@aws-cdk/aws-globalaccelerator

AWS::GlobalAccelerator Construct Library

---

All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.

The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.

---

Introduction

AWS Global Accelerator (AGA) is a service that improves the availability and performance of your applications with local or global users. It provides static IP addresses that act as a fixed entry point to your application endpoints in a single or multiple AWS Regions, such as your Application Load Balancers, Network Load Balancers or Amazon EC2 instances.

This module supports features under AWS Global Accelerator that allows users set up resources using the @aws-cdk/aws-globalaccelerator module.

Accelerator

The Accelerator resource is a Global Accelerator resource type that contains information about how you create an accelerator. An accelerator includes one or more listeners that process inbound connections and direct traffic to one or more endpoint groups, each of which includes endpoints, such as Application Load Balancers, Network Load Balancers, and Amazon EC2 instances.

To create the Accelerator:

import globalaccelerator = require('@aws-cdk/aws-globalaccelerator');

new globalaccelerator.Accelerator(stack, 'Accelerator');

Listener

The Listener resource is a Global Accelerator resource type that contains information about how you create a listener to process inbound connections from clients to an accelerator. Connections arrive to assigned static IP addresses on a port, port range, or list of port ranges that you specify.

To create the Listener listening on TCP 80:

new globalaccelerator.Listener(stack, 'Listener', {
  accelerator,
  portRanges: [
    {
      fromPort: 80,
      toPort: 80,
    },
  ],
});

EndpointGroup

The EndpointGroup resource is a Global Accelerator resource type that contains information about how you create an endpoint group for the specified listener. An endpoint group is a collection of endpoints in one AWS Region.

To create the EndpointGroup:

new globalaccelerator.EndpointGroup(stack, 'Group', { listener });

Add Endpoint into EndpointGroup

You may use the following methods to add endpoints into the EndpointGroup:

• addEndpoint to add a generic endpoint into the EndpointGroup.
• addLoadBalancer to add an Application Load Balancer or Network Load Balancer.
• addEc2Instance to add an EC2 Instance.
• addElasticIpAddress to add an Elastic IP Address.

const endpointGroup = new globalaccelerator.EndpointGroup(stack, 'Group', { listener });
const alb = new elbv2.ApplicationLoadBalancer(stack, 'ALB', { vpc, internetFacing: true  });
const nlb = new elbv2.NetworkLoadBalancer(stack, 'NLB', { vpc, internetFacing: true });
const eip = new ec2.CfnEIP(stack, 'ElasticIpAddress');
const instances = new Array<ec2.Instance>();

for ( let i = 0; i < 2; i++) {
  instances.push(new ec2.Instance(stack, `Instance${i}`, {
    vpc,
    machineImage: new ec2.AmazonLinuxImage(),
    instanceType: new ec2.InstanceType('t3.small'),
  }));
}

endpointGroup.addLoadBalancer('AlbEndpoint', alb);
endpointGroup.addLoadBalancer('NlbEndpoint', nlb);
endpointGroup.addElasticIpAddress('EipEndpoint', eip);
endpointGroup.addEc2Instance('InstanceEndpoint', instances[0]);
endpointGroup.addEndpoint('InstanceEndpoint2', instances[1].instanceId);

Accelerator Security Groups

When using certain AGA features (client IP address preservation), AGA creates elastic network interfaces (ENI) in your AWS account which are associated with a Security Group, and which are reused for all AGAs associated with that VPC. Per the best practices page, AGA creates a specific security group called GlobalAccelerator for each VPC it has an ENI in. You can use the security group created by AGA as a source group in other security groups, such as those for EC2 instances or Elastic Load Balancers, in order to implement least-privilege security group rules.

CloudFormation doesn't support referencing the security group created by AGA. CDK has a library that enables you to reference the AGA security group for a VPC using an AwsCustomResource.

const vpc = new Vpc(stack, 'VPC', {});
const alb = new elbv2.ApplicationLoadBalancer(stack, 'ALB', { vpc, internetFacing: false  });
const accelerator = new ga.Accelerator(stack, 'Accelerator');
const listener = new ga.Listener(stack, 'Listener', {
  accelerator,
  portRanges: [
    {
      fromPort: 443,
      toPort: 443,
    },
  ],
});
const endpointGroup = new ga.EndpointGroup(stack, 'Group', { listener });
endpointGroup.addLoadBalancer('AlbEndpoint', alb);

// Remember that there is only one AGA security group per VPC.
// This code will fail at CloudFormation deployment time if you do not have an AGA
const agaSg = ga.AcceleratorSecurityGroup.fromVpc(stack, 'GlobalAcceleratorSG', vpc);

// Allow connections from the AGA to the ALB
alb.connections.allowFrom(agaSg, Port.tcp(443));

Changelog

1.63.0 (2020-09-12)

⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES

• appsync: force apiKeyConfig require a Expiration class instead of string

• appsync: Parameter apiKeyConfig takes Expiration class instead of string

• core: custom implementations of IStackSynthesizer must now implement synthesize() instead of synthesizeStackArtifacts().
• aws-batch: Changed type of ComputeResources.computeResourcesTags from Tag to map

Features

• appsync: add authorization config to the HttpDataSource (#10171) (b2cc277), closes #9971 #9934
• appsync: add support for subscriptions for code-first schema generation (#10078) (65db131), closes #9345
• appsync: implement directives for code-first approach (#9973) (088cd48), closes #9879
• appsync: support enumeration types for code-first approach (#10023) (30a5b80), closes #10023
• appsync: support union types for code-first approach (#10025) (28a9834)
• cfn-include: add support for Hooks (#10143) (4de68c0), closes #9713
• cfn-include: allow renaming the template elements logical IDs (#10169) (cf746a0), closes #9714
• chatbot: log retention support and metrics utility methods (#10137) (0f0d1e7), closes #10135
• cli: support credential_source in aws shared config file (#10272) (940a443)
• codebuild: add git submodule options of codebuild (#10283) (698e5ef), closes #10271
• eks: arm64 support (#9875) (ffb84c6), closes #9915
• eks: bump aws-node-termination-handler to 0.9.5 (#10278) (8cfc190), closes aws/aws-cdk#10277
• eks: managed nodegroup with custom AMI and launch template support (#9881) (5c294fb), closes #9873
• elasticloadbalancingv2: more health check validations to NLB target group (#3703) (#10205) (e3f3332)
• elasticloadbalancingv2: multiple security groups for ALBs (#10244) (1ebf362), closes #5138
• lambda-nodejs: improved project root detection (#10182) (cce83dc), closes #10174
• pipelines: adding IAM permissions to ShellScriptAction (#10149) (ec15485), closes #9600
• rds: database clusters from snapshots (#10130) (915eb4b), closes #4379
• rds: deprecate OracleSE and OracleSE1 engine versions (#10241) (562f891), closes #9249
• rds: metrics for clusters (#10162) (49f6034), closes #5212
• route53-patterns: support IPv6 in HttpsRedirect (#10203) (a1f6e1b)
• secrets-manager: exclude characters for password rotation applications (#10110) (1260d52), closes #4144

Bug Fixes

• appsync: strongly type expires prop in apiKeyConfig (#9122) (287f808), closes #8698
• aws-batch: computeResources tags are not configured properly (#10209) (40222ef), closes #7350
• cfn-include: correctly parse YAML strings in short-form GetAtt (#10197) (a388d70), closes #10177
• cfn-include: correctly substitute falsy parameter values (#10195) (8791f88), closes #10107
• cli: metadata not recorded for templates >50k (#10184) (dfd2baf)
• cli: simplify lib template (#10175) (fc3ec9b)
• cli: unable to set termination protection for pipeline stacks (#9938) (a00a4ee)
• cloudfront: comment for origin access identity is too long (#10266) (495aeb9), closes #10211
• codepipeline: cross-region support stack requires bootstrapping (#10217) (b5ff4d6), closes #10215
• core: DefaultSynthesizer breaks this.node.setContext() on Stack (#10246) (61865aa)
• core: Stacks render CloudFormation elements in nested Stages (#10156) (5f36f6b), closes #9792 #9669
• custom-resources: deleting custom resource fails when using two or more (#10012) (8d23f24)
• ec2: cfn-init user data hash not updated if file asset changes (#10216) (0d7ca63), closes #10206
• eks: restricted public access breaks cluster functionality (#10103) (a1b5bf6)
• kms: do not change the principal to root for imported resources in dependent Stacks (#10299) (54dfe83), closes #10166
• lambda-nodejs: permission denied, mkdir '/.parcel-cache' (#10181) (20f5535)
• pipelines: changing synth action doesn't restart pipeline (#10176) (14c8a98), closes #9458
• pipelines: check for an empty Stage object (#10153) (cec20c8), closes #9559
• rds: Make most DatabaseClusterAttributes properties optional (#10291) (0653e6b), closes #3587