
Create an Amazon VPC with a DMZ architecture using CloudFormation

The Esri arcgis-vpc-dmz.template.json Amazon Web Services (AWS) CloudFormation template is part of an advanced workflow for configuring a highly available ArcGIS Enterprise deployment in private subnets. Private subnets are not directly reachable from the internet; placing the deployment's hosts in private subnets behind a public-facing load balancer is referred to as a DMZ network architecture and can provide greater security. It requires knowledge of networking concepts and design and is intended only for highly available ArcGIS Enterprise deployments.

This template creates the following architecture in Amazon Web Services:

[Diagram: A VPC with a NAT Gateway]

License: Certain icons in the diagram are used with permission from Amazon Web Services.

DMZ network architecture workflow

The workflow for deploying a highly available ArcGIS Enterprise deployment in a DMZ network architecture in Amazon Web Services (AWS) is outlined in the following steps:

  1. Create an Amazon Virtual Private Cloud (VPC) using the arcgis-vpc-dmz.template.json template.
  2. Create an elastic load balancer (ELB).
  3. Deploy ArcGIS Enterprise.

You can use other Esri CloudFormation templates to complete steps 2 and 3. The templates that you can use depend on the type of ArcGIS Enterprise deployment that is required.

Prerequisites

Prerequisites can be grouped by the items—such as files and accounts—that you must obtain and the tasks you must perform before running the CloudFormation template.

Required items

You need the following before running this template:

  • An Amazon Web Services account.

    The account must have access to basic AWS services such as CloudFormation, Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), Systems Manager, Amazon CloudWatch, Lambda, AWS Identity and Access Management (IAM), Amazon DynamoDB, Secrets Manager, AWS Certificate Manager, and Amazon Relational Database Service (RDS).

  • The arcgis-vpc-dmz.template.json template.

Required tasks

Complete the following tasks before running this template:

  • Create an Elastic IP address.
  • Confirm that creating this VPC will not exceed the number of Virtual Private Clouds allowed in the region where you want to create it. The default limit is five per region, but you can increase it by sending a request to AWS.

Parameters

Refer to the following tables for descriptions of the parameters used in this CloudFormation template. Tables are grouped by parameter type.

VPC Configuration

Parameter name | Required? | Parameter description
Availability Zones | Required | Choose any two availability zones for your VPC and subnets.
VPC CIDR | Optional | Provide a Classless Inter-Domain Routing (CIDR) block of IP addresses for the VPC. The default is 10.0.0.0/16.

Public Subnet Configuration

Parameter name | Required? | Parameter description
Public Subnet 1 CIDR | Optional | Provide the CIDR range for the first public subnet. The default is 10.0.0.0/24.
Public Subnet 2 CIDR | Optional | Provide the CIDR range for the second public subnet. The default is 10.0.1.0/24.

Private Subnet Configuration

Parameter name | Required? | Parameter description
Private Subnet 1 CIDR | Optional | Provide the CIDR range for the first private subnet. The default is 10.0.2.0/24.
Private Subnet 2 CIDR | Optional | Provide the CIDR range for the second private subnet. The default is 10.0.3.0/24.

NAT Configuration

Parameter name | Required? | Parameter description
Elastic IP Address Allocation ID | Required | Provide the Allocation ID of an Elastic IP address (in the format eipalloc-XXXXXXXX) for the NAT Gateway.
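The four subnet CIDRs and the VPC CIDR above are accepted by CloudFormation as plain strings, so a subnet that falls outside the VPC block or overlaps another one is only reported once the stack is already being created. The following pre-flight check is an added example, not part of the Esri template or its documentation: it validates a network plan built from the documented defaults, then assembles the create_stack parameter list from the keys the template actually declares. The ParameterKey names in SAMPLE_TEMPLATE (AvailabilityZones, VPCCIDR, EIPAllocationId) are assumptions; read the real keys from the Parameters section of arcgis-vpc-dmz.template.json.

```python
import ipaddress
import json
import re

# Network plan using the defaults documented for the template's CIDR parameters.
DEFAULT_PLAN = {
    "vpc_cidr": "10.0.0.0/16",
    "public_subnet_1": "10.0.0.0/24",
    "public_subnet_2": "10.0.1.0/24",
    "private_subnet_1": "10.0.2.0/24",
    "private_subnet_2": "10.0.3.0/24",
}
SUBNET_NAMES = ("public_subnet_1", "public_subnet_2", "private_subnet_1", "private_subnet_2")

# The documentation gives the allocation ID format as eipalloc-XXXXXXXX; the accepted
# hex length (8 legacy, 17 current) is an assumption based on the IDs AWS issues.
EIPALLOC_RE = re.compile(r"^eipalloc-[0-9a-f]{8,17}$")


def validate_network_plan(plan, availability_zones, eip_allocation_id):
    """Return a list of problems with the plan; an empty list means it is consistent.

    Checks: every CIDR parses as a network (no host bits set), each subnet lies
    inside the VPC CIDR, no two subnets overlap, exactly two distinct AZs are named,
    and the Elastic IP allocation ID has the documented eipalloc- form.
    """
    problems = []
    try:
        vpc = ipaddress.ip_network(plan["vpc_cidr"], strict=True)
    except ValueError as exc:
        return [f"VPC CIDR is not a valid network: {exc}"]

    subnets = {}
    for name in SUBNET_NAMES:
        try:
            subnets[name] = ipaddress.ip_network(plan[name], strict=True)
        except ValueError as exc:
            problems.append(f"{name} is not a valid network: {exc}")

    for name, net in subnets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside the VPC CIDR {vpc}")

    names = list(subnets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if subnets[first].overlaps(subnets[second]):
                problems.append(f"{first} {subnets[first]} overlaps {second} {subnets[second]}")

    if len(availability_zones) != 2 or len(set(availability_zones)) != 2:
        problems.append("choose exactly two distinct availability zones")
    if not EIPALLOC_RE.match(eip_allocation_id):
        problems.append(f"{eip_allocation_id!r} is not an eipalloc-... allocation ID")
    return problems


def template_parameters(template_text):
    """Map each ParameterKey declared in a CloudFormation JSON template to its Default
    (None when the template declares no default, i.e. the caller must supply it)."""
    params = json.loads(template_text).get("Parameters", {})
    return {key: spec.get("Default") for key, spec in params.items()}


def build_stack_parameters(template_text, values):
    """Build the Parameters list for cloudformation.create_stack.

    Unknown keys are rejected (a typo would otherwise surface only as an API error),
    keys without a template default must be supplied, and list values are joined with
    commas, which is how CloudFormation expects List-typed parameters.
    """
    declared = template_parameters(template_text)
    unknown = sorted(set(values) - set(declared))
    if unknown:
        raise ValueError(f"keys not declared in the template: {unknown}")
    missing = sorted(k for k, default in declared.items() if default is None and k not in values)
    if missing:
        raise ValueError(f"required parameters without a value: {missing}")
    stack_params = []
    for key, value in values.items():
        if isinstance(value, (list, tuple)):
            value = ",".join(value)
        stack_params.append({"ParameterKey": key, "ParameterValue": value})
    return stack_params


# Constructed stand-in for the template's Parameters section. The ParameterKey names
# are assumptions: read the real ones from arcgis-vpc-dmz.template.json.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {
        "AvailabilityZones": {"Type": "List<AWS::EC2::AvailabilityZone::Name>"},
        "VPCCIDR": {"Type": "String", "Default": "10.0.0.0/16"},
        "EIPAllocationId": {"Type": "String"},
    }
})

if __name__ == "__main__":
    report = validate_network_plan(DEFAULT_PLAN, ["us-east-1a", "us-east-1b"], "eipalloc-0123abcd")
    print("plan ok" if not report else "\n".join(report))
    print(build_stack_parameters(SAMPLE_TEMPLATE, {
        "AvailabilityZones": ["us-east-1a", "us-east-1b"],
        "EIPAllocationId": "eipalloc-0123abcd",
    }))
```

Parameters with a template default and no override are deliberately left out of the list so CloudFormation applies the default itself; passing an explicit value for every parameter is equally valid, but it hides which values were actually chosen when the stack is reviewed later.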

Outputs

When your stack is created successfully, you can see the following output parameters on the Outputs tab of the CloudFormation stack in the AWS Management Console.

Output name | Output description
VPCId | The ID of the VPC in which you will create deployments. Choose this ID when launching ArcGIS stacks.
PublicSubnet1Id | The ID of public subnet 1, which you can choose when you use Esri CloudFormation templates to create ArcGIS deployments in this VPC.
PublicSubnet2Id | The ID of public subnet 2, which you can choose when you use Esri CloudFormation templates to create highly available ArcGIS deployments or enterprise geodatabases in this VPC.
PrivateSubnet1Id | The ID of private subnet 1, which you can choose when you use Esri CloudFormation templates to create ArcGIS deployments in this VPC.
PrivateSubnet2Id | The ID of private subnet 2, which you can choose when you use Esri CloudFormation templates to create highly available ArcGIS deployments or enterprise geodatabases in this VPC.
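The required tasks (allocate an Elastic IP, stay within the VPC limit), step 1 of the workflow, and the Outputs above form one sequence: the VPC stack's outputs are the inputs the ELB and ArcGIS Enterprise stacks take in steps 2 and 3. The following example, added here and not part of the Esri template or documentation, runs that sequence with boto3 and refuses to hand over a partial set of IDs. EIP_PARAMETER_KEY is an assumption (read the real key from the template's Parameters section), the placeholder IDs in SAMPLE_DESCRIBE_STACKS are constructed, and the VPC limit is the default of five stated in the prerequisites.

```python
# Output names documented for the stack; every one must be present before the next stacks run.
EXPECTED_OUTPUTS = ("VPCId", "PublicSubnet1Id", "PublicSubnet2Id", "PrivateSubnet1Id", "PrivateSubnet2Id")

# Default VPC limit per region as stated in the prerequisites; raise it via AWS if needed.
DEFAULT_VPC_LIMIT_PER_REGION = 5

# Assumption: the template's ParameterKey for the Elastic IP allocation ID. Read the real
# key from the Parameters section of arcgis-vpc-dmz.template.json.
EIP_PARAMETER_KEY = "EIPAllocationId"


def outputs_to_dict(describe_stacks_response):
    """Flatten a describe_stacks response into {OutputKey: OutputValue} and refuse to
    continue if any documented output is absent, so a half-created stack is never
    silently used as the target for the ELB or ArcGIS Enterprise stacks."""
    stacks = describe_stacks_response.get("Stacks", [])
    if not stacks:
        raise ValueError("describe_stacks returned no stack")
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stacks[0].get("Outputs", [])}
    missing = [name for name in EXPECTED_OUTPUTS if name not in outputs]
    if missing:
        raise ValueError(f"stack outputs missing {missing}")
    return outputs


def vpc_headroom(existing_vpc_count, limit=DEFAULT_VPC_LIMIT_PER_REGION):
    """How many more VPCs the region can hold before the limit is reached."""
    return max(limit - existing_vpc_count, 0)


def deploy_dmz_vpc(stack_name, template_body, parameters, region):
    """Run the required tasks and step 1 of the workflow: check VPC headroom, allocate
    the Elastic IP for the NAT Gateway, create the stack, wait for completion, and
    return the IDs that steps 2 and 3 take as input."""
    import boto3  # imported lazily so the helpers above work without AWS credentials

    ec2 = boto3.client("ec2", region_name=region)
    cfn = boto3.client("cloudformation", region_name=region)

    existing = len(ec2.describe_vpcs()["Vpcs"])
    if vpc_headroom(existing) == 0:
        raise RuntimeError(f"{existing} VPCs already exist in {region}; request a limit increase first")

    # Required task: the Elastic IP whose allocation ID the template needs for the NAT Gateway.
    allocation_id = ec2.allocate_address(Domain="vpc")["AllocationId"]
    parameters = list(parameters) + [{"ParameterKey": EIP_PARAMETER_KEY, "ParameterValue": allocation_id}]

    cfn.create_stack(StackName=stack_name, TemplateBody=template_body, Parameters=parameters)
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
    return outputs_to_dict(cfn.describe_stacks(StackName=stack_name))


# Constructed describe_stacks response with placeholder IDs, used to exercise outputs_to_dict offline.
SAMPLE_DESCRIBE_STACKS = {
    "Stacks": [{
        "StackName": "arcgis-dmz-vpc",
        "StackStatus": "CREATE_COMPLETE",
        "Outputs": [
            {"OutputKey": "VPCId", "OutputValue": "vpc-PLACEHOLDER"},
            {"OutputKey": "PublicSubnet1Id", "OutputValue": "subnet-PLACEHOLDER1"},
            {"OutputKey": "PublicSubnet2Id", "OutputValue": "subnet-PLACEHOLDER2"},
            {"OutputKey": "PrivateSubnet1Id", "OutputValue": "subnet-PLACEHOLDER3"},
            {"OutputKey": "PrivateSubnet2Id", "OutputValue": "subnet-PLACEHOLDER4"},
        ],
    }]
}

if __name__ == "__main__":
    ids = outputs_to_dict(SAMPLE_DESCRIBE_STACKS)
    # In the DMZ layout the internet-facing load balancer (step 2) uses the public subnets
    # and the ArcGIS Enterprise hosts (step 3) use the private ones.
    print("load balancer subnets:", ids["PublicSubnet1Id"], ids["PublicSubnet2Id"])
    print("ArcGIS Enterprise subnets:", ids["PrivateSubnet1Id"], ids["PrivateSubnet2Id"])
```

The stack_create_complete waiter raises if the stack rolls back, so a failed create never reaches outputs_to_dict; the missing-output check covers the remaining case where a stack completes but was built from a modified template that no longer exports one of the documented IDs.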