{"id":36712718,"url":"https://github.com/hops-ops/aws-network","last_synced_at":"2026-03-15T13:54:06.151Z","repository":{"id":329811977,"uuid":"1091970032","full_name":"hops-ops/aws-network","owner":"hops-ops","description":"Network XRD","archived":false,"fork":false,"pushed_at":"2026-01-19T09:04:06.000Z","size":229,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-19T16:51:06.457Z","etag":null,"topics":["aws","aws-ec2","aws-networking","aws-subnet","aws-vpc","crossplane","crossplane-configuration","crossplane-configurations","crossplane-xrd","xrd"],"latest_commit_sha":null,"homepage":"","language":"KCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hops-ops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-11-07T19:42:55.000Z","updated_at":"2026-01-19T09:03:42.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/hops-ops/aws-network","commit_stats":null,"previous_names":["hops-ops/configuration-aws-network","hops-ops/aws-network"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/hops-ops/aws-network","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-network","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-network/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-network/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-network/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hops-ops","download_url":"https://codeload.github.com/hops-ops/aws-network/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-network/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29634839,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-19T18:02:07.722Z","status":"ssl_error","status_checked_at":"2026-02-19T18:01:46.144Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-ec2","aws-networking","aws-subnet","aws-vpc","crossplane","crossplane-configuration","crossplane-configurations","crossplane-xrd","xrd"],"created_at":"2026-01-12T11:50:26.859Z","updated_at":"2026-03-15T13:54:06.144Z","avatar_url":"https://github.com/hops-ops.png","language":"KCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Network Configuration\n\nCreate production-ready AWS VPCs with IPAM-backed CIDR allocation, dual-stack IPv6 support, and flexible NAT strategies. Designed to grow from individual projects to enterprise deployments.\n\n## Quick Start\n\n### Minimal Network (Manual CIDRs)\n\nThe simplest configuration with explicit CIDR blocks:\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: Network\nmetadata:\n  name: my-network\n  namespace: dev\nspec:\n  region: us-east-1\n  providerConfigRef:\n    name: default\n  vpc:\n    cidr: \"10.1.0.0/16\"\n  subnets:\n    - name: my-network-public-a\n      cidr: \"10.1.0.0/24\"\n      availabilityZone: a\n      public: true\n    - name: my-network-public-b\n      cidr: \"10.1.1.0/24\"\n      availabilityZone: b\n      public: true\n    - name: my-network-private-a\n      cidr: \"10.1.16.0/20\"\n      availabilityZone: a\n    - name: my-network-private-b\n      cidr: \"10.1.32.0/20\"\n      availabilityZone: b\n```\n\n**Cost: ~$0/mo** | **Created: VPC, 4 subnets, IGW, route tables**\n\n### IPAM + Dual-Stack (Recommended)\n\nFor enterprise deployments, use IPAM for automatic CIDR allocation:\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: Network\nmetadata:\n  name: my-network\n  namespace: dev\nspec:\n  region: us-east-1\n  providerConfigRef:\n    name: default\n  ipam:\n    ipv4:\n      enabled: true\n      poolId: ipam-pool-0123456789abcdef0\n      netmaskLength: 16\n    ipv6Ula:\n      enabled: true\n      poolId: ipam-pool-0fedcba9876543210\n      netmaskLength: 56\n  subnetLayout:\n    availabilityZones: [a, b, c]\n    public:\n      enabled: true\n      netmaskLength: 24\n    private:\n      enabled: true\n      netmaskLength: 20\n  nat:\n    enabled: false\n```\n\n**Cost: ~$0/mo** | **Created: VPC, 6 subnets, IGW, Egress-Only IGW, routes**\n\n### Why No NAT by Default?\n\nFor Kubernetes workloads, NAT Gateways are often unnecessary:\n\n1. **Public ingress via Load Balancers** - The platform handles external traffic to your services\n2. **IPv6 egress is free** - Pods use the Egress-Only Internet Gateway for outbound IPv6 traffic\n3. **VPC Endpoints for AWS services** - Access ECR, S3 via private endpoints\n\nThis saves ~$32/mo. Add NAT later if you need IPv4 egress to external services.\n\n## Why Start with IPAM + IPv6?\n\n### IPAM Benefits\n- **No CIDR planning** - Automatic allocation from centrally managed pools\n- **No conflicts** - IPAM prevents overlapping ranges across VPCs\n- **Multi-account ready** - Share pools via RAM when you scale\n\n### IPv6 Benefits\n- **EKS Auto Mode** - IPv6 prevents IP exhaustion when scaling\n- **Future-proof** - Native dual-stack from day one\n- **Cost savings** - Egress-Only IGW is free (vs $32/mo NAT per AZ for IPv4)\n\n## Understanding NAT Gateways\n\n### What is NAT and Why Do You Need It?\n\n**NAT (Network Address Translation)** allows resources in private subnets to initiate outbound connections to the internet while remaining unreachable from the internet.\n\n**Common use cases requiring outbound internet access:**\n- Pulling container images from Docker Hub or external registries\n- Calling external APIs (payment processors, SaaS services)\n- Downloading OS updates and security patches\n- Sending logs/metrics to external platforms\n\n### NAT Gateway Costs\n\n| Component | Cost |\n|-----------|------|\n| NAT Gateway (per hour) | ~$0.045/hr (~$32/mo) |\n| Data processing | $0.045/GB |\n\n**This is per NAT Gateway.** With HighlyAvailable (one per AZ), you're paying 3x the base cost.\n\n### NAT Strategies Explained\n\n| Strategy | NAT Gateways | Monthly Cost | Use Case |\n|----------|--------------|--------------|----------|\n| **None** | 0 | $0 | Isolated workloads, no internet needed |\n| **SingleAz** | 1 | ~$32 | Dev/test, cost-sensitive |\n| **HighlyAvailable** | 1 per AZ (3) | ~$96 | Production, uptime-critical |\n\n### IPv6 Changes Everything\n\nWith dual-stack networking, IPv6 traffic uses an **Egress-Only Internet Gateway** instead of NAT:\n\n| Feature | NAT Gateway (IPv4) | Egress-Only IGW (IPv6) |\n|---------|-------------------|------------------------|\n| Hourly cost | ~$0.045/hr | **Free** |\n| Data processing | $0.045/GB | **Free** |\n| HA requirement | 1 per AZ | 1 total (regional) |\n\n## Use Cases\n\n### Stage 1: Individual Developer (~$0/mo)\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: Network\nmetadata:\n  name: dev-vpc\nspec:\n  region: us-east-1\n  providerConfigRef:\n    name: default\n  vpc:\n    cidr: \"10.1.0.0/16\"\n  subnets:\n    - name: dev-public-a\n      cidr: \"10.1.0.0/24\"\n      availabilityZone: a\n      public: true\n    - name: dev-public-b\n      cidr: \"10.1.1.0/24\"\n      availabilityZone: b\n      public: true\n    - name: dev-private-a\n      cidr: \"10.1.16.0/20\"\n      availabilityZone: a\n    - name: dev-private-b\n      cidr: \"10.1.32.0/20\"\n      availabilityZone: b\n```\n\n### Stage 2: Small Team with NAT (~$32/mo)\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: Network\nmetadata:\n  name: team-vpc\nspec:\n  region: us-west-2\n  providerConfigRef:\n    name: default\n  tags:\n    team: platform\n    environment: production\n  vpc:\n    cidr: \"10.2.0.0/16\"\n  subnets:\n    - name: team-public-a\n      cidr: \"10.2.0.0/24\"\n      availabilityZone: a\n      public: true\n    - name: team-public-b\n      cidr: \"10.2.1.0/24\"\n      availabilityZone: b\n      public: true\n    - name: team-public-c\n      cidr: \"10.2.2.0/24\"\n      availabilityZone: c\n      public: true\n    - name: team-private-a\n      cidr: \"10.2.16.0/20\"\n      availabilityZone: a\n    - name: team-private-b\n      cidr: \"10.2.32.0/20\"\n      availabilityZone: b\n    - name: team-private-c\n      cidr: \"10.2.48.0/20\"\n      availabilityZone: c\n  nat:\n    enabled: true\n    strategy: SingleAz\n```\n\n### Stage 3: Production with HA NAT (~$96/mo)\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: Network\nmetadata:\n  name: prod-vpc\nspec:\n  region: us-east-1\n  providerConfigRef:\n    name: aws-prod\n  tags:\n    environment: production\n    cost-center: engineering\n  vpc:\n    cidr: \"10.5.0.0/16\"\n  subnets:\n    - name: ha-public-a\n      cidr: \"10.5.0.0/24\"\n      availabilityZone: a\n      public: true\n    - name: ha-public-b\n      cidr: \"10.5.1.0/24\"\n      availabilityZone: b\n      public: true\n    - name: ha-public-c\n      cidr: \"10.5.2.0/24\"\n      availabilityZone: c\n      public: true\n    - name: ha-private-a\n      cidr: \"10.5.16.0/20\"\n      availabilityZone: a\n    - name: ha-private-b\n      cidr: \"10.5.32.0/20\"\n      availabilityZone: b\n    - name: ha-private-c\n      cidr: \"10.5.48.0/20\"\n      availabilityZone: c\n  nat:\n    enabled: true\n    strategy: HighlyAvailable\n```\n\n### Stage 4: Dual-Stack with ULA IPv6\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: Network\nmetadata:\n  name: dual-stack\nspec:\n  region: us-east-1\n  providerConfigRef:\n    name: default\n  vpc:\n    cidr: \"10.3.0.0/16\"\n    ipv6:\n      ula:\n        enabled: true\n        cidr: \"fd00:dead:beef::/56\"\n        ipamPoolId: ipam-pool-0abc123\n  subnets:\n    - name: ds-public-a\n      cidr: \"10.3.0.0/24\"\n      availabilityZone: a\n      public: true\n      ipv6:\n        ulaCidr: \"fd00:dead:beef:0::/64\"\n    - name: ds-public-b\n      cidr: \"10.3.1.0/24\"\n      availabilityZone: b\n      public: true\n      ipv6:\n        ulaCidr: \"fd00:dead:beef:1::/64\"\n    - name: ds-private-a\n      cidr: \"10.3.16.0/20\"\n      availabilityZone: a\n      ipv6:\n        ulaCidr: \"fd00:dead:beef:100::/64\"\n    - name: ds-private-b\n      cidr: \"10.3.32.0/20\"\n      availabilityZone: b\n      ipv6:\n        ulaCidr: \"fd00:dead:beef:101::/64\"\n  nat:\n    enabled: true\n    strategy: SingleAz\n```\n\n### Stage 5: Dual-Stack with Amazon-Provided IPv6\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: Network\nmetadata:\n  name: dual-stack-amazon\nspec:\n  region: us-east-1\n  providerConfigRef:\n    name: default\n  vpc:\n    cidr: \"10.4.0.0/16\"\n    ipv6:\n      amazonProvided:\n        enabled: true\n  subnets:\n    - name: dsa-public-a\n      cidr: \"10.4.0.0/24\"\n      availabilityZone: a\n      public: true\n    - name: dsa-public-b\n      cidr: \"10.4.1.0/24\"\n      availabilityZone: b\n      public: true\n    - name: dsa-private-a\n      cidr: \"10.4.16.0/20\"\n      availabilityZone: a\n    - name: dsa-private-b\n      cidr: \"10.4.32.0/20\"\n      availabilityZone: b\n  nat:\n    enabled: true\n    strategy: SingleAz\n```\n\n### Stage 6: Enterprise with IPAM + TGW + Flow Logs\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: Network\nmetadata:\n  name: enterprise-vpc\n  namespace: acme-prod\nspec:\n  region: us-east-1\n  providerConfigRef:\n    name: acme-aws-prod\n  tags:\n    environment: production\n    compliance: soc2\n    cost-center: \"12345\"\n  ipam:\n    ipv4:\n      enabled: true\n      poolId: ipam-pool-enterprise123\n      netmaskLength: 16\n    ipv6Ula:\n      enabled: true\n      poolId: ipam-pool-ipv6-enterprise\n      netmaskLength: 56\n  subnetLayout:\n    availabilityZones: [a, b, c]\n    public:\n      enabled: true\n      netmaskLength: 24\n    private:\n      enabled: true\n      netmaskLength: 18\n  nat:\n    enabled: true\n    strategy: HighlyAvailable\n  transitGateway:\n    enabled: true\n    config:\n      tgwId: tgw-abc123\n      routeTablePropagation: true\n  flowLogs:\n    enabled: true\n    config:\n      destination: s3\n      logDestinationArn: arn:aws:s3:::acme-vpc-flow-logs\n      trafficType: ALL\n```\n\n## Cost Summary\n\n| Configuration | NAT Strategy | Monthly Cost |\n|--------------|--------------|--------------|\n| Minimal (no NAT) | None | $0 |\n| With SingleAz NAT | SingleAz | ~$32 |\n| Production (HA NAT) | HighlyAvailable | ~$96 |\n| Enterprise (HA + TGW) | HighlyAvailable | ~$132+ |\n\n**Note:** IPv6 egress via Egress-Only IGW is free. Only IPv4 NAT Gateways cost money.\n\n## API Reference\n\n### spec\n\n| Field | Type | Required | Description |\n|-------|------|----------|-------------|\n| `region` | string | Yes | AWS region |\n| `providerConfigRef.name` | string | No | AWS ProviderConfig name (default: \"default\") |\n| `providerConfigRef.kind` | string | No | Provider config kind (default: \"ProviderConfig\") |\n| `tags` | object | No | Additional AWS tags |\n| `managementPolicies` | []string | No | Management policies (default: [\"*\"]) |\n\n### spec.vpc\n\n| Field | Type | Required | Description |\n|-------|------|----------|-------------|\n| `cidr` | string | No* | IPv4 CIDR block (e.g., \"10.1.0.0/16\") |\n| `ipv6.ula.enabled` | boolean | No | Enable ULA IPv6 |\n| `ipv6.ula.cidr` | string | No | ULA IPv6 CIDR (e.g., \"fd00::/56\") |\n| `ipv6.ula.ipamPoolId` | string | No | IPAM pool ID for ULA IPv6 |\n| `ipv6.amazonProvided.enabled` | boolean | No | Request Amazon-provided /56 IPv6 |\n| `forProvider` | object | No | Pass-through for VPC forProvider fields |\n\n*Required unless using `ipam.ipv4`\n\n### spec.subnets[]\n\n| Field | Type | Required | Description |\n|-------|------|----------|-------------|\n| `name` | string | Yes | Subnet name |\n| `cidr` | string | No* | IPv4 CIDR block |\n| `availabilityZone` | string | Yes | AZ suffix (a, b, c) |\n| `public` | boolean | No | Public subnet (default: false) |\n| `ipv6.ulaCidr` | string | No | ULA IPv6 CIDR for subnet |\n| `ipv6.amazonProvidedCidr` | string | No | Amazon IPv6 CIDR for subnet |\n\n*Required unless using `ipam.ipv4`\n\n### spec.ipam\n\n| Field | Type | Description |\n|-------|------|-------------|\n| `ipv4.enabled` | boolean | Enable IPv4 CIDR allocation from IPAM |\n| `ipv4.poolId` | string | IPAM pool ID |\n| `ipv4.netmaskLength` | int | VPC netmask (default: 16) |\n| `ipv6Ula.enabled` | boolean | Enable IPv6 ULA CIDR allocation from IPAM |\n| `ipv6Ula.poolId` | string | IPAM pool ID for IPv6 |\n| `ipv6Ula.netmaskLength` | int | VPC IPv6 netmask (default: 56) |\n\n### spec.subnetLayout\n\n| Field | Type | Description |\n|-------|------|-------------|\n| `availabilityZones` | []string | AZs for subnet creation (default: [a, b, c]) |\n| `public.enabled` | boolean | Create public subnets (default: true) |\n| `public.netmaskLength` | int | Public subnet netmask (default: 24) |\n| `private.enabled` | boolean | Create private subnets (default: true) |\n| `private.netmaskLength` | int | Private subnet netmask (default: 20) |\n\n### spec.nat\n\n| Field | Type | Default | Description |\n|-------|------|---------|-------------|\n| `enabled` | boolean | false | Enable NAT Gateways |\n| `strategy` | string | SingleAz | `SingleAz`, `HighlyAvailable`, `None` |\n\n### spec.transitGateway\n\n| Field | Type | Default | Description |\n|-------|------|---------|-------------|\n| `enabled` | boolean | false | Enable TGW attachment |\n| `config.tgwId` | string | - | Transit Gateway ID |\n| `config.routeTablePropagation` | boolean | true | Enable route propagation |\n\n### spec.flowLogs\n\n| Field | Type | Default | Description |\n|-------|------|---------|-------------|\n| `enabled` | boolean | false | Enable VPC Flow Logs |\n| `config.destination` | string | cloudwatch | `cloudwatch` or `s3` |\n| `config.logDestinationArn` | string | - | Destination ARN |\n| `config.trafficType` | string | ALL | `ALL`, `ACCEPT`, `REJECT` |\n| `config.iamRoleArn` | string | - | IAM role for CloudWatch |\n\n## Status\n\nThe Network exposes observed state in `status`:\n\n```yaml\nstatus:\n  ready: true\n  ipam:  # Only present when using IPAM\n    ipv4:\n      cidr: \"10.100.0.0/16\"\n    ipv6Ula:\n      cidr: \"fd00:dead:beef::/56\"\n  network:\n    name: my-network\n    region: us-east-1\n    vpcId: vpc-abc123\n    cidr:\n      ipv4: \"10.100.0.0/16\"\n      ipv6Ula: \"fd00:dead:beef::/56\"\n      ipv6AmazonProvided: \"2600:1f18:abc::/56\"  # If using Amazon-provided\n    availabilityZones:\n      - us-east-1a\n      - us-east-1b\n    subnets:\n      public:\n        - name: my-network-public-a\n          id: subnet-pub-a\n          availabilityZone: us-east-1a\n          ipv4CidrBlock: \"10.100.0.0/24\"\n          ipv6CidrBlock: \"fd00:dead:beef:0::/64\"\n      private:\n        - name: my-network-private-a\n          id: subnet-priv-a\n          availabilityZone: us-east-1a\n          ipv4CidrBlock: \"10.100.16.0/20\"\n          ipv6CidrBlock: \"fd00:dead:beef:100::/64\"\n    routeTables:\n      public:\n        - name: my-network-public\n          id: rtb-pub\n      private:\n        - name: my-network-private-rt-a\n          id: rtb-priv-a\n          availabilityZone: us-east-1a\n    natGateways:\n      - name: my-network-nat-a\n        id: nat-abc123\n        availabilityZone: us-east-1a\n        eipAllocationId: eipalloc-abc123\n    internetGateway:\n      id: igw-abc123\n    egressOnlyInternetGateway:\n      id: eigw-abc123\n    transitGatewayAttachment:\n      id: tgw-attach-abc123\n      state: available\n```\n\n## License\n\nApache-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhops-ops%2Faws-network","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhops-ops%2Faws-network","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhops-ops%2Faws-network/lists"}