@guardian/cdk
    Preparing search index...

    Construct which creates a Virtual Private Cloud.

    NOTE: This construct requires an environment to be set to function correctly. Without this, an environment-agnostic template will be produced, which will only use two AZs even if the region contains more than that. To set this, set the env prop when instantiating your stack.

    NOTE: If using this construct outside eu-west-1, you'll need to commit the cdk.context.json file that's created after synthesising locally.

    Be aware that account IDs are considered sensitive information and should NOT be committed to public repos.

    The VPC is provisioned with a public and private subnet for each availability zone, with IPs spread evenly across these. Instances in private subnets cannot be accessed directly over the internet. You should locate services in instances in the private subnets, and provide HTTP(S) as required via load balancers living in the public subnets.

    A CIDR block is a combined IP and network mask that specifies the IP addresses in your VPC. For testing purposes any (AWS supported) CIDR block will do, but for production you should:

    • use a /21 network mask (providing up to 2048 IPs, which is plenty for most accounts)
    • ask Enterprise Tech for an IP address to go with this range (so that peering with other company VPCs is possible without IP clashes)

    A managed NAT is created for each private subnet to allow access to the internet.

    For recommendations on how best to configure your VPC see: https://github.com/guardian/recommendations/blob/main/AWS.md#vpc

    For more information on VPCs and AWS see: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html.

    Hierarchy

    • Vpc
      • GuVpc
    Index

    Constructors

    Properties

    _vpnGatewayId?: string

    Mutable private field for the vpnGatewayId

    availabilityZones: string[]

    AZs for this VPC

    dnsHostnamesEnabled: boolean

    Indicates if instances launched in this VPC will have public DNS hostnames.

    dnsSupportEnabled: boolean

    Indicates if DNS support is enabled for this VPC.

    env: ResourceEnvironment

    The environment this resource belongs to. For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

    incompleteSubnetDefinition: boolean

    If this is set to true, don't error out on trying to select subnets

    internetConnectivityEstablished: IDependable

    Dependencies for internet connectivity

    internetGatewayId?: string

    Internet Gateway for the VPC. Note that in case the VPC is configured only with ISOLATED subnets, this attribute will be undefined.

    isolatedSubnets: ISubnet[]

    List of isolated subnets in this VPC

    node: Node

    The tree node.

    physicalName: string

    Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.

    This value will resolve to one of the following:

    • a concrete value (e.g. "my-awesome-bucket")
    • undefined, when a name should be generated by CloudFormation
    • a concrete name generated automatically during synthesis, in cross-environment scenarios.
    privateSubnets: ISubnet[]

    List of private subnets in this VPC

    publicSubnets: ISubnet[]

    List of public subnets in this VPC

    stack: Stack

    The stack in which this resource is defined.

    vpcArn: string
    vpcCidrBlock: string
    vpcCidrBlockAssociations: string[]
    vpcDefaultNetworkAcl: string
    vpcDefaultSecurityGroup: string
    vpcId: string

    Identifier for this VPC

    vpcIpv6CidrBlocks: string[]
    DEFAULT_CIDR_RANGE: string

    The default CIDR range used when creating VPCs. This can be overridden using VpcProps when creating a VPCNetwork resource. e.g. new VpcResource(this, { cidr: '192.168.0.0./16' })

    Note this is specific to the IPv4 CIDR.

    DEFAULT_SUBNETS: SubnetConfiguration[]

    The default subnet configuration

    1 Public and 1 Private subnet per AZ evenly split

    DEFAULT_SUBNETS_NO_NAT: SubnetConfiguration[]

    The default subnet configuration if natGateways specified to be 0

    1 Public and 1 Isolated Subnet per AZ evenly split

    PROPERTY_INJECTION_ID: string

    Uniquely identifies this class.

    Accessors

    • get vpnGatewayId(): undefined | string

      Returns the id of the VPN Gateway (if enabled)

      Returns undefined | string

    Methods

    • Internal

      Called when this resource is referenced across environments (account/region) to order to request that a physical name will be generated for this resource during synthesis, so the resource can be referenced through its absolute name/arn.

      Returns void

    • Adds a new client VPN endpoint to this VPC

      Parameters

      • id: string
      • options: ClientVpnEndpointOptions

      Returns ClientVpnEndpoint

    • Adds a new flow log to this VPC

      Parameters

      • id: string
      • Optionaloptions: FlowLogOptions

      Returns FlowLog

    • Adds a new gateway endpoint to this VPC

      Parameters

      • id: string
      • options: GatewayVpcEndpointOptions

      Returns GatewayVpcEndpoint

    • Adds a new interface endpoint to this VPC

      Parameters

      • id: string
      • options: InterfaceVpcEndpointOptions

      Returns InterfaceVpcEndpoint

    • Adds a new VPN connection to this VPC

      Parameters

      • id: string
      • options: VpnConnectionOptions

      Returns VpnConnection

    • Apply the given removal policy to this resource

      The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

      The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

      Parameters

      • policy: RemovalPolicy

      Returns void

    • Adds a VPN Gateway to this VPC

      Parameters

      • options: EnableVpnGatewayOptions

      Returns void

    • Returns string

    • Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. bucket.bucketArn).

      Normally, this token will resolve to arnAttr, but if the resource is referenced across environments, arnComponents will be used to synthesize a concrete ARN with the resource's physical name. Make sure to reference this.physicalName in arnComponents.

      Parameters

      • arnAttr: string

        The CFN attribute which resolves to the ARN of the resource. Commonly it will be called "Arn" (e.g. resource.attrArn), but sometimes it's the CFN resource's ref.

      • arnComponents: ArnComponents

        The format of the ARN of this resource. You must reference this.physicalName somewhere within the ARN in order for cross-environment references to work.

      Returns string

    • Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. bucket.bucketName).

      Normally, this token will resolve to nameAttr, but if the resource is referenced across environments, it will be resolved to this.physicalName, which will be a concrete name.

      Parameters

      • nameAttr: string

        The CFN attribute which resolves to the resource's name. Commonly this is the resource's ref.

      Returns string

    • Return the subnets appropriate for the placement strategy

      Parameters

      • Optionalselection: SubnetSelection

      Returns ISubnet[]

    • Returns IDs of selected subnets

      Parameters

      • Optionalselection: SubnetSelection

      Returns SelectedSubnets

    • Returns a string representation of this construct.

      Returns string

    • Import an existing VPC by querying the AWS environment this stack is deployed to.

      This function only needs to be used to use VPCs not defined in your CDK application. If you are looking to share a VPC between stacks, you can pass the Vpc object between stacks and use it as normal.

      Calling this method will lead to a lookup when the CDK CLI is executed. You can therefore not use any values that will only be available at CloudFormation execution time (i.e., Tokens).

      The VPC information will be cached in cdk.context.json and the same VPC will be used on future runs. To refresh the lookup, you will have to evict the value from the cache using the cdk context command. See https://docs.aws.amazon.com/cdk/latest/guide/context.html for more information.

      Parameters

      • scope: Construct
      • id: string
      • options: VpcLookupOptions

      Returns IVpc

    • Import a VPC by supplying all attributes directly

      NOTE: using fromVpcAttributes() with deploy-time parameters (like a Fn.importValue() or CfnParameter to represent a list of subnet IDs) sometimes accidentally works. It happens to work for constructs that need a list of subnets (like AutoScalingGroup and eks.Cluster) but it does not work for constructs that need individual subnets (like Instance). See https://github.com/aws/aws-cdk/issues/4118 for more information.

      Prefer to use Vpc.fromLookup() instead.

      Parameters

      • scope: Construct
      • id: string
      • attrs: VpcAttributes

      Returns IVpc

    • Checks if x is a construct.

      Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

      Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

      Parameters

      • x: any

        Any object

      Returns x is Construct

      true if x is an object created from a class which extends Construct.

    • Returns true if the construct was created by CDK, and false otherwise

      Parameters

      • construct: IConstruct

      Returns boolean

    • Check whether the given construct is a Resource

      Parameters

      • construct: IConstruct

      Returns construct is Resource