Skip to content

Instantly share code, notes, and snippets.

@mrpackethead
Created January 12, 2023 18:02
Show Gist options
  • Save mrpackethead/dae981042ac03fa7153f179364431de6 to your computer and use it in GitHub Desktop.
Save mrpackethead/dae981042ac03fa7153f179364431de6 to your computer and use it in GitHub Desktop.
import * as cdk from 'aws-cdk-lib';
import {
aws_ec2 as ec2,
}
from 'aws-cdk-lib';
import * as constructs from 'constructs';
import * as raindancersNetwork from 'raindancers-network';
export interface TgDXS2SProps extends cdk.StackProps{
raindancersNetwork: raindancersNetwork.CoreNetwork;
redSegment: raindancersNetwork.CoreNetworkSegment
}
export class TgDXS2S extends cdk.Stack {
constructor(scope: constructs.Construct, id: string, props: TgDXS2SProps) {
super(scope, id, props);
// Create a Transit Gateway, and attach it to the Core Network
const tg = new raindancersNetwork.raindancersNetworkTGW(this, 'tg', {
amazonSideAsn: '65200',
attachmentSegment: props.redSegment.segmentName,
description: 'DXTransitGateway',
raindancersNetwork: props.raindancersNetwork,
tgCidr: ['10.64.254.0/24'], // this is the address block which the TG will use to create prviate VPN tunnels against.
});
// Attach the Transit Gateway to an exisiting DX Gateway
const dXAssociationId = tg.createDirectConnectGatewayAssociation('<yourdxgatewayId>');
// Create Customer Endpoints
const endPointOne = new ec2.CfnCustomerGateway(this, 'endpointone', {
bgpAsn: 65001,
ipAddress: '192.168.168.168',
type: 'ipsec.1',
tags: [
{
key: 'Name',
value: 'endPointOne',
},
],
});
const endPointTwo = new ec2.CfnCustomerGateway(this, 'endpointtwo', {
bgpAsn: 65002,
ipAddress: '192.168.192.168',
type: 'ipsec.1',
tags: [
{
key: 'Name',
value: 'endPointTwo',
},
],
});
// create a Specification Set to build ipsec VPN's out of
const VPNSpec: raindancersNetwork.VpnSpecProps = {
// Options
enableAcceleration: false,
localIpv4NetworkCidr: '0.0.0.0/0',
remoteIpv4NetworkCidr: '0.0.0.0/0',
outsideIpAddressType: raindancersNetwork.OutsideIpAddressType.PRIVATE,
staticRoutesOnly: false,
tunnelInsideIpVersion: raindancersNetwork.TunnelInsideIpVersion.IPV4,
//tunnel options
dpdTimeoutAction: raindancersNetwork.DPDTimeoutAction.RESTART,
dpdTimeoutSeconds: 30,
ikeVersions: [raindancersNetwork.IkeVersion.IKEV2],
enableLogging: true,
phase1DHGroupNumbers: [16, 20],
phase1EncryptionAlgorithms: [raindancersNetwork.Phase1EncryptionAlgorithms.AES256],
phase1IntegrityAlgorithms: [raindancersNetwork.Phase1IntegrityAlgorithms.SHA2_512],
phase1LifetimeSeconds: 14400, // fourhours
phase2DHGroupNumbers: [16, 20],
phase2EncryptionAlgorithms: [raindancersNetwork.Phase2EncryptionAlgorithms.AES256_GCM_16],
phase2IntegrityAlgorithms: [raindancersNetwork.Phase2IntegrityAlgorithms.SHA2_512],
phase2LifeTimeSeconds: 1800,
replayWindowSize: 512,
};
// Create an IPAM pool for assigning Tunnels. This creates a pool that has specific rules.
const tunnelIPAMPool = new raindancersNetwork.IpsecTunnelPool(this, 'ipampool', {
ipamScopeId: '<yourscopeId>',
cidr: '169.254.100.0/27',
description: 'Addressing for IPSec Tunnels',
name: 'OnPremVPNTunnels',
});
tg.adds2sVPN('endpointOneVpn', {
customerGateway: endPointOne,
tunnelIpamPool: tunnelIPAMPool.ipampool,
vpnspec: VPNSpec,
});
tg.adds2sVPN('endpointTwoVpn', {
customerGateway: endPointTwo,
tunnelIpamPool: tunnelIPAMPool.ipampool,
vpnspec: VPNSpec,
});
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment