VpcV2

class aws_cdk.aws_ec2_alpha.VpcV2(scope, id, *, default_instance_tenancy=None, enable_dns_hostnames=None, enable_dns_support=None, primary_address_block=None, secondary_address_blocks=None, vpc_name=None)

Bases: VpcV2Base

(experimental) This class provides a foundation for creating and configuring a VPC with advanced features such as IPAM (IP Address Management) and IPv6 support.

For more information, see the AWS CDK documentation on VPCs: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Vpc.html

Stability:

experimental

Resource:

AWS::EC2::VPC

ExampleMetadata:

infused

Example:

from aws_cdk import Stack
from aws_cdk.aws_ec2_alpha import (
    IpCidr, NatConnectivityType, RouteTable, SubnetV2, SubnetType, VpcV2,
)

# The stack is the scope in which the VPC and its subnets are created
stack = Stack()
my_vpc = VpcV2(stack, "Vpc")
route_table = RouteTable(stack, "RouteTable",
    vpc=my_vpc
)
# A public subnet carved out of the default 10.0.0.0/16 primary block
subnet = SubnetV2(stack, "Subnet",
    vpc=my_vpc,
    availability_zone="eu-west-2a",
    ipv4_cidr_block=IpCidr("10.0.0.0/24"),
    subnet_type=SubnetType.PUBLIC
)

# Internet Gateway for the public subnet, then a public NAT Gateway placed in it
my_vpc.add_internet_gateway()
my_vpc.add_nat_gateway(
    subnet=subnet,
    connectivity_type=NatConnectivityType.PUBLIC
)

Parameters:
  • scope (Construct) –

  • id (str) –

  • default_instance_tenancy (Optional[DefaultInstanceTenancy]) – (experimental) The default tenancy of instances launched into the VPC. With dedicated tenancy, instances are launched on hardware dedicated to a single AWS customer unless a different tenancy is specified explicitly at instance launch time. Note that not all instance types can be used with dedicated tenancy. Default: DefaultInstanceTenancy.Default (shared tenancy)

  • enable_dns_hostnames (Optional[bool]) – (experimental) Indicates whether the instances launched in the VPC get DNS hostnames. Default: true

  • enable_dns_support (Optional[bool]) – (experimental) Indicates whether the DNS resolution is supported for the VPC. Default: true

  • primary_address_block (Optional[IIpAddresses]) – (experimental) The required primary IPv4 CIDR block for the VPC. Default: - IPv4 CIDR block ‘10.0.0.0/16’

  • secondary_address_blocks (Optional[Sequence[IIpAddresses]]) – (experimental) The secondary CIDR blocks associated with the VPC. They can be IPv4 or IPv6; IPv4 ranges must follow the RFC 1918 convention. For more information, Default: - No secondary IP address

  • vpc_name (Optional[str]) – (experimental) Physical name for the VPC. Default: - autogenerated by CDK

Stability:

experimental

Methods

add_client_vpn_endpoint(id, *, cidr, server_certificate_arn, authorize_all_users_to_vpc_cidr=None, client_certificate_arn=None, client_connection_handler=None, client_login_banner=None, description=None, dns_servers=None, logging=None, log_group=None, log_stream=None, port=None, security_groups=None, self_service_portal=None, session_timeout=None, split_tunnel=None, transport_protocol=None, user_based_authentication=None, vpc_subnets=None)

(experimental) Adds a new client VPN endpoint to this VPC.

Parameters:
  • id (str) –

  • cidr (str) – The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually. Changing the address range will replace the Client VPN endpoint. The CIDR block should be /22 or greater.

  • server_certificate_arn (str) – The ARN of the server certificate.

  • authorize_all_users_to_vpc_cidr (Optional[bool]) – Whether to authorize all users to the VPC CIDR. This automatically creates an authorization rule. Set this to false and use addAuthorizationRule() to create your own rules instead. Default: true

  • client_certificate_arn (Optional[str]) – The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication

  • client_connection_handler (Optional[IClientVpnConnectionHandler]) – The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the AWSClientVPN- prefix Default: - no connection handler

  • client_login_banner (Optional[str]) – Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client

  • description (Optional[str]) – A brief description of the Client VPN endpoint. Default: - no description

  • dns_servers (Optional[Sequence[str]]) – Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device

  • logging (Optional[bool]) – Whether to enable connections logging. Default: true

  • log_group (Optional[ILogGroup]) – A CloudWatch Logs log group for connection logging. Default: - a new group is created

  • log_stream (Optional[ILogStream]) – A CloudWatch Logs log stream for connection logging. Default: - a new stream is created

  • port (Optional[VpnPort]) – The port number to assign to the Client VPN endpoint for TCP and UDP traffic. Default: VpnPort.HTTPS

  • security_groups (Optional[Sequence[ISecurityGroup]]) – The security groups to apply to the target network. Default: - a new security group is created

  • self_service_portal (Optional[bool]) – Specify whether to enable the self-service portal for the Client VPN endpoint. Default: true

  • session_timeout (Optional[ClientVpnSessionTimeout]) – The maximum VPN session duration time. Default: ClientVpnSessionTimeout.TWENTY_FOUR_HOURS

  • split_tunnel (Optional[bool]) – Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint. Default: false

  • transport_protocol (Optional[TransportProtocol]) – The transport protocol to be used by the VPN session. Default: TransportProtocol.UDP

  • user_based_authentication (Optional[ClientVpnUserBasedAuthentication]) – The type of user-based authentication to use. Default: - use mutual authentication

  • vpc_subnets (Union[SubnetSelection, Dict[str, Any], None]) – Subnets to associate to the client VPN endpoint. Default: - the VPC default strategy

Stability:

experimental

Return type:

ClientVpnEndpoint
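The constraints stated above for the VPC address blocks (primary block must be IPv4, secondary IPv4 blocks must follow RFC 1918) and for the Client VPN `cidr` argument (at least a /22, no overlap with the VPC CIDR or manually added routes) are only enforced once the template is deployed. The following added example, which is not part of the aws_cdk.aws_ec2_alpha API, checks a CIDR plan with the Python standard library before the values are handed to VpcV2 or add_client_vpn_endpoint. The non-overlap check between VPC blocks is an assumption taken from how VPC CIDR associations behave, not something this page states; all sample CIDRs are constructed.

```python
import ipaddress
from typing import Iterable, List

# Added example, not part of the aws_cdk.aws_ec2_alpha API: validate a VPC CIDR plan
# before it reaches VpcV2 / add_client_vpn_endpoint.

# The three private address ranges defined by RFC 1918.
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def _parse(cidr: str):
    """Parse a CIDR string strictly: host bits set (e.g. 10.0.1.5/16) is an error."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"{cidr!r} is not a valid CIDR block: {exc}") from None


def validate_vpc_blocks(primary: str, secondaries: Iterable[str] = ()) -> List[str]:
    """Return the problems found in the VPC CIDR plan; an empty list means it is acceptable.

    Mirrors the VpcV2 constraints: the primary block must be IPv4 and secondary IPv4
    blocks must come from the RFC 1918 ranges. The overlap check between blocks is an
    assumption (AWS rejects overlapping CIDR associations on a VPC).
    """
    problems: List[str] = []
    blocks = [_parse(primary)] + [_parse(s) for s in secondaries]
    if blocks[0].version != 4:
        problems.append(f"primary block {primary} must be IPv4")
    for net in blocks[1:]:
        if net.version == 4 and not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"secondary IPv4 block {net} is outside the RFC 1918 ranges")
    for i, a in enumerate(blocks):
        for b in blocks[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"blocks {a} and {b} overlap")
    return problems


def validate_client_vpn_cidr(client_cidr: str, vpc_blocks: Iterable[str],
                             manual_routes: Iterable[str] = ()) -> List[str]:
    """Check the `cidr` argument of add_client_vpn_endpoint.

    The client address pool must be IPv4, at least a /22 (prefix length 22 or shorter),
    and must not overlap the VPC's IPv4 CIDRs or any route added manually.
    """
    problems: List[str] = []
    pool = _parse(client_cidr)
    if pool.version != 4:
        return [f"client CIDR {pool} must be IPv4"]
    if pool.prefixlen > 22:
        problems.append(f"client CIDR {pool} is smaller than /22 (prefix length {pool.prefixlen})")
    for other in list(vpc_blocks) + list(manual_routes):
        net = _parse(other)
        if net.version == 4 and pool.overlaps(net):
            problems.append(f"client CIDR {pool} overlaps {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: default-style primary, one RFC 1918 secondary, one IPv6 secondary.
    vpc_blocks = ["10.0.0.0/16", "10.1.0.0/16", "2001:db8::/56"]
    print(validate_vpc_blocks(vpc_blocks[0], vpc_blocks[1:]))          # []
    print(validate_vpc_blocks("10.0.0.0/16", ["198.51.100.0/24"]))     # RFC 1918 violation
    print(validate_client_vpn_cidr("10.100.0.0/22", vpc_blocks))       # []
    print(validate_client_vpn_cidr("10.0.4.0/22", vpc_blocks))         # overlaps the primary block
    print(validate_client_vpn_cidr("10.100.0.0/24", vpc_blocks))       # smaller than /22
```

Running these checks in a unit test next to the CDK app catches a mis-sized client pool or an overlapping secondary block before `cdk deploy` fails, and the overlap check is the one that matters for the VPN: an overlapping client pool would leave VPN clients unable to reach the overlapped part of the VPC.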

add_egress_only_internet_gateway(*, destination=None, subnets=None)

(experimental) Adds a new Egress Only Internet Gateway to this VPC and defines a new route to the route table of given subnets.

Parameters:
  • destination (Optional[str]) – (experimental) Destination IPv6 address for the EGW route. Default: - ‘::/0’ (all IPv6 traffic)

  • subnets (Optional[Sequence[Union[SubnetSelection, Dict[str, Any]]]]) – (experimental) List of subnets where route to EGW will be added. Default: - no route created

Default:
  • in case of no input subnets, no route is created

Stability:

experimental

Return type:

None

add_flow_log(id, *, destination=None, log_format=None, max_aggregation_interval=None, traffic_type=None)

(experimental) Adds a new flow log to this VPC.

Parameters:
  • id (str) –

  • destination (Optional[FlowLogDestination]) – Specifies the type of destination to which the flow log data is to be published. Flow log data can be published to CloudWatch Logs or Amazon S3 Default: FlowLogDestinationType.toCloudWatchLogs()

  • log_format (Optional[Sequence[LogFormat]]) – The fields to include in the flow log record, in the order in which they should appear. If multiple fields are specified, they will be separated by spaces. For full control over the literal log format string, pass a single field constructed with LogFormat.custom(). See https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records Default: - default log format is used.

  • max_aggregation_interval (Optional[FlowLogMaxAggregationInterval]) – The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. When creating flow logs for a Transit Gateway or Transit Gateway Attachment, this property must be ONE_MINUTES. Default: - FlowLogMaxAggregationInterval.ONE_MINUTES if creating flow logs for Transit Gateway, otherwise FlowLogMaxAggregationInterval.TEN_MINUTES.

  • traffic_type (Optional[FlowLogTrafficType]) – The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic. When the target is either TransitGateway or TransitGatewayAttachment, setting the traffic type is not possible. Default: ALL

Stability:

experimental

Return type:

FlowLog
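The flow log produced by add_flow_log is only useful once something reads it. The following added example, not part of the aws_cdk.aws_ec2_alpha API, parses flow log records in the field order of the default (version 2) format, shows how the same parser handles a custom `log_format` field sequence, and summarises rejected traffic per source address. The records, account id and ENI id are constructed placeholders, and the "noisy source" threshold is a constructed heuristic.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Set

# Added example, not part of the aws_cdk.aws_ec2_alpha API: parse VPC Flow Log
# records and summarise rejected traffic.

# Field order of the default (version 2) flow log format.
DEFAULT_FIELDS: Sequence[str] = (
    "version", "account-id", "interface-id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log-status",
)

# A custom field order, as one would pass via log_format; constructed for this example.
CUSTOM_FIELDS: Sequence[str] = ("srcaddr", "dstaddr", "dstport", "action")

# Constructed sample records (account id and ENI id are placeholders, not real values).
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 203.0.113.9 10.0.1.20 40123 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.9 10.0.1.20 40124 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.9 10.0.1.20 40125 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 10.0.2.15 10.0.1.20 51000 443 6 20 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line: str, fields: Sequence[str] = DEFAULT_FIELDS) -> Dict[str, object]:
    """Split one space-separated record into a dict keyed by field name.

    A "-" means the field has no value in this record (e.g. NODATA / SKIPDATA lines),
    so it is mapped to None rather than left as a literal dash.
    """
    parts = line.split()
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(parts)}: {line!r}")
    return {name: (None if value == "-" else value) for name, value in zip(fields, parts)}


def parse_log(text: str, fields: Sequence[str] = DEFAULT_FIELDS) -> List[Dict[str, object]]:
    """Parse every non-empty line of a flow log export."""
    return [parse_record(line, fields) for line in text.splitlines() if line.strip()]


def rejected_ports_by_source(records: List[Dict[str, object]]) -> Dict[str, Set[int]]:
    """Map each source address to the set of destination ports it was rejected on."""
    out: Dict[str, Set[int]] = defaultdict(set)
    for rec in records:
        if rec.get("action") == "REJECT" and rec.get("srcaddr") and rec.get("dstport"):
            out[str(rec["srcaddr"])].add(int(str(rec["dstport"])))
    return dict(out)


def noisy_sources(records: List[Dict[str, object]], threshold: int = 3) -> List[str]:
    """Sources rejected on at least `threshold` distinct ports (constructed heuristic)."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= threshold)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(rejected_ports_by_source(records))   # {'203.0.113.9': {22, 23, 3389}}
    print(noisy_sources(records))              # ['203.0.113.9']
    # The same parser works for a custom log_format once the field order is known.
    print(parse_record("203.0.113.9 10.0.1.20 22 REJECT", CUSTOM_FIELDS))
```

Keeping the field order in one place (the `fields` sequence) is what makes a custom `log_format` safe to adopt: the parser and the CDK definition must agree on the order, and a record whose field count does not match is rejected rather than silently misread.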

add_gateway_endpoint(id, *, service, subnets=None)

(experimental) Adds a new gateway endpoint to this VPC.

Parameters:
  • id (str) –

  • service (IGatewayVpcEndpointService) – The service to use for this gateway VPC endpoint.

  • subnets (Optional[Sequence[Union[SubnetSelection, Dict[str, Any]]]]) – Where to add endpoint routing. By default, this endpoint will be routable from all subnets in the VPC. Specify a list of subnet selection objects here to be more specific. Default: - All subnets in the VPC

Stability:

experimental

Return type:

GatewayVpcEndpoint

add_interface_endpoint(id, *, service, lookup_supported_azs=None, open=None, private_dns_enabled=None, security_groups=None, subnets=None)

(experimental) Adds a new interface endpoint to this VPC.

Parameters:
  • id (str) –

  • service (IInterfaceVpcEndpointService) – The service to use for this interface VPC endpoint.

  • lookup_supported_azs (Optional[bool]) – Limit to only those availability zones where the endpoint service can be created. Setting this to ‘true’ requires a lookup to be performed at synthesis time. Account and region must be set on the containing stack for this to work. Default: false

  • open (Optional[bool]) – Whether to automatically allow VPC traffic to the endpoint. If enabled, all traffic to the endpoint from within the VPC will be automatically allowed. This is done based on the VPC’s CIDR range. Default: true

  • private_dns_enabled (Optional[bool]) – Whether to associate a private hosted zone with the specified VPC. This allows you to make requests to the service using its default DNS hostname. Default: set by the instance of IInterfaceVpcEndpointService, or true if not defined by the instance of IInterfaceVpcEndpointService

  • security_groups (Optional[Sequence[ISecurityGroup]]) – The security groups to associate with this interface VPC endpoint. Default: - a new security group is created

  • subnets (Union[SubnetSelection, Dict[str, Any], None]) – The subnets in which to create an endpoint network interface. At most one per availability zone. Default: - private subnets

Stability:

experimental

Return type:

InterfaceVpcEndpoint

add_internet_gateway(*, ipv4_destination=None, ipv6_destination=None)

(experimental) Adds a new Internet Gateway to this VPC.

Parameters:
  • ipv4_destination (Optional[str]) – (experimental) Destination IPv4 address for the Internet Gateway route. Default: - ‘0.0.0.0’ (all IPv4 traffic)

  • ipv6_destination (Optional[str]) – (experimental) Destination IPv6 address for the Internet Gateway route. Default: - ‘::/0’ (all IPv6 traffic)

Default:
  • creates a new route for public subnets (with all outbound access) to the Internet Gateway.

Stability:

experimental

Return type:

None

add_nat_gateway(*, subnet, allocation_id=None, connectivity_type=None, max_drain_duration=None, nat_gateway_name=None, private_ip_address=None, secondary_allocation_ids=None, secondary_private_ip_address_count=None, secondary_private_ip_addresses=None)

(experimental) Adds a new NAT Gateway to the given subnet of this VPC.

Parameters:
  • subnet (ISubnetV2) – (experimental) The subnet in which the NAT gateway is located.

  • allocation_id (Optional[str]) – (experimental) Allocation ID of the Elastic IP address associated with the NAT gateway. This property is required for a public NAT gateway and cannot be specified for a private NAT gateway. Default: - the allocation ID of a new Elastic IP created by default

  • connectivity_type (Optional[NatConnectivityType]) – (experimental) Indicates whether the NAT gateway supports public or private connectivity. Default: NatConnectivityType.Public

  • max_drain_duration (Optional[Duration]) – (experimental) The maximum amount of time to wait before forcibly releasing the IP addresses if connections are still in progress. Default: 350 seconds

  • nat_gateway_name (Optional[str]) – (experimental) The resource name of the NAT gateway. Default: - NATGW provisioned without any name

  • private_ip_address (Optional[str]) – (experimental) The private IPv4 address to assign to the NAT gateway. Default: - If you don’t provide an address, a private IPv4 address will be automatically assigned.

  • secondary_allocation_ids (Optional[Sequence[str]]) – (experimental) Secondary EIP allocation IDs. Default: - no secondary allocation IDs attached to NATGW

  • secondary_private_ip_address_count (Union[int, float, None]) – (experimental) The number of secondary private IPv4 addresses you want to assign to the NAT gateway. SecondaryPrivateIpAddressCount and SecondaryPrivateIpAddresses cannot be set at the same time. Default: - no secondary allocation IDs associated with NATGW

  • secondary_private_ip_addresses (Optional[Sequence[str]]) – (experimental) Secondary private IPv4 addresses. SecondaryPrivateIpAddressCount and SecondaryPrivateIpAddresses cannot be set at the same time. Default: - no secondary private IpAddresses associated with NATGW

Stability:

experimental

Return type:

NatGateway

add_vpn_connection(id, *, ip, asn=None, static_routes=None, tunnel_options=None)

(experimental) Adds a new VPN connection to this VPC.

Parameters:
  • id (str) –

  • ip (str) – The IP address of the customer gateway.

  • asn (Union[int, float, None]) – The ASN of the customer gateway. Default: 65000

  • static_routes (Optional[Sequence[str]]) – The static routes to be routed from the VPN gateway to the customer gateway. Default: Dynamic routing (BGP)

  • tunnel_options (Optional[Sequence[Union[VpnTunnelOption, Dict[str, Any]]]]) – The tunnel options for the VPN connection. At most two elements (one per tunnel). Duplicates not allowed. Default: Amazon generated tunnel options

Stability:

experimental

Return type:

VpnConnection

apply_removal_policy(policy)

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

Parameters:

policy (RemovalPolicy) –

Return type:

None

enable_vpn_gateway(*, vpn_route_propagation=None, type, amazon_side_asn=None)

(deprecated) Adds a VPN Gateway to this VPC.

Parameters:
  • vpn_route_propagation (Optional[Sequence[Union[SubnetSelection, Dict[str, Any]]]]) – Provide an array of subnets where the route propagation should be added. Default: noPropagation

  • type (str) – Default type ipsec.1.

  • amazon_side_asn (Union[int, float, None]) – Explicitly specify an ASN or let AWS pick one for you. Default: 65000

Deprecated:

use enableVpnGatewayV2 for compatibility with VPCV2.Route

Stability:

deprecated

Return type:

None

enable_vpn_gateway_v2(*, type, amazon_side_asn=None, vpn_gateway_name=None, vpn_route_propagation=None)

(experimental) Adds a VPNGatewayV2 to this VPC.

Parameters:
  • type (VpnConnectionType) – (experimental) The type of VPN connection the virtual private gateway supports.

  • amazon_side_asn (Union[int, float, None]) – (experimental) The private Autonomous System Number (ASN) for the Amazon side of a BGP session. Default: - no ASN set for BGP session

  • vpn_gateway_name (Optional[str]) – (experimental) The resource name of the VPN gateway. Default: - resource provisioned without any name

  • vpn_route_propagation (Optional[Sequence[Union[SubnetSelection, Dict[str, Any]]]]) – (experimental) Subnets where the route propagation should be added. Default: - no propagation for routes

Stability:

experimental

Return type:

VPNGatewayV2

select_subnets(*, availability_zones=None, one_per_az=None, subnet_filters=None, subnet_group_name=None, subnets=None, subnet_type=None)

(experimental) Return information on the subnets appropriate for the given selection strategy.

Requires that at least one subnet is matched, throws a descriptive error message otherwise.

Parameters:
  • availability_zones (Optional[Sequence[str]]) – Select subnets only in the given AZs. Default: no filtering on AZs is done

  • one_per_az (Optional[bool]) – If true, return at most one subnet per AZ. Default: false

  • subnet_filters (Optional[Sequence[SubnetFilter]]) – List of provided subnet filters. Default: - none

  • subnet_group_name (Optional[str]) – Select the subnet group with the given name. This only needs to be used if you have multiple subnet groups of the same type and you need to distinguish between them. Otherwise, prefer subnetType. This field does not select individual subnets; it selects all subnets that share the given subnet group name. This is the name supplied in subnetConfiguration. At most one of subnetType and subnetGroupName can be supplied. Default: - Selection by type instead of by name

  • subnets (Optional[Sequence[ISubnet]]) – Explicitly select individual subnets. Use this if you don’t want to automatically use all subnets in a group, but have a need to control selection down to individual subnets. Cannot be specified together with subnetType or subnetGroupName. Default: - Use all subnets in a selected group (all private subnets by default)

  • subnet_type (Optional[SubnetType]) – Select all subnets of the given type. At most one of subnetType and subnetGroupName can be supplied. Default: SubnetType.PRIVATE_WITH_EGRESS (or ISOLATED or PUBLIC if there are no PRIVATE_WITH_EGRESS subnets)

Stability:

experimental

Return type:

SelectedSubnets

to_string()

Returns a string representation of this construct.

Return type:

str

Attributes

availability_zones

(experimental) AZs for this VPC.

Stability:

experimental

dns_hostnames_enabled

(experimental) Indicates if instances launched in this VPC will have public DNS hostnames.

Stability:

experimental

dns_support_enabled

(experimental) Indicates if DNS support is enabled for this VPC.

Stability:

experimental

env

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

internet_connectivity_established

(experimental) To define dependency on internet connectivity.

Stability:

experimental

internet_gateway_id

(experimental) Returns the id of the Internet Gateway (if enabled).

Stability:

experimental

ip_addresses

(experimental) The provider of ipv4 addresses.

Stability:

experimental

ipv4_cidr_block

(experimental) The primary IPv4 CIDR block associated with the VPC.

Needed in order to validate subnet ranges against the VPC range; the existing vpcCidrBlock property refers to the token value. For more information, see https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html#vpc-sizing-ipv4

Stability:

experimental

ipv6_cidr_blocks

(experimental) The IPv6 CIDR blocks for the VPC.

See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html#aws-resource-ec2-vpc-return-values

Stability:

experimental

isolated_subnets

(experimental) Isolated Subnets that are part of this VPC.

Stability:

experimental

node

The tree node.

private_subnets

(experimental) Private Subnets that are part of this VPC.

Stability:

experimental

public_subnets

(experimental) Public Subnets that are part of this VPC.

Stability:

experimental

resource

(experimental) The AWS CloudFormation resource representing the VPC.

Stability:

experimental

secondary_cidr_block

(experimental) Reference to all secondary CIDR blocks attached to this VPC.

Stability:

experimental

stack

The stack in which this resource is defined.

use_ipv6

(experimental) Used when validating the definition of IPv6 subnets; set to true when an Amazon-provided IPv6 CIDR range is in use. If true, IPv6 addresses can be attached to the subnets.

Default:

false

Stability:

experimental

vpc_arn

(experimental) ARN of this VPC.

Stability:

experimental

Attribute:

true

vpc_cidr_block

(experimental) CIDR range for this VPC.

Stability:

experimental

Attribute:

true

vpc_id

(experimental) Identifier for this VPC.

Stability:

experimental

vpn_gateway_id

(experimental) Returns the id of the VPN Gateway (if enabled).

Stability:

experimental

Static Methods

classmethod is_construct(x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof and to use this type-testing method instead.

Parameters:

x (Any) – Any object.

Return type:

bool

Returns:

true if x is an object created from a class which extends Construct.

classmethod is_owned_resource(construct)

Returns true if the construct was created by CDK, and false otherwise.

Parameters:

construct (IConstruct) –

Return type:

bool

classmethod is_resource(construct)

Check whether the given construct is a Resource.

Parameters:

construct (IConstruct) –

Return type:

bool