Skip to content
SST
Blog Docs Console Examples
22K

Vpc

Reference doc for the `sst.aws.Vpc` component.

The Vpc component lets you add a VPC to your app. It uses Amazon VPC. This is useful for services like RDS and Fargate that need to be hosted inside a VPC.

This creates a VPC with 2 Availability Zones by default. It also creates the following resources:

  1. A default security group blocking all incoming internet traffic.
  2. A public subnet in each AZ.
  3. A private subnet in each AZ.
  4. An Internet Gateway. All the traffic from the public subnets are routed through it.
  5. If nat is enabled, a NAT Gateway or NAT instance in each AZ. All the traffic from the private subnets are routed to the NAT in the same AZ.

Create a VPC

sst.config.ts
new sst.aws.Vpc("MyVPC");

Create it with 3 Availability Zones

sst.config.ts
new sst.aws.Vpc("MyVPC", {
  az: 3
});

Enable NAT

sst.config.ts
new sst.aws.Vpc("MyVPC", {
  nat: "managed"
});

Cost

By default, this component is free. Following is the cost to enable the nat or bastion options.

Managed NAT

If you enable nat with the managed option, it uses a NAT Gateway per az at $0.045 per hour, and $0.045 per GB processed per month.

That works out to a minimum of $0.045 x 2 x 24 x 30 or $65 per month. Adjust this for the number of az and add $0.045 per GB processed per month.

The above are rough estimates for us-east-1, check out the NAT Gateway pricing for more details. Standard data transfer charges apply.

EC2 NAT

If you enable nat with the ec2 option, it uses t4g.nano EC2 On Demand instances per az at $0.0042 per hour, and $0.09 per GB processed per month for the first 10TB.

That works out to a minimum of $0.0042 x 2 x 24 x 30 or $6 per month. Adjust this for the nat.ec2.instance you are using and add $0.09 per GB processed per month.

The above are rough estimates for us-east-1, check out the EC2 On-Demand pricing and the EC2 Data Transfer pricing for more details.

Bastion

If you enable bastion, it uses a single t4g.nano EC2 On Demand instance at $0.0042 per hour, and $0.09 per GB processed per month for the first 10TB.

That works out to $0.0042 x 24 x 30 or $3 per month. Add $0.09 per GB processed per month.

However if nat: "ec2" is enabled, one of the NAT EC2 instances will be reused; making this free.

The above are rough estimates for us-east-1, check out the EC2 On-Demand pricing and the EC2 Data Transfer pricing for more details.

Constructor

new Vpc(name, args?, opts?)

Parameters

VpcArgs

az?

Type Input<number | Input<string>[]>

Default 2

Specify the Availability Zones or AZs for the VPC.

You can specify a number of AZs or a list of AZs. If you specify a number, it will look up the availability zones in the region and automatically select that number of AZs. If you specify a list of AZs, it will use that list of AZs.

By default, it creates a VPC with 2 availability zones since services like RDS and Fargate need at least 2 AZs.

Create a VPC with 3 AZs

{
  az: 3
}

Create a VPC with specific AZs

{
  az: ["us-east-1a", "us-east-1b"]
}

bastion?

Type Input<boolean>

Default false

Configures a bastion host that can be used to connect to resources in the VPC.

When enabled, an EC2 instance of type t4g.nano with the bastion AMI will be launched in a public subnet. The instance will have AWS SSM (AWS Session Manager) enabled for secure access without the need for SSH key.

It costs roughly $3 per month to run the t4g.nano instance.

However if nat: "ec2" is enabled, the EC2 instance that NAT creates will be used as the bastion host. No additional EC2 instance will be created.

If you are running sst dev, a tunnel will be automatically created to the bastion host. This uses a network interface to forward traffic from your local machine to the bastion host.

You can learn more about sst tunnel.

{
  bastion: true
}

nat?

Type Input<ec2 | managed | Object>

Default NAT is disabled

Configures NAT. Enabling NAT allows resources in private subnets to connect to the internet.

There are two NAT options:

  1. "managed" creates a NAT Gateway
  2. "ec2" creates an EC2 instance with the fck-nat AMI

For "managed", a NAT Gateway is created in each AZ. All the traffic from the private subnets are routed to the NAT Gateway in the same AZ.

NAT Gateways are billed per hour and per gigabyte of data processed. A NAT Gateway for two AZs costs $65 per month. This is relatively expensive but it automatically scales based on the traffic.

For "ec2", an EC2 instance of type t4g.nano will be launched in each AZ with the fck-nat AMI. All the traffic from the private subnets are routed to the Elastic Network Interface (ENI) of the EC2 instance in the same AZ.

NAT EC2 instances are much cheaper than NAT Gateways, the t4g.nano instance type is around $3 per month. But you’ll need to scale it up manually if you need more bandwidth.

{
  nat: "managed"
}

nat.ec2

Type Input<Object>

Default {instance: “t4g.nano”}

Configures the NAT EC2 instance.

{
  nat: {
    ec2: {
      instance: "t4g.large"
    }
  }
}
nat.ec2.ami?

Type Input<string>

Default The latest fck-nat AMI

The AMI to use for the NAT.

By default, the latest public fck-nat AMI is used. However, if the AMI is not available in the region you are deploying to or you want to use a custom AMI, you can specify a different AMI.

{
  nat: {
    ec2: {
      ami: "ami-1234567890abcdef0"
    }
  }
}
nat.ec2.instance

Type Input<string>

Default “t4g.nano”

The type of instance to use for the NAT.

transform?

Type Object

Transform how this component creates its underlying resources.

transform.bastionInstance?

Type InstanceArgs | (args: InstanceArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 bastion instance resource.

transform.bastionSecurityGroup?

Type SecurityGroupArgs | (args: SecurityGroupArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 bastion security group resource.

transform.elasticIp?

Type EipArgs | (args: EipArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 Elastic IP resource.

transform.internetGateway?

Type InternetGatewayArgs | (args: InternetGatewayArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 Internet Gateway resource.

transform.natGateway?

Type NatGatewayArgs | (args: NatGatewayArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 NAT Gateway resource.

transform.natInstance?

Type InstanceArgs | (args: InstanceArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 NAT instance resource.

transform.privateRouteTable?

Type RouteTableArgs | (args: RouteTableArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 route table resource for the private subnet.

transform.privateSubnet?

Type SubnetArgs | (args: SubnetArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 private subnet resource.

transform.publicRouteTable?

Type RouteTableArgs | (args: RouteTableArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 route table resource for the public subnet.

transform.publicSubnet?

Type SubnetArgs | (args: SubnetArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 public subnet resource.

transform.securityGroup?

Type SecurityGroupArgs | (args: SecurityGroupArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 Security Group resource.

transform.vpc?

Type VpcArgs | (args: VpcArgs, opts: ComponentResourceOptions, name: string) => void

Transform the EC2 VPC resource.

Properties

bastion

Type Output<string>

The bastion instance ID.

id

Type Output<string>

The VPC ID.

nodes

Type Object

The underlying resources this component creates.

nodes.bastionInstance

Type Output<undefined | Instance>

The Amazon EC2 bastion instance.

nodes.cloudmapNamespace

Type PrivateDnsNamespace

The AWS Cloudmap namespace.

nodes.elasticIps

Type Output<Eip[]>

The Amazon EC2 Elastic IP.

nodes.internetGateway

Type InternetGateway

The Amazon EC2 Internet Gateway.

nodes.natGateways

Type Output<NatGateway[]>

The Amazon EC2 NAT Gateway.

nodes.natInstances

Type Output<Instance[]>

The Amazon EC2 NAT instances.

nodes.privateRouteTables

Type Output<RouteTable[]>

The Amazon EC2 route table for the private subnet.

nodes.privateSubnets

Type Output<Subnet[]>

The Amazon EC2 private subnet.

nodes.publicRouteTables

Type Output<RouteTable[]>

The Amazon EC2 route table for the public subnet.

nodes.publicSubnets

Type Output<Subnet[]>

The Amazon EC2 public subnet.

nodes.securityGroup

Type SecurityGroup

The Amazon EC2 Security Group.

nodes.vpc

Type Vpc

The Amazon EC2 VPC.

privateSubnets

Type Output<Output<string>[]>

A list of private subnet IDs in the VPC.

publicSubnets

Type Output<Output<string>[]>

A list of public subnet IDs in the VPC.

securityGroups

Type Output<Output<string>[]>

A list of VPC security group IDs.

SDK

Use the SDK in your runtime to interact with your infrastructure.

This is accessible through the Resource object in the SDK.

  • bastion undefined | string

    The bastion instance ID.

Methods

static get

Vpc.get(name, vpcId, opts?)

Parameters

Returns Vpc

Reference an existing VPC with the given ID. This is useful when you create a VPC in one stage and want to share it in another stage. It avoids having to create a new VPC in the other stage.

Imagine you create a VPC in the dev stage. And in your personal stage frank, instead of creating a new VPC, you want to share the VPC from dev.

sst.config.ts
const vpc = $app.stage === "frank"
  ? sst.aws.Vpc.get("MyVPC", "vpc-0be8fa4de860618bb")
  : new sst.aws.Vpc("MyVPC");

Here vpc-0be8fa4de860618bb is the ID of the VPC created in the dev stage. You can find this by outputting the VPC ID in the dev stage.

sst.config.ts
return {
  vpc: vpc.id
};