
How Do I Build an AWS EC2 VPC Endpoint With Pulumi?

Introduction

Creating a Virtual Private Cloud (VPC) Endpoint with Pulumi is an essential step for securely connecting your VPC to AWS services. By doing so, you can access these services without the need for an internet gateway, NAT device, VPN connection, or AWS Direct Connect. This guide will walk you through the process of setting up a VPC Endpoint using Pulumi in TypeScript, highlighting its importance in enhancing security and efficiency in your cloud infrastructure.

Key Points

  • We will create a VPC with both public and private subnets.
  • A VPC Endpoint will be created and associated with the private subnets.
  • This setup allows secure access to AWS services without internet exposure.

Step-by-Step Process

  1. Create a VPC: Begin by defining a VPC with DNS support and hostnames enabled. Assign a CIDR block for the network range.

  2. Set Up an Internet Gateway: Attach an internet gateway to the VPC to facilitate internet access for public subnets.

  3. Define Subnets: Create both public and private subnets within the VPC, each with its own CIDR block. The public subnet is configured to assign a public IP to instances at launch (mapPublicIpOnLaunch); the private subnet is not.

  4. Configure Route Tables: Establish a route table for the public subnet, directing traffic to the internet gateway.

  5. Associate Route Table: Link the public route table with the public subnet to manage its traffic.

  6. Create a VPC Endpoint: Set up a gateway-type VPC Endpoint for an AWS service (e.g., S3). A gateway endpoint is attached to route tables rather than placed in a subnet: AWS adds a route for the service's prefix list to every route table you list, so the private subnet can reach S3 privately only if the route table it is associated with is included. The public route table is listed as well, so S3 traffic from the public subnet also bypasses the internet gateway.

  7. Export Resources: Finally, export the VPC ID and VPC Endpoint ID for reference and further configuration.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a VPC
const vpc = new aws.ec2.Vpc("myVpc", {
    cidrBlock: "10.0.0.0/16",
    enableDnsSupport: true,
    enableDnsHostnames: true,
    tags: { Name: "myVpc" },
});

// Create an Internet Gateway
const internetGateway = new aws.ec2.InternetGateway("myInternetGateway", {
    vpcId: vpc.id,
    tags: { Name: "myInternetGateway" },
});

// Create a Public Subnet
const publicSubnet = new aws.ec2.Subnet("myPublicSubnet", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
    mapPublicIpOnLaunch: true,
    tags: { Name: "myPublicSubnet" },
});

// Create a Private Subnet
const privateSubnet = new aws.ec2.Subnet("myPrivateSubnet", {
    vpcId: vpc.id,
    cidrBlock: "10.0.2.0/24",
    tags: { Name: "myPrivateSubnet" },
});

// Create a Route Table for the Public Subnet
const publicRouteTable = new aws.ec2.RouteTable("myPublicRouteTable", {
    vpcId: vpc.id,
    routes: [
        {
            cidrBlock: "0.0.0.0/0",
            gatewayId: internetGateway.id,
        },
    ],
    tags: { Name: "myPublicRouteTable" },
});

// Associate the Public Route Table with the Public Subnet
new aws.ec2.RouteTableAssociation("myPublicRouteTableAssociation", {
    subnetId: publicSubnet.id,
    routeTableId: publicRouteTable.id,
});

// Create a Route Table for the Private Subnet. It has no default route, so the subnet
// stays isolated from the internet; the endpoint below adds the S3 prefix-list route to it.
const privateRouteTable = new aws.ec2.RouteTable("myPrivateRouteTable", {
    vpcId: vpc.id,
    tags: { Name: "myPrivateRouteTable" },
});

// Associate the Private Route Table with the Private Subnet
new aws.ec2.RouteTableAssociation("myPrivateRouteTableAssociation", {
    subnetId: privateSubnet.id,
    routeTableId: privateRouteTable.id,
});

// Create a Gateway VPC Endpoint for S3. Gateway endpoints attach to route tables, not
// subnets: listing the private route table is what gives the private subnet its path to S3.
const vpcEndpoint = new aws.ec2.VpcEndpoint("myVpcEndpoint", {
    vpcId: vpc.id,
    // Resolve the provider's region rather than relying on a config value that may be unset.
    serviceName: pulumi.interpolate`com.amazonaws.${aws.getRegionOutput().name}.s3`,
    vpcEndpointType: "Gateway",
    routeTableIds: [publicRouteTable.id, privateRouteTable.id],
    tags: { Name: "myVpcEndpoint" },
});

// Export the VPC ID and VPC Endpoint ID
export const vpcId = vpc.id;
export const vpcEndpointId = vpcEndpoint.id;
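The endpoint above is created without a `policy`, so it receives AWS's default full-access endpoint policy: anything in the VPC can reach any S3 bucket through it, not just your own. The TypeScript below is an added example, not part of the original program; it builds a least-privilege endpoint policy for named buckets (the bucket name is a constructed placeholder) plus a pre-deployment check that flags a full-access policy, imports no Pulumi packages so it runs stand-alone, and produces the JSON string you would pass as the `policy` argument of `aws.ec2.VpcEndpoint`.

```typescript
// Added example, not part of the original Pulumi program. Bucket names are
// constructed placeholders. No Pulumi packages are imported, so this runs stand-alone.

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Principal: "*" | Record<string, string | string[]>;
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

// Build an endpoint policy that permits only the listed buckets. Without a policy the
// gateway endpoint gets AWS's default full-access policy, and every S3 bucket (including
// ones outside the account) becomes reachable from the private subnet.
function s3EndpointPolicy(bucketNames: string[]): PolicyDocument {
  if (bucketNames.length === 0) {
    throw new Error("at least one bucket name is required");
  }
  const resources: string[] = [];
  for (const b of bucketNames) {
    resources.push(`arn:aws:s3:::${b}`, `arn:aws:s3:::${b}/*`);
  }
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: "*",
      Action: ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      Resource: resources,
    }],
  };
}

// Pre-deployment check: true if any Allow statement grants every S3 action on every
// resource, which is what the default endpoint policy looks like.
function isFullAccessPolicy(doc: PolicyDocument): boolean {
  const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);
  return doc.Statement.some((s) =>
    s.Effect === "Allow" &&
    asList(s.Action).some((a) => a === "*" || a === "s3:*") &&
    asList(s.Resource).some((r) => r === "*" || r === "arn:aws:s3:::*"));
}

// In the Pulumi program, pass the serialized document as the endpoint's `policy` argument:
//   new aws.ec2.VpcEndpoint("myVpcEndpoint", { ..., policy: endpointPolicyJson })
const endpointPolicyJson: string = JSON.stringify(s3EndpointPolicy(["example-app-data"]), null, 2);
```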

Summary

In this guide, we created a VPC with public and private subnets and a gateway VPC Endpoint for S3. Because the endpoint is attached to the subnets' route tables, S3 requests from the private subnet travel over the AWS network rather than through an internet gateway or NAT device. This keeps that traffic off the public internet and simplifies connectivity within your AWS infrastructure.
