IVpc
- class aws_cdk.aws_ec2.IVpc(*args, **kwargs)
Bases: IResource, Protocol
Methods
- add_client_vpn_endpoint(id, *, cidr, server_certificate_arn, authorize_all_users_to_vpc_cidr=None, client_certificate_arn=None, client_connection_handler=None, client_login_banner=None, description=None, dns_servers=None, logging=None, log_group=None, log_stream=None, port=None, security_groups=None, self_service_portal=None, session_timeout=None, split_tunnel=None, transport_protocol=None, user_based_authentication=None, vpc_subnets=None)
Adds a new client VPN endpoint to this VPC.
- Parameters:
- id (str) –
- cidr (str) – The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The range cannot overlap the local CIDR of the VPC in which the associated subnet is located, or any routes that you add manually. Changing the address range replaces the Client VPN endpoint. The block size must be /22 or larger.
- server_certificate_arn (str) – The ARN of the server certificate.
- authorize_all_users_to_vpc_cidr (Optional[bool]) – Whether to authorize all users to the VPC CIDR. This automatically creates an authorization rule that lets every authenticated client reach the entire VPC CIDR. Set this to false and use add_authorization_rule() on the returned endpoint to create narrower rules instead. Default: true
- client_certificate_arn (Optional[str]) – The ARN of the client certificate for mutual authentication. The certificate must be signed by a certificate authority (CA) and must be provisioned in AWS Certificate Manager (ACM). Default: - use user-based authentication
- client_connection_handler (Optional[IClientVpnConnectionHandler]) – The AWS Lambda function used for connection authorization. The name of the Lambda function must begin with the AWSClientVPN- prefix. Default: - no connection handler
- client_login_banner (Optional[str]) – Customizable text displayed in a banner on AWS-provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters. Default: - no banner is presented to the client
- description (Optional[str]) – A brief description of the Client VPN endpoint. Default: - no description
- dns_servers (Optional[Sequence[str]]) – The DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. Default: - use the DNS address configured on the device
- logging (Optional[bool]) – Whether to enable connection logging. Default: true
- log_group (Optional[ILogGroup]) – A CloudWatch Logs log group for connection logging. Default: - a new group is created
- log_stream (Optional[ILogStream]) – A CloudWatch Logs log stream for connection logging. Default: - a new stream is created
- port (Optional[VpnPort]) – The port number to assign to the Client VPN endpoint for TCP and UDP traffic. Default: VpnPort.HTTPS
- security_groups (Optional[Sequence[ISecurityGroup]]) – The security groups to apply to the target network. Default: - a new security group is created
- self_service_portal (Optional[bool]) – Whether to enable the self-service portal for the Client VPN endpoint. Default: true
- session_timeout (Optional[ClientVpnSessionTimeout]) – The maximum VPN session duration. Default: ClientVpnSessionTimeout.TWENTY_FOUR_HOURS
- split_tunnel (Optional[bool]) – Whether split-tunnel is enabled on the AWS Client VPN endpoint. With split tunnel disabled, all client traffic is routed through the VPN endpoint. Default: false
- transport_protocol (Optional[TransportProtocol]) – The transport protocol to be used by the VPN session. Default: TransportProtocol.UDP
- user_based_authentication (Optional[ClientVpnUserBasedAuthentication]) – The type of user-based authentication to use. Default: - use mutual authentication
- vpc_subnets (Union[SubnetSelection, Dict[str, Any], None]) – Subnets to associate to the client VPN endpoint. Default: - the VPC default strategy
- Return type:
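The constraints on `cidr` above (block size, no overlap with the VPC CIDR or manually added routes) are enforced by the EC2 API rather than at synthesis, so a bad range surfaces only as a failed deployment. The following is an added example, not code from this page or from the CDK project, that pre-validates a proposed client range with the standard library. The page states only the /22 lower bound; the /12 upper bound is AWS's documented limit for client ranges. The helper name and the sample ranges are the example's own.

```python
import ipaddress

# Bounds on the client CIDR block size. The page gives the /22 bound; the
# /12 bound is AWS's documented upper limit for Client VPN client ranges.
MIN_PREFIX_LEN = 12   # largest permitted block is a /12
MAX_PREFIX_LEN = 22   # smallest permitted block is a /22


def check_client_vpn_cidr(client_cidr, vpc_cidr, manual_routes=()):
    """Return a list of problems with a proposed Client VPN client CIDR.

    An empty list means the range satisfies the constraints documented for
    add_client_vpn_endpoint(): a valid IPv4 network whose block size lies
    between /12 and /22 and which overlaps neither the VPC CIDR nor any
    route CIDR you intend to add manually (hypothetical helper).
    """
    problems = []
    try:
        # strict=True rejects ranges with host bits set, e.g. 10.0.1.0/22
        client = ipaddress.ip_network(client_cidr, strict=True)
    except ValueError as exc:
        return [f"client CIDR {client_cidr!r} is not a valid network: {exc}"]
    if client.version != 4:
        return [f"client CIDR {client} must be IPv4"]

    if client.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"block {client} is smaller than /{MAX_PREFIX_LEN}")
    if client.prefixlen < MIN_PREFIX_LEN:
        problems.append(f"block {client} is larger than /{MIN_PREFIX_LEN}")

    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    if client.overlaps(vpc):
        problems.append(f"{client} overlaps the VPC CIDR {vpc}")

    # Routes added later via add_route() must not overlap the client range either.
    for route in manual_routes:
        net = ipaddress.ip_network(route, strict=False)
        if client.overlaps(net):
            problems.append(f"{client} overlaps manual route {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a /22 carved out of the VPC's own range is rejected.
    for msg in check_client_vpn_cidr("10.0.4.0/22", "10.0.0.0/16",
                                     manual_routes=["192.168.0.0/16"]):
        print(msg)
```

Run the check in a unit test or a CDK aspect before `cdk deploy`; it is cheap and catches the overlap case, which is the one most often missed when the client range is picked from the same RFC 1918 block as the VPC.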
- add_flow_log(id, *, destination=None, log_format=None, max_aggregation_interval=None, traffic_type=None)
Adds a new Flow Log to this VPC.
- Parameters:
- id (str) –
- destination (Optional[FlowLogDestination]) – The destination to which the flow log data is published. Flow log data can be published to CloudWatch Logs or Amazon S3. Default: FlowLogDestination.to_cloud_watch_logs()
- log_format (Optional[Sequence[LogFormat]]) – The fields to include in the flow log record, in the order in which they should appear. If multiple fields are specified, they are separated by spaces. For full control over the literal log format string, pass a single field constructed with LogFormat.custom(). See https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records Default: - the default log format is used.
- max_aggregation_interval (Optional[FlowLogMaxAggregationInterval]) – The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. When creating flow logs for a Transit Gateway or Transit Gateway Attachment, this property must be ONE_MINUTE. Default: - FlowLogMaxAggregationInterval.ONE_MINUTE if creating flow logs for a Transit Gateway, otherwise FlowLogMaxAggregationInterval.TEN_MINUTES.
- traffic_type (Optional[FlowLogTrafficType]) – The type of traffic to log. You can log traffic that the resource accepts or rejects, or all traffic. When the target is either TransitGateway or TransitGatewayAttachment, setting the traffic type is not possible. Default: ALL
- Return type:
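A flow log is only a control if something reads it. As an added example (not code from this page or from the CDK project), the following parses records in the default format that add_flow_log() emits when log_format is not given, skips NODATA/SKIPDATA records whose fields are placeholders, and counts distinct rejected destination ports per source address, a simple port-scan signal. The field list is the documented version-2 default order; the sample records and function names are constructed for the example.

```python
from collections import Counter, defaultdict

# Field order of the default VPC Flow Logs record (format version 2), which is
# what add_flow_log() produces when log_format is not supplied.
DEFAULT_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()

# Constructed sample records (not captured from a real account).
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 44321 22 6 4 240 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 44322 3389 6 4 240 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 44323 445 6 4 240 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 50000 443 6 20 4000 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000059 - NODATA
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 51111 8080 6 1 60 1700000000 1700000059 REJECT OK
"""


def parse_record(line, fields=DEFAULT_FIELDS):
    """Split one space-separated flow log line into a dict keyed by field name.

    Returns None when the token count does not match the expected format, so
    a log produced with a custom log_format is not silently misread as the
    default one (hypothetical helper).
    """
    tokens = line.split()
    if len(tokens) != len(fields):
        return None
    return dict(zip(fields, tokens))


def rejected_ports_by_source(text, fields=DEFAULT_FIELDS, min_ports=1):
    """Count distinct REJECTed destination ports per source address.

    Records whose log-status is not OK (NODATA, SKIPDATA) carry '-' in the
    address and port fields and are ignored. Sources that hit at least
    `min_ports` distinct ports are returned, highest count first.
    """
    ports = defaultdict(set)
    for line in text.splitlines():
        rec = parse_record(line, fields)
        if rec is None or rec["log-status"] != "OK":
            continue
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(int(rec["dstport"]))
    counts = Counter({src: len(p) for src, p in ports.items()})
    return [(src, n) for src, n in counts.most_common() if n >= min_ports]


if __name__ == "__main__":
    for src, n in rejected_ports_by_source(SAMPLE_RECORDS, min_ports=2):
        print(f"{src} probed {n} distinct rejected ports")
```

If you pass a custom `log_format`, supply the matching field list to `parse_record`; the length check exists precisely so that a mismatch fails loudly rather than shifting every column by one.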
- add_gateway_endpoint(id, *, service, subnets=None)
Adds a new gateway endpoint to this VPC.
- Parameters:
- id (str) –
- service (IGatewayVpcEndpointService) – The service to use for this gateway VPC endpoint.
- subnets (Optional[Sequence[Union[SubnetSelection, Dict[str, Any]]]]) – Where to add endpoint routing. By default, this endpoint will be routable from all subnets in the VPC. Specify a list of subnet selection objects here to be more specific. Default: - All subnets in the VPC
- Return type:
- add_interface_endpoint(id, *, service, lookup_supported_azs=None, open=None, private_dns_enabled=None, security_groups=None, subnets=None)
Adds a new interface endpoint to this VPC.
- Parameters:
- id (str) –
- service (IInterfaceVpcEndpointService) – The service to use for this interface VPC endpoint.
- lookup_supported_azs (Optional[bool]) – Limit to only those availability zones where the endpoint service can be created. Setting this to true requires a lookup to be performed at synthesis time. Account and region must be set on the containing stack for this to work. Default: false
- open (Optional[bool]) – Whether to automatically allow VPC traffic to the endpoint. If enabled, the endpoint's security group receives an ingress rule allowing the service port from the VPC's CIDR range, so every host in the VPC can reach the endpoint. Set this to false and supply security_groups when only specific sources should reach it. Default: true
- private_dns_enabled (Optional[bool]) – Whether to associate a private hosted zone with the specified VPC. This allows you to make requests to the service using its default DNS hostname. Default: set by the instance of IInterfaceVpcEndpointService, or true if not defined by it
- security_groups (Optional[Sequence[ISecurityGroup]]) – The security groups to associate with this interface VPC endpoint. Default: - a new security group is created
- subnets (Union[SubnetSelection, Dict[str, Any], None]) – The subnets in which to create an endpoint network interface. At most one per availability zone. Default: - private subnets
- Return type:
- add_vpn_connection(id, *, ip, asn=None, static_routes=None, tunnel_options=None)
Adds a new VPN connection to this VPC.
- Parameters:
- id (str) –
- ip (str) – The IP address of the customer gateway.
- asn (Union[int, float, None]) – The ASN of the customer gateway. Default: 65000
- static_routes (Optional[Sequence[str]]) – The static routes to be routed from the VPN gateway to the customer gateway. Default: Dynamic routing (BGP)
- tunnel_options (Optional[Sequence[Union[VpnTunnelOption, Dict[str, Any]]]]) – The tunnel options for the VPN connection. At most two elements (one per tunnel). Duplicates not allowed. Default: Amazon generated tunnel options
- Return type:
- apply_removal_policy(policy)
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).
- Parameters:
- policy (RemovalPolicy) –
- Return type:
None
- enable_vpn_gateway(*, vpn_route_propagation=None, type, amazon_side_asn=None)
Adds a VPN Gateway to this VPC.
- Parameters:
- vpn_route_propagation (Optional[Sequence[Union[SubnetSelection, Dict[str, Any]]]]) – Subnets whose route tables should receive routes propagated from the VPN gateway. Default: no propagation
- type (str) – The VPN gateway type; ipsec.1 is the type AWS currently supports.
- amazon_side_asn (Union[int, float, None]) – Explicitly specify an ASN or let AWS pick one for you. Default: 65000
- Return type:
None
- select_subnets(*, availability_zones=None, one_per_az=None, subnet_filters=None, subnet_group_name=None, subnets=None, subnet_type=None)
Return information on the subnets appropriate for the given selection strategy.
Requires that at least one subnet is matched, throws a descriptive error message otherwise.
- Parameters:
- availability_zones (Optional[Sequence[str]]) – Select subnets only in the given AZs. Default: no filtering on AZs is done
- one_per_az (Optional[bool]) – If true, return at most one subnet per AZ. Default: false
- subnet_filters (Optional[Sequence[SubnetFilter]]) – List of provided subnet filters. Default: - none
- subnet_group_name (Optional[str]) – Select the subnet group with the given name. This only needs to be used if you have multiple subnet groups of the same type and you need to distinguish between them. Otherwise, prefer subnet_type. This field does not select individual subnets; it selects all subnets that share the given subnet group name. This is the name supplied in subnet_configuration. At most one of subnet_type and subnet_group_name can be supplied. Default: - Selection by type instead of by name
- subnets (Optional[Sequence[ISubnet]]) – Explicitly select individual subnets. Use this if you don't want to automatically use all subnets in a group, but have a need to control selection down to individual subnets. Cannot be specified together with subnet_type or subnet_group_name. Default: - Use all subnets in a selected group (all private subnets by default)
- subnet_type (Optional[SubnetType]) – Select all subnets of the given type. At most one of subnet_type and subnet_group_name can be supplied. Default: SubnetType.PRIVATE_WITH_EGRESS (or ISOLATED or PUBLIC if there are no PRIVATE_WITH_EGRESS subnets)
- Return type:
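The selection rules above (subnets is exclusive with subnet_type and subnet_group_name, which are exclusive with each other; the PRIVATE_WITH_EGRESS default falls back to isolated and then public subnets; AZ filtering; one_per_az) decide which subnets an endpoint, VPN association or workload lands in, so getting them wrong can silently place resources in a public subnet. The following is an added model of those documented rules in plain Python; it is not CDK's implementation and not code from this page. It runs over a constructed six-subnet layout, uses the SubnetType names PRIVATE_WITH_EGRESS, PRIVATE_ISOLATED and PUBLIC as strings, omits subnet_filters, and the Subnet class and group names are the example's own.

```python
from dataclasses import dataclass

# String stand-ins for the SubnetType enum members used by the fallback rule.
PRIVATE_WITH_EGRESS = "PRIVATE_WITH_EGRESS"
PRIVATE_ISOLATED = "PRIVATE_ISOLATED"
PUBLIC = "PUBLIC"


@dataclass(frozen=True)
class Subnet:
    """Minimal stand-in for ISubnet with the attributes selection needs."""
    subnet_id: str
    availability_zone: str
    subnet_type: str
    group_name: str


# Constructed sample layout: two groups of the PRIVATE_WITH_EGRESS type
# ("App" in both AZs, "Batch" in one AZ), plus public and isolated groups.
SAMPLE_SUBNETS = [
    Subnet("subnet-pub-a", "us-east-1a", PUBLIC, "Public"),
    Subnet("subnet-pub-b", "us-east-1b", PUBLIC, "Public"),
    Subnet("subnet-app-a", "us-east-1a", PRIVATE_WITH_EGRESS, "App"),
    Subnet("subnet-app-b", "us-east-1b", PRIVATE_WITH_EGRESS, "App"),
    Subnet("subnet-db-a", "us-east-1a", PRIVATE_ISOLATED, "Database"),
    Subnet("subnet-db-b", "us-east-1b", PRIVATE_ISOLATED, "Database"),
    Subnet("subnet-batch-a", "us-east-1a", PRIVATE_WITH_EGRESS, "Batch"),
]


def select_subnets(all_subnets, *, availability_zones=None, one_per_az=False,
                   subnet_group_name=None, subnets=None, subnet_type=None):
    """Model of the documented select_subnets() rules (hypothetical helper)."""
    if subnets is not None and (subnet_type is not None or subnet_group_name is not None):
        raise ValueError("subnets cannot be combined with subnet_type or subnet_group_name")
    if subnet_type is not None and subnet_group_name is not None:
        raise ValueError("at most one of subnet_type and subnet_group_name may be supplied")

    if subnets is not None:
        chosen = list(subnets)                       # explicit individual subnets
    elif subnet_group_name is not None:
        chosen = [s for s in all_subnets if s.group_name == subnet_group_name]
    else:
        if subnet_type is None:
            # Default: PRIVATE_WITH_EGRESS, else ISOLATED, else PUBLIC.
            present = {s.subnet_type for s in all_subnets}
            for candidate in (PRIVATE_WITH_EGRESS, PRIVATE_ISOLATED, PUBLIC):
                if candidate in present:
                    subnet_type = candidate
                    break
        chosen = [s for s in all_subnets if s.subnet_type == subnet_type]

    if availability_zones is not None:
        chosen = [s for s in chosen if s.availability_zone in availability_zones]
    if one_per_az:
        first_in_az = {}
        for s in chosen:
            first_in_az.setdefault(s.availability_zone, s)   # keep the first per AZ
        chosen = list(first_in_az.values())
    if not chosen:
        raise ValueError("selection matched no subnets")
    return chosen


if __name__ == "__main__":
    print([s.subnet_id for s in select_subnets(SAMPLE_SUBNETS)])
```

Note that the default selection by type returns the "Batch" subnet as well as both "App" subnets, because they share a type; this is the case the documentation has in mind when it says subnet_group_name is only needed to distinguish between groups of the same type.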
Attributes
- availability_zones
AZs for this VPC.
- env
The environment this resource belongs to.
For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.
- internet_connectivity_established
Dependable that can be depended upon to force internet connectivity established on the VPC.
- isolated_subnets
List of isolated subnets in this VPC.
- node
The tree node.
- private_subnets
List of private subnets in this VPC.
- public_subnets
List of public subnets in this VPC.
- stack
The stack in which this resource is defined.
- vpc_arn
ARN for this VPC.
- Attribute:
true
- vpc_cidr_block
CIDR range for this VPC.
- Attribute:
true
- vpc_id
Identifier for this VPC.
- Attribute:
true
- vpn_gateway_id
Identifier for the VPN gateway.