IVpcEndpointService, JSDoc, README and integ test

jogold · Mar 28, 2019 · 65293e4 · 65293e4
1 parent a8e827e
commit 65293e4
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 29 deletions.
diff --git a/packages/@aws-cdk/aws-ec2/README.md b/packages/@aws-cdk/aws-ec2/README.md
@@ -355,6 +355,8 @@ const state = vpnConnection.metricTunnelState();
 ```
 
 ### VPC endpoints
-VPC gateway and interface endpoints can be added to a VPC:
+A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
+
+Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.
 
 [example of setting up VPC endpoints](test/integ.vpc-endpoint.lit.ts)
diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts
@@ -32,19 +32,26 @@ export interface IVpcGatewayEndpoint extends IVpcEndpoint {
 export enum VpcEndpointType {
   /**
    * Interface
+   *
+   * An interface endpoint is an elastic network interface with a private IP
+   * address that serves as an entry point for traffic destined to a supported
+   * service.
    */
   Interface = 'Interface',
 
   /**
    * Gateway
+   *
+   * A gateway endpoint is a gateway that is a target for a specified route in
+   * your route table, used for traffic destined to a supported AWS service.
    */
   Gateway = 'Gateway'
 }
 
 /**
  * A VPC endpoint service.
  */
-export interface VpcEndpointService {
+export interface IVpcEndpointService {
   /**
    * The name of the service.
    */
@@ -59,7 +66,7 @@ export interface VpcEndpointService {
 /**
  * A VPC endpoint AWS service.
  */
-export class VpcEndpointAwsService implements VpcEndpointService {
+export class VpcEndpointAwsService implements IVpcEndpointService {
   public static readonly SageMakerNotebook = new VpcEndpointAwsService('sagemaker', VpcEndpointType.Interface, 'aws.sagemaker');
   public static readonly CloudFormation = new VpcEndpointAwsService('cloudformation');
   public static readonly CloudTrail = new VpcEndpointAwsService('cloudtrail');
@@ -123,7 +130,7 @@ export interface VpcEndpointOptions {
   /**
    * The service to use for this VPC endpoint.
    */
-  readonly service: VpcEndpointService;
+  readonly service: IVpcEndpointService;
 }
 
 /**

diff --git a/packages/@aws-cdk/aws-ec2/test/integ.vpc-endpoint.lit.ts b/packages/@aws-cdk/aws-ec2/test/integ.vpc-endpoint.lit.ts
@@ -3,34 +3,45 @@ import cdk = require('@aws-cdk/cdk');
 import ec2 = require('../lib');
 
 const app = new cdk.App();
-const stack = new cdk.Stack(app, 'aws-cdk-ec2-vpc-endpoint');
-
-/// !show
-const vpc = new ec2.VpcNetwork(stack, 'MyVpc', {
-  gatewayEndpoints: {
-    S3: {
-      service: ec2.VpcEndpointAwsService.S3
-    }
-  }
-});
 
-const dynamoDbEndpoint = vpc.addGatewayEndpoint('DynamoDbEndpoint', {
-  service: ec2.VpcEndpointAwsService.DynamoDb
-});
+class VpcEndpointStack extends cdk.Stack {
+  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    /// !show
+    // Add gateway endpoints when creating the VPC
+    const vpc = new ec2.VpcNetwork(this, 'MyVpc', {
+      gatewayEndpoints: {
+        S3: {
+          service: ec2.VpcEndpointAwsService.S3
+        }
+      }
+    });
 
-// Restrict to listing and describing tables
-dynamoDbEndpoint.addToPolicy(
-  new iam.PolicyStatement()
-    .addAnyPrincipal()
-    .addActions('dynamodb:DescribeTable', 'dynamodb:ListTables')
-    .addAllResources()
-);
+    // Alternatively gateway endpoints can be added on the VPC
+    const dynamoDbEndpoint = vpc.addGatewayEndpoint('DynamoDbEndpoint', {
+      service: ec2.VpcEndpointAwsService.DynamoDb
+    });
 
-const ecrDockerEndpoint = vpc.addInterfaceEndpoint('EcrDockerEndpoint', {
-  service: ec2.VpcEndpointAwsService.EcrDocker
-});
+    // This allows to customize the endpoint policy
+    dynamoDbEndpoint.addToPolicy(
+      new iam.PolicyStatement() // Restrict to listing and describing tables
+        .addAnyPrincipal()
+        .addActions('dynamodb:DescribeTable', 'dynamodb:ListTables')
+        .addAllResources()
+    );
 
-ecrDockerEndpoint.connections.allowFromAnyIPv4(new ec2.TcpPort(443));
-/// !hide
+    // Add an interface endpoint
+    const ecrDockerEndpoint = vpc.addInterfaceEndpoint('EcrDockerEndpoint', {
+      service: ec2.VpcEndpointAwsService.EcrDocker
+    });
+
+    // When working with an interface endpoint, use the connections object to
+    // allow traffic to flow to the endpoint.
+    ecrDockerEndpoint.connections.allowFromAnyIPv4(new ec2.TcpPort(443));
+    /// !hide
+  }
+}
 
+new VpcEndpointStack(app, 'aws-cdk-ec2-vpc-endpoint');
 app.run();