@aws-cdk/ec2
AWS Compute and Networking Construct Library
The @aws-cdk/ec2 package contains primitives for setting up networking, instances, and load balancers.
VPC
Most projects need a Virtual Private Cloud to provide security by means of network partitioning. This is easily achieved by creating an instance of VpcNetwork:
import { VpcNetwork } from '@aws-cdk/ec2';
const vpc = new VpcNetwork(this, 'VPC');
All default Constructs require EC2 instances to be launched inside a VPC, so you should generally start by defining a VPC whenever you need to launch instances for your project.
Our default VpcNetwork class creates a private and a public subnet for every availability zone. Classes that use the VPC will generally launch instances into all private subnets, and provide a parameter called vpcPlacement to allow you to override the placement. Read more about subnets.
Fleet
A Fleet represents a number of instances on which you run your code. You pick the size of the fleet, the instance type and the OS image:
import { Fleet, GenericLinuxImage, InstanceClass, InstanceSize, InstanceTypePair, VpcNetwork } from '@aws-cdk/ec2';
const vpc = new VpcNetwork(stack, 'VPC');
new Fleet(stack, 'Fleet', {
  vpc,
  instanceType: new InstanceTypePair(InstanceClass.Burstable2, InstanceSize.Micro),
  // Region-to-AMI map; see the AMIs section below
  machineImage: new GenericLinuxImage({
    'us-east-1': 'ami-97785bed'
  })
});
NOTE: Fleet has a property called allowAllOutbound (allowing the instances to contact the internet) which is set to true by default. Be sure to set this to false if you don't want your instances to be able to start arbitrary connections. Security groups are stateful, so this only affects connections the instances initiate; replies on connections that were allowed in are unaffected.
AMIs
AMIs control the OS that gets launched when you start your instance. Depending on the type of AMI, you select it a different way.
The latest versions of Windows images are regionally published under labels, so you can select Windows images like this:
new WindowsImage(WindowsVersion.WindowsServer2016EnglishNanoBase)
You can select the latest Amazon Linux image like this:
new AmazonLinuxImage()
Other Linux images are unfortunately not currently published this way, so you have to supply a region-to-AMI map when creating a Linux image. AMI IDs are region-specific, so the map needs an entry for every region you deploy the stack to:
machineImage: new GenericLinuxImage({
  'us-east-1': 'ami-97785bed',
  'eu-west-1': 'ami-12345678',
  // ...
})
NOTE: Selecting Linux images will change when the information is published in an automatically consumable way.
Load Balancer
Load balancers send traffic to one or more fleets. Create a load balancer, set up listeners and a health check, and supply the fleet(s) you want to load balance to in the targets property.
The load balancer allows all connections to its listener ports by default. If you want to change that, pass the allowConnectionsFrom property while setting up the listener. Note that internetFacing only controls whether the load balancer gets a public address; it is the listener's allowConnectionsFrom that governs who may connect.
new ClassicLoadBalancer(stack, 'LB', {
vpc,
internetFacing: true,
listeners: [{
externalPort: 80,
}],
healthCheck: {
port: 80
},
targets: [fleet]
});
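Whether allowAllOutbound: false on a Fleet and allowConnectionsFrom on a listener actually had the effect you expect is best checked on the CloudFormation template the stack synthesizes, since that is what gets deployed. The audit below is an added example written for this page, not part of @aws-cdk/ec2: it walks the AWS::EC2::SecurityGroup resources (inline rules) and the standalone AWS::EC2::SecurityGroupIngress / AWS::EC2::SecurityGroupEgress resources of a template and flags rules open to the whole internet. The embedded template is constructed by hand to resemble what the Fleet and load balancer above might synthesize; its logical IDs, descriptions and the set of ports treated as legitimately public (80 and 443) are assumptions.

```typescript
// Added example (not @aws-cdk/ec2 code): audit the security-group rules in a
// synthesized CloudFormation template for access open to the whole internet.

type Rule = {
  IpProtocol: string | number;
  FromPort?: number;
  ToPort?: number;
  CidrIp?: string;
  CidrIpv6?: string;
  SourceSecurityGroupId?: unknown;
  DestinationSecurityGroupId?: unknown;
  Description?: string;
};
type Direction = 'ingress' | 'egress';
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };
interface Finding { resource: string; direction: Direction; reason: string; }

// Ports an internet-facing listener is expected to expose (assumption for this example).
const PUBLIC_PORTS = [80, 443];

// CloudFormation accepts "-1" or -1; either means every IP protocol.
function allProtocols(rule: Rule): boolean { return String(rule.IpProtocol) === '-1'; }

function openToInternet(rule: Rule): boolean {
  return rule.CidrIp === '0.0.0.0/0' || rule.CidrIpv6 === '::/0';
}

function coversAllPorts(rule: Rule): boolean {
  // With protocol -1 EC2 ignores the port range entirely (see ConnectionRule.protocol).
  return allProtocols(rule) || (rule.FromPort === 0 && rule.ToPort === 65535);
}

function checkRule(resource: string, direction: Direction, rule: Rule): Finding[] {
  const findings: Finding[] = [];
  if (allProtocols(rule) && (rule.FromPort !== undefined || rule.ToPort !== undefined)) {
    findings.push({ resource, direction,
      reason: 'IpProtocol -1 with a port range: the ports are ignored and all ports are allowed' });
  }
  if (!openToInternet(rule)) return findings;
  if (direction === 'egress' && coversAllPorts(rule)) {
    findings.push({ resource, direction,
      reason: 'unrestricted outbound access (allowAllOutbound left at its default?)' });
  }
  if (direction === 'ingress') {
    const singlePublicPort = !allProtocols(rule) && rule.FromPort !== undefined
      && rule.FromPort === rule.ToPort && PUBLIC_PORTS.indexOf(rule.FromPort) !== -1;
    if (!singlePublicPort) {
      const ports = allProtocols(rule) ? 'all protocols and ports' : `${rule.IpProtocol} ${rule.FromPort}-${rule.ToPort}`;
      findings.push({ resource, direction, reason: `inbound from anywhere on ${ports}` });
    }
  }
  return findings;
}

function auditTemplate(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const name of Object.keys(template.Resources)) {
    const res = template.Resources[name];
    const props: Record<string, any> = res.Properties || {};
    if (res.Type === 'AWS::EC2::SecurityGroup') {
      // Inline rules: what the library emits when a peer's canInlineRule is true.
      const ingress: Rule[] = props.SecurityGroupIngress || [];
      const egress: Rule[] = props.SecurityGroupEgress || [];
      for (const r of ingress) findings.push(...checkRule(name, 'ingress', r));
      for (const r of egress) findings.push(...checkRule(name, 'egress', r));
    } else if (res.Type === 'AWS::EC2::SecurityGroupIngress') {
      findings.push(...checkRule(name, 'ingress', props as Rule));
    } else if (res.Type === 'AWS::EC2::SecurityGroupEgress') {
      findings.push(...checkRule(name, 'egress', props as Rule));
    }
  }
  return findings;
}

// Constructed sample (logical IDs and descriptions are made up): an internet-facing
// load balancer on port 80 feeding a fleet that kept allowAllOutbound's default,
// plus an SSH rule someone added as a separate resource.
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    LBSecurityGroup: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: {
        GroupDescription: 'Load balancer',
        SecurityGroupIngress: [{ IpProtocol: 'tcp', FromPort: 80, ToPort: 80, CidrIp: '0.0.0.0/0', Description: 'Allow public' }],
        SecurityGroupEgress: [{ IpProtocol: 'tcp', FromPort: 80, ToPort: 80,
          DestinationSecurityGroupId: { 'Fn::GetAtt': ['FleetSecurityGroup', 'GroupId'] } }],
      },
    },
    FleetSecurityGroup: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: {
        GroupDescription: 'Fleet',
        SecurityGroupIngress: [{ IpProtocol: 'tcp', FromPort: 80, ToPort: 80,
          SourceSecurityGroupId: { 'Fn::GetAtt': ['LBSecurityGroup', 'GroupId'] } }],
        SecurityGroupEgress: [{ IpProtocol: '-1', CidrIp: '0.0.0.0/0', Description: 'Allow all outbound traffic by default' }],
      },
    },
    FleetSshFromAnywhere: {
      Type: 'AWS::EC2::SecurityGroupIngress',
      Properties: { GroupId: { 'Fn::GetAtt': ['FleetSecurityGroup', 'GroupId'] },
        IpProtocol: 'tcp', FromPort: 22, ToPort: 22, CidrIp: '0.0.0.0/0' },
    },
  },
};

for (const f of auditTemplate(SAMPLE_TEMPLATE)) console.log(`${f.resource} (${f.direction}): ${f.reason}`);
```

On the sample the load balancer's port-80 ingress passes (that is what allowDefaultPortFromAnyIpv4('Allow public') is for), while the fleet's all-protocol egress to 0.0.0.0/0 and the SSH hole are reported. Run it over the output of a real synth the same way; a clean run is the evidence that allowAllOutbound: false took effect.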
Allowing Connections
In AWS, all connections to and from EC2 instances are governed by Security Groups. You can think of these as a firewall with rules. All Constructs that create instances on your behalf implicitly have such a security group. Unless otherwise indicated using properties (such as allowAllOutbound), the security groups start out empty; that is, no connections are allowed by default.
In general, whenever you link two Constructs together (such as the load balancer and the fleet in the previous example), the security groups will be automatically updated to allow network connections between the indicated instances. In other cases, you will need to configure these allowed connections yourself, for example if the connections you want to allow do not originate from instances in a CDK construct, or if you want to allow connections among instances inside a single security group.
All Constructs with security groups have a member called connections, which can be used to configure permissible connections. In the most general case, a call to allow connections needs both a connection peer and the type of connection to allow:
lb.connections.allowFrom(new AnyIPv4(), new TcpPort(443), 'Allow inbound');
// Or using a convenience function
lb.connections.allowFromAnyIpv4(new TcpPort(443), 'Allow inbound');
Connection Peers
There are various classes that implement the connection peer part:
// Simple connection peers
const cidrPeer = new CidrIp("10.0.0.0/16");
const anyIpv4 = new AnyIPv4();
const cidrV6Peer = new CidrIpv6("::0/0");
const anyIpv6 = new AnyIPv6();
const endpointPeer = new PrefixList("pl-12345");
fleet.connections.allowTo(cidrPeer, new TcpPort(443), 'Allow outbound HTTPS');
Any object that has a security group can itself be used as a connection peer:
// These automatically create appropriate ingress and egress rules in both security groups
fleet1.connections.allowTo(fleet2, new TcpPort(80), 'Allow between fleets');
fleet.connections.allowFrom(lb, new TcpPort(80), 'Allow from load balancer');
Port Ranges
The connections that are allowed are specified by port ranges. A number of classes provide the connection specifier:
new TcpPort(80);
new TcpPortRange(60000, 65535);
new TcpAllPorts();
new AllConnections();
Note that AllConnections allows every IP protocol, not only TCP; in ConnectionRule terms it is protocol -1, for which any port range is ignored.
NOTE: This set is not complete yet; for example, there is no library support for ICMP at the moment. However, you can write your own classes implementing IPortRange to cover those.
Default Ports
Some Constructs have default ports associated with them. For example, the listener of a load balancer does (it's the public port), or instances of an RDS database (it's the port the database is accepting connections on).
If the object you're calling the peering method on has a default port associated with it, you can call allowDefaultPortFrom() and omit the port specifier. If the argument has an associated default port, call allowToDefaultPort().
For example:
// Port implicit in listener
listener.connections.allowDefaultPortFromAnyIpv4('Allow public');
// Port implicit in peer
fleet.connections.allowToDefaultPort(rdsDatabase, 'Fleet can access database');
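To make the two-sided behaviour described in the Connection Peers, Port Ranges and Default Ports sections concrete, the model below re-implements the protocol in a few dozen lines: a peer knows how to render itself into rule JSON, and a Connections object knows which security group (if any) to edit. It is an added example written for this page, not the @aws-cdk/ec2 implementation. The class and method names mirror the page's API, but their bodies are assumptions, the rule JSON uses CloudFormation's property names (the library's own serialization may differ), and the sg-* IDs in the demo are placeholders.

```typescript
// Added example (not @aws-cdk/ec2 code): a minimal model of the connections
// protocol, producing CloudFormation-style security group rule JSON.

type RuleJSON = Record<string, unknown>;

interface IPortRange { toRuleJSON(): RuleJSON; }
interface IConnectionPeer {
  toIngressRuleJSON(): RuleJSON; // how this peer appears as a source
  toEgressRuleJSON(): RuleJSON;  // how this peer appears as a destination
}
interface IConnectable { connections: Connections; }

class TcpPortRange implements IPortRange {
  constructor(private readonly from: number, private readonly to: number) {}
  toRuleJSON(): RuleJSON { return { IpProtocol: 'tcp', FromPort: this.from, ToPort: this.to }; }
}
class TcpPort extends TcpPortRange { constructor(port: number) { super(port, port); } }
class AllConnections implements IPortRange {
  // Protocol -1 is every protocol; EC2 ignores any port range given with it.
  toRuleJSON(): RuleJSON { return { IpProtocol: '-1' }; }
}

class CidrIp implements IConnectionPeer, IConnectable {
  readonly connections: Connections;
  constructor(private readonly cidr: string) {
    // An IP range has no security group of its own, so only the other side's group changes.
    this.connections = new Connections(undefined, this);
  }
  toIngressRuleJSON(): RuleJSON { return { CidrIp: this.cidr }; }
  toEgressRuleJSON(): RuleJSON { return { CidrIp: this.cidr }; }
}
class AnyIPv4 extends CidrIp { constructor() { super('0.0.0.0/0'); } }

class SecurityGroup implements IConnectionPeer, IConnectable {
  readonly ingress: RuleJSON[] = [];
  readonly egress: RuleJSON[] = [];
  readonly connections: Connections;
  constructor(readonly groupId: string, allowAllOutbound: boolean) {
    this.connections = new Connections(this, this);
    // The Fleet default (allowAllOutbound: true) modelled as one all-protocol egress rule to anywhere.
    if (allowAllOutbound) this.addEgressRule(new AnyIPv4(), new AllConnections(), 'Allow all outbound traffic by default');
  }
  toIngressRuleJSON(): RuleJSON { return { SourceSecurityGroupId: this.groupId }; }
  toEgressRuleJSON(): RuleJSON { return { DestinationSecurityGroupId: this.groupId }; }
  addIngressRule(peer: IConnectionPeer, range: IPortRange, description: string): void {
    this.ingress.push({ ...range.toRuleJSON(), ...peer.toIngressRuleJSON(), Description: description });
  }
  addEgressRule(peer: IConnectionPeer, range: IPortRange, description: string): void {
    this.egress.push({ ...range.toRuleJSON(), ...peer.toEgressRuleJSON(), Description: description });
  }
}

class Connections {
  constructor(private readonly securityGroup: SecurityGroup | undefined,
              readonly connectionPeer: IConnectionPeer) {}
  // allowTo: egress on our group towards the peer, ingress on the peer's group from us.
  allowTo(other: IConnectable, range: IPortRange, description: string): void {
    if (this.securityGroup) this.securityGroup.addEgressRule(other.connections.connectionPeer, range, description);
    const theirs = other.connections.securityGroup;
    if (theirs) theirs.addIngressRule(this.connectionPeer, range, description);
  }
  allowFrom(other: IConnectable, range: IPortRange, description: string): void {
    if (this.securityGroup) this.securityGroup.addIngressRule(other.connections.connectionPeer, range, description);
    const theirs = other.connections.securityGroup;
    if (theirs) theirs.addEgressRule(this.connectionPeer, range, description);
  }
  allowFromAnyIpv4(range: IPortRange, description: string): void { this.allowFrom(new AnyIPv4(), range, description); }
  allowToAnyIpv4(range: IPortRange, description: string): void { this.allowTo(new AnyIPv4(), range, description); }
  // Members of one group talking to each other (model adds both directions).
  allowInternally(range: IPortRange, description: string): void {
    if (!this.securityGroup) return;
    this.securityGroup.addIngressRule(this.securityGroup, range, description);
    this.securityGroup.addEgressRule(this.securityGroup, range, description);
  }
}

// Demo mirroring the page's examples; the sg-* IDs are placeholders.
function linkExample() {
  const lb = new SecurityGroup('sg-lb', true);        // load balancer group
  const fleet = new SecurityGroup('sg-fleet', false); // Fleet with allowAllOutbound: false
  const db = new SecurityGroup('sg-db', false);       // e.g. an RDS database
  lb.connections.allowFromAnyIpv4(new TcpPort(80), 'Allow public');
  lb.connections.allowTo(fleet, new TcpPort(80), 'Allow from load balancer');
  fleet.connections.allowInternally(new TcpPortRange(60000, 65535), 'Allow between fleet instances');
  fleet.connections.allowTo(db, new TcpPort(5432), 'Fleet can access database');
  return { lb, fleet, db };
}

const demo = linkExample();
console.log(JSON.stringify({ fleetIngress: demo.fleet.ingress, fleetEgress: demo.fleet.egress }, null, 2));
```

One caveat the model cannot show: an empty egress list is not the same as blocked egress in AWS. A VPC security group with no explicit egress rules carries CloudFormation's implicit allow-all outbound rule, which is removed only once at least one explicit egress rule exists, so allowAllOutbound: false should be verified on the synthesized template rather than assumed.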
Reference
AllConnections
AmazonLinuxImage
- class AmazonLinuxImage([props])
  Selects the latest version of Amazon Linux. The AMI ID is selected using the values published to the SSM parameter store.
  Implements: IMachineImageSource
  Parameters: props (AmazonLinuxImageProps or None)
  - getImage(parent) → MachineImage
    Return the image to use in the given context.
    Parameters: parent (Construct)
AmazonLinuxImageProps (interface)
CidrIp
- class CidrIp(cidrIp)
  A connection to and from a given IP range.
  Implements: IConnectionPeer, IConnectable
  Parameters: cidrIp (string)
  - toIngressRuleJSON() → any
    Produce the ingress rule JSON for the given connection.
  - toEgressRuleJSON() → any
    Produce the egress rule JSON for the given connection.
  - canInlineRule: boolean (readonly)
    Whether the rule can be inlined into a SecurityGroup or not.
  - connections: IConnections (readonly)
CidrIpv6
- class CidrIpv6(cidrIpv6)
  A connection to and from a given IPv6 range.
  Implements: IConnectionPeer, IConnectable
  Parameters: cidrIpv6 (string)
  - toIngressRuleJSON() → any
    Produce the ingress rule JSON for the given connection.
  - toEgressRuleJSON() → any
    Produce the egress rule JSON for the given connection.
  - canInlineRule: boolean (readonly)
    Whether the rule can be inlined into a SecurityGroup or not.
  - connections: IConnections (readonly)
ClassicListenerPort
- class ClassicListenerPort(securityGroup, defaultPortRange)
  Reference to a listener's port just created. This class exists to make it convenient to add port ranges to the load balancer's security group just for the port ranges that are involved in the listener.
  Implements: IDefaultConnectable
  Parameters: securityGroup (ISecurityGroup); defaultPortRange (IPortRange)
  - connections: DefaultConnections (readonly)
  - defaultPortRange: IPortRange (readonly)
ClassicLoadBalancer
- class ClassicLoadBalancer(parent, name, props)
  A load balancer with a single listener. Routes to a fleet of instances in a VPC.
  Extends: Construct
  Implements: IConnectable
  Parameters: parent (Construct); name (string); props (ClassicLoadBalancerProps)
  - addListener(listener) → ClassicListenerPort
    Add a listener to the load balancer.
    Parameters: listener (ClassicLoadBalancerListener)
    Returns: A ClassicListenerPort object that controls connections to the listener port.
  - addTarget(target)
    Parameters: target (IClassicLoadBalancerTarget)
  - connections: Connections (readonly)
    Control all connections from and to this load balancer.
  - connectionPeer: IConnectionPeer (readonly)
  - listenerPorts: ClassicListenerPort[] (readonly)
    Objects controlling specifically the connections for each listener added to this load balancer.
  - loadBalancerName: Token (readonly)
  - loadBalancerCanonicalHostedZoneName: LoadBalancerCanonicalHostedZoneName (readonly)
  - loadBalancerDnsName: LoadBalancerDnsName (readonly)
  - loadBalancerSourceSecurityGroupGroupName: LoadBalancerSourceSecurityGroupGroupName (readonly)
  - loadBalancerSourceSecurityGroupOwnerAlias: LoadBalancerSourceSecurityGroupOwnerAlias (readonly)
ClassicLoadBalancerListener (interface)
- class ClassicLoadBalancerListener
  Properties of a listener on the load balancer.
  - externalPort: number
    External listening port.
  - externalProtocol: string or None
    What public protocol to use for load balancing. Either 'tcp', 'ssl', 'http' or 'https'. May be omitted if the external port is either 80 or 443.
  - internalPort: number or None
    Instance listening port. Same as the externalPort if not specified.
  - internalProtocol: string or None
    What protocol to use on the instance side. Either 'tcp', 'ssl', 'http' or 'https'. May be omitted if the internal port is either 80 or 443. Otherwise the instance protocol is 'tcp' if the front-end protocol is 'tcp' or 'ssl', and 'http' if the front-end protocol is 'https'.
  - policyNames: string[] or None
    SSL policy names.
  - sslCertificateId: Arn or None
    ID of SSL certificate.
  - allowConnectionsFrom: IConnectable[] or None
    Allow connections to the load balancer from the given set of connection peers. By default, connections will be allowed from anywhere. Set this to an empty list to deny connections, or supply a custom list of peers to allow connections from (IP ranges or security groups).
ClassicLoadBalancerProps (interface)
- class ClassicLoadBalancerProps
  Construction properties for a ClassicLoadBalancer.
  - vpc: VpcNetworkRef
    VPC network of the fleet instances.
  - internetFacing: boolean or None
    Whether this is an internet-facing Load Balancer. This controls whether the LB has a public IP address assigned. It does not open up the Load Balancer's security groups to public internet access.
  - listeners: ClassicLoadBalancerListener[] or None
    What listeners to set up for the load balancer. Can also be added by .addListener().
  - targets: IClassicLoadBalancerTarget[] or None
    What targets to load balance to. Can also be added by .addTarget().
  - healthCheck: HealthCheck or None
    Health check settings for the load balancing targets. Not required but recommended.
ConnectionRule (interface)
- class ConnectionRule
  - protocol: string or None
    The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). Use -1 to specify all protocols. If you specify -1, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6), traffic on all ports is allowed, regardless of any ports you specify. For tcp, udp, and icmp, you must specify a port range. For protocol 58 (ICMPv6), you can optionally specify a port range; if you don't, traffic for all types and codes is allowed.
  - fromPort: number
    Start of port range for the TCP and UDP protocols, or an ICMP type number. If you specify icmp for the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP type number).
  - toPort: number or None
    End of port range for the TCP and UDP protocols, or an ICMP code. If you specify icmp for the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP code).
  - description: string or None
    Description of this connection. It is applied to both the ingress rule and the egress rule.
Connections
- class Connections(securityGroup)
  Connections for an object that does not have default ports.
  Implements: IConnections
  Parameters: securityGroup (ISecurityGroup)
  - allowToDefaultPort(other, description)
    Allow connections to the peer on their default port.
    Parameters: other (IDefaultConnectable); description (string)
  - allowTo(other, portRange, description)
    Allow connections to the peer on the given port.
    Parameters: other (IConnectable); portRange (IPortRange); description (string)
  - allowFrom(other, portRange, description)
    Allow connections from the peer on the given port.
    Parameters: other (IConnectable); portRange (IPortRange); description (string)
  - allowInternally(portRange, description)
    Allow hosts inside the security group to connect to each other on the given port.
    Parameters: portRange (IPortRange); description (string)
  - allowToAnyIpv4(portRange, description)
    Allow to all IPv4 ranges.
    Parameters: portRange (IPortRange); description (string)
  - allowFromAnyIpv4(portRange, description)
    Allow from any IPv4 ranges.
    Parameters: portRange (IPortRange); description (string)
  - connectionPeer: IConnectionPeer (readonly)
    Access to the peer that we're connecting to. It's convenient to put this on the Connections object since all participants in this protocol have one anyway, and the Connections objects have access to it, so they don't need to implement two interfaces.
DefaultConnections
- class DefaultConnections(securityGroup, defaultPortRangeProvider)
  A class to orchestrate connections for an object that already has default ports.
  Extends: Connections
  Parameters: securityGroup (ISecurityGroup); defaultPortRangeProvider (IDefaultConnectable)
  - allowDefaultPortFrom(other, description)
    Allow connections from the peer on our default port. Even if the peer has a default port, we will always use our default port.
    Parameters: other (IConnectable); description (string)
  - allowDefaultPortInternally(description)
    Allow hosts inside the security group to connect to each other.
    Parameters: description (string)
  - allowDefaultPortFromAnyIpv4(description)
    Allow default connections from all IPv4 ranges.
    Parameters: description (string)
  - defaultPortRange: IPortRange (readonly)
Fleet
- class Fleet(parent, name, props)
  A Fleet represents a managed set of EC2 instances. The Fleet models a number of AutoScalingGroups, a launch configuration, a security group and an instance role. It allows adding arbitrary commands to the startup scripts of the instances in the fleet. The ASG spans all availability zones.
  Extends: Construct
  Implements: IClassicLoadBalancerTarget
  Parameters: parent (Construct); name (string); props (FleetProps)
  - attachToClassicLB(loadBalancer)
    Attach load-balanced target to a classic ELB.
    Parameters: loadBalancer (ClassicLoadBalancer)
  - addUserData(script)
    Add a command to the startup script of fleet instances. The command must be in the scripting language supported by the fleet's OS (i.e. Linux/Windows).
    Parameters: script (string)
  - autoScalingGroupName() → Token
  - addToRolePolicy(statement)
    Adds a statement to the IAM role assumed by instances of this fleet.
    Parameters: statement (PolicyStatement)
  - connectionPeer: IConnectionPeer (readonly)
  - osType: OperatingSystemType (readonly)
    The type of OS instances of this fleet are running.
  - connections: Connections (readonly)
    Allows specifying security group connections for instances of this fleet.
  - role: Role (readonly)
    The IAM role assumed by instances of this fleet.
FleetProps (interface)
- class FleetProps
  Properties of a Fleet.
  - instanceType: InstanceType
    Type of instance to launch.
  - minSize: number or None
    Minimum number of instances in the fleet.
  - maxSize: number or None
    Maximum number of instances in the fleet.
  - desiredCapacity: number or None
    Initial amount of instances in the fleet.
  - keyName: string or None
    Name of SSH keypair to grant access to instances.
  - machineImage: IMachineImageSource
    AMI to launch.
  - vpc: VpcNetworkRef
    VPC to launch these instances in.
  - vpcPlacement: VpcPlacementStrategy or None
    Where to place instances within the VPC.
  - notificationsTopic: TopicResource or None
    SNS topic to send notifications about fleet changes.
  - allowAllOutbound: boolean or None
    Whether the instances can initiate connections to anywhere by default (true if not specified; see the note in the Fleet section above).
GenericLinuxImage
- class GenericLinuxImage(amiMap)
  Construct a Linux machine image from an AMI map. Linux image IDs are not published to the SSM parameter store yet, so you'll have to manually specify an AMI map.
  Implements: IMachineImageSource
  Parameters: amiMap (map of region name to AMI ID string)
  - getImage(parent) → MachineImage
    Return the image to use in the given context.
    Parameters: parent (Construct)
HealthCheck (interface)
- class HealthCheck
  Describe the health check to a load balancer.
  - port: number
    What port number to health check on.
  - protocol: string or None
    What protocol to use for health checking. The protocol is automatically determined from the port if it's not supplied.
  - path: string or None
    What path to use for HTTP or HTTPS health check (must return 200). For SSL and TCP health checks, accepting connections is enough to be considered healthy.
  - healthyThreshold: number or None
    After how many successful checks is an instance considered healthy.
  - unhealthyThreshold: number or None
    After how many unsuccessful checks is an instance considered unhealthy.
  - interval: number or None
    Number of seconds between health checks.
  - timeout: number or None
    Health check timeout.
IClassicLoadBalancerTarget (interface)
IConnectable (interface)
- class IConnectable
  The goal of this module is to make it possible to write statements like this:
    database.connections.allowFrom(fleet);
    fleet.connections.allowTo(database);
    rdgw.connections.allowFromCidrIp('0.3.1.5/86');
    rgdw.connections.allowTrafficTo(fleet, new AllPorts());
  The insight here is that some connecting peers have information on what ports should be involved in the connection, and some don't. Constructs will make their connections property equal to an instance of either Connections or ConnectionsWithDefault. An object that has a Connections object
  - connections: IConnections (readonly)
IConnectionPeer (interface)
- class IConnectionPeer
  Interface for classes that provide the peer-specification parts of a security group rule.
  - canInlineRule: boolean (readonly)
    Whether the rule can be inlined into a SecurityGroup or not.
  - toIngressRuleJSON() → any
    Produce the ingress rule JSON for the given connection.
  - toEgressRuleJSON() → any
    Produce the egress rule JSON for the given connection.
IConnections (interface)
- class IConnections
  An object that encapsulates connection logic. The IConnections object both has knowledge on what peer to use, as well as how to add connection rules.
  - connectionPeer: IConnectionPeer (readonly)
    Access to the peer that we're connecting to. It's convenient to put this on the Connections object since all participants in this protocol have one anyway, and the Connections objects have access to it, so they don't need to implement two interfaces.
  - allowTo(other, portRange, description)
    Allow connections to the peer on the given port.
    Parameters: other (IConnectable); portRange (IPortRange); description (string)
  - allowFrom(other, portRange, description)
    Allow connections from the peer on the given port.
    Parameters: other (IConnectable); portRange (IPortRange); description (string)
IDefaultConnectable (interface)
IMachineImageSource (interface)
IPortRange (interface)
ISecurityGroup (interface)
- class ISecurityGroup
  Basic interface for security groups.
  Extends: IConnectionPeer
  - securityGroupId: SecurityGroupId (readonly)
  - canInlineRule: boolean (readonly)
    Whether the rule can be inlined into a SecurityGroup or not.
  - addIngressRule(peer, connection, description)
    Parameters: peer (IConnectionPeer); connection (IPortRange); description (string)
  - addEgressRule(peer, connection, description)
    Parameters: peer (IConnectionPeer); connection (IPortRange); description (string)
InstanceClass (enum)
- class InstanceClass
  Members (listed in pairs: descriptive name followed by the short name):
  - Standard3, M3
  - Standard4, M4
  - Standard5, M5
  - Memory3, R3
  - Memory4, R4
  - Compute3, C3
  - Compute4, C4
  - Compute5, C5
  - Storage2, D2
  - StorageCompute1, H1
  - Io3, I3
  - Burstable2, T2
  - MemoryIntensive1, X1
  - MemoryIntensive1Extended, X1e
  - Fpga1, F1
  - Graphics3, G3
  - Parallel2, P2
  - Parallel3, P3
InstanceSize (enum)
InstanceType
- class InstanceType(instanceTypeIdentifier)
  Instance type for EC2 instances. This class takes a literal string, good if you already know the identifier of the type you want.
  Parameters: instanceTypeIdentifier (string)
  - toString() → string
    Return the instance type as a dotted string.
InstanceTypePair
- class InstanceTypePair(instanceClass, instanceSize)
  Instance type for EC2 instances. This class takes a combination of a class and size. Be aware that not all combinations of class and size are available, and not all classes are available in all regions.
  Extends: InstanceType
  Parameters: instanceClass (InstanceClass); instanceSize (InstanceSize)
  - instanceClass: InstanceClass (readonly)
  - instanceSize: InstanceSize (readonly)
LinuxOS
MachineImage
OperatingSystem
OutboundTrafficMode (enum)
PrefixList
- class PrefixList(prefixListId)
  A prefix list. Prefix lists are used to allow traffic to VPC-local service endpoints. For more information, see https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
  Implements: IConnectionPeer, IConnectable
  Parameters: prefixListId (string)
  - toIngressRuleJSON() → any
    Produce the ingress rule JSON for the given connection.
  - toEgressRuleJSON() → any
    Produce the egress rule JSON for the given connection.
  - canInlineRule: boolean (readonly)
    Whether the rule can be inlined into a SecurityGroup or not.
  - connections: IConnections (readonly)
SecurityGroup
- class SecurityGroup(parent, name, props)
  Creates an Amazon EC2 security group within a VPC. This class has an additional optimization over SecurityGroupRef in that it can also create inline ingress and egress rules (which saves on the total number of resources inside the template).
  Extends: SecurityGroupRef
  Parameters: parent (Construct); name (string); props (SecurityGroupProps)
  - addIngressRule(peer, connection, description)
    Parameters: peer (IConnectionPeer); connection (IPortRange); description (string)
  - addEgressRule(peer, connection, description)
    Parameters: peer (IConnectionPeer); connection (IPortRange); description (string)
  - groupName: SecurityGroupName (readonly)
    An attribute that represents the security group name.
  - vpcId: SecurityGroupVpcId (readonly)
    An attribute that represents the physical VPC ID this security group is part of.
SecurityGroupName
SecurityGroupProps (interface)
- class SecurityGroupProps
  - groupName: string or None
    The name of the security group. For valid values, see the GroupName parameter of the CreateSecurityGroup action in the Amazon EC2 API Reference. It is not recommended to use an explicit group name.
  - description: string or None
    A description of the security group.
  - vpc: VpcNetworkRef
    The VPC in which to create the security group.
SecurityGroupRef
- class SecurityGroupRef(parent, name, props)
  A SecurityGroup that is not created in this template.
  Extends: Construct
  Implements: ISecurityGroup
  Parameters: parent (Construct); name (string); props (SecurityGroupRefProps)
  - addIngressRule(peer, connection, description)
    Parameters: peer (IConnectionPeer); connection (IPortRange); description (string)
  - addEgressRule(peer, connection, description)
    Parameters: peer (IConnectionPeer); connection (IPortRange); description (string)
  - toIngressRuleJSON() → any
    Produce the ingress rule JSON for the given connection.
  - toEgressRuleJSON() → any
    Produce the egress rule JSON for the given connection.
  - securityGroupId: SecurityGroupId (readonly)
  - canInlineRule: boolean (readonly)
    Whether the rule can be inlined into a SecurityGroup or not.
SecurityGroupRefProps (interface)
SecurityGrouplessConnections
- class SecurityGrouplessConnections(connectionPeer)
  This object is used by peers who don't allow reverse connections. It still has an associated connection peer, but that peer does not have any security groups to add connections to, so the allow methods change nothing on this side; only the other party's security group is updated.
  Implements: IConnections
  Parameters: connectionPeer (IConnectionPeer)
  - allowTo(_other, _connection, _description)
    Allow connections to the peer on the given port.
    Parameters: _other (IConnectable); _connection (IPortRange); _description (string)
  - allowFrom(_other, _connection, _description)
    Allow connections from the peer on the given port.
    Parameters: _other (IConnectable); _connection (IPortRange); _description (string)
  - connectionPeer: IConnectionPeer (readonly)
TcpAllPorts
TcpPort
TcpPortFromAttribute
TcpPortRange
VpcNetwork
- class VpcNetwork(parent, name[, props])
  VpcNetwork deploys an AWS VPC, with public and private subnets per Availability Zone. For example:
    import { VpcNetwork } from '@aws-cdk/ec2';
    const vpc = new VpcNetwork(this, 'VPC', { cidr: '10.0.0.0/16' });
    // Iterate the public subnets
    for (const subnet of vpc.publicSubnets) { }
    // Iterate the private subnets
    for (const subnet of vpc.privateSubnets) { }
  Extends: VpcNetworkRef
  Parameters: parent (Construct); name (string); props (VpcNetworkProps or None)
  - DEFAULT_CIDR_RANGE: string (readonly) (static)
    The default CIDR range used when creating VPCs. This can be overridden using VpcNetworkProps when creating a VpcNetwork resource, e.g. new VpcNetwork(this, 'VPC', { cidr: '192.168.0.0/16' })
  - vpcId: VpcNetworkId (readonly)
    Identifier for this VPC.
  - publicSubnets: VpcSubnetRef[] (readonly)
    List of public subnets in this VPC.
  - privateSubnets: VpcSubnetRef[] (readonly)
    List of private subnets in this VPC.
  - cidr: Token (readonly)
VpcNetworkId
VpcNetworkProps (interface)
- class VpcNetworkProps
  VpcNetworkProps allows you to specify configuration options for a VPC.
  - cidr: string or None
    The CIDR range to use for the VPC (e.g. '10.0.0.0/16'). Should be a minimum of /28 and maximum size of /16. The range will be split evenly into two subnets per Availability Zone (one public, one private).
  - enableDnsHostnames: boolean or None
    Indicates whether the instances launched in the VPC get public DNS hostnames. If this attribute is true, instances in the VPC get public DNS hostnames, but only if the enableDnsSupport attribute is also set to true.
  - enableDnsSupport: boolean or None
    Indicates whether DNS resolution is supported for the VPC. If this attribute is false, the Amazon-provided DNS server in the VPC that resolves public DNS hostnames to IP addresses is not enabled. If this attribute is true, queries to the Amazon-provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC IPv4 network range plus two, will succeed.
  - defaultInstanceTenancy: string or None
    The default tenancy of instances launched into the VPC. By default, instances will be launched with default (shared) tenancy. By setting this to dedicated tenancy, instances will be launched on hardware dedicated to a single AWS customer, unless specifically specified at instance launch time. Please note, not all instance types are usable with Dedicated tenancy.
  - Tag or None
    The AWS resource tags to associate with the VPC.
  - outboundTraffic: number (an OutboundTrafficMode value) or None
    Defines whether the VPC is configured to route outbound traffic from private and/or public subnets. By default, outbound traffic will be allowed from public and private subnets.
  - maxAZs: number or None
    Define the maximum number of AZs to use in this region. If the region has more AZs than you want to use (for example, because of EIP limits), pick a lower number here. The AZs will be sorted and picked from the start of the list.
VpcNetworkRef
- class VpcNetworkRef(parent, name)
  A new or imported VPC.
  Extends: Construct
  Implements: IDependable
  Abstract: Yes
  Parameters: parent (Construct), the parent construct; name (string)
  - static import(parent, name, props) → VpcNetworkRef
    Import an exported VPC.
    Parameters: parent (Construct); name (string); props (VpcNetworkRefProps)
  - subnets([placement]) → VpcSubnetRef[]
    Return the subnets appropriate for the placement strategy.
    Parameters: placement (VpcPlacementStrategy or None)
  - export() → VpcNetworkRefProps
    Export this VPC from the stack.
  - vpcId: VpcNetworkId (readonly) (abstract)
    Identifier for this VPC.
  - publicSubnets: VpcSubnetRef[] (readonly) (abstract)
    List of public subnets in this VPC.
  - privateSubnets: VpcSubnetRef[] (readonly) (abstract)
    List of private subnets in this VPC.
  - dependencyElements: IDependable[] (readonly)
    Parts of the VPC that constitute full construction.
VpcNetworkRefProps (interface)
- class VpcNetworkRefProps
  Properties that reference an external VpcNetwork.
  - vpcId: VpcNetworkId
    VPC's identifier.
  - availabilityZones: string[]
    List of availability zones, one for every subnet. The first half are for the public subnets, the second half are for the private subnets.
  - publicSubnetIds: VpcSubnetId[]
    List of public subnet IDs, one for every subnet. Must match the availability zones and private subnet IDs in length and order.
  - privateSubnetIds: VpcSubnetId[]
    List of private subnet IDs, one for every subnet. Must match the availability zones and public subnet IDs in length and order.
VpcPlacementStrategy (interface)
- class VpcPlacementStrategy
  Customize how instances are placed inside a VPC. Constructs that allow customization of VPC placement use parameters of this type to provide placement settings.
  - usePublicSubnets: boolean or None
    Whether to use the VPC's public subnets to start instances. If false, the instances are started in the private subnets.
VpcPrivateSubnet
- class VpcPrivateSubnet(parent, name, props)
  Represents a private VPC subnet resource.
  Extends: VpcSubnet
  Parameters: parent (Construct); name (string); props (VpcSubnetProps)
  - addDefaultNatRouteEntry(natGatewayId)
    Adds an entry to this subnet's route table that points to the passed NAT gateway ID.
    Parameters: natGatewayId (Token)
VpcPublicSubnet
- class VpcPublicSubnet(parent, name, props)
  Represents a public VPC subnet resource.
  Extends: VpcSubnet
  Parameters: parent (Construct); name (string); props (VpcSubnetProps)
  - addDefaultIGWRouteEntry(gatewayId)
    Create a default route that points to a passed IGW.
    Parameters: gatewayId (Token)
  - addNatGateway() → Token
    Creates a new managed NAT gateway attached to this public subnet. Also adds the EIP for the managed NAT. Returns the NAT Gateway ref.
VpcSubnet
- class VpcSubnet(parent, name, props)
  Represents a new VPC subnet resource.
  Extends: VpcSubnetRef
  Parameters: parent (Construct); name (string); props (VpcSubnetProps)
  - addDefaultRouteToNAT(natGatewayId)
    Parameters: natGatewayId (Token)
  - addDefaultRouteToIGW(gatewayId)
    Parameters: gatewayId (Token)
  - availabilityZone: string (readonly)
    The Availability Zone the subnet is located in.
  - subnetId: VpcSubnetId (readonly)
    The subnetId for this particular subnet.
VpcSubnetId
VpcSubnetProps (interface)
VpcSubnetRef
- class VpcSubnetRef(parent, name)
  A new or imported VPC Subnet.
  Extends: Construct
  Implements: IDependable
  Abstract: Yes
  Parameters: parent (Construct), the parent construct; name (string)
  - static import(parent, name, props) → VpcSubnetRef
    Parameters: parent (Construct); name (string); props (VpcSubnetRefProps)
  - availabilityZone: string (readonly) (abstract)
    The Availability Zone the subnet is located in.
  - subnetId: VpcSubnetId (readonly) (abstract)
    The subnetId for this particular subnet.
  - dependencyElements: IDependable[] (readonly)
    Parts of this VPC subnet.
VpcSubnetRefProps (interface)
WindowsImage
- class WindowsImage(version)
  Select the latest version of the indicated Windows version. The AMI ID is selected using the values published to the SSM parameter store. See https://aws.amazon.com/blogs/mt/query-for-the-latest-windows-ami-using-systems-manager-parameter-store/
  Implements: IMachineImageSource
  Parameters: version (WindowsVersion)
  - getImage(parent) → MachineImage
    Return the image to use in the given context.
    Parameters: parent (Construct)
WindowsOS
WindowsVersion (enum)
- class WindowsVersion
  Members:
  - WindowsServer2016TurksihFullBase
  - WindowsServer2016SwedishFullBase
  - WindowsServer2016SpanishFullBase
  - WindowsServer2016RussianFullBase
  - WindowsServer2016PortuguesePortugalFullBase
  - WindowsServer2016PortugueseBrazilFullBase
  - WindowsServer2016PolishFullBase
  - WindowsServer2016KoreanFullSQL2016Base
  - WindowsServer2016KoreanFullBase
  - WindowsServer2016JapaneseFullSQL2016Web
  - WindowsServer2016JapaneseFullSQL2016Standard
  - WindowsServer2016JapaneseFullSQL2016Express
  - WindowsServer2016JapaneseFullSQL2016Enterprise
  - WindowsServer2016JapaneseFullBase
  - WindowsServer2016ItalianFullBase
  - WindowsServer2016HungarianFullBase
  - WindowsServer2016GermanFullBase
  - WindowsServer2016FrenchFullBase
  - WindowsServer2016EnglishNanoBase
  - WindowsServer2016EnglishFullSQL2017Web
  - WindowsServer2016EnglishFullSQL2017Standard
  - WindowsServer2016EnglishFullSQL2017Express
  - WindowsServer2016EnglishFullSQL2017Enterprise