DEV Community: Rafal Krol The latest articles on DEV Community by Rafal Krol (@rafalkrolxyz). https://dev.to/rafalkrolxyz https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F639193%2F26e9704c-738b-42c4-835d-aff440fdab52.png DEV Community: Rafal Krol https://dev.to/rafalkrolxyz en Ping Me! (Part 3: Transit Gateway Using CDK) Rafal Krol Mon, 26 Jul 2021 12:27:54 +0000 https://dev.to/aws-builders/ping-me-part-3-transit-gateway-using-cdk-18bf https://dev.to/aws-builders/ping-me-part-3-transit-gateway-using-cdk-18bf <h2> Overview </h2> <p><a href="https://aws.amazon.com/about-aws/whats-new/2018/11/introducing-aws-transit-gateway/" rel="noopener noreferrer">Transit Gateway (TGW) is a relatively new thing on AWS</a>, but one that has greatly simplified networking, especially for the more complex topologies (e.g. dozens or even hundreds of VPCs spanned across different AWS regions and accounts).</p> <p>In short, it's a powerful beast that <a href="https://aws.amazon.com/transit-gateway/?whats-new-cards.sort-by=item.additionalFields.postDateTime&amp;whats-new-cards.sort-order=desc" rel="noopener noreferrer">acts as a highly scalable cloud router</a>. <a href="https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html#attachments-quota" rel="noopener noreferrer">A single TGW can support up to 5,000 attachments</a>, where an attachment can be a VPC, a <a href="https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html" rel="noopener noreferrer">Direct Connect Gateway (DXGW)</a>, a VPN connection or a peering connection to another TGW.</p> <p>Traffic between a TGW and a VPC, as well as any inter-region traffic, stays on <a href="https://www.infrastructure.aws/" rel="noopener noreferrer">the AWS backbone network</a>.</p> <p>There is a multitude of scenarios for using a TGW (mesh networks, hub-and-spoke networks, isolated VPCs with shared services, etc.) and it'd be virtually impossible to build an <a href="https://aws.amazon.com/blogs/networking-and-content-delivery/building-a-global-network-using-aws-transit-gateway-inter-region-peering/" rel="noopener noreferrer">enterprise-grade infrastructure on AWS</a> without using one.</p> <p>Cost-wise, you pay for two things: <a href="https://aws.amazon.com/transit-gateway/pricing/" rel="noopener noreferrer">the number of attachments to a TGW (there's an hourly rate) and data transfer</a>.</p> <h2> Implementation </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkpfd8eqodpqe79qlnnlu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkpfd8eqodpqe79qlnnlu.png" alt="A rudimentary diagram of the complete solution"></a></p> <p>As is the common theme in this series, we'll connect two VPCs together to make a successful ping between EC2 instances placed in both of them. This time a Transit Gateway (TGW) is going to be the glue.</p> <p>Once again, we'll reuse the <code>VpcStack</code> and <code>InstanceStack</code> classes that we created in <a href="https://dev.to/aws-builders/ping-me-part-1-vpc-peering-using-cdk-2kpd">part 1</a>. Additionally, we'll create two classes, both will live in one file, one for a TGW and the other for routes leading to it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span><span class="nb">touch </span>lib/tgw.ts </code></pre> </div> <ul> <li> <code>ping-me-cdk-example/lib/tgw.ts</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">TransitGatewayProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">vpcs</span><span class="p">:</span> <span class="p">[</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">,</span> <span class="p">...</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">[]];</span> <span class="c1">// &lt;--- a list of VPC objects (at least two are required) to be attached to the Transit Gateway; NB only routes between the first two VPCs will be created</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">TransitGatewayStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">TransitGatewayProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// create a Transit Gateway</span> <span class="kd">const</span> <span class="nx">tgw</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnTransitGateway</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Tgw</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// For each supplied VPC, create a Transit Gateway attachment</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">vpc</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnTransitGatewayAttachment</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="s2">`TgwVpcAttachment</span><span class="p">${</span><span class="nx">index</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">subnetIds</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">privateSubnets</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">privateSubnet</span> <span class="o">=&gt;</span> <span class="nx">privateSubnet</span><span class="p">.</span><span class="nx">subnetId</span><span class="p">),</span> <span class="na">transitGatewayId</span><span class="p">:</span> <span class="nx">tgw</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="na">vpcId</span><span class="p">:</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcId</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Output the Transit Gateway's ID</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TransitGatewayId</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">tgw</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="na">exportName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TransitGatewayId</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">RoutesToTransitGatewayStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">TransitGatewayProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Add route from the private subnet of the first VPC to the second VPC over the Transit Gateway</span> <span class="c1">// NB the below was taken from: https://stackoverflow.com/questions/62525195/adding-entry-to-route-table-with-cdk-typescript-when-its-private-subnet-alread</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">privateSubnets</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(({</span> <span class="na">routeTable</span><span class="p">:</span> <span class="p">{</span> <span class="nx">routeTableId</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnRoute</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RouteFromPrivateSubnetOfVpc1ToVpc2</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">index</span><span class="p">,</span> <span class="p">{</span> <span class="na">destinationCidrBlock</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nx">vpcCidrBlock</span><span class="p">,</span> <span class="nx">routeTableId</span><span class="p">,</span> <span class="na">transitGatewayId</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Fn</span><span class="p">.</span><span class="nf">importValue</span><span class="p">(</span><span class="dl">'</span><span class="s1">TransitGatewayId</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// Transit Gateway must already exist</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Add route from the private subnet of the second VPC to the first VPC over the Transit Gateway</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nx">privateSubnets</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(({</span> <span class="na">routeTable</span><span class="p">:</span> <span class="p">{</span> <span class="nx">routeTableId</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnRoute</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RouteFromPrivateSubnetOfVpc2ToVpc1</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">index</span><span class="p">,</span> <span class="p">{</span> <span class="na">destinationCidrBlock</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">vpcCidrBlock</span><span class="p">,</span> <span class="nx">routeTableId</span><span class="p">,</span> <span class="na">transitGatewayId</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Fn</span><span class="p">.</span><span class="nf">importValue</span><span class="p">(</span><span class="dl">'</span><span class="s1">TransitGatewayId</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// Transit Gateway must already exist</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>With these four classes at our disposal, we can initialize the necessary stacks:</p> <ul> <li> <code>ping-me-cdk-example/bin/ping-me-cdk-example.ts</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">VpcStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/vpc</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">InstanceStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/instance</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PeeringStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/peering</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CustomerGatewayDeviceStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/cgd</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">TransitGatewayStack</span><span class="p">,</span> <span class="nx">RoutesToTransitGatewayStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/tgw</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="c1">// &lt;--- you can read more about the App construct here: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.App.html</span> <span class="cm">/** * CODE FROM "Ping Me! (Part 1: VPC Peering Using CDK)" AND "Ping Me! (Part 2: Site-to-Site VPN Using CDK)" WAS REMOVED FOR VISIBILITY */</span> <span class="c1">// Create two VPCs</span> <span class="kd">const</span> <span class="nx">vpcsMetInTransit</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">VpcStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcsMetInTransitStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcSetup</span><span class="p">:</span> <span class="p">{</span> <span class="na">cidrs</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">10.0.4.0/24</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">10.0.5.0/24</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// &lt;--- two non-overlapping CIDR ranges for our two VPCs</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// &lt;--- to keep the costs down, we'll stick to 1 availability zone per VPC (obviously, not something you'd want to do in production)</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Create two EC2 instances, one in each VPC</span> <span class="k">new</span> <span class="nc">InstanceStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">InstanceTransitStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcs</span><span class="p">:</span> <span class="nx">vpcsMetInTransit</span><span class="p">.</span><span class="nx">createdVpcs</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Create a Transit Gateway and attach both VPCs to it</span> <span class="k">new</span> <span class="nc">TransitGatewayStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">TransitGatewayStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcs</span><span class="p">:</span> <span class="p">[</span><span class="nx">vpcsMetInTransit</span><span class="p">.</span><span class="nx">createdVpcs</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="nx">vpcsMetInTransit</span><span class="p">.</span><span class="nx">createdVpcs</span><span class="p">[</span><span class="mi">1</span><span class="p">]],</span> <span class="p">});</span> <span class="c1">// Create routes between both VPCs over the Transit Gateway</span> <span class="k">new</span> <span class="nc">RoutesToTransitGatewayStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RoutesToTransitGatewayStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcs</span><span class="p">:</span> <span class="p">[</span><span class="nx">vpcsMetInTransit</span><span class="p">.</span><span class="nx">createdVpcs</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="nx">vpcsMetInTransit</span><span class="p">.</span><span class="nx">createdVpcs</span><span class="p">[</span><span class="mi">1</span><span class="p">]],</span> <span class="p">});</span> </code></pre> </div> <p>The deployment will be done in three stages:</p> <ul> <li>first, <code>InstanceTransitStack</code> (implicitly with <code>VpcsMetInTransitStack</code>).</li> </ul> <p>(During this step you can grab the ID of your source EC2 instance and the private IP of your destination EC2 instance.<br> Both will come in handy in a bit when we'll attempt to ping one from the other.)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>cdk deploy InstanceTransitStack <span class="nt">--require-approval</span> never Including dependency stacks: VpcsMetInTransitStack VpcsMetInTransitStack VpcsMetInTransitStack: deploying... VpcsMetInTransitStack: creating CloudFormation changeset... <span class="o">[</span>██████████████████████████████████████████████████████████] <span class="o">(</span>30/30<span class="o">)</span> ✅ VpcsMetInTransitStack Outputs: VpcsMetInTransitStack.ExportsOutputFnGetAttVpc07C831B30CidrBlockB8164F9E <span class="o">=</span> 10.0.4.0/24 VpcsMetInTransitStack.ExportsOutputFnGetAttVpc07C831B30DefaultSecurityGroup52C351BF <span class="o">=</span> sg-0b97deeeacfd5627d VpcsMetInTransitStack.ExportsOutputFnGetAttVpc1C211860BCidrBlock933A5AA8 <span class="o">=</span> 10.0.5.0/24 VpcsMetInTransitStack.ExportsOutputFnGetAttVpc1C211860BDefaultSecurityGroup87C47BC2 <span class="o">=</span> sg-0dfe3c25a0cd42e84 VpcsMetInTransitStack.ExportsOutputRefVpc07C831B304FE08623 <span class="o">=</span> vpc-063e0aaa8aaf32b32 VpcsMetInTransitStack.ExportsOutputRefVpc0privateSubnet1RouteTableB5C6777D52F53FE8 <span class="o">=</span> rtb-053b342d2f9950c58 VpcsMetInTransitStack.ExportsOutputRefVpc0privateSubnet1SubnetD6383522ACB05B9B <span class="o">=</span> subnet-002286581738a15da VpcsMetInTransitStack.ExportsOutputRefVpc1C211860B64169B74 <span class="o">=</span> vpc-0020c0197873df61c VpcsMetInTransitStack.ExportsOutputRefVpc1privateSubnet1RouteTable339A93B3DFC75FCA <span class="o">=</span> rtb-0b3cac3abd02c16d6 VpcsMetInTransitStack.ExportsOutputRefVpc1privateSubnet1Subnet41967AFDFF883DAB <span class="o">=</span> subnet-0c10da57ee874b680 Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/VpcsMetInTransitStack/a54b7350-3560-11eb-ae91-0643678755c5 InstanceTransitStack InstanceTransitStack: deploying... InstanceTransitStack: creating CloudFormation changeset... <span class="o">[</span>██████████████████████████████████████████████████████████] <span class="o">(</span>10/10<span class="o">)</span> ✅ InstanceTransitStack Outputs: InstanceTransitStack.Instance0BastionHostId1959CA92 <span class="o">=</span> i-03d7c391c35302d4a <span class="c"># &lt;--- COPY THE ID OF YOUR SOURCE EC2 INSTANCE!</span> InstanceTransitStack.Instance0PrivateIp <span class="o">=</span> 10.0.4.58 InstanceTransitStack.Instance1BastionHostIdEF2AA144 <span class="o">=</span> i-0d315dbb89ed80f82 InstanceTransitStack.Instance1PrivateIp <span class="o">=</span> 10.0.5.54 <span class="c"># &lt;--- COPY THE PRIVATE IP OF YOUR DESTINATION EC2 INSTANCE!</span> Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/InstanceTransitStack/11f0b6a0-3561-11eb-842c-0aa13688a741 </code></pre> </div> <ul> <li>then <code>TransitGatewayStack</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>cdk deploy TransitGatewayStack <span class="nt">--require-approval</span> never Including dependency stacks: VpcsMetInTransitStack VpcsMetInTransitStack VpcsMetInTransitStack: deploying... ✅ VpcsMetInTransitStack <span class="o">(</span>no changes<span class="o">)</span> Outputs: VpcsMetInTransitStack.ExportsOutputFnGetAttVpc07C831B30CidrBlockB8164F9E <span class="o">=</span> 10.0.4.0/24 VpcsMetInTransitStack.ExportsOutputFnGetAttVpc07C831B30DefaultSecurityGroup52C351BF <span class="o">=</span> sg-0b97deeeacfd5627d VpcsMetInTransitStack.ExportsOutputFnGetAttVpc1C211860BCidrBlock933A5AA8 <span class="o">=</span> 10.0.5.0/24 VpcsMetInTransitStack.ExportsOutputFnGetAttVpc1C211860BDefaultSecurityGroup87C47BC2 <span class="o">=</span> sg-0dfe3c25a0cd42e84 VpcsMetInTransitStack.ExportsOutputRefVpc07C831B304FE08623 <span class="o">=</span> vpc-063e0aaa8aaf32b32 VpcsMetInTransitStack.ExportsOutputRefVpc0privateSubnet1RouteTableB5C6777D52F53FE8 <span class="o">=</span> rtb-053b342d2f9950c58 VpcsMetInTransitStack.ExportsOutputRefVpc0privateSubnet1SubnetD6383522ACB05B9B <span class="o">=</span> subnet-002286581738a15da VpcsMetInTransitStack.ExportsOutputRefVpc1C211860B64169B74 <span class="o">=</span> vpc-0020c0197873df61c VpcsMetInTransitStack.ExportsOutputRefVpc1privateSubnet1RouteTable339A93B3DFC75FCA <span class="o">=</span> rtb-0b3cac3abd02c16d6 VpcsMetInTransitStack.ExportsOutputRefVpc1privateSubnet1Subnet41967AFDFF883DAB <span class="o">=</span> subnet-0c10da57ee874b680 Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/VpcsMetInTransitStack/a54b7350-3560-11eb-ae91-0643678755c5 TransitGatewayStack TransitGatewayStack: deploying... TransitGatewayStack: creating CloudFormation changeset... <span class="o">[</span>██████████████████████████████████████████████████████████] <span class="o">(</span>5/5<span class="o">)</span> ✅ TransitGatewayStack Outputs: TransitGatewayStack.TransitGatewayId <span class="o">=</span> tgw-057de86d7c789626e Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/TransitGatewayStack/e86b7b70-3561-11eb-b82a-0ad12ebbcfd9 </code></pre> </div> <ul> <li>and finally <code>RoutesToTransitGatewayStack</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>cdk deploy RoutesToTransitGatewayStack <span class="nt">--require-approval</span> never Including dependency stacks: VpcsMetInTransitStack VpcsMetInTransitStack VpcsMetInTransitStack: deploying... ✅ VpcsMetInTransitStack <span class="o">(</span>no changes<span class="o">)</span> Outputs: VpcsMetInTransitStack.ExportsOutputFnGetAttVpc07C831B30CidrBlockB8164F9E <span class="o">=</span> 10.0.4.0/24 VpcsMetInTransitStack.ExportsOutputFnGetAttVpc07C831B30DefaultSecurityGroup52C351BF <span class="o">=</span> sg-0b97deeeacfd5627d VpcsMetInTransitStack.ExportsOutputFnGetAttVpc1C211860BCidrBlock933A5AA8 <span class="o">=</span> 10.0.5.0/24 VpcsMetInTransitStack.ExportsOutputFnGetAttVpc1C211860BDefaultSecurityGroup87C47BC2 <span class="o">=</span> sg-0dfe3c25a0cd42e84 VpcsMetInTransitStack.ExportsOutputRefVpc07C831B304FE08623 <span class="o">=</span> vpc-063e0aaa8aaf32b32 VpcsMetInTransitStack.ExportsOutputRefVpc0privateSubnet1RouteTableB5C6777D52F53FE8 <span class="o">=</span> rtb-053b342d2f9950c58 VpcsMetInTransitStack.ExportsOutputRefVpc0privateSubnet1SubnetD6383522ACB05B9B <span class="o">=</span> subnet-002286581738a15da VpcsMetInTransitStack.ExportsOutputRefVpc1C211860B64169B74 <span class="o">=</span> vpc-0020c0197873df61c VpcsMetInTransitStack.ExportsOutputRefVpc1privateSubnet1RouteTable339A93B3DFC75FCA <span class="o">=</span> rtb-0b3cac3abd02c16d6 VpcsMetInTransitStack.ExportsOutputRefVpc1privateSubnet1Subnet41967AFDFF883DAB <span class="o">=</span> subnet-0c10da57ee874b680 Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/VpcsMetInTransitStack/a54b7350-3560-11eb-ae91-0643678755c5 RoutesToTransitGatewayStack RoutesToTransitGatewayStack: deploying... RoutesToTransitGatewayStack: creating CloudFormation changeset... <span class="o">[</span>██████████████████████████████████████████████████████████] <span class="o">(</span>4/4<span class="o">)</span> ✅ RoutesToTransitGatewayStack Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/RoutesToTransitGatewayStack/d803d8d0-3562-11eb-aaeb-02e586bc56f0 </code></pre> </div> <h2> Validation </h2> <p>It's time to unleash the ping!</p> <p>If you're following along, be sure to swap the ID of the source EC2 instance (<code>i-03d7c391c35302d4a</code>) and the private IP of the destination EC2 instance (<code>10.0.5.54</code>) for appropriate values before running the below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ssm send-command <span class="se">\</span> <span class="nt">--document-name</span> <span class="s2">"AWS-RunShellScript"</span> <span class="se">\</span> <span class="nt">--document-version</span> <span class="s2">"1"</span> <span class="se">\</span> <span class="nt">--targets</span> <span class="s1">'[{"Key":"InstanceIds","Values":["i-03d7c391c35302d4a"]}]'</span> <span class="se">\</span> <span class="nt">--parameters</span> <span class="s1">'{"workingDirectory":[""],"executionTimeout":["3600"],"commands":["ping 10.0.5.54 -c 3"]}'</span> <span class="se">\</span> <span class="nt">--timeout-seconds</span> 600 <span class="se">\</span> <span class="nt">--max-concurrency</span> <span class="s2">"50"</span> <span class="se">\</span> <span class="nt">--max-errors</span> <span class="s2">"0"</span> <span class="o">{</span> <span class="s2">"Command"</span>: <span class="o">{</span> <span class="s2">"CommandId"</span>: <span class="s2">"f7ed8e0e-a313-405a-a811-7885b4d532e7"</span>, <span class="s2">"DocumentName"</span>: <span class="s2">"AWS-RunShellScript"</span>, <span class="s2">"DocumentVersion"</span>: <span class="s2">"1"</span>, <span class="s2">"Comment"</span>: <span class="s2">""</span>, <span class="s2">"ExpiresAfter"</span>: <span class="s2">"2020-12-03T15:06:43.691000+01:00"</span>, <span class="s2">"Parameters"</span>: <span class="o">{</span> <span class="s2">"commands"</span>: <span class="o">[</span> <span class="s2">"ping 10.0.5.54 -c 3"</span> <span class="o">]</span>, <span class="s2">"executionTimeout"</span>: <span class="o">[</span> <span class="s2">"3600"</span> <span class="o">]</span>, <span class="s2">"workingDirectory"</span>: <span class="o">[</span> <span class="s2">""</span> <span class="o">]</span> <span class="o">}</span>, <span class="s2">"InstanceIds"</span>: <span class="o">[]</span>, <span class="s2">"Targets"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Key"</span>: <span class="s2">"InstanceIds"</span>, <span class="s2">"Values"</span>: <span class="o">[</span> <span class="s2">"i-03d7c391c35302d4a"</span> <span class="o">]</span> <span class="o">}</span> <span class="o">]</span>, <span class="s2">"RequestedDateTime"</span>: <span class="s2">"2020-12-03T13:56:43.691000+01:00"</span>, <span class="s2">"Status"</span>: <span class="s2">"Pending"</span>, <span class="s2">"StatusDetails"</span>: <span class="s2">"Pending"</span>, <span class="s2">"OutputS3BucketName"</span>: <span class="s2">""</span>, <span class="s2">"OutputS3KeyPrefix"</span>: <span class="s2">""</span>, <span class="s2">"MaxConcurrency"</span>: <span class="s2">"50"</span>, <span class="s2">"MaxErrors"</span>: <span class="s2">"0"</span>, <span class="s2">"TargetCount"</span>: 0, <span class="s2">"CompletedCount"</span>: 0, <span class="s2">"ErrorCount"</span>: 0, <span class="s2">"DeliveryTimedOutCount"</span>: 0, <span class="s2">"ServiceRole"</span>: <span class="s2">""</span>, <span class="s2">"NotificationConfig"</span>: <span class="o">{</span> <span class="s2">"NotificationArn"</span>: <span class="s2">""</span>, <span class="s2">"NotificationEvents"</span>: <span class="o">[]</span>, <span class="s2">"NotificationType"</span>: <span class="s2">""</span> <span class="o">}</span>, <span class="s2">"CloudWatchOutputConfig"</span>: <span class="o">{</span> <span class="s2">"CloudWatchLogGroupName"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputEnabled"</span>: <span class="nb">false</span> <span class="o">}</span>, <span class="s2">"TimeoutSeconds"</span>: 600 <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Now, let's check whether that succeeded by using AWS CLI's <a href="https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/get-command-invocation.html" rel="noopener noreferrer"><code>aws ssm get-command-invocation</code> command</a>.</p> <p>Again, if you're following along, be sure to swap the command ID (<code>f7ed8e0e-a313-405a-a811-7885b4d532e7</code>) and the ID of the source EC2 instance (<code>i-03d7c391c35302d4a</code>) for appropriate values before running the below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>aws ssm get-command-invocation <span class="nt">--command-id</span> f7ed8e0e-a313-405a-a811-7885b4d532e7 <span class="nt">--instance-id</span> i-03d7c391c35302d4a <span class="o">{</span> <span class="s2">"CommandId"</span>: <span class="s2">"f7ed8e0e-a313-405a-a811-7885b4d532e7"</span>, <span class="s2">"InstanceId"</span>: <span class="s2">"i-03d7c391c35302d4a"</span>, <span class="s2">"Comment"</span>: <span class="s2">""</span>, <span class="s2">"DocumentName"</span>: <span class="s2">"AWS-RunShellScript"</span>, <span class="s2">"DocumentVersion"</span>: <span class="s2">"1"</span>, <span class="s2">"PluginName"</span>: <span class="s2">"aws:runShellScript"</span>, <span class="s2">"ResponseCode"</span>: 0, <span class="s2">"ExecutionStartDateTime"</span>: <span class="s2">"2020-12-03T12:56:44.343Z"</span>, <span class="s2">"ExecutionElapsedTime"</span>: <span class="s2">"PT2.044S"</span>, <span class="s2">"ExecutionEndDateTime"</span>: <span class="s2">"2020-12-03T12:56:46.343Z"</span>, <span class="s2">"Status"</span>: <span class="s2">"Success"</span>, <span class="s2">"StatusDetails"</span>: <span class="s2">"Success"</span>, <span class="s2">"StandardOutputContent"</span>: <span class="s2">"PING 10.0.5.54 (10.0.5.54) 56(84) bytes of data.</span><span class="se">\n</span><span class="s2">64 bytes from 10.0.5.54: icmp_seq=1 ttl=254 time=0.489 ms</span><span class="se">\n</span><span class="s2">64 bytes from 10.0.5.54: icmp_seq=2 ttl=254 time=0.311 ms</span><span class="se">\n</span><span class="s2">64 bytes from 10.0.5.54: icmp_seq=3 ttl=254 time=0.306 ms</span><span class="se">\n\n</span><span class="s2">--- 10.0.5.54 ping statistics ---</span><span class="se">\n</span><span class="s2">3 packets transmitted, 3 received, 0% packet loss, time 2027ms</span><span class="se">\n</span><span class="s2">rtt min/avg/max/mdev = 0.306/0.368/0.489/0.087 ms</span><span class="se">\n</span><span class="s2">"</span>, <span class="s2">"StandardOutputUrl"</span>: <span class="s2">""</span>, <span class="s2">"StandardErrorContent"</span>: <span class="s2">""</span>, <span class="s2">"StandardErrorUrl"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputConfig"</span>: <span class="o">{</span> <span class="s2">"CloudWatchLogGroupName"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputEnabled"</span>: <span class="nb">false</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><code>3 packets transmitted, 3 received, 0% packet loss</code>. That's an astounding success!</p> <h2> Cleanup </h2> <p>For the sake of our wallets, let's promptly destroy the current infrastructure before wrapping everything up.</p> <p>As was the case with the building process, the destroying part must also be done in stages:</p> <ul> <li>first we need to remove the routes to the Transit Gateway. When prompted, type <code>y</code> for yes: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>cdk destroy RoutesToTransitGatewayStack Are you sure you want to delete: RoutesToTransitGatewayStack <span class="o">(</span>y/n<span class="o">)</span>? y RoutesToTransitGatewayStack: destroying... 14:08:49 | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | RoutesToTransitGatewayStack 14:08:51 | DELETE_IN_PROGRESS | AWS::EC2::Route | RouteFromPrivateSubnetOfVpc2ToVpc10 ✅ RoutesToTransitGatewayStack: destroyed </code></pre> </div> <ul> <li>once the routes are removed we can safely delete the remaining stacks. When prompted, type <code>y</code> for yes: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>cdk destroy <span class="nt">--all</span> Are you sure you want to delete: InstanceVpnDestinationStack, VpcVpnDestinationStack, TransitGatewayStack, RoutesToTransitGatewayStack, PeeringStack, InstanceTransitStack, InstancePeersStack, CustomerGatewayDeviceStack, VpcsMetInTransitStack, VpcVpnSourceStack, VpcPeersStack <span class="o">(</span>y/n<span class="o">)</span>? y InstanceVpnDestinationStack: destroying... ✅ InstanceVpnDestinationStack: destroyed VpcVpnDestinationStack: destroying... ✅ VpcVpnDestinationStack: destroyed TransitGatewayStack: destroying... 14:12:23 | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | TransitGatewayStack ✅ TransitGatewayStack: destroyed RoutesToTransitGatewayStack: destroying... ✅ RoutesToTransitGatewayStack: destroyed PeeringStack: destroying... ✅ PeeringStack: destroyed InstanceTransitStack: destroying... 14:15:30 | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | InstanceTransitStack ✅ InstanceTransitStack: destroyed InstancePeersStack: destroying... ✅ InstancePeersStack: destroyed CustomerGatewayDeviceStack: destroying... ✅ CustomerGatewayDeviceStack: destroyed VpcsMetInTransitStack: destroying... 14:16:49 | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | VpcsMetInTransitStack 14:18:56 | DELETE_IN_PROGRESS | AWS::EC2::InternetGateway | Vpc0/IGW 14:18:56 | DELETE_IN_PROGRESS | AWS::EC2::VPC | Vpc0 ✅ VpcsMetInTransitStack: destroyed VpcVpnSourceStack: destroying... ✅ VpcVpnSourceStack: destroyed VpcPeersStack: destroying... ✅ VpcPeersStack: destroyed </code></pre> </div> <h2> Conclusion </h2> <p>In this series of articles, we saw how with relative ease you can use <a href="https://docs.aws.amazon.com/cdk/latest/guide/home.html" rel="noopener noreferrer">Cloud Development Kit (CDK)</a> to create, update and destroy various AWS resources, and further bind them all together in a configuration that best suits your needs.</p> <p><a href="https://dev.to/aws-builders/ping-me-intro-iac-and-prep-work-41le">Ping Me! (Intro: IaC and Prep Work)</a> discussed why we even bother with such things like Infrastructure as Code (IaC).</p> <p>In <a href="https://dev.to/aws-builders/ping-me-part-1-vpc-peering-using-cdk-2kpd">Ping Me! (Part 1: VPC Peering Using CDK)</a> we wrote our first classes and then initialized them as stacks.</p> <p><a href="https://dev.to/aws-builders/ping-me-part-2-site-to-site-vpn-using-cdk-236h">Ping Me! (Part 2: Site-to-Site VPN Using CDK)</a> focused on a more complex construct that needed additional configuration through the AWS CLI.</p> <p>The final part centered around one of the coolest AWS network resources, namely the Transit Gateway (TGW).</p> <p><strong>Please remember that <a href="https://github.com/rafalkrol-xyz/ping-me-cdk-example" rel="noopener noreferrer">all of the code is available on GitHub</a>.</strong></p> <p><em>"That's all Folks!"</em> Hope you enjoyed the read and until next time!</p> aws typescript devops tutorial Ping Me! (Part 2: Site-to-Site VPN Using CDK) Rafal Krol Sun, 25 Jul 2021 11:55:48 +0000 https://dev.to/aws-builders/ping-me-part-2-site-to-site-vpn-using-cdk-236h https://dev.to/aws-builders/ping-me-part-2-site-to-site-vpn-using-cdk-236h <h2> Overview </h2> <p>Thanks to <a href="https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html" rel="noopener noreferrer">AWS Site-to-Site VPN</a> you can establish a secure connection over insecure infrastructure (e.g. the public internet) between a VPC and your on-premises data center. With such a connection in place, you can communicate with your EC2 instances as if they were within your existing corporate network.</p> <p>It is much cheaper and quicker to establish this option rather than <a href="https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html" rel="noopener noreferrer">AWS Direct Connect</a>, although it is less reliable in terms of performance and has a lower cap for bandwidth. It's not uncommon to have both in place, with AWS Site-to-Site VPN being the backup option.</p> <p>Furthermore, if you have multiple data centers, each with an AWS Site-to-Site VPN connection to a central Virtual Private Gateway (that's the logical construct on which the VPN connection is terminated), you can provide secure communications between those in a hub-and-spoke model using something that AWS advertises as <a href="https://docs.aws.amazon.com/vpn/latest/s2svpn/VPN_CloudHub.html#vpn-cloudhub-overview" rel="noopener noreferrer">VPN CloudHub</a>.</p> <p>As far as billing is concerned, <a href="https://aws.amazon.com/vpn/pricing/" rel="noopener noreferrer">you pay for each hour during which the VPN connection is in the <em>available</em> state</a> (thus, to avoid unnecessary costs you should terminate it whenever it's not in use), plus <a href="https://aws.amazon.com/ec2/pricing/on-demand/" rel="noopener noreferrer">the usual fee for the data out transfer</a>.</p> <h2> Implementation and validation </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsua220xneew0mgc55am0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsua220xneew0mgc55am0.png" alt="A rudimentary diagram of the complete solution"></a></p> <p>As mentioned in the overview section, in most cases you'd use AWS Site-to-Site VPN to connect your on-premises data center to AWS. However, for the sake of simplicity, we're going to connect two VPCs together using the <a href="https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/software-vpn-to-aws-managed-vpn.html" rel="noopener noreferrer">Software VPN-to-AWS Managed VPN approach</a>.</p> <p>Since we'll reuse the <code>VpcStack</code> and <code>InstanceStack</code> classes that we've created in <a href="https://dev.to/aws-builders/ping-me-part-1-vpc-peering-using-cdk-2kpd">part 1</a>, the only class we're missing is the one for the <a href="https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html#example-configuration-files" rel="noopener noreferrer">Customer Gateway Device (CGD)</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span><span class="nb">touch </span>lib/cgd.ts </code></pre> </div> <ul> <li> <code>ping-me-cdk-example/lib/instance.ts</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">iam</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-iam</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// &lt;--- this module is not available from the start; remember to import it: `npm install @aws-cdk/aws-iam`</span> <span class="kr">interface</span> <span class="nx">CustomerGatewayDeviceProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">vpc</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">;</span> <span class="c1">// &lt;--- the VPC in which the Customer Gateway Device will be created</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CustomerGatewayDeviceStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">CustomerGatewayDeviceProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Prepare the user data to be applied to the Windows EC2 instance on its initial boot-up</span> <span class="kd">const</span> <span class="nx">userData</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">UserData</span><span class="p">.</span><span class="nf">forWindows</span><span class="p">();</span> <span class="nx">userData</span><span class="p">.</span><span class="nf">addCommands</span><span class="p">(</span> <span class="c1">// The below PowerShell commands were taken from here: https://github.com/ACloudGuru-Resources/course-aws-certified-advanced-networking-specialty/blob/3a687ba5c70d507a53743037b8f1c5a52d05d357/SteveResources/OnPremNet.yaml#L126</span> <span class="dl">'</span><span class="s1">&lt;powershell&gt;</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1"># Disable Internet Explorer Enhanced Security Configuration for Administrators</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Set-ItemProperty -Path "HKLM:</span><span class="se">\</span><span class="s1">SOFTWARE</span><span class="se">\</span><span class="s1">Microsoft</span><span class="se">\</span><span class="s1">Active Setup</span><span class="se">\</span><span class="s1">Installed Components</span><span class="se">\</span><span class="s1">{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0 -Force</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Stop-Process -Name iexplore -ErrorAction SilentlyContinue</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1"># Begin configuration for VPN services</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Set-NetAdapterAdvancedProperty -DisplayName "IPv4 Checksum Offload" -DisplayValue "Disabled"</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Set-NetAdapterAdvancedProperty -DisplayName "TCP Checksum Offload (IPv4)" -DisplayValue "Disabled"</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Set-NetAdapterAdvancedProperty -DisplayName "UDP Checksum Offload (IPv4)" -DisplayValue "Disabled"</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Invoke-WebRequest https://steveatacg.s3-us-west-1.amazonaws.com/advnetspec/Win2019VPNServerConfig.xml -OutFile c:</span><span class="se">\</span><span class="s1">config.xml</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Install-WindowsFeature -ConfigurationFilePath c:</span><span class="se">\</span><span class="s1">config.xml -computername $env:COMPUTERNAME -Restart</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Install-RemoteAccess -VpnType VpnS2S</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&lt;/powershell&gt;</span><span class="dl">'</span><span class="p">,</span> <span class="p">)</span> <span class="c1">// Create an IAM role allowing the instance to be managed by SSM</span> <span class="kd">const</span> <span class="nx">ssmRoleForEc2</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">SsmRoleForEc2</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">ec2.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="na">managedPolicies</span><span class="p">:</span> <span class="p">[</span><span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">'</span><span class="s1">AmazonSSMManagedInstanceCore</span><span class="dl">'</span><span class="p">)],</span> <span class="p">});</span> <span class="c1">// Create an EC2 instance to serve as the software VPN</span> <span class="kd">const</span> <span class="nx">cgd</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CGW</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="na">instanceType</span><span class="p">:</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">InstanceType</span><span class="p">(</span><span class="dl">'</span><span class="s1">t2.micro</span><span class="dl">'</span><span class="p">),</span> <span class="na">machineImage</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">MachineImage</span><span class="p">.</span><span class="nf">fromSSMParameter</span><span class="p">(</span><span class="dl">'</span><span class="s1">/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base</span><span class="dl">'</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">OperatingSystemType</span><span class="p">.</span><span class="nx">WINDOWS</span><span class="p">,</span> <span class="nx">userData</span><span class="p">),</span> <span class="c1">// &lt;--- use the latest Amazon Machine Image for Windows Server 2019</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="c1">// &lt;--- place the instance in a public subnet</span> <span class="p">},</span> <span class="na">role</span><span class="p">:</span> <span class="nx">ssmRoleForEc2</span><span class="p">,</span> <span class="c1">// &lt;--- use the created earlier IAM role as the instance profile</span> <span class="na">sourceDestCheck</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// &lt;--- make sure the source/destination check is turned off</span> <span class="p">});</span> <span class="c1">// Output the instance's public IP</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CustomerGatewayDevicePublicIp</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">cgd</span><span class="p">.</span><span class="nx">instancePublicIp</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Since the <a href="https://docs.aws.amazon.com/cdk/api/latest/docs/aws-iam-readme.html" rel="noopener noreferrer"><code>@aws-cdk/aws-iam</code> module</a> was not imported during the cdk initialization, let's install it now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>npm <span class="nb">install</span> @aws-cdk/aws-iam@1.73.0 npm WARN ping-me-cdk-example@0.1.0 No repository field. npm WARN ping-me-cdk-example@0.1.0 No license field. + @aws-cdk/aws-iam@1.73.0 updated 1 package and audited 847 packages <span class="k">in </span>5.085s 27 packages are looking <span class="k">for </span>funding run <span class="sb">`</span>npm fund<span class="sb">`</span> <span class="k">for </span>details found 0 vulnerabilities </code></pre> </div> <p>We explicitly chose the <code>1.73.0</code> version (the exact same one as for our <code>@aws-cdk/core</code> and <code>@aws-cdk/aws-ec2</code> modules) to avoid the possibility of seeing <a href="https://github.com/aws/aws-cdk/issues/3416" rel="noopener noreferrer">the <code>Argument of type 'this' is not assignable to parameter of type 'Construct'</code> error</a>.</p> <p>Since we got all the pieces of the puzzle, let's start putting them together.</p> <p>First, we'll initialize the VPN source VPC (that's the one that mocks an on-prem network) and place a Customer Gateway Device (a software VPN in our case) in it:</p> <ul> <li> <code>ping-me-cdk-example/bin/ping-me-cdk-example.ts</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">VpcStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/vpc</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">InstanceStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/instance</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PeeringStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/peering</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CustomerGatewayDeviceStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/cgd</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// &lt;--- added in part 2</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="c1">// &lt;--- you can read more about the App construct here: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.App.html</span> <span class="cm">/** * CODE FROM "Ping Me! (Part 1: VPC Peering Using CDK)" WAS REMOVED FOR VISIBILITY */</span> <span class="c1">// Create a VPN source VPC</span> <span class="kd">const</span> <span class="nx">vpcVpnSource</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">VpcStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcVpnSourceStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcSetup</span><span class="p">:</span> <span class="p">{</span> <span class="na">cidrs</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">10.0.2.0/24</span><span class="dl">'</span><span class="p">],</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// &lt;--- to keep the costs down, we'll stick to 1 availability zone per VPC (obviously, not something you'd want to do in production)</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Create a Customer Gateway Device in the VPN source VPC</span> <span class="k">new</span> <span class="nc">CustomerGatewayDeviceStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">CustomerGatewayDeviceStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">vpcVpnSource</span><span class="p">.</span><span class="nx">createdVpcs</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="p">});</span> </code></pre> </div> <p>Now, we can deploy these two stacks. And since <code>VpcVpnSourceStack</code> is a dependency of <code>CustomerGatewayDeviceStack</code> we can just call the latter in our command and still both are going to be built out:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>cdk deploy CustomerGatewayDeviceStack <span class="nt">--require-approval</span> never Including dependency stacks: VpcVpnSourceStack VpcVpnSourceStack VpcVpnSourceStack: deploying... VpcVpnSourceStack: creating CloudFormation changeset... <span class="o">[</span>██████████████████████████████████████████████████████████] <span class="o">(</span>16/16<span class="o">)</span> ✅ VpcVpnSourceStack Outputs: VpcVpnSourceStack.ExportsOutputFnGetAttVpc07C831B30CidrBlockB8164F9E <span class="o">=</span> 10.0.2.0/24 VpcVpnSourceStack.ExportsOutputRefVpc07C831B304FE08623 <span class="o">=</span> vpc-0d8d8118923b40b85 VpcVpnSourceStack.ExportsOutputRefVpc0publicSubnet1SubnetB977A71E8C9155C7 <span class="o">=</span> subnet-037467ea871b103c1 Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/VpcVpnSourceStack/f9d46c70-3005-11eb-8c3a-06fab0925578 CustomerGatewayDeviceStack CustomerGatewayDeviceStack: deploying... CustomerGatewayDeviceStack: creating CloudFormation changeset... <span class="o">[</span>██████████████████████████████████████████████████████████] <span class="o">(</span>6/6<span class="o">)</span> ✅ CustomerGatewayDeviceStack Outputs: CustomerGatewayDeviceStack.CustomerGatewayDevicePublicIp <span class="o">=</span> 52.51.199.29 <span class="c"># &lt;--- COPY THE PUBLIC IP OF THE CUSTOMER GATEWAY DEVICE (CGD)</span> Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/CustomerGatewayDeviceStack/665a19d0-3006-11eb-9492-0a91d0eaa80f </code></pre> </div> <p>Let's grab the public IP of the CGD from the above output, or by using AWS CLI (like so: <code>aws cloudformation describe-stacks --stack-name CustomerGatewayDeviceStack --query "Stacks[].Outputs[].OutputValue"</code>) and move on to creating a VPN destination VPC, with a Site-to-Site VPN connection to the VPN source VPC already in place, and an EC2 instance that'll serve as our ping destination.</p> <ul> <li> <code>ping-me-cdk-example/bin/ping-me-cdk-example.ts</code> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="cm">/** * ALL PRECEDING CODE WAS REMOVED FOR VISIBILITY */</span> <span class="kd">const</span> <span class="nx">vpcVpnDestination</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">VpcStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcVpnDestinationStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcSetup</span><span class="p">:</span> <span class="p">{</span> <span class="na">cidrs</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">10.0.3.0/24</span><span class="dl">'</span><span class="p">],</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// &lt;--- to keep the costs down, we'll stick to 1 availability zone per VPC (obviously, not something you'd want to do in production)</span> <span class="na">vpnConnections</span><span class="p">:</span> <span class="p">{</span> <span class="na">toOnPrem</span><span class="p">:</span> <span class="p">{</span> <span class="na">ip</span><span class="p">:</span> <span class="dl">'</span><span class="s1">52.51.199.29</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// &lt;--- grab this from the outputs of CustomerGatewayDeviceStack, e.g.: aws cloudformation describe-stacks --stack-name CustomerGatewayDeviceStack --query "Stacks[].Outputs[].OutputValue"</span> <span class="na">staticRoutes</span><span class="p">:</span> <span class="p">[</span> <span class="nx">vpcVpnSource</span><span class="p">.</span><span class="nx">createdVpcs</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">vpcCidrBlock</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="p">});</span> <span class="k">new</span> <span class="nc">InstanceStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">InstanceVpnDestinationStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcs</span><span class="p">:</span> <span class="nx">vpcVpnDestination</span><span class="p">.</span><span class="nx">createdVpcs</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>cdk deploy InstanceVpnDestinationStack <span class="nt">--require-approval</span> never Including dependency stacks: VpcVpnDestinationStack, VpcVpnSourceStack VpcVpnSourceStack VpcVpnSourceStack: deploying... ✅ VpcVpnSourceStack <span class="o">(</span>no changes<span class="o">)</span> Outputs: VpcVpnSourceStack.ExportsOutputFnGetAttVpc07C831B30CidrBlockB8164F9E <span class="o">=</span> 10.0.2.0/24 VpcVpnSourceStack.ExportsOutputRefVpc07C831B304FE08623 <span class="o">=</span> vpc-0d8d8118923b40b85 VpcVpnSourceStack.ExportsOutputRefVpc0publicSubnet1SubnetB977A71E8C9155C7 <span class="o">=</span> subnet-037467ea871b103c1 Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/VpcVpnSourceStack/f9d46c70-3005-11eb-8c3a-06fab0925578 VpcVpnDestinationStack VpcVpnDestinationStack: deploying... VpcVpnDestinationStack: creating CloudFormation changeset... <span class="o">[</span>██████████████████████████████████████████████████████████] <span class="o">(</span>22/22<span class="o">)</span> ✅ VpcVpnDestinationStack Outputs: VpcVpnDestinationStack.ExportsOutputFnGetAttVpc07C831B30DefaultSecurityGroup52C351BF <span class="o">=</span> sg-0e750a0ff54ed08aa VpcVpnDestinationStack.ExportsOutputRefVpc0privateSubnet1SubnetD6383522ACB05B9B <span class="o">=</span> subnet-0149bc2a09ea2bc34 Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/VpcVpnDestinationStack/af2f9e90-3007-11eb-93e5-0a4cff3749d5 InstanceVpnDestinationStack InstanceVpnDestinationStack: deploying... InstanceVpnDestinationStack: creating CloudFormation changeset... <span class="o">[</span>██████████████████████████████████████████████████████████] <span class="o">(</span>6/6<span class="o">)</span> ✅ InstanceVpnDestinationStack Outputs: InstanceVpnDestinationStack.Instance0BastionHostId1959CA92 <span class="o">=</span> i-02e376354bcb4b094 InstanceVpnDestinationStack.Instance0PrivateIp <span class="o">=</span> 10.0.3.49 Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/InstanceVpnDestinationStack/c2a92a30-3008-11eb-a26f-0639b3b50e04 </code></pre> </div> <p>The necessary infrastructure is standing, but we still need to configure the CGD. To accomplish that we'll head over to the AWS Console and download a config file that was generated for us:</p> <ul> <li>AWS Console -&gt; VPC -&gt; Site-to-Site VPN Connections -&gt; select our new connection -&gt; click on "Download Configuration"</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdhor58xxii7f9v5mqswe.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdhor58xxii7f9v5mqswe.png" alt="AWS download VPN configuration"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6avf8dqaw5yvn3jfw8ks.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6avf8dqaw5yvn3jfw8ks.png" alt="AWS choose the type of the Customer Gateway Device"></a></p> <p>In this text file we're interested in the lines 111 to 129 containing two scripts we'll need to execute on the CGD. Those should look something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>! Script for Tunnel 1: netsh advfirewall consec add rule Name="vgw-0e89a3295d6b100c2 Tunnel 1" ^ Enable=Yes Profile=any Type=Static Mode=Tunnel ^ LocalTunnelEndpoint=[Windows_Server_Private_IP_address] ^ RemoteTunnelEndpoint=34.253.60.42 Endpoint1=[Your_Static_Route_IP_Prefix] ^ Endpoint2=[Your_VPC_CIDR_Block] Protocol=Any Action=RequireInClearOut ^ Auth1=ComputerPSK Auth1PSK=iKV4pvEVAxVk6wKeVma38F8ZDxVfPhNA ^ QMSecMethods=ESP:SHA1-AES128+60min+100000kb ^ ExemptIPsecProtectedConnections=No ApplyAuthz=No QMPFS=dhgroup2 ! Script for Tunnel 2: netsh advfirewall consec add rule Name="vgw-0e89a3295d6b100c2 Tunnel 2" ^ Enable=Yes Profile=any Type=Static Mode=Tunnel ^ LocalTunnelEndpoint=[Windows_Server_Private_IP_address] ^ RemoteTunnelEndpoint=52.50.166.48 Endpoint1=[Your_Static_Route_IP_Prefix] ^ Endpoint2=[Your_VPC_CIDR_Block] Protocol=Any Action=RequireInClearOut ^ Auth1=ComputerPSK Auth1PSK=PAoYUDzM_V93hRcJxvVkMCV6VjpWFtKt ^ QMSecMethods=ESP:SHA1-AES128+60min+100000kb ^ ExemptIPsecProtectedConnections=No ApplyAuthz=No QMPFS=dhgroup2 </code></pre> </div> <p>Swap <code>[Windows_Server_Private_IP_address]</code> for the private IP address of your CGD (you can get it using the AWS CLI: <code>aws ec2 describe-instances --filters "Name=tag:Name,Values=CustomerGatewayDeviceStack/CGW" --query "Reservations[].Instances[].PrivateIpAddress"</code>), <code>[Your_Static_Route_IP_Prefix]</code> for the VPN source VPC's CIDR (<code>10.0.2.0/24</code>), <code>[Your_VPC_CIDR_Block]</code> for the VPN destination VPC's CIDR (<code>10.0.3.0/24</code>), escape the quotation marks (<code>"</code>) by preceding them with backslashes (<code>\</code>) and remove all the carets (<code>^</code>) and following new lines to make both scripts into one-liners, e.g.:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>netsh advfirewall consec add rule <span class="nv">Name</span><span class="o">=</span><span class="se">\"</span>vgw-06fab417114297dd1 Tunnel 1<span class="se">\"</span> <span class="nv">Enable</span><span class="o">=</span>Yes <span class="nv">Profile</span><span class="o">=</span>any <span class="nv">Type</span><span class="o">=</span>Static <span class="nv">Mode</span><span class="o">=</span>Tunnel <span class="nv">LocalTunnelEndpoint</span><span class="o">=</span>10.0.2.18 <span class="nv">RemoteTunnelEndpoint</span><span class="o">=</span>34.249.222.228 <span class="nv">Endpoint1</span><span class="o">=</span>10.0.2.0/24 <span class="nv">Endpoint2</span><span class="o">=</span>10.0.3.0/24 <span class="nv">Protocol</span><span class="o">=</span>Any <span class="nv">Action</span><span class="o">=</span>RequireInClearOut <span class="nv">Auth1</span><span class="o">=</span>ComputerPSK <span class="nv">Auth1PSK</span><span class="o">=</span>F_BjSjPg8ctE6XeX183INrtAPxkaktXm <span class="nv">QMSecMethods</span><span class="o">=</span>ESP:SHA1-AES128+60min+100000kb <span class="nv">ExemptIPsecProtectedConnections</span><span class="o">=</span>No <span class="nv">ApplyAuthz</span><span class="o">=</span>No <span class="nv">QMPFS</span><span class="o">=</span>dhgroup2 </code></pre> </div> <p>We'll run them on the Windows instance remotely using SSM.</p> <p>If you're following along, be sure to swap the ID of the Windows instance (<code>i-03dd90e66a0e6a145</code>) for the appropriate value before running the below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>aws ssm send-command <span class="nt">--document-name</span> <span class="s2">"AWS-RunPowerShellScript"</span> <span class="se">\</span> <span class="nt">--document-version</span> <span class="s2">"1"</span> <span class="se">\</span> <span class="nt">--targets</span> <span class="s1">'[{"Key":"InstanceIds","Values":["i-03dd90e66a0e6a145"]}]'</span> <span class="se">\</span> <span class="nt">--parameters</span> <span class="s1">'{"workingDirectory":[""],"executionTimeout":["3600"],"commands":["netsh advfirewall consec add rule Name=\"vgw-06fab417114297dd1 Tunnel 1\" Enable=Yes Profile=any Type=Static Mode=Tunnel LocalTunnelEndpoint=10.0.2.18 RemoteTunnelEndpoint=34.249.222.228 Endpoint1=10.0.2.0/24 Endpoint2=10.0.3.0/24 Protocol=Any Action=RequireInClearOut Auth1=ComputerPSK Auth1PSK=F_BjSjPg8ctE6XeX183INrtAPxkaktXm QMSecMethods=ESP:SHA1-AES128+60min+100000kb ExemptIPsecProtectedConnections=No ApplyAuthz=No QMPFS=dhgroup2"]}'</span> <span class="se">\</span> <span class="nt">--timeout-seconds</span> 600 <span class="se">\</span> <span class="nt">--max-concurrency</span> <span class="s2">"50"</span> <span class="se">\</span> <span class="nt">--max-errors</span> <span class="s2">"0"</span> <span class="o">{</span> <span class="s2">"Command"</span>: <span class="o">{</span> <span class="s2">"CommandId"</span>: <span class="s2">"ab32f5e8-78c9-4e5b-95d4-944e02814682"</span>, <span class="s2">"DocumentName"</span>: <span class="s2">"AWS-RunPowerShellScript"</span>, <span class="s2">"DocumentVersion"</span>: <span class="s2">"1"</span>, <span class="s2">"Comment"</span>: <span class="s2">""</span>, <span class="s2">"ExpiresAfter"</span>: <span class="s2">"2020-11-26T19:27:48.114000+01:00"</span>, <span class="s2">"Parameters"</span>: <span class="o">{</span> <span class="s2">"commands"</span>: <span class="o">[</span> <span class="s2">"netsh advfirewall consec add rule Name=</span><span class="se">\"</span><span class="s2">vgw-06fab417114297dd1 Tunnel 1</span><span class="se">\"</span><span class="s2"> Enable=Yes Profile=any Type=Static Mode=Tunnel LocalTunnelEndpoint=10.0.2.18 RemoteTunnelEndpoint=34.249.222.228 Endpoint1=10.0.2.0/24 Endpoint2=10.0.3.0/24 Protocol=Any Action=RequireInClearOut Auth1=ComputerPSK Auth1PSK=F_BjSjPg8ctE6XeX183INrtAPxkaktXm QMSecMethods=ESP:SHA1-AES128+60min+100000kb ExemptIPsecProtectedConnections=No ApplyAuthz=No QMPFS=dhgroup2"</span> <span class="o">]</span>, <span class="s2">"executionTimeout"</span>: <span class="o">[</span> <span class="s2">"3600"</span> <span class="o">]</span>, <span class="s2">"workingDirectory"</span>: <span class="o">[</span> <span class="s2">""</span> <span class="o">]</span> <span class="o">}</span>, <span class="s2">"InstanceIds"</span>: <span class="o">[]</span>, <span class="s2">"Targets"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Key"</span>: <span class="s2">"InstanceIds"</span>, <span class="s2">"Values"</span>: <span class="o">[</span> <span class="s2">"i-03dd90e66a0e6a145"</span> <span class="o">]</span> <span class="o">}</span> <span class="o">]</span>, <span class="s2">"RequestedDateTime"</span>: <span class="s2">"2020-11-26T18:17:48.114000+01:00"</span>, <span class="s2">"Status"</span>: <span class="s2">"Pending"</span>, <span class="s2">"StatusDetails"</span>: <span class="s2">"Pending"</span>, <span class="s2">"OutputS3BucketName"</span>: <span class="s2">""</span>, <span class="s2">"OutputS3KeyPrefix"</span>: <span class="s2">""</span>, <span class="s2">"MaxConcurrency"</span>: <span class="s2">"50"</span>, <span class="s2">"MaxErrors"</span>: <span class="s2">"0"</span>, <span class="s2">"TargetCount"</span>: 0, <span class="s2">"CompletedCount"</span>: 0, <span class="s2">"ErrorCount"</span>: 0, <span class="s2">"DeliveryTimedOutCount"</span>: 0, <span class="s2">"ServiceRole"</span>: <span class="s2">""</span>, <span class="s2">"NotificationConfig"</span>: <span class="o">{</span> <span class="s2">"NotificationArn"</span>: <span class="s2">""</span>, <span class="s2">"NotificationEvents"</span>: <span class="o">[]</span>, <span class="s2">"NotificationType"</span>: <span class="s2">""</span> <span class="o">}</span>, <span class="s2">"CloudWatchOutputConfig"</span>: <span class="o">{</span> <span class="s2">"CloudWatchLogGroupName"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputEnabled"</span>: <span class="nb">false</span> <span class="o">}</span>, <span class="s2">"TimeoutSeconds"</span>: 600 <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Now, let's check whether that succeeded using AWS CLI's <a href="https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/get-command-invocation.html" rel="noopener noreferrer"><code>aws ssm get-command-invocation</code> command</a>.</p> <p>Again, if you're following along, be sure to swap the command ID (<code>ab32f5e8-78c9-4e5b-95d4-944e02814682</code>) and the ID of the Windows instance (<code>i-03dd90e66a0e6a145</code>) for appropriate values before running the below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>aws ssm get-command-invocation <span class="nt">--command-id</span> ab32f5e8-78c9-4e5b-95d4-944e02814682 <span class="nt">--instance-id</span> i-03dd90e66a0e6a145 <span class="o">{</span> <span class="s2">"CommandId"</span>: <span class="s2">"ab32f5e8-78c9-4e5b-95d4-944e02814682"</span>, <span class="s2">"InstanceId"</span>: <span class="s2">"i-03dd90e66a0e6a145"</span>, <span class="s2">"Comment"</span>: <span class="s2">""</span>, <span class="s2">"DocumentName"</span>: <span class="s2">"AWS-RunPowerShellScript"</span>, <span class="s2">"DocumentVersion"</span>: <span class="s2">"1"</span>, <span class="s2">"PluginName"</span>: <span class="s2">"aws:runPowerShellScript"</span>, <span class="s2">"ResponseCode"</span>: 0, <span class="s2">"ExecutionStartDateTime"</span>: <span class="s2">"2020-11-26T17:17:49.795Z"</span>, <span class="s2">"ExecutionElapsedTime"</span>: <span class="s2">"PT1.96S"</span>, <span class="s2">"ExecutionEndDateTime"</span>: <span class="s2">"2020-11-26T17:17:50.795Z"</span>, <span class="s2">"Status"</span>: <span class="s2">"Success"</span>, <span class="s2">"StatusDetails"</span>: <span class="s2">"Success"</span>, <span class="s2">"StandardOutputContent"</span>: <span class="s2">"Ok.</span><span class="se">\r\n\r\n</span><span class="s2">"</span>, <span class="s2">"StandardOutputUrl"</span>: <span class="s2">""</span>, <span class="s2">"StandardErrorContent"</span>: <span class="s2">""</span>, <span class="s2">"StandardErrorUrl"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputConfig"</span>: <span class="o">{</span> <span class="s2">"CloudWatchLogGroupName"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputEnabled"</span>: <span class="nb">false</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>All's A-OKAY, so let's repeat these two steps for the second script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>aws ssm send-command <span class="nt">--document-name</span> <span class="s2">"AWS-RunPowerShellScript"</span> <span class="se">\</span> <span class="nt">--document-version</span> <span class="s2">"1"</span> <span class="se">\</span> <span class="nt">--targets</span> <span class="s1">'[{"Key":"InstanceIds","Values":["i-03dd90e66a0e6a145"]}]'</span> <span class="se">\</span> <span class="nt">--parameters</span> <span class="s1">'{"workingDirectory":[""],"executionTimeout":["3600"],"commands":["netsh advfirewall consec add rule Name=\"vgw-06fab417114297dd1 Tunnel 2\" Enable=Yes Profile=any Type=Static Mode=Tunnel LocalTunnelEndpoint=10.0.2.18 RemoteTunnelEndpoint=54.77.85.166 Endpoint1=10.0.2.0/24 Endpoint2=10.0.3.0/24 Protocol=Any Action=RequireInClearOut Auth1=ComputerPSK Auth1PSK=sPGbITqCkW.PSrwuhlycnn6CgFFbjS0w QMSecMethods=ESP:SHA1-AES128+60min+100000kb ExemptIPsecProtectedConnections=No ApplyAuthz=No QMPFS=dhgroup2"]}'</span> <span class="se">\</span> <span class="nt">--timeout-seconds</span> 600 <span class="se">\</span> <span class="nt">--max-concurrency</span> <span class="s2">"50"</span> <span class="se">\</span> <span class="nt">--max-errors</span> <span class="s2">"0"</span> <span class="o">{</span> <span class="s2">"Command"</span>: <span class="o">{</span> <span class="s2">"CommandId"</span>: <span class="s2">"dd7bb695-51e2-41eb-a898-eec8fc4562f4"</span>, <span class="s2">"DocumentName"</span>: <span class="s2">"AWS-RunPowerShellScript"</span>, <span class="s2">"DocumentVersion"</span>: <span class="s2">"1"</span>, <span class="s2">"Comment"</span>: <span class="s2">""</span>, <span class="s2">"ExpiresAfter"</span>: <span class="s2">"2020-11-26T19:30:10.955000+01:00"</span>, <span class="s2">"Parameters"</span>: <span class="o">{</span> <span class="s2">"commands"</span>: <span class="o">[</span> <span class="s2">"netsh advfirewall consec add rule Name=</span><span class="se">\"</span><span class="s2">vgw-06fab417114297dd1 Tunnel 2</span><span class="se">\"</span><span class="s2"> Enable=Yes Profile=any Type=Static Mode=Tunnel LocalTunnelEndpoint=10.0.2.18 RemoteTunnelEndpoint=54.77.85.166 Endpoint1=10.0.2.0/24 Endpoint2=10.0.3.0/24 Protocol=Any Action=RequireInClearOut Auth1=ComputerPSK Auth1PSK=sPGbITqCkW.PSrwuhlycnn6CgFFbjS0w QMSecMethods=ESP:SHA1-AES128+60min+100000kb ExemptIPsecProtectedConnections=No ApplyAuthz=No QMPFS=dhgroup2"</span> <span class="o">]</span>, <span class="s2">"executionTimeout"</span>: <span class="o">[</span> <span class="s2">"3600"</span> <span class="o">]</span>, <span class="s2">"workingDirectory"</span>: <span class="o">[</span> <span class="s2">""</span> <span class="o">]</span> <span class="o">}</span>, <span class="s2">"InstanceIds"</span>: <span class="o">[]</span>, <span class="s2">"Targets"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Key"</span>: <span class="s2">"InstanceIds"</span>, <span class="s2">"Values"</span>: <span class="o">[</span> <span class="s2">"i-03dd90e66a0e6a145"</span> <span class="o">]</span> <span class="o">}</span> <span class="o">]</span>, <span class="s2">"RequestedDateTime"</span>: <span class="s2">"2020-11-26T18:20:10.955000+01:00"</span>, <span class="s2">"Status"</span>: <span class="s2">"Pending"</span>, <span class="s2">"StatusDetails"</span>: <span class="s2">"Pending"</span>, <span class="s2">"OutputS3BucketName"</span>: <span class="s2">""</span>, <span class="s2">"OutputS3KeyPrefix"</span>: <span class="s2">""</span>, <span class="s2">"MaxConcurrency"</span>: <span class="s2">"50"</span>, <span class="s2">"MaxErrors"</span>: <span class="s2">"0"</span>, <span class="s2">"TargetCount"</span>: 0, <span class="s2">"CompletedCount"</span>: 0, <span class="s2">"ErrorCount"</span>: 0, <span class="s2">"DeliveryTimedOutCount"</span>: 0, <span class="s2">"ServiceRole"</span>: <span class="s2">""</span>, <span class="s2">"NotificationConfig"</span>: <span class="o">{</span> <span class="s2">"NotificationArn"</span>: <span class="s2">""</span>, <span class="s2">"NotificationEvents"</span>: <span class="o">[]</span>, <span class="s2">"NotificationType"</span>: <span class="s2">""</span> <span class="o">}</span>, <span class="s2">"CloudWatchOutputConfig"</span>: <span class="o">{</span> <span class="s2">"CloudWatchLogGroupName"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputEnabled"</span>: <span class="nb">false</span> <span class="o">}</span>, <span class="s2">"TimeoutSeconds"</span>: 600 <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>aws ssm get-command-invocation <span class="nt">--command-id</span> dd7bb695-51e2-41eb-a898-eec8fc4562f4 <span class="nt">--instance-id</span> i-03dd90e66a0e6a145 <span class="o">{</span> <span class="s2">"CommandId"</span>: <span class="s2">"dd7bb695-51e2-41eb-a898-eec8fc4562f4"</span>, <span class="s2">"InstanceId"</span>: <span class="s2">"i-03dd90e66a0e6a145"</span>, <span class="s2">"Comment"</span>: <span class="s2">""</span>, <span class="s2">"DocumentName"</span>: <span class="s2">"AWS-RunPowerShellScript"</span>, <span class="s2">"DocumentVersion"</span>: <span class="s2">"1"</span>, <span class="s2">"PluginName"</span>: <span class="s2">"aws:runPowerShellScript"</span>, <span class="s2">"ResponseCode"</span>: 0, <span class="s2">"ExecutionStartDateTime"</span>: <span class="s2">"2020-11-26T17:20:11.557Z"</span>, <span class="s2">"ExecutionElapsedTime"</span>: <span class="s2">"PT0.647S"</span>, <span class="s2">"ExecutionEndDateTime"</span>: <span class="s2">"2020-11-26T17:20:11.557Z"</span>, <span class="s2">"Status"</span>: <span class="s2">"Success"</span>, <span class="s2">"StatusDetails"</span>: <span class="s2">"Success"</span>, <span class="s2">"StandardOutputContent"</span>: <span class="s2">"Ok.</span><span class="se">\r\n\r\n</span><span class="s2">"</span>, <span class="s2">"StandardOutputUrl"</span>: <span class="s2">""</span>, <span class="s2">"StandardErrorContent"</span>: <span class="s2">""</span>, <span class="s2">"StandardErrorUrl"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputConfig"</span>: <span class="o">{</span> <span class="s2">"CloudWatchLogGroupName"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputEnabled"</span>: <span class="nb">false</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Another A-OKAY, so let's ping the EC2 instance in the VPN destination VPC from the Windows instance in the VPN source VPC to make sure the Site-to-Site VPN connection is working as expected.</p> <p>Again, if you're following along, be sure to swap the ID of the Windows instance (<code>i-03dd90e66a0e6a145</code>) and the private IP of the Linux instance for appropriate values before running the below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ssm send-command <span class="nt">--document-name</span> <span class="s2">"AWS-RunPowerShellScript"</span> <span class="nt">--document-version</span> <span class="s2">"1"</span> <span class="nt">--targets</span> <span class="s1">'[{"Key":"InstanceIds","Values":["i-03dd90e66a0e6a145"]}]'</span> <span class="nt">--parameters</span> <span class="s1">'{"workingDirectory":[""],"executionTimeout":["3600"],"commands":["ping 10.0.3.49"]}'</span> <span class="nt">--timeout-seconds</span> 600 <span class="nt">--max-concurrency</span> <span class="s2">"50"</span> <span class="nt">--max-errors</span> <span class="s2">"0"</span> <span class="o">{</span> <span class="s2">"Command"</span>: <span class="o">{</span> <span class="s2">"CommandId"</span>: <span class="s2">"09785d32-8b7e-4f24-9581-90aed774aa7d"</span>, <span class="s2">"DocumentName"</span>: <span class="s2">"AWS-RunPowerShellScript"</span>, <span class="s2">"DocumentVersion"</span>: <span class="s2">"1"</span>, <span class="s2">"Comment"</span>: <span class="s2">""</span>, <span class="s2">"ExpiresAfter"</span>: <span class="s2">"2020-11-26T20:16:40.640000+01:00"</span>, <span class="s2">"Parameters"</span>: <span class="o">{</span> <span class="s2">"commands"</span>: <span class="o">[</span> <span class="s2">"ping 10.0.3.49"</span> <span class="o">]</span>, <span class="s2">"executionTimeout"</span>: <span class="o">[</span> <span class="s2">"3600"</span> <span class="o">]</span>, <span class="s2">"workingDirectory"</span>: <span class="o">[</span> <span class="s2">""</span> <span class="o">]</span> <span class="o">}</span>, <span class="s2">"InstanceIds"</span>: <span class="o">[]</span>, <span class="s2">"Targets"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Key"</span>: <span class="s2">"InstanceIds"</span>, <span class="s2">"Values"</span>: <span class="o">[</span> <span class="s2">"i-03dd90e66a0e6a145"</span> <span class="o">]</span> <span class="o">}</span> <span class="o">]</span>, <span class="s2">"RequestedDateTime"</span>: <span class="s2">"2020-11-26T19:06:40.640000+01:00"</span>, <span class="s2">"Status"</span>: <span class="s2">"Pending"</span>, <span class="s2">"StatusDetails"</span>: <span class="s2">"Pending"</span>, <span class="s2">"OutputS3BucketName"</span>: <span class="s2">""</span>, <span class="s2">"OutputS3KeyPrefix"</span>: <span class="s2">""</span>, <span class="s2">"MaxConcurrency"</span>: <span class="s2">"50"</span>, <span class="s2">"MaxErrors"</span>: <span class="s2">"0"</span>, <span class="s2">"TargetCount"</span>: 0, <span class="s2">"CompletedCount"</span>: 0, <span class="s2">"ErrorCount"</span>: 0, <span class="s2">"DeliveryTimedOutCount"</span>: 0, <span class="s2">"ServiceRole"</span>: <span class="s2">""</span>, <span class="s2">"NotificationConfig"</span>: <span class="o">{</span> <span class="s2">"NotificationArn"</span>: <span class="s2">""</span>, <span class="s2">"NotificationEvents"</span>: <span class="o">[]</span>, <span class="s2">"NotificationType"</span>: <span class="s2">""</span> <span class="o">}</span>, <span class="s2">"CloudWatchOutputConfig"</span>: <span class="o">{</span> <span class="s2">"CloudWatchLogGroupName"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputEnabled"</span>: <span class="nb">false</span> <span class="o">}</span>, <span class="s2">"TimeoutSeconds"</span>: 600 <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Let's see the result's output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>aws ssm get-command-invocation <span class="nt">--command-id</span> 09785d32-8b7e-4f24-9581-90aed774aa7d <span class="nt">--instance-id</span> i-03dd90e66a0e6a145 <span class="o">{</span> <span class="s2">"CommandId"</span>: <span class="s2">"09785d32-8b7e-4f24-9581-90aed774aa7d"</span>, <span class="s2">"InstanceId"</span>: <span class="s2">"i-03dd90e66a0e6a145"</span>, <span class="s2">"Comment"</span>: <span class="s2">""</span>, <span class="s2">"DocumentName"</span>: <span class="s2">"AWS-RunPowerShellScript"</span>, <span class="s2">"DocumentVersion"</span>: <span class="s2">"1"</span>, <span class="s2">"PluginName"</span>: <span class="s2">"aws:runPowerShellScript"</span>, <span class="s2">"ResponseCode"</span>: 0, <span class="s2">"ExecutionStartDateTime"</span>: <span class="s2">"2020-11-26T18:06:41.265Z"</span>, <span class="s2">"ExecutionElapsedTime"</span>: <span class="s2">"PT7.529S"</span>, <span class="s2">"ExecutionEndDateTime"</span>: <span class="s2">"2020-11-26T18:06:48.265Z"</span>, <span class="s2">"Status"</span>: <span class="s2">"Success"</span>, <span class="s2">"StatusDetails"</span>: <span class="s2">"Success"</span>, <span class="s2">"StandardOutputContent"</span>: <span class="s2">"</span><span class="se">\r\n</span><span class="s2">Pinging 10.0.3.49 with 32 bytes of data:</span><span class="se">\r\n</span><span class="s2">Request timed out.</span><span class="se">\r\n</span><span class="s2">Reply from 10.0.3.49: bytes=32 time=1ms TTL=254</span><span class="se">\r\n</span><span class="s2">Reply from 10.0.3.49: bytes=32 time&lt;1ms TTL=254</span><span class="se">\r\n</span><span class="s2">Reply from 10.0.3.49: bytes=32 time&lt;1ms TTL=254</span><span class="se">\r\n\r\n</span><span class="s2">Ping statistics for 10.0.3.49:</span><span class="se">\r\n</span><span class="s2"> Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),</span><span class="se">\r\n</span><span class="s2">Approximate round trip times in milli-seconds:</span><span class="se">\r\n</span><span class="s2"> Minimum = 0ms, Maximum = 1ms, Average = 0ms</span><span class="se">\r\n</span><span class="s2">"</span>, <span class="s2">"StandardOutputUrl"</span>: <span class="s2">""</span>, <span class="s2">"StandardErrorContent"</span>: <span class="s2">""</span>, <span class="s2">"StandardErrorUrl"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputConfig"</span>: <span class="o">{</span> <span class="s2">"CloudWatchLogGroupName"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputEnabled"</span>: <span class="nb">false</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The first ping was lost, the other three came back. <a href="https://docs.aws.amazon.com/vpn/latest/s2svpn/initiate-vpn-tunnels.html" rel="noopener noreferrer">It's a perfectly valid behavior since by default the Customer Gateway Device must bring up the VPN tunnels by generating traffic into AWS</a>.</p> <p>Wait, tunnels? Yep, AWS Site-to-site VPN creates two tunnels from the Customer Gateway Device and they operate in an active/passive failover configuration. You can check their status in the AWS Console:</p> <ul> <li>before the ping</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw2mfsulq2lcj4uptbbr8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw2mfsulq2lcj4uptbbr8.png" alt="AWS, the state of the VPN tunnels before the ping"></a></p> <ul> <li>after the ping</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3tssj3l0r5yr85x0m5xo.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3tssj3l0r5yr85x0m5xo.png" alt="AWS, the state of the VPN tunnels after the ping"></a></p> <h2> Cleanup </h2> <p>For the sake of our wallets, let's promptly destroy the current infrastructure before moving on. When prompted, type <code>y</code> for yes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>cdk destroy <span class="nt">--all</span> Are you sure you want to delete: InstanceVpnDestinationStack, VpcVpnDestinationStack, PeeringStack, InstancePeersStack, CustomerGatewayDeviceStack, VpcVpnSourceStack, VpcPeersStack <span class="o">(</span>y/n<span class="o">)</span>? y InstanceVpnDestinationStack: destroying... 19:15:58 | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | InstanceVpnDestinationStack ✅ InstanceVpnDestinationStack: destroyed VpcVpnDestinationStack: destroying... 19:16:55 | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | VpcVpnDestinationStack 19:18:39 | DELETE_IN_PROGRESS | AWS::EC2::InternetGateway | Vpc0/IGW 19:18:39 | DELETE_IN_PROGRESS | AWS::EC2::VPC | Vpc0 ✅ VpcVpnDestinationStack: destroyed PeeringStack: destroying... ✅ PeeringStack: destroyed InstancePeersStack: destroying... ✅ InstancePeersStack: destroyed CustomerGatewayDeviceStack: destroying... 19:19:00 | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | CustomerGatewayDeviceStack 19:19:52 | DELETE_IN_PROGRESS | AWS::IAM::Role | SsmRoleForEc2 ✅ CustomerGatewayDeviceStack: destroyed VpcVpnSourceStack: destroying... 19:19:58 | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | VpcVpnSourceStack ✅ VpcVpnSourceStack: destroyed VpcPeersStack: destroying... ✅ VpcPeersStack: destroyed </code></pre> </div> <p>Well then, we've already pinged over a VPC Peering and just a moment ago we've seen AWS Site-to-Site VPN in action. Hence, <a href="https://dev.to/aws-builders/ping-me-part-3-transit-gateway-using-cdk-18bf">what's left is taking AWS Transit Gateway for a spin</a>!</p> aws typescript devops tutorial Ping Me! (Part 1: VPC Peering Using CDK) Rafal Krol Sat, 24 Jul 2021 09:30:41 +0000 https://dev.to/aws-builders/ping-me-part-1-vpc-peering-using-cdk-2kpd https://dev.to/aws-builders/ping-me-part-1-vpc-peering-using-cdk-2kpd <h2> Overview </h2> <p><a href="https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html" rel="noopener noreferrer">VPC Peering</a> is a networking connection that you can establish between two VPCs to allow instances on either end to communicate with each other, using their private IPs (both IPv4 and IPv6 are supported), in exactly the same way as if they were inside one VPC. Traffic never leaves <a href="https://www.infrastructure.aws/" rel="noopener noreferrer">the AWS backbone network</a>, thus avoiding the dirty pipes of the Internet. The connection itself is free of charge. However, <a href="https://aws.amazon.com/ec2/pricing/on-demand/" rel="noopener noreferrer">you have to pay for the data transferred between the VPCs</a>.</p> <p>Intra-region (between VPCs within the same region), inter-region (between VPCs in different regions) and cross-account (between VPCs belonging to different AWS accounts) peering are all possible. Of course, <a href="https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html#overlapping-cidr" rel="noopener noreferrer">in either case, the CIDR ranges of the peered VPCs mustn't overlap with each other</a>, e.g. peering VPC A with the CIDR range of 10.0.0.0/16 and VPC B with the CIDR range of 10.0.1.0/24 would not be possible as IP addresses from 10.0.1.0 to 10.0.1.255 exist in both VPCs.</p> <p>One more gotcha is that <a href="https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html#transitive-peering" rel="noopener noreferrer">transitive peering is also disallowed</a>. Hence, if you got VPC A peered to VPC B and VPC B peered to VPC C, you wouldn't be able to reach VPC C from VPC A through VPC B. Instead, you'd need to peer VPC A directly with VPC C. With three VPCs it shouldn't be such a hard thing to accomplish (and then to maintain), but imagine having hundreds of VPCs... To achieve full mesh topology in that scenario, you'd need a Transit Gateway. But I'm getting a little ahead of myself.</p> <h2> Implementation </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz9uog73ihwenxkkht9rr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz9uog73ihwenxkkht9rr.png" alt="A rudimentary diagram of the complete solution"></a></p> <p>We'll need three stacks: one for the two VPCs, another one for the two EC2 instances and the third one for the actual peering connection and appropriate routes.</p> <p>Let's begin by creating the file for our <code>VpcStack</code> class:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ping-me-cdk-example<span class="nv">$ </span><span class="nb">touch </span>lib/vpc.ts </code></pre> </div> <p>Now, the class itself:</p> <ul> <li><code>ping-me-cdk-example/lib/vpc.ts</code></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// &lt;--- this module is not available from the start; remember to import it: `npm install @aws-cdk/aws-ec2`</span> <span class="kr">interface</span> <span class="nx">VpcProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">vpcSetup</span><span class="p">:</span> <span class="p">{</span> <span class="na">cidrs</span><span class="p">:</span> <span class="kr">string</span><span class="p">[],</span> <span class="c1">// &lt;--- each VPC will need a list of CIDRs</span> <span class="nx">maxAzs</span><span class="p">?:</span> <span class="kr">number</span><span class="p">,</span> <span class="c1">// &lt;--- optionally the number of Availability Zones can be provided; defaults to 2 in our particular case</span> <span class="nx">vpnConnections</span><span class="p">?:</span> <span class="p">{</span> <span class="c1">// &lt;--- if dealing with Site-to-Site VPN, the VPN connection details can be provided</span> <span class="p">[</span><span class="na">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">]:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">VpnConnectionOptions</span><span class="p">;</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">VpcStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="k">readonly</span> <span class="nx">createdVpcs</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">[];</span> <span class="c1">// &lt;-- create a class property for exposing the list of VPC objects</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">VpcProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">createdVpcs</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="c1">// for each of the provided CIDR ranges, create a VPC with two /27 subnets (one public and one private) per AZ</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcSetup</span><span class="p">.</span><span class="nx">cidrs</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">cidr</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">createdVpcs</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Vpc</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">index</span><span class="p">,</span> <span class="p">{</span> <span class="nx">cidr</span><span class="p">,</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcSetup</span><span class="p">.</span><span class="nx">maxAzs</span><span class="p">,</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">27</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">public</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">27</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">private</span><span class="dl">'</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PRIVATE</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="na">vpnConnections</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcSetup</span><span class="p">.</span><span class="nx">vpnConnections</span><span class="p">,</span> <span class="p">}));</span> <span class="p">});</span> <span class="c1">// For each VPC's default security group, allow inbound ICMP (ping) requests from anywhere</span> <span class="nx">createdVpcs</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">vpc</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SecurityGroup</span><span class="p">.</span><span class="nf">fromSecurityGroupId</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DefaultSecurityGroup</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">index</span><span class="p">,</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcDefaultSecurityGroup</span><span class="p">)</span> <span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">icmpPing</span><span class="p">(),</span> <span class="dl">'</span><span class="s1">Allow ping from anywhere</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">createdVpcs</span> <span class="o">=</span> <span class="nx">createdVpcs</span><span class="p">;</span> <span class="c1">// &lt;-- expose the list of created VPC objects so that they can be used by different stacks</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Since the <a href="https://docs.aws.amazon.com/cdk/api/latest/docs/aws-ec2-readme.html" rel="noopener noreferrer"><code>@aws-cdk/aws-ec2</code> module</a> was not imported during the cdk initialization, let's install it now:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ping-me-cdk-example<span class="nv">$ </span>npm <span class="nb">install</span> @aws-cdk/aws-ec2@1.73.0 npm WARN @aws-cdk/aws-ec2@1.74.0 requires a peer of @aws-cdk/core@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-ec2@1.74.0 requires a peer of @aws-cdk/cx-api@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-ec2@1.74.0 requires a peer of @aws-cdk/cloud-assembly-schema@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-ec2@1.74.0 requires a peer of @aws-cdk/region-info@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-cloudwatch@1.74.0 requires a peer of @aws-cdk/core@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-ssm@1.74.0 requires a peer of @aws-cdk/core@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-ssm@1.74.0 requires a peer of @aws-cdk/cloud-assembly-schema@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-logs@1.74.0 requires a peer of @aws-cdk/core@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-s3-assets@1.74.0 requires a peer of @aws-cdk/core@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-s3-assets@1.74.0 requires a peer of @aws-cdk/cx-api@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-kms@1.74.0 requires a peer of @aws-cdk/core@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-s3@1.74.0 requires a peer of @aws-cdk/core@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-iam@1.74.0 requires a peer of @aws-cdk/core@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-iam@1.74.0 requires a peer of @aws-cdk/region-info@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/assets@1.74.0 requires a peer of @aws-cdk/core@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/assets@1.74.0 requires a peer of @aws-cdk/cx-api@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN @aws-cdk/aws-events@1.74.0 requires a peer of @aws-cdk/core@1.74.0 but none is installed. You must <span class="nb">install </span>peer dependencies yourself. npm WARN ping-me-cdk-example@0.1.0 No repository field. npm WARN ping-me-cdk-example@0.1.0 No license field. + @aws-cdk/aws-ec2@1.74.0 added 190 packages from 9 contributors and audited 932 packages <span class="k">in </span>10.624s 27 packages are looking <span class="k">for </span>funding run <span class="sb">`</span>npm fund<span class="sb">`</span> <span class="k">for </span>details found 0 vulnerabilities </code></pre> </div> <p>We chose the <code>1.73.0</code> version on purpose (the exact same one we used for our <code>@aws-cdk/core</code> module) to avoid the possibility of seeing <a href="https://github.com/aws/aws-cdk/issues/3416" rel="noopener noreferrer">the <code>Argument of type 'this' is not assignable to parameter of type 'Construct'</code> error</a>.</p> <p>Next, we'll initialize an instance of our <code>VpcStack</code> class in <code>ping-me-cdk-example/bin/ping-me-cdk-example.ts</code>:</p> <ul> <li><code>ping-me-cdk-example/bin/ping-me-cdk-example.ts</code></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">VpcStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/vpc</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="c1">// &lt;--- you can read more about the App construct here: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.App.html</span> <span class="kd">const</span> <span class="nx">vpcPeers</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">VpcStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcPeersStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcSetup</span><span class="p">:</span> <span class="p">{</span> <span class="na">cidrs</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">10.0.0.0/24</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">10.0.1.0/24</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// &lt;--- two non-overlapping CIDR ranges for our two VPCs</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// &lt;--- to keep the costs down, we'll stick to 1 availability zone per VPC (obviously, not something you'd want to do in production)</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p><a href="https://docs.aws.amazon.com/cdk/latest/guide/hello_world.html#hello_world_tutorial_build" rel="noopener noreferrer">TypeScript should be compiled to JavaScript after each modification to our source code</a>. To avoid manually executing the <code>npm run build</code> command every time that happens, we'll run the below:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ping-me-cdk-example<span class="nv">$ </span>npm run watch <span class="o">[</span>19:50:46] Starting compilation <span class="k">in </span>watch mode... <span class="o">[</span>19:50:51] Found 0 errors. Watching <span class="k">for </span>file changes. <span class="c"># KEEP THIS RUNNING!</span> </code></pre> </div> <p>We're ready to synthesize our code into a CloudFormation template. As this is an optional step, we shall do it now for the sake of demonstration, but refrain from doing it later on:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="s">➜ ping-me-cdk-example$ cdk synth</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">Vpc07C831B30</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPC</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.0.0/24</span> <span class="na">EnableDnsHostnames</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">EnableDnsSupport</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">InstanceTenancy</span><span class="pi">:</span> <span class="s">default</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/Resource</span> <span class="na">Vpc0publicSubnet1SubnetB977A71E</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.0.0/27</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc07C831B30</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="na">Fn::Select</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">Fn::GetAZs</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">aws-cdk:subnet-name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">public</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">aws-cdk:subnet-type</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">Public</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/publicSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/publicSubnet1/Subnet</span> <span class="na">Vpc0publicSubnet1RouteTable2012E33A</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::RouteTable</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc07C831B30</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/publicSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/publicSubnet1/RouteTable</span> <span class="na">Vpc0publicSubnet1RouteTableAssociation0E1C3D4B</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc0publicSubnet1RouteTable2012E33A</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc0publicSubnet1SubnetB977A71E</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/publicSubnet1/RouteTableAssociation</span> <span class="na">Vpc0publicSubnet1DefaultRouteC03283FF</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Route</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc0publicSubnet1RouteTable2012E33A</span> <span class="na">DestinationCidrBlock</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">GatewayId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc0IGW3080DF7F</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Vpc0VPCGW9FBA9469</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/publicSubnet1/DefaultRoute</span> <span class="na">Vpc0publicSubnet1EIP16FED7DC</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::EIP</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Domain</span><span class="pi">:</span> <span class="s">vpc</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/publicSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/publicSubnet1/EIP</span> <span class="na">Vpc0publicSubnet1NATGateway40294DF4</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::NatGateway</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AllocationId</span><span class="pi">:</span> <span class="na">Fn::GetAtt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Vpc0publicSubnet1EIP16FED7DC</span> <span class="pi">-</span> <span class="s">AllocationId</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc0publicSubnet1SubnetB977A71E</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/publicSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/publicSubnet1/NATGateway</span> <span class="na">Vpc0privateSubnet1SubnetD6383522</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.0.32/27</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc07C831B30</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="na">Fn::Select</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">Fn::GetAZs</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">aws-cdk:subnet-name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">private</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">aws-cdk:subnet-type</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">Private</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/privateSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/privateSubnet1/Subnet</span> <span class="na">Vpc0privateSubnet1RouteTableB5C6777D</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::RouteTable</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc07C831B30</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/privateSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/privateSubnet1/RouteTable</span> <span class="na">Vpc0privateSubnet1RouteTableAssociationC17661A1</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc0privateSubnet1RouteTableB5C6777D</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc0privateSubnet1SubnetD6383522</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/privateSubnet1/RouteTableAssociation</span> <span class="na">Vpc0privateSubnet1DefaultRoute1EA0AEFE</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Route</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc0privateSubnet1RouteTableB5C6777D</span> <span class="na">DestinationCidrBlock</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">NatGatewayId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc0publicSubnet1NATGateway40294DF4</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/privateSubnet1/DefaultRoute</span> <span class="na">Vpc0IGW3080DF7F</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::InternetGateway</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/IGW</span> <span class="na">Vpc0VPCGW9FBA9469</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPCGatewayAttachment</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc07C831B30</span> <span class="na">InternetGatewayId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc0IGW3080DF7F</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc0/VPCGW</span> <span class="na">Vpc1C211860B</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPC</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.1.0/24</span> <span class="na">EnableDnsHostnames</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">EnableDnsSupport</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">InstanceTenancy</span><span class="pi">:</span> <span class="s">default</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/Resource</span> <span class="na">Vpc1publicSubnet1SubnetB43EFACE</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.1.0/27</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1C211860B</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="na">Fn::Select</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">Fn::GetAZs</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">aws-cdk:subnet-name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">public</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">aws-cdk:subnet-type</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">Public</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/publicSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/publicSubnet1/Subnet</span> <span class="na">Vpc1publicSubnet1RouteTable1C630681</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::RouteTable</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1C211860B</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/publicSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/publicSubnet1/RouteTable</span> <span class="na">Vpc1publicSubnet1RouteTableAssociation4DA13984</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1publicSubnet1RouteTable1C630681</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1publicSubnet1SubnetB43EFACE</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/publicSubnet1/RouteTableAssociation</span> <span class="na">Vpc1publicSubnet1DefaultRouteB4C85D62</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Route</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1publicSubnet1RouteTable1C630681</span> <span class="na">DestinationCidrBlock</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">GatewayId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1IGW15AE5E6B</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Vpc1VPCGW4C1BD07A</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/publicSubnet1/DefaultRoute</span> <span class="na">Vpc1publicSubnet1EIP5F1D9658</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::EIP</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Domain</span><span class="pi">:</span> <span class="s">vpc</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/publicSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/publicSubnet1/EIP</span> <span class="na">Vpc1publicSubnet1NATGateway06106699</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::NatGateway</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AllocationId</span><span class="pi">:</span> <span class="na">Fn::GetAtt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Vpc1publicSubnet1EIP5F1D9658</span> <span class="pi">-</span> <span class="s">AllocationId</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1publicSubnet1SubnetB43EFACE</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/publicSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/publicSubnet1/NATGateway</span> <span class="na">Vpc1privateSubnet1Subnet41967AFD</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Subnet</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">CidrBlock</span><span class="pi">:</span> <span class="s">10.0.1.32/27</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1C211860B</span> <span class="na">AvailabilityZone</span><span class="pi">:</span> <span class="na">Fn::Select</span><span class="pi">:</span> <span class="pi">-</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">Fn::GetAZs</span><span class="pi">:</span> <span class="s2">"</span><span class="s">"</span> <span class="na">MapPublicIpOnLaunch</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">aws-cdk:subnet-name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">private</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">aws-cdk:subnet-type</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">Private</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/privateSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/privateSubnet1/Subnet</span> <span class="na">Vpc1privateSubnet1RouteTable339A93B3</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::RouteTable</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1C211860B</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/privateSubnet1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/privateSubnet1/RouteTable</span> <span class="na">Vpc1privateSubnet1RouteTableAssociation4FB53340</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SubnetRouteTableAssociation</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1privateSubnet1RouteTable339A93B3</span> <span class="na">SubnetId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1privateSubnet1Subnet41967AFD</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/privateSubnet1/RouteTableAssociation</span> <span class="na">Vpc1privateSubnet1DefaultRoute4ACBA7B3</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::Route</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">RouteTableId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1privateSubnet1RouteTable339A93B3</span> <span class="na">DestinationCidrBlock</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">NatGatewayId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1publicSubnet1NATGateway06106699</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/privateSubnet1/DefaultRoute</span> <span class="na">Vpc1IGW15AE5E6B</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::InternetGateway</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/IGW</span> <span class="na">Vpc1VPCGW4C1BD07A</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::VPCGatewayAttachment</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1C211860B</span> <span class="na">InternetGatewayId</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">Vpc1IGW15AE5E6B</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/Vpc1/VPCGW</span> <span class="na">DefaultSecurityGroup0from00000ICMPType829E2C81F</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroupIngress</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">icmp</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Allow ping from anywhere</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">8</span> <span class="na">GroupId</span><span class="pi">:</span> <span class="na">Fn::GetAtt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Vpc07C831B30</span> <span class="pi">-</span> <span class="s">DefaultSecurityGroup</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="s">-1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/DefaultSecurityGroup0/from 0.0.0.0_0:ICMP Type </span><span class="m">8</span> <span class="na">DefaultSecurityGroup1from00000ICMPType8D69AB703</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroupIngress</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">icmp</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Allow ping from anywhere</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">8</span> <span class="na">GroupId</span><span class="pi">:</span> <span class="na">Fn::GetAtt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Vpc1C211860B</span> <span class="pi">-</span> <span class="s">DefaultSecurityGroup</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="s">-1</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/DefaultSecurityGroup1/from 0.0.0.0_0:ICMP Type </span><span class="m">8</span> <span class="na">CDKMetadata</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CDK::Metadata</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Modules</span><span class="pi">:</span> <span class="s">aws-cdk=1.74.0,@aws-cdk/assets=1.74.0,@aws-cdk/aws-cloudwatch=1.74.0,@aws-cdk/aws-ec2=1.74.0,@aws-cdk/aws-events=1.74.0,@aws-cdk/aws-iam=1.74.0,@aws-cdk/aws-kms=1.74.0,@aws-cdk/aws-logs=1.74.0,@aws-cdk/aws-s3=1.74.0,@aws-cdk/aws-s3-assets=1.74.0,@aws-cdk/aws-ssm=1.74.0,@aws-cdk/cloud-assembly-schema=1.74.0,@aws-cdk/core=1.74.0,@aws-cdk/cx-api=1.74.0,@aws-cdk/region-info=1.74.0,jsii-runtime=node.js/v14.14.0</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">aws:cdk:path</span><span class="pi">:</span> <span class="s">VpcPeersStack/CDKMetadata/Default</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">CDKMetadataAvailable</span> <span class="na">Conditions</span><span class="pi">:</span> <span class="na">CDKMetadataAvailable</span><span class="pi">:</span> <span class="na">Fn::Or</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Fn::Or</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">ap-east-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">ap-northeast-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">ap-northeast-2</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">ap-south-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">ap-southeast-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">ap-southeast-2</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">ca-central-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">cn-north-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">cn-northwest-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">eu-central-1</span> <span class="pi">-</span> <span class="na">Fn::Or</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">eu-north-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">eu-west-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">eu-west-2</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">eu-west-3</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">me-south-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">sa-east-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">us-east-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">us-east-2</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">us-west-1</span> <span class="pi">-</span> <span class="na">Fn::Equals</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">AWS::Region</span> <span class="pi">-</span> <span class="s">us-west-2</span> </code></pre> </div> <p>Yep, yep, Ladies and Gentleman, without the CDK we would be forced to write all of the above lines ourselves if we wanted to deploy our infrastructure with CloudFormation (that's one giant leap right there).</p> <p>Instead of looking at the CloudFormation template, you can run the <code>cdk diff</code> command to see what changes can be applied:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ping-me-cdk-example<span class="nv">$ </span>cdk diff Stack VpcPeersStack Security Group Changes ┌───┬──────────────────────────────┬─────┬───────────┬─────────────────┐ │ │ Group │ Dir │ Protocol │ Peer │ ├───┼──────────────────────────────┼─────┼───────────┼─────────────────┤ │ + │ <span class="k">${</span><span class="nv">Vpc0</span><span class="p">.DefaultSecurityGroup</span><span class="k">}</span> │ In │ ICMP 8--1 │ Everyone <span class="o">(</span>IPv4<span class="o">)</span> │ ├───┼──────────────────────────────┼─────┼───────────┼─────────────────┤ │ + │ <span class="k">${</span><span class="nv">Vpc1</span><span class="p">.DefaultSecurityGroup</span><span class="k">}</span> │ In │ ICMP 8--1 │ Everyone <span class="o">(</span>IPv4<span class="o">)</span> │ └───┴──────────────────────────────┴─────┴───────────┴─────────────────┘ <span class="o">(</span>NOTE: There may be security-related changes not <span class="k">in </span>this list. See https://github.com/aws/aws-cdk/issues/1299<span class="o">)</span> Conditions <span class="o">[</span>+] Condition CDKMetadata/Condition CDKMetadataAvailable: <span class="o">{</span><span class="s2">"Fn::Or"</span>:[<span class="o">{</span><span class="s2">"Fn::Or"</span>:[<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"ap-east-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"ap-northeast-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"ap-northeast-2"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"ap-south-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"ap-southeast-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"ap-southeast-2"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"ca-central-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"cn-north-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"cn-northwest-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"eu-central-1"</span><span class="o">]}]}</span>,<span class="o">{</span><span class="s2">"Fn::Or"</span>:[<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"eu-north-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"eu-west-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"eu-west-2"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"eu-west-3"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"me-south-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"sa-east-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"us-east-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"us-east-2"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"us-west-1"</span><span class="o">]}</span>,<span class="o">{</span><span class="s2">"Fn::Equals"</span>:[<span class="o">{</span><span class="s2">"Ref"</span>:<span class="s2">"AWS::Region"</span><span class="o">}</span>,<span class="s2">"us-west-2"</span><span class="o">]}]}]}</span> Resources <span class="o">[</span>+] AWS::EC2::VPC Vpc0 Vpc07C831B30 <span class="o">[</span>+] AWS::EC2::Subnet Vpc0/publicSubnet1/Subnet Vpc0publicSubnet1SubnetB977A71E <span class="o">[</span>+] AWS::EC2::RouteTable Vpc0/publicSubnet1/RouteTable Vpc0publicSubnet1RouteTable2012E33A <span class="o">[</span>+] AWS::EC2::SubnetRouteTableAssociation Vpc0/publicSubnet1/RouteTableAssociation Vpc0publicSubnet1RouteTableAssociation0E1C3D4B <span class="o">[</span>+] AWS::EC2::Route Vpc0/publicSubnet1/DefaultRoute Vpc0publicSubnet1DefaultRouteC03283FF <span class="o">[</span>+] AWS::EC2::EIP Vpc0/publicSubnet1/EIP Vpc0publicSubnet1EIP16FED7DC <span class="o">[</span>+] AWS::EC2::NatGateway Vpc0/publicSubnet1/NATGateway Vpc0publicSubnet1NATGateway40294DF4 <span class="o">[</span>+] AWS::EC2::Subnet Vpc0/privateSubnet1/Subnet Vpc0privateSubnet1SubnetD6383522 <span class="o">[</span>+] AWS::EC2::RouteTable Vpc0/privateSubnet1/RouteTable Vpc0privateSubnet1RouteTableB5C6777D <span class="o">[</span>+] AWS::EC2::SubnetRouteTableAssociation Vpc0/privateSubnet1/RouteTableAssociation Vpc0privateSubnet1RouteTableAssociationC17661A1 <span class="o">[</span>+] AWS::EC2::Route Vpc0/privateSubnet1/DefaultRoute Vpc0privateSubnet1DefaultRoute1EA0AEFE <span class="o">[</span>+] AWS::EC2::InternetGateway Vpc0/IGW Vpc0IGW3080DF7F <span class="o">[</span>+] AWS::EC2::VPCGatewayAttachment Vpc0/VPCGW Vpc0VPCGW9FBA9469 <span class="o">[</span>+] AWS::EC2::VPC Vpc1 Vpc1C211860B <span class="o">[</span>+] AWS::EC2::Subnet Vpc1/publicSubnet1/Subnet Vpc1publicSubnet1SubnetB43EFACE <span class="o">[</span>+] AWS::EC2::RouteTable Vpc1/publicSubnet1/RouteTable Vpc1publicSubnet1RouteTable1C630681 <span class="o">[</span>+] AWS::EC2::SubnetRouteTableAssociation Vpc1/publicSubnet1/RouteTableAssociation Vpc1publicSubnet1RouteTableAssociation4DA13984 <span class="o">[</span>+] AWS::EC2::Route Vpc1/publicSubnet1/DefaultRoute Vpc1publicSubnet1DefaultRouteB4C85D62 <span class="o">[</span>+] AWS::EC2::EIP Vpc1/publicSubnet1/EIP Vpc1publicSubnet1EIP5F1D9658 <span class="o">[</span>+] AWS::EC2::NatGateway Vpc1/publicSubnet1/NATGateway Vpc1publicSubnet1NATGateway06106699 <span class="o">[</span>+] AWS::EC2::Subnet Vpc1/privateSubnet1/Subnet Vpc1privateSubnet1Subnet41967AFD <span class="o">[</span>+] AWS::EC2::RouteTable Vpc1/privateSubnet1/RouteTable Vpc1privateSubnet1RouteTable339A93B3 <span class="o">[</span>+] AWS::EC2::SubnetRouteTableAssociation Vpc1/privateSubnet1/RouteTableAssociation Vpc1privateSubnet1RouteTableAssociation4FB53340 <span class="o">[</span>+] AWS::EC2::Route Vpc1/privateSubnet1/DefaultRoute Vpc1privateSubnet1DefaultRoute4ACBA7B3 <span class="o">[</span>+] AWS::EC2::InternetGateway Vpc1/IGW Vpc1IGW15AE5E6B <span class="o">[</span>+] AWS::EC2::VPCGatewayAttachment Vpc1/VPCGW Vpc1VPCGW4C1BD07A <span class="o">[</span>+] AWS::EC2::SecurityGroupIngress DefaultSecurityGroup0/from 0.0.0.0_0:ICMP Type 8 DefaultSecurityGroup0from00000ICMPType829E2C81F <span class="o">[</span>+] AWS::EC2::SecurityGroupIngress DefaultSecurityGroup1/from 0.0.0.0_0:ICMP Type 8 DefaultSecurityGroup1from00000ICMPType8D69AB703 </code></pre> </div> <p>All looks good. Hence, without further ado, let's deploy these changes:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ping-me-cdk-example<span class="nv">$ </span>cdk deploy <span class="nt">--require-approval</span> never VpcPeersStack: deploying... VpcPeersStack: creating CloudFormation changeset... <span class="o">[</span>██████████████████████████████████████████████████████████] <span class="o">(</span>30/30<span class="o">)</span> ✅ VpcPeersStack Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/VpcPeersStack/1057bae0-2cc0-11eb-8cd5-0a517997c0b3 </code></pre> </div> <p>We've set the <code>--require-approval</code> flag to <code>never</code> to avoid manually confirming the creation of the <code>Allow ping from anywhere</code> rules, which were deemed as potentially insecure by the CDK.</p> <p>We got the VPCs. Now, on to the EC2s and the peering connection itself:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ping-me-cdk-example<span class="nv">$ </span><span class="nb">touch </span>lib/instance.ts </code></pre> </div> <ul> <li><code>ping-me-cdk-example/lib/instance.ts</code></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">InstanceProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">vpcs</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">[];</span> <span class="c1">// &lt;--- a list of VPC objects required for the creation of the EC2 instance(s)</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">InstanceStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">InstanceProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// For each supplied VPC, create a Linux-based EC2 instance in the private subnet and attach the VPC's default security group to it</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">vpc</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">instanceName</span> <span class="o">=</span> <span class="s2">`Instance</span><span class="p">${</span><span class="nx">index</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">instanceResource</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">BastionHostLinux</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="nx">instanceName</span><span class="p">,</span> <span class="p">{</span> <span class="nx">vpc</span><span class="p">,</span> <span class="nx">instanceName</span><span class="p">,</span> <span class="na">securityGroup</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SecurityGroup</span><span class="p">.</span><span class="nf">fromSecurityGroupId</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="nx">instanceName</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">SecurityGroup</span><span class="dl">'</span><span class="p">,</span> <span class="nx">vpc</span><span class="p">.</span><span class="nx">vpcDefaultSecurityGroup</span><span class="p">),</span> <span class="p">});</span> <span class="c1">// Output the instance's private IP</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="nx">instanceName</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">PrivateIp</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">instanceResource</span><span class="p">.</span><span class="nx">instancePrivateIp</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ping-me-cdk-example<span class="nv">$ </span><span class="nb">touch </span>lib/peering.ts </code></pre> </div> <ul> <li><code>ping-me-cdk-example/lib/peering.ts</code></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">PeeringProps</span> <span class="kd">extends</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">vpcs</span><span class="p">:</span> <span class="p">[</span><span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">];</span> <span class="c1">// &lt;--- a fixed-length array (a tuple type in TypeScript parlance) consisting of two VPC objects between which the peering connection will be made</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">PeeringStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">PeeringProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// Create the peering connection</span> <span class="kd">const</span> <span class="nx">peer</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnVPCPeeringConnection</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Peer</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcId</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">vpcId</span><span class="p">,</span> <span class="na">peerVpcId</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nx">vpcId</span> <span class="p">});</span> <span class="c1">// Add route from the private subnet of the first VPC to the second VPC over the peering connection</span> <span class="c1">// NB the below was taken from: https://stackoverflow.com/questions/62525195/adding-entry-to-route-table-with-cdk-typescript-when-its-private-subnet-alread</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">privateSubnets</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(({</span> <span class="na">routeTable</span><span class="p">:</span> <span class="p">{</span> <span class="nx">routeTableId</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnRoute</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RouteFromPrivateSubnetOfVpc1ToVpc2</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">index</span><span class="p">,</span> <span class="p">{</span> <span class="na">destinationCidrBlock</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nx">vpcCidrBlock</span><span class="p">,</span> <span class="nx">routeTableId</span><span class="p">,</span> <span class="na">vpcPeeringConnectionId</span><span class="p">:</span> <span class="nx">peer</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Add route from the private subnet of the second VPC to the first VPC over the peering connection</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="nx">privateSubnets</span><span class="p">.</span><span class="nf">forEach</span><span class="p">(({</span> <span class="na">routeTable</span><span class="p">:</span> <span class="p">{</span> <span class="nx">routeTableId</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">CfnRoute</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">RouteFromPrivateSubnetOfVpc2ToVpc1</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">index</span><span class="p">,</span> <span class="p">{</span> <span class="na">destinationCidrBlock</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpcs</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">vpcCidrBlock</span><span class="p">,</span> <span class="nx">routeTableId</span><span class="p">,</span> <span class="na">vpcPeeringConnectionId</span><span class="p">:</span> <span class="nx">peer</span><span class="p">.</span><span class="nx">ref</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Back to the <code>ping-me-cdk-example/bin/ping-me-cdk-example.ts</code> file to initialize our newly created classes:</p> <ul> <li><code>ping-me-cdk-example/bin/ping-me-cdk-example.ts</code></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">VpcStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/vpc</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">InstanceStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/instance</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PeeringStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/peering</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="c1">// &lt;--- you can read more about the App construct here: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.App.html</span> <span class="kd">const</span> <span class="nx">vpcPeers</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">VpcStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VpcPeersStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcSetup</span><span class="p">:</span> <span class="p">{</span> <span class="na">cidrs</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">10.0.0.0/24</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">10.0.1.0/24</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// &lt;--- two non-overlapping CIDR ranges for our two VPCs</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="c1">// &lt;--- to keep the costs down, we'll stick to 1 availability zone per VPC (obviously, not something you'd want to do in production)</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Create two EC2 instances, one in each VPC</span> <span class="k">new</span> <span class="nc">InstanceStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">InstancePeersStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcs</span><span class="p">:</span> <span class="nx">vpcPeers</span><span class="p">.</span><span class="nx">createdVpcs</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Establish a VPC Peering connection between the two VPCs</span> <span class="k">new</span> <span class="nc">PeeringStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PeeringStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpcs</span><span class="p">:</span> <span class="p">[</span><span class="nx">vpcPeers</span><span class="p">.</span><span class="nx">createdVpcs</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="nx">vpcPeers</span><span class="p">.</span><span class="nx">createdVpcs</span><span class="p">[</span><span class="mi">1</span><span class="p">]],</span> <span class="p">});</span> </code></pre> </div> <p>Finally, we can deploy the two EC2 instances (one in each of the earlier created VPCs) and the VPC Peering connection itself:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ping-me-cdk-example<span class="nv">$ </span>cdk deploy <span class="nt">--all</span> <span class="nt">--require-approval</span> never VpcPeersStack VpcPeersStack: deploying... ✅ VpcPeersStack <span class="o">(</span>no changes<span class="o">)</span> Outputs: VpcPeersStack.ExportsOutputFnGetAttVpc07C831B30CidrBlockB8164F9E <span class="o">=</span> 10.0.0.0/24 VpcPeersStack.ExportsOutputFnGetAttVpc07C831B30DefaultSecurityGroup52C351BF <span class="o">=</span> sg-0dd8a9cd265dc8acb VpcPeersStack.ExportsOutputFnGetAttVpc1C211860BCidrBlock933A5AA8 <span class="o">=</span> 10.0.1.0/24 VpcPeersStack.ExportsOutputFnGetAttVpc1C211860BDefaultSecurityGroup87C47BC2 <span class="o">=</span> sg-0496c16092cdd8311 VpcPeersStack.ExportsOutputRefVpc07C831B304FE08623 <span class="o">=</span> vpc-07277da5218b90290 VpcPeersStack.ExportsOutputRefVpc0privateSubnet1RouteTableB5C6777D52F53FE8 <span class="o">=</span> rtb-005f39777bccd74f4 VpcPeersStack.ExportsOutputRefVpc0privateSubnet1SubnetD6383522ACB05B9B <span class="o">=</span> subnet-0a018df57060948a4 VpcPeersStack.ExportsOutputRefVpc1C211860B64169B74 <span class="o">=</span> vpc-0c5433d68b3f2f67c VpcPeersStack.ExportsOutputRefVpc1privateSubnet1RouteTable339A93B3DFC75FCA <span class="o">=</span> rtb-02ca74736f4f0ea17 VpcPeersStack.ExportsOutputRefVpc1privateSubnet1Subnet41967AFDFF883DAB <span class="o">=</span> subnet-048b1e861592d392c Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/VpcPeersStack/d91b71b0-2dbf-11eb-8c69-06b222f0b0a4 InstancePeersStack InstancePeersStack: deploying... InstancePeersStack: creating CloudFormation changeset... <span class="o">[</span>██████████████████████████████████████████████████████████] <span class="o">(</span>10/10<span class="o">)</span> ✅ InstancePeersStack Outputs: InstancePeersStack.Instance0BastionHostId1959CA92 <span class="o">=</span> i-0ca24549d1646cccd <span class="c"># &lt;--- COPY THE ID OF YOUR SOURCE EC2 INSTANCE!</span> InstancePeersStack.Instance0PrivateIp <span class="o">=</span> 10.0.0.36 InstancePeersStack.Instance1BastionHostIdEF2AA144 <span class="o">=</span> i-0fec2bdd51392974d InstancePeersStack.Instance1PrivateIp <span class="o">=</span> 10.0.1.59 <span class="c"># &lt;--- COPY THE PRIVATE IP OF YOUR DESTINATION EC2 INSTANCE!</span> Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/InstancePeersStack/9e40f500-2dc0-11eb-aab0-0a253e5a178e PeeringStack PeeringStack: deploying... PeeringStack: creating CloudFormation changeset... <span class="o">[</span>██████████████████████████████████████████████████████████] <span class="o">(</span>5/5<span class="o">)</span> ✅ PeeringStack Stack ARN: arn:aws:cloudformation:eu-west-1:REDACTED:stack/PeeringStack/15e96f10-2dc1-11eb-ae91-0643678755c5 </code></pre> </div> <h2> Validation </h2> <p>To test if the VPC Peering has been properly set up, we're gonna send 3 pings from one of the EC2 instances to the other using the AWS CLI and its <a href="https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/send-command.html" rel="noopener noreferrer"><code>aws ssm send-command</code> command</a>.</p> <p>If you're following along, be sure to swap the ID of the source EC2 instance (<code>i-0ca24549d1646cccd</code>) and the private IP of the destination EC2 instance (<code>10.0.1.59</code>) for appropriate values before running the below:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ping-me-cdk-example<span class="nv">$ </span>aws ssm send-command <span class="se">\</span> <span class="nt">--document-name</span> <span class="s2">"AWS-RunShellScript"</span> <span class="se">\</span> <span class="nt">--document-version</span> <span class="s2">"1"</span> <span class="se">\</span> <span class="nt">--targets</span> <span class="s1">'[{"Key":"InstanceIds","Values":["i-0ca24549d1646cccd"]}]'</span> <span class="se">\</span> <span class="nt">--parameters</span> <span class="s1">'{"workingDirectory":[""],"executionTimeout":["3600"],"commands":["ping 10.0.1.59 -c 3"]}'</span> <span class="se">\</span> <span class="nt">--timeout-seconds</span> 600 <span class="se">\</span> <span class="nt">--max-concurrency</span> <span class="s2">"50"</span> <span class="se">\</span> <span class="nt">--max-errors</span> <span class="s2">"0"</span> <span class="o">{</span> <span class="s2">"Command"</span>: <span class="o">{</span> <span class="s2">"CommandId"</span>: <span class="s2">"e2171883-d9d1-478c-9ad2-2c7c51ca6c2e"</span>, <span class="s2">"DocumentName"</span>: <span class="s2">"AWS-RunShellScript"</span>, <span class="s2">"DocumentVersion"</span>: <span class="s2">"1"</span>, <span class="s2">"Comment"</span>: <span class="s2">""</span>, <span class="s2">"ExpiresAfter"</span>: <span class="s2">"2020-11-23T22:04:17.410000+01:00"</span>, <span class="s2">"Parameters"</span>: <span class="o">{</span> <span class="s2">"commands"</span>: <span class="o">[</span> <span class="s2">"ping 10.0.1.59 -c 3"</span> <span class="o">]</span>, <span class="s2">"executionTimeout"</span>: <span class="o">[</span> <span class="s2">"3600"</span> <span class="o">]</span>, <span class="s2">"workingDirectory"</span>: <span class="o">[</span> <span class="s2">""</span> <span class="o">]</span> <span class="o">}</span>, <span class="s2">"InstanceIds"</span>: <span class="o">[]</span>, <span class="s2">"Targets"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Key"</span>: <span class="s2">"InstanceIds"</span>, <span class="s2">"Values"</span>: <span class="o">[</span> <span class="s2">"i-0ca24549d1646cccd"</span> <span class="o">]</span> <span class="o">}</span> <span class="o">]</span>, <span class="s2">"RequestedDateTime"</span>: <span class="s2">"2020-11-23T20:54:17.410000+01:00"</span>, <span class="s2">"Status"</span>: <span class="s2">"Pending"</span>, <span class="s2">"StatusDetails"</span>: <span class="s2">"Pending"</span>, <span class="s2">"OutputS3BucketName"</span>: <span class="s2">""</span>, <span class="s2">"OutputS3KeyPrefix"</span>: <span class="s2">""</span>, <span class="s2">"MaxConcurrency"</span>: <span class="s2">"50"</span>, <span class="s2">"MaxErrors"</span>: <span class="s2">"0"</span>, <span class="s2">"TargetCount"</span>: 0, <span class="s2">"CompletedCount"</span>: 0, <span class="s2">"ErrorCount"</span>: 0, <span class="s2">"DeliveryTimedOutCount"</span>: 0, <span class="s2">"ServiceRole"</span>: <span class="s2">""</span>, <span class="s2">"NotificationConfig"</span>: <span class="o">{</span> <span class="s2">"NotificationArn"</span>: <span class="s2">""</span>, <span class="s2">"NotificationEvents"</span>: <span class="o">[]</span>, <span class="s2">"NotificationType"</span>: <span class="s2">""</span> <span class="o">}</span>, <span class="s2">"CloudWatchOutputConfig"</span>: <span class="o">{</span> <span class="s2">"CloudWatchLogGroupName"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputEnabled"</span>: <span class="nb">false</span> <span class="o">}</span>, <span class="s2">"TimeoutSeconds"</span>: 600 <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Now, let's check whether that succeeded using AWS CLI's <a href="https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/get-command-invocation.html" rel="noopener noreferrer"><code>aws ssm get-command-invocation</code> command</a>.</p> <p>Again, if you're following along, be sure to swap the command ID (<code>e2171883-d9d1-478c-9ad2-2c7c51ca6c2e</code>) and the ID of the source EC2 instance (<code>i-0ca24549d1646cccd</code>) for appropriate values before running the below:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ping-me-cdk-example<span class="nv">$ </span>aws ssm get-command-invocation <span class="nt">--command-id</span> e2171883-d9d1-478c-9ad2-2c7c51ca6c2e <span class="nt">--instance-id</span> i-0ca24549d1646cccd <span class="o">{</span> <span class="s2">"CommandId"</span>: <span class="s2">"e2171883-d9d1-478c-9ad2-2c7c51ca6c2e"</span>, <span class="s2">"InstanceId"</span>: <span class="s2">"i-0ca24549d1646cccd"</span>, <span class="s2">"Comment"</span>: <span class="s2">""</span>, <span class="s2">"DocumentName"</span>: <span class="s2">"AWS-RunShellScript"</span>, <span class="s2">"DocumentVersion"</span>: <span class="s2">"1"</span>, <span class="s2">"PluginName"</span>: <span class="s2">"aws:runShellScript"</span>, <span class="s2">"ResponseCode"</span>: 0, <span class="s2">"ExecutionStartDateTime"</span>: <span class="s2">"2020-11-23T19:54:17.876Z"</span>, <span class="s2">"ExecutionElapsedTime"</span>: <span class="s2">"PT2.032S"</span>, <span class="s2">"ExecutionEndDateTime"</span>: <span class="s2">"2020-11-23T19:54:19.876Z"</span>, <span class="s2">"Status"</span>: <span class="s2">"Success"</span>, <span class="s2">"StatusDetails"</span>: <span class="s2">"Success"</span>, <span class="s2">"StandardOutputContent"</span>: <span class="s2">"PING 10.0.1.59 (10.0.1.59) 56(84) bytes of data.</span><span class="se">\n</span><span class="s2">64 bytes from 10.0.1.59: icmp_seq=1 ttl=255 time=0.140 ms</span><span class="se">\n</span><span class="s2">64 bytes from 10.0.1.59: icmp_seq=2 ttl=255 time=0.152 ms</span><span class="se">\n</span><span class="s2">64 bytes from 10.0.1.59: icmp_seq=3 ttl=255 time=0.138 ms</span><span class="se">\n\n</span><span class="s2">--- 10.0.1.59 ping statistics ---</span><span class="se">\n</span><span class="s2">3 packets transmitted, 3 received, 0% packet loss, time 2025ms</span><span class="se">\n</span><span class="s2">rtt min/avg/max/mdev = 0.138/0.143/0.152/0.011 ms</span><span class="se">\n</span><span class="s2">"</span>, <span class="s2">"StandardOutputUrl"</span>: <span class="s2">""</span>, <span class="s2">"StandardErrorContent"</span>: <span class="s2">""</span>, <span class="s2">"StandardErrorUrl"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputConfig"</span>: <span class="o">{</span> <span class="s2">"CloudWatchLogGroupName"</span>: <span class="s2">""</span>, <span class="s2">"CloudWatchOutputEnabled"</span>: <span class="nb">false</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><code>3 packets transmitted, 3 received, 0% packet loss</code>, woop woop!</p> <h2> Cleanup </h2> <p>For the sake of our wallets, let's promptly destroy the current infrastructure before moving on. When prompted, type <code>y</code> for yes:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ➜ ping-me-cdk-example<span class="nv">$ </span>cdk destroy <span class="nt">--all</span> Are you sure you want to delete: PeeringStack, InstancePeersStack, VpcPeersStack <span class="o">(</span>y/n<span class="o">)</span>? y PeeringStack: destroying... 21:15:12 | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | PeeringStack ✅ PeeringStack: destroyed InstancePeersStack: destroying... 21:16:03 | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | InstancePeersStack ✅ InstancePeersStack: destroyed VpcPeersStack: destroying... 21:17:01 | DELETE_IN_PROGRESS | AWS::CloudFormation::Stack | VpcPeersStack 21:18:55 | DELETE_IN_PROGRESS | AWS::EC2::InternetGateway | Vpc1/IGW 21:18:55 | DELETE_IN_PROGRESS | AWS::EC2::VPC | Vpc1 ✅ VpcPeersStack: destroyed </code></pre> </div> <p>Okey doke, <a href="https://dev.to/aws-builders/ping-me-part-2-site-to-site-vpn-using-cdk-236h">pinging over Site-to-Site VPN is next</a>!</p> aws typescript devops tutorial Ping Me! (Intro: IaC and Prep Work) Rafal Krol Fri, 23 Jul 2021 09:24:45 +0000 https://dev.to/aws-builders/ping-me-intro-iac-and-prep-work-41le https://dev.to/aws-builders/ping-me-intro-iac-and-prep-work-41le <h2> Introduction </h2> <p>Hello, everyone! Welcome to <em>Ping Me!</em>, a short series of articles in which we are going to build out and compare three different solutions - <a href="https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html">VPC Peering</a>, <a href="https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html">Site-to-Site VPN</a> and <a href="https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html">Transit Gateway</a> - for connecting VPCs together.</p> <p>The building part will be done using <a href="https://docs.aws.amazon.com/cdk/latest/guide/home.html">AWS Cloud Development Kit</a>. Then, we will prove that each connection works by deploying two EC2 instances, one on each end of the connection, and making a successful ping between them.</p> <h2> Infrastructure as Code (IaC) </h2> <p>Before we jump headfirst into hacking out our infra, I'd like to take a minute to talk about <a href="https://en.wikipedia.org/wiki/Infrastructure_as_code">Infrastructure as Code (IaC)</a>, and why it is important. IaC is a powerful concept! Thanks to it instead of clicking through graphical user interfaces you can code your infrastructure exactly the same way you would code any other application. And since it is code, then it means you can apply all the best coding practices to it, e.g. version control, static code analysis, peer review, etc. With IaC your infra can be immutable, replicable, less error-prone than manual changes (especially when a lot of repetitiveness is involved); it works great at scale, can be automated, you can write tests for it... I'd daresay there's no DevOps without IaC. <a href="https://www.hashicorp.com/resources/everything-as-code-the-future-of-ops-tools">Everything as Code</a>? Hell yeah!!!</p> <p>There are many tools to pick and choose from when it comes to implementing Infrastructure as Code; <a href="https://puppet.com/">Puppet</a>, <a href="https://www.chef.io/products/chef-infra">Chef</a> and <a href="https://www.ansible.com/">Ansible</a> just to name a few. <a href="https://www.terraform.io/">Hashicorp's Terraform</a> is one that shines exceptionally bright on the IaC firmament. <a href="https://github.com/hashicorp/terraform/releases/tag/v1.0.0">Despite just reaching the v1</a>, it is a mature and battle-tested tool that <a href="https://www.hashicorp.com/resources?content_type=Case%20Study&amp;product=Terraform">has been used by both big and small in recent years</a>.</p> <p>Nonetheless, a new kid showed up on the block recently, the name's AWS CDK, and may soon disturb the peace. <a href="https://docs.aws.amazon.com/cdk/latest/guide/home.html">AWS CDK is a software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation</a>.</p> <p>What that means is that instead of declaring your resources and their interconnections in YAML (like you would do in Ansible, for instance) or in JSON (like you could do in CloudFormation, which also supports YAML) or in a <a href="https://en.wikipedia.org/wiki/Domain-specific_language">Domain-Specific Language</a> (as is the case with Terraform and its Hashicorp Configuration Language (HCL); JSON is also supported if you're a masochist) you can actually code in TypeScript or Javascript or Python or Java or C# (<a href="https://aws.amazon.com/blogs/developer/getting-started-with-the-aws-cloud-development-kit-and-go/">or, in Developer Preview, Go</a>).</p> <p>One apparent limitation of the CDK is that, <a href="https://github.com/aws/aws-cdk-rfcs/issues/217">at least for the nonce</a>, it can only be used with AWS (there are two notable projects in the work right now that will greatly expand CDK's reach: <a href="https://github.com/awslabs/cdk8s">cdk8s</a> and <a href="https://github.com/hashicorp/terraform-cdk">cdktf</a>). With Terraform you can use choose from <a href="https://registry.terraform.io/browse/providers">a plethora of providers</a>. Hell, I was able to set up <a href="https://github.com/rafalkrol-xyz/ubiquity-unifi-dream-machine-setup-example">my home network running on Unifi Dream Machine using Terraform</a>. How cool is that?!</p> <p>PS. <a href="https://www.pulumi.com/">Pulumi</a>, <del>which I haven't fiddled with yet but definitely will</del>, deserves an honorable mention in this little digression of mine, since it might be just the right mix of <a href="https://www.pulumi.com/docs/intro/vs/terraform/#using-terraform-providers">Terraform's providers</a> and <a href="https://www.pulumi.com/docs/intro/vs/cloud_template_transpilers/#aws-cdk-and-troposphere">CDK's general-purpose languages support</a>.</p> <h2> Prerequisites </h2> <p>If you want to follow me along, you'll need to have:</p> <p><strong>a)</strong> access, with <a href="https://stackoverflow.com/questions/57118082/what-iam-permissions-are-needed-to-use-cdk-deploy">adequate permissions</a>, to <a href="https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account/">an AWS account</a></p> <p><strong>b)</strong> <a href="https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html">AWS CLI v2</a> that's properly <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html">configured</a></p> <p><strong>c)</strong> <a href="https://nodejs.org/en/">Node v10.3 or higher</a> (I'll be using node v14.14.0 with npm v6.14.9)</p> <ul> <li>I recommend installing it with <a href="https://github.com/nvm-sh/nvm">NVM</a>, e.g.: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nvm <span class="nb">install </span>v14.14.0 nvm use v14.14.0 </code></pre> </div> <p><strong>d)</strong> CDK<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> aws-cdk </code></pre> </div> <p><strong>e)</strong> TypeScript<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> typescript </code></pre> </div> <p><strong>f)</strong> some dollars to spend // <strong>even with the free tier on, be prepared to incur a few dollars of costs (be sure to destroy your stacks as soon as possible to avoid incurring much bigger costs!!!)</strong></p> <h2> Preparations </h2> <p>Before we commence with provisioning any resources, we ought to do some prep work. Let's kick-off by creating a folder for our project and entering it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ~<span class="nv">$ </span><span class="nb">mkdir </span>ping-me-cdk-example <span class="o">&amp;&amp;</span> <span class="nb">cd</span> <span class="nv">$_</span> </code></pre> </div> <p>Now, we shall scaffold our project using CDK's neat <code>init</code> command specifying <code>app</code> as the template and <code>typescript</code> as the language:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span>cdk init app <span class="nt">--language</span><span class="o">=</span>typescript Applying project template app <span class="k">for </span>typescript <span class="c"># Welcome to your CDK TypeScript project!</span> This is a blank project <span class="k">for </span>TypeScript development with CDK. The <span class="sb">`</span>cdk.json<span class="sb">`</span> file tells the CDK Toolkit how to execute your app. <span class="c">## Useful commands</span> <span class="k">*</span> <span class="sb">`</span>npm run build<span class="sb">`</span> compile typescript to js <span class="k">*</span> <span class="sb">`</span>npm run watch<span class="sb">`</span> watch <span class="k">for </span>changes and compile <span class="k">*</span> <span class="sb">`</span>npm run <span class="nb">test</span><span class="sb">`</span> perform the jest unit tests <span class="k">*</span> <span class="sb">`</span>cdk deploy<span class="sb">`</span> deploy this stack to your default AWS account/region <span class="k">*</span> <span class="sb">`</span>cdk diff<span class="sb">`</span> compare deployed stack with current state <span class="k">*</span> <span class="sb">`</span>cdk synth<span class="sb">`</span> emits the synthesized CloudFormation template Executing npm install... npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142 npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm notice created a lockfile as package-lock.json. You should commit this file. npm WARN ping-me-cdk-example@0.1.0 No repository field. npm WARN ping-me-cdk-example@0.1.0 No license field. ✅ All <span class="k">done</span><span class="o">!</span> </code></pre> </div> <p>You should end up with the following structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ping-me-cdk-example <span class="c"># we're here</span> ├── bin │ └── ping-me-cdk-example.ts ├── lib │ └── ping-me-cdk-example-stack.ts ├── node_modules │ └── ... <span class="c"># Many, many subfolders here</span> ├── <span class="nb">test</span> │ └── ping-me-cdk-example.test.ts ├── .gitignore ├── .npmignore ├── cdk.json ├── jest.config.js ├── package-lock.json ├── package.json ├── README.md └── tsconfig .json </code></pre> </div> <p>As you can see, CDK has created a rather intimidating host of files and subdirectories for us. Well, not so intimidating if you've ever worked with Node and/or TypeScript before. Most of it is boilerplate and throughout these articles we shall only deal with the <code>ping-me-cdk-example/bin/ping-me-cdk-example.ts</code> file and the <code>ping-me-cdk-example/lib</code> directory.</p> <p>Let's remove <code>ping-me-cdk-example/lib/ping-me-cdk-example-stack.ts</code> and <code>ping-me-cdk-example/test/ping-me-cdk-example.test.ts</code> as they'd just get in the way:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>➜ ping-me-cdk-example<span class="nv">$ </span><span class="nb">rm </span>lib/ping-me-cdk-example-stack.ts <span class="nb">test</span>/ping-me-cdk-example.test.ts </code></pre> </div> <p>Also, <a href="https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line">let's wipe clear the contents of the <code>ping-me-cdk-example/bin/ping-me-cdk-example.ts</code> file</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>:&gt; bin/ping-me-cdk-example.ts </code></pre> </div> <p>Okay, seems the groundwork's done and thus we're ready to peer some VPCs. <a href="https://dev.to/rafalkrolxyz/ping-me-part-1-vpc-peering-using-cdk-2kpd">Follow me</a>!</p> aws typescript devops tutorial