CustomizationsConfig / Ec2FirewallConfig / Ec2FirewallAutoScalingGroupConfig

EC2 firewall Auto Scaling group configuration. Used to define EC2-based firewall instances that the accelerator deploys in an Auto Scaling group (ASG), typically behind a Gateway Load Balancer target group. The example below defines a two-interface firewall (data and management) with an encrypted root volume and IMDSv2 enforced:

- name: accelerator-firewall-asg
  autoscaling:
    name: firewall-asg
    maxSize: 4
    minSize: 1
    desiredSize: 2
    launchTemplate: firewall-lt
    healthCheckGracePeriod: 300
    healthCheckType: ELB
    targetGroups:
      - firewall-gwlb-tg
    subnets:
      - firewall-subnet-a
      - firewall-subnet-b
  launchTemplate:
    name: firewall-lt
    blockDeviceMappings:
      - deviceName: /dev/xvda
        ebs:
          deleteOnTermination: true
          encrypted: true
          volumeSize: 20
    enforceImdsv2: true
    iamInstanceProfile: firewall-profile
    imageId: ami-123xyz
    instanceType: c6i.xlarge
    networkInterfaces:
      - deleteOnTermination: true
        description: Primary interface
        deviceIndex: 0
        groups:
          - firewall-data-sg
      - deleteOnTermination: true
        description: Management interface
        deviceIndex: 1
        groups:
          - firewall-mgmt-sg
    userData: path/to/userdata.txt
  vpc: Network-Inspection
  tags: []

Hierarchy

  • Ec2FirewallAutoScalingGroupConfig

Properties

autoscaling: AutoScalingConfig = ...

The Auto Scaling group configuration (group size, launch template reference, health check settings, target groups, and subnets)

configFile: undefined | string = undefined

(OPTIONAL) Specify a relative S3 object path to pull a firewall configuration file from.

The path is relative to the accelerator assets bucket. For example, if the object is stored at path/to/config.txt in that bucket (s3://<assets-bucket>/path/to/config.txt), specify path/to/config.txt for this property.

NOTE: The custom resource backing this feature does not force an update on every core pipeline run. To push a changed configuration, upload it under a new object name and update this property to the new name.

Remarks

Setting this property allows you to make use of firewall configuration replacements. The accelerator substitutes the ${ACCEL_LOOKUP::...} tokens listed below with values determined at CDK runtime, so one template can configure a firewall for whichever VPC and subnets it lands in.

NOTE: The configuration file must be uploaded to the accelerator-created assets bucket in the home region of your Management account. This is the ${AcceleratorPrefix}-assets bucket, not the cdk-accel-assets bucket.

The transformed configuration file will be uploaded to ${AcceleratorPrefix}-firewall-config bucket in the account and region your firewall instance is deployed to. This config file can be consumed by third-party firewall vendors that support pulling a configuration file from S3.

Supported replacements:

  • VPC replacements - look up metadata about the VPC the firewall is deployed to:
    • Format: ${ACCEL_LOOKUP::EC2:VPC:<METADATA_TYPE>_<INDEX>}, where <METADATA_TYPE> is a type listed below, and <INDEX> is the index of the VPC CIDR range.
    • Metadata types:
      • CIDR - the VPC CIDR range in CIDR notation (e.g. 10.0.0.0/16)
      • NETMASK - the network mask of the VPC CIDR (e.g. 255.255.0.0)
      • NETWORKIP - the network address of the VPC CIDR (e.g. 10.0.0.0)
      • ROUTERIP - the VPC router address of the VPC CIDR, i.e. the first host address (e.g. 10.0.0.1)
    • Index numbering is zero-based, so the primary VPC CIDR is index 0 and each additional (secondary) CIDR increments the index.
    • Example usage: ${ACCEL_LOOKUP::EC2:VPC:CIDR_0} - translates to the primary CIDR range of the VPC
  • Subnet replacements - look up metadata about subnets in the VPC the firewall is deployed to:
    • Format: ${ACCEL_LOOKUP::EC2:SUBNET:<METADATA_TYPE>:<SUBNET_NAME>}, where <METADATA_TYPE> is a type listed below, and <SUBNET_NAME> is the logical name of the subnet as defined in network-config.yaml.
    • Metadata types:
      • CIDR - the subnet CIDR range in CIDR notation (e.g. 10.0.1.0/24)
      • NETMASK - the network mask of the subnet (e.g. 255.255.255.0)
      • NETWORKIP - the network address of the subnet (e.g. 10.0.1.0)
      • ROUTERIP - the VPC router address of the subnet, i.e. the first host address (e.g. 10.0.1.1)
    • Example usage: ${ACCEL_LOOKUP::EC2:SUBNET:CIDR:firewall-data-subnet-a} - translates to the CIDR range of a subnet named firewall-data-subnet-a
  • Hostname, network interface, and VPN replacements are NOT supported for firewall AutoScaling groups, because instances in the group are created and replaced dynamically and have no fixed identity at deployment time.

For replacements that are supported in firewall userdata, see userData.
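The following resolver is an added example, not code from the Landing Zone Accelerator itself. It implements the VPC and SUBNET replacement syntax documented above against a constructed sample topology (the VPC CIDR list and subnet map are assumptions standing in for what the accelerator looks up at CDK runtime), and it fails closed on anything it cannot resolve, so a typo or an unsupported replacement type surfaces before a half-substituted config reaches the firewall.

```python
"""Resolve ${ACCEL_LOOKUP::EC2:VPC:...} and ${ACCEL_LOOKUP::EC2:SUBNET:...} tokens.

Added example, not LZA's own implementation. The topology below is constructed
sample data; a real lookup would come from the deployed VPC.
"""
import ipaddress
import re

# Constructed sample topology (assumption). Index 0 is the primary VPC CIDR,
# index 1 a secondary CIDR, matching the zero-based <INDEX> rule.
VPC_CIDRS = ["10.0.0.0/16", "100.64.0.0/16"]
SUBNET_CIDRS = {
    "firewall-data-subnet-a": "10.0.1.0/24",
    "firewall-data-subnet-b": "10.0.2.0/24",
}

_SUPPORTED = re.compile(r"\$\{ACCEL_LOOKUP::EC2:(?P<kind>VPC|SUBNET):(?P<rest>[^}]+)\}")
_ANY_LOOKUP = re.compile(r"\$\{ACCEL_LOOKUP::[^}]*\}")
_METADATA = {"CIDR", "NETMASK", "NETWORKIP", "ROUTERIP"}


def metadata(cidr: str, meta: str) -> str:
    """Derive one metadata value from a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    if meta == "CIDR":
        return str(net)
    if meta == "NETMASK":
        return str(net.netmask)
    if meta == "NETWORKIP":
        return str(net.network_address)
    if meta == "ROUTERIP":
        # AWS reserves the first host address of each VPC/subnet for the VPC router.
        return str(net.network_address + 1)
    raise ValueError(f"unsupported metadata type {meta!r}")


def _resolve(match: re.Match) -> str:
    kind, rest = match.group("kind"), match.group("rest")
    if kind == "VPC":
        # <METADATA_TYPE>_<INDEX>: split on the last underscore so NETWORKIP_0 parses.
        meta, sep, idx = rest.rpartition("_")
        if not sep or meta not in _METADATA or not idx.isdigit():
            raise ValueError(f"malformed VPC replacement {match.group(0)}")
        if int(idx) >= len(VPC_CIDRS):
            raise ValueError(f"VPC CIDR index {idx} out of range in {match.group(0)}")
        return metadata(VPC_CIDRS[int(idx)], meta)
    # SUBNET: <METADATA_TYPE>:<SUBNET_NAME>
    meta, sep, name = rest.partition(":")
    if not sep or meta not in _METADATA:
        raise ValueError(f"malformed SUBNET replacement {match.group(0)}")
    if name not in SUBNET_CIDRS:
        raise ValueError(f"unknown subnet {name!r} in {match.group(0)}")
    return metadata(SUBNET_CIDRS[name], meta)


def transform(text: str) -> str:
    """Apply all supported replacements. Any leftover ACCEL_LOOKUP token is an error,
    never passed through silently into the firewall configuration."""
    out = _SUPPORTED.sub(_resolve, text)
    leftover = _ANY_LOOKUP.search(out)
    if leftover:
        raise ValueError(f"replacement not supported for ASG firewalls: {leftover.group(0)}")
    return out


def is_resolvable(text: str) -> bool:
    """True when every token in text resolves; used to pre-flight a config file."""
    try:
        transform(text)
        return True
    except ValueError:
        return False


# Constructed vendor-neutral config fragment using the documented syntax.
SAMPLE_CONFIG = (
    "trusted-network ${ACCEL_LOOKUP::EC2:VPC:CIDR_0}\n"
    "trusted-network-secondary ${ACCEL_LOOKUP::EC2:VPC:CIDR_1}\n"
    "data-gateway ${ACCEL_LOOKUP::EC2:SUBNET:ROUTERIP:firewall-data-subnet-a}\n"
    "data-netmask ${ACCEL_LOOKUP::EC2:SUBNET:NETMASK:firewall-data-subnet-a}\n"
)

if __name__ == "__main__":
    print(transform(SAMPLE_CONFIG), end="")
```

Run stand-alone, the script prints the transformed fragment with 10.0.0.0/16, 100.64.0.0/16, 10.0.1.1 and 255.255.255.0 substituted. The fail-closed check in transform matters operationally: the accelerator does not support hostname, network interface or VPN replacements for ASG firewalls, and a token left unresolved in a config that a vendor appliance pulls from S3 is usually a silent misconfiguration rather than a visible error.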

launchTemplate: LaunchTemplateConfig = ...

The launch template used for every instance in the Auto Scaling group (AMI, instance type, block devices, network interfaces, IMDS settings, instance profile, and user data)

Remarks

CAUTION: Changing values under this property after initial deployment creates a new launch template version and causes instance replacements in your Auto Scaling group. The group, target group and other downstream dependencies are unaffected, but the rolling replacement can interrupt traffic through the firewalls and reduce inspection throughput while it runs.

licenseFile: undefined | string = undefined

(OPTIONAL) Specify a relative S3 object path to pull a firewall license file from.

The path is relative to the accelerator assets bucket. For example, if the object is stored at path/to/license.lic in that bucket (s3://<assets-bucket>/path/to/license.lic), specify path/to/license.lic for this property.

NOTE: The custom resource backing this feature does not force an update on every core pipeline run. To push a changed license, upload it under a new object name and update this property to the new name.

Remarks

The license file must be uploaded to the accelerator-created assets bucket in the home region of your Management account. This is the ${AcceleratorPrefix}-assets bucket, not the cdk-accel-assets bucket.

The license file will be uploaded to the ${AcceleratorPrefix}-firewall-config bucket in the account and region your firewall instance is deployed to. This license file can be consumed by third-party firewall vendors that support pulling a license file from S3.

For replacements that are supported in firewall userdata, see userData.

name: string = ''

The friendly name of the firewall Auto Scaling group configuration

Remarks

CAUTION: Changing this property after initial deployment causes the Auto Scaling group to be replaced rather than updated in place. Any downstream dependencies on the existing group (for example a target group still registered with it) may cause this property update to fail.

tags: undefined | Tag[] = undefined

(OPTIONAL) An array of tags applied to the Auto Scaling group

vpc: string = ''

The friendly name of the VPC to deploy the firewall Auto Scaling group to

Remarks

This VPC must contain the subnet(s) referenced under autoscaling.subnets and any subnet defined for the network interfaces under the launchTemplate property

Generated using TypeDoc