opensearch-project · peternied · Nov 20, 2024 · Nov 19, 2024 · Nov 19, 2024 · Nov 19, 2024
@@ -165,7 +165,8 @@ export class MigrationAssistanceStack extends Stack {
 
         const streamingSecurityGroup = new SecurityGroup(this, 'trafficStreamSourceSG', {
             vpc: props.vpc,
-            allowAllOutbound: false
+            allowAllOutbound: false,
+            allowAllIpv6Outbound: false,
         });
         streamingSecurityGroup.addIngressRule(streamingSecurityGroup, Port.allTraffic())
         createMigrationStringParameter(this, streamingSecurityGroup.securityGroupId, {
@@ -180,6 +181,7 @@ export class MigrationAssistanceStack extends Stack {
         const sharedLogsSG = new SecurityGroup(this, 'sharedLogsSG', {
             vpc: props.vpc,
             allowAllOutbound: false,
+            allowAllIpv6Outbound: false,
         });
         sharedLogsSG.addIngressRule(sharedLogsSG, Port.allTraffic());
 
@@ -205,6 +207,7 @@ export class MigrationAssistanceStack extends Stack {
             vpc: props.vpc,
             // Required for retrieving ECR image at service startup
             allowAllOutbound: true,
+            allowAllIpv6Outbound: true,
         })
         serviceSecurityGroup.addIngressRule(serviceSecurityGroup, Port.allTraffic());
 

@@ -252,6 +252,7 @@ export class NetworkStack extends Stack {
             const defaultSecurityGroup = new SecurityGroup(this, 'osClusterAccessSG', {
                 vpc: this.vpc,
                 allowAllOutbound: false,
+                allowAllIpv6Outbound: false,
             });
             defaultSecurityGroup.addIngressRule(defaultSecurityGroup, Port.allTraffic());
 

@@ -11,14 +11,21 @@ import {Construct} from 'constructs';
 import {
     BlockDeviceVolume,
     CloudFormationInit,
+    GatewayVpcEndpoint,
+    GatewayVpcEndpointAwsService,
+    IVpc,
     InitCommand,
     InitElement,
     InitFile,
     Instance,
     InstanceClass,
     InstanceSize,
     InstanceType,
+    InterfaceVpcEndpoint,
+    InterfaceVpcEndpointAwsService,
+    IpProtocol,
     MachineImage,
+    SecurityGroup,
     Vpc
 } from "aws-cdk-lib/aws-ec2";
 import {InstanceProfile, ManagedPolicy, Role, ServicePrincipal} from "aws-cdk-lib/aws-iam";
@@ -79,7 +86,7 @@ function addParameterLabel(labels: Record<string, ParameterLabel>, parameter: Cf
     labels[parameter.logicalId] = {"default": labelName}
 }
 
-function importVPC(stack: Stack, vpdIdParameter: CfnParameter, availabilityZonesParameter: CfnParameter, privateSubnetIdsParameter: CfnParameter) {
+function importVPC(stack: Stack, vpdIdParameter: CfnParameter, availabilityZonesParameter: CfnParameter, privateSubnetIdsParameter: CfnParameter): IVpc {
     const availabilityZones = availabilityZonesParameter.valueAsList
     const privateSubnetIds = privateSubnetIdsParameter.valueAsList
     return Vpc.fromVpcAttributes(stack, 'ImportedVPC', {
@@ -95,6 +102,14 @@ function generateExportString(exports:  Record<string, string>): string {
         .join("; ");
 }
 
+function getVpcEndpointForEFS(stack: Stack): InterfaceVpcEndpointAwsService {
+    const isGovRegion = stack.region?.startsWith('us-gov-')
+    if (isGovRegion) {
+        return InterfaceVpcEndpointAwsService.ELASTIC_FILESYSTEM_FIPS;
+    }
+    return InterfaceVpcEndpointAwsService.ELASTIC_FILESYSTEM;
+}
+
 export class SolutionsInfrastructureStack extends Stack {
 
     constructor(scope: Construct, id: string, props: SolutionsInfrastructureStackProps) {
@@ -162,9 +177,33 @@ export class SolutionsInfrastructureStack extends Stack {
             role: bootstrapRole
         })
 
-        let vpc;
+        let vpc: IVpc;
         if (props.createVPC) {
-            vpc = new Vpc(this, 'Vpc', {});
+            vpc = new Vpc(this, 'Vpc', {
+                ipProtocol: IpProtocol.DUAL_STACK
+            });
+            // S3 used for storage and retrieval of snapshot data for backfills
+            new GatewayVpcEndpoint(this, 'S3VpcEndpoint', {
+                service: GatewayVpcEndpointAwsService.S3,
+                vpc: vpc,
+            });
+
+            const serviceEndpoints = [
+                // Logs and disk usage scales based on total data transfer 
+                InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS,
+                getVpcEndpointForEFS(this),
+
+                // Elastic container registry is used for all images in the solution
+                InterfaceVpcEndpointAwsService.ECR,
+                InterfaceVpcEndpointAwsService.ECR_DOCKER,
+            ];
+
+            serviceEndpoints.forEach(service => {
+                new InterfaceVpcEndpoint(this, `${service.shortName}VpcEndpoint`, {
+                    service,
+                    vpc: vpc,
+                });
+            })
         }
         else {
             const vpcIdParameter = new CfnParameter(this, 'VPCId', {
@@ -201,6 +240,11 @@ export class SolutionsInfrastructureStack extends Stack {
             }),
         ]
 
+        const securityGroup = new SecurityGroup(this, 'BootstrapSecurityGroup', {
+            vpc: vpc,
+            allowAllOutbound: true,
+            allowAllIpv6Outbound: true,
+        });
         new Instance(this, 'BootstrapEC2Instance', {
             vpc: vpc,
             vpcSubnets: {
@@ -220,6 +264,7 @@ export class SolutionsInfrastructureStack extends Stack {
             initOptions: {
                 printLog: true,
             },
+            securityGroup
         });
 
         const dynamicEc2ImageParameter = this.node.findAll()