feat(ec2): support network interface L2

[WinterYukky]

What change?

Add ec2.NetworkInterface L2 constructs and ec2.Instance.addNetworkInterface() method.

Why need this change?

There are three reasons.

1. Currently (v2.124.0), ec2.Instance doesn't support additional IPv4 address. It is hard in the cace of advanced network architects (e.g. Multi-VPC ENI Attacements). To support network interface L2 is very usefull.
2. L2 interface (INetworkInterface) is neccesarry to support other L2 resources that using network interface such as VerifiedAccess Endpoint.
3. A created network interface by ec2.Instance can not get ID of network interface. Customers who need a network interface ID wants configure network interface at initialize ec2.Instance.

How to use this?

Following document is README.md.

Network Interface

You can attach additional network interfaces to an EC2 instance. Attaching multiple network interfaces to an instance is useful when you want to:

• Create a management network.
• Use network and security appliances in your Virtual Private Cloud (VPC).
• Create dual-homed instances with workloads/roles on distinct subnets.
• Create a low-budget, high-availability solution.

The following code how to add additional network interfaces for an EC2 instance.

declare const vpc: ec2.IVpc;
declare const instance: ec2.Instance;

const eni1 = new ec2.NetworkInterface(this, 'NetworkInterface', {
  vpc,
});
// device index is ordered by default
instance.addNetworkInterface(eni1);

// or, you can also specify the device index
declare const eni2: ec2.INetworkInterface;
instance.addNetworkInterface(eni2, {
  deviceIndex: 3,
});

You can also assign private IPv4 address from prefixes or specific IPv4 addresses.
The following code assigns IPv4 address from prefixes.

declare const vpc: ec2.IVpc;

new ec2.NetworkInterface(this, 'NetworkInterface', {
  vpc,
  ipv4: ec2.Ipv4Assign.fromPrefixes('10.0.0.0/28', '10.1.0.0/28')
    .addPrimaryAddress('10.0.0.10'),
});

For more information see Scenarios for network interfaces.

Design decision-making

Additional network interfaces are not allow modify security group rules by ec2.Instance.connections.allowXxx(). For allow network interface security group rules, customers must explicitly allow it in the security group of the network interface. This decision because, I think customers such as using network interface are need advanced networking architects, they wants specify security groups every network interfaces.

declare const instance: ec2.Instance; 
declare const eni: ec2.INetworkInterface; 

Instance.addNetworkInterface(eni); 

// This code does not allow eni.securityGroup ingress. 
instance.connections.allowFromAnyIpv4Address(ec2.Port.tcp(80)); 

// For allow eni.securityGroup ingress, allow individually network interfaces. 
eni.connections.allowFromAnyIpv4Address(ec2.Port.tcp(80)); 

What to do and what not to do in this PR

For minimize this PR size, I implement part of features. Not implemented features will implement at another PR after marged this.

Do

• Implement ec2.NetworkInterface construct
• Define ec2.INetworkInterface construct interface
• Implement ec2.Instance.addNetworkInterface() method
• Implement using existing network interface feature (i.e. NetworkInterface.fromNetworkInterfaceAttributes() )

Do not

• EIP support
• IPv6 support
• attach network interface as primary network interface of EC2 instance

Ref

• Scenarios for network interfaces

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[aws-cdk-automation]

This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[otaviomacedo]

I suggest we hold off on this PR, as there is a more comprehensive one in progress right now. For more information, check out the RFC.

[aws-cdk-automation]

This PR has been in the MERGE CONFLICTS state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[shikha372]

could you help me understand why do we need a dummy class here ?

[shikha372]

can a same network interface be attached to two instance? i think not.. let me know if that's not the case.
instead of taking a network interface as an argument, create a new one with and take in the parameters that are required to create n/w interface

[aws-cdk-automation]

This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[aws-cdk-automation]

This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[aws-cdk-automation]

This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. Note that PRs with failing linting check or builds are not reviewed, please ensure your build is passing

To prevent automatic closure:

• Resume work on the PR
• OR request an exemption by adding a comment containing 'Exemption Request' with justification e.x "Exemption Request: "
• OR request clarification by adding a comment containing 'Clarification Request' with a question e.x "Clarification Request: "

This PR will automatically close in 7 days if no action is taken.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: a08ce3f
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[ozelalisen]

Thank you for your contribution! Since there is now a more comprehensive solution with the VpcV2 construct that has been merged, I suggest we close this PR. If you have additional network interface improvements you'd like to propose, please feel free to open new PRs against the VpcV2 construct at package.

Closing this PR to avoid duplicate implementations.

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.