aws-quickstart / quickstart-aws-vpc

Amazon Virtual Private Cloud—AWS Solution
Apache License 2.0

Added 'Name' tags for NACLs, Routing Tables, Subnets, and VPC. Added … #2

Closed tjpatter closed 8 years ago

tjpatter commented 8 years ago

…S3 VPC Endpoint to private subnets. Added optional Bastion instance support.

As a user of this QuickStart, it was very hard to use the resources it created as nothing had a 'Name' tag. I have modified the template to tag resources appropriately. For example, a subnet could end up with a Name tag of 'DevVPC-private-us-east-1b'. These tags are derived automatically via parameters and environmental information. I have continued the use of the conditionals throughout.

Additionally, I have added an S3 endpoint and associated it with the proper route tables (also continuing the use of the conditionals). Why not send traffic local to S3 instead of relying on NAT / NAT Gateway?

This modified template also adds support for optionally provisioning a Bastion instance.

(Spacing has been fixed from my last pull request attempt)

santiagocardenas commented 8 years ago

Hi Timothy,

The Bastion changes, while they are nice, are out of the scope of this Quick Start. This Quick Start covers the initial networking plumbing needed to deploy workloads. This also varies in the case of Linux vs. Windows workloads. Any instances with different roles are meant to be deployed on top of this Quick Start and not by this Quick Start.

Also, it would be preferred not to add more parameters to the template for the Name tags. Please derive these from either static subnet names, Availability Zone names, and/or CloudFormation stack names. The more parameters that are included in this template, the more parameters that must be added to any template that consumes this template (e.g. a main/master template that consumes this as a nested template).

Once again, thank you for contributing many of these changes. We are hoping to include the reworked changes in a future release.

tjpatter commented 8 years ago

I agree to disagree with you... As an end-user of this Quick Start, it is frustrating to have a bare-bones environment provisioned that is not very human-friendly. If I want to launch an instance into a private subnet and then get access to it, there is a lot of extra leg work I have to do. There is nothing "quick" about it. Having human-friendly Name tags is a big win from a customer's point of view. It does not impact the ability to script against the output of this Quick Start in any way (no detriment to power users). My $.02 -- if I wanted nothing more than a bare-bones VPC with private subnets I may as well just use the VPC Wizard from the console... What is an extra set of parameters vs. having to decipher, "Hmm, what is subnet-123456? Is it my public or my private? Which AZ does it live in?"

As for the Bastion, I consider it to be a key piece of the VPC infrastructure itself, not an extra add-on application. Even AWS' own Enterprise NIST Accelerator Quick Start includes a Bastion as part of the Management and Production VPC infrastructures... To your point regarding Linux vs. Windows for a Bastion, I do feel this is a good area for improvement. I can easily update the template to allow an end user to choose via a parameter which OS they want as a Bastion and update the security group's access port from 22 to 3389 based upon their choice.

I am not trying to be difficult, but instead a voice for the actual end-users of this template. I strongly urge you to reconsider some of these points. I hold your (AWS') work to the highest standards. As things stand today, this particular Quick Start seems to fall short of the broader goal. Embrace the Amazon way and re-iterate on this to make it something that a wide majority of end-users can truly benefit from.

santiagocardenas commented 8 years ago

The information from the tags is already in the console or the objects (that is, the information about which availability zone it's in is clearly visible in each row on the VPC console's Subnets page). We would see more value for users if we add the name of the subnet (for example the first private subnet would be called "Private subnet 1A") and for the VPC we add the name of the stack (for example, the stack name could be called "ProductionVPC", which in turn would be used as the VPC Name tag).

For the bastion, we have separate Quick Starts that can potentially be nested. Check out the Remote Desktop Gateway one. As of now, however, we don't have a Linux based Bastion Quick Start, but that would be a great idea for a new Quick Start.

The S3 endpoint is something that would be great to include in the VPC as it brings many benefits in line with the network plumbing set up by the VPC Quick Start.

Just to add, we are trying to include as many things as possible as we iterate. As a matter of fact, we just released a new version of this VPC Quick Start today with improvements based on feedback. This VPC Quick Start will be referenced by many other Quick Starts, so we really have to be mindful of the future implications of what we add into it.
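The two tagging schemes discussed in this thread (a Name like 'DevVPC-private-us-east-1b' derived from the stack name and Availability Zone, and the parameter-free "Private subnet 1A" / stack-name-as-VPC-name scheme) together with an S3 gateway endpoint attached to the private route table, as an added CloudFormation sketch that is not the quickstart-aws-vpc template; resource names, CIDRs and the single-AZ layout are assumptions:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added illustration (assumed names/CIDRs), not the Quick Start template
Parameters:
  AvailabilityZones:
    Type: List<AWS::EC2::AvailabilityZone::Name>
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName          # stack "ProductionVPC" -> VPC "ProductionVPC"
  PrivateSubnet1A:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/19
      AvailabilityZone: !Select [0, !Ref AvailabilityZones]
      Tags:
        - Key: Name
          Value: Private subnet 1A            # static name, no extra parameter needed
  PrivateSubnet1ARouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          # stack name + AZ read back from the subnet, e.g. "DevVPC-private-us-east-1b"
          Value: !Sub '${AWS::StackName}-private-${PrivateSubnet1A.AvailabilityZone}'
  PrivateSubnet1ARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet1A
      RouteTableId: !Ref PrivateSubnet1ARouteTable
  S3Endpoint:
    # Gateway endpoint: S3 traffic from the private subnet stays on the AWS network
    # instead of traversing the NAT; the endpoint policy is where access is scoped.
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds:
        - !Ref PrivateSubnet1ARouteTable
```

Without a PolicyDocument the endpoint allows full S3 access from the VPC; in a real deployment scope it to the buckets the workloads need.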