upi/aws/cloudformation/01_vpc.yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Template for Best Practice VPC with 1-3 AZs

Parameters:
  VpcCidr:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-4]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-24
    Default: 10.0.0.0/16
    Description: CIDR block for VPC
    Type: String
  AvailabilityZoneCount:
    ConstraintDescription: "The number of availability zones (Min: 1, Max: 3)"
    MinValue: 1
    MaxValue: 3
    Default: 1
    Description: "How many AZs to create VPC subnets for (Min: 1, Max: 3)"
    Type: Number
  SubnetBits:
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19-27
    MinValue: 5
    MaxValue: 13
    Default: 12
    Description: "Size of each subnet to create within the availability zones. (Min: 5 = /27, Max: 13 = /19)"
    Type: Number

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: "Network Configuration"
      Parameters:
      - VpcCidr
      - SubnetBits
    - Label:
        default: "Availability Zones"
      Parameters:
      - AvailabilityZoneCount
    ParameterLabels:
      AvailabilityZoneCount:
        default: "Availability Zone Count"
      VpcCidr:
        default: "VPC CIDR"
      SubnetBits:
        default: "Bits Per Subnet"

Conditions:
  DoAz3: !Equals [3, !Ref AvailabilityZoneCount]
  DoAz2: !Or [!Equals [2, !Ref AvailabilityZoneCount], Condition: DoAz3]

Resources:
  VPC:
    Type: "AWS::EC2::VPC"
    Properties:
      EnableDnsSupport: "true"
      EnableDnsHostnames: "true"
      CidrBlock: !Ref VpcCidr
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Public
      - Key: Name
        Value: !Ref "AWS::StackName"
  PublicSubnet:
    Type: "AWS::EC2::Subnet"
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
      AvailabilityZone: !Select
      - 0
      - Fn::GetAZs: !Ref "AWS::Region"
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Public
  PublicSubnet2:
    Type: "AWS::EC2::Subnet"
    Condition: DoAz2
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
      AvailabilityZone: !Select
      - 1
      - Fn::GetAZs: !Ref "AWS::Region"
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Public
  PublicSubnet3:
    Type: "AWS::EC2::Subnet"
    Condition: DoAz3
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
      AvailabilityZone: !Select
      - 2
      - Fn::GetAZs: !Ref "AWS::Region"
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Public
  InternetGateway:
    Type: "AWS::EC2::InternetGateway"
    Properties:
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Public
  GatewayToInternet:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicRouteTable:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref VPC
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Public
  PublicRoute:
    Type: "AWS::EC2::Route"
    DependsOn: GatewayToInternet
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteTableAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable
  PublicSubnetRouteTableAssociation2:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Condition: DoAz2
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicRouteTable
  PublicSubnetRouteTableAssociation3:
    Condition: DoAz3
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref PublicSubnet3
      RouteTableId: !Ref PublicRouteTable
  PublicNetworkAcl:
    Type: "AWS::EC2::NetworkAcl"
    Properties:
      VpcId: !Ref VPC
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Public
  InboundHTTPPublicNetworkAclEntry:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: "100"
      Protocol: "6"
      RuleAction: allow
      Egress: "false"
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: "80"
        To: "80"
  InboundHTTPSPublicNetworkAclEntry:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: "101"
      Protocol: "6"
      RuleAction: allow
      Egress: "false"
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: "443"
        To: "443"
  InboundSSHPublicNetworkAclEntry:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: "102"
      Protocol: "6"
      RuleAction: allow
      Egress: "false"
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: "22"
        To: "22"
  InboundEphemeralPublicNetworkAclEntry:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: "103"
      Protocol: "6"
      RuleAction: allow
      Egress: "false"
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: "1024"
        To: "65535"
  OutboundPublicNetworkAclEntry:
    Type: "AWS::EC2::NetworkAclEntry"
    Properties:
      NetworkAclId: !Ref PublicNetworkAcl
      RuleNumber: "100"
      Protocol: "6"
      RuleAction: allow
      Egress: "true"
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: "0"
        To: "65535"
  PublicSubnetNetworkAclAssociation:
    Type: "AWS::EC2::SubnetNetworkAclAssociation"
    Properties:
      SubnetId: !Ref PublicSubnet
      NetworkAclId: !Ref PublicNetworkAcl
  PublicSubnetNetworkAclAssociation2:
    Type: "AWS::EC2::SubnetNetworkAclAssociation"
    Condition: DoAz2
    Properties:
      SubnetId: !Ref PublicSubnet2
      NetworkAclId: !Ref PublicNetworkAcl
  PublicSubnetNetworkAclAssociation3:
    Type: "AWS::EC2::SubnetNetworkAclAssociation"
    Condition: DoAz3
    Properties:
      SubnetId: !Ref PublicSubnet3
      NetworkAclId: !Ref PublicNetworkAcl
  PrivateSubnet:
    Type: "AWS::EC2::Subnet"
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [3, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
      AvailabilityZone: !Select
      - 0
      - Fn::GetAZs: !Ref "AWS::Region"
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Private
  PrivateRouteTable:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref VPC
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Private
  PrivateSubnetRouteTableAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable
  NAT:
    DependsOn:
    - GatewayToInternet
    Type: "AWS::EC2::NatGateway"
    Properties:
      AllocationId:
        "Fn::GetAtt":
        - EIP
        - AllocationId
      SubnetId: !Ref PublicSubnet
  EIP:
    Type: "AWS::EC2::EIP"
    Properties:
      Domain: vpc
  Route:
    Type: "AWS::EC2::Route"
    Properties:
      RouteTableId:
        Ref: PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: NAT
  PrivateSubnet2:
    Type: "AWS::EC2::Subnet"
    Condition: DoAz2
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [4, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
      AvailabilityZone: !Select
      - 1
      - Fn::GetAZs: !Ref "AWS::Region"
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Private
  PrivateRouteTable2:
    Type: "AWS::EC2::RouteTable"
    Condition: DoAz2
    Properties:
      VpcId: !Ref VPC
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Private
  PrivateSubnetRouteTableAssociation2:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Condition: DoAz2
    Properties:
      SubnetId: !Ref PrivateSubnet2
      RouteTableId: !Ref PrivateRouteTable2
  NAT2:
    DependsOn:
    - GatewayToInternet
    Type: "AWS::EC2::NatGateway"
    Condition: DoAz2
    Properties:
      AllocationId:
        "Fn::GetAtt":
        - EIP2
        - AllocationId
      SubnetId: !Ref PublicSubnet2
  EIP2:
    Type: "AWS::EC2::EIP"
    Condition: DoAz2
    Properties:
      Domain: vpc
  Route2:
    Type: "AWS::EC2::Route"
    Condition: DoAz2
    Properties:
      RouteTableId:
        Ref: PrivateRouteTable2
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: NAT2
  PrivateSubnet3:
    Type: "AWS::EC2::Subnet"
    Condition: DoAz3
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Select [5, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
      AvailabilityZone: !Select
      - 2
      - Fn::GetAZs: !Ref "AWS::Region"
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Private
  PrivateRouteTable3:
    Type: "AWS::EC2::RouteTable"
    Condition: DoAz3
    Properties:
      VpcId: !Ref VPC
      Tags:
      - Key: Application
        Value: !Ref "AWS::StackName"
      - Key: Network
        Value: Private
  PrivateSubnetRouteTableAssociation3:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Condition: DoAz3
    Properties:
      SubnetId: !Ref PrivateSubnet3
      RouteTableId: !Ref PrivateRouteTable3
  NAT3:
    DependsOn:
    - GatewayToInternet
    Type: "AWS::EC2::NatGateway"
    Condition: DoAz3
    Properties:
      AllocationId:
        "Fn::GetAtt":
        - EIP3
        - AllocationId
      SubnetId: !Ref PublicSubnet3
  EIP3:
    Type: "AWS::EC2::EIP"
    Condition: DoAz3
    Properties:
      Domain: vpc
  Route3:
    Type: "AWS::EC2::Route"
    Condition: DoAz3
    Properties:
      RouteTableId:
        Ref: PrivateRouteTable3
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: NAT3
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Principal: '*'
          Action:
          - '*'
          Resource:
          - '*'
      RouteTableIds:
      - !Ref PublicRouteTable
      - !Ref PrivateRouteTable
      - !If [DoAz2, !Ref PrivateRouteTable2, !Ref "AWS::NoValue"]
      - !If [DoAz3, !Ref PrivateRouteTable3, !Ref "AWS::NoValue"]
      ServiceName: !Join
      - ''
      - - com.amazonaws.
        - !Ref 'AWS::Region'
        - .s3
      VpcId: !Ref VPC

Outputs:
  VpcId:
    Description: ID of the newly created VPC
    Value: !Ref VPC
  PublicSubnetIds:
    Description: Subnet IDs of the public subnets
    Value:
      !Join [
        ",",
        [!Ref PublicSubnet, !If [DoAz2, !Ref PublicSubnet2, !Ref "AWS::NoValue"], !If [DoAz3, !Ref PublicSubnet3, !Ref "AWS::NoValue"]]
      ]
  PrivateSubnetIds:
    Description: Subnet IDs of the private subnets
    Value:
      !Join [
        ",",
        [!Ref PrivateSubnet, !If [DoAz2, !Ref PrivateSubnet2, !Ref "AWS::NoValue"], !If [DoAz3, !Ref PrivateSubnet3, !Ref "AWS::NoValue"]]
      ]
Adding initial user doc/guide & materials for UPI AWS installation Moved the encrypted-AMI section from "Create Cluster" to "Running Cluster", because it has more value there folks inspecting their account and what has happened after the fact. Since we call out the running instances (by count with a picture) they may wonder "where did this unique AMI come from it is running"? It goes along with some of the other explanations we chase with as well. The Create Cluster section just has the whole IPI output, but no explanation of all wizardry under the covers, calling this particular wrinkle out there seemed a bit awkward to me. 2019-03-12 20:56:09 -04:00			`AWSTemplateFormatVersion: 2010-09-09`
			`Description: Template for Best Practice VPC with 1-3 AZs`

			`Parameters:`
			`VpcCidr:`
			`AllowedPattern: ^(([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.){3}([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])(\/(1[6-9]\|2[0-4]))$`
			`ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-24`
			`Default: 10.0.0.0/16`
			`Description: CIDR block for VPC`
			`Type: String`
			`AvailabilityZoneCount:`
			`ConstraintDescription: "The number of availability zones (Min: 1, Max: 3)"`
			`MinValue: 1`
			`MaxValue: 3`
			`Default: 1`
			`Description: "How many AZs to create VPC subnets for (Min: 1, Max: 3)"`
			`Type: Number`
			`SubnetBits:`
			`ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19-27`
			`MinValue: 5`
			`MaxValue: 13`
			`Default: 12`
			`Description: "Size of each subnet to create within the availability zones. (Min: 5 = /27, Max: 13 = /19)"`
			`Type: Number`

			`Metadata:`
			`AWS::CloudFormation::Interface:`
			`ParameterGroups:`
			`- Label:`
			`default: "Network Configuration"`
			`Parameters:`
			`- VpcCidr`
			`- SubnetBits`
			`- Label:`
			`default: "Availability Zones"`
			`Parameters:`
			`- AvailabilityZoneCount`
			`ParameterLabels:`
			`AvailabilityZoneCount:`
			`default: "Availability Zone Count"`
			`VpcCidr:`
			`default: "VPC CIDR"`
			`SubnetBits:`
			`default: "Bits Per Subnet"`

			`Conditions:`
			`DoAz3: !Equals [3, !Ref AvailabilityZoneCount]`
			`DoAz2: !Or [!Equals [2, !Ref AvailabilityZoneCount], Condition: DoAz3]`

			`Resources:`
			`VPC:`
			`Type: "AWS::EC2::VPC"`
			`Properties:`
			`EnableDnsSupport: "true"`
			`EnableDnsHostnames: "true"`
			`CidrBlock: !Ref VpcCidr`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Public`
			`- Key: Name`
			`Value: !Ref "AWS::StackName"`
			`PublicSubnet:`
			`Type: "AWS::EC2::Subnet"`
			`Properties:`
			`VpcId: !Ref VPC`
			`CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]`
			`AvailabilityZone: !Select`
			`- 0`
			`- Fn::GetAZs: !Ref "AWS::Region"`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Public`
			`PublicSubnet2:`
			`Type: "AWS::EC2::Subnet"`
			`Condition: DoAz2`
			`Properties:`
			`VpcId: !Ref VPC`
			`CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]`
			`AvailabilityZone: !Select`
			`- 1`
			`- Fn::GetAZs: !Ref "AWS::Region"`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Public`
			`PublicSubnet3:`
			`Type: "AWS::EC2::Subnet"`
			`Condition: DoAz3`
			`Properties:`
			`VpcId: !Ref VPC`
			`CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]`
			`AvailabilityZone: !Select`
			`- 2`
			`- Fn::GetAZs: !Ref "AWS::Region"`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Public`
			`InternetGateway:`
			`Type: "AWS::EC2::InternetGateway"`
			`Properties:`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Public`
			`GatewayToInternet:`
			`Type: "AWS::EC2::VPCGatewayAttachment"`
			`Properties:`
			`VpcId: !Ref VPC`
			`InternetGatewayId: !Ref InternetGateway`
			`PublicRouteTable:`
			`Type: "AWS::EC2::RouteTable"`
			`Properties:`
			`VpcId: !Ref VPC`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Public`
			`PublicRoute:`
			`Type: "AWS::EC2::Route"`
			`DependsOn: GatewayToInternet`
			`Properties:`
			`RouteTableId: !Ref PublicRouteTable`
			`DestinationCidrBlock: 0.0.0.0/0`
			`GatewayId: !Ref InternetGateway`
			`PublicSubnetRouteTableAssociation:`
			`Type: "AWS::EC2::SubnetRouteTableAssociation"`
			`Properties:`
			`SubnetId: !Ref PublicSubnet`
			`RouteTableId: !Ref PublicRouteTable`
			`PublicSubnetRouteTableAssociation2:`
			`Type: "AWS::EC2::SubnetRouteTableAssociation"`
			`Condition: DoAz2`
			`Properties:`
			`SubnetId: !Ref PublicSubnet2`
			`RouteTableId: !Ref PublicRouteTable`
			`PublicSubnetRouteTableAssociation3:`
			`Condition: DoAz3`
			`Type: "AWS::EC2::SubnetRouteTableAssociation"`
			`Properties:`
			`SubnetId: !Ref PublicSubnet3`
			`RouteTableId: !Ref PublicRouteTable`
			`PublicNetworkAcl:`
			`Type: "AWS::EC2::NetworkAcl"`
			`Properties:`
			`VpcId: !Ref VPC`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Public`
			`InboundHTTPPublicNetworkAclEntry:`
			`Type: "AWS::EC2::NetworkAclEntry"`
			`Properties:`
			`NetworkAclId: !Ref PublicNetworkAcl`
			`RuleNumber: "100"`
			`Protocol: "6"`
			`RuleAction: allow`
			`Egress: "false"`
			`CidrBlock: 0.0.0.0/0`
			`PortRange:`
			`From: "80"`
			`To: "80"`
			`InboundHTTPSPublicNetworkAclEntry:`
			`Type: "AWS::EC2::NetworkAclEntry"`
			`Properties:`
			`NetworkAclId: !Ref PublicNetworkAcl`
			`RuleNumber: "101"`
			`Protocol: "6"`
			`RuleAction: allow`
			`Egress: "false"`
			`CidrBlock: 0.0.0.0/0`
			`PortRange:`
			`From: "443"`
			`To: "443"`
			`InboundSSHPublicNetworkAclEntry:`
			`Type: "AWS::EC2::NetworkAclEntry"`
			`Properties:`
			`NetworkAclId: !Ref PublicNetworkAcl`
			`RuleNumber: "102"`
			`Protocol: "6"`
			`RuleAction: allow`
			`Egress: "false"`
			`CidrBlock: 0.0.0.0/0`
			`PortRange:`
			`From: "22"`
			`To: "22"`
			`InboundEphemeralPublicNetworkAclEntry:`
			`Type: "AWS::EC2::NetworkAclEntry"`
			`Properties:`
			`NetworkAclId: !Ref PublicNetworkAcl`
			`RuleNumber: "103"`
			`Protocol: "6"`
			`RuleAction: allow`
			`Egress: "false"`
			`CidrBlock: 0.0.0.0/0`
			`PortRange:`
			`From: "1024"`
			`To: "65535"`
			`OutboundPublicNetworkAclEntry:`
			`Type: "AWS::EC2::NetworkAclEntry"`
			`Properties:`
			`NetworkAclId: !Ref PublicNetworkAcl`
			`RuleNumber: "100"`
			`Protocol: "6"`
			`RuleAction: allow`
			`Egress: "true"`
			`CidrBlock: 0.0.0.0/0`
			`PortRange:`
			`From: "0"`
			`To: "65535"`
			`PublicSubnetNetworkAclAssociation:`
			`Type: "AWS::EC2::SubnetNetworkAclAssociation"`
			`Properties:`
			`SubnetId: !Ref PublicSubnet`
			`NetworkAclId: !Ref PublicNetworkAcl`
			`PublicSubnetNetworkAclAssociation2:`
			`Type: "AWS::EC2::SubnetNetworkAclAssociation"`
			`Condition: DoAz2`
			`Properties:`
			`SubnetId: !Ref PublicSubnet2`
			`NetworkAclId: !Ref PublicNetworkAcl`
			`PublicSubnetNetworkAclAssociation3:`
			`Type: "AWS::EC2::SubnetNetworkAclAssociation"`
			`Condition: DoAz3`
			`Properties:`
			`SubnetId: !Ref PublicSubnet3`
			`NetworkAclId: !Ref PublicNetworkAcl`
			`PrivateSubnet:`
			`Type: "AWS::EC2::Subnet"`
			`Properties:`
			`VpcId: !Ref VPC`
			`CidrBlock: !Select [3, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]`
			`AvailabilityZone: !Select`
			`- 0`
			`- Fn::GetAZs: !Ref "AWS::Region"`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Private`
			`PrivateRouteTable:`
			`Type: "AWS::EC2::RouteTable"`
			`Properties:`
			`VpcId: !Ref VPC`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Private`
			`PrivateSubnetRouteTableAssociation:`
			`Type: "AWS::EC2::SubnetRouteTableAssociation"`
			`Properties:`
			`SubnetId: !Ref PrivateSubnet`
			`RouteTableId: !Ref PrivateRouteTable`
			`NAT:`
			`DependsOn:`
			`- GatewayToInternet`
			`Type: "AWS::EC2::NatGateway"`
			`Properties:`
			`AllocationId:`
			`"Fn::GetAtt":`
			`- EIP`
			`- AllocationId`
			`SubnetId: !Ref PublicSubnet`
			`EIP:`
			`Type: "AWS::EC2::EIP"`
			`Properties:`
			`Domain: vpc`
			`Route:`
			`Type: "AWS::EC2::Route"`
			`Properties:`
			`RouteTableId:`
			`Ref: PrivateRouteTable`
			`DestinationCidrBlock: 0.0.0.0/0`
			`NatGatewayId:`
			`Ref: NAT`
			`PrivateSubnet2:`
			`Type: "AWS::EC2::Subnet"`
			`Condition: DoAz2`
			`Properties:`
			`VpcId: !Ref VPC`
			`CidrBlock: !Select [4, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]`
			`AvailabilityZone: !Select`
			`- 1`
			`- Fn::GetAZs: !Ref "AWS::Region"`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Private`
			`PrivateRouteTable2:`
			`Type: "AWS::EC2::RouteTable"`
			`Condition: DoAz2`
			`Properties:`
			`VpcId: !Ref VPC`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Private`
			`PrivateSubnetRouteTableAssociation2:`
			`Type: "AWS::EC2::SubnetRouteTableAssociation"`
			`Condition: DoAz2`
			`Properties:`
			`SubnetId: !Ref PrivateSubnet2`
			`RouteTableId: !Ref PrivateRouteTable2`
			`NAT2:`
			`DependsOn:`
			`- GatewayToInternet`
			`Type: "AWS::EC2::NatGateway"`
			`Condition: DoAz2`
			`Properties:`
			`AllocationId:`
			`"Fn::GetAtt":`
			`- EIP2`
			`- AllocationId`
			`SubnetId: !Ref PublicSubnet2`
			`EIP2:`
			`Type: "AWS::EC2::EIP"`
			`Condition: DoAz2`
			`Properties:`
			`Domain: vpc`
			`Route2:`
			`Type: "AWS::EC2::Route"`
			`Condition: DoAz2`
			`Properties:`
			`RouteTableId:`
			`Ref: PrivateRouteTable2`
			`DestinationCidrBlock: 0.0.0.0/0`
			`NatGatewayId:`
			`Ref: NAT2`
			`PrivateSubnet3:`
			`Type: "AWS::EC2::Subnet"`
			`Condition: DoAz3`
			`Properties:`
			`VpcId: !Ref VPC`
			`CidrBlock: !Select [5, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]`
			`AvailabilityZone: !Select`
			`- 2`
			`- Fn::GetAZs: !Ref "AWS::Region"`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Private`
			`PrivateRouteTable3:`
			`Type: "AWS::EC2::RouteTable"`
			`Condition: DoAz3`
			`Properties:`
			`VpcId: !Ref VPC`
			`Tags:`
			`- Key: Application`
			`Value: !Ref "AWS::StackName"`
			`- Key: Network`
			`Value: Private`
			`PrivateSubnetRouteTableAssociation3:`
			`Type: "AWS::EC2::SubnetRouteTableAssociation"`
			`Condition: DoAz3`
			`Properties:`
			`SubnetId: !Ref PrivateSubnet3`
			`RouteTableId: !Ref PrivateRouteTable3`
			`NAT3:`
			`DependsOn:`
			`- GatewayToInternet`
			`Type: "AWS::EC2::NatGateway"`
			`Condition: DoAz3`
			`Properties:`
			`AllocationId:`
			`"Fn::GetAtt":`
			`- EIP3`
			`- AllocationId`
			`SubnetId: !Ref PublicSubnet3`
			`EIP3:`
			`Type: "AWS::EC2::EIP"`
			`Condition: DoAz3`
			`Properties:`
			`Domain: vpc`
			`Route3:`
			`Type: "AWS::EC2::Route"`
			`Condition: DoAz3`
			`Properties:`
			`RouteTableId:`
			`Ref: PrivateRouteTable3`
			`DestinationCidrBlock: 0.0.0.0/0`
			`NatGatewayId:`
			`Ref: NAT3`
			`S3Endpoint:`
			`Type: AWS::EC2::VPCEndpoint`
			`Properties:`
			`PolicyDocument:`
			`Version: 2012-10-17`
			`Statement:`
			`- Effect: Allow`
			`Principal: '*'`
			`Action:`
			`- '*'`
			`Resource:`
			`- '*'`
			`RouteTableIds:`
			`- !Ref PublicRouteTable`
			`- !Ref PrivateRouteTable`
			`- !If [DoAz2, !Ref PrivateRouteTable2, !Ref "AWS::NoValue"]`
			`- !If [DoAz3, !Ref PrivateRouteTable3, !Ref "AWS::NoValue"]`
			`ServiceName: !Join`
			`- ''`
			`- - com.amazonaws.`
			`- !Ref 'AWS::Region'`
			`- .s3`
			`VpcId: !Ref VPC`

			`Outputs:`
			`VpcId:`
			`Description: ID of the newly created VPC`
			`Value: !Ref VPC`
			`PublicSubnetIds:`
			`Description: Subnet IDs of the public subnets`
			`Value:`
			`!Join [`
			`",",`
			`[!Ref PublicSubnet, !If [DoAz2, !Ref PublicSubnet2, !Ref "AWS::NoValue"], !If [DoAz3, !Ref PublicSubnet3, !Ref "AWS::NoValue"]]`
			`]`
			`PrivateSubnetIds:`
			`Description: Subnet IDs of the private subnets`
			`Value:`
			`!Join [`
			`",",`
			`[!Ref PrivateSubnet, !If [DoAz2, !Ref PrivateSubnet2, !Ref "AWS::NoValue"], !If [DoAz3, !Ref PrivateSubnet3, !Ref "AWS::NoValue"]]`
			`]`