AWSTemplateFormatVersion: "2010-09-09" Description: > Broken Labs - VPC Lab 08. A VPC peering connection exists between two VPCs but routes are missing from both route tables. Instances in the peered VPCs cannot communicate. Licensed under CC BY-NC-SA 4.0: https://creativecommons.org/licenses/by-nc-sa/4.0/ Developed by: Mark Schoonover Resources: # --- VPC A (10.0.0.0/16) — web server --- LabVPCA: Type: AWS::EC2::VPC Properties: CidrBlock: 10.0.0.0/16 EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: brokenlabs-vpc-lab-08-vpc-a LabSubnetA: Type: AWS::EC2::Subnet Properties: VpcId: !Ref LabVPCA CidrBlock: 10.0.1.0/24 AvailabilityZone: !Select [0, !GetAZs ''] MapPublicIpOnLaunch: true Tags: - Key: Name Value: brokenlabs-vpc-lab-08-subnet-a LabIGWA: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: brokenlabs-vpc-lab-08-igw-a LabIGWAttachA: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref LabVPCA InternetGatewayId: !Ref LabIGWA LabRouteTableA: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref LabVPCA Tags: - Key: Name Value: brokenlabs-vpc-lab-08-rt-a LabRouteAInternet: Type: AWS::EC2::Route DependsOn: LabIGWAttachA Properties: RouteTableId: !Ref LabRouteTableA DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref LabIGWA LabSNAssocA: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref LabSubnetA RouteTableId: !Ref LabRouteTableA LabSGA: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow HTTP from VPC B VpcId: !Ref LabVPCA SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 10.1.0.0/16 Tags: - Key: Name Value: brokenlabs-vpc-lab-08-sg-a LabIAMRoleA: Type: AWS::IAM::Role Properties: RoleName: brokenlabs-vpc-lab-08-role-a AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: ec2.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore LabInstanceProfileA: Type: AWS::IAM::InstanceProfile Properties: InstanceProfileName: brokenlabs-vpc-lab-08-profile-a Roles: - !Ref LabIAMRoleA LabInstanceA: Type: AWS::EC2::Instance Properties: InstanceType: t2.micro ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64}}" SubnetId: !Ref LabSubnetA SecurityGroupIds: - !Ref LabSGA IamInstanceProfile: !Ref LabInstanceProfileA Tags: - Key: Name Value: brokenlabs-vpc-lab-08-instance-a UserData: Fn::Base64: | #!/bin/bash mkdir -p /var/www/html cat > /var/www/html/index.html << 'HTMLEOF' AWS Broken Labs

AWS Cloud Path Academy

AWS Broken Labs

If you can read this, the lab is fixed.

VPC Lab 08 — VPC Peering

www.cloudpathacademy.com

HTMLEOF cat > /etc/systemd/system/lab-web.service << 'EOF' [Unit] Description=Lab Web Server [Service] ExecStart=/usr/bin/python3 -m http.server 80 --directory /var/www/html Restart=always [Install] WantedBy=multi-user.target EOF systemctl enable lab-web systemctl start lab-web # --- VPC B (10.1.0.0/16) — client instance --- LabVPCB: Type: AWS::EC2::VPC Properties: CidrBlock: 10.1.0.0/16 EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: brokenlabs-vpc-lab-08-vpc-b LabSubnetB: Type: AWS::EC2::Subnet Properties: VpcId: !Ref LabVPCB CidrBlock: 10.1.1.0/24 AvailabilityZone: !Select [0, !GetAZs ''] MapPublicIpOnLaunch: true Tags: - Key: Name Value: brokenlabs-vpc-lab-08-subnet-b LabIGWB: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: brokenlabs-vpc-lab-08-igw-b LabIGWAttachB: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref LabVPCB InternetGatewayId: !Ref LabIGWB LabRouteTableB: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref LabVPCB Tags: - Key: Name Value: brokenlabs-vpc-lab-08-rt-b LabRouteBInternet: Type: AWS::EC2::Route DependsOn: LabIGWAttachB Properties: RouteTableId: !Ref LabRouteTableB DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref LabIGWB LabSNAssocB: Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref LabSubnetB RouteTableId: !Ref LabRouteTableB LabSGB: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Broken Labs VPC Lab 08 instance B security group VpcId: !Ref LabVPCB Tags: - Key: Name Value: brokenlabs-vpc-lab-08-sg-b LabIAMRoleB: Type: AWS::IAM::Role Properties: RoleName: brokenlabs-vpc-lab-08-role-b AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: ec2.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore LabInstanceProfileB: Type: AWS::IAM::InstanceProfile Properties: InstanceProfileName: brokenlabs-vpc-lab-08-profile-b Roles: - !Ref LabIAMRoleB LabInstanceB: Type: AWS::EC2::Instance Properties: InstanceType: t2.micro ImageId: "{{resolve:ssm:/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64}}" SubnetId: !Ref LabSubnetB SecurityGroupIds: - !Ref LabSGB IamInstanceProfile: !Ref LabInstanceProfileB Tags: - Key: Name Value: brokenlabs-vpc-lab-08-instance-b # --- VPC Peering Connection --- LabPeeringConnection: Type: AWS::EC2::VPCPeeringConnection Properties: VpcId: !Ref LabVPCA PeerVpcId: !Ref LabVPCB Tags: - Key: Name Value: brokenlabs-vpc-lab-08-peering Outputs: InstanceAPrivateIP: Description: Private IP of the web server in VPC A — use this as the curl target Value: !GetAtt LabInstanceA.PrivateIp InstanceBId: Description: EC2 Instance ID of the client in VPC B — use this to connect via Session Manager Value: !Ref LabInstanceB