Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ClientVpnEndpoint: Integration with IPAM for CIDR selection #22889

Open
2 tasks
hscheib opened this issue Nov 11, 2022 · 2 comments
Open
2 tasks

ClientVpnEndpoint: Integration with IPAM for CIDR selection #22889

hscheib opened this issue Nov 11, 2022 · 2 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p2

Comments

@hscheib
Copy link

hscheib commented Nov 11, 2022

Describe the feature

I would like to request the ability to use IPAM for generating a CIDR for a ClientVpnEndpoint. This would be similar to how VPC has integrated with IPAM and can just pick a netmask length and you don't have to create an allocation separately

Use Case

Our team is utilizing AWS IPAM fully and want to automate all CIDR generation. We want to include our VPN client address space in IPAM and ideally its automatically provisioned by just setting a netmask length.

Proposed Solution

Recently VPC with IPAM integration Issue was merged allowing VPC creation to set an IPAM poolID and masks to auto allocate unused range to a VPC as seen below.

    const vpc = new ec2.Vpc(this, "vpc", {
      ipAddresses: ec2.IpAddresses.awsIpamAllocation({
        ipv4IpamPoolId: props.poolId,
        ipv4NetmaskLength: props.netmaskLength,
      }),
     ...
    });

I would like the ability to do the same for ClientVpnEndpoint, instead of passing in a cidr(that my team has to lookup/calculate manually). So the proposed solution would almost be a duplicate of the VPC implementation where I give it a pool ID and a mask and say just give me a range that isn't allocated

    const vpnEndpoint = new ec2.ClientVpnEndpoint(this, "vpn-endpoint", {
      ipAddresses: ec2.IpAddresses.awsIpamAllocation({
        ipv4IpamPoolId: props.poolId,
        ipv4NetmaskLength: props.netmaskLength,
      }),
      ...
    });

Other Information

I have tried creating an IPAM allocation and setting the cidr on the ClientEndPoint with that object but it fails because the cidr is empty.

const allocation = new ec2.CfnIPAMAllocation(this, 'ipam-allocation', {
    ipamPoolId: props.poolId,
    description: 'Client VPN IPAM allocation',
    netmaskLength: props.netmaskLength,
});
    
const vpnEndpoint = new ec2.ClientVpnEndpoint(this, "vpn-endpoint", {
  cidr: allocation.cidr
  ...
});

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.48.0

Environment details (OS name and version, etc.)

macOS 12.5.1
@hscheib hscheib added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 11, 2022
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Nov 11, 2022
@peterwoodworth
Copy link
Contributor

I'm not sure how possible this is. The Cloudformation VPC resource has some properties that allow for IPAM configuration, however the ClientVpnEndpoint resource only has CIDR configuration with a specific CIDR block. We might need support from CloudFormation here

Regarding your Other Information section - the properties on the CloudFormation resource after creation will be 1:1 with the properties of the same name that you pass in. So, since you can pass in cidr, it will be undefined as there was no value passed in. You could potentially use an AwsCustomResource to make an API call to get the CIDR of the IPAM allocation instead?

@peterwoodworth peterwoodworth added p2 needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 12, 2022
@corymhall corymhall removed their assignment Apr 15, 2024
@sbstjn
Copy link

sbstjn commented Jul 1, 2024

From the CloudFormation docs about AWS::EC2::IPAMAllocation it reads:

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the pool ID, allocation ID, and CIDR joined with "|" as a separator.

So, allocating IP addresses first and then getting the CIDR from the returned Ref should do the trick to create a AWS::EC2::ClientVpnEndpoint with IPAM connection.

const vpnAllocation = new aws_ec2.CfnIPAMAllocation(this, 'allocation', {
  description: 'VPN',
  ipamPoolId: 'Your-IPAM-PoolId',
  netmaskLength: 18,
})

this.vpn = new aws_ec2.ClientVpnEndpoint(this, 'vpn', {
  cidr: Fn.select(2, Fn.split('|', vpnAllocation.ref)),
  ...
})

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sbstjn @hscheib @corymhall @peterwoodworth