-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ec2.Vpc to support using ipam #21333
Comments
This problem has a more squirly problme layered in underneath, as i've discovered today.. So this is the guts of the code i created. I thought oh yeah, easy i can extract the Cidr using a custom resource. the error is all telling..
So, heres the reality of this situation.. We can use ec2.VPC has it sits, becuase it needs that IP address range at synth time. Maybe this is a case for a custom context lookup, which will get the the range? `class TeRotoVPC(constructs.Construct):
|
This is a bit of a clanger of a problem. ec2.Vpc requires a concrete IP range to work. because its subvidiing it.. if we we want to use a IP range thats been allocated by IPAM we need a new strategy... |
Hey guys, after struggling weeks with IPAM with the L2 construct ( ec2.vpc ) and tried all the solutions provided :
while when I run a subnet lke this : Do you think that is logic for you to use Ipam and also give the cidr block ? I think it's the ipam job to do that or a back end function that provides available cidr block from the main cidr block of the vpc to the subnets created after. So even the normal use of ipam stopped at vpc level and subnets could not be used ! Noted that the configuration of IPAM works fine but the problem is with after using the ipam pool id ! I hope that you could help me and i hope there is a way to solve this problem... |
@peterwoodworth , thanks for marking this as effort/large. This ones import, and we need to do it the right way or we are going to cause our selves a lot of pain moving forward.... Ive been doing more work on this problem in the last few days, and looking at the exisiting construct code.. The things i've established; (a) the construct must return a fully formed ec2.IVpc. Do do anything else will have so much down stream impact, it wont' be workable. So many cdk constructs rely on this construct. (b) The ec2.Vpc construct underlying uses the l1. CfnVpc (c) We cant' establish the cidr block untill deploy time. so the 'task' of dividing the Cidr up and calcuating the Subnets cant' be done at synth time. I propose that we move this task to a Custom Resource Lambda,.. Largely we can take the exisiting code and run it in the lambda.. we can then pass the attrbutes of the custom resource to the CfnVPC. Lastly we will need to create the iVPC.. I think its doable inside the exisiting construct, and keeping it backwards compatible and non breaking.. The prop cidr would be come optional, we would create a new prop ipv4 ( and possibly ipv6 ), that was also optional, but you'd need to one. ( and not both ).
This sounds like a good wee project which i probalby can contribute too.. |
I have may found I workaround to solve this problem, the idea is to exploit the auto import option in the ipam pool. Note : to be sure that the allocation of the tmp vpc will take on consideration others ipam allocation and avoid to attach it while the allocation is empty or not complete even if this case is rare we could use this check in the bash script :
Hope that could help or to be improved to use the ipam param directly in ec2.vpc :) |
@corymhall, thats possibly a good approach. it may be simpler than what i had contemplated, with creating a custom resource to do the computation, ( essentially the required function exisits in CF, so why reinvent it. ) One of my collegues is using Fn::Cidr to allocate subnets, Hes done that in native Cloudformation.. I'll look at the exisiting code and see what effort might be involved. but my gut feeling is that its not a big task, and could be a resonable bolt on.. |
@corymhall @mrpackethead I really appreciate the quality and the efficiency of your response. the solution worked well for me in addition to another workaround that I added I found out that your suggestion what I was missing to have a something working properly. So I want to know what do you think about it, the solution is this following steps : 1- create a VPC with subnets using ec2.vpc ( to have the advantage of automatic configuration )2- override the vpc's cidr to add ipam pool id using :
3- use the ipam cidr allocation in the function Fn.Cidr to generate subnet's cidr and :
4- override the cidr subnets of the vpc previously created :
Thank you guys for talking about this issue. |
@Crycham , could you provide a working example of what you have done.. I hav'tn quite followed.. |
You need before that to create the ipam pool to have an ipam pool ID than you deploy this stack :
You will observe after deploying that the cidr : 9.0.0.0/16 was not used by CF and all it works like you have given the ipam pool id instead |
I like the idea your following.. your code works for the case when all the subnets are equal, so a useful corner case, but it will not quite cover all the use cases. I my example here, I'm wanting to get 6 subnets that are of /28.. and leave some spares so that i can add them as i need. and they might not be of the same mask. Some food for thought, here though.. Modifying the subnets with escape hatches is an interesting idea. Off to try something
|
Actually we could have a custom distribution of subnets I have just choosen in my case to provide the max spaces to my subnets from the vpc Cidr block but we could control that from this function :
In your case if you want to allocate 6 subnets having as a net mask /28 and saving some spaces you need to calculcate first the max subnets you could have for /28 which is 16 subnets https://www.site24x7.com/fr/tools/ipv4-sous-reseau-calculatrice.html
note : the size mask here is not the net mask but the host mask ( host mask = 32 - netmask ) so here size mask is = 32-28 = 4 |
I think this will cover the general case. I've taken a slightly different approach, to what you did. think of this more like a 'address' translation... This should work for any method where the ec2.Vpc construct allocates subnets.. @corymhall , this was a quick hack up in python.. I think the method will work just fine for the ec2.Vpc.. For the time being, i'll rewrite this as a jsii construct, so we can move on.. but then i think we can probalby make this work inside cdk natively.
|
@mrpackethead Well done , this will cover all possible use cases. @corymhall @mrpackethead I'm glad to have this discussion with you and brainstorming about this issue that is finally solved with this hack up, hope that this gonna be taken is consideration for next updates to use it directly in ec2.vcp. |
Typescript construct
|
What I think we're going to want in the I have to say I'm not too familiar with what IPAM is, I'll have to read up on that. |
After looking into IPAM a bit, it seems we need:
It's not clear to me why a pool doesn't seem to have a size, the implication being that it dynamically grows but there must be a maximum to this? And the scope can potentially come for free from "an IPAM" itself, as they have default "public" and "private" scopes. But potentially |
Heyy @rix0rrr hope you have a good day, I'm glad that you have joined our discussion. Actually a pool does have a size block but you need to make difference between pools type : the top level pool and subpools. What IPAM needs in general is the cidr block from which we gonna dynamically allocate IP addresses to VPCs. Imagine the following use case : You can find my full IPAM and vpc configuration in my pull request here : aws-samples/aws-cdk-examples#708 and https://github.com/Crycham/aws-cdk-examples/tree/03e2c6ba39972606c1a3d1786065c0ac65f1d536/python/Ipam-L2-vpc And this is the IPAM configuration alone :
|
Hi.. Just wanted to mention here. I have been working on an early draft RFC to look at VPC and how it could change for the better. Integration of IPAM, provision to work with NetworkFirewall and changes to the API are some of topics covered. As i say its in early draft, rix0rrr has had a quick look and provided some comments that i am working through and expanding on before submitting as a PR. My expectation is the initial draft would be far from perfect but provide a starter for the discussion. |
Hi @nbaillie, thank you for your attention about this subject, I'm happy to hear that the integration of IPAM will be one of the future features in the L2 vpc Construct. Glad to help as much as I can :) |
These are all sufficently supported now with the cfn Types, there may be some value in creating some convience L2 things, but functionally they work..
So the underlying AWS::EC2::Subnet does not have a Ipam property.. its expecting an actual string to represent the Cidr for the subnet. As far as I can see the cloudformation design intent is that your subnets are numbered using Fn::Cidr, based on the Vpcs address. ( added complication is that a Cidr now can have more than one block ! though i've never used that. That being the case there is no need for allocations for each subnet.. just for the VPC itself.. My workaround did'tn attempt to work out the address allocations.. it essentially 'shifts' the allocations that the construct had already done..
I guess there will be some limit, but you can add add additional ( non contigous too ) address space to your pools as required.
yes. |
@nbaillie , as my current need is addressed by my workaround, The way forward seems to be to work together on this.. ec2.Vpc is one of the constructs that we really dont' want to break.. So much stuff has upstream dependancys on it... |
I've been looking at the ec2.Vpc code and how to integrate iPam in.. based on my previous work above.. Essentially, adding a couple of extra props for the ipam pool and length. If the Ipam pool is set then the cidr will get set to 0.0.0.0/mask, (for network builder to use) this is the bit that gets changed in ec2.Vpc
I'll now have a look at the networkbuilder code to set the subnet address as a Fn.Cidr rather than a concrete value. |
I think its very important to distinguish what IPAM does, and what a 'network' builder does.. An IPAM provider provides an IP address allocation.. Lets not confuse the two, and keep them seperate. |
Allows Vpc to Use [Aws IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/what-it-is-ipam.html) for Ip address assignment: ```ts import { IpAddresses } from '@aws-cdk/aws-ec2'; declare const pool: ec2.CfnIPAMPool; new ec2.Vpc(stack, 'TheVPC', { ipAddresses: ec2.IpAddresses.awsIpamAllocation({ ipv4IpamPoolId: pool.ref, ipv4NetmaskLength: 18, defaultSubnetIpv4NetmaskLength: 24 }) }); ``` This is useful for enterprise users that wish to adopt the benefits of centralised IP address management. It introduces `ipAddresses` property to allow the new configuration. ---- Thanks to @rix0rrr for support on this. --- closes #21333 ---- #22443 - Issue adds a fix to allow the clean up of the AWS Ipam resource used in ingeg-test testing. Would be better to implement something like this later. for now disclaimer added to integ-test clean up needed on Ipam. ---- ### All Submissions: * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### New Features * [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Describe the feature
ec2.Vpc currently requires a prop cidr
It would be very helpful if vpc could either take cidr, or optionally take an Ipv4IpamPoolId. This would allow the construct to use IPAM allocated address's. which is exceptionally helpful.
Use Case
We have migrated to the automatic allocation of IP address from IPAM.
Proposed Solution
Add the optional prop to the ec2.Vpc Construct.
Other Information
No response
Acknowledgements
CDK version used
2.33
Environment details (OS name and version, etc.)
Generic.
The text was updated successfully, but these errors were encountered: