DataVpc

Amazon VPC optimized for data solutions.

Overview

The DataVpc construct provides a standard Amazon VPC that follows security best practices for data solution implementations:

  • The VPC is created with public and private subnets across 3 Availability Zones (one of each per AZ) and 3 NAT gateways.
  • The VPC CIDR mask should be larger than 28. The CIDR is split between public and private subnets, with each private subnet twice as large as a public subnet.
  • Flow logs are managed by a dedicated least-privilege IAM role. The role can be customized.
  • Flow logs are exported to an Amazon CloudWatch log group encrypted with an Amazon KMS customer managed key. The KMS key can be customized.
  • A gateway VPC endpoint is created for S3 access.
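The CIDR constraint and the 2:1 private-to-public split above are worth seeing in numbers before you pick a vpcCidr. The following is an added example, not code from the DSF project: it reads the constraint as requiring a network larger than a /28, allocates three private and three public subnets with each private subnet twice the size of a public one, and rejects inputs that cannot hold six subnets of at least /28 (the smallest subnet AWS allows). The allocation order and the "largest power of two that fits" rule are assumptions made here, not the construct's own algorithm.

```typescript
// Added example (not DSF code): checks the VPC CIDR constraint from the list
// above and works out one subnet split that satisfies it: 3 AZs, one public
// and one private subnet per AZ, each private subnet twice the size of a
// public subnet. The allocation order and the "largest power of two" rule
// are assumptions made here, not the construct's own algorithm.

const AZ_COUNT = 3;
const SMALLEST_VPC_MASK = 28;    // the VPC must be larger than a /28
const SMALLEST_SUBNET_MASK = 28; // AWS does not allow subnets smaller than /28

interface SubnetPlan {
  vpcCidr: string;
  publicMask: number;     // prefix length of each public subnet
  privateMask: number;    // prefix length of each private subnet
  publicCidrs: string[];
  privateCidrs: string[];
}

function ipToInt(ip: string): number {
  const octets = ip.split('.').map(Number);
  if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  const [a = 0, b = 0, c = 0, d = 0] = octets;
  // >>> 0 keeps the result unsigned when the first octet is 128 or more
  return ((a << 24) >>> 0) + (b << 16) + (c << 8) + d;
}

function intToIp(n: number): string {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

function planSubnets(vpcCidr: string): SubnetPlan {
  const [base = '', maskText = ''] = vpcCidr.split('/');
  const vpcMask = Number(maskText);
  if (!Number.isInteger(vpcMask) || vpcMask < 0 || vpcMask > 32) {
    throw new Error(`invalid prefix length in ${vpcCidr}`);
  }
  if (vpcMask >= SMALLEST_VPC_MASK) {
    throw new Error(`VPC CIDR must be larger than /${SMALLEST_VPC_MASK}, got /${vpcMask}`);
  }
  const vpcSize = 2 ** (32 - vpcMask);
  const baseInt = ipToInt(base);
  if (baseInt % vpcSize !== 0) {
    throw new Error(`${vpcCidr} has host bits set`);
  }

  // Each AZ needs 1 unit for its public subnet and 2 units for its private
  // subnet, so the VPC is carved into AZ_COUNT * 3 units; the unit is the
  // largest power of two that fits.
  const unitBits = Math.floor(Math.log2(vpcSize / (AZ_COUNT * 3)));
  const publicMask = 32 - unitBits;
  const privateMask = publicMask - 1;
  if (publicMask > SMALLEST_SUBNET_MASK) {
    throw new Error(`/${vpcMask} cannot hold ${AZ_COUNT * 2} subnets of at least /${SMALLEST_SUBNET_MASK}`);
  }

  // Lay out the larger private subnets first so every block stays aligned
  // to its own size, then the public subnets.
  const unit = 2 ** unitBits;
  const privateCidrs: string[] = [];
  const publicCidrs: string[] = [];
  let cursor = baseInt;
  for (let az = 0; az < AZ_COUNT; az++) {
    privateCidrs.push(`${intToIp(cursor)}/${privateMask}`);
    cursor += 2 * unit;
  }
  for (let az = 0; az < AZ_COUNT; az++) {
    publicCidrs.push(`${intToIp(cursor)}/${publicMask}`);
    cursor += unit;
  }
  return { vpcCidr, publicMask, privateMask, publicCidrs, privateCidrs };
}

// Example run on a constructed input: planSubnets('10.0.0.0/16') yields three
// /19 private subnets and three /20 public subnets.
```

With the 10.0.0.0/16 from the usage snippets, this planner returns private subnets 10.0.0.0/19, 10.0.32.0/19 and 10.0.64.0/19 and public subnets 10.0.96.0/20, 10.0.112.0/20 and 10.0.128.0/20, leaving the rest of the range unused; a /24 still fits six subnets, while anything between /25 and /27 is rejected because a public subnet would have to be smaller than /28.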

Usage

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as dsf from '@cdklabs/aws-data-solutions-framework';

class ExampleDefaultDataVpcStack extends cdk.Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    new dsf.utils.DataVpc(this, 'MyDataVpc', {
      vpcCidr: '10.0.0.0/16',
    });
  }
}

VPC Flow Logs

The construct writes VPC Flow Logs to a CloudWatch log group encrypted with a customer managed KMS key. Exporting VPC Flow Logs to CloudWatch requires an IAM role. You can customize the flow log setup with:

  • your own KMS key. Be sure to attach the right permissions to your key. Refer to the AWS documentation for the full description.
  • your own IAM role. Be sure to configure the proper trust policy and permissions. Refer to the AWS documentation for the full description.
  • a custom log retention policy. The default is one week.

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Key } from 'aws-cdk-lib/aws-kms';
import { Role } from 'aws-cdk-lib/aws-iam';
import { RetentionDays } from 'aws-cdk-lib/aws-logs';
import * as dsf from '@cdklabs/aws-data-solutions-framework';

class ExampleFlowLogDataVpcStack extends cdk.Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    // Replace the placeholders with the ARNs of your existing key and role
    const flowLogKey = Key.fromKeyArn(this, 'FlowLogKey', 'XXXXXXXXXXXXXXXXXXXXXXXX');

    const flowLogRole = Role.fromRoleArn(this, 'FlowLogRole', 'XXXXXXXXXXXXXXXXXXXXXXXX');

    new dsf.utils.DataVpc(this, 'MyDataVpc', {
      vpcCidr: '10.0.0.0/16',
      flowLogKey,
      flowLogRole,
      flowLogRetention: RetentionDays.TWO_WEEKS,
    });
  }
}
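When you bring your own key and role, the construct no longer generates the permissions for you, so "the right permissions" and "the proper trust policy" become your responsibility. The block below is an added example and not code from DSF or the AWS documentation: it builds the three policy documents a customer-supplied flow log key and role need as plain objects, and includes a check to run over an existing key policy to confirm that the CloudWatch Logs service principal is granted the key and that the grant is pinned to a log group through the kms:EncryptionContext:aws:logs:arn condition. Region, account id and log group name are constructed sample values; the function names are this example's own.

```typescript
// Added example (not DSF code): policy documents for a customer-supplied
// flow log KMS key and IAM role, and a check for an existing key policy.
// Region, account id and log group name in the tests are constructed values.

interface PolicyStatement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal?: Record<string, string | string[]>;
  Action: string[];
  Resource?: string | string[]; // absent in trust policies
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface PolicyDocument {
  Version: '2012-10-17';
  Statement: PolicyStatement[];
}

const LOGS_ENCRYPTION_CONTEXT_KEY = 'kms:EncryptionContext:aws:logs:arn';

function logGroupArn(region: string, account: string, logGroupName: string): string {
  return `arn:aws:logs:${region}:${account}:log-group:${logGroupName}`;
}

// Key policy for the customer managed key. The encryption-context condition
// pins the CloudWatch Logs grant to one log group, so the Logs service
// principal cannot use this key for any other log group.
function flowLogKeyPolicy(region: string, account: string, logGroupName: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Principal: { AWS: `arn:aws:iam::${account}:root` }, Action: ['kms:*'], Resource: '*' },
      {
        Effect: 'Allow',
        Principal: { Service: `logs.${region}.amazonaws.com` },
        Action: ['kms:Encrypt*', 'kms:Decrypt*', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:Describe*'],
        Resource: '*',
        Condition: { ArnEquals: { [LOGS_ENCRYPTION_CONTEXT_KEY]: logGroupArn(region, account, logGroupName) } },
      },
    ],
  };
}

// Trust policy for the delivery role. aws:SourceAccount and aws:SourceArn
// stop flow logs from another account assuming the role (confused deputy).
function flowLogRoleTrustPolicy(region: string, account: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Service: 'vpc-flow-logs.amazonaws.com' },
      Action: ['sts:AssumeRole'],
      Condition: {
        StringEquals: { 'aws:SourceAccount': account },
        ArnLike: { 'aws:SourceArn': `arn:aws:ec2:${region}:${account}:vpc-flow-log/*` },
      },
    }],
  };
}

// Permissions policy for the delivery role, with the write actions scoped to
// the flow log group and its streams; the Describe* calls are list-style and
// are granted on the account-wide log-group resource.
function flowLogRolePermissions(region: string, account: string, logGroupName: string): PolicyDocument {
  const group = logGroupArn(region, account, logGroupName);
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
        Resource: [group, `${group}:*`],
      },
      {
        Effect: 'Allow',
        Action: ['logs:DescribeLogGroups', 'logs:DescribeLogStreams'],
        Resource: `arn:aws:logs:${region}:${account}:log-group:*`,
      },
    ],
  };
}

// Review check for an existing key policy: does it let the Logs service in
// this region use the key, and is that grant pinned to a log group ARN?
function checkKeyPolicyForLogs(doc: PolicyDocument, region: string): { grantsLogs: boolean; scopedToLogGroup: boolean } {
  const service = `logs.${region}.amazonaws.com`;
  const stmt = doc.Statement.find(s => s.Effect === 'Allow' && s.Principal?.Service === service);
  if (!stmt) return { grantsLogs: false, scopedToLogGroup: false };
  // Wildcard actions such as kms:Encrypt* or kms:* cover the concrete action.
  const covers = (needed: string) =>
    stmt.Action.some(a => a === needed || (a.endsWith('*') && needed.startsWith(a.slice(0, -1))));
  const grantsLogs = ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt', 'kms:GenerateDataKey', 'kms:DescribeKey'].every(covers);
  const cond = stmt.Condition ?? {};
  const scopedToLogGroup = Object.keys(cond).some(op => LOGS_ENCRYPTION_CONTEXT_KEY in cond[op]);
  return { grantsLogs, scopedToLogGroup };
}
```

A key policy that grants logs.<region>.amazonaws.com kms:* without the encryption-context condition passes the grantsLogs check but fails scopedToLogGroup, which is the usual finding when a shared key is reused for a flow log group.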

Removal policy

You can specify whether the CloudWatch log group and the KMS encryption key should be deleted when the CDK resource is destroyed using removalPolicy. As an additional layer of protection, users are required to set a global context value for data removal in their CDK applications.

The log group and encryption key are destroyed with the CDK resource only if both the DataVpc removal policy and the DSF on AWS global removal policy are set to remove objects.

You can set the @data-solutions-framework-on-aws/removeDataOnDestroy (true or false) global data removal policy in cdk.json:

{
  "context": {
    "@data-solutions-framework-on-aws/removeDataOnDestroy": true
  }
}

Or programmatically in your CDK app:

import * as cdk from 'aws-cdk-lib';
import { RemovalPolicy } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as dsf from '@cdklabs/aws-data-solutions-framework';

class ExampleRemovalPolicyDataVpcStack extends cdk.Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    // Set context value for global data removal policy
    this.node.setContext('@data-solutions-framework-on-aws/removeDataOnDestroy', true);

    new dsf.utils.DataVpc(this, 'MyDataVpc', {
      vpcCidr: '10.0.0.0/16',
      removalPolicy: RemovalPolicy.DESTROY,
    });
  }
}

Client VPN Endpoint

You can add a Client VPN endpoint to the DataVpc. The current implementation supports SAML-based authentication only and requires an SSL certificate created in Amazon Certificate Manager.

If you don't have an SSL certificate, you can follow this workshop lab to generate a self-signed certificate and import it into Amazon Certificate Manager.

Refer to the documentation on setting up SAML federated authentication. If you don't currently use an IdP, we suggest AWS IAM Identity Center, which can also be used with other DSF constructs such as the OpenSearch construct.

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as dsf from '@cdklabs/aws-data-solutions-framework';

class ExampleClientVpnDataVpcStack extends cdk.Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    new dsf.utils.DataVpc(this, 'MyDataVpc', {
      vpcCidr: '10.0.0.0/16',
      clientVpnEndpointProps: {
        // ACM certificate ARN; replace the placeholders with your own values
        serverCertificateArn: 'arn:aws:acm:us-east-1:XXXXXXXX:certificate/XXXXXXXXXX',
        // SAML metadata document exported from your IdP (IAM Identity Center shown here)
        samlMetadataDocument: `<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/XXXXXXXXXXXXXX">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>XXXXXXXXXXXXXXXXXXXXXXXXX</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.us-east-1.amazonaws.com/saml/logout/XXXXXXXXXXXXXX"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.us-east-1.amazonaws.com/saml/logout/XXXXXXXXXXXXXX"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/XXXXXXXXXXXXXX"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/XXXXXXXXXXXXXX"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`,
        selfServicePortal: false,
      },
    });
  }
}