Explanation of AWS Infrastucture pipeline

How VPC, Subnet, Connects with Internet Gateway

Resources:

  ### ECR Repository

  MyECRRepository:

    Type: AWS::ECR::Repository

    Properties:

      RepositoryName: documentportal

      ImageScanningConfiguration:

        ScanOnPush: true

      ImageTagMutability: MUTABLE

  ### VPC, Subnets, Internet Gateway

  MyVPC:

    Type: AWS::EC2::VPC

    Properties:

      CidrBlock: !Ref VpcCIDR 

      EnableDnsSupport: true

      EnableDnsHostnames: true

      Tags:

        - Key: Name

          Value: ecs-vpc

  Subnet1:

    Type: AWS::EC2::Subnet

    Properties:

      VpcId: !Ref MyVPC 

      CidrBlock: !Ref Subnet1CIDR

      AvailabilityZone: !Select [0, !GetAZs '']

      MapPublicIpOnLaunch: true

      Tags:

        - Key: Name

          Value: public-subnet-1

  Subnet2:

    Type: AWS::EC2::Subnet

    Properties:

      VpcId: !Ref MyVPC

      CidrBlock: !Ref Subnet2CIDR

      AvailabilityZone: !Select [1, !GetAZs '']

      MapPublicIpOnLaunch: true

      Tags:

        - Key: Name

          Value: public-subnet-2

Let’s break this AWS CloudFormation “Resources” block line by line — in simple real-world terms — so you understand what exactly AWS builds for you when this template runs.

🧱 SECTION OVERVIEW

This part of the template actually creates infrastructure — the real AWS components (ECR, VPC, subnets, etc.).

Here you’re creating:

1. 🧩 ECR Repository → stores your Docker container images

2. 🌐 VPC (Virtual Private Cloud) → your private AWS network

3. 🕸️ Two Subnets → divisions inside that network (used by ECS)

4. 🌍 Internet Gateway (mentioned later) → gives public access

🔹 1️⃣ ECR Repository (Elastic Container Registry)

MyECRRepository:
  Type: AWS::ECR::Repository
  Properties:
    RepositoryName: documentportal
    ImageScanningConfiguration:
      ScanOnPush: true
    ImageTagMutability: MUTABLE

💬 Explanation

• Type: AWS::ECR::Repository
  👉 Tells CloudFormation to create an ECR (Elastic Container Registry) repository.
  Think of this as your private Docker Hub on AWS.

• RepositoryName: documentportal
  👉 The name of your repository — e.g.
  123456789012.dkr.ecr.ap-south-1.amazonaws.com/documentportal

• ImageScanningConfiguration → ScanOnPush: true
  👉 Automatically scans your uploaded Docker image for vulnerabilities each time you push a new image.

• ImageTagMutability: MUTABLE
  👉 Allows you to overwrite existing image tags (like latest).
  (If you set this to IMMUTABLE, once you push an image with a tag, it can’t be replaced.)

✅ Purpose:
Stores your built Docker images that your ECS service will later pull and run.

🔹 2️⃣ VPC (Virtual Private Cloud)

MyVPC:
  Type: AWS::EC2::VPC
  Properties:
    CidrBlock: !Ref VpcCIDR 
    EnableDnsSupport: true
    EnableDnsHostnames: true
    Tags:
      - Key: Name
        Value: ecs-vpc

💬 Explanation

• Type: AWS::EC2::VPC
  👉 Creates a Virtual Private Cloud — your isolated private network in AWS.

• CidrBlock: !Ref VpcCIDR
  👉 Uses the parameter defined earlier (10.0.0.0/16).
  This defines the IP address range of your network.

• EnableDnsSupport: true
  👉 Allows DNS resolution inside your VPC (important for ECS, EC2, etc.).

• EnableDnsHostnames: true
  👉 Gives your instances (or containers) DNS hostnames like ip-10-0-0-1.ec2.internal.

• Tags → Name: ecs-vpc
  👉 Tags make it easy to identify resources in the AWS console.

✅ Purpose:
This creates your network boundary, where everything — subnets, ECS, load balancers — will live.

🔹 3️⃣ Subnet 1 (Public Subnet in 1st Availability Zone)

Subnet1:
  Type: AWS::EC2::Subnet
  Properties:
    VpcId: !Ref MyVPC 
    CidrBlock: !Ref Subnet1CIDR
    AvailabilityZone: !Select [0, !GetAZs '']
    MapPublicIpOnLaunch: true
    Tags:
      - Key: Name
        Value: public-subnet-1

💬 Explanation

• Type: AWS::EC2::Subnet
  👉 Creates a subnet (a smaller network section inside the VPC).

• VpcId: !Ref MyVPC
  👉 Links this subnet to the VPC you just created.

• CidrBlock: !Ref Subnet1CIDR
  👉 Uses your parameter (10.0.1.0/24).
  This is the IP range of Subnet 1.

• AvailabilityZone: !Select [0, !GetAZs '']
  👉 Automatically picks the first Availability Zone in your region (like ap-south-1a).

  • !GetAZs '' returns a list of all AZs in your current region.

  • !Select [0, ...] picks the first one.

• MapPublicIpOnLaunch: true
  👉 Ensures that any EC2 instance or ECS task launched in this subnet gets a public IP by default.
  This makes it a public subnet (connected to the internet via an Internet Gateway).

• Tag Name: public-subnet-1
  👉 Helps identify it easily.

✅ Purpose:
This subnet is typically where your Load Balancer or public-facing ECS services are placed.

🔹 4️⃣ Subnet 2 (Public Subnet in 2nd Availability Zone)

Subnet2:
  Type: AWS::EC2::Subnet
  Properties:
    VpcId: !Ref MyVPC
    CidrBlock: !Ref Subnet2CIDR
    AvailabilityZone: !Select [1, !GetAZs '']
    MapPublicIpOnLaunch: true
    Tags:
      - Key: Name
        Value: public-subnet-2

💬 Explanation

This is almost identical to Subnet 1, but key differences are:

• AvailabilityZone: !Select [1, !GetAZs '']
  👉 This time it picks the second Availability Zone (like ap-south-1b).

• CidrBlock: Uses 10.0.2.0/24
  👉 So it doesn’t overlap with Subnet 1.

✅ Purpose:
Gives your ECS or load balancer another subnet in a different Availability Zone, enabling high availability (if one zone fails, your app still runs in the other).

🧠 Bonus: What Happens When You Deploy This?

When you deploy this CloudFormation stack:

Later, other sections (like ECS Cluster, Load Balancer, Security Groups) will use these subnet IDs and VPC ID to connect everything together.

🧩 Summary (In Real Words)