-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(vpcv2): implementation of add gateway method #31224
Conversation
const useIpv6 = (this.secondaryCidrBlock.some((secondaryAddress) => secondaryAddress.amazonProvidedIpv6CidrBlock === true || | ||
secondaryAddress.ipv6IpamPoolId != undefined))? true : false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is this doing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we can have multiple secondary address attached to VPC, this is to check if any of the secondary address is a IPv6 meaning created using IPAMIpv6
or is a AmazonProvidedIpv6
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a comment to describe that behaviour.
if (options?.subnets) { | ||
const subnets = flatten(options.subnets.map(s => this.selectSubnets(s).subnets)); | ||
subnets.forEach((subnet) => { | ||
this.createEgressRoute(subnet, egw, options.destination); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is this doing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is the default route that we are creating under provided subnet's routeTable. It will add an entry to subnet's routeTable either with the specified destination address or with default(::/0)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add a comment to describe that here? It's just not super obvious to anyone who might need to work on and understand this code in the future.
add documentation nits Co-authored-by: paulhcsun <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only half way through.
I'm a bit worried by the number of breaking changes. I understand it is an alpha module and breaking changes are allowed. However, a number of changes are removing an old construct and introduced V2, i.e. VPNGateway
is removed and introduced VPNGatewayV2
. It's breaking changes anyway, should we just use the same name?
routeTable, | ||
destination: '0.0.0.0/0', | ||
target: { gateway: igw }, | ||
}); | ||
``` | ||
|
||
Alternatively, `Route`s can be created via a method in the `RouteTable` class. An example using the `EgressOnlyInternetGateway` construct can be seen below: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Route
s looks weird.- Maybe mention the method
routeTable.addRoute. Right now it's immediately followed with
An example using Egress...which doesn't have anything to do with
Routes can be created via ...`
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- corrected
- it does relate with creating the route in line , you cannot create a route without a target so we need a target first(in this case, it is EgressOnlyInternetGateway).
routeTable.addRoute('::/0', { gateway: eigw });
To make it more clear mentioned the method name
VPCv2 supports adding an egress only internet gateway to VPC with the help of `addEgressOnlyInternetGateway` method as well. | ||
|
||
By Default, it sets up a route to all outbound IPv6 Address ranges unless specified to a specific destination by the user. It can only be set up for IPv6 enabled VPCs. | ||
`Subnets` takes in value of `SubnetFilter` which can be based on a SubnetType in VPCV2. A new route will be added to route tables of all subnets filtered out with this property. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You explained SubnetFilter
but I don't see it in the example below?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Selecting a type of subnet is a SubnetFilter
:)
subnets:
[subnetType: {SubnetType.PUBLIC}]
subnetType: ec2.SubnetType.PRIVATE }); | ||
|
||
myVpc.addEgressOnlyInternetGateway({ | ||
subnets: [{SubnetType.PUBLIC}], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Haven't looked into implementation but this already looks weird to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is as per the current implementations we have in place for addInterfaceEndpoint and addgatewayEndpoint and provides a better way for the users to select multiple subnets at once without forming an array list first and then pass it. This seems to be the best option for specifying multiple subnets as an input.
Let me know if you've thoughts on any other way to do it.
"from-method:@aws-cdk/aws-ec2-alpha.SubnetV2", | ||
"from-method:@aws-cdk/aws-ec2-alpha.Route" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For my knowledge, what does these two lines do?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is enforced from awslint
to have the import methods in classes extending Resource
, since we haven't introduced it yet these are part of exceptions
/** | ||
* The subnet in which the NAT gateway is located. | ||
*/ | ||
readonly subnet: ISubnet; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't this a breaking change for users?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if you mean by changing the ISubnet to ISubnetv2, its not breaking change since ISubnetv2
extends ISubnet
Co-authored-by: GZ <[email protected]> Co-authored-by: paulhcsun <[email protected]>
So one is compatible with |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left some more minor feedbacks.
* Subnets where the route propagation should be added. | ||
* @default noPropagation | ||
*/ | ||
readonly vpnRoutePropagation?: SubnetSelection[]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A general comment, for a text explaining @default
, we prefer to do @default - <description
. For property value used with @default
, we can do @default value
.
For this specific property, it feels confusing to me because it talks about route propagation but the type is subnet selection.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, got to know it from @paulhcsun , so working to reformat this for entire repo in next revision,
/** | ||
* The type of subnet (public or private) that this subnet represents. | ||
* @attribute SubnetType | ||
*/ | ||
public readonly subnetType: SubnetType; | ||
public readonly subnetType?: SubnetType; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this becomes optional, what's the default value?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not optional under props, so user still needs to define it but it is marked as optional under the new interface ISubnetV2
because if not it will cause issues with the existing property in SubnetSelection
for subnets which we are leveraging in some of the places like here..
Also why this is added as a part of interface : we added a check under some of the add methods to verify whether provided subnets are of correct type eg. SubnetType.Public .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Shikha for this great work. The code generally looks good to me. I have two high-level thoughts:
- I know I've mentioned this, but seeing the usage and it's in
alpha
modules, I'm not convinced why we need to remove the original constructs, i.e.VPNGateway, Subnet
and create aVPNGatewayV2, SubnetV2
. Either way, it's breaking changes for customers, wouldn't keep using the nameVPNGateway and Subnet
but with new implementation be better if in the future we decide to make it stable and it won't be starting fromV2
by default. - Subnets have to be attached with a VPC resource. Can we introduces methods in VPC construct like
vpc.addSubnet(...)
just like how you addedvpc.addNatGateway, vpc.addInternetGateway
. I peronsally think it makes sense to add subnet this way and prefer creating subnets this way instead ofnew SubnetV2
. Want to see your thoughts.
Co-authored-by: GZ <[email protected]>
8dffdbe
to
753273f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, deferring final approval to @GavinZZ. Nice work @shikha372!
753273f
to
dcb11e6
Compare
@Mergifyio update |
✅ Branch has been successfully updated |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
Tracking #30762.
Reason for this change
implementing below methods for vpcV2.
routeTable.addroute(destination, target)
: Adds a new route to the existing route table of the subnet.vpc.enableVpnGatewayV2()
: added a new function for the customer to add VPNGateway to their VPC. In the options, user can specify list of subnets for VPNRoutePropogation. This is similar to previous implementation, only difference is with VPNGateway L2, it is now creating VPNGatewayV2 which implements IRouteTarget and hence can be used a destination to be set up in route tables.addInternetGateway
: adds internetGW to the VPC.Default behaviour: add default route with destination set to ‘0.0.0.0’ and ‘::0’(in case of subnet with ipv6). Also a check in place to verify SubnetType is set to public as IGW is meant to be added to public subnets.
addNatGateway
: NatGateways are subnet specific and are usually associated with PRIVATE_WITH_EGRESS or PUBLIC subnet. Also, one can’t attach NGW(Public) to subnet if VPC doesn’t have an IGW attached to it. This is validated in method implementation to prevent runtime deployment error.No default behaviour for the routes, it takes in the single subnet option and associates a NATGW with it.
vpc.addEgressOnlyInternetGateway()
: Egress Only internet GW are meant for outbound ipv6 traffic which can be custom or all ipv6(::/0).Default behaviour: Associates a EIGW to the vpc and takes optional input for subnets to define a default route in associated route Table, if a destination is not provided, then it is defined as all outbound ipv6 in subnet’s route table.
Additional changes:
-> Modify Readme
-> Separate ipam related Tests
Use Case
Allows user to define gateways in their vpc with a simple method and an optional default route setup on provided subnets.
Note: Breaking change since previously VPNGateway was released under route class, we’ve modified it to VPNGatewayV2.
vpc.enableVpnGateway
is marked as deprecated in vpcv2 base class.Description of how you validated changes
Added unit tests and integration tests.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license