def __init__(self, scope: core.Construct, id: str, props, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# Subnet configurations for a public and private tier
subnet1 = SubnetConfiguration(
name="Public",
subnet_type=SubnetType.PUBLIC,
cidr_mask=24)
subnet2 = SubnetConfiguration(
name="Private",
subnet_type=SubnetType.PRIVATE,
cidr_mask=24)
vpc = Vpc(self,
"TheVPC",
cidr="10.0.0.0/16",
enable_dns_hostnames=True,
enable_dns_support=True,
max_azs=2,
nat_gateway_provider=NatProvider.gateway(),
nat_gateways=1,
subnet_configuration=[subnet1, subnet2]
)
# This will export the VPC's ID in CloudFormation under the key
# 'vpcid'
core.CfnOutput(self, "vpcid", value=vpc.vpc_id)
# Prepares output attributes to be passed into other stacks
# In this case, it is our VPC and subnets.
self.output_props = props.copy()
self.output_props['vpc'] = vpc
self.output_props['subnets'] = vpc.public_subnets
def __init__(self, scope: core.Construct, id_: str,
num_of_azs: int) -> None:
super().__init__(scope, id_)
self.audit_vpc = Vpc(
self,
id_,
max_azs=num_of_azs,
subnet_configuration=[
#Currently IOT, AppConfig & Cloudmap are not accessable via VPC endpoint, so we use NAT GW access them
SubnetConfiguration(name=PRIVATE_SUBNET_GROUP,
subnet_type=SubnetType.PRIVATE,
cidr_mask=24),
SubnetConfiguration(name=PUBLIC_NAT_GWS_SUBNET_GROUP,
subnet_type=SubnetType.PUBLIC,
cidr_mask=24)
],
gateway_endpoints={
'S3':
GatewayVpcEndpointOptions(
service=GatewayVpcEndpointAwsService.S3,
subnets=[
SubnetSelection(subnet_group_name=PRIVATE_SUBNET_GROUP)
]),
'DynamoDb':
GatewayVpcEndpointOptions(
service=GatewayVpcEndpointAwsService.DYNAMODB,
subnets=[
SubnetSelection(subnet_group_name=PRIVATE_SUBNET_GROUP)
]),
},
enable_dns_support=True, # For the ElasticSearch Public Domain
enable_dns_hostnames=True)
self.audit_vpc.add_interface_endpoint(
'SsmVpcEndpoint',
service=InterfaceVpcEndpointAwsService.SSM,
subnets=SubnetSelection(one_per_az=True))
self.audit_vpc.add_interface_endpoint(
'SqsVpcEndpoint',
service=InterfaceVpcEndpointAwsService.SQS,
subnets=SubnetSelection(one_per_az=True))
self.audit_vpc.add_interface_endpoint(
'Ec2VpcEndpoint',
service=InterfaceVpcEndpointAwsService.EC2,
subnets=SubnetSelection(one_per_az=True))
self.audit_vpc.add_interface_endpoint(
'LambdaVpcEndpoint',
service=InterfaceVpcEndpointAwsService.LAMBDA_,
subnets=SubnetSelection(one_per_az=True))
self.lambdas_sg = SecurityGroup(self,
id='LambdaSg',
vpc=self.audit_vpc,
security_group_name='Audit-Lambda')
def __init__(self, scope: cdk.Construct, construct_id: str, config,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
self.vpc = Vpc(self,
"ec2-vpc-altimeter",
max_azs=1,
subnet_configuration=[
SubnetConfiguration(name="Public",
subnet_type=SubnetType.PUBLIC),
SubnetConfiguration(name="Private",
subnet_type=SubnetType.PRIVATE)
])
cdk.Tags.of(self.vpc).add("Name", "vpc-audit--altimeter")
def __init__(self, scope: Construct, stack_id: str, **kwargs) -> None:
"""
Initializes a new instance of NetworkTier
"""
super().__init__(scope, stack_id, **kwargs)
# We're creating a SubnetSelection with only the standard availability zones to be used to put
# the NAT gateway in and the VPC interface endpoints, because the local zones do no have
# these available.
standard_zone_subnets = SubnetSelection(
availability_zones=config.availability_zones_standard,
subnet_type=SubnetType.PUBLIC)
# The VPC that all components of the render farm will be created in. We are using the `availability_zones()`
# method to override the availability zones that this VPC will use.
self.vpc = Vpc(self,
'Vpc',
max_azs=len(self.availability_zones),
subnet_configuration=[
SubnetConfiguration(name='Public',
subnet_type=SubnetType.PUBLIC,
cidr_mask=28),
SubnetConfiguration(
name='Private',
subnet_type=SubnetType.PRIVATE_WITH_NAT,
cidr_mask=18)
],
nat_gateway_subnets=standard_zone_subnets)
# Add interface endpoints
for idx, service_info in enumerate(_INTERFACE_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_interface_endpoint(service_name,
service=service,
subnets=standard_zone_subnets)
# Add gateway endpoints
for idx, service_info in enumerate(_GATEWAY_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_gateway_endpoint(service_name,
service=service,
subnets=[standard_zone_subnets])
# Internal DNS zone for the VPC.
self.dns_zone = PrivateHostedZone(self,
'DnsZone',
vpc=self.vpc,
zone_name='deadline-test.internal')
def execute() -> list:
subnet_configurations = [
SubnetConfiguration(
cidr_mask=20,
name="Public",
subnet_type=SubnetType.PUBLIC
),
SubnetConfiguration(
cidr_mask=20,
name="Private",
subnet_type=SubnetType.PRIVATE
)
]
return subnet_configurations
def __init__(self, scope: cdk.Stack, construct_id: str, vpc_cidr: str,
jump_host: str, mgmt_ports: list, subnet_len: int,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
# args:
# - vpc_cidr (str): The CIDR range for the VPC.
# - jump_host (str): An optional IP address for the jump host. If this
# is not specified, te Security Group will not be
# created.
# - mgmt_ports (list): A list of TCP ports which the jump host is
# allowed to connect to.
# - subnet_len (int): The prefix length for subnet CIDR addresses.
# Create the VPC resource. The VPC does not have an internet gateway,
# or NAT gateway. Subnets are created in 2 zones.
subnets = [
SubnetConfiguration(name="MyVPC-Private",
subnet_type=SubnetType.ISOLATED,
cidr_mask=subnet_len)
]
self._vpc = Vpc(self,
"MyVPC",
cidr=vpc_cidr,
max_azs=2,
nat_gateways=None,
subnet_configuration=subnets)
# Security Group only created if the jump host parameter was
# specified.
if jump_host is not None and len(jump_host) > 0:
self.create_sg(jump_host, mgmt_ports)
def _get_subnet_configuration(self, scope) -> List[SubnetConfiguration]:
"""
Get VPC subnets based on desired configuration.
:param scope:
:return:
"""
subnet_configuration = []
"""
To generate a Private-only configuration we need one of [
NatGatewayId,
NetworkInterfaceId,
GatewayId,
EgressOnlyInternetGatewayId,
VpcPeeringConnectionId,
TransitGatewayId,
InstanceId
] to specify the default route.
For now we stick to use the default (NatGateway in the public subnets)
"""
if True:
subnet_configuration.append(
SubnetConfiguration(subnet_type=SubnetType.PUBLIC,
cidr_mask=scope.environment_config.get(
'vpc', {}).get('subnetsCIDRSuffixes',
{}).get('public'),
name='Public'))
if True:
subnet_configuration.append(
SubnetConfiguration(
subnet_type=SubnetType.PRIVATE,
cidr_mask=scope.environment_config.get('vpc', {}).get(
'subnetsCIDRSuffixes', {}).get('private'),
name='Private',
))
if True:
subnet_configuration.append(
SubnetConfiguration(subnet_type=SubnetType.ISOLATED,
cidr_mask=scope.environment_config.get(
'vpc', {}).get('subnetsCIDRSuffixes',
{}).get('isolated'),
name='Isolated'))
return subnet_configuration
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
custom_vpc = Vpc(
self,
"Vpc",
max_azs=3,
cidr="10.0.0.0/16",
subnet_configuration=[
SubnetConfiguration(cidr_mask=24,
name="ingress",
subnet_type=SubnetType.PUBLIC),
SubnetConfiguration(cidr_mask=24,
name="app",
subnet_type=SubnetType.ISOLATED),
])
core.Tag.add(custom_vpc, "Author", "Tinette")
core.CfnOutput(self,
"Vpc",
value=custom_vpc.vpc_id,
export_name="custom_vpc_id")
def __init__(self, scope: Construct, stack_id: str, **kwargs) -> None:
"""
Initializes a new instance of NetworkTier
:param scope: The scope of this construct.
:param stack_id: The ID of this construct.
:param kwargs: The stack properties.
"""
super().__init__(scope, stack_id, **kwargs)
# The VPC that all components of the render farm will be created in.
self.vpc = Vpc(
self,
'Vpc',
max_azs=2,
subnet_configuration=[
SubnetConfiguration(
name='Public',
subnet_type=SubnetType.PUBLIC,
cidr_mask=28
),
SubnetConfiguration(
name='Private',
subnet_type=SubnetType.PRIVATE,
cidr_mask=18 # 16,382 IP addresses
)
]
)
# VPC flow logs are a security best-practice as they allow us
# to capture information about the traffic going in and out of
# the VPC. For more information, see the README for this app.
self.vpc.add_flow_log(
'NetworkTierFlowLogs',
destination=FlowLogDestination.to_cloud_watch_logs(),
traffic_type=FlowLogTrafficType.ALL
)
# TODO - Create a NetworkAcl for your VPC that only allows
# network traffic required for your render farm. This is a
# security best-practice to ensure the safety of your farm.
# The default network ACLs allow all traffic by default,
# whereas custom network ACLs deny all traffic by default.
# For more information, see the README for this app.
#
# Example code to create a custom network ACL:
# acl = NetworkAcl(
# self,
# 'ACL',
# vpc=self.vpc,
# subnet_selection=SubnetSelection(
# subnets=self.vpc.public_subnets
# )
# )
#
# You can optionally add rules to allow traffic (e.g. SSH):
# acl.add_entry(
# 'SSH',
# cidr=AclCidr.ipv4(
# # some-ipv4-address-cidr
# ),
# traffic=AclTraffic.tcp_port(22),
# rule_number=1
# )
endpoint_subnets = SubnetSelection(subnet_type=SubnetType.PRIVATE)
# Add interface endpoints
for idx, service_info in enumerate(_INTERFACE_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_interface_endpoint(
f'{service_name}{idx}',
service=service,
subnets=endpoint_subnets
)
# Add gateway endpoints
for idx, service_info in enumerate(_GATEWAY_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_gateway_endpoint(
service_name,
service=service,
subnets=[endpoint_subnets]
)
# Internal DNS zone for the VPC.
self.dns_zone = PrivateHostedZone(
self,
'DnsZone',
vpc=self.vpc,
zone_name='deadline-test.internal'
)
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
from aws_cdk.aws_ec2 import SubnetConfiguration, SubnetType
# Subnets for undistinguished render farm back-end infrastructure
INFRASTRUCTURE = SubnetConfiguration(
name='Infrastructure',
subnet_type=SubnetType.PRIVATE_WITH_NAT,
# 1,022 IP addresses
cidr_mask=22)
# Subnets for publicly accessible infrastructure
PUBLIC = SubnetConfiguration(
name='Public',
subnet_type=SubnetType.PUBLIC,
# 14 IP addresses. We only require one ENI per internet gateway per AZ, but leave some extra room
# should there be a need for externally accessible ENIs
cidr_mask=28)
# Subnets for the Render Queue Application Load Balancer (ALB).
#
# It is considered good practice to put a load blanacer in dedicated subnets. Additionally, the subnets
# must have a CIDR block with a bitmask of at least /27 and at least 8 free IP addresses per subnet.
# ALBs can scale up to a maximum of 100 IP addresses distributed across all subnets. Assuming only 2 AZs
# (the minimum) we should have 50 IPs per subnet = CIDR mask of /26
#
# See:
# - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#subnets-load-balancer
# - https://github.com/aws/aws-rfdk/blob/release/packages/aws-rfdk/lib/deadline/README.md#render-queue-subnet-placement
RENDER_QUEUE_ALB = SubnetConfiguration(