CustomizationsConfig / Ec2FirewallConfig / Ec2FirewallInstanceConfig

EC2 firewall instance configuration. Use this to define an array of standalone firewall instances.

Example

- name: accelerator-firewall
  launchTemplate:
    name: firewall-lt
    blockDeviceMappings:
      - deviceName: /dev/xvda
        ebs:
          deleteOnTermination: true
          encrypted: true
          volumeSize: 20
    enforceImdsv2: true
    iamInstanceProfile: firewall-profile
    imageId: ami-123xyz
    instanceType: c6i.xlarge
    networkInterfaces:
      - deleteOnTermination: true
        description: Primary interface
        deviceIndex: 0
        groups:
          - firewall-data-sg
        subnetId: firewall-data-subnet-a
      - deleteOnTermination: true
        description: Management interface
        deviceIndex: 1
        groups:
          - firewall-mgmt-sg
        subnetId: firewall-mgmt-subnet-a
    userData: path/to/userdata.txt
  vpc: Network-Inspection
  tags: []

Hierarchy

  • Ec2FirewallInstanceConfig

Properties

account: undefined | string = undefined

(OPTIONAL) The logical name of the account to deploy the firewall instance to

Remarks

This is the logical name property of the account as defined in accounts-config.yaml.

configDir: undefined | string = undefined

(OPTIONAL) Specify a relative S3 directory path to pull a firewall configuration directory.

Either configFile or configDir can be set but not both.

For example, if your S3 folder path is s3://path/to/config, specify path/to/config for this property.

NOTE: The custom resource backing this feature does not force an update on every core pipeline run. To update the resource, change the name of the configuration directory.

Remarks

Setting this property allows you to make use of firewall configuration replacements. This allows you to configure your firewall instance dynamically using values determined at CDK runtime.

NOTE: The configuration directory must be uploaded to the accelerator-created assets bucket in the home region of your Management account. This is the ${AcceleratorPrefix}-assets bucket, not the cdk-accel-assets bucket.

The transformed configuration directory will be uploaded to ${AcceleratorPrefix}-firewall-config bucket in the account and region your firewall instance is deployed to. This config directory can be consumed by third-party firewall vendors that support pulling a configuration directory from S3.

Supported replacements:

  • Hostname replacement - look up the name of the firewall instance

    • Format: ${ACCEL_LOOKUP::EC2:INSTANCE:HOSTNAME} -- translates to the logical name of the instance as configured in customizations-config.yaml.
  • VPC replacements - look up metadata about the VPC the firewall is deployed to:

    • Format: ${ACCEL_LOOKUP::EC2:VPC:<METADATA_TYPE>_<INDEX>}, where <METADATA_TYPE> is a type listed below, and <INDEX> is the index of the VPC CIDR range.
    • Metadata types:
      • CIDR - the VPC CIDR range in CIDR notation (e.g. 10.0.0.0/16)
      • NETMASK - the network mask of the VPC CIDR (e.g. 255.255.0.0)
      • NETWORKIP - the network address of the VPC CIDR (e.g. 10.0.0.0)
      • ROUTERIP - the VPC router address of the VPC CIDR (e.g. 10.0.0.1)
    • Index numbering is zero-based, so the primary VPC CIDR is index 0.
    • Example usage: ${ACCEL_LOOKUP::EC2:VPC:CIDR_0} - translates to the primary CIDR range of the VPC
  • Subnet replacements - look up metadata about subnets in the VPC the firewall is deployed to:

    • Format: ${ACCEL_LOOKUP::EC2:SUBNET:<METADATA_TYPE>:<SUBNET_NAME>}, where <METADATA_TYPE> is a type listed below, and <SUBNET_NAME> is the logical name of the subnet as defined in network-config.yaml.
    • Metadata types:
      • CIDR - the subnet CIDR range in CIDR notation (e.g. 10.0.0.0/24)
      • NETMASK - the network mask of the subnet (e.g. 255.255.255.0)
      • NETWORKIP - the network address of the subnet (e.g. 10.0.0.0)
      • ROUTERIP - the VPC router address of the subnet (e.g. 10.0.0.1)
    • Example usage: ${ACCEL_LOOKUP::EC2:SUBNET:CIDR:firewall-data-subnet-a} - translates to the CIDR range of a subnet named firewall-data-subnet-a
  • Network interface IP replacements - look up public and private IP addresses assigned to firewall network interfaces:

    • Format: ${ACCEL_LOOKUP::EC2:ENI_<ENI_INDEX>:<IP_TYPE>_<IP_INDEX>}, where <ENI_INDEX> is the device index of the network interface as defined in the firewall launch template, <IP_TYPE> is either a public or private IP of the interface, and <IP_INDEX> is the index of the interface IP address.
    • IP types:
      • PRIVATEIP - a private IP associated with the interface
      • PUBLICIP - a public IP associated with the interface
    • Index numbering is zero-based, so the primary interface of the instance is 0 and its primary IP address is also 0.
    • Example usage: ${ACCEL_LOOKUP::EC2:ENI_0:PRIVATEIP_0} - translates to the primary private IP address of the primary network interface
  • Network interface subnet replacements - look up metadata about the subnet a network interface is deployed to:

    • Format: ${ACCEL_LOOKUP::EC2:ENI_<ENI_INDEX>:SUBNET_<METADATA_TYPE>}, where <ENI_INDEX> is the device index of the network interface as defined in the firewall launch template and <METADATA_TYPE> is a type listed below.
    • Metadata types:
      • CIDR - the subnet CIDR range in CIDR notation (e.g. 10.0.0.0/24)
      • NETMASK - the network mask of the subnet (e.g. 255.255.255.0)
      • NETWORKIP - the network address of the subnet (e.g. 10.0.0.0)
      • ROUTERIP - the VPC router address of the subnet (e.g. 10.0.0.1)
    • Index numbering is zero-based, so the primary interface of the instance is 0.
    • Example usage: ${ACCEL_LOOKUP::EC2:ENI_0:SUBNET_CIDR} - translates to the subnet CIDR range of the primary network interface
  • VPN replacements - look up metadata about VPNs that are directly connected to the EC2 firewall instance. NOTE: these replacements are only supported for EC2 firewalls that are referenced in a CustomerGatewayConfig in network-config.yaml.

    • Format: ${ACCEL_LOOKUP::EC2:VPN:<METADATA_TYPE>:<VPN_NAME>}, where <METADATA_TYPE> is a type listed below, and <VPN_NAME> is the logical name of the VPN connection as defined in network-config.yaml.
    • Metadata types:
      • AWS_BGPASN - the BGP autonomous system number (ASN) of the AWS gateway device
      • CGW_BGPASN - the BGP autonomous system number (ASN) of the customer gateway device
      • CGW_OUTSIDEIP - the outside (public) IP address of the customer gateway device
      • AWS_INSIDEIP_<INDEX> - the inside (link-local) IP address of the AWS gateway device, where <INDEX> is the index number of the VPN tunnel
      • CGW_INSIDEIP_<INDEX> - the inside (link-local) IP address of the customer gateway device, where <INDEX> is the index number of the VPN tunnel
      • AWS_OUTSIDEIP_<INDEX> - the outside (public) IP address of the AWS gateway device, where <INDEX> is the index number of the VPN tunnel
      • INSIDE_CIDR_<INDEX> - the inside (link-local) CIDR range of the tunnel, where <INDEX> is the index number of the VPN tunnel
      • INSIDE_NETMASK_<INDEX> - the inside (link-local) subnet mask of the tunnel, where <INDEX> is the index number of the VPN tunnel
      • PSK_<INDEX> - the pre-shared key of the tunnel, where <INDEX> is the index number of the VPN tunnel
    • Index numbering is zero-based, so the primary VPN tunnel is 0.
    • Example usage: ${ACCEL_LOOKUP::EC2:VPN:AWS_OUTSIDEIP_0:accelerator-vpn} - translates to the AWS-side public IP of the primary VPN tunnel for a VPN named accelerator-vpn
  • AWS Secrets Manager secret replacements - look up a secret stored in AWS Secrets Manager in the Management account. The secret must be stored in the same region the firewall is deployed to.

    • Format: ${ACCEL_LOOKUP::SECRETS_MANAGER:<SECRET_NAME>} -- translates to the secure string value of the AWS Secrets Manager secret.
  • For replacements that are supported in firewall userdata, see userData.

configFile: undefined | string = undefined

(OPTIONAL) Specify a relative S3 object path to pull a firewall configuration file from.

For example, if your S3 object path is s3://path/to/config.txt, specify path/to/config.txt for this property.

NOTE: The custom resource backing this feature does not force an update on every core pipeline run. To update the resource, change the name of the configuration file.

Remarks

Setting this property allows you to make use of firewall configuration replacements. This allows you to configure your firewall instance dynamically using values determined at CDK runtime.

NOTE: The configuration file must be uploaded to the accelerator-created assets bucket in the home region of your Management account. This is the ${AcceleratorPrefix}-assets bucket, not the cdk-accel-assets bucket.

The transformed configuration file will be uploaded to ${AcceleratorPrefix}-firewall-config bucket in the account and region your firewall instance is deployed to. This config file can be consumed by third-party firewall vendors that support pulling a configuration file from S3.

Supported replacements:

  • Hostname replacement - look up the name of the firewall instance

    • Format: ${ACCEL_LOOKUP::EC2:INSTANCE:HOSTNAME} -- translates to the logical name of the instance as configured in customizations-config.yaml.
  • VPC replacements - look up metadata about the VPC the firewall is deployed to:

    • Format: ${ACCEL_LOOKUP::EC2:VPC:<METADATA_TYPE>_<INDEX>}, where <METADATA_TYPE> is a type listed below, and <INDEX> is the index of the VPC CIDR range.
    • Metadata types:
      • CIDR - the VPC CIDR range in CIDR notation (e.g. 10.0.0.0/16)
      • NETMASK - the network mask of the VPC CIDR (e.g. 255.255.0.0)
      • NETWORKIP - the network address of the VPC CIDR (e.g. 10.0.0.0)
      • ROUTERIP - the VPC router address of the VPC CIDR (e.g. 10.0.0.1)
    • Index numbering is zero-based, so the primary VPC CIDR is index 0.
    • Example usage: ${ACCEL_LOOKUP::EC2:VPC:CIDR_0} - translates to the primary CIDR range of the VPC
  • Subnet replacements - look up metadata about subnets in the VPC the firewall is deployed to:

    • Format: ${ACCEL_LOOKUP::EC2:SUBNET:<METADATA_TYPE>:<SUBNET_NAME>}, where <METADATA_TYPE> is a type listed below, and <SUBNET_NAME> is the logical name of the subnet as defined in network-config.yaml.
    • Metadata types:
      • CIDR - the subnet CIDR range in CIDR notation (e.g. 10.0.0.0/24)
      • NETMASK - the network mask of the subnet (e.g. 255.255.255.0)
      • NETWORKIP - the network address of the subnet (e.g. 10.0.0.0)
      • ROUTERIP - the VPC router address of the subnet (e.g. 10.0.0.1)
    • Example usage: ${ACCEL_LOOKUP::EC2:SUBNET:CIDR:firewall-data-subnet-a} - translates to the CIDR range of a subnet named firewall-data-subnet-a
  • Network interface IP replacements - look up public and private IP addresses assigned to firewall network interfaces:

    • Format: ${ACCEL_LOOKUP::EC2:ENI_<ENI_INDEX>:<IP_TYPE>_<IP_INDEX>}, where <ENI_INDEX> is the device index of the network interface as defined in the firewall launch template, <IP_TYPE> is either a public or private IP of the interface, and <IP_INDEX> is the index of the interface IP address.
    • IP types:
      • PRIVATEIP - a private IP associated with the interface
      • PUBLICIP - a public IP associated with the interface
    • Index numbering is zero-based, so the primary interface of the instance is 0 and its primary IP address is also 0.
    • Example usage: ${ACCEL_LOOKUP::EC2:ENI_0:PRIVATEIP_0} - translates to the primary private IP address of the primary network interface
  • Network interface subnet replacements - look up metadata about the subnet a network interface is deployed to:

    • Format: ${ACCEL_LOOKUP::EC2:ENI_<ENI_INDEX>:SUBNET_<METADATA_TYPE>}, where <ENI_INDEX> is the device index of the network interface as defined in the firewall launch template and <METADATA_TYPE> is a type listed below.
    • Metadata types:
      • CIDR - the subnet CIDR range in CIDR notation (e.g. 10.0.0.0/24)
      • NETMASK - the network mask of the subnet (e.g. 255.255.255.0)
      • NETWORKIP - the network address of the subnet (e.g. 10.0.0.0)
      • ROUTERIP - the VPC router address of the subnet (e.g. 10.0.0.1)
    • Index numbering is zero-based, so the primary interface of the instance is 0.
    • Example usage: ${ACCEL_LOOKUP::EC2:ENI_0:SUBNET_CIDR} - translates to the subnet CIDR range of the primary network interface
  • VPN replacements - look up metadata about VPNs that are directly connected to the EC2 firewall instance. NOTE: these replacements are only supported for EC2 firewalls that are referenced in a CustomerGatewayConfig in network-config.yaml.

    • Format: ${ACCEL_LOOKUP::EC2:VPN:<METADATA_TYPE>:<VPN_NAME>}, where <METADATA_TYPE> is a type listed below, and <VPN_NAME> is the logical name of the VPN connection as defined in network-config.yaml.
    • Metadata types:
      • AWS_BGPASN - the BGP autonomous system number (ASN) of the AWS gateway device
      • CGW_BGPASN - the BGP autonomous system number (ASN) of the customer gateway device
      • CGW_OUTSIDEIP - the outside (public) IP address of the customer gateway device
      • AWS_INSIDEIP_<INDEX> - the inside (link-local) IP address of the AWS gateway device, where <INDEX> is the index number of the VPN tunnel
      • CGW_INSIDEIP_<INDEX> - the inside (link-local) IP address of the customer gateway device, where <INDEX> is the index number of the VPN tunnel
      • AWS_OUTSIDEIP_<INDEX> - the outside (public) IP address of the AWS gateway device, where <INDEX> is the index number of the VPN tunnel
      • INSIDE_CIDR_<INDEX> - the inside (link-local) CIDR range of the tunnel, where <INDEX> is the index number of the VPN tunnel
      • INSIDE_NETMASK_<INDEX> - the inside (link-local) subnet mask of the tunnel, where <INDEX> is the index number of the VPN tunnel
      • PSK_<INDEX> - the pre-shared key of the tunnel, where <INDEX> is the index number of the VPN tunnel
    • Index numbering is zero-based, so the primary VPN tunnel is 0.
    • Example usage: ${ACCEL_LOOKUP::EC2:VPN:AWS_OUTSIDEIP_0:accelerator-vpn} - translates to the AWS-side public IP of the primary VPN tunnel for a VPN named accelerator-vpn
  • For replacements that are supported in firewall userdata, see userData.

detailedMonitoring: undefined | boolean = undefined

(OPTIONAL) Specify true to enable detailed monitoring. Otherwise, basic monitoring is enabled.

launchTemplate: LaunchTemplateConfig = ...

The launch template for the firewall instance

Remarks

CAUTION: Changing values under this property after initial deployment will cause an instance replacement. Please be aware that any downstream dependencies may cause this property update to fail.

licenseFile: undefined | string = undefined

(OPTIONAL) Specify a relative S3 object path to pull a firewall license file from.

For example, if your S3 object path is s3://path/to/license.lic, specify path/to/license.lic for this property.

NOTE: The custom resource backing this feature does not force an update on every core pipeline run. To update the resource, change the name of the license file.

Remarks

The license file must be uploaded to the accelerator-created assets bucket in the home region of your Management account. This is the ${AcceleratorPrefix}-assets bucket, not the cdk-accel-assets bucket.

The license file will be uploaded to ${AcceleratorPrefix}-firewall-config bucket in the account and region your firewall instance is deployed to. This license file can be consumed by third-party firewall vendors that support pulling a license file from S3.

  • For replacements that are supported in firewall userdata, see userData.

name: string = ''

The friendly name of the firewall instance

Remarks

CAUTION: Changing values under this property after initial deployment will cause an instance replacement. Please be aware that any downstream dependencies may cause this property update to fail.

staticReplacements: undefined | FirewallStaticReplacementsConfig[] = undefined

(OPTIONAL) Static firewall configuration replacements definition.

Remarks

Use this property to define static key/value pairs that can be referenced as variables in firewall configuration files.

If setting this property, the configFile or configDir property MUST also be set.

Replacement syntax:

  • Format: ${ACCEL_LOOKUP::CUSTOM:<KEY>}, where <KEY> is the key name for the replacement as defined in customizations-config.yaml.
  • Example usage: ${ACCEL_LOOKUP::CUSTOM:CORP_CIDR_RANGE} - translates to the static value entered for CORP_CIDR_RANGE.
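As an added illustration (not code from the Landing Zone Accelerator project), the following Python resolver implements the ${ACCEL_LOOKUP::...} syntax described under configDir, configFile and staticReplacements above, deriving NETMASK, NETWORKIP and ROUTERIP from a CIDR block the way the metadata types are defined. The CONTEXT dictionary, its CIDRs and IPs are constructed sample values; the VPN and Secrets Manager scopes are left unresolved because they require live AWS lookups.

```python
import ipaddress
import re

# Constructed stand-in for what the accelerator resolves at CDK runtime (names follow this page's YAML example; CIDRs/IPs are made up)
CONTEXT = {
    "hostname": "accelerator-firewall",
    "vpc_cidrs": ["10.0.0.0/16", "10.1.0.0/16"],  # index 0 is the primary VPC CIDR
    "subnets": {"firewall-data-subnet-a": "10.0.1.0/24",
                "firewall-mgmt-subnet-a": "10.0.2.0/24"},
    "enis": {0: {"subnet": "firewall-data-subnet-a",  # keyed by launch template deviceIndex
                 "PRIVATEIP": ["10.0.1.10", "10.0.1.11"], "PUBLICIP": ["203.0.113.5"]}},
    "custom": {"CORP_CIDR_RANGE": "192.168.0.0/16"},  # from staticReplacements
}

TOKEN = re.compile(r"\$\{ACCEL_LOOKUP::([^}]+)\}")

def cidr_meta(cidr, kind):
    # ROUTERIP is the first host address: AWS reserves it for the VPC router
    net = ipaddress.ip_network(cidr, strict=False)
    values = {"CIDR": str(net), "NETMASK": str(net.netmask), "NETWORKIP": str(net.network_address),
              "ROUTERIP": str(net.network_address + 1)}
    if kind not in values:
        raise ValueError(f"unknown metadata type {kind!r}")
    return values[kind]

def resolve(body, ctx):
    # body is the text between "${ACCEL_LOOKUP::" and "}"
    parts = body.split(":")
    if parts[0] == "CUSTOM":                     # CUSTOM:<KEY>
        return ctx["custom"][parts[1]]
    if parts[0] == "EC2":
        scope = parts[1]
        if scope == "INSTANCE" and parts[2] == "HOSTNAME":
            return ctx["hostname"]
        if scope == "VPC":                       # VPC:<METADATA_TYPE>_<INDEX>
            kind, idx = parts[2].rsplit("_", 1)
            return cidr_meta(ctx["vpc_cidrs"][int(idx)], kind)
        if scope == "SUBNET":                    # SUBNET:<METADATA_TYPE>:<SUBNET_NAME>
            return cidr_meta(ctx["subnets"][parts[3]], parts[2])
        if scope.startswith("ENI_"):
            eni = ctx["enis"][int(scope[4:])]
            if parts[2].startswith("SUBNET_"):   # ENI_<n>:SUBNET_<METADATA_TYPE>
                return cidr_meta(ctx["subnets"][eni["subnet"]], parts[2][7:])
            ip_type, idx = parts[2].rsplit("_", 1)  # ENI_<n>:<IP_TYPE>_<IP_INDEX>
            return eni[ip_type][int(idx)]
    # VPN and SECRETS_MANAGER scopes need live AWS lookups and are not modelled here
    raise ValueError(f"unsupported replacement: {body}")

def render(text, ctx=CONTEXT):
    return TOKEN.sub(lambda m: resolve(m.group(1), ctx), text)
```

Feed render() the body of a configuration file and it returns the transformed text; an unknown or unmodelled token raises ValueError rather than passing through silently.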

tags: undefined | Tag[] = undefined

(OPTIONAL) An array of tags

terminationProtection: undefined | boolean = undefined

(OPTIONAL) If you set this parameter to true, you can't terminate the instance using the Amazon EC2 console, CLI, or API.

More information: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#Using_ChangingDisableAPITermination

Remarks

When finished configuring your firewall instance, it is highly recommended to enable this property in order to prevent accidental instance replacement or termination.

vpc: string = ''

The friendly name of the VPC to deploy the firewall instance to

Remarks

This VPC must contain the subnet(s) defined for the network interfaces under the launchTemplate property.

Generated using TypeDoc