How to set up and maintain an application environment on Amazon Cloud using CloudFormation


Over the last couple of years Amazon Virtual Private Cloud (VPC) has become the de-facto standard for companies implementing a secure public cloud infrastructure, either as a standalone environment or as an extension of their on-site network. As a member of Amazon Web Services’ Partner Network, Coherent Solutions has been using VPC internally for over two years to readily provision or tear down computing resources as needed. More recently, we have helped a number of clients to securely extend their network out to Amazon’s cloud too.

While VPC provides the core capabilities, AWS offers a number of complementary technologies to help with set up and manage VPC environments in a repeatable and reliable manner. One such technology is Amazon CloudFormation (CF.) Following are steps for setting up a simple environment on Amazon VPC with the help of CloudFormation.

Step 1: Planning your environment

First you need to decide whether your VPC environment will be connected to the company LAN via a VPN tunnel. Amazon does a good job describing a few typical scenarios that benefit from establishing a VPN tunnel VPN tunnels. But for our purpose here we will use a simple, realistic situation of an environment with a public subnet, two private subnets, and no VPN tunnel.


The fact that we are not setting up a VPN tunnel will mean that the only way to access resources in either of the private subnets will be through an SSH tunnel via a bastion host residing on the public subnet.

Step 2: Authoring the CloudFormation template

Once you have defined the architecture of the environment, you can proceed to defining the CF template — or stack in CF terms. The CF template is a JSON file describing various resources comprising a VPC environment and a number of helper functions that allow you to:

  • Set parameters for declared resource properties
  • Reference configured resource attributes when defining other resources
  • Provide output values back to AWS for ease of reference once the stack is


CF templates, being JavaScript files, can be authored by any text or JSON editor. AWS toolkits for popular IDEs provide CF template editors. For example, the CF template editor in Eclipse provides simple template validation capabilities as well as one-click deployment of templates to CloudFormation.


Step 3: Creating the stack

Once you have created the template, it is time to create an instance of the environment by creating a new stack with your template. Go to the CloudFormation control panel in the AWS management console and select, “Create New Stack.” Then:

  • Choose the option to upload a template
  • Specify the values for any parameters you may have defined in your template (Note that all of the parameters are displayed in a somewhat random order by the AWS console.)

Now sit back and enjoy a cup of coffee while CF does all the work. You can monitor the progress of creating a stack by looking at the “Events” tab in the CF control panel.


Step 4: Updating the stack

Once the stack is created, you can continue making changes to it by modifying the template. Say you want to adjust the network security of your environment by updating ingress/egress rules for one or more security group.

  • First, update the rules in the template: you can create new rules, update existing ones, or delete those that are no longer needed.
  • Second, navigate to the CF control panel, click “Update Stack” and choose your updated template.


When changing any of the existing stack resources, play close attention to the CF template reference documentation published by Amazon. It does a good job of defining the framework ehavior for updating properties of various resource types. In some cases, updates are not possible and resources need to be recreated. In others, the framework will automatically recreate the resource.


CloudFormation provides a highly maintainable and controlled way of setting up and managing resources on Amazon Cloud. With a few exceptions, CloudFormation templates should be the preferred way for companies to describe the infrastructure resources.

In future Building Blocks articles I will talk about how to use Amazon Elastic Beanstalk and OpsCode Chef to further automate the management of your application’s infrastructure. Meanwhile, if you have questions or would like to know more about using CloudFormation and other complementary technologies for creating and managing the infrastructure system on Amazon Cloud, please feel free to reach me at: