This CDK project demonstrates a shared egress VPC design pattern. The stack also uses AWS Systems Manager Session Manager to access a demo EC2 instance that sits in a private subnet of a private VPC, without a public IP, a bastion host or an open SSH port.
The architecture diagram that follows shows the egress VPC pattern and elements created by the template. The private VPC contains a single EC2 instance. It lacks a direct route to the internet and has no public subnets or internet gateway. Instead, traffic destined for the internet is routed to the Transit Gateway.
The second VPC contains two pairs of public and private subnets, an internet gateway and two NAT gateways. Both VPCs are attached to the Transit Gateway, which allows north-south connectivity. All relevant routes are depicted in tables connected by dotted lines.
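To make the routing in the diagram concrete, here is an added example that is not code from the aws-transit-gateway-egress-vpc-pattern repository: a pure-TypeScript model of the route tables involved, with the longest-prefix-match lookup that VPC route tables use. It traces a packet from the private instance out to the internet and the reply back, and shows what happens when the return route to the private VPC is missing from the egress VPC's public subnet route table (the reply matches `0.0.0.0/0 -> igw` and is lost). All CIDRs (10.0.0.0/16 for the private VPC, 10.1.0.0/16 for the egress VPC), table names and target names are assumptions for illustration, not values from the stack.

```typescript
// Added example, not code from the aws-transit-gateway-egress-vpc-pattern
// repository: a pure-TypeScript model of the route tables in the egress VPC
// pattern. It traces a packet from the private instance to the internet and
// the reply back, using longest-prefix match the way VPC route tables do.
// All CIDRs, table names and target names are assumptions for illustration.

type Route = { cidr: string; target: string };
type RouteTable = Route[];

function ipToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

// Longest-prefix match: the most specific matching route wins.
function lookup(table: RouteTable, dst: string): Route | undefined {
  const d = ipToInt(dst);
  let best: Route | undefined;
  let bestLen = -1;
  for (const r of table) {
    const [net, lenStr] = r.cidr.split("/");
    const len = Number(lenStr);
    const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
    if (((ipToInt(net) & mask) >>> 0) === ((d & mask) >>> 0) && len > bestLen) {
      best = r;
      bestLen = len;
    }
  }
  return best;
}

// Assumed addressing: private VPC 10.0.0.0/16 (instance in 10.0.0.0/24),
// egress VPC 10.1.0.0/16 with private subnets (TGW attachment ENIs) and
// public subnets (NAT gateways). Tables mirror the README's diagram.
function buildTables(withReturnRoute: boolean): Record<string, RouteTable> {
  const back: Route[] = withReturnRoute ? [{ cidr: "10.0.0.0/16", target: "tgw" }] : [];
  return {
    "private-vpc-rt": [
      { cidr: "10.0.0.0/16", target: "local" },
      { cidr: "0.0.0.0/0", target: "tgw" },              // no IGW here: everything else goes to the TGW
    ],
    "tgw-rt": [
      { cidr: "10.0.0.0/16", target: "tgw-attach-private" },
      { cidr: "10.1.0.0/16", target: "tgw-attach-egress" },
      { cidr: "0.0.0.0/0", target: "tgw-attach-egress" }, // static default route to the egress VPC
    ],
    "egress-private-rt": [
      { cidr: "10.1.0.0/16", target: "local" },
      ...back,
      { cidr: "0.0.0.0/0", target: "nat" },
    ],
    "egress-public-rt": [
      { cidr: "10.1.0.0/16", target: "local" },
      ...back,                                            // NAT replies need this to get back to the TGW
      { cidr: "0.0.0.0/0", target: "igw" },
    ],
  };
}

// Which route table a packet consults next after hitting a target.
// null = the packet leaves the model (delivered locally or sent out the IGW).
const nextTable: Record<string, string | null> = {
  tgw: "tgw-rt",
  "tgw-attach-egress": "egress-private-rt",
  "tgw-attach-private": "private-vpc-rt",
  nat: "egress-public-rt",
  igw: null,
  local: null,
};

function trace(tables: Record<string, RouteTable>, start: string, dst: string): string[] {
  const hops: string[] = [];
  let current: string | null = start;
  while (current !== null && hops.length < 8) {
    const table = tables[current];
    if (table === undefined) { hops.push(`${current}: unknown table`); break; }
    const r = lookup(table, dst);
    if (!r) { hops.push(`${current}: no route`); break; }
    hops.push(`${current}: ${r.cidr} -> ${r.target}`);
    current = nextTable[r.target] ?? null;
  }
  return hops;
}

// Outbound: instance -> 1.1.1.1 should end at the egress VPC's IGW.
function outboundPath(): string[] {
  return trace(buildTables(true), "private-vpc-rt", "1.1.1.1");
}

// Return traffic re-enters at the NAT gateway's public subnet and must find a
// route to 10.0.0.0/16 via the TGW; otherwise 0.0.0.0/0 -> igw wins and the
// reply to a private address is dropped.
function returnPath(withReturnRoute: boolean): string[] {
  return trace(buildTables(withReturnRoute), "egress-public-rt", "10.0.0.10");
}

console.log(outboundPath().join("\n"));
console.log(returnPath(true).join("\n"));
console.log(returnPath(false).join("\n"));
```

When you inspect the synthesized template later, compare the routes in each `AWS::EC2::Route` and `AWS::EC2::TransitGatewayRoute` resource with this trace; a forgotten return route in the egress VPC's public subnets is the usual reason the instance can resolve names but never gets an answer.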
In this section you will familiarize yourself with using AWS Cloud Development Kit (CDK) by downloading and deploying an egress VPC demo into your AWS account.
This will include:
- Installing CDK and cloning this demo repository
- Deploying the example environment into your AWS account
- Familiarizing yourself with the egress VPC pattern and the associated constructs and routing
- Securely accessing the shell of a fully private EC2 instance via AWS Systems Manager Session Manager
Prerequisites:
- An AWS account
- An installed and authenticated AWS CLI (authenticate with an IAM user or with temporary credentials from AWS STS)
- AWS CDK installed (typically via `npm install -g aws-cdk`)
- Make sure that you completed the prerequisites above and clone the CDK example by running the following command in a local directory: `git clone git@github.com:aws-samples/aws-transit-gateway-egress-vpc-pattern.git`
- Open the repository in your preferred local editor and inspect `lib/egress_vpc-tg-demo-stack.ts`.
- Run `npm install` to install the dependencies.
- Run `npm run build` once, or keep a separate terminal window open running `npm run watch` to compile the TypeScript to JavaScript in watch mode.
- Run `cdk synth` and inspect the synthesized AWS CloudFormation template (YAML) that will be used to deploy the stack. Because CDK uses a general-purpose programming language and construct libraries, the CDK code is significantly more compact than the equivalent hand-written template.
- Deploy the stack by running `cdk deploy` and observe the progress in your terminal window. Review the IAM and security-group changes that CDK lists for approval before confirming.
- Once stack creation is complete, open the AWS Console, go to AWS Systems Manager, Session Manager, choose the instance created by the stack (it is listed automatically once the SSM Agent has registered) and click "Start Session".
- Execute any command to test internet connectivity, for instance a nice and simple `ping amazon.com`; `curl -I https://amazon.com` checks that a TCP path through the NAT gateways works as well.
- The image for the EC2 instance is selected with the higher-level construct `AmazonLinuxImage`, and the AMI ID is resolved at deployment time from a public SSM Parameter Store parameter. This means the stack can be deployed to multiple regions and will automatically pick up the latest managed image of the selected OS. The caveat is that a later `cdk deploy` can replace the instance when a newer AMI has been published, because the lookup is repeated on every deployment.
- By default CDK uses your default AWS CLI configuration; multiple environments can be targeted with CDK's native environment support (the stack's `env` property together with CLI profiles).
- AWS Systems Manager Agent (SSM Agent) is included in the AMI and requires two managed policies to work, which are attached to the instance's role. The agent opens an outbound HTTPS connection to the Systems Manager service (here through the egress VPC's NAT gateways), so no inbound security-group rule, public IP or SSH key is needed.
- The CDK template includes commented-out examples of adding VPC endpoints for Systems Manager and illustrates the use of mandatory as well as optional endpoints. If the default route to the egress VPC is removed, the instance can only reach Systems Manager through those endpoints, so the mandatory ones (ssm, ssmmessages and ec2messages) then become required.
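The notes above list the things Session Manager depends on (the instance role's policy, an outbound path to the service, and, without that path, the mandatory endpoints). The following is an added example, not code from the repository: a small checklist-as-code that takes a description of what the stack defines and reports the gaps, without calling any AWS API. The interface-endpoint service names follow the real `com.amazonaws.<region>.<service>` form; the spec shape, the exact-match security-group model and the assumption that the stack's instance role carries `AmazonSSMManagedInstanceCore` are assumptions of this example.

```typescript
// Added example, not code from the aws-transit-gateway-egress-vpc-pattern
// repository: a checklist-as-code for what Session Manager needs from a fully
// private instance. It calls no AWS API; you describe what the stack defines
// and it reports gaps. The endpoint service names follow the real
// com.amazonaws.<region>.<service> form; the spec shape, the security-group
// model and the policy name assumed on the instance role are assumptions.

interface InterfaceEndpoint {
  service: string;            // e.g. "com.amazonaws.eu-west-1.ssmmessages"
  privateDnsEnabled: boolean; // the agent resolves the public hostname; private DNS must steer it to the endpoint
  httpsFromCidrs: string[];   // CIDRs the endpoint security group admits on TCP 443 (exact-match model)
}

interface PrivateVpcSpec {
  region: string;
  instanceSubnetCidr: string;
  defaultRouteToEgress: boolean;  // true in this pattern: 0.0.0.0/0 -> TGW -> NAT gateways
  instanceRolePolicies: string[]; // managed policy names attached to the instance role
  endpoints: InterfaceEndpoint[];
}

// Without a path to the public service endpoints, all three are required.
// The optional ones only matter for session logging, KMS encryption and S3 access.
const MANDATORY_SSM_SERVICES = ["ssm", "ssmmessages", "ec2messages"] as const;
const OPTIONAL_SSM_SERVICES = ["logs", "kms", "s3"] as const;

function sessionManagerProblems(spec: PrivateVpcSpec): string[] {
  const problems: string[] = [];

  // Assumption: the minimal managed policy the instance role needs.
  if (!spec.instanceRolePolicies.includes("AmazonSSMManagedInstanceCore")) {
    problems.push("instance role lacks AmazonSSMManagedInstanceCore");
  }

  // With the egress route the agent reaches the public service over NAT;
  // VPC endpoints are then optional.
  if (spec.defaultRouteToEgress) return problems;

  for (const svc of MANDATORY_SSM_SERVICES) {
    const name = `com.amazonaws.${spec.region}.${svc}`;
    const ep = spec.endpoints.find((e) => e.service === name);
    if (!ep) {
      problems.push(`missing mandatory interface endpoint ${name}`);
      continue;
    }
    if (!ep.privateDnsEnabled) problems.push(`${name}: private DNS is disabled`);
    if (!ep.httpsFromCidrs.includes(spec.instanceSubnetCidr)) {
      problems.push(`${name}: security group does not allow 443 from ${spec.instanceSubnetCidr}`);
    }
  }
  return problems;
}

// Which optional endpoints are defined, for reporting only.
function optionalEndpointsPresent(spec: PrivateVpcSpec): string[] {
  return OPTIONAL_SSM_SERVICES.filter((svc) =>
    spec.endpoints.some((e) => e.service === `com.amazonaws.${spec.region}.${svc}`));
}

// Constructed sample: the demo as described (egress route present, no endpoints).
const demoSpec: PrivateVpcSpec = {
  region: "eu-west-1",
  instanceSubnetCidr: "10.0.0.0/24",
  defaultRouteToEgress: true,
  instanceRolePolicies: ["AmazonSSMManagedInstanceCore"],
  endpoints: [],
};

// Constructed sample: the same VPC with the egress route removed and only two
// of the three mandatory endpoints, one of them with private DNS left off.
const isolatedSpec: PrivateVpcSpec = {
  ...demoSpec,
  defaultRouteToEgress: false,
  endpoints: [
    { service: "com.amazonaws.eu-west-1.ssm", privateDnsEnabled: true, httpsFromCidrs: ["10.0.0.0/24"] },
    { service: "com.amazonaws.eu-west-1.ssmmessages", privateDnsEnabled: false, httpsFromCidrs: ["10.0.0.0/24"] },
  ],
};

console.log(sessionManagerProblems(demoSpec));
console.log(sessionManagerProblems(isolatedSpec));
console.log(optionalEndpointsPresent(isolatedSpec));
```

The two endpoint conditions are the ones that most often bite in practice: an interface endpoint created without private DNS leaves the agent connecting to the public hostname it cannot reach, and an endpoint security group that does not admit TCP 443 from the instance subnet silently times out.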
Useful commands:
- `npm run build` compile TypeScript to JavaScript
- `npm run watch` watch for changes and compile
- `cdk deploy` deploy this stack to your default AWS account/region
- `cdk diff` compare the deployed stack with the current state
- `cdk synth` emit the synthesized CloudFormation template
To avoid incurring future charges (the two NAT gateways and the Transit Gateway attachments are billed hourly while the stack exists), delete the resources by running `cdk destroy` and confirming the deletion.
This library is licensed under the MIT-0 License. See the LICENSE file.