feat(ec2): add support for vpn connections #1899
Conversation
packages/@aws-cdk/aws-ec2/README.md
Outdated
|
|
||
| ```ts | ||
| // Dynamic routing | ||
| vpc.newVpnConnection('Dynamic', { |
packages/@aws-cdk/aws-ec2/README.md
Outdated
|
|
||
| ```ts | ||
| const vpc = new ec2.VpcNetwork(stack, 'MyVpc', { | ||
| vpnGateway: true |
There was a problem hiding this comment.
allow specifying vpnConnections in props as well via a map from ID to options:
new VpcNetwork(this, 'MyVpc', {
vpnConnections: {
dynamic: { ip: '1.2.3.4' }
}
});| @@ -12,6 +13,12 @@ export interface IVpcSubnet extends IConstruct { | |||
| */ | |||
| readonly subnetId: string; | |||
|
|
|||
| /** | |||
| * The id of the route table associated with this subnet. | |||
| * Not available for an imported subnet. | |||
There was a problem hiding this comment.
Will this throw for imported subnets?
There was a problem hiding this comment.
No, it won't. We need routeTableId in order to propagate routes. The AWS::EC2::VPNGatewayRoutePropagation references it and is created inside the VpcNetwork construct. For imported networks/subnets we just don't need this routeTableId
packages/@aws-cdk/aws-ec2/lib/vpc.ts
Outdated
|
|
||
| // Propagate routes on route tables associated with private subnets | ||
| const routePropagation = new CfnVPNGatewayRoutePropagation(this, 'RoutePropagation', { | ||
| routeTableIds: this.privateSubnets.map(subnet => subnet.routeTableId!), |
There was a problem hiding this comment.
No !s please (it indicates that either the model is wrong or that we need a check with a good error thrown). Seems like routeTableId cannot be undefined
There was a problem hiding this comment.
It's indeed a mistake.
packages/@aws-cdk/aws-ec2/lib/vpc.ts
Outdated
|
|
||
| constructor(scope: cdk.Construct, id: string, private readonly props: VpcSubnetImportProps) { | ||
| super(scope, id); | ||
|
|
||
| this.subnetId = props.subnetId; | ||
| this.availabilityZone = props.availabilityZone; | ||
| this.routeTableId = ''; |
packages/@aws-cdk/aws-ec2/lib/vpn.ts
Outdated
| tunnelInsideCidr: string; | ||
| } | ||
|
|
||
| export interface BaseVpnConnectionProps { |
There was a problem hiding this comment.
Please rename to VpnConnectionOptions (see #1740)
packages/@aws-cdk/aws-ec2/lib/vpn.ts
Outdated
| /** | ||
| * The IPsec 1 VPN connection type. | ||
| */ | ||
| export const IPsec1 = 'ipsec.1'; |
There was a problem hiding this comment.
Should this be an enum maybe?
There was a problem hiding this comment.
Switching to an enum with only one member seems problematic for jsii? See build logs...
There was a problem hiding this comment.
You are correct: aws/jsii#231
Can you add another member, even a dummy one?
There was a problem hiding this comment.
And you can add this to the jsii issue and we'll fix once the jsii bug is fixed.
packages/@aws-cdk/aws-ec2/lib/vpc.ts
Outdated
| /** | ||
| * Indicates whether a VPN gateway should be created and attached to this VPC. | ||
| * | ||
| * @default false |
There was a problem hiding this comment.
Can we make this default smarter, so if I define vpn connections on this VPC, it will default to "true", and otherwise to "false". I would expect this to Just Work (TM):
new VpcNetwork(this, 'VPC', {
vpnConnections: {
dynamic: { ip: '1.2.3.4' }
}
});
|
Hey @jogold great work by the way! |
There was a problem hiding this comment.
Looks good! I'd like @rix0rrr or @PaulMaddox 's feedback here as well
packages/@aws-cdk/aws-ec2/README.md
Outdated
| }); | ||
| ``` | ||
|
|
||
| To export a VPC that can accept VPN connections, set `vpnGateway` to `true`: |
packages/@aws-cdk/aws-ec2/lib/vpc.ts
Outdated
| routePropagation.node.addDependency(attachment); | ||
|
|
||
| const vpnConnections = props.vpnConnections || {}; | ||
| Object.keys(vpnConnections).forEach(cId => { |
There was a problem hiding this comment.
Style: I prefer:
for (const [ id, vpn ] of Object.entries(vpnConnections)) {
// ...
}
|
@leepa if you have some time to take a quick look, it will be much appreciated. |
|
@jogold 👍 |
|
Do we need to support an option to propagate routes on isolated subnets? We could have something like: export enum RoutesPropagationType {
PrivateOnly,
PrivateIsolated
}export interface VpcNetworkProps {
...
/**
* Where to propagate VPN routes.
*
* @default on the route tables associated with the private subnets
*/
vpnRoutesPropagation?: RoutesPropagationType
...
} |
|
@jogold sounds useful |
There was a problem hiding this comment.
Love this addition - it will make handling VPN connections nicer. There's the case of handing subnet groups rather than being opinionated about only allowing private subnets (so for example, some customers want to just SSH directly to hosts via the VPN connection).
packages/@aws-cdk/aws-ec2/lib/vpc.ts
Outdated
|
|
||
| // Propagate routes on route tables associated with private subnets | ||
| const routePropagation = new CfnVPNGatewayRoutePropagation(this, 'RoutePropagation', { | ||
| routeTableIds: (this.privateSubnets as VpcPrivateSubnet[]).map(subnet => subnet.routeTableId), |
There was a problem hiding this comment.
We should consider allowing an option to allow for subnetgroups to be chosen by the user of this to decide what to propogate - there are reasons you might want to route public (and isolated)
packages/@aws-cdk/aws-ec2/lib/vpn.ts
Outdated
| * The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be | ||
| * unique across all VPN connections that use the same virtual private gateway. | ||
| */ | ||
| tunnelInsideCidr: string; |
There was a problem hiding this comment.
Both things here are independently optional https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-vpnconnection-vpntunneloptionsspecification.html and so one might want to set one and not the other.
packages/@aws-cdk/aws-ec2/lib/vpn.ts
Outdated
| /** | ||
| * Tunnel options for the VPN connection. | ||
| */ | ||
| vpnTunnelOptions?: VpnTunnelOption[]; |
There was a problem hiding this comment.
Tests don't appear to cover this.
|
@leepa are you happy with this? Can we merge? |
|
@eladb if the tests are passing, the changes look good! |
|
@jogold may I ask that you write up a nice PR description so we can use as a commit message? |
|
@eladb updated description, is this ok? |
|
Perfect. Thanks! |
Add support for Site-to-Site VPN connections to VPC networks.
When VPN connections are specified, a VPN gateway is automatically
created and attached to the VPC. By default, routes are propagated on the
route tables associated with the private subnets. Propagation to routes
tables associated with public and/or isolated subnets is supported.
Update VPC context provider to also import
vpnGatewayId.References aws/jsii#231
Pull Request Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.