From 2023004cc941a0e7a908bf3c90ad9887c6679564 Mon Sep 17 00:00:00 2001 From: Nick Lynch Date: Fri, 3 Sep 2021 11:01:35 +0100 Subject: [PATCH] feat(ec2): rename SubnetTypes to improve clarity with EC2 conventions (#16348) Early on in the CDK history, a decision was made to delineate between subnets with Internet access (i.e., those with a NAT) and those without. The convention chosen at that time was to label the subnets as `PRIVATE` and `ISOLATED`, respectively. The intent was to make it clear that subnets without a NAT were completely isolated from the broader Internet (unless connected through another subnet). However, this introduction of a new subnet type that does not match EC2 documentation and naming conventions can cause confusion. Most critically, a user may select a `PRIVATE` subnet without realizing that it automatically requires one (or more) NAT gateways. As NAT gateways are not free, this can lead to unintended charges. To realign to the EC2 terminology -- while retaining the existing logic surrounding SubnetTypes -- the existing types of `PRIVATE` and `ISOLATED` are being renamed to `PRIVATE_WITH_NAT` and `PRIVATE_ISOLATED`, respectively. fixes #15929 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- packages/@aws-cdk/aws-ec2/README.md | 14 +-- packages/@aws-cdk/aws-ec2/lib/util.ts | 6 +- packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts | 2 +- packages/@aws-cdk/aws-ec2/lib/vpc.ts | 90 ++++++++++++++----- .../aws-ec2/test/bastion-host.test.ts | 4 +- .../test/integ.reserved-private-subnet.ts | 2 +- .../aws-ec2/test/integ.vpc-gateway.ts | 2 +- .../aws-ec2/test/integ.vpc-networkacl.ts | 2 +- .../aws-ec2/test/vpc-endpoint.test.ts | 2 +- .../aws-ec2/test/vpc.from-lookup.test.ts | 2 +- packages/@aws-cdk/aws-ec2/test/vpc.test.ts | 68 +++++++------- 11 files changed, 119 insertions(+), 75 deletions(-) 
diff --git a/packages/@aws-cdk/aws-ec2/README.md b/packages/@aws-cdk/aws-ec2/README.md index ae628ce7d21dc..0ed5fc82d0252 100644 --- a/packages/@aws-cdk/aws-ec2/README.md +++ b/packages/@aws-cdk/aws-ec2/README.md @@ -38,15 +38,15 @@ instances for your project. A VPC consists of one or more subnets that instances can be placed into. CDK distinguishes three different subnet types: -* **Public** - public subnets connect directly to the Internet using an +* **Public (`SubnetType.PUBLIC`)** - public subnets connect directly to the Internet using an Internet Gateway. If you want your instances to have a public IP address and be directly reachable from the Internet, you must place them in a public subnet. -* **Private** - instances in private subnets are not directly routable from the +* **Private with Internet Access (`SubnetType.PRIVATE_WITH_NAT`)** - instances in private subnets are not directly routable from the Internet, and connect out to the Internet via a NAT gateway. By default, a NAT gateway is created in every public subnet for maximum availability. Be aware that you will be charged for NAT gateways. -* **Isolated** - isolated subnets do not route from or to the Internet, and +* **Isolated (`SubnetType.PRIVATE_ISOLATED`)** - isolated subnets do not route from or to the Internet, and as such do not require NAT gateways. They can only connect to or be connected to from other instances in the same VPC. A default VPC configuration will not include isolated subnets, @@ -245,12 +245,12 @@ const vpc = new ec2.Vpc(this, 'TheVPC', { { cidrMask: 24, name: 'Application', - subnetType: ec2.SubnetType.PRIVATE, + subnetType: ec2.SubnetType.PRIVATE_WITH_NAT, }, { cidrMask: 28, name: 'Database', - subnetType: ec2.SubnetType.ISOLATED, + subnetType: ec2.SubnetType.PRIVATE_ISOLATED, // 'reserved' can be used to reserve IP address space. No resources will // be created for this subnet, but the IP range will be kept available for 
@@ -345,12 +345,12 @@ const vpc = new ec2.Vpc(this, 'TheVPC', { { cidrMask: 26, name: 'Application1', - subnetType: ec2.SubnetType.PRIVATE, + subnetType: ec2.SubnetType.PRIVATE_WITH_NAT, }, { cidrMask: 26, name: 'Application2', - subnetType: ec2.SubnetType.PRIVATE, + subnetType: ec2.SubnetType.PRIVATE_WITH_NAT, reserved: true, // <---- This subnet group is reserved }, { diff --git a/packages/@aws-cdk/aws-ec2/lib/util.ts b/packages/@aws-cdk/aws-ec2/lib/util.ts index 7ad31d02e54ec..31814d5cc45e5 100644 --- a/packages/@aws-cdk/aws-ec2/lib/util.ts +++ b/packages/@aws-cdk/aws-ec2/lib/util.ts @@ -16,8 +16,8 @@ export function slugify(x: string): string { export function defaultSubnetName(type: SubnetType) { switch (type) { case SubnetType.PUBLIC: return 'Public'; - case SubnetType.PRIVATE: return 'Private'; - case SubnetType.ISOLATED: return 'Isolated'; + case SubnetType.PRIVATE_WITH_NAT: return 'Private'; + case SubnetType.PRIVATE_ISOLATED: return 'Isolated'; } } @@ -132,4 +132,4 @@ export function allRouteTableIds(subnets: ISubnet[]): string[] { export function flatten(xs: A[][]): A[] { return Array.prototype.concat.apply([], xs); -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts index 69ad4aab88404..f9cb70afea180 100644 --- a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts +++ b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts @@ -125,7 +125,7 @@ export interface GatewayVpcEndpointOptions { * service: ec2.GatewayVpcEndpointAwsService.DYNAMODB, * // Add only to ISOLATED subnets * subnets: [ - * { subnetType: ec2.SubnetType.ISOLATED } + * { subnetType: ec2.SubnetType.PRIVATE_ISOLATED } * ] * }); * diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc.ts b/packages/@aws-cdk/aws-ec2/lib/vpc.ts index 1fe534df6c483..b8194eb161c1d 100644 --- a/packages/@aws-cdk/aws-ec2/lib/vpc.ts +++ b/packages/@aws-cdk/aws-ec2/lib/vpc.ts 
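Review bot: The example comment one line above the changed line in vpc-endpoint.ts still reads `// Add only to ISOLATED subnets` while the code beneath it now selects `SubnetType.PRIVATE_ISOLATED`; since `ISOLATED` is the name this commit deprecates, the comment should say `// Add only to PRIVATE_ISOLATED subnets` so the doc example does not steer readers back to the old identifier. The example lives inside the GatewayVpcEndpointOptions doc block, which starts and ends outside the hunk.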
@@ -159,26 +159,69 @@ export interface IVpc extends IResource { */ export enum SubnetType { /** - * Isolated Subnets do not route traffic to the Internet (in this VPC). + * Isolated Subnets do not route traffic to the Internet (in this VPC), + * and as such, do not require NAT gateways. + * + * Isolated subnets can only connect to or be connected to from other + * instances in the same VPC. A default VPC configuration will not include + * isolated subnets. * * This can be good for subnets with RDS or Elasticache instances, * or which route Internet traffic through a peer VPC. + * + * @deprecated use `SubnetType.PRIVATE_ISOLATED` */ ISOLATED = 'Isolated', + /** + * Isolated Subnets do not route traffic to the Internet (in this VPC), + * and as such, do not require NAT gateways. + * + * Isolated subnets can only connect to or be connected to from other + * instances in the same VPC. A default VPC configuration will not include + * isolated subnets. + * + * This can be good for subnets with RDS or Elasticache instances, + * or which route Internet traffic through a peer VPC. + */ + PRIVATE_ISOLATED = 'Isolated', + /** * Subnet that routes to the internet, but not vice versa. * * Instances in a private subnet can connect to the Internet, but will not - * allow connections to be initiated from the Internet. Internet traffic will - * be routed via a NAT Gateway. + * allow connections to be initiated from the Internet. NAT Gateway(s) are + * required with this subnet type to route the Internet traffic through. + * If a NAT Gateway is not required or desired, use `SubnetType.PRIVATE_ISOLATED` instead. + * + * By default, a NAT gateway is created in every public subnet for maximum availability. + * Be aware that you will be charged for NAT gateways. * * Normally a Private subnet will use a NAT gateway in the same AZ, but * if `natGateways` is used to reduce the number of NAT gateways, a NAT * gateway from another AZ will be used instead. 
+ * + * @deprecated use `PRIVATE_WITH_NAT` */ PRIVATE = 'Private', + /** + * Subnet that routes to the internet (via a NAT gateway), but not vice versa. + * + * Instances in a private subnet can connect to the Internet, but will not + * allow connections to be initiated from the Internet. NAT Gateway(s) are + * required with this subnet type to route the Internet traffic through. + * If a NAT Gateway is not required or desired, use `SubnetType.PRIVATE_ISOLATED` instead. + * + * By default, a NAT gateway is created in every public subnet for maximum availability. + * Be aware that you will be charged for NAT gateways. + * + * Normally a Private subnet will use a NAT gateway in the same AZ, but + * if `natGateways` is used to reduce the number of NAT gateways, a NAT + * gateway from another AZ will be used instead. + */ + PRIVATE_WITH_NAT = 'Private', + /** * Subnet connected to the Internet * @@ -206,7 +249,7 @@ export interface SubnetSelection { * * At most one of `subnetType` and `subnetGroupName` can be supplied. * - * @default SubnetType.PRIVATE (or ISOLATED or PUBLIC if there are no PRIVATE subnets) + * @default SubnetType.PRIVATE_WITH_NAT (or ISOLATED or PUBLIC if there are no PRIVATE_WITH_NAT subnets) */ readonly subnetType?: SubnetType; @@ -490,7 +533,7 @@ abstract class VpcBase extends Resource implements IVpc { subnets = this.selectSubnetObjectsByName(selection.subnetGroupName); } else { // Or specify by type - const type = selection.subnetType || SubnetType.PRIVATE; + const type = selection.subnetType || SubnetType.PRIVATE_WITH_NAT; subnets = this.selectSubnetObjectsByType(type); } 
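Review bot: The backward compatibility of the rename rests on an invariant the enum does not state: `PRIVATE_ISOLATED` and the deprecated `ISOLATED` both carry the value `'Isolated'`, and `PRIVATE_WITH_NAT` and `PRIVATE` both carry `'Private'`, so old and new names compare equal at runtime. Every switch and lookup that now names only the new members — `defaultSubnetName` in util.ts and, in vpc.ts, the `allSubnets` map in `selectSubnetObjectsByType`, the `allowOutbound` filter, `subnetTypeTagValue` and `determineNatGatewayCount` — keeps accepting `ISOLATED`/`PRIVATE` only because of that equality; if a later commit gave either new member its own string, `defaultSubnetName` and `subnetTypeTagValue` would fall off their switches and return `undefined` for deprecated callers, and the map lookup would presumably miss. I would pin this next to the values, e.g. on `PRIVATE_ISOLATED`: `// Must keep the same value as the deprecated ISOLATED: the two are compared by value throughout vpc.ts and util.ts.` and the equivalent on `PRIVATE_WITH_NAT` for `PRIVATE`. The two `@deprecated` tags are also worded inconsistently (`SubnetType.PRIVATE_ISOLATED` with the qualifier, `PRIVATE_WITH_NAT` without); the second should read `@deprecated use SubnetType.PRIVATE_WITH_NAT` to match. The enum continues past the end of the hunk (the PUBLIC member follows).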
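Review bot: The rewritten `@default` line on `SubnetSelection.subnetType` mixes new and old names: it says `SubnetType.PRIVATE_WITH_NAT (or ISOLATED or PUBLIC if there are no PRIVATE_WITH_NAT subnets)`, but `ISOLATED` is deprecated by this same commit and the fallback logic patched later in the file uses `PRIVATE_ISOLATED`. It should read `@default SubnetType.PRIVATE_WITH_NAT (or PRIVATE_ISOLATED or PUBLIC if there are no PRIVATE_WITH_NAT subnets)`. Given that the commit's stated motivation is unexpected NAT gateway charges, this line is also the place to say plainly that the default selection prefers the NAT-backed group when one exists, so a caller who wants to stay off the NAT path must pass `subnetType` explicitly.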
@@ -523,8 +566,8 @@ abstract class VpcBase extends Resource implements IVpc { private selectSubnetObjectsByType(subnetType: SubnetType) { const allSubnets = { - [SubnetType.ISOLATED]: this.isolatedSubnets, - [SubnetType.PRIVATE]: this.privateSubnets, + [SubnetType.PRIVATE_ISOLATED]: this.isolatedSubnets, + [SubnetType.PRIVATE_WITH_NAT]: this.privateSubnets, [SubnetType.PUBLIC]: this.publicSubnets, }; @@ -566,7 +609,8 @@ abstract class VpcBase extends Resource implements IVpc { if (placement.subnetType === undefined && placement.subnetGroupName === undefined && placement.subnets === undefined) { // Return default subnet type based on subnets that actually exist - let subnetType = this.privateSubnets.length ? SubnetType.PRIVATE : this.isolatedSubnets.length ? SubnetType.ISOLATED : SubnetType.PUBLIC; + let subnetType = this.privateSubnets.length + ? SubnetType.PRIVATE_WITH_NAT : this.isolatedSubnets.length ? SubnetType.PRIVATE_ISOLATED : SubnetType.PUBLIC; placement = { ...placement, subnetType: subnetType }; } @@ -839,12 +883,12 @@ export interface VpcProps { * { * cidrMask: 24, * name: 'application', - * subnetType: ec2.SubnetType.PRIVATE, + * subnetType: ec2.SubnetType.PRIVATE_WITH_NAT, * }, * { * cidrMask: 28, * name: 'rds', - * subnetType: ec2.SubnetType.ISOLATED, + * subnetType: ec2.SubnetType.PRIVATE_ISOLATED, * } * ] * }); @@ -975,7 +1019,7 @@ export interface SubnetConfiguration { * * // Iterate the private subnets * const selection = vpc.selectSubnets({ - * subnetType: ec2.SubnetType.PRIVATE + * subnetType: ec2.SubnetType.PRIVATE_WITH_NAT * }); * * for (const subnet of selection.subnets) { @@ -1004,8 +1048,8 @@ export class Vpc extends VpcBase { name: defaultSubnetName(SubnetType.PUBLIC), }, { - subnetType: SubnetType.PRIVATE, - name: defaultSubnetName(SubnetType.PRIVATE), + subnetType: SubnetType.PRIVATE_WITH_NAT, + name: defaultSubnetName(SubnetType.PRIVATE_WITH_NAT), }, ]; 
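Review bot: The rewrapped default-type expression declares `let subnetType` although the variable is never reassigned before it is spread into `placement` on the following line inside the same block, and breaking the line before `?` leaves both nested branches together on one line, which hides the three-way choice. I would write it as `const subnetType = this.privateSubnets.length > 0 ? SubnetType.PRIVATE_WITH_NAT` / `: this.isolatedSubnets.length > 0 ? SubnetType.PRIVATE_ISOLATED` / `: SubnetType.PUBLIC;` so each fallback sits on its own line (the `> 0` is only for readability; the truthiness test on `length` is unchanged). The enclosing method starts and ends outside the hunk.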
@@ -1020,8 +1064,8 @@ export class Vpc extends VpcBase { name: defaultSubnetName(SubnetType.PUBLIC), }, { - subnetType: SubnetType.ISOLATED, - name: defaultSubnetName(SubnetType.ISOLATED), + subnetType: SubnetType.PRIVATE_ISOLATED, + name: defaultSubnetName(SubnetType.PRIVATE_ISOLATED), }, ]; @@ -1244,7 +1288,7 @@ export class Vpc extends VpcBase { this.createSubnets(); const allowOutbound = this.subnetConfiguration.filter( - subnet => (subnet.subnetType !== SubnetType.ISOLATED)).length > 0; + subnet => (subnet.subnetType !== SubnetType.PRIVATE_ISOLATED)).length > 0; // Create an Internet Gateway and attach it if necessary if (allowOutbound) { @@ -1396,12 +1440,12 @@ export class Vpc extends VpcBase { this.publicSubnets.push(publicSubnet); subnet = publicSubnet; break; - case SubnetType.PRIVATE: + case SubnetType.PRIVATE_WITH_NAT: const privateSubnet = new PrivateSubnet(this, name, subnetProps); this.privateSubnets.push(privateSubnet); subnet = privateSubnet; break; - case SubnetType.ISOLATED: + case SubnetType.PRIVATE_ISOLATED: const isolatedSubnet = new PrivateSubnet(this, name, subnetProps); this.isolatedSubnets.push(isolatedSubnet); subnet = isolatedSubnet; @@ -1424,8 +1468,8 @@ const SUBNETNAME_TAG = 'aws-cdk:subnet-name'; function subnetTypeTagValue(type: SubnetType) { switch (type) { case SubnetType.PUBLIC: return 'Public'; - case SubnetType.PRIVATE: return 'Private'; - case SubnetType.ISOLATED: return 'Isolated'; + case SubnetType.PRIVATE_WITH_NAT: return 'Private'; + case SubnetType.PRIVATE_ISOLATED: return 'Isolated'; } } 
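Review bot: The rewritten `allowOutbound` predicate builds a filtered array only to test its length; `some` states the intent directly and short-circuits: `const allowOutbound = this.subnetConfiguration.some(subnet => subnet.subnetType !== SubnetType.PRIVATE_ISOLATED);`. Because this flag decides whether an Internet Gateway is created and attached (the `if (allowOutbound)` immediately below), and the predicate looks only at `subnetType` and not at `reserved`, a one-line comment would help anyone auditing the VPC's Internet exposure: `// Any non-isolated subnet group, reserved or not, means the VPC gets an Internet Gateway.` The constructor this belongs to continues outside the hunk.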
@@ -1834,8 +1878,8 @@ class ImportedVpc extends VpcBase { /* eslint-disable max-len */ const pub = new ImportSubnetGroup(props.publicSubnetIds, props.publicSubnetNames, props.publicSubnetRouteTableIds, SubnetType.PUBLIC, this.availabilityZones, 'publicSubnetIds', 'publicSubnetNames', 'publicSubnetRouteTableIds'); - const priv = new ImportSubnetGroup(props.privateSubnetIds, props.privateSubnetNames, props.privateSubnetRouteTableIds, SubnetType.PRIVATE, this.availabilityZones, 'privateSubnetIds', 'privateSubnetNames', 'privateSubnetRouteTableIds'); - const iso = new ImportSubnetGroup(props.isolatedSubnetIds, props.isolatedSubnetNames, props.isolatedSubnetRouteTableIds, SubnetType.ISOLATED, this.availabilityZones, 'isolatedSubnetIds', 'isolatedSubnetNames', 'isolatedSubnetRouteTableIds'); + const priv = new ImportSubnetGroup(props.privateSubnetIds, props.privateSubnetNames, props.privateSubnetRouteTableIds, SubnetType.PRIVATE_WITH_NAT, this.availabilityZones, 'privateSubnetIds', 'privateSubnetNames', 'privateSubnetRouteTableIds'); + const iso = new ImportSubnetGroup(props.isolatedSubnetIds, props.isolatedSubnetNames, props.isolatedSubnetRouteTableIds, SubnetType.PRIVATE_ISOLATED, this.availabilityZones, 'isolatedSubnetIds', 'isolatedSubnetNames', 'isolatedSubnetRouteTableIds'); /* eslint-enable max-len */ this.publicSubnets = pub.import(this); 
@@ -2028,7 +2072,7 @@ class ImportedSubnet extends Resource implements ISubnet, IPublicSubnet, IPrivat * They seem pointless but I see no reason to prevent it. */ function determineNatGatewayCount(requestedCount: number | undefined, subnetConfig: SubnetConfiguration[], azCount: number) { - const hasPrivateSubnets = subnetConfig.some(c => c.subnetType === SubnetType.PRIVATE && !c.reserved); + const hasPrivateSubnets = subnetConfig.some(c => c.subnetType === SubnetType.PRIVATE_WITH_NAT && !c.reserved); const hasPublicSubnets = subnetConfig.some(c => c.subnetType === SubnetType.PUBLIC); const count = requestedCount !== undefined ? Math.min(requestedCount, azCount) : (hasPrivateSubnets ? azCount : 0); diff --git a/packages/@aws-cdk/aws-ec2/test/bastion-host.test.ts b/packages/@aws-cdk/aws-ec2/test/bastion-host.test.ts index f774cf9aaa3d8..2bacb5e918920 100644 --- a/packages/@aws-cdk/aws-ec2/test/bastion-host.test.ts +++ b/packages/@aws-cdk/aws-ec2/test/bastion-host.test.ts @@ -28,7 +28,7 @@ nodeunitShim({ const vpc = new Vpc(stack, 'VPC', { subnetConfiguration: [ { - subnetType: SubnetType.ISOLATED, + subnetType: SubnetType.PRIVATE_ISOLATED, name: 'Isolated', }, ], @@ -53,7 +53,7 @@ nodeunitShim({ const vpc = new Vpc(stack, 'VPC', { subnetConfiguration: [ { - subnetType: SubnetType.ISOLATED, + subnetType: SubnetType.PRIVATE_ISOLATED, name: 'Isolated', }, ], diff --git a/packages/@aws-cdk/aws-ec2/test/integ.reserved-private-subnet.ts b/packages/@aws-cdk/aws-ec2/test/integ.reserved-private-subnet.ts index 8caf7fcdf087d..76c0b35eb2d8e 100644 --- a/packages/@aws-cdk/aws-ec2/test/integ.reserved-private-subnet.ts +++ b/packages/@aws-cdk/aws-ec2/test/integ.reserved-private-subnet.ts @@ -27,7 +27,7 @@ class VpcReservedPrivateSubnetStack extends cdk.Stack { }, { name: 'private', - subnetType: ec2.SubnetType.PRIVATE, + subnetType: ec2.SubnetType.PRIVATE_WITH_NAT, reserved: true, }, ], 
diff --git a/packages/@aws-cdk/aws-ec2/test/integ.vpc-gateway.ts b/packages/@aws-cdk/aws-ec2/test/integ.vpc-gateway.ts index 6e1a4d5648a04..6f84541a29911 100644 --- a/packages/@aws-cdk/aws-ec2/test/integ.vpc-gateway.ts +++ b/packages/@aws-cdk/aws-ec2/test/integ.vpc-gateway.ts @@ -12,7 +12,7 @@ const vpc = new ec2.Vpc(stack, 'MyVpc', { name: 'Public', }, { - subnetType: ec2.SubnetType.ISOLATED, + subnetType: ec2.SubnetType.PRIVATE_ISOLATED, name: 'Isolated', }, ], diff --git a/packages/@aws-cdk/aws-ec2/test/integ.vpc-networkacl.ts b/packages/@aws-cdk/aws-ec2/test/integ.vpc-networkacl.ts index 0167af2bdc168..348f18be18ed2 100644 --- a/packages/@aws-cdk/aws-ec2/test/integ.vpc-networkacl.ts +++ b/packages/@aws-cdk/aws-ec2/test/integ.vpc-networkacl.ts @@ -10,7 +10,7 @@ const vpc = new ec2.Vpc(stack, 'MyVpc'); const nacl1 = new ec2.NetworkAcl(stack, 'myNACL1', { vpc, - subnetSelection: { subnetType: ec2.SubnetType.PRIVATE }, + subnetSelection: { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT }, }); nacl1.addEntry('AllowDNSEgress', { diff --git a/packages/@aws-cdk/aws-ec2/test/vpc-endpoint.test.ts b/packages/@aws-cdk/aws-ec2/test/vpc-endpoint.test.ts index 267c48a9e4145..79a9f3594479e 100644 --- a/packages/@aws-cdk/aws-ec2/test/vpc-endpoint.test.ts +++ b/packages/@aws-cdk/aws-ec2/test/vpc-endpoint.test.ts @@ -64,7 +64,7 @@ nodeunitShim({ subnetType: SubnetType.PUBLIC, }, { - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, }, ], }, diff --git a/packages/@aws-cdk/aws-ec2/test/vpc.from-lookup.test.ts b/packages/@aws-cdk/aws-ec2/test/vpc.from-lookup.test.ts index 12ed7d05329d5..65e4b071a0b53 100644 --- a/packages/@aws-cdk/aws-ec2/test/vpc.from-lookup.test.ts +++ b/packages/@aws-cdk/aws-ec2/test/vpc.from-lookup.test.ts 
@@ -166,7 +166,7 @@ nodeunitShim({ }); // WHEN - const subnets = vpc.selectSubnets({ subnetType: SubnetType.PRIVATE, onePerAz: true }); + const subnets = vpc.selectSubnets({ subnetType: SubnetType.PRIVATE_WITH_NAT, onePerAz: true }); // THEN: we got 2 subnets and not 4 test.deepEqual(subnets.subnets.map(s => s.availabilityZone), ['us-east-1c', 'us-east-1d']); diff --git a/packages/@aws-cdk/aws-ec2/test/vpc.test.ts b/packages/@aws-cdk/aws-ec2/test/vpc.test.ts index d65bc016271be..355f4fd3662c7 100644 --- a/packages/@aws-cdk/aws-ec2/test/vpc.test.ts +++ b/packages/@aws-cdk/aws-ec2/test/vpc.test.ts @@ -146,7 +146,7 @@ nodeunitShim({ new Vpc(stack, 'TheVPC', { subnetConfiguration: [ { - subnetType: SubnetType.ISOLATED, + subnetType: SubnetType.PRIVATE_ISOLATED, name: 'Isolated', }, ], @@ -168,7 +168,7 @@ nodeunitShim({ name: 'Public', }, { - subnetType: SubnetType.ISOLATED, + subnetType: SubnetType.PRIVATE_ISOLATED, name: 'Isolated', }, ], @@ -186,7 +186,7 @@ nodeunitShim({ name: 'Public', }, { - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, name: 'private', }, ], @@ -194,7 +194,7 @@ nodeunitShim({ const nacl1 = new NetworkAcl(stack, 'myNACL1', { vpc, - subnetSelection: { subnetType: SubnetType.PRIVATE }, + subnetSelection: { subnetType: SubnetType.PRIVATE_WITH_NAT }, }); new NetworkAclEntry(stack, 'AllowDNSEgress', { @@ -233,7 +233,7 @@ nodeunitShim({ const vpc = new Vpc(stack, 'TheVPC', { subnetConfiguration: [ { - subnetType: SubnetType.ISOLATED, + subnetType: SubnetType.PRIVATE_ISOLATED, name: 'isolated', }, { @@ -260,7 +260,7 @@ nodeunitShim({ const vpc = new Vpc(stack, 'TheVPC', { subnetConfiguration: [ { - subnetType: SubnetType.ISOLATED, + subnetType: SubnetType.PRIVATE_ISOLATED, name: 'isolated', }, ], 
@@ -283,13 +283,13 @@ nodeunitShim({ { cidrMask: 24, name: 'reserved', - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, reserved: true, }, { cidrMask: 28, name: 'rds', - subnetType: SubnetType.ISOLATED, + subnetType: SubnetType.PRIVATE_ISOLATED, }, ], maxAzs: 3, @@ -310,13 +310,13 @@ nodeunitShim({ { cidrMask: 24, name: 'reserved', - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, reserved: true, }, { cidrMask: 24, name: 'rds', - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, }, ], maxAzs: 3, @@ -352,12 +352,12 @@ nodeunitShim({ { cidrMask: 24, name: 'application', - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, }, { cidrMask: 28, name: 'rds', - subnetType: SubnetType.ISOLATED, + subnetType: SubnetType.PRIVATE_ISOLATED, }, ], maxAzs: 3, @@ -391,12 +391,12 @@ nodeunitShim({ { cidrMask: 24, name: 'application', - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, }, { cidrMask: 28, name: 'rds', - subnetType: SubnetType.ISOLATED, + subnetType: SubnetType.PRIVATE_ISOLATED, }, ], maxAzs: 3, @@ -509,7 +509,7 @@ nodeunitShim({ { cidrMask: 24, name: 'private', - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, }, ], natGatewaySubnets: { @@ -541,7 +541,7 @@ nodeunitShim({ }, { name: 'private', - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, }, ], }); @@ -583,7 +583,7 @@ nodeunitShim({ }, { name: 'private', - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, reserved: true, }, ], @@ -608,7 +608,7 @@ nodeunitShim({ { cidrMask: 24, name: 'private', - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, }, ], natGatewaySubnets: { 
@@ -662,12 +662,12 @@ nodeunitShim({ new Vpc(stack, 'VPC', { subnetConfiguration: [ { subnetType: SubnetType.PUBLIC, name: 'Public' }, - { subnetType: SubnetType.ISOLATED, name: 'Isolated' }, + { subnetType: SubnetType.PRIVATE_ISOLATED, name: 'Isolated' }, ], vpnGateway: true, vpnRoutePropagation: [ { - subnetType: SubnetType.ISOLATED, + subnetType: SubnetType.PRIVATE_ISOLATED, }, ], }); @@ -696,16 +696,16 @@ nodeunitShim({ new Vpc(stack, 'VPC', { subnetConfiguration: [ { subnetType: SubnetType.PUBLIC, name: 'Public' }, - { subnetType: SubnetType.PRIVATE, name: 'Private' }, - { subnetType: SubnetType.ISOLATED, name: 'Isolated' }, + { subnetType: SubnetType.PRIVATE_WITH_NAT, name: 'Private' }, + { subnetType: SubnetType.PRIVATE_ISOLATED, name: 'Isolated' }, ], vpnGateway: true, vpnRoutePropagation: [ { - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, }, { - subnetType: SubnetType.ISOLATED, + subnetType: SubnetType.PRIVATE_ISOLATED, }, ], }); @@ -743,7 +743,7 @@ nodeunitShim({ new Vpc(stack, 'VPC', { subnetConfiguration: [ { subnetType: SubnetType.PUBLIC, name: 'Public' }, - { subnetType: SubnetType.ISOLATED, name: 'Isolated' }, + { subnetType: SubnetType.PRIVATE_ISOLATED, name: 'Isolated' }, ], vpnGateway: true, }); @@ -1292,12 +1292,12 @@ nodeunitShim({ const vpc = new Vpc(stack, 'VPC', { subnetConfiguration: [ { subnetType: SubnetType.PUBLIC, name: 'Public' }, - { subnetType: SubnetType.ISOLATED, name: 'Isolated' }, + { subnetType: SubnetType.PRIVATE_ISOLATED, name: 'Isolated' }, ], }); // WHEN - const { subnetIds } = vpc.selectSubnets({ subnetType: SubnetType.ISOLATED }); + const { subnetIds } = vpc.selectSubnets({ subnetType: SubnetType.PRIVATE_ISOLATED }); // THEN test.deepEqual(subnetIds, vpc.isolatedSubnets.map(s => s.subnetId)); 
@@ -1311,8 +1311,8 @@ nodeunitShim({ const vpc = new Vpc(stack, 'VPC', { subnetConfiguration: [ { subnetType: SubnetType.PUBLIC, name: 'BlaBla' }, - { subnetType: SubnetType.PRIVATE, name: 'DontTalkToMe' }, - { subnetType: SubnetType.ISOLATED, name: 'DontTalkAtAll' }, + { subnetType: SubnetType.PRIVATE_WITH_NAT, name: 'DontTalkToMe' }, + { subnetType: SubnetType.PRIVATE_ISOLATED, name: 'DontTalkAtAll' }, ], }); @@ -1330,8 +1330,8 @@ nodeunitShim({ const vpc = new Vpc(stack, 'VPC', { subnetConfiguration: [ { subnetType: SubnetType.PUBLIC, name: 'BlaBla' }, - { subnetType: SubnetType.PRIVATE, name: 'DontTalkToMe' }, - { subnetType: SubnetType.ISOLATED, name: 'DontTalkAtAll' }, + { subnetType: SubnetType.PRIVATE_WITH_NAT, name: 'DontTalkToMe' }, + { subnetType: SubnetType.PRIVATE_ISOLATED, name: 'DontTalkAtAll' }, ], }); @@ -1398,8 +1398,8 @@ nodeunitShim({ maxAzs: 1, subnetConfiguration: [ { name: 'lb', subnetType: SubnetType.PUBLIC }, - { name: 'app', subnetType: SubnetType.PRIVATE }, - { name: 'db', subnetType: SubnetType.PRIVATE }, + { name: 'app', subnetType: SubnetType.PRIVATE_WITH_NAT }, + { name: 'db', subnetType: SubnetType.PRIVATE_WITH_NAT }, ], }); @@ -1579,7 +1579,7 @@ nodeunitShim({ privateDnsEnabled: false, service: new InterfaceVpcEndpointService('com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc', 443), subnets: { - subnetType: SubnetType.PRIVATE, + subnetType: SubnetType.PRIVATE_WITH_NAT, availabilityZones: ['dummy1a', 'dummy1c'], }, });