RFC 507: Full control over VPC and subnet configuration #508
Conversation
text/0507-subnets.md
Outdated
| const natGateway = publicSubnet.addNatGateway('natgw', {elasticIp}); | ||
|
|
||
| const routeTable = vpc.addRouteTable('routeTable', { | ||
| routes: [ | ||
| Route.to({ | ||
| destination: '0.0.0.0/0', | ||
|
|
||
| // targets must implement the IRouter interface | ||
| target: natGateway, | ||
| }), | ||
| ], | ||
| }); |
There was a problem hiding this comment.
Do we expect people to do this 3 times? What does that look like, and are we still happy with that?
There was a problem hiding this comment.
What's an alternative that allows users to define 3 identical route tables without repeating the properties? A clone() method, perhaps?
const routeTable = vpc.addRouteTable(...);
vpc.addSubnet('sn1', {
...,
routeTable,
});
vpc.addSubnet('sn2', {
...,
routeTable: routeTable.clone(),
});
vpc.addSubnet('sn3', {
...,
routeTable: routeTable.clone(),
});Then again, if you are defining your own route tables, why would you do this, instead of reusing the same one?
text/0507-subnets.md
Outdated
| ```ts | ||
| const subnet = vpc.addSubnet('subnet', { | ||
| cidrBlock: '10.2.0.0/20', | ||
| availabilityZone: 'us-west-2a' |
There was a problem hiding this comment.
Is availabilityZone optional? If not, is it possible to make this construct region-agnostic?
| more secondary IP blocks, by providing them in the CIDR format: | ||
|
|
||
| ```ts | ||
| const vpc = new VpcV2(this, 'vpc', { |
There was a problem hiding this comment.
Does VpcV2 implements IVpc interface? I think it's necessary for compatibility with other constructs.
text/0507-subnets.md
Outdated
|
|
||
| They will serve two separate sets of customers, with different use cases. | ||
| For example, `Vpc` creates all the subnets on behalf of the user, while | ||
| `VpcV2` will not create any subnet other than the ones requested by the user. |
There was a problem hiding this comment.
My first impression to the name VpcV2 was the current Vpc construct will be deprecated. But after reading this RFC carefully, it seems that they will coexist for different purposes. (Vpc for simple use case, and VpcV2 for advanced users.)
I'm afraid that users might get confused and misunderstand that they should not use the Vpc construct any more.
text/0507-subnets.md
Outdated
| ### Why all the `.addXxx()` methods? | ||
|
|
||
| To keep the current way of organizing constructs in the tree, in which | ||
| everything that is logically part of the VPC is a direct or indirect |
There was a problem hiding this comment.
Cool, so migrating from Vpc to VpcV2 is not very difficult, right? I'd like to see reference to migration in this FAQ section as well.
|
Its not clear to me, but it seems SubnetGroups have dissapeared somewhere. Subnet groups are an exceptionally powerful things.; I like having an abstracted 'routing table' associated with a subnetgroup. ( but underneath it still has individual routing tables for each subnet ).. I don't think that its desirable to have people needing to add a routing table... If you want to do this kind of thing, you can ( using the L1 Constructs which is painful ). ec2.Vpc, is a L3 Construct, and this ec2.Vpc2 will be to. I think the way forward here, is not to create another L3 Construct in the library. ( But by all means, create them for your own use cases .. What would be much more valuable is to create a solid set of L2 Constructs. For me, I' have been able to extend ec2.Vpc to do some things that are not easy otherwise. But really, if there had been some Good L2 Constructs, i'd probalby have started there. Underneath, i need subnets to use endpoints ( for cloudwan, transit gateways, firewalls etc ) that are in their specific AZ, but i don't want to have to consider that when i'm building my vpc.. Its a deployment detail, that the construct can deal with. I also need to be able to route to specific subnets, within my vpc from other subnets, so that i can force traffic via firewalls. this is a feature that was added a while ago, so you can route to smaller routes than the vpc's cidr. I've essentially created my own EVpc which wraps around eVpc to provide some extra methods to the exisiting vpc. This is to meet MY specific use-cases. They are opinionated and solve my problems. My fear is that the Vpc2 construct seems more opinionated than the Vpc construct, and while it will meet the needs of some people, for their quite specific use cases, it wont' actually help most people. Could we have some examples of where the current ec2.Vpc does not |
+1 to this. I think the first step is to create solid L2s for everything so a user could create their own Vpc from scratch. We could then build more utility on top of that. |
| * **Tracking Issue**: #507 | ||
| * **API Bar Raiser**: @{BAR_RAISER_USER} | ||
|
|
||
| New L2 constructs to allow for greater control over VPC design. Among other |
There was a problem hiding this comment.
I think it would be interesting to see a breakdown of all the L1s that are used in creating a Vpc and which ones we do not have L2 coverage for. To me this breaks down into 3 steps
- Show how to create the current default
Vpcwith a new complete set of L2s. - Show how to create a complicated non-default Vpc with the new set of L2s.
- Can we make the above two easier with opinionated abstractions
There was a problem hiding this comment.
I think it might be quite a short list.
- the vpc itself. ( its kind of unforuantate that ec2.Vpc was called Vpc, becuase a vpc in cdk and a vpc in the rest of amazon are two differnet thigns )
- subnets
- route tables.
…to a VPC; Make Cory that bar-raiser.
This is a request for comments about a new API in the
aws-ec2module to give users full control over VPC and subnet configuration. See #507 for additional details.APIs are signed off by @corymhall
Rendered version
By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache-2.0 license