def __init__(self, scope: core.Construct, id: str, props, **kwargs) -> None: super().__init__(scope, id, **kwargs) # Subnet configurations for a public and private tier subnet1 = SubnetConfiguration( name="Public", subnet_type=SubnetType.PUBLIC, cidr_mask=24) subnet2 = SubnetConfiguration( name="Private", subnet_type=SubnetType.PRIVATE, cidr_mask=24) vpc = Vpc(self, "TheVPC", cidr="10.0.0.0/16", enable_dns_hostnames=True, enable_dns_support=True, max_azs=2, nat_gateway_provider=NatProvider.gateway(), nat_gateways=1, subnet_configuration=[subnet1, subnet2] ) # This will export the VPC's ID in CloudFormation under the key # 'vpcid' core.CfnOutput(self, "vpcid", value=vpc.vpc_id) # Prepares output attributes to be passed into other stacks # In this case, it is our VPC and subnets. self.output_props = props.copy() self.output_props['vpc'] = vpc self.output_props['subnets'] = vpc.public_subnets
def __init__(self, scope: core.Construct, id_: str, num_of_azs: int) -> None: super().__init__(scope, id_) self.audit_vpc = Vpc( self, id_, max_azs=num_of_azs, subnet_configuration=[ #Currently IOT, AppConfig & Cloudmap are not accessable via VPC endpoint, so we use NAT GW access them SubnetConfiguration(name=PRIVATE_SUBNET_GROUP, subnet_type=SubnetType.PRIVATE, cidr_mask=24), SubnetConfiguration(name=PUBLIC_NAT_GWS_SUBNET_GROUP, subnet_type=SubnetType.PUBLIC, cidr_mask=24) ], gateway_endpoints={ 'S3': GatewayVpcEndpointOptions( service=GatewayVpcEndpointAwsService.S3, subnets=[ SubnetSelection(subnet_group_name=PRIVATE_SUBNET_GROUP) ]), 'DynamoDb': GatewayVpcEndpointOptions( service=GatewayVpcEndpointAwsService.DYNAMODB, subnets=[ SubnetSelection(subnet_group_name=PRIVATE_SUBNET_GROUP) ]), }, enable_dns_support=True, # For the ElasticSearch Public Domain enable_dns_hostnames=True) self.audit_vpc.add_interface_endpoint( 'SsmVpcEndpoint', service=InterfaceVpcEndpointAwsService.SSM, subnets=SubnetSelection(one_per_az=True)) self.audit_vpc.add_interface_endpoint( 'SqsVpcEndpoint', service=InterfaceVpcEndpointAwsService.SQS, subnets=SubnetSelection(one_per_az=True)) self.audit_vpc.add_interface_endpoint( 'Ec2VpcEndpoint', service=InterfaceVpcEndpointAwsService.EC2, subnets=SubnetSelection(one_per_az=True)) self.audit_vpc.add_interface_endpoint( 'LambdaVpcEndpoint', service=InterfaceVpcEndpointAwsService.LAMBDA_, subnets=SubnetSelection(one_per_az=True)) self.lambdas_sg = SecurityGroup(self, id='LambdaSg', vpc=self.audit_vpc, security_group_name='Audit-Lambda')
def __init__(self, scope: cdk.Construct, construct_id: str, config, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) self.vpc = Vpc(self, "ec2-vpc-altimeter", max_azs=1, subnet_configuration=[ SubnetConfiguration(name="Public", subnet_type=SubnetType.PUBLIC), SubnetConfiguration(name="Private", subnet_type=SubnetType.PRIVATE) ]) cdk.Tags.of(self.vpc).add("Name", "vpc-audit--altimeter")
def __init__(self, scope: Construct, stack_id: str, **kwargs) -> None: """ Initializes a new instance of NetworkTier """ super().__init__(scope, stack_id, **kwargs) # We're creating a SubnetSelection with only the standard availability zones to be used to put # the NAT gateway in and the VPC interface endpoints, because the local zones do no have # these available. standard_zone_subnets = SubnetSelection( availability_zones=config.availability_zones_standard, subnet_type=SubnetType.PUBLIC) # The VPC that all components of the render farm will be created in. We are using the `availability_zones()` # method to override the availability zones that this VPC will use. self.vpc = Vpc(self, 'Vpc', max_azs=len(self.availability_zones), subnet_configuration=[ SubnetConfiguration(name='Public', subnet_type=SubnetType.PUBLIC, cidr_mask=28), SubnetConfiguration( name='Private', subnet_type=SubnetType.PRIVATE_WITH_NAT, cidr_mask=18) ], nat_gateway_subnets=standard_zone_subnets) # Add interface endpoints for idx, service_info in enumerate(_INTERFACE_ENDPOINT_SERVICES): service_name = service_info['name'] service = service_info['service'] self.vpc.add_interface_endpoint(service_name, service=service, subnets=standard_zone_subnets) # Add gateway endpoints for idx, service_info in enumerate(_GATEWAY_ENDPOINT_SERVICES): service_name = service_info['name'] service = service_info['service'] self.vpc.add_gateway_endpoint(service_name, service=service, subnets=[standard_zone_subnets]) # Internal DNS zone for the VPC. self.dns_zone = PrivateHostedZone(self, 'DnsZone', vpc=self.vpc, zone_name='deadline-test.internal')
def execute() -> list: subnet_configurations = [ SubnetConfiguration( cidr_mask=20, name="Public", subnet_type=SubnetType.PUBLIC ), SubnetConfiguration( cidr_mask=20, name="Private", subnet_type=SubnetType.PRIVATE ) ] return subnet_configurations
def __init__(self, scope: cdk.Stack, construct_id: str, vpc_cidr: str, jump_host: str, mgmt_ports: list, subnet_len: int, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # args: # - vpc_cidr (str): The CIDR range for the VPC. # - jump_host (str): An optional IP address for the jump host. If this # is not specified, te Security Group will not be # created. # - mgmt_ports (list): A list of TCP ports which the jump host is # allowed to connect to. # - subnet_len (int): The prefix length for subnet CIDR addresses. # Create the VPC resource. The VPC does not have an internet gateway, # or NAT gateway. Subnets are created in 2 zones. subnets = [ SubnetConfiguration(name="MyVPC-Private", subnet_type=SubnetType.ISOLATED, cidr_mask=subnet_len) ] self._vpc = Vpc(self, "MyVPC", cidr=vpc_cidr, max_azs=2, nat_gateways=None, subnet_configuration=subnets) # Security Group only created if the jump host parameter was # specified. if jump_host is not None and len(jump_host) > 0: self.create_sg(jump_host, mgmt_ports)
def _get_subnet_configuration(self, scope) -> List[SubnetConfiguration]: """ Get VPC subnets based on desired configuration. :param scope: :return: """ subnet_configuration = [] """ To generate a Private-only configuration we need one of [ NatGatewayId, NetworkInterfaceId, GatewayId, EgressOnlyInternetGatewayId, VpcPeeringConnectionId, TransitGatewayId, InstanceId ] to specify the default route. For now we stick to use the default (NatGateway in the public subnets) """ if True: subnet_configuration.append( SubnetConfiguration(subnet_type=SubnetType.PUBLIC, cidr_mask=scope.environment_config.get( 'vpc', {}).get('subnetsCIDRSuffixes', {}).get('public'), name='Public')) if True: subnet_configuration.append( SubnetConfiguration( subnet_type=SubnetType.PRIVATE, cidr_mask=scope.environment_config.get('vpc', {}).get( 'subnetsCIDRSuffixes', {}).get('private'), name='Private', )) if True: subnet_configuration.append( SubnetConfiguration(subnet_type=SubnetType.ISOLATED, cidr_mask=scope.environment_config.get( 'vpc', {}).get('subnetsCIDRSuffixes', {}).get('isolated'), name='Isolated')) return subnet_configuration
def __init__(self, scope: core.Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) custom_vpc = Vpc( self, "Vpc", max_azs=3, cidr="10.0.0.0/16", subnet_configuration=[ SubnetConfiguration(cidr_mask=24, name="ingress", subnet_type=SubnetType.PUBLIC), SubnetConfiguration(cidr_mask=24, name="app", subnet_type=SubnetType.ISOLATED), ]) core.Tag.add(custom_vpc, "Author", "Tinette") core.CfnOutput(self, "Vpc", value=custom_vpc.vpc_id, export_name="custom_vpc_id")
def __init__(self, scope: Construct, stack_id: str, **kwargs) -> None: """ Initializes a new instance of NetworkTier :param scope: The scope of this construct. :param stack_id: The ID of this construct. :param kwargs: The stack properties. """ super().__init__(scope, stack_id, **kwargs) # The VPC that all components of the render farm will be created in. self.vpc = Vpc( self, 'Vpc', max_azs=2, subnet_configuration=[ SubnetConfiguration( name='Public', subnet_type=SubnetType.PUBLIC, cidr_mask=28 ), SubnetConfiguration( name='Private', subnet_type=SubnetType.PRIVATE, cidr_mask=18 # 16,382 IP addresses ) ] ) # VPC flow logs are a security best-practice as they allow us # to capture information about the traffic going in and out of # the VPC. For more information, see the README for this app. self.vpc.add_flow_log( 'NetworkTierFlowLogs', destination=FlowLogDestination.to_cloud_watch_logs(), traffic_type=FlowLogTrafficType.ALL ) # TODO - Create a NetworkAcl for your VPC that only allows # network traffic required for your render farm. This is a # security best-practice to ensure the safety of your farm. # The default network ACLs allow all traffic by default, # whereas custom network ACLs deny all traffic by default. # For more information, see the README for this app. # # Example code to create a custom network ACL: # acl = NetworkAcl( # self, # 'ACL', # vpc=self.vpc, # subnet_selection=SubnetSelection( # subnets=self.vpc.public_subnets # ) # ) # # You can optionally add rules to allow traffic (e.g. SSH): # acl.add_entry( # 'SSH', # cidr=AclCidr.ipv4( # # some-ipv4-address-cidr # ), # traffic=AclTraffic.tcp_port(22), # rule_number=1 # ) endpoint_subnets = SubnetSelection(subnet_type=SubnetType.PRIVATE) # Add interface endpoints for idx, service_info in enumerate(_INTERFACE_ENDPOINT_SERVICES): service_name = service_info['name'] service = service_info['service'] self.vpc.add_interface_endpoint( f'{service_name}{idx}', service=service, subnets=endpoint_subnets ) # Add gateway endpoints for idx, service_info in enumerate(_GATEWAY_ENDPOINT_SERVICES): service_name = service_info['name'] service = service_info['service'] self.vpc.add_gateway_endpoint( service_name, service=service, subnets=[endpoint_subnets] ) # Internal DNS zone for the VPC. self.dns_zone = PrivateHostedZone( self, 'DnsZone', vpc=self.vpc, zone_name='deadline-test.internal' )
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 from aws_cdk.aws_ec2 import SubnetConfiguration, SubnetType # Subnets for undistinguished render farm back-end infrastructure INFRASTRUCTURE = SubnetConfiguration( name='Infrastructure', subnet_type=SubnetType.PRIVATE_WITH_NAT, # 1,022 IP addresses cidr_mask=22) # Subnets for publicly accessible infrastructure PUBLIC = SubnetConfiguration( name='Public', subnet_type=SubnetType.PUBLIC, # 14 IP addresses. We only require one ENI per internet gateway per AZ, but leave some extra room # should there be a need for externally accessible ENIs cidr_mask=28) # Subnets for the Render Queue Application Load Balancer (ALB). # # It is considered good practice to put a load blanacer in dedicated subnets. Additionally, the subnets # must have a CIDR block with a bitmask of at least /27 and at least 8 free IP addresses per subnet. # ALBs can scale up to a maximum of 100 IP addresses distributed across all subnets. Assuming only 2 AZs # (the minimum) we should have 50 IPs per subnet = CIDR mask of /26 # # See: # - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#subnets-load-balancer # - https://github.com/aws/aws-rfdk/blob/release/packages/aws-rfdk/lib/deadline/README.md#render-queue-subnet-placement RENDER_QUEUE_ALB = SubnetConfiguration(