
Transit Gateway Demo Stack: Egress-VPC Design Pattern

This CDK project demonstrates a shared egress-VPC design pattern. In addition, the stack uses AWS Systems Manager Session Manager to securely access a demo EC2 instance that sits in a private subnet of a fully private VPC.

Solution Overview

The architecture diagram that follows shows the egress VPC pattern and elements created by the template. The private VPC contains a single EC2 instance. It lacks a direct route to the internet and has no public subnets or internet gateway. Instead, traffic destined for the internet is routed to the Transit Gateway.

The second VPC contains two pairs of public and private subnets, an internet gateway and two NAT gateways. Both VPCs are attached to the Transit Gateway, which allows north-south connectivity. All relevant routes are depicted in tables connected by dotted lines.
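To make the routing in the overview concrete, here is an added example in TypeScript that is not part of the original README or the aws-samples project: a small model of the four route tables the pattern relies on, a longest-prefix-match lookup, and a trace that follows a packet from the private instance hop by hop. The CIDRs, table names and hop labels are constructed for the example; the README does not state the addresses the stack allocates. It also includes the check a reviewer of this pattern wants: the private VPC's route table contains no internet gateway target at all, so every internet-bound packet has to cross the Transit Gateway and leave through the egress VPC's NAT and internet gateway.

```typescript
// Added example, not code from the aws-samples project. CIDRs and names are
// constructed stand-ins for whatever the stack actually allocates.
type Target = "local" | "tgw" | "nat" | "igw" | "private-attachment" | "egress-attachment";

interface Route { cidr: string; target: Target; }
interface RouteTable { name: string; routes: Route[]; }
interface PatternTables { privateSubnet: RouteTable; tgw: RouteTable; egressPrivate: RouteTable; egressPublic: RouteTable; }

const PRIVATE_VPC = "10.0.0.0/16"; // constructed: VPC holding the demo instance
const EGRESS_VPC = "10.1.0.0/16";  // constructed: VPC holding the IGW and NAT gateways

const tables: PatternTables = {
  // Private VPC: a local route and a default route to the Transit Gateway.
  // There is deliberately no "igw" or "nat" target anywhere in this table.
  privateSubnet: { name: "private VPC subnet", routes: [
    { cidr: PRIVATE_VPC, target: "local" },
    { cidr: "0.0.0.0/0", target: "tgw" },
  ] },
  // Transit Gateway route table: each VPC via its attachment, default to egress.
  tgw: { name: "transit gateway", routes: [
    { cidr: PRIVATE_VPC, target: "private-attachment" },
    { cidr: EGRESS_VPC, target: "egress-attachment" },
    { cidr: "0.0.0.0/0", target: "egress-attachment" },
  ] },
  // Egress VPC private subnets (where the TGW attachment lands): default to NAT.
  egressPrivate: { name: "egress VPC private subnet", routes: [
    { cidr: EGRESS_VPC, target: "local" },
    { cidr: "0.0.0.0/0", target: "nat" },
  ] },
  // Egress VPC public subnets (where the NAT gateways live): default to the IGW,
  // plus the return route for the private VPC back through the TGW.
  egressPublic: { name: "egress VPC public subnet", routes: [
    { cidr: EGRESS_VPC, target: "local" },
    { cidr: PRIVATE_VPC, target: "tgw" },
    { cidr: "0.0.0.0/0", target: "igw" },
  ] },
};

function ipToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function inCidr(cidr: string, ip: string): boolean {
  const parts = cidr.split("/");
  const bits = Number(parts[1]);
  if (bits === 0) return true;                       // 0.0.0.0/0 matches everything
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(parts[0]) & mask) >>> 0) === ((ipToInt(ip) & mask) >>> 0);
}

function prefixLen(r: Route): number { return Number(r.cidr.split("/")[1]); }

// Longest-prefix match, which is how VPC and Transit Gateway route tables decide.
function lookup(table: RouteTable, ip: string): Target | undefined {
  let best: Route | undefined;
  for (const route of table.routes) {
    if (!inCidr(route.cidr, ip)) continue;
    if (!best || prefixLen(route) > prefixLen(best)) best = route;
  }
  return best ? best.target : undefined;
}

// Follow a packet sent by the private instance to `dst` through each table in
// turn and return the sequence of next hops it is handed to.
function traceFromPrivateInstance(dst: string): Target[] {
  const hops: Target[] = [];
  let next = lookup(tables.privateSubnet, dst);
  while (next !== undefined && hops.length < 8) {   // bound guards against a routing loop
    hops.push(next);
    if (next === "tgw") next = lookup(tables.tgw, dst);
    else if (next === "egress-attachment") next = lookup(tables.egressPrivate, dst);
    else if (next === "nat") next = lookup(tables.egressPublic, dst); // NAT sits in the public subnet
    else break;                                      // local, igw or private-attachment: delivered
  }
  return hops;
}

// The reviewer's check: a table that never hands traffic to an internet gateway
// cannot reach the internet on its own.
function hasInternetGatewayRoute(table: RouteTable): boolean {
  return table.routes.some((r) => r.target === "igw");
}

console.log(traceFromPrivateInstance("93.184.216.34").join(" -> "));
// tgw -> egress-attachment -> nat -> igw
console.log("private VPC has IGW route:", hasInternetGatewayRoute(tables.privateSubnet)); // false
```

The model is only as honest as its tables, so when reviewing a real deployment feed it the route tables read back from the account (for example via the AWS CLI) rather than the ones you expect to be there; the return route from the egress VPC's public subnets back to the private CIDR via the TGW is the one most often forgotten and is what makes NAT replies reach the instance.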

(Architecture diagram of the egress VPC pattern; the image is not reproduced here.)

Walkthrough

In this section you will familiarize yourself with using AWS Cloud Development Kit (CDK) by downloading and deploying an egress VPC demo into your AWS account.

This will include:

  • Installing CDK and cloning this demo repository
  • Deploying the example environment into your AWS account
  • Familiarizing yourself with the egress VPC pattern and the associated constructs and routing
  • Securely accessing the shell of a fully private EC2 instance via AWS Systems Manager Session Manager

Prerequisites

  • An AWS account
  • AWS CLI installed and authenticated (with IAM user credentials or temporary AWS STS credentials)
  • AWS CDK installed (typically via npm install aws-cdk -g)

Let’s get you started

  1. Make sure that you completed the prerequisites above and cloned the CDK example by running the following command in a local directory: git clone git@github.com:aws-samples/aws-transit-gateway-egress-vpc-pattern.git

  2. Open the repository in your preferred local editor and inspect lib/egress_vpc-tg-demo-stack.ts

  3. Run npm install to include dependencies

  4. Run npm run build once or keep a separate terminal window open running npm run watch to start compilation to JavaScript in watch mode

  5. Run cdk synth and inspect the synthesized AWS CloudFormation template (YAML) that will be used to deploy the stack. Because CDK uses a general-purpose programming language and construct libraries, the CDK code is significantly more compact and expressive than the equivalent CloudFormation markup.

  6. Now you can deploy the stack simply by running cdk deploy and observe the progress in your terminal window

  7. Once stack creation is complete, open the AWS Console, go to AWS Systems Manager, select the instance created by the stack (it is listed automatically under Managed Instances) and click “Start Session”.

  8. Run any command to test internet connectivity, for instance a simple ping amazon.com from the Session Manager shell.

Good to know and explore

  • The image for the EC2 instance is selected through the higher-level construct AmazonLinuxImage, and the AMI ID is retrieved automatically from the SSM Parameter Store. This means the stack can be deployed to multiple regions and will always pick up the latest managed image of the selected OS. By default CDK uses your default AWS CLI configuration; additional environments can be integrated through CDK's native environment support.

  • AWS Systems Manager Agent (SSM Agent) is included in the AMI used and requires two managed policies to work; these are attached to the instance's role.

  • The CDK template includes commented-out examples of adding VPC endpoints for Systems Manager and illustrates the use of the mandatory as well as the optional endpoints.
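As an added example that is not the project's own code, the TypeScript below reads a synthesized CloudFormation template (the JSON that cdk synth writes under cdk.out/) and checks the two properties this section relies on for Session Manager access to a fully private instance: the instance role carries the AmazonSSMManagedInstanceCore managed policy, and the VPC the instance lives in has no internet gateway attached. The README does not name its two policies; AmazonSSMManagedInstanceCore is the one that grants SSM Agent its core permissions, and the report lists every managed policy it finds so the other can be confirmed by eye. The embedded template is a constructed, trimmed stand-in with invented logical IDs, not the stack's real output.

```typescript
// Added example, not code from the aws-samples project. The template below is a
// constructed, trimmed stand-in for `cdk synth` output; logical IDs are invented.
type CfnValue = string | number | boolean | CfnValue[] | { [key: string]: CfnValue };
interface CfnResource { Type: string; Properties?: { [key: string]: CfnValue }; }
interface CfnTemplate { Resources: { [logicalId: string]: CfnResource }; }

const demoTemplate: CfnTemplate = {
  Resources: {
    PrivateVpc: { Type: "AWS::EC2::VPC", Properties: { CidrBlock: "10.0.0.0/16" } },
    PrivateSubnet: { Type: "AWS::EC2::Subnet", Properties: { VpcId: { Ref: "PrivateVpc" }, CidrBlock: "10.0.0.0/24" } },
    EgressVpc: { Type: "AWS::EC2::VPC", Properties: { CidrBlock: "10.1.0.0/16" } },
    EgressIgw: { Type: "AWS::EC2::InternetGateway", Properties: {} },
    EgressIgwAttachment: { Type: "AWS::EC2::VPCGatewayAttachment",
      Properties: { VpcId: { Ref: "EgressVpc" }, InternetGatewayId: { Ref: "EgressIgw" } } },
    // CDK builds managed policy ARNs with Fn::Join and the AWS::Partition pseudo-parameter.
    InstanceRole: { Type: "AWS::IAM::Role", Properties: { ManagedPolicyArns: [
      { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/AmazonSSMManagedInstanceCore"]] },
    ] } },
    InstanceProfile: { Type: "AWS::IAM::InstanceProfile", Properties: { Roles: [{ Ref: "InstanceRole" }] } },
    PrivateInstance: { Type: "AWS::EC2::Instance",
      Properties: { SubnetId: { Ref: "PrivateSubnet" }, IamInstanceProfile: { Ref: "InstanceProfile" } } },
  },
};

// Flatten Ref / Fn::Join intrinsics to a string so CDK-built ARNs can be matched;
// a Ref becomes "${LogicalId}" (or "${AWS::Partition}" for pseudo-parameters).
function toStr(v: CfnValue): string {
  if (typeof v === "string") return v;
  if (typeof v === "number" || typeof v === "boolean") return String(v);
  if (Array.isArray(v)) return v.map(toStr).join("");
  const obj = v as { [key: string]: CfnValue };
  if ("Ref" in obj) return "${" + toStr(obj["Ref"]) + "}";
  if ("Fn::Join" in obj) {
    const join = obj["Fn::Join"] as [CfnValue, CfnValue[]];
    return join[1].map(toStr).join(toStr(join[0]));
  }
  return JSON.stringify(obj);
}

// Strip the "${...}" wrapper so a Ref can be used as a key into Resources.
function refTarget(v: CfnValue | undefined): string {
  return toStr(v === undefined ? "" : v).replace(/^\$\{(.*)\}$/, "$1");
}

function resourcesOfType(t: CfnTemplate, type: string): CfnResource[] {
  return Object.keys(t.Resources).map((id) => t.Resources[id]).filter((r) => r.Type === type);
}

// Logical IDs of every VPC with an internet gateway attached, i.e. VPCs that
// could reach the internet without going through the Transit Gateway.
function vpcsWithInternetGateway(t: CfnTemplate): string[] {
  return resourcesOfType(t, "AWS::EC2::VPCGatewayAttachment")
    .filter((r) => r.Properties !== undefined && r.Properties["InternetGatewayId"] !== undefined)
    .map((r) => refTarget(r.Properties && r.Properties["VpcId"]));
}

// Names (last ARN segment) of the managed policies attached to an IAM role.
function managedPolicyNames(role: CfnResource): string[] {
  const arns = (role.Properties && role.Properties["ManagedPolicyArns"]) as CfnValue[] | undefined;
  return (arns || []).map(toStr).map((arn) => arn.split("/").pop() || arn);
}

interface SsmAccessReport { ok: boolean; policies: string[]; problems: string[]; }

// Follow instance -> subnet -> VPC and instance -> instance profile -> role, then
// apply both checks. Failures are reported rather than thrown so the function can
// be run over every instance in a template.
function checkPrivateSsmAccess(t: CfnTemplate, instanceId: string): SsmAccessReport {
  const problems: string[] = [];
  const inst = t.Resources[instanceId];
  if (!inst || inst.Type !== "AWS::EC2::Instance") {
    return { ok: false, policies: [], problems: [instanceId + " is not an AWS::EC2::Instance"] };
  }
  const props: { [key: string]: CfnValue } = inst.Properties || {};
  const subnet = t.Resources[refTarget(props["SubnetId"])];
  const vpcId = refTarget(subnet && subnet.Properties && subnet.Properties["VpcId"]);
  if (vpcsWithInternetGateway(t).indexOf(vpcId) !== -1) {
    problems.push("VPC " + vpcId + " has an internet gateway attached; the instance is not fully private");
  }
  const profile = t.Resources[refTarget(props["IamInstanceProfile"])];
  const roleRefs = (profile && profile.Properties && profile.Properties["Roles"]) as CfnValue[] | undefined;
  const policies = (roleRefs || []).reduce<string[]>((acc, ref) => {
    const role = t.Resources[refTarget(ref)];
    return role ? acc.concat(managedPolicyNames(role)) : acc;
  }, []);
  if (policies.indexOf("AmazonSSMManagedInstanceCore") === -1) {
    problems.push("instance role lacks AmazonSSMManagedInstanceCore, so SSM Agent cannot register");
  }
  return { ok: problems.length === 0, policies, problems };
}

console.log(JSON.stringify(checkPrivateSsmAccess(demoTemplate, "PrivateInstance")));
```

To run it against the real stack, replace demoTemplate with the parsed contents of the template JSON in cdk.out/ and call checkPrivateSsmAccess once per AWS::EC2::Instance resource; a check like this belongs in the pipeline after cdk synth and before cdk deploy, where a failed assertion stops an instance from being deployed into a VPC that has quietly gained an internet gateway.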

Useful CDK commands

  • npm run build: compile TypeScript to JavaScript
  • npm run watch: watch for changes and compile
  • cdk deploy: deploy this stack to your default AWS account/region
  • cdk diff: compare the deployed stack with the current state
  • cdk synth: emit the synthesized CloudFormation template

Cleaning up

To avoid incurring future charges, delete the resources by running cdk destroy and confirming the deletion.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Contributors

amazon-auto, ivmirand, richardhboyd
