Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(vpcv2): implementation of add gateway method #31224

Merged
merged 51 commits into from
Sep 12, 2024
Merged

Conversation

shikha372
Copy link
Contributor

@shikha372 shikha372 commented Aug 26, 2024

Issue # (if applicable)

Tracking #30762.

Reason for this change

implementing below methods for vpcV2.
routeTable.addroute(destination, target): Adds a new route to the existing route table of the subnet.

vpc.enableVpnGatewayV2(): added a new function for the customer to add VPNGateway to their VPC. In the options, user can specify list of subnets for VPNRoutePropogation. This is similar to previous implementation, only difference is with VPNGateway L2, it is now creating VPNGatewayV2 which implements IRouteTarget and hence can be used a destination to be set up in route tables.

addInternetGateway : adds internetGW to the VPC.
Default behaviour: add default route with destination set to ‘0.0.0.0’ and ‘::0’(in case of subnet with ipv6). Also a check in place to verify SubnetType is set to public as IGW is meant to be added to public subnets.

addNatGateway: NatGateways are subnet specific and are usually associated with PRIVATE_WITH_EGRESS or PUBLIC subnet. Also, one can’t attach NGW(Public) to subnet if VPC doesn’t have an IGW attached to it. This is validated in method implementation to prevent runtime deployment error.

No default behaviour for the routes, it takes in the single subnet option and associates a NATGW with it.

vpc.addEgressOnlyInternetGateway(): Egress Only internet GW are meant for outbound ipv6 traffic which can be custom or all ipv6(::/0).

Default behaviour: Associates a EIGW to the vpc and takes optional input for subnets to define a default route in associated route Table, if a destination is not provided, then it is defined as all outbound ipv6 in subnet’s route table.

Additional changes:
-> Modify Readme
-> Separate ipam related Tests

Use Case

Allows user to define gateways in their vpc with a simple method and an optional default route setup on provided subnets.

Note: Breaking change since previously VPNGateway was released under route class, we’ve modified it to VPNGatewayV2.
vpc.enableVpnGateway is marked as deprecated in vpcv2 base class.

Description of how you validated changes

Added unit tests and integration tests.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Sep 3, 2024
packages/@aws-cdk/aws-ec2-alpha/README.md Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/README.md Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/vpc-v2-base.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/vpc-v2-base.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/vpc-v2-base.ts Outdated Show resolved Hide resolved
Comment on lines 336 to 337
const useIpv6 = (this.secondaryCidrBlock.some((secondaryAddress) => secondaryAddress.amazonProvidedIpv6CidrBlock === true ||
secondaryAddress.ipv6IpamPoolId != undefined))? true : false;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is this doing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we can have multiple secondary address attached to VPC, this is to check if any of the secondary address is a IPv6 meaning created using IPAMIpv6 or is a AmazonProvidedIpv6

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a comment to describe that behaviour.

Comment on lines +343 to +346
if (options?.subnets) {
const subnets = flatten(options.subnets.map(s => this.selectSubnets(s).subnets));
subnets.forEach((subnet) => {
this.createEgressRoute(subnet, egw, options.destination);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is this doing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the default route that we are creating under provided subnet's routeTable. It will add an entry to subnet's routeTable either with the specified destination address or with default(::/0)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a comment to describe that here? It's just not super obvious to anyone who might need to work on and understand this code in the future.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Sep 5, 2024
add documentation nits

Co-authored-by: paulhcsun <47882901+paulhcsun@users.noreply.github.com>
Copy link
Contributor

@GavinZZ GavinZZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only half way through.

I'm a bit worried by the number of breaking changes. I understand it is an alpha module and breaking changes are allowed. However, a number of changes are removing an old construct and introduced V2, i.e. VPNGateway is removed and introduced VPNGatewayV2. It's breaking changes anyway, should we just use the same name?

packages/@aws-cdk/aws-ec2-alpha/README.md Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/README.md Outdated Show resolved Hide resolved
routeTable,
destination: '0.0.0.0/0',
target: { gateway: igw },
});
```

Alternatively, `Route`s can be created via a method in the `RouteTable` class. An example using the `EgressOnlyInternetGateway` construct can be seen below:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Routes looks weird.
  2. Maybe mention the method routeTable.addRoute. Right now it's immediately followed with An example using Egress...which doesn't have anything to do withRoutes can be created via ...`

Copy link
Contributor Author

@shikha372 shikha372 Sep 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. corrected
  2. it does relate with creating the route in line , you cannot create a route without a target so we need a target first(in this case, it is EgressOnlyInternetGateway).
    routeTable.addRoute('::/0', { gateway: eigw });
    To make it more clear mentioned the method name

packages/@aws-cdk/aws-ec2-alpha/README.md Outdated Show resolved Hide resolved
VPCv2 supports adding an egress only internet gateway to VPC with the help of `addEgressOnlyInternetGateway` method as well.

By Default, it sets up a route to all outbound IPv6 Address ranges unless specified to a specific destination by the user. It can only be set up for IPv6 enabled VPCs.
`Subnets` takes in value of `SubnetFilter` which can be based on a SubnetType in VPCV2. A new route will be added to route tables of all subnets filtered out with this property.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You explained SubnetFilter but I don't see it in the example below?

Copy link
Contributor Author

@shikha372 shikha372 Sep 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Selecting a type of subnet is a SubnetFilter :)
subnets: [subnetType: {SubnetType.PUBLIC}]

subnetType: ec2.SubnetType.PRIVATE });

myVpc.addEgressOnlyInternetGateway({
subnets: [{SubnetType.PUBLIC}],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Haven't looked into implementation but this already looks weird to me.

Copy link
Contributor Author

@shikha372 shikha372 Sep 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is as per the current implementations we have in place for addInterfaceEndpoint and addgatewayEndpoint and provides a better way for the users to select multiple subnets at once without forming an array list first and then pass it. This seems to be the best option for specifying multiple subnets as an input.
Let me know if you've thoughts on any other way to do it.

Comment on lines +5 to +6
"from-method:@aws-cdk/aws-ec2-alpha.SubnetV2",
"from-method:@aws-cdk/aws-ec2-alpha.Route"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For my knowledge, what does these two lines do?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is enforced from awslint to have the import methods in classes extending Resource , since we haven't introduced it yet these are part of exceptions

packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Show resolved Hide resolved
/**
* The subnet in which the NAT gateway is located.
*/
readonly subnet: ISubnet;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this a breaking change for users?

Copy link
Contributor Author

@shikha372 shikha372 Sep 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if you mean by changing the ISubnet to ISubnetv2, its not breaking change since ISubnetv2 extends ISubnet

Co-authored-by: GZ <yuanhaoz@amazon.com>
Co-authored-by: paulhcsun <47882901+paulhcsun@users.noreply.github.com>
@shikha372
Copy link
Contributor Author

Only half way through.

I'm a bit worried by the number of breaking changes. I understand it is an alpha module and breaking changes are allowed. However, a number of changes are removing an old construct and introduced V2, i.e. VPNGateway is removed and introduced VPNGatewayV2. It's breaking changes anyway, should we just use the same name?

So one is compatible with Route construct and other lives in the main lib VPNGateway is not implementing IRouteTarget so that can not be set as an target while defining a route. So, the V2 is aligned with features (i.e. Route and RouteTable) in this new module, it is more clear that this is latest. Also, if there is already a construct with same name in main lib, not sure if its best practice to introduce another with same name as it can create issue with graduation.

Copy link
Contributor

@GavinZZ GavinZZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some more minor feedbacks.

packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Outdated Show resolved Hide resolved
Comment on lines 70 to 73
* Subnets where the route propagation should be added.
* @default noPropagation
*/
readonly vpnRoutePropagation?: SubnetSelection[];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A general comment, for a text explaining @default, we prefer to do @default - <description. For property value used with @default, we can do @default value.

For this specific property, it feels confusing to me because it talks about route propagation but the type is subnet selection.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, got to know it from @paulhcsun , so working to reformat this for entire repo in next revision,

packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Outdated Show resolved Hide resolved
/**
* The type of subnet (public or private) that this subnet represents.
* @attribute SubnetType
*/
public readonly subnetType: SubnetType;
public readonly subnetType?: SubnetType;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this becomes optional, what's the default value?

Copy link
Contributor Author

@shikha372 shikha372 Sep 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not optional under props, so user still needs to define it but it is marked as optional under the new interface ISubnetV2 because if not it will cause issues with the existing property in SubnetSelection for subnets which we are leveraging in some of the places like here..

Also why this is added as a part of interface : we added a check under some of the add methods to verify whether provided subnets are of correct type eg. SubnetType.Public .

packages/@aws-cdk/aws-ec2-alpha/lib/vpc-v2-base.ts Outdated Show resolved Hide resolved
Copy link
Contributor

@GavinZZ GavinZZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Shikha for this great work. The code generally looks good to me. I have two high-level thoughts:

  1. I know I've mentioned this, but seeing the usage and it's in alpha modules, I'm not convinced why we need to remove the original constructs, i.e. VPNGateway, Subnet and create a VPNGatewayV2, SubnetV2. Either way, it's breaking changes for customers, wouldn't keep using the name VPNGateway and Subnet but with new implementation be better if in the future we decide to make it stable and it won't be starting from V2 by default.
  2. Subnets have to be attached with a VPC resource. Can we introduces methods in VPC construct like vpc.addSubnet(...) just like how you added vpc.addNatGateway, vpc.addInternetGateway. I peronsally think it makes sense to add subnet this way and prefer creating subnets this way instead of new SubnetV2. Want to see your thoughts.

packages/@aws-cdk/aws-ec2-alpha/lib/route.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/vpc-v2-base.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/vpc-v2-base.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/lib/vpc-v2-base.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2-alpha/test/integ.ipam.ts Outdated Show resolved Hide resolved
Co-authored-by: GZ <yuanhaoz@amazon.com>
@paulhcsun paulhcsun added the pr/do-not-merge This PR should not be merged at this time. label Sep 11, 2024
Copy link
Contributor

@paulhcsun paulhcsun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, deferring final approval to @GavinZZ. Nice work @shikha372!

@shikha372
Copy link
Contributor Author

@Mergifyio update

Copy link
Contributor

mergify bot commented Sep 12, 2024

update

✅ Branch has been successfully updated

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: f30e1da
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@shikha372 shikha372 removed the pr/do-not-merge This PR should not be merged at this time. label Sep 12, 2024
Copy link
Contributor

mergify bot commented Sep 12, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 4b90bfc into main Sep 12, 2024
14 of 15 checks passed
@mergify mergify bot deleted the vpcv2-rt-addGateway branch September 12, 2024 16:26
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 12, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
contribution/core This is a PR that came from AWS. p2
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants