
AWS VPC

Deploys an AWS Virtual Private Cloud with automatic subnet calculation, public and private subnet creation across specified Availability Zones, an Internet Gateway for public routing, and optional NAT Gateways for private subnet internet access.

What Gets Created

When you deploy an AwsVpc resource, OpenMCF provisions:

  • VPC — an ec2.Vpc resource with the specified CIDR block, DNS support, and DNS hostname settings
  • Internet Gateway — an ec2.InternetGateway attached to the VPC for public internet access
  • Public Route Table — an ec2.RouteTable with a default route (0.0.0.0/0) pointing to the Internet Gateway
  • Public Subnets — one or more ec2.Subnet resources per Availability Zone with MapPublicIpOnLaunch enabled, each associated with the public route table via ec2.RouteTableAssociation
  • Private Subnets — one or more ec2.Subnet resources per Availability Zone with MapPublicIpOnLaunch disabled
  • Elastic IPs (NAT only) — one ec2.Eip per Availability Zone, created only when isNatGatewayEnabled is true
  • NAT Gateways (NAT only) — one ec2.NatGateway per Availability Zone placed in the first public subnet, created only when isNatGatewayEnabled is true
  • Private Route Tables (NAT only) — one ec2.RouteTable per private subnet routing 0.0.0.0/0 through the AZ's NAT Gateway, each associated via ec2.RouteTableAssociation

Prerequisites

  • AWS credentials configured via environment variables or OpenMCF provider config
  • A valid CIDR block for the VPC (e.g., 10.0.0.0/16)
  • At least one Availability Zone in the target AWS region

Quick Start

Create a file vpc.yaml:

apiVersion: aws.openmcf.org/v1
kind: AwsVpc
metadata:
  name: my-vpc
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.AwsVpc.my-vpc
spec:
  region: us-west-2
  vpcCidr: "10.0.0.0/16"
  subnetsPerAvailabilityZone: 1
  subnetSize: 24

Deploy:

openmcf apply -f vpc.yaml

This creates a VPC with the 10.0.0.0/16 CIDR block. No subnets are created until you also specify availabilityZones.

Configuration Reference

Required Fields

  • region (string): AWS region where the VPC will be created (e.g., us-west-2, eu-west-1). Validation: required; non-empty.
  • vpcCidr (string): CIDR block for the VPC (e.g., 10.0.0.0/16). Defines the full IP address range. Validation: must be valid CIDR notation.
  • subnetsPerAvailabilityZone (int32): Number of subnets to create in each Availability Zone. Recommended default: 1. Validation: required.
  • subnetSize (int32): Subnet mask length (e.g., 24 for /24 subnets with 256 addresses). A subnet cannot be larger than the VPC it lives in, so the mask length must be at least the VPC CIDR mask length. Recommended default: 1. Validation: required; must be >= VPC CIDR mask size.

Optional Fields

  • availabilityZones (string[], default []): List of Availability Zones to span (e.g., ["us-west-2a", "us-west-2b"]). Public and private subnets are created in each AZ.
  • isNatGatewayEnabled (bool, default false): When true, creates one NAT Gateway per AZ in the first public subnet, with an Elastic IP and private route tables for outbound internet access from private subnets.
  • isDnsHostnamesEnabled (bool, default false): When true, instances with public IPs receive corresponding public DNS hostnames.
  • isDnsSupportEnabled (bool, default false): When true, enables DNS resolution through the Amazon-provided DNS server within the VPC.

Examples

Two-AZ VPC with Public and Private Subnets

A typical VPC spanning two Availability Zones with one public and one private subnet per AZ:

apiVersion: aws.openmcf.org/v1
kind: AwsVpc
metadata:
  name: two-az-vpc
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.AwsVpc.two-az-vpc
spec:
  region: us-east-1
  vpcCidr: "10.0.0.0/16"
  availabilityZones:
    - us-east-1a
    - us-east-1b
  subnetsPerAvailabilityZone: 1
  subnetSize: 24

VPC with NAT Gateway

Private subnets that can reach the internet through NAT Gateways, with DNS support enabled:

apiVersion: aws.openmcf.org/v1
kind: AwsVpc
metadata:
  name: nat-vpc
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: staging.AwsVpc.nat-vpc
spec:
  region: us-west-2
  vpcCidr: "10.1.0.0/16"
  availabilityZones:
    - us-west-2a
    - us-west-2b
  subnetsPerAvailabilityZone: 1
  subnetSize: 24
  isNatGatewayEnabled: true
  isDnsSupportEnabled: true
  isDnsHostnamesEnabled: true

Three-AZ Production VPC

A production VPC spanning three Availability Zones with multiple subnets per AZ, NAT Gateways, and full DNS support:

apiVersion: aws.openmcf.org/v1
kind: AwsVpc
metadata:
  name: prod-vpc
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: prod.AwsVpc.prod-vpc
spec:
  region: eu-west-1
  vpcCidr: "10.10.0.0/16"
  availabilityZones:
    - eu-west-1a
    - eu-west-1b
    - eu-west-1c
  subnetsPerAvailabilityZone: 2
  subnetSize: 24
  isNatGatewayEnabled: true
  isDnsSupportEnabled: true
  isDnsHostnamesEnabled: true

Large VPC with Small Subnets

A VPC with a /20 address space divided into /28 subnets (16 addresses each) for fine-grained network segmentation:

apiVersion: aws.openmcf.org/v1
kind: AwsVpc
metadata:
  name: segmented-vpc
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.AwsVpc.segmented-vpc
spec:
  region: ap-southeast-1
  vpcCidr: "172.16.0.0/20"
  availabilityZones:
    - ap-southeast-1a
    - ap-southeast-1b
  subnetsPerAvailabilityZone: 3
  subnetSize: 28
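To review what a spec will carve out before running openmcf apply, here is an added Python helper (not OpenMCF code) that applies the constraints from the Configuration Reference, the AWS /16 to /28 limits, and the subnet naming shown under Stack Outputs. The sequential public-then-private allocation order is an assumption: the page documents the resulting names, not the component's actual ordering.

```python
import ipaddress
from itertools import islice

# Added example, not OpenMCF code. ASSUMPTION: subnets are carved sequentially from the VPC
# CIDR, all public subnets first and then all private ones, in the listed AZ order; the page
# does not document the component's real allocation order, only the naming of the result.
AWS_RESERVED_PER_SUBNET = 5  # AWS keeps the first four and the last address of every subnet

def plan_subnets(spec):
    """Validate an AwsVpc spec dict and return the subnets it implies, keyed by kind."""
    vpc = ipaddress.ip_network(spec["vpcCidr"], strict=True)  # rejects CIDRs with host bits set
    size, per_az = int(spec["subnetSize"]), int(spec["subnetsPerAvailabilityZone"])
    azs = list(spec.get("availabilityZones", []))
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError(f"VPC CIDR must be between /16 and /28, got /{vpc.prefixlen}")
    if size < vpc.prefixlen:  # a subnet cannot be larger than the VPC it lives in
        raise ValueError(f"subnetSize /{size} is larger than the VPC /{vpc.prefixlen}")
    if size > 28:
        raise ValueError(f"AWS subnets cannot be smaller than /28, got /{size}")
    needed = 2 * per_az * len(azs)  # one public and one private set per AZ
    blocks = list(islice(vpc.subnets(new_prefix=size), needed))
    if len(blocks) < needed:
        raise ValueError(f"/{vpc.prefixlen} holds {2 ** (size - vpc.prefixlen)} /{size} subnets, need {needed}")
    plan, nxt = {"public": [], "private": []}, iter(blocks)
    for kind in ("public", "private"):
        for az in azs:
            for i in range(per_az):
                net = next(nxt)  # name format follows the Stack Outputs table (public-subnet-<az>-<n>)
                plan[kind].append({"name": f"{kind}-subnet-{az}-{i}", "az": az, "cidr": str(net),
                                   "usable": net.num_addresses - AWS_RESERVED_PER_SUBNET})
    return plan

def count_resources(spec):  # counts implied by the 'What Gets Created' list, for cost and blast-radius review
    plan = plan_subnets(spec)
    n_az, nat = len(spec.get("availabilityZones", [])), bool(spec.get("isNatGatewayEnabled", False))
    return {"vpc": 1, "internet_gateway": 1, "public_route_table": 1,
            "public_subnets": len(plan["public"]), "private_subnets": len(plan["private"]),
            "elastic_ips": n_az if nat else 0, "nat_gateways": n_az if nat else 0,
            "private_route_tables": len(plan["private"]) if nat else 0}

# Constructed input: the spec of the 'Large VPC with Small Subnets' example above.
SEGMENTED_SPEC = {"region": "ap-southeast-1", "vpcCidr": "172.16.0.0/20",
                  "availabilityZones": ["ap-southeast-1a", "ap-southeast-1b"],
                  "subnetsPerAvailabilityZone": 3, "subnetSize": 28}

if __name__ == "__main__":
    for kind, subnets in plan_subnets(SEGMENTED_SPEC).items():
        for s in subnets:
            print(f"{s['name']:<36} {s['cidr']:<18} usable={s['usable']}")
    print(count_resources(SEGMENTED_SPEC))
```

The usable count subtracts the five addresses AWS reserves in every subnet, so a /28 yields 11 hosts rather than 16; the error paths show which spec values the Configuration Reference validation would reject.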

Stack Outputs

After deployment, the following outputs are available in status.outputs:

  • vpc_id (string): ID of the created VPC
  • internet_gateway_id (string): ID of the Internet Gateway attached to the VPC
  • vpc_cidr (string): CIDR block associated with the VPC
  • public_subnets (AwsVpcSubnetStackOutputs[]): List of public subnet details (see below)
  • private_subnets (AwsVpcSubnetStackOutputs[]): List of private subnet details (see below)

Each subnet entry in public_subnets and private_subnets contains:

  • name (string): Name of the subnet (e.g., public-subnet-us-east-1a-0)
  • id (string): AWS subnet ID
  • cidr (string): CIDR block of the subnet
  • nat_gateway.id (string): NAT Gateway ID (public subnets only, when NAT is enabled)
  • nat_gateway.private_ip (string): NAT Gateway private IP address
  • nat_gateway.public_ip (string): NAT Gateway public IP (Elastic IP) address

Related Components

  • AwsSecurityGroup — controls network traffic for resources deployed in the VPC
  • AwsAlb — deploys an Application Load Balancer in the VPC's subnets
  • AwsEksCluster — deploys a Kubernetes cluster in the VPC
  • AwsClientVpn — provides VPN access into the VPC
  • AwsEc2Instance — launches EC2 instances in the VPC's subnets
