egressVPC.ts
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import {
aws_ec2 as ec2,
aws_s3 as s3,
}
from 'aws-cdk-lib';
import * as raindancersNetwork from 'raindancers-network';
import { FirewallRules } from './firewallpolicy'
/**
 * Inputs for the egress VPC stack.
 *
 * All three segments receive a 0.0.0.0/0 route towards this VPC's Cloud WAN
 * attachment, so every segment's internet-bound traffic transits the firewall
 * cluster built by the stack. The VPC itself attaches to the red segment.
 */
interface EgressVpcProps extends cdk.StackProps {
  /** The Cloud WAN core network (and its policy table) the egress VPC joins. */
  corenetwork: raindancersNetwork.CoreNetwork;
  /** Workload segment whose default route will point at the egress VPC. */
  blueSegment: raindancersNetwork.CoreNetworkSegment;
  /** Workload segment whose default route will point at the egress VPC. */
  greenSegment: raindancersNetwork.CoreNetworkSegment;
  /** Segment the egress VPC attaches to; its default route also points here. */
  redSegment: raindancersNetwork.CoreNetworkSegment;
}
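/**
 * Centralised egress VPC for the Cloud WAN core network.
 *
 * What this stack builds, in order:
 *  1. a two-AZ VPC with two NAT gateways backed by explicitly created EIPs;
 *  2. a Cloud WAN attachment (appliance mode) on the red segment;
 *  3. VPC flow logs to a locked-down S3 bucket, with Athena queries generated;
 *  4. a 0.0.0.0/0 route in the core network policy table for the red, green
 *     and blue segments, pointing at that attachment;
 *  5. an AWS Network Firewall cluster whose endpoints live in the 'firewall'
 *     subnet group;
 *  6. VPC route-table entries that send the private supernet from the public
 *     subnets through the firewall, and from the other subnet groups back into
 *     Cloud WAN.
 */
export class EgressVpc extends cdk.Stack {
  /**
   * Summary prefix for everything reachable via Cloud WAN.
   *
   * It is consumed in three places that must agree -- the firewall policy's
   * notion of the internal network and the two route-table entries below --
   * so it is defined exactly once. Widen or narrow it here only; a mismatch
   * between policy and routing is how traffic ends up either black-holed or
   * classified as "internal" by the firewall when it is not.
   */
  private static readonly PRIVATE_SUPERNET = '10.0.0.0/8';

  /**
   * @param scope parent construct (normally the CDK App)
   * @param id    construct id for this stack
   * @param props core network plus the three segments whose default route
   *              will point at this VPC
   */
  constructor(scope: Construct, id: string, props: EgressVpcProps) {
    super(scope, id, props);

    const privateSupernet = EgressVpc.PRIVATE_SUPERNET;

    // The VPC. The EIPs are created explicitly and handed to the NAT provider,
    // so the public egress addresses are first-class resources of this stack
    // rather than something the NAT gateways allocate on their own.
    const egressVpc = new raindancersNetwork.EnterpriseVpc(this, 'tiritahiEnterpriseVPC', {
      vpc: new ec2.Vpc(this, 'tiritahiVPC', {
        ipAddresses: ec2.IpAddresses.cidr('10.10.128.0/22'),
        natGateways: 2,
        natGatewayProvider: ec2.NatProvider.gateway({
          eipAllocationIds: [
            new ec2.CfnEIP(this, 'EIP1forNatGateway').attrAllocationId,
            new ec2.CfnEIP(this, 'EIP2forNatGateway').attrAllocationId,
          ],
        }),
        maxAzs: 2,
        vpcName: 'egressVpc',
        subnetConfiguration: [
          // Isolated: CDK adds no default route, so nothing here reaches the
          // internet except through routes added further down.
          { name: 'inside', subnetType: ec2.SubnetType.PRIVATE_ISOLATED, cidrMask: 24 },
          // Hosts the Network Firewall endpoints (see subnetGroup below).
          { name: 'firewall', subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, cidrMask: 28 },
          // Presumably where the Cloud WAN attachment ENIs land -- confirm
          // against what EnterpriseVpc.attachToCloudWan actually selects.
          { name: 'linknet', subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, cidrMask: 28 },
          // Holds the NAT gateways (CDK places them in the PUBLIC subnets).
          { name: 'public', subnetType: ec2.SubnetType.PUBLIC, cidrMask: 28 },
        ],
      }),
    });

    // Attach to Cloud WAN. Appliance mode pins both directions of a flow to the
    // same AZ, which is what prevents asymmetric routing through the firewall
    // endpoints (a stateful engine drops the half of a flow it never saw).
    const attachmentId = egressVpc.attachToCloudWan({
      coreNetworkName: props.corenetwork.coreName,
      segmentName: props.redSegment.segmentName,
      applianceMode: true,
    });

    // VPC flow logs -> S3 at one-minute aggregation, with Athena queries generated.
    // The bucket blocks all public access, is SSE-S3 encrypted and rejects
    // plain-HTTP requests.
    // NOTE(review): no lifecycle rule is configured here, so one-minute logs
    // accumulate until someone deletes them; add an expiration/transition rule
    // once a retention period for flow logs is agreed.
    egressVpc.createFlowLog({
      bucket: new s3.Bucket(this, 'flowlogbucket', {
        blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
        encryption: s3.BucketEncryption.S3_MANAGED,
        enforceSSL: true,
      }),
      localAthenaQuerys: true,
      oneMinuteFlowLogs: true,
    });

    // Install 0.0.0.0/0 for every segment in the core network policy table,
    // pointing at this VPC's attachment, so internet-bound traffic from any
    // segment transits the firewall cluster. Whether traffic *between* segments
    // is also forced through here depends on the segment-sharing rules in the
    // core network policy, which are not defined in this file -- confirm there
    // before relying on it.
    // TODO: this could take only the segments and the core network and derive
    // the rest.
    egressVpc.addCoreRoutes({
      policyTableArn: props.corenetwork.policyTable.tableArn,
      segments: [
        props.redSegment.segmentName,
        props.greenSegment.segmentName,
        props.blueSegment.segmentName,
      ],
      destinationCidrBlocks: ['0.0.0.0/0'],
      description: 'defaultroutetoManagedEgress',
      coreName: props.corenetwork.coreName,
      attachmentId: attachmentId,
    });

    // The AWS Network Firewall cluster; its endpoints are created in the
    // 'firewall' subnet group. The policy is told which prefix is "inside" so
    // its rules can tell internal from internet traffic -- this is the same
    // constant the route tables use, deliberately.
    const firewall = new raindancersNetwork.NetworkFirewall(this, 'FirewallCluster', {
      firewallName: 'firewall',
      firewallPolicy: new FirewallRules(this, 'firewallrules', {
        cloudwanCidr: privateSupernet,
      }).firewallPolicy,
      subnetGroup: 'firewall',
      vpc: egressVpc.vpc,
    });

    // VPC routing. Default routes for the PRIVATE_WITH_EGRESS and PUBLIC subnet
    // groups are already in place from the VPC construct (NAT gateway and
    // internet gateway respectively); only the private-supernet routes are
    // added here.
    //
    // NOTE(review): that also means 'linknet' and 'firewall' both default-route
    // straight to the NAT gateways. If the Cloud WAN attachment sits in
    // 'linknet', its 0.0.0.0/0 must be re-pointed at the firewall endpoint
    // (only the 'firewall' group should default to NAT); otherwise segment
    // traffic reaches the internet without inspection. Confirm what
    // EnterpriseVpc / attachToCloudWan does about this before deploying.

    // Non-public subnet groups reach the private networks via Cloud WAN.
    egressVpc.addRoutes({
      cidr: [privateSupernet],
      description: 'inside2cloudwan',
      subnetGroups: ['linknet', 'inside', 'firewall'],
      destination: raindancersNetwork.Destination.CLOUDWAN,
      cloudwanName: props.corenetwork.coreName,
    });

    // Traffic in the public subnets bound for the private networks (for
    // example replies coming back through the NAT gateways) is handed to the
    // firewall endpoint first.
    egressVpc.addRoutes({
      description: 'public2inside',
      cidr: [privateSupernet],
      subnetGroups: ['public'],
      destination: raindancersNetwork.Destination.NWFIREWALL,
      networkFirewallArn: firewall.firewallArn,
    });
  }
}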