Package software.amazon.awscdk.services.ec2.alpha

@Stability(Experimental) package software.amazon.awscdk.services.ec2.alpha

Amazon VpcV2 Construct Library

---

cdk-constructs: Developer Preview

The APIs of higher level constructs in this module are in developer preview before they become stable. We will only make breaking changes to address unforeseen API issues. Therefore, these APIs are not subject to Semantic Versioning, and breaking changes will be announced in release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.

VpcV2

VpcV2 is a re-write of the ec2.Vpc construct. This new construct enables higher level of customization on the VPC being created. VpcV2 implements the existing IVpc, therefore, VpcV2 is compatible with other constructs that accepts IVpc (e.g. ApplicationLoadBalancer).

VpcV2 supports the addition of both primary and secondary addresses. The primary address must be an IPv4 address, which can be specified as a CIDR string or assigned from an IPAM pool. Secondary addresses can be either IPv4 or IPv6. By default, VpcV2 assigns 10.0.0.0/16 as the primary CIDR if no other CIDR is specified.

Below is an example of creating a VPC with both IPv4 and IPv6 support: 

 Stack stack = new Stack();
 VpcV2.Builder.create(this, "Vpc")
         .primaryAddressBlock(IpAddresses.ipv4("10.0.0.0/24"))
         .secondaryAddressBlocks(List.of(IpAddresses.amazonProvidedIpv6(SecondaryAddressProps.builder().cidrBlockName("AmazonProvidedIpv6").build())))
         .build();

VpcV2 does not automatically create subnets or allocate IP addresses, which is different from the Vpc construct.

SubnetV2

SubnetV2 is a re-write of the ec2.Subnet construct. This new construct can be used to add subnets to a VpcV2 instance: Note: When defining a subnet with SubnetV2, CDK automatically creates a new route table, unless a route table is explicitly provided as an input to the construct. 

 Stack stack = new Stack();
 VpcV2 myVpc = VpcV2.Builder.create(this, "Vpc")
         .secondaryAddressBlocks(List.of(IpAddresses.amazonProvidedIpv6(SecondaryAddressProps.builder().cidrBlockName("AmazonProvidedIp").build())))
         .build();
 
 SubnetV2.Builder.create(this, "subnetA")
         .vpc(myVpc)
         .availabilityZone("us-east-1a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .ipv6CidrBlock(new IpCidr("2a05:d02c:25:4000::/60"))
         .subnetType(SubnetType.PRIVATE_ISOLATED)
         .build();

Since VpcV2 does not create subnets automatically, users have full control over IP addresses allocation across subnets.

IP Addresses Management

Additional CIDRs can be added to the VPC via the secondaryAddressBlocks property. The following example illustrates the options of defining these secondary address blocks using IPAM:

Note: There’s currently an issue with IPAM pool deletion that may affect the cdk --destroy command. This is because IPAM takes time to detect when the IP address pool has been deallocated after the VPC is deleted. The current workaround is to wait until the IP address is fully deallocated from the pool before retrying the deletion. Below command can be used to check allocations for a pool using CLI 

 aws ec2 get-ipam-pool-allocations --ipam-pool-id <ipam-pool-id>

Ref: https://docs.aws.amazon.com/cli/latest/reference/ec2/get-ipam-pool-allocations.html 

 Stack stack = new Stack();
 Ipam ipam = Ipam.Builder.create(this, "Ipam")
         .operatingRegions(List.of("us-west-1"))
         .build();
 IIpamPool ipamPublicPool = ipam.publicScope.addPool("PublicPoolA", PoolOptions.builder()
         .addressFamily(AddressFamily.IP_V6)
         .awsService(AwsServiceName.EC2)
         .locale("us-west-1")
         .publicIpSource(IpamPoolPublicIpSource.AMAZON)
         .build());
 ipamPublicPool.provisionCidr("PublicPoolACidrA", IpamPoolCidrProvisioningOptions.builder().netmaskLength(52).build());
 
 IIpamPool ipamPrivatePool = ipam.privateScope.addPool("PrivatePoolA", PoolOptions.builder()
         .addressFamily(AddressFamily.IP_V4)
         .build());
 ipamPrivatePool.provisionCidr("PrivatePoolACidrA", IpamPoolCidrProvisioningOptions.builder().netmaskLength(8).build());
 
 VpcV2.Builder.create(this, "Vpc")
         .primaryAddressBlock(IpAddresses.ipv4("10.0.0.0/24"))
         .secondaryAddressBlocks(List.of(IpAddresses.amazonProvidedIpv6(SecondaryAddressProps.builder().cidrBlockName("AmazonIpv6").build()), IpAddresses.ipv6Ipam(IpamOptions.builder()
                 .ipamPool(ipamPublicPool)
                 .netmaskLength(52)
                 .cidrBlockName("ipv6Ipam")
                 .build()), IpAddresses.ipv4Ipam(IpamOptions.builder()
                 .ipamPool(ipamPrivatePool)
                 .netmaskLength(8)
                 .cidrBlockName("ipv4Ipam")
                 .build())))
         .build();

Bring your own IPv6 addresses (BYOIP)

If you have your own IP address that you would like to use with EC2, you can set up an IPv6 pool via the AWS CLI, and use that pool ID in your application.

Once you have certified your IP address block with an ROA and have obtained an X-509 certificate, you can run the following command to provision your CIDR block in your AWS account: 

 aws ec2 provision-byoip-cidr --region <region> --cidr <your CIDR block> --cidr-authorization-context Message="1|aws|<account>|<your CIDR block>|<expiration date>|SHA256".Signature="<signature>"

When your BYOIP CIDR is provisioned, you can run the following command to retrieve your IPv6 pool ID, which will be used in your VPC declaration: 

 aws ec2 describe-byoip-cidr --region <region>

For more help on setting up your IPv6 address, please review the EC2 Documentation.

Once you have provisioned your address block, you can use the IPv6 in your VPC as follows: 

 VpcV2 myVpc = VpcV2.Builder.create(this, "Vpc")
         .primaryAddressBlock(IpAddresses.ipv4("10.1.0.0/16"))
         .secondaryAddressBlocks(List.of(IpAddresses.ipv6ByoipPool(Ipv6PoolSecondaryAddressProps.builder()
                 .cidrBlockName("MyByoipCidrBlock")
                 .ipv6PoolId("ipv6pool-ec2-someHashValue")
                 .ipv6CidrBlock("2001:db8::/32")
                 .build())))
         .enableDnsHostnames(true)
         .enableDnsSupport(true)
         .build();

Routing

RouteTable is a new construct that allows for route tables to be customized in a variety of ways. Using this construct, a customized route table can be added to the subnets defined using SubnetV2. For instance, the following example shows how a custom route table can be created and appended to a SubnetV2: 

 VpcV2 myVpc = new VpcV2(this, "Vpc");
 RouteTable routeTable = RouteTable.Builder.create(this, "RouteTable")
         .vpc(myVpc)
         .build();
 SubnetV2 subnet = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .routeTable(routeTable)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .subnetType(SubnetType.PRIVATE_ISOLATED)
         .build();

Routes can be created to link subnets to various different AWS services via gateways and endpoints. Each unique route target has its own dedicated construct that can be routed to a given subnet via the Route construct. An example using the InternetGateway construct can be seen below: 

 Stack stack = new Stack();
 VpcV2 myVpc = new VpcV2(this, "Vpc");
 RouteTable routeTable = RouteTable.Builder.create(this, "RouteTable")
         .vpc(myVpc)
         .build();
 SubnetV2 subnet = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .subnetType(SubnetType.PRIVATE_ISOLATED)
         .build();
 
 InternetGateway igw = InternetGateway.Builder.create(this, "IGW")
         .vpc(myVpc)
         .build();
 Route.Builder.create(this, "IgwRoute")
         .routeTable(routeTable)
         .destination("0.0.0.0/0")
         .target(Map.of("gateway", igw))
         .build();

Alternatively, Routes can also be created via method addRoute in the RouteTable class. An example using the EgressOnlyInternetGateway construct can be seen below: Note: EgressOnlyInternetGateway can only be used to set up outbound IPv6 routing. 

 Stack stack = new Stack();
 VpcV2 myVpc = VpcV2.Builder.create(this, "Vpc")
         .primaryAddressBlock(IpAddresses.ipv4("10.1.0.0/16"))
         .secondaryAddressBlocks(List.of(IpAddresses.amazonProvidedIpv6(SecondaryAddressProps.builder()
                 .cidrBlockName("AmazonProvided")
                 .build())))
         .build();
 
 EgressOnlyInternetGateway eigw = EgressOnlyInternetGateway.Builder.create(this, "EIGW")
         .vpc(myVpc)
         .build();
 
 RouteTable routeTable = RouteTable.Builder.create(this, "RouteTable")
         .vpc(myVpc)
         .build();
 
 routeTable.addRoute("EIGW", "::/0", Map.of("gateway", eigw));

Other route targets may require a deeper set of parameters to set up properly. For instance, the example below illustrates how to set up a NatGateway: 

 VpcV2 myVpc = new VpcV2(this, "Vpc");
 RouteTable routeTable = RouteTable.Builder.create(this, "RouteTable")
         .vpc(myVpc)
         .build();
 SubnetV2 subnet = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .subnetType(SubnetType.PRIVATE_ISOLATED)
         .build();
 
 NatGateway natgw = NatGateway.Builder.create(this, "NatGW")
         .subnet(subnet)
         .vpc(myVpc)
         .connectivityType(NatConnectivityType.PRIVATE)
         .privateIpAddress("10.0.0.42")
         .build();
 Route.Builder.create(this, "NatGwRoute")
         .routeTable(routeTable)
         .destination("0.0.0.0/0")
         .target(Map.of("gateway", natgw))
         .build();

It is also possible to set up endpoints connecting other AWS services. For instance, the example below illustrates the linking of a Dynamo DB endpoint via the existing ec2.GatewayVpcEndpoint construct as a route target: 

 Stack stack = new Stack();
 VpcV2 myVpc = new VpcV2(this, "Vpc");
 RouteTable routeTable = RouteTable.Builder.create(this, "RouteTable")
         .vpc(myVpc)
         .build();
 SubnetV2 subnet = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .subnetType(SubnetType.PRIVATE)
         .build();
 
 GatewayVpcEndpoint dynamoEndpoint = GatewayVpcEndpoint.Builder.create(this, "DynamoEndpoint")
         .service(GatewayVpcEndpointAwsService.DYNAMODB)
         .vpc(myVpc)
         .subnets(List.of(subnet))
         .build();
 Route.Builder.create(this, "DynamoDBRoute")
         .routeTable(routeTable)
         .destination("0.0.0.0/0")
         .target(Map.of("endpoint", dynamoEndpoint))
         .build();

VPC Peering Connection

VPC peering connection allows you to connect two VPCs and route traffic between them using private IP addresses. The VpcV2 construct supports creating VPC peering connections through the VPCPeeringConnection construct from the route module.

Peering Connection cannot be established between two VPCs with overlapping CIDR ranges. Please make sure the two VPC CIDRs do not overlap with each other else it will throw an error.

For more information, see What is VPC peering?.

The following show examples of how to create a peering connection between two VPCs for all possible combinations of same-account or cross-account, and same-region or cross-region configurations.

Note: You cannot create a VPC peering connection between VPCs that have matching or overlapping CIDR blocks

Case 1: Same Account and Same Region Peering Connection 

 Stack stack = new Stack();
 
 VpcV2 vpcA = VpcV2.Builder.create(this, "VpcA")
         .primaryAddressBlock(IpAddresses.ipv4("10.0.0.0/16"))
         .build();
 
 VpcV2 vpcB = VpcV2.Builder.create(this, "VpcB")
         .primaryAddressBlock(IpAddresses.ipv4("10.1.0.0/16"))
         .build();
 
 VPCPeeringConnection peeringConnection = vpcA.createPeeringConnection("sameAccountSameRegionPeering", VPCPeeringConnectionOptions.builder()
         .acceptorVpc(vpcB)
         .build());

Case 2: Same Account and Cross Region Peering Connection

There is no difference from Case 1 when calling createPeeringConnection. The only change is that one of the VPCs are created in another stack with a different region. To establish cross region VPC peering connection, acceptorVpc needs to be imported to the requestor VPC stack using fromVpcV2Attributes method. 

 App app = new App();
 
 Stack stackA = Stack.Builder.create(app, "VpcStackA").env(Environment.builder().account("000000000000").region("us-east-1").build()).build();
 Stack stackB = Stack.Builder.create(app, "VpcStackB").env(Environment.builder().account("000000000000").region("us-west-2").build()).build();
 
 VpcV2 vpcA = VpcV2.Builder.create(stackA, "VpcA")
         .primaryAddressBlock(IpAddresses.ipv4("10.0.0.0/16"))
         .build();
 
 VpcV2.Builder.create(stackB, "VpcB")
         .primaryAddressBlock(IpAddresses.ipv4("10.1.0.0/16"))
         .build();
 
 IVpcV2 vpcB = VpcV2.fromVpcV2Attributes(stackA, "ImportedVpcB", VpcV2Attributes.builder()
         .vpcId("MockVpcBid")
         .vpcCidrBlock("10.1.0.0/16")
         .region("us-west-2")
         .ownerAccountId("000000000000")
         .build());
 
 VPCPeeringConnection peeringConnection = vpcA.createPeeringConnection("sameAccountCrossRegionPeering", VPCPeeringConnectionOptions.builder()
         .acceptorVpc(vpcB)
         .build());

Case 3: Cross Account Peering Connection

For cross-account connections, the acceptor account needs an IAM role that grants the requestor account permission to initiate the connection. Create a new IAM role in the acceptor account using method createAcceptorVpcRole to provide the necessary permissions.

Once role is created in account, provide role arn for field peerRoleArn under method createPeeringConnection 

 Stack stack = new Stack();
 
 VpcV2 acceptorVpc = VpcV2.Builder.create(this, "VpcA")
         .primaryAddressBlock(IpAddresses.ipv4("10.0.0.0/16"))
         .build();
 
 Role acceptorRoleArn = acceptorVpc.createAcceptorVpcRole("000000000000");

After creating an IAM role in the acceptor account, we can initiate the peering connection request from the requestor VPC. Import acceptorVpc to the stack using fromVpcV2Attributes method, it is recommended to specify owner account id of the acceptor VPC in case of cross account peering connection, if acceptor VPC is hosted in different region provide region value for import as well. The following code snippet demonstrates how to set up VPC peering between two VPCs in different AWS accounts using CDK: 

 Stack stack = new Stack();
 
 IVpcV2 acceptorVpc = VpcV2.fromVpcV2Attributes(this, "acceptorVpc", VpcV2Attributes.builder()
         .vpcId("vpc-XXXX")
         .vpcCidrBlock("10.0.0.0/16")
         .region("us-east-2")
         .ownerAccountId("111111111111")
         .build());
 
 String acceptorRoleArn = "arn:aws:iam::111111111111:role/VpcPeeringRole";
 
 VpcV2 requestorVpc = VpcV2.Builder.create(this, "VpcB")
         .primaryAddressBlock(IpAddresses.ipv4("10.1.0.0/16"))
         .build();
 
 VPCPeeringConnection peeringConnection = requestorVpc.createPeeringConnection("crossAccountCrossRegionPeering", VPCPeeringConnectionOptions.builder()
         .acceptorVpc(acceptorVpc)
         .peerRoleArn(acceptorRoleArn)
         .build());

Route Table Configuration

After establishing the VPC peering connection, routes must be added to the respective route tables in the VPCs to enable traffic flow. If a route is added to the requestor stack, information will be able to flow from the requestor VPC to the acceptor VPC, but not in the reverse direction. For bi-directional communication, routes need to be added in both VPCs from their respective stacks.

For more information, see Update your route tables for a VPC peering connection. 

 Stack stack = new Stack();
 
 VpcV2 acceptorVpc = VpcV2.Builder.create(this, "VpcA")
         .primaryAddressBlock(IpAddresses.ipv4("10.0.0.0/16"))
         .build();
 
 VpcV2 requestorVpc = VpcV2.Builder.create(this, "VpcB")
         .primaryAddressBlock(IpAddresses.ipv4("10.1.0.0/16"))
         .build();
 
 VPCPeeringConnection peeringConnection = requestorVpc.createPeeringConnection("peeringConnection", VPCPeeringConnectionOptions.builder()
         .acceptorVpc(acceptorVpc)
         .build());
 
 RouteTable routeTable = RouteTable.Builder.create(this, "RouteTable")
         .vpc(requestorVpc)
         .build();
 
 routeTable.addRoute("vpcPeeringRoute", "10.0.0.0/16", Map.of("gateway", peeringConnection));

This can also be done using AWS CLI. For more information, see create-route. 

 # Add a route to the requestor VPC route table
 aws ec2 create-route --route-table-id rtb-requestor --destination-cidr-block 10.0.0.0/16 --vpc-peering-connection-id pcx-xxxxxxxx
 
 # For bi-directional add a route in the acceptor vpc account as well
 aws ec2 create-route --route-table-id rtb-acceptor --destination-cidr-block 10.1.0.0/16 --vpc-peering-connection-id pcx-xxxxxxxx

Deleting the Peering Connection

To delete a VPC peering connection, use the following command: 

 aws ec2 delete-vpc-peering-connection --vpc-peering-connection-id pcx-xxxxxxxx

For more information, see Delete a VPC peering connection.

Adding Egress-Only Internet Gateway to VPC

An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.

For more information see Enable outbound IPv6 traffic using an egress-only internet gateway.

VpcV2 supports adding an egress only internet gateway to VPC using the addEgressOnlyInternetGateway method.

By default, this method sets up a route to all outbound IPv6 address ranges, unless a specific destination is provided by the user. It can only be configured for IPv6-enabled VPCs. The Subnets parameter accepts a SubnetFilter, which can be based on a SubnetType in VpcV2. A new route will be added to the route tables of all subnets that match this filter. 

 Stack stack = new Stack();
 VpcV2 myVpc = VpcV2.Builder.create(this, "Vpc")
         .primaryAddressBlock(IpAddresses.ipv4("10.1.0.0/16"))
         .secondaryAddressBlocks(List.of(IpAddresses.amazonProvidedIpv6(SecondaryAddressProps.builder()
                 .cidrBlockName("AmazonProvided")
                 .build())))
         .build();
 RouteTable routeTable = RouteTable.Builder.create(this, "RouteTable")
         .vpc(myVpc)
         .build();
 SubnetV2 subnet = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .ipv6CidrBlock(new IpCidr("2001:db8:1::/64"))
         .subnetType(SubnetType.PRIVATE)
         .build();
 
 myVpc.addEgressOnlyInternetGateway(EgressOnlyInternetGatewayOptions.builder()
         .subnets(List.of(SubnetSelection.builder().subnetType(SubnetType.PRIVATE).build()))
         .destination("::/60")
         .build());

Adding NATGateway to the VPC

A NAT gateway is a Network Address Translation (NAT) service.You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

For more information, see NAT gateway basics.

When you create a NAT gateway, you specify one of the following connectivity types:

Public – (Default): Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet

Private: Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway.

To define the NAT gateway connectivity type as ConnectivityType.Public, you need to ensure that there is an IGW(Internet Gateway) attached to the subnet's VPC. Since a NATGW is associated with a particular subnet, providing subnet field in the input props is mandatory.

Additionally, you can set up a route in any route table with the target set to the NAT Gateway. The function addNatGateway returns a NATGateway object that you can reference later.

The code example below provides the definition for adding a NAT gateway to your subnet: 

 Stack stack = new Stack();
 VpcV2 myVpc = new VpcV2(this, "Vpc");
 RouteTable routeTable = RouteTable.Builder.create(this, "RouteTable")
         .vpc(myVpc)
         .build();
 SubnetV2 subnet = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .subnetType(SubnetType.PUBLIC)
         .build();
 
 myVpc.addInternetGateway();
 myVpc.addNatGateway(NatGatewayOptions.builder()
         .subnet(subnet)
         .connectivityType(NatConnectivityType.PUBLIC)
         .build());

Enable VPNGateway for the VPC

A virtual private gateway is the endpoint on the VPC side of your VPN connection.

For more information, see What is AWS Site-to-Site VPN?.

VPN route propagation is a feature in Amazon Web Services (AWS) that automatically updates route tables in your Virtual Private Cloud (VPC) with routes learned from a VPN connection.

To enable VPN route propagation, use the vpnRoutePropagation property to specify the subnets as an input to the function. VPN route propagation will then be enabled for each subnet with the corresponding route table IDs.

Additionally, you can set up a route in any route table with the target set to the VPN Gateway. The function enableVpnGatewayV2 returns a VPNGatewayV2 object that you can reference later.

The code example below provides the definition for setting up a VPN gateway with vpnRoutePropagation enabled: 

 Stack stack = new Stack();
 VpcV2 myVpc = new VpcV2(this, "Vpc");
 VPNGatewayV2 vpnGateway = myVpc.enableVpnGatewayV2(VPNGatewayV2Options.builder()
         .vpnRoutePropagation(List.of(SubnetSelection.builder().subnetType(SubnetType.PUBLIC).build()))
         .type(VpnConnectionType.IPSEC_1)
         .build());
 
 RouteTable routeTable = RouteTable.Builder.create(stack, "routeTable")
         .vpc(myVpc)
         .build();
 
 Route.Builder.create(stack, "route")
         .destination("172.31.0.0/24")
         .target(Map.of("gateway", vpnGateway))
         .routeTable(routeTable)
         .build();

Adding InternetGateway to the VPC

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It supports both IPv4 and IPv6 traffic.

For more information, see Enable VPC internet access using internet gateways.

You can add an internet gateway to a VPC using addInternetGateway method. By default, this method creates a route in all Public Subnets with outbound destination set to 0.0.0.0 for IPv4 and ::0 for IPv6 enabled VPC. Instead of using the default settings, you can configure a custom destination range by providing an optional input destination to the method. In addition to the custom IP range, you can also choose to filter subnets where default routes should be created.

The code example below shows how to add an internet gateway with a custom outbound destination IP range: 

 Stack stack = new Stack();
 VpcV2 myVpc = new VpcV2(this, "Vpc");
 
 SubnetV2 subnet = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .subnetType(SubnetType.PUBLIC)
         .build();
 
 myVpc.addInternetGateway(InternetGatewayOptions.builder()
         .ipv4Destination("192.168.0.0/16")
         .build());

The following code examples demonstrates how to add an internet gateway with a custom outbound destination IP range for specific subnets: 

 Stack stack = new Stack();
 VpcV2 myVpc = new VpcV2(this, "Vpc");
 
 SubnetV2 mySubnet = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .subnetType(SubnetType.PUBLIC)
         .build();
 
 myVpc.addInternetGateway(InternetGatewayOptions.builder()
         .ipv4Destination("192.168.0.0/16")
         .subnets(List.of(mySubnet))
         .build());
 

 Stack stack = new Stack();
 VpcV2 myVpc = new VpcV2(this, "Vpc");
 
 myVpc.addInternetGateway(InternetGatewayOptions.builder()
         .ipv4Destination("192.168.0.0/16")
         .subnets(List.of(SubnetSelection.builder().subnetType(SubnetType.PRIVATE_WITH_EGRESS).build()))
         .build());

Importing an existing VPC

You can import an existing VPC and its subnets using the VpcV2.fromVpcV2Attributes() method or an individual subnet using SubnetV2.fromSubnetV2Attributes() method.

Importing a VPC

To import an existing VPC, use the VpcV2.fromVpcV2Attributes() method. You'll need to provide the VPC ID, primary CIDR block, and information about the subnets. You can import secondary address as well created through IPAM, BYOIP(IPv4) or enabled through Amazon Provided IPv6. You must provide VPC Id and its primary CIDR block for importing it.

If you wish to add a new subnet to imported VPC, new subnet's IP range(IPv4) will be validated against provided secondary and primary address block to confirm that it is within the the range of VPC.

Here's an example of importing a VPC with only the required parameters 

 Stack stack = new Stack();
 
 IVpcV2 importedVpc = VpcV2.fromVpcV2Attributes(stack, "ImportedVpc", VpcV2Attributes.builder()
         .vpcId("mockVpcID")
         .vpcCidrBlock("10.0.0.0/16")
         .build());

In case of cross account or cross region VPC, its recommended to provide region and ownerAccountId so that these values for the VPC can be used to populate correct arn value for the VPC. If a VPC region and account ID is not provided, then region and account configured in the stack will be used. Furthermore, these fields will be referenced later while setting up VPC peering connection, so its necessary to set these fields to a correct value.

Below is an example of importing a cross region and cross account VPC, VPC arn for this case would be 'arn:aws:ec2:us-west-2:123456789012:vpc/mockVpcID' 

 Stack stack = new Stack();
 
 //Importing a cross account or cross region VPC
 IVpcV2 importedVpc = VpcV2.fromVpcV2Attributes(stack, "ImportedVpc", VpcV2Attributes.builder()
         .vpcId("mockVpcID")
         .vpcCidrBlock("10.0.0.0/16")
         .ownerAccountId("123456789012")
         .region("us-west-2")
         .build());

Here's an example of how to import a VPC with multiple CIDR blocks, IPv6 support, and different subnet types:

In this example, we're importing a VPC with:

  • A primary CIDR block (10.1.0.0/16)
  • One secondary IPv4 CIDR block (10.2.0.0/16)
  • Two secondary address using IPAM pool (IPv4 and IPv6)
  • VPC has Amazon-provided IPv6 CIDR enabled
  • An isolated subnet in us-west-2a
  • A public subnet in us-west-2b

 Stack stack = new Stack();
 
 IVpcV2 importedVpc = VpcV2.fromVpcV2Attributes(this, "ImportedVPC", VpcV2Attributes.builder()
         .vpcId("vpc-XXX")
         .vpcCidrBlock("10.1.0.0/16")
         .secondaryCidrBlocks(List.of(VPCCidrBlockattributes.builder()
                 .cidrBlock("10.2.0.0/16")
                 .cidrBlockName("ImportedBlock1")
                 .build(), VPCCidrBlockattributes.builder()
                 .ipv6IpamPoolId("ipam-pool-XXX")
                 .ipv6NetmaskLength(52)
                 .cidrBlockName("ImportedIpamIpv6")
                 .build(), VPCCidrBlockattributes.builder()
                 .ipv4IpamPoolId("ipam-pool-XXX")
                 .ipv4IpamProvisionedCidrs(List.of("10.2.0.0/16"))
                 .cidrBlockName("ImportedIpamIpv4")
                 .build(), VPCCidrBlockattributes.builder()
                 .amazonProvidedIpv6CidrBlock(true)
                 .build()))
         .subnets(List.of(SubnetV2Attributes.builder()
                 .subnetName("IsolatedSubnet2")
                 .subnetId("subnet-03cd773c0fe08ed26")
                 .subnetType(SubnetType.PRIVATE_ISOLATED)
                 .availabilityZone("us-west-2a")
                 .ipv4CidrBlock("10.2.0.0/24")
                 .routeTableId("rtb-0871c310f98da2cbb")
                 .build(), SubnetV2Attributes.builder()
                 .subnetId("subnet-0fa477e01db27d820")
                 .subnetType(SubnetType.PUBLIC)
                 .availabilityZone("us-west-2b")
                 .ipv4CidrBlock("10.3.0.0/24")
                 .routeTableId("rtb-014f3043098fe4b96")
                 .build()))
         .build());
 
 // You can now use the imported VPC in your stack
 
 // Adding a new subnet to the imported VPC
 SubnetV2 importedSubnet = SubnetV2.Builder.create(this, "NewSubnet")
         .availabilityZone("us-west-2a")
         .ipv4CidrBlock(new IpCidr("10.2.2.0/24"))
         .vpc(importedVpc)
         .subnetType(SubnetType.PUBLIC)
         .build();
 
 // Adding gateways to the imported VPC
 importedVpc.addInternetGateway();
 importedVpc.addNatGateway(NatGatewayOptions.builder().subnet(importedSubnet).build());
 importedVpc.addEgressOnlyInternetGateway();

You can add more subnets as needed by including additional entries in the isolatedSubnets, publicSubnets, or other subnet type arrays (e.g., privateSubnets).

Importing Subnets

You can also import individual subnets using the SubnetV2.fromSubnetV2Attributes() method. This is useful when you need to work with specific subnets independently of a VPC.

Here's an example of how to import a subnet: 

 SubnetV2.fromSubnetV2Attributes(this, "ImportedSubnet", SubnetV2Attributes.builder()
         .subnetId("subnet-0123456789abcdef0")
         .availabilityZone("us-west-2a")
         .ipv4CidrBlock("10.2.0.0/24")
         .routeTableId("rtb-0871c310f98da2cbb")
         .subnetType(SubnetType.PRIVATE_ISOLATED)
         .build());

By importing existing VPCs and subnets, you can easily integrate your existing AWS infrastructure with new resources created through CDK. This is particularly useful when you need to work with pre-existing network configurations or when you're migrating existing infrastructure to CDK.

Tagging VPC and its components

By default, when a resource name is given to the construct, it automatically adds a tag with the key Name and the value set to the provided resource name. To add additional custom tags, use the Tag Manager, like this: Tags.of(myConstruct).add('key', 'value');.

For example, if the vpcName is set to TestVpc, the following code will add a tag to the VPC with key: Name and value: TestVpc. 

 VpcV2 vpc = VpcV2.Builder.create(this, "VPC-integ-test-tag")
         .primaryAddressBlock(IpAddresses.ipv4("10.1.0.0/16"))
         .enableDnsHostnames(true)
         .enableDnsSupport(true)
         .vpcName("CDKintegTestVPC")
         .build();
 
 // Add custom tags if needed
 Tags.of(vpc).add("Environment", "Production");

Transit Gateway

The AWS Transit Gateway construct library allows you to create and configure Transit Gateway resources using AWS CDK.

See AWS Transit Gateway Docs for more info.

Overview

The Transit Gateway construct (TransitGateway) is the main entry point for creating and managing your Transit Gateway infrastructure. It provides methods to create route tables, attach VPCs, and configure cross-account access.

The Transit Gateway construct library provides four main constructs:

  • TransitGateway: The central hub for your network connections
  • TransitGatewayRouteTable: Manages routing between attached networks
  • TransitGatewayVpcAttachment: Connects VPCs to the Transit Gateway
  • TransitGatewayRoute: Defines routing rules within your Transit Gateway

Basic Usage

To create a minimal deployable TransitGateway: 

 TransitGateway transitGateway = new TransitGateway(this, "MyTransitGateway");

Default Transit Gateway Route Table

By default, TransitGateway is created with a default TransitGatewayRouteTable, for which automatic Associations and automatic Propagations are enabled.

Note: When you create a default Transit Gateway in AWS Console, a default Transit Gateway Route Table is automatically created by AWS. However, when using the CDK Transit Gateway L2 construct, the underlying L1 construct is configured with defaultRouteTableAssociation and defaultRouteTablePropagation explicitly disabled. This ensures that AWS does not create the default route table, allowing the CDK to define a custom default route table instead.

As a result, in the AWS Console, the Default association route table and Default propagation route table settings will appear as disabled. Despite this, the CDK still provides automatic association and propagation functionality through its internal implementation, which can be controlled using the defaultRouteTableAssociation and defaultRouteTablePropagation properties within the CDK.

You can disable the automatic Association/Propagation on the default TransitGatewayRouteTable via the TransitGateway properties. This will still create a default route table for you: 

 TransitGateway transitGateway = TransitGateway.Builder.create(this, "MyTransitGateway")
         .defaultRouteTableAssociation(false)
         .defaultRouteTablePropagation(false)
         .build();

Transit Gateway Route Table Management

Add additional Transit Gateway Route Tables using the addRouteTable() method: 

 TransitGateway transitGateway = new TransitGateway(this, "MyTransitGateway");
 
 ITransitGatewayRouteTable routeTable = transitGateway.addRouteTable("CustomRouteTable");

Attaching VPCs to the Transit Gateway

Currently only VPC to Transit Gateway attachments are supported.

Create an attachment from a VPC to the Transit Gateway using the attachVpc() method: 

 VpcV2 myVpc = new VpcV2(this, "Vpc");
 SubnetV2 subnet1 = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .subnetType(SubnetType.PUBLIC)
         .build();
 
 SubnetV2 subnet2 = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.1.0/24"))
         .subnetType(SubnetType.PUBLIC)
         .build();
 
 TransitGateway transitGateway = new TransitGateway(this, "MyTransitGateway");
 
 // Create a basic attachment
 ITransitGatewayVpcAttachment attachment = transitGateway.attachVpc("VpcAttachment", AttachVpcOptions.builder()
         .vpc(myVpc)
         .subnets(List.of(subnet1, subnet2))
         .build());
 
 // Create an attachment with optional parameters
 ITransitGatewayVpcAttachment attachmentWithOptions = transitGateway.attachVpc("VpcAttachmentWithOptions", AttachVpcOptions.builder()
         .vpc(myVpc)
         .subnets(List.of(subnet1))
         .vpcAttachmentOptions(Map.of(
                 "dnsSupport", true,
                 "applianceModeSupport", true,
                 "ipv6Support", true,
                 "securityGroupReferencingSupport", true))
         .build());

If you want to automatically associate and propagate routes with transit gateway route tables, you can pass the associationRouteTable and propagationRouteTables parameters. This will automatically create the necessary associations and propagations based on the provided route tables. 

 VpcV2 myVpc = new VpcV2(this, "Vpc");
 SubnetV2 subnet1 = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .subnetType(SubnetType.PUBLIC)
         .build();
 
 SubnetV2 subnet2 = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.1.0/24"))
         .subnetType(SubnetType.PUBLIC)
         .build();
 
 TransitGateway transitGateway = new TransitGateway(this, "MyTransitGateway");
 ITransitGatewayRouteTable associationRouteTable = transitGateway.addRouteTable("AssociationRouteTable");
 ITransitGatewayRouteTable propagationRouteTable1 = transitGateway.addRouteTable("PropagationRouteTable1");
 ITransitGatewayRouteTable propagationRouteTable2 = transitGateway.addRouteTable("PropagationRouteTable2");
 
 // Create an attachment with automatically created association + propagations
 ITransitGatewayVpcAttachment attachmentWithRoutes = transitGateway.attachVpc("VpcAttachment", AttachVpcOptions.builder()
         .vpc(myVpc)
         .subnets(List.of(subnet1, subnet2))
         .associationRouteTable(associationRouteTable)
         .propagationRouteTables(List.of(propagationRouteTable1, propagationRouteTable2))
         .build());

In this example, the associationRouteTable is set to associationRouteTable, and propagationRouteTables is set to an array containing propagationRouteTable1 and propagationRouteTable2. This triggers the automatic creation of route table associations and route propagations between the Transit Gateway and the specified route tables.

Adding static routes to the route table

Add static routes using either the addRoute() method to add an active route or addBlackholeRoute() to add a blackhole route: 

 TransitGateway transitGateway = new TransitGateway(this, "MyTransitGateway");
 ITransitGatewayRouteTable routeTable = transitGateway.addRouteTable("CustomRouteTable");
 
 VpcV2 myVpc = new VpcV2(this, "Vpc");
 SubnetV2 subnet = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .subnetType(SubnetType.PUBLIC)
         .build();
 
 ITransitGatewayVpcAttachment attachment = transitGateway.attachVpc("VpcAttachment", AttachVpcOptions.builder()
         .vpc(myVpc)
         .subnets(List.of(subnet))
         .build());
 
 // Add a static route to direct traffic
 routeTable.addRoute("StaticRoute", attachment, "10.0.0.0/16");
 
 // Block unwanted traffic with a blackhole route
 routeTable.addBlackholeRoute("BlackholeRoute", "172.16.0.0/16");

Route Table Associations and Propagations

Configure route table associations and enable route propagation: 

 TransitGateway transitGateway = new TransitGateway(this, "MyTransitGateway");
 ITransitGatewayRouteTable routeTable = transitGateway.addRouteTable("CustomRouteTable");
 VpcV2 myVpc = new VpcV2(this, "Vpc");
 SubnetV2 subnet = SubnetV2.Builder.create(this, "Subnet")
         .vpc(myVpc)
         .availabilityZone("eu-west-2a")
         .ipv4CidrBlock(new IpCidr("10.0.0.0/24"))
         .subnetType(SubnetType.PUBLIC)
         .build();
 ITransitGatewayVpcAttachment attachment = transitGateway.attachVpc("VpcAttachment", AttachVpcOptions.builder()
         .vpc(myVpc)
         .subnets(List.of(subnet))
         .build());
 
 // Associate an attachment with a route table
 routeTable.addAssociation("Association", attachment);
 
 // Enable route propagation for an attachment
 routeTable.enablePropagation("Propagation", attachment);

Associations — The linking of a Transit Gateway attachment to a specific route table, which determines which routes that attachment will use for routing decisions.

Propagation — The automatic advertisement of routes from an attachment to a route table, allowing the route table to learn about available network destinations.