Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(ec2): support network interface L2 #28901

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

feat(ec2): support network interface L2 #28901

wants to merge 10 commits into from

Conversation

WinterYukky
Copy link
Contributor

@WinterYukky WinterYukky commented Jan 28, 2024
edited
Loading

What change?

Add ec2.NetworkInterface L2 constructs and ec2.Instance.addNetworkInterface() method.

Why need this change?

There are three reasons.

  1. Currently (v2.124.0), ec2.Instance doesn't support additional IPv4 address. It is hard in the cace of advanced network architects (e.g. Multi-VPC ENI Attacements). To support network interface L2 is very usefull.
  2. L2 interface (INetworkInterface) is neccesarry to support other L2 resources that using network interface such as VerifiedAccess Endpoint.
  3. A created network interface by ec2.Instance can not get ID of network interface. Customers who need a network interface ID wants configure network interface at initialize ec2.Instance.

How to use this?

Following document is README.md.

Network Interface

You can attach additional network interfaces to an EC2 instance. Attaching multiple network interfaces to an instance is useful when you want to:

  • Create a management network.
  • Use network and security appliances in your Virtual Private Cloud (VPC).
  • Create dual-homed instances with workloads/roles on distinct subnets.
  • Create a low-budget, high-availability solution.

The following code how to add additional network interfaces for an EC2 instance.

declare const vpc: ec2.IVpc;
declare const instance: ec2.Instance;

const eni1 = new ec2.NetworkInterface(this, 'NetworkInterface', {
  vpc,
});
// device index is ordered by default
instance.addNetworkInterface(eni1);

// or, you can also specify the device index
declare const eni2: ec2.INetworkInterface;
instance.addNetworkInterface(eni2, {
  deviceIndex: 3,
});

You can also assign private IPv4 address from prefixes or specific IPv4 addresses.
The following code assigns IPv4 address from prefixes.

declare const vpc: ec2.IVpc;

new ec2.NetworkInterface(this, 'NetworkInterface', {
  vpc,
  ipv4: ec2.Ipv4Assign.fromPrefixes('10.0.0.0/28', '10.1.0.0/28')
    .addPrimaryAddress('10.0.0.10'),
});

For more information see Scenarios for network interfaces.

Design decision-making

Additional network interfaces are not allow modify security group rules by ec2.Instance.connections.allowXxx(). For allow network interface security group rules, customers must explicitly allow it in the security group of the network interface. This decision because, I think customers such as using network interface are need advanced networking architects, they wants specify security groups every network interfaces.

declare const instance: ec2.Instance; 
declare const eni: ec2.INetworkInterface; 

Instance.addNetworkInterface(eni); 

// This code does not allow eni.securityGroup ingress. 
instance.connections.allowFromAnyIpv4Address(ec2.Port.tcp(80)); 

// For allow eni.securityGroup ingress, allow individually network interfaces. 
eni.connections.allowFromAnyIpv4Address(ec2.Port.tcp(80));

What to do and what not to do in this PR

For minimize this PR size, I implement part of features. Not implemented features will implement at another PR after marged this.

Do

  • Implement ec2.NetworkInterface construct
  • Define ec2.INetworkInterface construct interface
  • Implement ec2.Instance.addNetworkInterface() method
  • Implement using existing network interface feature (i.e. NetworkInterface.fromNetworkInterfaceAttributes() )

Do not

  • EIP support
  • IPv6 support
  • attach network interface as primary network interface of EC2 instance

Ref

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added admired-contributor [Pilot] contributed between 13-24 PRs to the CDK p2 labels Jan 28, 2024
@github-actions github-actions bot mentioned this pull request Feb 1, 2024
Closed
@WinterYukky WinterYukky marked this pull request as draft February 5, 2024 17:48
@aws-cdk-automation
Copy link
Collaborator

This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

@WinterYukky WinterYukky marked this pull request as ready for review February 23, 2024 07:52
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Feb 23, 2024
@paulhcsun paulhcsun self-assigned this Apr 23, 2024
@aws-cdk-automation
Copy link
Collaborator

This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

@pasiorovuo pasiorovuo mentioned this pull request Jun 19, 2024
Open
1 task
@otaviomacedo
Copy link
Contributor

I suggest we hold off on this PR, as there is a more comprehensive one in progress right now. For more information, check out the RFC.

@khushail khushail mentioned this pull request Jul 23, 2024
Open
2 tasks
@aws-cdk-automation
Copy link
Collaborator

This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 7a6267d
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

shikha372
shikha372 reviewed Dec 16, 2024
View reviewed changes
packages/aws-cdk-lib/aws-ec2/lib/instance.ts
@@ -554,6 +556,13 @@ export class Instance extends Resource implements IInstance {
groupSet: securityGroupsToken,
privateIpAddress: props.privateIpAddress,
}] : undefined;
this.attachedNetworkInterfaces = [
new class DummyNetworkInterface extends Resource implements INetworkInterface {
Copy link
Contributor

@shikha372 shikha372 Dec 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you help me understand why do we need a dummy class here ?

shikha372
shikha372 reviewed Dec 16, 2024
View reviewed changes
packages/aws-cdk-lib/aws-ec2/lib/instance.ts
/**
* Adds a network interface to the instance.
*/
public addNetworkInterface(networkInterface: INetworkInterface, options: AddNetworkInterfaceOptions = {}) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can a same network interface be attached to two instance? i think not.. let me know if that's not the case.
instead of taking a network interface as an argument, create a new one with and take in the parameters that are required to create n/w interface

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shikha372 shikha372 shikha372 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@paulhcsun paulhcsun

Labels
admired-contributor [Pilot] contributed between 13-24 PRs to the CDK p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@WinterYukky @aws-cdk-automation @otaviomacedo @shikha372 @paulhcsun