NetworkConfig / VpcConfig

Virtual Private Cloud (VPC) configuration.

Use this configuration to define a VPC that is deployed to a single account and region. With Amazon Virtual Private Cloud (Amazon VPC), you can launch AWS resources in a logically isolated virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Static CIDR:

vpcs:
  - name: Network-Inspection
    account: Network
    region: us-east-1
    cidrs:
      - 10.0.0.0/24
    enableDnsHostnames: true
    enableDnsSupport: true
    instanceTenancy: default
    routeTables: []
    subnets: []
    natGateways: []
    transitGatewayAttachments: []
    tags: []

IPAM allocation:

vpcs:
  - name: Network-Inspection
    account: Network
    region: us-east-1
    ipamAllocations:
      - ipamPoolName: accelerator-regional-pool
        netmaskLength: 24
    enableDnsHostnames: true
    enableDnsSupport: true
    instanceTenancy: default
    routeTables: []
    subnets: []
    natGateways: []
    transitGatewayAttachments: []
    tags: []

IPv6 static CIDR:

vpcs:
  - name: Network-Inspection
    account: Network
    region: us-east-1
    cidrs:
      - 10.0.0.0/24
    ipv6Cidrs:
      - byoipPool: ipv6Pool-ec2-123abcxyz
    enableDnsHostnames: true
    enableDnsSupport: true
    instanceTenancy: default
    routeTables: []
    subnets: []
    natGateways: []
    transitGatewayAttachments: []
    tags: []

interface IVpcConfig {
    account: string;
    cidrs?: string[];
    defaultSecurityGroupRulesDeletion?: boolean;
    dhcpOptions?: string;
    dnsFirewallRuleGroups?: IVpcDnsFirewallAssociationConfig[];
    egressOnlyIgw?: boolean;
    enableDnsHostnames?: boolean;
    enableDnsSupport?: boolean;
    gatewayEndpoints?: IGatewayEndpointConfig;
    instanceTenancy?: InstanceTenancyType;
    interfaceEndpoints?: IInterfaceEndpointConfig;
    internetGateway?: boolean;
    ipamAllocations?: IIpamAllocationConfig[];
    ipv6Cidrs?: IVpcIpv6Config[];
    loadBalancers?: ILoadBalancersConfig;
    name: string;
    natGateways?: INatGatewayConfig[];
    networkAcls?: INetworkAclConfig[];
    outposts?: IOutpostsConfig[];
    queryLogs?: string[];
    region:
        | "af-south-1"
        | "ap-east-1"
        | "ap-northeast-1"
        | "ap-northeast-2"
        | "ap-northeast-3"
        | "ap-south-1"
        | "ap-south-2"
        | "ap-southeast-1"
        | "ap-southeast-2"
        | "ap-southeast-3"
        | "ap-southeast-4"
        | "ap-southeast-5"
        | "ca-central-1"
        | "ca-west-1"
        | "cn-north-1"
        | "cn-northwest-1"
        | "eu-central-1"
        | "eu-central-2"
        | "eu-north-1"
        | "eu-south-1"
        | "eu-south-2"
        | "eu-west-1"
        | "eu-west-2"
        | "eu-west-3"
        | "eu-isoe-west-1"
        | "il-central-1"
        | "me-central-1"
        | "me-south-1"
        | "mx-central-1"
        | "sa-east-1"
        | "us-east-1"
        | "us-east-2"
        | "us-gov-west-1"
        | "us-gov-east-1"
        | "us-iso-east-1"
        | "us-isob-east-1"
        | "us-iso-west-1"
        | "us-isof-south-1"
        | "us-isof-east-1"
        | "us-west-1"
        | "us-west-2";
    resolverRules?: string[];
    routeTables?: IRouteTableConfig[];
    securityGroups?: ISecurityGroupConfig[];
    subnets?: ISubnetConfig[];
    tags?: ITag[];
    targetGroups?: ITargetGroupItem[];
    transitGatewayAttachments?: ITransitGatewayAttachmentConfig[];
    useCentralEndpoints?: boolean;
    virtualPrivateGateway?: IVirtualPrivateGatewayConfig;
    vpcFlowLogs?: IVpcFlowLogsConfig;
    vpcRoute53Resolver?: IResolverConfig;
}

Properties

account: string

The logical name of the account to deploy the VPC to.

This is the logical name property of the account as defined in accounts-config.yaml.

cidrs?: string[]

(OPTIONAL) A list of IPv4 CIDRs to associate with the VPC.

CAUTION: Changing or removing an existing CIDR value after initial deployment causes the VPC to be recreated. Please be aware that any downstream dependencies may cause this property update to fail. You can add additional CIDRs to the VPC without this recreation occurring.

WARNING: Adding a secondary CIDR anywhere except the end of the list will cause the VPC to be recreated.

NOTE: Expanding a VPC with additional CIDRs is subject to these restrictions. At least one CIDR should be provided if not using ipamAllocations.

Use IPv4 CIDR notation, e.g. 10.0.0.0/16.

defaultSecurityGroupRulesDeletion?: boolean

(OPTIONAL) Determines whether the All Traffic ingress and egress rules are deleted from the default security group of the VPC.

If defaultSecurityGroupRulesDeletion is set to true, the solution removes the default All Traffic (0.0.0.0/0) ingress and egress rules from that VPC's default security group.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/default-custom-security-groups.html#default-security-group

dhcpOptions?: string

(OPTIONAL) The friendly name of a custom DHCP options set.

This is the logical name property of the DHCP options set as defined in network-config.yaml.

DhcpOptsConfig

dnsFirewallRuleGroups?: IVpcDnsFirewallAssociationConfig[]

(OPTIONAL) An array of DNS firewall VPC association configurations. Use this property to associate Route 53 resolver DNS firewall rule groups with the VPC.

  • NetworkConfigTypes.vpcDnsFirewallAssociationConfig
  • DnsFirewallRuleGroupConfig

The DNS firewall rule groups must be deployed in the same region of the VPC and shareTargets must be configured to capture the account that this VPC is deployed to. If deploying this VPC to the delegated admin account, shareTargets is not required.

egressOnlyIgw?: boolean

(OPTIONAL) Create an egress-only internet gateway (EIGW) for the VPC.

enableDnsHostnames?: boolean

Enable DNS hostname support for the VPC.

enableDnsSupport?: boolean

Enable DNS support for the VPC.

gatewayEndpoints?: IGatewayEndpointConfig

(OPTIONAL) An array of gateway endpoints for the VPC. Use this property to define S3 or DynamoDB gateway endpoints for the VPC.

GatewayEndpointConfig

instanceTenancy?: InstanceTenancyType

(OPTIONAL) Define instance tenancy for the VPC. The default value is default.

interfaceEndpoints?: IInterfaceEndpointConfig

(OPTIONAL) A list of VPC interface endpoints. Use this property to define VPC interface endpoints for the VPC.

InterfaceEndpointConfig

internetGateway?: boolean

Defines whether an internet gateway should be added to the VPC.

ipamAllocations?: IIpamAllocationConfig[]

(OPTIONAL) An array of IPAM allocation configurations.

  • IpamAllocationConfig
  • IpamPoolConfig

CAUTION: Changing or removing an existing IPAM allocation value after initial deployment causes the VPC to be recreated. Please be aware that any downstream dependencies may cause this property update to fail. You can add additional IPAM allocations to the VPC without this recreation occurring.

NOTE: Expanding a VPC with additional CIDRs is subject to these restrictions.

IPAM pools defined in network-config.yaml must be deployed to the same region of the VPC and shareTargets must be configured to capture the account that this VPC is deployed to. If deploying this VPC to the delegated admin account, shareTargets is not required.

ipv6Cidrs?: IVpcIpv6Config[]

(OPTIONAL) An array of IPv6 CIDR block configurations.

VpcIpv6Config

CAUTION: Changing or removing an existing IPv6 CIDR block may cause unexpected behavior if there are subnets provisioned using the CIDR. Please be aware that any downstream dependencies may cause this property update to fail. You can add additional IPv6 CIDR blocks to the VPC without interruptions occurring.

At least one IPv4 static CIDR or IPAM allocation MUST be configured along with any IPv6 CIDR blocks. A VPC cannot be created without an IPv4 CIDR.
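The cidrs, ipamAllocations and ipv6Cidrs rules above (and the name rule below) are easy to violate in a change set and expensive to get wrong, because the result is a recreated VPC. The following is an added example, not code from the Landing Zone Accelerator project: it encodes those rules as plan-time checks that can be run against the parsed vpcs list before a deployment. The trimmed VpcConfig subset, the /16 to /28 block-size limit (an AWS VPC limit that this page does not state) and the sample entries are assumptions constructed for the example.

```typescript
// Added example, not code from the Landing Zone Accelerator project.
// Encodes the cidrs / ipamAllocations / ipv6Cidrs / name rules from this page
// as plan-time checks. The VpcConfig subset below, the /16-/28 block-size
// limit (an AWS VPC limit, not stated on this page) and the sample configs
// are assumptions constructed for the example.

interface IpamAllocation {
  ipamPoolName: string;
  netmaskLength: number;
}

interface VpcConfig {
  name: string;
  account: string;
  region: string;
  cidrs?: string[];
  ipamAllocations?: IpamAllocation[];
  ipv6Cidrs?: { byoipPool?: string }[];
}

const IPV4_CIDR = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/;

// True only for a well-formed, properly aligned IPv4 network prefix that AWS
// accepts as a VPC CIDR block (/16 through /28).
export function isValidIpv4Cidr(cidr: string): boolean {
  const m = IPV4_CIDR.exec(cidr);
  if (!m) return false;
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255) || prefix < 16 || prefix > 28) return false;
  const ip = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  return ((ip & mask) >>> 0) === ip; // host bits must be zero
}

// Static checks on a single VPC entry: an IPv4 source of addresses is mandatory,
// IPv6 blocks cannot stand alone, and every static CIDR must parse.
export function validateVpc(vpc: VpcConfig): string[] {
  const errors: string[] = [];
  const cidrs = vpc.cidrs ?? [];
  const ipam = vpc.ipamAllocations ?? [];
  const ipv6 = vpc.ipv6Cidrs ?? [];
  if (cidrs.length === 0 && ipam.length === 0) {
    errors.push(
      ipv6.length > 0
        ? `${vpc.name}: IPv6 CIDR blocks require an IPv4 CIDR or IPAM allocation`
        : `${vpc.name}: provide at least one IPv4 CIDR or IPAM allocation`,
    );
  }
  for (const c of cidrs) {
    if (!isValidIpv4Cidr(c)) errors.push(`${vpc.name}: '${c}' is not a valid VPC IPv4 CIDR block`);
  }
  return errors;
}

// Compares the deployed entry with the proposed one and lists every change that
// this page documents as forcing VPC recreation. Appending a CIDR is allowed;
// changing, removing or inserting before an existing one is not.
export function recreationTriggers(before: VpcConfig, after: VpcConfig): string[] {
  const triggers: string[] = [];
  if (before.name !== after.name) triggers.push(`name changed: ${before.name} -> ${after.name}`);
  const newCidrs = after.cidrs ?? [];
  (before.cidrs ?? []).forEach((c, i) => {
    const j = newCidrs.indexOf(c);
    if (j === -1) triggers.push(`cidrs: ${c} changed or removed`);
    else if (j !== i) triggers.push(`cidrs: ${c} moved from position ${i} to ${j} (a CIDR was inserted before it)`);
  });
  const key = (a: IpamAllocation) => `${a.ipamPoolName}/${a.netmaskLength}`;
  const newKeys = (after.ipamAllocations ?? []).map(key);
  for (const a of before.ipamAllocations ?? []) {
    if (newKeys.indexOf(key(a)) === -1) triggers.push(`ipamAllocations: ${key(a)} changed or removed`);
  }
  return triggers;
}

// Constructed sample: the Network-Inspection VPC from this page and two proposed edits.
export const deployed: VpcConfig = { name: 'Network-Inspection', account: 'Network', region: 'us-east-1', cidrs: ['10.0.0.0/24'] };
export const appended: VpcConfig = { ...deployed, cidrs: ['10.0.0.0/24', '10.0.1.0/24'] }; // safe expansion
export const inserted: VpcConfig = { ...deployed, cidrs: ['10.0.1.0/24', '10.0.0.0/24'] }; // forces recreation

console.log(validateVpc(deployed), recreationTriggers(deployed, appended), recreationTriggers(deployed, inserted));
```

Running the block prints an empty error list for the deployed entry, no triggers for the appended CIDR, and one trigger for the inserted CIDR, which is exactly the distinction the WARNING under cidrs draws. A check like this belongs in the pull-request pipeline that gates network-config.yaml changes, so a recreate-class change is caught before the accelerator pipeline attempts it.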

loadBalancers?: ILoadBalancersConfig

Elastic Load Balancing configuration. Use this property to define Elastic Load Balancers for this VPC.

LoadBalancersConfig

name: string

The friendly name of the VPC.

The value of this property will be utilized as the logical id for this resource. Any references to this object should specify this value.

CAUTION: Changing this property value after initial deployment causes the VPC to be recreated. Please be aware that any downstream dependencies may cause this property update to fail.

natGateways?: INatGatewayConfig[]

(OPTIONAL) An array of NAT gateway configurations for the VPC. Use this property to configure the NAT gateways for the VPC.

NatGatewayConfig

networkAcls?: INetworkAclConfig[]

(OPTIONAL) A list of Network Access Control Lists (ACLs) to deploy for this VPC.

NetworkAclConfig

outposts?: IOutpostsConfig[]

(OPTIONAL) An array of Local Gateway Route table configurations. Use this configuration to associate Outposts Local Gateway Route tables with the VPC.

queryLogs?: string[]

(OPTIONAL) A list of DNS query log configuration names.

This is the logical name property of the Route 53 resolver query logs configuration as defined in network-config.yaml. The shareTargets property must be configured to capture the account that this VPC is deployed to. If deploying this VPC to the delegated admin account, shareTargets is not required.

DnsQueryLogsConfig

region:
    | "af-south-1"
    | "ap-east-1"
    | "ap-northeast-1"
    | "ap-northeast-2"
    | "ap-northeast-3"
    | "ap-south-1"
    | "ap-south-2"
    | "ap-southeast-1"
    | "ap-southeast-2"
    | "ap-southeast-3"
    | "ap-southeast-4"
    | "ap-southeast-5"
    | "ca-central-1"
    | "ca-west-1"
    | "cn-north-1"
    | "cn-northwest-1"
    | "eu-central-1"
    | "eu-central-2"
    | "eu-north-1"
    | "eu-south-1"
    | "eu-south-2"
    | "eu-west-1"
    | "eu-west-2"
    | "eu-west-3"
    | "eu-isoe-west-1"
    | "il-central-1"
    | "me-central-1"
    | "me-south-1"
    | "mx-central-1"
    | "sa-east-1"
    | "us-east-1"
    | "us-east-2"
    | "us-gov-west-1"
    | "us-gov-east-1"
    | "us-iso-east-1"
    | "us-isob-east-1"
    | "us-iso-west-1"
    | "us-isof-south-1"
    | "us-isof-east-1"
    | "us-west-1"
    | "us-west-2"

The AWS region to deploy the VPC to.

resolverRules?: string[]

(OPTIONAL) A list of Route 53 resolver rule names.

This is the logical name property of the Route 53 resolver rules configuration as defined in network-config.yaml. The shareTargets property must be configured to capture the account that this VPC is deployed to. If deploying this VPC to the delegated admin account, shareTargets is not required.

ResolverRuleConfig

routeTables?: IRouteTableConfig[]

(OPTIONAL) An array of route table configurations for the VPC. Use this property to configure the route tables for the VPC.

RouteTableConfig

securityGroups?: ISecurityGroupConfig[]

(OPTIONAL) A list of security groups to deploy for this VPC.

As of version 1.4.0, if any SubnetConfig for this VPC is configured with a shareTargets property, the accelerator automatically replicates security groups configured in this VPC to the shared account(s).

subnets?: ISubnetConfig[]

(OPTIONAL) An array of subnet configurations for the VPC. Use this property to configure the subnets for the VPC.

SubnetConfig

tags?: ITag[]

(OPTIONAL) A list of tags to apply to this VPC.

As of version 1.2.0, if any SubnetConfig for this VPC is configured with a shareTargets property, the accelerator automatically replicates tags configured in this VPC to the shared account(s).

targetGroups?: ITargetGroupItem[]

Target group configuration. Use this property to define target groups for this VPC.

TargetGroupItemConfig

transitGatewayAttachments?: ITransitGatewayAttachmentConfig[]

(OPTIONAL) An array of Transit Gateway attachment configurations. Use this property to configure the Transit Gateway attachments for the VPC.

TransitGatewayAttachmentConfig

useCentralEndpoints?: boolean

(OPTIONAL) When set to true, this VPC will be configured to utilize centralized endpoints. This includes having the Route 53 Private Hosted Zone associated with this VPC. Centralized endpoints are configured per region, and can span to spoke accounts.

NOTE: The AWS partition and regions must support the creation of Route 53 private hosted zones and DNS alias records for AWS VPC Endpoint resource types or the pipeline will fail. Ensure your partition and regions will support useCentralEndpoints before enabling it.

Default: false

A VPC deployed in the same region as this VPC in network-config.yaml must be configured with InterfaceEndpointConfig central property set to true to utilize centralized endpoints.

virtualPrivateGateway?: IVirtualPrivateGatewayConfig

(OPTIONAL) Virtual Private Gateway configuration. Use this property to configure a Virtual Private Gateway for the VPC.

vpcFlowLogs?: IVpcFlowLogsConfig

VPC flow log configuration. Use this property to define a VPC-specific VPC flow logs configuration.

If defined, this configuration is preferred over a global VPC flow logs configuration.

VpcFlowLogsConfig
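Two properties on this page decide most of a VPC's baseline posture: defaultSecurityGroupRulesDeletion (whether the default security group keeps its All Traffic rules) and vpcFlowLogs (whether traffic is logged at all, given that a VPC-specific configuration is preferred over the global one). The following is an added example, not code from the Landing Zone Accelerator project: a lint over the vpcs list that reports entries missing either control, and entries that set useCentralEndpoints without the DNS flags that Route 53 private hosted zone resolution relies on (AWS behaviour, not stated on this page). The config subset, the top-level vpcFlowLogs key taken as the global flow-log setting, and the sample entries are assumptions constructed for the example.

```typescript
// Added example, not code from the Landing Zone Accelerator project.
// Lints the vpcs list for the settings this page ties to security posture:
// defaultSecurityGroupRulesDeletion and vpcFlowLogs (VPC-specific or global),
// plus the DNS flags that useCentralEndpoints depends on. The config subset,
// the top-level `vpcFlowLogs` key (assumed to be the global flow-log setting)
// and the sample entries are constructed for this example.

interface VpcPosture {
  name: string;
  account: string;
  region: string;
  defaultSecurityGroupRulesDeletion?: boolean;
  enableDnsHostnames?: boolean;
  enableDnsSupport?: boolean;
  useCentralEndpoints?: boolean;
  vpcFlowLogs?: Record<string, unknown>;
}

interface NetworkPosture {
  vpcFlowLogs?: Record<string, unknown>; // assumed global VPC flow-log configuration
  vpcs: VpcPosture[];
}

export interface Finding {
  vpc: string;
  severity: 'HIGH' | 'MEDIUM';
  message: string;
}

export function lintVpcs(cfg: NetworkPosture): Finding[] {
  const findings: Finding[] = [];
  for (const vpc of cfg.vpcs) {
    const add = (severity: Finding['severity'], message: string): void => {
      findings.push({ vpc: vpc.name, severity, message });
    };
    // The default SG keeps its All Traffic rules unless the accelerator is told to remove them.
    if (vpc.defaultSecurityGroupRulesDeletion !== true) {
      add('HIGH', 'default security group retains its All Traffic ingress/egress rules; set defaultSecurityGroupRulesDeletion: true');
    }
    // A VPC-specific config overrides the global one; with neither, nothing is logged.
    if (vpc.vpcFlowLogs === undefined && cfg.vpcFlowLogs === undefined) {
      add('HIGH', 'no VPC-specific or global vpcFlowLogs configuration; traffic in this VPC is not logged');
    }
    // Centralized endpoints resolve through a Route 53 private hosted zone, which
    // needs both DNS flags on the VPC (AWS behaviour, not stated on this page).
    if (vpc.useCentralEndpoints === true && !(vpc.enableDnsHostnames && vpc.enableDnsSupport)) {
      add('MEDIUM', 'useCentralEndpoints is set but enableDnsHostnames and enableDnsSupport are not both true');
    }
  }
  return findings;
}

// Constructed sample: one hardened VPC and one that relies on defaults.
export const sampleConfig: NetworkPosture = {
  vpcs: [
    {
      name: 'Network-Inspection', account: 'Network', region: 'us-east-1',
      defaultSecurityGroupRulesDeletion: true,
      enableDnsHostnames: true, enableDnsSupport: true,
      vpcFlowLogs: { trafficType: 'ALL' }, // placeholder; VpcFlowLogsConfig documents the real shape
    },
    { name: 'Workload-Dev', account: 'Dev', region: 'us-east-1', useCentralEndpoints: true },
  ],
};

for (const f of lintVpcs(sampleConfig)) console.log(`[${f.severity}] ${f.vpc}: ${f.message}`);
```

On the sample, Network-Inspection produces no findings and Workload-Dev produces two HIGH findings (default security group rules retained, no flow logs) and one MEDIUM finding (central endpoints without DNS flags). Setting a global vpcFlowLogs at the top level clears the flow-log finding for every VPC that lacks its own, which mirrors the precedence described under vpcFlowLogs.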

vpcRoute53Resolver?: IResolverConfig

A Route 53 resolver configuration local to the VPC.

ResolverConfig