feat(ec2): add support for vpn connections

packages/@aws-cdk/aws-ec2/README.md

@@ -303,3 +303,41 @@ selectable by instantiating one of these classes:
 > section of your `cdk.json`.
 >
 > We will add command-line options to make this step easier in the future.
+
+### VPN connections to a VPC
+
+Create your VPC with VPN connections by specifying the `vpnConnections` props (keys are construct `id`s):
+
+```ts
+const vpc = new ec2.VpcNetwork(stack, 'MyVpc', {
+  vpnConnections: {
+    dynamic: { // Dynamic routing (BGP)
+      ip: '1.2.3.4'
+    },
+    static: { // Static routing
+      ip: '4.5.6.7',
+      staticRoutes: [
+        '192.168.10.0/24',
+        '192.168.20.0/24'
+      ]
+    }
+  }
+});
+```
+
+To export a VPC that can accept VPN connections, set `vpnGateway` to `true`:
+
+```ts
+const vpc = new ec2.VpcNetwork(stack, 'MyVpc', {
+  vpnGateway: true
+});
+```
+
+VPN connections can then be added:
+```ts
+vpc.addVpnConnection('Dynamic', {
+  ip: '1.2.3.4'
+});
+```
+
+Routes will be propagated on the route tables associated with the private subnets.

packages/@aws-cdk/aws-ec2/lib/index.ts

@@ -6,6 +6,7 @@ export * from './security-group-rule';
 export * from './vpc';
 export * from './vpc-ref';
 export * from './vpc-network-provider';
+export * from './vpn';
 
 // AWS::EC2 CloudFormation Resources:
 export * from './ec2.generated';

packages/@aws-cdk/aws-ec2/lib/vpc-ref.ts

@@ -1,5 +1,6 @@
 import { Construct, IConstruct, IDependable } from "@aws-cdk/cdk";
 import { subnetName } from './util';
+import { VpnConnection, VpnConnectionOptions } from './vpn';
 
 export interface IVpcSubnet extends IConstruct {
   /**
@@ -54,6 +55,11 @@ export interface IVpcNetwork extends IConstruct {
    */
   readonly vpcRegion: string;
 
+  /**
+   * Identifier for the VPN gateway
+   */
+  readonly vpnGatewayId?: string;
+
   /**
    * Return the subnets appropriate for the placement strategy
    */
@@ -68,6 +74,11 @@ export interface IVpcNetwork extends IConstruct {
    */
   isPublicSubnet(subnet: IVpcSubnet): boolean;
 
+  /**
+   * Adds a new VPN connection to this VPC
+   */
+  addVpnConnection(id: string, options: VpnConnectionOptions): VpnConnection;
+
   /**
    * Exports this VPC so it can be consumed by another stack.
    */
@@ -173,6 +184,11 @@ export abstract class VpcNetworkBase extends Construct implements IVpcNetwork {
    */
   public abstract readonly availabilityZones: string[];
 
+  /**
+   * Identifier for the VPN gateway
+   */
+  public abstract readonly vpnGatewayId?: string;
+
   /**
    * Dependencies for internet connectivity
    */
@@ -211,6 +227,16 @@ export abstract class VpcNetworkBase extends Construct implements IVpcNetwork {
     }[placement.subnetsToUse];
   }
 
+  /**
+   * Adds a new VPN connection to this VPC
+   */
+  public addVpnConnection(id: string, options: VpnConnectionOptions): VpnConnection {
+    return new VpnConnection(this, id, {
+      vpc: this,
+      ...options
+    });
+  }
+
   /**
    * Export this VPC from the stack
    */
@@ -291,6 +317,11 @@ export interface VpcNetworkImportProps {
    * Must be undefined or have a name for every isolated subnet group.
    */
   isolatedSubnetNames?: string[];
+
+  /**
+   * VPN gateway's identifier
+   */
+  vpnGatewayId?: string;
 }
 
 export interface VpcSubnetImportProps {

packages/@aws-cdk/aws-ec2/lib/vpc.ts

@@ -1,11 +1,12 @@
 import cdk = require('@aws-cdk/cdk');
 import { ConcreteDependable, IDependable } from '@aws-cdk/cdk';
-import { CfnEIP, CfnInternetGateway, CfnNatGateway, CfnRoute } from './ec2.generated';
+import { CfnEIP, CfnInternetGateway, CfnNatGateway, CfnRoute, CfnVPNGateway, CfnVPNGatewayRoutePropagation } from './ec2.generated';
 import { CfnRouteTable, CfnSubnet, CfnSubnetRouteTableAssociation, CfnVPC, CfnVPCGatewayAttachment } from './ec2.generated';
 import { NetworkBuilder } from './network-util';
 import { DEFAULT_SUBNET_NAME, ExportSubnetGroup, ImportSubnetGroup, subnetId  } from './util';
 import { VpcNetworkProvider, VpcNetworkProviderProps } from './vpc-network-provider';
 import { IVpcNetwork, IVpcSubnet, SubnetType, VpcNetworkBase, VpcNetworkImportProps, VpcPlacementStrategy, VpcSubnetImportProps } from './vpc-ref';
+import { VpnConnectionOptions, VpnConnectionType } from './vpn';
 
 /**
  * Name tag constant
@@ -115,6 +116,27 @@ export interface VpcNetworkProps {
    * private subnet per AZ
    */
   subnetConfiguration?: SubnetConfiguration[];
+
+  /**
+   * Indicates whether a VPN gateway should be created and attached to this VPC.
+   *
+   * @default true when vpnGatewayAsn or vpnConnections is specified.
+   */
+  vpnGateway?: boolean;
+
+  /**
+   * The private Autonomous System Number (ASN) for the VPN gateway.
+   *
+   * @default Amazon default ASN
+   */
+  vpnGatewayAsn?: number;
+
+  /**
+   * VPN connections to this VPC.
+   *
+   * @default no connections
+   */
+  vpnConnections?: { [id: string]: VpnConnectionOptions }
 }
 
 /**
@@ -250,6 +272,11 @@ export class VpcNetwork extends VpcNetworkBase {
    */
   public readonly availabilityZones: string[];
 
+  /**
+   * Identifier for the VPN gateway
+   */
+  public readonly vpnGatewayId?: string;
+
   /**
    * The VPC resource
    */
@@ -343,6 +370,40 @@ export class VpcNetwork extends VpcNetworkBase {
         privateSubnet.addDefaultNatRouteEntry(ngwId);
       });
     }
+
+    if (props.vpnConnections && props.vpnGateway === false) {
+      throw new Error('Cannot specify `vpnConnections` when `vpnGateway` is set to false.');
+    }
+
+    if (props.vpnGateway || props.vpnConnections || props.vpnGatewayAsn) {
+      const vpnGateway = new CfnVPNGateway(this, 'VpnGateway', {
+        amazonSideAsn: props.vpnGatewayAsn,
+        type: VpnConnectionType.IPsec1
+      });
+
+      const attachment = new CfnVPCGatewayAttachment(this, 'VPCVPNGW', {
+        vpcId: this.vpcId,
+        vpnGatewayId: vpnGateway.vpnGatewayName
+      });
+
+      this.vpnGatewayId = vpnGateway.vpnGatewayName;
+
+      // Propagate routes on route tables associated with private subnets
+      const routePropagation = new CfnVPNGatewayRoutePropagation(this, 'RoutePropagation', {
+        routeTableIds: (this.privateSubnets as VpcPrivateSubnet[]).map(subnet => subnet.routeTableId),
+        vpnGatewayId: this.vpnGatewayId
+      });
+
+      // The AWS::EC2::VPNGatewayRoutePropagation resource cannot use the VPN gateway
+      // until it has successfully attached to the VPC.
+      // See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpn-gatewayrouteprop.html
+      routePropagation.node.addDependency(attachment);
+
+      const vpnConnections = props.vpnConnections || {};
+      Object.keys(vpnConnections).forEach(cId => {
+        this.addVpnConnection(cId, vpnConnections[cId]);
+      });
+    }
   }
 
   /**
@@ -355,6 +416,7 @@ export class VpcNetwork extends VpcNetworkBase {
 
     return {
       vpcId: new cdk.Output(this, 'VpcId', { value: this.vpcId }).makeImportValue().toString(),
+      vpnGatewayId: new cdk.Output(this, 'VpnGatewayId', { value: this.vpnGatewayId }).makeImportValue().toString(),
       availabilityZones: this.availabilityZones,
       publicSubnetIds: pub.ids,
       publicSubnetNames: pub.names,
@@ -523,7 +585,7 @@ export class VpcSubnet extends cdk.Construct implements IVpcSubnet {
   /**
    * The routeTableId attached to this subnet.
    */
-  private readonly routeTableId: string;
+  public readonly routeTableId: string;
 
   private readonly internetDependencies = new ConcreteDependable();
 
@@ -653,12 +715,14 @@ class ImportedVpcNetwork extends VpcNetworkBase {
   public readonly privateSubnets: IVpcSubnet[];
   public readonly isolatedSubnets: IVpcSubnet[];
   public readonly availabilityZones: string[];
+  public readonly vpnGatewayId?: string;
 
   constructor(scope: cdk.Construct, id: string, private readonly props: VpcNetworkImportProps) {
     super(scope, id);
 
     this.vpcId = props.vpcId;
     this.availabilityZones = props.availabilityZones;
+    this.vpnGatewayId = props.vpnGatewayId;
 
     // tslint:disable:max-line-length
     const pub = new ImportSubnetGroup(props.publicSubnetIds, props.publicSubnetNames, SubnetType.Public, this.availabilityZones, 'publicSubnetIds', 'publicSubnetNames');

packages/@aws-cdk/aws-ec2/lib/vpn.ts

@@ -0,0 +1,128 @@
+import cdk = require('@aws-cdk/cdk');
+import { CfnCustomerGateway, CfnVPNConnection, CfnVPNConnectionRoute } from './ec2.generated';
+import { IVpcNetwork } from './vpc-ref';
+
+export interface IVpnConnection extends cdk.IConstruct {
+  /**
+   * The id of the VPN connection.
+   */
+  readonly vpnId: string;
+
+  /**
+   * The id of the customer gateway.
+   */
+  readonly customerGatewayId: string;
+
+  /**
+   * The ip address of the customer gateway.
+   */
+  readonly customerGatewayIp: string;
+
+  /**
+   * The ASN of the customer gateway.
+   */
+  readonly customerGatewayAsn: number;
+}
+export interface VpnTunnelOption {
+  /**
+   * The pre-shared key (PSK) to establish initial authentication between the virtual
+   * private gateway and customer gateway.
+   */
+  presharedKey: string;
+
+  /**
+   * The range of inside IP addresses for the tunnel. Any specified CIDR blocks must be
+   * unique across all VPN connections that use the same virtual private gateway.
+   */
+  tunnelInsideCidr: string;
+}
+
+export interface VpnConnectionOptions {
+  /**
+   * The ip address of the customer gateway.
+   */
+  ip: string;
+
+  /**
+   * The ASN of the customer gateway.
+   *
+   * @default 65000
+   */
+  asn?: number;
+
+  /**
+   * The static routes to be routed from the VPN gateway to the customer gateway.
+   *
+   * @default Dynamic routing (BGP)
+   */
+  staticRoutes?: string[];
+
+  /**
+   * Tunnel options for the VPN connection.
+   */
+  vpnTunnelOptions?: VpnTunnelOption[];
+}
+
+export interface VpnConnectionProps extends VpnConnectionOptions {
+  /**
+   * The VPC to connect to.
+   */
+  vpc: IVpcNetwork;
+}
+
+/**
+ * The VPN connection type.
+ */
+export enum VpnConnectionType {
+  /**
+   * The IPsec 1 VPN connection type.
+   */
+  IPsec1 = 'ipsec.1'
+}
+
+export class VpnConnection extends cdk.Construct implements IVpnConnection {
+  public readonly vpnId: string;
+  public readonly customerGatewayId: string;
+  public readonly customerGatewayIp: string;
+  public readonly customerGatewayAsn: number;
+
+  constructor(scope: cdk.Construct, id: string, props: VpnConnectionProps) {
+    super(scope, id);
+
+    if (!props.vpc.vpnGatewayId) {
+      throw new Error('Cannot create a VPN connection when VPC has no VPN gateway.');
+    }
+
+    const type = VpnConnectionType.IPsec1;
+    const bgpAsn = props.asn || 65000;
+
+    const customerGateway = new CfnCustomerGateway(this, 'CustomerGateway', {
+      bgpAsn,
+      ipAddress: props.ip,
+      type
+    });
+
+    this.customerGatewayId = customerGateway.customerGatewayName;
+    this.customerGatewayAsn = bgpAsn;
+    this.customerGatewayIp = props.ip;
+
+    const vpnConnection = new CfnVPNConnection(this, 'Resource', {
+      type,
+      customerGatewayId: customerGateway.customerGatewayName,
+      staticRoutesOnly: props.staticRoutes ? true : false,
+      vpnGatewayId: props.vpc.vpnGatewayId,
+      vpnTunnelOptionsSpecifications: props.vpnTunnelOptions
+    });
+
+    this.vpnId = vpnConnection.vpnConnectionName;
+
+    if (props.staticRoutes) {
+      props.staticRoutes.forEach(route => {
+        new CfnVPNConnectionRoute(this, `Route${route.replace(/[^\d]/g, '')}`, {
+          destinationCidrBlock: route,
+          vpnConnectionId: this.vpnId
+        });
+      });
+    }
+  }
+}