From 3f4783e99b8c3770f7a267eca599e4850eaf55c8 Mon Sep 17 00:00:00 2001 
From: yongqiangliu <343847055@qq.com> Date: Tue, 30 Dec 2025 16:18:41 +0800 Subject: [PATCH 1/3] align difference with global at 2025-12-30. change storageAccount params and update dir to china. --- .../README.md | 4 +- .../createUiDefinition.json | 76 +- .../mainTemplate.json | 732 +++++++++++++++-- china/azure/marketplace-ha/README.md | 4 +- .../marketplace-ha/createUiDefinition.json | 78 +- china/azure/marketplace-ha/mainTemplate.json | 738 +++++++++++++++-- china/azure/marketplace-management/README.md | 4 +- .../createUiDefinition.json | 80 +- .../marketplace-management/mainTemplate.json | 743 +++++++++++++++-- china/azure/marketplace-mds/README.md | 4 +- .../marketplace-mds/createUiDefinition.json | 80 +- china/azure/marketplace-mds/mainTemplate.json | 744 ++++++++++++++++-- china/azure/marketplace-single/README.md | 4 +- .../createUiDefinition.json | 77 +- .../marketplace-single/mainTemplate.json | 728 +++++++++++++++-- china/azure/marketplace-vmss/README.md | 4 +- .../marketplace-vmss/createUiDefinition.json | 83 +- .../azure/marketplace-vmss/mainTemplate.json | 730 +++++++++++++++-- .../nestedtemplates/azure-func-sami.json | 0 .../gateway-load-balancers.json | 2 +- .../nestedtemplates/load-balancers-waap.json | 0 .../azure/nestedtemplates/load-balancers.json | 2 +- .../vnet-1-subnet-existing.json | 2 +- .../vnet-2-subnet-ha2-existing.json | 2 +- .../vnet-2-subnet-ha2-new.json | 2 +- .../vnet-existing-stack-ha.json | 4 +- .../vnet-existing-stack-mgmt.json | 2 +- .../nestedtemplates/vnet-existing-stack.json | 2 +- .../azure/nestedtemplates/vnet-existing.json | 2 +- .../nestedtemplates/vnet-new-stack-ha.json | 4 +- .../nestedtemplates/vnet-new-stack-mgmt.json | 2 +- .../azure/nestedtemplates/vnet-new-stack.json | 2 +- 32 files changed, 4413 insertions(+), 528 deletions(-) mode change 100644 => 100755 china/azure/nestedtemplates/azure-func-sami.json mode change 100644 => 100755 china/azure/nestedtemplates/gateway-load-balancers.json mode change 100644 => 100755 
china/azure/nestedtemplates/load-balancers-waap.json diff --git a/china/azure/marketplace-gateway-load-balancer/README.md b/china/azure/marketplace-gateway-load-balancer/README.md index 4e55d4a8..58211fd7 100644 --- a/china/azure/marketplace-gateway-load-balancer/README.md +++ b/china/azure/marketplace-gateway-load-balancer/README.md @@ -11,12 +11,12 @@ Benefits: · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management - Deploy to Azure -To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-gateway-load-balancer%2FmainTemplate.json) +To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-gateway-load-balancer%2FmainTemplate.json) diff --git a/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json b/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json index 3cd3057f..ac70cb63 100644 --- a/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json +++ b/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json 
@@ -1352,6 +1352,35 @@
 },
 "visible": "[steps('network').NSG]"
 },
+ {
+ "name": "storageAccountDeployMode",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Storage Account Deployment Mode",
+ "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account",
+ "defaultValue": "New",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "New",
+ "value": "New"
+ },
+ {
+ "label": "Existing",
+ "value": "Existing"
+ },
+ {
+ "label": "Managed",
+ "value": "Managed"
+ },
+ {
+ "label": "None",
+ "value": "None"
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ },
 {
 "name": "addStorageAccountIpRules",
 "type": "Microsoft.Common.OptionsGroup",
@@ -1369,9 +1398,48 @@
 "value": true
 }
 ],
- "required": true
+ "required": "[equals(steps('network').storageAccountDeployMode, 'New')]"
 },
- "visible": true
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]"
+ },
+ {
+ "name": "existingStorageAccount",
+ "type": "Microsoft.Solutions.ResourceSelector",
+ "label": "Storage Account",
+ "defaultValue": "null",
+ "toolTip": "Choose an existing Storage Account",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "constraints": {
+ "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+ },
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+ },
+ {
+ "name": "infoExistingStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]",
+ "options": {
+ "icon": "Info",
+ "text": "The Storage Account must allow network access from the Serial Console feature, for more information - Serial Console Security."
+ }
+ },
+ {
+ "name": "infoManagedStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]",
+ "options": {
+ "icon": "Info",
+ "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required."
+ }
+ },
+ {
+ "name": "warningNoneStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]",
+ "options": {
+ "icon": "Warning",
+ "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - Azure Serial Console."
+ }
 }
 ]
 },
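Review bot: The three InfoBox texts end in "for more information - Serial Console Security." and "For more information - Azure Serial Console." as if a link were attached, but each `options` object carries only `icon` and `text`; Microsoft.Common.InfoBox also accepts `options.uri`, so either add `"uri": "<docs-url-placeholder>"` to each box or drop the dangling phrase. The ResourceSelector's `"defaultValue": "null"` is the four-character string, not a JSON null — if it is meant as "nothing selected", confirm the element honours a defaultValue at all, otherwise remove it. Both points apply equally to the matching hunk in china/azure/marketplace-ha/createUiDefinition.json (`@@ -1495,9 +1524,48 @@`).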
@@ -1445,9 +1513,11 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", + "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]", "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", + "existingStorageAccountId": "[steps('network').existingStorageAccount]", "SerialConsolePasswordHash": "[steps('chkp-advanced').AdditionalPassword]", "MaintenanceModePasswordHash": "[steps('chkp-advanced').MaintenanceModePassword]" } } -} \ No newline at end of file +} diff --git a/china/azure/marketplace-gateway-load-balancer/mainTemplate.json b/china/azure/marketplace-gateway-load-balancer/mainTemplate.json index 8a8c16c4..342bfbc6 100644 --- a/china/azure/marketplace-gateway-load-balancer/mainTemplate.json +++ b/china/azure/marketplace-gateway-load-balancer/mainTemplate.json @@ -1,5 +1,5 @@ { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "subscriptionId": { @@ -319,7 +319,7 @@ "_artifactsLocation": { "type": "string", "metadata": { - "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/" + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/" }, "defaultValue": "[deployment().properties.templateLink.uri]" }, 
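Review bot: `existingStorageAccountId` is wired straight to `steps('network').existingStorageAccount`, while mainTemplate.json declares that parameter as a `string` holding a resource ID; if the ResourceSelector emits an object (id/name/location) rather than the bare ID, the deployment rejects the parameter, so confirm the element's output and, if so, use `"existingStorageAccountId": "[steps('network').existingStorageAccount.id]"`. `"addStorageAccountIpRules":"[...]"` also lost the space after the colon that every neighbouring key has. Both points apply to the matching hunk in china/azure/marketplace-ha/createUiDefinition.json (`@@ -1571,7 +1639,9 @@`).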
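Review bot: `$schema` moves back from the 2019-04-01 deployment-template schema to 2015-01-01, which reduces what validation tooling checks against this file; the same reversal is made in the nested empty deployment at `@@ -838,7 +1412,7 @@`. If the older schema is what the global template carries or what the China endpoint requires, that reason belongs in the commit message; otherwise keep `"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"`.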
@@ -393,19 +393,39 @@ "type": "string", "defaultValue": "[concat(parameters('vmName'),'-nsg')]" }, + "storageAccountDeployMode": { + "type": "string", + "defaultValue": "New", + "metadata": { + "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation." + }, + "allowedValues": [ + "New", + "Existing", + "Managed", + "None" + ] + }, "addStorageAccountIpRules": { "type": "bool", "metadata": { - "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled" + "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/zh-cn/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'." }, "defaultValue": false }, "storageAccountAdditionalIps": { "type": "array", "metadata": { - "description": "IPs/CIDRs that are allowed access to the Storage Account" + "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'." }, "defaultValue": [] + }, + "existingStorageAccountId": { + "type": "string", + "metadata": { + "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'." + }, + "defaultValue": "" } }, "variables": { 
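Review bot: `existingStorageAccountId` defaults to `""` with no length constraint, yet later in this template it is dereferenced with `reference()` whenever `storageAccountDeployMode` is 'Existing', so a user who leaves it empty only learns of the mistake from a generic deployment error. ARM cannot make a parameter conditionally required, so at least state the expected shape: `"description": "Full resource ID of the existing Storage Account (/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>). Required when 'Storage Account Deployment Mode' is 'Existing'."`. The new descriptions also say 'Storage Account Deploy Mode' while the UI label added in createUiDefinition.json reads 'Storage Account Deployment Mode'; pick one name. The same applies to the matching hunk in china/azure/marketplace-ha/mainTemplate.json (`@@ -335,19 +335,39 @@`).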
@@ -439,219 +459,773 @@ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", "serialConsoleGeographies": { "eastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "southeastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "australiacentral": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiacentral2": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiaeast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiasoutheast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "brazilsouth": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "brazilsoutheast": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "canadacentral": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", + "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "canadaeast": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", 
+ "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "northeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "westeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "francecentral": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "francesouth": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "germanynorth": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "germanywestcentral": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "centralindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "southindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "westindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "japaneast": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + 
"20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "japanwest": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + "20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "koreacentral": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "koreasouth": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "norwaywest": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "norwayeast": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "switzerlandnorth": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "switzerlandwest": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "uaecentral": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uaenorth": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uksouth": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + "20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "ukwest": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + 
"20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "swedencentral": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "swedensouth": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "centralus": [ - "20.98.146.84", - "20.98.194.64", + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", 
"20.83.222.102", - "20.83.222.100" - ], - "northcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "northcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "southcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "southcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus3": [ "20.98.146.84", + 
"20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus3": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + 
"52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "eastus2euap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "centraluseuap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "usgovarizona": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - "52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "usgovvirginia": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - 
"52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "usgovtexas": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - "52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "chinanorth": [ "139.217.51.16", @@ -680,7 +1254,7 @@ "additionalDiskSizeGB": "[if(contains('R8110 R8120', variables('osVersion')), 0, parameters('additionalDiskSizeGB'))]", "diskSizeGB": "[add(variables('additionalDiskSizeGB'), variables('diskSize100GB'))]", "vxlanParametersForR82": "kernel_parameters:\n sim:\n - sim_enable_vxlan=3\n - sim_enable_gre=3\n fw: \n - fw_enable_vxlan=1\n - fw_enable_gre=1", - "cloudConfigParams": [ + "cloudConfigParams":[ "[concat('installationType=\\\"', variables('installationType'), '\\\"')]", "[concat('allowUploadDownload=\\\"', variables('allowUploadDownload'), '\\\"')]", "[concat('osVersion=\\\"', variables('osVersion'), '\\\"')]", 
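Review bot: `serialConsoleGeographies` is the allowlist the storage-account firewall admits, and this hunk replaces hundreds of addresses with no record of where they came from or when; JSON cannot carry a comment, so put the provenance in the template's top-level `metadata`, e.g. `"metadata": { "serialConsoleIpSource": "<docs-url-placeholder>", "serialConsoleIpSnapshot": "2025-12-30" }`. For a China-cloud template the usgov* and *euap entries expanded here are unreachable anyway, while `chinanorth` at the end of the hunk — and presumably the other China regions after it — is the one that matters and is left unchanged; confirm those were checked against the current list as well. The variables block continues outside the hunk.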
@@ -787,7 +1361,7 @@ } }, "upgrading": "[equals(parameters('upgrading'), 'yes')]", - "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]", "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", "loadBalacerSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/gateway-load-balancers.json', parameters('_artifactsLocationSasToken')))]", "lbsTargetRGName": "[parameters('lbsTargetRGName')]", @@ -838,7 +1412,7 @@ "properties": { "mode": "Incremental", "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "resources": [] } @@ -1003,6 +1577,7 @@ } }, { + "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]", "type": "Microsoft.Storage/storageAccounts", "name": "[variables('storageAccountName')]", "apiVersion": "2021-06-01", @@ -1020,7 +1595,7 @@ "sku": { "name": "[variables('storageAccountType')]" }, - "kind": "Storage", + "kind": "StorageV2", "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]" }, { 
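Review bot: The account kind changes to `StorageV2` in `@@ -1020`, but the `properties` block that decides the account's exposure sits outside the hunk; this account receives boot-diagnostics output (serial console log and screenshots), so check that it sets `"supportsHttpsTrafficOnly": true`, `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false`, since on apiVersion 2021-06-01 those are not all guaranteed by default. The `condition` added in `@@ -1003` gates the resource on 'New', which matches the `if()` in the bootDiagnostics expression that follows.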
@@ -1111,10 +1686,7 @@ ] }, "diagnosticsProfile": { - "bootDiagnostics": { - "enabled": "true", - "storageUri": "[reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob]" - } + "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]" } }, "overprovision": false diff --git a/china/azure/marketplace-ha/README.md b/china/azure/marketplace-ha/README.md index f9419db6..30aa4fea 100644 --- a/china/azure/marketplace-ha/README.md +++ b/china/azure/marketplace-ha/README.md @@ -11,11 +11,11 @@ Benefits: · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management - + Deploy to Azure -To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-ha%2FmainTemplate.json) +To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-ha%2FmainTemplate.json) diff --git a/china/azure/marketplace-ha/createUiDefinition.json b/china/azure/marketplace-ha/createUiDefinition.json index 6b59bdda..515078be 100644 --- a/china/azure/marketplace-ha/createUiDefinition.json +++ b/china/azure/marketplace-ha/createUiDefinition.json 
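Review bot: The new `bootDiagnostics` expression reads the new account with apiVersion `2023-01-01` and the existing one with `2023-05-01`; both are `reference()` calls on Microsoft.Storage/storageAccounts, so use one version for both, e.g. `reference(parameters('existingStorageAccountId'), '2023-01-01').primaryEndpoints.blob`. With mode 'Existing' and the parameter left at its default `""`, this is the line where the deployment fails, with a bare `reference()` error rather than anything naming `existingStorageAccountId` — worth stating in that parameter's description since `reference()` cannot be moved into `variables`. The enclosing VMSS resource starts and ends outside the hunk.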
@@ -1102,7 +1102,7 @@ "name": "floatingIP", "type": "Microsoft.Common.OptionsGroup", "label": "Deploy the Load Balancers with floating IP", - "defaultValue": "No", + "defaultValue": "Yes", "toolTip": "Deploy the Load Balancers with floating IP.", "constraints": { "allowedValues": [ @@ -1478,6 +1478,35 @@ }, "visible": "[steps('network').NSG]" }, + { + "name": "storageAccountDeployMode", + "type": "Microsoft.Common.DropDown", + "label": "Storage Account Deployment Mode", + "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account", + "defaultValue": "New", + "constraints": { + "allowedValues": [ + { + "label": "New", + "value": "New" + }, + { + "label": "Existing", + "value": "Existing" + }, + { + "label": "Managed", + "value": "Managed" + }, + { + "label": "None", + "value": "None" + } + ], + "required": true + }, + "visible": true + }, { "name": "addStorageAccountIpRules", "type": "Microsoft.Common.OptionsGroup", 
@@ -1495,9 +1524,48 @@ "value": true } ], - "required": true + "required": "[equals(steps('network').storageAccountDeployMode, 'New')]" }, - "visible": true + "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]" + }, + { + "name": "existingStorageAccount", + "type": "Microsoft.Solutions.ResourceSelector", + "label": "Storage Account", + "defaultValue": "null", + "toolTip": "Choose an existing Storage Account", + "resourceType": "Microsoft.Storage/storageAccounts", + "constraints": { + "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]" + }, + "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]" + }, + { + "name": "infoExistingStorageAccount", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]", + "options": { + "icon": "Info", + "text": "The Storage Account must allow network access from the Serial Console feature, for more information - Serial Console Security." + } + }, + { + "name": "infoManagedStorageAccount", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]", + "options": { + "icon": "Info", + "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required." + } + }, + { + "name": "warningNoneStorageAccount", + "type": "Microsoft.Common.InfoBox", + "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]", + "options": { + "icon": "Warning", + "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - Azure Serial Console." + } } ] }, 
@@ -1571,7 +1639,9 @@ "deployNewNSG": "[steps('network').NSG]", "ExistingNSG": "[steps('network').nsgSelector]", "NewNsgName": "[steps('network').NSGName]", - "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]", + "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]", + "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]", + "existingStorageAccountId": "[steps('network').existingStorageAccount]", "VipsNumber": "[int(steps('network').Vips_Number)]", "VipNames": "[concat(steps('network').VIP_Names.VIP2_Name, ',', steps('network').VIP_Names.VIP3_Name, ',', steps('network').VIP_Names.VIP4_Name, ',', steps('network').VIP_Names.VIP5_Name, ',', steps('network').VIP_Names.VIP6_Name, ',', steps('network').VIP_Names.VIP7_Name, ',', steps('network').VIP_Names.VIP8_Name, ',', steps('network').VIP_Names.VIP9_Name, ',', steps('network').VIP_Names.VIP10_Name)]", "SerialConsolePasswordHash": "[steps('chkp-advanced').AdditionalPassword]", diff --git a/china/azure/marketplace-ha/mainTemplate.json b/china/azure/marketplace-ha/mainTemplate.json index bd2ec8f6..29a0fd47 100644 --- a/china/azure/marketplace-ha/mainTemplate.json +++ b/china/azure/marketplace-ha/mainTemplate.json @@ -66,7 +66,7 @@ "no", "yes" ], - "defaultValue": "no", + "defaultValue": "yes", "metadata": { "description": "Deploy the Load Balancers with floating IP" } @@ -279,7 +279,7 @@ "_artifactsLocation": { "type": "string", "metadata": { - "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/" + "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/" }, "defaultValue": "[deployment().properties.templateLink.uri]" }, 
@@ -335,19 +335,39 @@
 "type": "string",
 "defaultValue": ""
 },
+ "storageAccountDeployMode": {
+ "type": "string",
+ "defaultValue": "New",
+ "metadata": {
+ "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation."
+ },
+ "allowedValues": [
+ "New",
+ "Existing",
+ "Managed",
+ "None"
+ ]
+ },
 "addStorageAccountIpRules": {
 "type": "bool",
 "metadata": {
- "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+ "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
 },
 "defaultValue": false
 },
 "storageAccountAdditionalIps": {
 "type": "array",
 "metadata": {
- "description": "IPs/CIDRs that are allowed access to the Storage Account"
+ "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
 },
 "defaultValue": []
+ },
+ "existingStorageAccountId": {
+ "type": "string",
+ "metadata": {
+ "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'."
+ },
+ "defaultValue": ""
 }
 },
 "variables": {
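Review bot: The new `addStorageAccountIpRules` description cites the same learn.microsoft.com anchor twice (`…, based on <url>, based on <url>.`); the marketplace-management counterpart at `@@ -251,19 +251,39 @@` cites it once, so drop the second `based on …` clause here. `existingStorageAccountId` accepts any string and defaults to `""`, yet `Existing` mode dereferences it with `reference()` in the VM resource, so a direct template deployment that omits the ID fails late with a generic reference error rather than a validation message; an ARM parameter cannot be "required only in one mode", so state it in the description, e.g. `"description": "Resource ID of the existing Storage Account; required and non-empty when 'Storage Account Deploy Mode' is 'Existing'. The template does not change this account's network rules, so restrict it to the Serial Console addresses rather than all networks."`. The descriptions also refer to `'Storage Account Deploy Mode'` while the portal label added in this commit is `Storage Account Deployment Mode`; use one name.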
@@ -384,219 +404,773 @@ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", "serialConsoleGeographies": { "eastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "southeastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "australiacentral": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiacentral2": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiaeast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiasoutheast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "brazilsouth": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "brazilsoutheast": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "canadacentral": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", + "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "canadaeast": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", 
+ "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "northeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "westeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "francecentral": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "francesouth": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "germanynorth": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "germanywestcentral": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "centralindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "southindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "westindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "japaneast": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + 
"20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "japanwest": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + "20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "koreacentral": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "koreasouth": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "norwaywest": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "norwayeast": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "switzerlandnorth": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "switzerlandwest": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "uaecentral": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uaenorth": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uksouth": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + "20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "ukwest": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + 
"20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "swedencentral": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "swedensouth": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "centralus": [ - "20.98.146.84", - "20.98.194.64", + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", 
"20.83.222.102", - "20.83.222.100" - ], - "northcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "northcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "southcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "southcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus3": [ "20.98.146.84", + 
"20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus3": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + 
"52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "eastus2euap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "centraluseuap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "usgovarizona": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - "52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "usgovvirginia": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - 
"52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "usgovtexas": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - "52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "chinanorth": [ "139.217.51.16", @@ -732,7 +1306,7 @@ "count": 2, "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", - "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]", "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha2-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", "ExsitingNsgRoleAssignmentURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/existing-nsg-RoleAssignment', '.json'))]", "sicKey": "[parameters('sicKey')]", 
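Review bot: Every US region key (`centralus` through `westus`, plus `eastus2euap` and `centraluseuap`) now holds the same address list pasted verbatim, and the regional pairs (`eastasia`/`southeastasia`, the `australia*` entries, `brazilsouth`/`brazilsoutheast`, …) likewise carry identical copies, so each future refresh has to be applied by hand to every copy; the removed `91.234.136.63` (a mistyped `191.234.136.63`) shows how such copies drift. These lists are the storage-firewall allow-list applied when `addStorageAccountIpRules` is true, so one stale copy can quietly lock the Serial Console out of that region's boot-diagnostics account. Define each geography once (for example `"serialConsoleIpsUs": [ … ]`) and point the region keys at it with `"centralus": "[variables('serialConsoleIpsUs')]"`, which ARM permits since variables may reference other variables. The snapshot carries no source or date; JSON has no comments, but the template's top-level `metadata` object (ignored by ARM) can hold `"serialConsoleIpsSnapshot": "<date placeholder>"` beside the doc URL already cited in the parameter description. The same hunk recurs in marketplace-management/mainTemplate.json at `@@ -290,219 +310,773 @@`.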
@@ -877,13 +1451,14 @@
 "properties": {
 "mode": "Incremental",
 "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "resources": []
 }
 }
 },
 {
+ "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]",
 "type": "Microsoft.Storage/storageAccounts",
 "name": "[variables('storageAccountName')]",
 "apiVersion": "2022-09-01",
@@ -901,7 +1476,7 @@
 "sku": {
 "name": "[variables('storageAccountType')]"
 },
- "kind": "Storage",
+ "kind": "StorageV2",
 "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
 },
 {
@@ -1206,7 +1781,7 @@
 },
 {
 "type": "Microsoft.Compute/virtualMachines",
- "apiVersion": "2022-11-01",
+ "apiVersion": "2023-09-01",
 "dependsOn": [
 "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
 "[resourceId('Microsoft.Compute/availabilitySets', variables('availabilitySetName'))]",
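Review bot: The inline nested template's `$schema` moves back from `2019-04-01` to `2015-01-01`; for a placeholder with `"resources": []` the older schema is harmless, but next to the API-version bumps elsewhere in this commit it reads as a regression, so if it is deliberate alignment with the global template a word in the commit message would stop the next reviewer from reverting it.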
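Review bot: Switching the account to `StorageV2` does not by itself change its network or transport posture, and the `properties` block that would is outside this hunk; since this account receives the gateways' boot-diagnostics output, confirm it sets `"supportsHttpsTrafficOnly": true`, `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false`, and that the `networkAcls` default-deny is still applied when `addStorageAccountIpRules` is true. If those are already present nothing is needed here.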
@@ -1227,10 +1802,7 @@
 "UserData": "[base64(concat(variables('customData')[copyIndex()], 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefixes.value[0], reference('networkExistingSetup').outputs.vnetAddressPrefixes.value[0]), '\"', '\n'))]",
 "availabilitySet": "[if(not(variables('useAZ')), variables('availabilitySetProperty'), json('null'))]",
 "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": "true",
- "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob]"
- }
+ "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
 },
 "hardwareProfile": {
 "vmSize": "[parameters('vmSize')]"
@@ -1332,7 +1904,7 @@
 "properties": {
 "roleDefinitionId": "[variables('roleDefinitionIds')[if(greater(copyIndex(1), 2), 1, 0)]]",
 "scope": "[resourceGroup().id]",
- "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2'))), '2022-11-01', 'Full').identity.principalId]"
+ "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2'))), '2023-09-01', 'Full').identity.principalId]"
 },
 "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]"
 },
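Review bot: The `Existing` branch calls `reference(parameters('existingStorageAccountId'), '2023-05-01')` with no guard that the ID is non-empty, and the parameter defaults to `""`, so selecting `Existing` without an ID (the portal enforces it, a direct template deployment does not) fails at VM creation with a generic reference error rather than a validation message. In `Existing` mode the template applies no network rules to the selected account (the IP-rule parameters are documented as `New`-only), so the boot-diagnostics data lands in whatever account the user chose; document on `existingStorageAccountId` that it should restrict network access to the Serial Console addresses rather than all networks. The `'2023-05-01'` used in both `reference()` calls differs from the `2022-09-01` the storage resource is declared with in `@@ -877,13 +1451,14 @@`; harmless, but a single version is easier to maintain. The four-way `if(createObject(...))` chain on one line is hard to audit; a `reference()` cannot move into a variable, but splitting the expression across lines would help reviewers.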
@@ -1367,10 +1939,10 @@ "value": "[variables('roleDefinitionIds')[copyIndex()]]" }, "principalId1": { - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1')), '2022-11-01', 'Full').identity.principalId]" + "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1')), '2023-09-01', 'Full').identity.principalId]" }, "principalId2": { - "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '2')), '2022-11-01', 'Full').identity.principalId]" + "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '2')), '2023-09-01', 'Full').identity.principalId]" }, "index": { "value": "[copyIndex()]" diff --git a/china/azure/marketplace-management/README.md b/china/azure/marketplace-management/README.md index 0371dd80..8a626c31 100644 --- a/china/azure/marketplace-management/README.md +++ b/china/azure/marketplace-management/README.md @@ -11,11 +11,11 @@ Benefits: · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management - + Deploy to Azure -To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-management%2FmainTemplate.json) +To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-management%2FmainTemplate.json) diff --git a/china/azure/marketplace-management/createUiDefinition.json b/china/azure/marketplace-management/createUiDefinition.json index 79b76ad6..12dbd960 100644 
--- a/china/azure/marketplace-management/createUiDefinition.json
+++ b/china/azure/marketplace-management/createUiDefinition.json
@@ -712,6 +712,35 @@
 "validationMessage": "Only alphanumeric characters are allowed, and the name must be 1-30 characters long."
 },
 "visible": "[steps('network').NSG]"
+ },
+ {
+ "name": "storageAccountDeployMode",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Storage Account Deployment Mode",
+ "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account",
+ "defaultValue": "New",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "New",
+ "value": "New"
+ },
+ {
+ "label": "Existing",
+ "value": "Existing"
+ },
+ {
+ "label": "Managed",
+ "value": "Managed"
+ },
+ {
+ "label": "None",
+ "value": "None"
+ }
+ ],
+ "required": true
+ },
+ "visible": true
 },
 {
 "name": "addStorageAccountIpRules",
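Review bot: The dropdown's `toolTip` reads awkwardly (`New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account`); rewrite it as `"toolTip": "New: create a Storage Account. Existing: use a Storage Account you select. Managed: let Azure use a managed Storage Account. None: deploy without a Storage Account (the Serial Console will be unavailable)."`. The label `Storage Account Deployment Mode` also differs from the `'Storage Account Deploy Mode'` that the mainTemplate parameter descriptions in this commit point users to; pick one wording for both.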
@@ -730,9 +759,48 @@
 "value": true
 }
 ],
- "required": true
+ "required": "[equals(steps('network').storageAccountDeployMode, 'New')]"
 },
- "visible": true
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]"
+ },
+ {
+ "name": "existingStorageAccount",
+ "type": "Microsoft.Solutions.ResourceSelector",
+ "label": "Storage Account",
+ "defaultValue": "null",
+ "toolTip": "Choose an existing Storage Account",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "constraints": {
+ "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+ },
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+ },
+ {
+ "name": "infoExistingStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]",
+ "options": {
+ "icon": "Info",
+ "text": "The Storage Account must allow network access from the Serial Console feature, for more information - Serial Console Security."
+ }
+ },
+ {
+ "name": "infoManagedStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]",
+ "options": {
+ "icon": "Info",
+ "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required."
+ }
+ },
+ {
+ "name": "warningNoneStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]",
+ "options": {
+ "icon": "Warning",
+ "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - Azure Serial Console."
+ }
 }
 ]
 },
@@ -786,7 +854,7 @@
 "bootstrapScript": "[steps('chkp-advanced').bootstrapScript]",
 "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp-advanced').allowUploadDownload, 'true')]",
 "additionalDiskSizeGB": "[int(steps('chkp-advanced').additionalDiskSizeGB)]",
- "msi": "[steps('chkp-advanced').identityAccessManagement]",
+ "msi" : "[steps('chkp-advanced').identityAccessManagement]",
 "diskType": "[if(contains('R81.10' , steps('chkp').cloudGuardVersion) , steps('chkp-advanced').VMDiskTypeOldVersions , steps('chkp-advanced').VMDiskType)]",
 "sourceImageVhdUri": "[coalesce(steps('chkp-advanced').sourceImageVhdUri, 'noCustomUri')]",
 "enableApi": "[steps('chkp-advanced').enableApi]",
@@ -794,8 +862,10 @@
 "tagsByResource": "[steps('tags').tagsByResource]",
 "deployNewNSG": "[steps('network').NSG]",
 "ExistingNSG": "[steps('network').nsgSelector]",
- "NewNsgName": "[steps('network').NSGName]",
- "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]",
+ "NewNsgName": "[steps('network').NSGName]",
+ "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]",
+ "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
+ "existingStorageAccountId": "[steps('network').existingStorageAccount]",
 "SerialConsolePasswordHash": "[steps('chkp-advanced').AdditionalPassword]",
 "MaintenanceModePasswordHash": "[steps('chkp-advanced').MaintenanceModePassword]"
 }
diff --git a/china/azure/marketplace-management/mainTemplate.json b/china/azure/marketplace-management/mainTemplate.json
index d7e1777d..0cd42651 100644
--- a/china/azure/marketplace-management/mainTemplate.json
+++ b/china/azure/marketplace-management/mainTemplate.json
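Review bot: `"msi" : "[steps('chkp-advanced').identityAccessManagement]"` is a whitespace-only change that introduces a space before the colon no other property in this outputs object has; keep the original `"msi": "[steps('chkp-advanced').identityAccessManagement]",`. In the next hunk the `NewNsgName` line is removed and re-added with identical text, so that too is presumably an indentation-only change worth dropping from the patch.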
@@ -224,7 +224,7 @@
 "_artifactsLocation": {
 "type": "string",
 "metadata": {
- "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/"
+ "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/"
 },
 "defaultValue": "[deployment().properties.templateLink.uri]"
 },
@@ -251,19 +251,39 @@
 "type": "string",
 "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
 },
+ "storageAccountDeployMode": {
+ "type": "string",
+ "defaultValue": "New",
+ "metadata": {
+ "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation."
+ },
+ "allowedValues": [
+ "New",
+ "Existing",
+ "Managed",
+ "None"
+ ]
+ },
 "addStorageAccountIpRules": {
 "type": "bool",
 "metadata": {
- "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+ "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
 },
 "defaultValue": false
 },
 "storageAccountAdditionalIps": {
 "type": "array",
 "metadata": {
- "description": "IPs/CIDRs that are allowed access to the Storage Account"
+ "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
 },
 "defaultValue": []
+ },
+ "existingStorageAccountId": {
+ "type": "string",
+ "metadata": {
+ "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'."
+ },
+ "defaultValue": ""
 }
 },
 "variables": {
@@ -290,219 +310,773 @@ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", "serialConsoleGeographies": { "eastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "southeastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "australiacentral": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiacentral2": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiaeast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiasoutheast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "brazilsouth": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "brazilsoutheast": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "canadacentral": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", + "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "canadaeast": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", 
+ "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "northeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "westeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "francecentral": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "francesouth": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "germanynorth": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "germanywestcentral": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "centralindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "southindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "westindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "japaneast": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + 
"20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "japanwest": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + "20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "koreacentral": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "koreasouth": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "norwaywest": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "norwayeast": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "switzerlandnorth": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "switzerlandwest": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "uaecentral": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uaenorth": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uksouth": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + "20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "ukwest": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + 
"20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "swedencentral": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "swedensouth": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "centralus": [ - "20.98.146.84", - "20.98.194.64", + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", 
"20.83.222.102", - "20.83.222.100" - ], - "northcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "northcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "southcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "southcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus3": [ "20.98.146.84", + 
"20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus3": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + 
"52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "eastus2euap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "centraluseuap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "usgovarizona": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - "52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "usgovvirginia": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - 
"52.127.55.131"
+ "20.141.10.131",
+ "20.141.13.121",
+ "20.141.15.104",
+ "52.127.55.131",
+ "52.235.252.252",
+ "52.235.252.253",
+ "52.243.247.124",
+ "52.245.155.139",
+ "52.245.156.185",
+ "62.10.196.24",
+ "62.10.196.25",
+ "62.10.84.240",
+ "62.11.6.64",
+ "62.11.6.65"
 ],
 "usgovtexas": [
+ "20.140.104.48",
+ "20.140.105.3",
+ "20.140.144.58",
+ "20.140.144.59",
+ "20.140.147.168",
+ "20.140.53.121",
 "20.141.10.130",
- "52.127.55.131"
+ "20.141.10.131",
+ "20.141.13.121",
+ "20.141.15.104",
+ "52.127.55.131",
+ "52.235.252.252",
+ "52.235.252.253",
+ "52.243.247.124",
+ "52.245.155.139",
+ "52.245.156.185",
+ "62.10.196.24",
+ "62.10.196.25",
+ "62.10.84.240",
+ "62.11.6.64",
+ "62.11.6.65"
 ],
 "chinanorth": [
 "139.217.51.16",
@@ -582,7 +1156,7 @@
 "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
 "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
 "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
- "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]",
+ "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]",
 "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
 "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]",
 "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]",
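Review bot: For an Azure China template the regions that matter are the `china*` entries, yet the only China entry visible in this hunk (`"chinanorth"`, at its end) is unchanged context while every global and US Gov list is rewritten; please confirm the China lists were checked against the same Microsoft source, because once `addStorageAccountIpRules` is enabled a stale allowlist silently locks the Serial Console out of the boot-diagnostics account. The same list is embedded verbatim in six templates per the diffstat, which is presumably how the apparently truncated `91.234.136.63` entry (now `191.234.136.63`) survived until this sync; a single shared nested template or linked variable file would remove that drift. Consider recording the snapshot date next to the list, e.g. a `serialConsoleGeographiesUpdated` variable, so the next alignment can tell at a glance how old it is.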
@@ -599,13 +1173,14 @@
 "properties": {
 "mode": "Incremental",
 "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "resources": []
 }
 }
 },
 {
+ "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]",
 "type": "Microsoft.Storage/storageAccounts",
 "name": "[variables('storageAccountName')]",
 "apiVersion": "2022-09-01",
@@ -623,7 +1198,7 @@
 "sku": {
 "name": "[variables('storageAccountType')]"
 },
- "kind": "Storage",
+ "kind": "StorageV2",
 "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
 },
 {
@@ -720,6 +1295,7 @@
 },
 {
 "condition": "[parameters('deployNewNSG')]",
+ "dependsOn": ["[variables('publicIPAddressId')]"],
 "type": "Microsoft.Network/networkSecurityGroups",
 "apiVersion": "2020-06-01",
 "location": "[variables('location')]",
@@ -837,6 +1413,20 @@
 "priority": "170",
 "direction": "Inbound"
 }
+ },
+ {
+ "name": "Allow-self-IP-inbound",
+ "properties": {
+ "description": "Allow inbound traffic from the VM's public IP address",
+ "protocol": "*",
+ "sourcePortRange": "*",
+ "destinationPortRange": "*",
+ "sourceAddressPrefix": "[reference(variables('publicIPAddressId')).IpAddress]",
+ "destinationAddressPrefix": "*",
+ "access": "Allow",
+ "priority": "180",
+ "direction": "Inbound"
+ }
 }
 ]
 },
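Review bot: The nested empty template's `$schema` moves backwards from 2019-04-01 to 2015-01-01 in the first hunk, which does not match the commit's stated goal of aligning with global; if this is deliberate for Azure China, say so in the commit message, otherwise keep `"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"`. The new `condition` on the storage account is correct by itself, but any other resource in this file that still references `resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))` unconditionally (the IP-rules resource behind `addStorageAccountIpRules` is the obvious candidate) now fails for the Existing/Managed/None modes; those resources are outside this hunk, so please check them.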
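Review bot: Changing `kind` from `Storage` to `StorageV2` in the second hunk is a one-way in-place upgrade for accounts created by earlier Incremental deployments of this template, which deserves a line in the commit message and README. Since the account becomes a general-purpose v2 account, make sure its `properties` block (outside this hunk) pins `"supportsHttpsTrafficOnly": true`, `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false`; the boot-diagnostics blob endpoint is the only consumer and needs none of the relaxed defaults.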
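Review bot: `sourceAddressPrefix` in the new `Allow-self-IP-inbound` rule (fourth hunk) reads `reference(variables('publicIPAddressId')).IpAddress` while the NSG is being created; for a public IP with Dynamic allocation the address is only assigned once a NIC attaches it, and since the NIC normally depends on the NSG, the reference resolves to an empty prefix and the deployment fails — the `dependsOn` added in the third hunk orders the resources but does not change that. Confirm the public IP resource, which is outside these hunks, uses `"publicIPAllocationMethod": "Static"`, or make the rule conditional on it. The rule also allows every protocol and port from that address; if the hairpin traffic it exists for only needs specific ports, list them in `destinationPortRanges` and name the use case in the `description`, since `"*"` rules tend to pass later audits unquestioned.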
@@ -907,10 +1497,7 @@
 "properties": {
 "UserData": "[variables('customData64')]",
 "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": "true",
- "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob]"
- }
+ "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
 },
 "hardwareProfile": {
 "vmSize": "[parameters('vmSize')]"
diff --git a/china/azure/marketplace-mds/README.md b/china/azure/marketplace-mds/README.md
index dfd4de9d..d3797206 100644
--- a/china/azure/marketplace-mds/README.md
+++ b/china/azure/marketplace-mds/README.md
@@ -11,12 +11,12 @@
 Benefits: · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management - Deploy to Azure
-To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-mds%2FmainTemplate.json)
+To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-mds%2FmainTemplate.json)
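Review bot: In the `Existing` branch of the new `bootDiagnostics` expression, `reference(parameters('existingStorageAccountId'), '2023-05-01')` is evaluated with whatever the caller passed, and that parameter defaults to `""`, so selecting Existing without an ID fails at VM creation with a generic reference error instead of a validation error. The read also requires the deploying identity to have read access on that account, which may live in another resource group or subscription; document both in the parameter description or add a UI-side check. Converting the old `"enabled": "true"` string to the boolean `true()` is a welcome fix. The enclosing `properties` object continues outside the hunk.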
diff --git a/china/azure/marketplace-mds/createUiDefinition.json b/china/azure/marketplace-mds/createUiDefinition.json
index 125e6e1e..e267adac 100644
--- a/china/azure/marketplace-mds/createUiDefinition.json
+++ b/china/azure/marketplace-mds/createUiDefinition.json
@@ -296,7 +296,7 @@
 }
 },
 {
- "visible": "[bool(basics('auth').sshPublicKey)]",
+ "visible": "[bool(basics('auth').sshPublicKey)]",
 "name": "EnableSerialConsolePassword",
 "type": "Microsoft.Common.OptionsGroup",
 "label": "Enable Serial console password",
@@ -624,6 +624,35 @@
 },
 "visible": "[steps('network').NSG]"
 },
+ {
+ "name": "storageAccountDeployMode",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Storage Account Deployment Mode",
+ "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account",
+ "defaultValue": "New",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "New",
+ "value": "New"
+ },
+ {
+ "label": "Existing",
+ "value": "Existing"
+ },
+ {
+ "label": "Managed",
+ "value": "Managed"
+ },
+ {
+ "label": "None",
+ "value": "None"
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ },
 {
 "name": "addStorageAccountIpRules",
 "type": "Microsoft.Common.OptionsGroup",
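Review bot: The `toolTip` of the new `storageAccountDeployMode` drop-down in the second hunk does not tell the user what Managed and None actually do, and its phrasing ("New to a new Storage Account") is hard to parse. Suggest `"toolTip": "Storage Account used for boot diagnostics: New creates one, Existing lets you select one, Managed uses Azure-managed boot diagnostics storage, None disables boot diagnostics and the Serial Console."`, which matches the bootDiagnostics expression in mainTemplate.json and the warning box shown for None. The first hunk is whitespace-only.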
@@ -641,9 +670,48 @@
 "value": true
 }
 ],
- "required": true
+ "required": "[equals(steps('network').storageAccountDeployMode, 'New')]"
 },
- "visible": true
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]"
+ },
+ {
+ "name": "existingStorageAccount",
+ "type": "Microsoft.Solutions.ResourceSelector",
+ "label": "Storage Account",
+ "defaultValue": "null",
+ "toolTip": "Choose an existing Storage Account",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "constraints": {
+ "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+ },
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+ },
+ {
+ "name": "infoExistingStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]",
+ "options": {
+ "icon": "Info",
+ "text": "The Storage Account must allow network access from the Serial Console feature, for more information - Serial Console Security."
+ }
+ },
+ {
+ "name": "infoManagedStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]",
+ "options": {
+ "icon": "Info",
+ "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required."
+ }
+ },
+ {
+ "name": "warningNoneStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]",
+ "options": {
+ "icon": "Warning",
+ "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - Azure Serial Console."
+ }
 }
 ]
 },
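Review bot: The `infoExistingStorageAccount` and `warningNoneStorageAccount` boxes end with "for more information - Serial Console Security." and "For more information - Azure Serial Console." as though a link followed, but none is configured; `Microsoft.Common.InfoBox` renders a link from `options.uri`, so add the documentation URL there (the serial-console page already cited in the `addStorageAccountIpRules` parameter description is the natural target) or drop the dangling phrase. `"defaultValue": "null"` on the `existingStorageAccount` ResourceSelector is the literal string `"null"`, not an empty value; confirm that is what the control expects, otherwise remove the property.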
@@ -705,8 +773,10 @@
 "tagsByResource": "[steps('tags').tagsByResource]",
 "deployNewNSG": "[steps('network').NSG]",
 "ExistingNSG": "[steps('network').nsgSelector]",
- "NewNsgName": "[steps('network').NSGName]",
- "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]",
+ "NewNsgName": "[steps('network').NSGName]",
+ "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]",
+ "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
+ "existingStorageAccountId": "[steps('network').existingStorageAccount]",
 "SerialConsolePasswordHash": "[steps('chkp-advanced').AdditionalPassword]",
 "MaintenanceModePasswordHash": "[steps('chkp-advanced').MaintenanceModePassword]"
 }
diff --git a/china/azure/marketplace-mds/mainTemplate.json b/china/azure/marketplace-mds/mainTemplate.json
index 852acf6e..08efa566 100644
--- a/china/azure/marketplace-mds/mainTemplate.json
+++ b/china/azure/marketplace-mds/mainTemplate.json
@@ -219,7 +219,7 @@
 "_artifactsLocation": {
 "type": "string",
 "metadata": {
- "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/"
+ "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/"
 },
 "defaultValue": "[deployment().properties.templateLink.uri]"
 },
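Review bot: `"addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]"` in the first hunk drops the space after the colon that every other output line has; restore it as `"addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]"`. The `NewNsgName` line is removed and re-added with no visible change, which reads as whitespace churn in an already large diff. The `existingStorageAccountId` output forwards the ResourceSelector value unchanged, so the selector's conditional `required` is the only guard against an empty ID reaching `reference()` in the template; keep that in mind if the UI control is ever made optional.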
@@ -246,19 +246,39 @@
 "type": "string",
 "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
 },
+ "storageAccountDeployMode": {
+ "type": "string",
+ "defaultValue": "New",
+ "metadata": {
+ "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation."
+ },
+ "allowedValues": [
+ "New",
+ "Existing",
+ "Managed",
+ "None"
+ ]
+ },
 "addStorageAccountIpRules": {
 "type": "bool",
 "metadata": {
- "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+ "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
 },
 "defaultValue": false
 },
 "storageAccountAdditionalIps": {
 "type": "array",
 "metadata": {
- "description": "IPs/CIDRs that are allowed access to the Storage Account"
+ "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
 },
 "defaultValue": []
+ },
+ "existingStorageAccountId": {
+ "type": "string",
+ "metadata": {
+ "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'."
+ },
+ "defaultValue": ""
 }
 },
 "variables": {
@@ -279,219 +299,789 @@ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", "serialConsoleGeographies": { "eastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "southeastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "australiacentral": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiacentral2": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiaeast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiasoutheast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "brazilsouth": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "brazilsoutheast": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "canadacentral": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", + "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "canadaeast": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", 
+ "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "northeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "westeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "francecentral": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "francesouth": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "germanynorth": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "germanywestcentral": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "centralindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "southindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "westindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "japaneast": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + 
"20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "japanwest": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + "20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "koreacentral": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "koreasouth": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "norwaywest": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "norwayeast": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "switzerlandnorth": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "switzerlandwest": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "uaecentral": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uaenorth": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uksouth": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + "20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "ukwest": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + 
"20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "swedencentral": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "swedensouth": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "centralus": [ - "20.98.146.84", - "20.98.194.64", + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", 
"20.83.222.102", - "20.83.222.100" - ], - "northcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "northcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "southcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "southcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus3": [ "20.98.146.84", + 
"20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus3": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + 
"52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "eastus2euap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "centraluseuap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "usgovarizona": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - "52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "usgovvirginia": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - 
"52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "usgovtexas": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - "52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" + ], + "chinanorth": [ + "139.217.51.16", + "139.217.171.176" + ], + "chinanorth2": [ + "40.73.96.39", + "40.73.33.105" + ], + "chinaeast": [ + "139.217.171.176", + "139.217.51.16" + ], + "chinaeast2": [ + "40.73.33.105", + "40.73.96.39" ] }, "serialConsoleIps": "[if(contains(variables('serialConsoleGeographies'),variables('location')),variables('serialConsoleGeographies')[variables('location')],createArray())]", 
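Review bot: The per-region arrays are verbatim copies — eastasia/southeastasia, the four australia* regions, both brazil regions, the japan, korea, norway, switzerland, uae, uk and sweden pairs, the three india regions, and every US/EUAP region share one 31-entry list, the three usgov regions another — and the diffstat shows the same block landing in six mainTemplate.json files, so the next Microsoft update must be applied identically in dozens of places. Define each geography's list once (for example a `serialConsoleIpsUs` variable) and point the region keys at it, `"eastus": "[variables('serialConsoleIpsUs')]"`, which ARM permits since variables may reference other variables. Because this is a snapshot of published Serial Console addresses, record where and when it was taken (a top-level `metadata` entry or the README, since JSON has no comments) — a stale list denies the console rather than failing loudly and is hard to diagnose from the VM side. The `serialConsoleIps` fallback to `createArray()` for an unlisted location means a region missing from this map contributes no Serial Console entries at all; whether the resulting network ACL then blocks the console or is left open depends on how it is assembled outside this hunk, so that path deserves a check. If these China templates only ever deploy into the china* regions, the global and US-Gov blocks are dead data that still has to be maintained.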
@@ -547,7 +1137,7 @@
 "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPAddressName'))]",
 "bootstrapScript64": "[base64(parameters('bootstrapScript'))]",
 "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]",
- "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]",
+ "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]",
 "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-1-subnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]",
 "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]",
 "deployNewVnet": "[equals(parameters('vnetNewOrExisting'), 'new')]",
@@ -564,13 +1154,14 @@
 "properties": {
 "mode": "Incremental",
 "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "resources": []
 }
 }
 },
 {
+ "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]",
 "type": "Microsoft.Storage/storageAccounts",
 "name": "[variables('storageAccountName')]",
 "apiVersion": "2022-09-01",
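Review bot: The nested deployment's `$schema` moves back from `2019-04-01` to `2015-01-01`, which is a downgrade rather than an alignment with anything else in this hunk; if it is deliberate for the China cloud, say so in the commit message, otherwise keep `"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"`. The new `condition` is right for 'New', but as far as this diff shows it also means that in 'Existing' mode nothing in the template applies network rules or TLS/public-access settings to the account that will receive the VM's boot diagnostics — that account's own configuration now decides who can read serial output, and the parameter descriptions should say so. The resource is declared with `apiVersion` `2022-09-01` while the bootDiagnostics expression reads it back with `reference(..., '2023-05-01')`; harmless today, but one version in both places avoids surprises when they diverge.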
@@ -588,7 +1179,7 @@
 "sku": {
 "name": "[variables('storageAccountType')]"
 },
- "kind": "Storage",
+ "kind": "StorageV2",
 "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
 },
 {
@@ -872,10 +1463,7 @@
 "properties": {
 "UserData": "[variables('customData64')]",
 "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": "true",
- "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob]"
- }
+ "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
 },
 "hardwareProfile": {
 "vmSize": "[parameters('vmSize')]"
diff --git a/china/azure/marketplace-single/README.md b/china/azure/marketplace-single/README.md
index 70e2b3ef..361b6517 100644
--- a/china/azure/marketplace-single/README.md
+++ b/china/azure/marketplace-single/README.md
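Review bot: Switching `kind` to `StorageV2` brings the v2 defaults with it, and the `properties` block that should pin `minimumTlsVersion`, `supportsHttpsTrafficOnly` and `allowBlobPublicAccess` lies outside this hunk; please confirm those are set explicitly there, since the boot-diagnostics blobs in this account hold the VM's serial output. Note also that a general-purpose v1 to v2 change is not reversible in Azure, so an Incremental redeploy over an account created as `Storage` should convert it in place — acceptable, but worth a line in the commit message.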
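Review bot: The single-line `bootDiagnostics` expression nests three `if()` and two `reference()` calls, which is hard to audit and cannot be commented in JSON; `reference()` may not appear in `variables`, but the mode tests can, so `"isNewStorage": "[equals(parameters('storageAccountDeployMode'), 'New')]"` and siblings would shrink this line to the two `reference()` branches and let the storage account's `condition` reuse the same variable. In the 'Existing' branch `reference(parameters('existingStorageAccountId'), '2023-05-01')` is applied to a free-form string whose default is `""`; an empty or malformed ID fails at deployment with a generic reference error, so the parameter description should spell out the full-resource-ID form, and an account in another subscription or resource group additionally requires the deployer to hold read access on it. From a data-exposure angle, the serial log and screenshot written under `storageUri` are readable by anyone with data-plane access to that account; in 'New' mode the template's IP rules constrain that, in 'Existing' mode nothing here does, so the 'Existing' guidance should state that the account is expected to be locked down by its owner.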
@@ -11,12 +11,12 @@ Benefits: · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management - + Deploy to Azure -To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-single%2FmainTemplate.json) +To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-single%2FmainTemplate.json) diff --git a/china/azure/marketplace-single/createUiDefinition.json b/china/azure/marketplace-single/createUiDefinition.json index e19c85b8..4759eaa2 100644 --- a/china/azure/marketplace-single/createUiDefinition.json +++ b/china/azure/marketplace-single/createUiDefinition.json @@ -1190,6 +1190,35 @@ }, "visible": "[steps('network').NSG]" }, + { + "name": "storageAccountDeployMode", + "type": "Microsoft.Common.DropDown", + "label": "Storage Account Deployment Mode", + "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account", + "defaultValue": "New", + "constraints": { + "allowedValues": [ + { + "label": "New", + "value": "New" + }, + { + "label": "Existing", + "value": "Existing" + }, + { + "label": "Managed", + "value": "Managed" + }, + { + "label": "None", + "value": "None" + } + ], + "required": true + }, + "visible": true + }, { "name": "addStorageAccountIpRules", "type": "Microsoft.Common.OptionsGroup", 
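Review bot: The `toolTip` on the `storageAccountDeployMode` DropDown is missing its verbs ("New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account") and omits the consequence that the `None` warning box later spells out. Suggested text: `"toolTip": "New creates a Storage Account for boot diagnostics; Existing reuses one you select; Managed uses an Azure-managed account; None deploys without one, which disables the Serial Console."`. The same DropDown presumably lands in the other five createUiDefinition.json files in the diffstat; apply the wording there too.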
@@ -1207,9 +1236,48 @@
 "value": true
 }
 ],
- "required": true
+ "required": "[equals(steps('network').storageAccountDeployMode, 'New')]"
 },
- "visible": true
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]"
+ },
+ {
+ "name": "existingStorageAccount",
+ "type": "Microsoft.Solutions.ResourceSelector",
+ "label": "Storage Account",
+ "defaultValue": "null",
+ "toolTip": "Choose an existing Storage Account",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "constraints": {
+ "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+ },
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+ },
+ {
+ "name": "infoExistingStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]",
+ "options": {
+ "icon": "Info",
+ "text": "The Storage Account must allow network access from the Serial Console feature, for more information - Serial Console Security."
+ }
+ },
+ {
+ "name": "infoManagedStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]",
+ "options": {
+ "icon": "Info",
+ "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required."
+ }
+ },
+ {
+ "name": "warningNoneStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]",
+ "options": {
+ "icon": "Warning",
+ "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - Azure Serial Console."
+ }
 }
 ]
 },
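Review bot: Both InfoBox texts end in what reads like a stripped hyperlink — "for more information - Serial Console Security." and "For more information - Azure Serial Console." — so the user is pointed at something they cannot reach; `Microsoft.Common.InfoBox` accepts a `"uri"` inside `options`, so add `"uri": "<SERIAL_CONSOLE_DOCS_URL>"` (the learn.microsoft.com Serial Console page already cited in the `addStorageAccountIpRules` description is a reasonable target) or drop the dangling phrase. On `existingStorageAccount`, `"defaultValue": "null"` is the four-character string, not JSON null; if the ResourceSelector honours a default at all this is unlikely to be what was intended, so check the element schema and remove the property otherwise. Nothing in this step verifies that the selected account actually permits Serial Console access as the info box demands; if that cannot be validated in the UI, the text should say plainly that a misconfigured account is likely to leave the console unusable with no error at deployment time.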
@@ -1277,7 +1345,10 @@
 "deployNewNSG": "[steps('network').NSG]",
 "ExistingNSG": "[steps('network').nsgSelector]",
 "NewNsgName": "[steps('network').NSGName]",
- "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]"
+ "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]",
+ "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
+ "existingStorageAccountId": "[steps('network').existingStorageAccount]"
 }
 }
 }
+
diff --git a/china/azure/marketplace-single/mainTemplate.json b/china/azure/marketplace-single/mainTemplate.json
index 927e838f..82cba76c 100644
--- a/china/azure/marketplace-single/mainTemplate.json
+++ b/china/azure/marketplace-single/mainTemplate.json
@@ -240,7 +240,7 @@
 "_artifactsLocation": {
 "type": "string",
 "metadata": {
- "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/"
+ "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/"
 },
 "defaultValue": "[deployment().properties.templateLink.uri]"
 },
@@ -286,19 +286,39 @@
 "type": "string",
 "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
 },
+ "storageAccountDeployMode": {
+ "type": "string",
+ "defaultValue": "New",
+ "metadata": {
+ "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation."
+ },
+ "allowedValues": [
+ "New",
+ "Existing",
+ "Managed",
+ "None"
+ ]
+ },
 "addStorageAccountIpRules": {
 "type": "bool",
 "metadata": {
- "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+ "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
 },
 "defaultValue": false
 },
 "storageAccountAdditionalIps": {
 "type": "array",
 "metadata": {
- "description": "IPs/CIDRs that are allowed access to the Storage Account"
+ "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
 },
 "defaultValue": []
+ },
+ "existingStorageAccountId": {
+ "type": "string",
+ "metadata": {
+ "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'."
+ },
+ "defaultValue": ""
 }
 },
 "variables": {
@@ -331,219 +351,773 @@ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", "serialConsoleGeographies": { "eastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "southeastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "australiacentral": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiacentral2": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiaeast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiasoutheast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "brazilsouth": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "brazilsoutheast": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "canadacentral": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", + "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "canadaeast": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", 
+ "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "northeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "westeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "francecentral": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "francesouth": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "germanynorth": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "germanywestcentral": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "centralindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "southindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "westindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "japaneast": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + 
"20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "japanwest": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + "20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "koreacentral": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "koreasouth": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "norwaywest": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "norwayeast": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "switzerlandnorth": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "switzerlandwest": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "uaecentral": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uaenorth": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uksouth": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + "20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "ukwest": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + 
"20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "swedencentral": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "swedensouth": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "centralus": [ - "20.98.146.84", - "20.98.194.64", + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", 
"20.83.222.102", - "20.83.222.100" - ], - "northcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "northcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "southcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "southcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus3": [ "20.98.146.84", + 
"20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus3": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + 
"52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "eastus2euap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "centraluseuap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "usgovarizona": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - "52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "usgovvirginia": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - 
"52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "usgovtexas": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - "52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "chinanorth": [ "139.217.51.16", @@ -657,7 +1231,7 @@ "publicIPAddressId": "[resourceId('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]", "bootstrapScript64": "[base64(parameters('bootstrapScript'))]", "allowUploadDownload": "[parameters('allowDownloadFromUploadToCheckPoint')]", - "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]", "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", "sicKey": "[parameters('sicKey')]", "managementGUIClientNetwork": "[parameters('managementGUIClientNetwork')]", 
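Review bot: The brazilsouth/brazilsoutheast lists replace `91.234.136.63` with `191.234.136.63`, apparently a dropped leading digit, which means the shipped allowlist has been admitting an unintended address through the boot-diagnostics storage firewall until now — a stale or mistyped extra entry widens access to console output, while a missing entry only breaks the Serial Console, so the refresh matters. The full per-region table is now pasted verbatim into every region of every template (the vmss copy starts at `@@ -527,219 +547,773 @@`), so the next correction must be made in six files; a single nested template or shared variable file would remove that drift. JSON has no comment syntax, so record the provenance somewhere readable, e.g. extend the `addStorageAccountIpRules` description with `IP list snapshot from <learn.microsoft.com serial console article> on <YYYY-MM-DD>` (placeholders to fill in).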
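Review bot: When the `_artifactsLocation` fallback is taken it still resolves to `https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/`, and `networkSetupURL` on the next line fetches the nested templates from there at deployment time, so such deployments pick up whatever is on `master` at that moment, unpinned and unverified. Pinning the fallback to a release tag or commit (`.../CloudGuardIaaS/<release-tag>/china/azure/templates/`, placeholder) would make the nested templates a deployment pulls reproducible. The rest of the variables block is outside this hunk.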
@@ -679,13 +1253,14 @@
 "properties": {
 "mode": "Incremental",
 "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "resources": []
 }
 }
 },
 {
+ "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]",
 "type": "Microsoft.Storage/storageAccounts",
 "name": "[variables('storageAccountName')]",
 "apiVersion": "2022-09-01",
@@ -703,7 +1278,7 @@
 "sku": {
 "name": "[variables('storageAccountType')]"
 },
- "kind": "Storage",
+ "kind": "StorageV2",
 "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
 },
 {
@@ -899,10 +1474,7 @@
 "properties": {
 "UserData": "[base64(concat(variables('customData'), '\n', 'vnet=\"', if(equals(parameters('vnetNewOrExisting'), 'new'), reference('networkNewSetup').outputs.vnetAddressPrefix.value, reference('networkExistingSetup').outputs.vnetAddressPrefix.value), '\"', '\n' ))]",
 "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": "true",
- "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob]"
- }
+ "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2023-05-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
 },
 "hardwareProfile": {
 "vmSize": "[parameters('vmSize')]"
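Review bot: `kind` moves from `Storage` to `StorageV2` on the account that receives boot-diagnostics output (console log and screenshots), but the account's `properties` block is outside this hunk, so I cannot see whether transport and access hardening is set explicitly; since the kind is being touched anyway, pin `"supportsHttpsTrafficOnly": true`, `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false` rather than relying on service defaults. Redeploying the template over an already-existing v1 account of the same name will presumably also apply the new kind, which is a one-way upgrade; that is worth a sentence in the changelog for operators who re-run the template.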
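Review bot: In `Existing` mode the new `bootDiagnostics` expression calls `reference(parameters('existingStorageAccountId'), '2023-05-01')` with whatever the parameter holds, and its default is `""` (`@@ -286,19 +286,39 @@`), so a direct template deployment that selects `Existing` without an id fails only when the VM resource is evaluated, with a reference error instead of an up-front validation error. The createUiDefinition marks the selector required, but the mainTemplate is also published for direct use, so at minimum the parameter description should spell out the full-resource-ID format and that the deploying identity needs read access to that account (it may live in another resource group), which the Existing-mode InfoBox does not mention. Replacing the quoted `"true"` with `true()` for `enabled` is a welcome type fix.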
diff --git a/china/azure/marketplace-vmss/README.md b/china/azure/marketplace-vmss/README.md index 6ac40698..5930a779 100644 --- a/china/azure/marketplace-vmss/README.md +++ b/china/azure/marketplace-vmss/README.md @@ -11,13 +11,13 @@ Benefits: · Provides consistent security policy management, enforcement, and reporting with a single pane of glass, using Check Point Unified Security Management - + Deploy to Azure -To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2FChina%2Fazure%2ftemplates%2Fmarketplace-vmss%2FmainTemplate.json) +To deploy with full control over all the template options use: [Full Control Deployment](https://portal.azure.cn/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FCheckPointSW%2FCloudGuardIaaS%2Fmaster%2Fchina%2Fazure%2ftemplates%2Fmarketplace-vmss%2FmainTemplate.json) diff --git a/china/azure/marketplace-vmss/createUiDefinition.json b/china/azure/marketplace-vmss/createUiDefinition.json index d4b49a95..df5475f4 100644 --- a/china/azure/marketplace-vmss/createUiDefinition.json +++ b/china/azure/marketplace-vmss/createUiDefinition.json @@ -99,7 +99,7 @@ "regex": "^[a-z0-9A-Z_\\-]{1,30}$", "validationMessage": "Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long." } - }, + }, { "name": "mgmtIPaddress", "type": "Microsoft.Common.TextBox", @@ -753,7 +753,7 @@ "sku": "sg-ngtx" }, "count": "[steps('chkp-advanced').vmCount]" - }, + }, { "name": "sicKeyUi", "type": "Microsoft.Common.PasswordBox", @@ -771,6 +771,7 @@ "hideConfirmation": false } } + ] }, { 
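Review bot: A lone `]` is added in `@@ -771,6 +771,7 @@` with no matching `[` added or removed in any other hunk of this file, so either the previous createUiDefinition.json did not parse or the new one does not; the collapsed rendering also shows only five of the six old lines the hunk header announces, so I cannot tell which from here. Please run the file through a strict parser before merging, e.g. `python -m json.tool china/azure/marketplace-vmss/createUiDefinition.json`. The `@@ -99` and `@@ -753` hunks are trailing-whitespace only.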
@@ -939,7 +940,7 @@
 "name": "floatingIP",
 "type": "Microsoft.Common.OptionsGroup",
 "label": "Deploy the Load Balancers with floating IP",
- "defaultValue": "No",
+ "defaultValue": "Yes",
 "toolTip": "Deploy the Load Balancers with floating IP.",
 "constraints": {
 "allowedValues": [
@@ -1573,6 +1574,35 @@
 },
 "visible": "[steps('network').NSG]"
 },
+ {
+ "name": "storageAccountDeployMode",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Storage Account Deployment Mode",
+ "toolTip": "Select your preferred Storage Account deployment mode, New to a new Storage Account, Existing to an existing Storage Account, Managed to managed Storage Account, None to deploy without a Storage Account",
+ "defaultValue": "New",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "New",
+ "value": "New"
+ },
+ {
+ "label": "Existing",
+ "value": "Existing"
+ },
+ {
+ "label": "Managed",
+ "value": "Managed"
+ },
+ {
+ "label": "None",
+ "value": "None"
+ }
+ ],
+ "required": true
+ },
+ "visible": true
+ },
 {
 "name": "addStorageAccountIpRules",
 "type": "Microsoft.Common.OptionsGroup",
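Review bot: The dropdown's `toolTip` in `@@ -1573,6 +1574,35 @@` reads awkwardly (`New to a new Storage Account, ... Managed to managed Storage Account`) and is the only in-product explanation of what the four modes do; suggest `"toolTip": "New: create a Storage Account for boot diagnostics. Existing: use a Storage Account you select. Managed: use Azure-managed boot diagnostics storage. None: deploy without boot diagnostics (Serial Console unavailable)."`, which matches what the mainTemplate expression does for each value. `"visible": true` is the element default and can be dropped.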
@@ -1590,9 +1620,48 @@
 "value": true
 }
 ],
- "required": true
+ "required": "[equals(steps('network').storageAccountDeployMode, 'New')]"
 },
- "visible": true
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'New')]"
+ },
+ {
+ "name": "existingStorageAccount",
+ "type": "Microsoft.Solutions.ResourceSelector",
+ "label": "Storage Account",
+ "defaultValue": "null",
+ "toolTip": "Choose an existing Storage Account",
+ "resourceType": "Microsoft.Storage/storageAccounts",
+ "constraints": {
+ "required": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+ },
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]"
+ },
+ {
+ "name": "infoExistingStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Existing')]",
+ "options": {
+ "icon": "Info",
+ "text": "The Storage Account must allow network access from the Serial Console feature, for more information - Serial Console Security."
+ }
+ },
+ {
+ "name": "infoManagedStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'Managed')]",
+ "options": {
+ "icon": "Info",
+ "text": "Azure will use a managed Storage Account for the deployment, no additional configuration is required."
+ }
+ },
+ {
+ "name": "warningNoneStorageAccount",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[equals(steps('network').storageAccountDeployMode, 'None')]",
+ "options": {
+ "icon": "Warning",
+ "text": "Please note that deploying without a Storage Account will not allow you to use the Serial Console feature. For more information - Azure Serial Console."
+ }
 }
 ]
 },
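Review bot: The two InfoBox texts end in `for more information - Serial Console Security.` and `For more information - Azure Serial Console.` with nothing following, which reads like a link whose target was lost; the InfoBox element takes its link as `"uri"` inside `options`, so either add one (the serial-console firewall article already cited in the mainTemplate description, `https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux`, fits the Existing case) or drop the dangling phrase. `"defaultValue": "null"` on the ResourceSelector is the string `"null"`, not a JSON null; if "no selection" is intended, confirm the control accepts that spelling. If there is a `storageAccountAdditionalIps` input elsewhere in this step, it should be hidden together with `addStorageAccountIpRules` when the mode is not `New`, as the template descriptions now state it is only relevant then.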
@@ -1680,7 +1749,9 @@
 "deployNewNSG": "[steps('network').NSG]",
 "ExistingNSG": "[steps('network').nsgSelector]",
 "NewNsgName": "[steps('network').NSGName]",
- "addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]",
+ "storageAccountDeployMode": "[steps('network').storageAccountDeployMode]",
+ "addStorageAccountIpRules":"[steps('network').addStorageAccountIpRules]",
+ "existingStorageAccountId": "[steps('network').existingStorageAccount]",
 "SerialConsolePasswordHash": "[steps('chkp-advanced').AdditionalPassword]",
 "MaintenanceModePasswordHash": "[steps('chkp-advanced').MaintenanceModePassword]"
 }
diff --git a/china/azure/marketplace-vmss/mainTemplate.json b/china/azure/marketplace-vmss/mainTemplate.json
index abcd3f4a..4c20f4f8 100644
--- a/china/azure/marketplace-vmss/mainTemplate.json
+++ b/china/azure/marketplace-vmss/mainTemplate.json
@@ -152,7 +152,7 @@
 },
 "floatingIP": {
 "type": "string",
- "defaultValue": "no",
+ "defaultValue": "yes",
 "allowedValues": [
 "no",
 "yes"
@@ -438,7 +438,7 @@
 "_artifactsLocation": {
 "type": "string",
 "metadata": {
- "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/"
+ "description": "Use the following URI when deploying a custom template: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/"
 },
 "defaultValue": "[deployment().properties.templateLink.uri]"
 },
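Review bot: The re-added `"addStorageAccountIpRules":"[…]"` line drops the space after the colon that the removed line and both of its new neighbours have; restore `"addStorageAccountIpRules": "[steps('network').addStorageAccountIpRules]"` so the outputs block stays uniformly formatted and the line does not show up as a spurious change on the next alignment with the global tree.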
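Review bot: `floatingIP` now defaults to `yes` in `@@ -152,7 +152,7 @@` (and to `Yes` in the UI hunk `@@ -939,7 +940,7 @@`), which changes load-balancer behaviour for every deployment that relies on the default, yet the only README change for the vmss template in this commit is the URL case fix. The default flip should be called out in the README/changelog and reflected in the parameter's `description` (outside this hunk) so operators do not get floating IP silently enabled on redeploy.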
@@ -480,19 +480,39 @@
 "type": "string",
 "defaultValue": "[concat(parameters('vmName'),'-nsg')]"
 },
+ "storageAccountDeployMode": {
+ "type": "string",
+ "defaultValue": "New",
+ "metadata": {
+ "description": "Choose the Storage Account mode: 'New' creates a new account, 'Existing' uses one already available, 'Managed' provisions a managed account, and 'None' skips account creation."
+ },
+ "allowedValues": [
+ "New",
+ "Existing",
+ "Managed",
+ "None"
+ ]
+ },
 "addStorageAccountIpRules": {
 "type": "bool",
 "metadata": {
- "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled"
+ "description": "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, based on https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-linux#use-serial-console-with-custom-boot-diagnostics-storage-account-firewall-enabled. Only relevant when 'Storage Account Deploy Mode' is set to 'New'"
 },
 "defaultValue": false
 },
 "storageAccountAdditionalIps": {
 "type": "array",
 "metadata": {
- "description": "IPs/CIDRs that are allowed access to the Storage Account"
+ "description": "IPs/CIDRs that are allowed access to the Storage Account. Format should be an array of strings. Only relevant when 'Storage Account Deploy Mode' is set to 'New'."
 },
 "defaultValue": []
+ },
+ "existingStorageAccountId": {
+ "type": "string",
+ "metadata": {
+ "description": "The ID of the existing Storage Account. Only relevant when 'Storage Account Deploy Mode' is set to 'Existing'."
+ },
+ "defaultValue": ""
 }
 },
 "variables": {
@@ -527,219 +547,773 @@ "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]", "serialConsoleGeographies": { "eastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "southeastasia": [ + "4.145.74.168", + "20.195.85.180", + "20.195.85.181", + "20.205.68.106", + "20.205.68.107", "20.205.69.28", - "20.195.85.180" + "23.97.88.117", + "23.98.106.151" ], "australiacentral": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiacentral2": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiaeast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "australiasoutheast": [ + "4.198.45.55", + "4.200.251.224", + "20.167.131.228", + "20.53.52.250", "20.53.53.224", - "20.70.222.112" + "20.53.55.174", + "20.70.222.112", + "20.70.222.113", + "68.218.123.133" ], "brazilsouth": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "brazilsoutheast": [ - "91.234.136.63", - "20.206.0.194" + "20.206.0.192", + "20.206.0.193", + "20.206.0.194", + "20.226.211.157", + "108.140.5.172", + "191.234.136.63", + "191.238.77.232", + "191.238.77.233" ], "canadacentral": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", + "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "canadaeast": [ + "20.175.7.183", + "20.48.201.78", + "20.48.201.79", + "20.220.7.246", 
+ "52.139.106.74", + "52.139.106.75", "52.228.86.177", "52.242.40.90" ], "northeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "westeurope": [ + "4.210.131.60", + "20.105.209.72", + "20.105.209.73", + "40.113.178.49", + "52.146.137.65", "52.146.139.220", - "20.105.209.72" + "52.146.139.221", + "98.71.107.78" ], "francecentral": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "francesouth": [ "20.111.0.244", - "52.136.191.10" + "40.80.103.247", + "51.138.215.126", + "51.138.215.127", + "52.136.191.8", + "52.136.191.9", + "52.136.191.10", + "98.66.128.35" ], "germanynorth": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "germanywestcentral": [ + "20.52.94.114", + "20.52.94.115", + "20.52.95.48", + "20.113.251.155", "51.116.75.88", - "20.52.95.48" + "51.116.75.89", + "51.116.75.90", + "98.67.183.186" ], "centralindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "southindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "westindia": [ - "20.192.168.150", - "20.192.153.104" + "4.187.107.68", + "20.192.47.134", + "20.192.47.135", + "20.192.152.150", + "20.192.152.151", + "20.192.153.104", + "20.207.175.96", + "52.172.82.199", + "98.70.20.180" ], "japaneast": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + 
"20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "japanwest": [ + "20.18.7.188", "20.43.70.205", - "20.189.228.222" + "20.89.12.192", + "20.89.12.193", + "20.189.194.100", + "20.189.228.222", + "20.189.228.223", + "20.210.144.254" ], "koreacentral": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "koreasouth": [ + "20.200.166.136", + "20.200.194.238", + "20.200.194.239", "20.200.196.96", - "52.147.119.29" + "20.214.133.81", + "52.147.119.28", + "52.147.119.29", + "52.147.119.30" ], "norwaywest": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "norwayeast": [ + "20.100.1.154", + "20.100.1.155", "20.100.1.184", - "51.13.138.76" + "20.100.21.182", + "51.13.138.76", + "51.13.138.77", + "51.13.138.78", + "51.120.183.54" ], "switzerlandnorth": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "switzerlandwest": [ + "20.199.207.188", "20.208.4.98", - "51.107.251.190" + "20.208.4.99", + "20.208.4.120", + "20.208.149.229", + "51.107.251.190", + "51.107.251.191", + "51.107.255.176" ], "uaecentral": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uaenorth": [ + "20.38.141.5", + "20.45.95.64", + "20.45.95.65", "20.45.95.66", - "20.38.141.5" + "20.203.93.198", + "20.233.132.205", + "40.120.87.50", + "40.120.87.51" ], "uksouth": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + "20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "ukwest": [ + "20.58.68.62", + "20.58.68.63", + "20.90.32.180", "20.90.132.144", - "20.58.68.62" + 
"20.90.132.145", + "51.104.30.169", + "172.187.0.26", + "172.187.65.53" ], "swedencentral": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "swedensouth": [ + "20.91.100.236", + "51.12.22.174", + "51.12.22.175", + "51.12.22.204", + "51.12.72.222", "51.12.72.223", - "51.12.22.174" + "51.12.73.92", + "172.160.216.6" ], "centralus": [ - "20.98.146.84", - "20.98.194.64", + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "eastus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "eastus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", 
"20.83.222.102", - "20.83.222.100" - ], - "northcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "northcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "southcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "southcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus2": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus2": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus3": [ "20.98.146.84", + 
"20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus3": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westcentralus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westcentralus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" - ], - "westus": [ "20.98.146.84", + "20.98.146.85", "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" + ], + "westus": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", + "20.45.242.18", + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", "20.69.5.162", + "20.83.222.100", + "20.83.222.101", "20.83.222.102", - "20.83.222.100" + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + 
"52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "eastus2euap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "centraluseuap": [ + "4.149.249.197", + "4.150.239.210", + "20.14.127.175", + "20.40.200.175", "20.45.242.18", - "20.51.21.252" + "20.45.242.19", + "20.45.242.20", + "20.47.232.186", + "20.51.21.252", + "20.69.5.160", + "20.69.5.161", + "20.69.5.162", + "20.83.222.100", + "20.83.222.101", + "20.83.222.102", + "20.98.146.84", + "20.98.146.85", + "20.98.194.64", + "20.98.194.65", + "20.98.194.66", + "20.168.188.34", + "20.241.116.153", + "52.159.214.194", + "57.152.124.244", + "68.220.123.194", + "74.249.127.175", + "74.249.142.218", + "157.55.93.0", + "168.61.232.59", + "172.183.234.204", + "172.191.219.35" ], "usgovarizona": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - "52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "usgovvirginia": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - 
"52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "usgovtexas": [ + "20.140.104.48", + "20.140.105.3", + "20.140.144.58", + "20.140.144.59", + "20.140.147.168", + "20.140.53.121", "20.141.10.130", - "52.127.55.131" + "20.141.10.131", + "20.141.13.121", + "20.141.15.104", + "52.127.55.131", + "52.235.252.252", + "52.235.252.253", + "52.243.247.124", + "52.245.155.139", + "52.245.156.185", + "62.10.196.24", + "62.10.196.25", + "62.10.84.240", + "62.11.6.64", + "62.11.6.65" ], "chinanorth": [ "139.217.51.16", @@ -854,7 +1428,7 @@ "sicKey": "[parameters('sicKey')]", "installationType": "vmss", "upgrading": "[equals(parameters('upgrading'), 'yes')]", - "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/China/azure/templates/',parameters('_artifactsLocation'))]", + "_artifactsLocation": "[if(contains(parameters('_artifactsLocation'),'raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/marketplace'),'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/china/azure/templates/',parameters('_artifactsLocation'))]", "networkSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/vnet-2-subnet-ha-', parameters('vnetNewOrExisting'), '.json', parameters('_artifactsLocationSasToken')))]", "loadBalacerSetupURL": "[uri(variables('_artifactsLocation'), concat('nestedtemplates/load-balancers.json', parameters('_artifactsLocationSasToken')))]", "lbsTargetRGName": "[parameters('lbsTargetRGName')]", 
@@ -950,7 +1524,7 @@
 "properties": {
 "mode": "Incremental",
 "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "resources": []
 }
@@ -1118,6 +1692,7 @@
 }
 },
 {
+ "condition": "[equals(parameters('storageAccountDeployMode'), 'New')]",
 "type": "Microsoft.Storage/storageAccounts",
 "name": "[variables('storageAccountName')]",
 "apiVersion": "2021-04-01",
@@ -1135,7 +1710,7 @@
 "sku": {
 "name": "[variables('storageAccountType')]"
 },
- "kind": "Storage",
+ "kind": "StorageV2",
 "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Storage/storageAccounts'), parameters('tagsByResource')['Microsoft.Storage/storageAccounts'], json('{}')) ]"
 },
 {
@@ -1246,10 +1821,7 @@
 ]
 },
 "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": "true",
- "storageUri": "[reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob]"
- }
+ "bootDiagnostics": "[if(equals(parameters('storageAccountDeployMode'), 'None'), createObject('enabled', false()), if(equals(parameters('storageAccountDeployMode'), 'Managed'), createObject('enabled', true()), createObject('enabled', true(), 'storageUri', if(equals(parameters('storageAccountDeployMode'), 'New'), reference(variables('storageAccountId'), '2023-01-01').primaryEndpoints.blob, reference(parameters('existingStorageAccountId'), '2023-05-01').primaryEndpoints.blob))))]"
 }
 },
 "overprovision": false
diff --git a/china/azure/nestedtemplates/azure-func-sami.json b/china/azure/nestedtemplates/azure-func-sami.json
old mode 100644
new mode 100755
diff --git a/china/azure/nestedtemplates/gateway-load-balancers.json b/china/azure/nestedtemplates/gateway-load-balancers.json
old mode 100644
new mode 100755
index 5bd9db41..88b7348a
--- a/china/azure/nestedtemplates/gateway-load-balancers.json
+++ b/china/azure/nestedtemplates/gateway-load-balancers.json
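Review bot: The new `bootDiagnostics` expression reads the newly created account with API version `'2023-01-01'` but the existing one with `'2023-05-01'`; use one version for both `reference()` calls so the two modes cannot drift apart. In 'Existing' mode the expression passes `parameters('existingStorageAccountId')` straight into `reference()`, and with that parameter's empty default this fails only at deployment time with an opaque error rather than a validation message, so the parameter description should state the required resource-ID format. The inline nested template's `$schema` moves back from `2019-04-01` to `2015-01-01`, and the same downgrade appears in gateway-load-balancers.json, vnet-existing-stack-ha.json, vnet-existing-stack-mgmt.json, vnet-existing-stack.json, vnet-new-stack-ha.json, vnet-new-stack-mgmt.json and vnet-new-stack.json; if this is required for Azure China it should be stated in the commit message, otherwise it reads as an accidental revert. The VMSS resource that contains `diagnosticsProfile` begins outside this hunk.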
@@ -1,5 +1,5 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
 "location": {
diff --git a/china/azure/nestedtemplates/load-balancers-waap.json b/china/azure/nestedtemplates/load-balancers-waap.json
old mode 100644
new mode 100755
diff --git a/china/azure/nestedtemplates/load-balancers.json b/china/azure/nestedtemplates/load-balancers.json
index dcdf0ae0..a3fdb935 100644
--- a/china/azure/nestedtemplates/load-balancers.json
+++ b/china/azure/nestedtemplates/load-balancers.json
@@ -61,7 +61,7 @@
 "appProbeName": "[variables('appName')]",
 "appFrontEndProtocol": "tcp",
 "appFrontEndPort": 80,
- "appBackEndPort": 8081,
+ "appBackEndPort": 80,
 "appHealthProtocol": "tcp",
 "ilbHealthProtocol": "tcp",
 "lbHealthPort": 8117,
diff --git a/china/azure/nestedtemplates/vnet-1-subnet-existing.json b/china/azure/nestedtemplates/vnet-1-subnet-existing.json
index 81fc0d5a..cb335d9a 100644
--- a/china/azure/nestedtemplates/vnet-1-subnet-existing.json
+++ b/china/azure/nestedtemplates/vnet-1-subnet-existing.json
@@ -84,4 +84,4 @@
 "type": "object"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/china/azure/nestedtemplates/vnet-2-subnet-ha2-existing.json b/china/azure/nestedtemplates/vnet-2-subnet-ha2-existing.json
index 17781d8c..04e3694c 100644
--- a/china/azure/nestedtemplates/vnet-2-subnet-ha2-existing.json
+++ b/china/azure/nestedtemplates/vnet-2-subnet-ha2-existing.json
@@ -73,4 +73,4 @@
 "type": "array"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/china/azure/nestedtemplates/vnet-2-subnet-ha2-new.json b/china/azure/nestedtemplates/vnet-2-subnet-ha2-new.json
index be5ae374..d9ca08ba 100644
--- a/china/azure/nestedtemplates/vnet-2-subnet-ha2-new.json
+++ b/china/azure/nestedtemplates/vnet-2-subnet-ha2-new.json
@@ -189,4 +189,4 @@
 "type": "array"
 }
 }
-}
+}
\ No newline at end of file
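Review bot: `appBackEndPort` moves from `8081` to `80` in load-balancers.json, which changes the port the external load balancer forwards application traffic to on the gateways, yet the commit message mentions only the storage-account parameters and the directory rename. If the gateway side (its listener or NAT rule, and any NSG rule that referenced 8081) was not updated alongside, forwarded traffic now lands on port 80 instead; please state the reason for the change in the commit message or README and confirm the gateway configuration matches. The `variables` block holding this setting starts and ends outside the hunk.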
diff --git a/china/azure/nestedtemplates/vnet-existing-stack-ha.json b/china/azure/nestedtemplates/vnet-existing-stack-ha.json
index 6e31b659..2f99a6f4 100644
--- a/china/azure/nestedtemplates/vnet-existing-stack-ha.json
+++ b/china/azure/nestedtemplates/vnet-existing-stack-ha.json
@@ -1,5 +1,5 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
 "location": {
@@ -90,4 +90,4 @@
 "type": "string"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/china/azure/nestedtemplates/vnet-existing-stack-mgmt.json b/china/azure/nestedtemplates/vnet-existing-stack-mgmt.json
index 1be25f0b..fd9b75d1 100644
--- a/china/azure/nestedtemplates/vnet-existing-stack-mgmt.json
+++ b/china/azure/nestedtemplates/vnet-existing-stack-mgmt.json
@@ -1,5 +1,5 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
 "location": {
diff --git a/china/azure/nestedtemplates/vnet-existing-stack.json b/china/azure/nestedtemplates/vnet-existing-stack.json
index 1c99915b..967e485d 100644
--- a/china/azure/nestedtemplates/vnet-existing-stack.json
+++ b/china/azure/nestedtemplates/vnet-existing-stack.json
@@ -1,5 +1,5 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
 "location": {
diff --git a/china/azure/nestedtemplates/vnet-existing.json b/china/azure/nestedtemplates/vnet-existing.json
index 415f5361..64533665 100644
--- a/china/azure/nestedtemplates/vnet-existing.json
+++ b/china/azure/nestedtemplates/vnet-existing.json
@@ -73,4 +73,4 @@
 "type": "string"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/china/azure/nestedtemplates/vnet-new-stack-ha.json b/china/azure/nestedtemplates/vnet-new-stack-ha.json
index 938c82ab..c7e9b1ad 100644
--- a/china/azure/nestedtemplates/vnet-new-stack-ha.json
+++ b/china/azure/nestedtemplates/vnet-new-stack-ha.json
@@ -1,5 +1,5 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
 "location": {
@@ -138,4 +138,4 @@
 "type": "string"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/china/azure/nestedtemplates/vnet-new-stack-mgmt.json b/china/azure/nestedtemplates/vnet-new-stack-mgmt.json
index 2ecdc128..e443a759 100644
--- a/china/azure/nestedtemplates/vnet-new-stack-mgmt.json
+++ b/china/azure/nestedtemplates/vnet-new-stack-mgmt.json
@@ -1,5 +1,5 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
 "location": {
diff --git a/china/azure/nestedtemplates/vnet-new-stack.json b/china/azure/nestedtemplates/vnet-new-stack.json
index 2deae4d9..731bd0be 100644
--- a/china/azure/nestedtemplates/vnet-new-stack.json
+++ b/china/azure/nestedtemplates/vnet-new-stack.json
@@ -1,5 +1,5 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
 "location": {
From 7413988c8cc947aa19138ab41571df514324ce1b Mon Sep 17 00:00:00 2001
From: yongqiangliu <343847055@qq.com> Date: Tue, 13 Jan 2026 23:34:08 +0800 Subject: [PATCH 2/3] init aws CFT and align difference with global at 2025-01-13. 1. add support ipv6 2. add new version R82.10 --- china/aws/images/launch.png | Bin 0 -> 2941 bytes china/aws/images/step1_aws.png | Bin 0 -> 29773 bytes china/aws/images/step2_aws.png | Bin 0 -> 77305 bytes china/aws/templates/README.md | 454 ++++++ china/aws/templates/asg/README.md | 22 + china/aws/templates/asg/autoscale-master.yaml | 735 ++++++++++ china/aws/templates/asg/autoscale.yaml | 626 +++++++++ china/aws/templates/cluster/README.md | 40 + .../aws/templates/cluster/cluster-master.yaml | 505 +++++++ china/aws/templates/cluster/cluster.yaml | 755 ++++++++++ .../aws/templates/cross-az-cluster/README.md | 26 + .../cross-az-cluster-master.yaml | 516 +++++++ .../cross-az-cluster/cross-az-cluster.yaml | 780 +++++++++++ china/aws/templates/download-m.png | Bin 0 -> 734 bytes china/aws/templates/general/README.md | 29 + .../templates/general/cloudwatch-policy.yaml | 39 + .../templates/general/cluster-iam-role.yaml | 35 + china/aws/templates/general/cme-iam-role.yaml | 161 +++ china/aws/templates/general/sts-role.yaml | 119 ++ china/aws/templates/geo-cluster/README.md | 40 + .../geo-cluster/geo-cluster-master.yaml | 523 +++++++ .../templates/geo-cluster/geo-cluster.yaml | 734 ++++++++++ china/aws/templates/gwlb-asg/README.md | 73 + .../templates/gwlb-asg/autoscale-gwlb.yaml | 677 +++++++++ .../templates/gwlb-asg/cme-iam-role-gwlb.yaml | 131 ++ china/aws/templates/gwlb-asg/gwlb-master.yaml | 740 ++++++++++ china/aws/templates/gwlb-asg/gwlb.yaml | 744 ++++++++++ .../templates/gwlb-asg/management-gwlb.yaml | 578 ++++++++ .../templates/gwlb-asg/tgw-gwlb-master.yaml | 870 ++++++++++++ china/aws/templates/gwlb-asg/tgw-gwlb.yaml | 1218 +++++++++++++++++ china/aws/templates/launch.png | Bin 0 -> 2941 bytes china/aws/templates/management/README.md | 35 + .../management/management-master.yaml | 601 ++++++++ 
.../aws/templates/management/management.yaml | 580 ++++++++ china/aws/templates/mds/README.md | 21 + china/aws/templates/mds/mds-master.yaml | 573 ++++++++ china/aws/templates/mds/mds.yaml | 525 +++++++ china/aws/templates/single-gw/README.md | 40 + .../templates/single-gw/gateway-master.yaml | 489 +++++++ china/aws/templates/single-gw/gateway.yaml | 595 ++++++++ china/aws/templates/standalone/README.md | 41 + .../standalone/standalone-master.yaml | 436 ++++++ .../aws/templates/standalone/standalone.yaml | 531 +++++++ china/aws/templates/tgw-asg/README.md | 40 + .../aws/templates/tgw-asg/tgw-asg-master.yaml | 681 +++++++++ china/aws/templates/tgw-asg/tgw-asg.yaml | 682 +++++++++ .../templates/tgw-cross-az-cluster/README.md | 38 + .../tgw-cross-az-cluster-master.yaml | 527 +++++++ .../tgw-cross-az-cluster.yaml | 523 +++++++ china/aws/templates/tgw-ha/README.md | 39 + china/aws/templates/tgw-ha/tgw-ha-master.yaml | 524 +++++++ china/aws/templates/tgw-ha/tgw-ha.yaml | 520 +++++++ china/aws/templates/utils/amis.yaml | 52 + .../aws/templates/utils/copy-lambda-zip.yaml | 138 ++ .../utils/tap-target-and-filter.yaml | 68 + china/aws/templates/utils/vpc-ipv6.yaml | 703 ++++++++++ china/aws/templates/utils/vpc.yaml | 571 ++++++++ 57 files changed, 20743 insertions(+) create mode 100755 china/aws/images/launch.png create mode 100755 china/aws/images/step1_aws.png create mode 100755 china/aws/images/step2_aws.png create mode 100644 china/aws/templates/README.md create mode 100644 china/aws/templates/asg/README.md create mode 100755 china/aws/templates/asg/autoscale-master.yaml create mode 100644 china/aws/templates/asg/autoscale.yaml create mode 100644 china/aws/templates/cluster/README.md create mode 100644 china/aws/templates/cluster/cluster-master.yaml create mode 100644 china/aws/templates/cluster/cluster.yaml create mode 100644 china/aws/templates/cross-az-cluster/README.md create mode 100644 china/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml create mode 
100644 china/aws/templates/cross-az-cluster/cross-az-cluster.yaml create mode 100644 china/aws/templates/download-m.png create mode 100644 china/aws/templates/general/README.md create mode 100644 china/aws/templates/general/cloudwatch-policy.yaml create mode 100644 china/aws/templates/general/cluster-iam-role.yaml create mode 100644 china/aws/templates/general/cme-iam-role.yaml create mode 100755 china/aws/templates/general/sts-role.yaml create mode 100644 china/aws/templates/geo-cluster/README.md create mode 100644 china/aws/templates/geo-cluster/geo-cluster-master.yaml create mode 100644 china/aws/templates/geo-cluster/geo-cluster.yaml create mode 100644 china/aws/templates/gwlb-asg/README.md create mode 100644 china/aws/templates/gwlb-asg/autoscale-gwlb.yaml create mode 100644 china/aws/templates/gwlb-asg/cme-iam-role-gwlb.yaml create mode 100644 china/aws/templates/gwlb-asg/gwlb-master.yaml create mode 100644 china/aws/templates/gwlb-asg/gwlb.yaml create mode 100644 china/aws/templates/gwlb-asg/management-gwlb.yaml create mode 100644 china/aws/templates/gwlb-asg/tgw-gwlb-master.yaml create mode 100644 china/aws/templates/gwlb-asg/tgw-gwlb.yaml create mode 100644 china/aws/templates/launch.png create mode 100644 china/aws/templates/management/README.md create mode 100755 china/aws/templates/management/management-master.yaml create mode 100644 china/aws/templates/management/management.yaml create mode 100644 china/aws/templates/mds/README.md create mode 100755 china/aws/templates/mds/mds-master.yaml create mode 100644 china/aws/templates/mds/mds.yaml create mode 100644 china/aws/templates/single-gw/README.md create mode 100644 china/aws/templates/single-gw/gateway-master.yaml create mode 100644 china/aws/templates/single-gw/gateway.yaml create mode 100644 china/aws/templates/standalone/README.md create mode 100644 china/aws/templates/standalone/standalone-master.yaml create mode 100644 china/aws/templates/standalone/standalone.yaml create mode 100644 
china/aws/templates/tgw-asg/README.md create mode 100644 china/aws/templates/tgw-asg/tgw-asg-master.yaml create mode 100644 china/aws/templates/tgw-asg/tgw-asg.yaml create mode 100644 china/aws/templates/tgw-cross-az-cluster/README.md create mode 100644 china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml create mode 100644 china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml create mode 100644 china/aws/templates/tgw-ha/README.md create mode 100644 china/aws/templates/tgw-ha/tgw-ha-master.yaml create mode 100644 china/aws/templates/tgw-ha/tgw-ha.yaml create mode 100644 china/aws/templates/utils/amis.yaml create mode 100755 china/aws/templates/utils/copy-lambda-zip.yaml create mode 100755 china/aws/templates/utils/tap-target-and-filter.yaml create mode 100644 china/aws/templates/utils/vpc-ipv6.yaml create mode 100644 china/aws/templates/utils/vpc.yaml 
diff --git a/china/aws/images/launch.png b/china/aws/images/launch.png new file mode 100755 index 0000000000000000000000000000000000000000..b16d779c493cfdac15923f3114ba94d01bf98999 GIT binary patch literal 2941 zcmV-@3xf2CP)004&&004{<00AEV003vB002H&00Br#000h50000B=O+L10005n zX+uL$P-t&-Z*ypGa3D!TLm+T+Z)Rz1WdHy;%bk$G_W^)-PS50WJ!Ba@scL5yTRrMFE7>J3iZ#h|3MEudGkN;2U76tA0Zyq@7uVVMS5rl zX7b6rnY@`dFF^a)?R%RuSAjG$I@nm1r_Y|t+$YSVg=@Hv>tR$D-sYn%P+Wg)CGb5D z|D*-{_-ZY1ddsfkd@>&u+VC@rE~$?X8T>a+w1kZ67KHGIJ6Y4N~QNydDF%rI|f8GqE6UI8s_UZA^;fh?Kg0rN)d*d_WUwG7RQBFQT zIGBzCegmpPnW^$|xPAZt010qNS#tmY3labT3lag+-G2N400|9AL_t(&L+zV?P*p_~ z$KOm%jYU$DDAErxOaU=4P;gLDi4e<5lSa+5Kq)gd!pT&A_zWABkOZB9FiIWm7ctsT zwWO((YAh=!Cnt-VvFX>0_PeGgPxpHsXW4t--shwG!)Nc#e7tY>oU`}b-S6Aod*yjZ zJDz&!AYF6E7K*=mEnSqoCd~hg)X5uo{O_;X#aj6Cn;$!s;eN1yzB~2{Hvr+Fk&)9H zY0S)xHgaxn=ElQ>787P~as^|mgK@^#LjwsD*HQoR57GLqZwC|-3kc#tfVXNjebQb> zzji!He|@pd1|4k)a~gv&{^@Wdb+p&evl|yud1Zx7NUy&2DGSDVcv^OS#4`^9j_zMi zbg+@=y?Ubk)&8J9%;}3Y_9r^J`23A>s;geaLV`v%ZGXR0HeH9OxMDl2Z12t{`nkQ9 zsC^}K;=L+AjG_t?ava{ihBjAu$y>UL=HI!F3JW(-Y3U|~Fr zJzr|HpGqJ{?`rJM?Kizz1RHj0g%Ly3tCZ6cCc$W27NGQGW;MbxmajF&Pz zohbpK!YCjo4ngT;4;#RkY^Ms9MdQii@lf0PBBR|6#PyH4fMY?*z!;h}ahTEfzXCbp zTDZ2!-W?Xryw_@LGWF;&oh~@9&?q9AiS*@6XsNSiA&kE@6X8J%dXZVkEFfH1+jJ?M zyLJufT$Alop|Uuib8Kr|V6>Z%nEw5u_%oO_DTB-6(_DEoWv30K1KSqcV*d@ukp*O3 z&twmleUE#oPt=W8Tay(%d(KoM!l8?3#*Bv<5fi{h8~Z2LhSg?GZ8h(O@UoEwgn|+f zgz}-)!Fxygabn+CS42Q2+o?iDVI1eUr#{taH*tQ%nH+O$*C?YM{F8Q12HHZKXxn5D z7VqpFs~vm^bh<<&M`q>{-dN}7SF6pn&W?v4ur%PCT=2vW&ESo-5)fV>eg7_0<}aLJ zz|8`a4RkznC1s~ZD!=|QXH)BggO&ZjV^^@fd1<_B9nL6Ay|kmpNZj?Kd#P(JyeWq3 zD+@2?^4j@v)-rUiF%Kuw2J$!Akq6p<58Bl8MZ0nxAi3-DZn?JACvh1$qkMelaP~8` z5s18uaaKFPUqo2a^h1_32njQiPTAeoJ_rJ`z+?l>;7vCR2w-jdahJ8OznSiiAwfYp zz+?mH5ZpXE1f3+`Z0QVVhnea`0EnHHAI)WH2OSI_oTW~DaMt6+CV2pfcY>VZ50Sth zqR@R|cM}kVib0ng;Dc*PY@l47_bx&dd$3#-J;sU?5jll4xl=k_M@mX53kfq4#3bB! 
zUAfhsPe9NLG=o<_N4wz|Q#vZ)Sdl-JI` zMENW%=)-mJ)yuk%An~}i)H&mw9DjM3C5rRdM@P?7+I4F~=uWQsz0b^g9_I z55C-jE+n6rOh;VYTz=e#m;{IlPjnE_A0O1RW`GjV{*8$?0sXe;%5H%h1kQTQYB+zr zBZcNoiKfViGuThg%Wmz*_MJ7C+se*5w1YFss23k+-KZ;kgDrNQVB#fTCm(N3rl-7@ z(agLk_Sa)f?MlqGS?4Q%xo7bkozj)7^SbcSW6+Ln2X49Q#P-gx;&l<(#pFD&tYLp7 zkNgl5$QoWue;%02dm!Ts1Oa_z4YDbTV8BgEXPA&qMyKJkbSyr@E*&OiQ=POS0|3E0 z>-0f!;`DW^bAs#WWqc73H19X`a0$M^_# zA?b%KYl1GOg50U}`|IO)_QC&J#ExFswFg2$1O!#PfsS+oHwjEOkTo>IX5U;sfXnyY z9K+=us|Ip;`c=J@PkqUyHXoc(hOhWI>+ZbXH@H>BvC7BI*RAekOw9D{i{u(^ZJ-YK zEoI3qm|Wol8`_qBNFLC`+RP92^9{t3TZUP&x`6D+AxoORKhnX|95nFL`(^aXjt#6C z^%T}GYX!A8B+$`TpMXq>00_(t+#nd49N`D-H;wl_Y2;-@((FmSspq-AskwAoU)9FN z(PwcTe0869ntbAhFUl=d@hZky2VaRpJFq8N9UpAG6XYcA0NfA!agD>wLtB#hGdcks+q5{2%QbgjqT1M5 zGl=p=bUo@P#r2@4SHvqjd=Ue`Ky`@G+mRfCjn^p{*GmZj;4|vl8xoZd?oGcQHomAw zn-Ys_bSGE%NR0RvUEABQE*NG{!V{ec$Rs5DvgQ=gf~na`3$N9WW$^&@CK>{2TQ``F zJn8#JxdDNN2|Zq`OYPhXIYs0YlF&69;XTq@jcG~)3+7H^@!0+^3=au-qFh*7)*%Gft}b6G3UjQZbrJc^<6(XvF|NW;-hI1pHv&;^qO zmb0ixlZb#%JQqf0S{wWkJafs|H?0`MIsvx72f|+@qVk@?F?<2MP?R7iu!RYIo>=bN z7iA4iQX6cXQHF3}7tvu-S##f5ipgBcOPAkYB;s$PVHle~jp`RA(2Larc|(mr9XzFB zpA;rE!I+xBxSBu=W}RDR+~6u69O_pYn1vvsrNwEqxoiMGMmj-#n9yKr!5Kk)hc8m}Nh?uAr`{FjG(sO+9T5%)>UUvs ngnya({{|0K82{jZnM(9G9lJ2&?EU>R00000NkvXXu0mjfzX_8$ literal 0 HcmV?d00001 
diff --git a/china/aws/images/step1_aws.png b/china/aws/images/step1_aws.png new file mode 100755 index 0000000000000000000000000000000000000000..a626c70530cbb151a9e99b2f236223c15265278a GIT binary patch literal 29773 zcmeFYd0dj||32DGGdc4qb!IA4b8D>3$u)OT$#KdpwY1!oa!nD<1vdny@ss9~nz&ZFq?kN8+)qm~UwM*XF={L_^yY|Q)UnhUJNA}85faV+7pRW=<9e>@08B<%7 z9efjM?`FSiS4-hu@s)37$KPLb@=M&cOQHYs<113!qp)4O5@(%%v%i=cyt0#b2L!GD zxU+qziud+0yj8Ks9rC2+$-+el?`7KAd(n+Hu%toHh>QchKX=L{<+)$Wzj@_{e66od z9`)Z;ws?8zyvl(ezPbLxPrv^9tHIHuN51dcb>!&Wuj4sg#oru<+C{>tY$}n7r7o=| zb>CV2lzyr2L`|?*Ax01 z2G1BT%6RzLqHG}TPCZGQIzPJ2a_qdVT;D61=CW$BJ>~@X;#}v3NcxjBV`15MZDE_D zaS7{|cajKCJC{b7xBTa-zo)-bMlYwE#r7tr_b&9b%|4I|&L=Gp4-}I9ezIT)JbR1P zkv4mDQ-W$|Y7W;L#=17XX&)S_>`WhT>IB2-S9&H%nybUHylq=Z1E52G!6Md)fKB228;|BRbW+b1@UX{Zs zI7RazdSAK&_e1kA?M-s`Tg*Gc=BRJWEZbK+$bZK`OivzSA(Iq6qg~5ej?80TVhm@< zG|GluSv4MdRi0`T&M-7A{GRHT=L0S{>92wZ1zU*U9i(@}+%g+3AIQCB+tSABd{9lt z56&-}(x2c0_Nbx5%Ddv-^ny0e#xM{YVA?-fb=EQTa?yIU`0DzGCF}a88R_7rIyxqY z6j!UlIzD>S1Yx8t!8=n}K4D#q_E?oxs6=Z9e7Y6vfH*{XNjF~x!BfV0vgr;)EA{sD=H062Tiap1SU^Rb^t24#I+!)iZE*V|oCKFLLoR?5FLPM84kVYhnEr>gYYcIi5 zAA&MVAXDrH+?9G8yjij&EqoddO|~jmDoPVjA0^c*+j$>+UZ0)xH%wkXk7EV+C%dT?|tmwlmL0Gv}!;1Bi`O0QO zZ!tE_b05Mkoe6H{$(BBD8oe;PmM~gkdM}kc7s--^Xwm4aG z`HD@@O#M1xQ=zH=^H8Hc2Be110LnWbCzTSn97Y0hIPgmGfN>pU>q7g<taSCYy)#!PbNi2%i5B)w{DSSc(?z z+_sLFxpEPMFicP}w)E6%t#DD5sc9Ow+DySBI z=YYfQCA+!Zxdj|9VBeE04RwdS0{Zzfa}mz0d1V~e@#^=?l7tiMpAJJv+C6&>!>y)gtJ=qaK|8x1c8fo#pqFnpAWcjpi3DNmUH0)81z|;= zi9){>JmjdHZokQIi!lqsg)bCkl`cb6Q_8*q%`B;@Nb&fbOCctK<%f1x%$g1?=DGcj ztJP^#L(ieU@7ccXOM!~#k0Ea&C5Y~(_k%t(P@)(?HC zS(=@+OSwGjJ8a3`k9fj?@+7YIF?pBuBflm4aX|TbG{H{G=0FBgyB3}bZ$TCZ#SKo2 zXmaX1`#kxOn*o?=jfQYi9lgxl7B~B0mJeOlW?z-l6;da(j?H9;5Dl8`T?o$YD)F1+ z8_E|^XEhSqVZ*{W zX-I5ua7}#*Q_t3z7x^EIlJvmTe2=al-N!H|4`F0GKHvCc5T0^n#EsN&w%X5N0}K%5Sxf zos^HD#c@(12X47i5a)7P+2KXSlP9{&gCzNu`aRW==lqn*!$bEX0>Epo+7DgB=CsZVqV@-|=R4MA{Ie$xdj4mz{y&01 zZ_#A1r4JSg^YDlv$D;m0&f_ZGq60S5D)_K-r(JEcEf(IA=)0C*! 
z{$CAC{z-EHegJP!tyU`44qWX8V^nT^!^!* z)NNZRdb!Z`dM)-T_F0QWdaD4mUk7g35u>st-PRucGQILoa>@~gN``)_p_jT>_8V3Q z!k9GIz1#d%Ca5OwVX4OOM#ZG<U57qzqT^r>!p+Vh> zP(gFwh7V;Q_MdYL<;mZY=$C^tb)HKt)PR{nqQuGM%VK8^Y2CQr`U$b|Dezja{Jh!K zqUUdnoW6v`VrO{K^YebG!1PoDOU53as;Se5tIBBQzniwC=~GTu9_jUJ+S(jai_1)t zS4Cel-RJpbDy?Hx&_)-P7=;=&dkgT-diThCTB`2R^KD#bJ-;i1#gY)6(Hb;q?zipvo~1Jef-StQ`j znWjKoz0IYT^I?`4q|sg@M4h>zmk?T&){^)DySjchg4v z-{wexv|!5({;~wGVEPErK*F{7p#_%aYI^UxrpaZMwLgQT2bjWHNK5<5M)MI8xhAeB z|HGGvF{P=FeH(BG(`ilYeOm%z+{MC+_Z)ZLwwCuBBR)-$FC`-u8~YP>7Edj$2EZPs z9a(?2!eI@VfkRjL4(ubL{W;yA2N{vd^Lz=fybK<@VG&m z+2K$+fc+IWLAIoyFV{i9=O1hdn|kis1&<+ImHT^cifJ3Effd-agoG+6_cZu!uaaWm zc?B!X-5+gj0qg04&{o6rN&S;@#*f2WV&g4_+2h7Z1d3Oo5HyVsa-b|~x2+NTYbW(`!2QBB&F@ZN6T zOC?W8fVIhAt#4~mWZKJj*QS*i+&~pC9x3BOufIk~qXIHHJm#dLYVMM-6UpdaFM7l6 zv_16d1H1(x6sN|}yarh2kh3=H%g1X1%@`~xdF18uovdW*)uT+iB>_Q(<5G_ z4A~EL?p@8fWNX&otY7^TtC0fTm`J_sl`O6&u{7Nu10wlR-qNBI04M#EbPD=5t7PGzF2;m&AQLGnqkDoxg(og1Oq>j`3?pgWR7GkGMc9 zqkmtY;tg)8>T>1}?JW>(TpaODxo7j{&#Y5UkH-?lN=G%x_Cu|yN0C(vq^0$HfzU0= zaDh;(&i5(MWL~o&e2KKub+dnM>3PEM#eJ)d_h&PMu%jOk83ij^;Xxyh(t=j}@kSab zGhkUPFi_)E`Z<&+P*`Ou7qu0{8iH z#{Nk7w%3|uDX9VZv2r@cm7aYtbA^90y<}Tec?8R12pGnYym*PM*HNygf z82Y;woA%ayyWg?V|L`%$SR-)J6sq2wr1H6x{^)lzP~Ovj?=&+9(pWQm=w~Jn>aDj* zTYmk)p(mt&8@D!_Wf6*`yPO=&EJ+EGq7KXQjT73Bad^|y$-mZA6QH-Rx+B_Snbu~g z(4jvJ>8|;ZEQ?je^rB*01gw>`aGI~BW_JM4(G-_)j$!vHqPIH&(z`u>{oO?ir?iFB z%e1azll5+h&93~K3TaZetx4!={YHk`P5f}^cp~(gPdp)MsxMm+%i;&V*baGFly#Io zoSBf#y2de^5^wdwFUzni*_Fk*V~Y?a4`#^+gwP2L!RcCi7ruDanGE%&fD!LGzqq$W z^$)&#D^ZKZ2K%^%z&F!}(3Hs_5N8LEa9y^1YZazD<`tL>?ZyT0lNe=7xJrfqz=>Np ztpSVhUQ=CdFpW`h|GQ?uHG3ikpdfc?`MG>eGUL27wQt9JnJM*73*>jb-nLHDVK91+ zm+1xkh+SC{&8ESmtM4|3p3_+6;?^zTasw|pB`9Kkr6v_}DVgA-8tc`Aw|GGdABYm* zt2>43ZK5`KP?H|n3n`q6Y8By#6IC+&RdHcIX>r@btU`U+4xSe(xjUL9r zg4Esi=w8BsZ&sHFDz+#>T}3&o`8|XAa^AAVLtkqUZBeD z8!zE|be*}!ks1MhZk`IHN%qWM^T>hc>xNTcIbFHQf&9gl2IMJ?F-#=iwS%)YN5y_p?Q=(vq=ZwI~=wJo$LBcPXTv4CQw@5BZ*Mk@F@L>+eHRFt5B$^3OcFX&|E+D 
zM67t*vD^H^=HtoApEG5>JY+?iE%e=NAY_)*0UP(2OAqYr9t)UIMQ3auj=zHA4>8?y zz6}xu_(7=+L&MfqgSBh7I@g{pgn9u*VSfSXs7HTQ5!&?(T&OS}Rao_a59aW+ijP5P8T__cI7BkC(K(|+iFsxgQacGjj10aCN;H5A$D zpK#xO$DswfvtHqC5Cf07KwIQ*zpLbX0sq|Ghi7$sk~qnNo@EZ}AA5&e81=0L7EE19 zq$=&jC^p}U3TjAe@xK>ri-nmFj++I91auAdH|FKC@@{OyLi#JuuZWe zdfSc7dEc^}6h{I~2?lsJp);R=hh>|BQ-5Z(d`)k|?CrGS5C|A(KUzq}$TzZN#GJ85 zA!o3nnpht>_*@LR_9(@2eYsei6a^`s2*~{q#{J>p%68jAUzF2?6uL=}t;$pPwz zlUH-xnx74eeNpN}NLoBVBcNs`D=8o)HfNJgL5W`K2jQ%VO?(7M(v$E_@ZP_Qkkn$v zo8hO|OZ@m|jQk;aV%LX6P>r&WTbEgEACKA+Mg_E7bFt>8urL{*UwT4c8B(O-eYNiic2nk!>$?v*=HNhDQ5QGuN ziOK9b3a5sjnXWY8%?5j?f5xBXgm zDVm2ldECYu4~4I_FB$k69NH47qf1b(mEH!OqyD}I(}qekKBjbBME$fIM7{=y-ODXZ zEgDbmjy7>)|H1JE*=4tRcTBo}giC0()b^amAw{i7xA+>yLSxEhN{?bub&C7mFaPQhUFCvDdwE+tx!~XLb-_A$LY!GMXNfU ztMg5Y>lv#VUOh)9i{1$SC3UQ!tWU$c}D7ro^@x9MC*rknpU_7AMX7K82W zIZaJ>iDGv|_ZYkwJ^Dx8{ei4hJ&^0sX5-=wjM+G18%W-|f_QgHaIm~9YzoVIvMeG` zU^Z_D&DSlSI{u=LnDMiBY#j1A$B^hL8_G&J@ui2?41Q^wEQK=7erqIs7zasy#=Ok_ zbrd|b?<~$4OGZ3azBdOd?=QLi?uAeH^xtS{JdRA7n7H=9%rr^^t=GpMnf*kRG*tBI z_Kd<(ej|JBG~Z6RG!p9zL&GV-dub`Br0>DF29MpPmpsgt@BF27ps$?JudwuYm}>XI zSrsKQ9-39$IH}$GLsxRqc#pI=`a=}>Sw;%`xky$9qn{1Yl;yVkDYi{EBFVuu`pNCsgr@GeO#$w_ zdP;0s?O1K=Q;E6!uQSK{x(~0qWz-Ef{f!;c03kC^M&D4(-hPatKNI;0ym#k^$MZnt z4h61}?afEVdx*vH)OLB_X#VZi6#galmC?-GeEXsL#kcS2X%i-YPP+azpT8jcO_9OhzpWa}! 
zUcL{wTtV^aS(pCL?H`Wm3Np@!ro7GrNKB|3!*99dCuf<^sSPP8*?+V zHS~gb`K+E)nk*-aWE{5a^&6!3iicVAB!zS`Wk5K^<`XrGyFdKeb#{ol`pcv{ zhtHqhit3)uL#kuhau+ji*<)^>0zeFwzgza-U%1oh+tb$ByFHBE;|Q$r36?zBHuGFE zKQ@`JR&Nj!lsxlixRF0mXG|m8#~;F_Ge(xI9!`*Dn%-o_w+Ce$B!f zara*|nQG1WA2|<8B}?u8*G^U7JZaKmsHG&tEXaKZ4vzax>1Ut4z76D@NF{^($oa9D zm8;!2-p4TVP=e-|RQ@8sIAjl#_u;z?9ogT5c zznl{khtby*M0dWCr~wc0e8S87qW$y&nJHRt0KFq)J$(^BoO%z%+4@jqyMVZl!Y4e= zit~zmk-ywIz{%|w?K|VoCC(-pV)W#WKu|h|uNJjJMvKJ+%uK6^c{9jYEu|#0q&)}Q zZiT%~L;HMg*f;!a#mS^;&GNlmqRkP^OTqPGGj?|T8?4VyH0H+gmRU;_jK5jJw|CiL`{0GSk2&k3xAeQ(XpSyv%qJY_ z_>0b8h|4#Od2jrLk)9;hQ>63s_O00@JjQx`2XzVjfKNrA#29$k+Kh)!_F)Q+XO{F% ztkDgVxtHyr(HZYK_<=trf2fO@$?tqX`?vQ}iR%KT)69`kKvqAnDr6ushlg-nw{ z(-ADc@h4d?veq{6wTKZhFq`m<`$2!ApvkKbFuE#8&zf2bNUe1)^uT#-d7FeRjq^za zRrJVBN1A!t=BKukfMgc}l2V-TRce|FIT>^NCqOw~T^c5%W|}g-N)sKgN^Xu~s(E!u zOJ!86fvi`%)Q_+%7+-@KBoEH|tq8CmKXg?W#?P?YAZa2AAY$;X-=Z)kV0YcT?WcD` zvoBY#{|1Jj+p#4H&3BS_2m6dBPKXFo`wcsYlS6{5wfCLsxgu;LC2+Tb=acL1jeadp zlPyiR_syGG21=P56Z>5eJ3E#{uu0&8qLI_9>p%J1#Yu+V3in^baKC)!+@Z##D zUZMEa2g}q)^Iyfy4DMb_PJ4X~z#yODKxteshRgD*!q$>(UuhD*ayR)dvm3LXhUrtB zikFkyL_A?29Wn^? 
z%8u6p);TYut*_J$lY>KdstF|^I;kew-mHz;+o;RCzIzEu^;^R*A*MIeID}c z-VNrB0>N|9b*O@;d)Py1*Zbcr{`!Ae_fOD0|m z3Es9=H&+w=wir>AkdZIBAvhe$-%yd!lxNnW(_ZF8ZvYQfef(c3bL$_KVq^$P^S@Ef ze-qRxa_}()Fc@P z`F}vY@6ok>X0r8JnKP|4`M<&3Yr>?&Y5?ms8L1Jsv%@4YOvZ{#pZ9H+VqZK%N){}8 z6T*cCbE(Gvr52dQkI$t_Zq%_ua$9s}_&Ik7J~BN6CfuZkawR+LE=&K#mW;HW?Z4%b zPiYG|Iw8!vk&_0?rKaoZ+oN$qDcU63WhoXo{zXL?zej7`9Nn4(x{pc66ZQDbt~#Xo z<^V7^04ArPcGJfq<|Vc0^&7zu2TOXEDF@c%@NHK6DV5*u4Iw+)dG=iM8E@f;YHhK6 z>Cd-f77Ojnx5KBmq;MIX5+p;7T#H1k{2Js;>hKw}10X$?wo2^wQzAoW zBInQlNA4QDCK7N9Z@88n*sDmk#V1~0B}%}{L3m8E9}0aXnl<=N^r^p^+eh4P+@?go zaIL+uXkrXEpM*y!9Q#L0i`qvuc8UTOq0)JyGKQQ^=)cM>xgr9!MqKGUI3TOBs^tGVA zWMoy!_^Y)$R%WEA1GwXe%^P=Ez078;)v7PvPO`$y5_ZgC`>`*GePslu8ggs!)!Gzn za>I7!^5JGq;d#h4L@`qdd4N$iy zmENhfal5P}E5hi}>mgsIl3u^i3Xd^e7)<3l-wECR9US%6hSblHNmb*Voyt_M2&3|1 z2XeK7iB$Ff-;HysCoMWKL#C>SgTE3MR3L<})>=$}DlCJ$s;DOvTV$d*ocd=S{!Bc@ zar>~$S>o1sXyA{D%$YDRWCON@0fiLEat)3_HxZ&1<$db zu!M|thuVCPn$1^RdCMZ=mOb@X(G&5;!a%84r3aHIR*z>yaSNsClMAgZpc>b9C15SP z{dXH+Tr$eXryPF*u})a-XqW%a+*VR(ysB+M`eR+>&HjTAlB^CcOX}&M>4iZK4X>>< zogCaNfNPE^7#4`~4iAxHNqK9HaT!{J)!s7_0ZAvWg5E99K?q7aNJbM@mM02`+LDzl z@&Jqydbiplh`Fr0aIkRTZf#y+^(0`#cQcjm+sEC#){+Dm6QAxCG%ZWmnYoDAP{)C5 z=#3i-!63pH((8K#^PCgVabZ6h{!;)Cr@JNMs=w!EO1 zAqfLBf0_X+pl{GN!RT{Wt0O=$=^q0w$p7Ns(5U)pBkI0X#A+p3l#?3FA{iiqAGkC! zX-T%I9-`CYGvFUCHic6FdeM!&3^K#W1eAF{($U}RK9S=h*z8}sv(RIp1AbQGG1zH1 z{iADRe=BMIBo~GZ^uz2JJ+dEiUKsF*K;!(zA-a1`bKy)TiHOVkEgU6P-rq`*B=|vn z*OW8Z_mlia@huM%R`MCR+uH!pXkwMEfx1IWc*+YMdX`dD(W%uYRA@3-zdrh!*EI86 zFS|)$>I%#lk>)MpJRuGn#*#t7vP$CwW}!)qy<&0)x2J()Ubjx)oWSgSE#L8Ds&w(C z$v-=mbFsDRqP>e<>In;aDYol&+<2q1-Q3=J-nXkO;Ea8UqVafNLWF}fvt*D`j#3i! 
zgW1P1tz`@fpu!hQPBUITj2y8zQ?}=)+TMl2wZ=9(B@4F0^<{n^cDuW=o3kS5&b>ZB zG7!3rAe!O4^E2QSbS~-IwBmT>u}pPzJJ1frYH>{`GlL~I)pxTF^x@Z9G{YK3sUcC_ zw}LjixI5L@*douexMV#59FZn7Dh`TJK|Xe-QOMqIkWV<HyN*tma$H#mT0X1aM)(tY@5*NguG_%eP@5x5zzVCJ=##zri)o{9FU4jyC7aF zPDl&@Rj5fj^yJl}m6juMhV8(0dzbhOW3|T$Cx<-fv~PUk4lRJuVGWP_ZdI4xHm}|+ zT@^7>3ElQXm0SH5;}PUsw?sB-RdqwFZgp)55ww{iG+Q9o;>Yg4YEeU@j|?qO@mM)J z5p(?|e3ohNf8PjiiM5XD2fCv$+irA!H9z*QSsyREGIc7!NNTyylQvnoXbEZzf#eQr zY=;JVL&jyP1~a^?+QtRS(h})YW1_o&5?>g zBDvfS#~fT`c21IRtaNt0ICUm&8EuQtc7Oy z=;I~~{q0VbTKrD0R8lKlBfj|1pUqmqGjpU{wS%OBYUHYAaDTb|(04L-aag%6l;0LF zeXDa!)`iKp=(N^8rjRG0z(m)j5$=8KA6;riJ%ZI{_$|)6WW7DQ!asz9J|F`&ZU))A zzA#v-6Q13N^$n;KY{;T~x2tv$~sqlF15SB9E z$AHc2unZfYIS`y%d9!VxtM8h8o~)*e`Y<8PV-r_wA%GULg<*0;GOY2dktJqW`AkP) ziK%ibbFLz|hPZ%x9PdZBbJ&*co`T!!jp2PF@GC5m_qNj#M(_vUD5)6RW+rFq>l3UVEO6Fq8wYj}uyO&s_;)MK-o={&g^Vcx^?OFzyB;TPiR{X& z@v8GpIV1yVV6R0_?}jCsSCvA4z`!|=f6}hT+pM;gOOMBHpQXOPM`pEYgG|urF%;o( zo8T(Kf)FsT3);AFq5{9 z%Ob3i3e0X5JVG##vM|JEY|d_NGd*&x5)ZxTO(T=UH}U}P*!z*Pol15g4=cZo9)G_M zJE8NhTG2!8%mcT=gvZ|)2wAU_33g>J;GjP4ol#WU;d8S5ku945`047jC=U5DTUS%U z@gN~ZpZwMy)}DJM_e<6S-14ph*G5Vl;$I}MCb_QSQ7Wt{-2&(Z$I=(%6ZK88TcR)5Dx})^r~=om;f^N z*+1i;wFKVlxY}RK8qx_aAc|}AW|4Qr=XxW@HxRB3&JAu0&I`>w=N5h0vdBEJNB8qk zqe|YAMR7)%C9C&cL_)Kz&xWa8yDnb@c<+51TOsscc^dY#?*0(bj_1D;?n?TZn4R#z z$Vo;0Gvr6hW_P9k&gUXh4mwjM0Re*%;YFtcKUYLqE<8%sQ+fnn8mq(g-|i-4Fo#m- zCx9f(ZfQ+9fuIFwvX(UUluZU_XWg%vFoyA$K0XGxBNW;HzEX6`dMTyo)W6EtoONP? 
zxI}e;blMsNFDf>lxir-l87I8-VkC0D40OYO=z=U@T=wYllne@LC9@r!bGePYaVoDC zdEZ89*Dgli+4SqQ%hcbT!Byz{&UYdwW5Eywy`YF0=mg#{0>qQ?v6U)jyZ=x()>ls% z=1ozDXXhy%1%*spH^-FwKn7M`wy7oAexqw7G{Vp}SDGOVv@X;z-w;+gK2l2)?cBbVVB3>HX*W3lty|(3Iu`cVRq-OisAJe zHk&ibDdQ=j{vOnLTa#IUPPM8JnNbcW%Frb&z~-qbds-QRM z=Vc=QA*Na+a=xk)dM549^AMEMeh({sgX*pZn_XFhTH#4=jh%!f0`Ih>xmBFg4e&KB(wX`(`3> zZI+NUJ+j;}mb0AFGBTJNLAzrNop4gHDj0z7s|`9CIj}=1f04Bg+qJ8p?{?t5WcGgS zTLrgnR}@dR$&l&YR9Y<4#I3<}fDXovJ-3w&T={5eqxrOIT>AcU+-IsO2^zDcBKgV{ zI%Nw(6*l%T`cU4a@k=PcSUIyi%ie`3xDuBZ*sYgYf;ddmVxJ%BTWwcHx=ccOtjlR1 z|Lh<+fb6Vd{R0swwG8bV!UEnnB~)mu)9&mOsQ%eYxx>%oNa}1hZyU>k9JRMzVLIRr#3x7Ue1LH6E2ce_jvHf7OYc zEKZFdrFG=u^pcwcej@A5D2pi0DF%g(^<()$I>q9Kyy3{rY|uMTgvGvSOlYTipqb7p zGI{ey@z<|oR(h9PP(20;<;>l?t}Wl1`x+TDuh8iiB)T~lC-W|)CuD4ug|h`H*7d#a1w`1jMBxtD7_z<)DqgJ3{VYOkZ7nto z`b|X%B1rmMe#w4!7Un<=l-O;GMaZ;sZ6OoWXaMt@7E|GJ7LUIL0;~o>*2iKA@3q&i zFDH<#wR@Vp2()CzJO>`hZSCacH4JWF0HD9^&9(VAb^c<1*OeW{LdTjgKY)tQtA9Dugcj1Um>bWyLf-s!ae%dvjaGl*S4QU-(ByO<3qeAcl|N+kNIhEMg;yKf*@T!Y zZwq%_zS>y;2{0ebs$Ri&QRs5r8s*{^#!skd4KiMFIbWVbC1nL=?}P37egCAB!Fds} zTx6>9Xhu%j*K4+$j+376UEm__#xWXKtq%vJ2V`uaWwd)VFIX7SHA#a^F5{)4f>z4j`%x$pE{R!Hr?-kJls=j}`UjVGXv8v0fp5pL-d~ zXGTAM;B~kW6@@iU7%cJiSEo+a%Modjw@MI(jSDjO=^gi5Cu^3}`3F#^Wls9&6PYD5 zUOEGvc?|=rsoJXm!CZwUj+a8p%;V-Kx|4(VH`J;}B4-_pV~2`w4p`vj2Xe=dmOHrV z;!a(WwI-&i)5I=e9Gx1Hf-t_p?^hrkNI?o6j3xPr>!Z2wPbG@sRNFt0@ua5#UD0mb z*K@sNU%5e_-UH7 z(*5LJI_gI=Z2N3F!a)nD_Mrk!b9a7!OXSXj)G(UY+ItzjdO3MIlQ+2lMydr10+S`j z)@H|Nd!f5;&RWZEAnTe+qlCAQfiPAkSjeNKPPMP~xqxqI9ntQ|j9GJ=s-Ur*sqhzB zH-u~)b2WN@NF1@trrw>bfGRTwmsQ&VFao~%O`k(`ZdKvnThe$r)`MJX3 z>C%?;;P@TkP6h6iIpl-}M{E}%5Zsk#n`tr*f!pX+8vU~po6?yv<5s51uHUsw5blkl zyD&@D9Q&bFyutvCkQ$1Zf>Ngf7yN$~zJ5;;40KPft;k?Lq_mK^p0Tm9d;;~OPi>M+ zpwt3D2#=pef5*$1P93_m_OTX|8(*#jXeVc@vZ>Yh`)cT=Ah}x6m3$z3-jX)cel2EZlOvKfjaE*=<#K{* ztu41vNF^da-Cn=w7<&{bFxy(%qx)8qqo8k7Rczg zJBSN-)3!m_8ao73X1Q-)&bYGf(DFp>(S|yD1L-GR?8!d9M|a1(g6RN=Ifvp!2Y`=C zCE`wOV9sU12sgY?Q1}4B3ED01*)3-h^)$ghP!zZgZ&z*&w1&dEUOjE{(YVQ@93OlF 
z`c7p(pSbDGJx&AKOv1Q3Xjw&g_(Z zGBg>lidM^WgRvd{h#tMw8aa8W|MxL_=N1(#-|hEKDofp~ypm z!f|7<)d9mX_$g+ji`{!CTDCr{j1;;8PH)#W0K1P=h%WLi^>Q}*5>WjQ5bxikh;MjZG1u%uO~#l1fq!4hxNv3tZN-h_Q=bbxONmW$$6Mk2Ch2L0NC6=5Yd<3 zSP-eVDDx6cotJr?KEo{)^q(JbF;hd9i&D5tlON9|?d6|#$@7OoB!6s6CsfojOIW5( zkCV-j!_`Cs#l@5I=Oq$4Q+;-9UW5rB$Aq45jSRP$Z2A7FZA+@RvD(#F9=wa^f;vys zkEZ{kQDtsYX3gw%s+V&9o-@!2WO zd66{+ld~1wtqo>>rb0h>36Hmo7i=VEdz0QScU8RUs4eFoIYaoqt>F3@thlwlZnSVh z(La4+S};k|>+7#(z{wj5!3k!Cu85fxz(^dxEgrS-!X&RIk2JmlOTW_F$$N><`)-$! zcfJhWojEMA`8Wz2O;3BjV=)JQnDHTNix?!%P8E*!;iywc>_8kbH6cSB2b{pMgcn7p zAHLh5Zh56szj;OP(N2FN<4)4B9^vH^J$HodgTsCxG1r)Ir7igJ=d=stGL{8RlS0{j zih4lihaFJLDzJ_@>;isWl@J}c^&ZR)UzIuWCYtIVcsrUq=}!L3O4{LPEa(z8*Hk1R z@=wZXL?s5WR8vj^Z^}H{FgB&UZl|I5cHB^->g(TVn!}OqGSd-XVyqGx0NxMsb8K_Q z$~3@_FSWisi>Jp)-Nbms+Ji9uvc6(eGAT$fSSPi7p|9~Kq$r_E=1j(UyQtRpikHB` z`rhL9<3k?E_yEK-o&dYV`K0aDG;qGjc)S^WMY7#){<6xKR{8A#6mdyeVGi{*>PJdh zT)vyAo4>y}&aN?~Rui|*xyrl?Z!r;MgHqeXgw8&b$%776*Hen5?lA#(`K6xCw^~e; zWcOT}-+p8cnoR#rA!T1c2NdGo+Xup+AKM#`2k zeg-0{cqNc}+5m-YH>815Y-(F_gHTo^D{lwild(nAXgQskx@r>He}?Y>DmVR22qM@V z106p0x!shn&yZWznSi7>Cf>Wf=U~*+Pm<+!7J2Jp#`}^D?j;Dg@&HPpN~JAkcoQ5% z^P}l?dsNXIDSfscL8Y1!32`SQL%gy4$s>{)B%ho<|6-zcEY>4AquXuZbe&Z6H02p& z?MC}UUQ!K33JY9oYn+ueK!XKWi#+irTVeEv@e*g`etf;N%so=V?4$J<-pQQc-ZUI= zo8nD$Wo{ArOEbwkCkBy1)Y_((wFMnF+tC&}-IX$!%jYor8U%%}l)c7}6UOIz3zF{y zAIvOybKCx3`3Pzt%t5Tll{RL`ms&@qd?yt@M9l)lBB0+-iKvz7qJ5pLcw439{rz4f*GJyl1c{)mI!+@n|?pyl!Oj|j6E-Q*`gow73ghtIA+I6+zt z?Gs(F3S6#5hw?73M6bd`s>g((0V^DKwMD3;Da5TZ`je-vK|o%d$%^Qj?p*nWntC&| zZlPVqBc0$G)7P)R-*tJ}T50cFJLtkV?SpfzLE0%o2HiyX`sm6s*3TLs>S`R`b!@<~q+N;dsk_(e&Z9jnah|TS<3o zEdj(TFEU&!*r1R-Gb-!x!-~ER?TRG7(C8Wtr2u9`;zxMG^buG~SCbCw zS;L_L8XQ8&K8N!tpLdHYb-1-`su+ns62u4{ZghiP!ecvU6b=0~<06UQ%%LoXu@;a$ zF+m8)WYO$35BkozhP!vUpZdt|9NrO6WAq{+9L|MNRgb}P?_cZ|%gKyv1Dx@2pUm=* z)VD1{+%7RdUx|wXi;g_DN30SU|epO7~29$v6dXl0!bjd2{_*E;Ag7kz&_9I#EbnUS5hn$R_XhD_{%vv z4paK14-PFl04`>?S)@A{T(bLSy|D{>Ww&F(;Z~_wWD9}TD&$Wa%~tR3hY2TGmc@9L 
z|E;|*k80}N`nI*zwurPB6#*G4g7PxSJQHV`1Qh{gii!$|0T}}cNwm~jW(5S4Au2;; zjK~y7LL3+rgeVAMOcV?;5E7F>Lgx3x-rM*7`>u7r@9SD$pOv+;&N*2*InS{7v-ke} zepz?6(4k1>-H4mth|ip2+M+`5-El)8xV0;fh?E?<{Tuf7j;g24Kz7W@%KfWP!27^P zV-LyRi%gz6BtOMra|~G9x(1}FHXIyC5}5+2vNqG>1sjU@|L`RTT50L%?uc^@aIpu4 zvGKD9sJ4QhIohnIaI562v)&F{EPRR9Y-AIuJT`Ch24g_eBfsk0K!*LHS5-sV$CPF{ z#_G^l>+Y+mysLT!a5giZGvuEl0SSVvSm)it-B*GbMsrY-R)S>HenHPDG)>sqd1bs8 zCC&r(t3dF2WP|a#b)RD{T)$_7lj;uqdB-nNfHM=$O`LvnVftO{rJLnD7$E79RQHAV z(vmVAJ5gur`uFFLrQZxV<-DG%tA^-|j*Nf3!FaZ#+G7Z^V_IjF ziM07{X(UNfiiDatxCkD(~T#fFOzAl?!)#bsj(v9*FG zo>yZd4FVdrzZXTpHzkv$)Y|~++@<&!g(68?bp(*4mB@0;AP2T-a}A?;J_#I2$Z70< z!gm3JGM{Y8>-EhKq(~bppp^O5x@#u}zqXCKDsnAUzd@G0ef#@nfJC&>Eq>aIE{uAA z)n~?j^}2(ku(a}?^GB6{V3pD=ewpI4U=Aztb?U5?evZEtFTV)NZXr8356fRq#$6W3 zYAHjp03-O^rQ|6;w=EIKg)#?;x?Uz1-Dw?ArOpZahdpAhbq&_`n|F}&LLn(58to;a zM&ixxLaa#|5f!Jxj&u!wKYBiR6vA@jyZ~p#G30wy}QZL=HGwx`lEIS9Wy&_|Mfi$;{|^sV1`>GpIN|)4EgVw$AFndQ0vKi(4NEWqC$>?rP``J+u%rU_;l_-+E3R|z?o2j-yDbFRx1SX?{v6yshAA%{Tci=f( z1Ue7HpMEEr`h*zjs7FXg!nt%-Qjps=z1LxQb<8%QMf*^u7wCi=SQNfCl=3j`HVer< zI=MuEsa_OHRy??eY_AT`?8o@W_ryR&S|)iU$%oRG!ALw&8`Ik(wUpMg#7`KlP6$v( zvw)bdS8ygSL9l(5y72ZTfYAUn!H$?IEy0(vgR;zH;Ox#6FY$Bo`b462^lBUvK!N|V z%I-feJrVZm9#lwbSnZY0+q#12T z-BwjYS@)rNmE%a$4c6|O!nd5>gC>Bl=!Kk#o1U~}t55RZwiUg76BCZP{COOIqav0ffWZ9gC0?L;cus4kP zeB1cVmpZCph$`VB;Sb>eY=I>7G$K`uUcPyu^2R^wNdMONhPRKqJ2T8*7uJ=v?QZGe4?c=h+kEQ;SAeVRD zcN^kAABW^aj;9yqPM^85*bokK==_=5XO6(e-tX_i5sBDZ@BXFgg|(DQ!s|r6MYbwyT@7-^Mxq^vMN47xPVG5s`qd%t z?FXcY-^U38#q*=#=hM4Vg1G;vWtE1A1UvWjmAsUCyw~50zm(T$&KNeR6UpdJt zGttW_9(}wMHRGhw1XbIXn|AA@eTn;TDcbmkmtjZCDfVx|LlfYD{MMG@Gcz2qWE4qS zsvuR77>`F**8EG^i;Y6WlXDA0+*Kt?!Z*E^^>}LfjXX?qK)+hBdV5o%b}7|F6To>x zXZ3r*Uw^gk>05sBtNdL$=p)Em`P;Ujx6NZ*eiR~Vpne`Aa2IN27-s>|eH8vPf^mR* z`8uTk0L1`6NF3Xov$TCY5pJM+@AHE-aUozTT=7CXL8sZBgUyfywdv$r-~{cBAvm!4 zJ}g@@r+2a6H*@z?faRyypVMfACgZn0?fAxaqFewuQPGabxiN48dz*Je5YiFb)M(W+ zJz+@V&@VOpU|{KP%s$whS~s^8-f_e;4pH20_jZi+9*A8X8#VLG?NH@vLM>yFXepTm 
znwXxDg}r)5TsQ(e-%s1C*1YtUAoEZEe7@XXeM9h5_&}6pclghoe4L<)_1G`7%^#Me zW-%f^<-?wRn;icuz*eFCq!WF=2XNJR995P6{9~(LhAPP!MC&-(Z6I!%KDjL1S&V&l z(rialXU@BU2i^7u9;^asZa&+|l`|1U!ZC$sd{;HR?0(%M8UEK(G3;d^(($ z;gt@%686w~0xYXi3}|3)iQ8T~sX3n2j;Q(=eeINF@+B*bJDuB4;^^x;`*!CQ>h+E` zuFqQ1n}V?NV`J(d&!l@*PrAj^8^(=#GjAw}2X8JWy`5qV_O)u(vk_H^ZhEiUYiZeW zddn!1MNS?~8Q+Z~UbCovE^eZ3um8gK&5rGxe=o(^!OKxZ+s~8g34mn!gDOpl=GZ~qQr@jau>_wp#JR)5N%{9V;kNgH^32nJA@j8Ab+Q1` z!fywgQH7q(q-+4)__*z9_ZwIDj1&p{hoIrdhF%2G=|o5gy~128uE{^;WrIM z@9UuJ>|N3eTXuVACX7VyA`uxEuz3R8<6UfDffP-{@x^v{2C(fCO(ZuQ9*w@=&w1xt z7V2WoaJ$6;(0cHZ518JKEff!!)Q6Z76#a4xR$knZAdPs^-@ZEK!|80DY@NgTk!9y* zpwm@fZ7{yuMCo6%p0cC)!?h)FY@x)rGX^>R=E};Sm}igtAf1B!1ABnb#8PleW3Hxc zckY7ps6N>5((_gTJE9nwvSTK@rz=!5|qL-BkaUsoiHaiRfk3&>T>%|+=r2kUhW z@Arc3(Bd#G)8q;CReCflagQG6H|-Hx!lZ&flP7I|SB7QUjk^X!J%V{o8_ACt|A`6T zRXc`<+_Hi}^0sEtBF!GT;o<^9BpIUvZNZ-m!1}aqP-*3fmcAbhc0zVS()#a3RTlgk z2zEgKVynBP-T_2A<=6dv^(Z;d3q`>*_Z%7ViW5eR)DSkE-1Dd6%Px;b0IcBjZvd?S z#})US@&`KS1i&CI`l{Qs$RY2~BkNm;#fNdA#vH*A$Uh?BtVAxlC4pubiK zfH~Pidg-oZA|mAbND1U>JQM_tvd%6=%_X%N-$k?-lm<+~LtF9QfPW&CKB$;-;F zYR)H{eEFs?mw_h-qSb*t0~S{KeV+fz8~J2|FTm#L8VkJ-HOBh{Q}c%9-<|oqvwSTT z4GolKx7gT`{Gn+F@s!>t8UcL^UGr7*Gk7|pJNm`Q=~h_ua@^5EVGAJcgSSgBJn`;# z+0GXDMQ@U5vE=H98{AHdW4~jO(eWV(Lc&ktZ_l2X;Z-NPg7Pl5^?Nz}4_qmSB+@37FJ z9a%th+t$$DNT?N8MM+%#G$(g=*l7*?Wna+qWu#M+&lqXo!As^h`&S+P2YL^#KkHwdTt?*4fGR4EcMsi9s0_MR4?XBRd{f0WkYUpJgi+Q+8-90kn_XbDb28+N_Tb1R(*SIiY?d)NMS@2Y2r$SM zsw^P&^pHNikrh8eXH#dLz_GDyp^V^W)Qf@Bg#pE!sSAB_mJJqbZinH<`zD3bQ+a&M zi_61`fMiJ#IqM=;&{~e+<7y;EwVjr$ss8W^UJGV*(m!pu>ctcpPr~3{U&O|&IzE7g z0xB`7Om>C{&YKzJ{C-hKfhneg>{;ft1ST;E5t;^;f@w1TzB)Adx|y)QO3J5GQydjL zB0(JXTtqfKIvh?R>oLXcq^?$%80xz8!W^!vUn|-IeUKDllH@Dpe;JL)WWNh}v!4Ct0oUq9xF_M}d+n7~6AWY;a zME;X-W4JG&^}z?(m{__81%5;=5HVpS3pp07iG`+_Z{o>9#-;q{?~xRMg*Ebt45XrL zcamNOjYM5}rwVdM3v7VT4%5yHv3@YW zHi)TS-V6mm91%1I>YSTp%$YE2cVop#>5K_#2L)9xeBuUuHr5CxgmvNhu#@WSM&wr} zSkA*&ajE?xi>&A-g-`SG_6AvT`_O0;+o4G&-laNoT12?);@ei_xnvOzSHJ{Cbf#ps 
znI#w|->Q^&B}cJrtyE42_UVYGcB{|ljwSUAyJJ!E3G{$4xpS|b%=@hzg&6;JT4QVJ z4~rZ|5uLubjTo=m7CIQ4@%=Ib|K1q_!Y0c65y@S1)(-#-vrIY~#%(#y4O||J@Z!iy z6X_p^(SA*x=H_I*(kCiS(UQ)3w4_PB#%#J>ISfl8K02E0{4RG=-*8NflINz>x-^i4 zXVGZNwETFqWmy`ZI@-2#%ONzUgLg zXdyyyN(ldvv;?TOL|p+=bD3I`;0u|<#H;brw5f;V&!5VIi~3edNq##}L$l3$WQJo! z9Xyg&sqjG1Xw_PMeKDJ83OZ(Knrb33e7JVwL%scsc2?M|R_Q1>I>ueaZ5nlgNo4me ze;24?Z9y>C4e2%q){&;Lb=Z&fBX5=NyMT%+QrJ?8F!SJ1i^FsaFCxX>k^M53)0HxJ zZ%)dfty~}ws(0H(kRs`%R)3ZKzzx(}IAo&y6;C3`0$;r%II5KxPUqKgU4U{dY+xQM z@*`A$+2bjqu^fc_Yk#NP+P8(Nt5orbZ+O@X@P&>I_cgq;O=7zYV>(^o906e~KgN@R zH)Wr$KvF+t9Ja@x57+(d1p;-fG~^ss0|$mIbRcy{N5LJKbIZZ}Oti7l>`#Nqn86Ya zkZ*c6FX6*#f99YAXc=#ae?5ey>IE)z5MyrTCm%vVQ>D;3hIPx*%NVkNg#%ENBKuji zBCSPqBl!G*)J|v>`o@S}eJe`$A_%$)r#Z*m?1Nb}q}7r?e-zS5gOsL5SMu9L?~TT> zL%FCS@DioBVWnb8=!&z6@#se^6`d}WxuB^Oz_w8R8Wk@raHcVLJFVcTrmW(HEzZ}l z3TY$|l%szVUSfC^yD~7`F=-mJB?_1ViwScxCY+pNKsvct*Zd}EjI5Eq7J3vg*x?3B zPx4Z_vtUXqi%m2)T0q_LPd*{YIwZbf=-j=ka&$=lL0fHU{HR0kzA9;Njo9$fyvvxy ze}RUPamF{zWU}51=o@z-q>02$;E~H>W_yE)hWRPdcdN4AM_r&sJ~Xsn5EaPi2dBo0 ztM~ZJAHGZ0-nB}b02ZDDSxLkHF#IhoBbr?fv37z5+U?}<7l{;sA{mO1>yb@R0^BDI z_mCVVB#hr`4Z45#vUo>iyTT!&0Rf9^?A%d4>p_jhSw5lX^#j6KaHc_KO?0 zuPQaGVH`030CmnK9nW#Hge^V2K6NZjRcJ)4%Vp|UuLhBvDqd2yEpc2+WUoQS2-lyD zF7`7}-<$~ZS#6Pu5OzO}uZS$)z)k%j1NBZ<_Hr0q4>=bofoI4F#o((19$ zC}l`-31c$CVwZ$k;U29{9FoecI-CfOgW0u0ea}Qyuy^>~-7aAVz>b+&^NgxaNk;p;5trm{Cv1j?`4 z73{S$-F)kZj}+uQ`37Tr__*rwP1OZi2o!|h{6+N7>713j=HVRaFRvaJbIiuK)FM-` z!7tauFM7dFVIa(m?|xC1Ph7>KMPnDzabQVy_+mhEMcP(TJIRPMx{nlcN+qN_2}&r_ z1IyyARsf}zoWi?wL_uOtPC2<=%-^Kc9z+ciaE6Nd2_DvKI=8^*Bd{Bxs*esHyK2|i z97NJ@l}=VdXg@5gt~kC4Iy()-=5j5$6kptKj_Fvm7@7vDFKRRh>`K1HCJC_|vQ;^Q z2{^i*2824;pxFak7jEzFA<;FF`+|fusl7E;Krgh9wOHwPc00tvd{2P}DUhNLIY0cq z@bqPfO9@t$U!Jm8Vet4F0SyQCNwdWTdAGW2Br3RKd*c(^O6R`OLby5CF< zbmqzrb072o4}DWYC7quky~l{u_)-18=e@qG!w(SlctML*EcAj)V|}9EE|0bMW$CTe z&y$H#2DhgywK;MaJ(rP&pDianI^~?<(t&t(7`|Q>-z;I`jC4>R$l+mAv{#Fg`Fm+c z8xHDK5k>(P8*Gz#$qwkpX%}-l!_V)_l6skjsuQQhggR&6rGyW^)X!J2tgno>q5+hM 
z`6lLFjXdvCovb2k&XD%DULDcbfYd1wuho2=x#*k;YJKSh9Z~N3MvH5AP_xqk)cUeZ1-ql=;v~ryqP7d z057mo&IdIMCIxqUpHI!T7~q@wks(xe4G^m93!axG!Uc|Y2`2~@I#l9Q!OM-tGMaGC zD)HeRrJe%A_GIZwoz~?3fgYT6fhP-X{4m*EuqvmfM~91vOvd#)TyYU=sWel#kBdqa zwWKAB0v9kIAZwR$5)BCSd1KM+VPUC_tK{`dO4{ATSfpb*0u+l*2<763=^cq7!<`h+ zY$r%VNlvY@L<770%ZHG+qht@?1_%ZRNW)QzX9$SPNV{Wpnz~bPMYc&Wqx8pu7@RqH z-CN0eMPEtM3uq?TVPG`G+8P4GNHp%u(l?(R1y>9&Ns2M+8+;Q9CJ?v);lhu7fth&W8yAg0f2-T!fMX9#$NGF3Lapt543s&g2A< z@4Pr|xfSSUL5bN~Drdoca7ZJ`B1H#Cz|kaO6-Tu^f!uf$is)0l&k3 zsYt2o_#P77oTM;C#dP+K-`;%ED9o*MUYLCb!dV8^z$nMbVs;v?DWZoUp@dVaj;bet z5Xq)t8Tq z>sr*-Hj7fngf5~a;uygo75x*;-aenh4~VTs8;nRAM2HDYAAb`);r^r5PCqC$5g|+S zdDo`+&KLCQH(rW|EYX|FNPon2Em3TK^O^cu>yv_8ALK1XILg3sp1l;0DfHRW)(Dd;wn*d&_p)x-6+KuFl3q@W+R9Z1w_mJY|bKt7OOk?akA_zvxRx z{M|=?&m-kT_$x1wy+FQDqPFArC0`l({71!4{yGoq?@UMGkMmFsnG62s1as2-D-!Ama=w17JoALJ!N;wn$ zf~)vHzwgZk^oW!dLbxF5k8RRfT(#z*dq;uue;hw;{@bemWv%*uem?yF5Kw(`ww}~b Zpm?m6%GgL&xN>wo4*MKxI&k)v{{}9qv^I!SPM_W;2m=mdx0IzSj)LvYu@A-E0h zHcQCwz5l+gSGBdfZ)>;fR#7wbZ8?4V>vPU`dP0>IrLmuoJplj!Tjsr_DgZoU2LR-0 z4CMQ7cmkP<0KgBBkrY>Vo7tUr_mbB_pdTou$e4UJA}}Ht_}uf3z)1Y_;(4yrmf=gC z_)&|Ax6p|q3#dl=Xpv6(=nq+yDyEA4SQ>o#=j4^QvGS~3q$UjE8|Pg{N%AJI<2q1p z8$sSp%&vRF8=iyu>pmOlp8JkrjY4?%4<#m72n0j=&xhNeuZS3FA4(-t-m>JsLfoOA z8uC!Oe|!&n`tLn$LN)t;HEF{?Gb{e9X`~|G5&EwxYgi%Qe|nJO{D0i&j;gAKh4`mW z`qFJY1P{&L_kSo57oVIQpX~By8*0j@cFR~5^U!xeQBg)%u_I#t1Uh#OB?x+5Ga2UL z@y6M{q8J1^TxyF;C?sBJabV*Xzm%^zeEbbe?8(nrlUdeI^LIi&1P)VaIff#p)gS-i z^=-VM5yuuA7AQXq_BI$!ty}e$baVPte8wHUe8t_vL!m!aBup6WTUQ~Zb=5k66dhsYIC`JpiChSI22x{@((VRpUpXhUQLd--4F~)1{i4ugO ziVTo7^7dz&bBDc5Na0%#7KBT?exE<;F*mGeOo{QO43lk!pnZhZ4rJmt=}b*1eoJ(< z?ps!<6W(Z??I|pyd;YK#eOz=L%>4$4_JQ;G$+21Pt6>E{2?Yrc|MiMT^jgGe_T`I< zS#OZaV812wV-DfJN*HWwD7P?xa;R^eese+6MTMq08(v_Q4Uzk4@>#t-_iGJj)wz%~ z+!-f3gHctiTn52g@gf2RN`T4b4i7w&KlyrFz={sYe02%ow&Y;SHE0t?ub;^}SSZEP zP=Hi!P$6urEm|(0dRr>LyNNo-t$Ur#@E~Jm&Ll$N`pW%D&utIsjVf~v=JauHJfM=L zzfhA!?dK7kTrO3L$3&w{lip};me<8@GR1~vYo=GjcU@xOcJ8{c{M5dLqv#p*s?FPf zO8me}o4zhcF_Mx3bqLJ5Ih 
zSfJh;b5{FdNOSEUMH_56F_jXun984OqcABi4)hNG zbapYPsbs&b70Xp$Y>Cr0Tg<5lsCC;8NDW&#z#Mn4o8~uLT{dH>E_)`OwQb;%SJ@nw zU7Gd*py5z5&qQ5I>%Z1ykEDbiZ%P)h2Z|XnzE*zqp#HaU-}^(1Ov?}uxlB1vm9?L1 zX$vm5r#sPJRxzbF8F>{>h?H~%|6ML{BZnNp;+YFt70eugaWXq2g)CI>&0unXA2~eP zTX%qu3NVwSmnpVz?tnc_Q8g8mo!(hP?VM7k*@6IeD@^Kucc8@s2ncG?_f1S}`vx-6!Q)*3E5JH3s* zBUhv={K70XMe3)0)+Rrb#^YY;!D@k1gBFJAJXAmHKbZb)-Z#}QDjHVK;l_15$nT?? zv#PDfvK4|#m0fJM&b5TD1weun`GG@$L(=?GHU>X=vxhb5nbcVx-Nl*WT7QZpZ)i5~ z)%eIlkf~g%9zLV!b`1(@SVXWP0Y17nA~bM8Ya3o^jpaqr8)9!Ibr33470&0>8DFNF zR{z9i|LP8AXY8$upQ-5?m9~6zK7&#RyaszaP#h#3TrzrW4!FzeId6u-fFl$qVs8!HH0#@f#KUaY)471*UWWz<@ z%N|NSle5Z@{!{7>GNSaKEsIW*nxTFaHCHEa6m(|xW(#Et3%&+AE!75@Qp)_=Ww$0` zd)jrA=~n0D=aD3>g_9?*H4D0Fg-HXe49$0MXSCRIGoY17-y9K_XSUTDpRR?z-LAlR z&*xR69OKjtxzz>LthrjPKdH_v8Iu^CIXs(fFNNrO17_2*70Mg=s6c^M#e}tvNPXo- z=hWPl^u`6W#+%9w6?nnBT?_${SHRo8#aNrv5UgC?qhz(Ih|L5VQ~JOcYt$$EYvxN! zW=5X%j&!9v@#p9~cw*m3F53;x{Ep9YaZ>}$KIt}vDRXG=Olp%)B zx>tQ8$xjD1czJv(pBl=c7ce5A!u4&#t{Z5x$lKxMh@ZD^4lpgDzHON>EUhbrJ0~}7 zvfDi`gqmfdRLx8B%!NB>M;hu(;MEz3MN|KM_txrWJPGu!hQ&pn(RT`BAEYOEeo>V1 zJ^119y&d~rA6U%Vi?l11kiU$}t~a?_6@NBi@SUixnZnF@^(t+)lSG+u?e?n&9SXEV zWdEbC$csKzFXvaf*Na3i>~;o;p{G+gGnny1yzt>oV<91jCi>@9Q231eG7Ujk7`hfF zMb#&ak~F02*qEuosNC$aN3`$)=Ug;eOD-Epa9Z76OIxYI!AR%klv6B8A}Ef?m#NZ5 z)r((e*GP9P;gAAY^3~9Jw<_SNXt%uiwRC?m<8Ew1Q}j1Tg**&EpJhh#;G!>moXt7Un3iU zA;4+bf&l^E0l!vPd>6Y5SL-$=ku5XtVVOv5S6NTZz)POl%R{rj9g`~xf>;A2{&%uw z-J-F;*6UWyOb9qk3R|@hW5g$#7Ky%2rkK}-^u@7+GZ)YF!S_c5&cjTF>vhYzXgD8Z`>CPAo9*enX+0@M2 zRRNm?KtFhMe3@#HkumYR)ImhOfo*LKJb zZY?|6NY%~8d9WhiK}J99X;zx)z$RCZ-c z{(#RX+Wt*HCtgCv8iYJ!j4XJIGh@Vu??C((pO9jP`1>0K6u`_u-PU(JObTjKM1?IWE z(n|hw{p7(F*i15dr#jxhzyC5c!=_=(xPuao%II$d>%yL`a(d<|G3ogSnvJOowVn73 zE44I)>7}9qo1^{ar+#07R1|Urff(+K9Xr6gk?h2twJz3b=kV0*bSh0o(KME(Jb7WX zUd|Z*4aIrUSORD?*$lGwqy*eD^TW~^LXmB}GJzw*;Y&H9cpw^+lGF6I$0@ioPG`aU z78Z`_9|TGClyDnETJSY`5v5IBIADTaV|n+9<#=JzM0UV&JhhKkI*=s6AcLA>v$^pi zVR!Ity-^e&0So^Z@b$&*T*t@a3|p>}4(b+qMUXuwI*@*SH8D(@OG)dHcFS|{b|%Dn 
zQnV%>dm;O4cW+@ilZH`)vl9_}C~TA)k%vgWO&&X=4CXBnP!{Saf(PQ>tttDkH!Sr$ zt@OFDp148Lq!o{;AMQ21m{t3td$MWPVsY*(BJlB%zolP_ch6k9em#$lr`yDJ@S((F z&BD&)2}ljSY`PqNtW+XNTQE@$=ksaHtR#PNRJM0v;mRy|`X~r@oVMk$VG6R@v+)tc zP5Np0GSJeKfolsJTe*k=iPSSoW?45(M)pdd?rdxzi7oNi4OT6Ueom`z;*q=U3v+IH zV$#U78DwEQ`ENJ9aaW81o9;CR6qmU6iw|UR=397a0`|X`(olIZ-mBdobNqG&qSMa?`GRJXK(!S^jO& ztjLE~BsG5hm!Dm9P2uq1)6vov5&!?m6aRn3z5id;D8aZhAStO7veVL3ZzKvV_OPtG z#!NcD`77TOEJJ2Rb?G;x_Fza?mnpL>14izEw{G>}aXiM3K$S0ZB<+y|D$v8?O!@fl zItj1b$2zoAY1eBySeh5TpTm~&5euNRRd4(CQcuHZAw| z|DFn0;RHkG2GxlsKhHm^oCQC1#N4jO3}KaVyv(;p>11Q-YbSRPtir`MrzRWigq9hO zW${64)$AG+_o;hI-L;i`pFL;;w0~9OaBih|l8XK0z*ii#0GBbSpYqS+rOq;K)}wXI;=^|==otvS5xKkYv9e3w2Ot*P?UhVUJ!hOX_RQ< zWo`8uOM1xa`Qyg{f8ntpF-f+=HeED*?YMU%8@W$mU_jpU+eWcq?!6`T;BHn8RRUYr^RJJvQr8%VnZh7a1+!A<{|><+5M5=0YWd(`r=-Ilw|5i!7=DS zd5i~Y;MeMS%|>k97_f>?_OCo6iw?nR?yW--c2M)nF+f6ksP!zXIcj}ztTaYHIwV3S zaSi2LZS~2i^-4bPyVi(TZ^9y0FH&B<e-!?1=S)q_TA3j1Wt2NoOg?%kC>Zz>L#c((~A% z?t8{;q%PWtw$JB*k13lVk@VBG3M^m~y1aY-Hq4btYHl(*-`9gR`zAK(d0fl&VbgGB zpgMkq%icADKSia2pz93cecRDBUnPpYnyzy*$Vd)}A9Ps_APJD$*!_8O6OAHwzH-tI z8oEA#VKgDFmT|CMnz!|(Gt7eR-444ltV#}+1YqvIl+^pCCeOCe7t)SS@8SiCF;3y2j`Q5#B#L2d}Obd+ff-9(g@r-p}toU+UGm zFCK~a&T1*ag&XgVkM9+HqVT44{+!FP^ohNjoB-e)btV2bxB8=s{fG+{8wF1OI4IxPfgy0+D2Us5dmfTAkxu%?}BWGaADj_yJ%<$azO#4Iuo$C zBxDywO;0*@eSC`7t4MuojA)CG5Z#C*k;P@-)YPso3jHADa@8q#-=;W9 z7ivAS*xo=$9|^m(MHM)G;0YbCp>Ho`ZS~_*Ytm<P_8DcCw;p5Mr zQ=-b{M6o+D+utgPd_hOc02!S<=E52BY~sU3T$yqOb3FuaH3l2ON!qhK*iCdFAQl{I2KsIv-^FFbm%He`r6;_>5y z_!$6C77%lEKmLNy8)-Oh)Ls0vA8}zm$HKzi#d^7RAh&ojvHsg7i#n*|Zd2z@;P9dj z!bW}Bd*zmTyViXQ23bDl!?`@1xsT+b*t(>9=3IPfGz_YyxL9rqs1sXisj>P_teooP zO3vr-aK74Ic5510 zgA64#+P*_*OMh$F6Z<`WX551D+crISpdH0PyUEJ{G#_(77TLL}aTB42xvsdFrkxrb zeXum_^jD*bh!{X7nje&psw=+CMR*o)5F~i13e8u@7%Ip%>KU0@nwnZ_T}|A>E$zo6RO|JY8~WJe8UBt=KvZS3H+w6 zOE>5_s^g^tfGjGavR9bJqr3!KZ(ZFRzT)iVmcCP&Waua?ok3rBHmLLx2Q>+f26b9! 
zNV28~n$Hrg|M`1JsPD+@6Sa_>w$}t3SD#8Lvn0?W{y?0oP?n~0+;33?n+>X9bvqF- z&!}gl$G03A2BjSLK`ZOo^R$=xNHo_6(S1BcDg}g9Oa@^gMN-R~n)Zz~%e{s3z_6+0 z^^+DS{(3Y(+Al&+3cg6@Ap9AI4LloRsgkhSUMB`9-Wru*y}G(iF+5iOC|d3d8+q>E z#CFJ)w%%E24fu()*C**_(0agARwg-d|8fdHx_+rMFVL(u4F#|?7xW)@XfHN?5Ks%Z zKVBy(h~NGd>s|?{gyZkKSY)ccExGpi>5y9Abg58NzX$xtkEi8*1kk7$y^}QB_Wqvw z*{Y(F(O>IWWhuEaVh6wr=?@9*x%4S+B(A>RfoF)=gM9)3yPI4N%sU zd1PS*tb4VHA0J+mbF7-A&R=a!muCEe?iBC$ryeVSiSpA+>x*B!PWPGxuNzCFNUx46#w?r5$ety;B(_<6cA*UbISxz7Uiov=Cjw<{<}y1(7r?jf&0c$HE#(tB$84ep!2;@O3DHW728*Ba5NGwQi_bVvn>(j|_o+bOLZ9k5*gdZhor zZK=ff%q7s2aMHmCrnT;7o2M;k@6h;pf#5#U>c{jrFev3VFZ zM02f;nY425$(Ww^brs-8mx8F(3)0F=qJ8PJl>DpJa{?+*QW<^Dni!s(uwV|_Pjy^aiD+KHHV^gKyD>zT~PKO_zN zT-O8Upjd!jhP$_DNY=|=&CBF%l=snNBmjpZRC%-C z{?7)fBX+bR2Wb#h3!?R963?RvCfRhgJ>KOe&M2UaHRW(HIb`mLwCG)o&+S3scUg8? zmSv9Au%Y2TOYR=&b4ny&Q4CgTI-^1Gwb+sxXpOlwb@B;O{tZWXOfDM|Z4-XQNhiPn zcqa$lj>B(ZeFpqxD&4V=d~!@!={au-7>C`4_2&ZzS;Rf`@~GeK5)XeO@q`QH^$G#* z7VO;k4yF4fi|02=UU$tZj93v1z|~j!cV>q}a0PjAPwh|vg?Ezj48V=2+-Ma5yk9)_ zfJ7^y{5}71U;53(hr|ooSyNlMK3}dMOzn7s-**+Mt0nS2?bREwFWGr-SYHQqE$Y|W zCrC8B{6{7>xkxC+=MI7%Rp+eDER9CuP2?>sm~Wp})GpRWx&p0Gg@R(d;T&m$9(&PSXa?8U9tyZSy z#s)@|Wyqwi1}-9m1YyMKHYSrfBT?wQWJwIX{C6gYG|r*nkl^AvwqYitEnYQ;VxzFI#J3 zL&Yw5kf+1~fpR)ec&~k)Mnr*?in+l%0yqzVL+eqQRL@N1YhsNxY`T?5jb6Xyouk6^ zMj}+QKqcpQ$A%n=ZvEpv?_>&JI;~BD%^e*d2OE#C63azR#cIpEpBK9DEP{Vn+M)ZY zo82!V1_@*1q4F7#M^-$x85@qrJ5xnnvX2hZfhrN2h$x^6%Rz#=$A$aU8X zJDfZ3H(qp2HtQY5iEXjOl`xPZ-EEai zv!A;!{Mo*idAL)@?dX072bbKP1>x2744Wavc|tfya8+dGpb?f2u7WvVxauaJOd|Ln zT<(yNJ9l|(<#RZoYZl4)u>mh(fRPZ|3|AR*V~{2u?>%F}=Wd@>sE zAx7KVLeks$%Roz+uIA0S!wtr3LqOq#!*K&Xh(&SRk%+=LNIi9w42e|acgf=NHF!e- zyz@FcP8<+DKgGKT(PhjVht)7Nzh#f#_?biHHUf1e^hTZAg>a;g7mT_*h#SR_w3wps zw^B4#fW{^-wY3E#S+**r+rI@ z(D7@Khk&dw%9lAONCjqYGu&GkXl<|YHZ${7db~8d11)R4`_3n3 ze>tW3@%O>ts6$^B)(I2^h)&GPg5Tyy&}o1J$)*<6nC&sQM$!Fr#WM4=C1>VpemQT4 zv5l?}Pc^tz)s?${r1^%49jLkpfMm>X*m8f(U8tG*vp2`4;Nz3Le&f=b)<;_B+*JQB zd{wZQbcpKA_cclzPr$^V_O5mGkz-9~$;H}ud1kXmdo|^YC}2+vWpx8(>U3+Tp;x5p 
zsYHMt!0w{qCY5BlxirYv#J_xWaWgjSuk|%BS!c>_Vj_F&$I+;gxA1-dh)zCtBH0V@ zWq*b+-6AYZ!~Q4JP3oak^~UeNU6(BBcx)rtK9#XP67wviqxp&S>hnaM?bWu) zAnXsuszJ}U=iR#`U+PZXjZqioecc7m+U>W+;*$8Rur&3B1=vP&>kj(jL39!#j|I;; zlvWcLXbob9(OTt-IoQjBKK!Rg($CC9V9MLiYecYC9-lG-sm_r_O#`HvK#%y`eCg`D zy~4xRwT#4f$oils&H?JLts++1NB_@eo05w^f zFSJHi?Vfo|=RGo0MHggHhAa2~#J*&`PnC9s8O-JJU+F1YR=O-J0 zUSGrj5o*=B5xyvZ2AHiLj?91?+V-KjGIGG(Klajh-1YR!_GaE`3qbMN20aUC%xX zZqXAhJND@MrgaZ#FuBj9w^A8&)YQ{whdI_Lni5029)gISAl-&dyBP+k=7Cy#nt_8Y8TX5FFZ?qBdI9qq56 z`IKFlZ7jfaGzl`%ejV9z@P2?kX3#a#q_bfBZ!MZ6IYVj-g;behzPH3r%a~s!Wkl@@WXT(ad$2n z`7U7NGKJ)?MvOe&AEC=qzL;|y(#~YQ54%UJh>N#HuEq~9W!B>aJ`7GiBqZ$Y^sKU? zqC!l+@q_fgIscz$zCDe$mh0;++QHZ&U0tZP*AMpf^ZAOfOY6g8{u*z>GN{g!0De;D zU}(7FAPcX|GX5$D(S-9yjU2u^mHb0pU~6+gT6Evs)=A_tROt(&4GINl{@Ix`Zm97W zPfdZ#o;WX~@l9i~3=I;^mfs8X_nOVzrk=VflaB%7w^+x&EwrKYnW;AN^VCPz;*Jty zr@?=$(9ihD$WQWvP=?TUH06lW`|1Z9^T-Twv@1r)`li6JE67~6D)@>`d5yA>BxasAyrVI>tzDK@vdH&?U{1d z-D~6J<);Elrq_0^%erkZD$EgtW!Pj@C2olmakpA;^KVW>5x3jAf?TpBuH=_1QHYb$ z(m$(ESWhBMxeJb(q9TVCQ0FTd5NOXFj^a2@+NKh-GV2=OZm>BBUfy0E%*B%C4eo&t z$F^^KUi6_3TswAQiN^dDn^`f@MA+YrzgcKB_;frWDYSwl`!hSJF0GKcB-aDe(WcWN zBCO8q*hgI76=_6Gnu^378K7vIb1FmWDoqo*3aG?V@OGaVKX=KYGn<2@)ZEs)PjAu~ z?S8L6%A}akqlZW1=I_a(=TN@u|M1H9&xr`eBDL1-yWh70riYJ7bLR8QW-fN3oIxC^ zZzMj`xW>6TV=xWAo<|mN!PuH=(?AB23#d&SpQ^B|>-lP<7J>ZUS00?9FC% zgI&@>(nT|OD^@i=(4P%=J_TMa7dy+LO`)`g`_#1&Q9GNIc_~l;sL>S1s<^x~RfY&K zcK@2FN!NaJadOnvlh)d3*M1DvboS_}W_l`&ON;3Zh#L}yvl_*v^Lh*=BL~OsVkw%^ zwFgDo+(x@`M$0NH0CB0=;q%CruipE3B1kFt1YZcgnl~Ezw#km)Y8~GyROzl#*Dlfm zl?HyfMT}_4Lmv`CMjbRLq?86|_8=3|Kx4htsjhG!An=64*V#dTZm@f*$Hy2ut!7!v zTI<|Ve*ehe*|6`z_8NyQ(h1lka6kyzXq72!pZe9vgSg-Q6Su}avBf(?J#^&0cC6yR zmbY$_C)|BJk)~SEt41P0Q~6YTM}aV8_qPZ1%{Ko^00|rbv|Jin=(amU^4PZP=|a-o z@_qH4>USZTBPm+j!iw_C`x{$ExBx8;vkf_bv7%UlSVIN6e~coD0A6SM&02mO@a<`uN`*V%S37{v zxdHE?wwM=-z}JoH6xr#Hu;3w)zDV|4uf;qoT2>RSrXFK+sArR%uH~dgqbwC;EMBQO z*efB6rFI@1NyI(vH#d}G(A5w4{`asBx2S+hmYqwt|u(S>OY$JP`dUT0j<9o zdP+%=tAXx223 zai5*5?oq0#93`|D4baLT?n 
zicoBxpN1O0oeNApX*%}k=j2>!AuHB^0MCI7_M2 zog5zy_Ntl(lY(Ks&D(lWcN-6U<5OJQ>1NNqvv%Hb+`X4b0J4gGqV2}WuRn@K{yWrl zUA(*UHasT@JYHz*D)3`0vgeP=jV(Xul(N#E?o%NHe{>OH%!-|n^lMLoevA&ChUBzy zDC+V-a6ejohei(L0^iD*Jn_DpE-}6Ivu>f1<<;>2U2JG3J&&;17ye-4;$SYF6SR+u z0xU+QtJ1u1X9P~D$+nF-2t(;5;sRQVYjuJM;B>>XFpQug&Xq=XM0KqiW#B*PGME? zw(jHTqI~DWR~A%T*5J39M8C~33R*3?PFEr^z;)<~#8$ zgAm+VcT_(RI__ITqdB1fKfaHBMvyop@o$RLO;<1ShrxO1H?>R*R*FM7x)O8HtyI>v zo9>CN+-Mh1Re`$Iu~@3Os1&YVYQJJ#(IvcJJSB6iyL4EKr*O2fq1NJ23n;6i*IEsrtD|H*y`TI8uw*4XsfFC9JW22A^NJ zjD{VMGU!;hJ?O`FY)|oW(4!Z&OVlX9tcxqot_t<@HX z#soMhj6>6@J5ViPLn& zzqY}w@fPkK!|x8kiIyigyR=h%UzZzz?#n$&1dJLE2AlFlULQgdvLj(@n>^~@seD#p z6X7If3(f}XQ}&}r)LoaP$!epHS64lh6wnvamSG_Gby4@XQ_F4XsyWgm!5#+B-A4uv zdv;d8^&DS?#L^8(n*vekbS(=NVuICrSEFC3rR$JJ8bneBR*K_()g&sM7N?QPT|{d) z*G7}yr)Ep%V+8R4yPjTmu=-HpIT|_kts1ivjM!v*nP!5{8H|hQOAmt(LO)g%3G%Vh zYQ6ryZjtjAzm$Q2amHe}-W~i?lC?MfxNL5>?}g>l07`%!0sRbr1TF1;U?{_EtS)^_ ztv=nSm0i}iTT4+$;ZdX z>$9qvow7b!mS#89Fd&G)lS|q}t3E`hY*@_9mZSfr&%XM-FCn`qn0reo;dxBurkOi6 z{-o}mnJonDYrgtIO8uhy3lep2k$w>mHMPUoPMPE_(bp>xUr$3p@02-RL>UgXknv`2&BG#xm;pvz?xRr zQR{w;sV?jMsYgiLub?BuRghb`@cE>76Dc4zW4^bM#yXjD&&|;Or?(*MdsZGvT&JaHQiPop~_kaGD zq_)`euoR#Fe8R_{p#8sk~N$` z)t-4zce{iS<(Py$DvVF9JfW{@Mk6fo8Al2eEC&R{si12^AH;_be4*8)7XQ5yuB5O< z;oI{H7Af|&Hu1sFr*ALkQ=afE3l`Qoaz!&#mqh`75xWfq`_m9#bo0|bxrL^ed2QeD zg~@dCb|T~is+iv$_4XxHOYJU?$ZJFF;V1MD!onApy0?E^pW2A{$>lFlHia=(jix*Y zB_zBEsIoV#h#VaMf!^CN?fQqwnh9TbYw%Vq34~hgQT-W-=5Sl6D(8d3U3Sq|gM#{$ z=V}v{Q|11p9{{nJz8G(qs8b}|dEc6^6j8q$LCGz`(3H@v7@nI6qnaD&)eKD|*Lr_) ztnoT&H|xVp?I(NlCqYlXZ4P8phbpW@&6A}}u>U6_RQeihM4LL^q>ylyD@Vka05g8+!cR zW8m^-{+*B=%VOuu6Q*9Ui%$oSh3796;QZV=>XDv6XMyVyq0F@7g9(K)#qt<%|4%?uOg zrl1F^315YcDz>aI*vY;pu1Jk(W{a&Y8^Sk8DRi&jwc`dO$r(X7#X}<8JD7-67)lyVLEa!%sLqri zRUPZ`&2%n^mLD#X8i2j}2aOxkjJ@8M%K#0iDKiyvuvypkp?CKV-Bg)`{yePo$~K;w z!T=&=FKMVxtz>;f-z&(l-RA^ctGkKm+zqT;NA+N>{t@%BNJJh?w+_#ron(0_ACu~` zs5A51AXk~0NLCkJcXfV%o0p)y-|Qhyckkz|^~**+sxGr`sH=wOH4<0vuRiJRjV~ 
zvnO1@5(VOOSvohQl|~E-d(?)Vh7aRNN+0sMkD~*t8zgPL$`t1|d0FYEFikY7?7YT& zWGige>>dsY@y?_s?OX+CtC7rQtFLsN{Shwzz+ptKOm^tePivyN-CzFlk^XYkmr|GI zmYWy_^pkE=pSx?99Arx0(V~SN9V3w+7ggF$^m6hri}Z1eqLk@3VgDX2IUhD@3Xgwj zic85yHL^NEMYSf9m?7eP`zg-A*4gn94dx<|gEYm%mclR6&*v)A-Z@(%(@{=khFMl)rB;;;iB9(hg{L(Su#RRvD zE0q0xXgvc9vY$jkQMpl>$AD+!Xkpg!%t)HOL(}`@H;FX7cV3zzeiFtO7BXXjWrH}; zqwIRMx~lJ+C6aK(K0Yd-n&XISeNRtBNNV}t)I#?@BWh?!nA(N2;Y7-C68pyUYobAR zwdxD%DdJl^poCKQbW((4Alr0*sYx0aKI64{xpBCOFG=;*VC$ZabNisRb|1~LQA7jY z-*n+%mNlAWW!N4UjPY9E-lr`c%iZUo!8-Kd?Nij+yj$b5D1J>!evU^;V=biukqr7> zu7}R@jc!&N+sAJ7XAT@ql8Z*l)QH7sN!vvNY+$J2+!Gr7w#W3e>FTz4b9f&g-9;Ch zbm7Ntkx#&qPt)F>pv&g@2Y|MVp?b1|nvmB5F>|p|n(nK9vgy9z!V!7$(|l=VC)Vk3 zIB_6&Y1CF?A83z>kGXo|_&!9qZtL3w#yQJ>?e4@4LU(rt)6s(XWZKr=cdBPc2dncb zgKL*q>BDVz{;xsGhmYnjnWcR2OMb6`HnAgR3;pjT=_;daL{rze^=wN#FAJExdEJ_2 zW1>C2E)41ysEP#IIQD;os1i;;3!96mi6@WF5rF^5m;Nt93|-;@TNorIrLH|Zr>8!A z4y@EZ55w%J?i`aSzN-F8#b!d6IHe9Pa3JI@qc5Tqtghtd3E27(@f#4MsZPiYv->GA7&vaG(4~*Q{r89+YKkp2ah08K`XO+GWFMLV+7krmA;?GO}F9za& z>6P{W(}?;%4F11zx&BM9sN(-XAt;~Uxt`nHC9+9XRNOz#l$iJ$aS1i&#|sOS9L;8H z`yg1w{XsV}_FIy9Fg|qCo{7&+>~`MO?I5!Z<@pb?m$LG#_s_+(ZHoC=Af#Cb_UCVP zwE&dyP*%8#W}?NG>V2x=Q0xuVGWl6*hlmKroe3q?`v@0( zL9pi!ufA12rVS~ORUa8SmA#{!uQGQU%X<>jeX)zX>95^?hYmk)oTZK>$|%0p~hhnClbxR{g*W6W)M-|tSkSUPb%J_lJrbzrT%eEp~_rz z&GV`J7w|u9+vK&|eUtNrde$61%1^`)hcjaburu-Se0tzVs=RN;$YA2S{%m-&f_+j3Kj z9nl7edBb@eN4qgKe9%YN!>TRS7004+K4`njXoQ@+ruh$}#K}3knjvV*2d-Kl7smki zs=t=rscxpEM=raqk=sYe3f5s}$%um2&n^=q)pQ>_p7deK3O8@gYX^@T*w89?{IDCX zW{cBFxV6E%ZR$Jd$n`x1xu0%i#aim-Dd@zk?rouJf7Tfu_3lFxcy2m0J~^9fi_sp< zlB3Aqvq4C?j?neEX&JGTn7K6DlJ?#AX{c1@xE;0{&P~wrrP?;)+vVeGrzz5x&3(-=AwLr)i-fC;y%Q(v(yO3!LvT7VXBmJvur-@%^zuD9T8KE;f}_ z#haL>5cA}DJasA;gZXAsxBUVz>Jo*c?|qY-fRYAuJABE{(EsxokkNhTn$l9(wWy|> zHF1$WZHs{fBpV*ls7PeWM^#SaVo0g+}KH(O$i=I96rtq~D zZW2RX-A$VD=ggA{8TB>6 z@pV5r0DIOPQ8sn?uJLlzC3uZyIWqEk#wgRP>IpP+)#hi!>D^Nz1poGzD37AO_D*r%d^+*?yU>u6fco>9iZ+T2Gcj33jdSH3CN8-4S-ne&~U9 z#jU{g+rQtDF(PQDb5~QBhvs(SP-|iVB!W=&SqH{*nt5cbV4bqQh#+f|f7eBvqwjOW 
z(vhtf4Q{*-p=Mc4O~b>iWbQblgKX~bk3E4=D|uwy>OlZbULU}Fnu`rl0Hv+ptBJyl z`x0G1Q13V5yN;ZyR~B{44ZwnKf2!P*^y;%B3sh-LTc&lm6%AgP@L-gcdNrg z;vNG$$S_`uhXrJJqt@jI9tuf}GS_MC{f`t;uG=BoZ9F~2na z=U9{h`o%ppCvDh!{cA_luI0k|sIqeskxS`U@xN%Oe$6MAwmD5>HQ}f?h^vbeZ{VlN zvbw$OnvY{C{Rr2u=8Z4bh(vFKsS*v?pEQ(Y z=yt=hs?3!+$LzIYjmaSUfX-0ZPL*++9U~x)0(KRBRVKIbyy^a$1zX%1m#W$MP)&cY z_V5CK=6P!wJPienEpl|oTo?O0@6z1(B>O;WK6S7E;`ju46OQ7^eU#bmJ&7rpeGEs_ z!`8jy33lKU1Qn)$)PNP@YJp8o?}smd=~2v9jeB%N@mEL0nScjdE=*SdpMJ_=u|-bIHiD$>X=I5UYd#R;3Rw% zDCvNT6wy8piOlYR-2cYdd&M=`b?e?yM3f>bO+i4BUIhfCqezF)I{}g2I{`vd1f(kn zNbkMZ&_bk3?=?W^orIdu*?FFKt#9w|x7WeGk8+SZ$vx-DY~%W0LqkS;z_LUHzOBaf zRPdig>Q4*jK#|cJ6>DTw(B=5yNp%6M);|MbHubW$OSV-CvQx5t(t~)|xbWZEN}wGl z&HK;w|1xi#eCt;V3vblJn0(NA50cYTze0ISew^pM(tqDKyI^`)yu)pb2Y%fOsuZm+ zzs%o3rCpdFIvv&-+rQWGRkjZ)-oQ^PNzf^|+G#~HxY^E~?R|?l6z*yUw!yv?Ds8?t zlwvJS9*YoqU;w%!V@114&NE}Ud;|5k+3XN% zh1Pa?6~QVmUbp(O6ko{d+1_MNzHADN!Luh?Nk4wzhu`PJdC~$nc6sG>f?i`?HBn+! z=NH%Bxq-Db)(M$@op8YtK`wjE6KO?&X?=T5HcmL)ENIA|iTw zOHeBUYMB~qZ1l%TDior90}aQ&!awBDTcur9iOl|F_sqgGt_A-0Nq6~ zGBGkPR4n_nxOpHi#9hFE!q3y3XO`DR4KuqgiNpJs`>BG`YM{khFHE)gW(7;9aq|hH zTIN`=OJaiCTgb6zBO~#a^0+d$FhveZ+XRBKmNJ2Pt`9m|zs17Mz_&OitqybTS9R%c z4EH{kNUOQUy|2uq?z|8gdwma=tUfOG2wb2VY8M>)8M;J=BG@(QN zT)MIr=Y-HOQe9cf+jv*^;|sT2UDCfIN7n=#m^66$V+a?wz2otxc2!b zdsA^WZL-HpfjUG2JM_+U`?e-mI$GW1_c0&8h2_frK+A_Of7*HxlQKrD*bIub#qY!1 z{mh+1H;d6z9t%%Cs=jIV?C3rL3yPb3VMm+ZDedw+E$vtFd*C8YcB$7U9oz)?>hrWp zAaHLW#k&u1t$M1+?Nz8or5CZ+6;I_b?J{>29WQ5H`sZ%Ek@okoLiTQb5!J>wiW@~5 zJQS+aWhF-&c=tv6w%A#Ts->88DRu_c^r2c?-%4}e%4ja2+X($We-{(k0bUN#;y|)r zqZYqPZVD_DiV!mQoBGwpBQaS?AObJq4A_Xf+;bB-pXSMb&7I;o1 z`Ov>V73z9?=5O5Jc6d6c=n(^IQkh!Vi-LCjecv$qBbZ)i>@hjH)E>ha+7OSxZJ|t8 z=>D}2M=cY}b-l(Yb=?T%vnz%-M!-BIk42j^pTAf zNz9bQindFYHO+&+{2D|bvm17Wo~+=_D=BMScsQ9w{i@8lrFyebA{4}dG*^Uoss!LA z&pu@0FL}wm*wT-M3!Bu%#~TJGsZiy^3$~PbqDDq`g1+!juU5s2>hkgx=p*ZWnDip{ z2X93?L079k=*TG9^;U`M}>;0%@9cI_uK~ z+M5kLir0Im$!g)7^Uco_citV4;m&Zie>9qn_Lbg=unf_|lb?m15lj|3^@yZiEW<^Q 
zj2~EgNir+Eu^$qJxqM!pW^;Uh3uZHT{>JA0pGFx-YCg~N#d}ik*FwO+3tw?)grCb7 zVY$TedCeKI%q%{2iYw!Q*`qRb!cXI0yA0DVS|sZ~U5~|qsauyqYQGKKmzMAS^%gb7T)w*s=?5fwW5Fp}F6N%FS4F%f}qRY46ulG{~rfJTEWTqUp z3uSVyJP^6x^^Pa?;|cNE^E^g&O(IXLqLI81&99y3!9L+BLfZaLxaM;LNet@SHn>y}4So(pvi?qaW) zVUnZM7e^PQLKgB&!R!=-^c!KxP;x7)wL7*li$rD;DWfW}WSGe#O|LAqc!EL-_U*sI z=##1IK^ZvN{dxV%)pUd!=oa0g`QRCUfPKezC*6I`h6{lvn#7k|k^zp1-EUZrM|xYL z$wF!=dP-vkUI@&~Z00};{NHF>V#0z=pjog$vD4AN6Glo9KxM288r*$c`obu%G&Uj-$XVf zqHx{RP`t;Nq`P|uv%&AYt@aa^cx}l&_Z}$ezv=9l7!roGP4&`8KP2D$=2s`yR;S`~ zLLpP4tEzrYEZ z3$Zk4FqMhX?REEVAxpP3#a-rs^f3ebt=}V`;BCeZQK7m}|9ZAZpP#&xYP;SrgZtEY z0B3ajogSU<3{C+QZ$XZ6UWP4h*B;H?cNcpv+l;d3a2M_ENOy7xgV680;++IdJU_$TCBdmLp`1R zL`I45@3*?R!;L>jgPhS9DgkSp?*i&FL6rh6SH6|}%n!d9%eSO&j5kB3ioTJbd6DNb znl};D*53bk+S!nl%0P;#l*6BGGFdT!ZRf%fg5k)+!;o*XTq!SECcS5_!dfjo+t2=# zq!gf~3EqG3vJ5i)r%R4Zw(hsy9pW^m)LB}emj9Ve=)HQ4>XM5K{Yi5J8@54ZzoG*W za+mqumLjdt?#*^y5yh2qzuXNcLcr}}64#Y-X7fab7lY{`Il8Kk02+e+4bRCW9H`2m z9_M-~GvawcRx0~bYR!jRexu(M9knCNlzSTq+glC%7l&ws*QZ)uTM4J ziU5z;zRy)^PhRhmHqYScUnX!$CeAgJ1ztw^z~Me$1pp7eg6(0kd@W%Fgxs<$7asH` zn63<3u*kU8%F*GzA~UCVNn3lxcnB9YJq|FuE#U?Pem%CMdeQ7t0k5&`nR{~*5MZ&r z)LjAq-~u%7vQ%!+fBZlq&H3VM<}?9+2#s=F=bbpo7fX+%Tr3X@E~8J=7m(lysELiF z(n8gz)AL;38apfF`hO@yO#2YWOuLfv<0nzUeyM?9BkZt+J^{6r&9wjA8lZ~Y;VVwc!ZF%S zM$g_fJ{Nne)_}2ZKNv%M07#mWI5ml-M9imhJ-a~e6{|<*`?Z6_N`qfRf&8x|&#ws} zLm2F&a97bxsGl+z6kOrCicn?RExfzC#OuUTVSIf4l@{nP9YVZ4+4My~i=ARVWhcMb zdVT_5SDRg`IpuqhTy#^V^?2)#VChtLa(&cJX9^eD6dL&8#V%k8*nu+Pq|cdtygStq zA{;BaFZ?2w(zb@q?L@?mU(lhAh0$=AH^)FGpQNtG!Ba->? 
zb$;U&F2)rBqFHCe4KHmwE+PY0UgP{9XHzg;wovJ7vv#l7u;j)7ECp1Z$TH-6-KEDm zHfGoU=?&7BWdXM$Z&rFp*1dJ=t0SxM#}Jx_uVNzH@-T1)DPaf~edSzA`pFvhEI+`R z!$f@}T84!whjM`Q37)rHqJQI!IpTbwKh#H{_~gv!apQ7Y5H~-SiY>AEzTwgAsg^qi zOMh8pY}kjTP;?9^(=jCWeUiE7{Owy5{Y}fJZK4njwP^kBD6%~YB@oDHJ+U|BIhUh2 zQ})7(0#$SnHLi~3yPi~X;lf+2t(X0Q&DT^vT2h0Yfvrz>(+!0WG`g7^FQbm0(2M^r z5A4}*c*g=)e+uBv$tO`VJVlZ+IHZIUKf|R8nm_U^jq$kP$yuV^)W4$8FcTlOzBe^w z007~cZ^NhTPU^q&Rq|M(1t}R&9K*O_w2`>5R7IrEE0DHxFlD*X% z^~)302cd~Z36&$~blP8vw2TfzhdUMN8G zXkEZ@bm=CF{C$PKQ}DYkv{!&`{Y1T5o-FQ!HuH3gRL*P1!M?Z?#&OgB9UM~sIOse3 z`iMh&q(2alNxN;1ENVuk*KATaG_QY5rMlNLO$;vYy%#)F#YPgyZdhhr2tz8&&DWU^ zAMekrA0WpSq{Whr8@(2qR~gg9$7U-^`bVRP{FR^anLDeIT@soQA4UE?aB~4upGgJZ zB?nZCVsrNm5{Estbf*G5D%34{EHcXXiKaO(1)BqIO&6|dc3D`N;42EgSJZp(B)oT2 z^9tebJh@3!7SI6J(q{#GL*idn+NUzO0S$@wJ&v0j;@E=htb6m6e)?-xqZd4mthu?% z3)9ALIuTnWQu9*TY1;N2AvfaRD3YB%Vqncv-kU-W;-pKC%vvaLxM9BdfI$R)CHHf( zV$n|nb4_QYw+VC);w;{?P{;)XSvQRh>N5d2k4qA%_%aPaKGzh(_Fkpp1T$*3qcsx0 ztIAVfF<)QPZ&`d@fKq%Bkk-{;79xDbvb{A=wL{!SU#juRQam;*tGvY78(zKNGw*Q^ z@cCA~M)y&Fqc5NRaK2N!0ld}xD_-DT?Z&Ki{0nG%m}vBK&x>OR(|u&ofu>X=NjJPM z)Yin3@&(|nKlf&LHcb6UtXNT~pAXDuaX`IdGDmbDEX4x& z943fYMftq3Ny9sef>Ovwxj8X`BxBh^H@lCP*Z10Y!gPD~AT-SEE70gR(L;4-y!K42 zd+oe#Iq3;B!s)#bEF&$y8E zD;%Y<m~Ip3oX;MwaRdjF+LrQ~8qVK1D9i*=vl+UdnF z+DAu28H)CFZ`ZOINLBojouV2FAMA5|39v)gZ94WDmNSuJ~FWgo%UH&+4b zcc7}EawqGtsC&W3Xk|CRB_I2g(17%qx85VE5wgSIP)Bn^Qqn#*E$Ob6S3YJ`a-<@k z*ejilYPo>9u#7J~d4Ut-a>SJdg0M+|_U$ObT^5%3o$`x;#42Z=*=P+{KcG(w<8 zmP*MgAq}xNopB|xg?v*_MMWVC^!;UcP4#o0Teill2$!g)VNZf;z-~TBmc%>j%&m$R zmCkDNT?vOgOGGIDu#%g%M_O4nu2yKG8;Rx?!iglCPJ$r}8_GVud{|?_^S2f3a&F;UI zYk$~eCOV^ zztf__-#63MbZ;1!ue3eBoJR9h-~k9H!`-UL{Gve8{92YI8RQN?dY!E%!bm4cZ3DTk zU}1dBbNa11$RhYj6t`U6a=!5r$rE!|>Wh@O2wwr1o@F=TW)RBUxxlUFb!tug-LMJW;Kz0- zG8Z)p^X{8#)kjp-TqWODvhLXe1FXzuYi=CvqSTdI_tKqFd(jj`k4Vn9u8(x+o*AO^6nLenuvWoX@}QE4bj) zV@M2VAEdp>-V(FoZ&|Kwy0XlL06We4pM_ksi8BGD)Lg?lhjM~D(kAAQh-T}O&Tg7B z2Iyv`AJ=&riA3AWo3Lnef=m}pDs7ED+Nv~I=aBK|GjA>oju9(Q 
z*9$-y_W&t|mCE*0@J}+tUP`5T)-a;S(i1Ef6g9o;Xi@8*(d-@^izO!3C`QqMtgE&^ z7s2J@`B>dO{T7M(STapJtC+skn@@5MZ=s`E5*(U_2-0FbXOj0eoL=(<5uIe6zvxMy*0HpT~z zw%HjZ0yy{c^X8J~79!n<2QAe|A28jqEg)uBmjGyQ`($DO;)1gq_Bw9s&9Vki`|-x&Ca zqCDX(ioZ1F^Dyw5?3e52AXScLrwS-?zRF2$vFq>cG0n01;hg@-XlFvT=4PKC#}pAA z+pN z8m;`&TvLW3ptu<6?NR#mI86-zC@yva<*#Bre}Xvu$pePYORx(q$y!zSavX|&*y|Q> z$?Cuqv-WK#^Ny!KN*DvXg~}jca;e}7yc|O>i`k?vPN^D4TZJbHuM>aKS@w8YWke|B zy|kfQ`c-WP&Q?_-1z^fm9yjtRFO!Xw=C+UFX?)q+0LgcD%Z5|WI+UgPHj!q`&n|DA zP85571vb0GN20XNH=oR}4!-g)Mij04e@?jPZvBj^o^1svUnr^8OR3#UXG%-H1a?3= zP3K9djQ;JH_SpY)wong(u`l3Gv@aC>%}RQw$^*7WrgTMoi$CnTLj+XS1xL4-wV2}R zvsKa_Pu-j^rsa--&(!0Su~k@%p)*J`2nBPv(D}rpD;h2nauV25u+v z5_Wpl2Rf9LJLHbK2%*~6U0`ZKThCu2j!#1&;kR70n6|x}p+Kk2Xi*)yW1qUS3(wu3 z+@C9wN3nF+v0;`d8a5kUbovWZHko(Ua`K27ChZ zSd@597*Coe0vF192!KyLg4A>Cy}q$^?E(Ulq4wo7jjo=#FFy?wkoC0s9F|Phv*S~ek+e8lEsF4r0~pZm3-tTSRB%t1lGD&rFtAfkvO*KQ1#A;xN68$5!!pL1c99W z_T&&8zERU6-3g6d60%AHe?jh@K~$en*6bjX3O=4{*}kR47=uM~N;=;JIk?!OESjy3 zS<hM(j|LV`YWZ4u?W5JCjsGT(cRPXKz#&8W1#bDR9AtolP?1c(Q7mUTs|RbDd6K*SKq;{;+L$%7jV}k5t>UW8+Nv?y+c= zZ*yNjmTn>I!A?v>%wo-bLM>}iQ}c6rwY{cOPh_M1RLPm6d640+v@r4ZCY9y{QK2HA zGkrYVS5*&p2U}AOG%tS|q+r z0FNQKpyzT`bZ-6MViLpWWC)y-4p#(r4koxMGhIF2bViH5)ee~3d!IffHJ4Q}Wr6hy z@a-8RX_YGbDt~FHwir*VgbimNqTkVIZ7-)}Upo`McW2U;YeWvA;DVP!ZaS$(pRJl5Sm3iR1Op zFA>F}4zAL@D!}9-G`yQ!Q_TQrW0CF14egAD_+07r*l8 z`8s*TYoc<qGhLB^kFC)A0w-+nhDQ-@vVro&{{n&3~B z!tn)xr!UO9!fpC_1@;9m-^Qhh1kAvMQ7Q{3V;0rKSsr4R=@T8aa@5$Y)myZ}40~EH zxSG_oOtcDhC`G_Yononl3Ak)m)C(e_YO>FcJs~p9SbB>Ct53T=v5L{zA(C~Jx~C+R z@zZzhU{&7tlQpaENn031a5Otwwj>r)c@7ft6t&L`Ut5w}bJf>O>$m8%K0fU$wc!}p zmLBIS%YD2`pHxSYM7zeHYf#c)zg%p;xh@pBv;VrT8L>mlP~3>PE7jLq7WNq~d-rbz ztyu7nq}Du{xmn$&Pw~+i%t|Fm$&TkSP_FJNVArZIg(qeQS~nH*RC|u>GzLSFSmwyG zRrc{ZmZUuRYwApi4X<3qTeNuTm56|vSsiq_IK$>QYlW=c$luxEpHt7TfVC4;QKKDm zX77-Y`Xgr|esAp;vc_8Z6*x0`s)PYDocF18x!dCYgj8P0%#wy>yuwLs&55?lDq$?p zUaa5*z0jP)VPbHw#`-rr2C_xHbU2f~@cH?XA@BBQ$$-s(t>r5=7(1{oTk0n@nfJD9 zep9+q$_?%~<60Vg_dcr3S+FN!|r6s&Fepn 
za%AG_wym0mPc>b#SqzY`r>XGYKHuu@dHGcQ$)jB4E`)KpyHaqHdwDH5;trQ#!#m+g z56$lnl7xj>c#NrM%IxZtmgrPYJ{Fw=9TafB6ek~*)U0u30K|pwHwhFjvr?>ggo@d* z_1&V#RlSnF&S#X+#G(*IHZD1j~$hrO_~FVj)i+tcr{7wvZIMjT&9?k$*xvyeyy1SRrp z7aLtb;1BWUaxx#+&fobc(MZ&@JMJ&Ii4a-~PO*0T!43kKQLHZd*%ieXlXscN3L!QTLQe)h6$_NY+D0DZiK{Ua{)}ubxP| z&uA7T52A@E3%42y$UXM%2y}#b+;I9h3vodIE>>kZ_;DPs4hLj%KAj842ORx3z>=kB z?F`h{5u_GDAf}*q0Kp${MwzuHIJvRb;^1GX1A~JeQnn)Dia~F3T*o}&|6po%>*Q#{ zCbSKx3y!iB!S@Z3LomM*L@$NmfB9*tlE)QU?3_m4P1$fzJa(o%`dx`%{%d;TNm@Q)5c{PUQldB-(*_yA5S{a=7fp3KZYn(3@pFGXRSOB7wl zf>Sy&GM`1Ovj2J0O~dt&{-T4~7Hdwu=USo3lU#zN$BrhwUeqoZ;9 zn?K3_MXJDH9yKG))BdCpLtOuoH(#P|mBhoN_hS42QdNGM3`_HNA0*p;4u~JkW> z+8GxIMRRn81}qUAweBBrW;BbP|8XcO6w@s7x(N!6QB$=yJdA^=vkaLdz|VLq%eXQX z7h#+8UusZYLjEPkv=@=ob0dU5GLXl*S_aHlVxg)Bk)#M;u`>U;Xs z)xjXzuhDOoBg>c$ZIV2LJ8)^f-sPfkxF~O`1zUN2piYK-psU+7%8yq?+R#!bo@lu$ zWKq?>kpHHNtg@h|P?;U}ze0{{4 zuD_%!?5`SKIjx*pMVOPO1A%-H-ix1Uo+W3}G&G|7?i|yB%-Ib3I+X0{>p;PRy#M@@ zwV*gg0_tQ6;Cn|4hb}iHyfeU_DjBEAU98)HB6o~5Upng zYwK-IJL!#%=J56i%1JtHj`>^DXM|Hl)!~f_Oik&q_VEBxl@zBO%)>%wZAde~dvqf+ zYFG+uy0&8bS2Q#nQr@~crV<=_HjsfcvbB==-i_K{|B0xbgkDHj8jaGAq@SEYwZ7br z2r1%B&d?#AzEF9Mvd)UE9Inh*Bwlf%&_At$ti=ANqm#9&a&=g6`e0{mK8*>HxuRX? z`+HZW{vty|a2S_D7_O8iHx2xHKG0Y=+x@3PkZ`r#hXi(DoA8rK2l9rYR5;W?w z1O6uFEowhEGTPeNJ7C>!4{i?bB0Hk!^IdpOsLj4F_rV6QIo59AE{D|VlD|v3p_ZNq zxRp~kPm}Mz5gTors%Y9!3oc(xmV0j|I1R%EreeVsffz+&!YGXAl z&H;pIW6^+`KSPr>cK~`114FTE6b3rDD45asN8gE)x@Z4BbS-BV@5VfmbQV1P(;CZ? 
zA&Fi@Ptq;=i(jnMy>s7!>Hz{(@NToxN)p4QXIij-uW|z9Kr<=qp7zVz41L`G_9?KK zfS}!FDsXwzgYPd46&+09Jcp9fO=+L^Y+u{0WiQ7OtF^Xz0QK2f6C+5h*5de8!%51B=nTKD$;pra?=Y4AtdJ8cyU9`S;9O{(0uIID z@S{$x?Wt^?aq~hVbvi;koF{uBAW`gtR>;X(`5?<3fahS-BTkZTMUU$<^zu$D-EO9z zw^xmzg!<*mtpNq8D3Xe$c6vLB-LtwaVN6ofG2LgsXxCH-#j?P0Z)s9$1RmT`>&QjB z|51QD<@=7*d(-8z$jHdO)JsBq06|#i`nWaNv}AMy>&^)6X2bRgG*jU3veuq#QO9fG(S*&Iu2~|_PqP?Ty~|+rJWWP3Os&+zIgE(X4>&|B^oR#qZ-w}udc4nI&-;F=*rw=QW^#q)!vmsIpJJN#mQ_gVbNE9Gh($cc8X)>8B#L?jxn}QU4o1rw!!|xy zZBA5X1$939<0oS*>xsdu6Up`9u)($Z0*8nEPcLrZD#b*fg5GhpZLkOnN+Y&Xn?k{U5ve_kDX1_C0NLN2q zvh`m-b+q+W?_kE%pO$IqyHJr$o*M4>20ZMl-|%ZTn1l+@g+F&8?5ytwW)DWUX@TRl zwCd=^N+x>is%5uqFyMiGUc^%p|6gV8za7F1?`Y08>`hqlPj_qo-V^fcDp<%Xv)+ ze?{81*GpO|;cgtV0}n1l-Fy&D(cjXQ>uTkw;#g=euHmAjjBJ30%b3(N^iPKjn6LJe zR`<1mdWe(v^dd0c%^6tX-Huk}LRsj5d!xC2H)@E=PcArR!ZW4={bBPZ7psu@rXTN{ zkrF2hw+I~dPZm(pWP08fpKJwF|Wj~MS2s5Ux@hmU=WtK)mPu_2egT$ zS0vq0@L*%hTl-h4M3S4WUeg@ufeiagLs;oVFTeW3M4_u<*XayHL;%l^i{trkePYkU zOgnU5o7iX{e@=H^T#$uKdk~)t7(!M;Pz@(I$DES`TfoxCG1%~<0&5n_l1fZx)VVZX zB-QI*7vK@&Pfum>4v6;kP#pTNRaJqZDFrDX(H!z+Kl1wDY6uBIOtxCUL@6B4s-OjBT$?h^8t=RoH(%yByNuAZI<-!hJ{q z2cx4S(Bg^h8lk>Vwd_uj=#xNZ7GeEYhbKN7+&!Z;n>s!rL1}4iHJ)5(OBMd=8mBxf zExs82iSUVB_l9QS*~EQT+eS_<6;m{7!`#U^0Eak)r!ppu^w)${Js*o5U)tb~pNUZB z$xbLJ=>3K=)_4M_V_*>nai5+{rKoV>41i6_Tpr^g#c6{j@hN}zc4~wFQdH-@$VvpBYZC>fzp87LGePiS@n*MRa*~dQ z)iLg4DblYKJ6gR+`D(L@DO~k^Vr6&MnYk8rT#0>`b<8sOJhw*vj*q#0b6f_;O*Vn=0V74o%ESa> zYLNiVo&`-qZJosWSE#N94x7sgh4u2?5{s~HY8IiO=9c9BJO)MxeN&yfjDb)_)RPz>ha*WK!0&MHuk=EM_K6NLL2AK)1Zc5e%MG#?PE zND`7|IAo$Jx=-taf=lNKvq&b19KIE4Ak0!o1R`M76>*F93yB2#pcY0k@FJ@7`TK1a z%E1&j`PFUaiQIw*EM>@dy{hC`rOo$n`8uX=Rt;QwaF^JO2T~Wy0Ws+=8qZePCjY+t z1-J(M#lS}WL80*528Wr~5KsirEw*^PeSCh?VV)1>aBgNW)FuqukbyuH?l=rI!|4HT z9hp|@T&U6MA#~)4aVU9pv3FznvRN5>tLnt^k_EQ8!;h|w-S>xGrzeJ^^A*J3S#{>dwMVA|h54}c>G1wg<7@9i z&40TFCVAXaThx$qFjdcgEc!k2#k?y<+2Ps>E8u|jKeA}p%URHV)-R=cA15mx{?&PD z!IM30OgepiT+`8Y3mi)-Q(UPZIA3&dnF(lC0t}wZh+Co}cO@4{0l@6b_)1l#K<1Si 
z%8K;P44N2!&bzJ{pp)dW`@B2+6X0(=zKVGL02v?_3fzKyQUb$XXwUf_o=0?9QS`#2 z=_>hsfwx)Xj!44ms#(@OZrV&oF=D^!11`k;RN7@$#%Rr)bSNJ)7g6&oiVqLYv*O9( zLSKmUcjLH0da|ZcQDJwP064Fl6HLdq?P`sMi#a_yWsQnhW+wbO%Vn8lQ)Y^IEgP5- zAm1GI;(RguprO~_AFwtW3U&YO72^F)8+qL#7T{FTx9Rd@ri+eM6-V z%XJ*R5%2#^I(le26rhluMywKbDsy}-h@l$#Q<`#q>7hohl=*28s4OLe2J|suRroLl z-vl6!5EgSEs)JUfigVp@-VVhC`IFxI26~QcD=aJN4q<))e$bmtc+ZF99roW(pfRC_ zZvPL+W1eWH``Iv51f4W@F`Si`qgUaOUNhl$IGfRoz}s<)m{UP|JN!A(0XRPuuSf;u zausxaUwzlKzD3305X*n8w|AoBP-jXoCK(V6W?aq`myawqC+j@Qix8uzE-#QAwJbuT z$I^@$e*qkUU0KbI1iJ}KmL^ACbGvyzXXrr7LJ!I0=;BPDG5&0#(A{Mez$zi=My%g< z@3_WdlqG5pv0E?dzR0XAjP~%lf9m~y9~Kmp2sy0C#*D=hv}o5eh`6KHEP0-WzZ1D; z`=|QAFu4;!$?y3UjzyMOlub`w;!TmLVO{vN^@_94>A)`%94C8n?0mP_qmT8TGpjh2 z^JH4Gr}bjz`ID!ry02X0I-b0(B{Y3jnz!0Q+poi8__k^PMeovfKc&i};R{sS zWu*c-b}sM0jWoRGU-8SAQJW`p6T$*OZo)gBi9r#qcl># z%FEU;N{ql}Goi(^(mVmj0q3QCu$gUTtTU42p7E_zVx%UV};{lU+s!){!+pb;YS zKF*WwtdOu@MblhEJsO0>n?_98cj#rX8&Vbpxx;}FA`Z4Mu0 zlUO&`?apN-@d~Z#Umthw+k~FORoR99y!AXik#SUVwBKXC`xsWgeK6+zYTWwMC#l~i zaD~0Es-|rYD&2)F35er4%hOW_~MlrxaeZU0nM3bb9&? zXsDN`o8-2Ax6deQTV^0{YE5cxN{MhQvdksc^8+@CX24hU37|+*?!*_eFqU3dnNci2 z*s`X7V{hWQ)L&%d^aA#-jckrU^Y(nEBa_8we}DAgh(44DYuxwT_A_hU@->6wLaq#o z!_j`1?H+DAvJ5J&v}a;uCZ*lbv@`#4fBRa*a_DD)XU7{(E??E(?k6!EtAeW0F*KirZBe z8ZncJlyvO<9ci7zD!ZfE23^hP7^1m)Q!ArwFU`hm+X@whnCRhAfYea0iQqTvHkH;9 zOiPSYM^h)2L0U(!aQ?mqW54<2gPb)O_XifCxQfqYI23}*5GGKXOShltPU5O`JEXv~ zEtlnlb%};RUjWAefnwYe1_dv%kAki}9YNK{6DL_&S5vvkHX9okOUoUdhR~?NA6~l{ zy!hgzl#-&@D-qaJcjw7)ytydKa65R#jYK^%@Dm%r5IhUjs(0s zt3S5EMoz!;hLqygZ20i7fxiY`y1E`G{DyvKOZ;4S31e`%47t5f-7)g)FS`$zzrKIp zNgoQ@oOxN{Z2$P-&vauSGnJA%?^AA?kCTVmK1LPG$F%CWDjQ-o&jN4WGYPA^tWH>T zvGvt8cy?qK$l-dh5-p56UXspGHmSW#RxZCkLFf&1EpBP|4Z#wTD8hFqsdsnj~q&BR0Q2)sZIW9AHqU=&j z=7)_9+idg2#_HzrP*g-B*W!1@NmU%jOM5Dp#ghehd5_h6;u8}8VurW(7iyEhm%@j% zf>+YY(84ImzX%#5PccxVOg;>@&d@xlQ521I`jCvPEK9Q&hlV;~MiyU%Op? 
zQMk%%9CLju&=kQgZd7$qySNG}H&0SZoHNf5PSPrTsCpa()4n@sk~tDxFv4Ms@32z!uGce-GI8p=Bv`oeIZrPqOPWV@L{et zT18Q@#bIe){BUZ2CO7woVA-G-KCc0+%GIuCtuc!$6_hO8T)TZuKR7SlA0m23{>IM; zvKhG8VS-vHM%ZFW#v!vE|D*lDIhkZZdfej30QxDP?bs(^jMz&e#7ChsRjU;CVSKGaQZTF5?5jEw43pi0EWOh7jc^p38a}BaD~2CjWL+d zxdSf}jqyiiv^1DN=wmF0=p1}6fa1R`tp)KeWk&w2FOWv=;tD;WJy&)5bFURQ9R)ru z2D)h);(koJKWo9x<*#1pP=!Q)>czgiq#7r5yx!IIua{2%1&?w}TnvS4XR(Qqbl$e& z#CSR?Cx;HJs|d@HQka(oqH0pQ4toDtsgl3H0u}B#LL%v&jjg2RdMouL!Y#RvAXfdT z<>WMzf#jyWmdbHJoT`KnjA6^>B$a`uqTKAIkLCLRqzY;Iwkasn*Yhni{3g2b8kM0S z%zj-^BOI1-iDIgFe@6gv{svI@A?wb!Zj*6`zw7iVQQ=dq;mVs#iy=f*ihF~9O>vvI zoF8_@uiaDK^JXGE{n}yt8mT+50=RwSlWwW@z^oa!TTVCf9zv`@$gaI zvLANeFdMYv#ZT@}s-1fFQga)pK;C|`mE^Mg1b+irEj^O3FqZfEXGbXhdJDHHc2H?y zLR@vod$bpphkGO$LUz)N_B&(~0+8QKwN0MfeiWE58vgk4;vYAt8NHWUiyXicVrue{ zx1Al{|BJY{jEbxI-b5QuLa-!2@C1Tef9g9k$Gl>UB&d`SR8kFcrlvAn zV-VBTeyTJqTJYxKU1-s;2>EO0My@J@WN^Q_XI9B-rv8QR#;oE4%$>K8GaG(va^9apqboxbJYtS51DOs z-DC2Mg`M^?ZI50}B85|4VJx;NUBY{y*zc_M8AM!BvcxgLm*5s#dA;6GVP+#u-vsh1 zf?jyR1YGadqK{muqy)up-Vln&r+abCF4a~9RS{ZNN>g~Vm+UhYRh(4Y{%^2& z{4Hvt!jPGrnV6tHLo~tN2XMb+^U02uUigsG;9ufVl&Erg!Zg)fJsDbN8-SmRen@ z&{2m)5-@o=KYuBCH921GsgVdi=Y zXjn7FHiG2ia*g60TM#y0xTEWm>)zDuHGE%)gtmkz=G|0-?SkV{%R|f?4my;5oKuAD z`~IK!_*2#WoT1@(paX;)97-E3X0Yl&9+h_X~IPAv}A z;dr*Us6JBn+)h*C`W+f*_1D2;3Bw{N&U+Oc4y zEhK)BTdp^OO4Cfc}H}fdZF<}^(G4LZYpn!t8Rs2 zC3~P9jdb{@(6!kKGUGhC+UtFl2e(h>&L<7em0{?(w zaTY(5ZVNpByS2Xf)=c3XOWDJ79Zh}4ecP=D%jpg|TDfZZk`tZqD$=_#2{)jvZ*zrG zbP`fqSXZV7NdPY-EN!_tw}JC3fd7i(^woS2GwxwFx%vEJ^RToKMy-E$b(QJ7ytkot zbatK6tPw2GMo$$WBzv2k^HHa&sL28tO@be)>Kr(sCd_Gdd-RKRg`lByzvrn|kN@dt`b2b zDLLsg6jR(^c_5Q`)W5f07iHz;*81^+9|};k+F0neud$lR;K~NCSgyVc)H>KqXx8%U zbDX-dlhz>o^wHAG0_%#BuNAzS5`5R*oG&S1liXeRR6z0NLpzoxAzbD3HC5Z0-ioiD zgblb++~>DxY2%77!9_IfB5bwgoS(IepIs67m*-IddKrfIX=YC@a_`KcBkQ>(NYMa) zFTW^^WNtfdrW)o?kDjA*e8IJQnMe{(Vr8Xbl$@Hl^*P7VsvuvCSK)))a834i9?}6U z(jQn4g2y#=pD&s%n)MlmRBwAClMTt9e{w*Z8oh?>6E6zF)1iWJt`YZpzjyT$GMftSe(1W6%d?j zZT>q{ 
ze&3d!x0~B7gSHzjx__-g`!sPVd`5pYzoX)j$fCBR=)ah}qR*jm;r~hxsSqOz+cEyg zx1)dpH7KgDzvq^y{%3^S`_BlNE7bj80KOu{|7ZsNk44q;QXdt?x*v?(-~f)Z3U%r& zj&^o87ZAJJ4Niu=Tb-Z`oUhP@hW6_}N~I_ouu-dY;yVziOf~{v#Mj5mOOXE#t}XX# zglap&dQOfNL<-~&CAnDA`dh191ZcfX0PvuDBy$v{lWH!+vvRQ>^Yw!(kcJ2#4st;; ztM%+khfCP7<#p@_f54M3nz+9|D;}yM=<*RHrraRG}6g9J_q_ zeBwDgDiN=nzA<<71^$+FH(mOp9VP^PBA8OrQXM8(pP<9Ieaf4>fO|-#z1ng^33#^6 z3I!lgjIHQD)UWdIi0h$0g#T?#Y8sN^a8k27q-n#dtOR$G=+7l>z+L(eNEfm4juXhmUcW;^?_7kakfG5me>#iRF%s?{{B~7UNkkn-K`TC-|M2*i zW(P^j*)<=HM*ZRMMNB}r>s{{UL>NtF;Z9?I5VVcgm82e2x+`UYBXgL3{J;>8s zt;BgxBQukDIuTS4T8|njk22|tqcEtqye-?Yth04u5Cc`HM9jPYP8aw)pNME!)!R+a zPgbhd0?nUJsEHf*PUre>7UHkm%v>6sh*@=Vk5B?zwDf={+rbMBRBbGNY08`WZ$aid zU}0_=+YB85`=a*U_DAh4-WUu};onzo+_)goU77S6)2-!L)$F58;Y)qdz`(l$#o4Rd z;=8M?yBjE~dy18N;SiiyJwi2Om5l#*K5B(1pY*SJAk6=9`u?vLC5N~Jq^6XM zA5ECd&>!hhc5U)+(KAwye%zCS>3LzhI98QFUs%hR4#|lXV!t{P(d~vCP~BH~9Q+9t zq+l9jnS6r0;dLx515`nIW-CLZ-3e$wO`cDtSx2D&h6) zk7QXcHi{BX1p{=fy3sX@E` zP1WWrN&1}ZIjY4j0m^J7ZxfOjS}TH-*Ov1qg2#lUrwu%O|#-_R#^t4+FHOeQ*_Gbo6cd>#uAMI>t`4bnRsd(EHgeAP+=Z%sfUcw0| zfGrcuZ0&{qfeseQp=Kj;zMQct79qh^2fN?zxUVwTqT#Iy3lS2Pp~dhXO3vn} z*26D5P>shN@0T`#g~5ufja^F{>b6ItwY|eE@I73EEKRak>PHzzcXsH6O|-V1$_E*H zPm!%B7q0f6Wf-q_2A|3Y%locGVcdu+AWw*KBn3JYE>dn7k56X`6R{H_G*l`=z>`73 z0TaBilDZ4~P)<%TCROZFZJzP+1rhqYh!bB&=EY801NKWdzhCsmXxB;GvOFS9c9TD2 zlj%FBkMz#cr+$qW@dQj}W<4)u>nKK5c$PSb9@3?I`|Zhn7gdiY;HI;h?b5@Jw!;EE zRJp~*&%8Vt#c_gc4cs>KtDG9CZQK+&1|6d5hT}ye-s1ztkQb(xb+hOm(MXrU2518t z!9`F0>@mb!4FKq-frgHRv!gb2T}R?)(GVlOKB;m;aCI)u&$t*;VfrGsE%0+|*3U)T zRmy;OS0Zy`BvV?<{^&oBB}BRttS#)DT6EVYz=a0zOh4L}fNm5xCy|j=2PH<&=eFQ( zFnU0zLT&KmN>Za)&-BfH;{%-G=->_Cn3NWY>E>4xiFd28^#0f~M8GhgzqmZADS;IWwQ7Z==TT#_ zR!8?x>}6zHheeNk1p_Fe1MHK(>bGT&rhPmv2?DchZqsx9u>Tp}UD<># zuH*Wv!TqV9U@|q?lu~@X@rAt{AgFz@{fNG^4W?uE`5P>aVgXvonIXf5_S(ztpo@ck z94~`uu0g}o!@lKI9p_=4IldiMKw}7;7*z4ocUxzv;1J8Fpknbd_axI^3z!Q>e-1w1 z5A!VtoIfjI7irUg$vaI`P*c+bab$Wb$XKufIKEI+lZekwKp(&HpyPW*E>NL{j?Wt% z(%g=xMy5e?~uiznOVE9?(YDd;S!y zYVYb->+<;7=>dFI01 
z%e~)gM-X=V1C9%{aWh|}0Z(NR-S10|ieTstISzqbOE|zp3(TT+S`!yaV zr5abb{oBM{_m5Ul{3;ua8E~rWG;p%fwlB__WEj(Ns586bVtf82<*6=i6k}n!Dmn~p z(wHBt!X*ZcRCE%A%5Rih-(15E1$~ z?Rt{8ddnm9^3fRO`ZUv>u?xv51gFdBO}*oU8WyE3j-?BKw6S*H|3Iw(k1}Wt3r07@ zB0D^kUh7BSGZ0HjLGCj^MNj9hU7-)B5a>`G38r1HS*WhIglbkm40P0|dmU-*6EFKm z8@=ysn@0N1OD~6+zux3{r+U&%_!<7*pG%?Sr2bF%o+3}q2WlBjK|HS0`ici-qtS~^ zcV2c`k+&}o_ii;}{kiB2Om8;5+7s1|(HGPcNz^_TszIW!C*iA7_R?`HY1Pm?Mc}|6>DkhBl!}#Nn zjjs@`*1oXBTwOy{_L>}R+_>dm=g{0yB!ePBXqU2bwb{W8HI zeVPXYpnf`Iz@gW&X`DK`L2gfI zNus}Q0x*B%OXQq;etWCR_PN)E>+q5n-b-ue-6UB=X$&>{&P#w^YRgMk!JhJRejL+9=bNm|dChs_80dkK z3dU-Z2`AUZW^}n`SPgt+>BiQH1%jix$f(wwRyr=e5&e#q^;j*DF2IYoJu_l`i5;69 zMFnP(fC3DoohE7p%$`UEpOEM)-=Cws`l%4f#}K3~j!kExHz0uJLb=^w$C<2yDh>xz zDE`3OHtz0v)cm>)qJq-VT=VaF<|+mSCtt0hV1G&v%~2;hQ#9#FBbaA;m8 z!`EnL--2K&C4wYKbe?U%uCT9{Sc$o_e+R8;s*JD^9 z)yi_K3N$}CO{ch(uhAr}Lc(K`ci$E#x<%1O&VJU9m;Pw^n)Oig0%aQCvP*uuD*=!f zPSGio^^wIn;jG%z$dspfh$D;wdxO`OgCE}WG!Xsvk~qS11$FYJWkT7YTB{xjVv<(; znW*=g-~q~C2vN$sX+?B1)3t=Fiixq)O!VX|%4>;zSgBFMx^2-SLtg-irjlff-CPx- zazSke73L-nJ|_*4zYx5J6scoXlpifmi&uW+-#@U6Gswo|VX5C=kT<&^9OP5Dp&ix8 zWp2R$%h5l-{Q0YzYS6b%{qT;5Wz~ton?GGFWyWbJR#0!W;!C&)L8Q&797=~$2s0qBzpI&*$(|{iZ>#c|{`9Z{+3fI>Om-!mu6V{<>C!J9^nPyI zS5~;ycBxWOL}qW@zk^D+AB8+kiarFjA5TY!PWxBLHB;_qiXTWiP^~1 zGnKpPrgna-o-5_f=ZQ!kU;C*8%ED!=Q2dhX5#8&=YDMs_)?S+7X)iB{0VncGPM)8% zZ{pFbyj+rVdprx1G!izET+#?Ei>H_4IQcko&a3c*vx&u|p+|Pp-&o2bnT{g|J4J5PDfJl=#hf$ zhFyx7?7P-MSx+85yqe1P37Yi_unIT+epa*hwotZ8DP<^U7Oyz^vu$obuO#*9^jY8;SS-S8b29N&OWuxDFM@0$!AndjW*{CcB z3FZPBSE9%D9Y@wHwD^b4D?o2Fkv70PuTb`fE&zw?zO}IG>rfw_rZTLP0IfSJz;hOV zXyYV5_C;1h3FO{1z9yGD{`9cYm4#tl;56Qk-AWlM0kZjO^Zb5#ty7vveJ$APH;n|Z zZ7#PZe>|~_J6lA}MqA?|F!#~tiuGlx%UuM#r?&;>@sh_Qz?&6K`TO_}$hb+S?wUok zacb;l5ubiu2(Y8k(>>bLOgq$PrQ{zoqCv6KYBaU5tP$kimlatsn)n=p!&OKli_3S% z-WbCun!_t_%xUt1&K>Ut?DQ*!JC1^7DBtt%2508WU#jVg%d*$y4SPiqf``HVYfX_? 
zzM|n(b9(F5Ze;aV8iPe-+mcC1`B4S*=Zwbp@0yMGU;uNL9G}ACmVm3o-88^N7SKy7 zipa(Y80;8L^@E{%c{E2Ne3qCxJ&A$zEcEV+I>ay*^>h-_yuDhJ!v{dX%)0q#lhtgK z{?p49ER0k%PKF^pkAt>W6!Ds6KjXw<1@# z?cnydaU`|p$qPex_6ZyIA;o^ToB#ZIb$p)L;AG2IQN7?^i9pE&xsNLDp8wo7)&r#9 z>`dyzjwObE%yi8`Hg0WW9*z_bPlwyaK3PnPa5@*{H%+hT?WL3t4Fq_Pl(T!YPbJ>Ad%NX}^+W-*Ls8xl z7C4O2Ymvqv4XYc)UNIYHqXDIk{nh$ zPWay~e13J2L#V2~K@uOFs26ohSiB`Y^JB0bDb4`T^x7)ixOBm6ReY}~BW=kgKH0MA z*x{9AZ)}@UEoJa!f>JfSwg>t*=*R{%jug~hmu2xe-u4hvT;wQF5TG^b0~CP7FN!t$ zz}wF5Nix1Zj#9_0VDKx3vt=*S<<$+k?bV4RF6GWtBZ}x4Tn(_3$hxx6%>>y)UvqNj zSCKLXelu&2NQ>vsDbHZ5@ae-tgvzGW&U|-iLk1Yfptx?%r}BfF6uz$lC3T&muU z%tPD=ZwG8-(D%$;w_%7`FRqZ59$9ENA$~^~YZ>bae|S_m-&U=zIOCW#pYkdPKD79< z!fVyLR)co^WkWSb`OED-q@<^VYjdC#=a#x&M+tPc&?I)n<56*i0kOsLS-~0L{7QO; z3KC0-a6$N;;glSJWZHg1nfM-Cj*hS^>{(5Yytmn!osUoVu*+CFKLI6Fl`pntQ~SA# z8c-$}AU5S6CLt>yXdqMgjmp;hH+bNg_P7qP9%5Pk!q}j>T3_8GVobFZqdB4aV#1HS z=F9+bx={hQ%Z-b~3>zN6dC1GXH@Uxr_qu0IYgJ-HlN`!RNEu>uTRqfKqft+!EMT!u zBBu1wXzG!Lld^7`7fH84TNI1x$%J8t-@2T)0jHy@xr#D`DAgCI$i-?&SwGPGF1DW0 zjC3`rjY#5P8S?UI?c&jPNb`NqB2SpwT-^-Hs??R1<;F0@m~F1J4zWt{tliV@lt9Jh zy(~~ZJgIgpSNuudRfGb7#u`k~IntK!hHM=Kw>_k1hz`I$uQ4 zw4LWFjJF%B$D{VFcN4XTD2?Tyr!knxJy?|WZF%_`cqOho)dei67kw?^6uDjf=5FbBm>()uv=dQxOWQ(Bfx9mzY&&s5dxsGJq9}nnU2oXHoBx+r91gM zfUUn)mri4EQ7&}Yu6lPwvNU4>00QSeIh*IkTAcb~>En07{R!B!HNfc<9zBTGBS7D> zus3)w_+e$+C*N&xS5opXz!pLJKE*AZ_8m<(8*=xu5>n#2ovUBR6+Nxg4^n3VHxCAV4d#h!Uq8gZLFlwQN+2?BX4!FGSGfnM4)tjsj4^?IgyVb@;INRbYX`B-6k44KxjhvF@lq(*}v-*43w6x#umV6N% zwoS9>3rJ9?AVJRTjIrNaX9Tg1>~#~aD}}^ zN$a}8oP}bmPJRrNUZYkq#-WPaAGsf^>npuaTxcbq!Ch1<`QW7zIbdGwXi||is@{5m zcks!4{S%1G(uPaQR3$R`D)2B17lia&s@r4nQi%dvU*i^@D$m~z0OfRrW+{P|?|{&B zQO}8%j5x#jy8&LwnWLicA+^PVjQ!^LIMb6Uqx4cAoT8%oINaFi^fn9t0yr}qoYP|H z^Lr(s(_i0le?xP1vjq7(!j3}e*M?+o8L+vo!YP}j*yAJU#7rHTz0w@3o)jJViZ+*# z%p8?x;JWSq=b7W(oGGi`!X=(n{j00G_EIIwo`w11Jd42+W-f|rQc@oQi!Mxfk?DHW zmoD@j-rO;Ibpuu%eI&GYMaLh*;3vQ(N2s1!taxb5L zvjUr+Z80PE69$Dh^{kL;mJz1?u|ah4XQ_XLZ7)|iDsqG|y43b*YAaUaIfeSF&|$cCGu-9! 
zBI3Am>wammDXDt|eB2skm(-z68S`T23bw5`tY)GaBx2o&m)bPT7v#DL9ypqTI35g9 z<0iKAOS3f)#giNfxS920o%IxkccZKsOLWFyynb+*hAv+D^9QpreHGcWH(cwJSnF%j zMu9S1M$5A52EnC5Bxe!_yr@u!6A$(90J!%07PVw~To}b<6S&LIwk9em)ax6w;{Sb> z@C#1cnPLx0!N>3Ef`!`7`N$OD4WP39&_6OoWZ#^E=ghIfO-pLCw(f>zW;Ss22HEXh z+l4+W*igkxmfL)rJbEG?1GEAo1%J}_ihL8!fcBdD@qRKLvNwedTO_3mSJSnh{? z2_jDV(ac-7vOerFi$(Jas)$Fx2B)++|2f8WF~W$Pk71}?)(#lIC(N^d4=OFkg<(ae z3pMg_FPCF0`N=joz`C-!X#-c&t3A@`%~sHc9BJOf6mGi z?SqKtJvslHylU_!h!5WDfr0{E?Q7|r=722IWj^3Kmlmss+q1Y=(&34~i4_Nn=D*;7+x=uC5OQVLq>`Id z7pXw6WR3ieyzv>e=620Id)=dZ+p&A%FqNxL&f4@(=(MJZ%TDM8alnZUSl(Fs`i1!$~kKxrNwSM*?>r+77}C3~-^ zWVzAFjtCbhTB!2e8Qc^t1j@!j38XvQve{b>B|ZmSp*5ALIfil zrZ+y>OA*$rA38KdGcY4<+1k*XLb!9ny)bz*Zq#AFa-XvySgSUo)s$CT`Q&@%)&}JF z%PiS2A^rx+-7jC)&WPO2X$VNNOm*G^KKAZoD2y3;cU8)1iEsk~m5h(X>B6iJv zII>S|r^sP(xZK=MckinRc;LAHi?#WG1^fJO;DY{d7UeC00=`iDH{#;%12O+Rio+&~Bx^k_U;Iaz( z8S0j`vRw!)v&dL@* zK%cal5*qVbCy-Q1H*G_2h3*e(@caR4ztz;YhxwU)A#?VnJb)wcje^ss@{$)Id>oK> zb;7QnHj0d{IAInT9-QB;D{`nHzpHjCEO?+tC8c3TF;k*$Wm@reN4vr=xaP-)pC!Lu zx0em|t4B~BxyC2Q2B^O)0DL4 z0pP6-DMk<|3u%@-W%JzBB_*v>QjGKU6dkk!vGK~?;;dnq9IhYRwSsoKfgUP2F81NH zforJoPUzsAzwswKkq7)RJ#|!Z3{U>L2&^K!6f;5-h`{~Ad5{(EW(c2;+LP5Joi`8n}m-zIR zB~KEgM{q@5Oww5cKHKJbRf-DOfcyE;QL_yyZjXy{!q1sv>2F_AtU>V;wDUjie?Mv; zIHwFg;l+tree0By@Qg6*d&rexF}QztR*JUzgb}qK#5SYf+yq(t9H^?%E1!7F_GC%& zIRFq=XRv(4?pXXtuUT&*NFUFEyN6r=M!&g-QIm?;pBY@yx1q1A`B-=~SK`B4#zugn zW*H`i!1R!tVnN;c$$JsPEFERl;6F9H2&+YznKpwD7iapz$dYnRj(K+4Gv!5jJq-Yi zgb6M5RA=*{s*E&4m>%Un${Phg%r)76F&Wde*pZTOW{jB%A%dkjlF8OeCe6^8GB8NB z-v>^iW3janq$}nZ5i+^3&~Gqj{X-vbb4&qTM&{6<{pr=$sGQo4%BvWd)ZP2>L4;TU zu-Mwws%-#oeh4_bbS8#rnAsd@MihZBhw0zY@*!YRF-P#WUn{uwZoNwQKD`k71X8l+a^f9^*^3&m@ z0en}A=H0#=V>K(?PKU7W-#{J#KG92Qdqt4|>KhUYK# zZ7N$NpM$Lo`uq#EPIq^=xs#JOdl)V^ zTBuu5y?B-;dZbgTvCCr1^T9%AiYh}czqG3LD&!9ep3Qk<_C(RHB9el?BB;TmTwpwJ zsKo7kQ_2#}yG=-99akDf+DdoLP)B&I#)n_`c!(XM`;jq>?%CB9P&nWkjLQ86+_iev zdhAd8*VZ712TGutU%vEp`7bUadxsT{*COstj+^f0so7A^p+q@az0fe@{#Z&X8t3+C 
zY5opL>V7ok{z6L1q^Cnr@NR2k$NkVs*zoi5#mqjC@@bnb1?mRl;LDX#P(&iTF}0%9 z6pD7q;LhI5%U9MAg@^ll*!&hzc#c5aWBb{1_3KO8C13x<`jg^?=Q4>b6>My~Fc!Kn zGS(B@)4WGP`goW*+*X>n{yPLSAq|oBdT-_E-ec6l(h&=Oty}yi19)Pi5 zJCB6xop+DxFm&5dU(;H72el|Qro6~{2S&$834Kb$%cLZBTbGms@|9JgM>PUox)HRd zJFC0UEMpkSdiJ~LP`$i#oRk=u*KX}uKbJNjI&58OI>7ZTn1BvZ8fHy%V}9OxSA-i; zGSV{OUT)~gl&2EO?LBQX2ZLlDAddJ^`6R39fsB6h+FCACZ+_?yHsCN)c+McDri07W zpK89@aqy?jMZ`euz*W)%Xq~(=Yb?r-;#~NQ-grnn#mq4vH-p`cUKsNd-@dRBRmrg;Y8d z)0*Hl*G>Iuks)2i?^YkU~XtVX3$#rlG{q@=>NvwgGY=XYyf zy!flsVQkByUK3+t-hE!_s%nzwq1Cz~ywNh7F_nhjhVejQWiDF#?O=zUzJ4OAmQ>jH zvIIFg<>B$NqsPT|;v;0jCx$RI9yX z3;X-VM)T;;d-s~_KA=2{+7Iy(6$d@o(?*_Etc|7ORR`O)X)liS**+8Y9S~n|;?xJi zx|4tq+a;alcvF6IO2IsL>)(4>r6ji%b(U6GF3*8A<6ATnQ$Mzfq{ZIh_zDz<`m7&# z6k49)7(!!-`xTb5n?C;2n)=qo*L_(4WTAL>d}2mcRvsWTwqnO`)ep=V)E-12*CWl- z8tkm|2NFnK{hW7a@#$%%?5VVC`H-~XBX-H25A^BiWb2Eb&F-=jtr#>AFR`nCg#m%zUei*OegT>MG*iV3@5$HZIza8DrL5r;=So~%os3z#2@X`z;+@N!3X> z!Su8ZW97T$*1_WAVtWlgvlI_s@;N`aZ-hR(Ya0m!bN%-I{*5WreuQMMp;{$N%wR** zQerIff;Y0Ko-QI03TbU=RLf%B6Ge6cEZ=80!pe0M9BP|=b<#({6Hdo$&>AFsTq4>}W5cAvA?5qPHnt{b;NqCznI}U1d z-)8U7M4n?w0uYNC5!2?gE-qc&2NYDjK3pY|S_3`|ZgwBs2BV^sHx{s!Y*5YE&_HIu z9zFOu0k4j{se{+sgw*<`-qB6i2h)7=k@n+E{socN35qD>hl9l(RYZXXx~3$7b)mOV z0LlkYx_4;tbQW^rLS-v2ogAH1Lo+3V40h}ovCl1m{!EW9UEJ*7IJj<45Wl~|kdz~p z*;DH2CB;kU7RzSNo^Aisxrz&xec)Dsq>>cV7HA5t9-DAa8@*GbZu|6s6cEs+8$=5w zg2JsH?ZnN<9)hz2_Lo)~vubFFc$-^!?=R5JI|&ex8NU8?JQ_o>66H=V=Kt*(D(7jy{2DN=Z$FIh1UTF68Mug`8}}CV2E_cRoMEfYRN=y#E0Kz*2`6KZ6|7 z4^rk+_U1(r8T=!FF3{`<8!3??0L(wm5ULLPG1hx; z$*XFW{a9z&cD+f9^L`QiF~`f6MiztdDWBg{o)~x%G|?%sOs#L;Jp$OGhJ|`CK%mig zye4*)C0{IqWq;=)N*rL{I2<~mCMxpS(xKmD@7_E%*IN@0KXw`>=t-@NBv9<}TS;s% zJ#TLifVkRpBsNjD3aaqXvedNlDmU5Btwn~l$55dOFS(j{7!YME>D?NxU0LraCo0WH zCKIyVIdzt;D>d#@^Eg#i205a)9gp?cf3)MZs^;{|x)=+rNK~pI8JOTYLT^eT_ih;e z{mIhRbOGUF+5VD_R8RNJlyrU;cf_=Gd|n8+o-3JERnX)?fCKV(@>T1O>uO$m$t`j< z81k#qxt6$aG{^bc+5GJA5L2)@xT-$ZbYS5snuu;?jp*Cs4DxApzzgrm1N${4xL@Jf z<|R~hA$XW#=An2GXfi6Day-Ypzd17@ewyjie5j;6?XKFY+9CryN|S2sK_|cULT&5U 
zJ%D&5?2IIu5I0*XqL}AJSP7l$z7y zXY%LKaIjJ=NgtRA2IN|6yGFdt<{|E&@0flUonc^rsq9j|la&}8fSgv?t<`5|vl@{x z>HC5?9ny$%n^4;LiYonUT;kTW$I5`Bkk=0Fyx6r%C*byR$v7M33O_2NNQiWwGvu8i46kX|PMLK&2o17DW3rFWAW#r#qjzk++IjFp z`xTd9HiM0KTgMMs*VQTLi8sk8kX+b$;FAtO!MmNeSDxUaTZE!R*V`E}L}be@Bpvwc z^M@3fj4Uq|F4#J=h_&XN-S$HBIAZe3!i!_DVTNfp6KsCrTW-q5xKf?#4Qx_Rf0gKX z3?uC78(G~=uZ=~c`+jm=a{(^n8WFmTEQ4^_OVF(|xgR@pk61r)(O7PRyz^ZPtyBUu z(T6rHDP(Uf5EA%j(HLorcJRISu&Cr{AdVVkzpAeh!;Bs|jBwL$561^cDdHQUl|28} zx~Yia7mM00)k1oM6ThSK!eYMNyDv0@sv|ir*|9u}^o7Hoh>-=wdc?E>nsoC-CZ?&{LHC>h%*gIzD_Ru-HWxEvD! z9?4Ktm~9i7cD*6Zn@@@tZnW$tajkswGpIZqHo!(s=GwCw5ox!$Smi+j*rB*}zHBo3 z{lZeAHO02*cno37kF6MWU}J~ZJbh}NgJopCqN2LAP_9)4uQRGDpL%U)Wc>w*a~@xi zA?%E6o0ha9QOORk?brMHcqW{cGO=vdUw6E=z^@(-`$e!_lg~vl`i4r|q*8HUq(*e6 zLZ_-}Pp?F*X)7wDJ3Z?#yeVDxeMo&T=FFDXeza*u^?=(cl~$?Tko6JJ!vbW@t@2PP zQnN+i1#s8mV4&!qoP-L~*JLiZIIq@`ohYQb*RK;4t`sj_-{5pr)1UngJF}rd#+tD; zcd?9OTA@3)z)0na!fqGMvbACUU`U6LwzG5^9bijkLu}bU!=hn3hc~m(+PWy(#x0p2 zik!c)aSaBcMyWJUymPCS+~%Oe$t~cg4@E;*W`VgnJ!#Te@&iq~6FC`<`(ot3_pm%; zO6|XtW;B&|EuVW!8_&!O&FT+{60D1-EDy@=E;WuMP6CD{Y}>yz zvBlfr&7Z4B40zTjfNS4VFIO11rpdyQrcLE7$kUOobP_6H9bd7!kcSE9Fw`-0ikBC9 zV>6R$oCaI6nrUFx1-djPUtVj4iY}FYkhKxli%yN`79=E$)mT~Z*ckUpd&XQ4`A?x+c+_Mt-BR_w-#vEbcXw-1LirO5i z(&=_KYmV#RF@J7JVF3x&(5GXB5u;^Et~-Q}93K#8jV!O6TLwBt7>5>k^N(nr`!49ms9vj6 zNKCfdgFS6;N4jy{!_(WeHPXor#|jsgDib;7szY3L!gyKQ7b}c`u8VspR+>|CL3`cJ zA8cfS^8OsDzWEQ_A)oP$3t@y9JC|jk@di`*%uLehB|rPcYZV}th227~Np-#D%(Ca| zRIVpYH-9~PU22rEMl?%nn&veTkukrWPVH+*OE9Q4wyi88SRz#rlcAC#5pz`74r`yU zVY;gN6HiOJeyha_J6bm9XXxyz>F&33Z<trOD=|; zgZ*|>rGfk$I|$UgAgAndrLyQ`31<=jnD}{S2B#3<6IdVQWT2_3L6LnjduWTR>Xx=I z>x63fkraApo8T#|it%N3iXA|n^+g#}Z652f#$4zrtm=ifulKg39?%`}8Xe5lQ*8T~ zOiszEUPedCAJ-AKh7$t`sAdk=iN(IVW&FndJr8B2_2b+fz?~e>`+m5y@9Tbdg0DXU z5b~)1a{bfmvd-$sPAYyyN?g|>goYusRdo&qTh@0c$Zv6X!~A_T=i{6XnRRECQiW~b zBsR914Yph<6sG7qSBNxw?n1*+3nJV7_VpDf>=#s&e3u)i-Er=swip)SLT$A+QoF+# zHSKpE>vJ;b;;K_T9xbxnvu|bG^qMzs=QQ}ntfWMt9}bnP8Ml@lutV`gn|-=B@{|@H 
z$lW1M;dYCOb#_e>fGUf(bSae@S6x|Hb@6sh6OYsVte?YG)WdEMnXT6+hN? zEu2q{^QMbsI6Pb9`Zau2a@u3AUbEqr$@!DnA1=3@hskYW7Zxb01C>Lb^zY}vT78}i z7I_|iE^9aQjoGuKbHvL@;Zt)Bt|#BPHq??tMabD!V*H|E|lD30%47ac+fNeCJU1c%`6 z?h@SHLvVLzfFwu)0fGm2x8N?p-C=MEu7eNG?aA-IPn~o2-uKqtb*s+lPg7G&Gqcv} z?sq-*`g$U&fG1(DRKlyz?da@^_UfnbO4}O?@d{ccauEv8L#_ii*MRK=>U_Z0S78I@V06F4TJdMpaF?Ga`(PPzTOI-jZLy~YH#uQV9s47Ml>cXp9tJ@1uhy@X-6%G&28KwTuSbB?8z{nyJ z=s^!hODG9|mmsgcR1?vX3ah3jj<3#+-m;Ic-#gR&KC{Z_u{G6ap9uun3V$X% zX$z#=mnP{>dsqU>Jkk?!-f9%il^P_d84EvEXQibmiOy~R zJGXeq`CGhG*{koU->!8*%7oe&r?Qp}k8cjN)E8BpK8Q-IXZ3FlmF7|oPGbm}s0`I2 zBGH+U&E;u{Z4)ccc(i@najK$U|I=qj<>gsuBZ=3*Xra|3iBhCOe8Y1d^MwkkQVA84 z@=wveUzlkK9D``(6+qhvyk3-tP^A=iI#n$q?wfd>)_+}&@$dhlnCKy+b$q71otB=r z11eC{3<-Wn)LH>kWj*^2r$un?mzsK&EP!Edl3 zYzDNI+Md<(s3tcsxoUsj4lPXgl+Mtk-|%wgBrGL8#S^+mT<>Kxm~V_CaE+l?`dsib zdLxgd-*qo%<8wuBdB^Pn`V)x&#i&**bEtxehh6%HJyI$iucT03tB;~YWWs*Xd|}&` zx{>)_IqwqCL8xBUz~F~-|9MNPcB*sp2LSD=cs8)oagRdoOyv!6z~=AuXu@_f{v4Uh zUvM^o{*J-jP#YIC#z{=fDf#F0gT)dsf61_9?8Nu)r(j6Rrc59Yw^^_4Czp*d6aFlp{%p6WqOetcq@gML!AFxkt?^ zcW1(PM3;LidDQygrwTegOQ1^)c2K}~QM$muoHo7x-8MKHGU`(X7KUtr(6*LuuF%&B z&uYj^gs(g{Sjv&d(liZzXn}lieVpQ~vK7r3$Sc|AR7x3m@?)y&5`NliZEY4xGBHIL z>8TgTZO3+8;?OZPdQXm$~7gs4#7&A*y#D)ztP6u3H6~RJDyJ4r^ zn>0mehyjYFPY>k$UN^SkZ5duXr$Ko+MegHM__cu#^An&hFxi@@v9YtWD`uXYnYjdB z$LIVh+8|0cA`*hE7(g6uB9ZeiU$W`nB(x4N3G5#lha&F&5KBv8^72rTwjZLZktphu zQ@sV>_U@6X()@cmHX6>KD#_D8I))4q-uY$kC4gH+MAs?~84O!Vh{I0wc@kA%W8sKn)8CFgV18o;a2gM1GJU)~LVu|EU z3ZB1{mQc!TnKMg38}=!?zx#cNDhzY6LIdLDSCYZ(r>*lcMo?@&bI5w__Sfa+qGv7EL-*b1m4I~aPWMNfPIkq;O&_; zHkuo!_#*T9^AhEBXXrWZyUB$nY0zc^w!zBIp&YWDeD+HnG!U7++^6hf zMqVS!a7X9MW?WmNhZJo1+Fqwv52Ov5j@BG#Ubk-BRig~~I6?M1H}+hU-NP<*hpD3E)>Yo;-}Xy|3%wz~Q`aq_h* z)1{cfZ(ifs9tGngRL9)6nA3~^LKhjg5EMjgUpAd!MP;27muw?yHgGT8({iaBi%0&L z@ML)*rjmu`7sZ+eoxYTV5e5?JWAB*#q^a7-0YBZdAFTuQrh2MVKR$f>hij%zPZ`c^ z@t02|;E=~B1T*4+G8BwB1>g&!HDIrO;)QTSIUhEsi0v%#=~|>zZHqZN2sth~ZXrSz zp}<24d>PI$r|%y#%AIENM)K%|e}jYAu^eW3I4a?)?vapaXy6NRYKxn|i_u}V*(N#Y 
zws>Uihg%41bi$i!S!gyEc~;Tp;zQlJMW?UlwUO{c=aq|n!$+8G;d#XDZ37Bu!yc6Y z?^?XQj9Wlnwy#z(J@@;pi)%Fs=sKd1Y^}ICa%hLvm86Avo3WFi>1Zs)Vp%q}Wo->r zqhs&5OEmd%_>lTZh7jIvvTB8lOncTwOpib2X)6k9s9d6ur*?z>qEAORir@?%K-yx_ z-@4xn)P`M_?o&T;?G-u_tfaa+)>(q%*op0TCJ_Lco49eM+u@kM=e z=554xS0v@*v)SeGZ=ITGWzGl)n1W=U3tZ$yp9M~OTRKC|u@M~4NoF4NOPe;$m_sFc zav-uaPY&d$au11Q%gd|SN_4e~t1-gp7G>%_+*ThiiH<*_)*??8`qa`H5t-{>*=-UD z^g!Fw&V5Z}aHUKx>7$eGgMSbB42()C_R3!wDr;FJ7uztkI}>v<#U%leOo!U}k&pA&Ui(N1eFuVEM!_TifhqU$;(Ceb-gar+)ZD zG$xa!Sv+MOC;ca4v7&)Px<+!>B~z?poi;KJ(}usk9d*{wU}uq7~a@ie?+g=Aqx;j88AA0 zC6XWW)`%?@Q#RoI31zdS6)R>8#Gul{3TY`9`vVoIAPz}H0j3*6Jw%A>CBHGD`E}om z_Lx{x+$;6y6&6Hkk8Er&rtc-_$O_K)b>T_+US_dDg?EVJj z%_<8QCjDkL^$pvV+Tc(&wOTV&bTDT|LRPGRp@viR42h|2NSIi{H~BS;M5f z#S=wz3%yRxS@(Ta1p3Fq1)(uUHroRZ-kR;aQ3gYqGHKmo-+YT#HEugis{B^B9YDUV zO~AX;>hE7~d@X4#@A8n6~%&zSL>X7by#Ygki77;-->f zJtSXn@|pY2xoy8cEBe_FpetFXhFbAst9qvb_v3A}O*lFZGU*;}jZ@U|!Vin3l$52E zw3GC-WlBEp&q{MXAJjG@5)o5@_wVxu8y!ONfoKv%1eK*pY8XkI_>0*{ZJ+@$>mMBp zZfc9VW%>%s$=EcpcAv4+0O8&XVnTsmEA?&=O3FGJT;!qf2xaEO!`+R88JkmP>)Ruo zchTplD3g+C2e^b2<&blBM^=JbpVc8z+O-G85&IadSVw=8i@eJh>%OVp=;%j>TT?#P zVuws+WrdL%=SW9i%%2gXK)1Fw1l-E8V6TIxpqp!#<76ZIlOU(|MFq8T=AEq>x7A~W zrNu^}Ho8<`v%W^_W^4@Z6*-@!V`37DiCJipg87t@xsNVmihi+aN;usbUe8zLuBfoG zp|_h+e|ooa*wG;e!S>)tIvNEiL)lYg89;jz_^~2rRB5_Uo$t9Mr_iUxyNCc~{WX;u z4ZCveJlRsjqe3fkZ(E(yOTF2ArQJ~lbP}e=3AN>KE}_hDaG)P)ti)=vwzhWU(#|FY-Tz04b=;zETD4w%b}o+Y zbZqf!%<1s$mXyZ2Is^Y>Xv-WoY9zOd&1L#;B3=0%*mugawLEKSwxB;rN2d0aY-d}R z?%5R$^AJrFk|SoD(#*&=A?F#<7F25z>coI@t2ZV?TD(_ z(Yz3gN;lF&Nu#=?@xi*0mWV_IYDhTS`y3V}Y+nq;o0TFb52&+)r-cGXk;#86WbnTx zCeC_RS{OcT7L?VRO$sC&0w_vaZAC*mKHt|8cihDys2>KVpbqeAj}&Xh13TVYeFXtS z#qGv*-+QO4Kig^-9yvGuI;SvPVWq4UrY7EzVe#ZqfWVt4zqLtB;{53@X{9XQxjdkI zg6E;3>b|zwCj;M3d0+$ShWv_3D355DMNk?zIt}D+{PVm2zjGA-Yd`TnJ!_*wclQN6 zjaE?h--J{K+3(GS(*<-^)-W(tBp*G_%)uebx$j{{NN~;8>mBD}&BHQ7&O3bp7pi<9 z#~BUN9E|0hDa#eKdw`tx+Mp{>?4>{1_c) zqr&OqwTH|hXiKf&rdD_mE_+Eyi7yx|1v^|QQ0bKQBhciKP|EP1DYpRhZ8f=oe(joj 
z1(?^TAj7}M1rac0f**l_ovz9{cTJ8?pG-}eNKKj2)Vv_V#snI-godS-8KDmiaopWZ zU7ub24WV1&2Uf|&&{j|QMEXT}D_@zziurKTw1=|9)ao7Zt-QRvesc65@B2U8*R{g0 zlPn*2b{oPj4xVK@J136uqZC3ilp5>0)>$Jm0SpumOpPD_+*{?t`9c8OzMal%Tf$2Ed zSWzr*L$1c#P>nsga4^RtZf@c~z=nn&!sjt|9@~_*oT4r4hDySqn@{CG0JRo*RxdG$ z`TKKeIU_UNvHBAH{{%yNP!K?k_w4C!y_DY^ z?E-t_(_dW~rME)6%uh1-Fy_b_KE_P=g|V@};wQIov4oPSZ9PM!m$O6BL{rJb2ML}{wR{nRtMfeIJjAJjK#?SMn!;?)h4>B z+zgo21Q|>S(`{)b%I^piHDA!VdEXt`2^s+X5ujOX-*M+EteA-`gghmITRgDygk~Y2T=UlD%U76hg-+@N^$)bC6 zwhtdCi?7Zm#1^CXf!bx^P@oMNHb0)6O_i!&*YS^s9=>k!fA*jgV*2ymobXy6>GCu{ zHdnLIRTbUA%-XQuZu_A7qe-f&2t_oWc|tB4)$4K2i*a8g>(}oY3nsAq&tDwJ7HH7b z$WlgolM2;kTu#G<+~YA}a5(lgS%4stY=-Yc$)q`aS631Jq!8()XPBzV@>gwY5637m zYNcmepa5MJkSAm;Lcn;SppT*=>>2ngrF`BOs{cDg1ayJIqiZuzctP= zbzQ&}EZ^rR3S)od`(ni_SN?W5@VuSZ`fLACV)}b?P-c*{1~yBL4?3lNL0u4Aw8F_k z%mZCA##m{eCp0Y!iHgM_{lnZJr7!hXf1N_@0Hw7mghv=1gduZ?kgJKJ?sZb-4Ey7F zeFdiOZEXJ)eFsV6Ba6Fw_rZB63*pZ#2}Tt-Rx){iQ2eDhMNP<*!`i5E8cYNA@2#Yv zUL>{P)9dSJ;XQxi#tVb<6LztYXG(AS1)KBbtX_B}4LKIObbtD}v(ZkPUKti&1Ns1c zv~Eu;_sGFd`%1Nfd0%7d?C&8GGLal)6L(FiG*o-~9FKmk!b|DX8_-mujybV(9%GYL zy>1!Dqc$fQMV|)#b_>yB$dzsQgN){lGM7dTw@-OVo=_50P6nH@e8~fEZ-Pv1jH#*3lV;dRkAZ$j^f>QyBIlofe zwL|#Js3!qZZ8VS7{Y%S>nV|nzuO0yVfr9{)x<{O@A0XrVvC+{BIbn!zdL#y zdNrM#P7+fVmjxTO)bf5QrB9?M6AS6PiLOr-D>Km5IRkkv2GT`qtOj(P@`gnca1s20 z{VWZ3SkP9|mxe>mBW6shPJ5Yf1)I-yKMlR z0f&jj@$5uVVZ+W{JV7uq zo4&L_A$acQcuWxdlH!0l2|N6&N(Cly9>}7Ee+(1zzZ-yi#loKTOu_5Ehgwcczty=E zD0*JIm)dQQB+*$-7r{#);NM7L0c+*iVT_VivyinXcRCYLaVGLaT|$5lJ$TGf|10xY zFdDw{MVovt@XwB)6(lR+GHJl0n6rF<02iPV0FM78l>0v}CQppbCC+)0Vf}1#a|ifg zUasEeejDdEXz}nfrD3PwPhI)Ra$w@*(3?Z(IX9|Zgf0t};k1okUm zf-?Bhodg8e7fWvo7NZ3SMP?G)_I>bn$bR$&%?8=WKs@l?j1z@B*M`fE&v+051%^5| z97Ch1Ppg3@T!H~4M&b|4<7-#sQ3 zlWA|yVmNl#9-BM_9giZ-2p&Wdu2)(X?jG>J-P?R|2MvYt1 zn=%33+9nW13(dv%XSn5NC57jxnIpxalTuxq~`rmR@81KLQS5+c68<#qL9Y`eoqQysL+*)`?KNLMYl8gz22o()RNl;`>V*7m^#e8`301UyJ za4&aW=KGxRe!E=f7JR;Klg-`b2P+Ga!33XdwoS4>XsT-$8T#JeC9dyUj4Tz^2QDc; zcwTP4d{MfkdUSIBy^VQkT#GKn>!Frd!^Zqwy^EB_tBeZqa_*I6zSTr34IEC1xMY8a 
z{XM89$C&|}Odx-bD`^WfXJh=jOO?h%FW%RhdYTp2`FTA6$H(Pyrk+bd|qVgI0h z@9>rWUL(2TowxW$ArR@K$WX01CpPT@SC_4vhSp?}W}3FD%a96Ez~}o-kMV(8hp%(Y z+~3Gd_deStT3f~?`uq{neT|sY`O+u zOkhe&7<4!JsTXcU06ceroM)7&Z^RD%B!c=+wS{pn^Q72a%8g|7xh@h=APAr*At&jQ zNU|W2sAh)K!Gnb!v6-di)O+JmE|4SjS+eBgl16kYe6pol=Q3YpEDAz9jZ7(bFI}Pt zI`|PhCbHi_9-NlyRoFiKsbqmV^IpaUdZ`ecf=G7<@}Tz zS!b=Ra75BWwDQCLz;;Nn$KluGn$P6)N7Sa99we|CkZTKY0%ty}@iE)Ab|)5XA1 zGjw|P*D>q2ba}$M#>Yal`{CZgxIyPCQ(hg%;|gR_tZ$$VXySu&ET8Z0&_x+iaYqm1 zyvs-M4~Zxo*timwq%*=zI2uXJX@8f~AW@cMM!Wyraer2+nz_QtK^6VtB!>JAhF8j% z$(7A|1)uGrln^x+k{rlP5i7XaI>llpuZ-Yrtp*3J^$jxlMo)`?Q*oz}pK4I%38XLaw{}6G`J8%Mn_qt4$Lb+NpEGzdCylU*&`W$x%s*Qw2jU?~;WGDuH5z2B zNN%hHJqORx^Gl~%DER3JiG=*lKXu1QmA&XQ#3y}*jl`B4QYS8`Gz`?5DocRi<6OH5 z%p`@F(IOS6^*i*AT0Ui^h{kXD^h)6Rw;BWyxwd1|F06H^mC+FohqnUvLBGLr`tWr*^0rn{fI#`MUPdvofX@<+>)2crnIGo}QAx;-pDzbR&dR$)XKqz9QlONSsMso`vJ;SKm* zZ&f+?dX02y*7Q;-KpMC3}Yamwq( z19apS>?z1nEnW-L+RwgGH7lkSTM(l5oCZfI>ZHHXOfMVU4GI*eDwEULEqXaQ;G)g* zQWN~`ElJ?pHv6bvFkW7Sz#F1JAd&6oA{0+Zm6i~eEFaOcka<8DsEPGVd>Ulm`qCB9RiEi3kG&ZrYXh38@bE%#cibE~NMlFg+&(pS ze`fbD$m|2Qj=vFRBpS$xfRB4gBDZXwx{p@dJTozN+OO^Q&$qY(6Fgbn3)9`rNN^EY?G{!m!7!+cHZo;&1;!(w|h>tcbQ{K5bS96=LqdVj_ z#(nX?FmGPesXT7X!^x@|r!RPKZ z$RIC6y1Sn6i`QBU`g=+!m(6@`&cJf(OUUo+l+>-v7obOAZr}kqx{=W9aIYzJl3!w- zo_jv^j^8@e2ri1rr(DhbT9Fo9>&nOZd6{_2#!|9a4P=it&8XEks=zFam~yi}G33!1 z%ma`f-~8AG=HKxx8a>C}$ocIr-vtV(v=(1sYN$$5%zvNp1v~CDtrXb;qA z&s!QNYr92TU&+OxUjxlLHWnan!GK!P$?aG6jP<9GU`Z7Rc>{NK9o29;o6btqumn48 zA8k}^l&7#|9Px$9RDw6m3%@+)$leA}aVan?aLZlRk)c0&9=+;}kK7(%F=xjH4tQ%bpLK87Mhb=~wmFke!?fKbS0qO%Zie zEL@hpa($Y?*e4%cUVLp0+zMnIom@q_KV+!CA?;fx7V)#^d*;KhjX=}4`0mWVzueSH zT2xVYj_D1OTF>&ZR&=aJMv(VoyjzD%HZm|5wvTU~!eCrI@SkM!9q5xB*9BUaMb^5F zetA|Ijk!Tq_zMN7`vuA18-|LR*(y0|iqrCxVOj_r z6%`1!Pq_lN_9!U@C<0FRkU(5qPe7KNg63;^tVIWcMoc$Mw}V89EgerWKu;be#~s`~ zF$^$8K<$FQ*S%mHL66y%V%Yb>*Mf`bv<4B&T|Hat4eXVs{vJ^4T`bsq73@`qwU?;* z%)k=!u>Q^q5Z_N<+URubx?Yp3S4tvfv7HWIzx;Cb5okt58FZ;qW#P%n%N^vidlT@I zy;C-b5NIB1RU}}xP=3tV;Ew+h>O^060mWTrwC$}Q1j5Cdm)@0dd@Ey9?`&z^j-7fp 
zD%bt%ZLZ7iKr@5Pg%KhAig=u!*wD!z{_HSx+HgP0GKaFXPoH)m&ua}b!5EH zQCEKY&Z3^Gi$x`CgEw-rr-q#`{d39RX0cL!d8f3J`ik4+E*?oO;)@h18g?JM+2G}? zWS=1-(3C9iDm}+c`LL|K*s3Y5d^sCP`A2f_Dmu`eCpLzXHE$(&!s??YIUgW=q{tR@>}p!L7)K%omDx^&DOC<7v7-FBKqVR>to! zJ{odsz}wna4*PHllL&5pYf|sjI6J){%)1sd3gKl6-!bDU5R1a@)1X73iJk%TFjs8o zeR0-$3sT0;F_#fIkc&S`2qUyMdqeSu&+{uGa9MHU!Q}xSWe#Qf=av4+?{Db0(T{{r zdLP;z8lR}QDL3o1PxZBq)SpP52X~KCGiA6rZcG^tgEBgQ&Z&VVJyc<(`j>}wg_2k+ z5ZrLDX8{i%CxXog$c0nxja}ngHR}2x0&*xTic59QbHUw%TqSo*2ASo&%gzGnJ`K4b zNtu;{zKMkQZf;uD#^E=SCk=bL8d@+ygO&>JrM>mU+`2D73c%Hx-37HE5CM?F-;71A z)3D^3@1)eGOfo0+X{6SWtk}&s9ejXFk}%;@i+WPvv|DM~_j$V9OyS6U+tvm)be5h^ z4xKBfh8`DH=#xY&{^cE2tc~7<2b*S6{Xe_VR1TXAi!L;z#V^Z5dD?f) zrKxA_oQ+QFA)E1Fj}I~|10_avRA#i{9$7AqCz4`C8tSI~cGF~+D5>lBCfeM3P4=(R zJVV;-9PVaB(h_u?;}DcjRDENNT`$n$ZHeamR*R-?gv@|2f`T%Ef1in9sF2tp1eW!; z_r7ur(voTx61r?cMW?|ZCTb!6Wi`>&L0@~(?ZM&wJc*-%)hJHH)|;DWIF)~EuiULE zUIIz3YLf?!=z7tF!I{P!ht)@~H6Kkk^{sl315*BEJDCb(JaSOMX)SZwLzM4q z?N4KKVhRg0E{kGTOpT+6oy(r`IIgy)d)*ul4NmPuCFNpkIqiyH(=9m(p@K2|A%_Lk zydNQ(iLK@YKogzs+#d)`m}{{z^Oj1Bb&3&ocpS7V9y7i?uL%GURC}D*z9b# zM^bcGRQ`hH*#Hfu@`cK3`m}9OxDZan0>_T%|Ib`3@r$7C3AT~K@U{Xbvvh&9q?Gt5 zaG|u3=6iom?swOod;QfeT7z~P27Nqi%rx5B=h%xYV&C>f+1n>lLK(tR8qtLq{wbIm|({ zWfAe1d$9U>W^&#_8IeARi97Iq*n_&hU@I7!NDk7e2y5l>-cL*Vix&36k!dM0zm9mj z7q|%UOab%K#YA5&etNZ9kFycm&V5N8BPm90?BpajuG{k0Ct+I*H#gO+FNE407J8W5 zfKC@VdC8Tto^yg*by-ck{M@zzx|Vku;EiJD*X6n>AQ7;w$$2g3N`AZhZ1jvSe@Ey_noT;;h)`Gb^!Yow9)-w9qX{c9d?Vs2~v+@4>~N4rpM3it^{6lG2wj2ccP)_iZy8kYZ-KsU5Ok z_SWwTu0B7Tp(G&sA`V2Pw^27izM_fDjDWct!{5?80cm*8hugQ@DUvAEPx(kJOr(}N zdT%e=K+$WFK*J}3A!G8UGR)BBAU78Rl#WSUoZs`h%BNvPJ7pE}*Xal%@VE*ZtuKG> zuEjzoB(AN?^bggA?6_hbOy5<$`Pntr*Q1Yo?ybF`g8+I;oV^Syn0^kYpvGf>3uHXI zd!Pq@`)s7pcRoz6uF#AYH~AuQQzfZs-j#SU|2i~wG6?L$iA1`GbKvH!cW^=+)1;SN ztmbdO-H7w8&bEYLH>{cwSt){$q8lDZAZP&vQ*z#ul>efHx^lh2aU~Yet|ou591AHc zte_@*&tQ)Zs!#c$J?nCyY_$J9yq7uhc?Er8!##><-Jd_~&*YD>NFQN>1FfQlI=9w4 zYvI}B>4&l6$t~o2G<=cTd|AW&;l*63LE)SnlE?VB4-2WKPTq1|idUQiiVcebo-_Mj 
zb)25t9lgPMqU#pbwRBKDfIOjM(wXFx)V>Bg_K!6+%Q2mngYRG<%rZj%;7pbd*dq1TEowtTxcdVojnRD;mAp49K)gh3j3#lsc z_pUUwOKcwsR?=p#Pz*mMxD!{R-gNA0YAOiY&e8i8S^^^&VpVlp1H>b+5-@uWYjaf# z2C!E^9hMVoOaqZYoP0wO_|#aS&=!&X-8lJ>bzED zqBh-ojR-7yweZ&zdWn`<15;}$|BMx?r1~a?!I!OIKb$$X{*Rp8pfTLtPnGA2My?Q7 z=IzXNKL0xn+giw~ERJE5o7#M9Dp}zhw;j5B!EN$qvIx@iHJk}7jc7#1O&?s!Myu<- zziylRRwzj%RjZC$r0eR~i{5WBmZ@g7d-+a`f*tnYxc=FFN1Yh~ZKk$~n~8qBHpKXp zD0PwF681*_3o0K#=9*xzOyspO?Ynb%x##vNwDm)rp$nR%-K?zUf7VQ++x0c;N(k z%8I1!mqeV?ElWvAK1%e@(4(v0e{^T^j;Czju42xp@xSJr*kSpY<1>Z6(sT|gDJs-e zI}7hAS!j?R>uWLHr6(9uIAMr{@1H^|o%lo_9JA(SnVw#0OkY z>Rha(#*{Mg`7>4k1QL$LH#LdMo~R66cQG@2nr!mA2ka_o`lEP@s(mj5Ruz&S7&Z3^8PA~HW zPaWF}836BlgA{Y_FZw6q9t|#Kz{npl0Z$+Nbim(j7DIl92y-=FyLtt_;rZ|NM)v*r z76AAUH#Rn=^R6Cs4AqOLwGFTQAL`zSa#Y#_dj#`8y4bDWGR9tOJ(}T+%s}_onXHg- z0u%;jef^TU=HsQN8lKPLf$<4J5{nb39Z4TkH-p?HYj~o%hV`@!we?(kPdgqLX)BwL z9|bPbbzPP7YnqQIXKHxp9)&c*tmu;Gr%Fn@WsrYAPWjH%IINVt;lxtu?9>4y@c~o3 zGPH@Iy1s_KAFyeYxeod`?rrm==kbY{i@UdLo+b%+r4ec#Gh?D)8K0J}QSul1OXq zP^fAFw1Pb91r9=`LOH`%W}}1LfWcl33?!KaM{2orp0*M=KMFTlKR7rPF@IvN^c8owU%mIYd4NwAkxQo89oKgR-Ze%Ii8{JY;J0Y zZ7NY#)-ilt)C)v-ZPM9Ha@r?^2|O-29S4>s#ViUs;=veOq^iZS0}Q!X7zmdSB=U@2 zqs(8^c?Dm`CG_vA_tUbZW@+}TMdvh5Xb}l5T_(|k+>Vr3*M*d{FX8Sv5se?Q3|?bu z3%kV!GrV^=M5@szbpHx+Jr`LXFq0APH@t0E()ZIdAE+%^WA_fFOL*h;D*fTpJkNWp z{rC1`3T4Ad6Ld6yN=iX!w~{z z%~ttPUzFYNU2U|9>!-8Y4hqG(u6aj=L)i~W?YV|l49dOM=8$7U5FKCP9a0OgVXx|k zfzNLitT){{NB6#5!{MLv(!oJ`VPe$acfIdF_l z9(>j0<9&0nC(IzwhXf*ZK7;LVLg6W&6=qgjHVbu;ZVe%O27<5Ro<`_3_?GQQn6(WQ zF%-qw>0!I5+Z%WD#gQ|!YZ=tW>gJaHDi+iEP=@2?m&agamLzQ*$D8OC8XbNu!PdOps5NoeDG_zyY~&+9pw7jI^SR!fHyr> z^pcGoMV+$*MJs9l$3MD5bNA^Y1v(Ci0?s9^+##7#4tx#OeG1H`kyM^WXV;okmEw)c zDgE5UBg^T~#pa2vS1mKT_2rvH$klXaisptvN5$A)KwmWHpip_mSM00>Q*=N#z{ny} z>N?YtHqFw$xJ~tsR9u+b1osGB-HG5FpNq+oqRxgPAIQz#kW)|QqAN@{Ap zTbqJ3#Tqea|05}AxbE&T;`BHwIEr0t&$^1(8%d4!5&YR|IyIXKNroyA9e;OHY^u-k zJ-Iluh_EmyF<#VF0w&wnLs!?a1PG}@wSizTyJd)}QZ$XGVD z*^3LmUvOngzs%Ws(+*i)9Ne4YjLAOKa!B5=(^yENuc5%sY%Fd@ncxODj7<7_GKb)w 
zVz`|)I;B$=XaYk7yJ-MZfLe6Bt{A%sVL z>20a4n#5J5z7IDob^}tYTwOU}ckWg4d$55iIAOMG_B}f3*9mqi%B#8){I7ydbNf_` zS~kdU$(Lpki#~HBo8md}^kT&t?@Z@ieqo%arGgc&qEh{xb#{_kX;D?NDRPaS7h4-1 z#AvYc1aK4g_Q;X28)zFJ#+x*s&74oy3WsmNHWg1L3-RlJ})z8 zS7&h3mR5NgzmhGaBhN$eWVq*ORqeQFaq?67W0Pu;{Nt(N;?d*}fpq&?*jLgi)S zvMxl(DJZkI9q^f=0c<*yN82g}Dzr)I?YB@=>9SLm%L#3!sDb%=ybs|Msj#>SNZbt; zPl+iZ0JME^N(1#wdLe`hZ-9KQ+JXIRNoKpI`u5S6%0yoee$AS#kYuZzbg?w>i6`Tq zz3=*rczl^a7xP&Yf}x?Q{foRJrwuc`B^I}(!Ib8sdnr2IJxIenPv<5M8)#-#b+52J z{m^t7$=!Tg2pjdid<`+UHKJp=9hI_M-Y26PmC6ww0p z-PqsU-Fq@Qi+fUoln?Y+E(jV}$FX_7KQhoMKQ4SnhtcYx>Nl`eGd?Wy*XG(H1XtCju=CeZ0RwJ=HT1Z;N55NN7Cgmcq# zfP#zoLsA%accgAs@I_+YLB%}yqMR`DMdFz}WH{7hdKP2l}C~knBl_qSlSX|=tK<7~_$25~>(RpmVVa&?BlqSb2|9J?)SH1`GmdW? zOhTBXWheAimPJFTZq`>y?$^Bsx8GT`&Ar&&7uIclOvvtRZc3d$>2<4byB-hm`)FxT zGgkDG64&3b!Kf71Ba!{_0*$B6ZG3((uiR*Y-?yGdKkM3V^G=-Ci~6Bakm6V3b?p<> z^zl_n)FjqYdhw7(&l0SN=3*hsxzjAEsGr(>wrRKd zVkYH+@;?&Fsm?CMVoLaV*Q6rX9;j#&`K**udW-$iK%~))vJv(X3+csNR`S&6so0z& zD?(?z$0Oi(FoGEut7$roet%s&rdP!OYg{@K==KM%N(2G9IQbiGu)yS9jyJrdYd0ij zDT#{r_M}%k`_8Rg15`+~n0hZtzb`pDaroU~%E&>lKJH`#Hi_MV@UR!9MGU%f32u5X zQ2DLNu#R%Bek#?VLA_Ovg%bRtnn0q9wIO-IthPf6wOrvDX z_tQqj|I*Qt~2)KYpFm^fQM_NI=`! 
zh~fL-TmJv2x#x^(s#`XQf{1{Trl269N>xC5QxcGl^cD~)5fCC^h!PWuigZ4y(h-rK zAiad5NKrZnQbVMRgh1$_Uhwi1|NKX(PpK`eOp4YkI$Q7fST=!+CadYGdC(StK0I(eU~bxw zOyqo|vY!d*Np6Z*aXw05*+DEl_{@Jz)ql%f7+8%!=Slz?&J^Lf$7N{(@yHFp;h`A& zg=#O`eWZUI@wh}d&b}sE=)oJn*HH>|zks_nc57LHy$NVM>q?|cd)+{i0Ls6q@WaKc zRc|t_eq_~ys;1Lu#1xK;_RoEB@ttI145)_h?W*MXyP_j!?MyS9!*NOsp4D2k6z|^H^8N(|8q#&+ zQNu>Qleo%BtHeHf2tO&H0ttYobUwhY)+B_djFm3O?d$CsW?7Ode z!N|w0rxyFu&qwUjoW_`wF;9p3a@*>GrH166pjU<&=er78`3ig-Ja-F2&+I(KJ2uEa zsS}@}ISsI4_@Gf}$3QGhQtM#NjSSbnh*vnKXb{wU0}y@qW!Feg|6qjW+ZoNa)Bbc= zyF}Xy(Hl<}SIsj3q$0(e$NBZ|``eNE3OlrONcuB~1n?lhih9N<_N7ps5e1<$#=1Q= zBBK2%I6&=q(|04vOKatagrb^F7|tX5@F;{8@#XO^#n z?wz3jvJW?oe9f&a*s4w=b`f<2B$`dFk22qkDHd7Xn6 z_Drat@3&Y~t2gVHljC_==%S%+1Ml~9YG_|*mx!j;R`T9(+YHp{WT#IIVYdD4pWAFO z1_l9r;@trQKYw|Ao^ufW>z~R4mT8HHM_Xhy@j@TM%nno8{YyS=0#_h>7r_u&9X<$a zLR`UOLdAFS@~%7Ug%hNXM;_x9acNy9rg+&Ky4}*gdu6Jk);2cxb%L)3Jr9z-X=>~d za>dn-KTTc3p3RpI5!JTsOJ!Nw#Qd<4-gi}9vaTYym9GowqkZ;rW|vFLr++VM4}q>( zOlKJ2y8<64nWU+C==YDn{i5836B=5iFmDipEl#h6>#BzK<4a5Ey2qQ!9EM~DUX(P~ zX%8PdP0R;f_b7tju09)@U}HVxD#hW(xgi`@?d-c&ligB?n`vEYL)c4!K(|#xHqnmb zJqkL!DL3>$%bLg%(Fso?h(FgH3P@_aab999G=Ah!<)Lzo-4Nurog1B3By9~3nE48~ zqO)Eb`d+GK6qnqWYli6OKW)yExmKij=RNgHdDy~2W3byx-Viom*ro0HNHxTf!r6%B zqTUI!kJNRC4@)y|rfBFl+{tZEAPM8UezhFXO6)W4DqfCzbqG&OXwpSxnK{a;Qp6%W z!pL9QUgD6?WuBzElnCclaWY;W#rQh_75AO`M|Ug?0~{U~pl_KxF{a1Ct77?Y(W)gq zvQ12!EYQYtfU06`__KJRcmV_Q<-X-+hkalvfA#<|xwh$KsMnxBpWe_d+6tf!(=Y4(y=RZc3*r_;s4!f@*!#Nl!=Fwx9zGmH0 zld-8LKos)1KUg+6R6F$LjfLNt>bZLAK#09etdL={ocO^j&hL8ew|?y_EImG<0^n|<-@jGTg4=j zaqla~PUwNn?`m!Elk{mGrjd`2(2he+^l~WL!a5Ct*s^H-9y0(JoW=7+32UEN??3)s z)2V3k(i)7Hx94X>TZkJ$0+)XG@aU?E;4c#@b>7Px%Kk0jsCyep>YzGW_OLh<6P_LK z*N$!1by}WdakgdxR&xm|)E8Nm`DMmRHq^=eBoLFF58VxPb;p!tgjLniw#g#5op>TC z9KbNrIMK2=d3_$&wR1uXFJ0x;qs-rQu(~3ljGQ}oWKrZ_?(nr_JPW^>jY&<}>8P(Q zso%Z*PUhBNQ;AlD2(ulLM7_?^PUNzpf{`07r2N(hEl7B%YQW;mi=y1>W!3MA6$pD( zS{ztNa;FA1m7_eKdP-A22s(XSn0su^^*}Y5U%NX4bfjyK&iTCnVL^~CVh)Kd8?hb0 
z!C`jU4VgMfjCQ76&iS)9&uI1bvIE1eC_KAAU(*xBm&;%)N?Tj%{G~;WFZa`5Jv!7< zv0TB53pWGyY%(vH>fdSpYqDC1-4Km7%dtB5L(1l(O5R#j_ysly*( zhYi><(xPKeP|ur*)BJnl=X6v1h$5|c7=c)d9@1Q6twQSQ75uh?uF#wxmo9U2|GSQQPv8Lcx)?6|&+7 zrK_JNUxaMPo!R2a#F(Z1$R>_}_Xa0#GQ4=;Z`2j{Tl=f>W;#de!J~~C?(lS?MR!;P zm#nrq3IyV%74tdKlA6ju)(Zj7;s{Ivx$lFtz z*~D0R3xR`0Usjp}*7h;`@D(+Icc?DLT9ftkyN^kIUrA|M%6AZ;?1*3L{(DJ+3-o95 z7n=XdCb2Vec!}JIxHNN!g2XOkcRINIn>IX4JI$e4jbcoIiIVOt?U^4~btOt;Ay80i zlQI?0p{f=Au>AhRuloeD*N-TXYg^=K5NJS9GIvxk(TyWXw$do{3Nb!5MMe46vn}DF z0E<`KkpmH-18OS9EqHXEG4M?&kL9f}z0uDld45jh~5tCJzqx+UVf$>h2r;qto1fVT6+WY$^2`f4q&LlSnGLnJ|8QkZ$B|DVdQ&{i%}Wsd34W_trVfXhmQ&4*k1Q5Ax5Sa} z&Pq9O9%g&EK5?9yX{uQr`m4I1AK9L~ujud>vk=W&&pvnMM_jMFl(pGbX$ zg+YH=J4yLY-I1Q0n4rG$bdj9+v^%4pyv~U7m-T)ZQs~?2 zY7XJou+|{%K(YyMzS2VTySNA_M%iYgbLcV?r%{0|X723oL@7%NcS={T(zcw`W?g}Q zbfDNX(mCcV+*H7MD8*9v7G!X&C&BJKu6W7j3-_@q@qLSu)f$?H+GtBIfE{NvP7liV z?DNP6OUexG@XKj*!>d)@N&hCsPLuup!yHX3@?PAb)AER1_It`|Rd;G}_KLd5*f%Mk zrBO>KFdO}2)zzC@B;c&gw!@dKXRqm@H@X$>AKpybh0-RO6BFnF&PtTW9+Oq{?FFb?NMklx9_AklCS36DcfZGjI>#@Xc~l# z{)GPBGZWKCTd5_r_;a#a$DaSB4-HeW_el$o{Tu232Cyef0(O>A9+cScO-GW`d_3&a zQ&VK06S{-u_xkIt%a!qd{f}PrBo3G$<+*k`3-j|ojxWQCEzHdcP{w1lKs^(-R-=+_ z3Wd@)JAe6qG(jm=I3WT^0fp0^v{~1)|9=5%KFB||0W8NK9Y)MFoG!hBMDkgtzWXrD z>Y5aT6G8wxWEXwoNPI>DI$Iyy(zHp-64O*Z zcWcsVvaXhwy&ApqA!+aJ1Yx&xRcB&`bL>usbg@jxxTx@fCu;qd-`p!xjM2d-!Vuw7 zjo2T~Dihdo{)mCJsLTbiz5N^&2fqZ5t&iIXh29lvt#o znsUhD058l^#Zd$!fgo<+ZTV+FyHnkkgFTxR>%AIL4+b=+LKs~OEjqu=oDuGP9_85_ z9Hl!aJ7kk9+UO6t*ZrC?CUMcjHQixxP^!s>32P%aY-wa+#H;vZgyizOuc~qyd~Y~U z=xXf29aP%&Vpt;VmuB6sr$&ep^uqY>o0RicNkfC$S6ZVdB7NQnEwiTV=t35^-5uX7 zU_WPovM)8@h0F}Sk>wQ{e}0NUu2;mB%Fvyy%NTEFDZ5*4^K#moF^AhKs>*!&&cycK z4``QjQTH&DhzcJZZpF7mjSCkVTKRA}*jjnZ63eFG|04&ZrC95<6(19AZm@ptimH=| zdH_;>9Kl}Lt;w)mi?kWtx9nW%Vi+(OndY<@?LNe0j^qs@XvJG!Z1VGZWxpLlR9lB9 z$zMgnSvLbEDz)PnUhg+YfBy33JM7JR3-zQc!Ufy`4DF%{fG~x|gwhSzeFRIodH`A`}U9HQX zdY{+3KfJL(=VuI#E=gbSzZrIEt8Kd0?fcBQQZzcPahQPh3SC2c^b|~cFU`mk%#m70 
zg1a~3tf~$v7VAWL*Mtb2Ma5CyBbfk_qA{P=hod}$l_)r<$`_TPZYmNzaSLWN0tSm) zZ>8OW`NF?y_5=Q&Wb!R;1=iX-7*$g&ro7)tumgd_zp8G7qQ~B+S4W32*FuO&vJ=-p z%-*4)S30P<`T`HWvQm(z_vBfaS0;3&=4sEgL+-ptIZR1v*fvWBO)L0M=ipNb7ph># z2_r!d%yz{~&>x?Vy+(z`C#57D>OH50fLkt*B&MyX^#?Bv&Qm6_2==CWxOFlgD7qxm zQg0aqa-l!kS^XyC0IR{9bG>_^bfRH153dbQMS)ikVS)YTH(f@q5^0qctMOl`*aBuC zMgEtE(Z$!Hq@zdF!`>dFwauXjD*|DS&RE^5xG}L8_l!8fd z0>3H5;fLGVmielDUqy6638M~-f6sA+*Waa|n%i@NWFD+EW*9xmk9&v2VoFxy14tXm zUtY|$B$eAcV1BLHt{2uV5~zv4b*2SD%e<*KYhmfIet3(BWZ6zk*GpGQzk&Yep*T@6 zIOjR>d(#Ju9dhb*ik3F&I9|2hU$TFtrhPXR--+Z^%0HP&HJF@wU*efSi4*enX>zc| zG8eJL2Kl3ad6EiWp*uUUXm0j;=eNu zL3!1(*<5Y4Tai?J=#GHly4>AopCijMJ+r}kkw<~3$$iRLDi6-*J>Gmcq%yqfiugLn{?h+I_#>}EATOadf~;~ z)fq*qQ+rbZ&SVKrr#R;AJuqQ~mAyokWs5{DXndhF*szrVx0S~!=7qyXW>d-ME&|(k zZ@DLjJ}^-tF0ns+g7lT0cDycuKr)?-rN>uIus@`Mkp8_N=k;=JiVL%c_v&f{Bg{9k z%4}(cHl1cb2)u8nVH)PZ(6|<*z-O{J)}xt|{S@op71m0NdY0g#fUD`O+m7T中国AWS云的CloudGuard CloudFormation集群部署模板 

+

The table below lists CloudFormation templates provided and maintained by Check Point that simplify the deployment of Check Point security solutions in AWS.

+

You can use these templates as-is or as building blocks for customizing your own templates.

+

Notes:

+
    +
  • +

    You must accept the Software Terms of the relevant Check Point Product AMI in the AWS Marketplace at least once prior to launching the CloudFormation templates. It is not required to actually launch the instance from the Marketplace, but the agreement must be accepted from this location.

    +

    此模板中的镜像使用“西云数据”发布的最新版本镜像文件,使用此模板前请先在AWS中国镜像市场订阅相关镜像,使用西云数据镜像部署的产品需要联系Check Point与AWS的销售已得到正确的许可证

    +
  • +
  • +

    国际版AWS使用的CloudFormation Templates请直接访问Check Point官网SK111013 Check Point SK111013 +

    +
  • +
  • +

    For R81.20 and higher versions, Gateway Load Balancer (GWLB) and Gateway images are unified. They use the same Product AMI in the AWS Marketplace.

    +
  • +
  • Some stacks may "roll back" automatically after 1 hour, with an error "WaitCondition timed out". If this happens, please check Internet access is working, either through AWS (Internet Gateway (IGW) assigned to the VPC, routetables with a default route and assigned to the relevant subnet(s), and Elastic IP (EIP) assigned, etc), or through another method like external proxy, or route to on-prem, for example. 

     
  • +
+

Table of Contents

+ +
    +
  • +
    Security Gateways Auto Scaling Group for Gateway Load Balancer (GWLB)
    +
  • +
  • +
    Security Gateway
    +
  • +
  • +
    Single Availability Zone Cluster
    +
  • +
  • +
    Security Gateways Auto Scaling Group
    +
  • +
  • +
    Security Gateways Auto Scaling Group for Transit Gateway
    +
  • +
  • +
    Cross Availability Zone Cluster
    +
  • +
  • +
    Cross Availability Zone Cluster for Transit Gateway
    +
  • +
  • +
    Security Management Server
    +
  • +
  • +
    Multi-Domain Management Server
    +
  • +
  • +
    Security Management Server & Security Gateway (Standalone Deployment)
    +
  • +
  • +
    CloudGuard AppSec (Not in China AWS) 
    +
  • +
  • +
    CloudGuard AppSec Auto Scaling Group (Not in China AWS)
    +
  • +
  • +
    General
    +
  • +
+ +


Security Gateways Auto Scaling Group for Gateway Load Balancer (GWLB)

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DescriptionNotesVersionTerraform TemplateCloudFormation Template DownloadDirect Launch
Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.

For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide
Creates a new VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server.R81.20
R82
Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server into an existing VPC.
Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.

For more details, refer to CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide
Creates a new VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway.R81.20
R82
Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway into an existing VPC.
+



Security Gateway

+
+ + + + + + + + + + + + + + + + + + + + + + + + +
DescriptionNotesVersionTerraform TemplateCloudFormation Template DownloadDirect Launch
Deploys and configures a Security Gateway.

To deploy the Security Gateway so that it will be automatically provisioned, refer to sk131434.
Creates a new VPC and deploys a Security Gateway into it.R81.20
R81.10
R82
Deploys a Security Gateway into an existing VPC.
+

 

+

Single Availability Zone Cluster

+
+ + + + + + + + + + + + + + + + + + + + + + + + +
DescriptionNotesVersionTerraform TemplateCloudFormation Template  DownloadDirect Launch
Deploys and configures two Security Gateways as a Cluster.

For more details, refer to the CloudGuard Network for AWS Security Cluster R80.20 and Higher Deployment Guide.
Creates a new VPC and deploys a Cluster into it.R81.20
R81.10
R82
Deploys a Cluster into an existing VPC.
+

 

+

Security Gateways Auto Scaling Group

+
+ + + + + + + + + + + + + + + + + + +
DescriptionNotesVersionTerraform TemplateCloudFormation Template DownloadDirect Launch
Deploys and configures the Security Gateways as an AWS Auto Scaling group.

For more details, refer to the CloudGuard Network Auto Scaling for AWS R80.20 and Higher Deployment Guide.
Deploys an Auto Scaling group of Security Gateways into an existing VPC.R81.20
R81.10
R82
+

 

+

Security Gateways Auto Scaling Group for Transit Gateway

+
+ + + + + + + + + + + + + + + + + + + + + + + + +
DescriptionNotesVersionTerraform TemplateCloudFormation Template DownloadDirect Launch
Deploys and configured the Security Gateways as an AWS Auto Scaling group configured for Transit Gateway.

For more details, refer to AWS Transit Gateway R80.10 and above Deployment Guide.
Creates a new VPC and deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into it, and an optional, preconfigured Security Management Server to manage them.R81.20
R81.10
R82
Deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into an existing VPC, and an optional, preconfigured Security Management Server to manage them.
+

+


Cross Availability Zone Cluster

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DescriptionNotesVersionTerraform TemplateCloudFormation Template DownloadDirect Launch
+

Deploys two Security Gateways, each in a different Availability Zone.

For more details, refer to Cross Availability Zone Cluster for AWS R81.20 Administration Guide

+
Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways into it.R81.20
R82
Deploys a Cross Availability Zone Cluster of Security Gateways into an existing VPC.
+

Deploys two Security Gateways, each in a different Availability Zone.

For more details, refer to CloudGuard Transit Gateway High Availability for AWS R80.40 Administration Guide

+
Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways into it.R81.10
R81
R80.40
Deploys a Cross Availability Zone Cluster of Security Gateways into an existing VPC.
+

+


Cross Availability Zone Cluster for Transit Gateway

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DescriptionNotesVersionTerraform TemplateCloudFormation Template DownloadDirect Launch
+

Deploys two Security Gateways, each in a different Availability Zone, configured for Transit Gateway.

+

For more details, refer to Cross Availability Zone Cluster for AWS R81.20 Administration Guide

+
Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into it.R81.20
R82
Deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into an existing VPC.
+

Deploys two Security Gateways, each in a different Availability Zone, configured for Transit Gateway.

+

For more details, refer to CloudGuard Transit Gateway High Availability for AWS R80.40 Administration Guide

+
Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into it.R81.10
R81
R80.40
Deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into an existing VPC.
+

+


Security Management Server

+
+ + + + + + + + + + + + + + + + + + +
DescriptionNotesVersionTerraform TemplateCloudFormation Template  DownloadDirect Launch
Deploys and configures a Security Management Server.

For more details, refer to sk130372.
Deploys a Security Management Server into an existing VPC.R81.20
R81.10
R82
+

 

+

Multi-Domain Management Server

+
+ + + + + + + + + + + + + + + + + + +
DescriptionNotesVersionTerraform TemplateCloudFormation Template  DownloadDirect Launch
Deploys and configures a Multi-Domain Security Management Server. +

For more details, refer to sk143213.

+
Deploys a Multi-Domain Security Management Server into an existing VPC.R81.20
R81.10
R82
+

+


Security Management Server & Security Gateway (Standalone Deployment)

+
+ + + + + + + + + + + + + + + + + + + + + + + + +
DescriptionNotesVersionTerraform TemplateCloudFormation Template  DownloadDirect Launch
+

Deploys and configures Standalone or a manually configurable instance.

+
Creates a new VPC and deploys a Standalone or a manually configurable instance into it.R81.20
R81.10
R82
Deploys a Standalone or a manually configurable instance into an existing VPC.
+

+


CloudGuard AppSec (Not in China AWS)不支持中国AWS请勿使用

+
+ + + + + + + + + + + + + + + + + + + +
DescriptionNotesCloudFormation Template  DownloadDirect Launch
Deploys and configures a CloudGuard Infinity Next GatewayCreates a new VPC and deploys a CloudGuard Infinity Next Gateway into it.
Deploys a CloudGuard Infinity Next Gateway into an existing VPC.
+


CloudGuard AppSec Auto Scaling Group (Not in China AWS)不支持中国AWS请勿使用

+
+ + + + + + + + + + + + + + + + + + + +
DescriptionNotesCloudFormation Template  DownloadDirect Launch
Deploys and configures a CloudGuard Infinity Next Gateway as an AWS Auto Scaling GroupCreates a new VPC and deploys the Auto Scaling Group into it.
Deploys the Auto Scaling Group into an existing VPC.
+


General

+
+ + + + + + + + + + + + + + + + + + + + +
DescriptionCloudFormation Template  DownloadTerraform TemplateDirect Launch
Create an Instance profile for Security Management Server
+

Creates an Instance profile in your account preconfigured with permissions to manage resources.

+

For more details, refer to sk122074.

+
Current Check Point AMIs +

A helper template that returns the latest Check Point AMIs in a given region.

+
+

CloudFormation templates for previous versions can be found in the CloudGuard Network Security GitHub repository.

+

Notes:

+
    +
  • CloudFormation Templates are often called CFT by customers and partners.

  • +
  • Check Point Recommended version for all deployments is R81.10 Take 335 with its Recommended Jumbo Hotfix Accumulator Take. R81.10 is initially recommended for customers who are interested in implementing the new features described at the formal announcement.
  • diff --git a/china/aws/templates/asg/README.md b/china/aws/templates/asg/README.md new file mode 100644 index 00000000..fa77f06f --- /dev/null +++ b/china/aws/templates/asg/README.md @@ -0,0 +1,22 @@ + +## Security Gateway Auto Scaling + + + + + + + + + + + + + + + +
    DescriptionNotesDirect Launch
    + Deploys and configures the Security Gateways as an AWS Auto Scaling group.

    For more details, refer to the CloudGuard Network Auto Scaling for AWS R80.20 and Higher Deployment Guide . +
    Deploys an Auto Scaling group of Security Gateways into an existing VPC.
    +
    +
    \ No newline at end of file diff --git a/china/aws/templates/asg/autoscale-master.yaml b/china/aws/templates/asg/autoscale-master.yaml new file mode 100755 index 00000000..7f31be26 --- /dev/null +++ b/china/aws/templates/asg/autoscale-master.yaml 
@@ -0,0 +1,735 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Create an Auto Scaling group of Check Point gateways into a new VPC (20250617) + See CloudGuard Network for AWS Auto Scale Group deployment guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - PrivateSubnet3CIDR + - PrivateSubnet4CIDR + - Label: + default: EC2 Instances Configuration + Parameters: + - AutoScaleGroupName + - GatewayName + - GatewayInstanceType + - KeyName + - VolumeSize + - VolumeType + - EnableVolumeEncryption + - EnableInstanceConnect + - MetaDataToken + - Label: + default: Auto Scaling Configuration + Parameters: + - GatewaysMinSize + - GatewaysMaxSize + - AdminEmail + - GatewaysTargetGroups + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + - Label: + default: Proxy Configuration (optional) + Parameters: + - ELBType + - ELBPort + - ELBClients + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public Subnet 1 + PublicSubnet2CIDR: + default: Public Subnet 2 + PublicSubnet3CIDR: + default: Public Subnet 3 + PublicSubnet4CIDR: + default: Public Subnet 4 + PrivateSubnet1CIDR: + default: Private Subnet 1 + PrivateSubnet2CIDR: + default: Private Subnet 2 + PrivateSubnet3CIDR: + 
default: Private Subnet 3 + PrivateSubnet4CIDR: + default: Private Subnet 4 + GatewayName: + default: Gateways name + GatewayInstanceType: + default: Gateways instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableVolumeEncryption: + default: Enable volume encryption + EnableInstanceConnect: + default: Enable AWS Instance Connect + MetaDataToken: + default: Metadata HTTP token + GatewaysMinSize: + default: Minimum Gateway group size + GatewaysMaxSize: + default: Maximum Gateway group size + AdminEmail: + default: Email address + GatewaysTargetGroups: + default: Gateways target groups + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + ELBType: + default: Proxy type + ELBPort: + default: Proxy port + ELBClients: + default: Allowed proxy clients + AutoScaleGroupName: + default: Auto Scale Group name +Parameters: + AvailabilityZones: + Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. + Type: List + AllowedPattern: '.+' + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + AllowedValues: + - 2 + - 3 + - 4 + VPCCIDR: + Description: CIDR block for the VPC. 
+ Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in the 1st Availability Zone. 
+ Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet3CIDR: + Description: CIDR block for private subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.31.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet4CIDR: + Description: CIDR block for private subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.41.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateways. 
+ Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableVolumeEncryption: + Description: Encrypt Auto Scaling instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewaysMinSize: + Description: The minimal number of gateways in the Auto Scaling group. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of gateways in the Auto Scaling group. + Type: Number + Default: 10 + MinValue: 1 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + GatewaysTargetGroups: + Description: A list of Target Groups to associate with the Auto Scaling. + group (comma separated list of ARNs, without spaces) (optional) + Type: String + Default: '' + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. 
+ Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". + to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. 
+ Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: ASG-configuration + MinLength: 1 + MaxLength: 30 + ELBType: + Type: String + Default: none + AllowedValues: + - none + - internal + - internet-facing + ELBPort: + Type: Number + Default: 8080 + ELBClients: + Type: String + Default: 0.0.0.0/0 + AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$' + AutoScaleGroupName: + Description: The Name of the Auto Scaling Group. (optional) + Type: String + Default: "" + MaxLength: 100 +Conditions: + ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']] + ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + CreateELB: !Not [!Equals [!Ref ELBType, none]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] + 4AZs: !Equals [ !Ref NumberOfAZs, 4 ] + 3AZs: !Or [ !Equals [ !Ref NumberOfAZs, 3 ], !Condition 4AZs ] + GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [ ',' , !Ref AvailabilityZones ] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PublicSubnet3CIDR: !Ref PublicSubnet3CIDR + PublicSubnet4CIDR: !Ref PublicSubnet4CIDR + PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR + PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR + PrivateSubnet3CIDR: !Ref PrivateSubnet3CIDR + PrivateSubnet4CIDR: !Ref PrivateSubnet4CIDR + 
ChkpGatewayRole: + Type: AWS::IAM::Role + Condition: EnableCloudWatch + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - ec2.amazonaws.com.cn + Action: + - sts:AssumeRole + Path: / + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: ChkpGatewayPolicy + PolicyRole: !Ref ChkpGatewayRole + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: EnableCloudWatch + Properties: + Path: / + Roles: + - !Ref ChkpGatewayRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + NotificationTopic: + Type: AWS::SNS::Topic + Condition: ProvidedAdminEmail + Properties: + Subscription: + - Endpoint: !Ref AdminEmail + Protocol: email + ElasticLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Condition: CreateELB + Properties: + CrossZone: true + Listeners: + - LoadBalancerPort: !Ref ELBPort + InstancePort: !Ref ELBPort + Protocol: TCP + HealthCheck: + Target: !Join [':', [TCP, !Ref ELBPort]] + HealthyThreshold: 3 + UnhealthyThreshold: 5 + Interval: 30 + Timeout: 5 + Scheme: !Ref ELBType + Subnets: + - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue'] + - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue'] + Policies: + - PolicyName: EnableProxyProtocol + PolicyType: ProxyProtocolPolicyType + Attributes: + - Name: ProxyProtocol + Value: true + InstancePorts: + - !Ref ELBPort + SecurityGroups: + - !Ref ELBSecurityGroup + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: !Join ['_', [!Ref 
'AWS::StackName', PermissiveSecurityGroup]] + GroupDescription: Permissive security group. + VpcId: !GetAtt VPCStack.Outputs.VPCID + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + GatewayGroup: + Type: AWS::AutoScaling::AutoScalingGroup + DependsOn: GatewayLaunchTemplate + Properties: + VPCZoneIdentifier: + - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue'] + - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue'] + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + AutoScalingGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName] + MinSize: !Ref GatewaysMinSize + MaxSize: !Ref GatewaysMaxSize + LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue'] + TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue'] + HealthCheckType: ELB + HealthCheckGracePeriod: 3600 + NotificationConfiguration: !If + - ProvidedAdminEmail + - TopicARN: !Ref NotificationTopic + NotificationTypes: + - autoscaling:EC2_INSTANCE_LAUNCH + - autoscaling:EC2_INSTANCE_LAUNCH_ERROR + - autoscaling:EC2_INSTANCE_TERMINATE + - autoscaling:EC2_INSTANCE_TERMINATE_ERROR + - !Ref 'AWS::NoValue' + Tags: + - Key: Name + Value: !Ref GatewayName + PropagateAtLaunch: true + - Key: x-chkp-tags + Value: !Join + - ':' + - - !Join ['=', [management, !Ref ManagementServer]] + - !Join ['=', [template, !Ref ConfigurationTemplate]] + - !Join ['=', [ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] + PropagateAtLaunch: true + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: true + Groups: + - !Ref PermissiveSecurityGroup + Monitoring: + 
Enabled: true + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref InstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}' + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + GatewayScaleUpPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: 1 + GatewayScaleDownPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: -1 + CPUAlarmHigh: + Type: 
AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-up if CPU > 80% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 80 + AlarmActions: + - !Ref GatewayScaleUpPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: GreaterThanThreshold + CPUAlarmLow: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-down if CPU < 60% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 60 + AlarmActions: + - !Ref GatewayScaleDownPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: LessThanThreshold + ELBSecurityGroup: + Type: AWS::EC2::SecurityGroup + Condition: CreateELB + Properties: + GroupDescription: ELB security group. + VpcId: !GetAtt VPCStack.Outputs.VPCID + SecurityGroupIngress: + - IpProtocol: tcp + CidrIp: !Ref ELBClients + FromPort: !Ref ELBPort + ToPort: !Ref ELBPort +Outputs: + URL: + Description: The URL of the Proxy. + Condition: CreateELB + Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]] + SecurityGroup: + Description: The Security Group of the Auto Scaling group. + Value: !GetAtt PermissiveSecurityGroup.GroupId \ No newline at end of file diff --git a/china/aws/templates/asg/autoscale.yaml b/china/aws/templates/asg/autoscale.yaml new file mode 100644 index 00000000..951eae08 --- /dev/null +++ b/china/aws/templates/asg/autoscale.yaml 
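Review bot: The three nested-stack `TemplateURL`s (`utils/vpc.yaml`, `iam/cloudwatch-policy.yaml`, `utils/amis.yaml`) now resolve against `cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn` with no object version or integrity check, so the IAM policy attached to `ChkpGatewayRole`, the VPC layout and the gateway `ImageId` are whatever that bucket serves at deploy time; as far as I know `TemplateURL` accepts an S3 object-version query string, so consider pinning each one (e.g. `TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml?versionId=<known-version>`) or at least stating this trust assumption in the template `Description`. `PermissiveSecurityGroup` admits `IpProtocol: -1` from `0.0.0.0/0` on instances launched with `AssociatePublicIpAddress: true`; if that is intentional because the CloudGuard gateway policy is the enforcement point, the resource should say so, e.g. `GroupDescription: Permissive security group; traffic filtering is enforced by the Check Point gateway policy, not by this AWS security group.`. `ELBClients` defaults to `0.0.0.0/0` and its `AllowedPattern` accepts octets above 255 and prefix lengths above 32, so an `internet-facing` proxy is world-reachable on `ELBPort` unless the operator changes it; a tighter pattern and a warning in the parameter description would help. Note also that `GatewaySICKey`, both password hashes and `GatewayBootstrapScript` are only base64-encoded into the launch template `UserData`, so `NoEcho` hides them from the stack parameters but not from a principal that can describe launch template versions, which is worth stating in those parameter descriptions.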
@@ -0,0 +1,626 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Create an Auto Scaling group of Check Point gateways into an existing VPC (20250617). + See CloudGuard Network for AWS Auto Scale Group deployment guide for detailed deployment and configuration steps +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - GatewaysSubnets + - Label: + default: EC2 Instances Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - VolumeSize + - VolumeType + - EnableVolumeEncryption + - EnableInstanceConnect + - MetaDataToken + - Label: + default: Auto Scaling Configuration + Parameters: + - AutoScaleGroupName + - GatewaysMinSize + - GatewaysMaxSize + - AdminEmail + - GatewaysTargetGroups + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + - Label: + default: Proxy Configuration (optional) + Parameters: + - ELBType + - ELBPort + - ELBClients + ParameterLabels: + VPC: + default: VPC + GatewaysSubnets: + default: Gateways subnets + GatewayName: + default: Gateways name + GatewayInstanceType: + default: Gateways instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableVolumeEncryption: + default: Enable volume encryption + EnableInstanceConnect: + default: Enable AWS Instance Connect + MetaDataToken: + default: Metadata HTTP token + GatewaysMinSize: + default: Minimum Gateway group size + GatewaysMaxSize: + default: Maximum Gateway group size + AdminEmail: + default: Email address + GatewaysTargetGroups: + 
default: Gateways target groups + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + ELBType: + default: Proxy type + ELBPort: + default: Proxy port + ELBClients: + default: Allowed proxy clients + AutoScaleGroupName: + default: Auto Scale Group name +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + GatewaysSubnets: + Description: Select at least 2 public subnets in the VPC. + Type: List + MinLength: 2 + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateways. 
+ Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableVolumeEncryption: + Description: Encrypt Auto Scaling instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewaysMinSize: + Description: The minimal number of gateways in the Auto Scaling group. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of gateways in the Auto Scaling group. + Type: Number + Default: 10 + MinValue: 1 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + GatewaysTargetGroups: + Description: A list of Target Groups to associate with the Auto Scaling. + group (comma separated list of ARNs, without spaces) (optional) + Type: String + Default: '' + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. 
+ Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". + to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. 
+ Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: ASG-configuration + MinLength: 1 + MaxLength: 30 + ELBType: + Type: String + Default: none + AllowedValues: + - none + - internal + - internet-facing + ELBPort: + Type: Number + Default: 8080 + ELBClients: + Type: String + Default: 0.0.0.0/0 + AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$' + AutoScaleGroupName: + Description: The Name of the Auto Scaling Group. (optional) + Type: String + Default: "" + MaxLength: 100 + +Conditions: + ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']] + ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + CreateELB: !Not [!Equals [!Ref ELBType, none]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] + GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""] +Resources: + ChkpGatewayRole: + Type: AWS::IAM::Role + Condition: EnableCloudWatch + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - ec2.amazonaws.com.cn + Action: + - sts:AssumeRole + Path: / + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: ChkpGatewayPolicy + PolicyRole: !Ref ChkpGatewayRole + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: EnableCloudWatch + Properties: + Path: / + Roles: + - !Ref ChkpGatewayRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: 
https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + NotificationTopic: + Type: AWS::SNS::Topic + Condition: ProvidedAdminEmail + Properties: + Subscription: + - Endpoint: !Ref AdminEmail + Protocol: email + ElasticLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Condition: CreateELB + Properties: + CrossZone: true + Listeners: + - LoadBalancerPort: !Ref ELBPort + InstancePort: !Ref ELBPort + Protocol: TCP + HealthCheck: + Target: !Join [':', [TCP, !Ref ELBPort]] + HealthyThreshold: 3 + UnhealthyThreshold: 5 + Interval: 30 + Timeout: 5 + Scheme: !Ref ELBType + Subnets: !Ref GatewaysSubnets + Policies: + - PolicyName: EnableProxyProtocol + PolicyType: ProxyProtocolPolicyType + Attributes: + - Name: ProxyProtocol + Value: true + InstancePorts: + - !Ref ELBPort + SecurityGroups: + - !Ref ELBSecurityGroup + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: !Join ['_', [!Ref 'AWS::StackName', PermissiveSecurityGroup]] + GroupDescription: Permissive security group. 
+ VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + GatewayGroup: + Type: AWS::AutoScaling::AutoScalingGroup + DependsOn: GatewayLaunchTemplate + Properties: + VPCZoneIdentifier: !Ref GatewaysSubnets + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + AutoScalingGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName] + MinSize: !Ref GatewaysMinSize + MaxSize: !Ref GatewaysMaxSize + LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue'] + TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue'] + HealthCheckGracePeriod: 3600 + HealthCheckType: ELB + NotificationConfiguration: !If + - ProvidedAdminEmail + - TopicARN: !Ref NotificationTopic + NotificationTypes: + - autoscaling:EC2_INSTANCE_LAUNCH + - autoscaling:EC2_INSTANCE_LAUNCH_ERROR + - autoscaling:EC2_INSTANCE_TERMINATE + - autoscaling:EC2_INSTANCE_TERMINATE_ERROR + - !Ref 'AWS::NoValue' + Tags: + - Key: Name + Value: !Ref GatewayName + PropagateAtLaunch: true + - Key: x-chkp-tags + Value: !Join + - ':' + - - !Join ['=', [management, !Ref ManagementServer]] + - !Join ['=', [template, !Ref ConfigurationTemplate]] + - !Join ['=', [ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] + PropagateAtLaunch: true + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: true + Groups: + - !Ref PermissiveSecurityGroup + Monitoring: + Enabled: true + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: 
!Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref InstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}' + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + GatewayScaleUpPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: 1 + GatewayScaleDownPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: -1 + CPUAlarmHigh: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-up if CPU > 80% for 10 minutes. 
+ MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 80 + AlarmActions: + - !Ref GatewayScaleUpPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: GreaterThanThreshold + CPUAlarmLow: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-down if CPU < 60% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 60 + AlarmActions: + - !Ref GatewayScaleDownPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: LessThanThreshold + ELBSecurityGroup: + Type: AWS::EC2::SecurityGroup + Condition: CreateELB + Properties: + GroupDescription: ELB security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: tcp + CidrIp: !Ref ELBClients + FromPort: !Ref ELBPort + ToPort: !Ref ELBPort +Outputs: + URL: + Description: The URL of the Proxy. + Condition: CreateELB + Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]] + SecurityGroup: + Description: The Security Group of the Auto Scaling group. + Value: !GetAtt PermissiveSecurityGroup.GroupId + diff --git a/china/aws/templates/cluster/README.md b/china/aws/templates/cluster/README.md new file mode 100644 index 00000000..c7a7c0f8 --- /dev/null +++ b/china/aws/templates/cluster/README.md @@ -0,0 +1,40 @@ +## Security Cluster + + + + + + + + + + + + + + + + + + + + +
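Review bot: The values this template marks `NoEcho` — `GatewaySICKey`, `GatewayPasswordHash`, `GatewayMaintenancePasswordHash` and `GatewayBootstrapScript` — are embedded base64-encoded in `GatewayLaunchTemplate.LaunchTemplateData.UserData`, so they are readable by any principal allowed `ec2:DescribeLaunchTemplateVersions` and by any process on a gateway through the instance metadata service; `Fn::Base64` is encoding, not protection, and `NoEcho` only masks the parameter inside CloudFormation. The parameter descriptions should state this, e.g. append `This value is passed to the instance in user data; read access to the launch template is read access to the key.` to the `GatewaySICKey` description, and the same applies to the identical UserData block in the earlier hunk, whose start is outside this view. The line `HttpTokens: !If [EnableMetaDataToken, required, optional]` is tied to the same risk — with `MetaDataToken` set to false the user data is fetchable from the instance without a session token — so the `MetaDataToken` description could add that disabling it also relaxes protection of the user data. Separately, `PermissiveSecurityGroup` admits `IpProtocol: -1` from `0.0.0.0/0` on instances launched with `AssociatePublicIpAddress: true`; if that is intentional because the gateway enforces its own policy, a one-line comment above the resource saying so would save every future reviewer from flagging it.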
    DescriptionNotesDirect Launch
    + Deploys and configures two Security Gateways as a Cluster.

    For more details, refer to the CloudGuard Network for AWS Security Cluster R80.20 and Higher Deployment Guide. +
    Creates a new VPC and deploys a Cluster into it.
    Deploys a Cluster into an existing VPC.
    +
    +
    +## Revision History +In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
    - R81 version deprecation. | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
    - Add description for reserved words in hostname | +| 20230503 | Template version 20230503 and above supports Smart-1 Cloud token validation. | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud. | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | diff --git a/china/aws/templates/cluster/cluster-master.yaml b/china/aws/templates/cluster/cluster-master.yaml new file mode 100644 index 00000000..15e3e69b --- /dev/null +++ b/china/aws/templates/cluster/cluster-master.yaml 
@@ -0,0 +1,505 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploy a Check Point Cluster in a new VPC (20250617). + See CloudGuard Network for AWS Single Availability Zone Cluster Deployment guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPCCIDR: + default: VPC CIDR + AvailabilityZone: + default: Availability zone + PublicSubnetCIDR: + default: Public subnet CIDR + PrivateSubnetCIDR: + default: Private subnet CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + 
GatewayVersion: + default: Version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the cluster. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block for your VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnetCIDR: + Description: The external subnet of the cluster. The cluster's public IPs will be generated from this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnetCIDR: + Description: The internal subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. + Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Default: false + Type: String + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". 
+ to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources (optional). + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnetCIDR + PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR + InternalRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPCStack + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: Private Subnets Route Table + ClusterStack: + Type: AWS::CloudFormation::Stack + DependsOn: VPCStack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cluster.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref 
VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberAExternalInterface: + Description: The external interface of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAExternalInterface + MemberAPrivateExternalAddress: + Description: The private external address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress + MemberAPrivateInternalAddress: + Description: The private internal address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+ MemberBSSH:
+ Condition: AllocateAddress
+ Description: SSH command to member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+ MemberBURL:
+ Condition: AllocateAddress
+ Description: URL to the member B portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL
+ MemberBPrivateExternalAddress:
+ Description: The private external address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress
+ MemberBPrivateInternalAddress:
+ Description: The private internal address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress
+ ClusterPrivateAliasExternalAddress:
+ Description: The secondary external private IP address of the cluster.
+ Value: !GetAtt ClusterStack.Outputs.ClusterPrivateAliasExternalAddress
+ ClusterPrivateAliasInternalAddress:
+ Description: The secondary internal private IP address of the cluster.
+ Value: !GetAtt ClusterStack.Outputs.ClusterPrivateAliasInternalAddress
+Rules:
+ MemberATokenNotProvided:
+ RuleCondition: !Equals [!Ref MemberAToken, '']
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ Assert: !Equals [!Ref MemberBToken, '']
+ MemberBTokenNotProvided:
+ RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ MembersTokenValueEquals:
+ RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+ Assertions:
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
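Review bot: The `AllowedPattern` on `MemberAToken` and `MemberBToken`, `'(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'`, does not validate what its second alternative appears to intend: `[aHR0cHM6Ly9]` is a character class matching any single character from that set, not the literal prefix `aHR0cHM6Ly9`, so any value containing whitespace followed by, for example, `a` or `0` passes. If the intent is to accept the token either bare or after leading text and a space, that alternative should read `(.*)\saHR0cHM6Ly9(.+)`; the file added at the next file header, cluster.yaml, likely carries the same pattern and should be kept in step. Separately, `VPCStack` and `ClusterStack` fetch their nested templates from unversioned URLs (`.../utils/vpc.yaml`, `.../cluster/cluster.yaml`) while the Description pins template version 20250617, so the cluster.yaml actually deployed is whatever that bucket serves at deploy time rather than the file this commit adds; a versioned object key, or a comment above `VPCStack` stating that the bucket is expected to mirror this revision, would make that dependency explicit.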
diff --git a/china/aws/templates/cluster/cluster.yaml b/china/aws/templates/cluster/cluster.yaml
new file mode 100644
index 00000000..b112ed45
--- /dev/null
+++ b/china/aws/templates/cluster/cluster.yaml
@@ -0,0 +1,755 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploys a Check Point Cluster into an existing VPC (20250617). + See CloudGuard Network for AWS Single Availability Zone Cluster Deployment guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnet + - PrivateSubnet + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnet: + default: Public subnet + PrivateSubnet: + default: Private subnet + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + 
default: Version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnet: + Description: The public subnet of the cluster. The cluster's public IPs will be generated from this subnet. The subnet's route table must have 0.0.0.0/0 route to Internet Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + PrivateSubnet: + Description: The private subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + InternalRouteTable: + Description: The route table id in which to set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the route table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. 
+ AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". + to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Single AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources (optional). + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. 
+ Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !Equals [!Ref GatewayPredefinedRole, ''] + ProvidedPassHash: !Not [!Equals [!Ref GatewayPasswordHash, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EmptyHostName: !Equals [!Ref GatewayHostname, ''] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ClusterReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ClusterReadyCondition: + Type: AWS::CloudFormation::WaitCondition + DependsOn: [MemberAInstance, MemberBInstance] + Condition: AllocateAddress + Properties: + Count: 2 + Handle: !Ref ClusterReadyHandle + Timeout: 1800 + ClusterRole: + Condition: CreateRole + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cluster-iam-role.yaml + ClusterInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]] + CloudwatchPolicy: + Condition: 
EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml + Parameters: + Version: !Join [-, [!Ref GatewayVersion, GW]] + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + MemberAExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A external. + SecondaryPrivateIpAddressCount: 1 + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_ExternalInterface + MemberBExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B external. + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_ExternalInterface + MemberAInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A internal. 
+ SecondaryPrivateIpAddressCount: 1 + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_InternalInterface + MemberBInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B internal. + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnet + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_InternalInterface + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + DependsOn: MemberAInternalInterface + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref MemberAInternalInterface + RouteTableId: !Ref InternalRouteTable + PrivateSubnetRouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnet + MemberAInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberAExternalInterface, MemberAInternalInterface, MemberAGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-A]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberAPublicAddress, '' ] ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, 
!Ref ClusterPublicAddress ] ] + - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] + - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] + MemberBInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberBExternalInterface, MemberBInternalInterface, MemberBGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-B]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberBPublicAddress, '' ] ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] + - !Join [ '=', [ cluster-eth0-private-ip, !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] + - !Join [ '=', [ cluster-eth1-private-ip, !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] ] ] + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref 
VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + 
NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" 
MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + ClusterPublicAddress: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + MemberAPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberBPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + ClusterAddressAssoc: + Type: AWS::EC2::EIPAssociation + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt ClusterPublicAddress.AllocationId + PrivateIpAddress: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses] + MemberAAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt MemberAPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberBAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberBInstance + Properties: + NetworkInterfaceId: !Ref MemberBExternalInterface + AllocationId: !GetAtt MemberBPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !Ref ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !Ref MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]] + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. 
+ Value: !Join ['', ['https://', !Ref MemberAPublicAddress]] + MemberAExternalInterface: + Description: The external interface of member A. + Value: !Ref MemberAExternalInterface + MemberAPrivateExternalAddress: + Description: The private external address of member A. + Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberAPrivateInternalAddress: + Description: The private internal address of member A. + Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !Ref MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]] + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !Join ['', ['https://', !Ref MemberBPublicAddress]] + MemberBPrivateExternalAddress: + Description: The private external address of member B. + Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberBPrivateInternalAddress: + Description: The private internal address of member B. + Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress + ClusterPrivateAliasExternalAddress: + Description: The secondary external private IP address of the cluster. + Value: !Select [ 0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses ] + ClusterPrivateAliasInternalAddress: + Description: The secondary internal private IP address of the cluster. 
+ Value: !Select [ 0, !GetAtt MemberAInternalInterface.SecondaryPrivateIpAddresses ] + +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [[!Ref MemberBToken], !Ref MemberAToken] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] + + diff --git a/china/aws/templates/cross-az-cluster/README.md b/china/aws/templates/cross-az-cluster/README.md new file mode 100644 index 00000000..410fbdba --- /dev/null +++ b/china/aws/templates/cross-az-cluster/README.md @@ -0,0 +1,26 @@ + +## Cross Availability Zone Cluster + + + + + + + + + + + + + + + + + + + +
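Review bot: `PermissiveSecurityGroup` admits every protocol from `0.0.0.0/0` and is attached to all four ENIs (both external and both internal interfaces), while the outputs hand out SSH and `https://` portal URLs on the member EIPs, so the only thing standing between the Internet and the gateway's admin services is the Check Point policy the gateway itself enforces. Nothing in the template says that, and a deployer reading the SG in isolation will assume it is a mistake or, worse, will be unaware that until the first policy is installed management ports are reachable from anywhere; add a comment on the resource such as `# Intentionally wide open: traffic filtering is enforced by the Check Point policy on the gateway, not by this security group. Lock down admin access (SSH/portal) in the gateway policy before relying on the member EIPs.` and consider an optional `AdminAccessCIDR` parameter for the case where the deployer wants defence in depth. Separately, the nested stacks (`ClusterRole`, `CloudwatchPolicy`, `AMI`) pull `TemplateURL`s from an unversioned S3 key, so what gets deployed depends on whatever is at that URL at deploy time; documenting the expected version (the `20250617` tag already used in `templateVersion`) or pointing at a versioned object would make the deployment reproducible. The second alternative in the `MemberAToken`/`MemberBToken` `AllowedPattern`, `(.*)\s[aHR0cHM6Ly9](.+)`, appears to be a character class rather than the intended literal prefix, so it accepts almost any value containing whitespace; if the intent is `\s(aHR0cHM6Ly9)(.+)`, the brackets should be parentheses.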
    DescriptionNotesDirect Launch
    + Deploys two Security Gateways, each in a different Availability Zone.

    For more details, refer to Cross Availability Zone Cluster for AWS R81.20 Administration Guide. +
    Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways into it.
    Deploys a Cross Availability Zone Cluster of Security Gateways into an existing VPC.
    +
    +
\ No newline at end of file
diff --git a/china/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml b/china/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml
new file mode 100644
index 00000000..8bf7bd6f
--- /dev/null
+++ b/china/aws/templates/cross-az-cluster/cross-az-cluster-master.yaml
@@ -0,0 +1,516 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploy a Check Point Cluster in a new VPC (20250617). + See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZones: + default: Availability zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role 
name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZones: + Description: The availability zones in which to deploy the cluster. + Type: List + MinLength: 2 + VPCCIDR: + Description: The CIDR block for your VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: The 1st external subnet of the cluster. The cluster's public IPs will be generated from this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: The 2nd external subnet of the cluster. The cluster's public IPs will be generated from this subnet. 
+ Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet1CIDR: + Description: The 1st internal subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: The 2nd internal subnet of the cluster. The cluster's private IPs will be generated from this subnet. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. 
+ Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Default: false + Type: String + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". + to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Improve product experience by sending data to Check Point. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+ Type: String
+ Default: ''
+ NoEcho: true
+ NTPPrimary:
+ Description: (optional)
+ Type: String
+ Default: 169.254.169.123
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+ NTPSecondary:
+ Description: (optional)
+ Type: String
+ Default: 0.pool.ntp.org
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+ AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+ Parameters:
+ AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+ NumberOfAZs: 2
+ VPCCIDR: !Ref VPCCIDR
+ PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+ PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+ PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
+ PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR
+ InternalRouteTable:
+ Type: AWS::EC2::RouteTable
+ DependsOn: VPCStack
+ Properties:
+ VpcId: !GetAtt VPCStack.Outputs.VPCID
+ Tags:
+ - Key: Name
+ Value: Private Subnets Route Table
+ ClusterStack:
+ Type: AWS::CloudFormation::Stack
+ DependsOn: VPCStack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster.yaml
+ Parameters:
+ VPC: !GetAtt VPCStack.Outputs.VPCID
+ PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+ PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID
+ PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+ PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID
+ InternalRouteTable: !Ref InternalRouteTable
+ GatewayName: !Ref GatewayName
+ GatewayInstanceType: !Ref GatewayInstanceType
+ KeyName: !Ref KeyName
+ AllocatePublicAddress: !Ref AllocatePublicAddress
+ VolumeSize: !Ref VolumeSize
+ VolumeEncryption: !Ref VolumeEncryption
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ GatewayPredefinedRole: !Ref GatewayPredefinedRole
+ TerminationProtection: !Ref TerminationProtection
+ MetaDataToken: !Ref MetaDataToken
+ GatewayVersion: !Ref GatewayVersion
+ Shell: !Ref Shell
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref GatewaySICKey
+ MemberAToken: !Ref MemberAToken
+ MemberBToken: !Ref MemberBToken
+ ResourcesTagName: !Ref ResourcesTagName
+ GatewayHostname: !Ref GatewayHostname
+ AllowUploadDownload: !Ref AllowUploadDownload
+ CloudWatch: !Ref CloudWatch
+ GatewayBootstrapScript: !Ref GatewayBootstrapScript
+ NTPPrimary: !Ref NTPPrimary
+ NTPSecondary: !Ref NTPSecondary
+Outputs:
+ ClusterPublicAddress:
+ Description: The public address of the cluster.
+ Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress
+ MemberAPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+ MemberASSH:
+ Condition: AllocateAddress
+ Description: SSH command to member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberASSH
+ MemberAURL:
+ Condition: AllocateAddress
+ Description: URL to the member A portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberAURL
+ MemberAExternalInterface:
+ Description: The external interface of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAExternalInterface
+ MemberAPrivateExternalAddress:
+ Description: The primary external private address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress
+ MemberAPrivateAliasAddress:
+ Description: The secondary external private IP address of Member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPrivateAliasAddress
+ MemberAPrivateInternalAddress:
+ Description: The private Internal address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress
+ MemberBPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+ MemberBSSH:
+ Condition: AllocateAddress
+ Description: SSH command to member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+ MemberBURL:
+ Condition: AllocateAddress
+ Description: URL to the member B portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL
+ MemberBPrivateExternalAddress:
+ Description: The primary external private address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress
+ MemberBPrivateAliasAddress:
+ Description: The secondary external private IP address of Member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateAliasAddress
+ MemberBPrivateInternalAddress:
+ Description: The private Internal address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress
+Rules:
+ MemberATokenNotProvided:
+ RuleCondition: !Equals [!Ref MemberAToken, '']
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ Assert: !Equals [!Ref MemberBToken, '']
+ MemberBTokenNotProvided:
+ RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ MembersTokenValueEquals:
+ RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+ Assertions:
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/china/aws/templates/cross-az-cluster/cross-az-cluster.yaml b/china/aws/templates/cross-az-cluster/cross-az-cluster.yaml
new file mode 100644
index 00000000..181a918c
--- /dev/null
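Review bot: The `AllowedPattern` on `MemberAToken` and `MemberBToken` in this new master template does not enforce what its first alternative suggests: in the second alternative `(.*)\s[aHR0cHM6Ly9](.+)` the square brackets are a character class, so any value containing whitespace followed by one character from that set passes, rather than a value carrying the base64 `https://` prefix (`aHR0cHM6Ly9`). Because the token is `NoEcho` and handed straight to the nested `ClusterStack`, a malformed value is only discovered at gateway bootstrap, after the VPC and cluster resources have already been created. If a literal prefix after whitespace is the intent, change both parameters to `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s(aHR0cHM6Ly9)(.+)|^$)'`. Separately, both `TemplateURL`s reference unversioned objects in the `cgi-cfts` cn-northwest-1 bucket, and the cluster child template added later in this patch appears to provision the IAM role and an allow-all security group; pinning these URLs (for example with an S3 `versionId` query string) would keep a later overwrite of `cluster/cross-az-cluster.yaml` from silently changing what this stack deploys.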
+++ b/china/aws/templates/cross-az-cluster/cross-az-cluster.yaml 
@@ -0,0 +1,780 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploys a Check Point Cluster into an existing VPC (20250617). + See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role 
name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. 
If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. + Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - 
m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). 
(optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. 
+ AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose + Improve product experience by sending data to Check Point. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !Equals [!Ref GatewayPredefinedRole, ''] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + EmptyHostName: !Equals [!Ref GatewayHostname, ''] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ClusterReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ClusterReadyCondition: + Type: AWS::CloudFormation::WaitCondition + DependsOn: [MemberAInstance, MemberBInstance] + Condition: AllocateAddress + Properties: + Count: 2 + Handle: !Ref ClusterReadyHandle + Timeout: 1800 + ClusterRole: + Condition: CreateRole + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cluster-iam-role.yaml + ClusterInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, 
!Ref GatewayPredefinedRole]] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole] + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Permissive security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + MemberAExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A external. + SecondaryPrivateIpAddressCount: 1 + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetA + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_ExternalInterface + MemberBExternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B external. 
+ SecondaryPrivateIpAddressCount: 1 + SourceDestCheck: false + GroupSet: [!Ref PermissiveSecurityGroup] + SubnetId: !Ref PublicSubnetB + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_ExternalInterface + MemberAInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member A internal. + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetA + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_A_InternalInterface + MemberBInternalInterface: + Type: AWS::EC2::NetworkInterface + DependsOn: PermissiveSecurityGroup + Properties: + Description: Member B internal. + GroupSet: [!Ref PermissiveSecurityGroup] + SourceDestCheck: false + SubnetId: !Ref PrivateSubnetB + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - Member_B_InternalInterface + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + DependsOn: MemberAInternalInterface + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref MemberAInternalInterface + RouteTableId: !Ref InternalRouteTable + PrivateSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetA + PrivateSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: ProvidedRouteTable + Properties: + RouteTableId: !Ref InternalRouteTable + SubnetId: !Ref PrivateSubnetB + ClusterPublicAddress: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + MemberAPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberBPublicAddress: + Type: AWS::EC2::EIP + Condition: 
AllocateAddress + Properties: + Domain: vpc + ClusterAddressAssoc: + Type: AWS::EC2::EIPAssociation + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt ClusterPublicAddress.AllocationId + PrivateIpAddress: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses] + MemberAAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt MemberAPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberBAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberBInstance + Properties: + NetworkInterfaceId: !Ref MemberBExternalInterface + AllocationId: !GetAtt MemberBPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberAInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberAExternalInterface, MemberAInternalInterface, ClusterPublicAddress, MemberBInternalInterface, MemberBExternalInterface, MemberAGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate + Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-A]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberAPublicAddress, '' ] ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] + - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt 
MemberAExternalInterface.SecondaryPrivateIpAddresses ] ] ] + MemberBInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberBExternalInterface, MemberBInternalInterface, ClusterPublicAddress, MemberAInternalInterface, MemberBGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-B]] + - Key: x-chkp-member-ips + Value: !Join + - ':' + - - !Join [ '=', [ public-ip, !If [ AllocateAddress, !Ref MemberBPublicAddress, '' ] ] ] + - !Join [ '=', [ external-private-ip, !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress ] ] + - !Join [ '=', [ internal-private-ip, !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress ] ] + - Key: x-chkp-cluster-ips + Value: !Join + - ':' + - - !Join [ '=', [ cluster-ip, !Ref ClusterPublicAddress ] ] + - !Join [ '=', [ secondary-external-private-ip, !Select [ 0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses ] ] ] + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' 
admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" 
bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' secondary_ip="', !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' remote_secondary_ip="', !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses], '"']] + - !Join ['', [' cluster_ip="', !Ref ClusterPublicAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join [ '', [' 
maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"cross-az-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"cross_az_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" clusterIp=\"${cluster_ip}\" secondaryIp=\"${secondary_ip}\" otherMemberPrivateClusterIp=\"${remote_secondary_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version +Outputs: + ClusterPublicAddress: + Description: The public address of the cluster. + Value: !Ref ClusterPublicAddress + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !Ref MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]] + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !Join ['', ['https://', !Ref MemberAPublicAddress]] + MemberAExternalInterface: + Description: The external interface of member A. + Value: !Ref MemberAExternalInterface + MemberAPrivateExternalAddress: + Description: The primary external private address of member A. + Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberAPrivateAliasAddress: + Description: The secondary external private IP address of Member A. 
+ Value: !Select [0, !GetAtt MemberAExternalInterface.SecondaryPrivateIpAddresses] + MemberAPrivateInternalAddress: + Description: The private Internal address of member A. + Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !Ref MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]] + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. + Value: !Join ['', ['https://', !Ref MemberBPublicAddress]] + MemberBPrivateExternalAddress: + Description: The primary external private address of member B. + Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberBPrivateAliasAddress: + Description: The secondary external private IP address of Member B. + Value: !Select [0, !GetAtt MemberBExternalInterface.SecondaryPrivateIpAddresses] + MemberBPrivateInternalAddress: + Description: The private Internal address of member B. + Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. 
Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] diff --git a/china/aws/templates/download-m.png b/china/aws/templates/download-m.png new file mode 100644 index 0000000000000000000000000000000000000000..1920b1bb2230d3ee4f67c0c2fdc51405432449b0 GIT binary patch literal 734 zcmV<40wMj0P)Uj3N}7+QYz(bv8o z_x<$T0&O*DyvfPA=iYNZ_nULBaOLSX{<0?SPGyu@J;LkqZj<8jNlCK4-317ufYWO7 zI4rs>7_Qfu;4!v&3^0ubqA=>Pv=2T;fa7KiXMewFhT~;b5U~wYzT4K<_^Dp zb(Hgo+)M}HyIwD#+^6(kyK!r>(DEWI?fIxFX^c$`O$_!4c)zfu`8F#Fg3zgv)X6(t zKp3vH^oCLST+JoNvzb*Z23<(tOur26#aqqM8*{QOmjqGl0`mDh6sHQ6)!GNGAhBW- zWTUc{8@Zg%h%}kn^Ou@i*XJZEPGcW~)>o?8Y}X0X)6<6&AS%(JON00lUc{EG+!mAS zeLk?LVLTj)H%mG3J5s?eeBVbHh9^&fCrn}&ds3>j(@4JKXBnxnelF610RNnVLQTBR zJrB}C9cj7V)8NjQ|H_3U5BXRM`J1z|vkz2N%{ug1Y}+DpNG^YtcRfZHhhqLrWtECo9#T_gMQj5g+d{*yu7?du=BaxrM3#j z+}{+~Zvw3R_^@UeMxs)wWOyI=%~`TxQZN>a#m4a;%k#XCq+pe{)n5V(09KY!`^#Ai QPXGV_07*qoM6N<$f`MLDGXMYp literal 0 HcmV?d00001 diff --git a/china/aws/templates/general/README.md b/china/aws/templates/general/README.md new file mode 100644 index 00000000..0905ffea --- /dev/null +++ b/china/aws/templates/general/README.md @@ -0,0 +1,29 @@ +## General + + + + + + + + + + + + + + + + + + +
    DescriptionDirect Launch
    + Create an IAM role for Security Management Server
    + Creates an IAM role in your account preconfigured with permissions to manage resources.
    + For more details, refer to sk122074 . +
    + Current Check Point AMIs
    + A helper template that returns the latest Check Point AMIs in a given region. +
    +
    +
diff --git a/china/aws/templates/general/cloudwatch-policy.yaml b/china/aws/templates/general/cloudwatch-policy.yaml
new file mode 100644
index 00000000..58dca0b6
--- /dev/null
+++ b/china/aws/templates/general/cloudwatch-policy.yaml
@@ -0,0 +1,39 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates an IAM role for selected permissions (20250617)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Policy Attributes
+ Parameters:
+ - PolicyName
+ - PolicyRole
+ ParameterLabels:
+ PolicyName:
+ default: Policy name
+ PolicyRole:
+ default: IAM role name
+Parameters:
+ PolicyName:
+ Description: ''
+ Type: String
+ Default: 'Cloudwatch'
+ AllowedPattern: '[\w+=,.@-]+'
+ PolicyRole:
+ Description: ''
+ Type: String
+ AllowedPattern: '[\w+=,.@-]+'
+Resources:
+ IAMPolicy:
+ Type: AWS::IAM::Policy
+ Properties:
+ PolicyName: !Sub "${PolicyName}-iam-policy"
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Action:
+ - cloudwatch:PutMetricData
+ Resource: '*'
+ Roles:
+ - !Ref PolicyRole
diff --git a/china/aws/templates/general/cluster-iam-role.yaml b/china/aws/templates/general/cluster-iam-role.yaml
new file mode 100644
index 00000000..7e5ea6d8
--- /dev/null
+++ b/china/aws/templates/general/cluster-iam-role.yaml
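Review bot: Both parameters in cloudwatch-policy.yaml are declared with `Description: ''`, so the console and the parent stack's callers get no guidance on what PolicyName and PolicyRole expect, even though the template appends `-iam-policy` to the former and attaches the policy to the latter. Suggest `Description: Prefix for the generated IAM policy name (the suffix -iam-policy is appended).` for PolicyName and `Description: Name of the existing IAM role the CloudWatch policy is attached to.` for PolicyRole. The `Resource: '*'` on cloudwatch:PutMetricData is expected, since that action does not take resource ARNs; a one-line comment above it such as `# PutMetricData is not resource-scoped; narrow via a cloudwatch:namespace condition if the gateway's namespace is fixed` would record that this was a deliberate choice rather than an oversight (the namespace value itself is not visible in this commit, so that condition would need confirming against the gateway configuration).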
@@ -0,0 +1,35 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates an IAM role for selected permissions (20250617)
+Resources:
+ ClusterIAMRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: [ec2.amazonaws.com.cn]
+ Action: sts:AssumeRole
+ Path: /
+ Policies:
+ - PolicyName: ClusterPolicy
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Action:
+ - ec2:AssignPrivateIpAddresses
+ - ec2:AssociateAddress
+ - ec2:CreateRoute
+ - ec2:DescribeNetworkInterfaces
+ - ec2:DescribeRouteTables
+ - ec2:ReplaceRoute
+ Resource: '*'
+Outputs:
+ ClusterIAMRole:
+ Description: The IAM role.
+ Value: !Ref ClusterIAMRole
+ ClusterARNRole:
+ Description: The IAM role ARN.
+ Value: !GetAtt ClusterIAMRole.Arn
diff --git a/china/aws/templates/general/cme-iam-role.yaml b/china/aws/templates/general/cme-iam-role.yaml
new file mode 100644
index 00000000..86a4a2d9
--- /dev/null
+++ b/china/aws/templates/general/cme-iam-role.yaml
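Review bot: The ClusterPolicy statement in cluster-iam-role.yaml grants the mutating actions ec2:AssociateAddress, ec2:CreateRoute and ec2:ReplaceRoute on `Resource: '*'`, so a gateway instance holding this role can re-point any route table or Elastic IP in the account rather than only the cluster's own. The role is created before the cluster's interfaces and routes exist, so listing their ARNs is not possible here, but the three write actions could be split into their own statement and bounded with a tag condition such as `Condition: {StringEquals: {'aws:ResourceTag/<tag-key>': '<stack-prefix>'}}` — that only works if the parent stack applies the tag to the EIPs and route table it manages, and the InternalRouteTable is caller-supplied, so it would need confirming. If the wildcard has to stay, a comment above `Resource: '*'` along the lines of `# cluster ENIs, EIPs and routes do not exist yet when this role is created; scoped by the parent stack's tags where possible` would keep the next edit from widening the scope without thought.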
@@ -0,0 +1,161 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+ Creates an IAM role for selected permissions (20250617)
+ See sk122074 administration guide for detailed deployment and configuration steps.
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: IAM
+ Parameters:
+ - Permissions
+ - Label:
+ default: Advanced Configuration (optional)
+ Parameters:
+ - STSRoles
+ - TrustedAccount
+ ParameterLabels:
+ Permissions:
+ default: IAM role
+ STSRoles:
+ default: STS roles
+ TrustedAccount:
+ default: Trusted Account ID
+Parameters:
+ Permissions:
+ Type: String
+ Default: Create with read permissions
+ AllowedValues:
+ - Create with read permissions
+ - Create with read-write permissions
+ - Create with assume role permissions (specify an STS role ARN)
+ STSRoles:
+ Description: The IAM role will be able to assume these STS Roles (comma separated list of ARNs, without spaces).
+ Type: String
+ Default: ''
+ TrustedAccount:
+ Description: A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it.
+ Type: String
+ Default: ''
+ AllowedPattern: '^([0-9]{12})|$'
+Conditions:
+ AllowReadPermissions: !Or
+ - !Equals [!Ref Permissions, Create with read permissions]
+ - !Equals [!Ref Permissions, Create with read-write permissions]
+ AllowWritePermissions: !Equals [!Ref Permissions, Create with read-write permissions]
+ ProvidedSTSRoles: !Not [!Equals [!Ref STSRoles, '']]
+ NotProvidedTrustedAccount: !Equals ['', !Ref TrustedAccount]
+ ProvidedTrustedAccount: !Not [!Condition NotProvidedTrustedAccount]
+Resources:
+ CMEIAMRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - !If
+ - ProvidedTrustedAccount
+ - Effect: Allow
+ Principal:
+ AWS: [!Ref TrustedAccount]
+ Action: ['sts:AssumeRole']
+ - !Ref 'AWS::NoValue'
+ - !If
+ - NotProvidedTrustedAccount
+ - Effect: Allow
+ Principal:
+ Service: [ec2.amazonaws.com.cn]
+ Action: ['sts:AssumeRole']
+ - !Ref 'AWS::NoValue'
+ Path: /
+ Policies:
+ - PolicyName: CMEPolicy
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - !If
+ - ProvidedSTSRoles
+ - Effect: Allow
+ Action: ['sts:AssumeRole']
+ Resource: !Split [',', !Ref STSRoles]
+ - !Ref 'AWS::NoValue'
+ - !If
+ - AllowReadPermissions
+ - Effect: Allow
+ Action:
+ - autoscaling:DescribeAutoScalingGroups
+ - ec2:DescribeRegions
+ - ec2:DescribeCustomerGateways
+ - ec2:DescribeInstances
+ - ec2:DescribeNetworkInterfaces
+ - ec2:DescribeRouteTables
+ - ec2:DescribeSecurityGroups
+ - ec2:DescribeSubnets
+ - ec2:DescribeTransitGateways
+ - ec2:DescribeTransitGatewayAttachments
+ - ec2:DescribeTransitGatewayRouteTables
+ - ec2:DescribeVpcs
+ - ec2:DescribeVpnGateways
+ - ec2:DescribeVpnConnections
+ - ec2:GetTransitGatewayAttachmentPropagations
+ - elasticloadbalancing:DescribeLoadBalancers
+ - elasticloadbalancing:DescribeTags
+ - elasticloadbalancing:DescribeListeners
+ - elasticloadbalancing:DescribeTargetGroups
+ - elasticloadbalancing:DescribeRules
+ - elasticloadbalancing:DescribeTargetHealth
+ Resource: '*'
+ - !Ref 'AWS::NoValue'
+ - !If
+ - AllowWritePermissions
+ - Effect: Allow
+ Action:
+ - ec2:AssociateTransitGatewayRouteTable
+ - ec2:AttachVpnGateway
+ - ec2:CreateCustomerGateway
+ - ec2:CreateVpnConnection
+ - ec2:CreateVpnGateway
+ - ec2:DeleteCustomerGateway
+ - ec2:DeleteVpnConnection
+ - ec2:DeleteVpnGateway
+ - ec2:DetachVpnGateway
+ - ec2:DisableTransitGatewayRouteTablePropagation
+ - ec2:DisableVgwRoutePropagation
+ - ec2:DisassociateTransitGatewayRouteTable
+ - ec2:EnableTransitGatewayRouteTablePropagation
+ - ec2:EnableVgwRoutePropagation
+ Resource: '*'
+ - !Ref 'AWS::NoValue'
+ - !If
+ - AllowWritePermissions
+ - Effect: Allow
+ Action:
+ - cloudformation:DescribeStacks
+ - cloudformation:DescribeStackResources
+ - cloudformation:ListStacks
+ Resource: '*'
+ - !Ref 'AWS::NoValue'
+ - !If
+ - AllowWritePermissions
+ - Effect: Allow
+ Action:
+ - cloudformation:CreateStack
+ - cloudformation:DeleteStack
+ Resource: 'arn:aws-cn:cloudformation:*:*:stack/vpn-by-tag--*/*'
+ - !Ref 'AWS::NoValue'
+ InstanceProfile:
+ Type: AWS::IAM::InstanceProfile
+ Properties:
+ InstanceProfileName: !Ref CMEIAMRole
+ Roles:
+ - !Ref CMEIAMRole
+Outputs:
+ CMEIAMRole:
+ Description: The IAM role.
+ Value: !Ref CMEIAMRole
+ CMEARNRole:
+ Description: The IAM role ARN.
+ Value: !GetAtt CMEIAMRole.Arn
+ InstanceProfile:
+ Description: The Instance Profile ARN.
+ Value: !GetAtt InstanceProfile.Arn
diff --git a/china/aws/templates/general/sts-role.yaml b/china/aws/templates/general/sts-role.yaml
new file mode 100755
index 00000000..93f5cb40
--- /dev/null
+++ b/china/aws/templates/general/sts-role.yaml
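Review bot: When TrustedAccount is set, the CMEIAMRole trust statement is `Principal: AWS: [!Ref TrustedAccount]` with `Action: ['sts:AssumeRole']` and no condition, so every principal in that account that is allowed to call AssumeRole can take on the CME permissions; for a cross-account trust the usual mitigation is an external ID checked with the `sts:ExternalId` condition key, which this template does not offer. Suggest an optional ExternalId parameter, listed under the existing "Advanced Configuration (optional)" group, and a condition on the trust statement that is only emitted when the parameter is non-empty, as sketched below; the Role in sts-role.yaml later in this commit has the same trust shape and would take the same addition. The TrustedAccount AllowedPattern `'^([0-9]{12})|$'` relies on CloudFormation's whole-string matching to mean "twelve digits or empty"; `'^([0-9]{12})?$'` says the same thing without depending on that reading.
```yaml
# … unchanged: Parameters (add next to TrustedAccount) …
  ExternalId:
    Description: Optional external ID that principals in the trusted account must present when assuming this role.
    Type: String
    Default: ''
# … unchanged: Conditions (add) …
  ProvidedExternalId: !Not [!Equals [!Ref ExternalId, '']]
# … unchanged: Resources.CMEIAMRole.Properties.AssumeRolePolicyDocument.Statement, first !If branch …
          - !If
            - ProvidedTrustedAccount
            - Effect: Allow
              Principal:
                AWS: [!Ref TrustedAccount]
              Action: ['sts:AssumeRole']
              Condition: !If
                - ProvidedExternalId
                - StringEquals:
                    sts:ExternalId: !Ref ExternalId
                - !Ref 'AWS::NoValue'
            - !Ref 'AWS::NoValue'
# … unchanged: remainder of the trust policy and CMEPolicy …
```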
@@ -0,0 +1,119 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creates an IAM role for cross account permissions (20190313)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Cross Account Permissions Configuration
+ Parameters:
+ - TrustedAccount
+ - Permissions
+ ParameterLabels:
+ TrustedAccount:
+ default: Trusted Account ID
+ STSPermissions:
+ default: IAM Role Permissions
+Parameters:
+ TrustedAccount:
+ Description: A 12 digits number that represents the ID of the trusted account.
+ Type: String
+ AllowedPattern: '^[0-9]{12}$'
+ STSPermissions:
+ Description: Select Read-Write if you intend to use this role with Transit VPC.
+ Type: String
+ Default: Read only
+ AllowedValues:
+ - Read only
+ - Read-Write
+Conditions:
+ AllowReadPermissions: !Or
+ - !Equals [!Ref STSPermissions, Read only]
+ - !Equals [!Ref STSPermissions, Read-Write]
+ AllowCreateVPNPermissions: !Equals [!Ref STSPermissions, Read-Write]
+Resources:
+ Role:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ AWS:
+ - !Ref TrustedAccount
+ Action:
+ - sts:AssumeRole
+ Path: /
+ Policies:
+ - PolicyName: Policy
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - !If
+ - AllowReadPermissions
+ - Effect: Allow
+ Action:
+ - ec2:DescribeInstances
+ - ec2:DescribeNetworkInterfaces
+ - ec2:DescribeSubnets
+ - ec2:DescribeVpcs
+ - ec2:DescribeVpnGateways
+ - ec2:DescribeVpnConnections
+ - ec2:DescribeSecurityGroups
+ - elasticloadbalancing:DescribeLoadBalancers
+ - elasticloadbalancing:DescribeTags
+ - elasticloadbalancing:DescribeListeners
+ - elasticloadbalancing:DescribeTargetGroups
+ - elasticloadbalancing:DescribeRules
+ - elasticloadbalancing:DescribeTargetHealth
+ - autoscaling:DescribeAutoScalingGroups
+ Resource: '*'
+ - !Ref 'AWS::NoValue'
+ - !If
+ - AllowCreateVPNPermissions
+ - Effect: Allow
+ Action:
+ - ec2:DescribeCustomerGateways
+ - ec2:CreateCustomerGateway
+ - ec2:DeleteCustomerGateway
+ - ec2:DescribeRouteTables
+ - ec2:EnableVgwRoutePropagation
+ - ec2:DisableVgwRoutePropagation
+ - ec2:DescribeVpnGateways
+ - ec2:CreateVpnGateway
+ - ec2:AttachVpnGateway
+ - ec2:DetachVpnGateway
+ - ec2:DeleteVpnGateway
+ - ec2:DescribeVpnConnections
+ - ec2:CreateVpnConnection
+ - ec2:DeleteVpnConnection
+ - ec2:DescribeTransitGateways
+ - ec2:DescribeTransitGatewayRouteTables
+ - ec2:DescribeTransitGatewayAttachments
+ - ec2:AssociateTransitGatewayRouteTable
+ - ec2:DisassociateTransitGatewayRouteTable
+ - ec2:EnableTransitGatewayRouteTablePropagation
+ - ec2:DisableTransitGatewayRouteTablePropagation
+ - ec2:GetTransitGatewayAttachmentPropagations
+ Resource: '*'
+ - !Ref 'AWS::NoValue'
+ - !If
+ - AllowCreateVPNPermissions
+ - Effect: Allow
+ Action:
+ - cloudformation:DescribeStacks
+ - cloudformation:DescribeStackResources
+ Resource: '*'
+ - !Ref 'AWS::NoValue'
+ - !If
+ - AllowCreateVPNPermissions
+ - Effect: Allow
+ Action:
+ - cloudformation:CreateStack
+ - cloudformation:DeleteStack
+ Resource: arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*
+ - !Ref 'AWS::NoValue'
+Outputs:
+ Role:
+ Description: The role ARN to assume by the trusted account.
+ Value: !GetAtt Role.Arn
diff --git a/china/aws/templates/geo-cluster/README.md b/china/aws/templates/geo-cluster/README.md
new file mode 100644
index 00000000..bd022a24
--- /dev/null
+++ b/china/aws/templates/geo-cluster/README.md
@@ -0,0 +1,40 @@ + +## Cross Availability Zone Cluster + + + + + + + + + + + + + + + + + + + 
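Review bot: The CreateStack/DeleteStack statement in sts-role.yaml still names the commercial partition, `Resource: arn:aws:cloudformation:*:*:stack/vpn-by-tag--*/*`, whereas cme-iam-role.yaml in this same commit uses `arn:aws-cn:`; in the China regions this directory is for, stack ARNs carry the `aws-cn` partition, so this Allow matches nothing and the Read-Write role cannot create or delete the vpn-by-tag stacks it is meant to manage. Replace it with `Resource: !Sub 'arn:${AWS::Partition}:cloudformation:*:*:stack/vpn-by-tag--*/*'`, which also lets cme-iam-role.yaml drop its hard-coded partition and keeps the two files aligned with the global copies. Separately, the ParameterGroups entry lists `- Permissions` but the parameter is declared as `STSPermissions` (and labelled as such under ParameterLabels), so the console grouping silently drops it; the entry should read `- STSPermissions`. The description's version stamp `(20190313)` also looks stale next to the `20250617` stamp on the other general templates, though that may be deliberate.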
    DescriptionNotesDirect Launch
    + Deploys two Security Gateways, each in a different Availability Zone.

    For more details, refer to CloudGuard Transit Gateway High Availability for AWS R80.40 Administration Guide. +
    Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways into it.
    Deploys a Cross Availability Zone Cluster of Security Gateways into an existing VPC.
    +
    +
    +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
    - R81 version deprecation | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
    - Add description for reserved words in hostname | +| 20230503 | Template version 20230503 and above supports Smart-1 Cloud token validation. | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud. | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | diff --git a/china/aws/templates/geo-cluster/geo-cluster-master.yaml b/china/aws/templates/geo-cluster/geo-cluster-master.yaml new file mode 100644 index 00000000..326a0f49 --- /dev/null +++ b/china/aws/templates/geo-cluster/geo-cluster-master.yaml 
@@ -0,0 +1,523 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploy a Check Point cross AZ Cluster in a new VPC (20241027)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - AvailabilityZones
+ - VPCCIDR
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ - PrivateSubnet1CIDR
+ - PrivateSubnet2CIDR
+ - Label:
+ default: EC2 Instance Configuration
+ Parameters:
+ - GatewayName
+ - GatewayInstanceType
+ - KeyName
+ - AllocatePublicAddress
+ - VolumeSize
+ - VolumeType
+ - VolumeEncryption
+ - EnableInstanceConnect
+ - GatewayPredefinedRole
+ - TerminationProtection
+ - MetaDataToken
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - GatewayVersion
+ - Shell
+ - GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
+ - GatewaySICKey
+ - Label:
+ default: Quick connect to Smart-1 Cloud (Recommended)
+ Parameters:
+ - MemberAToken
+ - MemberBToken
+ - Label:
+ default: Advanced Settings
+ Parameters:
+ - ResourcesTagName
+ - GatewayHostname
+ - AllowUploadDownload
+ - CloudWatch
+ - GatewayBootstrapScript
+ - NTPPrimary
+ - NTPSecondary
+ ParameterLabels:
+ AvailabilityZones:
+ default: Availability Zones
+ VPCCIDR:
+ default: VPC CIDR
+ PublicSubnet1CIDR:
+ default: Public subnet 1 CIDR
+ PublicSubnet2CIDR:
+ default: Public subnet 2 CIDR
+ PrivateSubnet1CIDR:
+ default: Private subnet 1 CIDR
+ PrivateSubnet2CIDR:
+ default: Private subnet 2 CIDR
+ GatewayName:
+ default: Gateway Name
+ GatewayInstanceType:
+ default: Security Gateways instance type
+ KeyName:
+ default: Key name
+ AllocatePublicAddress:
+ default: Allocate Elastic IPs for cluster members
+ VolumeSize:
+ default: Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ VolumeEncryption:
+ default: Volume encryption KMS key identifier
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ GatewayPredefinedRole:
+ default: Existing IAM role name
+ TerminationProtection:
+ default: Termination Protection
+ MetaDataToken:
+ default: Metadata HTTP token
+ GatewayVersion:
+ default: Gateways version & license
+ Shell:
+ default: Admin shell
+ GatewayPasswordHash:
+ default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
+ GatewaySICKey:
+ default: SIC key
+ MemberAToken:
+ default: Smart-1 Cloud Token for member A
+ MemberBToken:
+ default: Smart-1 Cloud Token for member B
+ ResourcesTagName:
+ default: Resources prefix tag
+ GatewayHostname:
+ default: Gateway Hostname
+ AllowUploadDownload:
+ default: Allow upload & download
+ CloudWatch:
+ default: CloudWatch metrics
+ GatewayBootstrapScript:
+ default: Bootstrap Script
+ NTPPrimary:
+ default: Primary NTP server
+ NTPSecondary:
+ default: Secondary NTP server
+Parameters:
+ AvailabilityZones:
+ Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved).
+ Type: List
+ MinLength: 2
+ VPCCIDR:
+ Description: CIDR block for the VPC.
+ Type: String
+ Default: 10.0.0.0/16
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PublicSubnet1CIDR:
+ Description: CIDR block for public subnet 1 located in the 1st Availability Zone. The cluster's public IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.10.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PublicSubnet2CIDR:
+ Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. The cluster's public IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.20.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PrivateSubnet1CIDR:
+ Description: CIDR block for private subnet 1 located in the 1st Availability Zone. The cluster's private IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.11.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PrivateSubnet2CIDR:
+ Description: CIDR block for private subnet 2 located in the 2nd Availability Zone. The cluster's private IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.21.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ GatewayName:
+ Description: The name tag of the Security Gateway instances. (optional)
+ Type: String
+ Default: Check-Point-Cluster
+ GatewayInstanceType:
+ Description: The instance type of the Secutiry Gateway.
+ Type: String
+ Default: c5.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - c6in.large
+ - c6in.xlarge
+ - c6in.2xlarge
+ - c6in.4xlarge
+ - c6in.8xlarge
+ - c6in.12xlarge
+ - c6in.16xlarge
+ - c6in.24xlarge
+ - c6in.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the Security Gateways.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ AllocatePublicAddress:
+ Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint.
+ Default: true
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ Default: 100
+ MinValue: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ VolumeEncryption:
+ Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+ Type: String
+ Default: alias/aws/ebs
+ EnableInstanceConnect:
+ Description: Enable SSH connection over AWS web console.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayPredefinedRole:
+ Description: A predefined IAM role to attach to the cluster profile. (optional)
+ Type: String
+ Default: ''
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ MetaDataToken:
+ Description: Set true to deploy the instance with metadata v2 token required.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ GatewayVersion:
+ Description: The license to install on the Security Gateways.
+ Type: String
+ Default: R81.10-BYOL
+ AllowedValues:
+ - R81.10-BYOL
+ - R82-BYOL
+ - R82.10-BYOL
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration.
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ GatewayPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to
+ get the PASSWORD's hash). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaySICKey:
+ Description: The Secure Internal Communication key creates trusted connections between
+ Check Point components. Choose a random string consisting of at least 8
+ alphanumeric characters.
+ Type: String
+ AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+ ConstraintDescription: At least 8 alpha numeric characters.
+ NoEcho: true
+ MemberAToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ MemberBToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ ResourcesTagName:
+ Description: Name tag prefix of the resources. (optional)
+ Type: String
+ Default: ''
+ GatewayHostname:
+ Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+ Type: String
+ Default: ''
+ AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+ ConstraintDescription: A valid hostname label or an empty string.
+ AllowUploadDownload:
+ Description: >-
+ Automatically download updates and share statistical data for product improvement purpose.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+ Type: String
+ Default: ''
+ NoEcho: true
+ NTPPrimary:
+ Description: (optional)
+ Type: String
+ Default: 169.254.169.123
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+ NTPSecondary:
+ Description: (optional)
+ Type: String
+ Default: 0.pool.ntp.org
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+ AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+ Parameters:
+ AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+ NumberOfAZs: 2
+ VPCCIDR: !Ref VPCCIDR
+ PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+ PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+ PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
+ PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR
+ InternalRouteTable:
+ Type: AWS::EC2::RouteTable
+ DependsOn: VPCStack
+ Properties:
+ VpcId: !GetAtt VPCStack.Outputs.VPCID
+ Tags:
+ - Key: Name
+ Value: Private Subnets Route Table
+ ClusterStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/geo-cluster.yaml
+ Parameters:
+ VPC: !GetAtt VPCStack.Outputs.VPCID
+ PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+ PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID
+ PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+ PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID
+ InternalRouteTable: !Ref InternalRouteTable
+ GatewayName: !Ref GatewayName
+ GatewayInstanceType: !Ref GatewayInstanceType
+ KeyName: !Ref KeyName
+ AllocatePublicAddress: !Ref AllocatePublicAddress
+ VolumeSize: !Ref VolumeSize
+ VolumeType: !Ref VolumeType
+ VolumeEncryption: !Ref VolumeEncryption
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ GatewayPredefinedRole: !Ref GatewayPredefinedRole
+ TerminationProtection: !Ref TerminationProtection
+ MetaDataToken: !Ref MetaDataToken
+ GatewayVersion: !Ref GatewayVersion
+ Shell: !Ref Shell
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref GatewaySICKey
+ MemberAToken: !Ref MemberAToken
+ MemberBToken: !Ref MemberBToken
+ ResourcesTagName: !Ref ResourcesTagName
+ GatewayHostname: !Ref GatewayHostname
+ AllowUploadDownload: !Ref AllowUploadDownload
+ CloudWatch: !Ref CloudWatch
+ GatewayBootstrapScript: !Ref GatewayBootstrapScript
+ NTPPrimary: !Ref NTPPrimary
+ NTPSecondary: !Ref NTPSecondary
+Outputs:
+ MemberAPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+ MemberAPrivateExternalAddress:
+ Description: The private external address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPrivateExternalAddress
+ MemberAPrivateInternalAddress:
+ Description: The private internal address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPrivateInternalAddress
+ MemberASSH:
+ Condition: AllocateAddress
+ Description: SSH command to member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberASSH
+ MemberAURL:
+ Condition: AllocateAddress
+ Description: URL to the member A portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberAURL
+ MemberBPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+ MemberBPrivateExternalAddress:
+ Description: The private external address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateExternalAddress
+ MemberBPrivateInternalAddress:
+ Description: The private internal address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPrivateInternalAddress
+ MemberBSSH:
+ Condition: AllocateAddress
+ Description: SSH command to member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+ MemberBURL:
+ Condition: AllocateAddress
+ Description: URL to the member B portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL
+Rules:
+ MemberATokenNotProvided:
+ RuleCondition: !Equals [!Ref MemberAToken, '']
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty."
+ Assert: !Equals [!Ref MemberBToken, '']
+ MemberBTokenNotProvided:
+ RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty."
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ MembersTokenValueEquals:
+ RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+ Assertions:
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/china/aws/templates/geo-cluster/geo-cluster.yaml b/china/aws/templates/geo-cluster/geo-cluster.yaml
new file mode 100644
index 00000000..51cdc5dd
--- /dev/null
+++ b/china/aws/templates/geo-cluster/geo-cluster.yaml
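Review bot: The `AllowedPattern` on MemberAToken and MemberBToken, `'(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'`, puts the expected prefix inside a character class in its second alternative, so `[aHR0cHM6Ly9]` matches one character from that set rather than the literal prefix, and any value containing whitespace followed by one of those characters (a constructed example: `x a`) passes validation. If the intent is that a token either starts with the prefix or carries it after a whitespace-separated label, the second alternative should read `(.*)\saHR0cHM6Ly9(.+)`; the same pattern is repeated for both parameters in the geo-cluster.yaml hunk. Separately, the nested `TemplateURL`s (`utils/vpc.yaml`, `cluster/geo-cluster.yaml`) carry no version, so what a deployment actually runs is whatever the bucket serves at deploy time even though this template identifies itself as 20241027; a comment such as `# nested templates are fetched unversioned and must be kept in lockstep with this file` or a versioned path would make that dependency explicit. For consistency, `AllowedPattern: '[\$\./a-zA-Z0-9]*'` on GatewayMaintenancePasswordHash should use the anchored form already used by GatewayPasswordHash, and "Secutiry" in the GatewayInstanceType description is a typo.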
@@ -0,0 +1,734 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploys a Check Point cross AZ Cluster into an existing VPC (20241027)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - VPC
+ - PublicSubnetA
+ - PublicSubnetB
+ - PrivateSubnetA
+ - PrivateSubnetB
+ - InternalRouteTable
+ - Label:
+ default: EC2 Instance Configuration
+ Parameters:
+ - GatewayName
+ - GatewayInstanceType
+ - KeyName
+ - AllocatePublicAddress
+ - VolumeSize
+ - VolumeType
+ - VolumeEncryption
+ - EnableInstanceConnect
+ - GatewayPredefinedRole
+ - TerminationProtection
+ - MetaDataToken
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - GatewayVersion
+ - Shell
+ - GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
+ - GatewaySICKey
+ - Label:
+ default: Quick connect to Smart-1 Cloud (Recommended)
+ Parameters:
+ - MemberAToken
+ - MemberBToken
+ - Label:
+ default: Advanced Settings
+ Parameters:
+ - ResourcesTagName
+ - GatewayHostname
+ - AllowUploadDownload
+ - CloudWatch
+ - GatewayBootstrapScript
+ - NTPPrimary
+ - NTPSecondary
+ ParameterLabels:
+ VPC:
+ default: VPC
+ PublicSubnetA:
+ default: Public subnet 1
+ PublicSubnetB:
+ default: Public subnet 2
+ PrivateSubnetA:
+ default: Private subnet 1
+ PrivateSubnetB:
+ default: Private subnet 2
+ InternalRouteTable:
+ default: Internal route table
+ GatewayName:
+ default: Gateway Name
+ GatewayInstanceType:
+ default: Security Gateways instance type
+ KeyName:
+ default: Key name
+ AllocatePublicAddress:
+ default: Allocate Elastic IPs for cluster members
+ VolumeSize:
+ default: Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ VolumeEncryption:
+ default: Volume encryption KMS key identifier
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ GatewayPredefinedRole:
+ default: Existing IAM role name
+ TerminationProtection:
+ default: Termination Protection
+ MetaDataToken:
+ default: Metadata HTTP token
+ GatewayVersion:
+ default: Gateways version & license
+ Shell:
+ default: Admin shell
+ GatewayPasswordHash:
+ default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
+ GatewaySICKey:
+ default: SIC key
+ MemberAToken:
+ default: Smart-1 Cloud Token for member A
+ MemberBToken:
+ default: Smart-1 Cloud Token for member B
+ ResourcesTagName:
+ default: Resources prefix tag
+ GatewayHostname:
+ default: Gateway Hostname
+ AllowUploadDownload:
+ default: Allow upload & download
+ CloudWatch:
+ default: CloudWatch metrics
+ GatewayBootstrapScript:
+ default: Bootstrap Script
+ NTPPrimary:
+ default: Primary NTP server
+ NTPSecondary:
+ default: Secondary NTP server
+Parameters:
+ VPC:
+ Description: Select an existing VPC.
+ Type: AWS::EC2::VPC::Id
+ MinLength: 1
+ ConstraintDescription: you must select a VPC.
+ PublicSubnetA:
+ Description: Select a public subnet for the first Security Gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a public subnet for the first Security Gateway.
+ PublicSubnetB:
+ Description: Select a public subnet for the second Security Gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a public subnet for the second Security Gateway.
+ PrivateSubnetA:
+ Description: Select a private subnet for the first Security Gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a private subnet for the first Security Gateway.
+ PrivateSubnetB:
+ Description: Select a private subnet for the second Security Gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a private subnet for the second Security Gateway.
+ InternalRouteTable:
+ Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional)
+ Type: String
+ Default: ''
+ GatewayName:
+ Description: The name tag of the Security Gateway instances. (optional)
+ Type: String
+ Default: Check-Point-Cluster
+ GatewayInstanceType:
+ Type: String
+ Default: c5.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - c6in.large
+ - c6in.xlarge
+ - c6in.2xlarge
+ - c6in.4xlarge
+ - c6in.8xlarge
+ - c6in.12xlarge
+ - c6in.16xlarge
+ - c6in.24xlarge
+ - c6in.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the Security Gateways.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ AllocatePublicAddress:
+ Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint.
+ Default: true
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ Default: 100
+ MinValue: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ VolumeEncryption:
+ Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+ Type: String
+ Default: alias/aws/ebs
+ EnableInstanceConnect:
+ Description: Enable SSH connection over AWS web console.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayPredefinedRole:
+ Description: A predefined IAM role to attach to the cluster profile. (optional)
+ Type: String
+ Default: ''
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ MetaDataToken:
+ Description: Set true to deploy the instance with metadata v2 token required.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ GatewayVersion:
+ Description: The license to install on the Security Gateways.
+ Type: String
+ Default: R81.10-BYOL
+ AllowedValues:
+ - R81.10-BYOL
+ - R82-BYOL
+ - R82.10-BYOL
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration.
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ GatewayPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to
+ get the PASSWORD's hash). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaySICKey:
+ Description: The Secure Internal Communication key creates trusted connections between
+ Check Point components. Choose a random string consisting of at least 8
+ alphanumeric characters.
+ Type: String
+ AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+ ConstraintDescription: At least 8 alpha numeric characters.
+ NoEcho: true
+ MemberAToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ MemberBToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ ResourcesTagName:
+ Description: Name tag prefix of the resources. (optional)
+ Type: String
+ Default: ''
+ GatewayHostname:
+ Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+ Type: String
+ Default: ''
+ AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+ ConstraintDescription: A valid hostname label or an empty string.
+ AllowUploadDownload:
+ Description: >-
+ Automatically download updates and share statistical data for product improvement purpose.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+ Type: String
+ Default: ''
+ NoEcho: true
+ NTPPrimary:
+ Description: (optional)
+ Type: String
+ Default: 169.254.169.123
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+ NTPSecondary:
+ Description: (optional)
+ Type: String
+ Default: 0.pool.ntp.org
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+ ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']]
+ AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+ EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+ CreateRole: !Equals [!Ref GatewayPredefinedRole, '']
+ ProvidedPassHash: !Not [!Equals [!Ref GatewayPasswordHash, '']]
+ ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+ EmptyHostName: !Equals [!Ref GatewayHostname, '']
+ EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+ EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+ ClusterReadyHandle:
+ Type: AWS::CloudFormation::WaitConditionHandle
+ Condition: AllocateAddress
+ Properties: {}
+ ClusterReadyCondition:
+ Type: AWS::CloudFormation::WaitCondition
+ Condition: AllocateAddress
+ DependsOn: [MemberAInstance, MemberBInstance]
+ Properties:
+ Count: 2
+ Handle: !Ref ClusterReadyHandle
+ Timeout: 1800
+ ClusterRole:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cluster-iam-role.yaml
+ ClusterInstanceProfile:
+ Type: AWS::IAM::InstanceProfile
+ Properties:
+ Path: /
+ Roles: [!If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]]
+ CloudwatchPolicy:
+ Condition: EnableCloudWatch
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml
+ Parameters:
+ PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
+ PolicyRole: !If [CreateRole, !GetAtt ClusterRole.Outputs.ClusterIAMRole, !Ref GatewayPredefinedRole]
+ AMI:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+ Parameters:
+ Version: !Join ['-', [!Ref GatewayVersion, GW]]
+ PermissiveSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Permissive security group.
+ VpcId: !Ref VPC
+ SecurityGroupIngress:
+ - IpProtocol: -1
+ CidrIp: 0.0.0.0/0
+ Tags:
+ - Key: Name
+ Value:
+ !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - PermissiveSecurityGroup
+ MemberAExternalInterface:
+ Type: AWS::EC2::NetworkInterface
+ Properties:
+ Description: External.
+ SourceDestCheck: false
+ GroupSet: [!Ref PermissiveSecurityGroup]
+ SubnetId: !Ref PublicSubnetA
+ Tags:
+ - Key: Name
+ Value:
+ !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - Member_A_ExternalInterface
+ MemberBExternalInterface:
+ Type: AWS::EC2::NetworkInterface
+ Properties:
+ Description: External.
+ SourceDestCheck: false
+ GroupSet: [!Ref PermissiveSecurityGroup]
+ SubnetId: !Ref PublicSubnetB
+ Tags:
+ - Key: Name
+ Value:
+ !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - Member_B_ExternalInterface
+ MemberAInternalInterface:
+ Type: AWS::EC2::NetworkInterface
+ Properties:
+ Description: Internal.
+ GroupSet: [!Ref PermissiveSecurityGroup]
+ SourceDestCheck: false
+ SubnetId: !Ref PrivateSubnetA
+ Tags:
+ - Key: Name
+ Value:
+ !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - Member_A_InternalInterface
+ MemberBInternalInterface:
+ Type: AWS::EC2::NetworkInterface
+ Properties:
+ Description: Internal.
+ GroupSet: [!Ref PermissiveSecurityGroup]
+ SourceDestCheck: false
+ SubnetId: !Ref PrivateSubnetB
+ Tags:
+ - Key: Name
+ Value:
+ !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - Member_B_InternalInterface
+ InternalDefaultRoute:
+ Type: AWS::EC2::Route
+ Condition: ProvidedRouteTable
+ DependsOn: MemberAInternalInterface
+ Properties:
+ DestinationCidrBlock: 0.0.0.0/0
+ NetworkInterfaceId: !Ref MemberAInternalInterface
+ RouteTableId: !Ref InternalRouteTable
+ PrivateSubnet1RouteTableAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ Condition: ProvidedRouteTable
+ Properties:
+ RouteTableId: !Ref InternalRouteTable
+ SubnetId: !Ref PrivateSubnetA
+ PrivateSubnet2RouteTableAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ Condition: ProvidedRouteTable
+ Properties:
+ RouteTableId: !Ref InternalRouteTable
+ SubnetId: !Ref PrivateSubnetB
+ MemberAInstance:
+ Type: AWS::EC2::Instance
+ DependsOn: [MemberAInternalInterface, MemberAGatewayLaunchTemplate]
+ Properties:
+ LaunchTemplate:
+ LaunchTemplateId: !Ref MemberAGatewayLaunchTemplate
+ Version: !GetAtt MemberAGatewayLaunchTemplate.LatestVersionNumber
+ DisableApiTermination: !Ref TerminationProtection
+ Tags:
+ - Key: Name
+ Value: !Join ['-',
[!Ref GatewayName, Member-A]] + MemberBInstance: + Type: AWS::EC2::Instance + DependsOn: [MemberBInternalInterface, MemberBGatewayLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MemberBGatewayLaunchTemplate + Version: !GetAtt MemberBGatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Join ['-', [!Ref GatewayName, Member-B]] + MemberAGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberAExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberAInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: !Base64 + 'Fn::Join': + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenA=''${MemberAToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-a'] + - !Join ['', [' other_member_ip="', !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberAPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] 
+ - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenA}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" elasticIp=\"${eip}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + MemberBGatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref MemberBExternalInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref MemberBInternalInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !Ref ClusterInstanceProfile + UserData: !Base64 + 'Fn::Join': + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; tokenB=''${MemberBToken}''' + - !If [AllocateAddress, !Sub ' 
wait_handle=''${ClusterReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [EmptyHostName, ' hostname=""',!Sub ' hostname=${GatewayHostname}-member-b'] + - !Join ['', [' other_member_ip="', !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress, '"']] + - !Join ['', [' eip="', !If [AllocateAddress, !Ref MemberBPublicAddress, ''], '"']] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join [ '', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"' ] ] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${tokenB}\"" installationType=\"geo-cluster\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20240204\" templateName=\"geo_cluster\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" elasticIp=\"${eip}\" otherMemberIp=\"${other_member_ip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + MemberAPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberBPublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + MemberAAddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberAInstance + Properties: + NetworkInterfaceId: !Ref MemberAExternalInterface + AllocationId: !GetAtt MemberAPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberBAddressAssoc: + Type: 
AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: MemberBInstance + Properties: + NetworkInterfaceId: !Ref MemberBExternalInterface + AllocationId: !GetAtt MemberBPublicAddress.AllocationId + PrivateIpAddress: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !Ref MemberAPublicAddress + MemberAPrivateExternalAddress: + Description: The private external address of member A. + Value: !GetAtt MemberAExternalInterface.PrimaryPrivateIpAddress + MemberAPrivateInternalAddress: + Description: The private internal address of member A. + Value: !GetAtt MemberAInternalInterface.PrimaryPrivateIpAddress + MemberAExternalInterface: + Description: The external interface of member A. + Value: !Ref MemberAExternalInterface + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberAPublicAddress]] + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !Join ['', ['https://', !Ref MemberAPublicAddress]] + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !Ref MemberBPublicAddress + MemberBPrivateExternalAddress: + Description: The private external address of member B. + Value: !GetAtt MemberBExternalInterface.PrimaryPrivateIpAddress + MemberBPrivateInternalAddress: + Description: The private internal address of member B. + Value: !GetAtt MemberBInternalInterface.PrimaryPrivateIpAddress + MemberBExternalInterface: + Description: The external interface of member B. + Value: !Ref MemberBExternalInterface + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref MemberBPublicAddress]] + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. 
+ Value: !Join ['', ['https://', !Ref MemberBPublicAddress]] +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty." + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty." + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/china/aws/templates/gwlb-asg/README.md b/china/aws/templates/gwlb-asg/README.md new file mode 100644 index 00000000..f287a7b1 --- /dev/null +++ b/china/aws/templates/gwlb-asg/README.md @@ -0,0 +1,73 @@ + +## Gateway Load Balancer (GWLB) Auto Scaling Group + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    DescriptionNotesDirect Launch
    + Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.

    For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. +
    Creates a new VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server.
    + Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC.

    For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. +
    Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server into an existing VPC.
    + Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.

    For more details, refer to CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide. +
    Creates a new VPC and deploys into it a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway.
    + Deploys and configures an AWS Auto Scaling group configured for Gateway Load Balancer in a Centralized Security VPC for Transit Gateway.

    For more details, refer to CloudGuard Network for AWS Gateway Load Balancer Security VPC for Transit Gateway R80.40 Deployment Guide. +
    Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, for Transit Gateway into an existing VPC.
    + Deploys and configures a Quick Start AWS Auto Scaling Group configured for Gateway Load Balancer in a Centralized Security VPC, and Servers in Servers VPC

    For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. +
    Creates a new Security VPC with Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, Servers' VPC with Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer in Servers' VPC, Servers and optionally a Security Management Server.
    +
    + Deploys and configures a Quick Start AWS Auto Scaling Group configured for Gateway Load Balancer in a Centralized Security VPC, and Servers in Servers VPC.

    For more details, refer to CloudGuard Network for AWS Centralized Gateway Load Balancer R80.40 Deployment Guide. +
    Deploys a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, optionally a Security Management Server into an existing Security VPC, Gateway Load Balancer Endpoints (1 per Availability Zone), Application Load Balancer and Servers into an existing Servers' VPC.
    +
    +
    +
    + +## Revision History +In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
    - R81 version deprecation | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240414 | Add support for Elastic Load Balancer Health Checks. | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
    - Add description for reserved words in hostname | +| 20221226 | Support ASG Launch Template instead of Launch Configuration. | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20220414 | First release of Check Point Auto Scaling GWLB Terraform module for AWS | diff --git a/china/aws/templates/gwlb-asg/autoscale-gwlb.yaml b/china/aws/templates/gwlb-asg/autoscale-gwlb.yaml new file mode 100644 index 00000000..e74745d0 --- /dev/null +++ b/china/aws/templates/gwlb-asg/autoscale-gwlb.yaml 
@@ -0,0 +1,677 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Create an Auto Scaling group of Check Point gateways (20250617) + See CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group Deployment Guide administration guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - GatewaysSubnets + - Label: + default: EC2 Instances Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - VolumeSize + - VolumeType + - EnableVolumeEncryption + - EnableInstanceConnect + - MetaDataToken + - Label: + default: Auto Scaling Configuration + Parameters: + - AutoScaleGroupName + - GatewaysMinSize + - GatewaysMaxSize + - AdminEmail + - GatewaysTargetGroups + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - AllowUploadDownload + - CloudWatch + - EnableIPv6Traffic + - GatewayBootstrapScript + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - ManagementServer + - ConfigurationTemplate + - Label: + default: Proxy Configuration (optional) + Parameters: + - ELBType + - ELBPort + - ELBClients + ParameterLabels: + VPC: + default: VPC + GatewaysSubnets: + default: Gateways subnets + GatewayName: + default: Gateways name + GatewayInstanceType: + default: Gateways instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableVolumeEncryption: + default: Enable volume encryption + EnableInstanceConnect: + default: Enable AWS Instance Connect + MetaDataToken: + default: Metadata HTTP token + GatewaysMinSize: + default: Minimum Gateway group size + GatewaysMaxSize: + default: Maximum Gateway group size 
+ AdminEmail: + default: Email address + GatewaysTargetGroups: + default: Gateways target groups + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + ELBType: + default: Proxy type + ELBPort: + default: Proxy port + ELBClients: + default: Allowed proxy clients + AutoScaleGroupName: + default: Auto Scale Group name + EnableIPv6Traffic: + default: Add support for IPv6 traffic inspection +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + GatewaysSubnets: + Description: Select at least 2 public subnets in the VPC. + Type: List + MinLength: 2 + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateways. 
+ Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. 
+ VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableVolumeEncryption: + Description: Encrypt Auto Scaling instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewaysMinSize: + Description: The minimal number of gateways in the Auto Scaling group. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of gateways in the Auto Scaling group. + Type: Number + Default: 10 + MinValue: 1 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + GatewaysTargetGroups: + Description: A list of Target Groups to associate with the Auto Scaling + group (comma separated list of ARNs, without spaces). (optional) + Type: String + Default: '' + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.20-BYOL + - R82-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). 
(optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. 
+ Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: ASG-configuration + MinLength: 1 + MaxLength: 30 + ELBType: + Type: String + Default: none + AllowedValues: + - none + - internal + - internet-facing + ELBPort: + Type: Number + Default: 8080 + ELBClients: + Type: String + Default: 0.0.0.0/0 + AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$' + AutoScaleGroupName: + Description: The Name of the Auto Scaling Group. (optional) + Type: String + Default: "" + MaxLength: 100 + EnableIPv6Traffic: + Description: Add support for IPv6 traffic inspection. + Type: String + Default: false + AllowedValues: + - true + - false +Conditions: + ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']] + ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + CreateELB: !Not [!Equals [!Ref ELBType, none]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] + GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""] + EnableIPv6: !Equals [!Ref EnableIPv6Traffic, true] +Resources: + ChkpGatewayRole: + Type: AWS::IAM::Role + Condition: EnableCloudWatch + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - ec2.amazonaws.com.cn + Action: + - sts:AssumeRole + Path: / + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: ChkpGatewayPolicy + PolicyRole: !Ref ChkpGatewayRole + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: EnableCloudWatch + Properties: + Path: / + Roles: + - !Ref ChkpGatewayRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: 
https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + NotificationTopic: + Type: AWS::SNS::Topic + Condition: ProvidedAdminEmail + Properties: + Subscription: + - Endpoint: !Ref AdminEmail + Protocol: email + ElasticLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Condition: CreateELB + Properties: + CrossZone: true + Listeners: + - LoadBalancerPort: !Ref ELBPort + InstancePort: !Ref ELBPort + Protocol: TCP + HealthCheck: + Target: !Join [':', [TCP, !Ref ELBPort]] + HealthyThreshold: 3 + UnhealthyThreshold: 5 + Interval: 30 + Timeout: 5 + Scheme: !Ref ELBType + Subnets: !Ref GatewaysSubnets + Policies: + - PolicyName: EnableProxyProtocol + PolicyType: ProxyProtocolPolicyType + Attributes: + - Name: ProxyProtocol + Value: true + InstancePorts: + - !Ref ELBPort + SecurityGroups: + - !Ref ELBSecurityGroup + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: !Join ['_', [!Ref 'AWS::StackName', PermissiveSecurityGroup]] + GroupDescription: Permissive security group. 
+ VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + GatewayGroup: + Type: AWS::AutoScaling::AutoScalingGroup + DependsOn: GatewayLaunchTemplate + Properties: + # AutoScalingGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName] + VPCZoneIdentifier: !Ref GatewaysSubnets + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + MinSize: !Ref GatewaysMinSize + MaxSize: !Ref GatewaysMaxSize + LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue'] + TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue'] + HealthCheckGracePeriod: 3600 + HealthCheckType: ELB + NotificationConfiguration: !If + - ProvidedAdminEmail + - TopicARN: !Ref NotificationTopic + NotificationTypes: + - autoscaling:EC2_INSTANCE_LAUNCH + - autoscaling:EC2_INSTANCE_LAUNCH_ERROR + - autoscaling:EC2_INSTANCE_TERMINATE + - autoscaling:EC2_INSTANCE_TERMINATE_ERROR + - !Ref 'AWS::NoValue' + Tags: + - Key: Name + Value: !Ref GatewayName + PropagateAtLaunch: true + - Key: x-chkp-tags + Value: !Join + - ':' + - - !Join ['=', [management, !Ref ManagementServer]] + - !Join ['=', [template, !Ref ConfigurationTemplate]] + - !Join ['=', [ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] + PropagateAtLaunch: true + - Key: x-chkp-topology + Value: internal + PropagateAtLaunch: true + - Key: x-chkp-solution + Value: autoscale_gwlb + PropagateAtLaunch: true + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: !Ref AllocatePublicAddress + Groups: + - !Ref PermissiveSecurityGroup + Monitoring: + Enabled: true + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If 
[EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref InstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'network:' + - ' version: 1' + - ' config:' + - ' - type: bridge' + - ' name: br0' + - ' mtu: *eth0-mtu' + - ' subnets:' + - ' - address: *eth0-private' + - ' type: static' + - ' gateway: *default-gateway' + - ' dns_nameservers:' + - ' - *eth0-dns1' + - ' bridge_interfaces:' + - ' - eth0' + - 'kernel_parameters:' + - ' sim:' + - ' - sim_geneve_enabled=1' + - ' - sim_geneve_br_dev=br0' + - ' fw:' + - ' - fwtls_bridge_mode_inspection=1' + - ' - fw_geneve_enabled=1' + - 'bootcmd:' + - ' - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local' + - ' - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local' + - ' - |' + - ' gparam_file_path="$(find $PPKDIR/boot/modules/ -regextype egrep -regex ''.*(sim_kern_64_3_10_64_v6|sim_kern_64_v6)\.gparams'')"' + - ' if cat $gparam_file_path | grep -q sim_geneve_enabled ; then' + - ' cp /etc/basedb /etc/basedb.bak' + - ' grep -vx "ipv6 t" /etc/basedb.bak | grep -vx "ipv6 f" > /etc/basedb;' + - ' echo "ipv6 t" >> /etc/basedb;' + - ' /etc/rc3.d/S07ipv6gen' + - ' fi' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}' + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref 
GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"autoscale_gwlb\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + GatewayScaleUpPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: 1 + GatewayScaleDownPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: -1 + CPUAlarmHigh: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-up if CPU > 80% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 80 + AlarmActions: + - !Ref GatewayScaleUpPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: GreaterThanThreshold + CPUAlarmLow: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-down if CPU < 60% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 60 + AlarmActions: + - !Ref GatewayScaleDownPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: LessThanThreshold + ELBSecurityGroup: + Type: AWS::EC2::SecurityGroup + Condition: CreateELB + Properties: + GroupDescription: ELB security group. + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: tcp + CidrIp: !Ref ELBClients + FromPort: !Ref ELBPort + ToPort: !Ref ELBPort +Outputs: + URL: + Description: The URL of the Proxy. 
+ Condition: CreateELB + Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]] + SecurityGroup: + Description: The Security Group of the Auto Scaling group. + Value: !GetAtt PermissiveSecurityGroup.GroupId +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/china/aws/templates/gwlb-asg/cme-iam-role-gwlb.yaml b/china/aws/templates/gwlb-asg/cme-iam-role-gwlb.yaml new file mode 100644 index 00000000..a6b48ff4 --- /dev/null +++ b/china/aws/templates/gwlb-asg/cme-iam-role-gwlb.yaml 
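Review bot: The launch template's UserData (the `python3 /etc/cloud_config.py ... sicKey=\"${sic}\" ... passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"` line) carries GatewaySICKey, both password hashes and the bootstrap script only base64-encoded, not encrypted, so `NoEcho: true` on those parameters merely masks them in CloudFormation parameter output — a principal with `ec2:DescribeLaunchTemplateVersions` or `ec2:DescribeInstanceAttribute` (userData), or any process on the gateway that can reach the metadata endpoint, can read them. I would add a YAML comment above `UserData:` in GatewayLaunchTemplate, e.g. `# NOTE: SIC key, password hashes and bootstrap script are passed base64-encoded (not encrypted) in user data; NoEcho only hides them in CloudFormation output. Restrict DescribeLaunchTemplateVersions/DescribeInstanceAttribute and keep MetaDataToken=true so IMDSv1 cannot expose /latest/user-data.` The `MetaDataToken` parameter description could say the same, since that is the reason its default is `true`. Separately, the `ELBClients` AllowedPattern accepts out-of-range octets and prefixes such as `999.1.1.1/99`, which only fails later at ELBSecurityGroup creation; tightening it to `AllowedPattern: '^((25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(25[0-5]|2[0-4]\d|1?\d?\d)/(3[0-2]|[12]?\d)$'` rejects it at parameter validation while still matching the `0.0.0.0/0` default.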
@@ -0,0 +1,131 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Creates an IAM role for selected permissions (20250617). Refer to sk122074 for more info +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: IAM + Parameters: + - Permissions + - Label: + default: Advanced Configuration (optional) + Parameters: + - STSRoles + - TrustedAccount + ParameterLabels: + Permissions: + default: IAM role + STSRoles: + default: STS roles + TrustedAccount: + default: Trusted Account ID +Parameters: + Permissions: + Type: String + Default: Create with read permissions + AllowedValues: + - Create with read permissions + - Create with read-write permissions + - Create with assume role permissions (specify an STS role ARN) + STSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated list of ARNs, without spaces). + Type: String + Default: '' + TrustedAccount: + Description: A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it. 
+ Type: String + Default: '' + AllowedPattern: '^([0-9]{12})|$' +Conditions: + AllowReadPermissions: !Or + - !Equals [!Ref Permissions, Create with read permissions] + - !Equals [!Ref Permissions, Create with read-write permissions] + AllowWritePermissions: !Equals [!Ref Permissions, Create with read-write permissions] + ProvidedSTSRoles: !Not [!Equals [!Ref STSRoles, '']] + NotProvidedTrustedAccount: !Equals ['', !Ref TrustedAccount] + ProvidedTrustedAccount: !Not [!Condition NotProvidedTrustedAccount] +Resources: + CMEIAMRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - !If + - ProvidedTrustedAccount + - Effect: Allow + Principal: + AWS: [!Ref TrustedAccount] + Action: ['sts:AssumeRole'] + - !Ref 'AWS::NoValue' + - !If + - NotProvidedTrustedAccount + - Effect: Allow + Principal: + Service: [ec2.amazonaws.com.cn] + Action: ['sts:AssumeRole'] + - !Ref 'AWS::NoValue' + Path: / + Policies: + - PolicyName: CMEPolicy + PolicyDocument: + Version: 2012-10-17 + Statement: + - !If + - ProvidedSTSRoles + - Effect: Allow + Action: ['sts:AssumeRole'] + Resource: !Split [',', !Ref STSRoles] + - !Ref 'AWS::NoValue' + - !If + - AllowReadPermissions + - Effect: Allow + Action: + - autoscaling:DescribeAutoScalingGroups + - ec2:DescribeRegions + - ec2:DescribeInstances + - ec2:DescribeNetworkInterfaces + - ec2:DescribeRouteTables + - ec2:DescribeSecurityGroups + - ec2:DescribeSubnets + - ec2:DescribeVpcs + - ec2:DescribeInternetGateways + - ec2:DescribeVpcEndpoints + - ec2:DescribeVpcEndpointServiceConfigurations + - elasticloadbalancing:DescribeLoadBalancers + - elasticloadbalancing:DescribeTags + - elasticloadbalancing:DescribeListeners + - elasticloadbalancing:DescribeTargetGroups + - elasticloadbalancing:DescribeRules + - elasticloadbalancing:DescribeTargetHealth + Resource: '*' + - !Ref 'AWS::NoValue' + - !If + - AllowWritePermissions + - Effect: Allow + Action: + - ec2:CreateRoute + - ec2:ReplaceRoute + - 
ec2:DeleteRoute + - ec2:CreateRouteTable + - ec2:AssociateRouteTable + - ec2:CreateTags + Resource: '*' + - !Ref 'AWS::NoValue' + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + InstanceProfileName: !Ref CMEIAMRole + Roles: + - !Ref CMEIAMRole +Outputs: + CMEIAMRole: + Description: The IAM role. + Value: !Ref CMEIAMRole + CMEARNRole: + Description: The IAM role ARN. + Value: !GetAtt CMEIAMRole.Arn + InstanceProfile: + Description: The Instance Profile ARN. + Value: !GetAtt InstanceProfile.Arn + diff --git a/china/aws/templates/gwlb-asg/gwlb-master.yaml b/china/aws/templates/gwlb-asg/gwlb-master.yaml new file mode 100644 index 00000000..363f6a94 --- /dev/null +++ b/china/aws/templates/gwlb-asg/gwlb-master.yaml 
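Review bot: The trust policy in CMEIAMRole lets any principal in the trusted account assume the role (`Principal: AWS: [!Ref TrustedAccount]`) with no `Condition`, and in read-write mode that role carries `ec2:CreateRoute`, `ec2:ReplaceRoute` and `ec2:DeleteRoute` on `Resource: '*'`, so a cross-account assumption can rewrite routing in every VPC of this account. Consider narrowing the principal to a specific role ARN or adding an `sts:ExternalId` condition, and scoping the write statement (e.g. an `aws:ResourceTag` condition or the route-table ARNs of the gateway VPCs). Note also that when TrustedAccount is set the `ec2.amazonaws.com.cn` service principal is dropped, so the InstanceProfile this template always creates cannot be used by an EC2 instance in that mode — presumably intended for a remote CME, but the TrustedAccount description should say so. STSRoles has no AllowedPattern, so a trailing comma in the list produces an empty `Resource` entry and a failed stack; `'^(arn:aws-cn:iam::[0-9]{12}:role/[^,]+(,arn:aws-cn:iam::[0-9]{12}:role/[^,]+)*)?$'` would catch that at parameter validation.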
@@ -0,0 +1,740 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20250617). + See CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group deployment guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - AcceptConnectionRequired + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - AutoScaleGroupName + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - IPMode + - AllocatePublicAddress + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + 
PublicSubnet1CIDR: + default: Auto Scaling Group Public Subnet 1 + PublicSubnet2CIDR: + default: Auto Scaling Group Public Subnet 2 + PublicSubnet3CIDR: + default: Auto Scaling Group Public Subnet 3 + PublicSubnet4CIDR: + default: Auto Scaling Group Public Subnet 4 + KeyName: + default: Key name + IPMode: + default: IP Configuration Mode + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + AcceptConnectionRequired: + default: Connection Acceptance Required + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & 
license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses + AutoScaleGroupName: + default: Auto Scale Group name +Parameters: + AvailabilityZones: + Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. 
+ Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: gwlb1 + MaxLength: 32 + ConstraintDescription: Must be a valid GWLB Name. + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: tg1 + MaxLength: 32 + ConstraintDescription: Must be a valid target group name. + AcceptConnectionRequired: + Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. 
Default is set to false(acceptance not required). + Default: "false" + AllowedValues: ["true", "false"] + Type: String + ConstraintDescription: Must be true or false. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. + Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - 
r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R82-BYOL + AllowedValues: + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. 
+ Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + IPMode: + Description: Specifies the IP mode for inspection of traffic encapsulation in IPv4 Geneve headers. When set to DualStack, both IPv4 and IPv6 traffic are inspected. For supported versions and Jumbo Hotfix requirements, refer to the admin guide. + Type: String + AllowedValues: + - IPv4 + - DualStack + Default: IPv4 + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. 
+ Type: String + Default: R82-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + AutoScaleGroupName: + Description: The Name of the Auto Scaling Group. 
(optional) + Type: String + Default: "" + MaxLength: 100 +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""] + IsIPv6Enabled: !Not [!Equals [!Ref IPMode, "IPv4"]] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: !If [IsIPv6Enabled, https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc-ipv6.yaml, https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml] + Parameters: + AvailabilityZones: !Join [',' , !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PublicSubnet3CIDR: !Ref PublicSubnet3CIDR + PublicSubnet4CIDR: !Ref PublicSubnet4CIDR + CreatePrivateSubnets: false + GWLBStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/gwlb.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName] + GatewaysSubnets: !Join + - ',' + - - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [ 3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue' ] + - !If [ 4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue' ] + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: 
!Ref Shell + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + AcceptConnectionRequired: !Ref AcceptConnectionRequired + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + IPMode: !Ref IPMode +Outputs: + VPCID: + Description: VPC ID. + Value: !GetAtt VPCStack.Outputs.VPCID + ManagementPublicAddress: + Description: The public address of the management server. + Value: !GetAtt GWLBStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !GetAtt GWLBStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. 
Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name + Value: !GetAtt GWLBStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. + Value: !GetAtt GWLBStack.Outputs.GWLBServiceName +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/china/aws/templates/gwlb-asg/gwlb.yaml b/china/aws/templates/gwlb-asg/gwlb.yaml new file mode 100644 index 00000000..664c32b5 --- /dev/null +++ b/china/aws/templates/gwlb-asg/gwlb.yaml 
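Review bot: AdminCIDR's AllowedPattern accepts a /0 suffix (`\/([0-9]|[1-2][0-9]|3[0-2])`), so `0.0.0.0/0` passes validation even though the description promises web, SSH and graphical-client access "only from this network"; GatewaysAddresses uses the same pattern. Changing the suffix group to `(\/([1-9]|[1-2][0-9]|3[0-2]))` would reject it, or at minimum add a `ConstraintDescription` warning that a wide-open CIDR exposes the management server's admin ports; if /0 must remain supported for some deployments, state that in the parameter description. Separately, the nested-stack URLs (`https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/gwlb.yaml` and `utils/vpc.yaml`) carry no version path even though this template is stamped 20250617, so whatever object sits in that bucket at deploy time runs with the stack's permissions — pinning to a versioned object key, or documenting the bucket's change control, would make that dependency auditable.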
@@ -0,0 +1,744 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+ Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, in a new VPC (20250617).
+ See CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group deployment guide for detailed deployment and configuration steps.
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Network Configuration
+ Parameters:
+ - VPC
+ - GatewaysSubnets
+ - Label:
+ default: General Settings
+ Parameters:
+ - KeyName
+ - EnableVolumeEncryption
+ - VolumeSize
+ - VolumeType
+ - EnableInstanceConnect
+ - TerminationProtection
+ - MetaDataToken
+ - AllowUploadDownload
+ - ManagementServer
+ - ConfigurationTemplate
+ - AdminEmail
+ - Shell
+ - Label:
+ default: Gateway Load Balancer Configuration
+ Parameters:
+ - GWLBName
+ - TargetGroupName
+ - AcceptConnectionRequired
+ - CrossZoneLoadBalancing
+ - Label:
+ default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration
+ Parameters:
+ - AutoScaleGroupName
+ - GatewayName
+ - GatewayInstanceType
+ - GatewaysMinSize
+ - GatewaysMaxSize
+ - GatewayVersion
+ - GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
+ - GatewaySICKey
+ - ControlGatewayOverPrivateOrPublicAddress
+ - AllocatePublicAddress
+ - IPMode
+ - CloudWatch
+ - GatewayBootstrapScript
+ - Label:
+ default: Check Point CloudGuard IaaS Security Management Server Configuration
+ Parameters:
+ - ManagementDeploy
+ - ManagementInstanceType
+ - ManagementVersion
+ - ManagementPasswordHash
+ - ManagementMaintenancePasswordHash
+ - GatewaysPolicy
+ - AdminCIDR
+ - GatewayManagement
+ - GatewaysAddresses
+ ParameterLabels:
+ VPC:
+ default: VPC
+ GatewaysSubnets:
+ default: Gateways subnets
+ KeyName:
+ default: Key name
+ IPMode:
+ default: IP Configuration Mode
+ EnableVolumeEncryption:
+ default: Enable environment volume encryption
+ VolumeSize:
+ default: 
Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ TerminationProtection:
+ default: Termination Protection
+ MetaDataToken:
+ default: Metadata HTTP token
+ AllowUploadDownload:
+ default: Allow upload & download
+ ManagementServer:
+ default: Management Server
+ ConfigurationTemplate:
+ default: Configuration template
+ AdminEmail:
+ default: Email address
+ Shell:
+ default: Admin shell
+ GWLBName:
+ default: Gateway Load Balancer Name
+ TargetGroupName:
+ default: Target Group Name
+ AcceptConnectionRequired:
+ default: Connection Acceptance Required
+ CrossZoneLoadBalancing:
+ default: Enable Cross Zone Load Balancing
+ GatewayName:
+ default: Gateways instance name
+ GatewayInstanceType:
+ default: Gateways instance type
+ GatewaysMinSize:
+ default: Minimum group size
+ GatewaysMaxSize:
+ default: Maximum group size
+ GatewayVersion:
+ default: Gateways version & license
+ GatewayPasswordHash:
+ default: Gateways Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
+ GatewaySICKey:
+ default: Gateways SIC key
+ ControlGatewayOverPrivateOrPublicAddress:
+ default: Gateways addresses
+ AllocatePublicAddress:
+ default: Allocate Public IPs
+ CloudWatch:
+ default: CloudWatch metrics
+ GatewayBootstrapScript:
+ default: Gateways bootstrap script
+ ManagementDeploy:
+ default: Deploy Management Server
+ ManagementInstanceType:
+ default: Management instance type
+ ManagementVersion:
+ default: Management version & license
+ ManagementPasswordHash:
+ default: Management password hash
+ ManagementMaintenancePasswordHash:
+ default: Management Maintenance Password hash
+ GatewaysPolicy:
+ default: Security Policy
+ AdminCIDR:
+ default: Administrator addresses
+ GatewayManagement:
+ default: Manage Gateways
+ GatewaysAddresses:
+ default: Gateways addresses
+ AutoScaleGroupName:
+ default: Auto Scale Group name
+Parameters:
+ VPC:
+ Description: Select 
an existing VPC.
+ Type: AWS::EC2::VPC::Id
+ MinLength: 1
+ ConstraintDescription: You must select a VPC.
+ GatewaysSubnets:
+ Description: Select at least 2 public subnets in the VPC.
+ Type: List
+ MinLength: 2
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the instances created by this stack.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+ EnableVolumeEncryption:
+ Description: Encrypt Environment instances volume with default AWS KMS key.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ MinValue: 100
+ Default: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ EnableInstanceConnect:
+ Description: Enable SSH connection over AWS web console.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ MetaDataToken:
+ Description: Set true to deploy the instance with metadata v2 token required.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ AllowUploadDownload:
+ Description: Automatically download updates and share statistical data for product improvement purpose.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ ManagementServer:
+ Description: The name that represents the Security Management Server in the automatic provisioning configuration.
+ Type: String
+ Default: gwlb-management-server
+ MinLength: 1
+ ConfigurationTemplate:
+ Description: A name of a gateway configuration template in the automatic provisioning configuration.
+ Type: String
+ Default: gwlb-ASG-configuration
+ MinLength: 1
+ MaxLength: 30
+ AdminEmail:
+ Description: Notifications about scaling events will be sent to this email address. 
(optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$'
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed.
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ GWLBName:
+ Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+ Type: String
+ Default: gwlb1
+ ConstraintDescription: Must be a valid GWLB Name.
+ TargetGroupName:
+ Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen.
+ Type: String
+ Default: tg1
+ ConstraintDescription: Must be a valid target group name.
+ AcceptConnectionRequired:
+ Description: Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false(acceptance not required).
+ Default: "false"
+ AllowedValues: ["true", "false"]
+ Type: String
+ ConstraintDescription: Must be true or false.
+ CrossZoneLoadBalancing:
+ Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ GatewayName:
+ Description: The name tag of the Security Gateway instances. (optional)
+ Type: String
+ Default: Check-Point-Gateway
+ GatewayInstanceType:
+ Description: The EC2 instance type for the Security Gateways. 
+ Type: String
+ Default: c6i.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: Must be a valid EC2 instance type
+ GatewaysMinSize:
+ Description: The minimal number of Security Gateways.
+ Type: Number
+ Default: 2
+ MinValue: 1
+ GatewaysMaxSize:
+ Description: The maximal number of Security Gateways. 
+ Type: Number
+ Default: 10
+ MinValue: 1
+ GatewayVersion:
+ Description: The version and license to install on the Security Gateways.
+ Type: String
+ Default: R82-BYOL
+ AllowedValues:
+ - R81.10-BYOL
+ - R81.20-BYOL
+ - R82-BYOL
+ - R82.10-BYOL
+ GatewayPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaySICKey:
+ Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters.
+ Type: String
+ AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+ ConstraintDescription: Secure Internal Communication acti.vation key should contain only alpha numeric characters and be at least 8 characters long.
+ NoEcho: true
+ ControlGatewayOverPrivateOrPublicAddress:
+ Description: Determines if the gateways are provisioned using their private or public address.
+ Type: String
+ Default: private
+ AllowedValues:
+ - private
+ - public
+ AllocatePublicAddress:
+ Description: Allocate a Public IP for gateway members.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ IPMode:
+ Description: Specifies the IP mode for inspection of traffic encapsulation in IPv4 Geneve headers. 
When set to DualStack, both IPv4 and IPv6 traffic are inspected. For supported versions and Jumbo Hotfix requirements, refer to the admin guide.
+ Type: String
+ AllowedValues:
+ - IPv4
+ - DualStack
+ Default: IPv4
+ GatewayBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+ Type: String
+ Default: ''
+ NoEcho: true
+ ManagementDeploy:
+ Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ ManagementInstanceType:
+ Description: The EC2 instance type of the Security Management Server.
+ Type: String
+ Default: m5.xlarge
+ AllowedValues:
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - 
r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: Must be a valid EC2 instance type
+ ManagementVersion:
+ Description: The license to install on the Security Management Server.
+ Type: String
+ Default: R82-BYOL
+ AllowedValues:
+ - R81.10-BYOL
+ - R81.20-BYOL
+ - R82-BYOL
+ - R82.10-BYOL
+ ManagementPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaysPolicy:
+ Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group.
+ Type: String
+ Default: Standard
+ MinLength: 1
+ AdminCIDR:
+ Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server.
+ Type: String
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ GatewayManagement:
+ Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. 
+ Type: String
+ Default: Locally managed
+ AllowedValues:
+ - Locally managed
+ - Over the internet
+ GatewaysAddresses:
+ Description: Allow gateways only from this network to communicate with the Security Management Server.
+ Type: String
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ AutoScaleGroupName:
+ Description: The Name of the Auto Scaling Group. (optional)
+ Type: String
+ Default: ""
+ MaxLength: 100
+Conditions:
+ DeployManagement: !Equals [!Ref ManagementDeploy, true]
+ VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true]
+ GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""]
+ IsIPv6Enabled: !Not [!Equals [!Ref IPMode, "IPv4"]]
+Resources:
+ GatewayLoadBalancer:
+ Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+ Properties:
+ Type: gateway
+ Name: !Ref GWLBName
+ IpAddressType: !If [IsIPv6Enabled, dualstack, ipv4]
+ LoadBalancerAttributes:
+ - Key: load_balancing.cross_zone.enabled
+ Value: !Ref CrossZoneLoadBalancing
+ Subnets: !Ref GatewaysSubnets
+ Tags:
+ - Key: x-chkp-management
+ Value: !Ref ManagementServer
+ - Key: x-chkp-template
+ Value: !Ref ConfigurationTemplate
+ VpcEndpointService:
+ Type: AWS::EC2::VPCEndpointService
+ Properties:
+ # Due to an issue in AWS CloudFormation, EndpointService deployment does not support IPv6.
+ # This issue will be resolved in the future. 
+ AcceptanceRequired: !Ref AcceptConnectionRequired
+ GatewayLoadBalancerArns:
+ - !Ref GatewayLoadBalancer
+ TargetGroup:
+ Type: AWS::ElasticLoadBalancingV2::TargetGroup
+ Properties:
+ Name: !Ref TargetGroupName
+ Port: 6081
+ Protocol: GENEVE
+ HealthCheckPort: 8117
+ HealthCheckProtocol: TCP
+ TargetGroupAttributes:
+ - Key: deregistration_delay.timeout_seconds
+ Value: 20
+ VpcId: !Ref VPC
+ TargetType: instance
+ Tags:
+ - Key: Name
+ Value: !Join
+ - ""
+ - - !Ref AWS::StackName
+ - "-tg1"
+ Listener:
+ Type: AWS::ElasticLoadBalancingV2::Listener
+ Properties:
+ DefaultActions:
+ - Type: forward
+ TargetGroupArn: !Ref TargetGroup
+ LoadBalancerArn: !Ref GatewayLoadBalancer
+ SecurityGatewaysStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/autoscale-gwlb.yaml
+ Parameters:
+ VPC: !Ref VPC
+ AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName]
+ GatewaysSubnets: !Join [',', !Ref GatewaysSubnets]
+ GatewayName: !Ref GatewayName
+ GatewayInstanceType: !Ref GatewayInstanceType
+ KeyName: !Ref KeyName
+ Shell: !Ref Shell
+ EnableVolumeEncryption: !Ref EnableVolumeEncryption
+ VolumeType: !Ref VolumeType
+ VolumeSize: !Ref VolumeSize
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ MetaDataToken: !Ref MetaDataToken
+ GatewaysMinSize: !Ref GatewaysMinSize
+ GatewaysMaxSize: !Ref GatewaysMaxSize
+ AdminEmail: !Ref AdminEmail
+ GatewaysTargetGroups: !Ref TargetGroup
+ GatewayVersion: !Ref GatewayVersion
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref GatewaySICKey
+ AllowUploadDownload: !Ref AllowUploadDownload
+ ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress
+ AllocatePublicAddress: !Ref AllocatePublicAddress
+ CloudWatch: !Ref CloudWatch
+ GatewayBootstrapScript: !Ref 
GatewayBootstrapScript
+ ManagementServer: !Ref ManagementServer
+ ConfigurationTemplate: !Ref ConfigurationTemplate
+ IPMode: !Ref IPMode
+ ManagementStack:
+ Type: AWS::CloudFormation::Stack
+ Condition: DeployManagement
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/management-gwlb.yaml
+ Parameters:
+ VPC: !Ref VPC
+ ManagementSubnet: !Select [0, !Ref GatewaysSubnets]
+ ManagementName: !Ref ManagementServer
+ ManagementInstanceType: !Ref ManagementInstanceType
+ KeyName: !Ref KeyName
+ Shell: !Ref Shell
+ VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, '']
+ VolumeType: !Ref VolumeType
+ VolumeSize: !Ref VolumeSize
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ ManagementPermissions: Create with read-write permissions
+ ManagementVersion: !Ref ManagementVersion
+ ManagementPasswordHash: !Ref ManagementPasswordHash
+ ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash
+ AllowUploadDownload: !Ref AllowUploadDownload
+ AdminCIDR: !Ref AdminCIDR
+ GatewayManagement: !Ref GatewayManagement
+ GatewaysAddresses: !Ref GatewaysAddresses
+ TerminationProtection: !Ref TerminationProtection
+ MetaDataToken: !Ref MetaDataToken
+ ManagementBootstrapScript: !Join
+ - ';'
+ - - 'echo -e "\nStarting Bootstrap script\n"'
+ - !Sub 'policy=${GatewaysPolicy} ; region=${AWS::Region} ; conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer}'
+ - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}]
+ - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']]
+ - 'controller="gwlb-controller"'
+ - 'echo "Creating CME configuration"'
+ - 'autoprov_cfg -f init AWS -mn "${mgmt}" -tn "${conf_template}" -cn "${controller}" -po "${policy}" -otp "${sic}" -r "${region}" -ver "${version}" -iam'
+ - 'echo -e "\nFinished Bootstrap script\n"'
+Outputs:
+ VPCID:
+ Description: VPC ID. 
+ Value: !Ref VPC
+ ManagementPublicAddress:
+ Description: The public address of the management server.
+ Value: !GetAtt ManagementStack.Outputs.PublicAddress
+ Condition: DeployManagement
+ ConfigurationTemplateName:
+ Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name.
+ Value: !Ref ConfigurationTemplate
+ ControllerName:
+ Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name.
+ Value: gwlb-controller
+ GWLBName:
+ Description: Gateway Load Balancer Name.
+ Value: !Ref GWLBName
+ GWLBServiceName:
+ Description: Gateway Load Balancer Service Name.
+ Value: !Sub ['cn.com.amazonaws.vpce.${AWS::Region}.${Service}', {Service: !Ref VpcEndpointService}]
+Rules:
+ GatewayAddressAllocationRule:
+ RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public']
+ Assertions:
+ - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false"
+ Assert: !Equals [!Ref AllocatePublicAddress, 'true']
diff --git a/china/aws/templates/gwlb-asg/management-gwlb.yaml b/china/aws/templates/gwlb-asg/management-gwlb.yaml
new file mode 100644
index 00000000..fc824c8b
--- /dev/null
+++ b/china/aws/templates/gwlb-asg/management-gwlb.yaml
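Review bot: `ManagementVersion` in this template lists `R82.10-BYOL` under `AllowedValues`, but the `management-gwlb.yaml` added in the next hunk accepts only `R81.10-BYOL`, `R81.20-BYOL` and `R82-BYOL`; if the `TemplateURL` under `ManagementStack` is published from that file, choosing R82.10 with `ManagementDeploy: true` will fail nested-stack parameter validation, so either drop `- R82.10-BYOL` here or add it to the nested template's list. The top-level `Description` says the deployment goes "in a new VPC" while the `VPC` parameter reads "Select an existing VPC." and the `VPCID` output is just `!Ref VPC`; `in an existing VPC` describes what the template does. The `ConstraintDescription` of `GatewaySICKey` has a typo, `acti.vation` should read `activation`. `ManagementStack` hard-codes `ManagementPermissions: Create with read-write permissions` although the nested template also offers `Create with read permissions`; if the CME controller set up by the bootstrap script does not need write access, exposing this as a parameter with the read-only default would follow least privilege — worth confirming against the CME requirements.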
@@ -0,0 +1,578 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+ Deploys a Check Point Management Server (20250617)
+ See sk130372 administration guide for detailed deployment and configuration steps.
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - VPC
+ - ManagementSubnet
+ - Label:
+ default: EC2 Instance Configuration
+ Parameters:
+ - ManagementName
+ - ManagementInstanceType
+ - KeyName
+ - AllocatePublicAddress
+ - VolumeSize
+ - VolumeType
+ - VolumeEncryption
+ - EnableInstanceConnect
+ - TerminationProtection
+ - MetaDataToken
+ - Label:
+ default: IAM Permissions (ignored when the installation is not Primary Management
+ Server)
+ Parameters:
+ - ManagementPermissions
+ - ManagementPredefinedRole
+ - ManagementSTSRoles
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - ManagementVersion
+ - Shell
+ - ManagementPasswordHash
+ - ManagementMaintenancePasswordHash
+ - Label:
+ default: Security Management Server Settings
+ Parameters:
+ - ManagementHostname
+ - PrimaryManagement
+ - ManagementSICKey
+ - AllowUploadDownload
+ - AdminCIDR
+ - GatewayManagement
+ - GatewaysAddresses
+ - ManagementBootstrapScript
+ - NTPPrimary
+ - NTPSecondary
+ ParameterLabels:
+ VPC:
+ default: VPC
+ ManagementSubnet:
+ default: Management subnet
+ ManagementName:
+ default: Management name
+ ManagementInstanceType:
+ default: Instance type
+ KeyName:
+ default: Key name
+ AllocatePublicAddress:
+ default: Allocate an Elastic IP
+ VolumeSize:
+ default: Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ VolumeEncryption:
+ default: Volume encryption KMS key identifier
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ TerminationProtection:
+ default: Termination Protection
+ MetaDataToken:
+ default: Metadata HTTP token
+ ManagementPermissions:
+ default: IAM role
+ ManagementPredefinedRole:
+ default: Existing IAM role name
+ ManagementSTSRoles:
+ 
default: STS roles
+ ManagementVersion:
+ default: Version & license
+ Shell:
+ default: Admin shell
+ ManagementPasswordHash:
+ default: Password hash
+ ManagementMaintenancePasswordHash:
+ default: Management Maintenance Password hash
+ ManagementHostname:
+ default: Management hostname
+ PrimaryManagement:
+ default: Primary management
+ ManagementSICKey:
+ default: SIC key
+ AllowUploadDownload:
+ default: Allow upload & download
+ AdminCIDR:
+ default: Administrator addresses
+ GatewayManagement:
+ default: Gateways management
+ GatewaysAddresses:
+ default: Gateways addresses
+ ManagementBootstrapScript:
+ default: Management bootstrap script
+ NTPPrimary:
+ default: Primary NTP server
+ NTPSecondary:
+ default: Secondary NTP server
+Parameters:
+ VPC:
+ Description: Select an existing VPC.
+ Type: AWS::EC2::VPC::Id
+ MinLength: 1
+ ManagementSubnet:
+ Description: To access the instance from the internet, make sure the subnet has
+ a route to the internet
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ManagementName:
+ Description: The Management name tag.
+ Type: String
+ Default: Check-Point-Management
+ ManagementInstanceType:
+ Description: The instance type of the Security Management Server. 
+ Type: String
+ Default: m5.xlarge
+ AllowedValues:
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the instance.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ AllocatePublicAddress:
+ Description: Allocate an elastic IP for the Management. 
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ MinValue: 100
+ Default: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ VolumeEncryption:
+ Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+ Type: String
+ Default: alias/aws/ebs
+ EnableInstanceConnect:
+ Description: Enable SSH connection over AWS web console.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ MetaDataToken:
+ Description: Set true to deploy the instance with metadata v2 token required.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ ManagementPermissions:
+ Description: IAM role to attach to the instance profile.
+ Type: String
+ Default: Create with read permissions
+ AllowedValues:
+ - None (configure later)
+ - Use existing (specify an existing IAM role name)
+ - Create with assume role permissions (specify an STS role ARN)
+ - Create with read permissions
+ - Create with read-write permissions
+ ManagementPredefinedRole:
+ Description: A predefined IAM role to attach to the instance profile. Ignored
+ if IAM role is not set to 'Use existing'.
+ Type: String
+ Default: ''
+ ManagementSTSRoles:
+ Description: The IAM role will be able to assume these STS Roles (comma separated
+ list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use
+ existing'.
+ Type: CommaDelimitedList
+ Default: ''
+ ManagementVersion:
+ Description: The license to install on the Security Management Server. 
+ Type: String
+ Default: R81.20-BYOL
+ AllowedValues:
+ - R81.10-BYOL
+ - R81.20-BYOL
+ - R82-BYOL
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration.
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ ManagementPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+ to get the PASSWORD's hash). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ ManagementMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ ManagementHostname:
+ Description: (optional)
+ Type: String
+ Default: mgmt-aws
+ AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$'
+ ConstraintDescription: A valid hostname label or an empty string.
+ PrimaryManagement:
+ Description: Determines if this is the primary Management Server or not.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ ManagementSICKey:
+ Description: >-
+ Mandatory only if deploying a secondary Management Server, the Secure Internal
+ Communication key creates trusted connections between Check Point components.
+ Choose a random string consisting of at least 8 alphanumeric characters.
+ Type: String
+ Default: ''
+ AllowedPattern: '(|[a-zA-Z0-9]{8,})'
+ ConstraintDescription: Can be empty if this is a primary Management Server. Otherwise,
+ at least 8 alpha numeric characters.
+ NoEcho: true
+ AllowUploadDownload:
+ Description: Automatically download updates and share statistical data for product improvement purpose. 
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ AdminCIDR:
+ Description: Allow web, SSH, and graphical clients only from this network to communicate
+ with the Management Server.
+ Type: String
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ GatewaysAddresses:
+ Description: Allow gateways only from this network to communicate with the Management.
+ Server
+ Type: String
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
+ GatewayManagement:
+ Description: Select 'Over the internet' if any of the gateways you wish to manage
+ are not directly accessed via their private IP address.
+ Type: String
+ Default: Locally managed
+ AllowedValues:
+ - Locally managed
+ - Over the internet
+ ManagementBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EIP: !Equals [!Ref AllocatePublicAddress, true] + ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet] + ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet] + CreateRole: !Or + - !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref ManagementPermissions, Create with read permissions] + - !Equals [!Ref ManagementPermissions, Create with read-write permissions] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]] + NoSIC: !Equals [!Ref ManagementSICKey, ''] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref ManagementVersion, MGMT]] + ManagementReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: EIP + Properties: {} + ManagementReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: EIP + DependsOn: ManagementInstance + Properties: + Handle: !Ref ManagementReadyHandle + Timeout: 1800 + ManagementSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Management security group. 
+ VpcId: !Ref VPC + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + ManagementRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/cme-iam-role-gwlb.yaml + Parameters: + Permissions: !Ref ManagementPermissions + STSRoles: !Join [',', !Ref ManagementSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref ManagementPredefinedRole + ManagementInstance: + Type: AWS::EC2::Instance + DependsOn: ManagementLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref ManagementLaunchTemplate + Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref ManagementName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + 
GroupSet: + - !Ref ManagementSecurityGroup + DeleteOnTermination: true + SubnetId: !Ref ManagementSubnet + ManagementLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref ManagementInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; primary_mgmt=${PrimaryManagement} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary}' + - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref ManagementSICKey, ')"']]] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] + - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" 
templateVersion=\"20250617\" templateName=\"management_gwlb\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" primary=\"${primary_mgmt}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + PublicAddress: + Type: AWS::EC2::EIP + Condition: EIP + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: EIP + DependsOn: ManagementInstance + Properties: + InstanceId: !Ref ManagementInstance + AllocationId: !GetAtt PublicAddress.AllocationId +Outputs: + PublicAddress: + Condition: EIP + Description: The public address of the Management Server. + Value: !Ref PublicAddress + SSH: + Condition: EIP + Description: SSH command. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + URL: + Condition: EIP + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress]] diff --git a/china/aws/templates/gwlb-asg/tgw-gwlb-master.yaml b/china/aws/templates/gwlb-asg/tgw-gwlb-master.yaml new file mode 100644 index 00000000..d400a5a0 --- /dev/null +++ b/china/aws/templates/gwlb-asg/tgw-gwlb-master.yaml 
@@ -0,0 +1,870 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in a new VPC for Transit Gateway (20250617). + See CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group deployment guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - TgwSubnet1CIDR + - TgwSubnet2CIDR + - TgwSubnet3CIDR + - TgwSubnet4CIDR + - NatGwSubnet1CIDR + - NatGwSubnet2CIDR + - NatGwSubnet3CIDR + - NatGwSubnet4CIDR + - GWLBeSubnet1CIDR + - GWLBeSubnet2CIDR + - GWLBeSubnet3CIDR + - GWLBeSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - AutoScaleGroupName + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - 
ManagementPasswordHash + - ManagementMaintenancePasswordHash + - GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PublicSubnet3CIDR: + default: Public subnet 3 CIDR + PublicSubnet4CIDR: + default: Public subnet 4 CIDR + TgwSubnet1CIDR: + default: TGW subnet 1 CIDR + TgwSubnet2CIDR: + default: TGW subnet 2 CIDR + TgwSubnet3CIDR: + default: TGW subnet 3 CIDR + TgwSubnet4CIDR: + default: TGW subnet 4 CIDR + NatGwSubnet1CIDR: + default: NAT subnet 1 CIDR + NatGwSubnet2CIDR: + default: NAT subnet 2 CIDR + NatGwSubnet3CIDR: + default: NAT subnet 3 CIDR + NatGwSubnet4CIDR: + default: NAT subnet 4 CIDR + GWLBeSubnet1CIDR: + default: Gateway Load Balancer Endpoint subnet 1 CIDR + GWLBeSubnet2CIDR: + default: Gateway Load Balancer Endpoint subnet 2 CIDR + GWLBeSubnet3CIDR: + default: Gateway Load Balancer Endpoint subnet 3 CIDR + GWLBeSubnet4CIDR: + default: Gateway Load Balancer Endpoint subnet 4 CIDR + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + GatewayName: + default: Gateways instance name + 
GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses + AutoScaleGroupName: + default: Auto Scale Group name +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: The CIDR block of the provided VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet1CIDR: + Description: CIDR block for TGW subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet2CIDR: + Description: CIDR block for TGW subnet 2 located in the 2nd Availability Zone. 
+ Type: String + Default: 10.0.22.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet3CIDR: + Description: CIDR block for TGW subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.32.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet4CIDR: + Description: CIDR block for TGW subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.42.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet1CIDR: + Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.13.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet2CIDR: + Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.23.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet3CIDR: + Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.33.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet4CIDR: + Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.43.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet1CIDR: + Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone. 
+ Type: String + Default: 10.0.14.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet2CIDR: + Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.24.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet3CIDR: + Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.34.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet4CIDR: + Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.44.0/24 + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. 
+ Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: gwlb1 + MaxLength: 32 + ConstraintDescription: Must be a valid GWLB Name + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. 
+ Type: String + AllowedPattern: '^([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])$' + Default: tg1 + MaxLength: 32 + ConstraintDescription: Must be a valid target group name. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways + Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - 
r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. 
+ Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. + Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge 
+ - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. 
+ Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + AutoScaleGroupName: + Description: The Name of the Auto Scaling Group. (optional) + Type: String + Default: "" + MaxLength: 100 +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] + GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PublicSubnet3CIDR: !Ref PublicSubnet3CIDR + PublicSubnet4CIDR: !Ref PublicSubnet4CIDR + CreatePrivateSubnets: false + CreateAttachmentSubnets: true + AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR + AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR + AttachmentSubnet3CIDR: !Ref TgwSubnet3CIDR + AttachmentSubnet4CIDR: !Ref TgwSubnet4CIDR + TgwGwlbStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: 
https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/tgw-gwlb.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName] + IGWID: !GetAtt VPCStack.Outputs.IGWID + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + GatewaysSubnets: !Join + - ',' + - - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue'] + - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue'] + TgwSubnet1Id: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID + TgwSubnet2Id: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + TgwSubnet3Id: !If [3AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet3ID, ""] + TgwSubnet4Id: !If [4AZs, !GetAtt VPCStack.Outputs.AttachmentSubnet4ID, ""] + NatGwSubnet1CIDR: !Ref NatGwSubnet1CIDR + NatGwSubnet2CIDR: !Ref NatGwSubnet2CIDR + NatGwSubnet3CIDR: !Ref NatGwSubnet3CIDR + NatGwSubnet4CIDR: !Ref NatGwSubnet4CIDR + GWLBeSubnet1CIDR: !Ref GWLBeSubnet1CIDR + GWLBeSubnet2CIDR: !Ref GWLBeSubnet2CIDR + GWLBeSubnet3CIDR: !Ref GWLBeSubnet3CIDR + GWLBeSubnet4CIDR: !Ref GWLBeSubnet4CIDR + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: !Ref Shell + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + 
GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses +Outputs: + VPCID: + Description: VPC ID. + Value: !GetAtt VPCStack.Outputs.VPCID + ManagementPublicAddress: + Description: The public address of the management server. + Value: !GetAtt TgwGwlbStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !GetAtt TgwGwlbStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: !GetAtt TgwGwlbStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. 
+ Value: !GetAtt TgwGwlbStack.Outputs.GWLBServiceName + TgwSubnet1ID: + Description: TGW subnet 1 ID in Availability Zone 1. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID + TgwSubnet2ID: + Description: TGW subnet 2 ID in Availability Zone 2. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + TgwSubnet3ID: + Description: TGW subnet 3 ID in Availability Zone 3. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3ID + Condition: 3AZs + TgwSubnet4ID: + Description: TGW subnet 4 ID in Availability Zone 4. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4ID + Condition: 4AZs + TgwSubnet1CIDR: + Description: TGW subnet 1 CIDR in Availability Zone 1. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet1CIDR + TgwSubnet2CIDR: + Description: TGW subnet 2 CIDR in Availability Zone 2. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet2CIDR + TgwSubnet3CIDR: + Description: TGW subnet 3 CIDR in Availability Zone 3. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet3CIDR + Condition: 3AZs + TgwSubnet4CIDR: + Description: TGW subnet 4 CIDR in Availability Zone 4. + Value: !GetAtt VPCStack.Outputs.AttachmentSubnet4CIDR + Condition: 4AZs +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] diff --git a/china/aws/templates/gwlb-asg/tgw-gwlb.yaml b/china/aws/templates/gwlb-asg/tgw-gwlb.yaml new file mode 100644 index 00000000..10ab39d3 --- /dev/null +++ b/china/aws/templates/gwlb-asg/tgw-gwlb.yaml 
@@ -0,0 +1,1218 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploy a Gateway Load Balancer, Check Point CloudGuard IaaS Security Gateway Auto Scaling Group, and optionally a Security Management Server, Gateway Load Balancer Endpoints and NAT Gateways for each AZ, in an existing VPC for Transit Gateway (20250617). + See CloudGuard Network for AWS Gateway Load Balancer Auto Scaling Group deployment guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - IGWID + - AvailabilityZones + - NumberOfAZs + - GatewaysSubnets + - TgwSubnet1Id + - TgwSubnet2Id + - TgwSubnet3Id + - TgwSubnet4Id + - NatGwSubnet1CIDR + - NatGwSubnet2CIDR + - NatGwSubnet3CIDR + - NatGwSubnet4CIDR + - GWLBeSubnet1CIDR + - GWLBeSubnet2CIDR + - GWLBeSubnet3CIDR + - GWLBeSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - ManagementServer + - ConfigurationTemplate + - AdminEmail + - Shell + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - AutoScaleGroupName + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - ControlGatewayOverPrivateOrPublicAddress + - AllocatePublicAddress + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Gateway Load Balancer Configuration + Parameters: + - GWLBName + - TargetGroupName + - CrossZoneLoadBalancing + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - 
GatewaysPolicy + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + ParameterLabels: + VPC: + default: VPC + IGWID: + default: Internet Gateway ID + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + GatewaysSubnets: + default: Gateways subnets + TgwSubnet1Id: + default: Transit Gateway Attachment subnet 1 Id + TgwSubnet2Id: + default: Transit Gateway Attachment subnet 2 Id + TgwSubnet3Id: + default: Transit Gateway Attachment subnet 3 Id + TgwSubnet4Id: + default: Transit Gateway Attachment subnet 4 Id + NatGwSubnet1CIDR: + default: NAT subnet 1 CIDR + NatGwSubnet2CIDR: + default: NAT subnet 2 CIDR + NatGwSubnet3CIDR: + default: NAT subnet 3 CIDR + NatGwSubnet4CIDR: + default: NAT subnet 4 CIDR + GWLBeSubnet1CIDR: + default: Gateway Load Balancer Endpoint subnet 1 CIDR + GWLBeSubnet2CIDR: + default: Gateway Load Balancer Endpoint subnet 2 CIDR + GWLBeSubnet3CIDR: + default: Gateway Load Balancer Endpoint subnet 3 CIDR + GWLBeSubnet4CIDR: + default: Gateway Load Balancer Endpoint subnet 4 CIDR + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AdminEmail: + default: Email address + Shell: + default: Admin shell + GatewayName: + default: Gateways instance name + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Gateways Password hash + 
GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + AllocatePublicAddress: + default: Allocate Public IPs + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + GWLBName: + default: Gateway Load Balancer Name + TargetGroupName: + default: Target Group Name + CrossZoneLoadBalancing: + default: Enable Cross Zone Load Balancing + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Management instance type + ManagementVersion: + default: Management version & license + ManagementPasswordHash: + default: Management password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + GatewaysPolicy: + default: Security Policy + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses + AutoScaleGroupName: + default: Auto Scale Group name +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + IGWID: + Description: VPC's Internet Gateway Id (e.g. igw-123a4567). + Type: String + MinLength: 1 + ConstraintDescription: You must insert an Internet Gateway Id. + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + GatewaysSubnets: + Description: Select at least 2 public subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet. 
+ Type: List + MinLength: 2 + TgwSubnet1Id: + Description: The TGW attachment subnet ID located in the 1st Availability Zone. + Type: String + MinLength: 1 + ConstraintDescription: You must insert Tgw Subnet Id for Availability Zone 1. + TgwSubnet2Id: + Description: The TGW attachment subnet ID located in the 2nd Availability Zone. + Type: String + MinLength: 1 + ConstraintDescription: You must insert Tgw Subnet Id for Availability Zone 2. + TgwSubnet3Id: + Description: The TGW attachment subnet ID located in the 3rd Availability Zone. + Type: String + TgwSubnet4Id: + Description: The TGW attachment subnet ID located in the 4th Availability Zone. + Type: String + NatGwSubnet1CIDR: + Description: CIDR block for NAT subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.13.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet2CIDR: + Description: CIDR block for NAT subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.23.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet3CIDR: + Description: CIDR block for NAT subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.33.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + NatGwSubnet4CIDR: + Description: CIDR block for NAT subnet 4 located in the 4th Availability Zone. 
+ Type: String + Default: 10.0.43.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet1CIDR: + Description: CIDR block for GWLBe subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.14.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet2CIDR: + Description: CIDR block for GWLBe subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.24.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet3CIDR: + Description: CIDR block for GWLBe subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.34.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GWLBeSubnet4CIDR: + Description: CIDR block for GWLBe subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.44.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. 
+ EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: gwlb-management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: gwlb-ASG-configuration + MinLength: 1 + MaxLength: 30 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + Shell: + Description: Change the admin shell to enable advanced command line configuration. Applies for Security Gateways and Security Management Server if deployed. 
+ Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. + Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + 
ConstraintDescription: Must be a valid EC2 instance type. + GatewaysMinSize: + Description: The minimal number of Security Gateways. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. + Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + AllocatePublicAddress: + Description: Allocate a Public IP for gateway members. 
+ Type: String + Default: false + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + GWLBName: + Description: Gateway Load Balancer name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: gwlb1 + ConstraintDescription: Must be a valid GWLB Name + TargetGroupName: + Description: Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. A name cannot begin or end with a hyphen. + Type: String + Default: tg1 + ConstraintDescription: Must be a valid target group name. + CrossZoneLoadBalancing: + Description: Select 'true' to enable cross-az load balancing. NOTE! this may cause a spike in cross-az charges. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type. + ManagementVersion: + Description: The license to install on the Security Management Server. 
+ Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaysPolicy: + Description: The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group. + Type: String + Default: Standard + MinLength: 1 + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + AutoScaleGroupName: + Description: The Name of the Auto Scaling Group. 
(optional) + Type: String + Default: "" + MaxLength: 100 +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] + GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""] +Resources: + GWLBeSubnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 1 + - Key: Network + Value: Private + GWLBeSubnet2: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 2 + - Key: Network + Value: Private + GWLBeSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 3 + - Key: Network + Value: Private + GWLBeSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref GWLBeSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: GWLBe subnet 4 + - Key: Network + Value: Private + GWLBeSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 1 Route Table + - Key: Network + Value: Private + GWLBeSubnet1NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway1 + RouteTableId: !Ref GWLBeSubnet1RouteTable + GWLBeSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref GWLBeSubnet1RouteTable + SubnetId: !Ref GWLBeSubnet1 + GWLBeSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC 
+ Tags: + - Key: Name + Value: GWLBe Subnet 2 Route Table + - Key: Network + Value: Private + GWLBeSubnet2NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway2 + RouteTableId: !Ref GWLBeSubnet2RouteTable + GWLBeSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref GWLBeSubnet2RouteTable + SubnetId: !Ref GWLBeSubnet2 + GWLBeSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 3 Route Table + - Key: Network + Value: Private + GWLBeSubnet3NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway3 + RouteTableId: !Ref GWLBeSubnet3RouteTable + GWLBeSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + Properties: + RouteTableId: !Ref GWLBeSubnet3RouteTable + SubnetId: !Ref GWLBeSubnet3 + GWLBeSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: GWLBe Subnet 4 Route Table + - Key: Network + Value: Private + GWLBeSubnet4NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: !Ref NatGateway4 + RouteTableId: !Ref GWLBeSubnet4RouteTable + GWLBeSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref GWLBeSubnet4RouteTable + SubnetId: !Ref GWLBeSubnet4 + NatGwSubnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 1 + - Key: Network + Value: Private + NatGwSubnet2: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet2CIDR + AvailabilityZone: !Select [1, 
!Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 2 + - Key: Network + Value: Private + NatGwSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 3 + - Key: Network + Value: Private + NatGwSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZs + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref NatGwSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: NAT subnet 4 + - Key: Network + Value: Private + NatGwSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 1 Route Table + - Key: Network + Value: Public + NatGwSubnet1NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet1RouteTable + NatGwSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NatGwSubnet1RouteTable + SubnetId: !Ref NatGwSubnet1 + NatGwSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 2 Route Table + - Key: Network + Value: Public + NatGwSubnet2NatGwDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet2RouteTable + NatGwSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref NatGwSubnet2RouteTable + SubnetId: !Ref NatGwSubnet2 + NatGwSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 3 Route Table + - Key: Network + Value: Public + NatGwSubnet3NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref 
IGWID + RouteTableId: !Ref NatGwSubnet3RouteTable + NatGwSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + Properties: + RouteTableId: !Ref NatGwSubnet3RouteTable + SubnetId: !Ref NatGwSubnet3 + NatGwSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: NAT Subnet 4 Route Table + - Key: Network + Value: Public + NatGwSubnet4NatGwDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref IGWID + RouteTableId: !Ref NatGwSubnet4RouteTable + NatGwSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref NatGwSubnet4RouteTable + SubnetId: !Ref NatGwSubnet4 + GWLBStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gwlb/gwlb.yaml + Parameters: + VPC: !Ref VPC + AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName] + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + AllowUploadDownload: !Ref AllowUploadDownload + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate + AdminEmail: !Ref AdminEmail + Shell: !Ref Shell + GWLBName: !Ref GWLBName + TargetGroupName: !Ref TargetGroupName + AcceptConnectionRequired: false + CrossZoneLoadBalancing: !Ref CrossZoneLoadBalancing + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + 
GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + AllocatePublicAddress: !Ref AllocatePublicAddress + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + GatewaysPolicy: !Ref GatewaysPolicy + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + GWLBe1: + DependsOn: [GWLBStack, GWLBeSubnet1] + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet1 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe2: + DependsOn: [GWLBStack, GWLBeSubnet2] + Type: AWS::EC2::VPCEndpoint + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet2 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe3: + DependsOn: [GWLBStack, GWLBeSubnet3] + Type: AWS::EC2::VPCEndpoint + Condition: 3AZs + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet3 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + GWLBe4: + DependsOn: [GWLBStack, GWLBeSubnet4] + Type: AWS::EC2::VPCEndpoint + Condition: 4AZs + Properties: + VpcId: !Ref VPC + VpcEndpointType: GatewayLoadBalancer + SubnetIds: + - !Ref GWLBeSubnet4 + ServiceName: !GetAtt GWLBStack.Outputs.GWLBServiceName + TGWAttachmentSubnet1RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 1 Route Table + - Key: Network + Value: 
Private + TGWAttachmentSubnet1GWLBeDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe1 + RouteTableId: !Ref TGWAttachmentSubnet1RouteTable + TGWAttachmentSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref TGWAttachmentSubnet1RouteTable + SubnetId: !Ref TgwSubnet1Id + TGWAttachmentSubnet2RouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 2 Route Table + - Key: Network + Value: Private + TGWAttachmentSubnet2GWLBeDefaultRoute: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe2 + RouteTableId: !Ref TGWAttachmentSubnet2RouteTable + TGWAttachmentSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref TGWAttachmentSubnet2RouteTable + SubnetId: !Ref TgwSubnet2Id + TGWAttachmentSubnet3RouteTable: + Type: AWS::EC2::RouteTable + Condition: 3AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 3 Route Table + - Key: Network + Value: Private + TGWAttachmentSubnet3GWLBeDefaultRoute: + Type: AWS::EC2::Route + Condition: 3AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe3 + RouteTableId: !Ref TGWAttachmentSubnet3RouteTable + TGWAttachmentSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + Properties: + RouteTableId: !Ref TGWAttachmentSubnet3RouteTable + SubnetId: !Ref TgwSubnet3Id + TGWAttachmentSubnet4RouteTable: + Type: AWS::EC2::RouteTable + Condition: 4AZs + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Attachment Subnet 4 Route Table + - Key: Network + Value: Private + TGWAttachmentSubnet4GWLBeDefaultRoute: + Type: AWS::EC2::Route + Condition: 4AZs + Properties: + DestinationCidrBlock: 0.0.0.0/0 + VpcEndpointId: !Ref GWLBe4 + RouteTableId: !Ref 
TGWAttachmentSubnet4RouteTable + TGWAttachmentSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + Properties: + RouteTableId: !Ref TGWAttachmentSubnet4RouteTable + SubnetId: !Ref TgwSubnet4Id + NatGwPublicAddress1: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + NatGwPublicAddress2: + Type: AWS::EC2::EIP + Properties: + Domain: vpc + NatGwPublicAddress3: + Type: AWS::EC2::EIP + Condition: 3AZs + Properties: + Domain: vpc + NatGwPublicAddress4: + Type: AWS::EC2::EIP + Condition: 4AZs + Properties: + Domain: vpc + NatGateway1: + DependsOn: [GWLBStack, NatGwSubnet1] + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt NatGwPublicAddress1.AllocationId + SubnetId: !Ref NatGwSubnet1 + Tags: + - Key: Name + Value: NatGW1 + NatGateway2: + DependsOn: [GWLBStack, NatGwSubnet2] + Type: AWS::EC2::NatGateway + Properties: + AllocationId: !GetAtt NatGwPublicAddress2.AllocationId + SubnetId: !Ref NatGwSubnet2 + Tags: + - Key: Name + Value: NatGW2 + NatGateway3: + DependsOn: [GWLBStack, NatGwSubnet3] + Type: AWS::EC2::NatGateway + Condition: 3AZs + Properties: + AllocationId: !GetAtt NatGwPublicAddress3.AllocationId + SubnetId: !Ref NatGwSubnet3 + Tags: + - Key: Name + Value: NatGW3 + NatGateway4: + DependsOn: [GWLBStack, NatGwSubnet4] + Type: AWS::EC2::NatGateway + Condition: 4AZs + Properties: + AllocationId: !GetAtt NatGwPublicAddress4.AllocationId + SubnetId: !Ref NatGwSubnet4 + Tags: + - Key: Name + Value: NatGW4 +Outputs: + ManagementPublicAddress: + Description: The public address of the management server. + Value: !GetAtt GWLBStack.Outputs.ManagementPublicAddress + Condition: DeployManagement + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. 
+ Value: !GetAtt GWLBStack.Outputs.ConfigurationTemplateName + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: !GetAtt GWLBStack.Outputs.ControllerName + GWLBName: + Description: Gateway Load Balancer Name. + Value: !Ref GWLBName + GWLBServiceName: + Description: Gateway Load Balancer Service Name. + Value: !GetAtt GWLBStack.Outputs.GWLBServiceName +Rules: + GatewayAddressAllocationRule: + RuleCondition: !Equals [!Ref ControlGatewayOverPrivateOrPublicAddress, 'public'] + Assertions: + - AssertDescription: "Gateway's selected to be provisioned by public IP, but ['AllocatePublicAddress'] parameter is false" + Assert: !Equals [!Ref AllocatePublicAddress, 'true'] 
diff --git a/china/aws/templates/launch.png b/china/aws/templates/launch.png new file mode 100644 index 0000000000000000000000000000000000000000..b16d779c493cfdac15923f3114ba94d01bf98999 GIT binary patch literal 2941 zcmV-@3xf2CP)004&&004{<00AEV003vB002H&00Br#000h50000B=O+L10005n zX+uL$P-t&-Z*ypGa3D!TLm+T+Z)Rz1WdHy;%bk$G_W^)-PS50WJ!Ba@scL5yTRrMFE7>J3iZ#h|3MEudGkN;2U76tA0Zyq@7uVVMS5rl zX7b6rnY@`dFF^a)?R%RuSAjG$I@nm1r_Y|t+$YSVg=@Hv>tR$D-sYn%P+Wg)CGb5D z|D*-{_-ZY1ddsfkd@>&u+VC@rE~$?X8T>a+w1kZ67KHGIJ6Y4N~QNydDF%rI|f8GqE6UI8s_UZA^;fh?Kg0rN)d*d_WUwG7RQBFQT zIGBzCegmpPnW^$|xPAZt010qNS#tmY3labT3lag+-G2N400|9AL_t(&L+zV?P*p_~ z$KOm%jYU$DDAErxOaU=4P;gLDi4e<5lSa+5Kq)gd!pT&A_zWABkOZB9FiIWm7ctsT zwWO((YAh=!Cnt-VvFX>0_PeGgPxpHsXW4t--shwG!)Nc#e7tY>oU`}b-S6Aod*yjZ zJDz&!AYF6E7K*=mEnSqoCd~hg)X5uo{O_;X#aj6Cn;$!s;eN1yzB~2{Hvr+Fk&)9H zY0S)xHgaxn=ElQ>787P~as^|mgK@^#LjwsD*HQoR57GLqZwC|-3kc#tfVXNjebQb> zzji!He|@pd1|4k)a~gv&{^@Wdb+p&evl|yud1Zx7NUy&2DGSDVcv^OS#4`^9j_zMi zbg+@=y?Ubk)&8J9%;}3Y_9r^J`23A>s;geaLV`v%ZGXR0HeH9OxMDl2Z12t{`nkQ9 zsC^}K;=L+AjG_t?ava{ihBjAu$y>UL=HI!F3JW(-Y3U|~Fr zJzr|HpGqJ{?`rJM?Kizz1RHj0g%Ly3tCZ6cCc$W27NGQGW;MbxmajF&Pz zohbpK!YCjo4ngT;4;#RkY^Ms9MdQii@lf0PBBR|6#PyH4fMY?*z!;h}ahTEfzXCbp zTDZ2!-W?Xryw_@LGWF;&oh~@9&?q9AiS*@6XsNSiA&kE@6X8J%dXZVkEFfH1+jJ?M zyLJufT$Alop|Uuib8Kr|V6>Z%nEw5u_%oO_DTB-6(_DEoWv30K1KSqcV*d@ukp*O3 z&twmleUE#oPt=W8Tay(%d(KoM!l8?3#*Bv<5fi{h8~Z2LhSg?GZ8h(O@UoEwgn|+f zgz}-)!Fxygabn+CS42Q2+o?iDVI1eUr#{taH*tQ%nH+O$*C?YM{F8Q12HHZKXxn5D z7VqpFs~vm^bh<<&M`q>{-dN}7SF6pn&W?v4ur%PCT=2vW&ESo-5)fV>eg7_0<}aLJ zz|8`a4RkznC1s~ZD!=|QXH)BggO&ZjV^^@fd1<_B9nL6Ay|kmpNZj?Kd#P(JyeWq3 zD+@2?^4j@v)-rUiF%Kuw2J$!Akq6p<58Bl8MZ0nxAi3-DZn?JACvh1$qkMelaP~8` z5s18uaaKFPUqo2a^h1_32njQiPTAeoJ_rJ`z+?l>;7vCR2w-jdahJ8OznSiiAwfYp zz+?mH5ZpXE1f3+`Z0QVVhnea`0EnHHAI)WH2OSI_oTW~DaMt6+CV2pfcY>VZ50Sth zqR@R|cM}kVib0ng;Dc*PY@l47_bx&dd$3#-J;sU?5jll4xl=k_M@mX53kfq4#3bB! 
zUAfhsPe9NLG=o<_N4wz|Q#vZ)Sdl-JI` zMENW%=)-mJ)yuk%An~}i)H&mw9DjM3C5rRdM@P?7+I4F~=uWQsz0b^g9_I z55C-jE+n6rOh;VYTz=e#m;{IlPjnE_A0O1RW`GjV{*8$?0sXe;%5H%h1kQTQYB+zr zBZcNoiKfViGuThg%Wmz*_MJ7C+se*5w1YFss23k+-KZ;kgDrNQVB#fTCm(N3rl-7@ z(agLk_Sa)f?MlqGS?4Q%xo7bkozj)7^SbcSW6+Ln2X49Q#P-gx;&l<(#pFD&tYLp7 zkNgl5$QoWue;%02dm!Ts1Oa_z4YDbTV8BgEXPA&qMyKJkbSyr@E*&OiQ=POS0|3E0 z>-0f!;`DW^bAs#WWqc73H19X`a0$M^_# zA?b%KYl1GOg50U}`|IO)_QC&J#ExFswFg2$1O!#PfsS+oHwjEOkTo>IX5U;sfXnyY z9K+=us|Ip;`c=J@PkqUyHXoc(hOhWI>+ZbXH@H>BvC7BI*RAekOw9D{i{u(^ZJ-YK zEoI3qm|Wol8`_qBNFLC`+RP92^9{t3TZUP&x`6D+AxoORKhnX|95nFL`(^aXjt#6C z^%T}GYX!A8B+$`TpMXq>00_(t+#nd49N`D-H;wl_Y2;-@((FmSspq-AskwAoU)9FN z(PwcTe0869ntbAhFUl=d@hZky2VaRpJFq8N9UpAG6XYcA0NfA!agD>wLtB#hGdcks+q5{2%QbgjqT1M5 zGl=p=bUo@P#r2@4SHvqjd=Ue`Ky`@G+mRfCjn^p{*GmZj;4|vl8xoZd?oGcQHomAw zn-Ys_bSGE%NR0RvUEABQE*NG{!V{ec$Rs5DvgQ=gf~na`3$N9WW$^&@CK>{2TQ``F zJn8#JxdDNN2|Zq`OYPhXIYs0YlF&69;XTq@jcG~)3+7H^@!0+^3=au-qFh*7)*%Gft}b6G3UjQZbrJc^<6(XvF|NW;-hI1pHv&;^qO zmb0ixlZb#%JQqf0S{wWkJafs|H?0`MIsvx72f|+@qVk@?F?<2MP?R7iu!RYIo>=bN z7iA4iQX6cXQHF3}7tvu-S##f5ipgBcOPAkYB;s$PVHle~jp`RA(2Larc|(mr9XzFB zpA;rE!I+xBxSBu=W}RDR+~6u69O_pYn1vvsrNwEqxoiMGMmj-#n9yKr!5Kk)hc8m}Nh?uAr`{FjG(sO+9T5%)>UUvs ngnya({{|0K82{jZnM(9G9lJ2&?EU>R00000NkvXXu0mjfzX_8$ literal 0 HcmV?d00001 diff --git a/china/aws/templates/management/README.md b/china/aws/templates/management/README.md new file mode 100644 index 00000000..e8ffc710 --- /dev/null +++ b/china/aws/templates/management/README.md @@ -0,0 +1,35 @@ + +## Security Management Server + + + + + + + + + + + + + + + +
    DescriptionNotesDirect Launch
    + Deploys and configures a Security Management Server.

    For more details, refer to sk130372. +
    Deploys a Security Management Server into an existing VPC.
    +
    +
    +## Revision History +In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
    - R81 version deprecation. | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20230923 | Add support for C5d instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
    - Add description for reserved words in hostname | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Security Management Server Terraform module for AWS | diff --git a/china/aws/templates/management/management-master.yaml b/china/aws/templates/management/management-master.yaml new file mode 100755 index 00000000..d0d5403e --- /dev/null +++ b/china/aws/templates/management/management-master.yaml 
@@ -0,0 +1,601 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploys a Check Point Management Server into a new VPC (20250617) + See sk130372 administration guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnet1CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - ManagementName + - ManagementInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: IAM Permissions (ignored when the installation is not Primary Management + Server) + Parameters: + - ManagementPermissions + - ManagementPredefinedRole + - ManagementSTSRoles + - Label: + default: Check Point Settings + Parameters: + - ManagementVersion + - Shell + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - Label: + default: Security Management Server Settings + Parameters: + - ManagementHostname + - ManagementInstallationType + - SICKey + - AllowUploadDownload + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - ManagementBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZone: + default: Availability zone + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Management subnet CIDR + ManagementName: + default: Management name + ManagementInstanceType: + default: Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + ManagementPermissions: + 
default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + ManagementSTSRoles: + default: STS roles + ManagementVersion: + default: Version & license + Shell: + default: Admin shell + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementHostname: + default: Management hostname + ManagementInstallationType: + default: Management installation type + SICKey: + default: SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Gateways management + GatewaysAddresses: + default: Gateways addresses + ManagementBootstrapScript: + default: Management bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the instance. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block of the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: The CIDR block of the management subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ManagementName: + Description: The Management name tag. + Type: String + Default: Check-Point-Management + ManagementInstanceType: + Description: The instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an elastic IP for the Management. 
+ Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored. + if IAM role is not set to 'Use existing' + Type: String + Default: '' + ManagementSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. + Type: CommaDelimitedList + Default: '' + ManagementVersion: + Description: The license to install on the Security Management Server. 
+ Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: mgmt-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + ManagementInstallationType: + Description: Determines the Management Server installation type. + Type: String + Default: Primary management + AllowedValues: + - Primary management + - Secondary management + - Log Server + SICKey: + Description: >- + Mandatory only if deploying a secondary Management Server or Log Server, the Secure Internal + Communication key creates trusted connections between Check Point components. + Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a primary Management Server. Otherwise, + at least 8 alpha numeric characters. 
+ NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management + Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage + are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + ManagementBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EIP: !Equals [!Ref AllocatePublicAddress, true] + ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet] + ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet] + CreateRole: !Or + - !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref ManagementPermissions, Create with read permissions] + - !Equals [!Ref ManagementPermissions, Create with read-write permissions] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]] + NoSIC: !Equals [!Ref SICKey, ''] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + CreatePrivateSubnets: false + CreateAttachmentSubnets: false + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref ManagementVersion, MGMT]] + ManagementReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: EIP + Properties: {} + ManagementReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: EIP + DependsOn: ManagementInstance + Properties: + Handle: !Ref ManagementReadyHandle + Timeout: 1800 + ManagementSecurityGroup: + Type: 
AWS::EC2::SecurityGroup + Properties: + GroupDescription: Management security group + VpcId: !GetAtt VPCStack.Outputs.VPCID + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + ManagementRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref ManagementPermissions + STSRoles: !Join [',', !Ref ManagementSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref ManagementPredefinedRole + ManagementInstance: + Type: AWS::EC2::Instance + DependsOn: ManagementLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref ManagementLaunchTemplate + Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref ManagementName + 
NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref ManagementSecurityGroup + DeleteOnTermination: true + SubnetId: !GetAtt VPCStack.Outputs.PublicSubnet1ID + ManagementLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref ManagementInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}''' + - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]] + - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" 
sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + PublicAddress: + Type: AWS::EC2::EIP + Condition: EIP + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: EIP + DependsOn: ManagementInstance + Properties: + InstanceId: !Ref ManagementInstance + AllocationId: !GetAtt PublicAddress.AllocationId +Outputs: + PublicAddress: + Condition: EIP + Description: The public address of the Management Server. + Value: !Ref PublicAddress + SSH: + Condition: EIP + Description: SSH command. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + URL: + Condition: EIP + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress]] diff --git a/china/aws/templates/management/management.yaml b/china/aws/templates/management/management.yaml new file mode 100644 index 00000000..0e787a9d --- /dev/null +++ b/china/aws/templates/management/management.yaml 
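Review bot: `AdminCIDR` and `GatewaysAddresses` accept a `/0` prefix (the last alternative of their `AllowedPattern` is `\/([0-9]|[1-2][0-9]|3[0-2])`), so `0.0.0.0/0` passes validation and `ManagementSecurityGroup` then opens 22, 443, 18190 and 19009 to the whole internet without any warning, and unlike the gateway template this file has no `Rules` section to catch it; consider the assertion below, or at least a `ConstraintDescription` on both parameters that says what they guard. Separately, the NoEcho parameters (`SICKey`, both password hashes and `ManagementBootstrapScript`) are base64-encoded into `UserData` of `ManagementLaunchTemplate`, where they are readable by any principal allowed `ec2:DescribeLaunchTemplateVersions` or `ec2:DescribeInstanceAttribute` and from the instance at `/latest/user-data`; NoEcho only masks them in the CloudFormation console. That is worth saying on `MetaDataToken`, since setting it to `false` is what would re-expose the user data to unauthenticated IMDSv1 reads, e.g. `Description: Set true to deploy the instance with metadata v2 token required. Keep true: the user data carries the SIC key and password hashes, and IMDSv2 is what prevents unauthenticated reads of it.` The nested templates in `VPCStack`, `AMI` and `ManagementRoleStack` are also fetched unpinned from the vendor bucket at deploy time, which is presumably intentional but worth a sentence in the README.
```yaml
# … unchanged: Outputs …
Rules:
  AdminCIDRNotOpenRule:
    Assertions:
      - Assert: !Not [!Equals [!Ref AdminCIDR, '0.0.0.0/0']]
        AssertDescription: "AdminCIDR must not be 0.0.0.0/0; it opens SSH, HTTPS and SmartConsole ports on the Management Server to the internet"
```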
@@ -0,0 +1,580 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploys a Check Point Management Server into an existing VPC (20250617) + See sk130372 administration guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - ManagementSubnet + - Label: + default: EC2 Instance Configuration + Parameters: + - ManagementName + - ManagementInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: IAM Permissions (ignored when the installation is not Primary Management + Server) + Parameters: + - ManagementPermissions + - ManagementPredefinedRole + - ManagementSTSRoles + - Label: + default: Check Point Settings + Parameters: + - ManagementVersion + - Shell + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - Label: + default: Security Management Server Settings + Parameters: + - ManagementHostname + - ManagementInstallationType + - SICKey + - AllowUploadDownload + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - ManagementBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + ManagementSubnet: + default: Management subnet + ManagementName: + default: Management name + ManagementInstanceType: + default: Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + 
ManagementSTSRoles: + default: STS roles + ManagementVersion: + default: Version & license + Shell: + default: Admin shell + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementHostname: + default: Management hostname + ManagementInstallationType: + default: Management installation type + SICKey: + default: SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Gateways management + GatewaysAddresses: + default: Gateways addresses + ManagementBootstrapScript: + default: Management bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ManagementSubnet: + Description: To access the instance from the internet, make sure the subnet has + a route to the internet. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ManagementName: + Description: The Management name tag. + Type: String + Default: Check-Point-Management + ManagementInstanceType: + Description: The instance type of the Security Management Server. 
+ Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an elastic IP for the Management. 
+ Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored. + if IAM role is not set to 'Use existing' + Type: String + Default: '' + ManagementSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. + Type: CommaDelimitedList + Default: '' + ManagementVersion: + Description: The license to install on the Security Management Server. 
+ Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: mgmt-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + ManagementInstallationType: + Description: Determines the Management Server installation type. + Type: String + Default: Primary management + AllowedValues: + - Primary management + - Secondary management + - Log Server + SICKey: + Description: >- + Mandatory only if deploying a secondary Management Server or Log Server, the Secure Internal + Communication key creates trusted connections between Check Point components. + Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a primary Management Server. Otherwise, + at least 8 alpha numeric characters. 
+ NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management + Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage + are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + ManagementBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EIP: !Equals [!Ref AllocatePublicAddress, true] + ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet] + ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet] + CreateRole: !Or + - !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref ManagementPermissions, Create with read permissions] + - !Equals [!Ref ManagementPermissions, Create with read-write permissions] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]] + NoSIC: !Equals [!Ref SICKey, ''] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref ManagementVersion, MGMT]] + ManagementReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: EIP + Properties: {} + ManagementReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: EIP + DependsOn: ManagementInstance + Properties: + Handle: !Ref ManagementReadyHandle + Timeout: 1800 + ManagementSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Management security group + VpcId: !Ref VPC + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + 
ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + ManagementRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref ManagementPermissions + STSRoles: !Join [',', !Ref ManagementSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref ManagementPredefinedRole + ManagementInstance: + Type: AWS::EC2::Instance + DependsOn: ManagementLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref ManagementLaunchTemplate + Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref ManagementName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref ManagementSecurityGroup + DeleteOnTermination: true + SubnetId: !Ref ManagementSubnet + ManagementLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref 
ManagementInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}''' + - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]] + - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" 
"management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + PublicAddress: + Type: AWS::EC2::EIP + Condition: EIP + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: EIP + DependsOn: ManagementInstance + Properties: + InstanceId: !Ref ManagementInstance + AllocationId: !GetAtt PublicAddress.AllocationId +Outputs: + PublicAddress: + Condition: EIP + Description: The public address of the Management Server. + Value: !Ref PublicAddress + SSH: + Condition: EIP + Description: SSH command. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + URL: + Condition: EIP + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress]] diff --git a/china/aws/templates/mds/README.md b/china/aws/templates/mds/README.md new file mode 100644 index 00000000..a4119680 --- /dev/null +++ b/china/aws/templates/mds/README.md @@ -0,0 +1,21 @@ +## Multi-Domain Management Server + + + + + + + + + + + + + + + +
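Review bot: `NoEcho: true` on SICKey, ManagementPasswordHash, ManagementMaintenancePasswordHash and ManagementBootstrapScript only hides the values from the CloudFormation parameter view; all four are still written, base64-encoded, into the launch template `UserData` (the `sic="$(echo …)"`, `pwd_hash=`, `maintenance_pwd_hash=` and `bootstrap=` lines), where anyone with `ec2:DescribeLaunchTemplateVersions` / `ec2:DescribeInstanceAttribute` or a shell on the instance can read them. Requiring IMDSv2 (`HttpTokens: required` with the default MetaDataToken) blocks SSRF-style reads of user data but not a local process or an API caller. Since the bootstrap script is the most likely place for an operator to paste long-lived credentials, I would say so in its description: `Description: An optional script with semicolon (;) separated commands to run on the initial boot. The script is stored base64-encoded in the instance user data and launch template, so do not embed long-lived secrets. (optional)`, and add a similar sentence to the SICKey description. Whether cloud_config.py scrubs user data after first boot is not visible in this template.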
    DescriptionNotesDirect Launch
    + Deploys and configures a Multi-Domain Security Management Server.

    For more details, refer to sk143213. +
    Deploys a Multi-Domain Security Management Server into an existing VPC.
    +
    +
    diff --git a/china/aws/templates/mds/mds-master.yaml b/china/aws/templates/mds/mds-master.yaml new file mode 100755 index 00000000..f29d5f9b --- /dev/null +++ b/china/aws/templates/mds/mds-master.yaml 
@@ -0,0 +1,573 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: | + Deploys a Check Point Multi-Domain Server into a new VPC (20250617) + See sk130372 administration guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnet1CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - MDSName + - MDSInstanceType + - KeyName + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: IAM Permissions (ignored when the installation type is not Primary + Multi-Domain Server) + Parameters: + - MDSPermissions + - MDSPredefinedRole + - MDSSTSRoles + - Label: + default: Check Point Settings + Parameters: + - MDSVersion + - Shell + - MDSPasswordHash + - MDSMaintenancePasswordHash + - Label: + default: Multi-Domain Server Settings + Parameters: + - MDSHostname + - MDSInstallationType + - MDSSICKey + - AllowUploadDownload + - AdminCIDR + - GatewaysAddresses + - MDSBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZone: + default: Availability zone + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: MDS subnet CIDR + MDSName: + default: MDS name + MDSInstanceType: + default: Instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + MDSPermissions: + default: IAM role + MDSPredefinedRole: + default: Existing IAM role name + MDSSTSRoles: + default: STS roles + MDSVersion: + default: Version & license + Shell: + default: Admin shell + MDSPasswordHash: + default: 
Password hash + MDSMaintenancePasswordHash: + default: MDS Maintenance Password hash + MDSHostname: + default: MDS hostname + MDSInstallationType: + default: MDS installation type + MDSSICKey: + default: SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + MDSBootstrapScript: + default: MDS Bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the instance. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block of the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: The CIDR block of the management subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + MDSName: + Description: The MDS name tag. + Type: String + Default: Check-Point-MDS + MDSInstanceType: + Description: The instance type of the Multi-Domain Server. 
+ Type: String + Default: m5.2xlarge + AllowedValues: + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + - r7a.xlarge + - r7a.2xlarge + - r7a.4xlarge + - r7a.8xlarge + - r7a.12xlarge + - r7a.16xlarge + - r7a.24xlarge + - r7a.32xlarge + - r7a.48xlarge + - c7i-flex.xlarge + - c7i-flex.2xlarge + - c7i-flex.4xlarge + - c7i-flex.8xlarge + - m7a.xlarge + - m7a.2xlarge + - m7a.4xlarge + - m7a.8xlarge + - m7a.12xlarge + - m7a.16xlarge + - m7a.24xlarge + - m7a.32xlarge + - m7a.48xlarge + - c7i.xlarge + - 
c7i.2xlarge + - c7i.4xlarge + - c7i.8xlarge + - c7i.12xlarge + - c7i.16xlarge + - c7i.24xlarge + - c7i.32xlarge + - c7i.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + MDSPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + MDSPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored + if IAM role is not set to 'Use existing'. + Type: String + Default: '' + MDSSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). 
Ignored if IAM role is set to 'None' or 'Use + existing'. + Type: CommaDelimitedList + Default: '' + MDSVersion: + Description: The license to install on the Multi-Domain Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + MDSPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: mds-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + MDSInstallationType: + Description: Determines the Multi-Domain Server installation type. + Type: String + Default: Primary Multi-Domain Server + AllowedValues: + - Primary Multi-Domain Server + - Secondary Multi-Domain Server + - Multi-Domain Log Server + MDSSICKey: + Description: >- + Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, + the Secure Internal Communication key creates trusted connections between Check + Point components. Choose a random string consisting of at least 8 alphanumeric + characters. 
+ Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a Primary Multi-Domain Server. + Otherwise, at least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Multi-Domain Server. The address should be either 0.0.0.0/0 (any address) or /32 (specific address) + Type: String + AllowedPattern: '^((0.0.0.0\/0)|)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/32)$' + ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Multi-Domain. + Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + MDSBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: '0.pool.ntp.org' + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !And + - !Or + - !Condition PrimaryMDS + - !Condition SecondaryMDS + - !Or + - !Equals [!Ref MDSPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref MDSPermissions, Create with read permissions] + - !Equals [!Ref MDSPermissions, Create with read-write permissions] + UseRole: !And [!Or [!Condition PrimaryMDS, !Condition SecondaryMDS], !Not [!Equals [!Ref MDSPermissions, None (configure later)]]] + PrimaryMDS: !Equals [!Ref MDSInstallationType, Primary Multi-Domain Server] + SecondaryMDS: !Equals [!Ref MDSInstallationType, Secondary Multi-Domain Server] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + CreatePrivateSubnets: false + CreateAttachmentSubnets: false + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref MDSVersion, MGMT]] + MDSSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: MDS security group + VpcId: !GetAtt VPCStack.Outputs.VPCID + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + 
ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + MDSRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref MDSPermissions + STSRoles: !Join [',', !Ref MDSSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref MDSPredefinedRole + MDSInstance: + Type: AWS::EC2::Instance + DependsOn: [MDSSecurityGroup, MDSLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MDSLaunchTemplate + Version: !GetAtt MDSLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref MDSName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref MDSSecurityGroup + DeleteOnTermination: true + SubnetId: !GetAtt VPCStack.Outputs.PublicSubnet1ID + MDSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt 
AMI.Outputs.ImageId + InstanceType: !Ref MDSInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: !Base64 + Fn::Join: + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}' + - !If [PrimaryMDS, ' primary=true ; secondary=false', !If [SecondaryMDS, ' primary=false ; secondary=true', ' primary=false ; secondary=false']] + - !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}] + - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template 
version \ No newline at end of file diff --git a/china/aws/templates/mds/mds.yaml b/china/aws/templates/mds/mds.yaml new file mode 100644 index 00000000..c78741c7 --- /dev/null +++ b/china/aws/templates/mds/mds.yaml 
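Review bot: The AdminCIDR `AllowedPattern` in mds-master.yaml, `'^((0.0.0.0\/0)|)$|^(…)(\/32)$'`, accepts an empty string (the `|)` alternative) although the parameter has no Default, so an empty value passes parameter validation and only fails later when `CidrIp: ''` is applied to the MDSSecurityGroup ingress rules. It also accepts only 0.0.0.0/0 or a single /32, and the description presents 0.0.0.0/0 as the alternative, which pushes an administrator whose clients sit in a /24 toward opening SSH, 443, 18190 and 19009 to the world; management.yaml in the same patch accepts any prefix length for the same parameter. Unless cloud_config.py requires a /32 for adminSubnet, I would reuse management.yaml's pattern here, or at minimum drop the empty alternative and escape the dots: `AllowedPattern: '^(0\.0\.0\.0\/0)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\/32$'`. The GatewaysAddresses description just below also has a stray period (`Multi-Domain. Server`).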
@@ -0,0 +1,525 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: | + Deploys a Check Point Multi-Domain Server into an existing VPC (20250617) + See sk130372 administration guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - MDSSubnet + - Label: + default: EC2 Instance Configuration + Parameters: + - MDSName + - MDSInstanceType + - KeyName + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: IAM Permissions (ignored when the installation type is not Primary + Multi-Domain Server) + Parameters: + - MDSPermissions + - MDSPredefinedRole + - MDSSTSRoles + - Label: + default: Check Point Settings + Parameters: + - MDSVersion + - Shell + - MDSPasswordHash + - MDSMaintenancePasswordHash + - Label: + default: Multi-Domain Server Settings + Parameters: + - MDSHostname + - MDSInstallationType + - MDSSICKey + - AllowUploadDownload + - AdminCIDR + - GatewaysAddresses + - MDSBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + MDSSubnet: + default: MDS subnet + MDSName: + default: MDS name + MDSInstanceType: + default: Instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + MDSPermissions: + default: IAM role + MDSPredefinedRole: + default: Existing IAM role name + MDSSTSRoles: + default: STS roles + MDSVersion: + default: Version & license + Shell: + default: Admin shell + MDSPasswordHash: + default: Password hash + MDSMaintenancePasswordHash: + default: MDS Maintenance Password hash + MDSHostname: 
+ default: MDS hostname + MDSInstallationType: + default: MDS installation type + MDSSICKey: + default: SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + MDSBootstrapScript: + default: MDS Bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + MDSSubnet: + Description: To access the instance from the internet, make sure the subnet has. + a route to the internet + Type: AWS::EC2::Subnet::Id + MinLength: 1 + MDSName: + Description: The MDS name tag. + Type: String + Default: Check-Point-MDS + MDSInstanceType: + Description: The instance type of the Multi-Domain Server. + Type: String + Default: m5.2xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - 
r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + MDSPermissions: + Description: IAM role to attach to the instance profile. 
+ Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + MDSPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored + if IAM role is not set to 'Use existing'. + Type: String + Default: '' + MDSSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. + Type: CommaDelimitedList + Default: '' + MDSVersion: + Description: The license to install on the Multi-Domain Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + MDSPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. 
(optional) + Type: String + Default: mds-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + MDSInstallationType: + Description: Determines the Multi-Domain Server installation type. + Type: String + Default: Primary Multi-Domain Server + AllowedValues: + - Primary Multi-Domain Server + - Secondary Multi-Domain Server + - Multi-Domain Log Server + MDSSICKey: + Description: >- + Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, + the Secure Internal Communication key creates trusted connections between Check + Point components. Choose a random string consisting of at least 8 alphanumeric + characters. + Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a Primary Multi-Domain Server. + Otherwise, at least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Multi-Domain Server. The address should be either 0.0.0.0/0 (any address) or /32 (specific address) + Type: String + AllowedPattern: '^((0.0.0.0\/0)|)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/32)$' + ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Multi-Domain. 
+ Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + MDSBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: '0.pool.ntp.org' + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !And + - !Or + - !Condition PrimaryMDS + - !Condition SecondaryMDS + - !Or + - !Equals [!Ref MDSPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref MDSPermissions, Create with read permissions] + - !Equals [!Ref MDSPermissions, Create with read-write permissions] + UseRole: !And [!Or [!Condition PrimaryMDS, !Condition SecondaryMDS], !Not [!Equals [!Ref MDSPermissions, None (configure later)]]] + PrimaryMDS: !Equals [!Ref MDSInstallationType, Primary Multi-Domain Server] + SecondaryMDS: !Equals [!Ref MDSInstallationType, Secondary Multi-Domain Server] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref MDSVersion, MGMT]] + MDSSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: MDS security group + VpcId: !Ref VPC + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + 
FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + MDSRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref MDSPermissions + STSRoles: !Join [',', !Ref MDSSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref MDSPredefinedRole + MDSInstance: + Type: AWS::EC2::Instance + DependsOn: [MDSSecurityGroup, MDSLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MDSLaunchTemplate + Version: !GetAtt MDSLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref MDSName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref MDSSecurityGroup + DeleteOnTermination: true + SubnetId: !Ref MDSSubnet + MDSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref MDSInstanceType + MetadataOptions: + HttpTokens: !If 
[EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: !Base64 + Fn::Join: + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}' + - !If [PrimaryMDS, ' primary=true ; secondary=false', !If [SecondaryMDS, ' primary=false ; secondary=true', ' primary=false ; secondary=false']] + - !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}] + - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version \ No newline at end of file 
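Review bot: The template never enforces the "Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server" requirement stated in MDSSICKey's description: the AllowedPattern `(|[a-zA-Z0-9]{8,})` accepts the empty default, and the UserData branch `!If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]]` happily hands an empty sicKey to cloud_config.py for the non-primary types, so a secondary MDS or MDLS comes up with no SIC trust and has to be repaired by hand. The same gap exists for MDSPredefinedRole, which may stay at its '' default while MDSPermissions is 'Use existing', leaving InstanceProfile with an empty entry in Roles and a failed stack. Both can be rejected at stack-creation time with a CloudFormation Rules section; a sketch is below (the MDSPredefinedRole rule is limited to Primary/Secondary because UseRole ignores the role for the log-server type). Separately, the NoEcho values (SIC key, both password hashes, bootstrap script) are base64-embedded in the launch template's UserData, which is readable via DescribeLaunchTemplateVersions/DescribeInstanceAttribute and from the instance through IMDS regardless of NoEcho — worth a one-line caveat in the README for operators who grant broad ec2:Describe* permissions.
```yaml
Rules:
  SICKeyRequiredForNonPrimary:
    RuleCondition: !Not [!Equals [!Ref MDSInstallationType, Primary Multi-Domain Server]]
    Assertions:
      - Assert: !Not [!Equals [!Ref MDSSICKey, '']]
        AssertDescription: A SIC key of at least 8 alphanumeric characters is mandatory for a Secondary Multi-Domain Server or Multi-Domain Log Server.
  PredefinedRoleRequiredWhenUsingExisting:
    RuleCondition: !And
      - !Equals [!Ref MDSPermissions, Use existing (specify an existing IAM role name)]
      - !Not [!Equals [!Ref MDSInstallationType, Multi-Domain Log Server]]
    Assertions:
      - Assert: !Not [!Equals [!Ref MDSPredefinedRole, '']]
        AssertDescription: An existing IAM role name is required when IAM role is set to 'Use existing'.
# … unchanged: Conditions, Resources …
```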
diff --git a/china/aws/templates/single-gw/README.md b/china/aws/templates/single-gw/README.md new file mode 100644 index 00000000..696ddebd --- /dev/null +++ b/china/aws/templates/single-gw/README.md @@ -0,0 +1,40 @@ +## Security Gateway + + + + + + + + + + + + + + + + + + + +
    DescriptionNotesDirect Launch
    + Deploys and configures a Security Gateway.

    To deploy the Security Gateway so that it will be automatically provisioned, refer to sk131434. +
    Creates a new VPC and deploys a Security Gateway into it.
    Deploys a Security Gateway into an existing VPC.
    +
    +
    + +## Revision History +In order to check the template version, please refer to [sk125252](https://support.checkpoint.com/results/sk/sk125252#ToggleR8120gateway) + +| Template Version | Description | +|------------------|---------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
    - R81 version deprecation. | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231113 | Stability fixes. | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
    - Add description for reserved words in hostname | +| 20230503 | Template version 20230503 and above supports Smart-1 Cloud token validation. | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support. | diff --git a/china/aws/templates/single-gw/gateway-master.yaml b/china/aws/templates/single-gw/gateway-master.yaml new file mode 100644 index 00000000..5f0fd22a --- /dev/null +++ b/china/aws/templates/single-gw/gateway-master.yaml 
@@ -0,0 +1,489 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploys a Check Point Security Gateway into a new VPC (20250617) + See sk175207 for Gateway administration guide deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewaySICKey + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - GatewayToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + - Label: + default: Automatic Provisioning with Security Management Server Settings (optional) + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + AvailabilityZone: + default: Availability zone + VPCCIDR: + default: VPC CIDR + PublicSubnetCIDR: + default: Public subnet CIDR + PrivateSubnetCIDR: + default: Private subnet CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Gateway Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination 
Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Gateway Version & license + Shell: + default: Admin shell + GatewaySICKey: + default: Gateway SIC key + GatewayToken: + default: Smart-1 Cloud Token + GatewayPasswordHash: + default: Gateway Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + ControlGatewayOverPrivateOrPublicAddress: + default: Gateway address + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the instance. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block of the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnetCIDR: + Description: The public subnet of the Security Gateway. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnetCIDR: + Description: The private subnet of the Security Gateway. 
+ Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateways. + Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - 
m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. 
+ Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + NoEcho: true + GatewayToken: + Description: Follow the instructions in sk180501 to quickly connect this Gateway to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the Security Gateway is provisioned using its private. + or public address + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic. + provisioning configuration. + Type: String + ConfigurationTemplate: + Description: A name of a Security Gateway configuration template in the automatic. + provisioning configuration. + Type: String + MaxLength: 30 +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnetCIDR + CreatePrivateSubnets: true + PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR + CreateAttachmentSubnets: false + InternalRoutingTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalRoutingTable + InternalNetworkRouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref InternalRoutingTable + SubnetId: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + GatewayStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/gateway.yaml + 
Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + InternalRouteTable: !Ref InternalRoutingTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewaySICKey: !Ref GatewaySICKey + GatewayToken: !Ref GatewayToken + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate +Outputs: + CheckPointInstancePublicAddress: + Condition: AllocateAddress + Description: The public address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PublicAddress + CheckPointInstancePrivateExternalAddress: + Description: The private external address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PrivateExternalAddress + CheckPointInstancePrivateInternalAddress: + Description: The private internal address of the Check Point instance. + Value: !GetAtt GatewayStack.Outputs.PrivateInternalAddress + CheckPointInstanceSSH: + Condition: AllocateAddress + Description: SSH command to the Check Point instance. 
+ Value: !GetAtt GatewayStack.Outputs.SSH
+ CheckPointInstanceURL:
+ Condition: AllocateAddress
+ Description: URL to the portal
+ Value: !GetAtt GatewayStack.Outputs.URL
+ ManagementName:
+ Description: The name that represents the Security Management Server.
+ Value: !Ref ManagementServer
+ ConfigurationTemplateName:
+ Description: The name that represents the configuration template. Configurations
+ required to automatically provision the Gateways in the Auto Scaling Group,
+ such as what Security Policy to install and which Blades to enable, will be
+ placed under this template name.
+ Value: !Ref ConfigurationTemplate
diff --git a/china/aws/templates/single-gw/gateway.yaml b/china/aws/templates/single-gw/gateway.yaml
new file mode 100644
index 00000000..a695639b
--- /dev/null
+++ b/china/aws/templates/single-gw/gateway.yaml
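Review bot: The GatewayToken AllowedPattern `'(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'` does not validate what it appears to: the second alternative wraps `aHR0cHM6Ly9` (base64 of `https://`) in square brackets, turning the intended literal prefix into a character class, so any value consisting of anything, whitespace, one character from that class and at least one more character is accepted (e.g. `x a1`). Since the README for this directory advertises Smart-1 Cloud token validation as a feature of this template version, the branch should read `(.*)\saHR0cHM6Ly9(.+)`; the same regex is presumably copied into gateway.yaml's parameter block (outside this hunk) and should be fixed there as well. I would also give GatewayToken `Default: ''`, matching the other optional parameters, so the token does not have to be passed as an explicit empty string. As a supply-chain caveat, this master stack hands the SIC key, Smart-1 Cloud token and password hashes to whatever `utils/vpc.yaml` and `gateway/gateway.yaml` the unpinned TemplateURLs on cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn serve at deploy time; operators needing reproducible or auditable deployments should mirror those nested templates to a bucket they control and point TemplateURL there.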
@@ -0,0 +1,595 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploys a Check Point Security Gateway into an existing VPC (20250617) + See sk175207 for Gateway administration guide deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnet + - PrivateSubnet + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewaySICKey + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - GatewayToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + - Label: + default: Automatic Provisioning with Security Management Server Settings (optional) + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + VPC: + default: VPC + PublicSubnet: + default: Public subnet + PrivateSubnet: + default: Private subnet + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Gateway Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + 
default: Metadata HTTP token + GatewayVersion: + default: Gateway Version & license + Shell: + default: Admin shell + GatewaySICKey: + default: Gateway SIC key + GatewayToken: + default: Smart-1 Cloud Token + GatewayPasswordHash: + default: Gateway Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + ControlGatewayOverPrivateOrPublicAddress: + default: Gateway address + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template +Parameters: + VPC: + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnet: + Description: The public subnet of the security gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + PrivateSubnet: + Description: The private subnet of the security gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + InternalRouteTable: + Description: The route table id in which to set 0.0.0.0/0 route to the Gateway instance (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. 
+ Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. 
+ AllocatePublicAddress: + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + NoEcho: true + GatewayToken: + Description: Follow the instructions in SK180501 to quickly connect this Gateway to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. 
+ Type: String + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + NoEcho: true + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. 
(optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the Security Gateway is provisioned using its private + or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic + provisioning configuration. + Type: String + ConfigurationTemplate: + Description: A name of a Security Gateway configuration template in the automatic + provisioning configuration. + Type: String + MaxLength: 30 +Conditions: + ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']] + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] + ProvidedManagementParameters: !And [!Not [!Equals [!Ref ManagementServer, '']], !Not [!Equals [!Ref ConfigurationTemplate, '']]] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + ReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: AllocateAddress + Properties: {} + ReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: AllocateAddress + DependsOn: GatewayInstance + Properties: + Handle: !Ref ReadyHandle + Timeout: 1800 + GatewayIAMRole: + Condition: EnableCloudWatch + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: [ ec2.amazonaws.com.cn ] + Action: sts:AssumeRole + Path: / + GatewayInstanceProfile: + Condition: EnableCloudWatch + Type: AWS::IAM::InstanceProfile + 
Properties: + Path: / + Roles: [!Ref GatewayIAMRole] + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ] + PolicyRole: !Ref GatewayIAMRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion,GW]] + ExternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - ExternalNetworkInterface + Description: eth0 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PublicSubnet + InternalNetworkInterface: + Type: AWS::EC2::NetworkInterface + Properties: + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalNetworkInterface + Description: eth1 + SourceDestCheck: false + GroupSet: + - !Ref PermissiveSecurityGroup + SubnetId: !Ref PrivateSubnet + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: + !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - PermissiveSecurityGroup + GroupDescription: Permissive security group. 
+ VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + InternalDefaultRoute: + Type: AWS::EC2::Route + Condition: ProvidedRouteTable + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !Ref InternalNetworkInterface + RouteTableId: !Ref InternalRouteTable + GatewayInstance: + Type: AWS::EC2::Instance + DependsOn: GatewayLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref GatewayName + - !If + - ProvidedManagementParameters + - Key: x-chkp-tags + Value: + !Join + - ':' + - - !Join ['=', [management, !Ref ManagementServer]] + - !Join ['=', [template,!Ref ConfigurationTemplate]] + - !Join ['=',[ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] + - !Ref 'AWS::NoValue' + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + NetworkInterfaceId: !Ref ExternalNetworkInterface + - DeviceIndex: 1 + NetworkInterfaceId: !Ref InternalNetworkInterface + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref GatewayInstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; hostname=${GatewayHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; 
eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; token=''${GatewayToken}''' + - !If [AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue'] + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" "smart1CloudToken=\"${token}\"" installationType=\"gateway\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"gateway\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + PublicAddress: + Type: AWS::EC2::EIP + Condition: AllocateAddress + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: AllocateAddress + DependsOn: GatewayInstance + Properties: + NetworkInterfaceId: !Ref ExternalNetworkInterface + AllocationId: !GetAtt PublicAddress.AllocationId + PrivateIpAddress: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress +Outputs: + PublicAddress: + Description: The public address of the Check Point instance. + Value: !Ref PublicAddress + Condition: AllocateAddress + PrivateExternalAddress: + Description: The private external address of the Check Point instance. 
+ Value: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress + PrivateInternalAddress: + Description: The private internal address of the Check Point instance. + Value: !GetAtt InternalNetworkInterface.PrimaryPrivateIpAddress + SSH: + Description: SSH command to the Check Point instance. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + Condition: AllocateAddress + URL: + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress]] + Condition: AllocateAddress + ManagementName: + Description: The name that represents the Security Management Server. + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations + required to automatically provision the Gateways in the Auto Scaling Group, + such as what Security Policy to install and which Blades to enable, will be + placed under this template name. + Value: !Ref ConfigurationTemplate diff --git a/china/aws/templates/standalone/README.md b/china/aws/templates/standalone/README.md new file mode 100644 index 00000000..012afd92 --- /dev/null +++ b/china/aws/templates/standalone/README.md @@ -0,0 +1,41 @@ + +## Security Management Server & Security Gateway (Standalone Deployment) + + + + + + + + + + + + + + + + + + + +
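Review bot: PermissiveSecurityGroup admits every protocol from 0.0.0.0/0 on both the external and the internal network interface, and unlike standalone-master.yaml in this same patch the template exposes no AdminCIDR-style parameter to narrow that, so the only filtering is whatever policy the gateway itself installs. If that is the intended design, state it where the next maintainer will see it, e.g. `GroupDescription: Permissive security group - traffic is filtered by the Security Gateway policy, not by AWS.`; otherwise an optional CIDR parameter for the external interface would let operators limit exposure before the policy is pushed. Two smaller documentation fixes in the Parameters section: `Description: The instance type of the Security Gateway.` (currently "Secutiry"), and EnableInstanceConnect's description still warns about versions prior to R80.40 although GatewayVersion's AllowedValues begin at R81.10-BYOL.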
    DescriptionNotesDirect Launch
    + Deploys and configures Standalone or a manually configurable instance. + Creates a new VPC and deploys a Standalone or a manually configurable instance into it.
    Deploys a Standalone or a manually configurable instance into an existing VPC.
    +
    +
    + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
    - R81 version deprecation. | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20231113 | - Stability fixes.
    - Add support for BYOL license type for Standalone. | +| 20230923 | Add support for C5d instance type | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
    - Add description for reserved words in hostname | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20210329 | Stability fixes | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | diff --git a/china/aws/templates/standalone/standalone-master.yaml b/china/aws/templates/standalone/standalone-master.yaml new file mode 100644 index 00000000..bb7fa1ee --- /dev/null +++ b/china/aws/templates/standalone/standalone-master.yaml 
@@ -0,0 +1,436 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS + Security Gateway & Management (Standalone) instance in a new VPC (20250617) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnetCIDR + - PrivateSubnetCIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - StandaloneName + - StandaloneInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - StandaloneVersion + - Shell + - StandalonePasswordHash + - StandaloneMaintenancePasswordHash + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - StandaloneHostname + - AllowUploadDownload + - CloudWatch + - StandaloneBootstrapScript + - NTPPrimary + - NTPSecondary + - AdminCIDR + - GatewaysAddresses + ParameterLabels: + AvailabilityZone: + default: Availability zone + VPCCIDR: + default: VPC CIDR + PublicSubnetCIDR: + default: Public subnet CIDR + PrivateSubnetCIDR: + default: Private subnet CIDR + StandaloneName: + default: Standalone Name + StandaloneInstanceType: + default: Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + StandaloneVersion: + default: License + Shell: + default: Admin shell + StandalonePasswordHash: + default: Standalone Password hash + StandaloneMaintenancePasswordHash: + default: Gateway Maintenance Password 
hash + ResourcesTagName: + default: Resources prefix tag + StandaloneHostname: + default: Standalone Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + StandaloneBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the instance. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block of the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnetCIDR: + Description: The public subnet of the Security Gateway. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnetCIDR: + Description: The private subnet of the Security Gateway. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + StandaloneName: + Type: String + Default: Check-Point-Instance + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. 
+ AllocatePublicAddress: + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Default: false + Type: String + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + StandaloneVersion: + Description: Standalone Version & License. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + StandalonePasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + StandaloneMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + StandaloneInstanceType: + Description: The instance type of the Security Gateway & Management (Standalone) instance. + Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ResourcesTagName: + Description: The name tag of the resources. 
(optional) + Type: String + Default: '' + StandaloneHostname: + Description: (optional) + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + StandaloneBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate. + with the Management Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management. + Server. 
(optional) + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] + ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnetCIDR + CreatePrivateSubnets: true + PrivateSubnet1CIDR: !Ref PrivateSubnetCIDR + CreateAttachmentSubnets: false + InternalRoutingTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: !Join + - _ + - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName'] + - InternalRoutingTable + InternalNetworkRouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: !Ref InternalRoutingTable + SubnetId: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + StandaloneStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/gateway/standalone.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnet: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PrivateSubnet: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + InternalRouteTable: !Ref InternalRoutingTable + StandaloneName: !Ref StandaloneName + StandaloneInstanceType: !Ref StandaloneInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + StandaloneVersion: !Ref 
StandaloneVersion + Shell: !Ref Shell + StandalonePasswordHash: !Ref StandalonePasswordHash + StandaloneMaintenancePasswordHash: !Ref StandaloneMaintenancePasswordHash + ResourcesTagName: !Ref ResourcesTagName + StandaloneHostname: !Ref StandaloneHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + StandaloneBootstrapScript: !Ref StandaloneBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + AdminCIDR: !Ref AdminCIDR + GatewaysAddresses: !Ref GatewaysAddresses +Outputs: + CheckPointInstancePublicAddress: + Condition: AllocateAddress + Description: The public address of the Check Point instance. + Value: !GetAtt StandaloneStack.Outputs.PublicAddress + CheckPointInstanceSSH: + Condition: AllocateAddress + Description: SSH command to the Check Point instance. + Value: !GetAtt StandaloneStack.Outputs.SSH + CheckPointInstanceURL: + Condition: AllocateAddress + Description: URL to the portal. + Value: !GetAtt StandaloneStack.Outputs.URL diff --git a/china/aws/templates/standalone/standalone.yaml b/china/aws/templates/standalone/standalone.yaml new file mode 100644 index 00000000..94a6bf0a --- /dev/null +++ b/china/aws/templates/standalone/standalone.yaml 
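Review bot: The ParameterLabels entry for StandaloneMaintenancePasswordHash reads "Gateway Maintenance Password hash", while standalone.yaml in this same patch labels the identical parameter "Standalone Maintenance Password hash"; the master template should use `default: Standalone Maintenance Password hash` so the two forms agree. The AdminCIDR and GatewaysAddresses descriptions also carry stray periods from the folded scalars ("communicate. with the Management Server", "with the Management. Server."), which CloudFormation will render verbatim; `Description: Allow web, SSH, and graphical clients only from this network to communicate with the Management Server.` and `Description: Allow gateways only from this network to communicate with the Management Server. (optional)` read correctly. Note that AdminCIDR's AllowedPattern accepts a /0 prefix, so 0.0.0.0/0 passes validation for the parameter whose purpose is to restrict administrative access; if that is acceptable, a ConstraintDescription spelling out the expected form would at least make the intent explicit.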
@@ -0,0 +1,531 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys either a manually configurable or a Check Point CloudGuard IaaS + Security Gateway & Management (Standalone) instance into an existing VPC (20250617) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnet + - PrivateSubnet + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - StandaloneName + - StandaloneInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - StandaloneVersion + - Shell + - StandalonePasswordHash + - StandaloneMaintenancePasswordHash + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - StandaloneHostname + - AllowUploadDownload + - CloudWatch + - StandaloneBootstrapScript + - NTPPrimary + - NTPSecondary + - AdminCIDR + - GatewaysAddresses + ParameterLabels: + VPC: + default: VPC + PublicSubnet: + default: Public subnet + PrivateSubnet: + default: Private subnet + InternalRouteTable: + default: Internal route table + StandaloneName: + default: Standalone Name + StandaloneInstanceType: + default: Standalone Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + StandaloneVersion: + default: License + Shell: + default: Admin shell + StandalonePasswordHash: + default: Standalone Password hash + StandaloneMaintenancePasswordHash: + default: Standalone Maintenance Password hash + 
ResourcesTagName: + default: Resources prefix tag + StandaloneHostname: + default: Standalone Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + StandaloneBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses +Parameters: + VPC: + Type: AWS::EC2::VPC::Id + MinLength: 1 + PublicSubnet: + Description: The public subnet of the Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + PrivateSubnet: + Description: The private subnet of the Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + InternalRouteTable: + Description: The route table id in which to set 0.0.0.0/0 route to the Security Gateway instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Gateway, this requires manual configuration in the route table. (optional) + Type: String + Default: '' + StandaloneName: + Type: String + Default: Check-Point-Instance + StandaloneInstanceType: + Description: The instance type of the Security Gateway & Management (Standalone) instance. 
+ Type: String + Default: c5.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. 
+ AllocatePublicAddress: + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Ec2 Instance Connect is not supported with versions prior to R80.40. + Default: false + Type: String + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + StandaloneVersion: + Description: Standalone Version & License. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + StandalonePasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + StandaloneMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). 
(optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ResourcesTagName: + Description: The name tag of the resources. (optional) + Type: String + Default: '' + StandaloneHostname: + Description: (optional) + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + StandaloneBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate. + with the Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management. + Server. 
(optional)
+ Type: String
+ AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$'
+Conditions:
+ ProvidedResourcesTag: !Not [!Equals [!Ref ResourcesTagName, '']]
+ AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+ EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']]
+ ProvidedRouteTable: !Not [!Equals [!Ref InternalRouteTable, '']]
+ EnableCloudWatch: !Equals [!Ref CloudWatch, true]
+ IsBYOL: !Equals [!Select [1, !Split ['-', !Ref StandaloneVersion]], 'BYOL']
+ EnableMetaDataToken: !Equals [!Ref MetaDataToken, true]
+Resources:
+ ReadyHandle:
+ Type: AWS::CloudFormation::WaitConditionHandle
+ Condition: AllocateAddress
+ Properties: {}
+ ReadyCondition:
+ Type: AWS::CloudFormation::WaitCondition
+ Condition: AllocateAddress
+ DependsOn: StandaloneInstance
+ Properties:
+ Handle: !Ref ReadyHandle
+ Timeout: 1800
+ StandaloneIAMRole:
+ Condition: EnableCloudWatch
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: [ ec2.amazonaws.com.cn ]
+ Action: sts:AssumeRole
+ Path: /
+ StandaloneInstanceProfile:
+ Condition: EnableCloudWatch
+ Type: AWS::IAM::InstanceProfile
+ Properties:
+ Path: /
+ Roles: [ !Ref StandaloneIAMRole ]
+ CloudwatchPolicy:
+ Condition: EnableCloudWatch
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/iam/cloudwatch-policy.yaml
+ Parameters:
+ PolicyName: !If [ ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName' ]
+ PolicyRole: !Ref StandaloneIAMRole
+ AMI:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/amis.yaml
+ Parameters:
+ Version: !If [IsBYOL, !Join ['-', [!Ref StandaloneVersion,MGMT]], !Ref StandaloneVersion]
+ ExternalNetworkInterface:
+ Type: AWS::EC2::NetworkInterface
+ 
Properties:
+ Tags:
+ - Key: Name
+ Value: !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - ExternalNetworkInterface
+ Description: eth0
+ SourceDestCheck: false
+ GroupSet:
+ - !Ref PermissiveSecurityGroup
+ SubnetId: !Ref PublicSubnet
+ InternalNetworkInterface:
+ Type: AWS::EC2::NetworkInterface
+ Properties:
+ Tags:
+ - Key: Name
+ Value: !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - InternalNetworkInterface
+ Description: eth1
+ SourceDestCheck: false
+ GroupSet:
+ - !Ref PermissiveSecurityGroup
+ SubnetId: !Ref PrivateSubnet
+ PermissiveSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ Tags:
+ - Key: Name
+ Value: !Join
+ - _
+ - - !If [ProvidedResourcesTag, !Ref ResourcesTagName, !Ref 'AWS::StackName']
+ - PermissiveSecurityGroup
+ GroupDescription: Permissive security group.
+ VpcId: !Ref VPC
+ SecurityGroupIngress:
+ - IpProtocol: -1
+ CidrIp: 0.0.0.0/0
+ InternalDefaultRoute:
+ Type: AWS::EC2::Route
+ Condition: ProvidedRouteTable
+ Properties:
+ DestinationCidrBlock: 0.0.0.0/0
+ NetworkInterfaceId: !Ref InternalNetworkInterface
+ RouteTableId: !Ref InternalRouteTable
+ StandaloneInstance:
+ Type: AWS::EC2::Instance
+ DependsOn: GatewayLaunchTemplate
+ Properties:
+ LaunchTemplate:
+ LaunchTemplateId: !Ref GatewayLaunchTemplate
+ Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber
+ DisableApiTermination: !Ref TerminationProtection
+ Tags:
+ - Key: Name
+ Value: !Ref StandaloneName
+ GatewayLaunchTemplate:
+ Type: AWS::EC2::LaunchTemplate
+ Properties:
+ LaunchTemplateData:
+ NetworkInterfaces:
+ - DeviceIndex: 0
+ NetworkInterfaceId: !Ref ExternalNetworkInterface
+ - DeviceIndex: 1
+ NetworkInterfaceId: !Ref InternalNetworkInterface
+ KeyName: !Ref KeyName
+ ImageId: !GetAtt AMI.Outputs.ImageId
+ InstanceType: !Ref StandaloneInstanceType
+ MetadataOptions:
+ HttpTokens: !If [EnableMetaDataToken, required, optional]
+ BlockDeviceMappings:
+ - 
DeviceName: '/dev/xvda'
+ Ebs:
+ Encrypted: !If [ EncryptedVolume, true, false ]
+ KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ]
+ VolumeType: !Ref VolumeType
+ VolumeSize: !Ref VolumeSize
+ IamInstanceProfile:
+ Name: !If [ EnableCloudWatch, !Ref StandaloneInstanceProfile, !Ref 'AWS::NoValue' ]
+ UserData:
+ 'Fn::Base64':
+ !Join
+ - |+
+
+ - - '#cloud-config'
+ - 'runcmd:'
+ - ' - |'
+ - ' set -e'
+ - !Sub ' admin_shell=${Shell} ; hostname=${StandaloneHostname} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; eic=${EnableInstanceConnect} ; eip=${AllocatePublicAddress} ; admin_subnet=${AdminCIDR}'
+ - !If [ AllocateAddress, !Sub ' wait_handle=''${ReadyHandle}''',!Ref 'AWS::NoValue' ]
+ - !Join [ '', [ ' bootstrap="$(echo ', 'Fn::Base64': !Ref StandaloneBootstrapScript, ')"' ] ]
+ - !Join [ '', [ ' pwd_hash="$(echo ', 'Fn::Base64': !Ref StandalonePasswordHash, ')"' ] ]
+ - !Join [ '', [ ' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref StandaloneMaintenancePasswordHash, ')"' ] ]
+ - !Sub [ ' version=${Version}', { Version: !Select [ 0, !Split [ '-', !Ref StandaloneVersion ] ] } ]
+ ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" waitHandle=\"${wait_handle}\" installationType=\"standalone\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"20250617\" templateName=\"standalone\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" bootstrapScript64=\"${bootstrap}\"'
+ VersionDescription: Initial template version
+ PublicAddress:
+ Type: AWS::EC2::EIP
+ Condition: AllocateAddress
+ Properties:
+ Domain: vpc
+ AddressAssoc:
+ Type: AWS::EC2::EIPAssociation
+ DependsOn: StandaloneInstance
+ Condition: AllocateAddress
+ 
Properties: + NetworkInterfaceId: !Ref ExternalNetworkInterface + AllocationId: !GetAtt PublicAddress.AllocationId + PrivateIpAddress: !GetAtt ExternalNetworkInterface.PrimaryPrivateIpAddress +Outputs: + PublicAddress: + Condition: AllocateAddress + Description: The public address of the Check Point instance. + Value: !Ref PublicAddress + SSH: + Condition: AllocateAddress + Description: SSH command to the Check Point instance. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + URL: + Condition: AllocateAddress + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress ]] diff --git a/china/aws/templates/tgw-asg/README.md b/china/aws/templates/tgw-asg/README.md new file mode 100644 index 00000000..3a8d94bb --- /dev/null +++ b/china/aws/templates/tgw-asg/README.md @@ -0,0 +1,40 @@ + +## Transit Gateway Auto Scaling Group + + + + + + + + + + + + + + + + + + + +
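Review bot: `GatewaysAddresses` is declared under `Parameters` (and `standalone-master.yaml` forwards it), but nothing in `Resources` reads it — the `/etc/cloud_config.py` invocation only forwards `adminSubnet=\"${admin_subnet}\"` — so the "Allow gateways only from this network" restriction the label promises is never applied. Because `PermissiveSecurityGroup` admits `IpProtocol: -1` from `CidrIp: 0.0.0.0/0` on both ENIs, the appliance's own policy is the only filter, and a deployer will wrongly believe this parameter narrowed it. Either forward it the way the admin subnet is (append `; gw_subnet=${GatewaysAddresses}` to the `!Sub` assignment line and pass a matching `key=\"${gw_subnet}\"` argument to `cloud_config.py` — that script is not visible here, so confirm the key it expects) or drop the parameter from this template and from the master's `StandaloneStack` parameter list. Separately, `NoEcho` only hides `StandalonePasswordHash`, `StandaloneMaintenancePasswordHash` and `StandaloneBootstrapScript` from the CloudFormation API; they land base64-encoded in instance user data, readable over IMDS and via `ec2:DescribeInstanceAttribute`, which is worth stating in those parameters' `Description` (e.g. `... Embedded in instance user data; keep MetaDataToken=true and restrict ec2:DescribeInstanceAttribute.`). The nested `TemplateURL`s (`utils/amis.yaml`, `iam/cloudwatch-policy.yaml`) are fetched unversioned from the vendor bucket at deploy time, so the deployed IAM policy and AMI mapping can change without any change to this template; a versioned object key would make deployments reproducible.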
    DescriptionNotesDirect Launch
    + Deploys and configured the Security Gateways as an AWS Auto Scaling group configured for Transit Gateway.

    For more details, refer to AWS Transit Gateway R80.10 and above Deployment Guide. +
    Creates a new VPC and deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into it, and an optional, preconfigured Security Management Server to manage them.
    Deploys an Auto Scaling group of Security Gateways configured for Transit Gateway into an existing VPC, and an optional, preconfigured Security Management Server to manage them.
    +
    +
    + +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------| +| 20240704 | - R80.40 version deprecation.
    - R81 version deprecation. | +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20240414 | Add support for Elastic Load Balancer Health Checks. | +| 20230923 | Add support for C5d instance type. | +| 20221226 | Support ASG Launch Template instead of Launch Configuration. | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support. | +| 20210329 | First release of Check Point Transit Gateway Auto Scaling Group Terraform module for AWS | diff --git a/china/aws/templates/tgw-asg/tgw-asg-master.yaml b/china/aws/templates/tgw-asg/tgw-asg-master.yaml new file mode 100644 index 00000000..0d54f802 --- /dev/null +++ b/china/aws/templates/tgw-asg/tgw-asg-master.yaml 
@@ -0,0 +1,681 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server in a new VPC (20250617). + See CloudGuard Network for AWS Auto Scale Group with Transit Gateway deployment guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - AutoScaleGroupName + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - CloudWatch + - ASN + - AdminEmail + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - ManagementPermissions + - ManagementPredefinedRole + - GatewaysBlades + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public Subnet 1 + PublicSubnet2CIDR: + default: Public Subnet 2 + 
PublicSubnet3CIDR: + default: Public Subnet 3 + PublicSubnet4CIDR: + default: Public Subnet 4 + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + GatewayName: + default: GatewayName + GatewayInstanceType: + default: Gateways instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Gateways version & license + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + CloudWatch: + default: CloudWatch metrics + ASN: + default: BGP ASN + AdminEmail: + default: Email address + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Instance type + ManagementVersion: + default: Version & license + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + GatewaysBlades: + default: Default Blades + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Manage Gateways + GatewaysAddresses: + default: Gateways addresses + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AutoScaleGroupName: + default: Auto Scale Group name +Parameters: + AvailabilityZones: + Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. 
+ Type: List + MinLength: 2 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 2 + MaxValue: 4 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. If you choose to deploy a Security Management Server it will be deployed in this subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. 
+ Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. 
+ Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + ASN: + Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways. + Type: String + AllowedPattern: '^[0-9]+$' + Default: 65000 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. 
(optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - 
r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The version and license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read-write permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'. + Type: String + Default: '' + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). 
+ Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: TGW-ASG-configuration + MinLength: 1 + MaxLength: 30 + AutoScaleGroupName: + Description: The Name of the Auto Scaling Group. 
(optional) + Type: String + Default: "" + MaxLength: 100 +Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PublicSubnet3CIDR: !Ref PublicSubnet3CIDR + PublicSubnet4CIDR: !Ref PublicSubnet4CIDR + CreatePrivateSubnets: false + MainStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/tgw-asg.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName] + GatewaysSubnets: !Join + - ',' + - - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue'] + - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue'] + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + AllowUploadDownload: !Ref AllowUploadDownload + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: 
!Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + CloudWatch: !Ref CloudWatch + ASN: !Ref ASN + AdminEmail: !Ref AdminEmail + ManagementDeploy: !Ref ManagementDeploy + ManagementInstanceType: !Ref ManagementInstanceType + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + ManagementPermissions: !Ref ManagementPermissions + ManagementPredefinedRole: !Ref ManagementPredefinedRole + GatewaysBlades: !Ref GatewaysBlades + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate +Outputs: + ManagementName: + Description: The name that represents the Security Management Server. + Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: !GetAtt MainStack.Outputs.ControllerName + ManagementPublicAddress: + Description: The public address of the management servers. 
+ Value: !GetAtt MainStack.Outputs.ManagementPublicAddress
+ Condition: DeployManagement
+Rules:
+ GatewayAddressRule:
+ RuleCondition: !Equals [!Ref ManagementDeploy, 'true']
+ Assertions:
+ - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided"
+ Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']]
diff --git a/china/aws/templates/tgw-asg/tgw-asg.yaml b/china/aws/templates/tgw-asg/tgw-asg.yaml
new file mode 100644
index 00000000..731649ce
--- /dev/null
+++ b/china/aws/templates/tgw-asg/tgw-asg.yaml
@@ -0,0 +1,682 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: | + Deploy an Auto Scaling Group of CloudGuard Security Gateways for Transit Gateway with an optional Management Server into an existing VPC (20250617). + See CloudGuard Network for AWS Auto Scale Group with Transit Gateway deployment guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Network Configuration + Parameters: + - VPC + - GatewaysSubnets + - Label: + default: General Settings + Parameters: + - KeyName + - EnableVolumeEncryption + - VolumeSize + - VolumeType + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - AllowUploadDownload + - Label: + default: Check Point CloudGuard IaaS Security Gateways Auto Scaling Group Configuration + Parameters: + - AutoScaleGroupName + - GatewayName + - GatewayInstanceType + - GatewaysMinSize + - GatewaysMaxSize + - GatewayVersion + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - CloudWatch + - ASN + - AdminEmail + - Label: + default: Check Point CloudGuard IaaS Security Management Server Configuration + Parameters: + - ManagementDeploy + - ManagementInstanceType + - ManagementVersion + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - ManagementPermissions + - ManagementPredefinedRole + - GatewaysBlades + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + ParameterLabels: + VPC: + default: VPC + GatewaysSubnets: + default: Subnets + KeyName: + default: Key name + EnableVolumeEncryption: + default: Enable environment volume encryption + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableInstanceConnect: + default: Enable AWS Instance Connect + 
TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + AllowUploadDownload: + default: Allow upload & download + GatewayName: + default: Name + GatewayInstanceType: + default: Instance type + GatewaysMinSize: + default: Minimum group size + GatewaysMaxSize: + default: Maximum group size + GatewayVersion: + default: Version & license + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + CloudWatch: + default: CloudWatch metrics + ASN: + default: BGP ASN + AdminEmail: + default: Email address + ManagementDeploy: + default: Deploy Management Server + ManagementInstanceType: + default: Instance type + ManagementVersion: + default: Version & license + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + GatewaysBlades: + default: Default Blades + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + GatewayManagement: + default: Manage Gateways + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + AutoScaleGroupName: + default: Auto Scale Group name +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: You must select a VPC. + GatewaysSubnets: + Description: Select at least 2 external subnets in the VPC. If you choose to deploy a Security Management Server it will be deployed in the first subnet. + Type: List + MinLength: 2 + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances created by this stack. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + EnableVolumeEncryption: + Description: Encrypt Environment instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The EC2 instance type for the Security Gateways. 
+ Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + GatewaysMinSize: + Description: The minimal number of Security Gateways. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of Security Gateways. 
+ Type: Number + Default: 10 + MinValue: 1 + GatewayVersion: + Description: The version and license to install on the Security Gateways. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + AllowedPattern: '[a-zA-Z0-9]{8,}' + ConstraintDescription: Secure Internal Communication activation key should contain only alpha numeric characters and be at least 8 characters long. + NoEcho: true + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + ASN: + Description: The organization Autonomous System Number (ASN) that identifies the routing domain for the Security Gateways. + Type: String + Default: 65000 + AllowedPattern: '^[0-9]+$' + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. 
(optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + ManagementDeploy: + Description: Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementInstanceType: + Description: The EC2 instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - 
r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: Must be a valid EC2 instance type + ManagementVersion: + Description: The version and license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + - R82.10-BYOL + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read-write permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored if IAM role is not set to 'Use existing'. 
+ Type: String + Default: '' + GatewaysBlades: + Description: Turn on the Intrusion Prevention System, Application Control, Anti-Virus and Anti-Bot Blades (these and additional Blades can be manually turned on or off later). + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2])))?$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Security Management Server. + Type: String + AllowedPattern: '^$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: TGW-ASG-configuration + MinLength: 1 + MaxLength: 30 + AutoScaleGroupName: + Description: The Name of the Auto Scaling Group. 
(optional) + Type: String + Default: "" + MaxLength: 100 +Conditions: + VolumeEncryption: !Equals [!Ref EnableVolumeEncryption, true] + DeployManagement: !Equals [!Ref ManagementDeploy, true] + GenerateAutoScalingName: !Equals [!Ref AutoScaleGroupName, ""] +Resources: + ManagementStack: + Type: AWS::CloudFormation::Stack + Condition: DeployManagement + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/management/management.yaml + Parameters: + VPC: !Ref VPC + ManagementSubnet: !Select [0, !Ref GatewaysSubnets] + ManagementName: !Ref ManagementServer + ManagementInstanceType: !Ref ManagementInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: true + VolumeEncryption: !If [VolumeEncryption, alias/aws/ebs, ''] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + ManagementPermissions: !Ref ManagementPermissions + ManagementPredefinedRole: !Ref ManagementPredefinedRole + ManagementVersion: !Ref ManagementVersion + ManagementPasswordHash: !Ref ManagementPasswordHash + ManagementMaintenancePasswordHash: !Ref ManagementMaintenancePasswordHash + AllowUploadDownload: !Ref AllowUploadDownload + AdminCIDR: !Ref AdminCIDR + GatewayManagement: !Ref GatewayManagement + GatewaysAddresses: !Ref GatewaysAddresses + ManagementBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Setting up bootstrap parameters"' + - !Sub 'conf_template=${ConfigurationTemplate} ; mgmt=${ManagementServer} ; region=${AWS::Region} ; blades=${GatewaysBlades}' + - !Sub ['version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - !Join ['', ['sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ' | base64 -d)"']] + - 'community="tgw-community" ; controller="tgw-controller"' + - 'echo "Adding tgw identifier to cloud-version"' + - 'template="management_tgw_asg"' + - 
'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo "Configuring VPN community: ${community}"' + - '[[ -d /opt/CPcme/menu/additions ]] && /opt/CPcme/menu/additions/config-community.sh "${community}" || /etc/fw/scripts/autoprovision/config-community.sh "${community}"' + - 'echo "Setting VPN rules"' + - 'mgmt_cli -r true add access-layer name "Inline"' + - 'mgmt_cli -r true add access-rule layer Network position 1 name "${community} VPN Traffic Rule" vpn.directional.1.from "${community}" vpn.directional.1.to "${community}" vpn.directional.2.from "${community}" vpn.directional.2.to External_clear action "Apply Layer" source "Any" destination "Any" service "Any" inline-layer "Inline"' + - 'mgmt_cli -r true add dynamic-object name "LocalGateway"' + - 'mgmt_cli -r true add nat-rule package standard position bottom install-on "Policy Targets" original-source All_Internet translated-source "LocalGateway" method hide' + - 'echo "Setting CME configurations"' + - 'autoprov_cfg -f init AWS -mn "${mgmt}" -tn "${conf_template}" -cn "${controller}" -po Standard -otp "${sic}" -r "${region}" -ver "${version}" -iam -dt TGW' + - 'autoprov_cfg -f set controller AWS -cn "${controller}" -sv -com "${community}"' + - 'autoprov_cfg -f set template -tn "${conf_template}" -vpn -vd "" -con "${community}"' + - '${blades} && autoprov_cfg -f set template -tn "${conf_template}" -ia -ips -appi -av -ab' + - 'echo -e "\nFinished Bootstrap script\n"' + SecurityGatewaysStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/autoscale/autoscale.yaml + Parameters: + 
VPC: !Ref VPC + AutoScaleGroupName: !If [GenerateAutoScalingName, !Join ["-", [!Ref 'AWS::StackName', GatewayGroup]], !Ref AutoScaleGroupName] + GatewaysSubnets: !Join [',', !Ref GatewaysSubnets] + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + EnableVolumeEncryption: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + EnableInstanceConnect: !Ref EnableInstanceConnect + MetaDataToken: !Ref MetaDataToken + GatewaysMinSize: !Ref GatewaysMinSize + GatewaysMaxSize: !Ref GatewaysMaxSize + AdminEmail: !Ref AdminEmail + GatewayVersion: !Ref GatewayVersion + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Join + - ';' + - - 'echo -e "\nStarting Bootstrap script\n"' + - 'echo "Setting up bootstrap parameters"' + - !Sub 'asn=${ASN}' + - 'echo "Adding tgw identifier to cloud-version"' + - 'template="autoscale_tgw"' + - 'cv_path="/etc/cloud-version"' + - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi' + - 'cv_json_path="/etc/cloud-version.json"' + - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"' + - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi' + - 'echo "Setting ASN to: ${asn}"' + - 'clish -c "set as ${asn}" -s' + - 'echo -e "\nFinished Bootstrap script\n"' + ControlGatewayOverPrivateOrPublicAddress: !Ref ControlGatewayOverPrivateOrPublicAddress + ManagementServer: !Ref ManagementServer + ConfigurationTemplate: !Ref ConfigurationTemplate +Outputs: + ManagementName: + Description: The name that represents the Security Management Server. 
+ Value: !Ref ManagementServer + ConfigurationTemplateName: + Description: The name that represents the configuration template. Configurations required to automatically provision the Gateways in the Auto Scaling Group, such as what Security Policy to install and which Blades to enable, will be placed under this template name. + Value: !Ref ConfigurationTemplate + ControllerName: + Description: The name that represents the controller. Configurations required to connect to your AWS environment, such as credentials and regions, will be placed under this controller name. + Value: tgw-controller + ManagementPublicAddress: + Description: The public address of the management servers. + Value: !GetAtt ManagementStack.Outputs.PublicAddress + Condition: DeployManagement +Rules: + GatewayAddressRule: + RuleCondition: !Equals [!Ref ManagementDeploy, 'true'] + Assertions: + - AssertDescription: "Gateway's netowrk to communicate with the Security Management Server must be provided" + Assert: !Not [ !Equals [!Ref GatewaysAddresses, '']] diff --git a/china/aws/templates/tgw-cross-az-cluster/README.md b/china/aws/templates/tgw-cross-az-cluster/README.md new file mode 100644 index 00000000..638194c6 --- /dev/null +++ b/china/aws/templates/tgw-cross-az-cluster/README.md @@ -0,0 +1,38 @@ + +## Transit Gateway Cross Availability Zone Cluster + + + + + + + + + + + + + + + + + + + +
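Review bot: The SIC key is spliced into the composed `ManagementBootstrapScript` string (`'Fn::Base64': !Ref GatewaySICKey` under the ManagementStack parameters), so the NoEcho marking on `GatewaySICKey` no longer covers it there — base64 is an encoding, not protection, and the assembled script is readable wherever that nested-stack parameter or the resulting instance user data can be read, unless management.yaml declares `ManagementBootstrapScript` as NoEcho, which is not visible here; passing the key to the nested template as its own NoEcho parameter rather than embedding it in the script would keep the secret out of plain stack metadata. The same hunk lets `AdminCIDR` be empty (its AllowedPattern wraps the whole expression in an optional group and there is no MinLength) while `GatewayAddressRule` insists on a non-empty `GatewaysAddresses`; a parallel `AdminAddressRule` with the same RuleCondition and `Assert: !Not [!Equals [!Ref AdminCIDR, '']]` would stop an unbounded administrator access list from slipping through, assuming management.yaml does not already reject the empty value. `ManagementPasswordHash` uses the unanchored `'[\$\./a-zA-Z0-9]*'` whereas `GatewayPasswordHash` in this file uses `'^[\$\./a-zA-Z0-9]*$'`; CloudFormation matches AllowedPattern against the entire value either way, so this is a consistency nit only. The AssertDescription still reads "netowrk" (also in the preceding tgw-asg-master.yaml hunk).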
    DescriptionNotesDirect Launch
    + Deploys two Security Gateways, each in a different Availability Zone, configured for Transit Gateway.

    For more details, refer to Cross Availability Zone Cluster for AWS R81.20 Administration Guide. +
    Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into it.
    Deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into an existing VPC.
    +
    +
    +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------| +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
    - Add description for reserved words in hostname | +| 20230503 | Smart-1 Cloud token validation. | +| 20230411 | - Improved deployment experience for gateways and clusters managed by Smart-1 Cloud.
    - Multiple VIPs support for Cross Availability Zone Cluster. | +| 20221229 | Removed unsupported versions. | +| 20221123 | Templates version 20221120 and above support R81.20 | diff --git a/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml b/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml new file mode 100644 index 00000000..809d13b9 --- /dev/null +++ b/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster-master.yaml 
@@ -0,0 +1,527 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+ Deploy a Check Point TGW Cross Availabilty Zone Cluster in a new VPC (20250617).
+ See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment guide for detailed deployment and configuration steps.
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - AvailabilityZones
+ - VPCCIDR
+ - PublicSubnet1CIDR
+ - PublicSubnet2CIDR
+ - PrivateSubnet1CIDR
+ - PrivateSubnet2CIDR
+ - TgwSubnet1CIDR
+ - TgwSubnet2CIDR
+ - Label:
+ default: EC2 Instance Configuration
+ Parameters:
+ - GatewayName
+ - GatewayInstanceType
+ - KeyName
+ - AllocatePublicAddress
+ - VolumeSize
+ - VolumeType
+ - VolumeEncryption
+ - EnableInstanceConnect
+ - GatewayPredefinedRole
+ - TerminationProtection
+ - MetaDataToken
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - GatewayVersion
+ - Shell
+ - GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
+ - GatewaySICKey
+ - Label:
+ default: Quick connect to Smart-1 Cloud (Recommended)
+ Parameters:
+ - MemberAToken
+ - MemberBToken
+ - Label:
+ default: Advanced Settings
+ Parameters:
+ - ResourcesTagName
+ - GatewayHostname
+ - AllowUploadDownload
+ - CloudWatch
+ - GatewayBootstrapScript
+ - NTPPrimary
+ - NTPSecondary
+ ParameterLabels:
+ AvailabilityZones:
+ default: Availability zones
+ VPCCIDR:
+ default: VPC CIDR
+ PublicSubnet1CIDR:
+ default: Public subnet 1 CIDR
+ PublicSubnet2CIDR:
+ default: Public subnet 2 CIDR
+ PrivateSubnet1CIDR:
+ default: Private subnet 1 CIDR
+ PrivateSubnet2CIDR:
+ default: Private subnet 2 CIDR
+ TgwSubnet1CIDR:
+ default: TGW HA subnet 1 CIDR
+ TgwSubnet2CIDR:
+ default: TGW HA subnet 2 CIDR
+ GatewayName:
+ default: Gateway Name
+ GatewayInstanceType:
+ default: Security Gateways instance type
+ KeyName:
+ default: Key name
+ AllocatePublicAddress:
+ default: Allocate Elastic IPs for cluster members
+ VolumeSize:
+ default: Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ VolumeEncryption:
+ default: Volume encryption KMS key identifier
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ GatewayPredefinedRole:
+ default: Existing IAM role name
+ TerminationProtection:
+ default: Termination Protection
+ MetaDataToken:
+ default: Metadata HTTP token
+ GatewayVersion:
+ default: Gateways version & license
+ Shell:
+ default: Admin shell
+ GatewayPasswordHash:
+ default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
+ GatewaySICKey:
+ default: SIC key
+ MemberAToken:
+ default: Smart-1 Cloud Token for member A
+ MemberBToken:
+ default: Smart-1 Cloud Token for member B
+ ResourcesTagName:
+ default: Resources prefix tag
+ GatewayHostname:
+ default: Gateway Hostname
+ AllowUploadDownload:
+ default: Allow upload & download
+ CloudWatch:
+ default: CloudWatch metrics
+ GatewayBootstrapScript:
+ default: Bootstrap Script
+ NTPPrimary:
+ default: Primary NTP server
+ NTPSecondary:
+ default: Secondary NTP server
+Parameters:
+ AvailabilityZones:
+ Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved).
+ Type: List
+ MinLength: 2
+ VPCCIDR:
+ Description: The CIDR block of the provided VPC.
+ Type: String
+ Default: 10.0.0.0/16
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PublicSubnet1CIDR:
+ Description: The 1st external subnet of the cluster. The cluster's public IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.10.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PublicSubnet2CIDR:
+ Description: The 2nd external subnet of the cluster. The cluster's public IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.20.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PrivateSubnet1CIDR:
+ Description: The 1st internal subnet of the cluster. The cluster's private IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.11.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ PrivateSubnet2CIDR:
+ Description: The 2nd internal subnet of the cluster. The cluster's private IPs will be generated from this subnet.
+ Type: String
+ Default: 10.0.21.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ TgwSubnet1CIDR:
+ Description: The 1st TGW HA subnet of the TGW VPC attachment.
+ Type: String
+ Default: 10.0.12.0/24
+ AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28.
+ TgwSubnet2CIDR:
+ Description: The 2nd TGW HA subnet of the TGW VPC attachment.
+ Type: String
+ Default: 10.0.22.0/24
+ ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
+ GatewayName:
+ Description: The name tag of the Security Gateway instances. (optional)
+ Type: String
+ Default: Check-Point-Cluster
+ GatewayInstanceType:
+ Description: The instance type of the Secutiry Gateway.
+ Type: String
+ Default: c6i.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the instance.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ AllocatePublicAddress:
+ Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ Default: 100
+ MinValue: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ VolumeEncryption:
+ Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+ Type: String
+ Default: alias/aws/ebs
+ EnableInstanceConnect:
+ Description: Enable SSH connection over AWS web console.
+ Default: false
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ GatewayPredefinedRole:
+ Description: A predefined IAM role to attach to the cluster profile. (optional)
+ Type: String
+ Default: ''
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ MetaDataToken:
+ Description: Set true to deploy the instance with metadata v2 token required.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ GatewayVersion:
+ Type: String
+ Default: R81.20-BYOL
+ AllowedValues:
+ - R81.20-BYOL
+ - R82-BYOL
+ - R82.10-BYOL
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration.
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ GatewayPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+ to get the PASSWORD's hash). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaySICKey:
+ Description: The Secure Internal Communication key creates trusted connections
+ between Check Point components. Choose a random string consisting of at least
+ 8 alphanumeric characters.
+ Type: String
+ AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+ ConstraintDescription: At least 8 alpha numeric characters.
+ NoEcho: true
+ MemberAToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ MemberBToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ ResourcesTagName:
+ Description: Name tag prefix of the resources. (optional)
+ Type: String
+ Default: ''
+ GatewayHostname:
+ Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+ Type: String
+ Default: ''
+ AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+ ConstraintDescription: A valid hostname label or an empty string.
+ AllowUploadDownload:
+ Description: Automatically download updates and share statistical data for product improvement purpose.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+ Type: String
+ Default: ''
+ NoEcho: true
+ NTPPrimary:
+ Description: (optional)
+ Type: String
+ Default: 169.254.169.123
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+ NTPSecondary:
+ Description: (optional)
+ Type: String
+ Default: 0.pool.ntp.org
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+ AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+ VPCStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml
+ Parameters:
+ AvailabilityZones: !Join [',', !Ref AvailabilityZones]
+ NumberOfAZs: 2
+ VPCCIDR: !Ref VPCCIDR
+ PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
+ PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
+ PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR
+ PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR
+ CreateAttachmentSubnets: true
+ AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR
+ AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR
+ InternalRouteTable:
+ Type: AWS::EC2::RouteTable
+ DependsOn: VPCStack
+ Properties:
+ VpcId: !GetAtt VPCStack.Outputs.VPCID
+ Tags:
+ - Key: Name
+ Value: Private Subnets Route Table
+ ClusterStack:
+ Type: AWS::CloudFormation::Stack
+ DependsOn: VPCStack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-cross-az-cluster.yaml
+ Parameters:
+ VPC: !GetAtt VPCStack.Outputs.VPCID
+ PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID
+ PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID
+ PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID
+ PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID
+ TgwHASubnetA: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID
+ TgwHASubnetB: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID
+ InternalRouteTable: !Ref InternalRouteTable
+ GatewayName: !Ref GatewayName
+ GatewayInstanceType: !Ref GatewayInstanceType
+ KeyName: !Ref KeyName
+ AllocatePublicAddress: !Ref AllocatePublicAddress
+ VolumeSize: !Ref VolumeSize
+ VolumeType: !Ref VolumeType
+ VolumeEncryption: !Ref VolumeEncryption
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ GatewayPredefinedRole: !Ref GatewayPredefinedRole
+ TerminationProtection: !Ref TerminationProtection
+ MetaDataToken: !Ref MetaDataToken
+ GatewayVersion: !Ref GatewayVersion
+ Shell: !Ref Shell
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref GatewaySICKey
+ MemberAToken: !Ref MemberAToken
+ MemberBToken: !Ref MemberBToken
+ ResourcesTagName: !Ref ResourcesTagName
+ GatewayHostname: !Ref GatewayHostname
+ AllowUploadDownload: !Ref AllowUploadDownload
+ CloudWatch: !Ref CloudWatch
+ GatewayBootstrapScript: !Ref GatewayBootstrapScript
+ NTPPrimary: !Ref NTPPrimary
+ NTPSecondary: !Ref NTPSecondary
+Outputs:
+ ClusterPublicAddress:
+ Description: The public address of the cluster.
+ Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress
+ MemberAPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+ MemberASSH:
+ Condition: AllocateAddress
+ Description: SSH command to member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberASSH
+ MemberAURL:
+ Condition: AllocateAddress
+ Description: URL to the member A portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberAURL
+ MemberBPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+ MemberBSSH:
+ Condition: AllocateAddress
+ Description: SSH command to member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+ MemberBURL:
+ Condition: AllocateAddress
+ Description: URL to the member B portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL
+Rules:
+ MemberATokenNotProvided:
+ RuleCondition: !Equals [!Ref MemberAToken, '']
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ Assert: !Equals [!Ref MemberBToken, '']
+ MemberBTokenNotProvided:
+ RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ MembersTokenValueEquals:
+ RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+ Assertions:
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberBToken, '' ]
diff --git a/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml b/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml new file mode 100644
index 00000000..2c0ec653
--- /dev/null
+++ b/china/aws/templates/tgw-cross-az-cluster/tgw-cross-az-cluster.yaml
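Review bot: `TgwSubnet2CIDR` is the only CIDR parameter in this template without an `AllowedPattern`; it carries the same `ConstraintDescription` as its siblings, but nothing here validates the value before it is handed to the nested VPC stack as `AttachmentSubnet2CIDR`. Add `AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'` after its `Default` line, exactly as `TgwSubnet1CIDR` has it. Separately, the `MemberAToken`/`MemberBToken` pattern `(.*)\s[aHR0cHM6Ly9](.+)` wraps the expected prefix in a character class, so any value containing whitespace followed by a single one of those characters is accepted; if the prefix is meant literally, as the first alternative suggests, the group should be `(.*)\s(aHR0cHM6Ly9)(.+)`, and the same pattern appears in tgw-cross-az-cluster.yaml. `GatewayVersion` and `VolumeSize` also lack a `Description`, while the existing-VPC template in this commit documents `GatewayVersion` as `The license to install on the Security Gateways.`.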
@@ -0,0 +1,523 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+ Deploys a Check Point TGW Cross Availabilty Zone Cluster into an existing VPC (20250617).
+ See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment guide for detailed deployment and configuration steps.
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: VPC Network Configuration
+ Parameters:
+ - VPC
+ - PublicSubnetA
+ - PublicSubnetB
+ - PrivateSubnetA
+ - PrivateSubnetB
+ - TgwHASubnetA
+ - TgwHASubnetB
+ - InternalRouteTable
+ - Label:
+ default: EC2 Instance Configuration
+ Parameters:
+ - GatewayName
+ - GatewayInstanceType
+ - KeyName
+ - AllocatePublicAddress
+ - VolumeSize
+ - VolumeType
+ - VolumeEncryption
+ - EnableInstanceConnect
+ - GatewayPredefinedRole
+ - TerminationProtection
+ - MetaDataToken
+ - Label:
+ default: Check Point Settings
+ Parameters:
+ - GatewayVersion
+ - Shell
+ - GatewayPasswordHash
+ - GatewayMaintenancePasswordHash
+ - GatewaySICKey
+ - Label:
+ default: Quick connect to Smart-1 Cloud (Recommended)
+ Parameters:
+ - MemberAToken
+ - MemberBToken
+ - Label:
+ default: Advanced Settings
+ Parameters:
+ - ResourcesTagName
+ - GatewayHostname
+ - AllowUploadDownload
+ - CloudWatch
+ - GatewayBootstrapScript
+ - NTPPrimary
+ - NTPSecondary
+ ParameterLabels:
+ VPC:
+ default: VPC
+ PublicSubnetA:
+ default: Public subnet 1
+ PublicSubnetB:
+ default: Public subnet 2
+ PrivateSubnetA:
+ default: Private subnet 1
+ PrivateSubnetB:
+ default: Private subnet 2
+ TgwHASubnetA:
+ default: TGW HA subnet 1
+ TgwHASubnetB:
+ default: TGW HA subnet 2
+ InternalRouteTable:
+ default: Internal route table
+ GatewayName:
+ default: Gateway Name
+ GatewayInstanceType:
+ default: Security Gateways instance type
+ KeyName:
+ default: Key name
+ AllocatePublicAddress:
+ default: Allocate Elastic IPs for cluster members
+ VolumeSize:
+ default: Root volume size (GB)
+ VolumeType:
+ default: Volume Type
+ VolumeEncryption:
+ default: Volume encryption KMS key identifier
+ EnableInstanceConnect:
+ default: Enable AWS Instance Connect
+ GatewayPredefinedRole:
+ default: Existing IAM role name
+ TerminationProtection:
+ default: Termination Protection
+ MetaDataToken:
+ default: Metadata HTTP token
+ GatewayVersion:
+ default: Gateways version & license
+ Shell:
+ default: Admin shell
+ GatewayPasswordHash:
+ default: Password hash
+ GatewayMaintenancePasswordHash:
+ default: Gateway Maintenance Password hash
+ GatewaySICKey:
+ default: SIC key
+ MemberAToken:
+ default: Smart-1 Cloud Token for member A
+ MemberBToken:
+ default: Smart-1 Cloud Token for member B
+ ResourcesTagName:
+ default: Resources prefix tag
+ GatewayHostname:
+ default: Gateway Hostname
+ AllowUploadDownload:
+ default: Allow upload & download
+ CloudWatch:
+ default: CloudWatch metrics
+ GatewayBootstrapScript:
+ default: Bootstrap Script
+ NTPPrimary:
+ default: Primary NTP server
+ NTPSecondary:
+ default: Secondary NTP server
+Parameters:
+ VPC:
+ Description: Select an existing VPC.
+ Type: AWS::EC2::VPC::Id
+ MinLength: 1
+ ConstraintDescription: you must select a VPC.
+ PublicSubnetA:
+ Description: Select a public subnet for the first Security Gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a public subnet for the first Security Gateway.
+ PublicSubnetB:
+ Description: Select a public subnet for the second Security Gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a public subnet for the second Security Gateway.
+ PrivateSubnetA:
+ Description: Select a private subnet for the first Security Gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a private subnet for the first Security Gateway.
+ PrivateSubnetB:
+ Description: Select a private subnet for the second Security Gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a private subnet for the second Security Gateway.
+ TgwHASubnetA:
+ Description: Select a TGW HA subnet for the first Security Gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a TGW HA subnet for the first Security Gateway.
+ TgwHASubnetB:
+ Description: Select a TGW HA subnet for the second Security Gateway.
+ Type: AWS::EC2::Subnet::Id
+ MinLength: 1
+ ConstraintDescription: you must select a TGW HAsubnet for the second Security Gateway.
+ InternalRouteTable:
+ Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional)
+ Type: String
+ Default: ''
+ GatewayName:
+ Description: The name tag of the Security Gateway instances. (optional)
+ Type: String
+ Default: Check-Point-Cluster
+ GatewayInstanceType:
+ Description: The instance type of the Secutiry Gateway.
+ Type: String
+ Default: c6i.xlarge
+ AllowedValues:
+ - c4.large
+ - c4.xlarge
+ - c5.large
+ - c5.xlarge
+ - c5.2xlarge
+ - c5.4xlarge
+ - c5.9xlarge
+ - c5.12xlarge
+ - c5.18xlarge
+ - c5.24xlarge
+ - c5n.large
+ - c5n.xlarge
+ - c5n.2xlarge
+ - c5n.4xlarge
+ - c5n.9xlarge
+ - c5n.18xlarge
+ - c5d.large
+ - c5d.xlarge
+ - c5d.2xlarge
+ - c5d.4xlarge
+ - c5d.9xlarge
+ - c5d.12xlarge
+ - c5d.18xlarge
+ - c5d.24xlarge
+ - m5.large
+ - m5.xlarge
+ - m5.2xlarge
+ - m5.4xlarge
+ - m5.8xlarge
+ - m5.12xlarge
+ - m5.16xlarge
+ - m5.24xlarge
+ - m6i.large
+ - m6i.xlarge
+ - m6i.2xlarge
+ - m6i.4xlarge
+ - m6i.8xlarge
+ - m6i.12xlarge
+ - m6i.16xlarge
+ - m6i.24xlarge
+ - m6i.32xlarge
+ - c6i.large
+ - c6i.xlarge
+ - c6i.2xlarge
+ - c6i.4xlarge
+ - c6i.8xlarge
+ - c6i.12xlarge
+ - c6i.16xlarge
+ - c6i.24xlarge
+ - c6i.32xlarge
+ - r5.large
+ - r5.xlarge
+ - r5.2xlarge
+ - r5.4xlarge
+ - r5.8xlarge
+ - r5.12xlarge
+ - r5.16xlarge
+ - r5.24xlarge
+ - r5a.large
+ - r5a.xlarge
+ - r5a.2xlarge
+ - r5a.4xlarge
+ - r5a.8xlarge
+ - r5a.12xlarge
+ - r5a.16xlarge
+ - r5a.24xlarge
+ - r5b.large
+ - r5b.xlarge
+ - r5b.2xlarge
+ - r5b.4xlarge
+ - r5b.8xlarge
+ - r5b.12xlarge
+ - r5b.16xlarge
+ - r5b.24xlarge
+ - r5n.large
+ - r5n.xlarge
+ - r5n.2xlarge
+ - r5n.4xlarge
+ - r5n.8xlarge
+ - r5n.12xlarge
+ - r5n.16xlarge
+ - r5n.24xlarge
+ - r6i.large
+ - r6i.xlarge
+ - r6i.2xlarge
+ - r6i.4xlarge
+ - r6i.8xlarge
+ - r6i.12xlarge
+ - r6i.16xlarge
+ - r6i.24xlarge
+ - r6i.32xlarge
+ - m6a.large
+ - m6a.xlarge
+ - m6a.2xlarge
+ - m6a.4xlarge
+ - m6a.8xlarge
+ - m6a.12xlarge
+ - m6a.16xlarge
+ - m6a.24xlarge
+ - m6a.32xlarge
+ - m6a.48xlarge
+ ConstraintDescription: must be a valid EC2 instance type.
+ KeyName:
+ Description: The EC2 Key Pair to allow SSH access to the Security Gateways.
+ Type: AWS::EC2::KeyPair::KeyName
+ MinLength: 1
+ ConstraintDescription: must be the name of an existing EC2 KeyPair.
+ AllocatePublicAddress:
+ Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP.
+ Default: true
+ Type: String
+ AllowedValues:
+ - true
+ - false
+ VolumeSize:
+ Type: Number
+ Default: 100
+ MinValue: 100
+ VolumeType:
+ Description: General Purpose SSD Volume Type
+ Type: String
+ Default: gp3
+ AllowedValues:
+ - gp3
+ - gp2
+ VolumeEncryption:
+ Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs').
+ Type: String
+ Default: alias/aws/ebs
+ EnableInstanceConnect:
+ Description: Enable SSH connection over AWS web console.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayPredefinedRole:
+ Description: A predefined IAM role to attach to the cluster profile. (optional)
+ Type: String
+ Default: ''
+ TerminationProtection:
+ Description: Prevents an instance from accidental termination.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ MetaDataToken:
+ Description: Set true to deploy the instance with metadata v2 token required.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ GatewayVersion:
+ Description: The license to install on the Security Gateways.
+ Type: String
+ Default: R81.20-BYOL
+ AllowedValues:
+ - R81.20-BYOL
+ - R82-BYOL
+ - R82.10-BYOL
+ Shell:
+ Description: Change the admin shell to enable advanced command line configuration.
+ Type: String
+ Default: /etc/cli.sh
+ AllowedValues:
+ - /etc/cli.sh
+ - /bin/bash
+ - /bin/csh
+ - /bin/tcsh
+ GatewayPasswordHash:
+ Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD"
+ to get the PASSWORD's hash). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '^[\$\./a-zA-Z0-9]*$'
+ NoEcho: true
+ GatewayMaintenancePasswordHash:
+ Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional)
+ Type: String
+ Default: ''
+ AllowedPattern: '[\$\./a-zA-Z0-9]*'
+ NoEcho: true
+ GatewaySICKey:
+ Description: The Secure Internal Communication key creates trusted connections
+ between Check Point components. Choose a random string consisting of at least
+ 8 alphanumeric characters.
+ Type: String
+ AllowedPattern: '^[a-zA-Z0-9]{8,}$'
+ ConstraintDescription: At least 8 alpha numeric characters.
+ NoEcho: true
+ MemberAToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ MemberBToken:
+ Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal.
+ AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'
+ Type: String
+ NoEcho: true
+ ResourcesTagName:
+ Description: Name tag prefix of the resources. (optional)
+ Type: String
+ Default: ''
+ GatewayHostname:
+ Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179.
+ Type: String
+ Default: ''
+ AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$'
+ ConstraintDescription: A valid hostname label or an empty string.
+ AllowUploadDownload:
+ Description: Automatically download updates and share statistical data for product improvement purpose.
+ Type: String
+ Default: true
+ AllowedValues:
+ - true
+ - false
+ CloudWatch:
+ Description: Report Check Point specific CloudWatch metrics.
+ Type: String
+ Default: false
+ AllowedValues:
+ - true
+ - false
+ GatewayBootstrapScript:
+ Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional)
+ Type: String
+ Default: ''
+ NoEcho: true
+ NTPPrimary:
+ Description: (optional)
+ Type: String
+ Default: 169.254.169.123
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+ NTPSecondary:
+ Description: (optional)
+ Type: String
+ Default: 0.pool.ntp.org
+ AllowedPattern: '^[\.a-zA-Z0-9\-]*$'
+Conditions:
+ AllocateAddress: !Equals [!Ref AllocatePublicAddress, true]
+Resources:
+ ClusterStack:
+ Type: AWS::CloudFormation::Stack
+ Properties:
+ TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster.yaml
+ Parameters:
+ VPC: !Ref VPC
+ PublicSubnetA: !Ref PublicSubnetA
+ PublicSubnetB: !Ref PublicSubnetB
+ PrivateSubnetA: !Ref PrivateSubnetA
+ PrivateSubnetB: !Ref PrivateSubnetB
+ InternalRouteTable: !Ref InternalRouteTable
+ GatewayName: !Ref GatewayName
+ GatewayInstanceType: !Ref GatewayInstanceType
+ KeyName: !Ref KeyName
+ AllocatePublicAddress: !Ref AllocatePublicAddress
+ VolumeSize: !Ref VolumeSize
+ VolumeType: !Ref VolumeType
+ VolumeEncryption: !Ref VolumeEncryption
+ EnableInstanceConnect: !Ref EnableInstanceConnect
+ GatewayPredefinedRole: !Ref GatewayPredefinedRole
+ TerminationProtection: !Ref TerminationProtection
+ MetaDataToken: !Ref MetaDataToken
+ GatewayVersion: !Ref GatewayVersion
+ Shell: !Ref Shell
+ GatewayPasswordHash: !Ref GatewayPasswordHash
+ GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash
+ GatewaySICKey: !Ref GatewaySICKey
+ MemberAToken: !Ref MemberAToken
+ MemberBToken: !Ref MemberBToken
+ ResourcesTagName: !Ref ResourcesTagName
+ GatewayHostname: !Ref GatewayHostname
+ AllowUploadDownload: !Ref AllowUploadDownload
+ CloudWatch: !Ref CloudWatch
+ GatewayBootstrapScript: !Ref GatewayBootstrapScript
+ NTPPrimary: !Ref NTPPrimary
+ NTPSecondary: !Ref NTPSecondary
+ TGWRouteTable:
+ Type: AWS::EC2::RouteTable
+ Properties:
+ VpcId: !Ref VPC
+ Tags:
+ - Key: Name
+ Value: TGW Subnets
+ TGWDefaultRoute:
+ Type: AWS::EC2::Route
+ DependsOn: ClusterStack
+ Properties:
+ DestinationCidrBlock: 0.0.0.0/0
+ NetworkInterfaceId: !GetAtt ClusterStack.Outputs.MemberAExternalInterface
+ RouteTableId: !Ref TGWRouteTable
+ TGWNSubnet1RouteAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DependsOn: TGWRouteTable
+ Properties:
+ RouteTableId: !Ref TGWRouteTable
+ SubnetId: !Ref TgwHASubnetA
+ TGWSubnet2RouteAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ DependsOn: TGWRouteTable
+ Properties:
+ RouteTableId: !Ref TGWRouteTable
+ SubnetId: !Ref TgwHASubnetB
+Outputs:
+ ClusterPublicAddress:
+ Description: The public address of the cluster.
+ Value: !GetAtt ClusterStack.Outputs.ClusterPublicAddress
+ MemberAPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress
+ MemberASSH:
+ Condition: AllocateAddress
+ Description: SSH command to member A.
+ Value: !GetAtt ClusterStack.Outputs.MemberASSH
+ MemberAURL:
+ Condition: AllocateAddress
+ Description: URL to the member A portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberAURL
+ MemberBPublicAddress:
+ Condition: AllocateAddress
+ Description: The public address of member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress
+ MemberBSSH:
+ Condition: AllocateAddress
+ Description: SSH command to member B.
+ Value: !GetAtt ClusterStack.Outputs.MemberBSSH
+ MemberBURL:
+ Condition: AllocateAddress
+ Description: URL to the member B portal.
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL
+Rules:
+ MemberATokenNotProvided:
+ RuleCondition: !Equals [!Ref MemberAToken, '']
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member A can not be empty"
+ Assert: !Equals [!Ref MemberBToken, '']
+ MemberBTokenNotProvided:
+ RuleCondition: !Equals [ !Ref MemberBToken, '' ]
+ Assertions:
+ - AssertDescription: "Smart-1 Cloud Token for member B can not be empty"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ MembersTokenValueEquals:
+ RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ]
+ Assertions:
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberAToken, '' ]
+ - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token"
+ Assert: !Equals [ !Ref MemberBToken, '' ]
\ No newline at end of file
diff --git a/china/aws/templates/tgw-ha/README.md b/china/aws/templates/tgw-ha/README.md new file mode 100644
index 00000000..cbc90be9
--- /dev/null
+++ b/china/aws/templates/tgw-ha/README.md
@@ -0,0 +1,39 @@ + +## Transit Gateway Cross Availability Zone Cluster + + + + + + + + + + + + + + + + + + + +
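Review bot: The logical ID `TGWNSubnet1RouteAssociation` has a stray `N` and does not match its sibling `TGWSubnet2RouteAssociation`; since this file is new, renaming it to `TGWSubnet1RouteAssociation` now avoids a resource replacement for any stack created from it later. Two user-facing strings carry typos that will show up in the console: `ConstraintDescription: you must select a TGW HAsubnet for the second Security Gateway.` should read `TGW HA subnet`, and `Description: The instance type of the Secutiry Gateway.` should read `Security` (the same Description typo, and `Availabilty` in the top-level Description, are in tgw-cross-az-cluster-master.yaml). The nested `TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/cross-az-cluster.yaml` carries no version in its path, so what this template actually deploys can change without this file changing; if the bucket does not publish versioned copies, a comment above the URL recording the template version this file was aligned with (`20250617` per the Description) would at least make the dependency reviewable, and the same applies to the two URLs in tgw-cross-az-cluster-master.yaml. Minor: the `DependsOn: TGWRouteTable` on both associations is redundant with the `!Ref TGWRouteTable` they already carry.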
    DescriptionNotesDirect Launch
    + Deploys two Security Gateways, each in a different Availability Zone, configured for Transit Gateway.

    For more details, refer to CloudGuard Transit Gateway High Availability for AWS R80.40 Administration Guide. +
    Creates a new VPC and deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into it.
    Deploys a Cross Availability Zone Cluster of Security Gateways configured for Transit Gateway into an existing VPC.
    +
    +
    +## Revision History +In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) + +| Template Version | Description | +|------------------|------------------------------------------------------------------------------------------------------------------| +| 20240519 | Add support for requiring use instance metadata service version 2 (IMDSv2) only | +| 20230923 | Add support for C5d instance type. | +| 20230521 | - Change default shell for the admin user to /etc/cli.sh
    - Add description for reserved words in hostname | +| 20230503 | Template version 20230503 and above supports Smart-1 Cloud token validation. | +| 20230411 | Improved deployment experience for gateways and clusters managed by Smart-1 Cloud. | +| 20221123 | Templates version 20221120 and above support R81.20 | +| 20220606 | New instance type support | +| 20210309 | First release of Check Point Security Management Server & Security Gateway (Standalone) Terraform module for AWS | diff --git a/china/aws/templates/tgw-ha/tgw-ha-master.yaml b/china/aws/templates/tgw-ha/tgw-ha-master.yaml new file mode 100644 index 00000000..62548deb --- /dev/null +++ b/china/aws/templates/tgw-ha/tgw-ha-master.yaml 
@@ -0,0 +1,524 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20250617) + See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment Guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - TgwSubnet1CIDR + - TgwSubnet2CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZones: + default: Availability Zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + TgwSubnet1CIDR: + default: TGW HA subnet 1 CIDR + TgwSubnet2CIDR: + default: TGW HA subnet 2 CIDR + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + 
VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZones: + Description: The Availability Zones (AZs) to use for the subnets in the VPC. Select two (the logical order is preserved). + Type: List + MinLength: 2 + VPCCIDR: + Description: The CIDR block of the provided VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet1CIDR: + Description: CIDR block for TGW HA subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + TgwSubnet2CIDR: + Description: CIDR block for TGW HA subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.22.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. 
(optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Description: The instance type of the Secutiry Gateway. + Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. 
+ Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + AllocatePublicAddress: + Description: Allocate an Elastic IP for each cluster member, in addition to the shared cluster Elastic IP. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Default: false + Type: String + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Type: String + Default: R81.10-BYOL + AllowedValues: + - R81.10-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [',', !Ref AvailabilityZones] + NumberOfAZs: 2 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR + PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR + CreateAttachmentSubnets: true + AttachmentSubnet1CIDR: !Ref TgwSubnet1CIDR + AttachmentSubnet2CIDR: !Ref TgwSubnet2CIDR + InternalRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPCStack + Properties: + VpcId: !GetAtt VPCStack.Outputs.VPCID + Tags: + - Key: Name + Value: Private Subnets Route Table + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/tgw-ha.yaml + Parameters: + VPC: !GetAtt VPCStack.Outputs.VPCID + PublicSubnetA: !GetAtt VPCStack.Outputs.PublicSubnet1ID + PublicSubnetB: !GetAtt VPCStack.Outputs.PublicSubnet2ID + PrivateSubnetA: !GetAtt VPCStack.Outputs.PrivateSubnet1ID + PrivateSubnetB: !GetAtt VPCStack.Outputs.PrivateSubnet2ID + TgwHASubnetA: !GetAtt VPCStack.Outputs.AttachmentSubnet1ID + TgwHASubnetB: !GetAtt VPCStack.Outputs.AttachmentSubnet2ID + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref 
GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/china/aws/templates/tgw-ha/tgw-ha.yaml b/china/aws/templates/tgw-ha/tgw-ha.yaml new file mode 100644 index 00000000..750de054 --- /dev/null +++ b/china/aws/templates/tgw-ha/tgw-ha.yaml 
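Review bot: The `AllowedPattern` on `MemberAToken` and `MemberBToken`, `'(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)'`, puts the expected token prefix inside a character class in its second alternative, so `[aHR0cHM6Ly9]` matches any single one of those characters rather than the literal `aHR0cHM6Ly9`; any value containing whitespace followed by one such character then passes validation, which is looser than the first alternative intends. If the goal is to accept a token preceded by a leading word, `AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\saHR0cHM6Ly9(.+)|^$)'` matches the literal prefix, and the same pattern should be corrected in the tgw-ha.yaml hunk that follows. `VolumeSize` and `GatewayVersion` carry no `Description` here while tgw-ha.yaml documents `GatewayVersion` as `The license to install on the Security Gateways.`, and `NTPPrimary`/`NTPSecondary` are described only as `(optional)`; `GatewayInstanceType` also has a typo, `Secutiry`. Both nested `TemplateURL` values point at unversioned objects in the `cgi-cfts` bucket, so the stack deploys whatever that bucket serves at deploy time; if the bucket is versioned it would be worth a comment stating that, or pinning the object version, so operators know which nested template they are trusting.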
@@ -0,0 +1,520 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: | + Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20250617) + See CloudGuard Network for AWS Cross Availability Zone Cluster Deployment Guide for detailed deployment and configuration steps. +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - VPC + - PublicSubnetA + - PublicSubnetB + - PrivateSubnetA + - PrivateSubnetB + - TgwHASubnetA + - TgwHASubnetB + - InternalRouteTable + - Label: + default: EC2 Instance Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - GatewayPredefinedRole + - TerminationProtection + - MetaDataToken + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - Label: + default: Quick connect to Smart-1 Cloud (Recommended) + Parameters: + - MemberAToken + - MemberBToken + - Label: + default: Advanced Settings + Parameters: + - ResourcesTagName + - GatewayHostname + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + VPC: + default: VPC + PublicSubnetA: + default: Public subnet 1 + PublicSubnetB: + default: Public subnet 2 + PrivateSubnetA: + default: Private subnet 1 + PrivateSubnetB: + default: Private subnet 2 + TgwHASubnetA: + default: TGW HA subnet 1 + TgwHASubnetB: + default: TGW HA subnet 2 + InternalRouteTable: + default: Internal route table + GatewayName: + default: Gateway Name + GatewayInstanceType: + default: Security Gateways instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate Elastic IPs for cluster members + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume 
encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + GatewayPredefinedRole: + default: Existing IAM role name + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: SIC key + MemberAToken: + default: Smart-1 Cloud Token for member A + MemberBToken: + default: Smart-1 Cloud Token for member B + ResourcesTagName: + default: Resources prefix tag + GatewayHostname: + default: Gateway Hostname + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Bootstrap Script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + VPC: + Description: Select an existing VPC. + Type: AWS::EC2::VPC::Id + MinLength: 1 + ConstraintDescription: you must select a VPC. + PublicSubnetA: + Description: Select a public subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the first Security Gateway. + PublicSubnetB: + Description: Select a public subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a public subnet for the second Security Gateway. + PrivateSubnetA: + Description: Select a private subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the first Security Gateway. + PrivateSubnetB: + Description: Select a private subnet for the second Security Gateway. 
+ Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a private subnet for the second Security Gateway. + TgwHASubnetA: + Description: Select a TGW HA subnet for the first Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HA subnet for the first Security Gateway. + TgwHASubnetB: + Description: Select a TGW HA subnet for the second Security Gateway. + Type: AWS::EC2::Subnet::Id + MinLength: 1 + ConstraintDescription: you must select a TGW HAsubnet for the second Security Gateway. + InternalRouteTable: + Description: Set 0.0.0.0/0 route to the Active Cluster member instance in this route table (e.g. rtb-12a34567). Route table cannot have an existing 0.0.0.0/0 route. If empty - traffic will not be routed through the Security Cluster, this requires manual configuration in the Route Table. (optional) + Type: String + Default: '' + GatewayName: + Description: The name tag of the Security Gateway instances. 
(optional) + Type: String + Default: Check-Point-Cluster + GatewayInstanceType: + Type: String + Default: c6i.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the Security Gateways. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. 
+ AllocatePublicAddress: + Description: When choosing "false", make sure the cluster members can connect to an ec2 endpoint. + Default: true + Type: String + AllowedValues: + - true + - false + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayPredefinedRole: + Description: A predefined IAM role to attach to the cluster profile. (optional) + Type: String + Default: '' + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewayVersion: + Description: The license to install on the Security Gateways. + Type: String + Default: R81.10-BYOL + AllowedValues: + - R81.10-BYOL + - R82-BYOL + - R82.10-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" to + get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. 
For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections between + Check Point components. Choose a random string consisting of at least 8 + alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + MemberAToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + MemberBToken: + Description: Follow the instructions in sk180501 to quickly connect this Cross AZ Cluster to Smart-1 Cloud. Paste here the token copied from the Connect Gateway screen in Smart-1 Cloud portal. + AllowedPattern: '(^aHR0cHM6Ly9(.+)|(.*)\s[aHR0cHM6Ly9](.+)|^$)' + Type: String + NoEcho: true + ResourcesTagName: + Description: Name tag prefix of the resources. (optional) + Type: String + Default: '' + GatewayHostname: + Description: The host name will be appended with member-a/b accordingly (optional). The name must not contain reserved words. For details, refer to sk40179. + Type: String + Default: '' + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z]))?$' + ConstraintDescription: A valid hostname label or an empty string. + AllowUploadDownload: + Description: >- + Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. 
+ Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '^[\.a-zA-Z0-9\-]*$' +Conditions: + AllocateAddress: !Equals [!Ref AllocatePublicAddress, true] +Resources: + ClusterStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://cgi-cfts.s3.cn-northwest-1.amazonaws.com.cn/cluster/geo-cluster.yaml + Parameters: + VPC: !Ref VPC + PublicSubnetA: !Ref PublicSubnetA + PublicSubnetB: !Ref PublicSubnetB + PrivateSubnetA: !Ref PrivateSubnetA + PrivateSubnetB: !Ref PrivateSubnetB + InternalRouteTable: !Ref InternalRouteTable + GatewayName: !Ref GatewayName + GatewayInstanceType: !Ref GatewayInstanceType + KeyName: !Ref KeyName + AllocatePublicAddress: !Ref AllocatePublicAddress + VolumeSize: !Ref VolumeSize + VolumeType: !Ref VolumeType + VolumeEncryption: !Ref VolumeEncryption + EnableInstanceConnect: !Ref EnableInstanceConnect + GatewayPredefinedRole: !Ref GatewayPredefinedRole + TerminationProtection: !Ref TerminationProtection + MetaDataToken: !Ref MetaDataToken + GatewayVersion: !Ref GatewayVersion + Shell: !Ref Shell + GatewayPasswordHash: !Ref GatewayPasswordHash + GatewayMaintenancePasswordHash: !Ref GatewayMaintenancePasswordHash + GatewaySICKey: !Ref GatewaySICKey + MemberAToken: !Ref MemberAToken + MemberBToken: !Ref MemberBToken + ResourcesTagName: !Ref ResourcesTagName + GatewayHostname: !Ref GatewayHostname + AllowUploadDownload: !Ref AllowUploadDownload + CloudWatch: !Ref CloudWatch + GatewayBootstrapScript: !Ref GatewayBootstrapScript + NTPPrimary: !Ref NTPPrimary + NTPSecondary: !Ref NTPSecondary + TGWRouteTable: + Type: 
AWS::EC2::RouteTable + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: TGW Subnets + TGWDefaultRoute: + Type: AWS::EC2::Route + DependsOn: ClusterStack + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NetworkInterfaceId: !GetAtt ClusterStack.Outputs.MemberAExternalInterface + RouteTableId: !Ref TGWRouteTable + TGWNSubnet1RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetA + TGWSubnet2RouteAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: TGWRouteTable + Properties: + RouteTableId: !Ref TGWRouteTable + SubnetId: !Ref TgwHASubnetB +Outputs: + MemberAPublicAddress: + Condition: AllocateAddress + Description: The public address of member A. + Value: !GetAtt ClusterStack.Outputs.MemberAPublicAddress + MemberASSH: + Condition: AllocateAddress + Description: SSH command to member A. + Value: !GetAtt ClusterStack.Outputs.MemberASSH + MemberAURL: + Condition: AllocateAddress + Description: URL to the member A portal. + Value: !GetAtt ClusterStack.Outputs.MemberAURL + MemberBPublicAddress: + Condition: AllocateAddress + Description: The public address of member B. + Value: !GetAtt ClusterStack.Outputs.MemberBPublicAddress + MemberBSSH: + Condition: AllocateAddress + Description: SSH command to member B. + Value: !GetAtt ClusterStack.Outputs.MemberBSSH + MemberBURL: + Condition: AllocateAddress + Description: URL to the member B portal. 
+ Value: !GetAtt ClusterStack.Outputs.MemberBURL +Rules: + MemberATokenNotProvided: + RuleCondition: !Equals [!Ref MemberAToken, ''] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member A can not be empty" + Assert: !Equals [!Ref MemberBToken, ''] + MemberBTokenNotProvided: + RuleCondition: !Equals [ !Ref MemberBToken, '' ] + Assertions: + - AssertDescription: "Smart-1 Cloud Token for member B can not be empty" + Assert: !Equals [ !Ref MemberAToken, '' ] + MembersTokenValueEquals: + RuleCondition: !EachMemberEquals [ [ !Ref MemberBToken ], !Ref MemberAToken ] + Assertions: + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberAToken, '' ] + - AssertDescription: "The same Smart-1 Cloud token is used for the two Cluster members. Each Cluster member must have a unique token" + Assert: !Equals [ !Ref MemberBToken, '' ] \ No newline at end of file diff --git a/china/aws/templates/utils/amis.yaml b/china/aws/templates/utils/amis.yaml new file mode 100644 index 00000000..be62f083 --- /dev/null +++ b/china/aws/templates/utils/amis.yaml 
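Review bot: The template `Description` says `Deploy a Check Point TGW HA cross AZ Cluster in a new VPC (20250617)`, but this template takes an existing `VPC` and six existing subnet IDs as parameters and the README in this commit describes it as deploying into an existing VPC; it should read `Deploy a Check Point TGW HA cross AZ Cluster in an existing VPC (20250617)`. `GatewayInstanceType` and `VolumeSize` have no `Description` although tgw-ha-master.yaml documents the instance type, and the `ConstraintDescription` of `TgwHASubnetB` reads `TGW HAsubnet`. `TGWDefaultRoute` pins `0.0.0.0/0` for both TGW subnets to `ClusterStack.Outputs.MemberAExternalInterface`; presumably the cluster rewrites this route on failover, as the `InternalRouteTable` description implies, but a one-line comment on the resource stating that this is only the initial route, and that the cluster members' role must therefore be allowed to update it, would save the next maintainer from reading it as a permanent single-member path.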
@@ -0,0 +1,52 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Returns a Check Point Amazon Machine ID (20230110)
+Parameters:
+ Version:
+ Description: Security Gateway or Management Server version
+ Type: String
+ Default: R81.20-BYOL-GW
+ AllowedValues:
+ - R81.10-BYOL-MGMT
+ - R81.10-BYOL-GW
+ - R81.20-BYOL-MGMT
+ - R81.20-BYOL-GW
+ - R82-BYOL-MGMT
+ - R82-BYOL-GW
+Mappings:
+ ConverterMap:
+ R81.10-BYOL-MGMT:
+ Value: R8110BYOLMGMT
+ R81.10-BYOL-GW:
+ Value: R8110BYOLGW
+ R81.20-BYOL-MGMT:
+ Value: R8120BYOLMGMT
+ R81.20-BYOL-GW:
+ Value: R8120BYOLGW
+ R82-BYOL-MGMT:
+ Value: R82BYOLMGMT
+ R82-BYOL-GW:
+ Value: R82BYOLGW
+
+ RegionMap:
+ cn-northwest-1:
+ R8110BYOLMGMT: ami-064a33bb86b69a7d3
+ R8110BYOLGW: ami-06e176c827e5c4ca7
+ R8120BYOLMGMT: ami-0cf32d6b94fd87cc5
+ R8120BYOLGW: ami-000a805e697d66b87
+ R82BYOLMGMT: ami-0d08805f54e5726cb
+ R82BYOLGW: ami-0aa3165569c350981
+ cn-north-1:
+ R8110BYOLMGMT: ami-045ed4c9758825acf
+ R8110BYOLGW: ami-04028fc05932c373f
+ R8120BYOLMGMT: ami-057f2fe0648449168
+ R8120BYOLGW: ami-00d3fd4736380432d
+ R82BYOLMGMT: ami-01e5f75e87e8566b6
+ R82BYOLGW: ami-0e23b21a74123f268
+Resources:
+ DummyHandle:
+ Type: AWS::CloudFormation::WaitConditionHandle
+ Properties: {}
+Outputs:
+ ImageId:
+ Description: Check Point Security Gateway AMI
+ Value: !FindInMap [RegionMap ,!Ref 'AWS::Region', !FindInMap [ConverterMap, !Ref 'Version', Value]]
diff --git a/china/aws/templates/utils/copy-lambda-zip.yaml b/china/aws/templates/utils/copy-lambda-zip.yaml
new file mode 100755
index 00000000..0da17643
--- /dev/null
+++ b/china/aws/templates/utils/copy-lambda-zip.yaml
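Review bot: RegionMap carries no provenance for its AMI IDs — nothing in the file records which account publishes them or how a reader should verify they are Check Point images, and the Description stamp (20230110) is older than the other utils templates added in this commit (20250617, 20260101), so the map may be stale relative to the global tree the commit says it aligns with. A comment above `RegionMap` such as `# AMI IDs for the China partition; verify each against the Check Point published-image list (owner account: <OWNER-ACCOUNT-PLACEHOLDER>) before release` plus a refreshed Description stamp would let the next reviewer check the map instead of trusting it. Since `!FindInMap [RegionMap, !Ref 'AWS::Region', …]` has no fallback, a deployment in any region other than cn-north-1/cn-northwest-1 fails at template evaluation; that is presumably intended for the china tree, but stating it in the Description avoids confusion.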
@@ -0,0 +1,138 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create an S3 bucket in the same region as the stack, and copy a zip of a Lambda from remote bucket to it (20250617)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: Lambda zip location
+ Parameters:
+ - SourceBucketName
+ - FolderName
+ - LambdaPathObjects
+ ParameterLabels:
+ SourceBucketName:
+ default: Source Bucket Name
+ FolderName:
+ default: Folder Name
+ LambdaPathObjects:
+ default: Lambda Path
+Parameters:
+ SourceBucketName:
+ Description: The source bucket (e.g. lambda-bucket ).
+ Type: String
+ MinLength: 1
+ FolderName:
+ Description: The source folder (e.g. lambda-prefix/ ).
+ Type: String
+ AllowedPattern: '^[0-9a-zA-Z-_/]*/$'
+ LambdaPathObjects:
+ Description: A zip file (e.g. lambda.zip).
+ Type: String
+ AllowedPattern: '.*\.zip'
+Resources:
+ LambdaZipBucket:
+ Type: AWS::S3::Bucket
+ CopyZips:
+ Type: Custom::CopyZips
+ Properties:
+ ServiceToken: !GetAtt CopyZipsFunction.Arn
+ SourceBucket: !Ref SourceBucketName
+ DestBucket: !Ref LambdaZipBucket
+ Prefix: !Ref FolderName
+ Objects:
+ - !Ref LambdaPathObjects
+ CopyZipsRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: lambda.amazonaws.com
+ Action: sts:AssumeRole
+ Path: /
+ Policies:
+ - PolicyName: !Sub lambda-copier-${LambdaZipBucket}
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ Resource:
+ - !Sub arn:aws:s3:::${SourceBucketName}/${FolderName}*
+ - Effect: Allow
+ Action:
+ - s3:PutObject
+ - s3:DeleteObject
+ Resource:
+ - !Sub arn:aws:s3:::${LambdaZipBucket}/${FolderName}*
+ CopyZipsFunction:
+ Type: AWS::Lambda::Function
+ Properties:
+ Description: Copies objects from a source S3 bucket to a destination.
+ Handler: index.handler + Runtime: python3.7 + Role: !GetAtt CopyZipsRole.Arn + Timeout: 240 + Code: + ZipFile: | + import json + import logging + import threading + import boto3 + import cfnresponse + + + def copy_objects(source_bucket, dest_bucket, prefix, objects): + s3 = boto3.client('s3') + for o in objects: + key = prefix + o + copy_source = {'Bucket': source_bucket, 'Key': key } + print(f'copy_source: {copy_source}') + print(f'dest_bucket = {dest_bucket}') + print(f'key = {key}') + s3.copy_object(CopySource=copy_source, Bucket=dest_bucket, Key=key) + + + def delete_objects(bucket, prefix, objects): + s3 = boto3.client('s3') + objects = {'Objects': [{'Key': prefix + o} for o in objects]} + s3.delete_objects(Bucket=bucket, Delete=objects) + + + def timeout(event, context): + logging.error('Execution is about to time out, sending failure' + ' response to CloudFormation') + cfnresponse.send(event, context, cfnresponse.FAILED, {}, None) + + + def handler(event, context): + # make sure we send a failure to CloudFormation if the function + # is going to timeout + timer = threading.Timer((context.get_remaining_time_in_millis() + / 1000.00) - 0.5, timeout, args=[event, context]) + timer.start() + + print(f'Received event: {json.dumps(event)}') + status = cfnresponse.SUCCESS + try: + source_bucket = event['ResourceProperties']['SourceBucket'] + dest_bucket = event['ResourceProperties']['DestBucket'] + prefix = event['ResourceProperties']['Prefix'] + objects = event['ResourceProperties']['Objects'] + if event['RequestType'] == 'Delete': + delete_objects(dest_bucket, prefix, objects) + else: + copy_objects(source_bucket, dest_bucket, prefix, objects) + except Exception as e: + logging.error('Exception: %s' % e, exc_info=True) + status = cfnresponse.FAILED + finally: + timer.cancel() + cfnresponse.send(event, context, status, {}, None) +Outputs: + LambdaZipBucket: + Description: The new S3 bucket in the local region. 
+ Value: !Ref LambdaZipBucket
\ No newline at end of file
diff --git a/china/aws/templates/utils/tap-target-and-filter.yaml b/china/aws/templates/utils/tap-target-and-filter.yaml
new file mode 100755
index 00000000..d1fea268
--- /dev/null
+++ b/china/aws/templates/utils/tap-target-and-filter.yaml
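Review bot: The two IAM `Resource` ARNs in CopyZipsRole are hard-coded to the `arn:aws:` partition, but this file is added under china/ and the commit title says the directory is being moved to China, where S3 ARNs carry the `arn:aws-cn:` prefix; as written the GetObject and PutObject/DeleteObject grants would not match the buckets they are meant to scope, so the copy either fails or only works through some broader grant outside this template. Using `!Sub arn:${AWS::Partition}:s3:::${SourceBucketName}/${FolderName}*` and `!Sub arn:${AWS::Partition}:s3:::${LambdaZipBucket}/${FolderName}*` keeps the policy least-privilege and partition-neutral. `Runtime: python3.7` in CopyZipsFunction is past Lambda's end of support for creating new functions, so the stack is likely to be rejected at create time; the inline code only uses json, logging, threading, boto3 and cfnresponse, so moving to a supported runtime such as python3.12 should need no code change. LambdaZipBucket is created with defaults and no `PublicAccessBlockConfiguration` even though it will hold deployable Lambda code; the block below adds the explicit public-access block alongside the partition fix.
```yaml
  LambdaZipBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
  # … unchanged: CopyZips custom resource …
  CopyZipsRole:
    # … unchanged: AssumeRolePolicyDocument, Path, PolicyName …
            - Effect: Allow
              Action:
                - s3:GetObject
              Resource:
                - !Sub arn:${AWS::Partition}:s3:::${SourceBucketName}/${FolderName}*
            - Effect: Allow
              Action:
                - s3:PutObject
                - s3:DeleteObject
              Resource:
                - !Sub arn:${AWS::Partition}:s3:::${LambdaZipBucket}/${FolderName}*
  # … unchanged: CopyZipsFunction (with Runtime updated to a supported version) …
```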
@@ -0,0 +1,68 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Deploy a traffic-mirror-filter and traffic-mirror-target (20250617)
+Metadata:
+ AWS::CloudFormation::Interface:
+ ParameterGroups:
+ - Label:
+ default: General Settings
+ Parameters:
+ - MirroringNetworkInterfaceId
+ - EnvironmentPrefix
+ ParameterLabels:
+ MirroringNetworkInterfaceId:
+ default: Mirroring target network interface id
+ EnvironmentPrefix:
+ default: Environment prefix for created resources
+Parameters:
+ MirroringNetworkInterfaceId:
+ Description: The network interface ID to which all the traffic will be mirrored.
+ Type: String
+ AllowedPattern: '^eni-[a-z0-9]+$'
+ EnvironmentPrefix:
+ Description: The environment prefix for created resources. (optional)
+ Type: String
+ AllowedPattern: '[a-zA-Z0-9-_]*'
+ Default: cp-tap
+Resources:
+ TrafficMirrorFilter:
+ Type: AWS::EC2::TrafficMirrorFilter
+ Properties:
+ Description: Traffic mirror filter.
+ Tags:
+ - Key: Name
+ Value: !Join ['-', [!Ref EnvironmentPrefix, traffic-filter]]
+ TrafficMirrorFilterRuleIngress:
+ Type: AWS::EC2::TrafficMirrorFilterRule
+ Properties:
+ Description: Traffic mirror filter rule - ingress.
+ DestinationCidrBlock: 0.0.0.0/0
+ RuleAction: accept
+ RuleNumber: 100
+ SourceCidrBlock: 0.0.0.0/0
+ TrafficDirection: ingress
+ TrafficMirrorFilterId: !Ref TrafficMirrorFilter
+ TrafficMirrorFilterRuleEgress:
+ Type: AWS::EC2::TrafficMirrorFilterRule
+ Properties:
+ Description: Traffic mirror filter rule - egress.
+ DestinationCidrBlock: 0.0.0.0/0
+ RuleAction: accept
+ RuleNumber: 100
+ SourceCidrBlock: 0.0.0.0/0
+ TrafficDirection: egress
+ TrafficMirrorFilterId: !Ref TrafficMirrorFilter
+ TrafficMirrorTarget:
+ Type: AWS::EC2::TrafficMirrorTarget
+ Properties:
+ Description: Traffic mirror target.
+ NetworkInterfaceId: !Ref MirroringNetworkInterfaceId
+ Tags:
+ - Key: Name
+ Value: !Join ['-', [!Ref EnvironmentPrefix, traffic-target]]
+Outputs:
+ TrafficMirrorTargetId:
+ Description: Traffic mirror target id.
+ Value: !Ref TrafficMirrorTarget
+ TrafficMirrorFilterId:
+ Description: Traffic mirror filter id.
+ Value: !Ref TrafficMirrorFilter
\ No newline at end of file
diff --git a/china/aws/templates/utils/vpc-ipv6.yaml b/china/aws/templates/utils/vpc-ipv6.yaml
new file mode 100644
index 00000000..db242d5a
--- /dev/null
+++ b/china/aws/templates/utils/vpc-ipv6.yaml
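Review bot: TrafficMirrorFilterRuleIngress and TrafficMirrorFilterRuleEgress match only `0.0.0.0/0`, so IPv6 flows are never mirrored; the same commit adds vpc-ipv6.yaml with an IPv6-only mode, and if this TAP is meant to sit in those VPCs the filter would silently miss that traffic. Either make the scope explicit — `Description: Traffic mirror filter (IPv4 only; add ::/0 rules to mirror IPv6 traffic).` — or add a second pair of rules with `SourceCidrBlock: ::/0` and `DestinationCidrBlock: ::/0` under their own RuleNumbers. Separately, `EnvironmentPrefix` is described as "(optional)" and its pattern admits the empty string, in which case the `!Join ['-', …]` names become `-traffic-filter` and `-traffic-target`; dropping "(optional)" from the Description, or giving the pattern a minimum length, removes that edge.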
@@ -0,0 +1,703 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: This template creates a Multi-AZ, multi-subnet VPC infrastructure (20260101) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Availability Zone Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - Label: + default: Network Configuration + Parameters: + - IPMode + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - CreatePrivateSubnets + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - PrivateSubnet3CIDR + - PrivateSubnet4CIDR + - CreateAttachmentSubnets + - AttachmentSubnet1CIDR + - AttachmentSubnet2CIDR + - AttachmentSubnet3CIDR + - AttachmentSubnet4CIDR + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of Availability Zones + IPMode: + default: IP Configuration Mode + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PublicSubnet3CIDR: + default: Public subnet 3 CIDR + PublicSubnet4CIDR: + default: Public subnet 4 CIDR + CreatePrivateSubnets: + default: Create private subnets + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + PrivateSubnet3CIDR: + default: Private subnet 3 CIDR + PrivateSubnet4CIDR: + default: Private subnet 4 CIDR + CreateAttachmentSubnets: + default: Create Attachment subnets + AttachmentSubnet1CIDR: + default: Attachment subnet 1 CIDR + AttachmentSubnet2CIDR: + default: Attachment subnet 2 CIDR + AttachmentSubnet3CIDR: + default: Attachment subnet 3 CIDR + AttachmentSubnet4CIDR: + default: Attachment subnet 4 CIDR +Parameters: + AvailabilityZones: + Description: 'List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved.' + Type: List + MinLength: 1 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. 
This must match your + selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 1 + MaxValue: 4 + IPMode: + Description: Specifies the IP mode for the VPC and AWS resources. + Type: String + Default: DualStack + AllowedValues: + - IPv6 + - DualStack + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for the public DMZ subnet 4 located in Availability Zone 4. 
+ Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + CreatePrivateSubnets: + Description: Set to false to create only public subnets. If false, the CIDR parameters. + for ALL private subnets will be ignored. + Type: String + Default: true + AllowedValues: + - true + - false + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet3CIDR: + Description: CIDR block for private subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.31.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet4CIDR: + Description: CIDR block for private subnet 4 located in Availability Zone 4. + Type: String + Default: 10.0.41.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ CreateAttachmentSubnets: + Description: Set true for creating designated subnets for VPC attachments. If false, + the CIDR parameters for the Attachment subnets will be ignored. + Type: String + Default: false + AllowedValues: + - true + - false + AttachmentSubnet1CIDR: + Description: CIDR block for Attachment subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet2CIDR: + Description: CIDR block for Attachment subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.22.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet3CIDR: + Description: CIDR block for Attachment subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.32.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet4CIDR: + Description: CIDR block for Attachment subnet 4 located in Availability Zone 4. + Type: String + Default: 10.0.42.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + 2AZs: !Or [!Equals [!Ref NumberOfAZs, 2], !Condition 3AZs] + PrivateSubnets: !Equals [!Ref CreatePrivateSubnets, true] + 2AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 2AZs] + 3AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 3AZs] + 4AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 4AZs] + AttachmentSubnets: !Equals [!Ref CreateAttachmentSubnets, true] + 2AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 2AZs] + 3AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 3AZs] + 4AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 4AZs] + IsIPv6Only: !Equals [!Ref IPMode, "IPv6"] + IsIPv4Enabled: !Not [!Condition IsIPv6Only] +Resources: + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: !Ref VPCCIDR + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + Ipv6CidrBlock: + DependsOn: VPC + Type: AWS::EC2::VPCCidrBlock + Properties: + VpcId: !Ref VPC + AmazonProvidedIpv6CidrBlock: true + InternetGateway: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + - Key: Network + Value: Public + VPCGatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + DependsOn: [VPC, InternetGateway] + Properties: + VpcId: !Ref VPC + InternetGatewayId: !Ref InternetGateway + PublicSubnet1: + Type: AWS::EC2::Subnet + DependsOn: [ VPC, Ipv6CidrBlock ] + Properties: + VpcId: !Ref VPC + CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PublicSubnet1CIDR] + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 0, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"] + Tags: + - Key: Name + Value: Public subnet 1 + - Key: Network + Value: Public + 
MapPublicIpOnLaunch: !If [IsIPv6Only, !Ref "AWS::NoValue", true] + PublicSubnet2: + Condition: 2AZs + DependsOn: [ VPC, Ipv6CidrBlock ] + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PublicSubnet2CIDR] + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 1, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"] + Tags: + - Key: Name + Value: Public subnet 2 + - Key: Network + Value: Public + MapPublicIpOnLaunch: !If [IsIPv6Only, !Ref "AWS::NoValue", true] + PublicSubnet3: + Condition: 3AZs + DependsOn: [ VPC, Ipv6CidrBlock ] + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PublicSubnet3CIDR] + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 2, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"] + Tags: + - Key: Name + Value: Public subnet 3 + - Key: Network + Value: Public + MapPublicIpOnLaunch: !If [IsIPv6Only, !Ref "AWS::NoValue", true] + PublicSubnet4: + Condition: 4AZs + DependsOn: [ VPC, Ipv6CidrBlock ] + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PublicSubnet4CIDR] + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 3, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"] + Tags: + - Key: Name + Value: Public subnet 4 + - Key: Network + Value: Public + MapPublicIpOnLaunch: !If [IsIPv6Only, !Ref "AWS::NoValue", true] + PublicSubnetRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPC + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: Public Subnets Route 
Table + - Key: Network + Value: Public + PublicSubnetRoute: + Condition: IsIPv4Enabled + DependsOn: [VPCGatewayAttachment, PublicSubnetRouteTable] + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref PublicSubnetRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref InternetGateway + PublicSubnetRouteIPv6: + DependsOn: [VPCGatewayAttachment, PublicSubnetRouteTable] + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref PublicSubnetRouteTable + DestinationIpv6CidrBlock: ::/0 + GatewayId: !Ref InternetGateway + PublicSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: [PublicSubnet1, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet1 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 2AZs + DependsOn: [PublicSubnet2, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet2 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + DependsOn: [PublicSubnet3, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet3 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + DependsOn: [PublicSubnet4, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet4 + RouteTableId: !Ref PublicSubnetRouteTable + PrivateSubnet1: + Type: AWS::EC2::Subnet + Condition: PrivateSubnets + DependsOn: [ VPC, Ipv6CidrBlock ] + Properties: + VpcId: !Ref VPC + CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PrivateSubnet1CIDR] + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 4, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"] + Tags: + - Key: Name + Value: Private subnet 1 + - 
Key: Network + Value: Private + PrivateSubnet2: + Type: AWS::EC2::Subnet + Condition: 2AZsPrivateSubnets + DependsOn: [ VPC, Ipv6CidrBlock ] + Properties: + VpcId: !Ref VPC + CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PrivateSubnet2CIDR] + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 5, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"] + Tags: + - Key: Name + Value: Private subnet 2 + - Key: Network + Value: Private + PrivateSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZsPrivateSubnets + DependsOn: [ VPC, Ipv6CidrBlock ] + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PrivateSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 6, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Tags: + - Key: Name + Value: Private subnet 3 + - Key: Network + Value: Private + PrivateSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZsPrivateSubnets + DependsOn: [ VPC, Ipv6CidrBlock ] + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PrivateSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 7, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Tags: + - Key: Name + Value: Private subnet 4 + - Key: Network + Value: Private + AttachmentSubnet1: + Condition: AttachmentSubnets + DependsOn: [ VPC, Ipv6CidrBlock ] + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 8, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Tags: + - Key: Name + Value: Attachment subnet 1 + - Key: Network + Value: Private + AttachmentSubnet2: + Condition: AttachmentSubnets + DependsOn: [ VPC, 
Ipv6CidrBlock ] + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 9, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Tags: + - Key: Name + Value: Attachment subnet 2 + - Key: Network + Value: Private + AttachmentSubnet3: + Condition: 3AZsAttachmentSubnets + DependsOn: [ VPC, Ipv6CidrBlock ] + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 10, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Tags: + - Key: Name + Value: Attachment subnet 3 + - Key: Network + Value: Private + AttachmentSubnet4: + Condition: 4AZsAttachmentSubnets + DependsOn: [ VPC, Ipv6CidrBlock ] + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Ipv6CidrBlock: !Select [ 11, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + AssignIpv6AddressOnCreation: true + Tags: + - Key: Name + Value: Attachment subnet 4 + - Key: Network + Value: Private +Outputs: + VPCID: + Value: !Ref VPC + Description: VPC ID. + Export: + Name: !Sub '${AWS::StackName}-VPCID' + VPCCIDR: + Value: !Ref VPCCIDR + Description: VPC CIDR + Export: + Name: !Sub '${AWS::StackName}-VPCCIDR' + PublicSubnet1CIDR: + Description: Public subnet 1 CIDR in Availability Zone 1. + Value: !Ref PublicSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet1CIDR' + PublicSubnet1ID: + Description: Public subnet 1 ID in Availability Zone 1. + Value: !Ref PublicSubnet1 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet1ID' + PublicSubnet2CIDR: + Condition: 2AZs + Description: Public subnet 2 CIDR in Availability Zone 2. 
+ Value: !Ref PublicSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet2CIDR' + PublicSubnet2ID: + Condition: 2AZs + Description: Public subnet 2 ID in Availability Zone 2. + Value: !Ref PublicSubnet2 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet2ID' + PublicSubnet3CIDR: + Condition: 3AZs + Description: Public subnet 3 CIDR in Availability Zone 3. + Value: !Ref PublicSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet3CIDR' + PublicSubnet3ID: + Condition: 3AZs + Description: Public subnet 3 ID in Availability Zone 3. + Value: !Ref PublicSubnet3 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet3ID' + PublicSubnet4CIDR: + Condition: 4AZs + Description: Public subnet 4 CIDR in Availability Zone 4. + Value: !Ref PublicSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet4CIDR' + PublicSubnet4ID: + Condition: 4AZs + Description: Public subnet 4 ID in Availability Zone 4. + Value: !Ref PublicSubnet4 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet4ID' + PublicSubnetRouteTable: + Value: !Ref PublicSubnetRouteTable + Description: Public subnet route table. + Export: + Name: !Sub '${AWS::StackName}-PublicSubnetRouteTable' + PrivateSubnet1CIDR: + Condition: PrivateSubnets + Description: Private subnet 1 CIDR in Availability Zone 1. + Value: !Ref PrivateSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet1CIDR' + PrivateSubnet1ID: + Condition: PrivateSubnets + Description: Private subnet 1 ID in Availability Zone 1. + Value: !Ref PrivateSubnet1 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet1ID' + PrivateSubnet2CIDR: + Condition: 2AZsPrivateSubnets + Description: Private subnet 2 CIDR in Availability Zone 2. + Value: !Ref PrivateSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet2CIDR' + PrivateSubnet2ID: + Condition: 2AZsPrivateSubnets + Description: Private subnet 2 ID in Availability Zone 2. 
+ Value: !Ref PrivateSubnet2 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet2ID' + PrivateSubnet3CIDR: + Condition: 3AZsPrivateSubnets + Description: Private subnet 3 CIDR in Availability Zone 3. + Value: !Ref PrivateSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet3CIDR' + PrivateSubnet3ID: + Condition: 3AZsPrivateSubnets + Description: Private subnet 3 ID in Availability Zone 3. + Value: !Ref PrivateSubnet3 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet3ID' + PrivateSubnet4CIDR: + Condition: 4AZsPrivateSubnets + Description: Private subnet 4 CIDR in Availability Zone 4. + Value: !Ref PrivateSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet4CIDR' + PrivateSubnet4ID: + Condition: 4AZsPrivateSubnets + Description: Private subnet 4 ID in Availability Zone 4. + Value: !Ref PrivateSubnet4 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet4ID' + AttachmentSubnet1CIDR: + Condition: AttachmentSubnets + Description: Attachment subnet 1 CIDR in Availability Zone 1. + Value: !Ref AttachmentSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet1CIDR' + AttachmentSubnet1ID: + Condition: AttachmentSubnets + Description: Attachment subnet 1 ID in Availability Zone 1. + Value: !Ref AttachmentSubnet1 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet1ID' + AttachmentSubnet2CIDR: + Condition: 2AZsAttachmentSubnets + Description: Attachment subnet 2 CIDR in Availability Zone 2. + Value: !Ref AttachmentSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet2CIDR' + AttachmentSubnet2ID: + Condition: 2AZsAttachmentSubnets + Description: Attachment subnet 2 ID in Availability Zone 2. + Value: !Ref AttachmentSubnet2 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet2ID' + AttachmentSubnet3CIDR: + Condition: 3AZsAttachmentSubnets + Description: Attachment subnet 3 CIDR in Availability Zone 3. 
+ Value: !Ref AttachmentSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet3CIDR' + AttachmentSubnet3ID: + Condition: 3AZsAttachmentSubnets + Description: Attachment subnet 3 ID in Availability Zone 3. + Value: !Ref AttachmentSubnet3 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet3ID' + AttachmentSubnet4CIDR: + Condition: 4AZsAttachmentSubnets + Description: Attachment subnet 4 CIDR in Availability Zone 4. + Value: !Ref AttachmentSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet4CIDR' + AttachmentSubnet4ID: + Condition: 4AZsAttachmentSubnets + Description: Attachment subnet 4 ID in Availability Zone 4. + Value: !Ref AttachmentSubnet4 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet4ID' + IGWID: + Description: IGW ID. + Value: !Join ['', [!Ref InternetGateway]] + Export: + Name: !Sub '${AWS::StackName}-IGWID' + VPCIPv6CIDR: + Value: !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ] + Description: VPC IPv6 CIDR + Export: + Name: !Sub '${AWS::StackName}-VPCIPv6CIDR' + PublicSubnet1IPv6CIDR: + Description: Public subnet 1 IPv6 CIDR in Availability Zone 1. + Value: !Select [ 0, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet1IPv6CIDR' + PublicSubnet2IPv6CIDR: + Condition: 2AZs + Description: Public subnet 2 IPv6 CIDR in Availability Zone 2. + Value: !Select [ 1, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet2IPv6CIDR' + PublicSubnet3IPv6CIDR: + Condition: 3AZs + Description: Public subnet 3 IPv6 CIDR in Availability Zone 3. + Value: !Select [ 2, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet3IPv6CIDR' + PublicSubnet4IPv6CIDR: + Condition: 4AZs + Description: Public subnet 4 IPv6 CIDR in Availability Zone 4. 
+ Value: !Select [ 3, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet4IPv6CIDR' + PrivateSubnet1IPv6CIDR: + Condition: PrivateSubnets + Description: Private subnet 1 IPv6 CIDR in Availability Zone 1. + Value: !Select [ 4, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet1IPv6CIDR' + PrivateSubnet2IPv6CIDR: + Condition: 2AZsPrivateSubnets + Description: Private subnet 2 IPv6 CIDR in Availability Zone 2. + Value: !Select [ 5, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet2IPv6CIDR' + PrivateSubnet3IPv6CIDR: + Condition: 3AZsPrivateSubnets + Description: Private subnet 3 IPv6 CIDR in Availability Zone 3. + Value: !Select [ 6, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet3IPv6CIDR' + PrivateSubnet4IPv6CIDR: + Condition: 4AZsPrivateSubnets + Description: Private subnet 4 IPv6 CIDR in Availability Zone 4. + Value: !Select [ 7, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet4IPv6CIDR' + AttachmentSubnet1IPv6CIDR: + Condition: AttachmentSubnets + Description: Attachment subnet 1 IPv6 CIDR in Availability Zone 1. + Value: !Select [ 8, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet1IPv6CIDR' + AttachmentSubnet2IPv6CIDR: + Condition: 2AZsAttachmentSubnets + Description: Attachment subnet 3 IPv6 CIDR in Availability Zone 3. + Value: !Select [ 9, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet2IPv6CIDR' + AttachmentSubnet3IPv6CIDR: + Condition: 3AZsAttachmentSubnets + Description: Attachment subnet 3 IPv6 CIDR in Availability Zone 3. 
+ Value: !Select [ 10, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet3IPv6CIDR' + AttachmentSubnet4IPv6CIDR: + Condition: 4AZsAttachmentSubnets + Description: Attachment subnet 4 IPv6 CIDR in Availability Zone 4. + Value: !Select [ 11, !Cidr [ !Select [ 0, !GetAtt VPC.Ipv6CidrBlocks ], 12, 64 ] ] + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet4IPv6CIDR' \ No newline at end of file diff --git a/china/aws/templates/utils/vpc.yaml b/china/aws/templates/utils/vpc.yaml new file mode 100644 index 00000000..71be7cd5 --- /dev/null +++ b/china/aws/templates/utils/vpc.yaml 
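Review bot: IPv6-only mode is applied inconsistently across the subnets: PublicSubnet1–4 and PrivateSubnet1–2 wrap `CidrBlock` in `!If [IsIPv6Only, !Ref "AWS::NoValue", …]` and set `Ipv6Native`, but PrivateSubnet3, PrivateSubnet4 and AttachmentSubnet1–4 pass their IPv4 CIDR unconditionally and have no `Ipv6Native`, so a stack with `IPMode: IPv6` and three or more AZs (or attachment subnets enabled) creates dual-stack subnets despite the parameter; the PrivateSubnet1 pattern should be applied to those six resources, shown below for PrivateSubnet3. AttachmentSubnet2 is gated on `Condition: AttachmentSubnets` while its outputs (`AttachmentSubnet2CIDR`, `AttachmentSubnet2ID`, `AttachmentSubnet2IPv6CIDR`) and the sibling AttachmentSubnet3/4 use the `<n>AZsAttachmentSubnets` conditions; with `NumberOfAZs: 1` the subnet is still created with `!Select [1, !Ref AvailabilityZones]` while its outputs are suppressed, so it should read `Condition: 2AZsAttachmentSubnets`. The `AttachmentSubnet2IPv6CIDR` output's Description reads `Attachment subnet 3 IPv6 CIDR in Availability Zone 3.` and should say subnet 2 in Availability Zone 2. The IPv4 outputs (`PublicSubnet1CIDR` and friends) are exported unconditionally even in IPv6-only mode, where the value is a parameter the subnets ignore; gating them on `IsIPv4Enabled` would stop downstream stacks importing a CIDR that was never assigned.
```yaml
  PrivateSubnet3:
    # … unchanged: Type, Condition, DependsOn …
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !If [IsIPv6Only, !Ref "AWS::NoValue", !Ref PrivateSubnet3CIDR]
      # … unchanged: AvailabilityZone, Ipv6CidrBlock, AssignIpv6AddressOnCreation …
      Ipv6Native: !If [IsIPv6Only, true, !Ref "AWS::NoValue"]
      # … unchanged: Tags …
  # … apply the same CidrBlock / Ipv6Native change to PrivateSubnet4 and AttachmentSubnet1–4 …
```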
@@ -0,0 +1,571 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: This template creates a Multi-AZ, multi-subnet VPC infrastructure (20250617) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: Availability Zone Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - Label: + default: Network Configuration + Parameters: + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - CreatePrivateSubnets + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - PrivateSubnet3CIDR + - PrivateSubnet4CIDR + - CreateAttachmentSubnets + - AttachmentSubnet1CIDR + - AttachmentSubnet2CIDR + - AttachmentSubnet3CIDR + - AttachmentSubnet4CIDR + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of Availability Zones + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public subnet 1 CIDR + PublicSubnet2CIDR: + default: Public subnet 2 CIDR + PublicSubnet3CIDR: + default: Public subnet 3 CIDR + PublicSubnet4CIDR: + default: Public subnet 4 CIDR + CreatePrivateSubnets: + default: Create private subnets + PrivateSubnet1CIDR: + default: Private subnet 1 CIDR + PrivateSubnet2CIDR: + default: Private subnet 2 CIDR + PrivateSubnet3CIDR: + default: Private subnet 3 CIDR + PrivateSubnet4CIDR: + default: Private subnet 4 CIDR + CreateAttachmentSubnets: + default: Create Attachment subnets + AttachmentSubnet1CIDR: + default: Attachment subnet 1 CIDR + AttachmentSubnet2CIDR: + default: Attachment subnet 2 CIDR + AttachmentSubnet3CIDR: + default: Attachment subnet 3 CIDR + AttachmentSubnet4CIDR: + default: Attachment subnet 4 CIDR +Parameters: + AvailabilityZones: + Description: 'List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved.' + Type: List + MinLength: 1 + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. 
This must match your + selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + MinValue: 1 + MaxValue: 4 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for the public DMZ subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for the public DMZ subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for the public DMZ subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for the public DMZ subnet 4 located in Availability Zone 4. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+ CreatePrivateSubnets: + Description: Set to false to create only public subnets. If false, the CIDR parameters. + for ALL private subnets will be ignored. + Type: String + Default: true + AllowedValues: + - true + - false + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet3CIDR: + Description: CIDR block for private subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.31.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet4CIDR: + Description: CIDR block for private subnet 4 located in Availability Zone 4. + Type: String + Default: 10.0.41.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + CreateAttachmentSubnets: + Description: Set true for creating designated subnets for VPC attachments. If false, + the CIDR parameters for the Attachment subnets will be ignored. 
+ Type: String + Default: false + AllowedValues: + - true + - false + AttachmentSubnet1CIDR: + Description: CIDR block for Attachment subnet 1 located in Availability Zone 1. + Type: String + Default: 10.0.12.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet2CIDR: + Description: CIDR block for Attachment subnet 2 located in Availability Zone 2. + Type: String + Default: 10.0.22.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet3CIDR: + Description: CIDR block for Attachment subnet 3 located in Availability Zone 3. + Type: String + Default: 10.0.32.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + AttachmentSubnet4CIDR: + Description: CIDR block for Attachment subnet 4 located in Availability Zone 4. + Type: String + Default: 10.0.42.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. 
+Conditions: + 4AZs: !Equals [!Ref NumberOfAZs, 4] + 3AZs: !Or [!Equals [!Ref NumberOfAZs, 3], !Condition 4AZs] + 2AZs: !Or [!Equals [!Ref NumberOfAZs, 2], !Condition 3AZs] + PrivateSubnets: !Equals [!Ref CreatePrivateSubnets, true] + 2AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 2AZs] + 3AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 3AZs] + 4AZsPrivateSubnets: !And [!Condition PrivateSubnets, !Condition 4AZs] + AttachmentSubnets: !Equals [!Ref CreateAttachmentSubnets, true] + 2AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 2AZs] + 3AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 3AZs] + 4AZsAttachmentSubnets: !And [!Condition AttachmentSubnets, !Condition 4AZs] +Resources: + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: !Ref VPCCIDR + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + InternetGateway: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + - Key: Network + Value: Public + VPCGatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + DependsOn: [VPC, InternetGateway] + Properties: + VpcId: !Ref VPC + InternetGatewayId: !Ref InternetGateway + PublicSubnet1: + Type: AWS::EC2::Subnet + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PublicSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 1 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnet2: + Condition: 2AZs + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PublicSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 2 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnet3: + Condition: 3AZs + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref 
PublicSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 3 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnet4: + Condition: 4AZs + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PublicSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Public subnet 4 + - Key: Network + Value: Public + MapPublicIpOnLaunch: true + PublicSubnetRouteTable: + Type: AWS::EC2::RouteTable + DependsOn: VPC + Properties: + VpcId: !Ref VPC + Tags: + - Key: Name + Value: Public Subnets Route Table + - Key: Network + Value: Public + PublicSubnetRoute: + DependsOn: [VPCGatewayAttachment, PublicSubnetRouteTable] + Type: AWS::EC2::Route + Properties: + RouteTableId: !Ref PublicSubnetRouteTable + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: !Ref InternetGateway + PublicSubnet1RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + DependsOn: [PublicSubnet1, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet1 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet2RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 2AZs + DependsOn: [PublicSubnet2, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet2 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet3RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 3AZs + DependsOn: [PublicSubnet3, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet3 + RouteTableId: !Ref PublicSubnetRouteTable + PublicSubnet4RouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Condition: 4AZs + DependsOn: [PublicSubnet4, PublicSubnetRouteTable] + Properties: + SubnetId: !Ref PublicSubnet4 + RouteTableId: !Ref PublicSubnetRouteTable + PrivateSubnet1: + Type: AWS::EC2::Subnet + Condition: PrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + 
CidrBlock: !Ref PrivateSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 1 + - Key: Network + Value: Private + PrivateSubnet2: + Type: AWS::EC2::Subnet + Condition: 2AZsPrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PrivateSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 2 + - Key: Network + Value: Private + PrivateSubnet3: + Type: AWS::EC2::Subnet + Condition: 3AZsPrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PrivateSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 3 + - Key: Network + Value: Private + PrivateSubnet4: + Type: AWS::EC2::Subnet + Condition: 4AZsPrivateSubnets + DependsOn: VPC + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref PrivateSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Private subnet 4 + - Key: Network + Value: Private + AttachmentSubnet1: + Condition: AttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet1CIDR + AvailabilityZone: !Select [0, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 1 + - Key: Network + Value: Private + AttachmentSubnet2: + Condition: AttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet2CIDR + AvailabilityZone: !Select [1, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 2 + - Key: Network + Value: Private + AttachmentSubnet3: + Condition: 3AZsAttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet3CIDR + AvailabilityZone: !Select [2, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 3 + - Key: Network + Value: Private + 
AttachmentSubnet4: + Condition: 4AZsAttachmentSubnets + DependsOn: VPC + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: !Ref AttachmentSubnet4CIDR + AvailabilityZone: !Select [3, !Ref AvailabilityZones] + Tags: + - Key: Name + Value: Attachment subnet 4 + - Key: Network + Value: Private +Outputs: + VPCID: + Value: !Ref VPC + Description: VPC ID. + Export: + Name: !Sub '${AWS::StackName}-VPCID' + VPCCIDR: + Value: !Ref VPCCIDR + Description: VPC CIDR + Export: + Name: !Sub '${AWS::StackName}-VPCCIDR' + PublicSubnet1CIDR: + Description: Public subnet 1 CIDR in Availability Zone 1. + Value: !Ref PublicSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet1CIDR' + PublicSubnet1ID: + Description: Public subnet 1 ID in Availability Zone 1. + Value: !Ref PublicSubnet1 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet1ID' + PublicSubnet2CIDR: + Condition: 2AZs + Description: Public subnet 2 CIDR in Availability Zone 2. + Value: !Ref PublicSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet2CIDR' + PublicSubnet2ID: + Condition: 2AZs + Description: Public subnet 2 ID in Availability Zone 2. + Value: !Ref PublicSubnet2 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet2ID' + PublicSubnet3CIDR: + Condition: 3AZs + Description: Public subnet 3 CIDR in Availability Zone 3. + Value: !Ref PublicSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet3CIDR' + PublicSubnet3ID: + Condition: 3AZs + Description: Public subnet 3 ID in Availability Zone 3. + Value: !Ref PublicSubnet3 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet3ID' + PublicSubnet4CIDR: + Condition: 4AZs + Description: Public subnet 4 CIDR in Availability Zone 4. + Value: !Ref PublicSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet4CIDR' + PublicSubnet4ID: + Condition: 4AZs + Description: Public subnet 4 ID in Availability Zone 4. 
+ Value: !Ref PublicSubnet4 + Export: + Name: !Sub '${AWS::StackName}-PublicSubnet4ID' + PublicSubnetRouteTable: + Value: !Ref PublicSubnetRouteTable + Description: Public subnet route table. + Export: + Name: !Sub '${AWS::StackName}-PublicSubnetRouteTable' + PrivateSubnet1CIDR: + Condition: PrivateSubnets + Description: Private subnet 1 CIDR in Availability Zone 1. + Value: !Ref PrivateSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet1CIDR' + PrivateSubnet1ID: + Condition: PrivateSubnets + Description: Private subnet 1 ID in Availability Zone 1. + Value: !Ref PrivateSubnet1 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet1ID' + PrivateSubnet2CIDR: + Condition: 2AZsPrivateSubnets + Description: Private subnet 2 CIDR in Availability Zone 2. + Value: !Ref PrivateSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet2CIDR' + PrivateSubnet2ID: + Condition: 2AZsPrivateSubnets + Description: Private subnet 2 ID in Availability Zone 2. + Value: !Ref PrivateSubnet2 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet2ID' + PrivateSubnet3CIDR: + Condition: 3AZsPrivateSubnets + Description: Private subnet 3 CIDR in Availability Zone 3. + Value: !Ref PrivateSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet3CIDR' + PrivateSubnet3ID: + Condition: 3AZsPrivateSubnets + Description: Private subnet 3 ID in Availability Zone 3. + Value: !Ref PrivateSubnet3 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet3ID' + PrivateSubnet4CIDR: + Condition: 4AZsPrivateSubnets + Description: Private subnet 4 CIDR in Availability Zone 4. + Value: !Ref PrivateSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet4CIDR' + PrivateSubnet4ID: + Condition: 4AZsPrivateSubnets + Description: Private subnet 4 ID in Availability Zone 4. 
+ Value: !Ref PrivateSubnet4 + Export: + Name: !Sub '${AWS::StackName}-PrivateSubnet4ID' + AttachmentSubnet1CIDR: + Condition: AttachmentSubnets + Description: Attachment subnet 1 CIDR in Availability Zone 1. + Value: !Ref AttachmentSubnet1CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet1CIDR' + AttachmentSubnet1ID: + Condition: AttachmentSubnets + Description: Attachment subnet 1 ID in Availability Zone 1. + Value: !Ref AttachmentSubnet1 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet1ID' + AttachmentSubnet2CIDR: + Condition: 2AZsAttachmentSubnets + Description: Attachment subnet 2 CIDR in Availability Zone 2. + Value: !Ref AttachmentSubnet2CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet2CIDR' + AttachmentSubnet2ID: + Condition: 2AZsAttachmentSubnets + Description: Attachment subnet 2 ID in Availability Zone 2. + Value: !Ref AttachmentSubnet2 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet2ID' + AttachmentSubnet3CIDR: + Condition: 3AZsAttachmentSubnets + Description: Attachment subnet 3 CIDR in Availability Zone 3. + Value: !Ref AttachmentSubnet3CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet3CIDR' + AttachmentSubnet3ID: + Condition: 3AZsAttachmentSubnets + Description: Attachment subnet 3 ID in Availability Zone 3. + Value: !Ref AttachmentSubnet3 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet3ID' + AttachmentSubnet4CIDR: + Condition: 4AZsAttachmentSubnets + Description: Attachment subnet 4 CIDR in Availability Zone 4. + Value: !Ref AttachmentSubnet4CIDR + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet4CIDR' + AttachmentSubnet4ID: + Condition: 4AZsAttachmentSubnets + Description: Attachment subnet 4 ID in Availability Zone 4. + Value: !Ref AttachmentSubnet4 + Export: + Name: !Sub '${AWS::StackName}-AttachmentSubnet4ID' + IGWID: + Description: IGW ID. + Value: !Join ['', [!Ref InternetGateway]] + Export: + Name: !Sub '${AWS::StackName}-IGWID' \ No newline at end of file 
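Review bot: AttachmentSubnet2 is gated on `Condition: AttachmentSubnets` instead of `2AZsAttachmentSubnets`, so with NumberOfAZs=1 and CreateAttachmentSubnets=true the stack still tries to create it from `!Select [1, !Ref AvailabilityZones]` and fails on a one-element list, while AttachmentSubnet3/4 and the AttachmentSubnet2ID/AttachmentSubnet2CIDR outputs already use the AZ-count conditions; change that line to `Condition: 2AZsAttachmentSubnets`. The AvailabilityZones parameter reads as `Type: List` here, which is not a CloudFormation parameter type; if the `<AWS::EC2::AvailabilityZone::Name>` suffix was stripped in rendering this is moot, otherwise it needs restoring. The CreatePrivateSubnets description has a stray period after `the CIDR parameters.`. The private and attachment subnets receive no route table association in this template, so they presumably fall back to the VPC main route table until the consuming stack attaches one — a short note to that effect in the template Description would save readers from looking for a missing NAT route.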
From 43f2b2c891572fd05e781f54754f3d3aa448a03b Mon Sep 17 00:00:00 2001 From: yongqiangliu <343847055@qq.com> Date: Thu, 22 Jan 2026 16:47:57 +0800 Subject: [PATCH 3/3] align difference with global at 2025-01-22. 1. add new version R82.10 for arm in azure China --- .../createUiDefinition.json | 205 +++++++++++++++++- .../mainTemplate.json | 13 +- .../marketplace-ha/createUiDefinition.json | 204 ++++++++++++++++- china/azure/marketplace-ha/mainTemplate.json | 13 +- .../createUiDefinition.json | 62 +++++- .../marketplace-management/mainTemplate.json | 11 +- .../marketplace-mds/createUiDefinition.json | 35 ++- china/azure/marketplace-mds/mainTemplate.json | 9 +- .../createUiDefinition.json | 204 ++++++++++++++++- .../marketplace-single/mainTemplate.json | 15 +- .../marketplace-vmss/createUiDefinition.json | 204 ++++++++++++++++- .../azure/marketplace-vmss/mainTemplate.json | 13 +- 12 files changed, 963 insertions(+), 25 deletions(-) diff --git a/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json b/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json index ac70cb63..8fdd9c41 100644 --- a/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json +++ b/china/azure/marketplace-gateway-load-balancer/createUiDefinition.json @@ -110,6 +110,10 @@ { "label": "R82", "value": "R82" + }, + { + "label": "R82.10", + "value": "R82.10" } ] } 
@@ -733,6 +737,204 @@ }, "count": "[steps('chkp-advanced').vmCount]" }, + { + "name": "R8210vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v4", + "Standard_D4d_v4" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v4", + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D2s_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D2d_v4", + "Standard_D4d_v4", + "Standard_D8d_v4", + "Standard_D16d_v4", + "Standard_D32d_v4", + "Standard_D2ds_v4", + "Standard_D4ds_v4", + "Standard_D8ds_v4", + "Standard_D16ds_v4", + "Standard_D32ds_v4", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "1740992136172", + "offer": "check-point-cg-r8210", + "sku": "sg-byol" + }, + "count": "[steps('chkp-advanced').vmCount]" + }, + { + "name": "R8210vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v4", + "Standard_D4d_v4" + ], + "constraints": { + 
"allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v4", + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D2s_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D2d_v4", + "Standard_D4d_v4", + "Standard_D8d_v4", + "Standard_D16d_v4", + "Standard_D32d_v4", + "Standard_D2ds_v4", + "Standard_D4ds_v4", + "Standard_D8ds_v4", + "Standard_D16ds_v4", + "Standard_D32ds_v4", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "1740992136172", + "offer": "check-point-cg-r8210", + "sku": "sg-ngtp" + }, + "count": "[steps('chkp-advanced').vmCount]" + }, + { + "name": "R8210vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v4", + "Standard_D4d_v4" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v4", + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D2s_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D2d_v4", + 
"Standard_D4d_v4", + "Standard_D8d_v4", + "Standard_D16d_v4", + "Standard_D32d_v4", + "Standard_D2ds_v4", + "Standard_D4ds_v4", + "Standard_D8ds_v4", + "Standard_D16ds_v4", + "Standard_D32ds_v4", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "1740992136172", + "offer": "check-point-cg-r8210", + "sku": "sg-ngtx" + }, + "count": "[steps('chkp-advanced').vmCount]" + }, { "name": "sicKeyUi", "type": "Microsoft.Common.PasswordBox", @@ -750,6 +952,7 @@ "hideConfirmation": false } } + ] }, { 
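Review bot: The `allowedSizes` list in the new R8210vmSizeUiBYOL selector repeats eight entries (`Standard_D4_v4`, `Standard_D8_v4`, `Standard_D16_v4`, `Standard_D32_v4` and their `s` variants each appear twice), and the same list is copied verbatim into R8210vmSizeUiNGTP and R8210vmSizeUiNGTX here and into the three selectors added at `@@ -711,6 +715,204 @@` in china/azure/marketplace-ha/createUiDefinition.json. The duplicates presumably do not change what the portal offers, but they make the list harder to audit against the sizes the image is actually validated for; drop the second occurrences and keep the three copies identical. If the list was copied from the existing R82 selectors, which sit outside the hunk, the duplication likely originates there and is worth fixing at the source as well. The enclosing elements array starts and ends outside the hunk.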
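Review bot: The lone `+ ]` added at `@@ -750,6 +952,7 @@` changes bracket nesting without a matching change anywhere in this patch: as rendered here the old side reads `} } },` and the new side `} } ] },`, so one of the two revisions of the file would not parse as JSON. The hunk header counts six old lines but only five are legible here, so a context line may have been lost in rendering; please confirm that both revisions of china/azure/marketplace-gateway-load-balancer/createUiDefinition.json validate before merging.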
@@ -1494,7 +1697,7 @@
 "availabilityZonesNum": "[coalesce(steps('chkp-advanced').availabilityZonesNum, int('0'))]",
 "customMetrics": "[steps('chkp-advanced').customMetrics]",
 "cloudGuardVersion": "[concat(steps('autoprovision').cloudGuardVersion, ' - ', coalesce(steps('autoprovision').R80Offer, 'Bring Your Own License'))]",
- "vmSize": "[coalesce(steps('autoprovision').R8110vmSizeUiBYOL, steps('autoprovision').R8110vmSizeUiNGTP, steps('autoprovision').R8110vmSizeUiNGTX, steps('autoprovision').R8120vmSizeUiBYOL, steps('autoprovision').R8120vmSizeUiNGTP, steps('autoprovision').R8120vmSizeUiNGTX, steps('autoprovision').R82vmSizeUiBYOL, steps('autoprovision').R82vmSizeUiNGTP, steps('autoprovision').R82vmSizeUiNGTX)]",
+ "vmSize": "[coalesce(steps('autoprovision').R8110vmSizeUiBYOL, steps('autoprovision').R8110vmSizeUiNGTP, steps('autoprovision').R8110vmSizeUiNGTX, steps('autoprovision').R8120vmSizeUiBYOL, steps('autoprovision').R8120vmSizeUiNGTP, steps('autoprovision').R8120vmSizeUiNGTX, steps('autoprovision').R82vmSizeUiBYOL, steps('autoprovision').R82vmSizeUiNGTP, steps('autoprovision').R82vmSizeUiNGTX, steps('autoprovision').R8210vmSizeUiBYOL, steps('autoprovision').R8210vmSizeUiNGTP, steps('autoprovision').R8210vmSizeUiNGTX)]",
 "sicKey": "[steps('autoprovision').sicKeyUi]",
 "bootstrapScript": "[steps('chkp-advanced').bootstrapScript]",
 "allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp-advanced').allowUploadDownload, 'true')]",
diff --git a/china/azure/marketplace-gateway-load-balancer/mainTemplate.json b/china/azure/marketplace-gateway-load-balancer/mainTemplate.json
index 342bfbc6..58e700f3 100644
--- a/china/azure/marketplace-gateway-load-balancer/mainTemplate.json
+++ b/china/azure/marketplace-gateway-load-balancer/mainTemplate.json
@@ -21,7 +21,8 @@
 "allowedValues": [
 "R81.10 - Bring Your Own License",
 "R81.20 - Bring Your Own License",
- "R82 - Bring Your Own License"
+ "R82 - Bring Your Own License",
+ "R82.10 - Bring Your Own License"
 ],
 "defaultValue": "R82 - Bring Your Own License",
 "metadata": {
@@ -442,7 +443,10 @@
 "R81.20 - Pay As You Go (NGTX)": "NGTX",
 "R82 - Bring Your Own License": "BYOL",
 "R82 - Pay As You Go (NGTP)": "NGTP",
- "R82 - Pay As You Go (NGTX)": "NGTX"
+ "R82 - Pay As You Go (NGTX)": "NGTX",
+ "R82.10 - Bring Your Own License": "BYOL",
+ "R82.10 - Pay As You Go (NGTP)": "NGTP",
+ "R82.10 - Pay As You Go (NGTX)": "NGTX"
 },
 "offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
 "osVersions": {
@@ -454,7 +458,10 @@
 "R81.20 - Pay As You Go (NGTX)": "R8120",
 "R82 - Bring Your Own License": "R82",
 "R82 - Pay As You Go (NGTP)": "R82",
- "R82 - Pay As You Go (NGTX)": "R82"
+ "R82 - Pay As You Go (NGTX)": "R82",
+ "R82.10 - Bring Your Own License": "R8210",
+ "R82.10 - Pay As You Go (NGTP)": "R8210",
+ "R82.10 - Pay As You Go (NGTX)": "R8210"
 },
 "osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
 "serialConsoleGeographies": {
diff --git a/china/azure/marketplace-ha/createUiDefinition.json b/china/azure/marketplace-ha/createUiDefinition.json
index 515078be..361ad3e5 100644
--- a/china/azure/marketplace-ha/createUiDefinition.json
+++ b/china/azure/marketplace-ha/createUiDefinition.json
@@ -88,6 +88,10 @@
 {
 "label": "R82",
 "value": "R82"
+ },
+ {
+ "label": "R82.10",
+ "value": "R82.10"
 }
 ]
 }
@@ -711,6 +715,204 @@ }, "count": 2 }, + { + "name": "R8210vmSizeUiBYOL", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v4", + "Standard_D4d_v4" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v4", + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D2s_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D2d_v4", + "Standard_D4d_v4", + "Standard_D8d_v4", + "Standard_D16d_v4", + "Standard_D32d_v4", + "Standard_D2ds_v4", + "Standard_D4ds_v4", + "Standard_D8ds_v4", + "Standard_D16ds_v4", + "Standard_D32ds_v4", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "1740992136172", + "offer": "check-point-cg-r8210", + "sku": "sg-byol" + }, + "count": 2 + }, + { + "name": "R8210vmSizeUiNGTP", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v4", + "Standard_D4d_v4" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + 
"Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v4", + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D2s_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D2d_v4", + "Standard_D4d_v4", + "Standard_D8d_v4", + "Standard_D16d_v4", + "Standard_D32d_v4", + "Standard_D2ds_v4", + "Standard_D4ds_v4", + "Standard_D8ds_v4", + "Standard_D16ds_v4", + "Standard_D32ds_v4", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "1740992136172", + "offer": "check-point-cg-r8210", + "sku": "sg-ngtp" + }, + "count": 2 + }, + { + "name": "R8210vmSizeUiNGTX", + "type": "Microsoft.Compute.SizeSelector", + "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]", + "label": "Virtual machine size", + "toolTip": "The VM size of the Security Gateway", + "recommendedSizes": [ + "Standard_D4ds_v4", + "Standard_D4d_v4" + ], + "constraints": { + "allowedSizes": [ + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D48_v4", + "Standard_D64_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D32s_v4", + "Standard_D48s_v4", + "Standard_D64s_v4", + "Standard_D2_v4", + "Standard_D4_v4", + "Standard_D8_v4", + "Standard_D16_v4", + "Standard_D32_v4", + "Standard_D2s_v4", + "Standard_D4s_v4", + "Standard_D8s_v4", + "Standard_D16s_v4", + "Standard_D2d_v4", + "Standard_D4d_v4", + "Standard_D8d_v4", + "Standard_D16d_v4", + "Standard_D32d_v4", + "Standard_D2ds_v4", + "Standard_D4ds_v4", + "Standard_D8ds_v4", + 
"Standard_D16ds_v4", + "Standard_D32ds_v4", + "Standard_F2s", + "Standard_F4s", + "Standard_F8s", + "Standard_F16s", + "Standard_M8ms", + "Standard_M16ms", + "Standard_M32ms", + "Standard_M64ms", + "Standard_M64s", + "Standard_F2", + "Standard_F4", + "Standard_F8", + "Standard_F16" + ] + }, + "osPlatform": "Linux", + "imageReference": { + "publisher": "1740992136172", + "offer": "check-point-cg-r8210", + "sku": "sg-ngtx" + }, + "count": 2 + }, { "name": "sicKeyUi", "type": "Microsoft.Common.PasswordBox", @@ -1608,7 +1810,7 @@ "authenticationType": "[basics('auth').authenticationType]", "sshPublicKey": "[basics('auth').sshPublicKey]", "vmName": "[basics('clusterObjectNameUi')]", - "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX)]", + "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX, steps('chkp').R8210vmSizeUiBYOL, steps('chkp').R8210vmSizeUiNGTP, steps('chkp').R8210vmSizeUiNGTX)]", "sicKey": "[steps('chkp').sicKeyUi]", "virtualNetworkName": "[steps('network').virtualNetwork.name]", "virtualNetworkAddressPrefixes": "[steps('network').virtualNetwork.addressPrefixes]", diff --git a/china/azure/marketplace-ha/mainTemplate.json b/china/azure/marketplace-ha/mainTemplate.json index 29a0fd47..d53c21d7 100644 --- a/china/azure/marketplace-ha/mainTemplate.json +++ b/china/azure/marketplace-ha/mainTemplate.json 
@@ -14,7 +14,8 @@
"allowedValues": [
"R81.10 - Bring Your Own License",
"R81.20 - Bring Your Own License",
- "R82 - Bring Your Own License"
+ "R82 - Bring Your Own License",
+ "R82.10 - Bring Your Own License"
],
"defaultValue": "R82 - Bring Your Own License",
"metadata": {
@@ -387,7 +388,10 @@
"R81.20 - Pay As You Go (NGTX)": "NGTX",
"R82 - Bring Your Own License": "BYOL",
"R82 - Pay As You Go (NGTP)": "NGTP",
- "R82 - Pay As You Go (NGTX)": "NGTX"
+ "R82 - Pay As You Go (NGTX)": "NGTX",
+ "R82.10 - Bring Your Own License": "BYOL",
+ "R82.10 - Pay As You Go (NGTP)": "NGTP",
+ "R82.10 - Pay As You Go (NGTX)": "NGTX"
},
"offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
"osVersions": {
@@ -399,7 +403,10 @@
"R81.20 - Pay As You Go (NGTX)": "R8120",
"R82 - Bring Your Own License": "R82",
"R82 - Pay As You Go (NGTP)": "R82",
- "R82 - Pay As You Go (NGTX)": "R82"
+ "R82 - Pay As You Go (NGTX)": "R82",
+ "R82.10 - Bring Your Own License": "R8210",
+ "R82.10 - Pay As You Go (NGTP)": "R8210",
+ "R82.10 - Pay As You Go (NGTX)": "R8210"
},
"osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
"serialConsoleGeographies": {
diff --git a/china/azure/marketplace-management/createUiDefinition.json b/china/azure/marketplace-management/createUiDefinition.json
index 12dbd960..068d7370 100644
--- a/china/azure/marketplace-management/createUiDefinition.json
+++ b/china/azure/marketplace-management/createUiDefinition.json
@@ -88,6 +88,10 @@
{
"label": "R82",
"value": "R82"
+ },
+ {
+ "label": "R82.10",
+ "value": "R82.10"
}
]
}
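Review bot: The new `R82.10 - Pay As You Go (NGTP)` / `(NGTX)` keys added to `offers` and `osVersions` cannot be selected through this parameter, because the `allowedValues` list in the `@@ -14` hunk of the same file accepts only the three BYOL strings (plus the new R82.10 BYOL one), and a UI that builds the value as `concat(version, ' - ', offer)` — as the marketplace-vmss createUiDefinition does in its `@@ -1723` hunk — would hand ARM a value it rejects before either map is consulted. If the China marketplace is BYOL-only and the PAYG keys are kept purely for parity with the global template, that is harmless but worth stating once, e.g. in the parameter's visible `metadata` block: `"description": "Only BYOL offers are published in Azure China; the PAYG keys in offers/osVersions are kept in sync with the global template and are not selectable."`; if PAYG deployments are intended, `allowedValues` needs the PAYG strings as well. The same split between `allowedValues` and the two maps is present in the marketplace-management (`@@ -296`, `@@ -305`), marketplace-single (`@@ -334`, `@@ -346`) and marketplace-vmss (`@@ -530`, `@@ -542`) mainTemplate hunks; marketplace-mds keeps both sides BYOL-only and is consistent.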
@@ -291,6 +295,62 @@
},
"count": 1
},
+ {
+ "name": "R8210vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4d_v4"
+ ],
+ "constraints": {
+ "excludedSizes": [
+ "Standard_A1_v2",
+ "Standard_D1_v2",
+ "Standard_DS1_v2",
+ "Standard_F1",
+ "Standard_F1s",
+ "Standard_G1",
+ "Standard_GS1"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "1740992136172",
+ "offer": "check-point-cg-r8210",
+ "sku": "mgmt-byol"
+ },
+ "count": 1
+ },
+ {
+ "name": "R8210vmSizeUiMGMT25",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4d_v4"
+ ],
+ "constraints": {
+ "excludedSizes": [
+ "Standard_A1_v2",
+ "Standard_D1_v2",
+ "Standard_DS1_v2",
+ "Standard_F1",
+ "Standard_F1s",
+ "Standard_G1",
+ "Standard_GS1"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "1740992136172",
+ "offer": "check-point-cg-r8210",
+ "sku": "mgmt-25"
+ },
+ "count": 1
+ },
{
"name": "managementGUIClientNetwork",
"type": "Microsoft.Common.TextBox",
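Review bot: `R8210vmSizeUiMGMT25` is made visible by `contains(steps('chkp').R80Offer, '(NGTP)')`, but the offer it selects is the management pay-as-you-go image (`"sku": "mgmt-25"`), and the corresponding mainTemplate map key in this commit is `R82.10 - Pay As You Go (MGMT25)`; if the `R80Offer` dropdown (outside this hunk) labels that option with `(MGMT25)` rather than `(NGTP)`, this selector never shows and `vmSize` falls through the `coalesce` in the `@@ -841` hunk to nothing. Please confirm the dropdown's option text; the fix, if needed, is `"visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, '(MGMT25)'))]"`. Separately, both new selectors describe a Security Management image but carry `"toolTip": "The VM size of the Security Gateway"`; suggest `"toolTip": "The VM size of the Security Management Server"` on both, and the same correction on the R81.x/R82 selectors above the hunk if they share the copied text.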
@@ -841,7 +901,7 @@
"authenticationType": "[basics('auth').authenticationType]",
"sshPublicKey": "[basics('auth').sshPublicKey]",
"vmName": "[basics('gatewayNameUi')]",
- "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiMGMT25, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiMGMT25, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiMGMT25)]",
+ "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiMGMT25, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiMGMT25, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiMGMT25, steps('chkp').R8210vmSizeUiBYOL, steps('chkp').R8210vmSizeUiMGMT25)]",
"virtualNetworkName": "[steps('network').virtualNetwork.name]",
"virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
"Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
diff --git a/china/azure/marketplace-management/mainTemplate.json b/china/azure/marketplace-management/mainTemplate.json
index 0cd42651..0fe332f0 100644
--- a/china/azure/marketplace-management/mainTemplate.json
+++ b/china/azure/marketplace-management/mainTemplate.json
@@ -14,7 +14,8 @@
"allowedValues": [
"R81.10 - Bring Your Own License",
"R81.20 - Bring Your Own License",
- "R82 - Bring Your Own License"
+ "R82 - Bring Your Own License",
+ "R82.10 - Bring Your Own License"
],
"defaultValue": "R82 - Bring Your Own License",
"metadata": {
@@ -296,7 +297,9 @@
"R81.20 - Bring Your Own License": "BYOL",
"R81.20 - Pay As You Go (MGMT25)": "MGMT25",
"R82 - Bring Your Own License": "BYOL",
- "R82 - Pay As You Go (MGMT25)": "MGMT25"
+ "R82 - Pay As You Go (MGMT25)": "MGMT25",
+ "R82.10 - Bring Your Own License": "BYOL",
+ "R82.10 - Pay As You Go (MGMT25)": "MGMT25"
},
"offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
"osVersions": {
@@ -305,7 +308,9 @@
"R81.20 - Bring Your Own License": "R8120",
"R81.20 - Pay As You Go (MGMT25)": "R8120",
"R82 - Bring Your Own License": "R82",
- "R82 - Pay As You Go (MGMT25)": "R82"
+ "R82 - Pay As You Go (MGMT25)": "R82",
+ "R82.10 - Bring Your Own License": "R8210",
+ "R82.10 - Pay As You Go (MGMT25)": "R8210"
},
"osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
"serialConsoleGeographies": {
diff --git a/china/azure/marketplace-mds/createUiDefinition.json b/china/azure/marketplace-mds/createUiDefinition.json
index e267adac..7ab848ea 100644
--- a/china/azure/marketplace-mds/createUiDefinition.json
+++ b/china/azure/marketplace-mds/createUiDefinition.json
@@ -88,6 +88,10 @@
{
"label": "R82",
"value": "R82"
+ },
+ {
+ "label": "R82.10",
+ "value": "R82.10"
}
]
}
@@ -204,6 +208,35 @@
},
"count": 1
},
+ {
+ "name": "R8210vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size. Minimum of 16 cores and 64 GB RAM is required.",
+ "recommendedSizes": [
+ "Standard_D4ds_v4",
+ "Standard_D4d_v4"
+ ],
+ "constraints": {
+ "excludedSizes": [
+ "Standard_A1_v2",
+ "Standard_D1_v2",
+ "Standard_DS1_v2",
+ "Standard_F1",
+ "Standard_F1s",
+ "Standard_G1",
+ "Standard_GS1"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "1740992136172",
+ "offer": "check-point-cg-r8210",
+ "sku": "mgmt-byol"
+ },
+ "count": 1
+ },
{
"name": "managementGUIClientNetwork",
"type": "Microsoft.Common.TextBox",
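Review bot: In the new mds `R8210vmSizeUiBYOL` selector the `toolTip` states `Minimum of 16 cores and 64 GB RAM is required`, yet `recommendedSizes` offers `Standard_D4ds_v4` and `Standard_D4d_v4` (4-vCPU, 16 GiB SKUs) and `constraints.excludedSizes` only removes the single-core sizes, so the UI steers the user to a VM that violates its own stated requirement and does nothing to enforce it. Either move the recommendation to a size that meets the floor, e.g. `"recommendedSizes": ["Standard_D16ds_v4"]`, and replace `excludedSizes` with an `allowedSizes` list that starts at 16 vCPUs, or correct the toolTip to the real minimum. If the R81.x/R82 MDS selectors above the hunk carry the same values this is inherited rather than introduced here, but the R82.10 block is the one being added.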
@@ -752,7 +785,7 @@
"authenticationType": "[basics('auth').authenticationType]",
"sshPublicKey": "[basics('auth').sshPublicKey]",
"vmName": "[basics('gatewayNameUi')]",
- "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R82vmSizeUiBYOL)]",
+ "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R8210vmSizeUiBYOL)]",
"virtualNetworkName": "[steps('network').virtualNetwork.name]",
"virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
"Subnet1Name": "[steps('network').virtualNetwork.subnets.subnet1.name]",
diff --git a/china/azure/marketplace-mds/mainTemplate.json b/china/azure/marketplace-mds/mainTemplate.json
index 08efa566..2ea055bc 100644
--- a/china/azure/marketplace-mds/mainTemplate.json
+++ b/china/azure/marketplace-mds/mainTemplate.json
@@ -14,7 +14,8 @@
"allowedValues": [
"R81.10 - Bring Your Own License",
"R81.20 - Bring Your Own License",
- "R82 - Bring Your Own License"
+ "R82 - Bring Your Own License",
+ "R82.10 - Bring Your Own License"
],
"defaultValue": "R82 - Bring Your Own License",
"metadata": {
@@ -288,13 +289,15 @@
"offers": {
"R81.10 - Bring Your Own License": "BYOL",
"R81.20 - Bring Your Own License": "BYOL",
- "R82 - Bring Your Own License": "BYOL"
+ "R82 - Bring Your Own License": "BYOL",
+ "R82.10 - Bring Your Own License": "BYOL"
},
"offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
"osVersions": {
"R81.10 - Bring Your Own License": "R8110",
"R81.20 - Bring Your Own License": "R8120",
- "R82 - Bring Your Own License": "R82"
+ "R82 - Bring Your Own License": "R82",
+ "R82.10 - Bring Your Own License": "R8210"
},
"osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
"serialConsoleGeographies": {
diff --git a/china/azure/marketplace-single/createUiDefinition.json b/china/azure/marketplace-single/createUiDefinition.json
index 4759eaa2..d6e3bbdf 100644
--- a/china/azure/marketplace-single/createUiDefinition.json
+++ b/china/azure/marketplace-single/createUiDefinition.json
@@ -88,6 +88,10 @@
{
"label": "R82",
"value": "R82"
+ },
+ {
+ "label": "R82.10",
+ "value": "R82.10"
}
]
}
@@ -711,6 +715,204 @@
},
"count": 1
},
+ {
+ "name": "R8210vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4ds_v4",
+ "Standard_D4d_v4"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v4",
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D2s_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D2d_v4",
+ "Standard_D4d_v4",
+ "Standard_D8d_v4",
+ "Standard_D16d_v4",
+ "Standard_D32d_v4",
+ "Standard_D2ds_v4",
+ "Standard_D4ds_v4",
+ "Standard_D8ds_v4",
+ "Standard_D16ds_v4",
+ "Standard_D32ds_v4",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "1740992136172",
+ "offer": "check-point-cg-r8210",
+ "sku": "sg-byol"
+ },
+ "count": 1
+ },
+ {
+ "name": "R8210vmSizeUiNGTP",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, '(NGTP)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4ds_v4",
+ "Standard_D4d_v4"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+
"Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v4",
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D2s_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D2d_v4",
+ "Standard_D4d_v4",
+ "Standard_D8d_v4",
+ "Standard_D16d_v4",
+ "Standard_D32d_v4",
+ "Standard_D2ds_v4",
+ "Standard_D4ds_v4",
+ "Standard_D8ds_v4",
+ "Standard_D16ds_v4",
+ "Standard_D32ds_v4",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "1740992136172",
+ "offer": "check-point-cg-r8210",
+ "sku": "sg-ngtp"
+ },
+ "count": 1
+ },
+ {
+ "name": "R8210vmSizeUiNGTX",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('chkp').cloudGuardVersion, 'R82.10'), contains(steps('chkp').R80Offer, '(NGTX)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4ds_v4",
+ "Standard_D4d_v4"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v4",
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D2s_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D2d_v4",
+ "Standard_D4d_v4",
+ "Standard_D8d_v4",
+ "Standard_D16d_v4",
+ "Standard_D32d_v4",
+ "Standard_D2ds_v4",
+ "Standard_D4ds_v4",
+ "Standard_D8ds_v4",
+
"Standard_D16ds_v4",
+ "Standard_D32ds_v4",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "1740992136172",
+ "offer": "check-point-cg-r8210",
+ "sku": "sg-ngtx"
+ },
+ "count": 1
+ },
{
"name": "sicKeyUi",
"type": "Microsoft.Common.PasswordBox",
@@ -1319,7 +1521,7 @@
"authenticationType": "[basics('auth').authenticationType]",
"sshPublicKey": "[basics('auth').sshPublicKey]",
"vmName": "[basics('gatewayNameUi')]",
- "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX )]",
+ "vmSize": "[coalesce(steps('chkp').R8110vmSizeUiBYOL, steps('chkp').R8110vmSizeUiNGTP, steps('chkp').R8110vmSizeUiNGTX, steps('chkp').R8120vmSizeUiBYOL, steps('chkp').R8120vmSizeUiNGTP, steps('chkp').R8120vmSizeUiNGTX, steps('chkp').R82vmSizeUiBYOL, steps('chkp').R82vmSizeUiNGTP, steps('chkp').R82vmSizeUiNGTX, steps('chkp').R8210vmSizeUiBYOL, steps('chkp').R8210vmSizeUiNGTP, steps('chkp').R8210vmSizeUiNGTX)]",
"sicKey": "[coalesce(steps('chkp').sicKeyUi, 'notused')]",
"virtualNetworkName": "[steps('network').virtualNetwork.name]",
"virtualNetworkAddressPrefix": "[steps('network').virtualNetwork.addressPrefix]",
diff --git a/china/azure/marketplace-single/mainTemplate.json b/china/azure/marketplace-single/mainTemplate.json
index 82cba76c..3b8b3291 100644
--- a/china/azure/marketplace-single/mainTemplate.json
+++ b/china/azure/marketplace-single/mainTemplate.json
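Review bot: The `allowedSizes` list pasted into each of the three new `R8210vmSizeUi*` selectors in the `@@ -711` hunk contains duplicates — `Standard_D4_v4`, `Standard_D8_v4`, `Standard_D16_v4`, `Standard_D32_v4`, `Standard_D4s_v4`, `Standard_D8s_v4` and `Standard_D16s_v4` each appear twice — which looks like two older lists concatenated without deduplication. Removing the repeated entries in every copy keeps the selector's option set unchanged and makes future diffs against the global template readable; the same list is repeated in the marketplace-vmss `@@ -754` hunk and in the HA block whose start is outside this view. Because createUiDefinition cannot reference a shared list, the three copies per file will keep drifting, so a generator or a review-checklist item for "SKU list identical across BYOL/NGTP/NGTX" is the realistic mitigation.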
@@ -21,7 +21,8 @@
"allowedValues": [
"R81.10 - Bring Your Own License",
"R81.20 - Bring Your Own License",
- "R82 - Bring Your Own License"
+ "R82 - Bring Your Own License",
+ "R82.10 - Bring Your Own License"
],
"defaultValue": "R82 - Bring Your Own License",
"metadata": {
@@ -334,7 +335,10 @@
"R81.20 - Pay As You Go (NGTX)": "NGTX",
"R82 - Bring Your Own License": "BYOL",
"R82 - Pay As You Go (NGTP)": "NGTP",
- "R82 - Pay As You Go (NGTX)": "NGTX"
+ "R82 - Pay As You Go (NGTX)": "NGTX",
+ "R82.10 - Bring Your Own License": "BYOL",
+ "R82.10 - Pay As You Go (NGTP)": "NGTP",
+ "R82.10 - Pay As You Go (NGTX)": "NGTX"
},
"offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
"osVersions": {
@@ -346,7 +350,10 @@
"R81.20 - Pay As You Go (NGTX)": "R8120",
"R82 - Bring Your Own License": "R82",
"R82 - Pay As You Go (NGTP)": "R82",
- "R82 - Pay As You Go (NGTX)": "R82"
+ "R82 - Pay As You Go (NGTX)": "R82",
+ "R82.10 - Bring Your Own License": "R8210",
+ "R82.10 - Pay As You Go (NGTP)": "R8210",
+ "R82.10 - Pay As You Go (NGTX)": "R8210"
},
"osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
"serialConsoleGeographies": {
@@ -1147,7 +1154,7 @@
"customData": "[concat('#!/usr/bin/python3 /etc/cloud_config.py\n', '\n', 'installationType=\"', variables('installationType'), '\"', '\n', 'allowUploadDownload=\"', variables('allowUploadDownload'), '\"', '\n', 'osVersion=\"', variables('osVersion'), '\"', '\n', 'templateName=\"', variables('templateName'), '\"', '\n', 'isBlink=\"', variables('isBlink'), '\"', '\n', 'templateVersion=\"', variables('templateVersion'), '\"', '\n', 'bootstrapScript64=\"', variables('bootstrapScript64'), '\"', '\n', 'location=\"', variables('location'), '\"', '\n', 'sicKey=\"', variables('sicKey'), '\"', '\n', 'managementGUIClientNetwork=\"', variables('managementGUIClientNetwork'), '\"', '\n', 'customMetrics=\"', variables('customMetrics'), '\"', '\n', 'adminShell=\"', parameters('adminShell'), '\"', '\n', 'smart1CloudToken=\"', parameters('smart1CloudToken'), '\"', '\n', 'MaintenanceModePassword=\"', parameters('MaintenanceModePasswordHash'), '\"', '\n', 'passwordHash=\"', parameters('SerialConsolePasswordHash'), '\"', '\n')]",
"imageOffer": "[concat('check-point-cg-', toLower(variables('osVersion')))]",
"imagePublisher": "1740992136172",
- "imageSku": "[if(and(equals(parameters('installationType'), 'standalone'), or(equals(variables('osVersion'),'R8110'), equals(variables('osVersion'),'R8120'), equals(variables('osVersion'),'R82'))), 'mgmt-byol', 'sg-byol')]",
+ "imageSku": "[if(and(equals(parameters('installationType'), 'standalone'), or(equals(variables('osVersion'),'R8110'), equals(variables('osVersion'),'R8120'), equals(variables('osVersion'),'R82'), equals(variables('osVersion'),'R8210'))), 'mgmt-byol', 'sg-byol')]",
"imageReferenceBYOL": {
"offer": "[variables('imageOffer')]",
"publisher": "[variables('imagePublisher')]",
diff --git a/china/azure/marketplace-vmss/createUiDefinition.json b/china/azure/marketplace-vmss/createUiDefinition.json
index df5475f4..f77dc702 100644
--- a/china/azure/marketplace-vmss/createUiDefinition.json
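Review bot: The `or(...)` inside the new `imageSku` expression now names every value that `osVersions` can produce for this template (`R8110`, `R8120`, `R82` and the new `R8210`, per the `@@ -346` hunk above and the mds mapping for R81.10), so the inner test is always true and the expression reduces to `equals(parameters('installationType'), 'standalone')`. Keeping the list means each future version has to be added in a third place, and a missed entry silently deploys the `sg-byol` gateway image for a standalone (management) installation, which only shows up after the VM is already running. Unless a version without a `mgmt-byol` SKU is still reachable, suggest `"imageSku": "[if(equals(parameters('installationType'), 'standalone'), 'mgmt-byol', 'sg-byol')]"`; if the version gate is genuinely needed, keep it as a `variables` array next to `osVersions` and test it with `contains()` so there is one place to update.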
+++ b/china/azure/marketplace-vmss/createUiDefinition.json
@@ -131,6 +131,10 @@
{
"label": "R82",
"value": "R82"
+ },
+ {
+ "label": "R82.10",
+ "value": "R82.10"
}
]
}
@@ -754,6 +758,204 @@
},
"count": "[steps('chkp-advanced').vmCount]"
},
+ {
+ "name": "R8210vmSizeUiBYOL",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, 'Bring Your Own License'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4ds_v4",
+ "Standard_D4d_v4"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v4",
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D2s_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D2d_v4",
+ "Standard_D4d_v4",
+ "Standard_D8d_v4",
+ "Standard_D16d_v4",
+ "Standard_D32d_v4",
+ "Standard_D2ds_v4",
+ "Standard_D4ds_v4",
+ "Standard_D8ds_v4",
+ "Standard_D16ds_v4",
+ "Standard_D32ds_v4",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "1740992136172",
+ "offer": "check-point-cg-r8210",
+ "sku": "sg-byol"
+ },
+ "count": "[steps('chkp-advanced').vmCount]"
+ },
+ {
+ "name": "R8210vmSizeUiNGTP",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, '(NGTP)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4ds_v4",
+ "Standard_D4d_v4"
+ ],
+ "constraints": {
+
"allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v4",
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D2s_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D2d_v4",
+ "Standard_D4d_v4",
+ "Standard_D8d_v4",
+ "Standard_D16d_v4",
+ "Standard_D32d_v4",
+ "Standard_D2ds_v4",
+ "Standard_D4ds_v4",
+ "Standard_D8ds_v4",
+ "Standard_D16ds_v4",
+ "Standard_D32ds_v4",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "1740992136172",
+ "offer": "check-point-cg-r8210",
+ "sku": "sg-ngtp"
+ },
+ "count": "[steps('chkp-advanced').vmCount]"
+ },
+ {
+ "name": "R8210vmSizeUiNGTX",
+ "type": "Microsoft.Compute.SizeSelector",
+ "visible": "[and(equals(steps('autoprovision').cloudGuardVersion, 'R82.10'), contains(steps('autoprovision').R80Offer, '(NGTX)'))]",
+ "label": "Virtual machine size",
+ "toolTip": "The VM size of the Security Gateway",
+ "recommendedSizes": [
+ "Standard_D4ds_v4",
+ "Standard_D4d_v4"
+ ],
+ "constraints": {
+ "allowedSizes": [
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D48_v4",
+ "Standard_D64_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D32s_v4",
+ "Standard_D48s_v4",
+ "Standard_D64s_v4",
+ "Standard_D2_v4",
+ "Standard_D4_v4",
+ "Standard_D8_v4",
+ "Standard_D16_v4",
+ "Standard_D32_v4",
+ "Standard_D2s_v4",
+ "Standard_D4s_v4",
+ "Standard_D8s_v4",
+ "Standard_D16s_v4",
+ "Standard_D2d_v4",
+
"Standard_D4d_v4",
+ "Standard_D8d_v4",
+ "Standard_D16d_v4",
+ "Standard_D32d_v4",
+ "Standard_D2ds_v4",
+ "Standard_D4ds_v4",
+ "Standard_D8ds_v4",
+ "Standard_D16ds_v4",
+ "Standard_D32ds_v4",
+ "Standard_F2s",
+ "Standard_F4s",
+ "Standard_F8s",
+ "Standard_F16s",
+ "Standard_M8ms",
+ "Standard_M16ms",
+ "Standard_M32ms",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_F2",
+ "Standard_F4",
+ "Standard_F8",
+ "Standard_F16"
+ ]
+ },
+ "osPlatform": "Linux",
+ "imageReference": {
+ "publisher": "1740992136172",
+ "offer": "check-point-cg-r8210",
+ "sku": "sg-ngtx"
+ },
+ "count": "[steps('chkp-advanced').vmCount]"
+ },
{
"name": "sicKeyUi",
"type": "Microsoft.Common.PasswordBox",
@@ -1723,7 +1925,7 @@
"availabilityZonesNum": "[coalesce(steps('chkp-advanced').availabilityZonesNum, int('0'))]",
"customMetrics": "[steps('chkp-advanced').customMetrics]",
"cloudGuardVersion": "[concat(steps('autoprovision').cloudGuardVersion, ' - ', coalesce(steps('autoprovision').R80Offer, 'Bring Your Own License'))]",
- "vmSize": "[coalesce(steps('autoprovision').R8110vmSizeUiBYOL, steps('autoprovision').R8110vmSizeUiNGTP, steps('autoprovision').R8110vmSizeUiNGTX , steps('autoprovision').R8120vmSizeUiBYOL, steps('autoprovision').R8120vmSizeUiNGTP, steps('autoprovision').R8120vmSizeUiNGTX, steps('autoprovision').R82vmSizeUiBYOL, steps('autoprovision').R82vmSizeUiNGTP, steps('autoprovision').R82vmSizeUiNGTX)]",
+ "vmSize": "[coalesce(steps('autoprovision').R8110vmSizeUiBYOL, steps('autoprovision').R8110vmSizeUiNGTP, steps('autoprovision').R8110vmSizeUiNGTX , steps('autoprovision').R8120vmSizeUiBYOL, steps('autoprovision').R8120vmSizeUiNGTP, steps('autoprovision').R8120vmSizeUiNGTX, steps('autoprovision').R82vmSizeUiBYOL, steps('autoprovision').R82vmSizeUiNGTP, steps('autoprovision').R82vmSizeUiNGTX, steps('autoprovision').R8210vmSizeUiBYOL, steps('autoprovision').R8210vmSizeUiNGTP, steps('autoprovision').R8210vmSizeUiNGTX)]",
"sicKey": "[steps('autoprovision').sicKeyUi]",
"bootstrapScript": "[steps('chkp-advanced').bootstrapScript]",
"allowDownloadFromUploadToCheckPoint": "[coalesce(steps('chkp-advanced').allowUploadDownload, 'true')]",
diff --git a/china/azure/marketplace-vmss/mainTemplate.json b/china/azure/marketplace-vmss/mainTemplate.json
index 4c20f4f8..b4f1e071 100644
--- a/china/azure/marketplace-vmss/mainTemplate.json
+++ b/china/azure/marketplace-vmss/mainTemplate.json
@@ -21,7 +21,8 @@
"allowedValues": [
"R81.10 - Bring Your Own License",
"R81.20 - Bring Your Own License",
- "R82 - Bring Your Own License"
+ "R82 - Bring Your Own License",
+ "R82.10 - Bring Your Own License"
],
"defaultValue": "R82 - Bring Your Own License",
"metadata": {
@@ -530,7 +531,10 @@
"R81.20 - Pay As You Go (NGTX)": "NGTX",
"R82 - Bring Your Own License": "BYOL",
"R82 - Pay As You Go (NGTP)": "NGTP",
- "R82 - Pay As You Go (NGTX)": "NGTX"
+ "R82 - Pay As You Go (NGTX)": "NGTX",
+ "R82.10 - Bring Your Own License": "BYOL",
+ "R82.10 - Pay As You Go (NGTP)": "NGTP",
+ "R82.10 - Pay As You Go (NGTX)": "NGTX"
},
"offer": "[variables('offers')[parameters('cloudGuardVersion')]]",
"osVersions": {
@@ -542,7 +546,10 @@
"R81.20 - Pay As You Go (NGTX)": "R8120",
"R82 - Bring Your Own License": "R82",
"R82 - Pay As You Go (NGTP)": "R82",
- "R82 - Pay As You Go (NGTX)": "R82"
+ "R82 - Pay As You Go (NGTX)": "R82",
+ "R82.10 - Bring Your Own License": "R8210",
+ "R82.10 - Pay As You Go (NGTP)": "R8210",
+ "R82.10 - Pay As You Go (NGTX)": "R8210"
},
"osVersion": "[variables('osVersions')[parameters('cloudGuardVersion')]]",
"serialConsoleGeographies": {