availabilityZones?: string[]

Availability zones this VPC spans.

Specify this option only if you do not specify maxAzs.


  • a subset of AZs of the stack
cidr?: string

The CIDR range to use for the VPC, e.g. ''.

Should be a minimum of /28 and maximum size of /16. The range will be split across all subnets per Availability Zone.



defaultInstanceTenancy?: DefaultInstanceTenancy

The default tenancy of instances launched into the VPC.

By setting this to dedicated tenancy, instances will be launched on hardware dedicated to a single AWS customer, unless specifically specified at instance launch time. Please note, not all instance types are usable with Dedicated tenancy.


DefaultInstanceTenancy.Default (shared) tenancy

enableDnsHostnames?: boolean

Indicates whether the instances launched in the VPC get public DNS hostnames.

If this attribute is true, instances in the VPC get public DNS hostnames, but only if the enableDnsSupport attribute is also set to true.



enableDnsSupport?: boolean

Indicates whether the DNS resolution is supported for the VPC.

If this attribute is false, the Amazon-provided DNS server in the VPC that resolves public DNS hostnames to IP addresses is not enabled. If this attribute is true, queries to the Amazon provided DNS server at the IP address, or the reserved IP address at the base of the VPC IPv4 network range plus two will succeed.



flowLogs?: { [id: string]: FlowLogOptions }

Flow logs to add to this VPC.


  • No flow logs.

Type declaration

  • [id: string]: FlowLogOptions
gatewayEndpoints?: { [id: string]: GatewayVpcEndpointOptions }

Gateway endpoints to add to this VPC.


  • None.

Type declaration

  • [id: string]: GatewayVpcEndpointOptions
maxAzs?: number

Define the maximum number of AZs to use in this region

If the region has more AZs than you want to use (for example, because of EIP limits), pick a lower number here. The AZs will be sorted and picked from the start of the list.

If you pick a higher number than the number of AZs in the region, all AZs in the region will be selected. To use "all AZs" available to your account, use a high number (such as 99).

Be aware that environment-agnostic stacks will be created with access to only 2 AZs, so to use more than 2 AZs, be sure to specify the account and region on your stack.

Specify this option only if you do not specify availabilityZones.



natGatewayProvider?: NatProvider

What type of NAT provider to use

Select between NAT gateways or NAT instances. NAT gateways may not be available in all AWS regions.



natGatewaySubnets?: SubnetSelection

Configures the subnets which will have NAT Gateways/Instances

You can pick a specific group of subnets by specifying the group name; the picked subnets must be public subnets.

Only necessary if you have more than one public subnet group.


  • All public subnets.
natGateways?: number

The number of NAT Gateways/Instances to create.

The type of NAT gateway or instance will be determined by the natGatewayProvider parameter.

You can set this number lower than the number of Availability Zones in your VPC in order to save on NAT cost. Be aware you may be charged for cross-AZ data traffic instead.


  • One NAT gateway/instance per Availability Zone
ssmParameters?: boolean

Whether to add SSM Parameters containing VPC metadata, which are expected to exist by many other Guardian CDK patterns.

Defaults to 'true'.

ssmParametersNamespace?: string

An identifier for the VPC to namespace SSM parameters. Customise when you have multiple teams/VPCs in the same account.

This will be combined with the /account/vpc prefix for the full parameter name. e.g. '/account/vpc/primary'.

Defaults to 'primary'.

subnetConfiguration?: SubnetConfiguration[]

Configure the subnets to build for each AZ

Each entry in this list configures a Subnet Group; each group will contain a subnet for each Availability Zone.

For example, if you want 1 public subnet, 1 private subnet, and 1 isolated subnet in each AZ provide the following:

new ec2.Vpc(this, 'VPC', {
subnetConfiguration: [
cidrMask: 24,
name: 'ingress',
subnetType: ec2.SubnetType.PUBLIC,
cidrMask: 24,
name: 'application',
subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
cidrMask: 28,
name: 'rds',
subnetType: ec2.SubnetType.PRIVATE_ISOLATED,


  • The VPC CIDR will be evenly divided between 1 public and 1 private subnet per AZ.
vpcName?: string

The VPC name.

Since the VPC resource doesn't support providing a physical name, the value provided here will be recorded in the Name tag



vpnConnections?: { [id: string]: VpnConnectionOptions }

VPN connections to this VPC.


  • No connections.

Type declaration

  • [id: string]: VpnConnectionOptions
vpnGateway?: boolean

Indicates whether a VPN gateway should be created and attached to this VPC.


  • true when vpnGatewayAsn or vpnConnections is specified
vpnGatewayAsn?: number

The private Autonomous System Number (ASN) for the VPN gateway.


  • Amazon default ASN.
vpnRoutePropagation?: SubnetSelection[]

Where to propagate VPN routes.


  • On the route tables associated with private subnets. If no private subnets exists, isolated subnets are used. If no isolated subnets exists, public subnets are used.

Generated using TypeDoc