Create an Amazon VPC with a DMZ architecture using CloudFormation—ArcGIS Enterprise in the cloud

The Esri arcgis-vpc-dmz.template.json Amazon Web Services (AWS) CloudFormation template is part of an advanced workflow for configuring a highly available ArcGIS Enterprise deployment in private subnets. Private subnets are not directly accessible from the internet. This is referred to as a DMZ network architecture and can provide greater security. It requires knowledge of networking concepts and design and is only intended for highly available ArcGIS Enterprise deployments.

This template creates the following architecture in Amazon Web Services:

A VPC with a NAT Gateway

License:

Certain icons in the diagram are used with permission from Amazon Web Services.

DMZ network architecture workflow

The workflow for deploying a highly available ArcGIS Enterprise deployment in a DMZ network architecture in Amazon Web Services (AWS) is outlined in the following steps:

Create an Amazon Virtual Private Cloud (VPC) using the arcgis-vpc-dmz.template.json template.
Create an elastic load balancer (ELB).
You can use other Esri CloudFormation templates to complete steps 2 and 3. The templates that you can use depend on the type of ArcGIS Enterprise deployment that is required.
Deploy ArcGIS Enterprise.

Prerequisites

Prerequisites can be grouped by the items—such as files and accounts—that you must obtain and the tasks you must perform before running the CloudFormation template.

Required items

You need the following before running this template:

An Amazon Web Services account.
The account must have access to basic AWS services such as CloudFormation, Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), Systems Manager, Amazon CloudWatch, Lambda, AWS Identity and Access Management (IAM), Amazon DynamoDB, Secrets Manager, AWS Certificate Manager, and Amazon Relational Database Service (RDS).
Open and save a local copy of the arcgis-vpc-dmz.template.json template.

Required tasks

Complete the following tasks before running this template:

Create an Elastic IP address.
Confirm that the number of Virtual Private Clouds in the region where you want to create this VPC does not exceed the number allowed for the region. The default number is five per region, but you can increase this limit by sending a request to AWS.

Parameters

Refer to the following tables for descriptions of the parameters used in this CloudFormation template. Tables are grouped by parameter type.

VPC Configuration


Parameter name	Required?	Parameter description
Availability Zones	Required	Choose any two availability zones for your VPC and subnets.
VPC CIDR	Optional	Provide a Classless Inter-Domain Routing (CIDR) block of IP addresses for the VPC. The default is 10.0.0.0/16.

Public Subnet Configuration


Parameter name	Required?	Parameter description
Public Subnet 1 CIDR	Optional	Provide the first public subnet for the CIDR range. The default is 10.0.0.0/24.
Public Subnet 2 CIDR	Optional	Provide the second public subnet for the CIDR range. The default is 10.0.1.0/24.

Private Subnet Configuration


Parameter name	Required?	Parameter description
Private Subnet 1 CIDR	Optional	Provide a private subnet CIDR range. The default is 10.0.2.0/24.
Private Subnet 2 CIDR	Optional	Provide a second private subnet CIDR range. The default is 10.0.3.0/24.

NAT Configuration


Parameter name	Required?	Parameter description
Elastic IP Address Allocation ID	Required	Provide the Allocation ID of an Elastic IP address (in the format eipalloc-XXXXXXXX) for the NAT Gateway.

Outputs

When your stack is created successfully, you can see the following output parameters on the Outputs tab of the CloudFormation stack in AWS Management Console.


Output name	Output description
VPCId	The ID of the VPC in which you will create deployments. Choose this ID when launching ArcGIS stacks.
PublicSubnet1Id	The ID of public subnet 1, which you can choose when you use Esri CloudFormation templates to create ArcGIS deployments in this VPC.
PublicSubnet2Id	The ID of public subnet 2, which you can choose when you use Esri CloudFormation templates to create highly available ArcGIS deployments or enterprise geodatabases in this VPC.
PrivateSubnet1Id	The ID of private subnet 1, which you can choose when you use Esri CloudFormation templates to create ArcGIS deployments in this VPC.
PrivateSubnet2Id	The ID of private subnet 2, which you can choose when you use Esri CloudFormation templates to create highly available ArcGIS deployments or enterprise geodatabases in this VPC.

Feedback on this topic?