: 
      CidrBlock: !Ref PrimaryIPAddressRange
      EnableDnsSupport: true
      EnableDnsHostnames: false
      InstanceTenancy: "default"
      Tags:
        - Key: "Name"
          Value: !Ref VPCName

CIDR Block Operations

Disassociate a CIDR Block from VPC

aws ec2 disassociate-vpc-cidr-block --association-id vpc-cidr-assoc-09999999999999999 --region us-west-2

Subnet Operations

AWS::EC2::Subnet

Describe Subnets

All subnets available in the AWS account:

aws ec2 describe-subnets

Describe a specific subnet:

aws ec2 describe-subnets --subnet-id subnet-09999999999999999

Describe subnets associated with a certain VPC:

aws ec2 describe-subnets --filters Name=vpc-id,Values=vpc-09999999999999999

Describe subnets with a specific CIDR block:

aws ec2 describe-subnets --filters Name=cidr-block,Values=10.20.0.0/16

The cidr-block filter matches a subnet's CIDR block exactly; several blocks can be searched in one call by giving them as a comma-separated Values list (Values=10.20.1.0/24,10.20.2.0/24). To find the subnets contained in a larger range, list the VPC's subnets and compare the CIDR blocks client-side.

Create a Subnet

Create a Subnet with CloudFormation

Resources:
  Subnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.7.1.0/24          # must lie inside the VPC's own CIDR block (10.7.0.0/16 above)
      AvailabilityZone: us-west-2a    # an AZ in the region the stack is created in
      # Only needed when the VPC has an IPv6 CIDR block:
      # AssignIpv6AddressOnCreation: true
      # Ipv6CidrBlock: String
      MapPublicIpOnLaunch: false      # true gives every instance launched here a public IPv4 address
      Tags:
        - Key: Name
          Value: 'blue-subnet'

Delete a Subnet

aws ec2 delete-subnet --subnet-id subnet-09999999999999999

The subnet will not be deleted if it has "dependencies":

The subnet 'subnet-09999999999999999' has dependencies and cannot be deleted.

The dependencies are network interfaces that still exist in the subnet: those of running instances, but also those created by NAT gateways, load balancers, Lambda functions, VPC endpoints and similar services. To find them:

  • Attempt to delete from the AWS Console. Select the subnet → Actions → Delete Subnet. The console reports: "The following subnets cannot be deleted. The following subnets contain one or more instances and cannot be deleted until those instances have been terminated. Click here to view instances. The following subnets contain one or more network interfaces and cannot be deleted until those network interfaces have been deleted. Click here to view your network interfaces."
  • List the interfaces with describe-network-interfaces filtered on subnet-id, then terminate or delete whatever owns them.
  • Disassociate a Route Table from a Subnet

Route Table Operations

Describe a Route Table

aws ec2 describe-route-tables --route-table-ids rtb-09999999999999999

Create a Route Table

Create a Route Table with CloudFormation

AWS::EC2::RouteTable
AWS::EC2::SubnetRouteTableAssociation
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet-route-table-assoc.html
Resources:

  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties: 
        VpcId: !Ref VPC
        Tags:
          - Key: Name
            Value: "some-route-table"

  SubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties: 
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref Subnet

Note that a route table is not associated with any subnet after creation; an AWS::EC2::SubnetRouteTableAssociation resource must be created explicitly to implement the association. Until then the subnet uses the VPC's main route table, so whatever routes the main table carries (an internet gateway default route, for example) apply to every subnet that was never explicitly associated.
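Because a subnet without an explicit association silently uses the main route table, a 0.0.0.0/0 route to an internet gateway in the main table makes every such subnet public. The following added example (not code from this page or from AWS) reads the JSON that aws ec2 describe-route-tables and aws ec2 describe-subnets print for one VPC, resolves each subnet's effective route table and reports which subnets reach an internet gateway and whether they got there by inheriting the main table. The embedded input is constructed: all ids are made up, and the layout (a main table with an internet gateway route, one explicitly associated private table with a NAT gateway route, one subnet that was never associated) is an assumption chosen to show the failure mode.

```python
import json

# Constructed sample output, shaped like `aws ec2 describe-route-tables` and
# `aws ec2 describe-subnets --filters Name=vpc-id,Values=...` for one VPC.
# Not captured from a real account; every id below is made up.
ROUTE_TABLES_JSON = """
{"RouteTables": [
  {"RouteTableId": "rtb-0aaaaaaaaaaaaaaaa", "VpcId": "vpc-0aaaaaaaaaaaaaaaa",
   "Associations": [{"Main": true, "RouteTableAssociationId": "rtbassoc-0aaaaaaaaaaaaaaaa",
                     "RouteTableId": "rtb-0aaaaaaaaaaaaaaaa"}],
   "Routes": [{"DestinationCidrBlock": "10.7.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaaaaaaaaaaaaaaa", "State": "active"}]},
  {"RouteTableId": "rtb-0bbbbbbbbbbbbbbbb", "VpcId": "vpc-0aaaaaaaaaaaaaaaa",
   "Associations": [{"Main": false, "SubnetId": "subnet-0bbbbbbbbbbbbbbbb",
                     "RouteTableAssociationId": "rtbassoc-0bbbbbbbbbbbbbbbb",
                     "RouteTableId": "rtb-0bbbbbbbbbbbbbbbb"}],
   "Routes": [{"DestinationCidrBlock": "10.7.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbbbbbbbbbbbbbbb", "State": "active"}]}
]}
"""
SUBNETS_JSON = """
{"Subnets": [
  {"SubnetId": "subnet-0aaaaaaaaaaaaaaaa", "CidrBlock": "10.7.1.0/24", "MapPublicIpOnLaunch": true},
  {"SubnetId": "subnet-0bbbbbbbbbbbbbbbb", "CidrBlock": "10.7.2.0/24", "MapPublicIpOnLaunch": false},
  {"SubnetId": "subnet-0cccccccccccccccc", "CidrBlock": "10.7.3.0/24", "MapPublicIpOnLaunch": false}
]}
"""

# Keys under which describe-route-tables reports a route's target.
ROUTE_TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
                     "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId",
                     "EgressOnlyInternetGatewayId")


def index_route_tables(route_tables):
    """Return (explicit, main): explicit maps SubnetId -> route table for subnets
    that have an explicit association; main is the VPC's main route table."""
    explicit, main = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return explicit, main


def default_route_target(route_table):
    """Target id of the active 0.0.0.0/0 route, or None when there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # a blackhole route (e.g. deleted NAT gateway) forwards nothing
        for key in ROUTE_TARGET_KEYS:
            if key in route:
                return route[key]
    return None


def audit_subnets(route_tables, subnets):
    """One finding per subnet: effective route table, whether it was inherited
    from the main table, the default-route target, and whether that target is
    an internet gateway (i.e. the subnet is public)."""
    explicit, main = index_route_tables(route_tables)
    findings = []
    for subnet in subnets:
        sid = subnet["SubnetId"]
        rt = explicit.get(sid)
        inherited = rt is None
        if inherited:
            rt = main
        target = default_route_target(rt) if rt else None
        findings.append({
            "subnet": sid,
            "route_table": rt["RouteTableId"] if rt else None,
            "inherited_main": inherited,
            "default_route": target,
            "public": target is not None and target.startswith("igw-"),
            "auto_public_ip": bool(subnet.get("MapPublicIpOnLaunch", False)),
        })
    return findings


def run_audit(route_tables_json=ROUTE_TABLES_JSON, subnets_json=SUBNETS_JSON):
    route_tables = json.loads(route_tables_json)["RouteTables"]
    subnets = json.loads(subnets_json)["Subnets"]
    return audit_subnets(route_tables, subnets)


if __name__ == "__main__":
    for f in run_audit():
        via = "main table (no explicit association)" if f["inherited_main"] else f["route_table"]
        print(f"{f['subnet']}: public={f['public']} auto_public_ip={f['auto_public_ip']} "
              f"via {via}, default route -> {f['default_route']}")
```

With the sample data, subnet-0aaaaaaaaaaaaaaaa and subnet-0cccccccccccccccc are reported public through the main table even though only the first was meant to be; to run it against a real VPC, replace the two constants with the JSON saved from the CLI calls named above.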

Create a Route

Create a Route with CloudFormation

AWS::EC2::Route
Resources:
  ARoute:
    Type: AWS::EC2::Route
    # A route that targets an internet gateway must wait for the gateway to be
    # attached to the VPC when both are declared in the same template.
    DependsOn: InternetGatewayVpcAttachment
    Properties: 
      RouteTableId: !Ref RouteTable
      # Exactly one destination, IPv4 or IPv6 ...
      DestinationCidrBlock: 0.0.0.0/0
      # DestinationIpv6CidrBlock: ::/0
      # ... and exactly one target:
      GatewayId: !Ref InternetGateway
      # NatGatewayId: String
      # NetworkInterfaceId: String
      # InstanceId: String
      # EgressOnlyInternetGatewayId: String
      # VpcPeeringConnectionId: String

Delete a Route

aws ec2 delete-route --destination-cidr-block "10.20.0.0/16" --route-table-id rtb-0cccccccccccccccc

Disassociate a Route Table from a Subnet

aws ec2 disassociate-route-table --association-id rtbassoc-02222222222222222

Internet Gateway Operations

Describe an Internet Gateway

aws ec2 describe-internet-gateways [--internet-gateway-ids igw-0f8b5a9295a707d16]

Create an Internet Gateway

AWS::EC2::InternetGateway
AWS::EC2::VPCGatewayAttachment
Resources:

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties: 
      Tags:
        - Key: Name
          Value: infinity-igw

  InternetGatewayVpcAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties: 
        InternetGatewayId: !Ref InternetGateway
        VpcId: !Ref VPC

Note that an internet gateway is not attached to a VPC after creation; an AWS::EC2::VPCGatewayAttachment resource must be created to attach the internet gateway to a VPC.

With Terraform the attachment is not a separate step: the aws_internet_gateway resource takes a vpc_id argument and attaches the gateway to that VPC when it is created.

NAT Gateway Operations

Create a NAT Gateway

Create a NAT Gateway with Amazon Console

Create a NAT Gateway with CloudFormation

AWS::EC2::NatGateway
Resources:
  NATGateway:
    Type: AWS::EC2::NatGateway
    Properties: 
      SubnetId: !Ref PublicSubnet                           # a subnet whose route table reaches an internet gateway
      AllocationId: !GetAtt ElasticIPAddress.AllocationId   # !Ref on an AWS::EC2::EIP returns the address, not the allocation id
      Tags: 
        - Key: Name
          Value: infinity-nat

The gateway only serves the private subnets whose route table sends 0.0.0.0/0 to it (see Create a Route), and it needs the Elastic IP declared under Elastic IP Operations below.

Elastic IP Operations

Describe Elastic IP Addresses

aws [--region <region>] ec2 describe-addresses
aws [--region <region>] ec2 describe-addresses --filters Name=association-id,Values=...

Create an Elastic IP with CloudFormation

AWS::EC2::EIP
AWS::EC2::EIPAssociation
AWS::EC2::NetworkInterfaceAttachment

The following sequence declares an Elastic IP address for use in a VPC (Domain: vpc). If the Elastic IP and the VPC are defined in the same template, the EIP must declare a dependency on the VPC-gateway attachment.

Resources:
  ElasticIPAddress:
    Type: AWS::EC2::EIP
    DependsOn:
      - InternetGatewayVpcAttachment
    Properties:
      Domain: vpc
      # InstanceId and PublicIpv4Pool are optional; without them an unattached
      # address is allocated from Amazon's pool.
      Tags:
        - Key: Name
          Value: my-elastic-address

AWS::EC2::EIP supports Tags, so the address can be given a Name tag in the template, as above. The optional InstanceId property attaches the address to an instance at creation; otherwise associate it later with an AWS::EC2::EIPAssociation resource.

Security Group Operations

Remove a Security Group

aws ec2 delete-security-group --group-id sg-0b3b8bdd39f393d7a

The call fails with a DependencyViolation error while the group is still attached to a network interface or referenced by a rule in another security group of the same VPC; remove those references first.
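Both delete-subnet (see Delete a Subnet above) and delete-security-group fail with DependencyViolation until the dependencies are gone. This added example (not code from this page or from AWS) takes the JSON printed by aws ec2 describe-network-interfaces and aws ec2 describe-security-groups and lists, for a subnet, the network interfaces still in it and what owns them, and, for a security group, the other groups whose rules reference it and the interfaces that still carry it. The embedded input is constructed (ids and the account number are made up); the three-tier web/app/db layout, with the db group referencing itself, is an assumption chosen to show that a self-reference does not count as a blocker.

```python
import json

# Constructed sample output, shaped like `aws ec2 describe-network-interfaces`
# and `aws ec2 describe-security-groups` for one VPC. Not captured from a real
# account; every id and the account number are made up.
NETWORK_INTERFACES_JSON = """
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaaa", "SubnetId": "subnet-0aaaaaaaaaaaaaaaa",
   "InterfaceType": "interface", "Description": "", "Status": "in-use",
   "Attachment": {"InstanceId": "i-0aaaaaaaaaaaaaaaa", "Status": "attached"},
   "Groups": [{"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "web"}]},
  {"NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbbb", "SubnetId": "subnet-0aaaaaaaaaaaaaaaa",
   "InterfaceType": "nat_gateway", "Description": "Interface for NAT Gateway nat-0bbbbbbbbbbbbbbbb",
   "Status": "in-use", "Attachment": {"Status": "attached"}, "Groups": []},
  {"NetworkInterfaceId": "eni-0cccccccccccccccc", "SubnetId": "subnet-0bbbbbbbbbbbbbbbb",
   "InterfaceType": "interface", "Description": "", "Status": "in-use",
   "Attachment": {"InstanceId": "i-0cccccccccccccccc", "Status": "attached"},
   "Groups": [{"GroupId": "sg-0bbbbbbbbbbbbbbbb", "GroupName": "app"}]}
]}
"""
SECURITY_GROUPS_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "web",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "GroupName": "app",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
                      "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaaa", "UserId": "123456789012"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0cccccccccccccccc", "GroupName": "db",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
                      "UserIdGroupPairs": [{"GroupId": "sg-0bbbbbbbbbbbbbbbb", "UserId": "123456789012"},
                                           {"GroupId": "sg-0cccccccccccccccc", "UserId": "123456789012"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
]}
"""


def subnet_blockers(subnet_id, enis):
    """Network interfaces still in the subnet, each with what owns it: the
    instance id for instance ENIs, otherwise the interface type (nat_gateway,
    lambda, vpc_endpoint, ...), which names the service to tear down first."""
    blockers = []
    for eni in enis:
        if eni.get("SubnetId") != subnet_id:
            continue
        owner = eni.get("Attachment", {}).get("InstanceId") or eni.get("InterfaceType", "unknown")
        blockers.append((eni["NetworkInterfaceId"], owner))
    return blockers


def security_group_blockers(group_id, groups, enis):
    """What stops delete-security-group: other groups whose rules reference this
    group, and network interfaces that still carry it. A rule inside the group
    that references the group itself is skipped: it does not block deletion."""
    referenced_by = []
    for g in groups:
        if g["GroupId"] == group_id:
            continue
        for direction, perms in (("ingress", g.get("IpPermissions", [])),
                                 ("egress", g.get("IpPermissionsEgress", []))):
            for perm in perms:
                for pair in perm.get("UserIdGroupPairs", []):
                    if pair.get("GroupId") == group_id:
                        referenced_by.append((g["GroupId"], direction,
                                              perm.get("FromPort"), perm.get("ToPort")))
    attached_to = [eni["NetworkInterfaceId"] for eni in enis
                   if any(grp.get("GroupId") == group_id for grp in eni.get("Groups", []))]
    return {"referenced_by": referenced_by, "attached_to": attached_to}


def can_delete_security_group(group_id, groups, enis):
    b = security_group_blockers(group_id, groups, enis)
    return not b["referenced_by"] and not b["attached_to"]


def load_samples():
    return (json.loads(SECURITY_GROUPS_JSON)["SecurityGroups"],
            json.loads(NETWORK_INTERFACES_JSON)["NetworkInterfaces"])


if __name__ == "__main__":
    groups, enis = load_samples()
    print("subnet-0aaaaaaaaaaaaaaaa blockers:", subnet_blockers("subnet-0aaaaaaaaaaaaaaaa", enis))
    for g in groups:
        print(g["GroupId"], "deletable:", can_delete_security_group(g["GroupId"], groups, enis),
              security_group_blockers(g["GroupId"], groups, enis))
```

To run it against a real VPC, replace the two constants with the CLI output (describe-network-interfaces accepts a subnet-id filter, describe-security-groups a vpc-id filter). Note that the NAT gateway's interface shows up as a subnet blocker with no instance behind it; that interface disappears only when the NAT gateway itself is deleted.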

Network ACL Operations

Describe Network ACLs

aws ec2 describe-network-acls --network-acl-ids acl-09999999999999999

Network Interface Operations