feat(vpcv2): implementation of add gateway method #31224

Merged
merged 51 commits into from
Sep 12, 2024
51 commits
31d3f48
Add RouteTable addRoute method
Aug 9, 2024
727b164
Update packages/@aws-cdk/aws-ec2-alpha/lib/route.ts
shikha372 Aug 9, 2024
cb8c941
Change CfnRoute to Route L2
Aug 12, 2024
d21be53
Update README.md
Aug 12, 2024
42830e7
Merge branch 'main' into vpcv2-rt-addroute
Leo10Gama Aug 12, 2024
2f48ab2
Update integ test to use only one EIGW
Aug 12, 2024
f904a97
Add subnet associateRouteTable method
Aug 13, 2024
b52d498
Appease the linter
Aug 13, 2024
1aef528
Update subnet with public routeTable again
Aug 13, 2024
9b15a4b
Update subnet-v2.ts
shikha372 Aug 14, 2024
bc56a77
Update subnet-v2.ts
shikha372 Aug 14, 2024
cc8db35
Extend IRouteTable into IRouteTableV2
Aug 14, 2024
285da27
Merge branch 'main' into vpcv2-rt-addroute
shikha372 Aug 14, 2024
98f9d53
ok so route table v2 was not a great idea lol
Aug 14, 2024
b3e08c1
Merge branch 'main' into vpcv2-rt-addroute
Leo10Gama Aug 14, 2024
1211fde
Update testing
Aug 15, 2024
ca9c385
Merge branch 'main' into vpcv2-rt-addroute
shikha372 Aug 15, 2024
eaa7ccb
add method associateRouteTable
shikha372 Aug 14, 2024
a25bb78
fixing route class
shikha372 Aug 15, 2024
1721026
making ipam props private
shikha372 Aug 15, 2024
bc393c2
successful build
shikha372 Aug 15, 2024
aed940f
adding validation for ipv4
shikha372 Aug 15, 2024
499c6c8
fixing egw route and subnet snapshot
shikha372 Aug 16, 2024
f296f3e
fixing readme and route unit test
shikha372 Aug 16, 2024
0002de5
fixing vpc snapshot
shikha372 Aug 16, 2024
909f7da
Update route snapshot
Aug 16, 2024
1b907c1
Update route snapshot
Aug 16, 2024
0dba8bb
Merge branch 'main' into vpcv2-rt-addroute
shikha372 Aug 23, 2024
8ca0a3c
adding EGW method to VPC
shikha372 Aug 23, 2024
f42666d
(feat): add EIGW implementation
shikha372 Aug 26, 2024
36a9511
adding unit and integ tests
shikha372 Aug 26, 2024
5bd279b
updating readme and snapshot for EGW
shikha372 Aug 26, 2024
6023ecd
Implement addNatGateway command
Aug 27, 2024
85eafa2
Test cleanup
Aug 27, 2024
09d3ae0
resolving conflicts
shikha372 Aug 27, 2024
c5f2b96
add vpn gateway v2
shikha372 Aug 27, 2024
5a05757
feat(vpcv2): add igw implementation
shikha372 Aug 29, 2024
391ae8e
fix validation for natGW
shikha372 Aug 29, 2024
aba5e66
add VPN route propagation to L2
shikha372 Aug 29, 2024
aeba62b
remove associate routetable
shikha372 Aug 29, 2024
2f1e60c
adding unit tests for internet gateway
shikha372 Aug 30, 2024
e060278
adding unit tests for VPN gateway
shikha372 Aug 30, 2024
74adb43
fixing all integ snapshots
shikha372 Sep 3, 2024
d136789
Merge branch 'main' into vpcv2-rt-addGateway
shikha372 Sep 3, 2024
5d63c6c
Apply suggestions from code review
shikha372 Sep 5, 2024
669c735
Apply suggestions from code review
shikha372 Sep 5, 2024
a9096f5
fix readme
shikha372 Sep 5, 2024
5c7548c
fixing nits for defining default
shikha372 Sep 9, 2024
4b4fb6b
Apply suggestions from code review
shikha372 Sep 11, 2024
dcb11e6
fix nits
shikha372 Sep 11, 2024
f30e1da
Merge branch 'main' into vpcv2-rt-addGateway
mergify[bot] Sep 12, 2024
239 changes: 200 additions & 39 deletions packages/@aws-cdk/aws-ec2-alpha/README.md
Expand Up @@ -27,10 +27,10 @@ To create a VPC with both IPv4 and IPv6 support:
```ts

const stack = new Stack();
new vpc_v2.VpcV2(this, 'Vpc', {
primaryAddressBlock: vpc_v2.IpAddresses.ipv4('10.0.0.0/24'),
new VpcV2(this, 'Vpc', {
primaryAddressBlock: IpAddresses.ipv4('10.0.0.0/24'),
secondaryAddressBlocks: [
vpc_v2.IpAddresses.amazonProvidedIpv6({cidrBlockName: 'AmazonProvidedIpv6'}),
IpAddresses.amazonProvidedIpv6({cidrBlockName: 'AmazonProvidedIpv6'}),
],
});
```
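Review bot: Dropping the `vpc_v2.` prefix leaves `VpcV2` and `IpAddresses` as bare names with no import shown anywhere in this README hunk; unless the doc-example fixture supplies `import { VpcV2, IpAddresses } from '@aws-cdk/aws-ec2-alpha'`, add that line at the top of the snippet or state the assumed imports once above the first example, otherwise readers who copy it get unresolved identifiers. Also `const stack = new Stack();` is unused because the VPC is scoped to `this`; either scope the construct to `stack` or drop the line.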
Expand All @@ -47,18 +47,18 @@ This new construct can be used to add subnets to a `VpcV2` instance:
```ts

const stack = new Stack();
const myVpc = new vpc_v2.VpcV2(this, 'Vpc', {
const myVpc = new VpcV2(this, 'Vpc', {
secondaryAddressBlocks: [
vpc_v2.IpAddresses.amazonProvidedIpv6({ cidrBlockName: 'AmazonProvidedIp'}),
IpAddresses.amazonProvidedIpv6({ cidrBlockName: 'AmazonProvidedIp'}),
],
});

new vpc_v2.SubnetV2(this, 'subnetA', {
new SubnetV2(this, 'subnetA', {
vpc: myVpc,
availabilityZone: 'us-east-1a',
ipv4CidrBlock: new vpc_v2.IpCidr('10.0.0.0/24'),
ipv6CidrBlock: new vpc_v2.IpCidr('2a05:d02c:25:4000::/60'),
subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
ipv4CidrBlock: new IpCidr('10.0.0.0/24'),
ipv6CidrBlock: new IpCidr('2a05:d02c:25:4000::/60'),
subnetType: SubnetType.PRIVATE_ISOLATED,
})
```

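Review bot: The subnet hard-codes `ipv6CidrBlock: new IpCidr('2a05:d02c:25:4000::/60')` while the VPC's only IPv6 block is `IpAddresses.amazonProvidedIpv6(...)`, which AWS assigns at deploy time, so the literal cannot be a sub-range of the VPC's block and the example fails at deployment if copied as-is. Either derive the subnet's IPv6 CIDR from the VPC's allocated block or say in the surrounding text that the literal is a placeholder for a range inside your VPC's IPv6 allocation. Minor: the `})` closing the `new SubnetV2(...)` call lacks the trailing semicolon the other statements use.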
Expand All @@ -77,28 +77,28 @@ const ipam = new Ipam(this, 'Ipam', {
operatingRegion: ['us-west-1']
});
const ipamPublicPool = ipam.publicScope.addPool('PublicPoolA', {
addressFamily: vpc_v2.AddressFamily.IP_V6,
addressFamily: AddressFamily.IP_V6,
awsService: AwsServiceName.EC2,
locale: 'us-west-1',
publicIpSource: vpc_v2.IpamPoolPublicIpSource.AMAZON,
publicIpSource: IpamPoolPublicIpSource.AMAZON,
});
ipamPublicPool.provisionCidr('PublicPoolACidrA', { netmaskLength: 52 } );

const ipamPrivatePool = ipam.privateScope.addPool('PrivatePoolA', {
addressFamily: vpc_v2.AddressFamily.IP_V4,
addressFamily: AddressFamily.IP_V4,
});
ipamPrivatePool.provisionCidr('PrivatePoolACidrA', { netmaskLength: 8 } );

new vpc_v2.VpcV2(this, 'Vpc', {
primaryAddressBlock: vpc_v2.IpAddresses.ipv4('10.0.0.0/24'),
new VpcV2(this, 'Vpc', {
primaryAddressBlock: IpAddresses.ipv4('10.0.0.0/24'),
secondaryAddressBlocks: [
vpc_v2.IpAddresses.amazonProvidedIpv6({ cidrBlockName: 'AmazonIpv6' }),
vpc_v2.IpAddresses.ipv6Ipam({
IpAddresses.amazonProvidedIpv6({ cidrBlockName: 'AmazonIpv6' }),
IpAddresses.ipv6Ipam({
ipamPool: ipamPublicPool,
netmaskLength: 52,
cidrBlockName: 'ipv6Ipam',
}),
vpc_v2.IpAddresses.ipv4Ipam({
IpAddresses.ipv4Ipam({
ipamPool: ipamPrivatePool,
netmaskLength: 8,
cidrBlockName: 'ipv4Ipam',
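Review bot: `IpAddresses.ipv4Ipam({ ... netmaskLength: 8 })` requests a /8 as the VPC's secondary IPv4 block, but a VPC IPv4 CIDR must be between /16 and /28, so this example is rejected at deploy time; use a value such as `netmaskLength: 16` here (with a matching pool provision) so the README shows a configuration that actually deploys. Style nit: both `provisionCidr(..., { netmaskLength: 52 } );` calls carry a stray space before the closing parenthesis.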
Expand All @@ -116,64 +116,88 @@ Since `VpcV2` does not create subnets automatically, users have full control ove

```ts

const myVpc = new vpc_v2.VpcV2(this, 'Vpc');
const routeTable = new vpc_v2.RouteTable(this, 'RouteTable', {
const myVpc = new VpcV2(this, 'Vpc');
const routeTable = new RouteTable(this, 'RouteTable', {
vpc: myVpc,
});
const subnet = new vpc_v2.SubnetV2(this, 'Subnet', {
const subnet = new SubnetV2(this, 'Subnet', {
vpc: myVpc,
routeTable,
availabilityZone: 'eu-west-2a',
ipv4CidrBlock: new IpCidr('10.0.0.0/24'),
subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
subnetType: SubnetType.PRIVATE_ISOLATED,
});
```

`Route`s can be created to link subnets to various different AWS services via gateways and endpoints. Each unique route target has its own dedicated construct that can be routed to a given subnet via the `Route` construct. An example using the `InternetGateway` construct can be seen below:
`Routes` can be created to link subnets to various different AWS services via gateways and endpoints. Each unique route target has its own dedicated construct that can be routed to a given subnet via the `Route` construct. An example using the `InternetGateway` construct can be seen below:

```ts
const stack = new Stack();
const myVpc = new vpc_v2.VpcV2(this, 'Vpc');
const routeTable = new vpc_v2.RouteTable(this, 'RouteTable', {
const myVpc = new VpcV2(this, 'Vpc');
const routeTable = new RouteTable(this, 'RouteTable', {
vpc: myVpc,
});
const subnet = new vpc_v2.SubnetV2(this, 'Subnet', {
const subnet = new SubnetV2(this, 'Subnet', {
vpc: myVpc,
availabilityZone: 'eu-west-2a',
ipv4CidrBlock: new IpCidr('10.0.0.0/24'),
subnetType: ec2.SubnetType.PRIVATE_ISOLATED });
subnetType: SubnetType.PRIVATE_ISOLATED });

const igw = new vpc_v2.InternetGateway(this, 'IGW', {
const igw = new InternetGateway(this, 'IGW', {
vpc: myVpc,
});
new vpc_v2.Route(this, 'IgwRoute', {
new Route(this, 'IgwRoute', {
routeTable,
destination: '0.0.0.0/0',
target: { gateway: igw },
});
```

Alternatively, `Routes` can also be created via method `addRoute` in the `RouteTable` class. An example using the `EgressOnlyInternetGateway` construct can be seen below:
Note: `EgressOnlyInternetGateway` can only be used to set up outbound IPv6 routing.

```ts

const stack = new Stack();
const myVpc = new VpcV2(this, 'Vpc',{
primaryAddressBlock: IpAddresses.ipv4('10.1.0.0/16'),
secondaryAddressBlocks: [IpAddresses.amazonProvidedIpv6({
cidrBlockName: 'AmazonProvided',
})]
});

const eigw = new EgressOnlyInternetGateway(this, 'EIGW', {
vpc: myVpc,
});

const routeTable = new RouteTable(this, 'RouteTable', {
vpc: myVpc,
});

routeTable.addRoute('EIGW', '::/0', { gateway: eigw });
```

Other route targets may require a deeper set of parameters to set up properly. For instance, the example below illustrates how to set up a `NatGateway`:

```ts

const myVpc = new vpc_v2.VpcV2(this, 'Vpc');
const routeTable = new vpc_v2.RouteTable(this, 'RouteTable', {
const myVpc = new VpcV2(this, 'Vpc');
const routeTable = new RouteTable(this, 'RouteTable', {
vpc: myVpc,
});
const subnet = new vpc_v2.SubnetV2(this, 'Subnet', {
const subnet = new SubnetV2(this, 'Subnet', {
vpc: myVpc,
availabilityZone: 'eu-west-2a',
ipv4CidrBlock: new IpCidr('10.0.0.0/24'),
subnetType: ec2.SubnetType.PRIVATE_ISOLATED });
subnetType: SubnetType.PRIVATE_ISOLATED });

const natgw = new vpc_v2.NatGateway(this, 'NatGW', {
const natgw = new NatGateway(this, 'NatGW', {
subnet: subnet,
vpc: myVpc,
connectivityType: NatConnectivityType.PRIVATE,
privateIpAddress: '10.0.0.42',
});
new vpc_v2.Route(this, 'NatGwRoute', {
new Route(this, 'NatGwRoute', {
routeTable,
destination: '0.0.0.0/0',
target: { gateway: natgw },
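Review bot: The `InternetGateway` example attaches a `0.0.0.0/0` route to `igw` in the route table of a subnet declared `SubnetType.PRIVATE_ISOLATED`; a subnet whose table has a default route to an internet gateway is public by definition, and `subnetType` is the label the `addInternetGateway` / `addEgressOnlyInternetGateway` subnet filters key on, so readers copying this get an internet-reachable subnet tagged isolated. Use `SubnetType.PUBLIC` there, and likewise reconsider the `PRIVATE_ISOLATED` label on the subnet that receives a default route to `natgw`. In the `EgressOnlyInternetGateway` example the `routeTable` is never associated with any subnet, so the `::/0` route affects nothing as shown; pass it to a `SubnetV2` via `routeTable` as the earlier examples do. Wording: changing `` `Route`s `` to `` `Routes` `` puts a non-existent identifier in code font; the original form was correct.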
Expand All @@ -184,24 +208,161 @@ It is also possible to set up endpoints connecting other AWS services. For insta

```ts

const myVpc = new vpc_v2.VpcV2(this, 'Vpc');
const routeTable = new vpc_v2.RouteTable(this, 'RouteTable', {
const stack = new Stack();
const myVpc = new VpcV2(this, 'Vpc');
const routeTable = new RouteTable(this, 'RouteTable', {
vpc: myVpc,
});
const subnet = new vpc_v2.SubnetV2(this, 'Subnet', {
const subnet = new SubnetV2(this, 'Subnet', {
vpc: myVpc,
availabilityZone: 'eu-west-2a',
ipv4CidrBlock: new IpCidr('10.0.0.0/24'),
subnetType: ec2.SubnetType.PRIVATE });
subnetType: SubnetType.PRIVATE });

const dynamoEndpoint = new ec2.GatewayVpcEndpoint(this, 'DynamoEndpoint', {
service: ec2.GatewayVpcEndpointAwsService.DYNAMODB,
vpc: myVpc,
subnets: [subnet],
});
new vpc_v2.Route(this, 'DynamoDBRoute', {
new Route(this, 'DynamoDBRoute', {
routeTable,
destination: '0.0.0.0/0',
target: { endpoint: dynamoEndpoint },
});
```

## Adding Egress-Only Internet Gateway to VPC

An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.

For more information see [Enable outbound IPv6 traffic using an egress-only internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html).

VpcV2 supports adding an egress only internet gateway to VPC using the `addEgressOnlyInternetGateway` method.

By default, this method sets up a route to all outbound IPv6 address ranges, unless a specific destination is provided by the user. It can only be configured for IPv6-enabled VPCs.
The `Subnets` parameter accepts a `SubnetFilter`, which can be based on a `SubnetType` in VpcV2. A new route will be added to the route tables of all subnets that match this filter.

```ts

const stack = new Stack();
const myVpc = new VpcV2(this, 'Vpc',{
primaryAddressBlock: IpAddresses.ipv4('10.1.0.0/16'),
secondaryAddressBlocks: [IpAddresses.amazonProvidedIpv6({
cidrBlockName: 'AmazonProvided',
})]
});
const routeTable = new RouteTable(this, 'RouteTable', {
vpc: myVpc,
});
const subnet = new SubnetV2(this, 'Subnet', {
vpc: myVpc,
availabilityZone: 'eu-west-2a',
ipv4CidrBlock: new IpCidr('10.0.0.0/24'),
ipv6CidrBlock: new IpCidr('2001:db8:1::/64'),
subnetType: SubnetType.PRIVATE });

myVpc.addEgressOnlyInternetGateway({
subnets: [{subnetType: SubnetType.PRIVATE}],
destination: '::/60',
})
```

## Adding NATGateway to the VPC

A NAT gateway is a Network Address Translation (NAT) service.You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

For more information, see [NAT gateway basics](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html).

When you create a NAT gateway, you specify one of the following connectivity types:

**Public – (Default)**: Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet

**Private**: Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway.

To define the NAT gateway connectivity type as `ConnectivityType.Public`, you need to ensure that there is an IGW(Internet Gateway) attached to the subnet's VPC.
Since a NATGW is associated with a particular subnet, providing `subnet` field in the input props is mandatory.

Additionally, you can set up a route in any route table with the target set to the NAT Gateway. The function `addNatGateway` returns a `NATGateway` object that you can reference later.

The code example below provides the definition for adding a NAT gateway to your subnet:

```ts

const stack = new Stack();
const myVpc = new VpcV2(this, 'Vpc');
const routeTable = new RouteTable(this, 'RouteTable', {
vpc: myVpc,
});
const subnet = new SubnetV2(this, 'Subnet', {
vpc: myVpc,
availabilityZone: 'eu-west-2a',
ipv4CidrBlock: new IpCidr('10.0.0.0/24'),
subnetType: SubnetType.PUBLIC });

myVpc.addInternetGateway();
myVpc.addNatGateway({
subnet: subnet,
connectivityType: NatConnectivityType.PUBLIC,
});
```

## Enable VPNGateway for the VPC

A virtual private gateway is the endpoint on the VPC side of your VPN connection.

For more information, see [What is AWS Site-to-Site VPN?](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html).

VPN route propagation is a feature in Amazon Web Services (AWS) that automatically updates route tables in your Virtual Private Cloud (VPC) with routes learned from a VPN connection.

To enable VPN route propogation, use the `vpnRoutePropagation` property to specify the subnets as an input to the function. VPN route propagation will then be enabled for each subnet with the corresponding route table IDs.

Additionally, you can set up a route in any route table with the target set to the VPN Gateway. The function `enableVpnGatewayV2` returns a `VPNGatewayV2` object that you can reference later.

The code example below provides the definition for setting up a VPN gateway with `vpnRoutePropogation` enabled:

```ts

const stack = new Stack();
const myVpc = new VpcV2(this, 'Vpc');
const vpnGateway = myVpc.enableVpnGatewayV2({
vpnRoutePropagation: [{ subnetType: SubnetType.PUBLIC }],
type: VpnConnectionType.IPSEC_1,
});

const routeTable = new RouteTable(stack, 'routeTable', {
vpc: myVpc
} );

new Route(stack, 'route', {
destination: '172.31.0.0/24',
target: { gateway: vpnGateway },
routeTable: routeTable,
});
```

## Adding InternetGateway to the VPC

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It supports both IPv4 and IPv6 traffic.

For more information, see [Enable VPC internet access using internet gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-igw-internet-access.html).

You can add an internet gateway to a VPC using `addInternetGateway` method. By default, this method creates a route in all Public Subnets with outbound destination set to `0.0.0.0` for IPv4 and `::0` for IPv6 enabled VPC.
Instead of using the default settings, you can configure a custom destinatation range by providing an optional input `destination` to the method.

The code example below shows how to add an internet gateway with a custom outbound destination IP range:

```ts

const stack = new Stack();
const myVpc = new VpcV2(this, 'Vpc');

const subnet = new SubnetV2(this, 'Subnet', {
vpc: myVpc,
availabilityZone: 'eu-west-2a',
ipv4CidrBlock: new IpCidr('10.0.0.0/24'),
subnetType: SubnetType.PUBLIC });

myVpc.addInternetGateway({
ipv4Destination: '192.168.0.0/16',
});
```
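Review bot: In the `addEgressOnlyInternetGateway` example, `destination: '::/60'` reads as a typo for `'::/0'`: `::/60` is a tiny block at the start of the address space containing only the unspecified and loopback addresses, so the route would match no real destination and contradicts the sentence above saying the default is all outbound IPv6 ranges; if the intent is to show a custom destination, use a realistic one such as the documentation prefix `2001:db8::/32`. Related doc errors in the same hunk: the `addInternetGateway` text says the default destinations are `0.0.0.0` and `::0`, but routes need prefixes, `0.0.0.0/0` and `::/0` (the examples already use CIDR notation); `ConnectivityType.Public` in the NAT section should be `NatConnectivityType.PUBLIC` to match the code; `propogation` and `destinatation` are misspelled. Finally, the DynamoDB example creates a `Route` with `destination: '0.0.0.0/0'` and `target: { endpoint: dynamoEndpoint }`: `AWS::EC2::Route` accepts `VpcEndpointId` only for Gateway Load Balancer endpoints, and a gateway endpoint (S3/DynamoDB) gets its prefix-list routes through its own route-table association, so unless `Route` treats gateway-endpoint targets specially, this snippet fails at deploy time and should either use a GWLB endpoint or drop the explicit `Route`.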
3 changes: 2 additions & 1 deletion packages/@aws-cdk/aws-ec2-alpha/awslint.json
Expand Up @@ -2,6 +2,7 @@
"exclude": [
"from-method:@aws-cdk/aws-ec2-alpha.VpcV2",
"attribute-tag:@aws-cdk/aws-ec2-alpha.RouteTable.routeTableId",
"from-method:@aws-cdk/aws-ec2-alpha.SubnetV2"
"from-method:@aws-cdk/aws-ec2-alpha.SubnetV2",
"from-method:@aws-cdk/aws-ec2-alpha.Route"
Comment on lines +5 to +6

Contributor:

For my knowledge, what do these two lines do?

Contributor Author:

This is enforced from awslint to have the import methods in classes extending Resource; since we haven't introduced it yet, these are part of the exceptions.

]
}
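Review bot: Each `from-method` entry here silences the awslint rule that requires a static import method on classes extending `Resource`, as the author's reply states, and this change grows the list to three such classes (`VpcV2`, `SubnetV2`, `Route`); add a comment or tracking-issue reference next to these entries so the exclusions are removed once the import methods land, rather than becoming permanent. Style: the entries are not sorted, so future additions will keep appending; consider keeping the `from-method` entries grouped together.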