Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(ec2): client vpn endpoint #12234

Merged
merged 25 commits into from
Mar 22, 2021
Merged
Show file tree
Hide file tree
Changes from 24 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
86220bf
feat(ec2): client vpn endpoint
jogold Dec 25, 2020
b9009f9
self service portal
jogold Dec 26, 2020
a8375a7
simplify userBasedAuthentication
jogold Dec 26, 2020
d3ec85d
README
jogold Dec 26, 2020
64e437a
AuthorizeAll
jogold Dec 26, 2020
09f9755
Merge branch 'master' into ec2-client-vpn
jogold Dec 26, 2020
4c2a3f9
integ expectation
jogold Dec 26, 2020
880d47c
Merge branch 'master' into ec2-client-vpn
jogold Jan 4, 2021
e9620a0
Merge branch 'master' into ec2-client-vpn
jogold Jan 10, 2021
72c6145
Merge branch 'master' into ec2-client-vpn
jogold Jan 14, 2021
42d6cd7
Merge branch 'master' into ec2-client-vpn
jogold Jan 21, 2021
700087a
Merge branch 'master' into ec2-client-vpn
jogold Jan 27, 2021
a4edb00
Merge branch 'master' into ec2-client-vpn
jogold Feb 1, 2021
be8bc1f
Merge branch 'master' into ec2-client-vpn
jogold Feb 4, 2021
833db87
isolate CoreConstruct import
jogold Feb 4, 2021
7663819
Merge branch 'master' into ec2-client-vpn
jogold Feb 16, 2021
8ea25c5
Merge branch 'master' into ec2-client-vpn
jogold Feb 24, 2021
f4bb91d
Merge branch 'master' into ec2-client-vpn
jogold Feb 25, 2021
daba82b
handle list-encoded subnetids
jogold Feb 25, 2021
7132ff5
PR feedback
jogold Feb 25, 2021
adffdb2
Merge branch 'master' into ec2-client-vpn
jogold Mar 8, 2021
3aaa992
saml provider and ClientVpnUserBasedAuthentication
jogold Mar 8, 2021
4e207e0
REAMDE
jogold Mar 8, 2021
cc5a50e
certificate ARN
jogold Mar 8, 2021
1a1ca00
Merge branch 'master' into ec2-client-vpn
mergify[bot] Mar 22, 2021
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 65 additions & 0 deletions packages/@aws-cdk/aws-ec2/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -678,6 +678,71 @@ Note: The domain name must be owned (registered through Route53) by the account
The VpcEndpointServiceDomainName will handle the AWS side of domain verification, the process for which can be found
[here](https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-dns-validation.html)

### Client VPN endpoint

AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS
resources and resources in your on-premises network. With Client VPN, you can access your resources
from any location using an OpenVPN-based VPN client.

Use the `addClientVpnEndpoint()` method to add a client VPN endpoint to a VPC:

```ts fixture=client-vpn
vpc.addClientVpnEndpoint('Endpoint', {
cidr: '10.100.0.0/16',
serverCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id',
// Mutual authentication
clientCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/client-certificate-id',
// User-based authentication
userBasedAuthentication: ec2.ClientVpnUserBasedAuthentication.federated(samlProvider),
});
```

The endpoint must use at least one [authentication method](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html):

* Mutual authentication with a client certificate
* User-based authentication (directory or federated)

If user-based authentication is used, the [self-service portal URL](https://docs.aws.amazon.com/vpn/latest/clientvpn-user/self-service-portal.html)
is made available via a CloudFormation output.

By default, a new security group is created and logging is enabled. Moreover, a rule to
authorize all users to the VPC CIDR is created.

To customize authorization rules, set the `authorizeAllUsersToVpcCidr` prop to `false`
and use `addaddAuthorizationRule()`:

```ts fixture=client-vpn
const endpoint = vpc.addClientVpnEndpoint('Endpoint', {
cidr: '10.100.0.0/16',
serverCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id',
userBasedAuthentication: ec2.ClientVpnUserBasedAuthentication.federated(samlProvider),
authorizeAllUsersToVpcCidr: false,
});

endpoint.addAuthorizationRule('Rule', {
cidr: '10.0.10.0/32',
groupId: 'group-id',
});
```

Use `addRoute()` to configure network routes:

```ts fixture=client-vpn
const endpoint = vpc.addClientVpnEndpoint('Endpoint', {
cidr: '10.100.0.0/16',
serverCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/server-certificate-id',
userBasedAuthentication: ec2.ClientVpnUserBasedAuthentication.federated(samlProvider),
});

// Client-to-client access
endpoint.addRoute('Route', {
cidr: '10.100.0.0/16',
target: ec2.ClientVpnRouteTarget.local(),
});
```

Use the `connections` object of the endpoint to allow traffic to other security groups.

## Instances

You can use the `Instance` class to start up a single EC2 instance. For production setups, we recommend
Expand Down
57 changes: 57 additions & 0 deletions packages/@aws-cdk/aws-ec2/lib/client-vpn-authorization-rule.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
import { Resource } from '@aws-cdk/core';
import { Construct } from 'constructs';
import { IClientVpnEndpoint } from './client-vpn-endpoint-types';
import { CfnClientVpnAuthorizationRule } from './ec2.generated';

/**
* Options for a ClientVpnAuthorizationRule
*/
export interface ClientVpnAuthorizationRuleOptions {
/**
* The IPv4 address range, in CIDR notation, of the network for which access
* is being authorized.
*/
readonly cidr: string;

/**
* The ID of the group to grant access to, for example, the Active Directory
* group or identity provider (IdP) group.
*
* @default - authorize all groups
*/
readonly groupId?: string;

/**
* A brief description of the authorization rule.
*
* @default - no description
*/
readonly description?: string;
}

/**
* Properties for a ClientVpnAuthorizationRule
*/
export interface ClientVpnAuthorizationRuleProps extends ClientVpnAuthorizationRuleOptions {
/**
* The client VPN endpoint to which to add the rule.
*/
readonly clientVpnEndoint: IClientVpnEndpoint;
}

/**
* A client VPN authorization rule
*/
export class ClientVpnAuthorizationRule extends Resource {
constructor(scope: Construct, id: string, props: ClientVpnAuthorizationRuleProps) {
super(scope, id);

new CfnClientVpnAuthorizationRule(this, 'Resource', {
clientVpnEndpointId: props.clientVpnEndoint.endpointId,
targetNetworkCidr: props.cidr,
accessGroupId: props.groupId,
authorizeAllGroups: !props.groupId,
description: props.description,
});
}
}
52 changes: 52 additions & 0 deletions packages/@aws-cdk/aws-ec2/lib/client-vpn-endpoint-types.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
import { IDependable, IResource } from '@aws-cdk/core';
import { IConnectable } from './connections';

/**
* A client VPN endpoint
*/
export interface IClientVpnEndpoint extends IResource, IConnectable {
/**
* The endpoint ID
*/
readonly endpointId: string;

/**
* Dependable that can be depended upon to force target networks associations
*/
readonly targetNetworksAssociated: IDependable;
}

/**
* A connection handler for client VPN endpoints
*/
export interface IClientVpnConnectionHandler {
/**
* The name of the function
*/
readonly functionName: string;

/**
* The ARN of the function.
*/
readonly functionArn: string;
}

/**
* Transport protocol for client VPN
*/
export enum TransportProtocol {
/** Transmission Control Protocol (TCP) */
TCP = 'tcp',
/** User Datagram Protocol (UDP) */
UDP = 'udp',
}

/**
* Port for client VPN
*/
export enum VpnPort {
/** HTTPS */
HTTPS = 443,
/** OpenVPN */
OPENVPN = 1194,
}
Loading