feat(client-ec2): This release adds support for Security group referencing over Transit gateways, enabling you to simplify Security group management and control of instance-to-instance traffic across VPCs that are connected by Transit gateway.

Author: awstools

clients/client-ec2/src/commands/AcceptTransitGatewayVpcAttachmentCommand.ts

@@ -71,6 +71,7 @@ export interface AcceptTransitGatewayVpcAttachmentCommandOutput
  * //     CreationTime: new Date("TIMESTAMP"),
  * //     Options: { // TransitGatewayVpcAttachmentOptions
  * //       DnsSupport: "enable" || "disable",
+ * //       SecurityGroupReferencingSupport: "enable" || "disable",
  * //       Ipv6Support: "enable" || "disable",
  * //       ApplianceModeSupport: "enable" || "disable",
  * //     },

clients/client-ec2/src/commands/AuthorizeSecurityGroupEgressCommand.ts

@@ -50,6 +50,12 @@ export interface AuthorizeSecurityGroupEgressCommandOutput
  *        You can use -1 for the type or code to mean all types or all codes.</p>
  *          <p>Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.</p>
  *          <p>For information about VPC security group quotas, see <a href="https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html">Amazon VPC quotas</a>.</p>
+ *          <note>
+ *             <p>If you want to reference a security group across VPCs attached to a transit gateway using the
+ *                     <a href="https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#create-tgw">security group
+ *                     referencing feature</a>, note that you can only reference security groups
+ *                 for ingress rules. You cannot reference a security group for egress rules.</p>
+ *          </note>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

clients/client-ec2/src/commands/CreateCarrierGatewayCommand.ts

@@ -15,8 +15,7 @@ import {
 } from "@smithy/types";
 
 import { EC2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../EC2Client";
-import { CreateCarrierGatewayRequest } from "../models/models_0";
-import { CreateCarrierGatewayResult } from "../models/models_1";
+import { CreateCarrierGatewayRequest, CreateCarrierGatewayResult } from "../models/models_1";
 import { de_CreateCarrierGatewayCommand, se_CreateCarrierGatewayCommand } from "../protocols/Aws_ec2";
 
 /**

clients/client-ec2/src/commands/CreateTransitGatewayCommand.ts

@@ -65,6 +65,7 @@ export interface CreateTransitGatewayCommandOutput extends CreateTransitGatewayR
  *     DefaultRouteTablePropagation: "enable" || "disable",
  *     VpnEcmpSupport: "enable" || "disable",
  *     DnsSupport: "enable" || "disable",
+ *     SecurityGroupReferencingSupport: "enable" || "disable",
  *     MulticastSupport: "enable" || "disable",
  *     TransitGatewayCidrBlocks: [ // TransitGatewayCidrBlockStringList
  *       "STRING_VALUE",
@@ -105,6 +106,7 @@ export interface CreateTransitGatewayCommandOutput extends CreateTransitGatewayR
  * //       PropagationDefaultRouteTableId: "STRING_VALUE",
  * //       VpnEcmpSupport: "enable" || "disable",
  * //       DnsSupport: "enable" || "disable",
+ * //       SecurityGroupReferencingSupport: "enable" || "disable",
  * //       MulticastSupport: "enable" || "disable",
  * //     },
  * //     Tags: [ // TagList

clients/client-ec2/src/commands/CreateTransitGatewayVpcAttachmentCommand.ts

@@ -60,6 +60,7 @@ export interface CreateTransitGatewayVpcAttachmentCommandOutput
  *   ],
  *   Options: { // CreateTransitGatewayVpcAttachmentRequestOptions
  *     DnsSupport: "enable" || "disable",
+ *     SecurityGroupReferencingSupport: "enable" || "disable",
  *     Ipv6Support: "enable" || "disable",
  *     ApplianceModeSupport: "enable" || "disable",
  *   },
@@ -91,6 +92,7 @@ export interface CreateTransitGatewayVpcAttachmentCommandOutput
  * //     CreationTime: new Date("TIMESTAMP"),
  * //     Options: { // TransitGatewayVpcAttachmentOptions
  * //       DnsSupport: "enable" || "disable",
+ * //       SecurityGroupReferencingSupport: "enable" || "disable",
  * //       Ipv6Support: "enable" || "disable",
  * //       ApplianceModeSupport: "enable" || "disable",
  * //     },

clients/client-ec2/src/commands/DeleteNatGatewayCommand.ts

@@ -15,8 +15,7 @@ import {
 } from "@smithy/types";
 
 import { EC2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../EC2Client";
-import { DeleteNatGatewayRequest } from "../models/models_2";
-import { DeleteNatGatewayResult } from "../models/models_3";
+import { DeleteNatGatewayRequest, DeleteNatGatewayResult } from "../models/models_3";
 import { de_DeleteNatGatewayCommand, se_DeleteNatGatewayCommand } from "../protocols/Aws_ec2";
 
 /**

clients/client-ec2/src/commands/DeleteTransitGatewayCommand.ts

@@ -70,6 +70,7 @@ export interface DeleteTransitGatewayCommandOutput extends DeleteTransitGatewayR
  * //       PropagationDefaultRouteTableId: "STRING_VALUE",
  * //       VpnEcmpSupport: "enable" || "disable",
  * //       DnsSupport: "enable" || "disable",
+ * //       SecurityGroupReferencingSupport: "enable" || "disable",
  * //       MulticastSupport: "enable" || "disable",
  * //     },
  * //     Tags: [ // TagList

clients/client-ec2/src/commands/DeleteTransitGatewayVpcAttachmentCommand.ts

@@ -68,6 +68,7 @@ export interface DeleteTransitGatewayVpcAttachmentCommandOutput
  * //     CreationTime: new Date("TIMESTAMP"),
  * //     Options: { // TransitGatewayVpcAttachmentOptions
  * //       DnsSupport: "enable" || "disable",
+ * //       SecurityGroupReferencingSupport: "enable" || "disable",
  * //       Ipv6Support: "enable" || "disable",
  * //       ApplianceModeSupport: "enable" || "disable",
  * //     },

clients/client-ec2/src/commands/DescribeImportSnapshotTasksCommand.ts

@@ -15,8 +15,8 @@ import {
 } from "@smithy/types";
 
 import { EC2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../EC2Client";
-import { DescribeImportSnapshotTasksRequest } from "../models/models_3";
 import {
+  DescribeImportSnapshotTasksRequest,
   DescribeImportSnapshotTasksResult,
   DescribeImportSnapshotTasksResultFilterSensitiveLog,
 } from "../models/models_4";

clients/client-ec2/src/commands/DescribeSecurityGroupReferencesCommand.ts

@@ -42,7 +42,7 @@ export interface DescribeSecurityGroupReferencesCommandOutput
 
 /**
  * @public
- * <p>Describes the VPCs on the other side of a VPC peering connection that are referencing the security groups you've specified in this request.</p>
+ * <p>Describes the VPCs on the other side of a VPC peering connection or the VPCs attached to a transit gateway that are referencing the security groups you've specified in this request.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -63,6 +63,7 @@ export interface DescribeSecurityGroupReferencesCommandOutput
  * //       GroupId: "STRING_VALUE",
  * //       ReferencingVpcId: "STRING_VALUE",
  * //       VpcPeeringConnectionId: "STRING_VALUE",
+ * //       TransitGatewayId: "STRING_VALUE",
  * //     },
  * //   ],
  * // };

clients/client-ec2/src/commands/DescribeStaleSecurityGroupsCommand.ts

@@ -38,9 +38,8 @@ export interface DescribeStaleSecurityGroupsCommandOutput extends DescribeStaleS
 /**
  * @public
  * <p>Describes the stale security group rules for security groups in a specified VPC.
- *           Rules are stale when they reference a deleted security group in the same VPC or in a peer VPC,
- *           or if they reference a security group in a peer VPC for which the VPC peering connection has
- *           been deleted.</p>
+ *           Rules are stale when they reference a deleted security group in the same VPC, peered VPC, or in separate VPCs attached to a transit gateway (with <a href="https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#create-tgw">security group referencing support</a> enabled). Rules can also be stale if they reference a security group in a peer VPC for which the VPC peering connection has
+ *           been deleted or if they reference a security group in a VPC that has been detached from a transit gateway.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

clients/client-ec2/src/commands/DescribeSubnetsCommand.ts

@@ -15,7 +15,8 @@ import {
 } from "@smithy/types";
 
 import { EC2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../EC2Client";
-import { DescribeSubnetsRequest, DescribeSubnetsResult } from "../models/models_4";
+import { DescribeSubnetsRequest } from "../models/models_4";
+import { DescribeSubnetsResult } from "../models/models_5";
 import { de_DescribeSubnetsCommand, se_DescribeSubnetsCommand } from "../protocols/Aws_ec2";
 
 /**

clients/client-ec2/src/commands/DescribeTransitGatewayVpcAttachmentsCommand.ts

@@ -85,6 +85,7 @@ export interface DescribeTransitGatewayVpcAttachmentsCommandOutput
  * //       CreationTime: new Date("TIMESTAMP"),
  * //       Options: { // TransitGatewayVpcAttachmentOptions
  * //         DnsSupport: "enable" || "disable",
+ * //         SecurityGroupReferencingSupport: "enable" || "disable",
  * //         Ipv6Support: "enable" || "disable",
  * //         ApplianceModeSupport: "enable" || "disable",
  * //       },

clients/client-ec2/src/commands/DescribeTransitGatewaysCommand.ts

@@ -84,6 +84,7 @@ export interface DescribeTransitGatewaysCommandOutput extends DescribeTransitGat
  * //         PropagationDefaultRouteTableId: "STRING_VALUE",
  * //         VpnEcmpSupport: "enable" || "disable",
  * //         DnsSupport: "enable" || "disable",
+ * //         SecurityGroupReferencingSupport: "enable" || "disable",
  * //         MulticastSupport: "enable" || "disable",
  * //       },
  * //       Tags: [ // TagList

clients/client-ec2/src/commands/GetIpamPoolCidrsCommand.ts

@@ -15,7 +15,8 @@ import {
 } from "@smithy/types";
 
 import { EC2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../EC2Client";
-import { GetIpamPoolCidrsRequest, GetIpamPoolCidrsResult } from "../models/models_5";
+import { GetIpamPoolCidrsRequest } from "../models/models_5";
+import { GetIpamPoolCidrsResult } from "../models/models_6";
 import { de_GetIpamPoolCidrsCommand, se_GetIpamPoolCidrsCommand } from "../protocols/Aws_ec2";
 
 /**

clients/client-ec2/src/commands/ModifyTransitGatewayCommand.ts

@@ -56,6 +56,7 @@ export interface ModifyTransitGatewayCommandOutput extends ModifyTransitGatewayR
  *     ],
  *     VpnEcmpSupport: "enable" || "disable",
  *     DnsSupport: "enable" || "disable",
+ *     SecurityGroupReferencingSupport: "enable" || "disable",
  *     AutoAcceptSharedAttachments: "enable" || "disable",
  *     DefaultRouteTableAssociation: "enable" || "disable",
  *     AssociationDefaultRouteTableId: "STRING_VALUE",
@@ -87,6 +88,7 @@ export interface ModifyTransitGatewayCommandOutput extends ModifyTransitGatewayR
  * //       PropagationDefaultRouteTableId: "STRING_VALUE",
  * //       VpnEcmpSupport: "enable" || "disable",
  * //       DnsSupport: "enable" || "disable",
+ * //       SecurityGroupReferencingSupport: "enable" || "disable",
  * //       MulticastSupport: "enable" || "disable",
  * //     },
  * //     Tags: [ // TagList

clients/client-ec2/src/commands/ModifyTransitGatewayVpcAttachmentCommand.ts

@@ -59,6 +59,7 @@ export interface ModifyTransitGatewayVpcAttachmentCommandOutput
  *   ],
  *   Options: { // ModifyTransitGatewayVpcAttachmentRequestOptions
  *     DnsSupport: "enable" || "disable",
+ *     SecurityGroupReferencingSupport: "enable" || "disable",
  *     Ipv6Support: "enable" || "disable",
  *     ApplianceModeSupport: "enable" || "disable",
  *   },
@@ -79,6 +80,7 @@ export interface ModifyTransitGatewayVpcAttachmentCommandOutput
  * //     CreationTime: new Date("TIMESTAMP"),
  * //     Options: { // TransitGatewayVpcAttachmentOptions
  * //       DnsSupport: "enable" || "disable",
+ * //       SecurityGroupReferencingSupport: "enable" || "disable",
  * //       Ipv6Support: "enable" || "disable",
  * //       ApplianceModeSupport: "enable" || "disable",
  * //     },

clients/client-ec2/src/commands/RegisterTransitGatewayMulticastGroupSourcesCommand.ts

@@ -15,10 +15,8 @@ import {
 } from "@smithy/types";
 
 import { EC2ClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../EC2Client";
-import {
-  RegisterTransitGatewayMulticastGroupSourcesRequest,
-  RegisterTransitGatewayMulticastGroupSourcesResult,
-} from "../models/models_6";
+import { RegisterTransitGatewayMulticastGroupSourcesRequest } from "../models/models_6";
+import { RegisterTransitGatewayMulticastGroupSourcesResult } from "../models/models_7";
 import {
   de_RegisterTransitGatewayMulticastGroupSourcesCommand,
   se_RegisterTransitGatewayMulticastGroupSourcesCommand,

clients/client-ec2/src/commands/RejectTransitGatewayVpcAttachmentCommand.ts

@@ -71,6 +71,7 @@ export interface RejectTransitGatewayVpcAttachmentCommandOutput
  * //     CreationTime: new Date("TIMESTAMP"),
  * //     Options: { // TransitGatewayVpcAttachmentOptions
  * //       DnsSupport: "enable" || "disable",
+ * //       SecurityGroupReferencingSupport: "enable" || "disable",
  * //       Ipv6Support: "enable" || "disable",
  * //       ApplianceModeSupport: "enable" || "disable",
  * //     },

clients/client-ec2/src/models/models_0.ts

@@ -830,6 +830,21 @@ export const Ipv6SupportValue = {
  */
 export type Ipv6SupportValue = (typeof Ipv6SupportValue)[keyof typeof Ipv6SupportValue];
 
+/**
+ * @public
+ * @enum
+ */
+export const SecurityGroupReferencingSupportValue = {
+  disable: "disable",
+  enable: "enable",
+} as const;
+
+/**
+ * @public
+ */
+export type SecurityGroupReferencingSupportValue =
+  (typeof SecurityGroupReferencingSupportValue)[keyof typeof SecurityGroupReferencingSupportValue];
+
 /**
  * @public
  * <p>Describes the VPC attachment options.</p>
@@ -841,6 +856,12 @@ export interface TransitGatewayVpcAttachmentOptions {
    */
   DnsSupport?: DnsSupportValue;
 
+  /**
+   * @public
+   * <p>For important information about this feature, see <a href="https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html#create-vpc-attachment">Create a transit gateway attachment to a VPC</a> in the <i>Amazon Web Services Transit Gateway Guide</i>.</p>
+   */
+  SecurityGroupReferencingSupport?: SecurityGroupReferencingSupportValue;
+
   /**
    * @public
    * <p>Indicates whether IPv6 support is disabled.</p>
@@ -6549,7 +6570,7 @@ export interface ReferencedSecurityGroup {
 
   /**
    * @public
-   * <p>The ID of the VPC peering connection.</p>
+   * <p>The ID of the VPC peering connection (if applicable).</p>
    */
   VpcPeeringConnectionId?: string;
 }
@@ -9643,39 +9664,6 @@ export interface CreateCapacityReservationFleetResult {
   Tags?: Tag[];
 }
 
-/**
- * @public
- */
-export interface CreateCarrierGatewayRequest {
-  /**
-   * @public
-   * <p>The ID of the VPC to associate with the carrier gateway.</p>
-   */
-  VpcId: string | undefined;
-
-  /**
-   * @public
-   * <p>The tags to associate with the carrier gateway.</p>
-   */
-  TagSpecifications?: TagSpecification[];
-
-  /**
-   * @public
-   * <p>Checks whether you have the required permissions for the action, without actually making the request,
-   *    and provides an error response. If you have the required permissions, the error response is <code>DryRunOperation</code>.
-   *    Otherwise, it is <code>UnauthorizedOperation</code>.</p>
-   */
-  DryRun?: boolean;
-
-  /**
-   * @public
-   * <p>Unique, case-sensitive identifier that you provide to ensure the idempotency of the
-   *             request. For more information, see <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html">How to ensure
-   *                 idempotency</a>.</p>
-   */
-  ClientToken?: string;
-}
-
 /**
  * @internal
  */

clients/client-ec2/src/models/models_1.ts

@@ -30,6 +30,39 @@ import {
   WeekDay,
 } from "./models_0";
 
+/**
+ * @public
+ */
+export interface CreateCarrierGatewayRequest {
+  /**
+   * @public
+   * <p>The ID of the VPC to associate with the carrier gateway.</p>
+   */
+  VpcId: string | undefined;
+
+  /**
+   * @public
+   * <p>The tags to associate with the carrier gateway.</p>
+   */
+  TagSpecifications?: TagSpecification[];
+
+  /**
+   * @public
+   * <p>Checks whether you have the required permissions for the action, without actually making the request,
+   *    and provides an error response. If you have the required permissions, the error response is <code>DryRunOperation</code>.
+   *    Otherwise, it is <code>UnauthorizedOperation</code>.</p>
+   */
+  DryRun?: boolean;
+
+  /**
+   * @public
+   * <p>Unique, case-sensitive identifier that you provide to ensure the idempotency of the
+   *             request. For more information, see <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html">How to ensure
+   *                 idempotency</a>.</p>
+   */
+  ClientToken?: string;
+}
+
 /**
  * @public
  * @enum
@@ -10925,24 +10958,6 @@ export const NetworkInterfaceType = {
  */
 export type NetworkInterfaceType = (typeof NetworkInterfaceType)[keyof typeof NetworkInterfaceType];
 
-/**
- * @public
- * <p>Describes an IPv6 address associated with a network interface.</p>
- */
-export interface NetworkInterfaceIpv6Address {
-  /**
-   * @public
-   * <p>The IPv6 address.</p>
-   */
-  Ipv6Address?: string;
-
-  /**
-   * @public
-   * <p>Determines if an IPv6 address associated with a network interface is the primary IPv6 address. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information, see <a href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyNetworkInterfaceAttribute.html">ModifyNetworkInterfaceAttribute</a>.</p>
-   */
-  IsPrimaryIpv6?: boolean;
-}
-
 /**
  * @internal
  */