aws-cdk-lib 2.136.1__py3-none-any.whl → 2.138.0__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -196,6 +196,12 @@ The construct will automatically selects the latest version of Amazon Linux 2023
 If you prefer to use a custom AMI, use `machineImage: MachineImage.genericLinux({ ... })` and configure the right AMI ID for the
 regions you want to deploy to.
 
+> **Warning**
+> The NAT instances created using this method will be **unmonitored**.
+> They are not part of an Auto Scaling Group,
+> and if they become unavailable or are terminated for any reason,
+> will not be restarted or replaced.
+
 By default, the NAT instances will route all traffic. To control what traffic
 gets routed, pass a custom value for `defaultAllowedTraffic` and access the
 `NatInstanceProvider.connections` member after having passed the NAT provider to
@@ -212,7 +218,37 @@ provider = ec2.NatProvider.instance_v2(
 ec2.Vpc(self, "TheVPC",
     nat_gateway_provider=provider
 )
-provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.HTTP)
+```
+
+You can also customize the characteristics of your NAT instances, including their security group,
+as well as their initialization scripts:
+
+```python
+# bucket: s3.Bucket
+
+
+user_data = ec2.UserData.for_linux()
+user_data.add_commands(
+    (SpreadElement ...ec2.NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS
+      ec2.NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS), "echo \"hello world!\" > hello.txt", f"aws s3 cp hello.txt s3://{bucket.bucketName}")
+
+provider = ec2.NatProvider.instance_v2(
+    instance_type=ec2.InstanceType("t3.small"),
+    credit_specification=ec2.CpuCredits.UNLIMITED,
+    default_allowed_traffic=ec2.NatTrafficDirection.NONE
+)
+
+vpc = ec2.Vpc(self, "TheVPC",
+    nat_gateway_provider=provider,
+    nat_gateways=2
+)
+
+security_group = ec2.SecurityGroup(self, "SecurityGroup", vpc=vpc)
+security_group.add_egress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443))
+for gateway in provider.gateway_instances:
+    bucket.grant_write(gateway)
+    gateway.add_security_group(security_group)
 ```
 
 ```python
@@ -229,7 +265,7 @@ vpc = ec2.Vpc(self, "MyVpc",
 )
 ```
 
-The construct will use the AWS official NAT instance AMI, which has already
+The V1 `NatProvider.instance` construct will use the AWS official NAT instance AMI, which has already
 reached EOL on Dec 31, 2023. For more information, see the following blog post:
 [Amazon Linux AMI end of life](https://aws.amazon.com/blogs/aws/update-on-amazon-linux-ami-end-of-life/).
 
@@ -244,7 +280,7 @@ provider = ec2.NatProvider.instance(
 ec2.Vpc(self, "TheVPC",
     nat_gateway_provider=provider
 )
-provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.HTTP)
 ```
 
 ### Ip Address Management
@@ -731,13 +767,13 @@ take care of this for you:
 
 
 # Allow connections from anywhere
-load_balancer.connections.allow_from_any_ipv4(ec2.Port.tcp(443), "Allow inbound HTTPS")
+load_balancer.connections.allow_from_any_ipv4(ec2.Port.HTTPS, "Allow inbound HTTPS")
 
 # The same, but an explicit IP address
-load_balancer.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/32"), ec2.Port.tcp(443), "Allow inbound HTTPS")
+load_balancer.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/32"), ec2.Port.HTTPS, "Allow inbound HTTPS")
 
 # Allow connection between AutoScalingGroups
-app_fleet.connections.allow_to(db_fleet, ec2.Port.tcp(443), "App can call database")
+app_fleet.connections.allow_to(db_fleet, ec2.Port.HTTPS, "App can call database")
 ```
 
 ### Connection Peers
@@ -755,7 +791,7 @@ peer = ec2.Peer.any_ipv4()
 peer = ec2.Peer.ipv6("::0/0")
 peer = ec2.Peer.any_ipv6()
 peer = ec2.Peer.prefix_list("pl-12345")
-app_fleet.connections.allow_to(peer, ec2.Port.tcp(443), "Allow outbound HTTPS")
+app_fleet.connections.allow_to(peer, ec2.Port.HTTPS, "Allow outbound HTTPS")
 ```
 
 Any object that has a security group can itself be used as a connection peer:
@@ -767,9 +803,9 @@ Any object that has a security group can itself be used as a connection peer:
 
 
 # These automatically create appropriate ingress and egress rules in both security groups
-fleet1.connections.allow_to(fleet2, ec2.Port.tcp(80), "Allow between fleets")
+fleet1.connections.allow_to(fleet2, ec2.Port.HTTP, "Allow between fleets")
 
-app_fleet.connections.allow_from_any_ipv4(ec2.Port.tcp(80), "Allow from load balancer")
+app_fleet.connections.allow_from_any_ipv4(ec2.Port.HTTP, "Allow from load balancer")
 ```
 
 ### Port Ranges
@@ -779,6 +815,7 @@ the connection specifier:
 
 ```python
 ec2.Port.tcp(80)
+ec2.Port.HTTPS
 ec2.Port.tcp_range(60000, 65535)
 ec2.Port.all_tcp()
 ec2.Port.all_icmp()
@@ -833,7 +870,7 @@ my_security_group_without_inline_rules = ec2.SecurityGroup(self, "SecurityGroup"
     disable_inline_rules=True
 )
 # This will add the rule as an external cloud formation construct
-my_security_group_without_inline_rules.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(22), "allow ssh access from the world")
+my_security_group_without_inline_rules.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.SSH, "allow ssh access from the world")
 ```
 
 ### Importing an existing security group
@@ -9317,6 +9354,7 @@ class CfnCustomerGateway(
             type="type",
         
             # the properties below are optional
+            certificate_arn="certificateArn",
             device_name="deviceName",
             tags=[CfnTag(
                 key="key",
@@ -9333,6 +9371,7 @@ class CfnCustomerGateway(
         bgp_asn: jsii.Number,
         ip_address: builtins.str,
         type: builtins.str,
+        certificate_arn: typing.Optional[builtins.str] = None,
         device_name: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
@@ -9342,6 +9381,7 @@ class CfnCustomerGateway(
         :param bgp_asn: For devices that support BGP, the customer gateway's BGP ASN. Default: 65000 Default: - 65000
         :param ip_address: IPv4 address for the customer gateway device's outside interface. The address must be static.
         :param type: The type of VPN connection that this customer gateway supports ( ``ipsec.1`` ).
+        :param certificate_arn: The Amazon Resource Name (ARN) for the customer gateway certificate.
         :param device_name: The name of customer gateway device.
         :param tags: One or more tags for the customer gateway.
         '''
@@ -9353,6 +9393,7 @@ class CfnCustomerGateway(
             bgp_asn=bgp_asn,
             ip_address=ip_address,
             type=type,
+            certificate_arn=certificate_arn,
             device_name=device_name,
             tags=tags,
         )
@@ -9448,6 +9489,19 @@ class CfnCustomerGateway(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "type", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="certificateArn")
+    def certificate_arn(self) -> typing.Optional[builtins.str]:
+        '''The Amazon Resource Name (ARN) for the customer gateway certificate.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "certificateArn"))
+
+    @certificate_arn.setter
+    def certificate_arn(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__4a4b900e840c5be3a2b16a5177f91335cf813daeca359e549a639cb05a03ac63)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "certificateArn", value)
+
     @builtins.property
     @jsii.member(jsii_name="deviceName")
     def device_name(self) -> typing.Optional[builtins.str]:
@@ -9482,6 +9536,7 @@ class CfnCustomerGateway(
         "bgp_asn": "bgpAsn",
         "ip_address": "ipAddress",
         "type": "type",
+        "certificate_arn": "certificateArn",
         "device_name": "deviceName",
         "tags": "tags",
     },
@@ -9493,6 +9548,7 @@ class CfnCustomerGatewayProps:
         bgp_asn: jsii.Number,
         ip_address: builtins.str,
         type: builtins.str,
+        certificate_arn: typing.Optional[builtins.str] = None,
         device_name: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
@@ -9501,6 +9557,7 @@ class CfnCustomerGatewayProps:
         :param bgp_asn: For devices that support BGP, the customer gateway's BGP ASN. Default: 65000 Default: - 65000
         :param ip_address: IPv4 address for the customer gateway device's outside interface. The address must be static.
         :param type: The type of VPN connection that this customer gateway supports ( ``ipsec.1`` ).
+        :param certificate_arn: The Amazon Resource Name (ARN) for the customer gateway certificate.
         :param device_name: The name of customer gateway device.
         :param tags: One or more tags for the customer gateway.
 
@@ -9519,6 +9576,7 @@ class CfnCustomerGatewayProps:
                 type="type",
             
                 # the properties below are optional
+                certificate_arn="certificateArn",
                 device_name="deviceName",
                 tags=[CfnTag(
                     key="key",
@@ -9531,6 +9589,7 @@ class CfnCustomerGatewayProps:
             check_type(argname="argument bgp_asn", value=bgp_asn, expected_type=type_hints["bgp_asn"])
             check_type(argname="argument ip_address", value=ip_address, expected_type=type_hints["ip_address"])
             check_type(argname="argument type", value=type, expected_type=type_hints["type"])
+            check_type(argname="argument certificate_arn", value=certificate_arn, expected_type=type_hints["certificate_arn"])
             check_type(argname="argument device_name", value=device_name, expected_type=type_hints["device_name"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
@@ -9538,6 +9597,8 @@ class CfnCustomerGatewayProps:
             "ip_address": ip_address,
             "type": type,
         }
+        if certificate_arn is not None:
+            self._values["certificate_arn"] = certificate_arn
         if device_name is not None:
             self._values["device_name"] = device_name
         if tags is not None:
@@ -9579,6 +9640,15 @@ class CfnCustomerGatewayProps:
         assert result is not None, "Required property 'type' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def certificate_arn(self) -> typing.Optional[builtins.str]:
+        '''The Amazon Resource Name (ARN) for the customer gateway certificate.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customergateway.html#cfn-ec2-customergateway-certificatearn
+        '''
+        result = self._values.get("certificate_arn")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def device_name(self) -> typing.Optional[builtins.str]:
         '''The name of customer gateway device.
@@ -19146,8 +19216,8 @@ class CfnInstance(
         :param credit_specification: The credit option for CPU usage of the burstable performance instance. Valid values are ``standard`` and ``unlimited`` . To change this attribute after launch, use `ModifyInstanceCreditSpecification <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCreditSpecification.html>`_ . For more information, see `Burstable performance instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html>`_ in the *Amazon EC2 User Guide* . Default: ``standard`` (T2 instances) or ``unlimited`` (T3/T3a/T4g instances) For T3 instances with ``host`` tenancy, only ``standard`` is supported.
         :param disable_api_termination: If you set this parameter to ``true`` , you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. To change this attribute after launch, use `ModifyInstanceAttribute <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html>`_ . Alternatively, if you set ``InstanceInitiatedShutdownBehavior`` to ``terminate`` , you can terminate the instance by running the shutdown command from the instance. Default: ``false``
         :param ebs_optimized: Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance. Default: ``false``
-        :param elastic_gpu_specifications: Deprecated. .. epigraph:: Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.
-        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads. You cannot specify accelerators from different generations in the same request. .. epigraph:: Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
+        :param elastic_gpu_specifications: An elastic GPU to associate with the instance. .. epigraph:: Amazon Elastic Graphics reached end of life on January 8, 2024.
+        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. .. epigraph:: Amazon Elastic Inference (EI) is no longer available to new customers. For more information, see `Amazon Elastic Inference FAQs <https://docs.aws.amazon.com/machine-learning/elastic-inference/faqs/>`_ .
         :param enclave_options: Indicates whether the instance is enabled for AWS Nitro Enclaves.
         :param hibernation_options: Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance meets the `hibernation prerequisites <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html>`_ . For more information, see `Hibernate your instance <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html>`_ in the *Amazon EC2 User Guide* . You can't enable hibernation and AWS Nitro Enclaves on the same instance.
         :param host_id: If you specify host for the ``Affinity`` property, the ID of a dedicated host that the instance is associated with. If you don't specify an ID, Amazon EC2 launches the instance onto any available, compatible dedicated host in your account. This type of launch is called an untargeted launch. Note that for untargeted launches, you must have a compatible, dedicated host available to successfully launch instances.
@@ -19173,7 +19243,7 @@ class CfnInstance(
         :param security_groups: [Default VPC] The names of the security groups. For a nondefault VPC, you must use security group IDs instead. You cannot specify this option and the network interfaces option in the same request. The list can contain both the name of existing Amazon EC2 security groups or references to AWS::EC2::SecurityGroup resources created in the template. Default: Amazon EC2 uses the default security group.
         :param source_dest_check: Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is ``true`` , source/destination checks are enabled; otherwise, they are disabled. The default value is ``true`` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
         :param ssm_associations: The SSM `document <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html>`_ and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see `Create an IAM instance profile for Systems Manager <https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html>`_ in the *AWS Systems Manager User Guide* . .. epigraph:: You can associate only one document with an instance.
-        :param subnet_id: The ID of the subnet to launch the instance into. If you specify a network interface, you must specify any subnets as part of the network interface.
+        :param subnet_id: The ID of the subnet to launch the instance into. If you specify a network interface, you must specify any subnets as part of the network interface instead of using this parameter.
         :param tags: The tags to add to the instance. These tags are not applied to the EBS volumes, such as the root volume, unless `PropagateTagsToVolumeOnCreation <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-propagatetagstovolumeoncreation>`_ is ``true`` .
         :param tenancy: The tenancy of the instance. An instance with a tenancy of ``dedicated`` runs on single-tenant hardware.
         :param user_data: The parameters or scripts to store as user data. Any scripts in user data are run when you launch the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see `Fn::Base64 <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html>`_ . If the root volume is an EBS volume and you update user data, CloudFormation restarts the instance. If the root volume is an instance store volume and you update user data, the instance is replaced.
@@ -19266,14 +19336,6 @@ class CfnInstance(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrAvailabilityZone"))
 
-    @builtins.property
-    @jsii.member(jsii_name="attrId")
-    def attr_id(self) -> builtins.str:
-        '''
-        :cloudformationAttribute: Id
-        '''
-        return typing.cast(builtins.str, jsii.get(self, "attrId"))
-
     @builtins.property
     @jsii.member(jsii_name="attrInstanceId")
     def attr_instance_id(self) -> builtins.str:
@@ -19481,7 +19543,7 @@ class CfnInstance(
     def elastic_gpu_specifications(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnInstance.ElasticGpuSpecificationProperty"]]]]:
-        '''Deprecated.'''
+        '''An elastic GPU to associate with the instance.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnInstance.ElasticGpuSpecificationProperty"]]]], jsii.get(self, "elasticGpuSpecifications"))
 
     @elastic_gpu_specifications.setter
@@ -20909,11 +20971,9 @@ class CfnInstance(
             - The ID or the name of the launch template, but not both.
             - The version of the launch template.
 
-            ``LaunchTemplateSpecification`` is a property of the `AWS::EC2::Instance <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html>`_ resource.
-
             For information about creating a launch template, see `AWS::EC2::LaunchTemplate <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html>`_ and `Create a launch template <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template>`_ in the *Amazon EC2 User Guide* .
 
-            For examples of launch templates, see `Examples <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples>`_ .
+            For example launch templates, see the `Examples <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples>`_ for ``AWS::EC2::LaunchTemplate`` .
 
             :param version: The version number of the launch template. Specifying ``$Latest`` or ``$Default`` for the template version number is not supported. However, you can specify ``LatestVersionNumber`` or ``DefaultVersionNumber`` using the ``Fn::GetAtt`` intrinsic function. For more information, see `Fn::GetAtt <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate-return-values-fn--getatt>`_ .
             :param launch_template_id: The ID of the launch template. You must specify the ``LaunchTemplateId`` or the ``LaunchTemplateName`` , but not both.
@@ -21103,7 +21163,7 @@ class CfnInstance(
             :param private_ip_address: The private IPv4 address of the network interface. Applies only if creating a network interface when launching an instance.
             :param private_ip_addresses: One or more private IPv4 addresses to assign to the network interface. Only one private IPv4 address can be designated as primary.
             :param secondary_private_ip_address_count: The number of secondary private IPv4 addresses. You can't specify this option and specify more than one private IP address using the private IP addresses option.
-            :param subnet_id: The ID of the subnet associated with the network interface. Applies only if creating a network interface when launching an instance.
+            :param subnet_id: The ID of the subnet associated with the network interface.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance-networkinterface.html
             :exampleMetadata: fixture=_generated
@@ -21329,8 +21389,6 @@ class CfnInstance(
         def subnet_id(self) -> typing.Optional[builtins.str]:
             '''The ID of the subnet associated with the network interface.
 
-            Applies only if creating a network interface when launching an instance.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance-networkinterface.html#cfn-ec2-instance-networkinterface-subnetid
             '''
             result = self._values.get("subnet_id")
@@ -22140,8 +22198,8 @@ class CfnInstanceProps:
         :param credit_specification: The credit option for CPU usage of the burstable performance instance. Valid values are ``standard`` and ``unlimited`` . To change this attribute after launch, use `ModifyInstanceCreditSpecification <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCreditSpecification.html>`_ . For more information, see `Burstable performance instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html>`_ in the *Amazon EC2 User Guide* . Default: ``standard`` (T2 instances) or ``unlimited`` (T3/T3a/T4g instances) For T3 instances with ``host`` tenancy, only ``standard`` is supported.
         :param disable_api_termination: If you set this parameter to ``true`` , you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. To change this attribute after launch, use `ModifyInstanceAttribute <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html>`_ . Alternatively, if you set ``InstanceInitiatedShutdownBehavior`` to ``terminate`` , you can terminate the instance by running the shutdown command from the instance. Default: ``false``
         :param ebs_optimized: Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance. Default: ``false``
-        :param elastic_gpu_specifications: Deprecated. .. epigraph:: Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.
-        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads. You cannot specify accelerators from different generations in the same request. .. epigraph:: Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
+        :param elastic_gpu_specifications: An elastic GPU to associate with the instance. .. epigraph:: Amazon Elastic Graphics reached end of life on January 8, 2024.
+        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. .. epigraph:: Amazon Elastic Inference (EI) is no longer available to new customers. For more information, see `Amazon Elastic Inference FAQs <https://docs.aws.amazon.com/machine-learning/elastic-inference/faqs/>`_ .
         :param enclave_options: Indicates whether the instance is enabled for AWS Nitro Enclaves.
         :param hibernation_options: Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance meets the `hibernation prerequisites <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html>`_ . For more information, see `Hibernate your instance <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html>`_ in the *Amazon EC2 User Guide* . You can't enable hibernation and AWS Nitro Enclaves on the same instance.
         :param host_id: If you specify host for the ``Affinity`` property, the ID of a dedicated host that the instance is associated with. If you don't specify an ID, Amazon EC2 launches the instance onto any available, compatible dedicated host in your account. This type of launch is called an untargeted launch. Note that for untargeted launches, you must have a compatible, dedicated host available to successfully launch instances.
@@ -22167,7 +22225,7 @@ class CfnInstanceProps:
         :param security_groups: [Default VPC] The names of the security groups. For a nondefault VPC, you must use security group IDs instead. You cannot specify this option and the network interfaces option in the same request. The list can contain both the name of existing Amazon EC2 security groups or references to AWS::EC2::SecurityGroup resources created in the template. Default: Amazon EC2 uses the default security group.
         :param source_dest_check: Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is ``true`` , source/destination checks are enabled; otherwise, they are disabled. The default value is ``true`` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
         :param ssm_associations: The SSM `document <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html>`_ and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see `Create an IAM instance profile for Systems Manager <https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html>`_ in the *AWS Systems Manager User Guide* . .. epigraph:: You can associate only one document with an instance.
-        :param subnet_id: The ID of the subnet to launch the instance into. If you specify a network interface, you must specify any subnets as part of the network interface.
+        :param subnet_id: The ID of the subnet to launch the instance into. If you specify a network interface, you must specify any subnets as part of the network interface instead of using this parameter.
         :param tags: The tags to add to the instance. These tags are not applied to the EBS volumes, such as the root volume, unless `PropagateTagsToVolumeOnCreation <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-propagatetagstovolumeoncreation>`_ is ``true`` .
         :param tenancy: The tenancy of the instance. An instance with a tenancy of ``dedicated`` runs on single-tenant hardware.
         :param user_data: The parameters or scripts to store as user data. Any scripts in user data are run when you launch the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see `Fn::Base64 <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html>`_ . If the root volume is an EBS volume and you update user data, CloudFormation restarts the instance. If the root volume is an instance store volume and you update user data, the instance is replaced.
@@ -22544,11 +22602,11 @@ class CfnInstanceProps:
     def elastic_gpu_specifications(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnInstance.ElasticGpuSpecificationProperty]]]]:
-        '''Deprecated.
+        '''An elastic GPU to associate with the instance.
 
         .. epigraph::
 
-           Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.
+           Amazon Elastic Graphics reached end of life on January 8, 2024.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html#cfn-ec2-instance-elasticgpuspecifications
         '''
@@ -22561,12 +22619,9 @@ class CfnInstanceProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnInstance.ElasticInferenceAcceleratorProperty]]]]:
         '''An elastic inference accelerator to associate with the instance.
 
-        Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.
-
-        You cannot specify accelerators from different generations in the same request.
         .. epigraph::
 
-           Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
+           Amazon Elastic Inference (EI) is no longer available to new customers. For more information, see `Amazon Elastic Inference FAQs <https://docs.aws.amazon.com/machine-learning/elastic-inference/faqs/>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html#cfn-ec2-instance-elasticinferenceaccelerators
         '''
@@ -22893,7 +22948,7 @@ class CfnInstanceProps:
     def subnet_id(self) -> typing.Optional[builtins.str]:
         '''The ID of the subnet to launch the instance into.
 
-        If you specify a network interface, you must specify any subnets as part of the network interface.
+        If you specify a network interface, you must specify any subnets as part of the network interface instead of using this parameter.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html#cfn-ec2-instance-subnetid
         '''
@@ -26061,12 +26116,12 @@ class CfnLaunchTemplate(
             :param maintenance_options: The maintenance options of your instance.
             :param metadata_options: The metadata options for the instance. For more information, see `Instance metadata and user data <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html>`_ in the *Amazon Elastic Compute Cloud User Guide* .
             :param monitoring: The monitoring for the instance.
-            :param network_interfaces: One or more network interfaces. If you specify a network interface, you must specify any security groups and subnets as part of the network interface.
+            :param network_interfaces: The network interfaces for the instance.
             :param placement: The placement for the instance.
             :param private_dns_name_options: The hostname type for EC2 instances launched into this subnet and how DNS A and AAAA record queries should be handled. For more information, see `Amazon EC2 instance hostname types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html>`_ in the *Amazon Elastic Compute Cloud User Guide* .
             :param ram_disk_id: The ID of the RAM disk. .. epigraph:: We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see `User provided kernels <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedkernels.html>`_ in the *Amazon Elastic Compute Cloud User Guide* .
-            :param security_group_ids: The IDs of the security groups. You can specify the IDs of existing security groups and references to resources created by the stack template.
-            :param security_groups: One or more security group names. For a nondefault VPC, you must use security group IDs instead.
+            :param security_group_ids: The IDs of the security groups. You can specify the IDs of existing security groups and references to resources created by the stack template. If you specify a network interface, you must specify any security groups as part of the network interface instead.
+            :param security_groups: The names of the security groups. For a nondefault VPC, you must use security group IDs instead. If you specify a network interface, you must specify any security groups as part of the network interface instead of using this parameter.
             :param tag_specifications: The tags to apply to the resources that are created during instance launch. To tag a resource after it has been created, see `CreateTags <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html>`_ . To tag the launch template itself, use `TagSpecifications <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications>`_ .
             :param user_data: The user data to make available to the instance. You must provide base64-encoded text. User data is limited to 16 KB. For more information, see `Run commands on your Linux instance at launch <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html>`_ (Linux) or `Work with instance user data <https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/instancedata-add-user-data.html>`_ (Windows) in the *Amazon Elastic Compute Cloud User Guide* . If you are creating the launch template for use with AWS Batch , the user data must be provided in the `MIME multi-part archive format <https://docs.aws.amazon.com/https://cloudinit.readthedocs.io/en/latest/topics/format.html#mime-multi-part-archive>`_ . For more information, see `Amazon EC2 user data in launch templates <https://docs.aws.amazon.com/batch/latest/userguide/launch-templates.html>`_ in the *AWS Batch User Guide* .
 
@@ -26202,8 +26257,7 @@ class CfnLaunchTemplate(
                         license_configuration_arn="licenseConfigurationArn"
                     )],
                     maintenance_options=ec2.CfnLaunchTemplate.MaintenanceOptionsProperty(
-                        auto_recovery="autoRecovery",
-                        reboot_migration="rebootMigration"
+                        auto_recovery="autoRecovery"
                     ),
                     metadata_options=ec2.CfnLaunchTemplate.MetadataOptionsProperty(
                         http_endpoint="httpEndpoint",
@@ -26701,9 +26755,7 @@ class CfnLaunchTemplate(
         def network_interfaces(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnLaunchTemplate.NetworkInterfaceProperty"]]]]:
-            '''One or more network interfaces.
-
-            If you specify a network interface, you must specify any security groups and subnets as part of the network interface.
+            '''The network interfaces for the instance.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-networkinterfaces
             '''
@@ -26753,6 +26805,8 @@ class CfnLaunchTemplate(
 
             You can specify the IDs of existing security groups and references to resources created by the stack template.
 
+            If you specify a network interface, you must specify any security groups as part of the network interface instead.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-securitygroupids
             '''
             result = self._values.get("security_group_ids")
@@ -26760,9 +26814,9 @@ class CfnLaunchTemplate(
 
         @builtins.property
         def security_groups(self) -> typing.Optional[typing.List[builtins.str]]:
-            '''One or more security group names.
+            '''The names of the security groups. For a nondefault VPC, you must use security group IDs instead.
 
-            For a nondefault VPC, you must use security group IDs instead.
+            If you specify a network interface, you must specify any security groups as part of the network interface instead of using this parameter.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-securitygroups
             '''
@@ -27021,22 +27075,17 @@ class CfnLaunchTemplate(
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_ec2.CfnLaunchTemplate.MaintenanceOptionsProperty",
         jsii_struct_bases=[],
-        name_mapping={
-            "auto_recovery": "autoRecovery",
-            "reboot_migration": "rebootMigration",
-        },
+        name_mapping={"auto_recovery": "autoRecovery"},
     )
     class MaintenanceOptionsProperty:
         def __init__(
             self,
             *,
             auto_recovery: typing.Optional[builtins.str] = None,
-            reboot_migration: typing.Optional[builtins.str] = None,
         ) -> None:
             '''The maintenance options of your instance.
 
             :param auto_recovery: Disables the automatic recovery behavior of your instance or sets it to default.
-            :param reboot_migration: 
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-maintenanceoptions.html
             :exampleMetadata: fixture=_generated
@@ -27048,19 +27097,15 @@ class CfnLaunchTemplate(
                 from aws_cdk import aws_ec2 as ec2
                 
                 maintenance_options_property = ec2.CfnLaunchTemplate.MaintenanceOptionsProperty(
-                    auto_recovery="autoRecovery",
-                    reboot_migration="rebootMigration"
+                    auto_recovery="autoRecovery"
                 )
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__62e0d77a7fa9500aab5a08e932dc82213f11e05b31cf56f4654431c48342979e)
                 check_type(argname="argument auto_recovery", value=auto_recovery, expected_type=type_hints["auto_recovery"])
-                check_type(argname="argument reboot_migration", value=reboot_migration, expected_type=type_hints["reboot_migration"])
             self._values: typing.Dict[builtins.str, typing.Any] = {}
             if auto_recovery is not None:
                 self._values["auto_recovery"] = auto_recovery
-            if reboot_migration is not None:
-                self._values["reboot_migration"] = reboot_migration
 
         @builtins.property
         def auto_recovery(self) -> typing.Optional[builtins.str]:
@@ -27071,14 +27116,6 @@ class CfnLaunchTemplate(
             result = self._values.get("auto_recovery")
             return typing.cast(typing.Optional[builtins.str], result)
 
-        @builtins.property
-        def reboot_migration(self) -> typing.Optional[builtins.str]:
-            '''
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-maintenanceoptions.html#cfn-ec2-launchtemplate-maintenanceoptions-rebootmigration
-            '''
-            result = self._values.get("reboot_migration")
-            return typing.cast(typing.Optional[builtins.str], result)
-
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -40398,7 +40435,7 @@ class CfnSecurityGroup(
 
     To create a security group, use the `VpcId <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-vpcid>`_ property to specify the VPC for which to create the security group.
 
-    If you do not specify an egress rule, we add egress rules that allow IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules. If you later remove your egress rules, we restore the default egress rules.
+    If you do not specify an egress rule, we add egress rules that allow IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules.
 
     This type supports updates. For more information about updating stacks, see `AWS CloudFormation Stacks Updates <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html>`_ .
     .. epigraph::
@@ -40430,7 +40467,6 @@ class CfnSecurityGroup(
                 destination_prefix_list_id="destinationPrefixListId",
                 destination_security_group_id="destinationSecurityGroupId",
                 from_port=123,
-                source_security_group_id="sourceSecurityGroupId",
                 to_port=123
             )],
             security_group_ingress=[ec2.CfnSecurityGroup.IngressProperty(
@@ -40661,7 +40697,6 @@ class CfnSecurityGroup(
             "destination_prefix_list_id": "destinationPrefixListId",
             "destination_security_group_id": "destinationSecurityGroupId",
             "from_port": "fromPort",
-            "source_security_group_id": "sourceSecurityGroupId",
             "to_port": "toPort",
         },
     )
@@ -40676,7 +40711,6 @@ class CfnSecurityGroup(
             destination_prefix_list_id: typing.Optional[builtins.str] = None,
             destination_security_group_id: typing.Optional[builtins.str] = None,
             from_port: typing.Optional[jsii.Number] = None,
-            source_security_group_id: typing.Optional[builtins.str] = None,
             to_port: typing.Optional[jsii.Number] = None,
         ) -> None:
             '''Adds the specified outbound (egress) rule to a security group.
@@ -40696,7 +40730,6 @@ class CfnSecurityGroup(
             :param destination_prefix_list_id: The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
             :param destination_security_group_id: The ID of the destination VPC security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
             :param from_port: If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
-            :param source_security_group_id: 
             :param to_port: If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-securitygroup-egress.html
@@ -40718,7 +40751,6 @@ class CfnSecurityGroup(
                     destination_prefix_list_id="destinationPrefixListId",
                     destination_security_group_id="destinationSecurityGroupId",
                     from_port=123,
-                    source_security_group_id="sourceSecurityGroupId",
                     to_port=123
                 )
             '''
@@ -40731,7 +40763,6 @@ class CfnSecurityGroup(
                 check_type(argname="argument destination_prefix_list_id", value=destination_prefix_list_id, expected_type=type_hints["destination_prefix_list_id"])
                 check_type(argname="argument destination_security_group_id", value=destination_security_group_id, expected_type=type_hints["destination_security_group_id"])
                 check_type(argname="argument from_port", value=from_port, expected_type=type_hints["from_port"])
-                check_type(argname="argument source_security_group_id", value=source_security_group_id, expected_type=type_hints["source_security_group_id"])
                 check_type(argname="argument to_port", value=to_port, expected_type=type_hints["to_port"])
             self._values: typing.Dict[builtins.str, typing.Any] = {
                 "ip_protocol": ip_protocol,
@@ -40748,8 +40779,6 @@ class CfnSecurityGroup(
                 self._values["destination_security_group_id"] = destination_security_group_id
             if from_port is not None:
                 self._values["from_port"] = from_port
-            if source_security_group_id is not None:
-                self._values["source_security_group_id"] = source_security_group_id
             if to_port is not None:
                 self._values["to_port"] = to_port
 
@@ -40837,14 +40866,6 @@ class CfnSecurityGroup(
             result = self._values.get("from_port")
             return typing.cast(typing.Optional[jsii.Number], result)
 
-        @builtins.property
-        def source_security_group_id(self) -> typing.Optional[builtins.str]:
-            '''
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-securitygroup-egress.html#cfn-ec2-securitygroup-egress-sourcesecuritygroupid
-            '''
-            result = self._values.get("source_security_group_id")
-            return typing.cast(typing.Optional[builtins.str], result)
-
         @builtins.property
         def to_port(self) -> typing.Optional[jsii.Number]:
             '''If the protocol is TCP or UDP, this is the end of the port range.
@@ -42202,7 +42223,6 @@ class CfnSecurityGroupProps:
                     destination_prefix_list_id="destinationPrefixListId",
                     destination_security_group_id="destinationSecurityGroupId",
                     from_port=123,
-                    source_security_group_id="sourceSecurityGroupId",
                     to_port=123
                 )],
                 security_group_ingress=[ec2.CfnSecurityGroup.IngressProperty(
@@ -42517,10 +42537,7 @@ class CfnSpotFleet(
 
     You can specify tags for the Spot Fleet request and instances launched by the fleet. You cannot tag other resource types in a Spot Fleet request because only the ``spot-fleet-request`` and ``instance`` resource types are supported.
 
-    For more information, see `Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet.html>`_ in the *Amazon EC2 User Guide for Linux Instances* .
-    .. epigraph::
-
-       We strongly discourage using the RequestSpotFleet API because it is a legacy API with no planned investment. For options for requesting Spot Instances, see `Which is the best Spot request method to use? <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-best-practices.html#which-spot-request-method-to-use>`_ in the *Amazon EC2 User Guide for Linux Instances* .
+    For more information, see `Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet.html>`_ in the *Amazon EC2 User Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-spotfleet.html
     :cloudformationResource: AWS::EC2::SpotFleet
@@ -43811,7 +43828,7 @@ class CfnSpotFleet(
             :param network_interface_id: The ID of the network interface. If you are creating a Spot Fleet, omit this parameter because you can’t specify a network interface ID in a launch specification.
             :param private_ip_addresses: The private IPv4 addresses to assign to the network interface. Only one private IPv4 address can be designated as primary. You cannot specify this option if you're launching more than one instance in a `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ request.
             :param secondary_private_ip_address_count: The number of secondary private IPv4 addresses. You can't specify this option and specify more than one private IP address using the private IP addresses option. You cannot specify this option if you're launching more than one instance in a `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ request.
-            :param subnet_id: The ID of the subnet associated with the network interface. Applies only if creating a network interface when launching an instance.
+            :param subnet_id: The ID of the subnet associated with the network interface.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-instancenetworkinterfacespecification.html
             :exampleMetadata: fixture=_generated
@@ -44004,8 +44021,6 @@ class CfnSpotFleet(
         def subnet_id(self) -> typing.Optional[builtins.str]:
             '''The ID of the subnet associated with the network interface.
 
-            Applies only if creating a network interface when launching an instance.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-instancenetworkinterfacespecification.html#cfn-ec2-spotfleet-instancenetworkinterfacespecification-subnetid
             '''
             result = self._values.get("subnet_id")
@@ -45653,12 +45668,12 @@ class CfnSpotFleet(
             :param kernel_id: The ID of the kernel.
             :param key_name: The name of the key pair.
             :param monitoring: Enable or disable monitoring for the instances.
-            :param network_interfaces: One or more network interfaces. If you specify a network interface, you must specify subnet IDs and security group IDs using the network interface. .. epigraph:: ``SpotFleetLaunchSpecification`` currently does not support Elastic Fabric Adapter (EFA). To specify an EFA, you must use `LaunchTemplateConfig <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_LaunchTemplateConfig.html>`_ .
+            :param network_interfaces: The network interfaces.
             :param placement: The placement information.
             :param ramdisk_id: The ID of the RAM disk. Some kernels require additional drivers at launch. Check the kernel requirements for information about whether you need to specify a RAM disk. To find kernel requirements, refer to the AWS Resource Center and search for the kernel ID.
-            :param security_groups: The security groups.
+            :param security_groups: The security groups. If you specify a network interface, you must specify any security groups as part of the network interface instead of using this parameter.
             :param spot_price: The maximum price per unit hour that you are willing to pay for a Spot Instance. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price. .. epigraph:: If you specify a maximum price, your instances will be interrupted more frequently than if you do not specify this parameter.
-            :param subnet_id: The IDs of the subnets in which to launch the instances. To specify multiple subnets, separate them using commas; for example, "subnet-1234abcdeexample1, subnet-0987cdef6example2".
+            :param subnet_id: The IDs of the subnets in which to launch the instances. To specify multiple subnets, separate them using commas; for example, "subnet-1234abcdeexample1, subnet-0987cdef6example2". If you specify a network interface, you must specify any subnets as part of the network interface instead of using this parameter.
             :param tag_specifications: The tags to apply during creation.
             :param user_data: The base64-encoded user data that instances use when starting up. User data is limited to 16 KB.
             :param weighted_capacity: The number of units provided by the specified instance type. These are the same units that you chose to set the target capacity in terms of instances, or a performance characteristic such as vCPUs, memory, or I/O. If the target capacity divided by this value is not a whole number, Amazon EC2 rounds the number of instances to the next whole number. If this value is not specified, the default is 1.
@@ -45963,12 +45978,7 @@ class CfnSpotFleet(
         def network_interfaces(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnSpotFleet.InstanceNetworkInterfaceSpecificationProperty"]]]]:
-            '''One or more network interfaces.
-
-            If you specify a network interface, you must specify subnet IDs and security group IDs using the network interface.
-            .. epigraph::
-
-               ``SpotFleetLaunchSpecification`` currently does not support Elastic Fabric Adapter (EFA). To specify an EFA, you must use `LaunchTemplateConfig <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_LaunchTemplateConfig.html>`_ .
+            '''The network interfaces.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-spotfleetlaunchspecification.html#cfn-ec2-spotfleet-spotfleetlaunchspecification-networkinterfaces
             '''
@@ -46003,6 +46013,8 @@ class CfnSpotFleet(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnSpotFleet.GroupIdentifierProperty"]]]]:
             '''The security groups.
 
+            If you specify a network interface, you must specify any security groups as part of the network interface instead of using this parameter.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-spotfleetlaunchspecification.html#cfn-ec2-spotfleet-spotfleetlaunchspecification-securitygroups
             '''
             result = self._values.get("security_groups")
@@ -46028,6 +46040,8 @@ class CfnSpotFleet(
 
             To specify multiple subnets, separate them using commas; for example, "subnet-1234abcdeexample1, subnet-0987cdef6example2".
 
+            If you specify a network interface, you must specify any subnets as part of the network interface instead of using this parameter.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-spotfleetlaunchspecification.html#cfn-ec2-spotfleet-spotfleetlaunchspecification-subnetid
             '''
             result = self._values.get("subnet_id")
@@ -54281,14 +54295,6 @@ class CfnTransitGatewayRouteTableAssociation(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
-    @builtins.property
-    @jsii.member(jsii_name="attrId")
-    def attr_id(self) -> builtins.str:
-        '''
-        :cloudformationAttribute: Id
-        '''
-        return typing.cast(builtins.str, jsii.get(self, "attrId"))
-
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -73441,7 +73447,8 @@ class InstanceType(
                 subnet_type=ec2.SubnetType.PUBLIC
             ),
             vpc=vpc,
-            removal_policy=RemovalPolicy.SNAPSHOT
+            removal_policy=RemovalPolicy.SNAPSHOT,
+            instance_removal_policy=RemovalPolicy.RETAIN
         )
     '''
 
@@ -78835,6 +78842,7 @@ class NatInstanceImage(
         "key_pair": "keyPair",
         "machine_image": "machineImage",
         "security_group": "securityGroup",
+        "user_data": "userData",
     },
 )
 class NatInstanceProps:
@@ -78848,6 +78856,7 @@ class NatInstanceProps:
         key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
+        user_data: typing.Optional["UserData"] = None,
     ) -> None:
         '''Properties for a NAT instance.
 
@@ -78857,20 +78866,24 @@ class NatInstanceProps:
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
-        :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param security_group: (deprecated) Security Group for NAT instances. Default: - A new security group will be created
+        :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :exampleMetadata: infused
 
         Example::
 
-            nat_instance_provider = ec2.NatProvider.instance(
-                instance_type=ec2.InstanceType.of(ec2.InstanceClass.T4G, ec2.InstanceSize.LARGE),
-                machine_image=ec2.AmazonLinuxImage(),
-                credit_specification=ec2.CpuCredits.UNLIMITED
+            # instance_type: ec2.InstanceType
+            
+            
+            provider = ec2.NatProvider.instance_v2(
+                instance_type=instance_type,
+                default_allowed_traffic=ec2.NatTrafficDirection.OUTBOUND_ONLY
             )
-            ec2.Vpc(self, "VPC",
-                nat_gateway_provider=nat_instance_provider
+            ec2.Vpc(self, "TheVPC",
+                nat_gateway_provider=provider
             )
+            provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.HTTP)
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__d7c7c717447859e1ccc181bc97f7752cc3f7fa7afaee4c3a4266eeac32c08643)
@@ -78881,6 +78894,7 @@ class NatInstanceProps:
             check_type(argname="argument key_pair", value=key_pair, expected_type=type_hints["key_pair"])
             check_type(argname="argument machine_image", value=machine_image, expected_type=type_hints["machine_image"])
             check_type(argname="argument security_group", value=security_group, expected_type=type_hints["security_group"])
+            check_type(argname="argument user_data", value=user_data, expected_type=type_hints["user_data"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "instance_type": instance_type,
         }
@@ -78896,6 +78910,8 @@ class NatInstanceProps:
             self._values["machine_image"] = machine_image
         if security_group is not None:
             self._values["security_group"] = security_group
+        if user_data is not None:
+            self._values["user_data"] = user_data
 
     @builtins.property
     def instance_type(self) -> InstanceType:
@@ -78976,13 +78992,50 @@ class NatInstanceProps:
 
     @builtins.property
     def security_group(self) -> typing.Optional[ISecurityGroup]:
-        '''Security Group for NAT instances.
+        '''(deprecated) Security Group for NAT instances.
 
         :default: - A new security group will be created
+
+        :deprecated:
+
+        - Cannot create a new security group before the VPC is created,
+        and cannot create the VPC without the NAT provider.
+        Set {@link defaultAllowedTraffic } to {@link NatTrafficDirection.NONE }
+        and use {@link NatInstanceProviderV2.gatewayInstances } to retrieve
+        the instances on the fly and add security groups
+
+        :stability: deprecated
+
+        Example::
+
+            nat_gateway_provider = ec2.NatProvider.instance_v2(
+                instance_type=ec2.InstanceType("t3.small"),
+                default_allowed_traffic=ec2.NatTrafficDirection.NONE
+            )
+            vpc = ec2.Vpc(self, "Vpc", nat_gateway_provider=nat_gateway_provider)
+            
+            security_group = ec2.SecurityGroup(self, "SecurityGroup",
+                vpc=vpc,
+                allow_all_outbound=False
+            )
+            security_group.add_egress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443))
+            for gateway_instance in nat_gateway_provider.gateway_instances:
+                gateway_instance.add_security_group(security_group)
         '''
         result = self._values.get("security_group")
         return typing.cast(typing.Optional[ISecurityGroup], result)
 
+    @builtins.property
+    def user_data(self) -> typing.Optional["UserData"]:
+        '''Custom user data to run on the NAT instances.
+
+        :default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS);  - Appropriate user data commands to initialize and configure the NAT instances
+
+        :see: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#create-nat-ami
+        '''
+        result = self._values.get("user_data")
+        return typing.cast(typing.Optional["UserData"], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -79018,7 +79071,7 @@ class NatProvider(
         ec2.Vpc(self, "TheVPC",
             nat_gateway_provider=provider
         )
-        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.HTTP)
     '''
 
     def __init__(self) -> None:
@@ -79055,6 +79108,7 @@ class NatProvider(
         key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
+        user_data: typing.Optional["UserData"] = None,
     ) -> "NatInstanceProvider":
         '''(deprecated) Use NAT instances to provide NAT services for your VPC.
 
@@ -79070,7 +79124,8 @@ class NatProvider(
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
-        :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param security_group: (deprecated) Security Group for NAT instances. Default: - A new security group will be created
+        :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :deprecated:
 
@@ -79088,6 +79143,7 @@ class NatProvider(
             key_pair=key_pair,
             machine_image=machine_image,
             security_group=security_group,
+            user_data=user_data,
         )
 
         return typing.cast("NatInstanceProvider", jsii.sinvoke(cls, "instance", [props]))
@@ -79104,6 +79160,7 @@ class NatProvider(
         key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
+        user_data: typing.Optional["UserData"] = None,
     ) -> "NatInstanceProviderV2":
         '''Use NAT instances to provide NAT services for your VPC.
 
@@ -79119,7 +79176,8 @@ class NatProvider(
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
-        :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param security_group: (deprecated) Security Group for NAT instances. Default: - A new security group will be created
+        :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :see: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
         '''
@@ -79131,6 +79189,7 @@ class NatProvider(
             key_pair=key_pair,
             machine_image=machine_image,
             security_group=security_group,
+            user_data=user_data,
         )
 
         return typing.cast("NatInstanceProviderV2", jsii.sinvoke(cls, "instanceV2", [props]))
@@ -79227,17 +79286,19 @@ class NatTrafficDirection(enum.Enum):
 
     Example::
 
-        # instance_type: ec2.InstanceType
-        
-        
-        provider = ec2.NatProvider.instance_v2(
-            instance_type=instance_type,
-            default_allowed_traffic=ec2.NatTrafficDirection.OUTBOUND_ONLY
+        nat_gateway_provider = ec2.NatProvider.instance_v2(
+            instance_type=ec2.InstanceType("t3.small"),
+            default_allowed_traffic=ec2.NatTrafficDirection.NONE
         )
-        ec2.Vpc(self, "TheVPC",
-            nat_gateway_provider=provider
+        vpc = ec2.Vpc(self, "Vpc", nat_gateway_provider=nat_gateway_provider)
+        
+        security_group = ec2.SecurityGroup(self, "SecurityGroup",
+            vpc=vpc,
+            allow_all_outbound=False
         )
-        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+        security_group.add_egress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443))
+        for gateway_instance in nat_gateway_provider.gateway_instances:
+            gateway_instance.add_security_group(security_group)
     '''
 
     OUTBOUND_ONLY = "OUTBOUND_ONLY"
@@ -79844,17 +79905,20 @@ class Peer(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_ec2.Peer"):
 
     Example::
 
-        # instance_type: ec2.InstanceType
-        
+        # vpc: ec2.Vpc
         
-        provider = ec2.NatProvider.instance_v2(
-            instance_type=instance_type,
-            default_allowed_traffic=ec2.NatTrafficDirection.OUTBOUND_ONLY
-        )
-        ec2.Vpc(self, "TheVPC",
-            nat_gateway_provider=provider
+        cluster = msk.Cluster(self, "Cluster",
+            cluster_name="myCluster",
+            kafka_version=msk.KafkaVersion.V2_8_1,
+            vpc=vpc
         )
-        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+        
+        cluster.connections.allow_from(
+            ec2.Peer.ipv4("1.2.3.4/8"),
+            ec2.Port.tcp(2181))
+        cluster.connections.allow_from(
+            ec2.Peer.ipv4("1.2.3.4/8"),
+            ec2.Port.tcp(9094))
     '''
 
     def __init__(self) -> None:
@@ -80226,7 +80290,7 @@ class Port(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_ec2.Port"):
         ec2.Vpc(self, "TheVPC",
             nat_gateway_provider=provider
         )
-        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.HTTP)
     '''
 
     def __init__(
@@ -80389,6 +80453,108 @@ class Port(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_ec2.Port"):
     def to_string(self) -> builtins.str:
         return typing.cast(builtins.str, jsii.invoke(self, "toString", []))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="DNS_TCP")
+    def DNS_TCP(cls) -> "Port":
+        '''Well-known DNS port (TCP 53).'''
+        return typing.cast("Port", jsii.sget(cls, "DNS_TCP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="DNS_UDP")
+    def DNS_UDP(cls) -> "Port":
+        '''Well-known DNS port (UDP 53).'''
+        return typing.cast("Port", jsii.sget(cls, "DNS_UDP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="HTTP")
+    def HTTP(cls) -> "Port":
+        '''Well-known HTTP port (TCP 80).'''
+        return typing.cast("Port", jsii.sget(cls, "HTTP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="HTTPS")
+    def HTTPS(cls) -> "Port":
+        '''Well-known HTTPS port (TCP 443).'''
+        return typing.cast("Port", jsii.sget(cls, "HTTPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="IMAP")
+    def IMAP(cls) -> "Port":
+        '''Well-known IMAP port (TCP 143).'''
+        return typing.cast("Port", jsii.sget(cls, "IMAP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="IMAPS")
+    def IMAPS(cls) -> "Port":
+        '''Well-known IMAPS port (TCP 993).'''
+        return typing.cast("Port", jsii.sget(cls, "IMAPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="LDAP")
+    def LDAP(cls) -> "Port":
+        '''Well-known LDAP port (TCP 389).'''
+        return typing.cast("Port", jsii.sget(cls, "LDAP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MSSQL")
+    def MSSQL(cls) -> "Port":
+        '''Well-known Microsoft SQL Server port (TCP 1433).'''
+        return typing.cast("Port", jsii.sget(cls, "MSSQL"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MYSQL_AURORA")
+    def MYSQL_AURORA(cls) -> "Port":
+        '''Well-known MySQL and Aurora port (TCP 3306).'''
+        return typing.cast("Port", jsii.sget(cls, "MYSQL_AURORA"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="NFS")
+    def NFS(cls) -> "Port":
+        '''Well-known NFS port (TCP 2049).'''
+        return typing.cast("Port", jsii.sget(cls, "NFS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="POP3")
+    def POP3(cls) -> "Port":
+        '''Well-known POP3 port (TCP 110).'''
+        return typing.cast("Port", jsii.sget(cls, "POP3"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="POP3S")
+    def POP3_S(cls) -> "Port":
+        '''Well-known POP3S port (TCP 995).'''
+        return typing.cast("Port", jsii.sget(cls, "POP3S"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="POSTGRES")
+    def POSTGRES(cls) -> "Port":
+        '''Well-known PostgreSQL port (TCP 5432).'''
+        return typing.cast("Port", jsii.sget(cls, "POSTGRES"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="RDP")
+    def RDP(cls) -> "Port":
+        '''Well-known Microsoft Remote Desktop Protocol port (TCP 3389).'''
+        return typing.cast("Port", jsii.sget(cls, "RDP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SMB")
+    def SMB(cls) -> "Port":
+        '''Well-known SMB port (TCP 445).'''
+        return typing.cast("Port", jsii.sget(cls, "SMB"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SMTP")
+    def SMTP(cls) -> "Port":
+        '''Well-known SMTP port (TCP 25).'''
+        return typing.cast("Port", jsii.sget(cls, "SMTP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SSH")
+    def SSH(cls) -> "Port":
+        '''Well-known SSH port (TCP 22).'''
+        return typing.cast("Port", jsii.sget(cls, "SSH"))
+
     @builtins.property
     @jsii.member(jsii_name="canInlineRule")
     def can_inline_rule(self) -> builtins.bool:
@@ -81441,18 +81607,20 @@ class SecurityGroup(
            mutable=False
        )
 
-    :exampleMetadata: fixture=with-vpc infused
+    :exampleMetadata: infused
 
     Example::
 
-        my_security_group_without_inline_rules = ec2.SecurityGroup(self, "SecurityGroup",
+        # vpc: ec2.Vpc
+        
+        
+        my_security_group = ec2.SecurityGroup(self, "SecurityGroup", vpc=vpc)
+        autoscaling.AutoScalingGroup(self, "ASG",
             vpc=vpc,
-            description="Allow ssh access to ec2 instances",
-            allow_all_outbound=True,
-            disable_inline_rules=True
+            instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+            machine_image=ec2.MachineImage.latest_amazon_linux2(),
+            security_group=my_security_group
         )
-        # This will add the rule as an external cloud formation construct
-        my_security_group_without_inline_rules.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(22), "allow ssh access from the world")
     '''
 
     def __init__(
@@ -81912,15 +82080,13 @@ class SecurityGroupProps:
             # vpc: ec2.Vpc
             
             
-            security_group1 = ec2.SecurityGroup(self, "SecurityGroup1", vpc=vpc)
-            lb = elbv2.ApplicationLoadBalancer(self, "LB",
+            my_security_group = ec2.SecurityGroup(self, "SecurityGroup", vpc=vpc)
+            autoscaling.AutoScalingGroup(self, "ASG",
                 vpc=vpc,
-                internet_facing=True,
-                security_group=security_group1
+                instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+                machine_image=ec2.MachineImage.latest_amazon_linux2(),
+                security_group=my_security_group
             )
-            
-            security_group2 = ec2.SecurityGroup(self, "SecurityGroup2", vpc=vpc)
-            lb.add_security_group(security_group2)
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__4e55e0c52b51f92e83b1f8d6b7a5b22268d0369a14dab808b8f2f5f233e5b622)
@@ -83942,13 +84108,23 @@ class UserData(
 
     Example::
 
-        multipart_user_data = ec2.MultipartUserData()
-        commands_user_data = ec2.UserData.for_linux()
-        multipart_user_data.add_user_data_part(commands_user_data, ec2.MultipartBody.SHELL_SCRIPT, True)
+        # cluster: eks.Cluster
         
-        # Adding commands to the multipartUserData adds them to commandsUserData, and vice-versa.
-        multipart_user_data.add_commands("touch /root/multi.txt")
-        commands_user_data.add_commands("touch /root/userdata.txt")
+        user_data = ec2.UserData.for_linux()
+        user_data.add_commands("set -o xtrace", f"/etc/eks/bootstrap.sh {cluster.clusterName}")
+        lt = ec2.CfnLaunchTemplate(self, "LaunchTemplate",
+            launch_template_data=ec2.CfnLaunchTemplate.LaunchTemplateDataProperty(
+                image_id="some-ami-id",  # custom AMI
+                instance_type="t3.small",
+                user_data=Fn.base64(user_data.render())
+            )
+        )
+        cluster.add_nodegroup_capacity("extra-ng",
+            launch_template_spec=eks.LaunchTemplateSpec(
+                id=lt.ref,
+                version=lt.attr_latest_version_number
+            )
+        )
     '''
 
     def __init__(self) -> None:
@@ -91307,6 +91483,7 @@ class NatInstanceProvider(
         key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
+        user_data: typing.Optional[UserData] = None,
     ) -> None:
         '''
         :param instance_type: Instance type of the NAT instance.
@@ -91315,7 +91492,8 @@ class NatInstanceProvider(
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
-        :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param security_group: (deprecated) Security Group for NAT instances. Default: - A new security group will be created
+        :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :stability: deprecated
         '''
@@ -91327,6 +91505,7 @@ class NatInstanceProvider(
             key_pair=key_pair,
             machine_image=machine_image,
             security_group=security_group,
+            user_data=user_data,
         )
 
         jsii.create(self.__class__, self, [props])
@@ -91412,17 +91591,19 @@ class NatInstanceProviderV2(
 
     Example::
 
-        # instance_type: ec2.InstanceType
-        
-        
-        provider = ec2.NatProvider.instance_v2(
-            instance_type=instance_type,
-            default_allowed_traffic=ec2.NatTrafficDirection.OUTBOUND_ONLY
+        nat_gateway_provider = ec2.NatProvider.instance_v2(
+            instance_type=ec2.InstanceType("t3.small"),
+            default_allowed_traffic=ec2.NatTrafficDirection.NONE
         )
-        ec2.Vpc(self, "TheVPC",
-            nat_gateway_provider=provider
+        vpc = ec2.Vpc(self, "Vpc", nat_gateway_provider=nat_gateway_provider)
+        
+        security_group = ec2.SecurityGroup(self, "SecurityGroup",
+            vpc=vpc,
+            allow_all_outbound=False
         )
-        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+        security_group.add_egress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443))
+        for gateway_instance in nat_gateway_provider.gateway_instances:
+            gateway_instance.add_security_group(security_group)
     '''
 
     def __init__(
@@ -91435,6 +91616,7 @@ class NatInstanceProviderV2(
         key_pair: typing.Optional[IKeyPair] = None,
         machine_image: typing.Optional[IMachineImage] = None,
         security_group: typing.Optional[ISecurityGroup] = None,
+        user_data: typing.Optional[UserData] = None,
     ) -> None:
         '''
         :param instance_type: Instance type of the NAT instance.
@@ -91443,7 +91625,8 @@ class NatInstanceProviderV2(
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
-        :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param security_group: (deprecated) Security Group for NAT instances. Default: - A new security group will be created
+        :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
         '''
         props = NatInstanceProps(
             instance_type=instance_type,
@@ -91453,6 +91636,7 @@ class NatInstanceProviderV2(
             key_pair=key_pair,
             machine_image=machine_image,
             security_group=security_group,
+            user_data=user_data,
         )
 
         jsii.create(self.__class__, self, [props])
@@ -91492,6 +91676,15 @@ class NatInstanceProviderV2(
             check_type(argname="argument subnet", value=subnet, expected_type=type_hints["subnet"])
         return typing.cast(None, jsii.invoke(self, "configureSubnet", [subnet]))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="DEFAULT_USER_DATA_COMMANDS")
+    def DEFAULT_USER_DATA_COMMANDS(cls) -> typing.List[builtins.str]:
+        '''Amazon Linux 2023 NAT instance user data commands Enable iptables on the instance, enable persistent IP forwarding, configure NAT on instance.
+
+        :see: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#create-nat-ami
+        '''
+        return typing.cast(typing.List[builtins.str], jsii.sget(cls, "DEFAULT_USER_DATA_COMMANDS"))
+
     @builtins.property
     @jsii.member(jsii_name="configuredGateways")
     def configured_gateways(self) -> typing.List[GatewayConfig]:
@@ -91504,6 +91697,12 @@ class NatInstanceProviderV2(
         '''Manage the Security Groups associated with the NAT instances.'''
         return typing.cast(Connections, jsii.get(self, "connections"))
 
+    @builtins.property
+    @jsii.member(jsii_name="gatewayInstances")
+    def gateway_instances(self) -> typing.List[Instance]:
+        '''Array of gateway instances spawned by the provider after internal configuration.'''
+        return typing.cast(typing.List[Instance], jsii.get(self, "gatewayInstances"))
+
     @builtins.property
     @jsii.member(jsii_name="securityGroup")
     def security_group(self) -> ISecurityGroup:
@@ -94699,6 +94898,7 @@ def _typecheckingstub__16b41182e007e05b84fd0c97afc1e26001e78a56de2eb5b10c9f809de
     bgp_asn: jsii.Number,
     ip_address: builtins.str,
     type: builtins.str,
+    certificate_arn: typing.Optional[builtins.str] = None,
     device_name: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
@@ -94735,6 +94935,12 @@ def _typecheckingstub__ae973d5ca9904c069d03cbf10a1e3fdf7736cc00ca43663eb07598f97
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__4a4b900e840c5be3a2b16a5177f91335cf813daeca359e549a639cb05a03ac63(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__71d74664cf79e34328f5f6958fdd674c45b2780c9910dd252b7c5e9caba963f0(
     value: typing.Optional[builtins.str],
 ) -> None:
@@ -94752,6 +94958,7 @@ def _typecheckingstub__b0ef9a2e3e2b6937b21db500a1cd795126e924d9b920931a413ecdb66
     bgp_asn: jsii.Number,
     ip_address: builtins.str,
     type: builtins.str,
+    certificate_arn: typing.Optional[builtins.str] = None,
     device_name: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
@@ -97121,7 +97328,6 @@ def _typecheckingstub__da6f057643821e4198778db605300559763cd1d337144d841e7dd3934
 def _typecheckingstub__62e0d77a7fa9500aab5a08e932dc82213f11e05b31cf56f4654431c48342979e(
     *,
     auto_recovery: typing.Optional[builtins.str] = None,
-    reboot_migration: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -99031,7 +99237,6 @@ def _typecheckingstub__f7f9c3e8bd9fe395c2fb15fd9d38e6ef1ebca888c954597574840d202
     destination_prefix_list_id: typing.Optional[builtins.str] = None,
     destination_security_group_id: typing.Optional[builtins.str] = None,
     from_port: typing.Optional[jsii.Number] = None,
-    source_security_group_id: typing.Optional[builtins.str] = None,
     to_port: typing.Optional[jsii.Number] = None,
 ) -> None:
     """Type checking stubs"""
@@ -104109,6 +104314,7 @@ def _typecheckingstub__d7c7c717447859e1ccc181bc97f7752cc3f7fa7afaee4c3a4266eeac3
     key_pair: typing.Optional[IKeyPair] = None,
     machine_image: typing.Optional[IMachineImage] = None,
     security_group: typing.Optional[ISecurityGroup] = None,
+    user_data: typing.Optional[UserData] = None,
 ) -> None:
     """Type checking stubs"""
     pass