class NetworkTier(Stack):
"""
The network tier consists of all constructs that are required for the foundational
networking between the various components of the Deadline render farm.
"""
@builtins.property # type: ignore
@jsii.member(jsii_name="availabilityZones")
def availability_zones(self) -> typing.List[builtins.str]:
"""
This overrides the availability zones the Stack will use. The zones that we set here are what
our VPC will use, so adding local zones to this return value will enable us to then deploy
infrastructure to them.
"""
return config.availability_zones_standard + config.availability_zones_local
def __init__(self, scope: Construct, stack_id: str, **kwargs) -> None:
"""
Initializes a new instance of NetworkTier
"""
super().__init__(scope, stack_id, **kwargs)
# We're creating a SubnetSelection with only the standard availability zones to be used to put
# the NAT gateway in and the VPC interface endpoints, because the local zones do no have
# these available.
standard_zone_subnets = SubnetSelection(
availability_zones=config.availability_zones_standard,
subnet_type=SubnetType.PUBLIC)
# The VPC that all components of the render farm will be created in. We are using the `availability_zones()`
# method to override the availability zones that this VPC will use.
self.vpc = Vpc(self,
'Vpc',
max_azs=len(self.availability_zones),
subnet_configuration=[
SubnetConfiguration(name='Public',
subnet_type=SubnetType.PUBLIC,
cidr_mask=28),
SubnetConfiguration(name='Private',
subnet_type=SubnetType.PRIVATE,
cidr_mask=18)
],
nat_gateway_subnets=standard_zone_subnets)
# Add interface endpoints
for idx, service_info in enumerate(_INTERFACE_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_interface_endpoint(service_name,
service=service,
subnets=standard_zone_subnets)
# Add gateway endpoints
for idx, service_info in enumerate(_GATEWAY_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_gateway_endpoint(service_name,
service=service,
subnets=[standard_zone_subnets])
# Internal DNS zone for the VPC.
self.dns_zone = PrivateHostedZone(self,
'DnsZone',
vpc=self.vpc,
zone_name='deadline-test.internal')
class NetworkTier(Stack):
"""
The network tier consists of all constructs that are required for the foundational
networking between the various components of the Deadline render farm.
"""
def __init__(self, scope: Construct, stack_id: str, **kwargs) -> None:
"""
Initializes a new instance of NetworkTier
:param scope: The scope of this construct.
:param stack_id: The ID of this construct.
:param kwargs: The stack properties.
"""
super().__init__(scope, stack_id, **kwargs)
# The VPC that all components of the render farm will be created in.
self.vpc = Vpc(
self,
'Vpc',
max_azs=2,
subnet_configuration=[
SubnetConfiguration(
name='Public',
subnet_type=SubnetType.PUBLIC,
cidr_mask=28
),
SubnetConfiguration(
name='Private',
subnet_type=SubnetType.PRIVATE,
cidr_mask=18 # 16,382 IP addresses
)
]
)
# VPC flow logs are a security best-practice as they allow us
# to capture information about the traffic going in and out of
# the VPC. For more information, see the README for this app.
self.vpc.add_flow_log(
'NetworkTierFlowLogs',
destination=FlowLogDestination.to_cloud_watch_logs(),
traffic_type=FlowLogTrafficType.ALL
)
# TODO - Create a NetworkAcl for your VPC that only allows
# network traffic required for your render farm. This is a
# security best-practice to ensure the safety of your farm.
# The default network ACLs allow all traffic by default,
# whereas custom network ACLs deny all traffic by default.
# For more information, see the README for this app.
#
# Example code to create a custom network ACL:
# acl = NetworkAcl(
# self,
# 'ACL',
# vpc=self.vpc,
# subnet_selection=SubnetSelection(
# subnets=self.vpc.public_subnets
# )
# )
#
# You can optionally add rules to allow traffic (e.g. SSH):
# acl.add_entry(
# 'SSH',
# cidr=AclCidr.ipv4(
# # some-ipv4-address-cidr
# ),
# traffic=AclTraffic.tcp_port(22),
# rule_number=1
# )
endpoint_subnets = SubnetSelection(subnet_type=SubnetType.PRIVATE)
# Add interface endpoints
for idx, service_info in enumerate(_INTERFACE_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_interface_endpoint(
f'{service_name}{idx}',
service=service,
subnets=endpoint_subnets
)
# Add gateway endpoints
for idx, service_info in enumerate(_GATEWAY_ENDPOINT_SERVICES):
service_name = service_info['name']
service = service_info['service']
self.vpc.add_gateway_endpoint(
service_name,
service=service,
subnets=[endpoint_subnets]
)
# Internal DNS zone for the VPC.
self.dns_zone = PrivateHostedZone(
self,
'DnsZone',
vpc=self.vpc,
zone_name='deadline-test.internal'
)
class VPCConstruct(core.Construct):
def __init__(self, scope: core.Construct, id_: str,
num_of_azs: int) -> None:
super().__init__(scope, id_)
self.audit_vpc = Vpc(
self,
id_,
max_azs=num_of_azs,
subnet_configuration=[
#Currently IOT, AppConfig & Cloudmap are not accessable via VPC endpoint, so we use NAT GW access them
SubnetConfiguration(name=PRIVATE_SUBNET_GROUP,
subnet_type=SubnetType.PRIVATE,
cidr_mask=24),
SubnetConfiguration(name=PUBLIC_NAT_GWS_SUBNET_GROUP,
subnet_type=SubnetType.PUBLIC,
cidr_mask=24)
],
gateway_endpoints={
'S3':
GatewayVpcEndpointOptions(
service=GatewayVpcEndpointAwsService.S3,
subnets=[
SubnetSelection(subnet_group_name=PRIVATE_SUBNET_GROUP)
]),
'DynamoDb':
GatewayVpcEndpointOptions(
service=GatewayVpcEndpointAwsService.DYNAMODB,
subnets=[
SubnetSelection(subnet_group_name=PRIVATE_SUBNET_GROUP)
]),
},
enable_dns_support=True, # For the ElasticSearch Public Domain
enable_dns_hostnames=True)
self.audit_vpc.add_interface_endpoint(
'SsmVpcEndpoint',
service=InterfaceVpcEndpointAwsService.SSM,
subnets=SubnetSelection(one_per_az=True))
self.audit_vpc.add_interface_endpoint(
'SqsVpcEndpoint',
service=InterfaceVpcEndpointAwsService.SQS,
subnets=SubnetSelection(one_per_az=True))
self.audit_vpc.add_interface_endpoint(
'Ec2VpcEndpoint',
service=InterfaceVpcEndpointAwsService.EC2,
subnets=SubnetSelection(one_per_az=True))
self.audit_vpc.add_interface_endpoint(
'LambdaVpcEndpoint',
service=InterfaceVpcEndpointAwsService.LAMBDA_,
subnets=SubnetSelection(one_per_az=True))
self.lambdas_sg = SecurityGroup(self,
id='LambdaSg',
vpc=self.audit_vpc,
security_group_name='Audit-Lambda')
def _get_subnets(self, subnet_group: str) -> List[ISubnet]:
return self.audit_vpc.select_subnets(
subnet_group_name=subnet_group).subnets