2025/11/20 - Amazon Elastic Compute Cloud - 14 new, 37 updated API methods
Changes: This release adds support for multiple features including: VPC Encryption Control for the status of traffic flow; S2S VPN BGP Logging; TGW Flexible Costs; IPAM allocation of static IPs from IPAM pools to CF Anycast IP lists used on CloudFront distribution; and EBS Volume Integration with Recycle Bin
Creates a VPC Encryption Control configuration for a specified VPC. VPC Encryption Control enables you to enforce encryption for all data in transit within and between VPCs to meet compliance requirements for standards like HIPAA, FedRAMP, and PCI DSS.
For more information, see Enforce VPC encryption in transit in the Amazon VPC User Guide.
See also: AWS API Documentation
Request Syntax
client.create_vpc_encryption_control(
DryRun=True|False,
VpcId='string',
TagSpecifications=[
{
'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'image-usage-report'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'outpost-lag'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'service-link-virtual-interface'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-metering-policy'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'vpc-encryption-control'|'route-server'|'route-server-endpoint'|'route-server-peer'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token'|'capacity-block'|'mac-modification-task'|'ipam-prefix-list-resolver'|'ipam-policy'|'ipam-prefix-list-resolver-target'|'capacity-manager-data-export'|'vpn-concentrator',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
]
)
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
VpcId (string) --
[REQUIRED]
The ID of the VPC for which to create the encryption control configuration.
TagSpecifications (list) --
The tags to apply to the VPC Encryption Control resource.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
Return type: dict
Response Syntax
{
'VpcEncryptionControl': {
'VpcId': 'string',
'VpcEncryptionControlId': 'string',
'Mode': 'monitor'|'enforce',
'State': 'enforce-in-progress'|'monitor-in-progress'|'enforce-failed'|'monitor-failed'|'deleting'|'deleted'|'available'|'creating'|'delete-failed',
'StateMessage': 'string',
'ResourceExclusions': {
'InternetGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'EgressOnlyInternetGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'NatGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VirtualPrivateGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VpcPeering': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'Lambda': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VpcLattice': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'ElasticFileSystem': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
}
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
}
}
Response Structure
(dict) --
VpcEncryptionControl (dict) --
Information about the VPC Encryption Control configuration.
VpcId (string) --
The ID of the VPC associated with the encryption control configuration.
VpcEncryptionControlId (string) --
The ID of the VPC Encryption Control configuration.
Mode (string) --
The encryption mode for the VPC Encryption Control configuration.
State (string) --
The current state of the VPC Encryption Control configuration.
StateMessage (string) --
A message providing additional information about the encryption control state.
ResourceExclusions (dict) --
Information about resource exclusions for the VPC Encryption Control configuration.
InternetGateway (dict) --
The exclusion configuration for internet gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
EgressOnlyInternetGateway (dict) --
The exclusion configuration for egress-only internet gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
NatGateway (dict) --
The exclusion configuration for NAT gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VirtualPrivateGateway (dict) --
The exclusion configuration for virtual private gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VpcPeering (dict) --
The exclusion configuration for VPC peering connection traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
Lambda (dict) --
The exclusion configuration for Lambda function traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VpcLattice (dict) --
The exclusion configuration for VPC Lattice traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
ElasticFileSystem (dict) --
The exclusion configuration for Elastic File System traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
Tags (list) --
The tags assigned to the VPC Encryption Control configuration.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
Gets information about resources in a VPC that are blocking encryption enforcement.
For more information, see Enforce VPC encryption in transit in the Amazon VPC User Guide.
See also: AWS API Documentation
Request Syntax
client.get_vpc_resources_blocking_encryption_enforcement(
VpcId='string',
MaxResults=123,
NextToken='string',
DryRun=True|False
)
VpcId (string) --
[REQUIRED]
The ID of the VPC to check for resources blocking encryption enforcement.
MaxResults (integer) --
The maximum number of items to return for this request. To get the next page of items, make another request with the token returned in the output. For more information, see Pagination.
NextToken (string) --
The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{
'NonCompliantResources': [
{
'Id': 'string',
'Type': 'string',
'Description': 'string',
'IsExcludable': True|False
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
NonCompliantResources (list) --
Information about resources that are blocking encryption enforcement.
(dict) --
Describes a resource that is not compliant with VPC encryption requirements.
For more information, see Enforce VPC encryption in transit in the Amazon VPC User Guide.
Id (string) --
The ID of the non-compliant resource.
Type (string) --
The type of the non-compliant resource.
Description (string) --
A description of the non-compliant resource.
IsExcludable (boolean) --
Indicates whether the resource can be excluded from encryption enforcement.
NextToken (string) --
The token to include in another request to get the next page of items. This value is null when there are no more items to return.
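An added example (not part of the AWS documentation) of using the two behaviours described above together: a DryRun permission probe, then following NextToken through every page of NonCompliantResources and splitting on IsExcludable before switching a VPC to enforce mode. The helper names, the StubEC2 class and all sample IDs and Type values are constructed so the code runs offline; with real credentials a boto3 EC2 client would be passed instead.

```python
"""Added example: audit what still blocks VPC encryption enforcement."""


def dry_run_allowed(operation, **kwargs):
    """Probe permissions with DryRun=True.

    Per the parameter description, an authorized caller gets the error
    DryRunOperation and an unauthorized one gets UnauthorizedOperation.
    botocore's ClientError exposes the code at .response['Error']['Code'].
    """
    try:
        operation(DryRun=True, **kwargs)
    except Exception as exc:
        response = getattr(exc, "response", None) or {}
        code = response.get("Error", {}).get("Code")
        if code == "DryRunOperation":
            return True
        if code == "UnauthorizedOperation":
            return False
        raise  # throttling, bad VPC ID, network failure: not a permission answer
    raise RuntimeError("DryRun call returned without an error response")


def blocking_resources(client, vpc_id, page_size=None):
    """Yield every NonCompliantResources item, following NextToken to the end."""
    kwargs = {"VpcId": vpc_id}
    if page_size is not None:
        kwargs["MaxResults"] = page_size
    while True:
        page = client.get_vpc_resources_blocking_encryption_enforcement(**kwargs)
        yield from page.get("NonCompliantResources", [])
        token = page.get("NextToken")
        if not token:  # null/absent token means no more pages
            return
        kwargs["NextToken"] = token


def enforcement_readiness(client, vpc_id):
    """Classify blockers: 'excludable' ones can be covered by an exclusion,
    'must_fix' ones have to be remediated before enforce mode can succeed."""
    op = client.get_vpc_resources_blocking_encryption_enforcement
    if not dry_run_allowed(op, VpcId=vpc_id):
        raise PermissionError("caller may not query blocking resources for " + vpc_id)
    excludable, must_fix = [], []
    for resource in blocking_resources(client, vpc_id):
        (excludable if resource.get("IsExcludable") else must_fix).append(resource)
    return {
        "ready": not excludable and not must_fix,
        "excludable": excludable,
        "must_fix": must_fix,
    }


class StubError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class StubEC2:
    """Constructed stand-in for an EC2 client; serves two pages of sample data."""

    PAGES = {
        None: {
            "NonCompliantResources": [
                {"Id": "igw-EXAMPLE1", "Type": "internet-gateway",
                 "Description": "constructed sample", "IsExcludable": True},
            ],
            "NextToken": "page-2",
        },
        "page-2": {
            "NonCompliantResources": [
                {"Id": "i-EXAMPLE2", "Type": "instance",
                 "Description": "constructed sample", "IsExcludable": False},
            ],
        },
    }

    def __init__(self, authorized=True):
        self.authorized = authorized

    def get_vpc_resources_blocking_encryption_enforcement(
            self, VpcId, MaxResults=None, NextToken=None, DryRun=False):
        if DryRun:
            raise StubError("DryRunOperation" if self.authorized
                            else "UnauthorizedOperation")
        return self.PAGES[NextToken]


if __name__ == "__main__":
    report = enforcement_readiness(StubEC2(), "vpc-EXAMPLE")
    print("ready for enforce:", report["ready"])
    for bucket in ("excludable", "must_fix"):
        for res in report[bucket]:
            print(f"{bucket:10s} {res['Id']:14s} {res['Type']}")
```

Stopping at the first page would miss the non-excludable resource in this sample, which is the one that actually prevents enforcement.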
Creates a metering policy for a transit gateway to track and measure network traffic.
See also: AWS API Documentation
Request Syntax
client.create_transit_gateway_metering_policy(
TransitGatewayId='string',
MiddleboxAttachmentIds=[
'string',
],
TagSpecifications=[
{
'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'image-usage-report'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'outpost-lag'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'service-link-virtual-interface'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-metering-policy'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'vpc-encryption-control'|'route-server'|'route-server-endpoint'|'route-server-peer'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token'|'capacity-block'|'mac-modification-task'|'ipam-prefix-list-resolver'|'ipam-policy'|'ipam-prefix-list-resolver-target'|'capacity-manager-data-export'|'vpn-concentrator',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
],
DryRun=True|False
)
TransitGatewayId (string) --
[REQUIRED]
The ID of the transit gateway for which to create the metering policy.
MiddleboxAttachmentIds (list) --
The IDs of the middlebox attachments to include in the metering policy.
(string) --
TagSpecifications (list) --
The tags to assign to the metering policy.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{
'TransitGatewayMeteringPolicy': {
'TransitGatewayMeteringPolicyId': 'string',
'TransitGatewayId': 'string',
'MiddleboxAttachmentIds': [
'string',
],
'State': 'available'|'deleted'|'pending'|'modifying'|'deleting',
'UpdateEffectiveAt': datetime(2015, 1, 1),
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
}
}
Response Structure
(dict) --
TransitGatewayMeteringPolicy (dict) --
Information about the created transit gateway metering policy.
TransitGatewayMeteringPolicyId (string) --
The ID of the transit gateway metering policy.
TransitGatewayId (string) --
The ID of the transit gateway associated with the metering policy.
MiddleboxAttachmentIds (list) --
The IDs of the middlebox attachments associated with the metering policy.
(string) --
State (string) --
The state of the transit gateway metering policy.
UpdateEffectiveAt (datetime) --
The date and time when the metering policy update becomes effective.
Tags (list) --
The tags assigned to the transit gateway metering policy.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
Modifies a transit gateway metering policy.
See also: AWS API Documentation
Request Syntax
client.modify_transit_gateway_metering_policy(
TransitGatewayMeteringPolicyId='string',
AddMiddleboxAttachmentIds=[
'string',
],
RemoveMiddleboxAttachmentIds=[
'string',
],
DryRun=True|False
)
TransitGatewayMeteringPolicyId (string) --
[REQUIRED]
The ID of the transit gateway metering policy to modify.
AddMiddleboxAttachmentIds (list) --
The IDs of middlebox attachments to add to the metering policy.
(string) --
RemoveMiddleboxAttachmentIds (list) --
The IDs of middlebox attachments to remove from the metering policy.
(string) --
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{
'TransitGatewayMeteringPolicy': {
'TransitGatewayMeteringPolicyId': 'string',
'TransitGatewayId': 'string',
'MiddleboxAttachmentIds': [
'string',
],
'State': 'available'|'deleted'|'pending'|'modifying'|'deleting',
'UpdateEffectiveAt': datetime(2015, 1, 1),
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
}
}
Response Structure
(dict) --
TransitGatewayMeteringPolicy (dict) --
Information about the modified transit gateway metering policy.
TransitGatewayMeteringPolicyId (string) --
The ID of the transit gateway metering policy.
TransitGatewayId (string) --
The ID of the transit gateway associated with the metering policy.
MiddleboxAttachmentIds (list) --
The IDs of the middlebox attachments associated with the metering policy.
(string) --
State (string) --
The state of the transit gateway metering policy.
UpdateEffectiveAt (datetime) --
The date and time when the metering policy update becomes effective.
Tags (list) --
The tags assigned to the transit gateway metering policy.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
Restores a volume from the Recycle Bin. For more information, see Restore volumes from the Recycle Bin in the Amazon EBS User Guide.
See also: AWS API Documentation
Request Syntax
client.restore_volume_from_recycle_bin(
VolumeId='string',
DryRun=True|False
)
VolumeId (string) --
[REQUIRED]
The ID of the volume to restore.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{
'Return': True|False
}
Response Structure
(dict) --
Return (boolean) --
Returns true if the request succeeds; otherwise, it returns an error.
Deletes an entry from a transit gateway metering policy.
See also: AWS API Documentation
Request Syntax
client.delete_transit_gateway_metering_policy_entry(
TransitGatewayMeteringPolicyId='string',
PolicyRuleNumber=123,
DryRun=True|False
)
TransitGatewayMeteringPolicyId (string) --
[REQUIRED]
The ID of the transit gateway metering policy containing the entry to delete.
PolicyRuleNumber (integer) --
[REQUIRED]
The rule number of the metering policy entry to delete.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{
'TransitGatewayMeteringPolicyEntry': {
'PolicyRuleNumber': 'string',
'MeteredAccount': 'source-attachment-owner'|'destination-attachment-owner'|'transit-gateway-owner',
'State': 'available'|'deleted',
'UpdatedAt': datetime(2015, 1, 1),
'UpdateEffectiveAt': datetime(2015, 1, 1),
'MeteringPolicyRule': {
'SourceTransitGatewayAttachmentId': 'string',
'SourceTransitGatewayAttachmentType': 'vpc'|'vpn'|'vpn-concentrator'|'direct-connect-gateway'|'connect'|'peering'|'tgw-peering'|'network-function',
'SourceCidrBlock': 'string',
'SourcePortRange': 'string',
'DestinationTransitGatewayAttachmentId': 'string',
'DestinationTransitGatewayAttachmentType': 'vpc'|'vpn'|'vpn-concentrator'|'direct-connect-gateway'|'connect'|'peering'|'tgw-peering'|'network-function',
'DestinationCidrBlock': 'string',
'DestinationPortRange': 'string',
'Protocol': 'string'
}
}
}
Response Structure
(dict) --
TransitGatewayMeteringPolicyEntry (dict) --
Information about the deleted transit gateway metering policy entry.
PolicyRuleNumber (string) --
The rule number of the metering policy entry.
MeteredAccount (string) --
The Amazon Web Services account ID to which the metered traffic is attributed.
State (string) --
The state of the metering policy entry.
UpdatedAt (datetime) --
The date and time when the metering policy entry was last updated.
UpdateEffectiveAt (datetime) --
The date and time when the metering policy entry update becomes effective.
MeteringPolicyRule (dict) --
The metering policy rule that defines traffic matching criteria.
SourceTransitGatewayAttachmentId (string) --
The ID of the source transit gateway attachment.
SourceTransitGatewayAttachmentType (string) --
The type of the source transit gateway attachment. Note that the tgw-peering resource type has been deprecated. To configure metering policies for Connect, use the transport attachment type.
SourceCidrBlock (string) --
The source CIDR block for the rule.
SourcePortRange (string) --
The source port range for the rule.
DestinationTransitGatewayAttachmentId (string) --
The ID of the destination transit gateway attachment.
DestinationTransitGatewayAttachmentType (string) --
The type of the destination transit gateway attachment. Note that the tgw-peering resource type has been deprecated. To configure metering policies for Connect, use the transport attachment type.
DestinationCidrBlock (string) --
The destination CIDR block for the rule.
DestinationPortRange (string) --
The destination port range for the rule.
Protocol (string) --
The protocol for the rule (1, 6, 17, etc.).
Retrieves the entries for a transit gateway metering policy.
See also: AWS API Documentation
Request Syntax
client.get_transit_gateway_metering_policy_entries(
TransitGatewayMeteringPolicyId='string',
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string',
DryRun=True|False
)
TransitGatewayMeteringPolicyId (string) --
[REQUIRED]
The ID of the transit gateway metering policy to retrieve entries for.
Filters (list) --
One or more filters to apply when retrieving metering policy entries.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
MaxResults (integer) --
The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.
NextToken (string) --
The token for the next page of results.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{
'TransitGatewayMeteringPolicyEntries': [
{
'PolicyRuleNumber': 'string',
'MeteredAccount': 'source-attachment-owner'|'destination-attachment-owner'|'transit-gateway-owner',
'State': 'available'|'deleted',
'UpdatedAt': datetime(2015, 1, 1),
'UpdateEffectiveAt': datetime(2015, 1, 1),
'MeteringPolicyRule': {
'SourceTransitGatewayAttachmentId': 'string',
'SourceTransitGatewayAttachmentType': 'vpc'|'vpn'|'vpn-concentrator'|'direct-connect-gateway'|'connect'|'peering'|'tgw-peering'|'network-function',
'SourceCidrBlock': 'string',
'SourcePortRange': 'string',
'DestinationTransitGatewayAttachmentId': 'string',
'DestinationTransitGatewayAttachmentType': 'vpc'|'vpn'|'vpn-concentrator'|'direct-connect-gateway'|'connect'|'peering'|'tgw-peering'|'network-function',
'DestinationCidrBlock': 'string',
'DestinationPortRange': 'string',
'Protocol': 'string'
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
TransitGatewayMeteringPolicyEntries (list) --
Information about the transit gateway metering policy entries.
(dict) --
Describes an entry in a transit gateway metering policy.
PolicyRuleNumber (string) --
The rule number of the metering policy entry.
MeteredAccount (string) --
The Amazon Web Services account ID to which the metered traffic is attributed.
State (string) --
The state of the metering policy entry.
UpdatedAt (datetime) --
The date and time when the metering policy entry was last updated.
UpdateEffectiveAt (datetime) --
The date and time when the metering policy entry update becomes effective.
MeteringPolicyRule (dict) --
The metering policy rule that defines traffic matching criteria.
SourceTransitGatewayAttachmentId (string) --
The ID of the source transit gateway attachment.
SourceTransitGatewayAttachmentType (string) --
The type of the source transit gateway attachment. Note that the tgw-peering resource type has been deprecated. To configure metering policies for Connect, use the transport attachment type.
SourceCidrBlock (string) --
The source CIDR block for the rule.
SourcePortRange (string) --
The source port range for the rule.
DestinationTransitGatewayAttachmentId (string) --
The ID of the destination transit gateway attachment.
DestinationTransitGatewayAttachmentType (string) --
The type of the destination transit gateway attachment. Note that the tgw-peering resource type has been deprecated. To configure metering policies for Connect, use the transport attachment type.
DestinationCidrBlock (string) --
The destination CIDR block for the rule.
DestinationPortRange (string) --
The destination port range for the rule.
Protocol (string) --
The protocol for the rule (1, 6, 17, etc.).
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
Lists one or more volumes that are currently in the Recycle Bin.
See also: AWS API Documentation
Request Syntax
client.list_volumes_in_recycle_bin(
VolumeIds=[
'string',
],
DryRun=True|False,
MaxResults=123,
NextToken='string'
)
VolumeIds (list) --
The IDs of the volumes to list. Omit this parameter to list all of the volumes that are in the Recycle Bin.
(string) --
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
MaxResults (integer) --
The maximum number of items to return for this request. To get the next page of items, make another request with the token returned in the output. For more information, see Pagination.
Valid range: 5 - 500
NextToken (string) --
The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.
Return type: dict
Response Syntax
{
'Volumes': [
{
'VolumeId': 'string',
'VolumeType': 'standard'|'io1'|'io2'|'gp2'|'sc1'|'st1'|'gp3',
'State': 'creating'|'available'|'in-use'|'deleting'|'deleted'|'error',
'Size': 123,
'Iops': 123,
'Throughput': 123,
'OutpostArn': 'string',
'AvailabilityZone': 'string',
'AvailabilityZoneId': 'string',
'SourceVolumeId': 'string',
'SnapshotId': 'string',
'Operator': {
'Managed': True|False,
'Principal': 'string'
},
'CreateTime': datetime(2015, 1, 1),
'RecycleBinEnterTime': datetime(2015, 1, 1),
'RecycleBinExitTime': datetime(2015, 1, 1)
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Volumes (list) --
Information about the volumes.
(dict) --
Information about a volume that is currently in the Recycle Bin.
VolumeId (string) --
The ID of the volume.
VolumeType (string) --
The volume type.
State (string) --
The state of the volume.
Size (integer) --
The size of the volume, in GiB.
Iops (integer) --
The number of I/O operations per second (IOPS) for the volume.
Throughput (integer) --
The throughput that the volume supports, in MiB/s.
OutpostArn (string) --
The ARN of the Outpost on which the volume is stored. For more information, see Amazon EBS volumes on Outposts in the Amazon EBS User Guide.
AvailabilityZone (string) --
The Availability Zone for the volume.
AvailabilityZoneId (string) --
The ID of the Availability Zone for the volume.
SourceVolumeId (string) --
The ID of the source volume.
SnapshotId (string) --
The snapshot from which the volume was created, if applicable.
Operator (dict) --
The service provider that manages the volume.
Managed (boolean) --
If true, the resource is managed by a service provider.
Principal (string) --
If managed is true, then the principal is returned. The principal is the service provider that manages the resource.
CreateTime (datetime) --
The time stamp when volume creation was initiated.
RecycleBinEnterTime (datetime) --
The date and time when the volume entered the Recycle Bin.
RecycleBinExitTime (datetime) --
The date and time when the volume is to be permanently deleted from the Recycle Bin.
NextToken (string) --
The token to include in another request to get the next page of items. This value is null when there are no more items to return.
Creates an entry in a transit gateway metering policy to define traffic measurement rules.
See also: AWS API Documentation
Request Syntax
client.create_transit_gateway_metering_policy_entry(
TransitGatewayMeteringPolicyId='string',
PolicyRuleNumber=123,
SourceTransitGatewayAttachmentId='string',
SourceTransitGatewayAttachmentType='vpc'|'vpn'|'vpn-concentrator'|'direct-connect-gateway'|'connect'|'peering'|'tgw-peering'|'network-function',
SourceCidrBlock='string',
SourcePortRange='string',
DestinationTransitGatewayAttachmentId='string',
DestinationTransitGatewayAttachmentType='vpc'|'vpn'|'vpn-concentrator'|'direct-connect-gateway'|'connect'|'peering'|'tgw-peering'|'network-function',
DestinationCidrBlock='string',
DestinationPortRange='string',
Protocol='string',
MeteredAccount='source-attachment-owner'|'destination-attachment-owner'|'transit-gateway-owner',
DryRun=True|False
)
TransitGatewayMeteringPolicyId (string) --
[REQUIRED]
The ID of the transit gateway metering policy to add the entry to.
PolicyRuleNumber (integer) --
[REQUIRED]
The rule number for the metering policy entry. Rules are processed in order from lowest to highest number.
SourceTransitGatewayAttachmentId (string) --
The ID of the source transit gateway attachment for traffic matching.
SourceTransitGatewayAttachmentType (string) --
The type of the source transit gateway attachment for traffic matching. Note that the tgw-peering resource type has been deprecated. To configure metering policies for Connect, use the transport attachment type.
SourceCidrBlock (string) --
The source CIDR block for traffic matching.
SourcePortRange (string) --
The source port range for traffic matching.
DestinationTransitGatewayAttachmentId (string) --
The ID of the destination transit gateway attachment for traffic matching.
DestinationTransitGatewayAttachmentType (string) --
The type of the destination transit gateway attachment for traffic matching. Note that the tgw-peering resource type has been deprecated. To configure metering policies for Connect, use the transport attachment type.
DestinationCidrBlock (string) --
The destination CIDR block for traffic matching.
DestinationPortRange (string) --
The destination port range for traffic matching.
Protocol (string) --
The protocol for traffic matching (1, 6, 17, etc.).
MeteredAccount (string) --
[REQUIRED]
The Amazon Web Services account ID to which the metered traffic should be attributed.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{
'TransitGatewayMeteringPolicyEntry': {
'PolicyRuleNumber': 'string',
'MeteredAccount': 'source-attachment-owner'|'destination-attachment-owner'|'transit-gateway-owner',
'State': 'available'|'deleted',
'UpdatedAt': datetime(2015, 1, 1),
'UpdateEffectiveAt': datetime(2015, 1, 1),
'MeteringPolicyRule': {
'SourceTransitGatewayAttachmentId': 'string',
'SourceTransitGatewayAttachmentType': 'vpc'|'vpn'|'vpn-concentrator'|'direct-connect-gateway'|'connect'|'peering'|'tgw-peering'|'network-function',
'SourceCidrBlock': 'string',
'SourcePortRange': 'string',
'DestinationTransitGatewayAttachmentId': 'string',
'DestinationTransitGatewayAttachmentType': 'vpc'|'vpn'|'vpn-concentrator'|'direct-connect-gateway'|'connect'|'peering'|'tgw-peering'|'network-function',
'DestinationCidrBlock': 'string',
'DestinationPortRange': 'string',
'Protocol': 'string'
}
}
}
Response Structure
(dict) --
TransitGatewayMeteringPolicyEntry (dict) --
Information about the created transit gateway metering policy entry.
PolicyRuleNumber (string) --
The rule number of the metering policy entry.
MeteredAccount (string) --
The Amazon Web Services account ID to which the metered traffic is attributed.
State (string) --
The state of the metering policy entry.
UpdatedAt (datetime) --
The date and time when the metering policy entry was last updated.
UpdateEffectiveAt (datetime) --
The date and time when the metering policy entry update becomes effective.
MeteringPolicyRule (dict) --
The metering policy rule that defines traffic matching criteria.
SourceTransitGatewayAttachmentId (string) --
The ID of the source transit gateway attachment.
SourceTransitGatewayAttachmentType (string) --
The type of the source transit gateway attachment. Note that the tgw-peering resource type has been deprecated. To configure metering policies for Connect, use the transport attachment type.
SourceCidrBlock (string) --
The source CIDR block for the rule.
SourcePortRange (string) --
The source port range for the rule.
DestinationTransitGatewayAttachmentId (string) --
The ID of the destination transit gateway attachment.
DestinationTransitGatewayAttachmentType (string) --
The type of the destination transit gateway attachment. Note that the tgw-peering resource type has been deprecated. To configure metering policies for Connect, use the transport attachment type.
DestinationCidrBlock (string) --
The destination CIDR block for the rule.
DestinationPortRange (string) --
The destination port range for the rule.
Protocol (string) --
The protocol for the rule (1, 6, 17, etc.).
Describes one or more VPC Encryption Control configurations. VPC Encryption Control enables you to enforce encryption for all data in transit within and between VPCs to meet compliance requirements. You can filter the results to return information about specific encryption controls or VPCs.
For more information, see Enforce VPC encryption in transit in the Amazon VPC User Guide.
See also: AWS API Documentation
Request Syntax
client.describe_vpc_encryption_controls(
DryRun=True|False,
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
VpcEncryptionControlIds=[
'string',
],
VpcIds=[
'string',
],
NextToken='string',
MaxResults=123
)
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Filters (list) --
The filters to apply to the request.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
VpcEncryptionControlIds (list) --
The IDs of the VPC Encryption Control configurations to describe.
(string) --
VpcIds (list) --
The IDs of the VPCs to describe encryption control configurations for.
(string) --
NextToken (string) --
The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.
MaxResults (integer) --
The maximum number of items to return for this request. To get the next page of items, make another request with the token returned in the output. For more information, see Pagination.
dict
Response Syntax
{
'VpcEncryptionControls': [
{
'VpcId': 'string',
'VpcEncryptionControlId': 'string',
'Mode': 'monitor'|'enforce',
'State': 'enforce-in-progress'|'monitor-in-progress'|'enforce-failed'|'monitor-failed'|'deleting'|'deleted'|'available'|'creating'|'delete-failed',
'StateMessage': 'string',
'ResourceExclusions': {
'InternetGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'EgressOnlyInternetGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'NatGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VirtualPrivateGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VpcPeering': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'Lambda': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VpcLattice': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'ElasticFileSystem': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
}
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
VpcEncryptionControls (list) --
Information about the VPC Encryption Control configurations.
(dict) --
Describes the configuration and state of VPC encryption controls.
For more information, see Enforce VPC encryption in transit in the Amazon VPC User Guide.
VpcId (string) --
The ID of the VPC associated with the encryption control configuration.
VpcEncryptionControlId (string) --
The ID of the VPC Encryption Control configuration.
Mode (string) --
The encryption mode for the VPC Encryption Control configuration.
State (string) --
The current state of the VPC Encryption Control configuration.
StateMessage (string) --
A message providing additional information about the encryption control state.
ResourceExclusions (dict) --
Information about resource exclusions for the VPC Encryption Control configuration.
InternetGateway (dict) --
The exclusion configuration for internet gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
EgressOnlyInternetGateway (dict) --
The exclusion configuration for egress-only internet gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
NatGateway (dict) --
The exclusion configuration for NAT gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VirtualPrivateGateway (dict) --
The exclusion configuration for virtual private gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VpcPeering (dict) --
The exclusion configuration for VPC peering connection traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
Lambda (dict) --
The exclusion configuration for Lambda function traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VpcLattice (dict) --
The exclusion configuration for VPC Lattice traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
ElasticFileSystem (dict) --
The exclusion configuration for Elastic File System traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
Tags (list) --
The tags assigned to the VPC Encryption Control configuration.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
NextToken (string) --
The token to include in another request to get the next page of items. This value is null when there are no more items to return.
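The following added example (not part of the AWS documentation) pages through `describe_vpc_encryption_controls` responses with `NextToken` and flags configurations that are not settled in `enforce` mode or that have exclusions enabled. It assumes a client object exposing that method; `StubAuditClient`, the VPC IDs and all response values are constructed so the block runs offline, and the finding labels are this example's own.

```python
"""Audit VPC Encryption Control configurations (added example, offline stub)."""

# Exclusion states in which a traffic type is, or is becoming, exempt.
EXEMPT_STATES = {"enabling", "enabled"}

EXCLUSION_TYPES = (
    "InternetGateway", "EgressOnlyInternetGateway", "NatGateway",
    "VirtualPrivateGateway", "VpcPeering", "Lambda", "VpcLattice",
    "ElasticFileSystem",
)


def iter_encryption_controls(client, **kwargs):
    """Yield every VpcEncryptionControls item, following NextToken until null."""
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        page = client.describe_vpc_encryption_controls(**params)
        yield from page.get("VpcEncryptionControls", [])
        token = page.get("NextToken")
        if not token:
            return


def audit_control(control):
    """Return findings for one configuration dict from the response."""
    findings = []
    state = control.get("State")
    if state != "available":  # in-progress, failed, deleting or deleted
        findings.append(f"state={state}")
    if control.get("Mode") != "enforce":
        findings.append(f"mode={control.get('Mode')}")
    exclusions = control.get("ResourceExclusions") or {}
    for name in sorted(exclusions):
        excl_state = exclusions[name].get("State")
        if excl_state in EXEMPT_STATES:
            findings.append(f"exclusion:{name}={excl_state}")
    return findings


def audit(client, expected_vpc_ids=()):
    """Map VPC ID -> findings; VPCs with no configuration at all are reported too."""
    report, seen = {}, set()
    for control in iter_encryption_controls(client):
        vpc_id = control["VpcId"]
        seen.add(vpc_id)
        findings = audit_control(control)
        if findings:
            report.setdefault(vpc_id, []).extend(findings)
    for vpc_id in expected_vpc_ids:
        if vpc_id not in seen:
            report[vpc_id] = ["no-encryption-control"]
    return report


def sample_exclusions(**overrides):
    """Constructed ResourceExclusions dict: everything disabled unless overridden."""
    return {t: {"State": overrides.get(t, "disabled")} for t in EXCLUSION_TYPES}


class StubAuditClient:
    """Constructed stand-in for an EC2 client; serves two fixed pages."""

    PAGES = {
        None: {
            "VpcEncryptionControls": [
                {"VpcId": "vpc-aaaa0001", "Mode": "enforce", "State": "available",
                 "ResourceExclusions": sample_exclusions()},
                {"VpcId": "vpc-aaaa0002", "Mode": "monitor", "State": "available",
                 "ResourceExclusions": sample_exclusions(InternetGateway="enabled")},
            ],
            "NextToken": "constructed-token-2",
        },
        "constructed-token-2": {
            "VpcEncryptionControls": [
                {"VpcId": "vpc-aaaa0003", "Mode": "enforce", "State": "enforce-failed",
                 "StateMessage": "constructed message",
                 "ResourceExclusions": sample_exclusions(NatGateway="enabling")},
            ],
        },
    }

    def describe_vpc_encryption_controls(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]


if __name__ == "__main__":
    expected = ["vpc-aaaa0001", "vpc-aaaa0002", "vpc-aaaa0003", "vpc-aaaa0004"]
    for vpc, findings in sorted(audit(StubAuditClient(), expected).items()):
        print(vpc, findings)
```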
Describes one or more transit gateway metering policies.
See also: AWS API Documentation
Request Syntax
client.describe_transit_gateway_metering_policies(
TransitGatewayMeteringPolicyIds=[
'string',
],
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string',
DryRun=True|False
)
TransitGatewayMeteringPolicyIds (list) --
The IDs of the transit gateway metering policies to describe.
(string) --
Filters (list) --
One or more filters to apply when describing transit gateway metering policies.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
MaxResults (integer) --
The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.
NextToken (string) --
The token for the next page of results.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
'TransitGatewayMeteringPolicies': [
{
'TransitGatewayMeteringPolicyId': 'string',
'TransitGatewayId': 'string',
'MiddleboxAttachmentIds': [
'string',
],
'State': 'available'|'deleted'|'pending'|'modifying'|'deleting',
'UpdateEffectiveAt': datetime(2015, 1, 1),
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
TransitGatewayMeteringPolicies (list) --
Information about the transit gateway metering policies.
(dict) --
Describes a transit gateway metering policy.
TransitGatewayMeteringPolicyId (string) --
The ID of the transit gateway metering policy.
TransitGatewayId (string) --
The ID of the transit gateway associated with the metering policy.
MiddleboxAttachmentIds (list) --
The IDs of the middlebox attachments associated with the metering policy.
(string) --
State (string) --
The state of the transit gateway metering policy.
UpdateEffectiveAt (datetime) --
The date and time when the metering policy update becomes effective.
Tags (list) --
The tags assigned to the transit gateway metering policy.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
Modifies the encryption control configuration for a VPC. You can update the encryption mode and exclusion settings for various gateway types and peering connections.
For more information, see Enforce VPC encryption in transit in the Amazon VPC User Guide.
See also: AWS API Documentation
Request Syntax
client.modify_vpc_encryption_control(
DryRun=True|False,
VpcEncryptionControlId='string',
Mode='monitor'|'enforce',
InternetGatewayExclusion='enable'|'disable',
EgressOnlyInternetGatewayExclusion='enable'|'disable',
NatGatewayExclusion='enable'|'disable',
VirtualPrivateGatewayExclusion='enable'|'disable',
VpcPeeringExclusion='enable'|'disable',
LambdaExclusion='enable'|'disable',
VpcLatticeExclusion='enable'|'disable',
ElasticFileSystemExclusion='enable'|'disable'
)
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
VpcEncryptionControlId (string) --
[REQUIRED]
The ID of the VPC Encryption Control resource to modify.
Mode (string) --
The encryption mode for the VPC Encryption Control configuration.
InternetGatewayExclusion (string) --
Specifies whether to exclude internet gateway traffic from encryption enforcement.
EgressOnlyInternetGatewayExclusion (string) --
Specifies whether to exclude egress-only internet gateway traffic from encryption enforcement.
NatGatewayExclusion (string) --
Specifies whether to exclude NAT gateway traffic from encryption enforcement.
VirtualPrivateGatewayExclusion (string) --
Specifies whether to exclude virtual private gateway traffic from encryption enforcement.
VpcPeeringExclusion (string) --
Specifies whether to exclude VPC peering connection traffic from encryption enforcement.
LambdaExclusion (string) --
Specifies whether to exclude Lambda function traffic from encryption enforcement.
VpcLatticeExclusion (string) --
Specifies whether to exclude VPC Lattice traffic from encryption enforcement.
ElasticFileSystemExclusion (string) --
Specifies whether to exclude Elastic File System traffic from encryption enforcement.
dict
Response Syntax
{
'VpcEncryptionControl': {
'VpcId': 'string',
'VpcEncryptionControlId': 'string',
'Mode': 'monitor'|'enforce',
'State': 'enforce-in-progress'|'monitor-in-progress'|'enforce-failed'|'monitor-failed'|'deleting'|'deleted'|'available'|'creating'|'delete-failed',
'StateMessage': 'string',
'ResourceExclusions': {
'InternetGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'EgressOnlyInternetGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'NatGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VirtualPrivateGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VpcPeering': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'Lambda': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VpcLattice': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'ElasticFileSystem': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
}
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
}
}
Response Structure
(dict) --
VpcEncryptionControl (dict) --
Information about the VPC Encryption Control configuration.
VpcId (string) --
The ID of the VPC associated with the encryption control configuration.
VpcEncryptionControlId (string) --
The ID of the VPC Encryption Control configuration.
Mode (string) --
The encryption mode for the VPC Encryption Control configuration.
State (string) --
The current state of the VPC Encryption Control configuration.
StateMessage (string) --
A message providing additional information about the encryption control state.
ResourceExclusions (dict) --
Information about resource exclusions for the VPC Encryption Control configuration.
InternetGateway (dict) --
The exclusion configuration for internet gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
EgressOnlyInternetGateway (dict) --
The exclusion configuration for egress-only internet gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
NatGateway (dict) --
The exclusion configuration for NAT gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VirtualPrivateGateway (dict) --
The exclusion configuration for virtual private gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VpcPeering (dict) --
The exclusion configuration for VPC peering connection traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
Lambda (dict) --
The exclusion configuration for Lambda function traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VpcLattice (dict) --
The exclusion configuration for VPC Lattice traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
ElasticFileSystem (dict) --
The exclusion configuration for Elastic File System traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
Tags (list) --
The tags assigned to the VPC Encryption Control configuration.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
Deletes a VPC Encryption Control configuration. This removes the encryption policy enforcement from the specified VPC.
For more information, see Enforce VPC encryption in transit in the Amazon VPC User Guide.
See also: AWS API Documentation
Request Syntax
client.delete_vpc_encryption_control(
DryRun=True|False,
VpcEncryptionControlId='string'
)
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
VpcEncryptionControlId (string) --
[REQUIRED]
The ID of the VPC Encryption Control resource to delete.
dict
Response Syntax
{
'VpcEncryptionControl': {
'VpcId': 'string',
'VpcEncryptionControlId': 'string',
'Mode': 'monitor'|'enforce',
'State': 'enforce-in-progress'|'monitor-in-progress'|'enforce-failed'|'monitor-failed'|'deleting'|'deleted'|'available'|'creating'|'delete-failed',
'StateMessage': 'string',
'ResourceExclusions': {
'InternetGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'EgressOnlyInternetGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'NatGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VirtualPrivateGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VpcPeering': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'Lambda': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VpcLattice': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'ElasticFileSystem': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
}
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
}
}
Response Structure
(dict) --
VpcEncryptionControl (dict) --
Information about the deleted VPC Encryption Control configuration.
VpcId (string) --
The ID of the VPC associated with the encryption control configuration.
VpcEncryptionControlId (string) --
The ID of the VPC Encryption Control configuration.
Mode (string) --
The encryption mode for the VPC Encryption Control configuration.
State (string) --
The current state of the VPC Encryption Control configuration.
StateMessage (string) --
A message providing additional information about the encryption control state.
ResourceExclusions (dict) --
Information about resource exclusions for the VPC Encryption Control configuration.
InternetGateway (dict) --
The exclusion configuration for internet gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
EgressOnlyInternetGateway (dict) --
The exclusion configuration for egress-only internet gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
NatGateway (dict) --
The exclusion configuration for NAT gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VirtualPrivateGateway (dict) --
The exclusion configuration for virtual private gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VpcPeering (dict) --
The exclusion configuration for VPC peering connection traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
Lambda (dict) --
The exclusion configuration for Lambda function traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VpcLattice (dict) --
The exclusion configuration for VPC Lattice traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
ElasticFileSystem (dict) --
The exclusion configuration for Elastic File System traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
Tags (list) --
The tags assigned to the VPC Encryption Control configuration.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
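Because `modify_vpc_encryption_control` and `delete_vpc_encryption_control` can both relax enforcement, the `DryRun` parameter described above is a convenient way to confirm that a given principal cannot call them. This added example (not from the AWS documentation) maps the two documented error codes to a permission answer; it assumes errors carry a boto3-style `response['Error']['Code']`, and `StubDryRunClient`, `StubClientError` and the control ID are constructed placeholders.

```python
"""Preflight: can this principal weaken VPC Encryption Control? (added example)"""


def dry_run_allowed(operation, **params):
    """Call `operation` with DryRun=True and interpret the documented error codes.

    With boto3 the raised exception is botocore.exceptions.ClientError; this
    example only relies on its `.response` dict so it runs without boto3.
    """
    try:
        operation(DryRun=True, **params)
    except Exception as exc:
        error = (getattr(exc, "response", None) or {}).get("Error", {})
        code = error.get("Code")
        if code == "DryRunOperation":
            return True
        if code == "UnauthorizedOperation":
            return False
        raise  # any other error is not a permission answer
    raise RuntimeError("DryRun call returned no error; cannot infer permissions")


def weakening_operations_allowed(client, control_id):
    """Return the names of enforcement-relaxing operations the caller may perform."""
    checks = {
        "modify_vpc_encryption_control": {
            "VpcEncryptionControlId": control_id,
            "Mode": "monitor",
        },
        "delete_vpc_encryption_control": {
            "VpcEncryptionControlId": control_id,
        },
    }
    return sorted(
        name for name, params in checks.items()
        if dry_run_allowed(getattr(client, name), **params)
    )


class StubClientError(Exception):
    """Constructed error carrying a boto3-style response dict."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code, "Message": "constructed"}}


class StubDryRunClient:
    """Constructed client: each operation raises the error code it was given."""

    def __init__(self, codes):
        self.codes = codes  # operation name -> error code to raise

    def modify_vpc_encryption_control(self, **kwargs):
        raise StubClientError(self.codes["modify_vpc_encryption_control"])

    def delete_vpc_encryption_control(self, **kwargs):
        raise StubClientError(self.codes["delete_vpc_encryption_control"])


if __name__ == "__main__":
    client = StubDryRunClient({
        "modify_vpc_encryption_control": "UnauthorizedOperation",
        "delete_vpc_encryption_control": "DryRunOperation",
    })
    print(weakening_operations_allowed(client, "EXAMPLE-CONTROL-ID"))
```

An empty list is the expected result for workload roles; any name returned is a permission to review.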
Deletes a transit gateway metering policy.
See also: AWS API Documentation
Request Syntax
client.delete_transit_gateway_metering_policy(
TransitGatewayMeteringPolicyId='string',
DryRun=True|False
)
TransitGatewayMeteringPolicyId (string) --
[REQUIRED]
The ID of the transit gateway metering policy to delete.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
'TransitGatewayMeteringPolicy': {
'TransitGatewayMeteringPolicyId': 'string',
'TransitGatewayId': 'string',
'MiddleboxAttachmentIds': [
'string',
],
'State': 'available'|'deleted'|'pending'|'modifying'|'deleting',
'UpdateEffectiveAt': datetime(2015, 1, 1),
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
}
}
Response Structure
(dict) --
TransitGatewayMeteringPolicy (dict) --
Information about the deleted transit gateway metering policy.
TransitGatewayMeteringPolicyId (string) --
The ID of the transit gateway metering policy.
TransitGatewayId (string) --
The ID of the transit gateway associated with the metering policy.
MiddleboxAttachmentIds (list) --
The IDs of the middlebox attachments associated with the metering policy.
(string) --
State (string) --
The state of the transit gateway metering policy.
UpdateEffectiveAt (datetime) --
The date and time when the metering policy update becomes effective.
Tags (list) --
The tags assigned to the transit gateway metering policy.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
{'ByoipCidr': {'AdvertisementType': 'string',
'State': {'pending-withdrawal', 'pending-advertising'}}}
Advertises an IPv4 or IPv6 address range that is provisioned for use with your Amazon Web Services resources through bring your own IP addresses (BYOIP).
You can perform this operation at most once every 10 seconds, even if you specify different address ranges each time.
We recommend that you stop advertising the BYOIP CIDR from other locations when you advertise it from Amazon Web Services. To minimize down time, you can configure your Amazon Web Services resources to use an address from a BYOIP CIDR before it is advertised, and then simultaneously stop advertising it from the current location and start advertising it through Amazon Web Services.
It can take a few minutes before traffic to the specified addresses starts routing to Amazon Web Services because of BGP propagation delays.
See also: AWS API Documentation
Request Syntax
client.advertise_byoip_cidr(
Cidr='string',
Asn='string',
DryRun=True|False,
NetworkBorderGroup='string'
)
Cidr (string) --
[REQUIRED]
The address range, in CIDR notation. This must be the exact range that you provisioned. You can't advertise only a portion of the provisioned range.
Asn (string) --
The public 2-byte or 4-byte ASN that you want to advertise.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
NetworkBorderGroup (string) --
If you have Local Zones enabled, you can choose a network border group for Local Zones when you provision and advertise a BYOIPv4 CIDR. Choose the network border group carefully as the EIP and the Amazon Web Services resource it is associated with must reside in the same network border group.
You can provision BYOIP address ranges to and advertise them in the following Local Zone network border groups:
us-east-1-dfw-2
us-west-2-lax-1
us-west-2-phx-2
dict
Response Syntax
{
'ByoipCidr': {
'Cidr': 'string',
'Description': 'string',
'AsnAssociations': [
{
'Asn': 'string',
'Cidr': 'string',
'StatusMessage': 'string',
'State': 'disassociated'|'failed-disassociation'|'failed-association'|'pending-disassociation'|'pending-association'|'associated'
},
],
'StatusMessage': 'string',
'State': 'advertised'|'deprovisioned'|'failed-deprovision'|'failed-provision'|'pending-advertising'|'pending-deprovision'|'pending-provision'|'pending-withdrawal'|'provisioned'|'provisioned-not-publicly-advertisable',
'NetworkBorderGroup': 'string',
'AdvertisementType': 'string'
}
}
Response Structure
(dict) --
ByoipCidr (dict) --
Information about the address range.
Cidr (string) --
The address range, in CIDR notation.
Description (string) --
The description of the address range.
AsnAssociations (list) --
The BYOIP CIDR associations with ASNs.
(dict) --
An Autonomous System Number (ASN) and BYOIP CIDR association.
Asn (string) --
The association's ASN.
Cidr (string) --
The association's CIDR.
StatusMessage (string) --
The association's status message.
State (string) --
The association's state.
StatusMessage (string) --
Upon success, contains the ID of the address pool. Otherwise, contains an error message.
State (string) --
The state of the address range.
advertised: The address range is being advertised to the internet by Amazon Web Services.
deprovisioned: The address range is deprovisioned.
failed-deprovision: The request to deprovision the address range was unsuccessful. Ensure that all EIPs from the range have been deallocated and try again.
failed-provision: The request to provision the address range was unsuccessful.
pending-deprovision: You’ve submitted a request to deprovision an address range and it's pending.
pending-provision: You’ve submitted a request to provision an address range and it's pending.
provisioned: The address range is provisioned and can be advertised. The range is not currently advertised.
provisioned-not-publicly-advertisable: The address range is provisioned and cannot be advertised.
NetworkBorderGroup (string) --
If you have Local Zones enabled, you can choose a network border group for Local Zones when you provision and advertise a BYOIPv4 CIDR. Choose the network border group carefully as the EIP and the Amazon Web Services resource it is associated with must reside in the same network border group.
You can provision BYOIP address ranges to and advertise them in the following Local Zone network border groups:
us-east-1-dfw-2
us-west-2-lax-1
us-west-2-phx-2
AdvertisementType (string) --
Specifies the advertisement method for the BYOIP CIDR. Valid values are:
unicast: IP is advertised from a single location (regional services like EC2)
anycast: IP is advertised from multiple global locations simultaneously (global services like CloudFront)
For more information, see Bring your own IP to CloudFront using IPAM in the Amazon VPC IPAM User Guide.
{'IpamPoolAllocation': {'ResourceType': {'anycast-ip-list'}}}
Allocate a CIDR from an IPAM pool. The Region you use should be the IPAM pool locale. The locale is the Amazon Web Services Region where this IPAM pool is available for allocations.
In IPAM, an allocation is a CIDR assignment from an IPAM pool to another IPAM pool or to a resource. For more information, see Allocate CIDRs in the Amazon VPC IPAM User Guide.
See also: AWS API Documentation
Request Syntax
client.allocate_ipam_pool_cidr(
DryRun=True|False,
IpamPoolId='string',
Cidr='string',
NetmaskLength=123,
ClientToken='string',
Description='string',
PreviewNextCidr=True|False,
AllowedCidrs=[
'string',
],
DisallowedCidrs=[
'string',
]
)
boolean
A check for whether you have the required permissions for the action without actually making the request and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
string
[REQUIRED]
The ID of the IPAM pool from which you would like to allocate a CIDR.
string
The CIDR you would like to allocate from the IPAM pool. Note the following:
If there is no DefaultNetmaskLength allocation rule set on the pool, you must specify either the NetmaskLength or the CIDR.
If the DefaultNetmaskLength allocation rule is set on the pool, you can specify either the NetmaskLength or the CIDR and the DefaultNetmaskLength allocation rule will be ignored.
Possible values: Any available IPv4 or IPv6 CIDR.
NetmaskLength (integer) --
The netmask length of the CIDR you would like to allocate from the IPAM pool. Note the following:
If there is no DefaultNetmaskLength allocation rule set on the pool, you must specify either the NetmaskLength or the CIDR.
If the DefaultNetmaskLength allocation rule is set on the pool, you can specify either the NetmaskLength or the CIDR and the DefaultNetmaskLength allocation rule will be ignored.
Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
ClientToken (string) --
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
Description (string) --
A description for the allocation.
PreviewNextCidr (boolean) --
A preview of the next available CIDR in a pool.
AllowedCidrs (list) --
Include a particular CIDR range that can be returned by the pool. Allowed CIDRs are only allowed if using netmask length for allocation.
(string) --
DisallowedCidrs (list) --
Exclude a particular CIDR range from being returned by the pool. Disallowed CIDRs are only allowed if using netmask length for allocation.
(string) --
dict
Response Syntax
{
'IpamPoolAllocation': {
'Cidr': 'string',
'IpamPoolAllocationId': 'string',
'Description': 'string',
'ResourceId': 'string',
'ResourceType': 'ipam-pool'|'vpc'|'ec2-public-ipv4-pool'|'custom'|'subnet'|'eip'|'anycast-ip-list',
'ResourceRegion': 'string',
'ResourceOwner': 'string'
}
}
Response Structure
(dict) --
IpamPoolAllocation (dict) --
Information about the allocation created.
Cidr (string) --
The CIDR for the allocation. A CIDR is a representation of an IP address and its associated network mask (or netmask) and refers to a range of IP addresses. An IPv4 CIDR example is 10.24.34.0/23. An IPv6 CIDR example is 2001:DB8::/32.
IpamPoolAllocationId (string) --
The ID of an allocation.
Description (string) --
A description of the pool allocation.
ResourceId (string) --
The ID of the resource.
ResourceType (string) --
The type of the resource.
ResourceRegion (string) --
The Amazon Web Services Region of the resource.
ResourceOwner (string) --
The owner of the resource.
{'AwsService': {'global-services'}}
Response {'IpamPool': {'AwsService': {'global-services'}}}
Create an IP address pool for Amazon VPC IP Address Manager (IPAM). In IPAM, a pool is a collection of contiguous IP address CIDRs. Pools enable you to organize your IP addresses according to your routing and security needs. For example, if you have separate routing and security needs for development and production applications, you can create a pool for each.
For more information, see Create a top-level pool in the Amazon VPC IPAM User Guide.
See also: AWS API Documentation
Request Syntax
client.create_ipam_pool(
DryRun=True|False,
IpamScopeId='string',
Locale='string',
SourceIpamPoolId='string',
Description='string',
AddressFamily='ipv4'|'ipv6',
AutoImport=True|False,
PubliclyAdvertisable=True|False,
AllocationMinNetmaskLength=123,
AllocationMaxNetmaskLength=123,
AllocationDefaultNetmaskLength=123,
AllocationResourceTags=[
{
'Key': 'string',
'Value': 'string'
},
],
TagSpecifications=[
{
'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'image-usage-report'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'outpost-lag'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'service-link-virtual-interface'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-metering-policy'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'vpc-encryption-control'|'route-server'|'route-server-endpoint'|'route-server-peer'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token'|'capacity-block'|'mac-modification-task'|'ipam-prefix-list-resolver'|'ipam-policy'|'ipam-prefix-list-resolver-target'|'capacity-manager-data-export'|'vpn-concentrator',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
],
ClientToken='string',
AwsService='ec2'|'global-services',
PublicIpSource='amazon'|'byoip',
SourceResource={
'ResourceId': 'string',
'ResourceType': 'vpc',
'ResourceRegion': 'string',
'ResourceOwner': 'string'
}
)
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
IpamScopeId (string) -- [REQUIRED]
The ID of the scope in which you would like to create the IPAM pool.
Locale (string) --
The locale for the pool should be one of the following:
An Amazon Web Services Region where you want this IPAM pool to be available for allocations.
The network border group for an Amazon Web Services Local Zone where you want this IPAM pool to be available for allocations (supported Local Zones). This option is only available for IPAM IPv4 pools in the public scope.
Possible values: Any Amazon Web Services Region or supported Amazon Web Services Local Zone. Default is none and means any locale.
SourceIpamPoolId (string) --
The ID of the source IPAM pool. Use this option to create a pool within an existing pool. Note that the CIDR you provision for the pool within the source pool must be available in the source pool's CIDR range.
Description (string) --
A description for the IPAM pool.
AddressFamily (string) -- [REQUIRED]
The IP protocol assigned to this IPAM pool. You must choose either IPv4 or IPv6 protocol for a pool.
AutoImport (boolean) --
If selected, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM. The CIDRs that will be allocated for these resources must not already be allocated to other resources in order for the import to succeed. IPAM will import a CIDR regardless of its compliance with the pool's allocation rules, so a resource might be imported and subsequently marked as noncompliant. If IPAM discovers multiple CIDRs that overlap, IPAM will import the largest CIDR only. If IPAM discovers multiple CIDRs with matching CIDRs, IPAM will randomly import one of them only.
A locale must be set on the pool for this feature to work.
PubliclyAdvertisable (boolean) --
Determines if the pool is publicly advertisable. The request can only contain PubliclyAdvertisable if AddressFamily is ipv6 and PublicIpSource is byoip.
AllocationMinNetmaskLength (integer) --
The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant. The minimum netmask length must be less than the maximum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
AllocationMaxNetmaskLength (integer) --
The maximum netmask length possible for CIDR allocations in this IPAM pool to be compliant. The maximum netmask length must be greater than the minimum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
AllocationDefaultNetmaskLength (integer) --
The default netmask length for allocations added to this pool. If, for example, the CIDR assigned to this pool is 10.0.0.0/8 and you enter 16 here, new allocations will default to 10.0.0.0/16.
AllocationResourceTags (list) --
Tags that are required for resources that use CIDRs from this IPAM pool. Resources that do not have these tags will not be allowed to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging requirements are changed on the pool, the resource may be marked as noncompliant.
(dict) --
A tag on an IPAM resource.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value for the tag.
TagSpecifications (list) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
ClientToken (string) --
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
AwsService (string) --
Limits which Amazon Web Services service the pool can be used in. "ec2", for example, allows users to use space for Elastic IP addresses and VPCs.
PublicIpSource (string) --
The IP address source for pools in the public scope. Only used for provisioning IP address CIDRs to pools in the public scope. Default is byoip. For more information, see Create IPv6 pools in the Amazon VPC IPAM User Guide. By default, you can add only one Amazon-provided IPv6 CIDR block to a top-level IPv6 pool if PublicIpSource is amazon. For information on increasing the default limit, see Quotas for your IPAM in the Amazon VPC IPAM User Guide.
SourceResource (dict) --
The resource used to provision CIDRs to a resource planning pool.
ResourceId (string) --
The source resource ID.
ResourceType (string) --
The source resource type.
ResourceRegion (string) --
The source resource Region.
ResourceOwner (string) --
The source resource owner.
dict
Response Syntax
{
'IpamPool': {
'OwnerId': 'string',
'IpamPoolId': 'string',
'SourceIpamPoolId': 'string',
'IpamPoolArn': 'string',
'IpamScopeArn': 'string',
'IpamScopeType': 'public'|'private',
'IpamArn': 'string',
'IpamRegion': 'string',
'Locale': 'string',
'PoolDepth': 123,
'State': 'create-in-progress'|'create-complete'|'create-failed'|'modify-in-progress'|'modify-complete'|'modify-failed'|'delete-in-progress'|'delete-complete'|'delete-failed'|'isolate-in-progress'|'isolate-complete'|'restore-in-progress',
'StateMessage': 'string',
'Description': 'string',
'AutoImport': True|False,
'PubliclyAdvertisable': True|False,
'AddressFamily': 'ipv4'|'ipv6',
'AllocationMinNetmaskLength': 123,
'AllocationMaxNetmaskLength': 123,
'AllocationDefaultNetmaskLength': 123,
'AllocationResourceTags': [
{
'Key': 'string',
'Value': 'string'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'AwsService': 'ec2'|'global-services',
'PublicIpSource': 'amazon'|'byoip',
'SourceResource': {
'ResourceId': 'string',
'ResourceType': 'vpc',
'ResourceRegion': 'string',
'ResourceOwner': 'string'
}
}
}
Response Structure
(dict) --
IpamPool (dict) --
Information about the IPAM pool created.
OwnerId (string) --
The Amazon Web Services account ID of the owner of the IPAM pool.
IpamPoolId (string) --
The ID of the IPAM pool.
SourceIpamPoolId (string) --
The ID of the source IPAM pool. You can use this option to create an IPAM pool within an existing source pool.
IpamPoolArn (string) --
The Amazon Resource Name (ARN) of the IPAM pool.
IpamScopeArn (string) --
The ARN of the scope of the IPAM pool.
IpamScopeType (string) --
In IPAM, a scope is the highest-level container within IPAM. An IPAM contains two default scopes. Each scope represents the IP space for a single network. The private scope is intended for all private IP address space. The public scope is intended for all public IP address space. Scopes enable you to reuse IP addresses across multiple unconnected networks without causing IP address overlap or conflict.
IpamArn (string) --
The ARN of the IPAM.
IpamRegion (string) --
The Amazon Web Services Region of the IPAM pool.
Locale (string) --
The locale of the IPAM pool.
The locale for the pool should be one of the following:
An Amazon Web Services Region where you want this IPAM pool to be available for allocations.
The network border group for an Amazon Web Services Local Zone where you want this IPAM pool to be available for allocations (supported Local Zones). This option is only available for IPAM IPv4 pools in the public scope.
If you choose an Amazon Web Services Region for locale that has not been configured as an operating Region for the IPAM, you'll get an error.
PoolDepth (integer) --
The depth of pools in your IPAM pool. The pool depth quota is 10. For more information, see Quotas in IPAM in the Amazon VPC IPAM User Guide.
State (string) --
The state of the IPAM pool.
StateMessage (string) --
The state message.
Description (string) --
The description of the IPAM pool.
AutoImport (boolean) --
If selected, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM. The CIDRs that will be allocated for these resources must not already be allocated to other resources in order for the import to succeed. IPAM will import a CIDR regardless of its compliance with the pool's allocation rules, so a resource might be imported and subsequently marked as noncompliant. If IPAM discovers multiple CIDRs that overlap, IPAM will import the largest CIDR only. If IPAM discovers multiple CIDRs with matching CIDRs, IPAM will randomly import one of them only.
A locale must be set on the pool for this feature to work.
PubliclyAdvertisable (boolean) --
Determines if a pool is publicly advertisable. This option is not available for pools with AddressFamily set to ipv4.
AddressFamily (string) --
The address family of the pool.
AllocationMinNetmaskLength (integer) --
The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant. The minimum netmask length must be less than the maximum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
AllocationMaxNetmaskLength (integer) --
The maximum netmask length possible for CIDR allocations in this IPAM pool to be compliant. The maximum netmask length must be greater than the minimum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
AllocationDefaultNetmaskLength (integer) --
The default netmask length for allocations added to this pool. If, for example, the CIDR assigned to this pool is 10.0.0.0/8 and you enter 16 here, new allocations will default to 10.0.0.0/16.
AllocationResourceTags (list) --
Tags that are required for resources that use CIDRs from this IPAM pool. Resources that do not have these tags will not be allowed to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging requirements are changed on the pool, the resource may be marked as noncompliant.
(dict) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value of the tag.
Tags (list) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
AwsService (string) --
Limits which Amazon Web Services service the pool can be used in. "ec2", for example, allows users to use space for Elastic IP addresses and VPCs.
PublicIpSource (string) --
The IP address source for pools in the public scope. Only used for provisioning IP address CIDRs to pools in the public scope. Default is BYOIP. For more information, see Create IPv6 pools in the Amazon VPC IPAM User Guide. By default, you can add only one Amazon-provided IPv6 CIDR block to a top-level IPv6 pool. For information on increasing the default limit, see Quotas for your IPAM in the Amazon VPC IPAM User Guide.
SourceResource (dict) --
The resource used to provision CIDRs to a resource planning pool.
ResourceId (string) --
The source resource ID.
ResourceType (string) --
The source resource type.
ResourceRegion (string) --
The source resource Region.
ResourceOwner (string) --
The source resource owner.
{'Rules': {'ResourceType': {'anycast-ip-list'}}}
Creates an IPAM prefix list resolver.
An IPAM prefix list resolver is a component that manages the synchronization between IPAM's CIDR selection rules and customer-managed prefix lists. It automates connectivity configurations by selecting CIDRs from IPAM's database based on your business logic and synchronizing them with prefix lists used in resources such as VPC route tables and security groups.
For more information about IPAM prefix list resolver, see Automate prefix list updates with IPAM in the Amazon VPC IPAM User Guide.
See also: AWS API Documentation
Request Syntax
client.create_ipam_prefix_list_resolver(
DryRun=True|False,
IpamId='string',
Description='string',
AddressFamily='ipv4'|'ipv6',
Rules=[
{
'RuleType': 'static-cidr'|'ipam-resource-cidr'|'ipam-pool-cidr',
'StaticCidr': 'string',
'IpamScopeId': 'string',
'ResourceType': 'vpc'|'subnet'|'eip'|'public-ipv4-pool'|'ipv6-pool'|'eni'|'anycast-ip-list',
'Conditions': [
{
'Operation': 'equals'|'not-equals'|'subnet-of',
'IpamPoolId': 'string',
'ResourceId': 'string',
'ResourceOwner': 'string',
'ResourceRegion': 'string',
'ResourceTag': {
'Key': 'string',
'Value': 'string'
},
'Cidr': 'string'
},
]
},
],
TagSpecifications=[
{
'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'image-usage-report'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'outpost-lag'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'service-link-virtual-interface'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-metering-policy'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'vpc-encryption-control'|'route-server'|'route-server-endpoint'|'route-server-peer'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token'|'capacity-block'|'mac-modification-task'|'ipam-prefix-list-resolver'|'ipam-policy'|'ipam-prefix-list-resolver-target'|'capacity-manager-data-export'|'vpn-concentrator',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
],
ClientToken='string'
)
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
IpamId (string) -- [REQUIRED]
The ID of the IPAM that will serve as the source of the IP address database for CIDR selection. The IPAM must be in the Advanced tier to use this feature.
Description (string) --
A description for the IPAM prefix list resolver to help you identify its purpose and configuration.
AddressFamily (string) -- [REQUIRED]
The address family for the IPAM prefix list resolver. Valid values are ipv4 and ipv6. You must create separate resolvers for IPv4 and IPv6 CIDRs as they cannot be mixed in the same resolver.
Rules (list) --
The CIDR selection rules for the resolver.
CIDR selection rules define the business logic for selecting CIDRs from IPAM. If a CIDR matches any of the rules, it will be included. If a rule has multiple conditions, the CIDR has to match every condition of that rule. You can create a prefix list resolver without any CIDR selection rules, but it will generate empty versions (containing no CIDRs) until you add rules.
(dict) --
Describes a CIDR selection rule to include in a request. This is used when creating or modifying resolver rules.
There are three rule types. Only 2 of the 3 rule types support conditions - IPAM pool CIDR and Scope resource CIDR. Static CIDR rules cannot have conditions.
Static CIDR: A fixed list of CIDRs that do not change (like a manual list replicated across Regions)
IPAM pool CIDR: CIDRs from specific IPAM pools (like all CIDRs from your IPAM production pool). If you choose this option, choose the following:
IPAM scope: Select the IPAM scope to search for resources
Conditions:
Property
IPAM pool ID: Select an IPAM pool that contains the resources
CIDR (like 10.24.34.0/23)
Operation: Equals/Not equals
Value: The value on which to match the condition
Scope resource CIDR: CIDRs from Amazon Web Services resources like VPCs, subnets, EIPs within an IPAM scope. If you choose this option, choose the following:
IPAM scope: Select the IPAM scope to search for resources
Resource type: Select a resource, like a VPC or subnet.
Conditions:
Property:
Resource ID: The unique ID of a resource (like vpc-1234567890abcdef0)
Resource owner (like 111122223333)
Resource region (like us-east-1)
Resource tag (like key: name, value: dev-vpc-1)
CIDR (like 10.24.34.0/23)
Operation: Equals/Not equals
Value: The value on which to match the condition
RuleType (string) -- [REQUIRED]
The type of CIDR selection rule. Valid values include "include" for selecting CIDRs that match the conditions, and "exclude" for excluding CIDRs that match the conditions.
StaticCidr (string) --
A fixed list of CIDRs that do not change (like a manual list replicated across Regions).
IpamScopeId (string) --
The ID of the IPAM scope from which to select CIDRs. This determines whether to select from public or private IP address space.
ResourceType (string) --
For rules of type ipam-resource-cidr, this is the resource type.
Conditions (list) --
The conditions that determine which CIDRs are selected by this rule. Conditions specify criteria such as resource type, tags, account IDs, and Regions.
(dict) --
Describes a condition used when creating or modifying resolver rules.
Operation (string) -- [REQUIRED]
The operation to perform when evaluating this condition.
IpamPoolId (string) --
The ID of the IPAM pool to match against. This condition selects CIDRs that belong to the specified IPAM pool.
ResourceId (string) --
The ID of the Amazon Web Services resource to match against. This condition selects CIDRs associated with the specified resource.
ResourceOwner (string) --
The Amazon Web Services account ID that owns the resources to match against. This condition selects CIDRs from resources owned by the specified account.
ResourceRegion (string) --
The Amazon Web Services Region where the resources are located. This condition selects CIDRs from resources in the specified Region.
ResourceTag (dict) --
A tag key-value pair to match against. This condition selects CIDRs from resources that have the specified tag.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value for the tag.
Cidr (string) --
A CIDR block to match against. This condition selects CIDRs that fall within or match the specified CIDR range.
TagSpecifications (list) --
The tags to apply to the IPAM prefix list resolver during creation. Tags help you organize and manage your Amazon Web Services resources.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
ClientToken (string) --
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
dict
Response Syntax
{
'IpamPrefixListResolver': {
'OwnerId': 'string',
'IpamPrefixListResolverId': 'string',
'IpamPrefixListResolverArn': 'string',
'IpamArn': 'string',
'IpamRegion': 'string',
'Description': 'string',
'AddressFamily': 'ipv4'|'ipv6',
'State': 'create-in-progress'|'create-complete'|'create-failed'|'modify-in-progress'|'modify-complete'|'modify-failed'|'delete-in-progress'|'delete-complete'|'delete-failed'|'isolate-in-progress'|'isolate-complete'|'restore-in-progress',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'LastVersionCreationStatus': 'pending'|'success'|'failure',
'LastVersionCreationStatusMessage': 'string'
}
}
Response Structure
(dict) --
IpamPrefixListResolver (dict) --
Information about the IPAM prefix list resolver that was created.
OwnerId (string) --
The ID of the Amazon Web Services account that owns the IPAM prefix list resolver.
IpamPrefixListResolverId (string) --
The ID of the IPAM prefix list resolver.
IpamPrefixListResolverArn (string) --
The Amazon Resource Name (ARN) of the IPAM prefix list resolver.
IpamArn (string) --
The Amazon Resource Name (ARN) of the IPAM associated with this resolver.
IpamRegion (string) --
The Amazon Web Services Region where the associated IPAM is located.
Description (string) --
The description of the IPAM prefix list resolver.
AddressFamily (string) --
The address family (IPv4 or IPv6) for the IPAM prefix list resolver.
State (string) --
The current state of the IPAM prefix list resolver. Valid values include create-in-progress, create-complete, create-failed, modify-in-progress, modify-complete, modify-failed, delete-in-progress, delete-complete, and delete-failed.
Tags (list) --
The tags assigned to the IPAM prefix list resolver.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
LastVersionCreationStatus (string) --
The status for the last time a version was created.
Each version is a snapshot of what CIDRs matched your rules at that moment in time. The version number increments every time the CIDR list changes due to infrastructure changes.
LastVersionCreationStatusMessage (string) --
The status message for the last time a version was created.
Each version is a snapshot of what CIDRs matched your rules at that moment in time. The version number increments every time the CIDR list changes due to infrastructure changes.
{'LaunchTemplateData': {'TagSpecifications': {'ResourceType': {'transit-gateway-metering-policy',
'vpc-encryption-control'}}}}
{'LaunchTemplateData': {'TagSpecifications': {'ResourceType': {'transit-gateway-metering-policy',
'vpc-encryption-control'}}}}
Response {'LaunchTemplateVersion': {'LaunchTemplateData': {'TagSpecifications': {'ResourceType': {'transit-gateway-metering-policy',
'vpc-encryption-control'}}}}}
{'TransitGateway': {'Options': {'EncryptionSupport': {'EncryptionState': 'enabling | enabled | disabling | disabled',
'StateMessage': 'string'}}}}
Creates a transit gateway.
You can use a transit gateway to interconnect your virtual private clouds (VPC) and on-premises networks. After the transit gateway enters the available state, you can attach your VPCs and VPN connections to the transit gateway.
To attach your VPCs, use CreateTransitGatewayVpcAttachment.
To attach a VPN connection, use CreateCustomerGateway to create a customer gateway and specify the ID of the customer gateway and the ID of the transit gateway in a call to CreateVpnConnection.
When you create a transit gateway, we create a default transit gateway route table and use it as the default association route table and the default propagation route table. You can use CreateTransitGatewayRouteTable to create additional transit gateway route tables. If you disable automatic route propagation, we do not create a default transit gateway route table. You can use EnableTransitGatewayRouteTablePropagation to propagate routes from a resource attachment to a transit gateway route table. If you disable automatic associations, you can use AssociateTransitGatewayRouteTable to associate a resource attachment with a transit gateway route table.
See also: AWS API Documentation
Request Syntax
client.create_transit_gateway(
Description='string',
Options={
'AmazonSideAsn': 123,
'AutoAcceptSharedAttachments': 'enable'|'disable',
'DefaultRouteTableAssociation': 'enable'|'disable',
'DefaultRouteTablePropagation': 'enable'|'disable',
'VpnEcmpSupport': 'enable'|'disable',
'DnsSupport': 'enable'|'disable',
'SecurityGroupReferencingSupport': 'enable'|'disable',
'MulticastSupport': 'enable'|'disable',
'TransitGatewayCidrBlocks': [
'string',
]
},
TagSpecifications=[
{
'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'image-usage-report'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'outpost-lag'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'service-link-virtual-interface'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-metering-policy'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'vpc-encryption-control'|'route-server'|'route-server-endpoint'|'route-server-peer'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token'|'capacity-block'|'mac-modification-task'|'ipam-prefix-list-resolver'|'ipam-policy'|'ipam-prefix-list-resolver-target'|'capacity-manager-data-export'|'vpn-concentrator',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
],
DryRun=True|False
)
Description (string) --
A description of the transit gateway.
Options (dict) --
The transit gateway options.
AmazonSideAsn (integer) --
A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs. The default is 64512.
AutoAcceptSharedAttachments (string) --
Enable or disable automatic acceptance of attachment requests. Disabled by default.
DefaultRouteTableAssociation (string) --
Enable or disable automatic association with the default association route table. Enabled by default.
DefaultRouteTablePropagation (string) --
Enable or disable automatic propagation of routes to the default propagation route table. Enabled by default.
VpnEcmpSupport (string) --
Enable or disable Equal Cost Multipath Protocol support. Enabled by default.
DnsSupport (string) --
Enable or disable DNS support. Enabled by default.
SecurityGroupReferencingSupport (string) --
Enables you to reference a security group across VPCs attached to a transit gateway to simplify security group management.
This option is disabled by default.
For more information about security group referencing, see Security group referencing in the Amazon Web Services Transit Gateways Guide.
MulticastSupport (string) --
Indicates whether multicast is enabled on the transit gateway.
TransitGatewayCidrBlocks (list) --
One or more IPv4 or IPv6 CIDR blocks for the transit gateway. Must be a size /24 CIDR block or larger for IPv4, or a size /64 CIDR block or larger for IPv6.
(string) --
TagSpecifications (list) --
The tags to apply to the transit gateway.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{
'TransitGateway': {
'TransitGatewayId': 'string',
'TransitGatewayArn': 'string',
'State': 'pending'|'available'|'modifying'|'deleting'|'deleted',
'OwnerId': 'string',
'Description': 'string',
'CreationTime': datetime(2015, 1, 1),
'Options': {
'AmazonSideAsn': 123,
'TransitGatewayCidrBlocks': [
'string',
],
'AutoAcceptSharedAttachments': 'enable'|'disable',
'DefaultRouteTableAssociation': 'enable'|'disable',
'AssociationDefaultRouteTableId': 'string',
'DefaultRouteTablePropagation': 'enable'|'disable',
'PropagationDefaultRouteTableId': 'string',
'VpnEcmpSupport': 'enable'|'disable',
'DnsSupport': 'enable'|'disable',
'SecurityGroupReferencingSupport': 'enable'|'disable',
'MulticastSupport': 'enable'|'disable',
'EncryptionSupport': {
'EncryptionState': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
}
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
}
}
Response Structure
(dict) --
TransitGateway (dict) --
Information about the transit gateway.
TransitGatewayId (string) --
The ID of the transit gateway.
TransitGatewayArn (string) --
The Amazon Resource Name (ARN) of the transit gateway.
State (string) --
The state of the transit gateway.
OwnerId (string) --
The ID of the Amazon Web Services account that owns the transit gateway.
Description (string) --
The description of the transit gateway.
CreationTime (datetime) --
The creation time.
Options (dict) --
The transit gateway options.
AmazonSideAsn (integer) --
A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.
TransitGatewayCidrBlocks (list) --
The transit gateway CIDR blocks.
(string) --
AutoAcceptSharedAttachments (string) --
Indicates whether attachment requests are automatically accepted.
DefaultRouteTableAssociation (string) --
Indicates whether resource attachments are automatically associated with the default association route table. Enabled by default. Either defaultRouteTableAssociation or defaultRouteTablePropagation must be set to enable for Amazon Web Services Transit Gateway to create the default transit gateway route table.
AssociationDefaultRouteTableId (string) --
The ID of the default association route table.
DefaultRouteTablePropagation (string) --
Indicates whether resource attachments automatically propagate routes to the default propagation route table. Enabled by default. If defaultRouteTablePropagation is set to enable, Amazon Web Services Transit Gateway creates the default transit gateway route table.
PropagationDefaultRouteTableId (string) --
The ID of the default propagation route table.
VpnEcmpSupport (string) --
Indicates whether Equal Cost Multipath Protocol support is enabled.
DnsSupport (string) --
Indicates whether DNS support is enabled.
SecurityGroupReferencingSupport (string) --
Enables you to reference a security group across VPCs attached to a transit gateway to simplify security group management.
This option is disabled by default.
MulticastSupport (string) --
Indicates whether multicast is enabled on the transit gateway.
EncryptionSupport (dict) --
Defines if the Transit Gateway supports VPC Encryption Control.
EncryptionState (string) --
The current encryption state of the resource.
StateMessage (string) --
A message describing the encryption state.
Tags (list) --
The tags for the transit gateway.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
{'VpcEncryptionControl': {'EgressOnlyInternetGatewayExclusion': 'enable | disable',
'ElasticFileSystemExclusion': 'enable | disable',
'InternetGatewayExclusion': 'enable | disable',
'LambdaExclusion': 'enable | disable',
'Mode': 'monitor | enforce',
'NatGatewayExclusion': 'enable | disable',
'VirtualPrivateGatewayExclusion': 'enable | disable',
'VpcLatticeExclusion': 'enable | disable',
'VpcPeeringExclusion': 'enable | disable'}}
Creates a VPC with the specified CIDR blocks.
A VPC must have an associated IPv4 CIDR block. You can choose an IPv4 CIDR block or an IPAM-allocated IPv4 CIDR block. You can optionally associate an IPv6 CIDR block with a VPC. You can choose an IPv6 CIDR block, an Amazon-provided IPv6 CIDR block, an IPAM-allocated IPv6 CIDR block, or an IPv6 CIDR block that you brought to Amazon Web Services. For more information, see IP addressing for your VPCs and subnets in the Amazon VPC User Guide.
By default, each instance that you launch in the VPC has the default DHCP options, which include only a default DNS server that we provide (AmazonProvidedDNS). For more information, see DHCP option sets in the Amazon VPC User Guide.
You can specify DNS options and tenancy for a VPC when you create it. You can't change the tenancy of a VPC after you create it. For more information, see VPC configuration options in the Amazon VPC User Guide.
See also: AWS API Documentation
Request Syntax
client.create_vpc(
CidrBlock='string',
Ipv6Pool='string',
Ipv6CidrBlock='string',
Ipv4IpamPoolId='string',
Ipv4NetmaskLength=123,
Ipv6IpamPoolId='string',
Ipv6NetmaskLength=123,
Ipv6CidrBlockNetworkBorderGroup='string',
VpcEncryptionControl={
'Mode': 'monitor'|'enforce',
'InternetGatewayExclusion': 'enable'|'disable',
'EgressOnlyInternetGatewayExclusion': 'enable'|'disable',
'NatGatewayExclusion': 'enable'|'disable',
'VirtualPrivateGatewayExclusion': 'enable'|'disable',
'VpcPeeringExclusion': 'enable'|'disable',
'LambdaExclusion': 'enable'|'disable',
'VpcLatticeExclusion': 'enable'|'disable',
'ElasticFileSystemExclusion': 'enable'|'disable'
},
TagSpecifications=[
{
'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'image-usage-report'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'outpost-lag'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'service-link-virtual-interface'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-metering-policy'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'vpc-encryption-control'|'route-server'|'route-server-endpoint'|'route-server-peer'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token'|'capacity-block'|'mac-modification-task'|'ipam-prefix-list-resolver'|'ipam-policy'|'ipam-prefix-list-resolver-target'|'capacity-manager-data-export'|'vpn-concentrator',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
],
DryRun=True|False,
InstanceTenancy='default'|'dedicated'|'host',
AmazonProvidedIpv6CidrBlock=True|False
)
CidrBlock (string) --
The IPv4 network range for the VPC, in CIDR notation. For example, 10.0.0.0/16. We modify the specified CIDR block to its canonical form; for example, if you specify 100.68.0.18/18, we modify it to 100.68.0.0/18.
Ipv6Pool (string) --
The ID of an IPv6 address pool from which to allocate the IPv6 CIDR block.
Ipv6CidrBlock (string) --
The IPv6 CIDR block from the IPv6 address pool. You must also specify Ipv6Pool in the request.
To let Amazon choose the IPv6 CIDR block for you, omit this parameter.
Ipv4IpamPoolId (string) --
The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. For more information, see What is IPAM? in the Amazon VPC IPAM User Guide.
Ipv4NetmaskLength (integer) --
The netmask length of the IPv4 CIDR you want to allocate to this VPC from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see What is IPAM? in the Amazon VPC IPAM User Guide.
Ipv6IpamPoolId (string) --
The ID of an IPv6 IPAM pool which will be used to allocate this VPC an IPv6 CIDR. IPAM is a VPC feature that you can use to automate your IP address management workflows including assigning, tracking, troubleshooting, and auditing IP addresses across Amazon Web Services Regions and accounts throughout your Amazon Web Services Organization. For more information, see What is IPAM? in the Amazon VPC IPAM User Guide.
Ipv6NetmaskLength (integer) --
The netmask length of the IPv6 CIDR you want to allocate to this VPC from an Amazon VPC IP Address Manager (IPAM) pool. For more information about IPAM, see What is IPAM? in the Amazon VPC IPAM User Guide.
Ipv6CidrBlockNetworkBorderGroup (string) --
The name of the location from which we advertise the IPv6 CIDR block. Use this parameter to limit the address to this location.
You must set AmazonProvidedIpv6CidrBlock to true to use this parameter.
VpcEncryptionControl (dict) --
Specifies the encryption control configuration to apply to the VPC during creation. VPC Encryption Control enables you to enforce encryption for all data in transit within and between VPCs to meet compliance requirements.
For more information, see Enforce VPC encryption in transit in the Amazon VPC User Guide.
Mode (string) -- [REQUIRED]
The encryption mode for the VPC Encryption Control configuration.
InternetGatewayExclusion (string) --
Specifies whether to exclude internet gateway traffic from encryption enforcement.
EgressOnlyInternetGatewayExclusion (string) --
Specifies whether to exclude egress-only internet gateway traffic from encryption enforcement.
NatGatewayExclusion (string) --
Specifies whether to exclude NAT gateway traffic from encryption enforcement.
VirtualPrivateGatewayExclusion (string) --
Specifies whether to exclude virtual private gateway traffic from encryption enforcement.
VpcPeeringExclusion (string) --
Specifies whether to exclude VPC peering connection traffic from encryption enforcement.
LambdaExclusion (string) --
Specifies whether to exclude Lambda function traffic from encryption enforcement.
VpcLatticeExclusion (string) --
Specifies whether to exclude VPC Lattice traffic from encryption enforcement.
ElasticFileSystemExclusion (string) --
Specifies whether to exclude Elastic File System traffic from encryption enforcement.
TagSpecifications (list) --
The tags to assign to the VPC.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
InstanceTenancy (string) --
The tenancy options for instances launched into the VPC. For default, instances are launched with shared tenancy by default. You can launch instances with any tenancy into a shared tenancy VPC. For dedicated, instances are launched as dedicated tenancy instances by default. You can only launch instances with a tenancy of dedicated or host into a dedicated tenancy VPC.
Important: The host value cannot be used with this parameter. Use the default or dedicated values only.
Default: default
AmazonProvidedIpv6CidrBlock (boolean) --
Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block.
Return type: dict
Response Syntax
{
'Vpc': {
'OwnerId': 'string',
'InstanceTenancy': 'default'|'dedicated'|'host',
'Ipv6CidrBlockAssociationSet': [
{
'AssociationId': 'string',
'Ipv6CidrBlock': 'string',
'Ipv6CidrBlockState': {
'State': 'associating'|'associated'|'disassociating'|'disassociated'|'failing'|'failed',
'StatusMessage': 'string'
},
'NetworkBorderGroup': 'string',
'Ipv6Pool': 'string',
'Ipv6AddressAttribute': 'public'|'private',
'IpSource': 'amazon'|'byoip'|'none'
},
],
'CidrBlockAssociationSet': [
{
'AssociationId': 'string',
'CidrBlock': 'string',
'CidrBlockState': {
'State': 'associating'|'associated'|'disassociating'|'disassociated'|'failing'|'failed',
'StatusMessage': 'string'
}
},
],
'IsDefault': True|False,
'EncryptionControl': {
'VpcId': 'string',
'VpcEncryptionControlId': 'string',
'Mode': 'monitor'|'enforce',
'State': 'enforce-in-progress'|'monitor-in-progress'|'enforce-failed'|'monitor-failed'|'deleting'|'deleted'|'available'|'creating'|'delete-failed',
'StateMessage': 'string',
'ResourceExclusions': {
'InternetGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'EgressOnlyInternetGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'NatGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VirtualPrivateGateway': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VpcPeering': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'Lambda': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'VpcLattice': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
},
'ElasticFileSystem': {
'State': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
}
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'BlockPublicAccessStates': {
'InternetGatewayBlockMode': 'off'|'block-bidirectional'|'block-ingress'
},
'VpcId': 'string',
'State': 'pending'|'available',
'CidrBlock': 'string',
'DhcpOptionsId': 'string'
}
}
Response Structure
(dict) --
Vpc (dict) --
Information about the VPC.
OwnerId (string) --
The ID of the Amazon Web Services account that owns the VPC.
InstanceTenancy (string) --
The allowed tenancy of instances launched into the VPC.
Ipv6CidrBlockAssociationSet (list) --
Information about the IPv6 CIDR blocks associated with the VPC.
(dict) --
Describes an IPv6 CIDR block associated with a VPC.
AssociationId (string) --
The association ID for the IPv6 CIDR block.
Ipv6CidrBlock (string) --
The IPv6 CIDR block.
Ipv6CidrBlockState (dict) --
Information about the state of the CIDR block.
State (string) --
The state of the CIDR block.
StatusMessage (string) --
A message about the status of the CIDR block, if applicable.
NetworkBorderGroup (string) --
The name of the unique set of Availability Zones, Local Zones, or Wavelength Zones from which Amazon Web Services advertises IP addresses, for example, us-east-1-wl1-bos-wlz-1.
Ipv6Pool (string) --
The ID of the IPv6 address pool from which the IPv6 CIDR block is allocated.
Ipv6AddressAttribute (string) --
Public IPv6 addresses are those advertised on the internet from Amazon Web Services. Private IP addresses are not and cannot be advertised on the internet from Amazon Web Services.
IpSource (string) --
The source that allocated the IP address space. byoip or amazon indicates public IP address space allocated by Amazon or space that you have allocated with Bring your own IP (BYOIP). none indicates private space.
CidrBlockAssociationSet (list) --
Information about the IPv4 CIDR blocks associated with the VPC.
(dict) --
Describes an IPv4 CIDR block associated with a VPC.
AssociationId (string) --
The association ID for the IPv4 CIDR block.
CidrBlock (string) --
The IPv4 CIDR block.
CidrBlockState (dict) --
Information about the state of the CIDR block.
State (string) --
The state of the CIDR block.
StatusMessage (string) --
A message about the status of the CIDR block, if applicable.
IsDefault (boolean) --
Indicates whether the VPC is the default VPC.
EncryptionControl (dict) --
Describes the configuration and state of VPC encryption controls.
For more information, see Enforce VPC encryption in transit in the Amazon VPC User Guide.
VpcId (string) --
The ID of the VPC associated with the encryption control configuration.
VpcEncryptionControlId (string) --
The ID of the VPC Encryption Control configuration.
Mode (string) --
The encryption mode for the VPC Encryption Control configuration.
State (string) --
The current state of the VPC Encryption Control configuration.
StateMessage (string) --
A message providing additional information about the encryption control state.
ResourceExclusions (dict) --
Information about resource exclusions for the VPC Encryption Control configuration.
InternetGateway (dict) --
The exclusion configuration for internet gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
EgressOnlyInternetGateway (dict) --
The exclusion configuration for egress-only internet gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
NatGateway (dict) --
The exclusion configuration for NAT gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VirtualPrivateGateway (dict) --
The exclusion configuration for virtual private gateway traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VpcPeering (dict) --
The exclusion configuration for VPC peering connection traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
Lambda (dict) --
The exclusion configuration for Lambda function traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
VpcLattice (dict) --
The exclusion configuration for VPC Lattice traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
ElasticFileSystem (dict) --
The exclusion configuration for Elastic File System traffic.
State (string) --
The current state of the exclusion configuration.
StateMessage (string) --
A message providing additional information about the exclusion state.
Tags (list) --
The tags assigned to the VPC Encryption Control configuration.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
Tags (list) --
Any tags assigned to the VPC.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
BlockPublicAccessStates (dict) --
The state of VPC Block Public Access (BPA).
InternetGatewayBlockMode (string) --
The mode of VPC BPA.
off: VPC BPA is not enabled and traffic is allowed to and from internet gateways and egress-only internet gateways in this Region.
block-bidirectional: Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets).
block-ingress: Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
VpcId (string) --
The ID of the VPC.
State (string) --
The current state of the VPC.
CidrBlock (string) --
The primary IPv4 CIDR block for the VPC.
DhcpOptionsId (string) --
The ID of the set of DHCP options you've associated with the VPC.
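The VpcEncryptionControl request shape and the EncryptionControl response shape above can be checked offline before and after a create_vpc call. The following is an added example, not code from AWS or boto3: the helper names, the sample VPC dictionary and the choice to treat any State other than 'available' as a finding are assumptions made here.

```python
"""Offline helpers for the VpcEncryptionControl shapes documented on this page."""

# Request key -> ResourceExclusions key, for the eight exclusions listed above.
EXCLUSION_KEYS = {
    "InternetGatewayExclusion": "InternetGateway",
    "EgressOnlyInternetGatewayExclusion": "EgressOnlyInternetGateway",
    "NatGatewayExclusion": "NatGateway",
    "VirtualPrivateGatewayExclusion": "VirtualPrivateGateway",
    "VpcPeeringExclusion": "VpcPeering",
    "LambdaExclusion": "Lambda",
    "VpcLatticeExclusion": "VpcLattice",
    "ElasticFileSystemExclusion": "ElasticFileSystem",
}
MODES = ("monitor", "enforce")


def build_create_vpc_kwargs(cidr_block, mode="enforce", exclusions=(), dry_run=True):
    """Return keyword arguments for client.create_vpc(), validated locally.

    Only exclusions that are explicitly requested are sent, so a reviewer can
    see every carve-out from enforcement in the request itself.
    """
    if mode not in MODES:
        raise ValueError(f"Mode must be one of {MODES}, got {mode!r}")
    unknown = sorted(set(exclusions) - set(EXCLUSION_KEYS))
    if unknown:
        raise ValueError(f"unknown exclusion keys: {unknown}")
    control = {"Mode": mode}  # Mode is the only [REQUIRED] member
    for key in EXCLUSION_KEYS:  # fixed order keeps the request deterministic
        if key in exclusions:
            control[key] = "enable"
    return {"CidrBlock": cidr_block, "VpcEncryptionControl": control, "DryRun": dry_run}


def audit_vpc(vpc):
    """Return findings for one 'Vpc' dict shaped like the Response Syntax above."""
    control = vpc.get("EncryptionControl")
    if not control:
        return ["no EncryptionControl configuration on this VPC"]
    findings = []
    if control.get("Mode") != "enforce":
        findings.append(f"Mode is {control.get('Mode')!r}, not 'enforce'")
    # Assumption: 'available' is the settled state; anything else needs a look.
    if control.get("State") != "available":
        message = control.get("StateMessage") or "no StateMessage"
        findings.append(f"State is {control.get('State')!r} ({message})")
    exclusions = control.get("ResourceExclusions") or {}
    for name in EXCLUSION_KEYS.values():
        state = (exclusions.get(name) or {}).get("State")
        if state in ("enabled", "enabling"):
            findings.append(f"{name} traffic is excluded from enforcement (State={state})")
    return findings


# Constructed sample response fragment; the VPC ID is a placeholder.
SAMPLE_VPC = {
    "VpcId": "vpc-0example",
    "EncryptionControl": {
        "Mode": "monitor",
        "State": "available",
        "ResourceExclusions": {
            "NatGateway": {"State": "enabled"},
            "Lambda": {"State": "disabled"},
        },
    },
}

if __name__ == "__main__":
    print(build_create_vpc_kwargs("10.0.0.0/16", exclusions=["NatGatewayExclusion"]))
    for finding in audit_vpc(SAMPLE_VPC):
        print("FINDING:", finding)
```

Passing the returned dictionary as `client.create_vpc(**kwargs)` with DryRun left at True only checks permissions; boto3 surfaces the DryRunOperation or UnauthorizedOperation result as a `botocore.exceptions.ClientError`.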
{'Options': {'TunnelOptions': {'LogOptions': {'CloudWatchLogOptions': {'BgpLogEnabled': 'boolean',
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'}}}}}
Response {'VpnConnection': {'Options': {'TunnelOptions': {'LogOptions': {'CloudWatchLogOptions': {'BgpLogEnabled': 'boolean',
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'}}}}}}
Creates a VPN connection between an existing virtual private gateway or transit gateway and a customer gateway. The supported connection type is ipsec.1.
The response includes information that you need to give to your network administrator to configure your customer gateway.
If you decide to shut down your VPN connection for any reason and later create a new VPN connection, you must reconfigure your customer gateway with the new information returned from this call.
This is an idempotent operation. If you perform the operation more than once, Amazon EC2 doesn't return an error.
For more information, see Amazon Web Services Site-to-Site VPN in the Amazon Web Services Site-to-Site VPN User Guide.
See also: AWS API Documentation
Request Syntax
client.create_vpn_connection(
CustomerGatewayId='string',
Type='string',
VpnGatewayId='string',
TransitGatewayId='string',
VpnConcentratorId='string',
TagSpecifications=[
{
'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'image-usage-report'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'outpost-lag'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'service-link-virtual-interface'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-metering-policy'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'vpc-encryption-control'|'route-server'|'route-server-endpoint'|'route-server-peer'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token'|'capacity-block'|'mac-modification-task'|'ipam-prefix-list-resolver'|'ipam-policy'|'ipam-prefix-list-resolver-target'|'capacity-manager-data-export'|'vpn-concentrator',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
],
PreSharedKeyStorage='string',
DryRun=True|False,
Options={
'EnableAcceleration': True|False,
'TunnelInsideIpVersion': 'ipv4'|'ipv6',
'TunnelOptions': [
{
'TunnelInsideCidr': 'string',
'TunnelInsideIpv6Cidr': 'string',
'PreSharedKey': 'string',
'Phase1LifetimeSeconds': 123,
'Phase2LifetimeSeconds': 123,
'RekeyMarginTimeSeconds': 123,
'RekeyFuzzPercentage': 123,
'ReplayWindowSize': 123,
'DPDTimeoutSeconds': 123,
'DPDTimeoutAction': 'string',
'Phase1EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase2EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase1IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase2IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase1DHGroupNumbers': [
{
'Value': 123
},
],
'Phase2DHGroupNumbers': [
{
'Value': 123
},
],
'IKEVersions': [
{
'Value': 'string'
},
],
'StartupAction': 'string',
'LogOptions': {
'CloudWatchLogOptions': {
'LogEnabled': True|False,
'LogGroupArn': 'string',
'LogOutputFormat': 'string',
'BgpLogEnabled': True|False,
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'
}
},
'EnableTunnelLifecycleControl': True|False
},
],
'LocalIpv4NetworkCidr': 'string',
'RemoteIpv4NetworkCidr': 'string',
'LocalIpv6NetworkCidr': 'string',
'RemoteIpv6NetworkCidr': 'string',
'OutsideIpAddressType': 'string',
'TransportTransitGatewayAttachmentId': 'string',
'TunnelBandwidth': 'standard'|'large',
'StaticRoutesOnly': True|False
}
)
string
[REQUIRED]
The ID of the customer gateway.
string
[REQUIRED]
The type of VPN connection (ipsec.1).
string
The ID of the virtual private gateway. If you specify a virtual private gateway, you cannot specify a transit gateway.
string
The ID of the transit gateway. If you specify a transit gateway, you cannot specify a virtual private gateway.
string
The ID of the VPN concentrator to associate with the VPN connection.
list
The tags to apply to the VPN connection.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
string
Specifies the storage mode for the pre-shared key (PSK). Valid values are Standard (stored in the Site-to-Site VPN service) or SecretsManager (stored in Amazon Web Services Secrets Manager).
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
The options for the VPN connection.
EnableAcceleration (boolean) --
Indicate whether to enable acceleration for the VPN connection.
Default: false
TunnelInsideIpVersion (string) --
Indicate whether the VPN tunnels process IPv4 or IPv6 traffic.
Default: ipv4
TunnelOptions (list) --
The tunnel options for the VPN connection.
(dict) --
The tunnel options for a single VPN tunnel.
TunnelInsideCidr (string) --
The range of inside IPv4 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway.
Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used:
169.254.0.0/30
169.254.1.0/30
169.254.2.0/30
169.254.3.0/30
169.254.4.0/30
169.254.5.0/30
169.254.169.252/30
TunnelInsideIpv6Cidr (string) --
The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway.
Constraints: A size /126 CIDR block from the local fd00::/8 range.
PreSharedKey (string) --
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and customer gateway.
Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).
Phase1LifetimeSeconds (integer) --
The lifetime for phase 1 of the IKE negotiation, in seconds.
Constraints: A value between 900 and 28,800.
Default: 28800
Phase2LifetimeSeconds (integer) --
The lifetime for phase 2 of the IKE negotiation, in seconds.
Constraints: A value between 900 and 3,600. The value must be less than the value for Phase1LifetimeSeconds.
Default: 3600
RekeyMarginTimeSeconds (integer) --
The margin time, in seconds, before the phase 2 lifetime expires, during which the Amazon Web Services side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for RekeyFuzzPercentage.
Constraints: A value between 60 and half of Phase2LifetimeSeconds.
Default: 270
RekeyFuzzPercentage (integer) --
The percentage of the rekey window (determined by RekeyMarginTimeSeconds) during which the rekey time is randomly selected.
Constraints: A value between 0 and 100.
Default: 100
ReplayWindowSize (integer) --
The number of packets in an IKE replay window.
Constraints: A value between 64 and 2048.
Default: 1024
DPDTimeoutSeconds (integer) --
The number of seconds after which a DPD timeout occurs.
Constraints: A value greater than or equal to 30.
Default: 30
DPDTimeoutAction (string) --
The action to take after DPD timeout occurs. Specify restart to restart the IKE initiation. Specify clear to end the IKE session.
Valid Values: clear | none | restart
Default: clear
Phase1EncryptionAlgorithms (list) --
One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.
Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
(dict) --
Specifies the encryption algorithm for the VPN tunnel for phase 1 IKE negotiations.
Value (string) --
The value for the encryption algorithm.
Phase2EncryptionAlgorithms (list) --
One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.
Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
(dict) --
Specifies the encryption algorithm for the VPN tunnel for phase 2 IKE negotiations.
Value (string) --
The encryption algorithm.
Phase1IntegrityAlgorithms (list) --
One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.
Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
(dict) --
Specifies the integrity algorithm for the VPN tunnel for phase 1 IKE negotiations.
Value (string) --
The value for the integrity algorithm.
Phase2IntegrityAlgorithms (list) --
One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.
Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
(dict) --
Specifies the integrity algorithm for the VPN tunnel for phase 2 IKE negotiations.
Value (string) --
The integrity algorithm.
Phase1DHGroupNumbers (list) --
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations.
Valid values: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
(dict) --
Specifies a Diffie-Hellman group number for the VPN tunnel for phase 1 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
Phase2DHGroupNumbers (list) --
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations.
Valid values: 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
(dict) --
Specifies a Diffie-Hellman group number for the VPN tunnel for phase 2 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
IKEVersions (list) --
The IKE versions that are permitted for the VPN tunnel.
Valid values: ikev1 | ikev2
(dict) --
The IKE version that is permitted for the VPN tunnel.
Value (string) --
The IKE version.
StartupAction (string) --
The action to take when establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for Amazon Web Services to initiate the IKE negotiation.
Valid Values: add | start
Default: add
LogOptions (dict) --
Options for logging VPN tunnel activity.
CloudWatchLogOptions (dict) --
Options for sending VPN tunnel logs to CloudWatch.
LogEnabled (boolean) --
Enable or disable VPN tunnel logging feature. Default value is False.
Valid values: True | False
LogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
LogOutputFormat (string) --
Set log format. Default format is json.
Valid values: json | text
BgpLogEnabled (boolean) --
Specifies whether to enable BGP logging for the VPN connection. Default value is False.
Valid values: True | False
BgpLogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group where BGP logs will be sent.
BgpLogOutputFormat (string) --
The desired output format for BGP logs to be sent to CloudWatch. Default format is json.
Valid values: json | text
EnableTunnelLifecycleControl (boolean) --
Turn on or off tunnel endpoint lifecycle control feature.
LocalIpv4NetworkCidr (string) --
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
Default: 0.0.0.0/0
RemoteIpv4NetworkCidr (string) --
The IPv4 CIDR on the Amazon Web Services side of the VPN connection.
Default: 0.0.0.0/0
LocalIpv6NetworkCidr (string) --
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
Default: ::/0
RemoteIpv6NetworkCidr (string) --
The IPv6 CIDR on the Amazon Web Services side of the VPN connection.
Default: ::/0
OutsideIpAddressType (string) --
The type of IP address assigned to the outside interface of the customer gateway device.
Valid values: PrivateIpv4 | PublicIpv4 | Ipv6
Default: PublicIpv4
TransportTransitGatewayAttachmentId (string) --
The transit gateway attachment ID to use for the VPN tunnel.
Required if OutsideIpAddressType is set to PrivateIpv4.
TunnelBandwidth (string) --
The desired bandwidth specification for the VPN tunnel, used when creating or modifying VPN connection options to set the tunnel's throughput capacity. standard supports up to 1.25 Gbps per tunnel, while large supports up to 5 Gbps per tunnel. The default value is standard. Existing VPN connections without a bandwidth setting will automatically default to standard.
StaticRoutesOnly (boolean) --
Indicate whether the VPN connection uses static routes only. If you are creating a VPN connection for a device that does not support BGP, you must specify true. Use CreateVpnConnectionRoute to create a static route.
Default: false
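An added example (not part of the AWS documentation or SDK): a pre-flight check for the keyword arguments of create_vpn_connection that enforces the constraints listed above and flags settings a security reviewer would question. The function names, the DISCOURAGED policy set and the sample request are assumptions made for illustration; no API call is made.

```python
import ipaddress
import re

# Constraints copied from the CreateVpnConnection parameter descriptions above.
RESERVED_V4 = {f"169.254.{n}.0/30" for n in range(6)} | {"169.254.169.252/30"}
INSIDE_V4 = ipaddress.ip_network("169.254.0.0/16")
INSIDE_V6 = ipaddress.ip_network("fd00::/8")
PSK_RE = re.compile(r"[A-Za-z0-9._]{8,64}")
INT_RANGES = {  # name: (documented default, minimum, maximum or None)
    "Phase1LifetimeSeconds": (28800, 900, 28800),
    "Phase2LifetimeSeconds": (3600, 900, 3600),
    "RekeyFuzzPercentage": (100, 0, 100),
    "ReplayWindowSize": (1024, 64, 2048),
    "DPDTimeoutSeconds": (30, 30, None),
}
# Assumption: a local hardening policy, not an AWS rule. SHA1, the 1024- and
# 1536-bit MODP groups (2 and 5) and IKEv1 are valid API values that a reviewer
# would normally keep off the allow-list.
DISCOURAGED = {
    "Phase1IntegrityAlgorithms": {"SHA1"}, "Phase2IntegrityAlgorithms": {"SHA1"},
    "Phase1DHGroupNumbers": {2}, "Phase2DHGroupNumbers": {2, 5},
    "IKEVersions": {"ikev1"},
}

def _check_cidr(name, value, parent, prefixlen, errors):
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError:
        errors.append(f"{name}: {value!r} is not a valid network")
        return
    if net.version != parent.version or net.prefixlen != prefixlen or not net.subnet_of(parent):
        errors.append(f"{name}: must be a /{prefixlen} inside {parent}")
    elif str(net) in RESERVED_V4:
        errors.append(f"{name}: {net} is reserved")

def check_tunnel(t):
    """Return (errors, warnings) for one TunnelOptions dict."""
    errors, warnings = [], []
    if "TunnelInsideCidr" in t:
        _check_cidr("TunnelInsideCidr", t["TunnelInsideCidr"], INSIDE_V4, 30, errors)
    if "TunnelInsideIpv6Cidr" in t:
        _check_cidr("TunnelInsideIpv6Cidr", t["TunnelInsideIpv6Cidr"], INSIDE_V6, 126, errors)
    psk = t.get("PreSharedKey")
    if psk is not None and (not PSK_RE.fullmatch(psk) or psk.startswith("0")):
        errors.append("PreSharedKey: need 8-64 chars of [A-Za-z0-9._], not starting with 0")
    val = {}
    for name, (default, lo, hi) in INT_RANGES.items():
        val[name] = v = t.get(name, default)
        if v < lo or (hi is not None and v > hi):
            errors.append(f"{name}: {v} is outside the documented range")
    p1, p2 = val["Phase1LifetimeSeconds"], val["Phase2LifetimeSeconds"]
    if p2 >= p1:  # easy to trip: lowering phase 1 alone leaves phase 2 at its 3600 default
        errors.append("Phase2LifetimeSeconds must be less than Phase1LifetimeSeconds")
    if not 60 <= t.get("RekeyMarginTimeSeconds", 270) <= p2 / 2:
        errors.append("RekeyMarginTimeSeconds must be between 60 and half of Phase2LifetimeSeconds")
    if t.get("DPDTimeoutAction", "clear") not in {"clear", "none", "restart"}:
        errors.append("DPDTimeoutAction must be clear, none or restart")
    for name, bad in DISCOURAGED.items():
        chosen = {item["Value"] for item in t.get(name, [])}
        if not chosen:
            warnings.append(f"{name}: not pinned, the service default applies")
        elif chosen & bad:
            warnings.append(f"{name}: permits {sorted(chosen & bad)}")
    cw = t.get("LogOptions", {}).get("CloudWatchLogOptions", {})
    if not cw.get("LogEnabled", False):
        warnings.append("tunnel logging is off (LogEnabled defaults to False)")
    return errors, warnings

def audit_request(req):
    """Check kwargs intended for create_vpn_connection; returns (errors, warnings)."""
    errors, warnings = [], []
    if req.get("VpnGatewayId") and req.get("TransitGatewayId"):
        errors.append("specify VpnGatewayId or TransitGatewayId, not both")
    if req.get("PreSharedKeyStorage") != "SecretsManager":
        warnings.append("PreSharedKeyStorage is not SecretsManager")
    opts = req.get("Options", {})
    if (opts.get("OutsideIpAddressType") == "PrivateIpv4"
            and not opts.get("TransportTransitGatewayAttachmentId")):
        errors.append("TransportTransitGatewayAttachmentId is required for PrivateIpv4")
    for i, tunnel in enumerate(opts.get("TunnelOptions", [])):
        e, w = check_tunnel(tunnel)
        errors += [f"tunnel {i}: {m}" for m in e]
        warnings += [f"tunnel {i}: {m}" for m in w]
    return errors, warnings

# Constructed sample request; IDs, key and ARN are placeholders, not real resources.
SAMPLE = {
    "CustomerGatewayId": "cgw-EXAMPLE", "Type": "ipsec.1", "TransitGatewayId": "tgw-EXAMPLE",
    "PreSharedKeyStorage": "Standard",
    "Options": {"TunnelOptions": [
        {"TunnelInsideCidr": "169.254.169.252/30", "PreSharedKey": "0example_psk",
         "Phase1LifetimeSeconds": 3600,
         "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}, {"Value": "SHA2-256"}],
         "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 20}]},
        {"TunnelInsideCidr": "169.254.10.0/30", "IKEVersions": [{"Value": "ikev2"}],
         "Phase1IntegrityAlgorithms": [{"Value": "SHA2-384"}],
         "Phase2IntegrityAlgorithms": [{"Value": "SHA2-384"}],
         "Phase1DHGroupNumbers": [{"Value": 20}], "Phase2DHGroupNumbers": [{"Value": 20}],
         "LogOptions": {"CloudWatchLogOptions": {
             "LogEnabled": True, "LogGroupArn": "arn:aws:logs:REGION:ACCOUNT:log-group:EXAMPLE"}}},
    ]},
}
```

Call audit_request on the same dict you would pass as keyword arguments to create_vpn_connection, and block the change on any error.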
dict
Response Syntax
{
'VpnConnection': {
'Category': 'string',
'TransitGatewayId': 'string',
'VpnConcentratorId': 'string',
'CoreNetworkArn': 'string',
'CoreNetworkAttachmentArn': 'string',
'GatewayAssociationState': 'associated'|'not-associated'|'associating'|'disassociating',
'Options': {
'EnableAcceleration': True|False,
'StaticRoutesOnly': True|False,
'LocalIpv4NetworkCidr': 'string',
'RemoteIpv4NetworkCidr': 'string',
'LocalIpv6NetworkCidr': 'string',
'RemoteIpv6NetworkCidr': 'string',
'OutsideIpAddressType': 'string',
'TransportTransitGatewayAttachmentId': 'string',
'TunnelInsideIpVersion': 'ipv4'|'ipv6',
'TunnelOptions': [
{
'OutsideIpAddress': 'string',
'TunnelInsideCidr': 'string',
'TunnelInsideIpv6Cidr': 'string',
'PreSharedKey': 'string',
'Phase1LifetimeSeconds': 123,
'Phase2LifetimeSeconds': 123,
'RekeyMarginTimeSeconds': 123,
'RekeyFuzzPercentage': 123,
'ReplayWindowSize': 123,
'DpdTimeoutSeconds': 123,
'DpdTimeoutAction': 'string',
'Phase1EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase2EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase1IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase2IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase1DHGroupNumbers': [
{
'Value': 123
},
],
'Phase2DHGroupNumbers': [
{
'Value': 123
},
],
'IkeVersions': [
{
'Value': 'string'
},
],
'StartupAction': 'string',
'LogOptions': {
'CloudWatchLogOptions': {
'LogEnabled': True|False,
'LogGroupArn': 'string',
'LogOutputFormat': 'string',
'BgpLogEnabled': True|False,
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'
}
},
'EnableTunnelLifecycleControl': True|False
},
],
'TunnelBandwidth': 'standard'|'large'
},
'Routes': [
{
'DestinationCidrBlock': 'string',
'Source': 'Static',
'State': 'pending'|'available'|'deleting'|'deleted'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'VgwTelemetry': [
{
'AcceptedRouteCount': 123,
'LastStatusChange': datetime(2015, 1, 1),
'OutsideIpAddress': 'string',
'Status': 'UP'|'DOWN',
'StatusMessage': 'string',
'CertificateArn': 'string'
},
],
'PreSharedKeyArn': 'string',
'VpnConnectionId': 'string',
'State': 'pending'|'available'|'deleting'|'deleted',
'CustomerGatewayConfiguration': 'string',
'Type': 'ipsec.1',
'CustomerGatewayId': 'string',
'VpnGatewayId': 'string'
}
}
Response Structure
(dict) --
Contains the output of CreateVpnConnection.
VpnConnection (dict) --
Information about the VPN connection.
Category (string) --
The category of the VPN connection. A value of VPN indicates an Amazon Web Services VPN connection. A value of VPN-Classic indicates an Amazon Web Services Classic VPN connection.
TransitGatewayId (string) --
The ID of the transit gateway associated with the VPN connection.
VpnConcentratorId (string) --
The ID of the VPN concentrator associated with the VPN connection.
CoreNetworkArn (string) --
The ARN of the core network.
CoreNetworkAttachmentArn (string) --
The ARN of the core network attachment.
GatewayAssociationState (string) --
The current state of the gateway association.
Options (dict) --
The VPN connection options.
EnableAcceleration (boolean) --
Indicates whether acceleration is enabled for the VPN connection.
StaticRoutesOnly (boolean) --
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP.
LocalIpv4NetworkCidr (string) --
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv4NetworkCidr (string) --
The IPv4 CIDR on the Amazon Web Services side of the VPN connection.
LocalIpv6NetworkCidr (string) --
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv6NetworkCidr (string) --
The IPv6 CIDR on the Amazon Web Services side of the VPN connection.
OutsideIpAddressType (string) --
The type of IPv4 address assigned to the outside interface of the customer gateway.
Valid values: PrivateIpv4 | PublicIpv4 | Ipv6
Default: PublicIpv4
TransportTransitGatewayAttachmentId (string) --
The transit gateway attachment ID in use for the VPN tunnel.
TunnelInsideIpVersion (string) --
Indicates whether the VPN tunnels process IPv4 or IPv6 traffic.
TunnelOptions (list) --
Indicates the VPN tunnel options.
(dict) --
The VPN tunnel options.
OutsideIpAddress (string) --
The external IP address of the VPN tunnel.
TunnelInsideCidr (string) --
The range of inside IPv4 addresses for the tunnel.
TunnelInsideIpv6Cidr (string) --
The range of inside IPv6 addresses for the tunnel.
PreSharedKey (string) --
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and the customer gateway.
Phase1LifetimeSeconds (integer) --
The lifetime for phase 1 of the IKE negotiation, in seconds.
Phase2LifetimeSeconds (integer) --
The lifetime for phase 2 of the IKE negotiation, in seconds.
RekeyMarginTimeSeconds (integer) --
The margin time, in seconds, before the phase 2 lifetime expires, during which the Amazon Web Services side of the VPN connection performs an IKE rekey.
RekeyFuzzPercentage (integer) --
The percentage of the rekey window determined by RekeyMarginTimeSeconds during which the rekey time is randomly selected.
ReplayWindowSize (integer) --
The number of packets in an IKE replay window.
DpdTimeoutSeconds (integer) --
The number of seconds after which a DPD timeout occurs.
DpdTimeoutAction (string) --
The action to take after a DPD timeout occurs.
Phase1EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The encryption algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the encryption algorithm.
Phase2EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The encryption algorithm for phase 2 IKE negotiations.
Value (string) --
The encryption algorithm.
Phase1IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The integrity algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the integrity algorithm.
Phase2IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The integrity algorithm for phase 2 IKE negotiations.
Value (string) --
The integrity algorithm.
Phase1DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 1 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
Phase2DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 2 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
IkeVersions (list) --
The IKE versions that are permitted for the VPN tunnel.
(dict) --
The internet key exchange (IKE) version permitted for the VPN tunnel.
Value (string) --
The IKE version.
StartupAction (string) --
The action to take when establishing the VPN tunnels for a VPN connection.
LogOptions (dict) --
Options for logging VPN tunnel activity.
CloudWatchLogOptions (dict) --
Options for sending VPN tunnel logs to CloudWatch.
LogEnabled (boolean) --
Status of VPN tunnel logging feature. Default value is False.
Valid values: True | False
LogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
LogOutputFormat (string) --
Configured log format. Default format is json.
Valid values: json | text
BgpLogEnabled (boolean) --
Indicates whether Border Gateway Protocol (BGP) logging is enabled for the VPN connection. Default value is False.
Valid values: True | False
BgpLogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group for BGP logs.
BgpLogOutputFormat (string) --
The output format for BGP logs sent to CloudWatch. Default format is json.
Valid values: json | text
EnableTunnelLifecycleControl (boolean) --
Status of tunnel endpoint lifecycle control feature.
TunnelBandwidth (string) --
The configured bandwidth for the VPN tunnel. Represents the current throughput capacity setting for the tunnel connection. standard tunnel bandwidth supports up to 1.25 Gbps per tunnel while large supports up to 5 Gbps per tunnel. If no tunnel bandwidth was specified for the connection, standard is used as the default value.
Routes (list) --
The static routes associated with the VPN connection.
(dict) --
Describes a static route for a VPN connection.
DestinationCidrBlock (string) --
The CIDR block associated with the local subnet of the customer data center.
Source (string) --
Indicates how the routes were provided.
State (string) --
The current state of the static route.
Tags (list) --
Any tags assigned to the VPN connection.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
VgwTelemetry (list) --
Information about the VPN tunnel.
(dict) --
Describes telemetry for a VPN tunnel.
AcceptedRouteCount (integer) --
The number of accepted routes.
LastStatusChange (datetime) --
The date and time of the last change in status. This field is updated when changes in IKE (Phase 1), IPSec (Phase 2), or BGP status are detected.
OutsideIpAddress (string) --
The Internet-routable IP address of the virtual private gateway's outside interface.
Status (string) --
The status of the VPN tunnel.
StatusMessage (string) --
If an error occurs, a description of the error.
CertificateArn (string) --
The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
PreSharedKeyArn (string) --
The Amazon Resource Name (ARN) of the Secrets Manager secret storing the pre-shared key(s) for the VPN connection.
VpnConnectionId (string) --
The ID of the VPN connection.
State (string) --
The current state of the VPN connection.
CustomerGatewayConfiguration (string) --
The configuration information for the VPN connection's customer gateway (in the native XML format). This element is always present in the CreateVpnConnection response; however, it's present in the DescribeVpnConnections response only if the VPN connection is in the pending or available state.
Type (string) --
The type of VPN connection.
CustomerGatewayId (string) --
The ID of the customer gateway at your end of the VPN connection.
VpnGatewayId (string) --
The ID of the virtual private gateway at the Amazon Web Services side of the VPN connection.
{'IpamPool': {'AwsService': {'global-services'}}}
Delete an IPAM pool.
For more information, see Delete a pool in the Amazon VPC IPAM User Guide.
See also: AWS API Documentation
Request Syntax
client.delete_ipam_pool(
DryRun=True|False,
IpamPoolId='string',
Cascade=True|False
)
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
string
[REQUIRED]
The ID of the pool to delete.
boolean
Enables you to quickly delete an IPAM pool and all resources within that pool, including provisioned CIDRs, allocations, and other pools.
dict
Response Syntax
{
'IpamPool': {
'OwnerId': 'string',
'IpamPoolId': 'string',
'SourceIpamPoolId': 'string',
'IpamPoolArn': 'string',
'IpamScopeArn': 'string',
'IpamScopeType': 'public'|'private',
'IpamArn': 'string',
'IpamRegion': 'string',
'Locale': 'string',
'PoolDepth': 123,
'State': 'create-in-progress'|'create-complete'|'create-failed'|'modify-in-progress'|'modify-complete'|'modify-failed'|'delete-in-progress'|'delete-complete'|'delete-failed'|'isolate-in-progress'|'isolate-complete'|'restore-in-progress',
'StateMessage': 'string',
'Description': 'string',
'AutoImport': True|False,
'PubliclyAdvertisable': True|False,
'AddressFamily': 'ipv4'|'ipv6',
'AllocationMinNetmaskLength': 123,
'AllocationMaxNetmaskLength': 123,
'AllocationDefaultNetmaskLength': 123,
'AllocationResourceTags': [
{
'Key': 'string',
'Value': 'string'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'AwsService': 'ec2'|'global-services',
'PublicIpSource': 'amazon'|'byoip',
'SourceResource': {
'ResourceId': 'string',
'ResourceType': 'vpc',
'ResourceRegion': 'string',
'ResourceOwner': 'string'
}
}
}
Response Structure
(dict) --
IpamPool (dict) --
Information about the results of the deletion.
OwnerId (string) --
The Amazon Web Services account ID of the owner of the IPAM pool.
IpamPoolId (string) --
The ID of the IPAM pool.
SourceIpamPoolId (string) --
The ID of the source IPAM pool. You can use this option to create an IPAM pool within an existing source pool.
IpamPoolArn (string) --
The Amazon Resource Name (ARN) of the IPAM pool.
IpamScopeArn (string) --
The ARN of the scope of the IPAM pool.
IpamScopeType (string) --
In IPAM, a scope is the highest-level container within IPAM. An IPAM contains two default scopes. Each scope represents the IP space for a single network. The private scope is intended for all private IP address space. The public scope is intended for all public IP address space. Scopes enable you to reuse IP addresses across multiple unconnected networks without causing IP address overlap or conflict.
IpamArn (string) --
The ARN of the IPAM.
IpamRegion (string) --
The Amazon Web Services Region of the IPAM pool.
Locale (string) --
The locale of the IPAM pool.
The locale for the pool should be one of the following:
An Amazon Web Services Region where you want this IPAM pool to be available for allocations.
The network border group for an Amazon Web Services Local Zone where you want this IPAM pool to be available for allocations (supported Local Zones). This option is only available for IPAM IPv4 pools in the public scope.
If you choose an Amazon Web Services Region for locale that has not been configured as an operating Region for the IPAM, you'll get an error.
PoolDepth (integer) --
The depth of pools in your IPAM pool. The pool depth quota is 10. For more information, see Quotas in IPAM in the Amazon VPC IPAM User Guide.
State (string) --
The state of the IPAM pool.
StateMessage (string) --
The state message.
Description (string) --
The description of the IPAM pool.
AutoImport (boolean) --
If selected, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM. The CIDRs that will be allocated for these resources must not already be allocated to other resources in order for the import to succeed. IPAM will import a CIDR regardless of its compliance with the pool's allocation rules, so a resource might be imported and subsequently marked as noncompliant. If IPAM discovers multiple CIDRs that overlap, IPAM will import the largest CIDR only. If IPAM discovers multiple CIDRs with matching CIDRs, IPAM will randomly import one of them only.
A locale must be set on the pool for this feature to work.
PubliclyAdvertisable (boolean) --
Determines if a pool is publicly advertisable. This option is not available for pools with AddressFamily set to ipv4.
AddressFamily (string) --
The address family of the pool.
AllocationMinNetmaskLength (integer) --
The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant. The minimum netmask length must be less than the maximum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
AllocationMaxNetmaskLength (integer) --
The maximum netmask length possible for CIDR allocations in this IPAM pool to be compliant. The maximum netmask length must be greater than the minimum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
AllocationDefaultNetmaskLength (integer) --
The default netmask length for allocations added to this pool. If, for example, the CIDR assigned to this pool is 10.0.0.0/8 and you enter 16 here, new allocations will default to 10.0.0.0/16.
AllocationResourceTags (list) --
Tags that are required for resources that use CIDRs from this IPAM pool. Resources that do not have these tags will not be allowed to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging requirements are changed on the pool, the resource may be marked as noncompliant.
(dict) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value of the tag.
Tags (list) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
AwsService (string) --
Limits which Amazon Web Services service the pool can be used in. "ec2", for example, allows users to use space for Elastic IP addresses and VPCs.
PublicIpSource (string) --
The IP address source for pools in the public scope. Only used for provisioning IP address CIDRs to pools in the public scope. Default is BYOIP. For more information, see Create IPv6 pools in the Amazon VPC IPAM User Guide. By default, you can add only one Amazon-provided IPv6 CIDR block to a top-level IPv6 pool. For information on increasing the default limit, see Quotas for your IPAM in the Amazon VPC IPAM User Guide.
SourceResource (dict) --
The resource used to provision CIDRs to a resource planning pool.
ResourceId (string) --
The source resource ID.
ResourceType (string) --
The source resource type.
ResourceRegion (string) --
The source resource Region.
ResourceOwner (string) --
The source resource owner.
{'TransitGateway': {'Options': {'EncryptionSupport': {'EncryptionState': 'enabling | enabled | disabling | disabled', 'StateMessage': 'string'}}}}
Deletes the specified transit gateway.
See also: AWS API Documentation
Request Syntax
client.delete_transit_gateway(
TransitGatewayId='string',
DryRun=True|False
)
string
[REQUIRED]
The ID of the transit gateway.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
'TransitGateway': {
'TransitGatewayId': 'string',
'TransitGatewayArn': 'string',
'State': 'pending'|'available'|'modifying'|'deleting'|'deleted',
'OwnerId': 'string',
'Description': 'string',
'CreationTime': datetime(2015, 1, 1),
'Options': {
'AmazonSideAsn': 123,
'TransitGatewayCidrBlocks': [
'string',
],
'AutoAcceptSharedAttachments': 'enable'|'disable',
'DefaultRouteTableAssociation': 'enable'|'disable',
'AssociationDefaultRouteTableId': 'string',
'DefaultRouteTablePropagation': 'enable'|'disable',
'PropagationDefaultRouteTableId': 'string',
'VpnEcmpSupport': 'enable'|'disable',
'DnsSupport': 'enable'|'disable',
'SecurityGroupReferencingSupport': 'enable'|'disable',
'MulticastSupport': 'enable'|'disable',
'EncryptionSupport': {
'EncryptionState': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
}
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
}
}
Response Structure
(dict) --
TransitGateway (dict) --
Information about the deleted transit gateway.
TransitGatewayId (string) --
The ID of the transit gateway.
TransitGatewayArn (string) --
The Amazon Resource Name (ARN) of the transit gateway.
State (string) --
The state of the transit gateway.
OwnerId (string) --
The ID of the Amazon Web Services account that owns the transit gateway.
Description (string) --
The description of the transit gateway.
CreationTime (datetime) --
The creation time.
Options (dict) --
The transit gateway options.
AmazonSideAsn (integer) --
A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.
TransitGatewayCidrBlocks (list) --
The transit gateway CIDR blocks.
(string) --
AutoAcceptSharedAttachments (string) --
Indicates whether attachment requests are automatically accepted.
DefaultRouteTableAssociation (string) --
Indicates whether resource attachments are automatically associated with the default association route table. Enabled by default. Either defaultRouteTableAssociation or defaultRouteTablePropagation must be set to enable for Amazon Web Services Transit Gateway to create the default transit gateway route table.
AssociationDefaultRouteTableId (string) --
The ID of the default association route table.
DefaultRouteTablePropagation (string) --
Indicates whether resource attachments automatically propagate routes to the default propagation route table. Enabled by default. If defaultRouteTablePropagation is set to enable, Amazon Web Services Transit Gateway creates the default transit gateway route table.
PropagationDefaultRouteTableId (string) --
The ID of the default propagation route table.
VpnEcmpSupport (string) --
Indicates whether Equal Cost Multipath Protocol support is enabled.
DnsSupport (string) --
Indicates whether DNS support is enabled.
SecurityGroupReferencingSupport (string) --
Enables you to reference a security group across VPCs attached to a transit gateway to simplify security group management.
This option is disabled by default.
MulticastSupport (string) --
Indicates whether multicast is enabled on the transit gateway.
EncryptionSupport (dict) --
Defines if the Transit Gateway supports VPC Encryption Control.
EncryptionState (string) --
The current encryption state of the resource.
StateMessage (string) --
A message describing the encryption state.
Tags (list) --
The tags for the transit gateway.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
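The DryRun behaviour described above (DryRunOperation when the caller holds the permission, UnauthorizedOperation when it does not) can be used to verify least privilege on a destructive call without ever sending a real delete. The following is an added example, not code from the AWS documentation; the stub client, role names and transit gateway ID are constructed, and the error is read from the `.response["Error"]["Code"]` shape that botocore's ClientError exposes.

```python
"""Least-privilege probe for delete_transit_gateway using DryRun (added example)."""

TGW_ID = "tgw-0123456789abcdef0"  # constructed placeholder ID


class StubClientError(Exception):
    """Mimics the .response layout of botocore.exceptions.ClientError (constructed)."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code, "Message": "constructed message"}}


class DryRunStubEc2:
    """Hypothetical stand-in for boto3.client('ec2') so the example runs offline."""

    def __init__(self, code):
        self.code = code
        self.seen = []

    def delete_transit_gateway(self, **kwargs):
        self.seen.append(kwargs)
        if not kwargs.get("DryRun"):
            # Guard rail: the probe must never issue a real delete.
            raise AssertionError("probe sent a non-DryRun delete")
        raise StubClientError(self.code)


def can_delete_transit_gateway(client, tgw_id):
    """Return True/False for the permission; re-raise anything else."""
    try:
        client.delete_transit_gateway(TransitGatewayId=tgw_id, DryRun=True)
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "DryRunOperation":
            return True   # caller is authorized; nothing was deleted
        if code == "UnauthorizedOperation":
            return False  # caller lacks the permission
        raise             # throttling, bad ID, network error: do not guess
    # A DryRun call is documented to answer with an error response either way.
    raise RuntimeError("DryRun call returned without an error response")


def least_privilege_violations(clients_by_role, tgw_id, allowed_roles):
    """List roles that are able to delete the gateway but are not meant to."""
    violations = []
    for role, client in clients_by_role.items():
        if can_delete_transit_gateway(client, tgw_id) and role not in allowed_roles:
            violations.append(role)
    return sorted(violations)


# Constructed scenario: one client per role, each already assumed into that role.
SAMPLE_CLIENTS = {
    "network-admin": DryRunStubEc2("DryRunOperation"),
    "ci-deploy": DryRunStubEc2("DryRunOperation"),
    "read-only-audit": DryRunStubEc2("UnauthorizedOperation"),
}

if __name__ == "__main__":
    for role in least_privilege_violations(SAMPLE_CLIENTS, TGW_ID, {"network-admin"}):
        print(f"{role}: can delete {TGW_ID} but is not on the allow list")
```

Against a real account, pass a `boto3.client("ec2")` created under each role's credentials in place of the stub.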
{'ByoipCidr': {'AdvertisementType': 'string',
'State': {'pending-withdrawal', 'pending-advertising'}}}
Releases the specified address range that you provisioned for use with your Amazon Web Services resources through bring your own IP addresses (BYOIP) and deletes the corresponding address pool.
Before you can release an address range, you must stop advertising it and you must not have any IP addresses allocated from its address range.
See also: AWS API Documentation
Request Syntax
client.deprovision_byoip_cidr(
Cidr='string',
DryRun=True|False
)
string
[REQUIRED]
The address range, in CIDR notation. The prefix must be the same prefix that you specified when you provisioned the address range.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
'ByoipCidr': {
'Cidr': 'string',
'Description': 'string',
'AsnAssociations': [
{
'Asn': 'string',
'Cidr': 'string',
'StatusMessage': 'string',
'State': 'disassociated'|'failed-disassociation'|'failed-association'|'pending-disassociation'|'pending-association'|'associated'
},
],
'StatusMessage': 'string',
'State': 'advertised'|'deprovisioned'|'failed-deprovision'|'failed-provision'|'pending-advertising'|'pending-deprovision'|'pending-provision'|'pending-withdrawal'|'provisioned'|'provisioned-not-publicly-advertisable',
'NetworkBorderGroup': 'string',
'AdvertisementType': 'string'
}
}
Response Structure
(dict) --
ByoipCidr (dict) --
Information about the address range.
Cidr (string) --
The address range, in CIDR notation.
Description (string) --
The description of the address range.
AsnAssociations (list) --
The BYOIP CIDR associations with ASNs.
(dict) --
An Autonomous System Number (ASN) and BYOIP CIDR association.
Asn (string) --
The association's ASN.
Cidr (string) --
The association's CIDR.
StatusMessage (string) --
The association's status message.
State (string) --
The association's state.
StatusMessage (string) --
Upon success, contains the ID of the address pool. Otherwise, contains an error message.
State (string) --
The state of the address range.
advertised: The address range is being advertised to the internet by Amazon Web Services.
deprovisioned: The address range is deprovisioned.
failed-deprovision: The request to deprovision the address range was unsuccessful. Ensure that all EIPs from the range have been deallocated and try again.
failed-provision: The request to provision the address range was unsuccessful.
pending-deprovision: You’ve submitted a request to deprovision an address range and it's pending.
pending-provision: You’ve submitted a request to provision an address range and it's pending.
provisioned: The address range is provisioned and can be advertised. The range is not currently advertised.
provisioned-not-publicly-advertisable: The address range is provisioned and cannot be advertised.
NetworkBorderGroup (string) --
If you have Local Zones enabled, you can choose a network border group for Local Zones when you provision and advertise a BYOIPv4 CIDR. Choose the network border group carefully as the EIP and the Amazon Web Services resource it is associated with must reside in the same network border group.
You can provision BYOIP address ranges to and advertise them in the following Local Zone network border groups:
us-east-1-dfw-2
us-west-2-lax-1
us-west-2-phx-2
AdvertisementType (string) --
Specifies the advertisement method for the BYOIP CIDR. Valid values are:
unicast: IP is advertised from a single location (regional services like EC2)
anycast: IP is advertised from multiple global locations simultaneously (global services like CloudFront)
For more information, see Bring your own IP to CloudFront using IPAM in the Amazon VPC IPAM User Guide.
{'ByoipCidrs': {'AdvertisementType': 'string',
'State': {'pending-withdrawal', 'pending-advertising'}}}
Describes the IP address ranges that were provisioned for use with Amazon Web Services resources through bring your own IP addresses (BYOIP).
See also: AWS API Documentation
Request Syntax
client.describe_byoip_cidrs(
DryRun=True|False,
MaxResults=123,
NextToken='string'
)
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
integer
[REQUIRED]
The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.
string
The token for the next page of results.
dict
Response Syntax
{
'ByoipCidrs': [
{
'Cidr': 'string',
'Description': 'string',
'AsnAssociations': [
{
'Asn': 'string',
'Cidr': 'string',
'StatusMessage': 'string',
'State': 'disassociated'|'failed-disassociation'|'failed-association'|'pending-disassociation'|'pending-association'|'associated'
},
],
'StatusMessage': 'string',
'State': 'advertised'|'deprovisioned'|'failed-deprovision'|'failed-provision'|'pending-advertising'|'pending-deprovision'|'pending-provision'|'pending-withdrawal'|'provisioned'|'provisioned-not-publicly-advertisable',
'NetworkBorderGroup': 'string',
'AdvertisementType': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
ByoipCidrs (list) --
Information about your address ranges.
(dict) --
Information about an address range that is provisioned for use with your Amazon Web Services resources through bring your own IP addresses (BYOIP).
Cidr (string) --
The address range, in CIDR notation.
Description (string) --
The description of the address range.
AsnAssociations (list) --
The BYOIP CIDR associations with ASNs.
(dict) --
An Autonomous System Number (ASN) and BYOIP CIDR association.
Asn (string) --
The association's ASN.
Cidr (string) --
The association's CIDR.
StatusMessage (string) --
The association's status message.
State (string) --
The association's state.
StatusMessage (string) --
Upon success, contains the ID of the address pool. Otherwise, contains an error message.
State (string) --
The state of the address range.
advertised: The address range is being advertised to the internet by Amazon Web Services.
deprovisioned: The address range is deprovisioned.
failed-deprovision: The request to deprovision the address range was unsuccessful. Ensure that all EIPs from the range have been deallocated and try again.
failed-provision: The request to provision the address range was unsuccessful.
pending-deprovision: You’ve submitted a request to deprovision an address range and it's pending.
pending-provision: You’ve submitted a request to provision an address range and it's pending.
provisioned: The address range is provisioned and can be advertised. The range is not currently advertised.
provisioned-not-publicly-advertisable: The address range is provisioned and cannot be advertised.
NetworkBorderGroup (string) --
If you have Local Zones enabled, you can choose a network border group for Local Zones when you provision and advertise a BYOIPv4 CIDR. Choose the network border group carefully as the EIP and the Amazon Web Services resource it is associated with must reside in the same network border group.
You can provision BYOIP address ranges to and advertise them in the following Local Zone network border groups:
us-east-1-dfw-2
us-west-2-lax-1
us-west-2-phx-2
AdvertisementType (string) --
Specifies the advertisement method for the BYOIP CIDR. Valid values are:
unicast: IP is advertised from a single location (regional services like EC2)
anycast: IP is advertised from multiple global locations simultaneously (global services like CloudFront)
For more information, see Bring your own IP to CloudFront using IPAM in the Amazon VPC IPAM User Guide.
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
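The State, AdvertisementType and AsnAssociations fields documented above are enough to review which BYOIP ranges are being announced and which are stuck in a failed state. The following is an added example, not code from the AWS documentation: it checks the entries of a describe_byoip_cidrs response against an approved-advertisement list. The response, the allow list and the finding labels are constructed for illustration (documentation address ranges only).

```python
"""Review BYOIP ranges from describe_byoip_cidrs output (added example)."""
import ipaddress

# States taken from the response syntax documented above.
ADVERTISING_STATES = {"advertised", "pending-advertising"}
FAILED_STATES = {"failed-provision", "failed-deprovision"}
FAILED_ASN_STATES = {"failed-association", "failed-disassociation"}

# Constructed allow list: ranges the network team expects to be announced.
APPROVED_ADVERTISED = ["203.0.113.0/24", "2001:db8::/32"]

# Constructed response in the documented shape.
SAMPLE_RESPONSE = {
    "ByoipCidrs": [
        {"Cidr": "203.0.113.0/24", "State": "advertised",
         "AdvertisementType": "unicast", "AsnAssociations": []},
        {"Cidr": "198.51.100.0/24", "State": "pending-advertising",
         "AdvertisementType": "anycast", "AsnAssociations": []},
        {"Cidr": "2001:db8:1000::/48", "State": "failed-deprovision",
         "StatusMessage": "constructed message",
         "AsnAssociations": [
             {"Asn": "65000", "Cidr": "2001:db8:1000::/48",
              "State": "failed-association",
              "StatusMessage": "constructed message"},
         ]},
        {"Cidr": "192.0.2.0/24", "State": "provisioned", "AsnAssociations": []},
    ]
}


def is_approved(network, approved_networks):
    """True when the range sits inside an approved range of the same IP version."""
    return any(
        network.version == allowed.version and network.subnet_of(allowed)
        for allowed in approved_networks
    )


def review_byoip(cidrs, approved):
    """Return (cidr, issue, detail) tuples for ranges that need attention."""
    approved_networks = [ipaddress.ip_network(a) for a in approved]
    findings = []
    for entry in cidrs:
        cidr = entry["Cidr"]
        state = entry.get("State", "")
        network = ipaddress.ip_network(cidr)

        # Announced (or about to be) without being on the allow list.
        if state in ADVERTISING_STATES and not is_approved(network, approved_networks):
            detail = f"{state} as {entry.get('AdvertisementType', 'unknown')}"
            findings.append((cidr, "unapproved-advertisement", detail))

        # Provisioning or deprovisioning did not complete.
        if state in FAILED_STATES:
            findings.append((cidr, state, entry.get("StatusMessage", "")))

        # ASN associations that failed to attach or detach.
        for assoc in entry.get("AsnAssociations", []):
            if assoc.get("State") in FAILED_ASN_STATES:
                findings.append(
                    (cidr, f"asn-{assoc['State']}", f"ASN {assoc.get('Asn')}")
                )
    return findings


if __name__ == "__main__":
    for cidr, issue, detail in review_byoip(
        SAMPLE_RESPONSE["ByoipCidrs"], APPROVED_ADVERTISED
    ):
        print(f"{cidr}: {issue} ({detail})")
```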
{'IpamPools': {'AwsService': {'global-services'}}}
Get information about your IPAM pools.
See also: AWS API Documentation
Request Syntax
client.describe_ipam_pools(
DryRun=True|False,
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string',
IpamPoolIds=[
'string',
]
)
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
list
One or more filters for the request. For more information about filtering, see Filtering CLI output.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
integer
The maximum number of results to return in the request.
string
The token for the next page of results.
list
The IDs of the IPAM pools you would like information on.
(string) --
dict
Response Syntax
{
'NextToken': 'string',
'IpamPools': [
{
'OwnerId': 'string',
'IpamPoolId': 'string',
'SourceIpamPoolId': 'string',
'IpamPoolArn': 'string',
'IpamScopeArn': 'string',
'IpamScopeType': 'public'|'private',
'IpamArn': 'string',
'IpamRegion': 'string',
'Locale': 'string',
'PoolDepth': 123,
'State': 'create-in-progress'|'create-complete'|'create-failed'|'modify-in-progress'|'modify-complete'|'modify-failed'|'delete-in-progress'|'delete-complete'|'delete-failed'|'isolate-in-progress'|'isolate-complete'|'restore-in-progress',
'StateMessage': 'string',
'Description': 'string',
'AutoImport': True|False,
'PubliclyAdvertisable': True|False,
'AddressFamily': 'ipv4'|'ipv6',
'AllocationMinNetmaskLength': 123,
'AllocationMaxNetmaskLength': 123,
'AllocationDefaultNetmaskLength': 123,
'AllocationResourceTags': [
{
'Key': 'string',
'Value': 'string'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'AwsService': 'ec2'|'global-services',
'PublicIpSource': 'amazon'|'byoip',
'SourceResource': {
'ResourceId': 'string',
'ResourceType': 'vpc',
'ResourceRegion': 'string',
'ResourceOwner': 'string'
}
},
]
}
Response Structure
(dict) --
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
IpamPools (list) --
Information about the IPAM pools.
(dict) --
In IPAM, a pool is a collection of contiguous IP address CIDRs. Pools enable you to organize your IP addresses according to your routing and security needs. For example, if you have separate routing and security needs for development and production applications, you can create a pool for each.
OwnerId (string) --
The Amazon Web Services account ID of the owner of the IPAM pool.
IpamPoolId (string) --
The ID of the IPAM pool.
SourceIpamPoolId (string) --
The ID of the source IPAM pool. You can use this option to create an IPAM pool within an existing source pool.
IpamPoolArn (string) --
The Amazon Resource Name (ARN) of the IPAM pool.
IpamScopeArn (string) --
The ARN of the scope of the IPAM pool.
IpamScopeType (string) --
In IPAM, a scope is the highest-level container within IPAM. An IPAM contains two default scopes. Each scope represents the IP space for a single network. The private scope is intended for all private IP address space. The public scope is intended for all public IP address space. Scopes enable you to reuse IP addresses across multiple unconnected networks without causing IP address overlap or conflict.
IpamArn (string) --
The ARN of the IPAM.
IpamRegion (string) --
The Amazon Web Services Region of the IPAM pool.
Locale (string) --
The locale of the IPAM pool.
The locale for the pool should be one of the following:
An Amazon Web Services Region where you want this IPAM pool to be available for allocations.
The network border group for an Amazon Web Services Local Zone where you want this IPAM pool to be available for allocations (supported Local Zones). This option is only available for IPAM IPv4 pools in the public scope.
If you choose an Amazon Web Services Region for locale that has not been configured as an operating Region for the IPAM, you'll get an error.
PoolDepth (integer) --
The depth of pools in your IPAM pool. The pool depth quota is 10. For more information, see Quotas in IPAM in the Amazon VPC IPAM User Guide.
State (string) --
The state of the IPAM pool.
StateMessage (string) --
The state message.
Description (string) --
The description of the IPAM pool.
AutoImport (boolean) --
If selected, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM. The CIDRs that will be allocated for these resources must not already be allocated to other resources in order for the import to succeed. IPAM will import a CIDR regardless of its compliance with the pool's allocation rules, so a resource might be imported and subsequently marked as noncompliant. If IPAM discovers multiple CIDRs that overlap, IPAM will import the largest CIDR only. If IPAM discovers multiple CIDRs with matching CIDRs, IPAM will randomly import one of them only.
A locale must be set on the pool for this feature to work.
PubliclyAdvertisable (boolean) --
Determines if a pool is publicly advertisable. This option is not available for pools with AddressFamily set to ipv4.
AddressFamily (string) --
The address family of the pool.
AllocationMinNetmaskLength (integer) --
The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant. The minimum netmask length must be less than the maximum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
AllocationMaxNetmaskLength (integer) --
The maximum netmask length possible for CIDR allocations in this IPAM pool to be compliant. The maximum netmask length must be greater than the minimum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
AllocationDefaultNetmaskLength (integer) --
The default netmask length for allocations added to this pool. If, for example, the CIDR assigned to this pool is 10.0.0.0/8 and you enter 16 here, new allocations will default to 10.0.0.0/16.
AllocationResourceTags (list) --
Tags that are required for resources that use CIDRs from this IPAM pool. Resources that do not have these tags will not be allowed to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging requirements are changed on the pool, the resource may be marked as noncompliant.
(dict) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value of the tag.
Tags (list) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
AwsService (string) --
Limits which Amazon Web Services service the pool can be used in. "ec2", for example, allows users to use space for Elastic IP addresses and VPCs.
PublicIpSource (string) --
The IP address source for pools in the public scope. Only used for provisioning IP address CIDRs to pools in the public scope. Default is BYOIP. For more information, see Create IPv6 pools in the Amazon VPC IPAM User Guide. By default, you can add only one Amazon-provided IPv6 CIDR block to a top-level IPv6 pool. For information on increasing the default limit, see Quotas for your IPAM in the Amazon VPC IPAM User Guide.
SourceResource (dict) --
The resource used to provision CIDRs to a resource planning pool.
ResourceId (string) --
The source resource ID.
ResourceType (string) --
The source resource type.
ResourceRegion (string) --
The source resource Region.
ResourceOwner (string) --
The source resource owner.
{'LaunchTemplateVersions': {'LaunchTemplateData': {'TagSpecifications': {'ResourceType': {'transit-gateway-metering-policy',
'vpc-encryption-control'}}}}}
{'SpotFleetRequestConfigs': {'SpotFleetRequestConfig': {'LaunchSpecifications': {'TagSpecifications': {'ResourceType': {'transit-gateway-metering-policy',
'vpc-encryption-control'}}},
'TagSpecifications': {'ResourceType': {'transit-gateway-metering-policy',
'vpc-encryption-control'}}}}}
{'Tags': {'ResourceType': {'transit-gateway-metering-policy',
'vpc-encryption-control'}}}
Describes the specified tags for your EC2 resources.
For more information about tags, see Tag your Amazon EC2 resources in the Amazon Elastic Compute Cloud User Guide.
See also: AWS API Documentation
Request Syntax
client.describe_tags(
DryRun=True|False,
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
list
The filters.
key - The tag key.
resource-id - The ID of the resource.
resource-type - The resource type. For a list of possible values, see TagSpecification.
tag:<key> - The key/value combination of the tag. For example, specify "tag:Owner" for the filter name and "TeamA" for the filter value to find resources with the tag "Owner=TeamA".
value - The tag value.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
integer
The maximum number of items to return for this request. This value can be between 5 and 1000. To get the next page of items, make another request with the token returned in the output. For more information, see Pagination.
string
The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.
dict
Response Syntax
{
'NextToken': 'string',
'Tags': [
{
'Key': 'string',
'ResourceId': 'string',
'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'image-usage-report'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'outpost-lag'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'service-link-virtual-interface'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-metering-policy'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'vpc-encryption-control'|'route-server'|'route-server-endpoint'|'route-server-peer'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token'|'capacity-block'|'mac-modification-task'|'ipam-prefix-list-resolver'|'ipam-policy'|'ipam-prefix-list-resolver-target'|'capacity-manager-data-export'|'vpn-concentrator',
'Value': 'string'
},
]
}
Response Structure
(dict) --
NextToken (string) --
The token to include in another request to get the next page of items. This value is null when there are no more items to return.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The tag key.
ResourceId (string) --
The ID of the resource.
ResourceType (string) --
The resource type.
Value (string) --
The tag value.
{'TransitGateways': {'Options': {'EncryptionSupport': {'EncryptionState': 'enabling | enabled | disabling | disabled',
'StateMessage': 'string'}}}}
Describes one or more transit gateways. By default, all transit gateways are described. Alternatively, you can filter the results.
See also: AWS API Documentation
Request Syntax
client.describe_transit_gateways(
TransitGatewayIds=[
'string',
],
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string',
DryRun=True|False
)
list
The IDs of the transit gateways.
(string) --
list
One or more filters. The possible values are:
options.propagation-default-route-table-id - The ID of the default propagation route table.
options.amazon-side-asn - The private ASN for the Amazon side of a BGP session.
options.association-default-route-table-id - The ID of the default association route table.
options.auto-accept-shared-attachments - Indicates whether there is automatic acceptance of attachment requests (enable | disable).
options.default-route-table-association - Indicates whether resource attachments are automatically associated with the default association route table (enable | disable).
options.default-route-table-propagation - Indicates whether resource attachments automatically propagate routes to the default propagation route table (enable | disable).
options.dns-support - Indicates whether DNS support is enabled (enable | disable).
options.vpn-ecmp-support - Indicates whether Equal Cost Multipath Protocol support is enabled (enable | disable).
owner-id - The ID of the Amazon Web Services account that owns the transit gateway.
state - The state of the transit gateway (available | deleted | deleting | modifying | pending).
transit-gateway-id - The ID of the transit gateway.
tag-key - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
integer
The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.
string
The token for the next page of results.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
'TransitGateways': [
{
'TransitGatewayId': 'string',
'TransitGatewayArn': 'string',
'State': 'pending'|'available'|'modifying'|'deleting'|'deleted',
'OwnerId': 'string',
'Description': 'string',
'CreationTime': datetime(2015, 1, 1),
'Options': {
'AmazonSideAsn': 123,
'TransitGatewayCidrBlocks': [
'string',
],
'AutoAcceptSharedAttachments': 'enable'|'disable',
'DefaultRouteTableAssociation': 'enable'|'disable',
'AssociationDefaultRouteTableId': 'string',
'DefaultRouteTablePropagation': 'enable'|'disable',
'PropagationDefaultRouteTableId': 'string',
'VpnEcmpSupport': 'enable'|'disable',
'DnsSupport': 'enable'|'disable',
'SecurityGroupReferencingSupport': 'enable'|'disable',
'MulticastSupport': 'enable'|'disable',
'EncryptionSupport': {
'EncryptionState': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
}
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
TransitGateways (list) --
Information about the transit gateways.
(dict) --
Describes a transit gateway.
TransitGatewayId (string) --
The ID of the transit gateway.
TransitGatewayArn (string) --
The Amazon Resource Name (ARN) of the transit gateway.
State (string) --
The state of the transit gateway.
OwnerId (string) --
The ID of the Amazon Web Services account that owns the transit gateway.
Description (string) --
The description of the transit gateway.
CreationTime (datetime) --
The creation time.
Options (dict) --
The transit gateway options.
AmazonSideAsn (integer) --
A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.
TransitGatewayCidrBlocks (list) --
The transit gateway CIDR blocks.
(string) --
AutoAcceptSharedAttachments (string) --
Indicates whether attachment requests are automatically accepted.
DefaultRouteTableAssociation (string) --
Indicates whether resource attachments are automatically associated with the default association route table. Enabled by default. Either defaultRouteTableAssociation or defaultRouteTablePropagation must be set to enable for Amazon Web Services Transit Gateway to create the default transit gateway route table.
AssociationDefaultRouteTableId (string) --
The ID of the default association route table.
DefaultRouteTablePropagation (string) --
Indicates whether resource attachments automatically propagate routes to the default propagation route table. Enabled by default. If defaultRouteTablePropagation is set to enable, Amazon Web Services Transit Gateway creates the default transit gateway route table.
PropagationDefaultRouteTableId (string) --
The ID of the default propagation route table.
VpnEcmpSupport (string) --
Indicates whether Equal Cost Multipath Protocol support is enabled.
DnsSupport (string) --
Indicates whether DNS support is enabled.
SecurityGroupReferencingSupport (string) --
Enables you to reference a security group across VPCs attached to a transit gateway to simplify security group management.
This option is disabled by default.
MulticastSupport (string) --
Indicates whether multicast is enabled on the transit gateway.
EncryptionSupport (dict) --
Defines if the Transit Gateway supports VPC Encryption Control.
EncryptionState (string) --
The current encryption state of the resource.
StateMessage (string) --
A message describing the encryption state.
Tags (list) --
The tags for the transit gateway.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
{'VpnConnections': {'Options': {'TunnelOptions': {'LogOptions': {'CloudWatchLogOptions': {'BgpLogEnabled': 'boolean',
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'}}}}}}
Describes one or more of your VPN connections.
For more information, see Amazon Web Services Site-to-Site VPN in the Amazon Web Services Site-to-Site VPN User Guide.
See also: AWS API Documentation
Request Syntax
client.describe_vpn_connections(
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
VpnConnectionIds=[
'string',
],
DryRun=True|False
)
list
One or more filters.
customer-gateway-configuration - The configuration information for the customer gateway.
customer-gateway-id - The ID of a customer gateway associated with the VPN connection.
state - The state of the VPN connection (pending | available | deleting | deleted).
option.static-routes-only - Indicates whether the connection has static routes only. Used for devices that do not support Border Gateway Protocol (BGP).
route.destination-cidr-block - The destination CIDR block. This corresponds to the subnet used in a customer data center.
bgp-asn - The BGP Autonomous System Number (ASN) associated with a BGP device.
tag:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
tag-key - The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
type - The type of VPN connection. Currently the only supported type is ipsec.1.
vpn-connection-id - The ID of the VPN connection.
vpn-gateway-id - The ID of a virtual private gateway associated with the VPN connection.
transit-gateway-id - The ID of a transit gateway associated with the VPN connection.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
list
One or more VPN connection IDs.
Default: Describes your VPN connections.
(string) --
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
'VpnConnections': [
{
'Category': 'string',
'TransitGatewayId': 'string',
'VpnConcentratorId': 'string',
'CoreNetworkArn': 'string',
'CoreNetworkAttachmentArn': 'string',
'GatewayAssociationState': 'associated'|'not-associated'|'associating'|'disassociating',
'Options': {
'EnableAcceleration': True|False,
'StaticRoutesOnly': True|False,
'LocalIpv4NetworkCidr': 'string',
'RemoteIpv4NetworkCidr': 'string',
'LocalIpv6NetworkCidr': 'string',
'RemoteIpv6NetworkCidr': 'string',
'OutsideIpAddressType': 'string',
'TransportTransitGatewayAttachmentId': 'string',
'TunnelInsideIpVersion': 'ipv4'|'ipv6',
'TunnelOptions': [
{
'OutsideIpAddress': 'string',
'TunnelInsideCidr': 'string',
'TunnelInsideIpv6Cidr': 'string',
'PreSharedKey': 'string',
'Phase1LifetimeSeconds': 123,
'Phase2LifetimeSeconds': 123,
'RekeyMarginTimeSeconds': 123,
'RekeyFuzzPercentage': 123,
'ReplayWindowSize': 123,
'DpdTimeoutSeconds': 123,
'DpdTimeoutAction': 'string',
'Phase1EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase2EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase1IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase2IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase1DHGroupNumbers': [
{
'Value': 123
},
],
'Phase2DHGroupNumbers': [
{
'Value': 123
},
],
'IkeVersions': [
{
'Value': 'string'
},
],
'StartupAction': 'string',
'LogOptions': {
'CloudWatchLogOptions': {
'LogEnabled': True|False,
'LogGroupArn': 'string',
'LogOutputFormat': 'string',
'BgpLogEnabled': True|False,
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'
}
},
'EnableTunnelLifecycleControl': True|False
},
],
'TunnelBandwidth': 'standard'|'large'
},
'Routes': [
{
'DestinationCidrBlock': 'string',
'Source': 'Static',
'State': 'pending'|'available'|'deleting'|'deleted'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'VgwTelemetry': [
{
'AcceptedRouteCount': 123,
'LastStatusChange': datetime(2015, 1, 1),
'OutsideIpAddress': 'string',
'Status': 'UP'|'DOWN',
'StatusMessage': 'string',
'CertificateArn': 'string'
},
],
'PreSharedKeyArn': 'string',
'VpnConnectionId': 'string',
'State': 'pending'|'available'|'deleting'|'deleted',
'CustomerGatewayConfiguration': 'string',
'Type': 'ipsec.1',
'CustomerGatewayId': 'string',
'VpnGatewayId': 'string'
},
]
}
Response Structure
(dict) --
Contains the output of DescribeVpnConnections.
VpnConnections (list) --
Information about one or more VPN connections.
(dict) --
Describes a VPN connection.
Category (string) --
The category of the VPN connection. A value of VPN indicates an Amazon Web Services VPN connection. A value of VPN-Classic indicates an Amazon Web Services Classic VPN connection.
TransitGatewayId (string) --
The ID of the transit gateway associated with the VPN connection.
VpnConcentratorId (string) --
The ID of the VPN concentrator associated with the VPN connection.
CoreNetworkArn (string) --
The ARN of the core network.
CoreNetworkAttachmentArn (string) --
The ARN of the core network attachment.
GatewayAssociationState (string) --
The current state of the gateway association.
Options (dict) --
The VPN connection options.
EnableAcceleration (boolean) --
Indicates whether acceleration is enabled for the VPN connection.
StaticRoutesOnly (boolean) --
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP.
LocalIpv4NetworkCidr (string) --
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv4NetworkCidr (string) --
The IPv4 CIDR on the Amazon Web Services side of the VPN connection.
LocalIpv6NetworkCidr (string) --
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv6NetworkCidr (string) --
The IPv6 CIDR on the Amazon Web Services side of the VPN connection.
OutsideIpAddressType (string) --
The type of IPv4 address assigned to the outside interface of the customer gateway.
Valid values: PrivateIpv4 | PublicIpv4 | Ipv6
Default: PublicIpv4
TransportTransitGatewayAttachmentId (string) --
The transit gateway attachment ID in use for the VPN tunnel.
TunnelInsideIpVersion (string) --
Indicates whether the VPN tunnels process IPv4 or IPv6 traffic.
TunnelOptions (list) --
Indicates the VPN tunnel options.
(dict) --
The VPN tunnel options.
OutsideIpAddress (string) --
The external IP address of the VPN tunnel.
TunnelInsideCidr (string) --
The range of inside IPv4 addresses for the tunnel.
TunnelInsideIpv6Cidr (string) --
The range of inside IPv6 addresses for the tunnel.
PreSharedKey (string) --
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and the customer gateway.
Phase1LifetimeSeconds (integer) --
The lifetime for phase 1 of the IKE negotiation, in seconds.
Phase2LifetimeSeconds (integer) --
The lifetime for phase 2 of the IKE negotiation, in seconds.
RekeyMarginTimeSeconds (integer) --
The margin time, in seconds, before the phase 2 lifetime expires, during which the Amazon Web Services side of the VPN connection performs an IKE rekey.
RekeyFuzzPercentage (integer) --
The percentage of the rekey window determined by RekeyMarginTimeSeconds during which the rekey time is randomly selected.
ReplayWindowSize (integer) --
The number of packets in an IKE replay window.
DpdTimeoutSeconds (integer) --
The number of seconds after which a DPD timeout occurs.
DpdTimeoutAction (string) --
The action to take after a DPD timeout occurs.
Phase1EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The encryption algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the encryption algorithm.
Phase2EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The encryption algorithm for phase 2 IKE negotiations.
Value (string) --
The encryption algorithm.
Phase1IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The integrity algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the integrity algorithm.
Phase2IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The integrity algorithm for phase 2 IKE negotiations.
Value (string) --
The integrity algorithm.
Phase1DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 1 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
Phase2DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 2 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
IkeVersions (list) --
The IKE versions that are permitted for the VPN tunnel.
(dict) --
The internet key exchange (IKE) version permitted for the VPN tunnel.
Value (string) --
The IKE version.
StartupAction (string) --
The action to take when establishing the VPN tunnels for a VPN connection.
LogOptions (dict) --
Options for logging VPN tunnel activity.
CloudWatchLogOptions (dict) --
Options for sending VPN tunnel logs to CloudWatch.
LogEnabled (boolean) --
Status of VPN tunnel logging feature. Default value is False.
Valid values: True | False
LogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
LogOutputFormat (string) --
Configured log format. Default format is json.
Valid values: json | text
BgpLogEnabled (boolean) --
Indicates whether Border Gateway Protocol (BGP) logging is enabled for the VPN connection. Default value is False.
Valid values: True | False
BgpLogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group for BGP logs.
BgpLogOutputFormat (string) --
The output format for BGP logs sent to CloudWatch. Default format is json.
Valid values: json | text
EnableTunnelLifecycleControl (boolean) --
Status of tunnel endpoint lifecycle control feature.
TunnelBandwidth (string) --
The configured bandwidth for the VPN tunnel. Represents the current throughput capacity setting for the tunnel connection. standard tunnel bandwidth supports up to 1.25 Gbps per tunnel while large supports up to 5 Gbps per tunnel. If no tunnel bandwidth was specified for the connection, standard is used as the default value.
Routes (list) --
The static routes associated with the VPN connection.
(dict) --
Describes a static route for a VPN connection.
DestinationCidrBlock (string) --
The CIDR block associated with the local subnet of the customer data center.
Source (string) --
Indicates how the routes were provided.
State (string) --
The current state of the static route.
Tags (list) --
Any tags assigned to the VPN connection.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
VgwTelemetry (list) --
Information about the VPN tunnel.
(dict) --
Describes telemetry for a VPN tunnel.
AcceptedRouteCount (integer) --
The number of accepted routes.
LastStatusChange (datetime) --
The date and time of the last change in status. This field is updated when changes in IKE (Phase 1), IPSec (Phase 2), or BGP status are detected.
OutsideIpAddress (string) --
The Internet-routable IP address of the virtual private gateway's outside interface.
Status (string) --
The status of the VPN tunnel.
StatusMessage (string) --
If an error occurs, a description of the error.
CertificateArn (string) --
The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
PreSharedKeyArn (string) --
The Amazon Resource Name (ARN) of the Secrets Manager secret storing the pre-shared key(s) for the VPN connection.
VpnConnectionId (string) --
The ID of the VPN connection.
State (string) --
The current state of the VPN connection.
CustomerGatewayConfiguration (string) --
The configuration information for the VPN connection's customer gateway (in the native XML format). This element is always present in the CreateVpnConnection response; however, it's present in the DescribeVpnConnections response only if the VPN connection is in the pending or available state.
Type (string) --
The type of VPN connection.
CustomerGatewayId (string) --
The ID of the customer gateway at your end of the VPN connection.
VpnGatewayId (string) --
The ID of the virtual private gateway at the Amazon Web Services side of the VPN connection.
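An added example (not from the AWS documentation) that walks a DescribeVpnConnections response and reports tunnels whose tunnel activity logging or BGP logging is off, without ever copying PreSharedKey into the output. The sample response is constructed; skipping the BGP check for StaticRoutesOnly connections and ignoring connections in the deleting or deleted state are assumptions of this example.

```python
# Constructed sample shaped like the Response Syntax above; every ID, ARN,
# address and key below is made up for illustration.
SAMPLE_RESPONSE = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0example000000001",
            "State": "available",
            "Options": {
                "StaticRoutesOnly": False,
                "TunnelOptions": [
                    {
                        "OutsideIpAddress": "203.0.113.10",
                        "PreSharedKey": "constructed-placeholder",
                        "LogOptions": {"CloudWatchLogOptions": {
                            "LogEnabled": True,
                            "LogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:vpn-tunnel",
                            "LogOutputFormat": "json",
                            "BgpLogEnabled": False,
                        }},
                    },
                    # Second tunnel carries no LogOptions at all.
                    {"OutsideIpAddress": "203.0.113.11",
                     "PreSharedKey": "constructed-placeholder"},
                ],
            },
        },
        {
            "VpnConnectionId": "vpn-0example000000002",
            "State": "available",
            "Options": {
                "StaticRoutesOnly": True,  # no BGP session to log
                "TunnelOptions": [
                    {"OutsideIpAddress": "198.51.100.20",
                     "LogOptions": {"CloudWatchLogOptions": {"LogEnabled": False}}},
                ],
            },
        },
        {
            "VpnConnectionId": "vpn-0example000000003",
            "State": "deleted",
            "Options": {"TunnelOptions": [{"OutsideIpAddress": "198.51.100.30"}]},
        },
    ]
}

# Assumption: only connections that can carry traffic are worth auditing.
ACTIVE_STATES = {"pending", "available"}


def cloudwatch_options(tunnel):
    """Return the tunnel's CloudWatchLogOptions dict, or {} if any level is absent."""
    return (tunnel.get("LogOptions") or {}).get("CloudWatchLogOptions") or {}


def audit_vpn_logging(response):
    """List logging gaps per tunnel. Findings never include PreSharedKey."""
    findings = []
    for conn in response.get("VpnConnections", []):
        if conn.get("State") not in ACTIVE_STATES:
            continue
        options = conn.get("Options") or {}
        uses_bgp = not options.get("StaticRoutesOnly", False)
        for tunnel in options.get("TunnelOptions", []):
            cw = cloudwatch_options(tunnel)
            issues = []
            # Both flags default to False per the field descriptions above.
            if not cw.get("LogEnabled", False):
                issues.append("tunnel-logging-disabled")
            if uses_bgp and not cw.get("BgpLogEnabled", False):
                issues.append("bgp-logging-disabled")
            for issue in issues:
                findings.append({
                    "VpnConnectionId": conn.get("VpnConnectionId"),
                    "OutsideIpAddress": tunnel.get("OutsideIpAddress"),
                    "Issue": issue,
                })
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_logging(SAMPLE_RESPONSE):
        print(finding)
```

Against a live account, pass the dict returned by client.describe_vpn_connections() to audit_vpn_logging in place of SAMPLE_RESPONSE.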
{'IpamDiscoveredPublicAddresses': {'AddressType': {'anycast-ip-list-ip'},
'Service': {'cloudfront'}}}
Gets the public IP addresses that have been discovered by IPAM.
See also: AWS API Documentation
Request Syntax
client.get_ipam_discovered_public_addresses(
DryRun=True|False,
IpamResourceDiscoveryId='string',
AddressRegion='string',
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
NextToken='string',
MaxResults=123
)
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
string
[REQUIRED]
An IPAM resource discovery ID.
string
[REQUIRED]
The Amazon Web Services Region for the IP address.
list
Filters.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
string
The token for the next page of results.
integer
The maximum number of IPAM discovered public addresses to return in one page of results.
dict
Response Syntax
{
'IpamDiscoveredPublicAddresses': [
{
'IpamResourceDiscoveryId': 'string',
'AddressRegion': 'string',
'Address': 'string',
'AddressOwnerId': 'string',
'AddressAllocationId': 'string',
'AssociationStatus': 'associated'|'disassociated',
'AddressType': 'service-managed-ip'|'service-managed-byoip'|'amazon-owned-eip'|'amazon-owned-contig'|'byoip'|'ec2-public-ip'|'anycast-ip-list-ip',
'Service': 'nat-gateway'|'database-migration-service'|'redshift'|'elastic-container-service'|'relational-database-service'|'site-to-site-vpn'|'load-balancer'|'global-accelerator'|'cloudfront'|'other',
'ServiceResource': 'string',
'VpcId': 'string',
'SubnetId': 'string',
'PublicIpv4PoolId': 'string',
'NetworkInterfaceId': 'string',
'NetworkInterfaceDescription': 'string',
'InstanceId': 'string',
'Tags': {
'EipTags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
'NetworkBorderGroup': 'string',
'SecurityGroups': [
{
'GroupName': 'string',
'GroupId': 'string'
},
],
'SampleTime': datetime(2015, 1, 1)
},
],
'OldestSampleTime': datetime(2015, 1, 1),
'NextToken': 'string'
}
Response Structure
(dict) --
IpamDiscoveredPublicAddresses (list) --
IPAM discovered public addresses.
(dict) --
A public IP Address discovered by IPAM.
IpamResourceDiscoveryId (string) --
The resource discovery ID.
AddressRegion (string) --
The Region of the resource the IP address is assigned to.
Address (string) --
The IP address.
AddressOwnerId (string) --
The ID of the owner of the resource the IP address is assigned to.
AddressAllocationId (string) --
The allocation ID of the resource the IP address is assigned to.
AssociationStatus (string) --
The association status.
AddressType (string) --
The IP address type.
Service (string) --
The Amazon Web Services service associated with the IP address.
ServiceResource (string) --
The resource ARN or ID.
VpcId (string) --
The ID of the VPC that the resource with the assigned IP address is in.
SubnetId (string) --
The ID of the subnet that the resource with the assigned IP address is in.
PublicIpv4PoolId (string) --
The ID of the public IPv4 pool that the resource with the assigned IP address is from.
NetworkInterfaceId (string) --
The network interface ID of the resource with the assigned IP address.
NetworkInterfaceDescription (string) --
The description of the network interface that the IP address is assigned to.
InstanceId (string) --
The ID of the instance that the IP address is assigned to.
Tags (dict) --
Tags associated with the IP address.
EipTags (list) --
Tags for an Elastic IP address.
(dict) --
A tag for a public IP address discovered by IPAM.
Key (string) --
The tag's key.
Value (string) --
The tag's value.
NetworkBorderGroup (string) --
The Availability Zone (AZ) or Local Zone (LZ) network border group that the resource that the IP address is assigned to is in. Defaults to an AZ network border group. For more information on available Local Zones, see Local Zone availability in the Amazon EC2 User Guide.
SecurityGroups (list) --
Security groups associated with the resource that the IP address is assigned to.
(dict) --
The security group that the resource with the public IP address is in.
GroupName (string) --
The security group's name.
GroupId (string) --
The security group's ID.
SampleTime (datetime) --
The last successful resource discovery time.
OldestSampleTime (datetime) --
The oldest successful resource discovery time.
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
{'IpamDiscoveredResourceCidrs': {'ResourceType': {'anycast-ip-list'}}}
Returns the resource CIDRs that are monitored as part of a resource discovery. A discovered resource is a resource CIDR monitored under a resource discovery. The following resources can be discovered: VPCs, Public IPv4 pools, VPC subnets, and Elastic IP addresses.
See also: AWS API Documentation
Request Syntax
client.get_ipam_discovered_resource_cidrs(
DryRun=True|False,
IpamResourceDiscoveryId='string',
ResourceRegion='string',
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
NextToken='string',
MaxResults=123
)
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
string
[REQUIRED]
A resource discovery ID.
string
[REQUIRED]
A resource Region.
list
Filters.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
string
Specify the pagination token from a previous request to retrieve the next page of results.
integer
The maximum number of discovered resource CIDRs to return in one page of results.
dict
Response Syntax
{
'IpamDiscoveredResourceCidrs': [
{
'IpamResourceDiscoveryId': 'string',
'ResourceRegion': 'string',
'ResourceId': 'string',
'ResourceOwnerId': 'string',
'ResourceCidr': 'string',
'IpSource': 'amazon'|'byoip'|'none',
'ResourceType': 'vpc'|'subnet'|'eip'|'public-ipv4-pool'|'ipv6-pool'|'eni'|'anycast-ip-list',
'ResourceTags': [
{
'Key': 'string',
'Value': 'string'
},
],
'IpUsage': 123.0,
'VpcId': 'string',
'SubnetId': 'string',
'NetworkInterfaceAttachmentStatus': 'available'|'in-use',
'SampleTime': datetime(2015, 1, 1),
'AvailabilityZoneId': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
IpamDiscoveredResourceCidrs (list) --
Discovered resource CIDRs.
(dict) --
An IPAM discovered resource CIDR. A discovered resource is a resource CIDR monitored under a resource discovery. The following resources can be discovered: VPCs, Public IPv4 pools, VPC subnets, and Elastic IP addresses. The discovered resource CIDR is the IP address range in CIDR notation that is associated with the resource.
IpamResourceDiscoveryId (string) --
The resource discovery ID.
ResourceRegion (string) --
The resource Region.
ResourceId (string) --
The resource ID.
ResourceOwnerId (string) --
The resource owner ID.
ResourceCidr (string) --
The resource CIDR.
IpSource (string) --
The source that allocated the IP address space. amazon indicates public IP address space allocated by Amazon, and byoip indicates public IP address space that you have allocated with Bring your own IP (BYOIP). none indicates private space.
ResourceType (string) --
The resource type.
ResourceTags (list) --
The resource tags.
(dict) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value of the tag.
IpUsage (float) --
The percentage of IP address space in use. To convert the decimal to a percentage, multiply the decimal by 100. Note the following:
For resources that are VPCs, this is the percentage of IP address space in the VPC that's taken up by subnet CIDRs.
For resources that are subnets, if the subnet has an IPv4 CIDR provisioned to it, this is the percentage of IPv4 address space in the subnet that's in use. If the subnet has an IPv6 CIDR provisioned to it, the percentage of IPv6 address space in use is not represented. The percentage of IPv6 address space in use cannot currently be calculated.
For resources that are public IPv4 pools, this is the percentage of IP address space in the pool that's been allocated to Elastic IP addresses (EIPs).
VpcId (string) --
The VPC ID.
SubnetId (string) --
The subnet ID.
NetworkInterfaceAttachmentStatus (string) --
For elastic network interfaces, this is the status of whether or not the elastic network interface is attached.
SampleTime (datetime) --
The last successful resource discovery time.
AvailabilityZoneId (string) --
The Availability Zone ID.
NextToken (string) --
Specify the pagination token from a previous request to retrieve the next page of results.
{'IpamPoolAllocations': {'ResourceType': {'anycast-ip-list'}}}
Get a list of all the CIDR allocations in an IPAM pool. The Region you use should be the IPAM pool locale. The locale is the Amazon Web Services Region where this IPAM pool is available for allocations.
See also: AWS API Documentation
Request Syntax
client.get_ipam_pool_allocations(
DryRun=True|False,
IpamPoolId='string',
IpamPoolAllocationId='string',
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
string
[REQUIRED]
The ID of the IPAM pool you want to see the allocations for.
string
The ID of the allocation.
list
One or more filters for the request. For more information about filtering, see Filtering CLI output.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
integer
The maximum number of results you would like returned per page.
string
The token for the next page of results.
dict
Response Syntax
{
'IpamPoolAllocations': [
{
'Cidr': 'string',
'IpamPoolAllocationId': 'string',
'Description': 'string',
'ResourceId': 'string',
'ResourceType': 'ipam-pool'|'vpc'|'ec2-public-ipv4-pool'|'custom'|'subnet'|'eip'|'anycast-ip-list',
'ResourceRegion': 'string',
'ResourceOwner': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
IpamPoolAllocations (list) --
The IPAM pool allocations you want information on.
(dict) --
In IPAM, an allocation is a CIDR assignment from an IPAM pool to another IPAM pool or to a resource.
Cidr (string) --
The CIDR for the allocation. A CIDR is a representation of an IP address and its associated network mask (or netmask) and refers to a range of IP addresses. An IPv4 CIDR example is 10.24.34.0/23. An IPv6 CIDR example is 2001:DB8::/32.
IpamPoolAllocationId (string) --
The ID of an allocation.
Description (string) --
A description of the pool allocation.
ResourceId (string) --
The ID of the resource.
ResourceType (string) --
The type of the resource.
ResourceRegion (string) --
The Amazon Web Services Region of the resource.
ResourceOwner (string) --
The owner of the resource.
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
{'Rules': {'ResourceType': {'anycast-ip-list'}}}
Retrieves the CIDR selection rules for an IPAM prefix list resolver. Use this operation to view the business logic that determines which CIDRs are selected for synchronization with prefix lists.
See also: AWS API Documentation
Request Syntax
client.get_ipam_prefix_list_resolver_rules(
DryRun=True|False,
IpamPrefixListResolverId='string',
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string'
)
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
string
[REQUIRED]
The ID of the IPAM prefix list resolver whose rules you want to retrieve.
list
One or more filters to limit the results.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
integer
The maximum number of items to return for this request. To get the next page of items, make another request with the token returned in the output. For more information, see Pagination.
string
The token for the next page of results.
dict
Response Syntax
{
'Rules': [
{
'RuleType': 'static-cidr'|'ipam-resource-cidr'|'ipam-pool-cidr',
'StaticCidr': 'string',
'IpamScopeId': 'string',
'ResourceType': 'vpc'|'subnet'|'eip'|'public-ipv4-pool'|'ipv6-pool'|'eni'|'anycast-ip-list',
'Conditions': [
{
'Operation': 'equals'|'not-equals'|'subnet-of',
'IpamPoolId': 'string',
'ResourceId': 'string',
'ResourceOwner': 'string',
'ResourceRegion': 'string',
'ResourceTag': {
'Key': 'string',
'Value': 'string'
},
'Cidr': 'string'
},
]
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Rules (list) --
The CIDR selection rules for the IPAM prefix list resolver.
(dict) --
Describes a CIDR selection rule.
CIDR selection rules define the business logic for selecting CIDRs from IPAM. If a CIDR matches any of the rules, it will be included. If a rule has multiple conditions, the CIDR has to match every condition of that rule. You can create a prefix list resolver without any CIDR selection rules, but it will generate empty versions (containing no CIDRs) until you add rules.
RuleType (string) --
The type of CIDR selection rule. Valid values include include for selecting CIDRs that match the conditions, and exclude for excluding CIDRs that match the conditions.
StaticCidr (string) --
A fixed list of CIDRs that do not change (like a manual list replicated across Regions).
IpamScopeId (string) --
The ID of the IPAM scope from which to select CIDRs. This determines whether to select from public or private IP address space.
ResourceType (string) --
For rules of type ipam-resource-cidr, this is the resource type.
Conditions (list) --
The conditions that determine which CIDRs are selected by this rule. Conditions specify criteria such as resource type, tags, account IDs, and Regions.
(dict) --
Describes a condition within a CIDR selection rule. Conditions define the criteria for selecting CIDRs from IPAM's database based on resource attributes.
CIDR selection rules define the business logic for selecting CIDRs from IPAM. If a CIDR matches any of the rules, it will be included. If a rule has multiple conditions, the CIDR has to match every condition of that rule. You can create a prefix list resolver without any CIDR selection rules, but it will generate empty versions (containing no CIDRs) until you add rules.
There are three rule types. Only 2 of the 3 rule types support conditions - IPAM pool CIDR and Scope resource CIDR. Static CIDR rules cannot have conditions.
Static CIDR: A fixed list of CIDRs that do not change (like a manual list replicated across Regions)
IPAM pool CIDR: CIDRs from specific IPAM pools (like all CIDRs from your IPAM production pool). If you choose this option, choose the following:
IPAM scope: Select the IPAM scope to search for resources
Conditions:
Property
IPAM pool ID: Select an IPAM pool that contains the resources
CIDR (like 10.24.34.0/23)
Operation: Equals/Not equals
Value: The value on which to match the condition
Scope resource CIDR: CIDRs from Amazon Web Services resources like VPCs, subnets, and EIPs within an IPAM scope. If you choose this option, choose the following:
IPAM scope: Select the IPAM scope to search for resources
Resource type: Select a resource, like a VPC or subnet.
Conditions:
Property:
Resource ID: The unique ID of a resource (like vpc-1234567890abcdef0)
Resource owner (like 111122223333)
Resource region (like us-east-1)
Resource tag (like key: name, value: dev-vpc-1)
CIDR (like 10.24.34.0/23)
Operation: Equals/Not equals
Value: The value on which to match the condition
Operation (string) --
The operation to perform when evaluating this condition. Valid values include equals, not-equals, contains, and not-contains.
IpamPoolId (string) --
The ID of the IPAM pool to match against. This condition selects CIDRs that belong to the specified IPAM pool.
ResourceId (string) --
The ID of the Amazon Web Services resource to match against. This condition selects CIDRs associated with the specified resource.
ResourceOwner (string) --
The Amazon Web Services account ID that owns the resources to match against. This condition selects CIDRs from resources owned by the specified account.
ResourceRegion (string) --
The Amazon Web Services Region where the resources are located. This condition selects CIDRs from resources in the specified Region.
ResourceTag (dict) --
A tag key-value pair to match against. This condition selects CIDRs from resources that have the specified tag.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value of the tag.
Cidr (string) --
A CIDR block to match against. This condition selects CIDRs that fall within or match the specified CIDR range.
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
{'ResourceType': {'anycast-ip-list'}}
Response {'IpamResourceCidrs': {'ResourceType': {'anycast-ip-list'}}}
Returns resource CIDRs managed by IPAM in a given scope. If an IPAM is associated with more than one resource discovery, the resource CIDRs across all of the resource discoveries is returned. A resource discovery is an IPAM component that enables IPAM to manage and monitor resources that belong to the owning account.
See also: AWS API Documentation
Request Syntax
client.get_ipam_resource_cidrs(
DryRun=True|False,
Filters=[
{
'Name': 'string',
'Values': [
'string',
]
},
],
MaxResults=123,
NextToken='string',
IpamScopeId='string',
IpamPoolId='string',
ResourceId='string',
ResourceType='vpc'|'subnet'|'eip'|'public-ipv4-pool'|'ipv6-pool'|'eni'|'anycast-ip-list',
ResourceTag={
'Key': 'string',
'Value': 'string'
},
ResourceOwner='string'
)
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Filters (list) --
One or more filters for the request. For more information about filtering, see Filtering CLI output.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
For more information, see List and filter using the CLI and API in the Amazon EC2 User Guide.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
MaxResults (integer) --
The maximum number of results to return in the request.
NextToken (string) --
The token for the next page of results.
IpamScopeId (string) -- [REQUIRED]
The ID of the scope that the resource is in.
IpamPoolId (string) --
The ID of the IPAM pool that the resource is in.
ResourceId (string) --
The ID of the resource.
ResourceType (string) --
The resource type.
ResourceTag (dict) --
The resource tag.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value for the tag.
ResourceOwner (string) --
The ID of the Amazon Web Services account that owns the resource.
dict
Response Syntax
{
'NextToken': 'string',
'IpamResourceCidrs': [
{
'IpamId': 'string',
'IpamScopeId': 'string',
'IpamPoolId': 'string',
'ResourceRegion': 'string',
'ResourceOwnerId': 'string',
'ResourceId': 'string',
'ResourceName': 'string',
'ResourceCidr': 'string',
'ResourceType': 'vpc'|'subnet'|'eip'|'public-ipv4-pool'|'ipv6-pool'|'eni'|'anycast-ip-list',
'ResourceTags': [
{
'Key': 'string',
'Value': 'string'
},
],
'IpUsage': 123.0,
'ComplianceStatus': 'compliant'|'noncompliant'|'unmanaged'|'ignored',
'ManagementState': 'managed'|'unmanaged'|'ignored',
'OverlapStatus': 'overlapping'|'nonoverlapping'|'ignored',
'VpcId': 'string',
'AvailabilityZoneId': 'string'
},
]
}
Response Structure
(dict) --
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
IpamResourceCidrs (list) --
The resource CIDRs.
(dict) --
The CIDR for an IPAM resource.
IpamId (string) --
The IPAM ID for an IPAM resource.
IpamScopeId (string) --
The scope ID for an IPAM resource.
IpamPoolId (string) --
The pool ID for an IPAM resource.
ResourceRegion (string) --
The Amazon Web Services Region for an IPAM resource.
ResourceOwnerId (string) --
The Amazon Web Services account number of the owner of an IPAM resource.
ResourceId (string) --
The ID of an IPAM resource.
ResourceName (string) --
The name of an IPAM resource.
ResourceCidr (string) --
The CIDR for an IPAM resource.
ResourceType (string) --
The type of IPAM resource.
ResourceTags (list) --
The tags for an IPAM resource.
(dict) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value of the tag.
IpUsage (float) --
The percentage of IP address space in use. To convert the decimal to a percentage, multiply the decimal by 100. Note the following:
For resources that are VPCs, this is the percentage of IP address space in the VPC that's taken up by subnet CIDRs.
For resources that are subnets, if the subnet has an IPv4 CIDR provisioned to it, this is the percentage of IPv4 address space in the subnet that's in use. If the subnet has an IPv6 CIDR provisioned to it, the percentage of IPv6 address space in use is not represented. The percentage of IPv6 address space in use cannot currently be calculated.
For resources that are public IPv4 pools, this is the percentage of IP address space in the pool that's been allocated to Elastic IP addresses (EIPs).
ComplianceStatus (string) --
The compliance status of the IPAM resource. For more information on compliance statuses, see Monitor CIDR usage by resource in the Amazon VPC IPAM User Guide.
ManagementState (string) --
The management state of the resource. For more information about management states, see Monitor CIDR usage by resource in the Amazon VPC IPAM User Guide.
OverlapStatus (string) --
The overlap status of an IPAM resource. The overlap status tells you if the CIDR for a resource overlaps with another CIDR in the scope. For more information on overlap statuses, see Monitor CIDR usage by resource in the Amazon VPC IPAM User Guide.
VpcId (string) --
The ID of a VPC.
AvailabilityZoneId (string) --
The Availability Zone ID.
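The NextToken loop and the status fields in the response above lend themselves to a scope-wide hygiene check. The following is an added example, not AWS or boto3 code: FakeEc2Client, iter_resource_cidrs, triage and audit_scope are hypothetical names, the records and scope ID are constructed, and the 90% usage threshold is an assumption.

```python
# Constructed pages of IpamResourceCidrs entries (IDs are placeholders).
SAMPLE_PAGES = [
    [
        {"ResourceId": "vpc-1234567890abcdef0", "ResourceType": "vpc",
         "ResourceCidr": "10.24.34.0/23", "IpUsage": 0.5,
         "ComplianceStatus": "compliant", "ManagementState": "managed",
         "OverlapStatus": "nonoverlapping"},
        {"ResourceId": "subnet-EXAMPLE", "ResourceType": "subnet",
         "ResourceCidr": "10.24.34.0/24", "IpUsage": 0.95,
         "ComplianceStatus": "noncompliant", "ManagementState": "managed",
         "OverlapStatus": "overlapping"},
    ],
    [
        {"ResourceId": "eipalloc-EXAMPLE", "ResourceType": "eip",
         "ResourceCidr": "203.0.113.10/32",
         "ComplianceStatus": "unmanaged", "ManagementState": "unmanaged",
         "OverlapStatus": "nonoverlapping"},
    ],
]


class FakeEc2Client:
    """Constructed stand-in for a boto3 EC2 client; serves canned pages offline."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []

    def get_ipam_resource_cidrs(self, **kwargs):
        self.calls.append(dict(kwargs))
        index = int(kwargs.get("NextToken", "0"))
        page = {"IpamResourceCidrs": self.pages[index]}
        if index + 1 < len(self.pages):
            page["NextToken"] = str(index + 1)  # absent on the last page
        return page


def iter_resource_cidrs(client, scope_id, **params):
    """Yield every resource CIDR in the scope, following NextToken until it is empty."""
    kwargs = {"IpamScopeId": scope_id, **params}
    while True:
        page = client.get_ipam_resource_cidrs(**kwargs)
        yield from page.get("IpamResourceCidrs", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def triage(records, usage_threshold=0.9):
    """Return one finding per record that needs attention, with the reasons."""
    findings = []
    for rec in records:
        reasons = []
        if rec.get("ComplianceStatus") == "noncompliant":
            reasons.append("noncompliant")
        if rec.get("OverlapStatus") == "overlapping":
            reasons.append("overlapping")
        if rec.get("ManagementState") == "unmanaged":
            reasons.append("unmanaged")
        usage = rec.get("IpUsage")  # decimal; multiply by 100 for a percentage
        if usage is not None and usage >= usage_threshold:
            reasons.append(f"ip-usage {round(usage * 100)}%")
        if reasons:
            findings.append({"ResourceId": rec["ResourceId"],
                             "ResourceCidr": rec["ResourceCidr"],
                             "reasons": reasons})
    return findings


def audit_scope(client, scope_id):
    """Page through the whole scope and triage every record."""
    return triage(iter_resource_cidrs(client, scope_id))


if __name__ == "__main__":
    for finding in audit_scope(FakeEc2Client(SAMPLE_PAGES), "ipam-scope-EXAMPLE"):
        print(finding)
```

With a real client, pass the boto3 EC2 client in place of FakeEc2Client; the loop only relies on the NextToken and IpamResourceCidrs keys documented above.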
{'LaunchTemplateData': {'TagSpecifications': {'ResourceType': {'transit-gateway-metering-policy',
'vpc-encryption-control'}}}}
{'IpamPool': {'AwsService': {'global-services'}}}
Modify the configurations of an IPAM pool.
For more information, see Modify a pool in the Amazon VPC IPAM User Guide.
See also: AWS API Documentation
Request Syntax
client.modify_ipam_pool(
DryRun=True|False,
IpamPoolId='string',
Description='string',
AutoImport=True|False,
AllocationMinNetmaskLength=123,
AllocationMaxNetmaskLength=123,
AllocationDefaultNetmaskLength=123,
ClearAllocationDefaultNetmaskLength=True|False,
AddAllocationResourceTags=[
{
'Key': 'string',
'Value': 'string'
},
],
RemoveAllocationResourceTags=[
{
'Key': 'string',
'Value': 'string'
},
]
)
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
IpamPoolId (string) -- [REQUIRED]
The ID of the IPAM pool you want to modify.
Description (string) --
The description of the IPAM pool you want to modify.
AutoImport (boolean) --
If true, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM. The CIDRs that will be allocated for these resources must not already be allocated to other resources in order for the import to succeed. IPAM will import a CIDR regardless of its compliance with the pool's allocation rules, so a resource might be imported and subsequently marked as noncompliant. If IPAM discovers multiple CIDRs that overlap, IPAM will import the largest CIDR only. If IPAM discovers multiple CIDRs with matching CIDRs, IPAM will randomly import one of them only.
A locale must be set on the pool for this feature to work.
AllocationMinNetmaskLength (integer) --
The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128. The minimum netmask length must be less than the maximum netmask length.
AllocationMaxNetmaskLength (integer) --
The maximum netmask length possible for CIDR allocations in this IPAM pool to be compliant. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128. The maximum netmask length must be greater than the minimum netmask length.
AllocationDefaultNetmaskLength (integer) --
The default netmask length for allocations added to this pool. If, for example, the CIDR assigned to this pool is 10.0.0.0/8 and you enter 16 here, new allocations will default to 10.0.0.0/16.
ClearAllocationDefaultNetmaskLength (boolean) --
Clear the default netmask length allocation rule for this pool.
AddAllocationResourceTags (list) --
Add tag allocation rules to a pool. For more information about allocation rules, see Create a top-level pool in the Amazon VPC IPAM User Guide.
(dict) --
A tag on an IPAM resource.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value for the tag.
RemoveAllocationResourceTags (list) --
Remove tag allocation rules from a pool.
(dict) --
A tag on an IPAM resource.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value for the tag.
dict
Response Syntax
{
'IpamPool': {
'OwnerId': 'string',
'IpamPoolId': 'string',
'SourceIpamPoolId': 'string',
'IpamPoolArn': 'string',
'IpamScopeArn': 'string',
'IpamScopeType': 'public'|'private',
'IpamArn': 'string',
'IpamRegion': 'string',
'Locale': 'string',
'PoolDepth': 123,
'State': 'create-in-progress'|'create-complete'|'create-failed'|'modify-in-progress'|'modify-complete'|'modify-failed'|'delete-in-progress'|'delete-complete'|'delete-failed'|'isolate-in-progress'|'isolate-complete'|'restore-in-progress',
'StateMessage': 'string',
'Description': 'string',
'AutoImport': True|False,
'PubliclyAdvertisable': True|False,
'AddressFamily': 'ipv4'|'ipv6',
'AllocationMinNetmaskLength': 123,
'AllocationMaxNetmaskLength': 123,
'AllocationDefaultNetmaskLength': 123,
'AllocationResourceTags': [
{
'Key': 'string',
'Value': 'string'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'AwsService': 'ec2'|'global-services',
'PublicIpSource': 'amazon'|'byoip',
'SourceResource': {
'ResourceId': 'string',
'ResourceType': 'vpc',
'ResourceRegion': 'string',
'ResourceOwner': 'string'
}
}
}
Response Structure
(dict) --
IpamPool (dict) --
The results of the modification.
OwnerId (string) --
The Amazon Web Services account ID of the owner of the IPAM pool.
IpamPoolId (string) --
The ID of the IPAM pool.
SourceIpamPoolId (string) --
The ID of the source IPAM pool. You can use this option to create an IPAM pool within an existing source pool.
IpamPoolArn (string) --
The Amazon Resource Name (ARN) of the IPAM pool.
IpamScopeArn (string) --
The ARN of the scope of the IPAM pool.
IpamScopeType (string) --
In IPAM, a scope is the highest-level container within IPAM. An IPAM contains two default scopes. Each scope represents the IP space for a single network. The private scope is intended for all private IP address space. The public scope is intended for all public IP address space. Scopes enable you to reuse IP addresses across multiple unconnected networks without causing IP address overlap or conflict.
IpamArn (string) --
The ARN of the IPAM.
IpamRegion (string) --
The Amazon Web Services Region of the IPAM pool.
Locale (string) --
The locale of the IPAM pool.
The locale for the pool should be one of the following:
An Amazon Web Services Region where you want this IPAM pool to be available for allocations.
The network border group for an Amazon Web Services Local Zone where you want this IPAM pool to be available for allocations (supported Local Zones). This option is only available for IPAM IPv4 pools in the public scope.
If you choose an Amazon Web Services Region for locale that has not been configured as an operating Region for the IPAM, you'll get an error.
PoolDepth (integer) --
The depth of pools in your IPAM pool. The pool depth quota is 10. For more information, see Quotas in IPAM in the Amazon VPC IPAM User Guide.
State (string) --
The state of the IPAM pool.
StateMessage (string) --
The state message.
Description (string) --
The description of the IPAM pool.
AutoImport (boolean) --
If selected, IPAM will continuously look for resources within the CIDR range of this pool and automatically import them as allocations into your IPAM. The CIDRs that will be allocated for these resources must not already be allocated to other resources in order for the import to succeed. IPAM will import a CIDR regardless of its compliance with the pool's allocation rules, so a resource might be imported and subsequently marked as noncompliant. If IPAM discovers multiple CIDRs that overlap, IPAM will import the largest CIDR only. If IPAM discovers multiple CIDRs with matching CIDRs, IPAM will randomly import one of them only.
A locale must be set on the pool for this feature to work.
PubliclyAdvertisable (boolean) --
Determines if a pool is publicly advertisable. This option is not available for pools with AddressFamily set to ipv4.
AddressFamily (string) --
The address family of the pool.
AllocationMinNetmaskLength (integer) --
The minimum netmask length required for CIDR allocations in this IPAM pool to be compliant. The minimum netmask length must be less than the maximum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
AllocationMaxNetmaskLength (integer) --
The maximum netmask length possible for CIDR allocations in this IPAM pool to be compliant. The maximum netmask length must be greater than the minimum netmask length. Possible netmask lengths for IPv4 addresses are 0 - 32. Possible netmask lengths for IPv6 addresses are 0 - 128.
AllocationDefaultNetmaskLength (integer) --
The default netmask length for allocations added to this pool. If, for example, the CIDR assigned to this pool is 10.0.0.0/8 and you enter 16 here, new allocations will default to 10.0.0.0/16.
AllocationResourceTags (list) --
Tags that are required for resources that use CIDRs from this IPAM pool. Resources that do not have these tags will not be allowed to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging requirements are changed on the pool, the resource may be marked as noncompliant.
(dict) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value of the tag.
Tags (list) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
AwsService (string) --
Limits which service in Amazon Web Services that the pool can be used in. "ec2", for example, allows users to use space for Elastic IP addresses and VPCs.
PublicIpSource (string) --
The IP address source for pools in the public scope. Only used for provisioning IP address CIDRs to pools in the public scope. Default is BYOIP. For more information, see Create IPv6 pools in the Amazon VPC IPAM User Guide. By default, you can add only one Amazon-provided IPv6 CIDR block to a top-level IPv6 pool. For information on increasing the default limit, see Quotas for your IPAM in the Amazon VPC IPAM User Guide.
SourceResource (dict) --
The resource used to provision CIDRs to a resource planning pool.
ResourceId (string) --
The source resource ID.
ResourceType (string) --
The source resource type.
ResourceRegion (string) --
The source resource Region.
ResourceOwner (string) --
The source resource owner.
{'Rules': {'ResourceType': {'anycast-ip-list'}}}
Modifies an IPAM prefix list resolver. You can update the description and CIDR selection rules. Changes to rules will trigger re-evaluation and potential updates to associated prefix lists.
See also: AWS API Documentation
Request Syntax
client.modify_ipam_prefix_list_resolver(
DryRun=True|False,
IpamPrefixListResolverId='string',
Description='string',
Rules=[
{
'RuleType': 'static-cidr'|'ipam-resource-cidr'|'ipam-pool-cidr',
'StaticCidr': 'string',
'IpamScopeId': 'string',
'ResourceType': 'vpc'|'subnet'|'eip'|'public-ipv4-pool'|'ipv6-pool'|'eni'|'anycast-ip-list',
'Conditions': [
{
'Operation': 'equals'|'not-equals'|'subnet-of',
'IpamPoolId': 'string',
'ResourceId': 'string',
'ResourceOwner': 'string',
'ResourceRegion': 'string',
'ResourceTag': {
'Key': 'string',
'Value': 'string'
},
'Cidr': 'string'
},
]
},
]
)
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
IpamPrefixListResolverId (string) -- [REQUIRED]
The ID of the IPAM prefix list resolver to modify.
Description (string) --
A new description for the IPAM prefix list resolver.
Rules (list) --
The updated CIDR selection rules for the resolver. These rules replace the existing rules entirely.
(dict) --
Describes a CIDR selection rule to include in a request. This is used when creating or modifying resolver rules.
CIDR selection rules define the business logic for selecting CIDRs from IPAM. If a CIDR matches any of the rules, it will be included. If a rule has multiple conditions, the CIDR has to match every condition of that rule. You can create a prefix list resolver without any CIDR selection rules, but it will generate empty versions (containing no CIDRs) until you add rules.
There are three rule types. Only 2 of the 3 rule types support conditions - IPAM pool CIDR and Scope resource CIDR. Static CIDR rules cannot have conditions.
Static CIDR: A fixed list of CIDRs that do not change (like a manual list replicated across Regions)
IPAM pool CIDR: CIDRs from specific IPAM pools (like all CIDRs from your IPAM production pool). If you choose this option, choose the following:
IPAM scope: Select the IPAM scope to search for resources
Conditions:
Property
IPAM pool ID: Select an IPAM pool that contains the resources
CIDR (like 10.24.34.0/23)
Operation: Equals/Not equals
Value: The value on which to match the condition
Scope resource CIDR: CIDRs from Amazon Web Services resources like VPCs, subnets, and EIPs within an IPAM scope. If you choose this option, choose the following:
IPAM scope: Select the IPAM scope to search for resources
Resource type: Select a resource, like a VPC or subnet.
Conditions:
Property:
Resource ID: The unique ID of a resource (like vpc-1234567890abcdef0)
Resource owner (like 111122223333)
Resource region (like us-east-1)
Resource tag (like key: name, value: dev-vpc-1)
CIDR (like 10.24.34.0/23)
Operation: Equals/Not equals
Value: The value on which to match the condition
RuleType (string) -- [REQUIRED]
The type of CIDR selection rule. Valid values include "include" for selecting CIDRs that match the conditions, and "exclude" for excluding CIDRs that match the conditions.
StaticCidr (string) --
A fixed list of CIDRs that do not change (like a manual list replicated across Regions).
IpamScopeId (string) --
The ID of the IPAM scope from which to select CIDRs. This determines whether to select from public or private IP address space.
ResourceType (string) --
For rules of type ipam-resource-cidr, this is the resource type.
Conditions (list) --
The conditions that determine which CIDRs are selected by this rule. Conditions specify criteria such as resource type, tags, account IDs, and Regions.
(dict) --
Describes a condition used when creating or modifying resolver rules.
CIDR selection rules define the business logic for selecting CIDRs from IPAM. If a CIDR matches any of the rules, it will be included. If a rule has multiple conditions, the CIDR has to match every condition of that rule. You can create a prefix list resolver without any CIDR selection rules, but it will generate empty versions (containing no CIDRs) until you add rules.
There are three rule types. Only 2 of the 3 rule types support conditions - IPAM pool CIDR and Scope resource CIDR. Static CIDR rules cannot have conditions.
Static CIDR: A fixed list of CIDRs that do not change (like a manual list replicated across Regions)
IPAM pool CIDR: CIDRs from specific IPAM pools (like all CIDRs from your IPAM production pool). If you choose this option, choose the following:
IPAM scope: Select the IPAM scope to search for resources
Conditions:
Property
IPAM pool ID: Select an IPAM pool that contains the resources
CIDR (like 10.24.34.0/23)
Operation: Equals/Not equals
Value: The value on which to match the condition
Scope resource CIDR: CIDRs from Amazon Web Services resources like VPCs, subnets, and EIPs within an IPAM scope. If you choose this option, choose the following:
IPAM scope: Select the IPAM scope to search for resources
Resource type: Select a resource, like a VPC or subnet.
Conditions:
Property:
Resource ID: The unique ID of a resource (like vpc-1234567890abcdef0)
Resource owner (like 111122223333)
Resource region (like us-east-1)
Resource tag (like key: name, value: dev-vpc-1)
CIDR (like 10.24.34.0/23)
Operation: Equals/Not equals
Value: The value on which to match the condition
Operation (string) -- [REQUIRED]
The operation to perform when evaluating this condition.
IpamPoolId (string) --
The ID of the IPAM pool to match against. This condition selects CIDRs that belong to the specified IPAM pool.
ResourceId (string) --
The ID of the Amazon Web Services resource to match against. This condition selects CIDRs associated with the specified resource.
ResourceOwner (string) --
The Amazon Web Services account ID that owns the resources to match against. This condition selects CIDRs from resources owned by the specified account.
ResourceRegion (string) --
The Amazon Web Services Region where the resources are located. This condition selects CIDRs from resources in the specified Region.
ResourceTag (dict) --
A tag key-value pair to match against. This condition selects CIDRs from resources that have the specified tag.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value for the tag.
Cidr (string) --
A CIDR block to match against. This condition selects CIDRs that fall within or match the specified CIDR range.
dict
Response Syntax
{
'IpamPrefixListResolver': {
'OwnerId': 'string',
'IpamPrefixListResolverId': 'string',
'IpamPrefixListResolverArn': 'string',
'IpamArn': 'string',
'IpamRegion': 'string',
'Description': 'string',
'AddressFamily': 'ipv4'|'ipv6',
'State': 'create-in-progress'|'create-complete'|'create-failed'|'modify-in-progress'|'modify-complete'|'modify-failed'|'delete-in-progress'|'delete-complete'|'delete-failed'|'isolate-in-progress'|'isolate-complete'|'restore-in-progress',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'LastVersionCreationStatus': 'pending'|'success'|'failure',
'LastVersionCreationStatusMessage': 'string'
}
}
Response Structure
(dict) --
IpamPrefixListResolver (dict) --
Information about the modified IPAM prefix list resolver.
OwnerId (string) --
The ID of the Amazon Web Services account that owns the IPAM prefix list resolver.
IpamPrefixListResolverId (string) --
The ID of the IPAM prefix list resolver.
IpamPrefixListResolverArn (string) --
The Amazon Resource Name (ARN) of the IPAM prefix list resolver.
IpamArn (string) --
The Amazon Resource Name (ARN) of the IPAM associated with this resolver.
IpamRegion (string) --
The Amazon Web Services Region where the associated IPAM is located.
Description (string) --
The description of the IPAM prefix list resolver.
AddressFamily (string) --
The address family (IPv4 or IPv6) for the IPAM prefix list resolver.
State (string) --
The current state of the IPAM prefix list resolver. Valid values include create-in-progress, create-complete, create-failed, modify-in-progress, modify-complete, modify-failed, delete-in-progress, delete-complete, and delete-failed.
Tags (list) --
The tags assigned to the IPAM prefix list resolver.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
LastVersionCreationStatus (string) --
The status for the last time a version was created.
Each version is a snapshot of what CIDRs matched your rules at that moment in time. The version number increments every time the CIDR list changes due to infrastructure changes.
LastVersionCreationStatusMessage (string) --
The status message for the last time a version was created.
Each version is a snapshot of what CIDRs matched your rules at that moment in time. The version number increments every time the CIDR list changes due to infrastructure changes.
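Because the submitted Rules replace the existing rules entirely and trigger re-evaluation of associated prefix lists, it helps to preview which CIDRs a new rule set would add or drop before calling modify_ipam_prefix_list_resolver. The following is an added example, not AWS or boto3 code: select_cidrs and preview_replacement are hypothetical helpers, the records and IDs are constructed, the matching semantics for equals, not-equals and subnet-of are assumptions, and ipam-pool-cidr rules are not modelled.

```python
import ipaddress

# Constructed records, shaped like IpamResourceCidrs entries (IDs are placeholders).
SCOPE = "ipam-scope-EXAMPLE"
SAMPLE_RESOURCE_CIDRS = [
    {"IpamScopeId": SCOPE, "ResourceType": "vpc", "ResourceId": "vpc-1234567890abcdef0",
     "ResourceCidr": "10.24.34.0/23", "ResourceOwnerId": "111122223333",
     "ResourceRegion": "us-east-1", "ResourceTags": [{"Key": "name", "Value": "dev-vpc-1"}]},
    {"IpamScopeId": SCOPE, "ResourceType": "vpc", "ResourceId": "vpc-EXAMPLE-PROD",
     "ResourceCidr": "10.50.0.0/16", "ResourceOwnerId": "444455556666",
     "ResourceRegion": "us-east-1", "ResourceTags": [{"Key": "name", "Value": "prod-vpc-1"}]},
    {"IpamScopeId": SCOPE, "ResourceType": "subnet", "ResourceId": "subnet-EXAMPLE",
     "ResourceCidr": "10.24.34.0/24", "ResourceOwnerId": "111122223333",
     "ResourceRegion": "us-east-1", "ResourceTags": []},
]
CURRENT_RULES = [
    {"RuleType": "ipam-resource-cidr", "IpamScopeId": SCOPE, "ResourceType": "vpc",
     "Conditions": [{"Operation": "equals", "ResourceOwner": "111122223333"},
                    {"Operation": "equals", "ResourceRegion": "us-east-1"}]},
]
PROPOSED_RULES = [
    {"RuleType": "ipam-resource-cidr", "IpamScopeId": SCOPE, "ResourceType": "vpc",
     "Conditions": [{"Operation": "not-equals", "ResourceOwner": "111122223333"}]},
    {"RuleType": "static-cidr", "StaticCidr": "192.0.2.0/24"},
]

# Condition property -> key in a resource CIDR record.
SIMPLE_PROPERTIES = {"IpamPoolId": "IpamPoolId", "ResourceId": "ResourceId",
                     "ResourceOwner": "ResourceOwnerId", "ResourceRegion": "ResourceRegion"}


def property_matches(cond, rec):
    """True if the record carries the property value named in the condition."""
    if "ResourceTag" in cond:
        want = cond["ResourceTag"]
        return any(t["Key"] == want["Key"] and t["Value"] == want["Value"]
                   for t in rec.get("ResourceTags", []))
    if "Cidr" in cond:
        have = ipaddress.ip_network(rec["ResourceCidr"])
        want = ipaddress.ip_network(cond["Cidr"])
        if cond["Operation"] == "subnet-of":  # assumed: equal or contained
            return have.version == want.version and have.subnet_of(want)
        return have == want
    for prop, key in SIMPLE_PROPERTIES.items():
        if prop in cond:
            return rec.get(key) == cond[prop]
    raise ValueError(f"condition names no property: {cond}")


def condition_matches(cond, rec):
    op = cond["Operation"]
    if op not in ("equals", "not-equals", "subnet-of"):
        raise ValueError(f"unknown operation: {op}")
    if op == "subnet-of" and "Cidr" not in cond:
        raise ValueError("subnet-of is only modelled for the Cidr property")
    hit = property_matches(cond, rec)
    return not hit if op == "not-equals" else hit


def select_cidrs(rules, resource_cidrs):
    """A CIDR is selected if ANY rule matches; a rule matches only if ALL its conditions do."""
    selected = set()
    for rule in rules:
        kind = rule["RuleType"]
        conditions = rule.get("Conditions", [])
        if kind == "static-cidr":
            if conditions:
                raise ValueError("static-cidr rules cannot have conditions")
            selected.add(str(ipaddress.ip_network(rule["StaticCidr"])))
        elif kind == "ipam-resource-cidr":
            for rec in resource_cidrs:
                if (rec["IpamScopeId"] == rule["IpamScopeId"]
                        and rec["ResourceType"] == rule["ResourceType"]
                        and all(condition_matches(c, rec) for c in conditions)):
                    selected.add(rec["ResourceCidr"])
        else:
            raise ValueError(f"rule type not modelled in this example: {kind}")
    return selected


def preview_replacement(current_rules, new_rules, resource_cidrs):
    """CIDRs that would enter or leave the resolved list if new_rules replaced current_rules."""
    before = select_cidrs(current_rules, resource_cidrs)
    after = select_cidrs(new_rules, resource_cidrs)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    print(preview_replacement(CURRENT_RULES, PROPOSED_RULES, SAMPLE_RESOURCE_CIDRS))
```

In the constructed data the proposed rule set silently drops 10.24.34.0/23 because the old rule was not resubmitted, which is the failure mode worth catching in review when a prefix list feeds security group or route table entries.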
{'IpamResourceCidr': {'ResourceType': {'anycast-ip-list'}}}
Modify a resource CIDR. You can use this action to transfer resource CIDRs between scopes and ignore resource CIDRs that you do not want to manage. If Monitored is set to false, the resource will not be tracked for overlap, it cannot be auto-imported into a pool, and it will be removed from any pool it has an allocation in.
For more information, see Move resource CIDRs between scopes and Change the monitoring state of resource CIDRs in the Amazon VPC IPAM User Guide.
See also: AWS API Documentation
Request Syntax
client.modify_ipam_resource_cidr(
DryRun=True|False,
ResourceId='string',
ResourceCidr='string',
ResourceRegion='string',
CurrentIpamScopeId='string',
DestinationIpamScopeId='string',
Monitored=True|False
)
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
ResourceId (string) -- [REQUIRED]
The ID of the resource you want to modify.
ResourceCidr (string) -- [REQUIRED]
The CIDR of the resource you want to modify.
ResourceRegion (string) -- [REQUIRED]
The Amazon Web Services Region of the resource you want to modify.
CurrentIpamScopeId (string) -- [REQUIRED]
The ID of the current scope that the resource CIDR is in.
DestinationIpamScopeId (string) --
The ID of the scope you want to transfer the resource CIDR to.
Monitored (boolean) -- [REQUIRED]
Determines if the resource is monitored by IPAM. If a resource is monitored, the resource is discovered by IPAM and you can view details about the resource’s CIDR.
dict
Response Syntax
{
'IpamResourceCidr': {
'IpamId': 'string',
'IpamScopeId': 'string',
'IpamPoolId': 'string',
'ResourceRegion': 'string',
'ResourceOwnerId': 'string',
'ResourceId': 'string',
'ResourceName': 'string',
'ResourceCidr': 'string',
'ResourceType': 'vpc'|'subnet'|'eip'|'public-ipv4-pool'|'ipv6-pool'|'eni'|'anycast-ip-list',
'ResourceTags': [
{
'Key': 'string',
'Value': 'string'
},
],
'IpUsage': 123.0,
'ComplianceStatus': 'compliant'|'noncompliant'|'unmanaged'|'ignored',
'ManagementState': 'managed'|'unmanaged'|'ignored',
'OverlapStatus': 'overlapping'|'nonoverlapping'|'ignored',
'VpcId': 'string',
'AvailabilityZoneId': 'string'
}
}
Response Structure
(dict) --
IpamResourceCidr (dict) --
The CIDR of the resource.
IpamId (string) --
The IPAM ID for an IPAM resource.
IpamScopeId (string) --
The scope ID for an IPAM resource.
IpamPoolId (string) --
The pool ID for an IPAM resource.
ResourceRegion (string) --
The Amazon Web Services Region for an IPAM resource.
ResourceOwnerId (string) --
The Amazon Web Services account number of the owner of an IPAM resource.
ResourceId (string) --
The ID of an IPAM resource.
ResourceName (string) --
The name of an IPAM resource.
ResourceCidr (string) --
The CIDR for an IPAM resource.
ResourceType (string) --
The type of IPAM resource.
ResourceTags (list) --
The tags for an IPAM resource.
(dict) --
The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
Key (string) --
The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
Value (string) --
The value of the tag.
IpUsage (float) --
The percentage of IP address space in use. To convert the decimal to a percentage, multiply the decimal by 100. Note the following:
For resources that are VPCs, this is the percentage of IP address space in the VPC that's taken up by subnet CIDRs.
For resources that are subnets, if the subnet has an IPv4 CIDR provisioned to it, this is the percentage of IPv4 address space in the subnet that's in use. If the subnet has an IPv6 CIDR provisioned to it, the percentage of IPv6 address space in use is not represented. The percentage of IPv6 address space in use cannot currently be calculated.
For resources that are public IPv4 pools, this is the percentage of IP address space in the pool that's been allocated to Elastic IP addresses (EIPs).
ComplianceStatus (string) --
The compliance status of the IPAM resource. For more information on compliance statuses, see Monitor CIDR usage by resource in the Amazon VPC IPAM User Guide.
ManagementState (string) --
The management state of the resource. For more information about management states, see Monitor CIDR usage by resource in the Amazon VPC IPAM User Guide.
OverlapStatus (string) --
The overlap status of an IPAM resource. The overlap status tells you if the CIDR for a resource overlaps with another CIDR in the scope. For more information on overlap statuses, see Monitor CIDR usage by resource in the Amazon VPC IPAM User Guide.
VpcId (string) --
The ID of a VPC.
AvailabilityZoneId (string) --
The Availability Zone ID.
{'Options': {'EncryptionSupport': 'enable | disable'}}
Response {'TransitGateway': {'Options': {'EncryptionSupport': {'EncryptionState': 'enabling | enabled | disabling | disabled', 'StateMessage': 'string'}}}}
Modifies the specified transit gateway. When you modify a transit gateway, the modified options are applied to new transit gateway attachments only. Your existing transit gateway attachments are not modified.
See also: AWS API Documentation
Request Syntax
client.modify_transit_gateway(
TransitGatewayId='string',
Description='string',
Options={
'AddTransitGatewayCidrBlocks': [
'string',
],
'RemoveTransitGatewayCidrBlocks': [
'string',
],
'VpnEcmpSupport': 'enable'|'disable',
'DnsSupport': 'enable'|'disable',
'SecurityGroupReferencingSupport': 'enable'|'disable',
'AutoAcceptSharedAttachments': 'enable'|'disable',
'DefaultRouteTableAssociation': 'enable'|'disable',
'AssociationDefaultRouteTableId': 'string',
'DefaultRouteTablePropagation': 'enable'|'disable',
'PropagationDefaultRouteTableId': 'string',
'AmazonSideAsn': 123,
'EncryptionSupport': 'enable'|'disable'
},
DryRun=True|False
)
string
[REQUIRED]
The ID of the transit gateway.
string
The description for the transit gateway.
dict
The options to modify.
AddTransitGatewayCidrBlocks (list) --
Adds IPv4 or IPv6 CIDR blocks for the transit gateway. Must be a size /24 CIDR block or larger for IPv4, or a size /64 CIDR block or larger for IPv6.
(string) --
RemoveTransitGatewayCidrBlocks (list) --
Removes CIDR blocks for the transit gateway.
(string) --
VpnEcmpSupport (string) --
Enable or disable Equal Cost Multipath Protocol support.
DnsSupport (string) --
Enable or disable DNS support.
SecurityGroupReferencingSupport (string) --
Enables you to reference a security group across VPCs attached to a transit gateway to simplify security group management.
This option is disabled by default.
For more information about security group referencing, see Security group referencing in the Amazon Web Services Transit Gateways Guide.
AutoAcceptSharedAttachments (string) --
Enable or disable automatic acceptance of attachment requests.
DefaultRouteTableAssociation (string) --
Enable or disable automatic association with the default association route table.
AssociationDefaultRouteTableId (string) --
The ID of the default association route table.
DefaultRouteTablePropagation (string) --
Indicates whether resource attachments automatically propagate routes to the default propagation route table. Enabled by default. If defaultRouteTablePropagation is set to enable, Amazon Web Services Transit Gateway will create the default transit gateway route table.
PropagationDefaultRouteTableId (string) --
The ID of the default propagation route table.
AmazonSideAsn (integer) --
A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.
The modify ASN operation is not allowed on a transit gateway if it has the following attachments:
Dynamic VPN
Static VPN
Direct Connect Gateway
Connect
You must first delete all transit gateway attachments configured prior to modifying the ASN on the transit gateway.
EncryptionSupport (string) --
Enable or disable encryption support for VPC Encryption Control.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
'TransitGateway': {
'TransitGatewayId': 'string',
'TransitGatewayArn': 'string',
'State': 'pending'|'available'|'modifying'|'deleting'|'deleted',
'OwnerId': 'string',
'Description': 'string',
'CreationTime': datetime(2015, 1, 1),
'Options': {
'AmazonSideAsn': 123,
'TransitGatewayCidrBlocks': [
'string',
],
'AutoAcceptSharedAttachments': 'enable'|'disable',
'DefaultRouteTableAssociation': 'enable'|'disable',
'AssociationDefaultRouteTableId': 'string',
'DefaultRouteTablePropagation': 'enable'|'disable',
'PropagationDefaultRouteTableId': 'string',
'VpnEcmpSupport': 'enable'|'disable',
'DnsSupport': 'enable'|'disable',
'SecurityGroupReferencingSupport': 'enable'|'disable',
'MulticastSupport': 'enable'|'disable',
'EncryptionSupport': {
'EncryptionState': 'enabling'|'enabled'|'disabling'|'disabled',
'StateMessage': 'string'
}
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
}
}
Response Structure
(dict) --
TransitGateway (dict) --
Information about the transit gateway.
TransitGatewayId (string) --
The ID of the transit gateway.
TransitGatewayArn (string) --
The Amazon Resource Name (ARN) of the transit gateway.
State (string) --
The state of the transit gateway.
OwnerId (string) --
The ID of the Amazon Web Services account that owns the transit gateway.
Description (string) --
The description of the transit gateway.
CreationTime (datetime) --
The creation time.
Options (dict) --
The transit gateway options.
AmazonSideAsn (integer) --
A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.
TransitGatewayCidrBlocks (list) --
The transit gateway CIDR blocks.
(string) --
AutoAcceptSharedAttachments (string) --
Indicates whether attachment requests are automatically accepted.
DefaultRouteTableAssociation (string) --
Indicates whether resource attachments are automatically associated with the default association route table. Enabled by default. Either defaultRouteTableAssociation or defaultRouteTablePropagation must be set to enable for Amazon Web Services Transit Gateway to create the default transit gateway route table.
AssociationDefaultRouteTableId (string) --
The ID of the default association route table.
DefaultRouteTablePropagation (string) --
Indicates whether resource attachments automatically propagate routes to the default propagation route table. Enabled by default. If defaultRouteTablePropagation is set to enable, Amazon Web Services Transit Gateway creates the default transit gateway route table.
PropagationDefaultRouteTableId (string) --
The ID of the default propagation route table.
VpnEcmpSupport (string) --
Indicates whether Equal Cost Multipath Protocol support is enabled.
DnsSupport (string) --
Indicates whether DNS support is enabled.
SecurityGroupReferencingSupport (string) --
Enables you to reference a security group across VPCs attached to a transit gateway to simplify security group management.
This option is disabled by default.
MulticastSupport (string) --
Indicates whether multicast is enabled on the transit gateway.
EncryptionSupport (dict) --
Defines if the Transit Gateway supports VPC Encryption Control.
EncryptionState (string) --
The current encryption state of the resource.
StateMessage (string) --
A message describing the encryption state.
Tags (list) --
The tags for the transit gateway.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
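The constraints stated above for modify_transit_gateway (private ASN ranges, the attachment types that block an ASN change, and the minimum CIDR block sizes) can be checked before the call is made. The following is an added example, not part of the AWS documentation: the function names are hypothetical, the attachment records and their ResourceType strings are assumed to come from describe_transit_gateway_attachments, and the sample data is constructed.

```python
import ipaddress

# Private ASN ranges quoted in the AmazonSideAsn description.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# Assumption: ResourceType strings, as returned by
# describe_transit_gateway_attachments, for the attachment kinds listed as
# blocking an ASN change. Dynamic and static VPN both appear as "vpn".
ASN_BLOCKING_TYPES = {"vpn", "direct-connect-gateway", "connect"}


def asn_is_private(asn):
    """True if asn falls in one of the documented private ranges."""
    return any(low <= asn <= high for low, high in PRIVATE_ASN_RANGES)


def cidr_problem(cidr):
    """Return a reason string if cidr cannot be a transit gateway CIDR block."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"invalid CIDR: {exc}"
    # "/24 or larger" is read here as prefix length <= 24 (IPv6: <= 64).
    longest = 24 if net.version == 4 else 64
    if net.prefixlen > longest:
        return f"{cidr} is smaller than /{longest}"
    return None


def preflight_modify_tgw(options, attachments):
    """Check a modify_transit_gateway Options dict before sending it.

    attachments: list of attachment records (TransitGatewayAttachmentId,
    ResourceType, State) for the same transit gateway.
    Returns a list of problem strings; empty means nothing was found.
    """
    problems = []
    asn = options.get("AmazonSideAsn")
    if asn is not None:
        if not asn_is_private(asn):
            problems.append(f"AmazonSideAsn {asn} is outside the private ranges")
        # Attachments already in the "deleted" state no longer block the change.
        blockers = sorted(
            a["TransitGatewayAttachmentId"]
            for a in attachments
            if a["ResourceType"] in ASN_BLOCKING_TYPES and a["State"] != "deleted"
        )
        if blockers:
            problems.append("ASN change blocked by attachments: " + ", ".join(blockers))
    for cidr in options.get("AddTransitGatewayCidrBlocks", []):
        reason = cidr_problem(cidr)
        if reason:
            problems.append(reason)
    return problems


# Constructed sample data, not real resources.
SAMPLE_ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-EXAMPLE1", "ResourceType": "vpc", "State": "available"},
    {"TransitGatewayAttachmentId": "tgw-attach-EXAMPLE2", "ResourceType": "vpn", "State": "available"},
    {"TransitGatewayAttachmentId": "tgw-attach-EXAMPLE3", "ResourceType": "connect", "State": "deleted"},
]
SAMPLE_OPTIONS = {
    "AmazonSideAsn": 64511,
    "AddTransitGatewayCidrBlocks": ["10.0.0.0/28", "2001:db8::/56"],
    "EncryptionSupport": "enable",
}

if __name__ == "__main__":
    for problem in preflight_modify_tgw(SAMPLE_OPTIONS, SAMPLE_ATTACHMENTS):
        print(problem)
```

Because modified options apply to new attachments only, a clean preflight says nothing about attachments that already exist.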
{'VpnConnection': {'Options': {'TunnelOptions': {'LogOptions': {'CloudWatchLogOptions': {'BgpLogEnabled': 'boolean', 'BgpLogGroupArn': 'string', 'BgpLogOutputFormat': 'string'}}}}}}
Modifies the customer gateway or the target gateway of an Amazon Web Services Site-to-Site VPN connection. To modify the target gateway, the following migration options are available:
An existing virtual private gateway to a new virtual private gateway
An existing virtual private gateway to a transit gateway
An existing transit gateway to a new transit gateway
An existing transit gateway to a virtual private gateway
Before you perform the migration to the new gateway, you must configure the new gateway. Use CreateVpnGateway to create a virtual private gateway, or CreateTransitGateway to create a transit gateway.
This step is required when you migrate from a virtual private gateway with static routes to a transit gateway.
You must delete the static routes before you migrate to the new gateway.
Keep a copy of the static route before you delete it. You will need to add back these routes to the transit gateway after the VPN connection migration is complete.
After you migrate to the new gateway, you might need to modify your VPC route table. Use CreateRoute and DeleteRoute to make the changes described in Update VPC route tables in the Amazon Web Services Site-to-Site VPN User Guide.
When the new gateway is a transit gateway, modify the transit gateway route table to allow traffic between the VPC and the Amazon Web Services Site-to-Site VPN connection. Use CreateTransitGatewayRoute to add the routes.
If you deleted VPN static routes, you must add the static routes to the transit gateway route table.
After you perform this operation, the VPN endpoint's IP addresses on the Amazon Web Services side and the tunnel options remain intact. Your Amazon Web Services Site-to-Site VPN connection will be temporarily unavailable for a brief period while we provision the new endpoints.
See also: AWS API Documentation
Request Syntax
client.modify_vpn_connection(
VpnConnectionId='string',
TransitGatewayId='string',
CustomerGatewayId='string',
VpnGatewayId='string',
DryRun=True|False
)
string
[REQUIRED]
The ID of the VPN connection.
string
The ID of the transit gateway.
string
The ID of the customer gateway at your end of the VPN connection.
string
The ID of the virtual private gateway at the Amazon Web Services side of the VPN connection.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
'VpnConnection': {
'Category': 'string',
'TransitGatewayId': 'string',
'VpnConcentratorId': 'string',
'CoreNetworkArn': 'string',
'CoreNetworkAttachmentArn': 'string',
'GatewayAssociationState': 'associated'|'not-associated'|'associating'|'disassociating',
'Options': {
'EnableAcceleration': True|False,
'StaticRoutesOnly': True|False,
'LocalIpv4NetworkCidr': 'string',
'RemoteIpv4NetworkCidr': 'string',
'LocalIpv6NetworkCidr': 'string',
'RemoteIpv6NetworkCidr': 'string',
'OutsideIpAddressType': 'string',
'TransportTransitGatewayAttachmentId': 'string',
'TunnelInsideIpVersion': 'ipv4'|'ipv6',
'TunnelOptions': [
{
'OutsideIpAddress': 'string',
'TunnelInsideCidr': 'string',
'TunnelInsideIpv6Cidr': 'string',
'PreSharedKey': 'string',
'Phase1LifetimeSeconds': 123,
'Phase2LifetimeSeconds': 123,
'RekeyMarginTimeSeconds': 123,
'RekeyFuzzPercentage': 123,
'ReplayWindowSize': 123,
'DpdTimeoutSeconds': 123,
'DpdTimeoutAction': 'string',
'Phase1EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase2EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase1IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase2IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase1DHGroupNumbers': [
{
'Value': 123
},
],
'Phase2DHGroupNumbers': [
{
'Value': 123
},
],
'IkeVersions': [
{
'Value': 'string'
},
],
'StartupAction': 'string',
'LogOptions': {
'CloudWatchLogOptions': {
'LogEnabled': True|False,
'LogGroupArn': 'string',
'LogOutputFormat': 'string',
'BgpLogEnabled': True|False,
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'
}
},
'EnableTunnelLifecycleControl': True|False
},
],
'TunnelBandwidth': 'standard'|'large'
},
'Routes': [
{
'DestinationCidrBlock': 'string',
'Source': 'Static',
'State': 'pending'|'available'|'deleting'|'deleted'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'VgwTelemetry': [
{
'AcceptedRouteCount': 123,
'LastStatusChange': datetime(2015, 1, 1),
'OutsideIpAddress': 'string',
'Status': 'UP'|'DOWN',
'StatusMessage': 'string',
'CertificateArn': 'string'
},
],
'PreSharedKeyArn': 'string',
'VpnConnectionId': 'string',
'State': 'pending'|'available'|'deleting'|'deleted',
'CustomerGatewayConfiguration': 'string',
'Type': 'ipsec.1',
'CustomerGatewayId': 'string',
'VpnGatewayId': 'string'
}
}
Response Structure
(dict) --
VpnConnection (dict) --
Information about the VPN connection.
Category (string) --
The category of the VPN connection. A value of VPN indicates an Amazon Web Services VPN connection. A value of VPN-Classic indicates an Amazon Web Services Classic VPN connection.
TransitGatewayId (string) --
The ID of the transit gateway associated with the VPN connection.
VpnConcentratorId (string) --
The ID of the VPN concentrator associated with the VPN connection.
CoreNetworkArn (string) --
The ARN of the core network.
CoreNetworkAttachmentArn (string) --
The ARN of the core network attachment.
GatewayAssociationState (string) --
The current state of the gateway association.
Options (dict) --
The VPN connection options.
EnableAcceleration (boolean) --
Indicates whether acceleration is enabled for the VPN connection.
StaticRoutesOnly (boolean) --
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP.
LocalIpv4NetworkCidr (string) --
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv4NetworkCidr (string) --
The IPv4 CIDR on the Amazon Web Services side of the VPN connection.
LocalIpv6NetworkCidr (string) --
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv6NetworkCidr (string) --
The IPv6 CIDR on the Amazon Web Services side of the VPN connection.
OutsideIpAddressType (string) --
The type of IPv4 address assigned to the outside interface of the customer gateway.
Valid values: PrivateIpv4 | PublicIpv4 | Ipv6
Default: PublicIpv4
TransportTransitGatewayAttachmentId (string) --
The transit gateway attachment ID in use for the VPN tunnel.
TunnelInsideIpVersion (string) --
Indicates whether the VPN tunnels process IPv4 or IPv6 traffic.
TunnelOptions (list) --
Indicates the VPN tunnel options.
(dict) --
The VPN tunnel options.
OutsideIpAddress (string) --
The external IP address of the VPN tunnel.
TunnelInsideCidr (string) --
The range of inside IPv4 addresses for the tunnel.
TunnelInsideIpv6Cidr (string) --
The range of inside IPv6 addresses for the tunnel.
PreSharedKey (string) --
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and the customer gateway.
Phase1LifetimeSeconds (integer) --
The lifetime for phase 1 of the IKE negotiation, in seconds.
Phase2LifetimeSeconds (integer) --
The lifetime for phase 2 of the IKE negotiation, in seconds.
RekeyMarginTimeSeconds (integer) --
The margin time, in seconds, before the phase 2 lifetime expires, during which the Amazon Web Services side of the VPN connection performs an IKE rekey.
RekeyFuzzPercentage (integer) --
The percentage of the rekey window determined by RekeyMarginTimeSeconds during which the rekey time is randomly selected.
ReplayWindowSize (integer) --
The number of packets in an IKE replay window.
DpdTimeoutSeconds (integer) --
The number of seconds after which a DPD timeout occurs.
DpdTimeoutAction (string) --
The action to take after a DPD timeout occurs.
Phase1EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The encryption algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the encryption algorithm.
Phase2EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The encryption algorithm for phase 2 IKE negotiations.
Value (string) --
The encryption algorithm.
Phase1IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The integrity algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the integrity algorithm.
Phase2IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The integrity algorithm for phase 2 IKE negotiations.
Value (string) --
The integrity algorithm.
Phase1DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 1 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
Phase2DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 2 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
IkeVersions (list) --
The IKE versions that are permitted for the VPN tunnel.
(dict) --
The internet key exchange (IKE) version permitted for the VPN tunnel.
Value (string) --
The IKE version.
StartupAction (string) --
The action to take when establishing the VPN tunnels for a VPN connection.
LogOptions (dict) --
Options for logging VPN tunnel activity.
CloudWatchLogOptions (dict) --
Options for sending VPN tunnel logs to CloudWatch.
LogEnabled (boolean) --
Status of VPN tunnel logging feature. Default value is False.
Valid values: True | False
LogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
LogOutputFormat (string) --
Configured log format. Default format is json.
Valid values: json | text
BgpLogEnabled (boolean) --
Indicates whether Border Gateway Protocol (BGP) logging is enabled for the VPN connection. Default value is False.
Valid values: True | False
BgpLogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group for BGP logs.
BgpLogOutputFormat (string) --
The output format for BGP logs sent to CloudWatch. Default format is json.
Valid values: json | text
EnableTunnelLifecycleControl (boolean) --
Status of tunnel endpoint lifecycle control feature.
TunnelBandwidth (string) --
The configured bandwidth for the VPN tunnel. Represents the current throughput capacity setting for the tunnel connection. standard tunnel bandwidth supports up to 1.25 Gbps per tunnel while large supports up to 5 Gbps per tunnel. If no tunnel bandwidth was specified for the connection, standard is used as the default value.
Routes (list) --
The static routes associated with the VPN connection.
(dict) --
Describes a static route for a VPN connection.
DestinationCidrBlock (string) --
The CIDR block associated with the local subnet of the customer data center.
Source (string) --
Indicates how the routes were provided.
State (string) --
The current state of the static route.
Tags (list) --
Any tags assigned to the VPN connection.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
VgwTelemetry (list) --
Information about the VPN tunnel.
(dict) --
Describes telemetry for a VPN tunnel.
AcceptedRouteCount (integer) --
The number of accepted routes.
LastStatusChange (datetime) --
The date and time of the last change in status. This field is updated when changes in IKE (Phase 1), IPSec (Phase 2), or BGP status are detected.
OutsideIpAddress (string) --
The Internet-routable IP address of the virtual private gateway's outside interface.
Status (string) --
The status of the VPN tunnel.
StatusMessage (string) --
If an error occurs, a description of the error.
CertificateArn (string) --
The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
PreSharedKeyArn (string) --
The Amazon Resource Name (ARN) of the Secrets Manager secret storing the pre-shared key(s) for the VPN connection.
VpnConnectionId (string) --
The ID of the VPN connection.
State (string) --
The current state of the VPN connection.
CustomerGatewayConfiguration (string) --
The configuration information for the VPN connection's customer gateway (in the native XML format). This element is always present in the CreateVpnConnection response; however, it's present in the DescribeVpnConnections response only if the VPN connection is in the pending or available state.
Type (string) --
The type of VPN connection.
CustomerGatewayId (string) --
The ID of the customer gateway at your end of the VPN connection.
VpnGatewayId (string) --
The ID of the virtual private gateway at the Amazon Web Services side of the VPN connection.
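The VpnConnection structure above carries both the per-tunnel logging settings (including the new BgpLog* fields) and the tunnel pre-shared key, so a response is worth auditing and scrubbing before it is stored or shared. The following is an added example, not part of the AWS documentation: the function names and finding labels are hypothetical, the sample response is constructed, and redacting CustomerGatewayConfiguration rests on the assumption that the XML can embed the same key.

```python
import copy

REDACTED = "<redacted>"


def audit_vpn_logging(vpn):
    """Return (tunnel outside IP, finding) pairs for logging gaps.

    vpn is the 'VpnConnection' dict from a modify/describe response.
    """
    findings = []
    options = vpn.get("Options", {})
    # BGP logs only matter when the connection is not static-routes-only.
    uses_bgp = not options.get("StaticRoutesOnly", False)
    for tunnel in options.get("TunnelOptions", []):
        ip = tunnel.get("OutsideIpAddress", "unknown")
        # LogOptions may be absent entirely; both flags default to False.
        cw = tunnel.get("LogOptions", {}).get("CloudWatchLogOptions", {})
        if not cw.get("LogEnabled", False):
            findings.append((ip, "tunnel-logging-disabled"))
        elif not cw.get("LogGroupArn"):
            findings.append((ip, "tunnel-log-group-missing"))
        if uses_bgp:
            if not cw.get("BgpLogEnabled", False):
                findings.append((ip, "bgp-logging-disabled"))
            elif not cw.get("BgpLogGroupArn"):
                findings.append((ip, "bgp-log-group-missing"))
    return findings


def redact_vpn_secrets(vpn):
    """Return a deep copy that is safe to write to logs or tickets."""
    clean = copy.deepcopy(vpn)
    for tunnel in clean.get("Options", {}).get("TunnelOptions", []):
        if "PreSharedKey" in tunnel:
            tunnel["PreSharedKey"] = REDACTED
    # Assumption: the customer gateway XML can embed the same key, so drop it.
    if "CustomerGatewayConfiguration" in clean:
        clean["CustomerGatewayConfiguration"] = REDACTED
    return clean


# Constructed sample response, not output from a real account.
SAMPLE_VPN = {
    "VpnConnectionId": "vpn-EXAMPLE",
    "CustomerGatewayConfiguration": "<vpn_connection>constructed</vpn_connection>",
    "Options": {
        "StaticRoutesOnly": False,
        "TunnelOptions": [
            {
                "OutsideIpAddress": "203.0.113.10",
                "PreSharedKey": "constructed-psk-not-real",
                "LogOptions": {
                    "CloudWatchLogOptions": {
                        "LogEnabled": True,
                        "LogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:constructed-vpn-logs",
                        "LogOutputFormat": "json",
                        "BgpLogEnabled": False,
                    }
                },
            },
            {
                # Second tunnel has no LogOptions at all.
                "OutsideIpAddress": "203.0.113.20",
                "PreSharedKey": "constructed-psk-not-real",
            },
        ],
    },
}

if __name__ == "__main__":
    for ip, finding in audit_vpn_logging(SAMPLE_VPN):
        print(ip, finding)
    print(redact_vpn_secrets(SAMPLE_VPN)["Options"]["TunnelOptions"][0]["PreSharedKey"])
```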
{'VpnConnection': {'Options': {'TunnelOptions': {'LogOptions': {'CloudWatchLogOptions': {'BgpLogEnabled': 'boolean', 'BgpLogGroupArn': 'string', 'BgpLogOutputFormat': 'string'}}}}}}
Modifies the connection options for your Site-to-Site VPN connection.
When you modify the VPN connection options, the VPN endpoint IP addresses on the Amazon Web Services side do not change, and the tunnel options do not change. Your VPN connection will be temporarily unavailable for a brief period while the VPN connection is updated.
See also: AWS API Documentation
Request Syntax
client.modify_vpn_connection_options(
VpnConnectionId='string',
LocalIpv4NetworkCidr='string',
RemoteIpv4NetworkCidr='string',
LocalIpv6NetworkCidr='string',
RemoteIpv6NetworkCidr='string',
DryRun=True|False
)
string
[REQUIRED]
The ID of the Site-to-Site VPN connection.
string
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
Default: 0.0.0.0/0
string
The IPv4 CIDR on the Amazon Web Services side of the VPN connection.
Default: 0.0.0.0/0
string
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
Default: ::/0
string
The IPv6 CIDR on the Amazon Web Services side of the VPN connection.
Default: ::/0
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
'VpnConnection': {
'Category': 'string',
'TransitGatewayId': 'string',
'VpnConcentratorId': 'string',
'CoreNetworkArn': 'string',
'CoreNetworkAttachmentArn': 'string',
'GatewayAssociationState': 'associated'|'not-associated'|'associating'|'disassociating',
'Options': {
'EnableAcceleration': True|False,
'StaticRoutesOnly': True|False,
'LocalIpv4NetworkCidr': 'string',
'RemoteIpv4NetworkCidr': 'string',
'LocalIpv6NetworkCidr': 'string',
'RemoteIpv6NetworkCidr': 'string',
'OutsideIpAddressType': 'string',
'TransportTransitGatewayAttachmentId': 'string',
'TunnelInsideIpVersion': 'ipv4'|'ipv6',
'TunnelOptions': [
{
'OutsideIpAddress': 'string',
'TunnelInsideCidr': 'string',
'TunnelInsideIpv6Cidr': 'string',
'PreSharedKey': 'string',
'Phase1LifetimeSeconds': 123,
'Phase2LifetimeSeconds': 123,
'RekeyMarginTimeSeconds': 123,
'RekeyFuzzPercentage': 123,
'ReplayWindowSize': 123,
'DpdTimeoutSeconds': 123,
'DpdTimeoutAction': 'string',
'Phase1EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase2EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase1IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase2IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase1DHGroupNumbers': [
{
'Value': 123
},
],
'Phase2DHGroupNumbers': [
{
'Value': 123
},
],
'IkeVersions': [
{
'Value': 'string'
},
],
'StartupAction': 'string',
'LogOptions': {
'CloudWatchLogOptions': {
'LogEnabled': True|False,
'LogGroupArn': 'string',
'LogOutputFormat': 'string',
'BgpLogEnabled': True|False,
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'
}
},
'EnableTunnelLifecycleControl': True|False
},
],
'TunnelBandwidth': 'standard'|'large'
},
'Routes': [
{
'DestinationCidrBlock': 'string',
'Source': 'Static',
'State': 'pending'|'available'|'deleting'|'deleted'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'VgwTelemetry': [
{
'AcceptedRouteCount': 123,
'LastStatusChange': datetime(2015, 1, 1),
'OutsideIpAddress': 'string',
'Status': 'UP'|'DOWN',
'StatusMessage': 'string',
'CertificateArn': 'string'
},
],
'PreSharedKeyArn': 'string',
'VpnConnectionId': 'string',
'State': 'pending'|'available'|'deleting'|'deleted',
'CustomerGatewayConfiguration': 'string',
'Type': 'ipsec.1',
'CustomerGatewayId': 'string',
'VpnGatewayId': 'string'
}
}
Response Structure
(dict) --
VpnConnection (dict) --
Information about the VPN connection.
Category (string) --
The category of the VPN connection. A value of VPN indicates an Amazon Web Services VPN connection. A value of VPN-Classic indicates an Amazon Web Services Classic VPN connection.
TransitGatewayId (string) --
The ID of the transit gateway associated with the VPN connection.
VpnConcentratorId (string) --
The ID of the VPN concentrator associated with the VPN connection.
CoreNetworkArn (string) --
The ARN of the core network.
CoreNetworkAttachmentArn (string) --
The ARN of the core network attachment.
GatewayAssociationState (string) --
The current state of the gateway association.
Options (dict) --
The VPN connection options.
EnableAcceleration (boolean) --
Indicates whether acceleration is enabled for the VPN connection.
StaticRoutesOnly (boolean) --
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP.
LocalIpv4NetworkCidr (string) --
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv4NetworkCidr (string) --
The IPv4 CIDR on the Amazon Web Services side of the VPN connection.
LocalIpv6NetworkCidr (string) --
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv6NetworkCidr (string) --
The IPv6 CIDR on the Amazon Web Services side of the VPN connection.
OutsideIpAddressType (string) --
The type of IPv4 address assigned to the outside interface of the customer gateway.
Valid values: PrivateIpv4 | PublicIpv4 | Ipv6
Default: PublicIpv4
TransportTransitGatewayAttachmentId (string) --
The transit gateway attachment ID in use for the VPN tunnel.
TunnelInsideIpVersion (string) --
Indicates whether the VPN tunnels process IPv4 or IPv6 traffic.
TunnelOptions (list) --
Indicates the VPN tunnel options.
(dict) --
The VPN tunnel options.
OutsideIpAddress (string) --
The external IP address of the VPN tunnel.
TunnelInsideCidr (string) --
The range of inside IPv4 addresses for the tunnel.
TunnelInsideIpv6Cidr (string) --
The range of inside IPv6 addresses for the tunnel.
PreSharedKey (string) --
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and the customer gateway.
Phase1LifetimeSeconds (integer) --
The lifetime for phase 1 of the IKE negotiation, in seconds.
Phase2LifetimeSeconds (integer) --
The lifetime for phase 2 of the IKE negotiation, in seconds.
RekeyMarginTimeSeconds (integer) --
The margin time, in seconds, before the phase 2 lifetime expires, during which the Amazon Web Services side of the VPN connection performs an IKE rekey.
RekeyFuzzPercentage (integer) --
The percentage of the rekey window determined by RekeyMarginTimeSeconds during which the rekey time is randomly selected.
ReplayWindowSize (integer) --
The number of packets in an IKE replay window.
DpdTimeoutSeconds (integer) --
The number of seconds after which a DPD timeout occurs.
DpdTimeoutAction (string) --
The action to take after a DPD timeout occurs.
Phase1EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The encryption algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the encryption algorithm.
Phase2EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The encryption algorithm for phase 2 IKE negotiations.
Value (string) --
The encryption algorithm.
Phase1IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The integrity algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the integrity algorithm.
Phase2IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The integrity algorithm for phase 2 IKE negotiations.
Value (string) --
The integrity algorithm.
Phase1DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 1 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
Phase2DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 2 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
IkeVersions (list) --
The IKE versions that are permitted for the VPN tunnel.
(dict) --
The internet key exchange (IKE) version permitted for the VPN tunnel.
Value (string) --
The IKE version.
StartupAction (string) --
The action to take when establishing the VPN tunnels for a VPN connection.
LogOptions (dict) --
Options for logging VPN tunnel activity.
CloudWatchLogOptions (dict) --
Options for sending VPN tunnel logs to CloudWatch.
LogEnabled (boolean) --
Status of VPN tunnel logging feature. Default value is False.
Valid values: True | False
LogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
LogOutputFormat (string) --
Configured log format. Default format is json.
Valid values: json | text
BgpLogEnabled (boolean) --
Indicates whether Border Gateway Protocol (BGP) logging is enabled for the VPN connection. Default value is False.
Valid values: True | False
BgpLogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group for BGP logs.
BgpLogOutputFormat (string) --
The output format for BGP logs sent to CloudWatch. Default format is json.
Valid values: json | text
EnableTunnelLifecycleControl (boolean) --
Status of tunnel endpoint lifecycle control feature.
TunnelBandwidth (string) --
The configured bandwidth for the VPN tunnel. Represents the current throughput capacity setting for the tunnel connection. standard tunnel bandwidth supports up to 1.25 Gbps per tunnel while large supports up to 5 Gbps per tunnel. If no tunnel bandwidth was specified for the connection, standard is used as the default value.
Routes (list) --
The static routes associated with the VPN connection.
(dict) --
Describes a static route for a VPN connection.
DestinationCidrBlock (string) --
The CIDR block associated with the local subnet of the customer data center.
Source (string) --
Indicates how the routes were provided.
State (string) --
The current state of the static route.
Tags (list) --
Any tags assigned to the VPN connection.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
VgwTelemetry (list) --
Information about the VPN tunnel.
(dict) --
Describes telemetry for a VPN tunnel.
AcceptedRouteCount (integer) --
The number of accepted routes.
LastStatusChange (datetime) --
The date and time of the last change in status. This field is updated when changes in IKE (Phase 1), IPSec (Phase 2), or BGP status are detected.
OutsideIpAddress (string) --
The Internet-routable IP address of the virtual private gateway's outside interface.
Status (string) --
The status of the VPN tunnel.
StatusMessage (string) --
If an error occurs, a description of the error.
CertificateArn (string) --
The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
PreSharedKeyArn (string) --
The Amazon Resource Name (ARN) of the Secrets Manager secret storing the pre-shared key(s) for the VPN connection.
VpnConnectionId (string) --
The ID of the VPN connection.
State (string) --
The current state of the VPN connection.
CustomerGatewayConfiguration (string) --
The configuration information for the VPN connection's customer gateway (in the native XML format). This element is always present in the CreateVpnConnection response; however, it's present in the DescribeVpnConnections response only if the VPN connection is in the pending or available state.
Type (string) --
The type of VPN connection.
CustomerGatewayId (string) --
The ID of the customer gateway at your end of the VPN connection.
VpnGatewayId (string) --
The ID of the virtual private gateway at the Amazon Web Services side of the VPN connection.
{'VpnConnection': {'Options': {'TunnelOptions': {'LogOptions': {'CloudWatchLogOptions': {'BgpLogEnabled': 'boolean',
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'}}}}}}
Modifies the VPN tunnel endpoint certificate.
See also: AWS API Documentation
Request Syntax
client.modify_vpn_tunnel_certificate(
VpnConnectionId='string',
VpnTunnelOutsideIpAddress='string',
DryRun=True|False
)
VpnConnectionId (string) --
[REQUIRED]
The ID of the Amazon Web Services Site-to-Site VPN connection.
VpnTunnelOutsideIpAddress (string) --
[REQUIRED]
The external IP address of the VPN tunnel.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
'VpnConnection': {
'Category': 'string',
'TransitGatewayId': 'string',
'VpnConcentratorId': 'string',
'CoreNetworkArn': 'string',
'CoreNetworkAttachmentArn': 'string',
'GatewayAssociationState': 'associated'|'not-associated'|'associating'|'disassociating',
'Options': {
'EnableAcceleration': True|False,
'StaticRoutesOnly': True|False,
'LocalIpv4NetworkCidr': 'string',
'RemoteIpv4NetworkCidr': 'string',
'LocalIpv6NetworkCidr': 'string',
'RemoteIpv6NetworkCidr': 'string',
'OutsideIpAddressType': 'string',
'TransportTransitGatewayAttachmentId': 'string',
'TunnelInsideIpVersion': 'ipv4'|'ipv6',
'TunnelOptions': [
{
'OutsideIpAddress': 'string',
'TunnelInsideCidr': 'string',
'TunnelInsideIpv6Cidr': 'string',
'PreSharedKey': 'string',
'Phase1LifetimeSeconds': 123,
'Phase2LifetimeSeconds': 123,
'RekeyMarginTimeSeconds': 123,
'RekeyFuzzPercentage': 123,
'ReplayWindowSize': 123,
'DpdTimeoutSeconds': 123,
'DpdTimeoutAction': 'string',
'Phase1EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase2EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase1IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase2IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase1DHGroupNumbers': [
{
'Value': 123
},
],
'Phase2DHGroupNumbers': [
{
'Value': 123
},
],
'IkeVersions': [
{
'Value': 'string'
},
],
'StartupAction': 'string',
'LogOptions': {
'CloudWatchLogOptions': {
'LogEnabled': True|False,
'LogGroupArn': 'string',
'LogOutputFormat': 'string',
'BgpLogEnabled': True|False,
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'
}
},
'EnableTunnelLifecycleControl': True|False
},
],
'TunnelBandwidth': 'standard'|'large'
},
'Routes': [
{
'DestinationCidrBlock': 'string',
'Source': 'Static',
'State': 'pending'|'available'|'deleting'|'deleted'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'VgwTelemetry': [
{
'AcceptedRouteCount': 123,
'LastStatusChange': datetime(2015, 1, 1),
'OutsideIpAddress': 'string',
'Status': 'UP'|'DOWN',
'StatusMessage': 'string',
'CertificateArn': 'string'
},
],
'PreSharedKeyArn': 'string',
'VpnConnectionId': 'string',
'State': 'pending'|'available'|'deleting'|'deleted',
'CustomerGatewayConfiguration': 'string',
'Type': 'ipsec.1',
'CustomerGatewayId': 'string',
'VpnGatewayId': 'string'
}
}
Response Structure
(dict) --
VpnConnection (dict) --
Information about the VPN connection.
Category (string) --
The category of the VPN connection. A value of VPN indicates an Amazon Web Services VPN connection. A value of VPN-Classic indicates an Amazon Web Services Classic VPN connection.
TransitGatewayId (string) --
The ID of the transit gateway associated with the VPN connection.
VpnConcentratorId (string) --
The ID of the VPN concentrator associated with the VPN connection.
CoreNetworkArn (string) --
The ARN of the core network.
CoreNetworkAttachmentArn (string) --
The ARN of the core network attachment.
GatewayAssociationState (string) --
The current state of the gateway association.
Options (dict) --
The VPN connection options.
EnableAcceleration (boolean) --
Indicates whether acceleration is enabled for the VPN connection.
StaticRoutesOnly (boolean) --
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP.
LocalIpv4NetworkCidr (string) --
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv4NetworkCidr (string) --
The IPv4 CIDR on the Amazon Web Services side of the VPN connection.
LocalIpv6NetworkCidr (string) --
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv6NetworkCidr (string) --
The IPv6 CIDR on the Amazon Web Services side of the VPN connection.
OutsideIpAddressType (string) --
The type of IPv4 address assigned to the outside interface of the customer gateway.
Valid values: PrivateIpv4 | PublicIpv4 | Ipv6
Default: PublicIpv4
TransportTransitGatewayAttachmentId (string) --
The transit gateway attachment ID in use for the VPN tunnel.
TunnelInsideIpVersion (string) --
Indicates whether the VPN tunnels process IPv4 or IPv6 traffic.
TunnelOptions (list) --
Indicates the VPN tunnel options.
(dict) --
The VPN tunnel options.
OutsideIpAddress (string) --
The external IP address of the VPN tunnel.
TunnelInsideCidr (string) --
The range of inside IPv4 addresses for the tunnel.
TunnelInsideIpv6Cidr (string) --
The range of inside IPv6 addresses for the tunnel.
PreSharedKey (string) --
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and the customer gateway.
Phase1LifetimeSeconds (integer) --
The lifetime for phase 1 of the IKE negotiation, in seconds.
Phase2LifetimeSeconds (integer) --
The lifetime for phase 2 of the IKE negotiation, in seconds.
RekeyMarginTimeSeconds (integer) --
The margin time, in seconds, before the phase 2 lifetime expires, during which the Amazon Web Services side of the VPN connection performs an IKE rekey.
RekeyFuzzPercentage (integer) --
The percentage of the rekey window determined by RekeyMarginTimeSeconds during which the rekey time is randomly selected.
ReplayWindowSize (integer) --
The number of packets in an IKE replay window.
DpdTimeoutSeconds (integer) --
The number of seconds after which a DPD timeout occurs.
DpdTimeoutAction (string) --
The action to take after a DPD timeout occurs.
Phase1EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The encryption algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the encryption algorithm.
Phase2EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The encryption algorithm for phase 2 IKE negotiations.
Value (string) --
The encryption algorithm.
Phase1IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The integrity algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the integrity algorithm.
Phase2IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The integrity algorithm for phase 2 IKE negotiations.
Value (string) --
The integrity algorithm.
Phase1DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 1 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
Phase2DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 2 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
IkeVersions (list) --
The IKE versions that are permitted for the VPN tunnel.
(dict) --
The internet key exchange (IKE) version permitted for the VPN tunnel.
Value (string) --
The IKE version.
StartupAction (string) --
The action to take when establishing the VPN tunnels for a VPN connection.
LogOptions (dict) --
Options for logging VPN tunnel activity.
CloudWatchLogOptions (dict) --
Options for sending VPN tunnel logs to CloudWatch.
LogEnabled (boolean) --
Status of VPN tunnel logging feature. Default value is False.
Valid values: True | False
LogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
LogOutputFormat (string) --
Configured log format. Default format is json.
Valid values: json | text
BgpLogEnabled (boolean) --
Indicates whether Border Gateway Protocol (BGP) logging is enabled for the VPN connection. Default value is False.
Valid values: True | False
BgpLogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group for BGP logs.
BgpLogOutputFormat (string) --
The output format for BGP logs sent to CloudWatch. Default format is json.
Valid values: json | text
EnableTunnelLifecycleControl (boolean) --
Status of tunnel endpoint lifecycle control feature.
TunnelBandwidth (string) --
The configured bandwidth for the VPN tunnel. Represents the current throughput capacity setting for the tunnel connection. standard tunnel bandwidth supports up to 1.25 Gbps per tunnel while large supports up to 5 Gbps per tunnel. If no tunnel bandwidth was specified for the connection, standard is used as the default value.
Routes (list) --
The static routes associated with the VPN connection.
(dict) --
Describes a static route for a VPN connection.
DestinationCidrBlock (string) --
The CIDR block associated with the local subnet of the customer data center.
Source (string) --
Indicates how the routes were provided.
State (string) --
The current state of the static route.
Tags (list) --
Any tags assigned to the VPN connection.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
VgwTelemetry (list) --
Information about the VPN tunnel.
(dict) --
Describes telemetry for a VPN tunnel.
AcceptedRouteCount (integer) --
The number of accepted routes.
LastStatusChange (datetime) --
The date and time of the last change in status. This field is updated when changes in IKE (Phase 1), IPSec (Phase 2), or BGP status are detected.
OutsideIpAddress (string) --
The Internet-routable IP address of the virtual private gateway's outside interface.
Status (string) --
The status of the VPN tunnel.
StatusMessage (string) --
If an error occurs, a description of the error.
CertificateArn (string) --
The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
PreSharedKeyArn (string) --
The Amazon Resource Name (ARN) of the Secrets Manager secret storing the pre-shared key(s) for the VPN connection.
VpnConnectionId (string) --
The ID of the VPN connection.
State (string) --
The current state of the VPN connection.
CustomerGatewayConfiguration (string) --
The configuration information for the VPN connection's customer gateway (in the native XML format). This element is always present in the CreateVpnConnection response; however, it's present in the DescribeVpnConnections response only if the VPN connection is in the pending or available state.
Type (string) --
The type of VPN connection.
CustomerGatewayId (string) --
The ID of the customer gateway at your end of the VPN connection.
VpnGatewayId (string) --
The ID of the virtual private gateway at the Amazon Web Services side of the VPN connection.
{'TunnelOptions': {'LogOptions': {'CloudWatchLogOptions': {'BgpLogEnabled': 'boolean',
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'}}}}
Response {'VpnConnection': {'Options': {'TunnelOptions': {'LogOptions': {'CloudWatchLogOptions': {'BgpLogEnabled': 'boolean',
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'}}}}}}
Modifies the options for a VPN tunnel in an Amazon Web Services Site-to-Site VPN connection. You can modify multiple options for a tunnel in a single request, but you can only modify one tunnel at a time. For more information, see Site-to-Site VPN tunnel options for your Site-to-Site VPN connection in the Amazon Web Services Site-to-Site VPN User Guide.
See also: AWS API Documentation
Request Syntax
client.modify_vpn_tunnel_options(
VpnConnectionId='string',
VpnTunnelOutsideIpAddress='string',
TunnelOptions={
'TunnelInsideCidr': 'string',
'TunnelInsideIpv6Cidr': 'string',
'PreSharedKey': 'string',
'Phase1LifetimeSeconds': 123,
'Phase2LifetimeSeconds': 123,
'RekeyMarginTimeSeconds': 123,
'RekeyFuzzPercentage': 123,
'ReplayWindowSize': 123,
'DPDTimeoutSeconds': 123,
'DPDTimeoutAction': 'string',
'Phase1EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase2EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase1IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase2IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase1DHGroupNumbers': [
{
'Value': 123
},
],
'Phase2DHGroupNumbers': [
{
'Value': 123
},
],
'IKEVersions': [
{
'Value': 'string'
},
],
'StartupAction': 'string',
'LogOptions': {
'CloudWatchLogOptions': {
'LogEnabled': True|False,
'LogGroupArn': 'string',
'LogOutputFormat': 'string',
'BgpLogEnabled': True|False,
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'
}
},
'EnableTunnelLifecycleControl': True|False
},
DryRun=True|False,
SkipTunnelReplacement=True|False,
PreSharedKeyStorage='string'
)
VpnConnectionId (string) --
[REQUIRED]
The ID of the Amazon Web Services Site-to-Site VPN connection.
VpnTunnelOutsideIpAddress (string) --
[REQUIRED]
The external IP address of the VPN tunnel.
TunnelOptions (dict) --
[REQUIRED]
The tunnel options to modify.
TunnelInsideCidr (string) --
The range of inside IPv4 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same virtual private gateway.
Constraints: A size /30 CIDR block from the 169.254.0.0/16 range. The following CIDR blocks are reserved and cannot be used:
169.254.0.0/30
169.254.1.0/30
169.254.2.0/30
169.254.3.0/30
169.254.4.0/30
169.254.5.0/30
169.254.169.252/30
TunnelInsideIpv6Cidr (string) --
The range of inside IPv6 addresses for the tunnel. Any specified CIDR blocks must be unique across all VPN connections that use the same transit gateway.
Constraints: A size /126 CIDR block from the local fd00::/8 range.
PreSharedKey (string) --
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and the customer gateway.
Constraints: Allowed characters are alphanumeric characters, periods (.), and underscores (_). Must be between 8 and 64 characters in length and cannot start with zero (0).
Phase1LifetimeSeconds (integer) --
The lifetime for phase 1 of the IKE negotiation, in seconds.
Constraints: A value between 900 and 28,800.
Default: 28800
Phase2LifetimeSeconds (integer) --
The lifetime for phase 2 of the IKE negotiation, in seconds.
Constraints: A value between 900 and 3,600. The value must be less than the value for Phase1LifetimeSeconds.
Default: 3600
RekeyMarginTimeSeconds (integer) --
The margin time, in seconds, before the phase 2 lifetime expires, during which the Amazon Web Services side of the VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for RekeyFuzzPercentage.
Constraints: A value between 60 and half of Phase2LifetimeSeconds.
Default: 270
RekeyFuzzPercentage (integer) --
The percentage of the rekey window (determined by RekeyMarginTimeSeconds) during which the rekey time is randomly selected.
Constraints: A value between 0 and 100.
Default: 100
ReplayWindowSize (integer) --
The number of packets in an IKE replay window.
Constraints: A value between 64 and 2048.
Default: 1024
DPDTimeoutSeconds (integer) --
The number of seconds after which a DPD timeout occurs. A DPD timeout of 40 seconds means that the VPN endpoint will consider the peer dead 30 seconds after the first failed keep-alive.
Constraints: A value greater than or equal to 30.
Default: 40
DPDTimeoutAction (string) --
The action to take after DPD timeout occurs. Specify restart to restart the IKE initiation. Specify clear to end the IKE session.
Valid Values: clear | none | restart
Default: clear
Phase1EncryptionAlgorithms (list) --
One or more encryption algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.
Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
(dict) --
Specifies the encryption algorithm for the VPN tunnel for phase 1 IKE negotiations.
Value (string) --
The value for the encryption algorithm.
Phase2EncryptionAlgorithms (list) --
One or more encryption algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.
Valid values: AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16
(dict) --
Specifies the encryption algorithm for the VPN tunnel for phase 2 IKE negotiations.
Value (string) --
The encryption algorithm.
Phase1IntegrityAlgorithms (list) --
One or more integrity algorithms that are permitted for the VPN tunnel for phase 1 IKE negotiations.
Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
(dict) --
Specifies the integrity algorithm for the VPN tunnel for phase 1 IKE negotiations.
Value (string) --
The value for the integrity algorithm.
Phase2IntegrityAlgorithms (list) --
One or more integrity algorithms that are permitted for the VPN tunnel for phase 2 IKE negotiations.
Valid values: SHA1 | SHA2-256 | SHA2-384 | SHA2-512
(dict) --
Specifies the integrity algorithm for the VPN tunnel for phase 2 IKE negotiations.
Value (string) --
The integrity algorithm.
Phase1DHGroupNumbers (list) --
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 1 IKE negotiations.
Valid values: 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
(dict) --
Specifies a Diffie-Hellman group number for the VPN tunnel for phase 1 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
Phase2DHGroupNumbers (list) --
One or more Diffie-Hellman group numbers that are permitted for the VPN tunnel for phase 2 IKE negotiations.
Valid values: 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
(dict) --
Specifies a Diffie-Hellman group number for the VPN tunnel for phase 2 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
IKEVersions (list) --
The IKE versions that are permitted for the VPN tunnel.
Valid values: ikev1 | ikev2
(dict) --
The IKE version that is permitted for the VPN tunnel.
Value (string) --
The IKE version.
StartupAction (string) --
The action to take when establishing the tunnel for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for Amazon Web Services to initiate the IKE negotiation.
Valid Values: add | start
Default: add
LogOptions (dict) --
Options for logging VPN tunnel activity.
CloudWatchLogOptions (dict) --
Options for sending VPN tunnel logs to CloudWatch.
LogEnabled (boolean) --
Enable or disable VPN tunnel logging feature. Default value is False.
Valid values: True | False
LogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
LogOutputFormat (string) --
Set log format. Default format is json.
Valid values: json | text
BgpLogEnabled (boolean) --
Specifies whether to enable BGP logging for the VPN connection. Default value is False.
Valid values: True | False
BgpLogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group where BGP logs will be sent.
BgpLogOutputFormat (string) --
The desired output format for BGP logs to be sent to CloudWatch. Default format is json.
Valid values: json | text
EnableTunnelLifecycleControl (boolean) --
Turn on or off tunnel endpoint lifecycle control feature.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
SkipTunnelReplacement (boolean) --
Choose whether or not to trigger immediate tunnel replacement. This is only applicable when turning on or off EnableTunnelLifecycleControl.
Valid values: True | False
PreSharedKeyStorage (string) --
Specifies the storage mode for the pre-shared key (PSK). Valid values are Standard (stored in Site-to-Site VPN service) or SecretsManager (stored in Amazon Web Services Secrets Manager).
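The constraints listed for TunnelOptions above can be checked before a change request is submitted. The following is an added example, not part of the AWS documentation or SDK: `validate_tunnel_options`, its `current` parameter and the sample requests are constructed here, and it only encodes the limits stated on this page.

```python
import ipaddress
import re

# Limits transcribed from the TunnelOptions parameter descriptions above.
RESERVED_V4 = {"169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30",
               "169.254.3.0/30", "169.254.4.0/30", "169.254.5.0/30",
               "169.254.169.252/30"}
INSIDE_CIDR = {  # option -> (parent range, required prefix length)
    "TunnelInsideCidr": (ipaddress.ip_network("169.254.0.0/16"), 30),
    "TunnelInsideIpv6Cidr": (ipaddress.ip_network("fd00::/8"), 126),
}
INT_RANGES = {  # option -> (min, max); None means no fixed maximum is listed
    "Phase1LifetimeSeconds": (900, 28800), "Phase2LifetimeSeconds": (900, 3600),
    "RekeyMarginTimeSeconds": (60, None), "RekeyFuzzPercentage": (0, 100),
    "ReplayWindowSize": (64, 2048), "DPDTimeoutSeconds": (30, None),
}
ENCRYPTION = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
INTEGRITY = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
PHASE1_DH = {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24}
VALUE_LISTS = {
    "Phase1EncryptionAlgorithms": ENCRYPTION, "Phase2EncryptionAlgorithms": ENCRYPTION,
    "Phase1IntegrityAlgorithms": INTEGRITY, "Phase2IntegrityAlgorithms": INTEGRITY,
    "Phase1DHGroupNumbers": PHASE1_DH, "Phase2DHGroupNumbers": PHASE1_DH | {5},
    "IKEVersions": {"ikev1", "ikev2"},
}
ENUMS = {"DPDTimeoutAction": {"clear", "none", "restart"},
         "StartupAction": {"add", "start"}}
# Assumption: "alphanumeric" is read as ASCII letters and digits.
PSK_RE = re.compile(r"[A-Za-z0-9._]{8,64}")


def validate_tunnel_options(opts, current=None):
    """Return the documented constraints that `opts` violates ([] means none)."""
    errors = []
    for name, (parent, prefixlen) in INSIDE_CIDR.items():
        if name not in opts:
            continue
        try:
            net = ipaddress.ip_network(opts[name], strict=True)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
            continue
        if (net.version != parent.version or net.prefixlen != prefixlen
                or not net.subnet_of(parent)):
            errors.append(f"{name}: must be a /{prefixlen} block inside {parent}")
        elif str(net) in RESERVED_V4:
            errors.append(f"{name}: {net} is reserved")
    psk = opts.get("PreSharedKey")
    if psk is not None and (not PSK_RE.fullmatch(psk) or psk.startswith("0")):
        # Report the rule only; the key itself must never reach a log line.
        errors.append("PreSharedKey: need 8-64 chars of [A-Za-z0-9._], not starting with 0")
    for name, (low, high) in INT_RANGES.items():
        value = opts.get(name)
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int):
            errors.append(f"{name}: must be an integer")
        elif value < low or (high is not None and value > high):
            errors.append(f"{name}: {value} is outside the allowed range")
    # `current` (this example's own parameter): the tunnel's existing values,
    # used for cross-field checks on options the request leaves out.
    merged = {**(current or {}), **opts}
    p1, p2, margin = (merged.get(k) for k in (
        "Phase1LifetimeSeconds", "Phase2LifetimeSeconds", "RekeyMarginTimeSeconds"))
    if isinstance(p1, int) and isinstance(p2, int) and p2 >= p1:
        errors.append("Phase2LifetimeSeconds: must be less than Phase1LifetimeSeconds")
    if isinstance(p2, int) and isinstance(margin, int) and margin * 2 > p2:
        errors.append("RekeyMarginTimeSeconds: must not exceed half of Phase2LifetimeSeconds")
    for name, allowed in VALUE_LISTS.items():
        for item in opts.get(name, []):
            value = item.get("Value") if isinstance(item, dict) else item
            if value not in allowed:
                errors.append(f"{name}: {value!r} is not a valid value")
    for name, allowed in ENUMS.items():
        if name in opts and opts[name] not in allowed:
            errors.append(f"{name}: {opts[name]!r} is not a valid value")
    cloudwatch = opts.get("LogOptions", {}).get("CloudWatchLogOptions", {})
    for name in ("LogOutputFormat", "BgpLogOutputFormat"):
        if name in cloudwatch and cloudwatch[name] not in {"json", "text"}:
            errors.append(f"{name}: must be json or text")
    return errors


# Constructed sample requests (not taken from the page).
GOOD_REQUEST = {
    "TunnelInsideCidr": "169.254.10.0/30", "TunnelInsideIpv6Cidr": "fd00:1234::/126",
    "Phase1LifetimeSeconds": 14400, "Phase2LifetimeSeconds": 3600, "RekeyMarginTimeSeconds": 540,
    "Phase1DHGroupNumbers": [{"Value": 20}], "IKEVersions": [{"Value": "ikev2"}],
}
BAD_REQUEST = {
    "TunnelInsideCidr": "169.254.169.252/30", "PreSharedKey": "0short",
    "Phase1LifetimeSeconds": 3600, "Phase2LifetimeSeconds": 3600, "RekeyMarginTimeSeconds": 2000,
    "DPDTimeoutSeconds": 20, "Phase1DHGroupNumbers": [{"Value": 5}],
    "LogOptions": {"CloudWatchLogOptions": {"BgpLogOutputFormat": "xml"}},
}

if __name__ == "__main__":
    print("\n".join(validate_tunnel_options(BAD_REQUEST)))
```

Group 5 is rejected for Phase1DHGroupNumbers but accepted for Phase2DHGroupNumbers, matching the two valid-value lists above.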
dict
Response Syntax
{
'VpnConnection': {
'Category': 'string',
'TransitGatewayId': 'string',
'VpnConcentratorId': 'string',
'CoreNetworkArn': 'string',
'CoreNetworkAttachmentArn': 'string',
'GatewayAssociationState': 'associated'|'not-associated'|'associating'|'disassociating',
'Options': {
'EnableAcceleration': True|False,
'StaticRoutesOnly': True|False,
'LocalIpv4NetworkCidr': 'string',
'RemoteIpv4NetworkCidr': 'string',
'LocalIpv6NetworkCidr': 'string',
'RemoteIpv6NetworkCidr': 'string',
'OutsideIpAddressType': 'string',
'TransportTransitGatewayAttachmentId': 'string',
'TunnelInsideIpVersion': 'ipv4'|'ipv6',
'TunnelOptions': [
{
'OutsideIpAddress': 'string',
'TunnelInsideCidr': 'string',
'TunnelInsideIpv6Cidr': 'string',
'PreSharedKey': 'string',
'Phase1LifetimeSeconds': 123,
'Phase2LifetimeSeconds': 123,
'RekeyMarginTimeSeconds': 123,
'RekeyFuzzPercentage': 123,
'ReplayWindowSize': 123,
'DpdTimeoutSeconds': 123,
'DpdTimeoutAction': 'string',
'Phase1EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase2EncryptionAlgorithms': [
{
'Value': 'string'
},
],
'Phase1IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase2IntegrityAlgorithms': [
{
'Value': 'string'
},
],
'Phase1DHGroupNumbers': [
{
'Value': 123
},
],
'Phase2DHGroupNumbers': [
{
'Value': 123
},
],
'IkeVersions': [
{
'Value': 'string'
},
],
'StartupAction': 'string',
'LogOptions': {
'CloudWatchLogOptions': {
'LogEnabled': True|False,
'LogGroupArn': 'string',
'LogOutputFormat': 'string',
'BgpLogEnabled': True|False,
'BgpLogGroupArn': 'string',
'BgpLogOutputFormat': 'string'
}
},
'EnableTunnelLifecycleControl': True|False
},
],
'TunnelBandwidth': 'standard'|'large'
},
'Routes': [
{
'DestinationCidrBlock': 'string',
'Source': 'Static',
'State': 'pending'|'available'|'deleting'|'deleted'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'VgwTelemetry': [
{
'AcceptedRouteCount': 123,
'LastStatusChange': datetime(2015, 1, 1),
'OutsideIpAddress': 'string',
'Status': 'UP'|'DOWN',
'StatusMessage': 'string',
'CertificateArn': 'string'
},
],
'PreSharedKeyArn': 'string',
'VpnConnectionId': 'string',
'State': 'pending'|'available'|'deleting'|'deleted',
'CustomerGatewayConfiguration': 'string',
'Type': 'ipsec.1',
'CustomerGatewayId': 'string',
'VpnGatewayId': 'string'
}
}
Response Structure
(dict) --
VpnConnection (dict) --
Information about the VPN connection.
Category (string) --
The category of the VPN connection. A value of VPN indicates an Amazon Web Services VPN connection. A value of VPN-Classic indicates an Amazon Web Services Classic VPN connection.
TransitGatewayId (string) --
The ID of the transit gateway associated with the VPN connection.
VpnConcentratorId (string) --
The ID of the VPN concentrator associated with the VPN connection.
CoreNetworkArn (string) --
The ARN of the core network.
CoreNetworkAttachmentArn (string) --
The ARN of the core network attachment.
GatewayAssociationState (string) --
The current state of the gateway association.
Options (dict) --
The VPN connection options.
EnableAcceleration (boolean) --
Indicates whether acceleration is enabled for the VPN connection.
StaticRoutesOnly (boolean) --
Indicates whether the VPN connection uses static routes only. Static routes must be used for devices that don't support BGP.
LocalIpv4NetworkCidr (string) --
The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv4NetworkCidr (string) --
The IPv4 CIDR on the Amazon Web Services side of the VPN connection.
LocalIpv6NetworkCidr (string) --
The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
RemoteIpv6NetworkCidr (string) --
The IPv6 CIDR on the Amazon Web Services side of the VPN connection.
OutsideIpAddressType (string) --
The type of IPv4 address assigned to the outside interface of the customer gateway.
Valid values: PrivateIpv4 | PublicIpv4 | Ipv6
Default: PublicIpv4
TransportTransitGatewayAttachmentId (string) --
The transit gateway attachment ID in use for the VPN tunnel.
TunnelInsideIpVersion (string) --
Indicates whether the VPN tunnels process IPv4 or IPv6 traffic.
TunnelOptions (list) --
Indicates the VPN tunnel options.
(dict) --
The VPN tunnel options.
OutsideIpAddress (string) --
The external IP address of the VPN tunnel.
TunnelInsideCidr (string) --
The range of inside IPv4 addresses for the tunnel.
TunnelInsideIpv6Cidr (string) --
The range of inside IPv6 addresses for the tunnel.
PreSharedKey (string) --
The pre-shared key (PSK) to establish initial authentication between the virtual private gateway and the customer gateway.
Phase1LifetimeSeconds (integer) --
The lifetime for phase 1 of the IKE negotiation, in seconds.
Phase2LifetimeSeconds (integer) --
The lifetime for phase 2 of the IKE negotiation, in seconds.
RekeyMarginTimeSeconds (integer) --
The margin time, in seconds, before the phase 2 lifetime expires, during which the Amazon Web Services side of the VPN connection performs an IKE rekey.
RekeyFuzzPercentage (integer) --
The percentage of the rekey window determined by RekeyMarginTimeSeconds during which the rekey time is randomly selected.
ReplayWindowSize (integer) --
The number of packets in an IKE replay window.
DpdTimeoutSeconds (integer) --
The number of seconds after which a DPD timeout occurs.
DpdTimeoutAction (string) --
The action to take after a DPD timeout occurs.
Phase1EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The encryption algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the encryption algorithm.
Phase2EncryptionAlgorithms (list) --
The permitted encryption algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The encryption algorithm for phase 2 IKE negotiations.
Value (string) --
The encryption algorithm.
Phase1IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The integrity algorithm for phase 1 IKE negotiations.
Value (string) --
The value for the integrity algorithm.
Phase2IntegrityAlgorithms (list) --
The permitted integrity algorithms for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The integrity algorithm for phase 2 IKE negotiations.
Value (string) --
The integrity algorithm.
Phase1DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 1 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 1 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
Phase2DHGroupNumbers (list) --
The permitted Diffie-Hellman group numbers for the VPN tunnel for phase 2 IKE negotiations.
(dict) --
The Diffie-Hellman group number for phase 2 IKE negotiations.
Value (integer) --
The Diffie-Hellman group number.
IkeVersions (list) --
The IKE versions that are permitted for the VPN tunnel.
(dict) --
The internet key exchange (IKE) version permitted for the VPN tunnel.
Value (string) --
The IKE version.
StartupAction (string) --
The action to take when establishing the VPN tunnels for a VPN connection.
LogOptions (dict) --
Options for logging VPN tunnel activity.
CloudWatchLogOptions (dict) --
Options for sending VPN tunnel logs to CloudWatch.
LogEnabled (boolean) --
Status of VPN tunnel logging feature. Default value is False.
Valid values: True | False
LogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
LogOutputFormat (string) --
Configured log format. Default format is json.
Valid values: json | text
BgpLogEnabled (boolean) --
Indicates whether Border Gateway Protocol (BGP) logging is enabled for the VPN connection. Default value is False.
Valid values: True | False
BgpLogGroupArn (string) --
The Amazon Resource Name (ARN) of the CloudWatch log group for BGP logs.
BgpLogOutputFormat (string) --
The output format for BGP logs sent to CloudWatch. Default format is json.
Valid values: json | text
EnableTunnelLifecycleControl (boolean) --
Status of tunnel endpoint lifecycle control feature.
TunnelBandwidth (string) --
The configured bandwidth for the VPN tunnel. Represents the current throughput capacity setting for the tunnel connection. standard tunnel bandwidth supports up to 1.25 Gbps per tunnel while large supports up to 5 Gbps per tunnel. If no tunnel bandwidth was specified for the connection, standard is used as the default value.
Routes (list) --
The static routes associated with the VPN connection.
(dict) --
Describes a static route for a VPN connection.
DestinationCidrBlock (string) --
The CIDR block associated with the local subnet of the customer data center.
Source (string) --
Indicates how the routes were provided.
State (string) --
The current state of the static route.
Tags (list) --
Any tags assigned to the VPN connection.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
VgwTelemetry (list) --
Information about the VPN tunnel.
(dict) --
Describes telemetry for a VPN tunnel.
AcceptedRouteCount (integer) --
The number of accepted routes.
LastStatusChange (datetime) --
The date and time of the last change in status. This field is updated when changes in IKE (Phase 1), IPSec (Phase 2), or BGP status are detected.
OutsideIpAddress (string) --
The Internet-routable IP address of the virtual private gateway's outside interface.
Status (string) --
The status of the VPN tunnel.
StatusMessage (string) --
If an error occurs, a description of the error.
CertificateArn (string) --
The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.
PreSharedKeyArn (string) --
The Amazon Resource Name (ARN) of the Secrets Manager secret storing the pre-shared key(s) for the VPN connection.
VpnConnectionId (string) --
The ID of the VPN connection.
State (string) --
The current state of the VPN connection.
CustomerGatewayConfiguration (string) --
The configuration information for the VPN connection's customer gateway (in the native XML format). This element is always present in the CreateVpnConnection response; however, it's present in the DescribeVpnConnections response only if the VPN connection is in the pending or available state.
Type (string) --
The type of VPN connection.
CustomerGatewayId (string) --
The ID of the customer gateway at your end of the VPN connection.
VpnGatewayId (string) --
The ID of the virtual private gateway at the Amazon Web Services side of the VPN connection.
{'ByoipCidr': {'AdvertisementType': 'string',
'State': {'pending-withdrawal', 'pending-advertising'}}}
Move a BYOIPv4 CIDR to IPAM from a public IPv4 pool.
If you already have a BYOIPv4 CIDR with Amazon Web Services, you can move the CIDR to IPAM from a public IPv4 pool. You cannot move an IPv6 CIDR to IPAM. If you are bringing a new IP address to Amazon Web Services for the first time, complete the steps in Tutorial: BYOIP address CIDRs to IPAM.
See also: AWS API Documentation
Request Syntax
client.move_byoip_cidr_to_ipam(
DryRun=True|False,
Cidr='string',
IpamPoolId='string',
IpamPoolOwner='string'
)
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Cidr (string) -- [REQUIRED]
The BYOIP CIDR.
IpamPoolId (string) -- [REQUIRED]
The IPAM pool ID.
IpamPoolOwner (string) -- [REQUIRED]
The Amazon Web Services account ID of the owner of the IPAM pool.
Return type: dict
Response Syntax
{
'ByoipCidr': {
'Cidr': 'string',
'Description': 'string',
'AsnAssociations': [
{
'Asn': 'string',
'Cidr': 'string',
'StatusMessage': 'string',
'State': 'disassociated'|'failed-disassociation'|'failed-association'|'pending-disassociation'|'pending-association'|'associated'
},
],
'StatusMessage': 'string',
'State': 'advertised'|'deprovisioned'|'failed-deprovision'|'failed-provision'|'pending-advertising'|'pending-deprovision'|'pending-provision'|'pending-withdrawal'|'provisioned'|'provisioned-not-publicly-advertisable',
'NetworkBorderGroup': 'string',
'AdvertisementType': 'string'
}
}
Response Structure
(dict) --
ByoipCidr (dict) --
The BYOIP CIDR.
Cidr (string) --
The address range, in CIDR notation.
Description (string) --
The description of the address range.
AsnAssociations (list) --
The BYOIP CIDR associations with ASNs.
(dict) --
An Autonomous System Number (ASN) and BYOIP CIDR association.
Asn (string) --
The association's ASN.
Cidr (string) --
The association's CIDR.
StatusMessage (string) --
The association's status message.
State (string) --
The association's state.
StatusMessage (string) --
Upon success, contains the ID of the address pool. Otherwise, contains an error message.
State (string) --
The state of the address range.
advertised: The address range is being advertised to the internet by Amazon Web Services.
deprovisioned: The address range is deprovisioned.
failed-deprovision: The request to deprovision the address range was unsuccessful. Ensure that all EIPs from the range have been deallocated and try again.
failed-provision: The request to provision the address range was unsuccessful.
pending-deprovision: You’ve submitted a request to deprovision an address range and it's pending.
pending-provision: You’ve submitted a request to provision an address range and it's pending.
provisioned: The address range is provisioned and can be advertised. The range is not currently advertised.
provisioned-not-publicly-advertisable: The address range is provisioned and cannot be advertised.
NetworkBorderGroup (string) --
If you have Local Zones enabled, you can choose a network border group for Local Zones when you provision and advertise a BYOIPv4 CIDR. Choose the network border group carefully as the EIP and the Amazon Web Services resource it is associated with must reside in the same network border group.
You can provision BYOIP address ranges to and advertise them in the following Local Zone network border groups:
us-east-1-dfw-2
us-west-2-lax-1
us-west-2-phx-2
AdvertisementType (string) --
Specifies the advertisement method for the BYOIP CIDR. Valid values are:
unicast: IP is advertised from a single location (regional services like EC2)
anycast: IP is advertised from multiple global locations simultaneously (global services like CloudFront)
For more information, see Bring your own IP to CloudFront using IPAM in the Amazon VPC IPAM User Guide.
{'PoolTagSpecifications': {'ResourceType': {'transit-gateway-metering-policy',
'vpc-encryption-control'}}}
Response {'ByoipCidr': {'AdvertisementType': 'string',
'State': {'pending-withdrawal', 'pending-advertising'}}}
Provisions an IPv4 or IPv6 address range for use with your Amazon Web Services resources through bring your own IP addresses (BYOIP) and creates a corresponding address pool. After the address range is provisioned, it is ready to be advertised.
Amazon Web Services verifies that you own the address range and are authorized to advertise it. You must ensure that the address range is registered to you and that you created an RPKI ROA to authorize Amazon ASNs 16509 and 14618 to advertise the address range. For more information, see Bring your own IP addresses (BYOIP) in the Amazon EC2 User Guide.
Provisioning an address range is an asynchronous operation, so the call returns immediately, but the address range is not ready to use until its status changes from pending-provision to provisioned. For more information, see Onboard your address range.
See also: AWS API Documentation
Request Syntax
client.provision_byoip_cidr(
Cidr='string',
CidrAuthorizationContext={
'Message': 'string',
'Signature': 'string'
},
PubliclyAdvertisable=True|False,
Description='string',
DryRun=True|False,
PoolTagSpecifications=[
{
'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'image-usage-report'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'outpost-lag'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'service-link-virtual-interface'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-metering-policy'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'vpc-encryption-control'|'route-server'|'route-server-endpoint'|'route-server-peer'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token'|'capacity-block'|'mac-modification-task'|'ipam-prefix-list-resolver'|'ipam-policy'|'ipam-prefix-list-resolver-target'|'capacity-manager-data-export'|'vpn-concentrator',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
],
MultiRegion=True|False,
NetworkBorderGroup='string'
)
Cidr (string) -- [REQUIRED]
The public IPv4 or IPv6 address range, in CIDR notation. The most specific IPv4 prefix that you can specify is /24. The most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /56 for CIDRs that are not publicly advertisable. The address range cannot overlap with another address range that you've brought to this or another Region.
CidrAuthorizationContext (dict) --
A signed document that proves that you are authorized to bring the specified IP address range to Amazon using BYOIP.
Message (string) -- [REQUIRED]
The plain-text authorization message for the prefix and account.
Signature (string) -- [REQUIRED]
The signed authorization message for the prefix and account.
PubliclyAdvertisable (boolean) --
(IPv6 only) Indicate whether the address range will be publicly advertised to the internet.
Default: true
Description (string) --
A description for the address range and the address pool.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
PoolTagSpecifications (list) --
The tags to apply to the address pool.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
MultiRegion (boolean) --
Reserved.
NetworkBorderGroup (string) --
If you have Local Zones enabled, you can choose a network border group for Local Zones when you provision and advertise a BYOIPv4 CIDR. Choose the network border group carefully as the EIP and the Amazon Web Services resource it is associated with must reside in the same network border group.
You can provision BYOIP address ranges to and advertise them in the following Local Zone network border groups:
us-east-1-dfw-2
us-west-2-lax-1
us-west-2-phx-2
Return type: dict
Response Syntax
{
'ByoipCidr': {
'Cidr': 'string',
'Description': 'string',
'AsnAssociations': [
{
'Asn': 'string',
'Cidr': 'string',
'StatusMessage': 'string',
'State': 'disassociated'|'failed-disassociation'|'failed-association'|'pending-disassociation'|'pending-association'|'associated'
},
],
'StatusMessage': 'string',
'State': 'advertised'|'deprovisioned'|'failed-deprovision'|'failed-provision'|'pending-advertising'|'pending-deprovision'|'pending-provision'|'pending-withdrawal'|'provisioned'|'provisioned-not-publicly-advertisable',
'NetworkBorderGroup': 'string',
'AdvertisementType': 'string'
}
}
Response Structure
(dict) --
ByoipCidr (dict) --
Information about the address range.
Cidr (string) --
The address range, in CIDR notation.
Description (string) --
The description of the address range.
AsnAssociations (list) --
The BYOIP CIDR associations with ASNs.
(dict) --
An Autonomous System Number (ASN) and BYOIP CIDR association.
Asn (string) --
The association's ASN.
Cidr (string) --
The association's CIDR.
StatusMessage (string) --
The association's status message.
State (string) --
The association's state.
StatusMessage (string) --
Upon success, contains the ID of the address pool. Otherwise, contains an error message.
State (string) --
The state of the address range.
advertised: The address range is being advertised to the internet by Amazon Web Services.
deprovisioned: The address range is deprovisioned.
failed-deprovision: The request to deprovision the address range was unsuccessful. Ensure that all EIPs from the range have been deallocated and try again.
failed-provision: The request to provision the address range was unsuccessful.
pending-deprovision: You’ve submitted a request to deprovision an address range and it's pending.
pending-provision: You’ve submitted a request to provision an address range and it's pending.
provisioned: The address range is provisioned and can be advertised. The range is not currently advertised.
provisioned-not-publicly-advertisable: The address range is provisioned and cannot be advertised.
NetworkBorderGroup (string) --
If you have Local Zones enabled, you can choose a network border group for Local Zones when you provision and advertise a BYOIPv4 CIDR. Choose the network border group carefully as the EIP and the Amazon Web Services resource it is associated with must reside in the same network border group.
You can provision BYOIP address ranges to and advertise them in the following Local Zone network border groups:
us-east-1-dfw-2
us-west-2-lax-1
us-west-2-phx-2
AdvertisementType (string) --
Specifies the advertisement method for the BYOIP CIDR. Valid values are:
unicast: IP is advertised from a single location (regional services like EC2)
anycast: IP is advertised from multiple global locations simultaneously (global services like CloudFront)
For more information, see Bring your own IP to CloudFront using IPAM in the Amazon VPC IPAM User Guide.
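The prefix limits on Cidr and the asynchronous pending-provision to provisioned transition described above for provision_byoip_cidr, as an added example that is not part of the AWS documentation. It assumes a boto3 EC2 client and its describe_byoip_cidrs call (not shown in this section); the helper names, FakeEc2 and the documentation-range CIDRs are constructed for illustration.

```python
import ipaddress
import time

READY = {"provisioned", "provisioned-not-publicly-advertisable"}


def check_byoip_prefix(cidr, publicly_advertisable=True):
    """Apply the prefix limits documented for the Cidr parameter."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects set host bits
    if net.version == 4:
        limit = 24
    else:
        limit = 48 if publicly_advertisable else 56
    if net.prefixlen > limit:
        raise ValueError(f"{cidr}: most specific allowed prefix is /{limit}")
    return net


def find_byoip_cidr(ec2, cidr):
    """Page through DescribeByoipCidrs; return the entry for cidr or None."""
    kwargs = {"MaxResults": 100}
    while True:
        page = ec2.describe_byoip_cidrs(**kwargs)
        for entry in page.get("ByoipCidrs", []):
            if entry["Cidr"] == cidr:
                return entry
        if not page.get("NextToken"):
            return None
        kwargs["NextToken"] = page["NextToken"]


def wait_until_provisioned(ec2, cidr, timeout=3600, interval=30, sleep=time.sleep):
    """Poll until the range leaves pending-provision; fail on anything else."""
    deadline = time.monotonic() + timeout
    while True:
        entry = find_byoip_cidr(ec2, cidr)
        state = entry["State"] if entry else None
        if state in READY:
            return entry
        if state != "pending-provision":
            detail = entry.get("StatusMessage", "") if entry else "range not listed"
            raise RuntimeError(f"{cidr}: state {state!r}: {detail}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{cidr} still pending-provision after {timeout}s")
        sleep(interval)


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client; replays a list of states."""

    def __init__(self, states, cidr="203.0.113.0/24"):
        self.states, self.cidr, self.calls = list(states), cidr, 0

    def describe_byoip_cidrs(self, **kwargs):
        state = self.states[min(self.calls, len(self.states) - 1)]
        self.calls += 1
        return {"ByoipCidrs": [{"Cidr": self.cidr, "State": state}]}


if __name__ == "__main__":
    check_byoip_prefix("203.0.113.0/24")
    fake = FakeEc2(["pending-provision", "pending-provision", "provisioned"])
    print(wait_until_provisioned(fake, "203.0.113.0/24", sleep=lambda s: None))
```

Treating every state other than pending-provision and the two provisioned states as a failure surfaces failed-provision, and a range that never appears in the listing, instead of polling until the timeout.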
{'SpotFleetRequestConfig': {'LaunchSpecifications': {'TagSpecifications': {'ResourceType': {'transit-gateway-metering-policy',
'vpc-encryption-control'}}},
'TagSpecifications': {'ResourceType': {'transit-gateway-metering-policy',
'vpc-encryption-control'}}}}
{'ByoipCidr': {'AdvertisementType': 'string',
'State': {'pending-withdrawal', 'pending-advertising'}}}
Stops advertising an address range that is provisioned as an address pool.
You can perform this operation at most once every 10 seconds, even if you specify different address ranges each time.
It can take a few minutes before traffic to the specified addresses stops routing to Amazon Web Services because of BGP propagation delays.
See also: AWS API Documentation
Request Syntax
client.withdraw_byoip_cidr(
Cidr='string',
DryRun=True|False
)
Cidr (string) -- [REQUIRED]
The address range, in CIDR notation.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{
'ByoipCidr': {
'Cidr': 'string',
'Description': 'string',
'AsnAssociations': [
{
'Asn': 'string',
'Cidr': 'string',
'StatusMessage': 'string',
'State': 'disassociated'|'failed-disassociation'|'failed-association'|'pending-disassociation'|'pending-association'|'associated'
},
],
'StatusMessage': 'string',
'State': 'advertised'|'deprovisioned'|'failed-deprovision'|'failed-provision'|'pending-advertising'|'pending-deprovision'|'pending-provision'|'pending-withdrawal'|'provisioned'|'provisioned-not-publicly-advertisable',
'NetworkBorderGroup': 'string',
'AdvertisementType': 'string'
}
}
Response Structure
(dict) --
ByoipCidr (dict) --
Information about the address pool.
Cidr (string) --
The address range, in CIDR notation.
Description (string) --
The description of the address range.
AsnAssociations (list) --
The BYOIP CIDR associations with ASNs.
(dict) --
An Autonomous System Number (ASN) and BYOIP CIDR association.
Asn (string) --
The association's ASN.
Cidr (string) --
The association's CIDR.
StatusMessage (string) --
The association's status message.
State (string) --
The association's state.
StatusMessage (string) --
Upon success, contains the ID of the address pool. Otherwise, contains an error message.
State (string) --
The state of the address range.
advertised: The address range is being advertised to the internet by Amazon Web Services.
deprovisioned: The address range is deprovisioned.
failed-deprovision: The request to deprovision the address range was unsuccessful. Ensure that all EIPs from the range have been deallocated and try again.
failed-provision: The request to provision the address range was unsuccessful.
pending-deprovision: You’ve submitted a request to deprovision an address range and it's pending.
pending-provision: You’ve submitted a request to provision an address range and it's pending.
provisioned: The address range is provisioned and can be advertised. The range is not currently advertised.
provisioned-not-publicly-advertisable: The address range is provisioned and cannot be advertised.
NetworkBorderGroup (string) --
If you have Local Zones enabled, you can choose a network border group for Local Zones when you provision and advertise a BYOIPv4 CIDR. Choose the network border group carefully as the EIP and the Amazon Web Services resource it is associated with must reside in the same network border group.
You can provision BYOIP address ranges to and advertise them in the following Local Zone network border groups:
us-east-1-dfw-2
us-west-2-lax-1
us-west-2-phx-2
AdvertisementType (string) --
Specifies the advertisement method for the BYOIP CIDR. Valid values are:
unicast: IP is advertised from a single location (regional services like EC2)
anycast: IP is advertised from multiple global locations simultaneously (global services like CloudFront)
For more information, see Bring your own IP to CloudFront using IPAM in the Amazon VPC IPAM User Guide.