The configuration file schema documentation is a work in progress. Please use this draft document with caution. The deeper you browse into the hierarchy, the less accurate the definitions are likely to be.

Either: a) defines and creates the VPC(s) that will be shared with every account in an OU, or b) defines and creates the VPC(s) in every account in an OU, or c) defines and creates VPC(s) inside a single account. VPCs should generally be defined at the OU level (either centrally created and shared, or templated and deployed locally in each account) rather than at the account level.

  • VPCConfig1

Optional alb-forwarding

alb-forwarding: boolean
Title: ALB IP Forwarding
Description: Enable ALB to ALB forwarding with IPv4 lookup

Optional central-endpoint

central-endpoint: boolean
Title: Central Endpoint
Description: Use central endpoints for this VPC

Optional cidr

Title: VPC CIDR Range
Description: CIDR range for the VPC.

Optional cidr-src

cidr-src: "provided" | "lookup" | "dynamic"
Title: CIDR Source
Description: One of: Provided, Lookup, Dynamic. Provided retrieves CIDR range from the config file, Lookup queries a DynamoDB table for the CIDR block, Dynamic automatically assigns a new CIDR block from the designated pool.

Optional dedicated-tenancy

dedicated-tenancy: boolean
Title: Dedicated Tenancy
Description: Enables the creation of Dedicated Tenancy VPCs


deploy: string
Title: Deploy
Description: "local" if being configured inside an account or "shared-network" if being configured inside an OU.

Optional description

description: string
Title: Description
Description: Description field used by the future GUI; lets customers state the purpose of this VPC.

Optional dns-resolver-logging

dns-resolver-logging: boolean
Title: DNS Resolver Logging
Description: Enables DNS resolver logging for this VPC (logs all DNS queries made by resources within the VPC).

Optional flow-logs

Title: Flow Logs
Description: Enables VPC flow logging on the VPC. Values: Accept, Reject, or BOTH.

Optional gateway-endpoints

gateway-endpoints: GatewayEndpoints[]
Title: Gateway Endpoints
Description: Create gateway endpoints.

Optional igw

igw: boolean
Title: Internet Gateway
Description: Create an Internet Gateway.

Optional interface-endpoints

interface-endpoints: InterfaceEndpointConfig1
Title: Interface Endpoints
Description: Deploy interface endpoints. The reference architecture prescribes centralized endpoints in the shared network account that are then shared through the TGW. You can start with an initial set of endpoints or provide the complete list so that none need to be added later. There is a cost per interface endpoint.

Optional log-retention

log-retention: number
Title: Deprecated
Description: Deprecated.


name: string
Title: VPC Name
Description: The name of the VPC that will be deployed inside the account.

Optional natgw

Title: NAT Gateway
Description: Create a NAT gateway.

Optional nfw

Title: AWS Network Firewall
Description: Create the AWS Network Firewall (NFW).

Optional on-premise-rules

on-premise-rules: OnPremisesZoneConfig1[]
Title: On Premises Rules
Description: On-premises DNS zone configuration.

Optional opt-in

opt-in: boolean
Title: Opt-In VPC
Description: Allows a VPC to be defined in an OU but created in an account only after that account has opted in.

Optional pcx

Title: Peering Connection
Description: Create a peering connection.


region: Region
Title: Region
Description: Region for the VPC.

Optional resolvers

Title: Resolvers
Description: Create a Route 53 resolver in this account. You can integrate DNS resolution between the resolver in the VPC and this resolver.

Optional route-tables

route-tables: RouteTableConfig1[]
Title: Route Tables
Description: Route tables for the VPC.

Optional security-groups

security-groups: SecurityGroupConfig3[]
Title: Security Groups
Description: Security groups for the VPC.

Optional subnets

subnets: SubnetConfigs1[]
Title: Subnets
Description: Subnet definitions for the VPC.

Optional tgw-attach

Title: TGW Attachment
Description: Attach this VPC to a transit gateway.

Optional use-central-endpoints

use-central-endpoints: boolean
Title: Use Central Endpoints
Description: Use VPC endpoints defined by the VPC with the central-endpoint value set to true. Associates the designated endpoint Route53 Zone with this VPC.

Optional vgw

Title: Virtual Gateway
Description: Create a Virtual Gateway.

Optional zones

Title: Zones
Description: Create Route 53 hosted zones.
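As an added example, not part of the schema documentation or the project's own tooling: a small pre-deployment check that walks VPC definitions using the field names and allowed values listed above (deploy, cidr-src, flow-logs, central-endpoint/use-central-endpoints, dns-resolver-logging) and reports schema violations plus logging settings a reviewer would expect to be on. The sample config, the "ou"/"account" scope labels, and the region value are constructed for the example.

```python
CIDR_SRC = {"provided", "lookup", "dynamic"}   # allowed values of the cidr-src field above
DEPLOY = {"local", "shared-network"}             # allowed values of the deploy field
FLOW_LOGS = {"Accept", "Reject", "BOTH"}         # allowed values of the flow-logs field

def validate_vpc(vpc: dict, scope: str) -> list:
    """Findings for one VPC block; scope is "ou" or "account". error: breaks the schema, warn: logging is off."""
    findings = []
    for key in ("name", "deploy", "region"):  # the only fields not marked Optional
        if key not in vpc:
            findings.append(f"error: missing required field '{key}'")
    deploy = vpc.get("deploy")
    if deploy is not None and deploy not in DEPLOY:
        findings.append(f"error: deploy must be one of {sorted(DEPLOY)}")
    elif scope == "account" and deploy == "shared-network":
        findings.append("error: deploy must be 'local' for a VPC defined inside an account")
    src = vpc.get("cidr-src")
    if src is not None and src not in CIDR_SRC:
        findings.append(f"error: cidr-src must be one of {sorted(CIDR_SRC)}")
    elif src == "provided" and "cidr" not in vpc:
        findings.append("error: cidr-src 'provided' needs a 'cidr' value in the config file")
    flow = vpc.get("flow-logs")
    if flow not in FLOW_LOGS:  # missing or invalid: either way no usable flow logs
        findings.append(f"warn: flow-logs is {flow!r}; expected one of {sorted(FLOW_LOGS)}")
    elif flow != "BOTH":
        findings.append(f"warn: flow-logs is {flow}; the other traffic class goes unlogged")
    if not vpc.get("dns-resolver-logging", False):
        findings.append("warn: dns-resolver-logging is off; DNS queries in this VPC are not logged")
    return findings

def validate_vpcs(vpcs_by_scope: dict) -> dict:
    """Validate every VPC and the cross-VPC use-central-endpoints dependency."""
    has_central = any(v.get("central-endpoint") for g in vpcs_by_scope.values() for v in g)
    report = {}
    for scope, vpcs in vpcs_by_scope.items():
        for vpc in vpcs:
            findings = validate_vpc(vpc, scope)
            if vpc.get("use-central-endpoints") and not has_central:
                findings.append("error: use-central-endpoints set but no VPC has central-endpoint true")
            report[vpc.get("name", "<unnamed>")] = findings
    return report

# Constructed sample: a shared endpoint VPC at OU level and a workload VPC defined in an account.
SAMPLE = {
    "ou": [{"name": "Endpoint", "deploy": "shared-network", "region": "ca-central-1", "cidr-src": "provided",
            "cidr": "10.1.0.0/16", "central-endpoint": True, "flow-logs": "BOTH", "dns-resolver-logging": True}],
    "account": [{"name": "Dev", "deploy": "shared-network", "region": "ca-central-1", "cidr-src": "provided",
                 "flow-logs": "Accept", "use-central-endpoints": True}],
}
```

Running `validate_vpcs(SAMPLE)` reports the Endpoint VPC as clean and flags the Dev VPC for a wrong deploy value, a missing cidr, partial flow logs and disabled resolver logging.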