A collection of AWS security controls for Amazon VPC and related resources (such as Transit Gateway, Network Firewall, Network Manager, Traffic Mirroring, etc.). Controls include IAM policies, security groups, network access control lists, CloudWatch events and alarms for monitoring, as well as Config rules. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

VPC
VPC with Public and Private Subnets

This CloudFormation template creates a VPC with public and private subnets across multiple Availability Zones. It also provisions NAT gateways for the private subnets to enable outbound internet access.

Templates: CloudFormation
VPC Egress Only Internet Gateway

This template creates an egress-only internet gateway for your VPC. An egress-only internet gateway enables outbound communication over IPv6 from instances in your VPC to the internet, and prevents hosts outside your VPC from initiating an IPv6 connection with your instances.

Templates: CloudFormation
VPC DHCP Options

This template creates a set of DHCP options for your VPC. It specifies the domain name, domain name servers, NTP servers, NetBIOS name servers, NetBIOS node type, and tags for the DHCP options.

Templates: CloudFormation
Interface VPC Endpoint for SSM

This CloudFormation template creates a security group and an interface VPC endpoint for Systems Manager (SSM). The security group allows inbound traffic on port 443 from any IP address, and the VPC endpoint is created in the specified VPC and subnets.

Templates: CloudFormation
Gateway VPC Endpoint for Amazon S3

This CloudFormation template creates a gateway VPC endpoint for Amazon S3 in the specified VPC, allowing secure and private access to S3 resources from within the VPC.

Templates: CloudFormation
VPN Customer Gateway

This template creates a customer gateway with the specified properties. The customer gateway is used to establish a VPN connection between your network and an Amazon VPC.

Templates: CloudFormation
VPC Traffic Mirroring

Configuration to enable Traffic Mirroring from a network interface (ENI) of an Amazon EC2 instance, so that the mirrored traffic can be used for monitoring and security analysis. Traffic Mirroring supports filters and packet truncation so that only traffic of interest is mirrored.

Templates: CloudFormation, Terraform, AWS CLI
Flow Logs

Flow Logs let you capture information about the IP traffic going to and from network interfaces in your VPC. Flow Logs can be enabled at the VPC, subnet, or network interface level.

Templates: CloudFormation, Terraform, AWS CLI
Managed Prefix Lists

Configuration template to create a customer-managed prefix list with a set of IPv4 or IPv6 CIDR blocks. A prefix list supports up to 1000 entries and can be referenced in security groups and in subnet route table entries.

Templates: CloudFormation, AWS CLI
Amazon VPC Endpoints

Configuration to create a VPC endpoint in an existing VPC. VPC endpoints allow private connectivity from a VPC to supported AWS services. Both interface and gateway endpoints are supported.

Templates: CloudFormation, Terraform, AWS CLI
VPC DNS Query Logging

Configuration to enable logging of the DNS queries that originate in an Amazon VPC using the Route 53 Resolver query logging feature. Query logs can be sent to CloudWatch Logs, S3 buckets, or Kinesis Data Firehose.

Templates: CloudFormation, Terraform, AWS CLI
EC2
Create a Gateway Load Balancer endpoint

This template creates a Gateway Load Balancer endpoint that connects `myVPC` with the specified endpoint service in the current Region. The template also creates a VPC and a subnet for the endpoint.

Templates: CloudFormation
Example VPC Gateway Endpoint Configuration

This template creates a gateway endpoint that connects the VPC defined by `myVPC` with Amazon S3 in the current Region. The endpoint policy allows only the `s3:GetObject` action on the specified bucket. Traffic to Amazon S3 from the subnets that are associated with the route table specified in `RouteTableIds` is automatically routed through the gateway endpoint. The template also creates a VPC, subnet, route table, and subnet route table association for the endpoint.

Templates: CloudFormation
Example VPC Interface Endpoint Configuration

This template creates an interface endpoint for Amazon CloudWatch Logs in the current Region. Traffic to CloudWatch Logs from any subnet in the Availability Zones that contain `subnetA` and `subnetB` automatically traverses the interface endpoint. The template also creates a VPC, subnets, and a security group for the endpoint.

Templates: CloudFormation
Example VPN Connection

This template creates a VPN connection between a newly created virtual private gateway and a VPN customer gateway (with IP address 1.2.3.4). It specifies the connection type as ipsec.1 and sets the StaticRoutesOnly property to true. It also includes a VPN route for the subnet 10.0.0.0/16.

Templates: CloudFormation
VPC Peering (Same Account)

This template shows how to peer two VPCs in the same account. It uses an existing VPC as the requester VPC and creates the accepter VPC.

Templates: CloudFormation
VPN Gateway Attachment

This template creates a VPN gateway and attaches it to a VPC (vpc-12345). It also creates an internet gateway and attaches it to the same VPC.

Templates: CloudFormation
Associate an IPv4 CIDR block and an Amazon-provided IPv6 CIDR block

This template associates an IPv4 CIDR block and an Amazon-provided IPv6 CIDR block with a VPC. It also outputs the list of IPv4 CIDR block association IDs and the IPv6 CIDR blocks that are associated with the VPC.

Templates: CloudFormation
Transit Gateway

This template creates a transit gateway with the specified properties. The transit gateway can be used to interconnect virtual private clouds (VPCs) and on-premises networks. The example includes properties such as AmazonSideAsn, Description, AutoAcceptSharedAttachments, DefaultRouteTableAssociation, DnsSupport, VpnEcmpSupport, and Tags.

Templates: CloudFormation
Example Traffic Mirror Session

This template creates a traffic mirror session that mirrors the first 100 bytes of each packet. It specifies the description, network interface ID, traffic mirror target ID, traffic mirror filter ID, session number, packet length, virtual network ID, and tags for the session.

Templates: CloudFormation
Create a traffic mirror filter rule for inbound UDP traffic

This template creates a Traffic Mirror filter and a Traffic Mirror filter rule for inbound UDP traffic. The rule has a description and specifies the traffic direction as ingress. The rule number is set to 10, and it filters traffic with both the destination CIDR block and the source CIDR block set to 10.0.0.0/16. The rule action is set to accept, and the protocol is set to 17 (UDP). The source port range is 10 to 50, and the destination port range is 50 to 100.

Templates: CloudFormation
Traffic Mirror Filter

This template creates a traffic mirror filter with the description 'Example traffic mirror filter'. It configures mirroring of Amazon DNS network services.

Templates: CloudFormation
Example VPC Route Table

This template creates a route table for the specified VPC (vpc-123456). The route table is tagged with the key-value pair 'stack: production'.

Templates: CloudFormation
Route to IGW

This template creates a route in a route table (rtb-123456789) that points to an internet gateway that is also created in the template. The destination CIDR block is set to `0.0.0.0/0`, which matches all IPv4 addresses.

Templates: CloudFormation
Managed Prefix List

This template creates an IPv4 prefix list with a maximum of 10 entries. It adds two entries to the prefix list, each with a CIDR block and a description.

Templates: CloudFormation
Grant INSTANCE-ATTACH Permission to an ENI

This template creates a permission for a specified network interface and AWS account. It grants the specified AWS account permission to attach the network interface to an instance.

Templates: CloudFormation
Network Interface Attachment

This template creates a network interface attachment that attaches an elastic network interface (ENI) to an Amazon EC2 instance. The `InstanceId` property specifies the instance to attach the network interface to, the `NetworkInterfaceId` property specifies the network interface to attach, and the `DeviceIndex` property specifies the device index for the attachment.

Templates: CloudFormation
Example Network Interface Configuration

This template creates a standalone elastic network interface (ENI) with the specified properties. The ENI has a description, has source/destination checking disabled, is associated with a security group, is associated with a subnet, and has a private IP address of 10.0.0.16.

Templates: CloudFormation
NAT Gateway with Route Entry

This template creates a public NAT gateway and a route that sends all internet-bound traffic from the private subnet (subnet-123456789) containing EC2 instances to the NAT gateway. A public NAT gateway uses an Elastic IP address to provide it with a public IP address that doesn't change. The template includes the creation of the NAT gateway, an Elastic IP address, and a route table entry.

Templates: CloudFormation
Internet Gateway with VPC Attachment

This template creates an internet gateway and assigns it a tag. The internet gateway is allocated for use with a VPC. The template also includes an attachment to a VPC (vpc-123456).

Templates: CloudFormation
Custom Format Flow Log Configuration

This template creates a flow log for the specified subnet and captures ACCEPT traffic. The flow log uses a custom log format and is published to a newly created Amazon S3 bucket. The logs are aggregated over 60-second intervals and published in Parquet format in Hive-compatible prefixes partitioned on an hourly basis. The flow log is created with two tags.

Templates: CloudFormation
Configure VPC Flow Logs to CloudWatch (Includes IAM Role)

This template creates a flow log for the specified VPC and captures all traffic types. The flow log is published to the newly created `FlowLogsGroup` log group in CloudWatch Logs, and the template includes the IAM role with the necessary permissions.

Templates: CloudFormation
Allocate an Elastic IP Address and Associate with a Network Interface

This template creates an Elastic IP address and a network interface, and associates the Elastic IP address with the network interface. The template uses the ID of an existing subnet and an example IP address from the subnet CIDR range.

Templates: CloudFormation
VPC Security Group with Egress and Ingress Rules

This template creates two VPC security groups with egress and ingress rules. The `SourceSG` security group allows outbound traffic to the `TargetSG` security group, and the `TargetSG` security group allows inbound traffic from the `SourceSG` security group. Both the outbound rule and the inbound rule allow TCP traffic on ports 0 to 65535.

Templates: CloudFormation
Security Group
Custom Security Group

Build a custom security group.

Templates: CloudFormation, Terraform, AWS CLI
Web Server Security Group

A security group that allows inbound web traffic (TCP ports 80 and 443).

Templates: CloudFormation, Terraform, AWS CLI
Remote Desktop Protocol (RDP) Security Group

A security group that allows inbound RDP traffic (TCP port 3389).

Templates: CloudFormation, Terraform, AWS CLI
SSH Security Group

A security group that allows inbound SSH traffic (TCP port 22).

Templates: CloudFormation, Terraform, AWS CLI
Microsoft Active Directory Security Group

A security group that allows domain controller services on Microsoft Active Directory servers.

Templates: CloudFormation, Terraform, AWS CLI
DNS Server Security Group

A security group that allows inbound DNS traffic (TCP and UDP port 53).

Templates: CloudFormation, Terraform, AWS CLI
ICMP Security Group

A security group that allows inbound ICMP traffic.

Templates: CloudFormation, Terraform, AWS CLI
MariaDB Security Group

A security group that allows inbound access to a MariaDB instance.

Templates: CloudFormation, Terraform, AWS CLI
Microsoft SQL Server Security Group

A security group that allows inbound access to a Microsoft SQL Server instance.

Templates: CloudFormation, Terraform, AWS CLI
MySQL DB Security Group

A security group that allows inbound access to a MySQL server instance.

Templates: CloudFormation, Terraform, AWS CLI
Oracle DB Security Group

A security group that allows inbound access to an Oracle server instance.

Templates: CloudFormation, Terraform, AWS CLI
PostgreSQL DB Security Group

A security group that allows inbound access to a PostgreSQL server instance.

Templates: CloudFormation, Terraform, AWS CLI
Amazon EFS Security Group

A security group for Amazon EFS that allows inbound NFS access (TCP 2049) from resources (including the mount target) associated with this security group.

Templates: CloudFormation, Terraform, AWS CLI
Redshift Cluster Security Group

A security group that allows inbound access to an Amazon Redshift cluster (TCP 5439).

Templates: CloudFormation, Terraform, AWS CLI
Amazon OpenSearch Security Group

A security group that allows inbound access to an Amazon OpenSearch domain (TCP 443 and 80).

Templates: CloudFormation, Terraform, AWS CLI
Config Rule
Security Groups SSH Restricted Check

Checks whether security groups in use do not allow unrestricted incoming SSH traffic. This rule applies only to IPv4.

Templates: CloudFormation, Terraform, AWS CLI
Security Groups Unrestricted Common Ports Check

Checks whether security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. This rule applies only to IPv4.

Templates: CloudFormation, Terraform, AWS CLI
No EC2 Instances in Public Subnets Check

Checks that no EC2 instances are in a public subnet.

Templates: CloudFormation, Terraform, AWS CLI
Security Groups Do Not Allow All Protocols Check

Checks that security groups do not have an inbound rule with a protocol of 'All'.

Templates: CloudFormation, Terraform, AWS CLI
Security Groups Do Not Allow All Ports Check

Checks that security groups do not have an inbound rule with a port range of 'All'.

Templates: CloudFormation, Terraform, AWS CLI
Launch Wizard Security Groups are Not Used Check

Checks that security groups prefixed with "launch-wizard" are not associated with network interfaces.

Templates: CloudFormation, Terraform, AWS CLI
Default Security Group Closed Check

A Config rule that checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule returns NOT_APPLICABLE if the security group is not the default one. The rule is NON_COMPLIANT if the default security group allows any inbound or outbound traffic.

Templates: CloudFormation, Terraform, AWS CLI
VPC Flow Logs Enabled Check

A Config rule that checks whether Amazon Virtual Private Cloud flow logs are found and enabled for each Amazon VPC.

Templates: CloudFormation, Terraform, AWS CLI
VPC VPN Tunnels Status Check

A Config rule that checks that both AWS Virtual Private Network tunnels provided by AWS Site-to-Site VPN are in UP status. The rule returns NON_COMPLIANT if one or both tunnels are in DOWN status.

Templates: CloudFormation, Terraform, AWS CLI
Internet Gateways Attached to Authorized VPCs Only Check

A Config rule that checks that internet gateways (IGWs) are only attached to authorized Amazon Virtual Private Clouds (VPCs). The rule is NON_COMPLIANT if an IGW is attached to a VPC that is not authorized.

Templates: CloudFormation, Terraform, AWS CLI
VPC Endpoints Enabled

A Config rule that checks whether a service endpoint for the service given in the rule parameter is created for each Amazon VPC. The rule returns NON_COMPLIANT if an Amazon VPC doesn't have a VPC endpoint created for the service.

Templates: CloudFormation, Terraform, AWS CLI
Subnet Auto-Assign Public IP Disabled Check

A Config rule that checks if Amazon Virtual Private Cloud (Amazon VPC) subnets are configured to auto-assign a public IP address. The rule is COMPLIANT if the Amazon VPC has no subnets that auto-assign a public IP address. The rule is NON_COMPLIANT if the Amazon VPC has subnets that auto-assign a public IP address.

Templates: CloudFormation, Terraform, AWS CLI
NACL Does Not Allow Unrestricted SSH or RDP Check

A Config rule that checks if the default ports for SSH/RDP ingress traffic in network access control lists (NACLs) are unrestricted. The rule is NON_COMPLIANT if a NACL inbound entry allows a source TCP or UDP CIDR block for ports 22 or 3389.

Templates: CloudFormation, Terraform, AWS CLI
No Unrestricted Route To IGW Check

A Config rule that checks if there are public routes in the route table to an internet gateway (IGW). The rule is NON_COMPLIANT if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0', or if a destination CIDR block does not match the rule parameter.

Templates: CloudFormation, Terraform, AWS CLI
Check if AWS Client VPN authorization rules authorize connection access for all clients

Checks if the AWS Client VPN authorization rules authorize connection access for all clients. The rule is NON_COMPLIANT if 'AccessAll' is present and set to true.

Templates: CloudFormation
Check for unused network ACLs

Checks if there are unused network access control lists (network ACLs). The rule is COMPLIANT if each network ACL is associated with a subnet. The rule is NON_COMPLIANT if a network ACL is not associated with a subnet.

Templates: CloudFormation
Service Control Policy
Prevent Any VPC That Doesn't Already Have Internet Access from Getting It

This SCP prevents users or roles in any affected account from changing the configuration of your Amazon EC2 virtual private clouds (VPCs) to grant them direct access to the internet. It doesn't block existing direct access or any access that routes through your on-premises network environment.

Templates: CloudFormation, Terraform, AWS CLI
Protect VPC Connectivity Settings from Modification

This SCP restricts IAM principals in an AWS account from creating, updating or deleting settings for Internet Gateways, NAT Gateways, VPC Peering, VPN Gateways, Client VPN, Direct Connect and Global Accelerator.

Templates: CloudFormation, Terraform, AWS CLI
Protect VPC Internet and NAT Gateway Settings from any Modifications

This SCP restricts IAM principals in an AWS account from creating, updating or deleting Internet Gateways and NAT Gateways.

Templates: CloudFormation, Terraform, AWS CLI
Prevent Users from Deleting Amazon VPC Flow Logs

This SCP prevents users or roles in any affected account from deleting Amazon EC2 flow logs or CloudWatch Logs log groups or log streams.

Templates: CloudFormation, Terraform, AWS CLI
Restrict VPC CIDR to Specific IP Pools from Amazon VPC IPAM (IP Address Manager)

This SCP restricts users in your AWS Organizations account to creating VPCs with CIDRs from a specific IPv4 pool and to associating CIDRs from that pool with VPCs. Users in the account will not be able to create VPCs with CIDRs, or associate CIDRs with VPCs, from any pool other than the one you choose.

Templates: CloudFormation, Terraform, AWS CLI
Prevent Users from Creating Default VPC and Subnet

This SCP prevents users or roles in any affected account from creating a default VPC or default subnets.

Templates: CloudFormation, Terraform, AWS CLI