Readonly
account(OPTIONAL) The logical name of the account to deploy the firewall instance to
This is the logical name
property of the account as defined in accounts-config.yaml.
Readonly
config(OPTIONAL) Specify a relative S3 directory path to pull a firewall configuration directory.
Either configFile or configDir can be set but not both.
For example, if your S3 folder path is s3://path/to/config
, specify path/to/config
for this property.
NOTE: The custom resource backing this feature does not force update on every core pipeline run. To update the resource, update the name of the configuration directory.
Setting this property allows you to make use of firewall configuration replacements. This allows you to configure your firewall instance dynamically using values determined at CDK runtime.
NOTE: The configuration directory must be uploaded to the accelerator-created assets bucket in the home region of
your Management account. This is the ${AcceleratorPrefix}-assets
bucket, not the cdk-accel-assets
bucket.
The transformed configuration directory will be uploaded to ${AcceleratorPrefix}-firewall-config
bucket in the account and region your firewall instance
is deployed to. This config directory can be consumed by third-party firewall vendors that support pulling a configuration directory from S3.
Supported replacements:
Hostname replacement - look up the name of the firewall instance
${ACCEL_LOOKUP::EC2:INSTANCE:HOSTNAME}
-- translates to the logical name of the instance as configured in customizations-config.yaml.VPC replacements - look up metadata about the VPC the firewall is deployed to:
${ACCEL_LOOKUP::EC2:VPC:<METADATA_TYPE>_<INDEX>}
, where <METADATA_TYPE>
is a type listed below,
and <INDEX>
is the index of the VPC CIDR range.0
.${ACCEL_LOOKUP::EC2:VPC:CIDR_0}
- translates to the primary CIDR range of the VPCSubnet replacements - look up metadata about subnets in the VPC the firewall is deployed to:
${ACCEL_LOOKUP::EC2:SUBNET:<METADATA_TYPE>:<SUBNET_NAME>}
, where <METADATA_TYPE>
is a type listed
below, and <SUBNET_NAME>
is the logical name of the subnet as defined in network-config.yaml
.${ACCEL_LOOKUP::EC2:SUBNET:CIDR:firewall-data-subnet-a}
- translates to the CIDR range of a subnet named firewall-data-subnet-a
Network interface IP replacements - look up public and private IP addresses assigned to firewall network interfaces:
${ACCEL_LOOKUP::EC2:ENI_<ENI_INDEX>:<IP_TYPE>_<IP_INDEX>}
, where <ENI_INDEX>
is the device index
of the network interface as defined in the firewall launch template, <IP_TYPE>
is either a public or private IP of the interface,
and <IP_INDEX>
is the index of the interface IP address.0
and its primary IP address is also 0
.${ACCEL_LOOKUP::EC2:ENI_0:PRIVATEIP_0}
- translates to the primary private IP address of the primary network interfaceNetwork interface subnet replacements - look up metadata about the subnet a network interface is deployed to:
${ACCEL_LOOKUP::EC2:ENI_<ENI_INDEX>:SUBNET_<METADATA_TYPE>}
, where <ENI_INDEX>
is the device index
of the network interface as defined in the firewall launch template and <METADATA_TYPE>
is a type listed below.0
.${ACCEL_LOOKUP::EC2:ENI_0:SUBNET_CIDR}
- translates to the subnet CIDR range of the primary network interfaceVPN replacements - look up metadata about VPNs that are directly connected to the EC2 firewall instance. NOTE: these replacements are only supported for EC2 firewalls that are referenced in a CustomerGatewayConfig in network-config.yaml.
${ACCEL_LOOKUP::EC2:VPN:<METADATA_TYPE>:<VPN_NAME>}
, where <METADATA_TYPE>
is a type listed
below, and <VPN_NAME>
is the logical name of the VPN connection as defined in network-config.yaml
.0
.${ACCEL_LOOKUP::EC2:VPN:AWS_OUTSIDEIP_0:accelerator-vpn}
- translates to the AWS-side public IP of the primary VPN tunnel for a VPN named accelerator-vpn
AWS Secrets Manager Secret replacements - look up the secret from AWS Secrets Manager secret in management account. The secret must be stored in the same region the firewall is deployed to.
${ACCEL_LOOKUP::SECRETS_MANAGER:<SECRET_NAME>}
-- translates to the secure string from AWS Secrets Manager secret.For replacements that are supported in firewall userdata, see userData.
Readonly
config(OPTIONAL) Specify a relative S3 object path to pull a firewall configuration file from.
For example, if your S3 object path is s3://path/to/config.txt
, specify path/to/config.txt
for this property.
NOTE: The custom resource backing this feature does not force update on every core pipeline run. To update the resource, update the name of the configuration file.
Setting this property allows you to make use of firewall configuration replacements. This allows you to configure your firewall instance dynamically using values determined at CDK runtime.
NOTE: The configuration file must be uploaded to the accelerator-created assets bucket in the home region of
your Management account. This is the ${AcceleratorPrefix}-assets
bucket, not the cdk-accel-assets
bucket.
The transformed configuration file will be uploaded to ${AcceleratorPrefix}-firewall-config
bucket in the account and region your firewall instance
is deployed to. This config file can be consumed by third-party firewall vendors that support pulling a configuration file from S3.
Supported replacements:
Hostname replacement - look up the name of the firewall instance
${ACCEL_LOOKUP::EC2:INSTANCE:HOSTNAME}
-- translates to the logical name of the instance as configured in customizations-config.yaml.VPC replacements - look up metadata about the VPC the firewall is deployed to:
${ACCEL_LOOKUP::EC2:VPC:<METADATA_TYPE>_<INDEX>}
, where <METADATA_TYPE>
is a type listed below,
and <INDEX>
is the index of the VPC CIDR range.0
.${ACCEL_LOOKUP::EC2:VPC:CIDR_0}
- translates to the primary CIDR range of the VPCSubnet replacements - look up metadata about subnets in the VPC the firewall is deployed to:
${ACCEL_LOOKUP::EC2:SUBNET:<METADATA_TYPE>:<SUBNET_NAME>}
, where <METADATA_TYPE>
is a type listed
below, and <SUBNET_NAME>
is the logical name of the subnet as defined in network-config.yaml
.${ACCEL_LOOKUP::EC2:SUBNET:CIDR:firewall-data-subnet-a}
- translates to the CIDR range of a subnet named firewall-data-subnet-a
Network interface IP replacements - look up public and private IP addresses assigned to firewall network interfaces:
${ACCEL_LOOKUP::EC2:ENI_<ENI_INDEX>:<IP_TYPE>_<IP_INDEX>}
, where <ENI_INDEX>
is the device index
of the network interface as defined in the firewall launch template, <IP_TYPE>
is either a public or private IP of the interface,
and <IP_INDEX>
is the index of the interface IP address.0
and its primary IP address is also 0
.${ACCEL_LOOKUP::EC2:ENI_0:PRIVATEIP_0}
- translates to the primary private IP address of the primary network interfaceNetwork interface subnet replacements - look up metadata about the subnet a network interface is deployed to:
${ACCEL_LOOKUP::EC2:ENI_<ENI_INDEX>:SUBNET_<METADATA_TYPE>}
, where <ENI_INDEX>
is the device index
of the network interface as defined in the firewall launch template and <METADATA_TYPE>
is a type listed below.0
.${ACCEL_LOOKUP::EC2:ENI_0:SUBNET_CIDR}
- translates to the subnet CIDR range of the primary network interfaceVPN replacements - look up metadata about VPNs that are directly connected to the EC2 firewall instance. NOTE: these replacements are only supported for EC2 firewalls that are referenced in a CustomerGatewayConfig in network-config.yaml.
${ACCEL_LOOKUP::EC2:VPN:<METADATA_TYPE>:<VPN_NAME>}
, where <METADATA_TYPE>
is a type listed
below, and <VPN_NAME>
is the logical name of the VPN connection as defined in network-config.yaml
.0
.${ACCEL_LOOKUP::EC2:VPN:AWS_OUTSIDEIP_0:accelerator-vpn}
- translates to the AWS-side public IP of the primary VPN tunnel for a VPN named accelerator-vpn
For replacements that are supported in firewall userdata, see userData.
Readonly
detailed(OPTIONAL) Specify true to enable detailed monitoring. Otherwise, basic monitoring is enabled.
Readonly
launchThe launch template for the firewall instance
CAUTION: Changing values under this property after initial deployment will cause an instance replacement. Please be aware that any downstream dependencies may cause this property update to fail.
Readonly
license(OPTIONAL) Specify a relative S3 object path to pull a firewall license file from.
For example, if your S3 object path is s3://path/to/license.lic
, specify path/to/license.lic
for this property.
NOTE: The custom resource backing this feature does not force update on every core pipeline run. To update the resource, update the name of the license file.
The license file must be uploaded to the accelerator-created assets bucket in the home region of
your Management account. This is the ${AcceleratorPrefix}-assets
bucket, not the cdk-accel-assets
bucket.
The license file will be uploaded to ${AcceleratorPrefix}-firewall-config
bucket in the account and region your firewall instance
is deployed to. This license file can be consumed by third-party firewall vendors that support pulling a license file from S3.
Readonly
nameThe friendly name of the firewall instance
CAUTION: Changing values under this property after initial deployment will cause an instance replacement. Please be aware that any downstream dependencies may cause this property update to fail.
Readonly
static(OPTIONAL) Static firewall configuration replacements definition.
Use this property to define static key/value pairs that can be referenced as variables in firewall configuration files.
If setting this property, the configFile
or configDir
property MUST also be set.
Replacement syntax:
${ACCEL_LOOKUP::CUSTOM:<KEY>}
, where <KEY>
is the key name for the replacement as defined in customizations-config.yaml
.${ACCEL_LOOKUP::CUSTOM:CORP_CIDR_RANGE}
- translates to the static value entered for CORP_CIDR_RANGE.Readonly
tags(OPTIONAL) An array of tags
Readonly
termination(OPTIONAL) If you set this parameter to true , you can't terminate the instance using the Amazon EC2 console, CLI, or API.
More information: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#Using_ChangingDisableAPITermination
When finished configuring your firewall instance, it is highly recommended to enable this property in order to prevent accidental instance replacement or termination.
Readonly
vpcThe friendly name of the VPC to deploy the firewall instance to
This VPC must contain the subnet(s) defined for the network interfaces under the launchTemplate
property
Generated using TypeDoc
CustomizationsConfig / Ec2FirewallConfig / Ec2FirewallInstanceConfig
EC2 firewall instance configuration. Use to define an array of standalone firewall instances
Example