@aws-cdk/ec2

AWS Compute and Networking Construct Library

The @aws-cdk/ec2 package contains primitives for setting up networking, instances, and load balancers.

VPC

Most projects need a Virtual Private Cloud to provide security by means of network partitioning. This is easily achieved by creating an instance of VpcNetwork:

import { VpcNetwork } from '@aws-cdk/ec2';

const vpc = new VpcNetwork(this, 'VPC');

All default Constructs require EC2 instances to be launched inside a VPC, so you should generally start by defining a VPC whenever you need to launch instances for your project.

Our default VpcNetwork class creates a private and public subnet for every availability zone. Classes that use the VPC will generally launch instances into all private subnets, and provide a parameter called vpcPlacement to allow you to override the placement. Read more about subnets.
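To see what "a private and public subnet for every availability zone" produces for a given CIDR before deploying, the following added example models the even split that VpcNetworkProps.cidr documents on this page (two subnets per AZ, VPC between /16 and /28). It is not @aws-cdk/ec2 code; the allocation order (public blocks first, then private) and the handling of leftover blocks are assumptions.

```typescript
// Added example, not @aws-cdk/ec2 code: a model of the even split that
// VpcNetworkProps.cidr documents (two subnets per Availability Zone, one
// public and one private), so the resulting subnet ranges can be reviewed
// before deployment. Assumptions: public blocks are allocated before private
// ones, and tail blocks are left unused when 2 * azCount is not a power of two.

function ipv4ToInt(ip: string): number {
  const octets = ip.split('.').map(Number);
  const valid = octets.length === 4 && octets.every(o => o === Math.floor(o) && o >= 0 && o <= 255);
  if (!valid) throw new Error(`invalid IPv4 address: ${ip}`);
  return ((octets[0] << 24) >>> 0) + (octets[1] << 16) + (octets[2] << 8) + octets[3];
}

function intToIpv4(n: number): string {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

interface SubnetPlan {
  subnetPrefix: number;     // prefix length shared by every subnet
  publicSubnets: string[];  // one per AZ
  privateSubnets: string[]; // one per AZ
}

function planSubnets(vpcCidr: string, azCount: number): SubnetPlan {
  const [base, prefixText] = vpcCidr.split('/');
  const prefix = Number(prefixText);
  // VpcNetworkProps.cidr: minimum /28, maximum /16
  if (isNaN(prefix) || prefix !== Math.floor(prefix) || prefix < 16 || prefix > 28) {
    throw new Error(`VPC CIDR must be between /16 and /28, got ${vpcCidr}`);
  }
  if (azCount < 1 || azCount !== Math.floor(azCount)) throw new Error('azCount must be a positive integer');

  const baseInt = ipv4ToInt(base);
  const mask = (~0 << (32 - prefix)) >>> 0;
  if (((baseInt & mask) >>> 0) !== baseInt) {
    throw new Error(`${vpcCidr} is not aligned to a /${prefix} boundary`);
  }

  // Smallest power of two that fits one public and one private subnet per AZ.
  const subnetCount = 2 * azCount;
  let extraBits = 0;
  while ((1 << extraBits) < subnetCount) extraBits++;
  const subnetPrefix = prefix + extraBits;
  // EC2 does not create subnets smaller than /28, so a small VPC with many AZs cannot be split.
  if (subnetPrefix > 28) {
    throw new Error(`/${prefix} cannot hold ${subnetCount} subnets of at least /28; use a larger VPC or lower maxAZs`);
  }

  const subnetSize = Math.pow(2, 32 - subnetPrefix);
  const blocks: string[] = [];
  for (let i = 0; i < subnetCount; i++) {
    blocks.push(`${intToIpv4(baseInt + i * subnetSize)}/${subnetPrefix}`);
  }
  return { subnetPrefix, publicSubnets: blocks.slice(0, azCount), privateSubnets: blocks.slice(azCount) };
}
```

With the default 10.0.0.0/16 and two AZs this yields four /18 blocks; with three AZs it yields six /19 blocks and leaves two /19 blocks unused, which is the kind of detail worth checking when the VPC will later be peered with other networks.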

Fleet

A Fleet represents a number of instances on which you run your code. You pick the size of the fleet, the instance type and the OS image:

import { Fleet, GenericLinuxImage, InstanceClass, InstanceSize, InstanceTypePair, VpcNetwork } from '@aws-cdk/ec2';

const vpc = new VpcNetwork(stack, 'VPC');

new Fleet(stack, 'Fleet', {
    vpc,
    instanceType: new InstanceTypePair(InstanceClass.Burstable2, InstanceSize.Micro),
    machineImage: new GenericLinuxImage({
        'us-east-1': 'ami-97785bed'
    })
});
NOTE: Fleet has a property called allowAllOutbound (allowing the instances to open connections to any destination, including the internet) which is set to true by default. Set it to false if you don't want your instances to be able to start arbitrary outbound connections, and grant only the egress you need with connections.allowTo().

AMIs

AMIs control the OS that gets launched when you start your instance.

Depending on the type of AMI, you select it a different way.

The latest version of Windows images are regionally published under labels, so you can select Windows images like this:

new WindowsImage(WindowsVersion.WindowsServer2016EnglishNanoBase)

You can select the latest Amazon Linux image like this:

new AmazonLinuxImage()

Other Linux images are unfortunately not currently published this way, so you have to supply a region-to-AMI map when creating a Linux image:

machineImage: new GenericLinuxImage({
    'us-east-1': 'ami-97785bed',
    'eu-west-1': 'ami-12345678',
    // ...
})
NOTE: Selecting Linux images will change when the information is published in an automatically consumable way.

Load Balancer

Load balancers send traffic to one or more fleets. Create a load balancer, set up listeners and a health check, and supply the fleet(s) you want to load balance to in the targets property.

A listener accepts connections from anywhere by default. To restrict that, pass the allowConnectionsFrom property when setting up the listener: an empty list denies all connections, or supply the IP ranges or security groups that may connect.

new ClassicLoadBalancer(stack, 'LB', {
    vpc,
    internetFacing: true,
    listeners: [{
        externalPort: 80,
    }],
    healthCheck: {
        port: 80
    },
    targets: [fleet]
});
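The externalProtocol and internalProtocol defaults documented under ClassicLoadBalancerListener in the reference on this page have a security consequence that is easy to miss: an HTTPS listener with nothing else specified talks plain HTTP to the instances. The added example below (not the library's code) writes those documented rules out as a resolver so the inferred back-end protocol is visible at synthesis time. The order in which the rules are combined, and the certificate check, are assumptions on top of the page's text; the certificate ID is a constructed placeholder.

```typescript
// Added example, not @aws-cdk/ec2 code: resolve the listener protocol defaults
// documented for ClassicLoadBalancerListener and flag listeners that terminate
// TLS at the load balancer but forward plaintext to the instances.

type LoadBalancingProtocol = 'tcp' | 'ssl' | 'http' | 'https';

interface ListenerSpec {
  externalPort: number;
  externalProtocol?: LoadBalancingProtocol;
  internalPort?: number;
  internalProtocol?: LoadBalancingProtocol;
  sslCertificateId?: string;
}

interface ResolvedListener {
  externalPort: number;
  externalProtocol: LoadBalancingProtocol;
  internalPort: number;
  internalProtocol: LoadBalancingProtocol;
  // true when TLS stops at the load balancer and the hop to the instances is unencrypted
  plaintextToInstances: boolean;
}

// Documented defaults: the protocol may be omitted only for ports 80 and 443.
const WELL_KNOWN_PORTS: { [port: number]: LoadBalancingProtocol } = { 80: 'http', 443: 'https' };

function isEncrypted(p: LoadBalancingProtocol): boolean {
  return p === 'https' || p === 'ssl';
}

function resolveListener(spec: ListenerSpec): ResolvedListener {
  const externalProtocol = spec.externalProtocol || WELL_KNOWN_PORTS[spec.externalPort];
  if (!externalProtocol) {
    throw new Error(`externalProtocol is required for port ${spec.externalPort}; only 80 and 443 have defaults`);
  }
  // A classic ELB cannot terminate TLS without a server certificate (assumption: checked here, at synth time).
  if (isEncrypted(externalProtocol) && !spec.sslCertificateId) {
    throw new Error(`sslCertificateId is required for a ${externalProtocol} listener`);
  }
  const internalPort = spec.internalPort !== undefined ? spec.internalPort : spec.externalPort;

  // Documented inference: tcp/ssl front end -> tcp back end; https front end -> http back end;
  // otherwise fall back to the 80/443 defaults for the instance port (ordering is an assumption).
  let internalProtocol: LoadBalancingProtocol | undefined = spec.internalProtocol;
  if (!internalProtocol) {
    if (externalProtocol === 'tcp' || externalProtocol === 'ssl') internalProtocol = 'tcp';
    else if (externalProtocol === 'https') internalProtocol = 'http';
    else internalProtocol = WELL_KNOWN_PORTS[internalPort];
  }
  if (!internalProtocol) {
    throw new Error(`internalProtocol is required for instance port ${internalPort}`);
  }

  return {
    externalPort: spec.externalPort,
    externalProtocol,
    internalPort,
    internalProtocol,
    plaintextToInstances: isEncrypted(externalProtocol) && !isEncrypted(internalProtocol),
  };
}

// Constructed placeholder, not a real certificate ARN.
const EXAMPLE_CERT = 'arn:aws:iam::123456789012:server-certificate/example-cert';

// externalPort 443 with nothing else set resolves to https -> http, i.e. plaintext inside the VPC.
const httpsListener = resolveListener({ externalPort: 443, sslCertificateId: EXAMPLE_CERT });
```

If plaintextToInstances is true and that is not intended, set internalProtocol to 'https' (or 'ssl') explicitly rather than relying on the default.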

Allowing Connections

In AWS, all connections to and from EC2 instances are governed by Security Groups. You can think of these as a firewall with rules. All Constructs that create instances on your behalf implicitly have such a security group. Unless otherwise indicated using properties, the security groups start out empty; that is, no connections are allowed by default.

In general, whenever you link two Constructs together (such as the load balancer and the fleet in the previous example), the security groups will be automatically updated to allow network connections between the indicated instances. In other cases, you will need to configure the allowed connections yourself, for example if the connections you want to allow do not originate from instances in a CDK construct, or if you want to allow connections among instances inside a single security group.

All Constructs with security groups have a member called connections, which can be used to configure permissible connections. In the most general case, a call to allow connections needs both a connection peer and the type of connection to allow:

lb.connections.allowFrom(new AnyIPv4(), new TcpPort(443), 'Allow inbound');

// Or using a convenience function
lb.connections.allowFromAnyIpv4(new TcpPort(443), 'Allow inbound');

Connection Peers

There are various classes that implement the connection peer part:

// Simple connection peers
const internalRange = new CidrIp("10.0.0.0/16");
const anyIpv4 = new AnyIPv4();
const ipv6Range = new CidrIpv6("::0/0");
const anyIpv6 = new AnyIPv6();
const prefixListPeer = new PrefixList("pl-12345");

fleet.connections.allowTo(anyIpv4, new TcpPort(443), 'Allow outbound HTTPS');

Any object that has a security group can itself be used as a connection peer:

// These automatically create appropriate ingress and egress rules in both security groups
fleet1.connections.allowTo(fleet2, new TcpPort(80), 'Allow between fleets');

fleet.connections.allowFrom(lb, new TcpPort(80), 'Allow from load balancer');
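The paragraphs above describe a protocol rather than a single call: each peer knows how to render itself into the ingress and egress halves of a security group rule, each port range renders the protocol and ports, and allowTo/allowFrom write the matching pair of rules into both sides' security groups. The added example below is a compact model of that protocol, not the library's implementation. The property names follow the AWS::EC2::SecurityGroup Ingress/Egress CloudFormation schema; the security group IDs are constructed placeholders; worldOpenIngress is an added review check, not a library function.

```typescript
// Added example, not @aws-cdk/ec2 code: a model of the Connections protocol.
// Peers render the "who" half of a rule (toIngressRuleJSON/toEgressRuleJSON),
// port ranges render the "what" half (toRuleJSON), and allowTo/allowFrom add
// the matching egress and ingress rules to both security groups involved.

type RuleJson = { [key: string]: string | number };

interface IPortRange { toRuleJSON(): RuleJson; }
interface IConnectionPeer { toIngressRuleJSON(): RuleJson; toEgressRuleJSON(): RuleJson; }
interface IConnectable { readonly connections: Connections; }

class TcpPort implements IPortRange {
  constructor(private readonly port: number) {}
  toRuleJSON(): RuleJson { return { IpProtocol: 'tcp', FromPort: this.port, ToPort: this.port }; }
}

class TcpPortRange implements IPortRange {
  constructor(private readonly startPort: number, private readonly endPort: number) {}
  toRuleJSON(): RuleJson { return { IpProtocol: 'tcp', FromPort: this.startPort, ToPort: this.endPort }; }
}

class AllConnections implements IPortRange {
  // IpProtocol -1 means every protocol; EC2 ignores the ports for -1.
  toRuleJSON(): RuleJson { return { IpProtocol: '-1', FromPort: -1, ToPort: -1 }; }
}

// A CIDR peer owns no security group, so its Connections can only write rules
// into the other side (the SecurityGrouplessConnections case on this page).
class CidrIp implements IConnectionPeer, IConnectable {
  readonly connections: Connections;
  constructor(private readonly cidrIp: string) { this.connections = new Connections(this); }
  toIngressRuleJSON(): RuleJson { return { CidrIp: this.cidrIp }; }
  toEgressRuleJSON(): RuleJson { return { CidrIp: this.cidrIp }; }
}

class AnyIPv4 extends CidrIp { constructor() { super('0.0.0.0/0'); } }

// A security group is itself a peer: the other side's rules reference it by ID.
class SecurityGroup implements IConnectionPeer, IConnectable {
  readonly ingress: RuleJson[] = [];
  readonly egress: RuleJson[] = [];
  readonly connections: Connections;
  constructor(readonly securityGroupId: string) { this.connections = new Connections(this, this); }
  toIngressRuleJSON(): RuleJson { return { SourceSecurityGroupId: this.securityGroupId }; }
  toEgressRuleJSON(): RuleJson { return { DestinationSecurityGroupId: this.securityGroupId }; }
  addIngressRule(peer: IConnectionPeer, range: IPortRange, description: string): void {
    this.ingress.push({ ...peer.toIngressRuleJSON(), ...range.toRuleJSON(), Description: description });
  }
  addEgressRule(peer: IConnectionPeer, range: IPortRange, description: string): void {
    this.egress.push({ ...peer.toEgressRuleJSON(), ...range.toRuleJSON(), Description: description });
  }
}

class Connections {
  constructor(readonly connectionPeer: IConnectionPeer, readonly securityGroup?: SecurityGroup) {}
  // Our side gets an egress rule naming the peer; the peer's side gets the matching ingress rule.
  allowTo(other: IConnectable, range: IPortRange, description: string): void {
    if (this.securityGroup) this.securityGroup.addEgressRule(other.connections.connectionPeer, range, description);
    if (other.connections.securityGroup) other.connections.securityGroup.addIngressRule(this.connectionPeer, range, description);
  }
  allowFrom(other: IConnectable, range: IPortRange, description: string): void {
    if (this.securityGroup) this.securityGroup.addIngressRule(other.connections.connectionPeer, range, description);
    if (other.connections.securityGroup) other.connections.securityGroup.addEgressRule(this.connectionPeer, range, description);
  }
  allowFromAnyIpv4(range: IPortRange, description: string): void { this.allowFrom(new AnyIPv4(), range, description); }
}

// Added review check: ingress rules reachable from the whole internet.
function worldOpenIngress(sg: SecurityGroup): RuleJson[] {
  return sg.ingress.filter(r => r.CidrIp === '0.0.0.0/0' || r.CidrIpv6 === '::/0');
}

// Wire a load balancer and a fleet the way the text describes. IDs are constructed placeholders.
function buildExample(): { lbSg: SecurityGroup; fleetSg: SecurityGroup } {
  const lbSg = new SecurityGroup('sg-lb');
  const fleetSg = new SecurityGroup('sg-fleet');
  lbSg.connections.allowFromAnyIpv4(new TcpPort(443), 'Allow inbound');
  lbSg.connections.allowTo(fleetSg, new TcpPort(80), 'LB to fleet');
  fleetSg.connections.allowTo(new CidrIp('10.0.0.0/16'), new TcpPortRange(60000, 65535), 'Fleet to internal range');
  return { lbSg, fleetSg };
}
```

Running buildExample gives the load balancer one world-open ingress rule on 443 and one egress rule to sg-fleet on 80, while the fleet gets a single ingress rule that names sg-lb as its source and no world-open ingress at all, which is exactly what a reviewer should expect to see in the synthesized template.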

Port Ranges

The connections that are allowed are specified by port ranges. A number of classes provide the connection specifier:

new TcpPort(80);
new TcpPortRange(60000, 65535);
new TcpAllPorts();
new AllConnections();
NOTE: This set is not complete yet; for example, there is no library support for ICMP at the moment. However, you can write your own classes to implement those.

Default Ports

Some Constructs have default ports associated with them. For example, the listener of a load balancer does (it’s the public port), or instances of an RDS database (it’s the port the database is accepting connections on).

If the object you’re calling the peering method on has a default port associated with it, you can call allowDefaultPortFrom() and omit the port specifier. If the argument has an associated default port, call allowToDefaultPort().

For example:

// Port implicit in listener
listener.connections.allowDefaultPortFromAnyIpv4('Allow public');

// Port implicit in peer
fleet.connections.allowToDefaultPort(rdsDatabase, 'Fleet can access database');

Reference

AllConnections

class _aws-cdk_ec2.AllConnections

All connections: any protocol, any port

Implements:IPortRange
toRuleJSON() → any

Produce the ingress/egress rule JSON for the given connection

Return type:any
canInlineRule
Type:boolean (readonly)

AmazonLinuxEdition (enum)

class _aws-cdk_ec2.AmazonLinuxEdition
Standard
Minimal

AmazonLinuxImage

class _aws-cdk_ec2.AmazonLinuxImage([props])

Selects the latest version of Amazon Linux. The AMI ID is selected using the values published to the SSM parameter store.

Implements:IMachineImageSource
Parameters:props (AmazonLinuxImageProps or None) –
getImage(parent) → @aws-cdk/ec2.MachineImage

Return the image to use in the given context

Parameters:parent (Construct) –
Return type:MachineImage

AmazonLinuxImageProps (interface)

class _aws-cdk_ec2.AmazonLinuxImageProps

Amazon Linux image properties

edition

What edition of Amazon Linux to use

Type:AmazonLinuxEdition or None
virtualization

Virtualization type

Type:AmazonLinuxVirt or None
storage

What storage backed image to use

Type:AmazonLinuxStorage or None

AmazonLinuxStorage (enum)

class _aws-cdk_ec2.AmazonLinuxStorage
EBS
S3
GeneralPurpose

AmazonLinuxVirt (enum)

class _aws-cdk_ec2.AmazonLinuxVirt
HVM
PV

AnyIPv4

class _aws-cdk_ec2.AnyIPv4

Any IPv4 address

Extends:CidrIp

AnyIPv6

class _aws-cdk_ec2.AnyIPv6

Any IPv6 address

Extends:CidrIpv6

CidrIp

class _aws-cdk_ec2.CidrIp(cidrIp)

A connection to and from a given IP range

Implements:IConnectionPeer
Implements:IConnectable
Parameters:cidrIp (string) –
toIngressRuleJSON() → any

Produce the ingress rule JSON for the given connection

Return type:any
toEgressRuleJSON() → any

Produce the egress rule JSON for the given connection

Return type:any
canInlineRule

Whether the rule can be inlined into a SecurityGroup or not

Type:boolean (readonly)
connections
Type:IConnections (readonly)

CidrIpv6

class _aws-cdk_ec2.CidrIpv6(cidrIpv6)

A connection to and from a given IPv6 range

Implements:IConnectionPeer
Implements:IConnectable
Parameters:cidrIpv6 (string) –
toIngressRuleJSON() → any

Produce the ingress rule JSON for the given connection

Return type:any
toEgressRuleJSON() → any

Produce the egress rule JSON for the given connection

Return type:any
canInlineRule

Whether the rule can be inlined into a SecurityGroup or not

Type:boolean (readonly)
connections
Type:IConnections (readonly)

ClassicListenerPort

class _aws-cdk_ec2.ClassicListenerPort(securityGroup, defaultPortRange)

Reference to a listener's port just created. This class exists to make it convenient to add port ranges to the load balancer's security group just for the port ranges that are involved in the listener.

Implements:

IDefaultConnectable

Parameters:
  • securityGroup (ISecurityGroup) –
  • defaultPortRange (IPortRange) –
connections
Type:DefaultConnections (readonly)
defaultPortRange
Type:IPortRange (readonly)

ClassicLoadBalancer

class _aws-cdk_ec2.ClassicLoadBalancer(parent, name, props)

A load balancer with a single listener. Routes to a fleet of instances in a VPC.

Extends:

Construct

Implements:

IConnectable

Parameters:
  • parent (Construct) –
  • name (string) –
  • props (ClassicLoadBalancerProps) –
addListener(listener) → @aws-cdk/ec2.ClassicListenerPort

Add a listener to the load balancer

Parameters:listener (ClassicLoadBalancerListener) –
Returns:A ClassicListenerPort object that controls connections to the listener port
Return type:ClassicListenerPort
addTarget(target)
Parameters:target (IClassicLoadBalancerTarget) –
connections

Control all connections from and to this load balancer

Type:Connections (readonly)
connectionPeer
Type:IConnectionPeer (readonly)
listenerPorts

An object controlling specifically the connections for each listener added to this load balancer

Type:ClassicListenerPort (readonly)
loadBalancerName
Type:Token (readonly)
loadBalancerCanonicalHostedZoneName
Type:LoadBalancerCanonicalHostedZoneName (readonly)
loadBalancerDnsName
Type:LoadBalancerDnsName (readonly)
loadBalancerSourceSecurityGroupGroupName
Type:LoadBalancerSourceSecurityGroupGroupName (readonly)
loadBalancerSourceSecurityGroupOwnerAlias
Type:LoadBalancerSourceSecurityGroupOwnerAlias (readonly)

ClassicLoadBalancerListener (interface)

class _aws-cdk_ec2.ClassicLoadBalancerListener

Configuration of one listener on the load balancer

externalPort

External listening port

Type:number
externalProtocol

What public protocol to use for load balancing. Either 'tcp', 'ssl', 'http' or 'https'. May be omitted if the external port is either 80 or 443.

Type:string or None
internalPort

Instance listening port Same as the externalPort if not specified.

Type:number or None
internalProtocol

What protocol to use between the load balancer and the instances. Either 'tcp', 'ssl', 'http' or 'https'. May be omitted if the internal port is either 80 or 443. The instance protocol is 'tcp' if the front-end protocol is 'tcp' or 'ssl'; the instance protocol is 'http' if the front-end protocol is 'https'. Note that this means an 'https' listener forwards plaintext HTTP to the instances unless internalProtocol is set explicitly.

Type:string or None
policyNames

SSL policy names

Type:string[] or None
sslCertificateId

ID of SSL certificate

Type:Arn or None
allowConnectionsFrom

Allow connections to the load balancer from the given set of connection peers. By default, connections will be allowed from anywhere. Set this to an empty list to deny connections, or supply a custom list of peers to allow connections from (IP ranges or security groups).

Type:IConnectable or None

ClassicLoadBalancerProps (interface)

class _aws-cdk_ec2.ClassicLoadBalancerProps

Construction properties for a ClassicLoadBalancer

vpc

VPC network of the fleet instances

Type:VpcNetworkRef
internetFacing

Whether this is an internet-facing Load Balancer This controls whether the LB has a public IP address assigned. It does not open up the Load Balancer’s security groups to public internet access.

Type:boolean or None
listeners

What listeners to set up for the load balancer. Can also be added by .addListener()

Type:ClassicLoadBalancerListener[] or None
targets

What targets to load balance to. Can also be added by .addTarget()

Type:IClassicLoadBalancerTarget[] or None
healthCheck

Health check settings for the load balancing targets. Not required but recommended.

Type:HealthCheck or None

ConnectionRule (interface)

class _aws-cdk_ec2.ConnectionRule
protocol

The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). Use -1 to specify all protocols. If you specify -1, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6), traffic on all ports is allowed, regardless of any ports you specify. For tcp, udp, and icmp, you must specify a port range. For protocol 58 (ICMPv6), you can optionally specify a port range; if you don’t, traffic for all types and codes is allowed.

Type:string or None
fromPort

Start of port range for the TCP and UDP protocols, or an ICMP type number. If you specify icmp for the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP type number).

Type:number
toPort

End of port range for the TCP and UDP protocols, or an ICMP code. If you specify icmp for the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP code).

Type:number or None
description

Description of this connection. It is applied to both the ingress rule and the egress rule.

Type:string or None

Connections

class _aws-cdk_ec2.Connections(securityGroup)

Connections for an object that does not have default ports

Implements:IConnections
Parameters:securityGroup (ISecurityGroup) –
allowToDefaultPort(other, description)

Allow connections to the peer on their default port

Parameters:
  • other (IDefaultConnectable) –
  • description (string) –
allowTo(other, portRange, description)

Allow connections to the peer on the given port

Parameters:
  • other (IConnectable) –
  • portRange (IPortRange) –
  • description (string) –
allowFrom(other, portRange, description)

Allow connections from the peer on the given port

Parameters:
  • other (IConnectable) –
  • portRange (IPortRange) –
  • description (string) –
allowInternally(portRange, description)

Allow hosts inside the security group to connect to each other on the given port

Parameters:
  • portRange (IPortRange) –
  • description (string) –
allowToAnyIpv4(portRange, description)

Allow to all IPv4 ranges

Parameters:
  • portRange (IPortRange) –
  • description (string) –
allowFromAnyIpv4(portRange, description)

Allow from any IPv4 ranges

Parameters:
  • portRange (IPortRange) –
  • description (string) –
connectionPeer

Access to the peer that we're connecting to. It's convenient to put this on the Connections object since all participants in this protocol have one anyway, and the Connections objects have access to it, so they don't need to implement two interfaces.

Type:IConnectionPeer (readonly)

DefaultConnections

class _aws-cdk_ec2.DefaultConnections(securityGroup, defaultPortRangeProvider)

A class to orchestrate connections for an object that already has a default port range

Extends:

Connections

Parameters:
  • securityGroup (ISecurityGroup) –
  • defaultPortRangeProvider (IDefaultConnectable) –
allowDefaultPortFrom(other, description)

Allow connections from the peer on our default port. Even if the peer has a default port, we will always use our default port.

Parameters:
  • other (IConnectable) –
  • description (string) –
allowDefaultPortInternally(description)

Allow hosts inside the security group to connect to each other

Parameters:description (string) –
allowDefaultPortFromAnyIpv4(description)

Allow default connections from all IPv4 ranges

Parameters:description (string) –
defaultPortRange
Type:IPortRange (readonly)

DefaultInstanceTenancy (enum)

class _aws-cdk_ec2.DefaultInstanceTenancy
Default
Dedicated

Fleet

class _aws-cdk_ec2.Fleet(parent, name, props)

A Fleet represents a managed set of EC2 instances. The Fleet models an AutoScalingGroup, a launch configuration, a security group and an instance role. It allows adding arbitrary commands to the startup scripts of the instances in the fleet. The ASG spans all availability zones.

Extends:

Construct

Implements:

IClassicLoadBalancerTarget

Parameters:
  • parent (Construct) –
  • name (string) –
  • props (FleetProps) –
attachToClassicLB(loadBalancer)

Attach load-balanced target to a classic ELB

Parameters:loadBalancer (ClassicLoadBalancer) –
addUserData(script)

Add command to the startup script of fleet instances. The command must be in the scripting language supported by the fleet’s OS (i.e. Linux/Windows).

Parameters:script (string) –
autoScalingGroupName() → @aws-cdk/core.Token
Return type:Token
addToRolePolicy(statement)

Adds a statement to the IAM role assumed by instances of this fleet.

Parameters:statement (PolicyStatement) –
connectionPeer
Type:IConnectionPeer (readonly)
osType

The type of OS instances of this fleet are running.

Type:OperatingSystemType (readonly)
connections

Allows specifying security group connections for instances of this fleet.

Type:Connections (readonly)
role

The IAM role assumed by instances of this fleet.

Type:Role (readonly)

FleetProps (interface)

class _aws-cdk_ec2.FleetProps

Properties of a Fleet

instanceType

Type of instance to launch

Type:InstanceType
minSize

Minimum number of instances in the fleet

Type:number or None
maxSize

Maximum number of instances in the fleet

Type:number or None
desiredCapacity

Initial number of instances in the fleet

Type:number or None
keyName

Name of SSH keypair to grant access to instances

Type:string or None
machineImage

AMI to launch

Type:IMachineImageSource
vpc

VPC to launch these instances in.

Type:VpcNetworkRef
vpcPlacement

Where to place instances within the VPC

Type:VpcPlacementStrategy or None
notificationsTopic

SNS topic to send notifications about fleet changes

Type:TopicResource or None
allowAllOutbound

Whether the instances can initiate connections to anywhere by default

Type:boolean or None

GenericLinuxImage

class _aws-cdk_ec2.GenericLinuxImage(amiMap)

Construct a Linux machine image from an AMI map. Linux image IDs are not published to SSM parameter store yet, so you'll have to manually specify an AMI map.

Implements:IMachineImageSource
Parameters:amiMap (map of region name to AMI ID) –
getImage(parent) → @aws-cdk/ec2.MachineImage

Return the image to use in the given context

Parameters:parent (Construct) –
Return type:MachineImage

HealthCheck (interface)

class _aws-cdk_ec2.HealthCheck

Describe the health check to a load balancer

port

What port number to health check on

Type:number
protocol

What protocol to use for health checking. The protocol is automatically determined from the port if it's not supplied.

Type:string or None
path

What path to use for HTTP or HTTPS health check (must return 200). For SSL and TCP health checks, accepting connections is enough to be considered healthy.

Type:string or None
healthyThreshold

After how many successful checks is an instance considered healthy

Type:number or None
unhealthyThreshold

After how many unsuccessful checks is an instance considered unhealthy

Type:number or None
interval

Number of seconds between health checks

Type:number or None
timeout

Health check timeout

Type:number or None

IClassicLoadBalancerTarget (interface)

class _aws-cdk_ec2.IClassicLoadBalancerTarget

Interface that is going to be implemented by constructs that you can load balance to

Extends:IConnectable
attachToClassicLB(loadBalancer)

Attach load-balanced target to a classic ELB

Parameters:loadBalancer (ClassicLoadBalancer) –

IConnectable (interface)

class _aws-cdk_ec2.IConnectable

An object that has a Connections object. The goal of this module is to make it possible to write statements like this:

database.connections.allowFrom(fleet);
fleet.connections.allowTo(database);
rdgw.connections.allowFromCidrIp('0.3.1.5/86');
rdgw.connections.allowTrafficTo(fleet, new AllPorts());

The insight here is that some connecting peers have information on what ports should be involved in the connection, and some don't. Constructs set their connections property to an instance of either Connections or DefaultConnections.

connections
Type:IConnections (readonly)

IConnectionPeer (interface)

class _aws-cdk_ec2.IConnectionPeer

Interface for classes that provide the peer-specification parts of a security group rule

canInlineRule

Whether the rule can be inlined into a SecurityGroup or not

Type:boolean (readonly)
toIngressRuleJSON() → any

Produce the ingress rule JSON for the given connection

Return type:any
toEgressRuleJSON() → any

Produce the egress rule JSON for the given connection

Return type:any

IConnections (interface)

class _aws-cdk_ec2.IConnections

An object that encapsulates connection logic. The IConnections object both has knowledge on what peer to use, as well as how to add connection rules.

connectionPeer

Access to the peer that we're connecting to. It's convenient to put this on the Connections object since all participants in this protocol have one anyway, and the Connections objects have access to it, so they don't need to implement two interfaces.

Type:IConnectionPeer (readonly)
allowTo(other, portRange, description)

Allow connections to the peer on the given port

Parameters:
  • other (IConnectable) –
  • portRange (IPortRange) –
  • description (string) –
allowFrom(other, portRange, description)

Allow connections from the peer on the given port

Parameters:
  • other (IConnectable) –
  • portRange (IPortRange) –
  • description (string) –

IDefaultConnectable (interface)

class _aws-cdk_ec2.IDefaultConnectable

An object that has a Connections object as well as a default port range.

Extends:IConnectable
defaultPortRange
Type:IPortRange (readonly)

IMachineImageSource (interface)

class _aws-cdk_ec2.IMachineImageSource

Interface for classes that can select an appropriate machine image to use

getImage(parent) → @aws-cdk/ec2.MachineImage

Return the image to use in the given context

Parameters:parent (Construct) –
Return type:MachineImage

IPortRange (interface)

class _aws-cdk_ec2.IPortRange

Interface for classes that provide the connection-specification parts of a security group rule

canInlineRule
Type:boolean (readonly)
toRuleJSON() → any

Produce the ingress/egress rule JSON for the given connection

Return type:any

ISecurityGroup (interface)

class _aws-cdk_ec2.ISecurityGroup

Basic interface for security groups

Extends:IConnectionPeer
securityGroupId
Type:SecurityGroupId (readonly)
canInlineRule

Whether the rule can be inlined into a SecurityGroup or not

Type:boolean (readonly)
addIngressRule(peer, connection, description)
Parameters:
  • peer (IConnectionPeer) –
  • connection (IPortRange) –
  • description (string) –
addEgressRule(peer, connection, description)
Parameters:
  • peer (IConnectionPeer) –
  • connection (IPortRange) –
  • description (string) –

InstanceClass (enum)

class _aws-cdk_ec2.InstanceClass
Standard3
M3
Standard4
M4
Standard5
M5
Memory3
R3
Memory4
R4
Compute3
C3
Compute4
C4
Compute5
C5
Storage2
D2
StorageCompute1
H1
Io3
I3
Burstable2
T2
MemoryIntensive1
X1
MemoryIntensive1Extended
X1e
Fpga1
F1
Graphics3
G3
Parallel2
P2
Parallel3
P3

InstanceSize (enum)

class _aws-cdk_ec2.InstanceSize
Micro
Small
Medium
Large
XLarge
XLarge2
XLarge4
XLarge8
XLarge9
XLarge10
XLarge12
XLarge16
XLarge18
XLarge24
XLarge32

InstanceType

class _aws-cdk_ec2.InstanceType(instanceTypeIdentifier)

Instance type for EC2 instances. This class takes a literal string, good if you already know the identifier of the type you want.

Parameters:instanceTypeIdentifier (string) –
toString() → string

Return the instance type as a dotted string

Return type:string

InstanceTypePair

class _aws-cdk_ec2.InstanceTypePair(instanceClass, instanceSize)

Instance type for EC2 instances. This class takes a combination of a class and size. Be aware that not all combinations of class and size are available, and not all classes are available in all regions.

Extends:

InstanceType

Parameters:
  • instanceClass (InstanceClass) –
  • instanceSize (InstanceSize) –
instanceClass
Type:InstanceClass (readonly)
instanceSize
Type:InstanceSize (readonly)

LinuxOS

class _aws-cdk_ec2.LinuxOS

OS features specialized for Linux

Extends:OperatingSystem
createUserData(scripts) → string
Parameters:scripts (string) –
Return type:string
type
Type:OperatingSystemType (readonly)

LoadBalancingProtocol (enum)

class _aws-cdk_ec2.LoadBalancingProtocol
Tcp
Ssl
Http
Https

MachineImage

class _aws-cdk_ec2.MachineImage(imageId, os)

Representation of a machine to be launched. Combines an AMI ID with an OS.

Parameters:
  • imageId (string) –
  • os (OperatingSystem) –
imageId
Type:string (readonly)
os
Type:OperatingSystem (readonly)

OperatingSystem

class _aws-cdk_ec2.OperatingSystem

Abstraction of OS features we need to be aware of

Abstract:Yes
createUserData(scripts) → string
Parameters:scripts (string) –
Return type:string
Abstract:Yes
type
Type:OperatingSystemType (readonly)

OperatingSystemType (enum)

class _aws-cdk_ec2.OperatingSystemType
Linux
Windows

OutboundTrafficMode (enum)

class _aws-cdk_ec2.OutboundTrafficMode
None
FromPublicSubnetsOnly
FromPublicAndPrivateSubnets

PrefixList

class _aws-cdk_ec2.PrefixList(prefixListId)

A prefix list. Prefix lists are used to allow traffic to VPC-local service endpoints. For more information, see this page: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html

Implements:IConnectionPeer
Implements:IConnectable
Parameters:prefixListId (string) –
toIngressRuleJSON() → any

Produce the ingress rule JSON for the given connection

Return type:any
toEgressRuleJSON() → any

Produce the egress rule JSON for the given connection

Return type:any
canInlineRule

Whether the rule can be inlined into a SecurityGroup or not

Type:boolean (readonly)
connections
Type:IConnections (readonly)

Protocol (enum)

class _aws-cdk_ec2.Protocol
All
Tcp
Udp
Icmp
Icmpv6

SecurityGroup

class _aws-cdk_ec2.SecurityGroup(parent, name, props)

Creates an Amazon EC2 security group within a VPC. This class has an additional optimization over SecurityGroupRef in that it can also create inline ingress and egress rules (which saves on the total number of resources inside the template).

Extends:

SecurityGroupRef

Parameters:
  • parent (Construct) –
  • name (string) –
  • props (SecurityGroupProps) –
addIngressRule(peer, connection, description)
Parameters:
  • peer (IConnectionPeer) –
  • connection (IPortRange) –
  • description (string) –
addEgressRule(peer, connection, description)
Parameters:
  • peer (IConnectionPeer) –
  • connection (IPortRange) –
  • description (string) –
groupName

An attribute that represents the security group name.

Type:SecurityGroupName (readonly)
vpcId

An attribute that represents the physical VPC ID this security group is part of.

Type:SecurityGroupVpcId (readonly)

SecurityGroupName

class _aws-cdk_ec2.SecurityGroupName([valueOrFunction])
Extends:Token
Parameters:valueOrFunction (any or None) –

SecurityGroupProps (interface)

class _aws-cdk_ec2.SecurityGroupProps
groupName

The name of the security group. For valid values, see the GroupName parameter of the CreateSecurityGroup action in the Amazon EC2 API Reference. It is not recommended to use an explicit group name.

Type:string or None
description

A description of the security group.

Type:string or None
vpc

The VPC in which to create the security group.

Type:VpcNetworkRef

SecurityGroupRef

class _aws-cdk_ec2.SecurityGroupRef(parent, name, props)

A SecurityGroup that is not created in this template

Extends:

Construct

Implements:

ISecurityGroup

Parameters:
  • parent (Construct) –
  • name (string) –
  • props (SecurityGroupRefProps) –
addIngressRule(peer, connection, description)
Parameters:
  • peer (IConnectionPeer) –
  • connection (IPortRange) –
  • description (string) –
addEgressRule(peer, connection, description)
Parameters:
  • peer (IConnectionPeer) –
  • connection (IPortRange) –
  • description (string) –
toIngressRuleJSON() → any

Produce the ingress rule JSON for the given connection

Return type:any
toEgressRuleJSON() → any

Produce the egress rule JSON for the given connection

Return type:any
securityGroupId
Type:SecurityGroupId (readonly)
canInlineRule

Whether the rule can be inlined into a SecurityGroup or not

Type:boolean (readonly)

SecurityGroupRefProps (interface)

class _aws-cdk_ec2.SecurityGroupRefProps
securityGroupId

ID of security group

Type:SecurityGroupId

SecurityGrouplessConnections

class _aws-cdk_ec2.SecurityGrouplessConnections(connectionPeer)

This object is used by peers who don't allow reverse connections. It still has an associated connection peer, but that peer does not have any security groups to add connections to, so allowTo and allowFrom only add rules on the other side.

Implements:IConnections
Parameters:connectionPeer (IConnectionPeer) –
allowTo(_other, _connection, _description)

Allow connections to the peer on the given port

Parameters:
  • _other (IConnectable) –
  • _connection (IPortRange) –
  • _description (string) –
allowFrom(_other, _connection, _description)

Allow connections from the peer on the given port

Parameters:
  • _other (IConnectable) –
  • _connection (IPortRange) –
  • _description (string) –
connectionPeer
Type:IConnectionPeer (readonly)

TcpAllPorts

class _aws-cdk_ec2.TcpAllPorts

All TCP Ports

Implements:IPortRange
toRuleJSON() → any

Produce the ingress/egress rule JSON for the given connection

Return type:any
canInlineRule
Type:boolean (readonly)

TcpPort

class _aws-cdk_ec2.TcpPort(port)

A single TCP port

Implements:IPortRange
Parameters:port (number) –
toRuleJSON() → any

Produce the ingress/egress rule JSON for the given connection

Return type:any
canInlineRule
Type:boolean (readonly)

TcpPortFromAttribute

class _aws-cdk_ec2.TcpPortFromAttribute(port)

A single TCP port that is provided by a resource attribute

Implements:IPortRange
Parameters:port (Token) –
toRuleJSON() → any

Produce the ingress/egress rule JSON for the given connection

Return type:any
canInlineRule
Type:boolean (readonly)

TcpPortRange

class _aws-cdk_ec2.TcpPortRange(startPort, endPort)

A TCP port range

Implements:

IPortRange

Parameters:
  • startPort (number) –
  • endPort (number) –
toRuleJSON() → any

Produce the ingress/egress rule JSON for the given connection

Return type:any
canInlineRule
Type:boolean (readonly)

VpcNetwork

class _aws-cdk_ec2.VpcNetwork(parent, name[, props])

VpcNetwork deploys an AWS VPC, with public and private subnets per Availability Zone. For example:

import { VpcNetwork } from '@aws-cdk/ec2';

const vpc = new VpcNetwork(this, 'VPC', { cidr: '10.0.0.0/16' });

// Iterate the public subnets
for (const subnet of vpc.publicSubnets) { }

// Iterate the private subnets
for (const subnet of vpc.privateSubnets) { }

Extends:

VpcNetworkRef

Parameters:
  • parent (Construct) –
  • name (string) –
  • props (VpcNetworkProps or None) –
DEFAULT_CIDR_RANGE

The default CIDR range used when creating VPCs. This can be overridden using VpcNetworkProps when creating a VpcNetwork resource, e.g. new VpcNetwork(this, 'VPC', { cidr: '192.168.0.0/16' })

Type:string (readonly) (static)
vpcId

Identifier for this VPC

Type:VpcNetworkId (readonly)
publicSubnets

List of public subnets in this VPC

Type:VpcSubnetRef[] (readonly)
privateSubnets

List of private subnets in this VPC

Type:VpcSubnetRef[] (readonly)
cidr
Type:Token (readonly)

VpcNetworkId

class _aws-cdk_ec2.VpcNetworkId([valueOrFunction])

Identifier for a VPC

Extends:Token
Parameters:valueOrFunction (any or None) –

VpcNetworkProps (interface)

class _aws-cdk_ec2.VpcNetworkProps

VpcNetworkProps allows you to specify configuration options for a VPC

cidr

The CIDR range to use for the VPC (e.g. ‘10.0.0.0/16’). Should be a minimum of /28 and maximum size of /16. The range will be split evenly into two subnets per Availability Zone (one public, one private).

Type:string or None
enableDnsHostnames

Indicates whether the instances launched in the VPC get public DNS hostnames. If this attribute is true, instances in the VPC get public DNS hostnames, but only if the enableDnsSupport attribute is also set to true.

Type:boolean or None
enableDnsSupport

Indicates whether DNS resolution is supported for the VPC. If this attribute is false, the Amazon-provided DNS server in the VPC that resolves public DNS hostnames to IP addresses is not enabled. If this attribute is true, queries to the Amazon-provided DNS server at the 169.254.169.253 IP address, or at the reserved IP address at the base of the VPC IPv4 network range plus two, will succeed.

Type:boolean or None
defaultInstanceTenancy

The default tenancy of instances launched into the VPC. By default, instances will be launched with default (shared) tenancy. By setting this to dedicated tenancy, instances will be launched on hardware dedicated to a single AWS customer, unless a different tenancy is specified at instance launch time. Please note, not all instance types are usable with dedicated tenancy.

Type:string or None
tags

The AWS resource tags to associate with the VPC.

Type:Tag or None
outboundTraffic

Defines whether the VPC is configured to route outbound traffic from private and/or public subnets. By default, outbound traffic will be allowed from public and private subnets.

Type:number or None
maxAZs

Define the maximum number of AZs to use in this region. If the region has more AZs than you want to use (for example, because of EIP limits), pick a lower number here. The AZs will be sorted and picked from the start of the list.

Type:number or None
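The cidr, enableDnsSupport and maxAZs descriptions above, worked through in one runnable model. This is an added example for this page, not code from the @aws-cdk/ec2 library: parseVpcCidr, vpcResolverAddress and planSubnets are assumed names, and the even power-of-two split is an illustration of the documented layout, not the library's own allocation algorithm.

```typescript
// Added example, not part of @aws-cdk/ec2: models how the `cidr` and `maxAZs`
// props shape a VPC layout and the resolver address `enableDnsSupport` refers to.
// The power-of-two even split is illustrative, not the library's own allocation.

interface SubnetPlan { az: string; kind: 'public' | 'private'; cidrBlock: string; }

function ipToInt(ip: string): number {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function intToIp(n: number): string {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Validate a VPC CIDR against the documented /16 .. /28 bounds and its alignment.
function parseVpcCidr(cidr: string): { base: number; prefix: number } {
  const [ip, prefixStr] = cidr.split('/');
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 16 || prefix > 28) {
    throw new Error(`VPC CIDR must be between /16 and /28, got ${cidr}`);
  }
  const base = ipToInt(ip);
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  if (((base & mask) >>> 0) !== base) throw new Error(`${cidr} is not aligned to /${prefix}`);
  return { base, prefix };
}

// The VPC DNS resolver at "base of the IPv4 range plus two" (10.0.0.0/16 -> 10.0.0.2).
function vpcResolverAddress(cidr: string): string {
  return intToIp(parseVpcCidr(cidr).base + 2);
}

// Sort the AZs and take the first maxAZs, then split the range into 2 * n equal subnets:
// public subnets fill the first half, private the second (the VpcNetworkRefProps order).
function planSubnets(cidr: string, azs: string[], maxAZs?: number): SubnetPlan[] {
  const chosen = azs.slice().sort().slice(0, maxAZs === undefined ? azs.length : maxAZs);
  const { base, prefix } = parseVpcCidr(cidr);
  const subnetPrefix = prefix + Math.ceil(Math.log2(chosen.length * 2));
  if (subnetPrefix > 28) throw new Error(`cannot fit ${chosen.length * 2} subnets in ${cidr}`);
  const size = Math.pow(2, 32 - subnetPrefix);   // addresses per subnet
  const block = (idx: number) => `${intToIp(base + idx * size)}/${subnetPrefix}`;
  const pub = chosen.map((az, i): SubnetPlan => ({ az, kind: 'public', cidrBlock: block(i) }));
  const priv = chosen.map((az, i): SubnetPlan => ({ az, kind: 'private', cidrBlock: block(chosen.length + i) }));
  return pub.concat(priv);
}
```

With three AZs the split yields six /19 blocks inside a /16 and leaves the remaining two /19s unallocated; a non-power-of-two subnet count always wastes some of the range this way.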

VpcNetworkRef

class _aws-cdk_ec2.VpcNetworkRef(parent, name)

A new or imported VPC

Extends:

Construct

Implements:

IDependable

Abstract:

Yes

Parameters:
  • parent (Construct) – The parent construct
  • name (string) –
static import(parent, name, props) → @aws-cdk/ec2.VpcNetworkRef

Import an exported VPC

Parameters:
  • parent (Construct) –
  • name (string) –
  • props (VpcNetworkRefProps) –
Return type:

VpcNetworkRef

subnets([placement]) → @aws-cdk/ec2.VpcSubnetRef[]

Return the subnets appropriate for the placement strategy

Parameters:placement (VpcPlacementStrategy or None) –
Return type:VpcSubnetRef
export() → @aws-cdk/ec2.VpcNetworkRefProps

Export this VPC from the stack

Return type:VpcNetworkRefProps
vpcId

Identifier for this VPC

Type:VpcNetworkId (readonly) (abstract)
publicSubnets

List of public subnets in this VPC

Type:VpcSubnetRef (readonly) (abstract)
privateSubnets

List of private subnets in this VPC

Type:VpcSubnetRef (readonly) (abstract)
dependencyElements

Parts of the VPC that constitute full construction

Type:IDependable (readonly)

VpcNetworkRefProps (interface)

class _aws-cdk_ec2.VpcNetworkRefProps

Properties that reference an external VpcNetwork

vpcId

VPC’s identifier

Type:VpcNetworkId
availabilityZones

List of availability zones, one for every subnet. The first half are for the public subnets, the second half are for the private subnets.

Type:string
publicSubnetIds

List of public subnet IDs, one for every subnet. Must match the availability zones and private subnet IDs in length and order.

Type:VpcSubnetId
privateSubnetIds

List of private subnet IDs, one for every subnet. Must match the availability zones and public subnet IDs in length and order.

Type:VpcSubnetId

VpcPlacementStrategy (interface)

class _aws-cdk_ec2.VpcPlacementStrategy

Customize how instances are placed inside a VPC. Constructs that allow customization of VPC placement use parameters of this type to provide placement settings.

usePublicSubnets

Whether to use the VPC's public subnets to start instances. If false, the instances are started in the private subnets.

Type:boolean or None

VpcPrivateSubnet

class _aws-cdk_ec2.VpcPrivateSubnet(parent, name, props)

Represents a private VPC subnet resource

Extends:

VpcSubnet

Parameters:
  • parent (Construct) –
  • name (string) –
  • props (VpcSubnetProps) –
addDefaultNatRouteEntry(natGatewayId)

Adds an entry to this subnet's route table that points to the passed NAT gateway ID

Parameters:natGatewayId (Token) –

VpcPublicSubnet

class _aws-cdk_ec2.VpcPublicSubnet(parent, name, props)

Represents a public VPC subnet resource

Extends:

VpcSubnet

Parameters:
  • parent (Construct) –
  • name (string) –
  • props (VpcSubnetProps) –
addDefaultIGWRouteEntry(gatewayId)

Create a default route that points to a passed IGW

Parameters:gatewayId (Token) –
addNatGateway() → @aws-cdk/core.Token

Creates a new managed NAT gateway attached to this public subnet. Also adds the EIP for the managed NAT. Returns the NAT Gateway ref

Return type:Token

VpcSubnet

class _aws-cdk_ec2.VpcSubnet(parent, name, props)

Represents a new VPC subnet resource

Extends:

VpcSubnetRef

Parameters:
  • parent (Construct) –
  • name (string) –
  • props (VpcSubnetProps) –
addDefaultRouteToNAT(natGatewayId)
Parameters:natGatewayId (Token) –
addDefaultRouteToIGW(gatewayId)
Parameters:gatewayId (Token) –
availabilityZone

The Availability Zone the subnet is located in

Type:string (readonly)
subnetId

The subnetId for this particular subnet

Type:VpcSubnetId (readonly)

VpcSubnetId

class _aws-cdk_ec2.VpcSubnetId([valueOrFunction])

Id of a VPC Subnet

Extends:Token
Parameters:valueOrFunction (any or None) –

VpcSubnetProps (interface)

class _aws-cdk_ec2.VpcSubnetProps

Specify configuration parameters for a VPC subnet

availabilityZone
Type:string
vpcId
Type:Token
cidrBlock
Type:string
mapPublicIpOnLaunch
Type:boolean or None

VpcSubnetRef

class _aws-cdk_ec2.VpcSubnetRef(parent, name)

A new or imported VPC Subnet

Extends:

Construct

Implements:

IDependable

Abstract:

Yes

Parameters:
  • parent (Construct) – The parent construct
  • name (string) –
static import(parent, name, props) → @aws-cdk/ec2.VpcSubnetRef
Parameters:
  • parent (Construct) –
  • name (string) –
  • props (VpcSubnetRefProps) –
Return type:

VpcSubnetRef

availabilityZone

The Availability Zone the subnet is located in

Type:string (readonly) (abstract)
subnetId

The subnetId for this particular subnet

Type:VpcSubnetId (readonly) (abstract)
dependencyElements

Parts of this VPC subnet

Type:IDependable (readonly)

VpcSubnetRefProps (interface)

class _aws-cdk_ec2.VpcSubnetRefProps
availabilityZone

The Availability Zone the subnet is located in

Type:string
subnetId

The subnetId for this particular subnet

Type:VpcSubnetId

WindowsImage

class _aws-cdk_ec2.WindowsImage(version)

Select the latest version of the indicated Windows version. The AMI ID is selected using the values published to the SSM parameter store. https://aws.amazon.com/blogs/mt/query-for-the-latest-windows-ami-using-systems-manager-parameter-store/

Implements:IMachineImageSource
Parameters:version (WindowsVersion) –
getImage(parent) → @aws-cdk/ec2.MachineImage

Return the image to use in the given context

Parameters:parent (Construct) –
Return type:MachineImage

WindowsOS

class _aws-cdk_ec2.WindowsOS

OS features specialized for Windows

Extends:OperatingSystem
createUserData(scripts) → string
Parameters:scripts (string) –
Return type:string
type
Type:OperatingSystemType (readonly)

WindowsVersion (enum)

class _aws-cdk_ec2.WindowsVersion
WindowsServer2016TurksihFullBase
WindowsServer2016SwedishFullBase
WindowsServer2016SpanishFullBase
WindowsServer2016RussianFullBase
WindowsServer2016PortuguesePortugalFullBase
WindowsServer2016PortugueseBrazilFullBase
WindowsServer2016PolishFullBase
WindowsServer2016KoreanFullSQL2016Base
WindowsServer2016KoreanFullBase
WindowsServer2016JapaneseFullSQL2016Web
WindowsServer2016JapaneseFullSQL2016Standard
WindowsServer2016JapaneseFullSQL2016Express
WindowsServer2016JapaneseFullSQL2016Enterprise
WindowsServer2016JapaneseFullBase
WindowsServer2016ItalianFullBase
WindowsServer2016HungarianFullBase
WindowsServer2016GermanFullBase
WindowsServer2016FrenchFullBase
WindowsServer2016EnglishNanoBase
WindowsServer2016EnglishFullSQL2017Web
WindowsServer2016EnglishFullSQL2017Standard
WindowsServer2016EnglishFullSQL2017Express
WindowsServer2016EnglishFullSQL2017Enterprise