Elastic IP association for generated NAT in VPC

[rafiek]

🚀 Feature Request

General Information

• 👋 I may be able to implement this feature request

• ⚠️ This feature might incur a breaking change

Description

It would be great to be able to create a NAT gateway and associate an EIP with it. Currently I create a VPC and that automatically generates a NAT for me. But it's not possible to alter the NAT or to associate an EIP with the generated NAT.

My use case is that I need a Fargate outbound request mapped to a static IP. This IP will be whitelisted in our on-premise datacenter.

Proposed Solution

new Vpc(this, "myVpc", {
    maxAzs: 2,
    cidr: '10.0.0.0/16',
    natGateways: 1,
    allocationIDs: ['eipalloc-12abcde34a5fab67']           
    subnetConfiguration: [
        {
            cidrMask: 24,
            name: 'sonar_nat_lb',
            subnetType: SubnetType.PUBLIC
         },
         {
            cidrMask: 24,
            name: 'sonar_fargate',
            subnetType: SubnetType.PRIVATE
          }
    ]
});

Allocation ID can be optional as the NAT Gateway will default create its own EIP.

Environment

• CDK CLI Version: 1.8.0
• Module Version: 1.8.0
• OS: all
• Language: TypeScript

Other information

On a sidenote, it is also not possible to create an EIP with CDK, but that's a different feature-request.

[kevin-lindsay-1]

@rafiek I still need to test this, but I have a super jank workaround until this is addressed.
@rix0rrr apologies for what you're about to witness.

// PrefSet is not exported, so grabbing it for this workaround
class PrefSet<A> {
  private readonly map: Record<string, A> = {};
  private readonly vals = new Array<A>();
  private next = 0;

  public add(pref: string, value: A) {
    this.map[pref] = value;
    this.vals.push(value);
  }

  public pick(pref: string): A {
    if (this.vals.length === 0) {
      throw new Error("Cannot pick, set is empty");
    }

    if (pref in this.map) {
      return this.map[pref];
    }
    return this.vals[this.next++ % this.vals.length];
  }
}

// allocation ids of EIPs
const allocationIds = ["eipalloc-xxx1", "eipalloc-xxx2"];

/**
 * create default NAT Gateway Provider, overriding the `configureNat` method
 * to manually specify the allocation IDs
 */
const natGatewayProvider = NatProvider.gateway();
natGatewayProvider.configureNat = options => {
  const gatewayIds = new PrefSet<string>();

  // modified
  let count = 0;

  for (const sub of options.natSubnets) {
    sub.addNatGateway = () => {
      // Create a NAT Gateway in this public subnet
      const ngw = new CfnNatGateway(sub, `NATGateway`, {
        subnetId: sub.subnetId,

        // modified
        allocationId: allocationIds[count]
      });
      return ngw;
    };
    const gateway = sub.addNatGateway();
    gatewayIds.add(sub.availabilityZone, gateway.ref);

    // modified
    count += 1;
  }

  // Add routes to them in the private subnets
  for (const sub of options.privateSubnets) {
    sub.addRoute("DefaultRoute", {
      routerType: RouterType.NAT_GATEWAY,
      routerId: gatewayIds.pick(sub.availabilityZone),
      enablesInternetConnectivity: true
    });
  }
};

const vpc = new Vpc(this, "Vpc", {
  natGatewayProvider
});

[rix0rrr]

My suggestion would indeed have been to implement your custom NatProvider subclass, which configures the provider exactly the way you want it to.

@kevin-lindsay-1 has as good as done that, except done it by instantiating the existing class and then replacing its implementation, which JavaScript totally lets you do :).

I don't think this is a feature we'll add to the core library. We've added an extension point that will let you inject your customization at the point where you need it, which is the NatProvider base class.

[lbjay]

Is the NatGatewayProvider class not exported on purpose? I'm looking at doing this janky workaround myself and wishing I could simply extend that class. Did that maybe contribute to some of the jank in the workaround by @kevin-lindsay-1?

[zoonderkins]

I hope cdk can implement this feature.
Cuz on many commercial use case as far I know, they only allow whitelist IPs to call their Api. Its kinda ugly to work around.

Will run cdk deploy and force to run modifyIP.js to rewrite cloudformation template

const vpc = new ec2.Vpc(this, `VPC-${environment.ENV}`, {
      cidr: '10.0.0.0/16',
      maxAzs: 3,
      natGateways: 2,
      enableDnsHostnames: true,
      enableDnsSupport: true,
    });

    // Iterate the private subnets
    const selectionPrivate = vpc.selectSubnets({
      subnetType: ec2.SubnetType.PRIVATE,
    });
    const selectionPublic = vpc.selectSubnets({
      subnetType: ec2.SubnetType.PUBLIC,
    });

    selectionPublic.subnets[0].node.defaultChild['cidrBlock'] = '10.0.0.0/24';
    selectionPrivate.subnets[0].node.defaultChild['cidrBlock'] = '10.0.10.0/24';
    
    selectionPublic.subnets[1].node.defaultChild['cidrBlock'] = '10.0.1.0/24';
    selectionPrivate.subnets[1].node.defaultChild['cidrBlock'] = '10.0.11.0/24';

// modifiyIP.js
const path1 = './packages/infra/cdk.out/infra-dev.template.json';
const rawdata = fs.readFileSync(path);
const te = JSON.parse(rawdata);
const newJson = te;
const publicIP1 = 'eipalloc-0cxxxxxd66';
const publicIP2 = 'eipalloc-0930xxxx8a6a';
delete newJson.Resources.BridgeVPCdevPublicSubnet1EIPAAC8BBEA;
delete newJson.Resources.BridgeVPCdevPublicSubnet2EIP4C41D39A;
newJson.Resources.BridgeVPCdevPublicSubnet1NATGateway90C16FAD.Properties.AllocationId = publicIP1;
newJson.Resources.BridgeVPCdevPublicSubnet2NATGatewayA1415266.Properties.AllocationId = publicIP2;
fs.writeFile(path, JSON.stringify(newJson), err => {
  if (err) throw err;
  console.log("It's saved!");
});