Readonly
account (OPTIONAL)
The logical name of the account to deploy the firewall autoscaling group to. This is the logical name property of the account as defined in accounts-config.yaml.

Readonly
autoscaling
An AutoScaling Group configuration.

Readonly
configDir (OPTIONAL)
Specify a relative S3 directory path to pull a firewall configuration directory from. Either configFile or configDir can be set, but not both.
For example, if your S3 folder path is s3://path/to/config, specify path/to/config for this property.
NOTE: The custom resource backing this feature does not force an update on every core pipeline run. To update the resource, change the name of the configuration directory.
Setting this property allows you to make use of firewall configuration replacements, which let you configure your firewall instance dynamically using values determined at CDK runtime.
NOTE: The configuration directory must be uploaded to the accelerator-created assets bucket in the home region of your Management account. This is the ${AcceleratorPrefix}-assets bucket, not the cdk-accel-assets bucket.
The transformed configuration directory will be uploaded to the ${AcceleratorPrefix}-firewall-config bucket in the account and region your firewall instance is deployed to. This config directory can be consumed by third-party firewall vendors that support pulling a configuration directory from S3.
Supported replacements:
- Hostname replacement - look up the name of the firewall instance: ${ACCEL_LOOKUP::EC2:INSTANCE:HOSTNAME} translates to the logical name of the instance as configured in customizations-config.yaml.
- VPC replacements - look up metadata about the VPC the firewall is deployed to: ${ACCEL_LOOKUP::EC2:VPC:<METADATA_TYPE>_<INDEX>}, where <METADATA_TYPE> is a type listed below and <INDEX> is the index of the VPC CIDR range. The primary CIDR range has index 0. Example: ${ACCEL_LOOKUP::EC2:VPC:CIDR_0} translates to the primary CIDR range of the VPC.
- Subnet replacements - look up metadata about subnets in the VPC the firewall is deployed to: ${ACCEL_LOOKUP::EC2:SUBNET:<METADATA_TYPE>:<SUBNET_NAME>}, where <METADATA_TYPE> is a type listed below and <SUBNET_NAME> is the logical name of the subnet as defined in network-config.yaml. Example: ${ACCEL_LOOKUP::EC2:SUBNET:CIDR:firewall-data-subnet-a} translates to the CIDR range of a subnet named firewall-data-subnet-a.
- Network interface IP replacements - look up public and private IP addresses assigned to firewall network interfaces: ${ACCEL_LOOKUP::EC2:ENI_<ENI_INDEX>:<IP_TYPE>_<IP_INDEX>}, where <ENI_INDEX> is the device index of the network interface as defined in the firewall launch template, <IP_TYPE> is either a public or private IP of the interface, and <IP_INDEX> is the index of the interface IP address. The primary network interface has device index 0, and its primary IP address is also index 0. Example: ${ACCEL_LOOKUP::EC2:ENI_0:PRIVATEIP_0} translates to the primary private IP address of the primary network interface.
- Network interface subnet replacements - look up metadata about the subnet a network interface is deployed to: ${ACCEL_LOOKUP::EC2:ENI_<ENI_INDEX>:SUBNET_<METADATA_TYPE>}, where <ENI_INDEX> is the device index of the network interface as defined in the firewall launch template and <METADATA_TYPE> is a type listed below. The primary network interface has device index 0. Example: ${ACCEL_LOOKUP::EC2:ENI_0:SUBNET_CIDR} translates to the subnet CIDR range of the primary network interface.
- VPN replacements - look up metadata about VPNs that are directly connected to the EC2 firewall instance. NOTE: these replacements are only supported for EC2 firewalls that are referenced in a CustomerGatewayConfig in network-config.yaml. Syntax: ${ACCEL_LOOKUP::EC2:VPN:<METADATA_TYPE>:<VPN_NAME>}, where <METADATA_TYPE> is a type listed below and <VPN_NAME> is the logical name of the VPN connection as defined in network-config.yaml. The primary VPN tunnel has index 0. Example: ${ACCEL_LOOKUP::EC2:VPN:AWS_OUTSIDEIP_0:accelerator-vpn} translates to the AWS-side public IP of the primary VPN tunnel for a VPN named accelerator-vpn.
- AWS Secrets Manager secret replacements - look up a secret stored in AWS Secrets Manager in the management account. The secret must be stored in the same region the firewall is deployed to. Syntax: ${ACCEL_LOOKUP::SECRETS_MANAGER:<SECRET_NAME>} translates to the secure string of the AWS Secrets Manager secret.
For replacements that are supported in firewall userdata, see userData.

Readonly
configFile (OPTIONAL)
Specify a relative S3 object path to pull a firewall configuration file from.
For example, if your S3 object path is s3://path/to/config.txt, specify path/to/config.txt for this property.
NOTE: The custom resource backing this feature does not force an update on every core pipeline run. To update the resource, change the name of the configuration file.
Setting this property allows you to make use of firewall configuration replacements, which let you configure your firewall instance dynamically using values determined at CDK runtime.
NOTE: The configuration file must be uploaded to the accelerator-created assets bucket in the home region of your Management account. This is the ${AcceleratorPrefix}-assets bucket, not the cdk-accel-assets bucket.
The transformed configuration file will be uploaded to the ${AcceleratorPrefix}-firewall-config bucket in the account and region your firewall instance is deployed to. This config file can be consumed by third-party firewall vendors that support pulling a configuration file from S3.
Supported replacements:
- VPC replacements: ${ACCEL_LOOKUP::EC2:VPC:<METADATA_TYPE>_<INDEX>}, where <METADATA_TYPE> is a type listed below and <INDEX> is the index of the VPC CIDR range. The primary CIDR range has index 0. Example: ${ACCEL_LOOKUP::EC2:VPC:CIDR_0} translates to the primary CIDR range of the VPC.
- Subnet replacements: ${ACCEL_LOOKUP::EC2:SUBNET:<METADATA_TYPE>:<SUBNET_NAME>}, where <METADATA_TYPE> is a type listed below and <SUBNET_NAME> is the logical name of the subnet as defined in network-config.yaml. Example: ${ACCEL_LOOKUP::EC2:SUBNET:CIDR:firewall-data-subnet-a} translates to the CIDR range of a subnet named firewall-data-subnet-a.
For replacements that are supported in firewall userdata, see userData.

Readonly
launchTemplate
The launch template for the firewall instance.
CAUTION: Changing values under this property after initial deployment will cause instance replacements in your autoscaling group. This will not impact downstream dependencies, but may impact your network connectivity and/or throughput.

Readonly
licenseFile (OPTIONAL)
Specify a relative S3 object path to pull a firewall license file from.
For example, if your S3 object path is s3://path/to/license.lic, specify path/to/license.lic for this property.
NOTE: The custom resource backing this feature does not force an update on every core pipeline run. To update the resource, change the name of the license file.
The license file must be uploaded to the accelerator-created assets bucket in the home region of your Management account. This is the ${AcceleratorPrefix}-assets bucket, not the cdk-accel-assets bucket.
The license file will be uploaded to the ${AcceleratorPrefix}-firewall-config bucket in the account and region your firewall instance is deployed to. This license file can be consumed by third-party firewall vendors that support pulling a license file from S3.

Readonly
name
The friendly name of the firewall instance.
CAUTION: Changing values under this property after initial deployment will cause an autoscaling group replacement. Please be aware that any downstream dependencies may cause this property update to fail.

Readonly
staticReplacements (OPTIONAL)
Static firewall configuration replacements definition.
Use this property to define static key/value pairs that can be referenced as replacement variables in firewall configuration files.
If setting this property, the configFile or configDir property MUST also be set.
Replacement syntax: ${ACCEL_LOOKUP::CUSTOM:<KEY>}, where <KEY> is the key name for the replacement as defined in customizations-config.yaml. Example: ${ACCEL_LOOKUP::CUSTOM:CORP_CIDR_RANGE} translates to the static value entered for CORP_CIDR_RANGE.

Readonly
tags (OPTIONAL)
An array of tags.

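As an added illustration (not code from the Landing Zone Accelerator project), the following Python resolves the replacement tokens described under configDir, configFile and staticReplacements above against a constructed metadata map, limited to the metadata types this page shows (CIDR, PRIVATEIP, PUBLICIP, AWS_OUTSIDEIP); the metadata keys and sample values are assumptions. Any token that cannot be resolved raises instead of being passed through, so a malformed placeholder never reaches the rendered firewall configuration unnoticed.

```python
import re

# Constructed sample metadata (not real account values) standing in for CDK-runtime lookups.
SAMPLE_METADATA = {
    "hostname": "accelerator-firewall",
    "vpc_cidrs": ["10.0.0.0/16", "10.1.0.0/16"],
    "subnets": {"firewall-data-subnet-a": {"CIDR": "10.0.1.0/24"}},
    "enis": [{"PRIVATEIP": ["10.0.1.10"], "PUBLICIP": ["203.0.113.5"],
              "SUBNET": {"CIDR": "10.0.1.0/24"}}],
    "vpns": {"accelerator-vpn": {"AWS_OUTSIDEIP": ["198.51.100.1", "198.51.100.2"]}},
    "secrets": {"fw-admin-password": "example-only"},
    "custom": {"CORP_CIDR_RANGE": "192.168.0.0/16"},
}
TOKEN = re.compile(r"\$\{ACCEL_LOOKUP::([^}]+)\}")

def _indexed(name):  # 'CIDR_0' -> ('CIDR', 0); raises ValueError if malformed
    base, idx = name.rsplit("_", 1)
    return base, int(idx)

def resolve_lookup(spec, meta):
    """Resolve one replacement spec (the text between '::' and '}')."""
    p = spec.split(":")
    if p == ["EC2", "INSTANCE", "HOSTNAME"]:
        return meta["hostname"]
    if p[:2] == ["EC2", "VPC"] and len(p) == 3 and p[2].startswith("CIDR_"):
        return meta["vpc_cidrs"][_indexed(p[2])[1]]
    if p[:2] == ["EC2", "SUBNET"] and len(p) == 4:
        return meta["subnets"][p[3]][p[2]]
    if p[0] == "EC2" and p[1].startswith("ENI_") and len(p) == 3:
        eni = meta["enis"][_indexed(p[1])[1]]
        if p[2].startswith("SUBNET_"):  # ENI_<n>:SUBNET_<type>
            return eni["SUBNET"][p[2][len("SUBNET_"):]]
        kind, idx = _indexed(p[2])      # ENI_<n>:<IP_TYPE>_<IP_INDEX>
        return eni[kind][idx]
    if p[:2] == ["EC2", "VPN"] and len(p) == 4:
        kind, idx = _indexed(p[2])      # VPN:<type>_<tunnel index>:<vpn name>
        return meta["vpns"][p[3]][kind][idx]
    if p[0] in ("SECRETS_MANAGER", "CUSTOM") and len(p) == 2:
        return meta["secrets" if p[0] == "SECRETS_MANAGER" else "custom"][p[1]]
    raise ValueError(f"unsupported replacement: {spec}")

def render_config(text, meta=SAMPLE_METADATA):
    """Expand every ${ACCEL_LOOKUP::...} token; any unresolvable token fails closed."""
    def sub(match):
        try:
            return resolve_lookup(match.group(1), meta)
        except (KeyError, IndexError, ValueError) as exc:
            raise ValueError(f"cannot resolve {match.group(0)}") from exc
    return TOKEN.sub(sub, text)
```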
Readonly
vpc
The friendly name of the VPC to deploy the firewall instance to. This VPC must contain the subnet(s) defined for the network interfaces under the launchTemplate property.

EC2 firewall autoscaling group configuration. Used to define EC2-based firewall instances to be deployed in an autoscaling group.