Vpc

The Vpc component lets you add a VPC to your app. It uses Amazon VPC. This is useful for services like RDS and Fargate that need to be hosted inside a VPC.

This creates a VPC with 2 Availability Zones by default. It also creates the following resources:

1. A default security group blocking all incoming internet traffic.
2. A public subnet in each AZ.
3. A private subnet in each AZ.
4. An Internet Gateway. All the traffic from the public subnets are routed through it.
5. If nat is enabled, a NAT Gateway or NAT instance in each AZ. All the traffic from the private subnets are routed to the NAT in the same AZ.

Note

By default, this does not create NAT Gateways or NAT instances.

Create a VPC

sst.config.ts

new sst.aws.Vpc("MyVPC");

Create it with 3 Availability Zones

sst.config.ts

new sst.aws.Vpc("MyVPC", {
  az: 3
});

Enable NAT

sst.config.ts

new sst.aws.Vpc("MyVPC", {
  nat: "managed"
});

---

Cost

By default, this component is free. Following is the cost to enable the nat or bastion options.

Managed NAT

If you enable nat with the managed option, it uses a NAT Gateway per az at $0.045 per hour, and $0.045 per GB processed per month.

That works out to a minimum of $0.045 x 2 x 24 x 30 or $65 per month. Adjust this for the number of az and add $0.045 per GB processed per month.

The above are rough estimates for us-east-1, check out the NAT Gateway pricing for more details.

EC2 NAT

If you enable nat with the ec2 option, it uses t4g.nano EC2 On Demand instances per az at $0.0042 per hour, and $0.09 per GB processed per month for the first 10TB.

That works out to a minimum of $0.0042 x 2 x 24 x 30 or $6 per month. Adjust this for the nat.ec2.instance you are using and add $0.09 per GB processed per month.

The above are rough estimates for us-east-1, check out the EC2 On-Demand pricing and the EC2 Data Transfer pricing for more details.

Bastion

If you enable bastion, it uses a single t4g.nano EC2 On Demand instance at $0.0042 per hour, and $0.09 per GB processed per month for the first 10TB.

That works out to $0.0042 x 24 x 30 or $3 per month. Add $0.09 per GB processed per month.

However if nat: "ec2" is enabled, one of the NAT EC2 instances will be reused; making this free.

The above are rough estimates for us-east-1, check out the EC2 On-Demand pricing and the EC2 Data Transfer pricing for more details.

---

Constructor

new Vpc(name, args?, opts?)

Parameters

• name string

• args? VpcArgs

• opts? ComponentResourceOptions

VpcArgs

az?

Type Input<number>

Default 2

Number of Availability Zones or AZs for the VPC. By default, it creates a VPC with 2 availability zones since services like RDS and Fargate need at least 2 AZs.

{
  az: 3
}

bastion?

Type Input<boolean>

Default false

Configures a bastion host that can be used to connect to resources in the VPC.

When enabled, an EC2 instance of type t4g.nano with the bastion AMI will be launched in a public subnet. The instance will have AWS SSM (AWS Session Manager) enabled for secure access without the need for SSH key.

It costs roughly $3 per month to run the t4g.nano instance.

Note

If nat: "ec2" is enabled, the bastion host will reuse the NAT EC2 instance.

However if nat: "ec2" is enabled, the EC2 instance that NAT creates will be used as the bastion host. No additional EC2 instance will be created.

If you are running sst dev, a tunnel will be automatically created to the bastion host. This uses a network interface to forward traffic from your local machine to the bastion host.

You can learn more about sst tunnel.

{
  bastion: true
}

nat?

Type Input<“ec2” | “managed” | Object>

• ec2 Input<Object>

  • instance

Default NAT is disabled

Configures NAT. Enabling NAT allows resources in private subnets to connect to the internet.

There are two NAT options:

1. "managed" creates a NAT Gateway
2. "ec2" creates an EC2 instance with the fck-nat AMI

For "managed", a NAT Gateway is created in each AZ. All the traffic from the private subnets are routed to the NAT Gateway in the same AZ.

NAT Gateways are billed per hour and per gigabyte of data processed. A NAT Gateway for two AZs costs $65 per month. This is relatively expensive but it automatically scales based on the traffic.

For "ec2", an EC2 instance of type t4g.nano will be launched in each AZ with the fck-nat AMI. All the traffic from the private subnets are routed to the Elastic Network Interface (ENI) of the EC2 instance in the same AZ.

Tip

The "ec2" option uses fck-nat and is 10x cheaper than the "managed" NAT Gateway.

NAT EC2 instances are much cheaper than NAT Gateways, the t4g.nano instance type is around $3 per month. But you’ll need to scale it up manually if you need more bandwidth.

{
  nat: "managed"
}

nat.ec2

Type Input<Object>

Default {instance: “t4g.nano”}

Configures the NAT EC2 instance.

{
  nat: {
    ec2: {
      instance: "t4g.large"
    }
  }
}

nat.ec2.instance

Type Input<string>

Default “t4g.nano”

The type of instance to use for the NAT.

transform?

Type Object

• bastionInstance?

• elasticIp?

• internetGateway?

• natGateway?

• natInstance?

• privateRouteTable?

• privateSubnet?

• publicRouteTable?

• publicSubnet?

• securityGroup?

• vpc?

Transform how this component creates its underlying resources.

transform.bastionInstance?

Type InstanceArgs | (args: InstanceArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 bastion instance resource.

transform.elasticIp?

Type EipArgs | (args: EipArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 Elastic IP resource.

transform.internetGateway?

Type InternetGatewayArgs | (args: InternetGatewayArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 Internet Gateway resource.

transform.natGateway?

Type NatGatewayArgs | (args: NatGatewayArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 NAT Gateway resource.

transform.natInstance?

Type InstanceArgs | (args: InstanceArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 NAT instance resource.

transform.privateRouteTable?

Type RouteTableArgs | (args: RouteTableArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 route table resource for the private subnet.

transform.privateSubnet?

Type SubnetArgs | (args: SubnetArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 private subnet resource.

transform.publicRouteTable?

Type RouteTableArgs | (args: RouteTableArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 route table resource for the public subnet.

transform.publicSubnet?

Type SubnetArgs | (args: SubnetArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 public subnet resource.

transform.securityGroup?

Type SecurityGroupArgs | (args: SecurityGroupArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 Security Group resource.

transform.vpc?

Type VpcArgs | (args: VpcArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 VPC resource.

Properties

bastion

Type Output<string>

The bastion instance ID.

id

Type Output<string>

The VPC ID.

nodes

Type Object

• bastionInstance

• cloudmapNamespace

• elasticIps

• internetGateway

• natGateways

• natInstances

• privateRouteTables

• privateSubnets

• publicRouteTables

• publicSubnets

• securityGroup

• vpc

The underlying resources this component creates.

nodes.bastionInstance

Type Output<undefined | Instance>

The Amazon EC2 bastion instance.

nodes.cloudmapNamespace

Type PrivateDnsNamespace

The AWS Cloudmap namespace.

nodes.elasticIps

Type Output<Eip[]>

The Amazon EC2 Elastic IP.

nodes.internetGateway

Type InternetGateway

The Amazon EC2 Internet Gateway.

nodes.natGateways

Type Output<NatGateway[]>

The Amazon EC2 NAT Gateway.

nodes.natInstances

Type Output<Instance[]>

The Amazon EC2 NAT instances.

nodes.privateRouteTables

Type Output<RouteTable[]>

The Amazon EC2 route table for the private subnet.

nodes.privateSubnets

Type Output<Subnet[]>

The Amazon EC2 private subnet.

nodes.publicRouteTables

Type Output<RouteTable[]>

The Amazon EC2 route table for the public subnet.

nodes.publicSubnets

Type Output<Subnet[]>

The Amazon EC2 public subnet.

nodes.securityGroup

Type SecurityGroup

The Amazon EC2 Security Group.

nodes.vpc

Type Vpc

The Amazon EC2 VPC.

privateSubnets

Type Output<Output<string>[]>

A list of private subnet IDs in the VPC.

publicSubnets

Type Output<Output<string>[]>

A list of public subnet IDs in the VPC.

securityGroups

Type Output<string>[]

A list of VPC security group IDs.

SDK

Use the SDK in your runtime to interact with your infrastructure.

---

Links

This is accessible through the Resource object in the SDK.

• bastion undefined | Output<string>

  The bastion instance ID.

Methods

static get

Vpc.get(name, vpcId, opts?)

Parameters

• name string

  The name of the component.

• vpcId Input<string>

  The ID of the existing VPC.

• opts? ComponentResourceOptions

Returns Output<Vpc>

Reference an existing VPC with the given ID. This is useful when you create a VPC in one stage and want to share it in another stage. It avoids having to create a new VPC in the other stage.

Tip

You can use the static get method to share VPCs across stages.

Imagine you create a VPC in the dev stage. And in your personal stage frank, instead of creating a new VPC, you want to share the VPC from dev.

sst.config.ts

const vpc = $app.stage === "frank"
  ? sst.aws.Vpc.get("MyVPC", "vpc-0be8fa4de860618bb")
  : new sst.aws.Vpc("MyVPC");

Here vpc-0be8fa4de860618bb is the ID of the VPC created in the dev stage. You can find this by outputting the VPC ID in the dev stage.

sst.config.ts

return {
  vpc: vpc.id
};