{"id":48232492,"url":"https://github.com/theonestack/hl-component-vpc-v2","last_synced_at":"2026-04-04T19:43:47.040Z","repository":{"id":36443104,"uuid":"216574636","full_name":"theonestack/hl-component-vpc-v2","owner":"theonestack","description":null,"archived":false,"fork":false,"pushed_at":"2025-01-03T11:33:23.000Z","size":116,"stargazers_count":0,"open_issues_count":1,"forks_count":8,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-01-03T12:28:43.108Z","etag":null,"topics":["cfhighlander","nat-instances","natgateway","subnets","vpc","vpc-gateway-endpoints"],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/theonestack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-21T13:25:42.000Z","updated_at":"2024-09-05T04:00:21.000Z","dependencies_parsed_at":"2024-01-09T02:35:16.029Z","dependency_job_id":"d140dcb5-ea57-49d8-8c56-74cf9c513efe","html_url":"https://github.com/theonestack/hl-component-vpc-v2","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"purl":"pkg:github/theonestack/hl-component-vpc-v2","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theonestack%2Fhl-component-vpc-v2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theonestack%2Fhl-component-vpc-v2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theonestack%2Fhl-component-vpc-v2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theonestack%2Fhl-component-vpc-v2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/theonestack","download_url":"https://codeload.github.com/theonestack/hl-component-vpc-v2/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theonestack%2Fhl-component-vpc-v2/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31411351,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T19:29:44.979Z","status":"ssl_error","status_checked_at":"2026-04-04T19:29:11.535Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cfhighlander","nat-instances","natgateway","subnets","vpc","vpc-gateway-endpoints"],"created_at":"2026-04-04T19:43:46.315Z","updated_at":"2026-04-04T19:43:47.035Z","avatar_url":"https://github.com/theonestack.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vpc-v2 CfHighlander component\n\nBase component in which to build AWS network based resources from such as EC2, RDS and ECS\n\n```bash\nkurgan add vpc-v2\n```\n\n## Requirements\n\n## Parameters\n\n| Name | Use | Default | Global | Type | Allowed Values |\n| ---- | --- | ------- | ------ | ---- | -------------- |\n| EnvironmentName | Tagging | dev | true | string\n| EnvironmentType | Tagging | development | true | string | ['development','production']\n| DnsDomain | create route53 zone | | true | string\n| CIDR | override vpc cidr config | `vpc_cidr:` | false | CommaDelimitedList\n| SubnetBits | The number of subnet bits for the each subnet CIDR. For example, specifying a value \"8\" for this parameter will create a CIDR with a mask of \"/24\" | `32 - subnet_mask` | false | string\n| GroupSubnets | list of subnet ciders for each subnet group |  | false | string\n| AvailabiltiyZones | set the az count for the stack | `max_availability_zones:` | false | string\n| NatType | Select the NAT type | `managed` | false | string | [`managed`,`instances`,`disabled`]\n| NatGateways | NAT Gateway count. If larger than AvailabiltiyZones value, the smaller is used | `max_availability_zones:` | false | string\n| NatGatewayEIPs | List of EIP Ids, must be the same length as NatGateways' | | false | CommaDelimitedList\n| NatInstanceType | Ec2 instance type | `t3.micro` | false | string\n| NatAmi | Amazon Machine Image Id as a string or ssm parameter | `/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-ebs` | false | SSM Parameter\n| NatInstancesSpot | Enable spot for the EC2 Nat Instances | `true` | false | String | ['true','false']\n| EnableTransitVPC | Allows conditional creation of the the transit vpc resources | `true` | false | String | ['true','false']\n\n## Configuration\n\n### Selecting Availability Zones\n\nBy default the `vpc-v2` component will automatically select the AZs. This is achieved by looping over the `max_availability_zones` count and using the `Fn::GetAZs` Cloudformation function to select the AZ id.\n\n```rb\nmax_availability_zones.times |az|\n  selected_az = FnSelect(az, FnGetAZs(Ref('AWS::Region')))\nend\n```\n\nHowever if you wish to define which as AZs you want to use you can by configuring a map per AWS account with the AZs you wish to use. \n**NOTE:** the total count of AZ's defined in the map for each account has to be the same value as `max_availability_zones`.\n\nTo configure your AZ settings, set `az_mapping` to true\n\n```yaml\naz_mapping: true\n```\n\nThen configure a [Map](https://github.com/theonestack/cfhighlander#cloudformation-mappings) in the following structure to define your AZs\n\n```yaml\nAccounts:\n  '000000000000': # AWS Account Id\n    AZs: '3,5,0' # Comma delimited list of numerical values that maps to the Availability Zone for that account\n```\n\nthe numerical values will map to the Availability Zone retuned from the `Fn::GetAZs` function in the AWS account. For example in `us-east-1` returns\n\n```rb\n[ \"us-east-1a\", \"us-east-1b\", \"us-east-1c\", \"us-east-1d\", \"us-east-1e\", \"us-east-1f\" ]\n```\n\ntherefore the mapping `AZs: '3,5,0'` will use AZs `[ \"us-east-1d\", \"us-east-1f\", \"us-east-1a\" ]`\n\nthe new function to retrieve the AZ becomes\n\n```rb\nmax_availability_zones.times |az|\n  selected_az = FnSelect(FnSelect(az, FnSplit(',', FnFindInMap('Accounts', Ref('AWS::AccountId'), 'AZs'))), FnGetAZs(Ref('AWS::Region')))\nend\n```\n\n### Subnetting\n\n**Subnet Allocation**\n\nThere are 2 subnetting options defined by the `subnet_parameters` config option.\n\n```yaml\nsubnet_parameters: false\n```\n\n- **false** \nFalse is the default value set in the config. This option will calculate the subnet cidrs for each subnet using the CloudFormation `Fn::Cidr` function. The `CIDR` and `SubnetBits` parameters can be changed at runtime when creating the stack. The subnets are allocated in sequential order per subnet group with the `subnet_multiplyer` config option determining how many cidrs are allocated per group.\n\n- **true** \nTrue uses a local cidr calculation function which exposes the subnet cidrs as a `CommaDelimitedList` for each subnet group. Useful if you want full control over your subnet cidr allocation. The `SubnetBits` parameter is not available with this option as it has not effect on the subnetting.\n\nFor example, the vpc cidr `192.168.0.0/24` used to generate 3 `/27` subnets.\nThe `VPCCidr` parameter default value is `192.168.0.0/24` and generates the parameter `PublicSubnets` with a default value of `192.168.0.0/27,192.168.0.32/27,192.168.0.64/27`.\n\nTake a look at the AWS [documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html) on the VPC subnetting restrictions.\n\nThe following subnet config bellow apply to both options\n\n**Subnet Groups**\n\nDefault subnet groups that will be created in the VPC stack.\n\n```yaml\nsubnets:\n  public:\n    name: Public\n    type: public\n  compute:\n    name: Compute\n    type: private\n    enable: true\n  persistence:\n    name: Persistence\n    type: private\n    enable: true\n  cache:\n    name: Cache\n    type: private\n    enable: true\n```\n\neach private default private group can be disabled with a cfhighlander project. The following example disables all the default private subnet groups and creates a new `MyCustom` subnet group. **Note** The public subnet group can't be disabled.\n\n```yaml\nsubnets:\n  mycustom:\n    name: MyCustom\n    type: private\n    enable: true\n  compute:\n    enable: false\n  persistence:\n    enable: true\n  cache:\n    enable: true\n```\n\n**Subnet Multiplyer**\n\nDetermines how many subnets will allocated per subnet group.\n**Update** would require replacement of the whole VPC stack.\n```yaml\nsubnet_multiplyer: 4\n```\n\n**Max Availability Zones**\n\nDetermines the maximum amount of availability zones this stack can create.\nCannot be a larger number than `subnet_multiplyer`.\n**Update** to a larger value would have no effect if the `AvailabiltiyZones` parameter stays the same.\n**Update** to a smaller value may remove az's if the value is smaller than the `AvailabiltiyZones` parameter.\n```yaml\nmax_availability_zones: 3\n```\n\n**Subnet Mask**\n\nDetermines the subnet size of the subnets\n```yaml\nsubnet_mask: 24\n```\n\n**VPC Cidr**\n\nThe value is used to generate the subnet bits for each subnet.\n```yaml\nvpc_cidr: 10.0.0.0/16\n```\n\n### NetworkACLs\n\n2 NACLs are created, one for public subnets and the other for private subnets.\nThe rules on these acls can be modified using the `acl_rules` config.\n\nthe default public rules are tcp ports 80, 443 and 1024-65535 from 0.0.0.0/0\nthe default private rules are allow everything\n\n```yaml\nacl_rules:\n  -\n    # public or private nacl\n    acl: public\n    # the rule number. if multiple ips are used this value is incremented by 1 for each ip\n    number: 100\n    # the port range. if to: is not set from is is used\n    from: 1024\n    to: 65535\n    # protocol, defaults to tcp\n    protocol: tcp\n    # specify a specific ip\n    cidr: 0.0.0.0/0\n    # specify a range of ips or ip_block or the vpc cidr using the term `stack`\n    ips:\n      - vpn\n      - stack\n      \nip_blocks:\n  vpn:\n    1.1.1.1/32\n```\n\n### VPC Gateway Endpoints\n\nS3 and DynamoDB VPC Gateway Endpoints are always created and added to all route tables. \n\n### VPC Interface Endpoints\n\nList of aws service interface endpoints to enable access over the private network.\nSee [here](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html) for more info on available endpoints.\n**Note:** each vpce is [priced](https://aws.amazon.com/privatelink/pricing/) per interface per az plus data throughput.\n\n```yaml\nendpoints:\n  - ec2\n  - ec2.api\n```\n\n\nOverride the default vpce interface subnets\n\n```yaml\nendpoint_subnets: Compute\n```\n\n### DNS\n\ndefines the dns format for the project using a `Fn::Fub:`.\nThere a 2 common patterns\n\n1. use the same root domain across all environments and have the stack create a sub domain \n```yaml\ndns_format: ${EnvironmentName}.${DnsDomain}\n```\n\n2. have a different root zone for each environment\n```yaml\ndns_format: ${DnsDomain}\n```\n\n### DHCP\n\nby default a dhcp option group is created using the provided dns name and the amazon provided dns name servers. \nthis can be disabled by setting the following config to remove the `DHCPOptions` and `VPCDHCPOptionsAssociation` resources from the template.\n\n```yaml\nenable_dhcp: false\n```\n\n### NAT\n\nNATs can be toggled between NAT Instances (EC2) and AWS managed NAT Gateways.\nCheck out this [table](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html) for comparison\n\nSelect the amount of nat's to deploy for the environment, max is 1 per az and min is 1. If less than the max az count is selected, the default route is directed out through Nat in AZ 0\n\n**Managed**\n\n- AWS managed NAT Gateway\n- Attaches EIP\n- Can be more expensive\n- Can't be shut down\n- Easier to manage\n- Guaranteed high network throughput\n- Recommended for production type environments\n    \n**Instances**\n\n- EC2 instance in an ASG per availabiltiy zone\n- Attaches a secondary ENI with a EIP\n- Creates an extra attack surface\n- Network through put limited by the instance type\n- Can be cheaper using small instance sizes and utilising the spot market\n- Can be shutdown saving on cost\n- Recommended for development type environments\n\n**Disabled**\n\n- No resources associated with NAT Gateways are created\n- Recommended for when no public access is required\n- If you want to move between Managed NAT and Instances you must update to `disabled` first. This is due to EIP's already being attached to the current NAT ENI or Gateway.\n\n**AMI Requirements**\n- linux\n- [awscli](https://github.com/aws/aws-cli)\n- iptables\n- route\n\n### Transit VPC\n\nTo render the resources required in the template set the `enable_transit_vpc` config to `true`. The resources are conditional based upon the `EnableTransitVPC` runtime parameter, set the value to `true` to create the resources for the stack. \n\n```yaml\nenable_transit_vpc: true\n```\n\nTo set the Amazon side Asn for the VpnGateway set the following config with the desired value.\n\n```yaml\nvgw_asn: 64512\n```\n\n### Private VPC\n\nA Private VPC is a vpc without its own access to the internet, it does not require an InternetGateway or NAT Gateway's/Instances.\n\nConfigure the NAT type as `disabled` as outlined [here](#nat)\n\nBy default an internet gateway is created and attached to the VPC, with a route out to the internet configured within the public route table.\nThis can be disabled by setting the following config to remove the `InternetGateway`,`VPCGatewayAttachment` and `Route` resources from the template.\n\n```yaml\nenable_internet_gateway: false\n```\n\n## Outputs/Exports\n\n| Name | Value | Exported |\n| ---- | ----- | -------- |\n| VPCId | VPCId | true\n| VPCCidr | VPCCidr | true\n| HostedZone | Hosted Zone Id | true\n| GroupSubnets | CommaDelimitedList of each subnet group | true\n\n## Included Components\n\n[route53-zone](https://github.com/theonestack/hl-component-route53-zone)\n\nIf your using environment sub domains and you want to automatically delegate the domain to the root, specify \n\n```yaml\nmanage_ns_records: true\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftheonestack%2Fhl-component-vpc-v2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftheonestack%2Fhl-component-vpc-v2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftheonestack%2Fhl-component-vpc-v2/lists"}