giuseppe-trisciuoglio/developer-kit

Comprehensive developer toolkit providing reusable skills for Java/Spring Boot, TypeScript/NestJS/React/Next.js, Python, PHP, AWS CloudFormation, AI/RAG, DevOps, and more.

File: plugins/developer-kit-aws/skills/aws-cloudformation/aws-cloudformation-vpc/references/reference.md

AWS CloudFormation VPC - Reference

This reference guide contains detailed information about AWS CloudFormation resources, intrinsic functions, and configurations for VPC infrastructure.

AWS::EC2::VPC

Creates an Amazon Virtual Private Cloud (VPC).

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| CidrBlock | String | Yes | The IPv4 CIDR block for the VPC (between /16 and /28) |
| EnableDnsHostnames | Boolean | No | Whether instances launched in the VPC get public DNS hostnames; only takes effect when EnableDnsSupport is also true |
| EnableDnsSupport | Boolean | No | Whether DNS resolution through the Amazon-provided resolver is supported in the VPC |
| InstanceTenancy | String | No | The tenancy of instances launched into the VPC (default, dedicated, host) |
| Tags | List of Tag | No | Tags assigned to the VPC |

Example

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: my-vpc

Attributes

| Attribute | Description |
|---|---|
| CidrBlock | The primary IPv4 CIDR block of the VPC |
| DefaultNetworkAcl | The ID of the default network ACL |
| DefaultSecurityGroup | The ID of the default security group |
| VpcId | The VPC ID (the same value that `!Ref` returns) |

AWS::EC2::Subnet

Creates a subnet in the specified VPC.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| AvailabilityZone | String | No | The Availability Zone of the subnet; if omitted AWS chooses one, so set it explicitly for a deterministic layout |
| CidrBlock | String | Yes | The IPv4 CIDR block for the subnet (must lie inside the VPC CIDR) |
| MapPublicIpOnLaunch | Boolean | No | Whether instances launched in this subnet receive a public IPv4 address; leave it false on private subnets |
| Tags | List of Tag | No | Tags assigned to the subnet |
| VpcId | String | Yes | The ID of the VPC |

Example

Resources:
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: public-subnet

Attributes

| Attribute | Description |
|---|---|
| AvailabilityZone | The Availability Zone of the subnet |
| CidrBlock | The IPv4 CIDR block of the subnet |
| SubnetId | The subnet ID (the same value that `!Ref` returns) |
| VpcId | The ID of the VPC the subnet belongs to |

AWS::EC2::InternetGateway

Creates an internet gateway for use with a VPC.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| Tags | List of Tag | No | Tags assigned to the internet gateway |

Example

Resources:
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: my-igw

Attributes

| Attribute | Description |
|---|---|
| InternetGatewayId | The internet gateway ID (the same value that `!Ref` returns) |

AWS::EC2::VPCGatewayAttachment

Attaches an internet gateway or a virtual private gateway to a VPC.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| InternetGatewayId | String | Conditional | The ID of the internet gateway (specify either InternetGatewayId or VpnGatewayId, not both) |
| VpcId | String | Yes | The ID of the VPC |
| VpnGatewayId | String | Conditional | The ID of the virtual private gateway |

Example

Resources:
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

AWS::EC2::NatGateway

Creates a NAT gateway in the specified subnet.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| AllocationId | String | Yes | The allocation ID of an Elastic IP address to associate with the NAT gateway |
| SubnetId | String | Yes | The public subnet in which to create the NAT gateway |
| Tags | List of Tag | No | Tags assigned to the NAT gateway |

Example

Resources:
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      # NatGatewayEIP is the AWS::EC2::EIP resource defined in the next section
      AllocationId: !GetAtt NatGatewayEIP.AllocationId
      # Must be a public subnet (one whose route table sends 0.0.0.0/0 to the internet gateway)
      SubnetId: !Ref PublicSubnet
      Tags:
        - Key: Name
          Value: my-nat-gw

Attributes

| Attribute | Description |
|---|---|
| NatGatewayId | The NAT gateway ID (the same value that `!Ref` returns) |

AWS::EC2::EIP

Allocates an Elastic IP address. The address is associated with an instance only if InstanceId is set; association with a network interface is done separately with AWS::EC2::EIPAssociation.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| Domain | String | No | Set to `vpc`; the `standard` (EC2-Classic) value is retired |
| InstanceId | String | No | The ID of the instance to associate the address with |
| Tags | List of Tag | No | Tags assigned to the Elastic IP address |

Example

Resources:
  NatGatewayEIP:
    Type: AWS::EC2::EIP
    # An Elastic IP for a VPC cannot be allocated before the internet gateway is
    # attached; the attachment resource is named VPCGatewayAttachment above
    DependsOn: VPCGatewayAttachment
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: nat-gw-eip

Attributes

| Attribute | Description |
|---|---|
| AllocationId | The allocation ID of the Elastic IP address |
| PublicIp | The public IPv4 address (the same value that `!Ref` returns) |

AWS::EC2::RouteTable

Creates a route table for the specified VPC.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| Tags | List of Tag | No | Tags assigned to the route table |
| VpcId | String | Yes | The ID of the VPC |

Example

Resources:
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: my-route-table

Attributes

| Attribute | Description |
|---|---|
| RouteTableId | The route table ID (the same value that `!Ref` returns) |

AWS::EC2::Route

Creates a route in a route table within a VPC.

Properties

Exactly one destination (IPv4 or IPv6) and exactly one target must be specified.

| Property | Type | Required | Description |
|---|---|---|---|
| DestinationCidrBlock | String | Conditional | The IPv4 CIDR block used for the destination match |
| DestinationIpv6CidrBlock | String | Conditional | The IPv6 CIDR block used for the destination match |
| EgressOnlyInternetGatewayId | String | Conditional | The ID of an egress-only internet gateway (IPv6 only) |
| GatewayId | String | Conditional | The ID of an internet gateway or virtual private gateway |
| InstanceId | String | Conditional | The ID of a NAT instance |
| NatGatewayId | String | Conditional | The ID of a NAT gateway |
| NetworkInterfaceId | String | Conditional | The ID of a network interface |
| RouteTableId | String | Yes | The ID of the route table |
| TransitGatewayId | String | Conditional | The ID of a transit gateway |
| VpcPeeringConnectionId | String | Conditional | The ID of a VPC peering connection |

Example

Resources:
  DefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

AWS::EC2::SubnetRouteTableAssociation

Associates a subnet with a route table.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| RouteTableId | String | Yes | The ID of the route table |
| SubnetId | String | Yes | The ID of the subnet |

Example

Resources:
  SubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      # A subnet not explicitly associated uses the VPC's main route table
      SubnetId: !Ref PublicSubnet

AWS::EC2::SecurityGroup

Creates a security group. Security groups are stateful: replies to permitted inbound traffic are allowed out regardless of the egress rules. If SecurityGroupEgress is omitted, CloudFormation adds a default rule that allows all outbound traffic, so declare egress explicitly when outbound access should be restricted.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| GroupDescription | String | Yes | A description of the security group (immutable after creation) |
| GroupName | String | No | The name of the security group; omit it so CloudFormation generates one and updates that require replacement do not collide |
| SecurityGroupEgress | List of IpPermission | No | Outbound rules; when omitted, all outbound traffic is allowed |
| SecurityGroupIngress | List of IpPermission | No | Inbound rules; each rule takes a CidrIp, CidrIpv6, SourceSecurityGroupId or SourcePrefixListId |
| Tags | List of Tag | No | Tags assigned to the security group |
| VpcId | String | No | The ID of the VPC; always set it, otherwise the group is created in the default VPC |

Example

Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: My security group
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: my-sg

Security Group Ingress Example

Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group with various rules
      VpcId: !Ref VPC
      SecurityGroupIngress:
        # Allow HTTP from anywhere
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        # Allow SSH from specific CIDR
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.0/16
        # Allow PostgreSQL from security group
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          SourceSecurityGroupId: !Ref OtherSecurityGroup
        # Allow all ICMP
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 10.0.0.0/16
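The two examples above show the rule shapes that matter in review: a source of 0.0.0.0/0 on ports other than 80/443, a group with no explicit egress, and a group with no VpcId. The following is an added example, not code from the developer-kit reference: a small Python audit that checks AWS::EC2::SecurityGroup resources for those conditions. The template is a constructed Python dict in CloudFormation's JSON form, where `{"Ref": "VPC"}` is the JSON spelling of the YAML `!Ref VPC`; the set of ports treated as acceptable for internet exposure (80 and 443) and the severity labels are this example's own choices, not a standard.

```python
"""Audit AWS::EC2::SecurityGroup resources in a CloudFormation template.

Added example, not part of the developer-kit reference. SAMPLE_TEMPLATE is a
constructed template in JSON form ({"Ref": "VPC"} == YAML !Ref VPC).
"""
import ipaddress

# Ports this example accepts on an edge-facing group open to the internet (assumption)
PUBLIC_OK_PORTS = {80, 443}

SAMPLE_TEMPLATE = {  # constructed sample input
    "Resources": {
        "WebSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Web tier",
                "VpcId": {"Ref": "VPC"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "BastionSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Bastion host",
                "VpcId": {"Ref": "VPC"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ],
                "SecurityGroupEgress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "DestinationSecurityGroupId": {"Ref": "AppSG"}},
                ],
            },
        },
        "DbSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Database tier",
                "VpcId": {"Ref": "VPC"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                     "SourceSecurityGroupId": {"Ref": "AppSG"}},
                ],
            },
        },
    }
}


def _is_world(rule):
    """True when the rule's source is the whole IPv4 (0.0.0.0/0) or IPv6 (::/0) internet."""
    for key in ("CidrIp", "CidrIpv6"):
        cidr = rule.get(key)
        if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return True
    return False


def audit_security_groups(template):
    """Return (logical_id, severity, message) findings for every security group."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = res.get("Properties", {})
        if "VpcId" not in props:
            findings.append((logical_id, "HIGH", "VpcId not set; group would land in the default VPC"))
        # CloudFormation adds an allow-all egress rule when SecurityGroupEgress is omitted
        if "SecurityGroupEgress" not in props:
            findings.append((logical_id, "MEDIUM",
                             "no SecurityGroupEgress: default rule allows all outbound traffic"))
        for rule in props.get("SecurityGroupIngress", []):
            if not _is_world(rule):
                continue  # scoped to a CIDR or to another security group
            proto = str(rule.get("IpProtocol"))
            lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
            if proto == "-1":
                findings.append((logical_id, "CRITICAL", "all protocols and ports open to the internet"))
            elif proto not in ("tcp", "6") or lo != hi or lo not in PUBLIC_OK_PORTS:
                findings.append((logical_id, "HIGH", f"{proto} ports {lo}-{hi} open to the internet"))
    return findings
```

Run as a pre-deploy check by loading the template with a CloudFormation-aware YAML loader (or converting it to JSON with `aws cloudformation get-template`) and failing the pipeline on any HIGH or CRITICAL finding.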

AWS::EC2::VPCEndpoint

Creates a VPC endpoint. A Gateway endpoint (S3 and DynamoDB only) is a route-table target and carries no security group; an Interface endpoint creates an elastic network interface in each listed subnet, is protected by security groups, and can override the service's public DNS name inside the VPC when PrivateDnsEnabled is true. Both types accept a PolicyDocument that limits what can be reached through the endpoint.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| PolicyDocument | Json | No | Endpoint policy controlling which principals, actions and resources are reachable through the endpoint; the default allows full access |
| PrivateDnsEnabled | Boolean | No | Whether to associate a private hosted zone with the VPC so the service's default DNS name resolves to the endpoint (Interface endpoint only) |
| RouteTableIds | List of String | Conditional | The IDs of the route tables that get a route to the endpoint (Gateway endpoint only) |
| SecurityGroupIds | List of String | Conditional | The IDs of the security groups applied to the endpoint network interfaces (Interface endpoint only) |
| ServiceName | String | Yes | The service name, e.g. com.amazonaws.<region>.s3 |
| SubnetIds | List of String | Conditional | The IDs of the subnets in which to create endpoint network interfaces (Interface endpoint only) |
| VpcEndpointType | String | No | Interface, Gateway or GatewayLoadBalancer; defaults to Gateway |
| VpcId | String | Yes | The ID of the VPC |

Example - Gateway Endpoint

Resources:
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds:
        - !Ref PrivateRouteTable

Example - Interface Endpoint

Resources:
  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      # Required here: the default type is Gateway, which Secrets Manager does not support
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager
      SubnetIds:
        - !Ref PrivateSubnet1
        - !Ref PrivateSubnet2
      # EndpointSecurityGroup is assumed to exist in the template; it must allow
      # TCP 443 inbound from the security groups of the consuming workloads
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      PrivateDnsEnabled: true

AWS::EC2::VPCPeeringConnection

Creates a VPC peering connection between two VPCs. The two VPCs must not have overlapping CIDR blocks, and an active connection carries no traffic by itself: each side still needs routes pointing at the connection and security group rules that admit the peer's addresses. Cross-account peering additionally requires PeerRoleArn.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| PeerVpcId | String | Yes | The ID of the VPC with which you are creating the peering connection |
| PeerOwnerId | String | No | The AWS account ID of the owner of the peer VPC (defaults to the current account) |
| PeerRegion | String | No | The Region of the peer VPC (required for cross-Region peering) |
| PeerRoleArn | String | Conditional | ARN of a role in the peer account that CloudFormation assumes to accept the connection (required for cross-account peering) |
| Tags | List of Tag | No | Tags assigned to the VPC peering connection |
| VpcId | String | Yes | The ID of the requester VPC |

Example

Resources:
  VPCPeeringConnection:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      VpcId: !Ref VPC
      PeerVpcId: !Ref PeerVpcId
      PeerOwnerId: !Ref PeerOwnerId
      Tags:
        - Key: Name
          Value: peering-connection

AWS::EC2::NetworkAcl

Creates a network ACL in a VPC. Network ACLs are stateless and apply at the subnet boundary: entries are evaluated in ascending RuleNumber order, the first matching entry decides, and anything unmatched hits the final implicit deny. Because they are stateless, every allowed inbound flow needs a matching outbound entry for the reply (typically ephemeral ports 1024-65535), and vice versa.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| Tags | List of Tag | No | Tags assigned to the network ACL |
| VpcId | String | Yes | The ID of the VPC |

Example

Resources:
  NetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: my-nacl

AWS::EC2::NetworkAclEntry

Creates an entry in a network ACL.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| CidrBlock | String | Conditional | The IPv4 CIDR range for the rule (specify CidrBlock or Ipv6CidrBlock) |
| Egress | Boolean | No | Whether this rule applies to outbound traffic (default false, i.e. inbound) |
| Ipv6CidrBlock | String | Conditional | The IPv6 CIDR range for the rule |
| NetworkAclId | String | Yes | The ID of the network ACL |
| PortRange | PortRange | Conditional | The port range (`From`, `To`) for the rule; TCP and UDP only |
| Protocol | Integer | Yes | The IANA protocol number (6 = TCP, 17 = UDP, 1 = ICMP, -1 = all) |
| RuleAction | String | Yes | allow or deny |
| RuleNumber | Integer | Yes | The rule number (1-32766); lower numbers are evaluated first |

Example

Resources:
  NetworkAclEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref NetworkAcl
      RuleNumber: 100
      Protocol: 6          # TCP
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
      # One port per entry: a range such as 80-443 would also admit every port in
      # between. Add a second entry (e.g. RuleNumber 110) for port 80, and an
      # Egress: true entry for ports 1024-65535 so replies can leave the subnet.
      PortRange:
        From: 443
        To: 443

AWS::EC2::CustomerGateway

Creates a customer gateway.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| BgpAsn | Integer | Yes | The customer gateway's Border Gateway Protocol (BGP) Autonomous System Number |
| IpAddress | String | Yes | The public IPv4 address of the customer gateway device |
| Tags | List of Tag | No | Tags assigned to the customer gateway |
| Type | String | Yes | The type of customer gateway (ipsec.1) |

Example

Resources:
  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      BgpAsn: 65001
      IpAddress: 203.0.113.1
      Type: ipsec.1
      Tags:
        - Key: Name
          Value: my-cgw

AWS::EC2::VPNGateway

Creates a virtual private gateway.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| Tags | List of Tag | No | Tags assigned to the virtual private gateway |
| Type | String | Yes | The type of VPN gateway (ipsec.1) |

Example

Resources:
  VPNGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
      Tags:
        - Key: Name
          Value: my-vpn-gw

AWS::EC2::VPNConnection

Creates a VPN connection between a virtual private gateway and a customer gateway.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| CustomerGatewayId | String | Yes | The ID of the customer gateway |
| StaticRoutesOnly | Boolean | No | Use static routes instead of BGP; set true when the customer gateway device does not support BGP |
| Tags | List of Tag | No | Tags assigned to the VPN connection |
| TransitGatewayId | String | Conditional | The ID of the transit gateway (specify VpnGatewayId or TransitGatewayId) |
| Type | String | Yes | The type of VPN connection (ipsec.1) |
| VpnGatewayId | String | Conditional | The ID of the virtual private gateway |

Example

Resources:
  VPNConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      CustomerGatewayId: !Ref CustomerGateway
      VpnGatewayId: !Ref VPNGateway
      Type: ipsec.1
      StaticRoutesOnly: true
      Tags:
        - Key: Name
          Value: my-vpn

AWS::EC2::FlowLog

Creates a flow log for a VPC, subnet, or network interface.

Properties

| Property | Type | Required | Description |
|---|---|---|---|
| DeliverLogsPermissionArn | String | Conditional | ARN of the IAM role the flow logs service assumes to write to CloudWatch Logs; required for the cloud-watch-logs destination, not used for S3 or Firehose |
| LogDestinationType | String | No | Where to publish: cloud-watch-logs (default), s3 or kinesis-data-firehose |
| LogGroupName | String | Conditional | Name of the CloudWatch Logs log group (alternative to LogDestination for that destination type) |
| LogDestination | String | Conditional | ARN of the destination: a log group, an S3 bucket (optionally with a key prefix) or a Firehose delivery stream |
| LogFormat | String | No | Custom record format; omit for the default format |
| MaxAggregationInterval | Integer | No | Capture window in seconds, 60 or 600 (default) |
| ResourceId | String | Yes | The ID of the VPC, subnet or network interface |
| ResourceType | String | Yes | VPC, Subnet or NetworkInterface |
| Tags | List of Tag | No | Tags assigned to the flow log |
| TrafficType | String | Yes | ACCEPT, REJECT or ALL |

Example - CloudWatch Logs

Resources:
  FlowLogsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: vpc-flow-logs.amazonaws.com
            Action: sts:AssumeRole
      # The role also needs permission to write; without it the flow log is
      # created but delivery fails silently (visible as DeliverLogsErrorMessage)
      Policies:
        - PolicyName: flow-logs-to-cloudwatch
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogStreams
                Resource: !GetAtt FlowLogGroup.Arn
              - Effect: Allow
                Action: logs:DescribeLogGroups
                Resource: "*"

  FlowLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/vpc/flow-logs
      # Flow logs are high volume; set a retention that matches your investigation window
      RetentionInDays: 90

  FlowLog:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceId: !Ref VPC
      ResourceType: VPC
      TrafficType: ALL
      LogDestinationType: cloud-watch-logs
      LogGroupName: !Ref FlowLogGroup
      DeliverLogsPermissionArn: !GetAtt FlowLogsRole.Arn
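Once records arrive, the value of TrafficType ALL (or REJECT) is the REJECT entries: they show what security groups and network ACLs turned away. The following is an added example, not code from the developer-kit reference: a Python triage that parses records in the default flow log format and reports external sources whose rejected connections touched several distinct ports on a VPC host. The records are constructed for the example, the VPC CIDR is passed in so intra-VPC rejects can be set aside, and the port threshold is an arbitrary tuning value.

```python
"""Triage VPC Flow Log records for rejected inbound connections.

Added example, not part of the developer-kit reference. SAMPLE_RECORDS is
constructed in the default flow log format (14 space-separated fields).
"""
import ipaddress
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample: 203.0.113.9 sweeps four ports on 10.0.1.25 and is rejected,
# 198.51.100.4 is a legitimate HTTPS client, 10.0.2.14 is an internal reject,
# and the last line is a NODATA record with no traffic fields.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 51000 22 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 51001 3389 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 51002 445 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 51003 5432 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.25 40000 443 6 12 5400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.14 10.0.1.25 40001 8080 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_record(line):
    """Return a dict for one record, or None for NODATA/SKIPDATA or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA/SKIPDATA lines carry '-' in the traffic fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def rejected_scanners(text, vpc_cidr, threshold=3):
    """Map external source -> sorted rejected destination ports, for sources at or over threshold."""
    vpc = ipaddress.ip_network(vpc_cidr)
    ports = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        if ipaddress.ip_address(rec["srcaddr"]) in vpc:
            continue  # intra-VPC rejects are usually misconfiguration, triage them separately
        ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}
```

With a custom LogFormat the field list changes; keep FIELDS in step with the format string you configure on the flow log.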

Intrinsic Functions Reference

!Ref

Returns the value of the specified parameter or resource.

# Reference a parameter
VpcId: !Ref VPCId

# Reference a resource (returns the physical ID)
VpcId: !Ref VPC

!GetAtt

Returns the value of an attribute from a resource.

# Get the allocation ID from an EIP
AllocationId: !GetAtt EIP.AllocationId

# Get the CIDR block from a VPC
CidrBlock: !GetAtt VPC.CidrBlock

!Sub

Substitutes variables in an input string with their values.

# With variable substitution
Name: !Sub ${AWS::StackName}-vpc

# Without variable substitution
Name: !Sub "literal-string"

!Join

Combines a list of values into a single string.

# Join subnet IDs into a comma-separated string, e.g. for a stack Output.
# A property typed List of String (such as SubnetIds) takes the list itself, not a joined string.
Value: !Join [",", [!Ref Subnet1, !Ref Subnet2, !Ref Subnet3]]

!Select

Returns a single object from a list of objects.

# Select first AZ
AvailabilityZone: !Select [0, !GetAZs '']

# Select specific subnet CIDR
CidrBlock: !Select [0, !Ref SubnetCidrs]

!FindInMap

Returns the value corresponding to keys in a two-level map.

# Find in mapping
ImageId: !FindInMap [RegionMap, !Ref AWS::Region, HVM64]

!If

Returns one value if the specified condition is true and another value if the condition is false.

# Conditional value
SubnetId: !If [IsProduction, !Ref ProdSubnet, !Ref DevSubnet]

!Equals

Compares two values and returns true if the values are equal.

# Condition
IsProduction: !Equals [!Ref Environment, production]

!And

Returns true if all specified conditions are true.

# Multiple conditions
ShouldDeploy: !And [!Condition UseNat, !Condition IsProduction]

!Or

Returns true if any specified condition is true.

# Any condition
ShouldDeploy: !Or [!Condition IsProduction, !Condition UseNat]

!Not

Returns true if the specified condition is false.

# Negation
NotDevelopment: !Not [!Equals [!Ref Environment, development]]

!ImportValue

Returns the value of an output exported by another stack in the same account and Region.

# Import a value whose export name is built from a parameter. Fn::Sub is written
# in long form here because two short-form tags (!ImportValue !Sub) cannot be nested.
VpcId: !ImportValue
  Fn::Sub: ${NetworkStackName}-VpcId

!GetAZs

Returns a list of Availability Zones for the specified region.

# Get all AZs in current region
AvailabilityZones: !GetAZs ''

Common CIDR Blocks

Private IPv4 Address Ranges

| CIDR Block | Range | Typical Use |
|---|---|---|
| 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255 | Large private networks |
| 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255 | Medium private networks |
| 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255 | Small private networks |

Recommended VPC CIDR Blocks

The figures below are total addresses in the block. AWS reserves five addresses in every subnet (network, router, DNS, future use, broadcast), so the usable count is always lower once the VPC is carved into subnets.

| VPC Size | CIDR Block | Total Addresses |
|---|---|---|
| /16 | 10.0.0.0/16 | 65,536 |
| /17 | 10.0.0.0/17 | 32,768 |
| /18 | 10.0.0.0/18 | 16,384 |
| /19 | 10.0.0.0/19 | 8,192 |
| /20 | 10.0.0.0/20 | 4,096 |
| /21 | 10.0.0.0/21 | 2,048 |
| /22 | 10.0.0.0/22 | 1,024 |
| /24 | 10.0.0.0/24 | 256 |

Subnet sizing for a 10.0.0.0/16 VPC

One public/private pair per Availability Zone; public subnets use 10.0.1.0 onward and private subnets 10.0.10.0 onward, leaving room to add Availability Zones without renumbering. Usable IPs are 256 minus the five AWS reserves per subnet.

| Subnet Type | CIDR Block | Size | Usable IPs |
|---|---|---|---|
| Public (AZ 1) | 10.0.1.0/24 | /24 | 251 |
| Private (AZ 1) | 10.0.10.0/24 | /24 | 251 |
| Public (AZ 2) | 10.0.2.0/24 | /24 | 251 |
| Private (AZ 2) | 10.0.11.0/24 | /24 | 251 |
| Public (AZ 3) | 10.0.3.0/24 | /24 | 251 |
| Private (AZ 3) | 10.0.12.0/24 | /24 | 251 |
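The sizing arithmetic above, and the non-overlap requirement from the VPC peering section, are worth checking mechanically before a template is written. The following is an added example, not code from the developer-kit reference: it uses Python's standard `ipaddress` module to carve a VPC CIDR into per-AZ public/private subnets in the layout of the table, compute usable addresses with AWS's five reserved per subnet, verify that every subnet lies inside the VPC without overlapping another, and test two VPC CIDRs for overlap. The VPC and peer CIDRs are constructed inputs; the public-from-block-1 and private-from-block-10 offsets are parameters chosen to match the table.

```python
"""Subnet planning and overlap checks with the ipaddress module.

Added example, not part of the developer-kit reference. The layout offsets
(public subnets from block 1, private from block 10) are parameters that
reproduce the reference table; change them for other layouts.
"""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def usable_addresses(cidr):
    """Addresses available to instances in a subnet of this size."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, az_count, subnet_prefix=24, public_offset=1, private_offset=10):
    """Return {"public": [...], "private": [...]} with one subnet of each tier per AZ."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    blocks = list(vpc.subnets(new_prefix=subnet_prefix))
    if private_offset + az_count > len(blocks) or public_offset + az_count > private_offset:
        raise ValueError("VPC too small for the requested layout")
    return {
        "public": [str(blocks[public_offset + i]) for i in range(az_count)],
        "private": [str(blocks[private_offset + i]) for i in range(az_count)],
    }


def overlaps(cidr_a, cidr_b):
    """True when the two CIDRs share any address; VPC peering requires this to be False."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def check_layout(vpc_cidr, plan):
    """Every subnet must lie inside the VPC and no two subnets may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for tier in plan.values() for c in tier]
    inside = all(n.subnet_of(vpc) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint
```

Feed the plan into parameters or a Mappings section rather than hard-coding CIDRs in each AWS::EC2::Subnet resource; the overlap check is the one to run before requesting a peering connection with another team's VPC.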

AWS Service Endpoints

Common S3 Gateway Endpoints

| Region | Service Name |
|---|---|
| us-east-1 | com.amazonaws.us-east-1.s3 |
| us-west-2 | com.amazonaws.us-west-2.s3 |
| eu-west-1 | com.amazonaws.eu-west-1.s3 |

Common Interface Endpoints

| Service | Service Name Pattern |
|---|---|
| Secrets Manager | com.amazonaws.{region}.secretsmanager |
| SSM | com.amazonaws.{region}.ssm |
| CloudWatch Logs | com.amazonaws.{region}.logs |
| ECR API | com.amazonaws.{region}.ecr.api |
| ECR DKR | com.amazonaws.{region}.ecr.dkr |
| SQS | com.amazonaws.{region}.sqs |
| SNS | com.amazonaws.{region}.sns |

Limits and Quotas

VPC Limits

Default quotas per Region unless noted; most can be raised through Service Quotas.

| Resource | Default Quota |
|---|---|
| VPCs per Region | 5 |
| Subnets per VPC | 200 |
| Route tables per VPC | 200 |
| Routes per route table | 50 |
| Security groups per Region | 2,500 |
| Security groups per network interface | 5 |
| Rules per security group | 60 inbound + 60 outbound |
| Network ACLs per VPC | 200 |
| Entries per network ACL | 20 inbound + 20 outbound |
| Internet gateways per Region | 5 (tied to the VPC quota) |
| NAT gateways per Availability Zone | 5 |
| VPC peering connections per VPC | 50 |

Tags Best Practices

Recommended Tagging Strategy

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-vpc
        - Key: Environment
          Value: !Ref EnvironmentName
        - Key: Project
          Value: !Ref ProjectName
        - Key: ManagedBy
          Value: CloudFormation
        - Key: CostCenter
          Value: !Ref CostCenter

Common Tags

| Tag Key | Description | Example Values |
|---|---|---|
| Name | Human-readable resource name | production-vpc |
| Environment | Deployment environment | development, staging, production |
| Project | Project name | my-project |
| Owner | Team or individual responsible | team@example.com |
| ManagedBy | Tool that manages the resource | CloudFormation |
| CostCenter | Budget allocation | 12345 |
| Version | Resource or application version | 1.0.0 |
