Creating AWS VPC using CDK with Python
whoami
Hello! I’m Jayachandhar, Principal Member of Technical Staff at Fyle. I work on infrastructure projects and also help Fyle stay secure.
Introduction to VPC and CDK
AWS VPC (Virtual Private Cloud) enables you to launch virtual networks logically separated from other virtual networks in the cloud. In addition, it lets you control your network configuration, including IP addressing, subnets, routing, and security.
AWS CDK (Cloud Development Kit) is a software development framework for defining cloud infrastructure as code (IaC). CDK simplifies provisioning AWS resources by providing a high-level, object-oriented abstraction over AWS CloudFormation templates. You define your infrastructure in a familiar programming language such as TypeScript, Python, Java, C#, or Go, and then use the CDK CLI to synthesise it into CloudFormation and deploy it to your AWS account.
Why is this important?
VPCs are a critical element of cloud infrastructure, allowing businesses to create and maintain their own customised network, isolated from other networks within AWS. This network isolation limits which networks can reach sensitive data and resources at all, reducing their exposure to attack, and it also helps organisations meet regulatory and security compliance requirements such as PCI DSS and HIPAA.
Configuring VPC via AWS CDK offers several advantages, including IaC (Infrastructure as Code), automation, flexibility, reusability, and collaboration, leading to more efficient, scalable, and manageable infrastructure deployments compared to manual configuration. In addition, CDK makes it easy to version, manage, peer-review, and track changes to your infrastructure.
Overview of the solution
The solution consists of an AWS VPC spread across two availability zones, with the subnets required to run a three-tier application.
In this blog, we will explore how to provision the above setup using AWS CDK with Python.
Pre-requisites
Let's create a new CDK project in Python. This assumes the CDK CLI is installed (npm install -g aws-cdk, which needs Node.js), along with Python 3 and configured AWS credentials.
# create project directory
mkdir vpc-demo
cd vpc-demo
# initialise a CDK python project
cdk init app --language python
# install required python packages
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
Folder structure after above steps
Let's configure the AWS VPC
Modify vpc_demo/vpc_demo_stack.py with the following
import aws_cdk.aws_ec2 as ec2
import aws_cdk.aws_s3 as s3
from aws_cdk import Stack
from constructs import Construct


class VpcDemoStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        self.vpc_name = 'vpc-demo'
        self.vpc_cidr = '192.168.0.0/16'
        self.__create_vpc()

    def __create_vpc(self):
        vpc_construct_id = 'vpc'
        audit_bucket_construct_id = 'audit-bucket'
        audit_bucket_name = 'vpc-demo-audit-bucket'

        # Reference an existing bucket by name; the stack neither creates nor manages it
        self.audit_bucket = s3.Bucket.from_bucket_name(
            self, audit_bucket_construct_id, audit_bucket_name
        )

        self.vpc: ec2.Vpc = ec2.Vpc(
            self, vpc_construct_id,
            vpc_name=self.vpc_name,
            ip_addresses=ec2.IpAddresses.cidr(self.vpc_cidr),
            max_azs=2,
            # One subnet of each configuration is created in every availability zone
            subnet_configuration=[
                ec2.SubnetConfiguration(
                    subnet_type=ec2.SubnetType.PUBLIC,  # default route to the internet gateway
                    name='Public',
                    cidr_mask=20
                ),
                ec2.SubnetConfiguration(
                    subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS,  # outbound only, via NAT gateway
                    name='Compute',
                    cidr_mask=20
                ),
                ec2.SubnetConfiguration(
                    subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,  # no route to the internet at all
                    name='RDS',
                    cidr_mask=20
                )
            ],
            nat_gateways=1,
            flow_logs={
                'flow-logs-s3': {
                    'destination': ec2.FlowLogDestination.to_s3(
                        bucket=self.audit_bucket,
                        key_prefix='vpc-logs/{vpc_name}'.format(vpc_name=self.vpc_name)
                    )
                }
            }
        )
Here we are creating an AWS VPC named vpc-demo that spans two availability zones and contains six subnets (a /20 of each kind in each zone, taken from the 192.168.0.0/16 VPC range).
Two public subnets, whose route table points at the internet gateway, for running a load balancer or any other publicly exposed AWS service.
Two private subnets, whose default route goes through the NAT gateway, for running backend applications.
Two isolated subnets, with no route to the internet in either direction, for running RDS instances.
We are creating one NAT gateway so that backend applications and host machines can make outbound connections to the internet; the common use case is installing a package or pulling Docker images. A NAT gateway only allows connections initiated from inside the VPC, nothing on the internet can initiate a connection to the private subnets through it. Note that nat_gateways=1 places a single NAT gateway in one availability zone and routes both private subnets through it, so egress from the other zone depends on that zone staying healthy; set nat_gateways=2 for one per zone if that matters more than the cost.
Finally, we configure VPC flow logs to be delivered to an existing S3 bucket named vpc-demo-audit-bucket. Because the bucket is imported by name, CDK cannot attach a bucket policy for you: make sure the bucket's policy already allows the delivery.logs.amazonaws.com service principal to call s3:PutObject under the vpc-logs/ prefix and s3:GetBucketAcl on the bucket, otherwise the flow log resource will be created but no logs will arrive.
Know your changes
The cdk synth command synthesises your CDK app into a CloudFormation template (written to the cdk.out directory), which you can inspect before deploying the stack. Use the following command:
cdk synth
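Reading the synthesised template is also the right moment to check the security properties this stack is meant to have, before anything is deployed. The script below is an added example and is not part of the original post or of CDK itself: it loads the JSON that cdk synth writes (cdk.out/VpcDemoStack.template.json, assuming the stack name that cdk init puts in app.py) and reports a finding if an isolated subnet has any default route, if a private subnet's default route does not go through a NAT gateway, if a public subnet has no internet gateway route, or if the VPC flow log is missing, does not capture ALL traffic, or is not delivered to S3. It relies on the aws-cdk:subnet-type tag that CDK adds to every subnet it creates. SAMPLE_TEMPLATE is a constructed, cut-down stand-in for real synth output (one subnet per tier, illustrative logical IDs) so the script runs offline; misrouted_variant() is a constructed bad case.

```python
"""Offline policy check over a synthesised CDK/CloudFormation template (added example)."""
import copy
import json
import sys

SUBNET_TYPE_TAG = "aws-cdk:subnet-type"  # CDK tags subnets Public / Private / Isolated


def _ref(value):
    """Resolve a {"Ref": "LogicalId"} intrinsic to the logical ID; pass strings through."""
    return value.get("Ref") if isinstance(value, dict) else value


def _tag(resource, key):
    for tag in resource.get("Properties", {}).get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def _of_type(resources, type_name):
    return {k: v for k, v in resources.items() if v.get("Type") == type_name}


def check_template(template):
    """Return a list of human-readable findings; an empty list means the template passes."""
    resources = template.get("Resources", {})

    # subnet logical ID -> route table logical ID, via the association resources
    rt_of = {}
    for assoc in _of_type(resources, "AWS::EC2::SubnetRouteTableAssociation").values():
        props = assoc["Properties"]
        rt_of[_ref(props["SubnetId"])] = _ref(props["RouteTableId"])

    # route table logical ID -> its 0.0.0.0/0 routes (there may be none)
    default_routes = {}
    for route in _of_type(resources, "AWS::EC2::Route").values():
        props = route["Properties"]
        if props.get("DestinationCidrBlock") == "0.0.0.0/0":
            default_routes.setdefault(_ref(props["RouteTableId"]), []).append(props)

    findings = []
    for subnet_id, subnet in _of_type(resources, "AWS::EC2::Subnet").items():
        kind = _tag(subnet, SUBNET_TYPE_TAG)
        routes = default_routes.get(rt_of.get(subnet_id), [])
        if kind == "Isolated" and routes:
            findings.append(f"{subnet_id}: isolated subnet has a default route")
        elif kind == "Private" and not (routes and all("NatGatewayId" in r for r in routes)):
            findings.append(f"{subnet_id}: private subnet must reach the internet only via a NAT gateway")
        elif kind == "Public" and not any("GatewayId" in r for r in routes):
            findings.append(f"{subnet_id}: public subnet has no internet gateway route")

    flow_logs = _of_type(resources, "AWS::EC2::FlowLog")
    if not flow_logs:
        findings.append("no VPC flow log defined")
    for log_id, log in flow_logs.items():
        props = log["Properties"]
        if props.get("TrafficType") != "ALL":
            findings.append(f"{log_id}: flow log must capture ALL traffic")
        if props.get("LogDestinationType") != "s3":
            findings.append(f"{log_id}: flow log destination is not S3")
    return findings


def _subnet(kind):
    return {"Type": "AWS::EC2::Subnet", "Properties": {"Tags": [{"Key": SUBNET_TYPE_TAG, "Value": kind}]}}


def _assoc(subnet, rt):
    return {"Type": "AWS::EC2::SubnetRouteTableAssociation",
            "Properties": {"SubnetId": {"Ref": subnet}, "RouteTableId": {"Ref": rt}}}


# Constructed stand-in for cdk synth output: one subnet per tier, illustrative logical IDs.
SAMPLE_TEMPLATE = {"Resources": {
    "IGW": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
    "NatGw": {"Type": "AWS::EC2::NatGateway", "Properties": {}},
    "PublicSubnet": _subnet("Public"), "ComputeSubnet": _subnet("Private"), "RDSSubnet": _subnet("Isolated"),
    "PublicRT": {"Type": "AWS::EC2::RouteTable", "Properties": {}},
    "ComputeRT": {"Type": "AWS::EC2::RouteTable", "Properties": {}},
    "RDSRT": {"Type": "AWS::EC2::RouteTable", "Properties": {}},
    "PublicAssoc": _assoc("PublicSubnet", "PublicRT"),
    "ComputeAssoc": _assoc("ComputeSubnet", "ComputeRT"),
    "RDSAssoc": _assoc("RDSSubnet", "RDSRT"),  # isolated: route table deliberately has no routes
    "PublicDefaultRoute": {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": {"Ref": "PublicRT"}, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "IGW"}}},
    "ComputeDefaultRoute": {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": {"Ref": "ComputeRT"}, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": {"Ref": "NatGw"}}},
    "FlowLog": {"Type": "AWS::EC2::FlowLog", "Properties": {
        "ResourceType": "VPC", "TrafficType": "ALL", "LogDestinationType": "s3",
        "LogDestination": "arn:aws:s3:::vpc-demo-audit-bucket/vpc-logs/vpc-demo/"}},
}}


def misrouted_variant():
    """Constructed bad case: the RDS subnet is attached to the compute route table by mistake."""
    bad = copy.deepcopy(SAMPLE_TEMPLATE)
    bad["Resources"]["RDSAssoc"]["Properties"]["RouteTableId"] = {"Ref": "ComputeRT"}
    return bad


if __name__ == "__main__":
    # Usage: python check_vpc_template.py cdk.out/VpcDemoStack.template.json
    # With no argument the constructed SAMPLE_TEMPLATE is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    problems = check_template(template)
    print("\n".join(problems) if problems else "OK: no findings")
    sys.exit(1 if problems else 0)
```

Run it against the real cdk.out template as a pre-deploy gate (the non-zero exit code makes it usable in CI); the constructed misrouted_variant() shows the kind of mistake it catches, an isolated database subnet that silently gains a path to the internet through a NAT gateway.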
The cdk diff command compares the synthesised template with the stack currently deployed in your account and shows the changes a deployment would make, so you can review and validate them before they are applied. Use the following command:
cdk diff
Output of the cdk diff should be like the following
Deploying your changes
Once you have reviewed the infrastructure changes with cdk diff (always review the changes), use the following command to deploy them to AWS. If this account and region have never been used with CDK before, run cdk bootstrap once first.
cdk deploy
Cleanup
Now that we have deployed and tested the demo code, it's time to clean up.
The cdk destroy command removes the resources created during deployment. The imported audit bucket is only referenced by the stack, so it and the flow logs already delivered to it are left in place.
cdk destroy
⚠️ Proceed with caution with the destroy command in production CDK stacks.