aws-cdk-lib 2.137.0__py3-none-any.whl → 2.139.0__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -218,10 +218,11 @@ provider = ec2.NatProvider.instance_v2(
 ec2.Vpc(self, "TheVPC",
     nat_gateway_provider=provider
 )
-provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.HTTP)
 ```
 
-You can also customize the characteristics of your NAT instances, as well as their initialization scripts:
+You can also customize the characteristics of your NAT instances, including their security group,
+as well as their initialization scripts:
 
 ```python
 # bucket: s3.Bucket
@@ -234,16 +235,20 @@ user_data.add_commands(
 
 provider = ec2.NatProvider.instance_v2(
     instance_type=ec2.InstanceType("t3.small"),
-    credit_specification=ec2.CpuCredits.UNLIMITED
+    credit_specification=ec2.CpuCredits.UNLIMITED,
+    default_allowed_traffic=ec2.NatTrafficDirection.NONE
 )
 
-ec2.Vpc(self, "TheVPC",
+vpc = ec2.Vpc(self, "TheVPC",
     nat_gateway_provider=provider,
     nat_gateways=2
 )
 
+security_group = ec2.SecurityGroup(self, "SecurityGroup", vpc=vpc)
+security_group.add_egress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443))
 for gateway in provider.gateway_instances:
     bucket.grant_write(gateway)
+    gateway.add_security_group(security_group)
 ```
 
 ```python
@@ -275,7 +280,7 @@ provider = ec2.NatProvider.instance(
 ec2.Vpc(self, "TheVPC",
     nat_gateway_provider=provider
 )
-provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.HTTP)
 ```
 
 ### Ip Address Management
@@ -762,13 +767,13 @@ take care of this for you:
 
 
 # Allow connections from anywhere
-load_balancer.connections.allow_from_any_ipv4(ec2.Port.tcp(443), "Allow inbound HTTPS")
+load_balancer.connections.allow_from_any_ipv4(ec2.Port.HTTPS, "Allow inbound HTTPS")
 
 # The same, but an explicit IP address
-load_balancer.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/32"), ec2.Port.tcp(443), "Allow inbound HTTPS")
+load_balancer.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/32"), ec2.Port.HTTPS, "Allow inbound HTTPS")
 
 # Allow connection between AutoScalingGroups
-app_fleet.connections.allow_to(db_fleet, ec2.Port.tcp(443), "App can call database")
+app_fleet.connections.allow_to(db_fleet, ec2.Port.HTTPS, "App can call database")
 ```
 
 ### Connection Peers
@@ -786,7 +791,7 @@ peer = ec2.Peer.any_ipv4()
 peer = ec2.Peer.ipv6("::0/0")
 peer = ec2.Peer.any_ipv6()
 peer = ec2.Peer.prefix_list("pl-12345")
-app_fleet.connections.allow_to(peer, ec2.Port.tcp(443), "Allow outbound HTTPS")
+app_fleet.connections.allow_to(peer, ec2.Port.HTTPS, "Allow outbound HTTPS")
 ```
 
 Any object that has a security group can itself be used as a connection peer:
@@ -798,9 +803,9 @@ Any object that has a security group can itself be used as a connection peer:
 
 
 # These automatically create appropriate ingress and egress rules in both security groups
-fleet1.connections.allow_to(fleet2, ec2.Port.tcp(80), "Allow between fleets")
+fleet1.connections.allow_to(fleet2, ec2.Port.HTTP, "Allow between fleets")
 
-app_fleet.connections.allow_from_any_ipv4(ec2.Port.tcp(80), "Allow from load balancer")
+app_fleet.connections.allow_from_any_ipv4(ec2.Port.HTTP, "Allow from load balancer")
 ```
 
 ### Port Ranges
@@ -810,6 +815,7 @@ the connection specifier:
 
 ```python
 ec2.Port.tcp(80)
+ec2.Port.HTTPS
 ec2.Port.tcp_range(60000, 65535)
 ec2.Port.all_tcp()
 ec2.Port.all_icmp()
@@ -864,7 +870,7 @@ my_security_group_without_inline_rules = ec2.SecurityGroup(self, "SecurityGroup"
     disable_inline_rules=True
 )
 # This will add the rule as an external cloud formation construct
-my_security_group_without_inline_rules.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(22), "allow ssh access from the world")
+my_security_group_without_inline_rules.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.SSH, "allow ssh access from the world")
 ```
 
 ### Importing an existing security group
@@ -9343,11 +9349,13 @@ class CfnCustomerGateway(
         from aws_cdk import aws_ec2 as ec2
         
         cfn_customer_gateway = ec2.CfnCustomerGateway(self, "MyCfnCustomerGateway",
-            bgp_asn=123,
             ip_address="ipAddress",
             type="type",
         
             # the properties below are optional
+            bgp_asn=123,
+            bgp_asn_extended=123,
+            certificate_arn="certificateArn",
             device_name="deviceName",
             tags=[CfnTag(
                 key="key",
@@ -9361,18 +9369,22 @@ class CfnCustomerGateway(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
-        bgp_asn: jsii.Number,
         ip_address: builtins.str,
         type: builtins.str,
+        bgp_asn: typing.Optional[jsii.Number] = None,
+        bgp_asn_extended: typing.Optional[jsii.Number] = None,
+        certificate_arn: typing.Optional[builtins.str] = None,
         device_name: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param bgp_asn: For devices that support BGP, the customer gateway's BGP ASN. Default: 65000 Default: - 65000
         :param ip_address: IPv4 address for the customer gateway device's outside interface. The address must be static.
         :param type: The type of VPN connection that this customer gateway supports ( ``ipsec.1`` ).
+        :param bgp_asn: For devices that support BGP, the customer gateway's BGP ASN. Default: 65000 Default: - 65000
+        :param bgp_asn_extended: 
+        :param certificate_arn: The Amazon Resource Name (ARN) for the customer gateway certificate.
         :param device_name: The name of customer gateway device.
         :param tags: One or more tags for the customer gateway.
         '''
@@ -9381,9 +9393,11 @@ class CfnCustomerGateway(
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = CfnCustomerGatewayProps(
-            bgp_asn=bgp_asn,
             ip_address=ip_address,
             type=type,
+            bgp_asn=bgp_asn,
+            bgp_asn_extended=bgp_asn_extended,
+            certificate_arn=certificate_arn,
             device_name=device_name,
             tags=tags,
         )
@@ -9440,19 +9454,6 @@ class CfnCustomerGateway(
         '''Tag Manager which manages the tags for this resource.'''
         return typing.cast(_TagManager_0a598cb3, jsii.get(self, "tags"))
 
-    @builtins.property
-    @jsii.member(jsii_name="bgpAsn")
-    def bgp_asn(self) -> jsii.Number:
-        '''For devices that support BGP, the customer gateway's BGP ASN.'''
-        return typing.cast(jsii.Number, jsii.get(self, "bgpAsn"))
-
-    @bgp_asn.setter
-    def bgp_asn(self, value: jsii.Number) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__84dfb7d1775bd2bb124f990570c9a2ef23fafd01744cfe248fcb360562f57ca9)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "bgpAsn", value)
-
     @builtins.property
     @jsii.member(jsii_name="ipAddress")
     def ip_address(self) -> builtins.str:
@@ -9479,6 +9480,44 @@ class CfnCustomerGateway(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "type", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="bgpAsn")
+    def bgp_asn(self) -> typing.Optional[jsii.Number]:
+        '''For devices that support BGP, the customer gateway's BGP ASN.'''
+        return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "bgpAsn"))
+
+    @bgp_asn.setter
+    def bgp_asn(self, value: typing.Optional[jsii.Number]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__84dfb7d1775bd2bb124f990570c9a2ef23fafd01744cfe248fcb360562f57ca9)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "bgpAsn", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="bgpAsnExtended")
+    def bgp_asn_extended(self) -> typing.Optional[jsii.Number]:
+        return typing.cast(typing.Optional[jsii.Number], jsii.get(self, "bgpAsnExtended"))
+
+    @bgp_asn_extended.setter
+    def bgp_asn_extended(self, value: typing.Optional[jsii.Number]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__f41644d25c48e5c3c87a361ba478bdb4a18bf473fe1582fa35c6311f6d5284d8)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "bgpAsnExtended", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="certificateArn")
+    def certificate_arn(self) -> typing.Optional[builtins.str]:
+        '''The Amazon Resource Name (ARN) for the customer gateway certificate.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "certificateArn"))
+
+    @certificate_arn.setter
+    def certificate_arn(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__4a4b900e840c5be3a2b16a5177f91335cf813daeca359e549a639cb05a03ac63)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "certificateArn", value)
+
     @builtins.property
     @jsii.member(jsii_name="deviceName")
     def device_name(self) -> typing.Optional[builtins.str]:
@@ -9510,9 +9549,11 @@ class CfnCustomerGateway(
     jsii_type="aws-cdk-lib.aws_ec2.CfnCustomerGatewayProps",
     jsii_struct_bases=[],
     name_mapping={
-        "bgp_asn": "bgpAsn",
         "ip_address": "ipAddress",
         "type": "type",
+        "bgp_asn": "bgpAsn",
+        "bgp_asn_extended": "bgpAsnExtended",
+        "certificate_arn": "certificateArn",
         "device_name": "deviceName",
         "tags": "tags",
     },
@@ -9521,17 +9562,21 @@ class CfnCustomerGatewayProps:
     def __init__(
         self,
         *,
-        bgp_asn: jsii.Number,
         ip_address: builtins.str,
         type: builtins.str,
+        bgp_asn: typing.Optional[jsii.Number] = None,
+        bgp_asn_extended: typing.Optional[jsii.Number] = None,
+        certificate_arn: typing.Optional[builtins.str] = None,
         device_name: typing.Optional[builtins.str] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''Properties for defining a ``CfnCustomerGateway``.
 
-        :param bgp_asn: For devices that support BGP, the customer gateway's BGP ASN. Default: 65000 Default: - 65000
         :param ip_address: IPv4 address for the customer gateway device's outside interface. The address must be static.
         :param type: The type of VPN connection that this customer gateway supports ( ``ipsec.1`` ).
+        :param bgp_asn: For devices that support BGP, the customer gateway's BGP ASN. Default: 65000 Default: - 65000
+        :param bgp_asn_extended: 
+        :param certificate_arn: The Amazon Resource Name (ARN) for the customer gateway certificate.
         :param device_name: The name of customer gateway device.
         :param tags: One or more tags for the customer gateway.
 
@@ -9545,11 +9590,13 @@ class CfnCustomerGatewayProps:
             from aws_cdk import aws_ec2 as ec2
             
             cfn_customer_gateway_props = ec2.CfnCustomerGatewayProps(
-                bgp_asn=123,
                 ip_address="ipAddress",
                 type="type",
             
                 # the properties below are optional
+                bgp_asn=123,
+                bgp_asn_extended=123,
+                certificate_arn="certificateArn",
                 device_name="deviceName",
                 tags=[CfnTag(
                     key="key",
@@ -9559,35 +9606,28 @@ class CfnCustomerGatewayProps:
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__b0ef9a2e3e2b6937b21db500a1cd795126e924d9b920931a413ecdb668bfc7ec)
-            check_type(argname="argument bgp_asn", value=bgp_asn, expected_type=type_hints["bgp_asn"])
             check_type(argname="argument ip_address", value=ip_address, expected_type=type_hints["ip_address"])
             check_type(argname="argument type", value=type, expected_type=type_hints["type"])
+            check_type(argname="argument bgp_asn", value=bgp_asn, expected_type=type_hints["bgp_asn"])
+            check_type(argname="argument bgp_asn_extended", value=bgp_asn_extended, expected_type=type_hints["bgp_asn_extended"])
+            check_type(argname="argument certificate_arn", value=certificate_arn, expected_type=type_hints["certificate_arn"])
             check_type(argname="argument device_name", value=device_name, expected_type=type_hints["device_name"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
-            "bgp_asn": bgp_asn,
             "ip_address": ip_address,
             "type": type,
         }
+        if bgp_asn is not None:
+            self._values["bgp_asn"] = bgp_asn
+        if bgp_asn_extended is not None:
+            self._values["bgp_asn_extended"] = bgp_asn_extended
+        if certificate_arn is not None:
+            self._values["certificate_arn"] = certificate_arn
         if device_name is not None:
             self._values["device_name"] = device_name
         if tags is not None:
             self._values["tags"] = tags
 
-    @builtins.property
-    def bgp_asn(self) -> jsii.Number:
-        '''For devices that support BGP, the customer gateway's BGP ASN.
-
-        Default: 65000
-
-        :default: - 65000
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customergateway.html#cfn-ec2-customergateway-bgpasn
-        '''
-        result = self._values.get("bgp_asn")
-        assert result is not None, "Required property 'bgp_asn' is missing"
-        return typing.cast(jsii.Number, result)
-
     @builtins.property
     def ip_address(self) -> builtins.str:
         '''IPv4 address for the customer gateway device's outside interface.
@@ -9610,6 +9650,36 @@ class CfnCustomerGatewayProps:
         assert result is not None, "Required property 'type' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def bgp_asn(self) -> typing.Optional[jsii.Number]:
+        '''For devices that support BGP, the customer gateway's BGP ASN.
+
+        Default: 65000
+
+        :default: - 65000
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customergateway.html#cfn-ec2-customergateway-bgpasn
+        '''
+        result = self._values.get("bgp_asn")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def bgp_asn_extended(self) -> typing.Optional[jsii.Number]:
+        '''
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customergateway.html#cfn-ec2-customergateway-bgpasnextended
+        '''
+        result = self._values.get("bgp_asn_extended")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def certificate_arn(self) -> typing.Optional[builtins.str]:
+        '''The Amazon Resource Name (ARN) for the customer gateway certificate.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customergateway.html#cfn-ec2-customergateway-certificatearn
+        '''
+        result = self._values.get("certificate_arn")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def device_name(self) -> typing.Optional[builtins.str]:
         '''The name of customer gateway device.
@@ -19177,8 +19247,8 @@ class CfnInstance(
         :param credit_specification: The credit option for CPU usage of the burstable performance instance. Valid values are ``standard`` and ``unlimited`` . To change this attribute after launch, use `ModifyInstanceCreditSpecification <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCreditSpecification.html>`_ . For more information, see `Burstable performance instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html>`_ in the *Amazon EC2 User Guide* . Default: ``standard`` (T2 instances) or ``unlimited`` (T3/T3a/T4g instances) For T3 instances with ``host`` tenancy, only ``standard`` is supported.
         :param disable_api_termination: If you set this parameter to ``true`` , you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. To change this attribute after launch, use `ModifyInstanceAttribute <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html>`_ . Alternatively, if you set ``InstanceInitiatedShutdownBehavior`` to ``terminate`` , you can terminate the instance by running the shutdown command from the instance. Default: ``false``
         :param ebs_optimized: Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance. Default: ``false``
-        :param elastic_gpu_specifications: Deprecated. .. epigraph:: Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.
-        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads. You cannot specify accelerators from different generations in the same request. .. epigraph:: Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
+        :param elastic_gpu_specifications: An elastic GPU to associate with the instance. .. epigraph:: Amazon Elastic Graphics reached end of life on January 8, 2024.
+        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. .. epigraph:: Amazon Elastic Inference (EI) is no longer available to new customers. For more information, see `Amazon Elastic Inference FAQs <https://docs.aws.amazon.com/machine-learning/elastic-inference/faqs/>`_ .
         :param enclave_options: Indicates whether the instance is enabled for AWS Nitro Enclaves.
         :param hibernation_options: Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance meets the `hibernation prerequisites <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html>`_ . For more information, see `Hibernate your instance <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html>`_ in the *Amazon EC2 User Guide* . You can't enable hibernation and AWS Nitro Enclaves on the same instance.
         :param host_id: If you specify host for the ``Affinity`` property, the ID of a dedicated host that the instance is associated with. If you don't specify an ID, Amazon EC2 launches the instance onto any available, compatible dedicated host in your account. This type of launch is called an untargeted launch. Note that for untargeted launches, you must have a compatible, dedicated host available to successfully launch instances.
@@ -19204,7 +19274,7 @@ class CfnInstance(
         :param security_groups: [Default VPC] The names of the security groups. For a nondefault VPC, you must use security group IDs instead. You cannot specify this option and the network interfaces option in the same request. The list can contain both the name of existing Amazon EC2 security groups or references to AWS::EC2::SecurityGroup resources created in the template. Default: Amazon EC2 uses the default security group.
         :param source_dest_check: Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is ``true`` , source/destination checks are enabled; otherwise, they are disabled. The default value is ``true`` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
         :param ssm_associations: The SSM `document <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html>`_ and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see `Create an IAM instance profile for Systems Manager <https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html>`_ in the *AWS Systems Manager User Guide* . .. epigraph:: You can associate only one document with an instance.
-        :param subnet_id: The ID of the subnet to launch the instance into. If you specify a network interface, you must specify any subnets as part of the network interface.
+        :param subnet_id: The ID of the subnet to launch the instance into. If you specify a network interface, you must specify any subnets as part of the network interface instead of using this parameter.
         :param tags: The tags to add to the instance. These tags are not applied to the EBS volumes, such as the root volume, unless `PropagateTagsToVolumeOnCreation <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-propagatetagstovolumeoncreation>`_ is ``true`` .
         :param tenancy: The tenancy of the instance. An instance with a tenancy of ``dedicated`` runs on single-tenant hardware.
         :param user_data: The parameters or scripts to store as user data. Any scripts in user data are run when you launch the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see `Fn::Base64 <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html>`_ . If the root volume is an EBS volume and you update user data, CloudFormation restarts the instance. If the root volume is an instance store volume and you update user data, the instance is replaced.
@@ -19297,14 +19367,6 @@ class CfnInstance(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrAvailabilityZone"))
 
-    @builtins.property
-    @jsii.member(jsii_name="attrId")
-    def attr_id(self) -> builtins.str:
-        '''
-        :cloudformationAttribute: Id
-        '''
-        return typing.cast(builtins.str, jsii.get(self, "attrId"))
-
     @builtins.property
     @jsii.member(jsii_name="attrInstanceId")
     def attr_instance_id(self) -> builtins.str:
@@ -19512,7 +19574,7 @@ class CfnInstance(
     def elastic_gpu_specifications(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnInstance.ElasticGpuSpecificationProperty"]]]]:
-        '''Deprecated.'''
+        '''An elastic GPU to associate with the instance.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnInstance.ElasticGpuSpecificationProperty"]]]], jsii.get(self, "elasticGpuSpecifications"))
 
     @elastic_gpu_specifications.setter
@@ -20940,11 +21002,9 @@ class CfnInstance(
             - The ID or the name of the launch template, but not both.
             - The version of the launch template.
 
-            ``LaunchTemplateSpecification`` is a property of the `AWS::EC2::Instance <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html>`_ resource.
-
             For information about creating a launch template, see `AWS::EC2::LaunchTemplate <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html>`_ and `Create a launch template <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template>`_ in the *Amazon EC2 User Guide* .
 
-            For examples of launch templates, see `Examples <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples>`_ .
+            For example launch templates, see the `Examples <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate--examples>`_ for ``AWS::EC2::LaunchTemplate`` .
 
             :param version: The version number of the launch template. Specifying ``$Latest`` or ``$Default`` for the template version number is not supported. However, you can specify ``LatestVersionNumber`` or ``DefaultVersionNumber`` using the ``Fn::GetAtt`` intrinsic function. For more information, see `Fn::GetAtt <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#aws-resource-ec2-launchtemplate-return-values-fn--getatt>`_ .
             :param launch_template_id: The ID of the launch template. You must specify the ``LaunchTemplateId`` or the ``LaunchTemplateName`` , but not both.
@@ -21134,7 +21194,7 @@ class CfnInstance(
             :param private_ip_address: The private IPv4 address of the network interface. Applies only if creating a network interface when launching an instance.
             :param private_ip_addresses: One or more private IPv4 addresses to assign to the network interface. Only one private IPv4 address can be designated as primary.
             :param secondary_private_ip_address_count: The number of secondary private IPv4 addresses. You can't specify this option and specify more than one private IP address using the private IP addresses option.
-            :param subnet_id: The ID of the subnet associated with the network interface. Applies only if creating a network interface when launching an instance.
+            :param subnet_id: The ID of the subnet associated with the network interface.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance-networkinterface.html
             :exampleMetadata: fixture=_generated
@@ -21360,8 +21420,6 @@ class CfnInstance(
         def subnet_id(self) -> typing.Optional[builtins.str]:
             '''The ID of the subnet associated with the network interface.
 
-            Applies only if creating a network interface when launching an instance.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance-networkinterface.html#cfn-ec2-instance-networkinterface-subnetid
             '''
             result = self._values.get("subnet_id")
@@ -22171,8 +22229,8 @@ class CfnInstanceProps:
         :param credit_specification: The credit option for CPU usage of the burstable performance instance. Valid values are ``standard`` and ``unlimited`` . To change this attribute after launch, use `ModifyInstanceCreditSpecification <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceCreditSpecification.html>`_ . For more information, see `Burstable performance instances <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html>`_ in the *Amazon EC2 User Guide* . Default: ``standard`` (T2 instances) or ``unlimited`` (T3/T3a/T4g instances) For T3 instances with ``host`` tenancy, only ``standard`` is supported.
         :param disable_api_termination: If you set this parameter to ``true`` , you can't terminate the instance using the Amazon EC2 console, CLI, or API; otherwise, you can. To change this attribute after launch, use `ModifyInstanceAttribute <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html>`_ . Alternatively, if you set ``InstanceInitiatedShutdownBehavior`` to ``terminate`` , you can terminate the instance by running the shutdown command from the instance. Default: ``false``
         :param ebs_optimized: Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance. Default: ``false``
-        :param elastic_gpu_specifications: Deprecated. .. epigraph:: Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.
-        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads. You cannot specify accelerators from different generations in the same request. .. epigraph:: Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
+        :param elastic_gpu_specifications: An elastic GPU to associate with the instance. .. epigraph:: Amazon Elastic Graphics reached end of life on January 8, 2024.
+        :param elastic_inference_accelerators: An elastic inference accelerator to associate with the instance. .. epigraph:: Amazon Elastic Inference (EI) is no longer available to new customers. For more information, see `Amazon Elastic Inference FAQs <https://docs.aws.amazon.com/machine-learning/elastic-inference/faqs/>`_ .
         :param enclave_options: Indicates whether the instance is enabled for AWS Nitro Enclaves.
         :param hibernation_options: Indicates whether an instance is enabled for hibernation. This parameter is valid only if the instance meets the `hibernation prerequisites <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html>`_ . For more information, see `Hibernate your instance <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html>`_ in the *Amazon EC2 User Guide* . You can't enable hibernation and AWS Nitro Enclaves on the same instance.
         :param host_id: If you specify host for the ``Affinity`` property, the ID of a dedicated host that the instance is associated with. If you don't specify an ID, Amazon EC2 launches the instance onto any available, compatible dedicated host in your account. This type of launch is called an untargeted launch. Note that for untargeted launches, you must have a compatible, dedicated host available to successfully launch instances.
@@ -22198,7 +22256,7 @@ class CfnInstanceProps:
         :param security_groups: [Default VPC] The names of the security groups. For a nondefault VPC, you must use security group IDs instead. You cannot specify this option and the network interfaces option in the same request. The list can contain both the name of existing Amazon EC2 security groups or references to AWS::EC2::SecurityGroup resources created in the template. Default: Amazon EC2 uses the default security group.
         :param source_dest_check: Enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. If the value is ``true`` , source/destination checks are enabled; otherwise, they are disabled. The default value is ``true`` . You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.
         :param ssm_associations: The SSM `document <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-document.html>`_ and parameter values in AWS Systems Manager to associate with this instance. To use this property, you must specify an IAM instance profile role for the instance. For more information, see `Create an IAM instance profile for Systems Manager <https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-configuring-access-role.html>`_ in the *AWS Systems Manager User Guide* . .. epigraph:: You can associate only one document with an instance.
-        :param subnet_id: The ID of the subnet to launch the instance into. If you specify a network interface, you must specify any subnets as part of the network interface.
+        :param subnet_id: The ID of the subnet to launch the instance into. If you specify a network interface, you must specify any subnets as part of the network interface instead of using this parameter.
         :param tags: The tags to add to the instance. These tags are not applied to the EBS volumes, such as the root volume, unless `PropagateTagsToVolumeOnCreation <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-propagatetagstovolumeoncreation>`_ is ``true`` .
         :param tenancy: The tenancy of the instance. An instance with a tenancy of ``dedicated`` runs on single-tenant hardware.
         :param user_data: The parameters or scripts to store as user data. Any scripts in user data are run when you launch the instance. User data is limited to 16 KB. You must provide base64-encoded text. For more information, see `Fn::Base64 <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-base64.html>`_ . If the root volume is an EBS volume and you update user data, CloudFormation restarts the instance. If the root volume is an instance store volume and you update user data, the instance is replaced.
@@ -22575,11 +22633,11 @@ class CfnInstanceProps:
     def elastic_gpu_specifications(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnInstance.ElasticGpuSpecificationProperty]]]]:
-        '''Deprecated.
+        '''An elastic GPU to associate with the instance.
 
         .. epigraph::
 
-           Amazon Elastic Graphics reached end of life on January 8, 2024. For workloads that require graphics acceleration, we recommend that you use Amazon EC2 G4ad, G4dn, or G5 instances.
+           Amazon Elastic Graphics reached end of life on January 8, 2024.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html#cfn-ec2-instance-elasticgpuspecifications
         '''
@@ -22592,12 +22650,9 @@ class CfnInstanceProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnInstance.ElasticInferenceAcceleratorProperty]]]]:
         '''An elastic inference accelerator to associate with the instance.
 
-        Elastic inference accelerators are a resource you can attach to your Amazon EC2 instances to accelerate your Deep Learning (DL) inference workloads.
-
-        You cannot specify accelerators from different generations in the same request.
         .. epigraph::
 
-           Starting April 15, 2023, AWS will not onboard new customers to Amazon Elastic Inference (EI), and will help current customers migrate their workloads to options that offer better price and performance. After April 15, 2023, new customers will not be able to launch instances with Amazon EI accelerators in Amazon SageMaker, Amazon ECS, or Amazon EC2. However, customers who have used Amazon EI at least once during the past 30-day period are considered current customers and will be able to continue using the service.
+           Amazon Elastic Inference (EI) is no longer available to new customers. For more information, see `Amazon Elastic Inference FAQs <https://docs.aws.amazon.com/machine-learning/elastic-inference/faqs/>`_ .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html#cfn-ec2-instance-elasticinferenceaccelerators
         '''
@@ -22924,7 +22979,7 @@ class CfnInstanceProps:
     def subnet_id(self) -> typing.Optional[builtins.str]:
         '''The ID of the subnet to launch the instance into.
 
-        If you specify a network interface, you must specify any subnets as part of the network interface.
+        If you specify a network interface, you must specify any subnets as part of the network interface instead of using this parameter.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html#cfn-ec2-instance-subnetid
         '''
@@ -26092,12 +26147,12 @@ class CfnLaunchTemplate(
             :param maintenance_options: The maintenance options of your instance.
             :param metadata_options: The metadata options for the instance. For more information, see `Instance metadata and user data <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html>`_ in the *Amazon Elastic Compute Cloud User Guide* .
             :param monitoring: The monitoring for the instance.
-            :param network_interfaces: One or more network interfaces. If you specify a network interface, you must specify any security groups and subnets as part of the network interface.
+            :param network_interfaces: The network interfaces for the instance.
             :param placement: The placement for the instance.
             :param private_dns_name_options: The hostname type for EC2 instances launched into this subnet and how DNS A and AAAA record queries should be handled. For more information, see `Amazon EC2 instance hostname types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-naming.html>`_ in the *Amazon Elastic Compute Cloud User Guide* .
             :param ram_disk_id: The ID of the RAM disk. .. epigraph:: We recommend that you use PV-GRUB instead of kernels and RAM disks. For more information, see `User provided kernels <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedkernels.html>`_ in the *Amazon Elastic Compute Cloud User Guide* .
-            :param security_group_ids: The IDs of the security groups. You can specify the IDs of existing security groups and references to resources created by the stack template.
-            :param security_groups: One or more security group names. For a nondefault VPC, you must use security group IDs instead.
+            :param security_group_ids: The IDs of the security groups. You can specify the IDs of existing security groups and references to resources created by the stack template. If you specify a network interface, you must specify any security groups as part of the network interface instead.
+            :param security_groups: The names of the security groups. For a nondefault VPC, you must use security group IDs instead. If you specify a network interface, you must specify any security groups as part of the network interface instead of using this parameter.
             :param tag_specifications: The tags to apply to the resources that are created during instance launch. To tag a resource after it has been created, see `CreateTags <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html>`_ . To tag the launch template itself, use `TagSpecifications <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html#cfn-ec2-launchtemplate-tagspecifications>`_ .
             :param user_data: The user data to make available to the instance. You must provide base64-encoded text. User data is limited to 16 KB. For more information, see `Run commands on your Linux instance at launch <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html>`_ (Linux) or `Work with instance user data <https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/instancedata-add-user-data.html>`_ (Windows) in the *Amazon Elastic Compute Cloud User Guide* . If you are creating the launch template for use with AWS Batch , the user data must be provided in the `MIME multi-part archive format <https://docs.aws.amazon.com/https://cloudinit.readthedocs.io/en/latest/topics/format.html#mime-multi-part-archive>`_ . For more information, see `Amazon EC2 user data in launch templates <https://docs.aws.amazon.com/batch/latest/userguide/launch-templates.html>`_ in the *AWS Batch User Guide* .
 
@@ -26233,8 +26288,7 @@ class CfnLaunchTemplate(
                         license_configuration_arn="licenseConfigurationArn"
                     )],
                     maintenance_options=ec2.CfnLaunchTemplate.MaintenanceOptionsProperty(
-                        auto_recovery="autoRecovery",
-                        reboot_migration="rebootMigration"
+                        auto_recovery="autoRecovery"
                     ),
                     metadata_options=ec2.CfnLaunchTemplate.MetadataOptionsProperty(
                         http_endpoint="httpEndpoint",
@@ -26732,9 +26786,7 @@ class CfnLaunchTemplate(
         def network_interfaces(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnLaunchTemplate.NetworkInterfaceProperty"]]]]:
-            '''One or more network interfaces.
-
-            If you specify a network interface, you must specify any security groups and subnets as part of the network interface.
+            '''The network interfaces for the instance.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-networkinterfaces
             '''
@@ -26784,6 +26836,8 @@ class CfnLaunchTemplate(
 
             You can specify the IDs of existing security groups and references to resources created by the stack template.
 
+            If you specify a network interface, you must specify any security groups as part of the network interface instead.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-securitygroupids
             '''
             result = self._values.get("security_group_ids")
@@ -26791,9 +26845,9 @@ class CfnLaunchTemplate(
 
         @builtins.property
         def security_groups(self) -> typing.Optional[typing.List[builtins.str]]:
-            '''One or more security group names.
+            '''The names of the security groups. For a nondefault VPC, you must use security group IDs instead.
 
-            For a nondefault VPC, you must use security group IDs instead.
+            If you specify a network interface, you must specify any security groups as part of the network interface instead of using this parameter.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-securitygroups
             '''
@@ -27052,22 +27106,17 @@ class CfnLaunchTemplate(
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_ec2.CfnLaunchTemplate.MaintenanceOptionsProperty",
         jsii_struct_bases=[],
-        name_mapping={
-            "auto_recovery": "autoRecovery",
-            "reboot_migration": "rebootMigration",
-        },
+        name_mapping={"auto_recovery": "autoRecovery"},
     )
     class MaintenanceOptionsProperty:
         def __init__(
             self,
             *,
             auto_recovery: typing.Optional[builtins.str] = None,
-            reboot_migration: typing.Optional[builtins.str] = None,
         ) -> None:
             '''The maintenance options of your instance.
 
             :param auto_recovery: Disables the automatic recovery behavior of your instance or sets it to default.
-            :param reboot_migration: 
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-maintenanceoptions.html
             :exampleMetadata: fixture=_generated
@@ -27079,19 +27128,15 @@ class CfnLaunchTemplate(
                 from aws_cdk import aws_ec2 as ec2
                 
                 maintenance_options_property = ec2.CfnLaunchTemplate.MaintenanceOptionsProperty(
-                    auto_recovery="autoRecovery",
-                    reboot_migration="rebootMigration"
+                    auto_recovery="autoRecovery"
                 )
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__62e0d77a7fa9500aab5a08e932dc82213f11e05b31cf56f4654431c48342979e)
                 check_type(argname="argument auto_recovery", value=auto_recovery, expected_type=type_hints["auto_recovery"])
-                check_type(argname="argument reboot_migration", value=reboot_migration, expected_type=type_hints["reboot_migration"])
             self._values: typing.Dict[builtins.str, typing.Any] = {}
             if auto_recovery is not None:
                 self._values["auto_recovery"] = auto_recovery
-            if reboot_migration is not None:
-                self._values["reboot_migration"] = reboot_migration
 
         @builtins.property
         def auto_recovery(self) -> typing.Optional[builtins.str]:
@@ -27102,14 +27147,6 @@ class CfnLaunchTemplate(
             result = self._values.get("auto_recovery")
             return typing.cast(typing.Optional[builtins.str], result)
 
-        @builtins.property
-        def reboot_migration(self) -> typing.Optional[builtins.str]:
-            '''
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-maintenanceoptions.html#cfn-ec2-launchtemplate-maintenanceoptions-rebootmigration
-            '''
-            result = self._values.get("reboot_migration")
-            return typing.cast(typing.Optional[builtins.str], result)
-
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -40429,7 +40466,7 @@ class CfnSecurityGroup(
 
     To create a security group, use the `VpcId <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-vpcid>`_ property to specify the VPC for which to create the security group.
 
-    If you do not specify an egress rule, we add egress rules that allow IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules. If you later remove your egress rules, we restore the default egress rules.
+    If you do not specify an egress rule, we add egress rules that allow IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules.
 
     This type supports updates. For more information about updating stacks, see `AWS CloudFormation Stacks Updates <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html>`_ .
     .. epigraph::
@@ -40461,7 +40498,6 @@ class CfnSecurityGroup(
                 destination_prefix_list_id="destinationPrefixListId",
                 destination_security_group_id="destinationSecurityGroupId",
                 from_port=123,
-                source_security_group_id="sourceSecurityGroupId",
                 to_port=123
             )],
             security_group_ingress=[ec2.CfnSecurityGroup.IngressProperty(
@@ -40692,7 +40728,6 @@ class CfnSecurityGroup(
             "destination_prefix_list_id": "destinationPrefixListId",
             "destination_security_group_id": "destinationSecurityGroupId",
             "from_port": "fromPort",
-            "source_security_group_id": "sourceSecurityGroupId",
             "to_port": "toPort",
         },
     )
@@ -40707,7 +40742,6 @@ class CfnSecurityGroup(
             destination_prefix_list_id: typing.Optional[builtins.str] = None,
             destination_security_group_id: typing.Optional[builtins.str] = None,
             from_port: typing.Optional[jsii.Number] = None,
-            source_security_group_id: typing.Optional[builtins.str] = None,
             to_port: typing.Optional[jsii.Number] = None,
         ) -> None:
             '''Adds the specified outbound (egress) rule to a security group.
@@ -40727,7 +40761,6 @@ class CfnSecurityGroup(
             :param destination_prefix_list_id: The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
             :param destination_security_group_id: The ID of the destination VPC security group. You must specify exactly one of the following: ``CidrIp`` , ``CidrIpv6`` , ``DestinationPrefixListId`` , or ``DestinationSecurityGroupId`` .
             :param from_port: If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
-            :param source_security_group_id: 
             :param to_port: If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-securitygroup-egress.html
@@ -40749,7 +40782,6 @@ class CfnSecurityGroup(
                     destination_prefix_list_id="destinationPrefixListId",
                     destination_security_group_id="destinationSecurityGroupId",
                     from_port=123,
-                    source_security_group_id="sourceSecurityGroupId",
                     to_port=123
                 )
             '''
@@ -40762,7 +40794,6 @@ class CfnSecurityGroup(
                 check_type(argname="argument destination_prefix_list_id", value=destination_prefix_list_id, expected_type=type_hints["destination_prefix_list_id"])
                 check_type(argname="argument destination_security_group_id", value=destination_security_group_id, expected_type=type_hints["destination_security_group_id"])
                 check_type(argname="argument from_port", value=from_port, expected_type=type_hints["from_port"])
-                check_type(argname="argument source_security_group_id", value=source_security_group_id, expected_type=type_hints["source_security_group_id"])
                 check_type(argname="argument to_port", value=to_port, expected_type=type_hints["to_port"])
             self._values: typing.Dict[builtins.str, typing.Any] = {
                 "ip_protocol": ip_protocol,
@@ -40779,8 +40810,6 @@ class CfnSecurityGroup(
                 self._values["destination_security_group_id"] = destination_security_group_id
             if from_port is not None:
                 self._values["from_port"] = from_port
-            if source_security_group_id is not None:
-                self._values["source_security_group_id"] = source_security_group_id
             if to_port is not None:
                 self._values["to_port"] = to_port
 
@@ -40868,14 +40897,6 @@ class CfnSecurityGroup(
             result = self._values.get("from_port")
             return typing.cast(typing.Optional[jsii.Number], result)
 
-        @builtins.property
-        def source_security_group_id(self) -> typing.Optional[builtins.str]:
-            '''
-            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-securitygroup-egress.html#cfn-ec2-securitygroup-egress-sourcesecuritygroupid
-            '''
-            result = self._values.get("source_security_group_id")
-            return typing.cast(typing.Optional[builtins.str], result)
-
         @builtins.property
         def to_port(self) -> typing.Optional[jsii.Number]:
             '''If the protocol is TCP or UDP, this is the end of the port range.
@@ -42233,7 +42254,6 @@ class CfnSecurityGroupProps:
                     destination_prefix_list_id="destinationPrefixListId",
                     destination_security_group_id="destinationSecurityGroupId",
                     from_port=123,
-                    source_security_group_id="sourceSecurityGroupId",
                     to_port=123
                 )],
                 security_group_ingress=[ec2.CfnSecurityGroup.IngressProperty(
@@ -42548,10 +42568,7 @@ class CfnSpotFleet(
 
     You can specify tags for the Spot Fleet request and instances launched by the fleet. You cannot tag other resource types in a Spot Fleet request because only the ``spot-fleet-request`` and ``instance`` resource types are supported.
 
-    For more information, see `Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet.html>`_ in the *Amazon EC2 User Guide for Linux Instances* .
-    .. epigraph::
-
-       We strongly discourage using the RequestSpotFleet API because it is a legacy API with no planned investment. For options for requesting Spot Instances, see `Which is the best Spot request method to use? <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-best-practices.html#which-spot-request-method-to-use>`_ in the *Amazon EC2 User Guide for Linux Instances* .
+    For more information, see `Spot Fleet <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet.html>`_ in the *Amazon EC2 User Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-spotfleet.html
     :cloudformationResource: AWS::EC2::SpotFleet
@@ -43842,7 +43859,7 @@ class CfnSpotFleet(
             :param network_interface_id: The ID of the network interface. If you are creating a Spot Fleet, omit this parameter because you can’t specify a network interface ID in a launch specification.
             :param private_ip_addresses: The private IPv4 addresses to assign to the network interface. Only one private IPv4 address can be designated as primary. You cannot specify this option if you're launching more than one instance in a `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ request.
             :param secondary_private_ip_address_count: The number of secondary private IPv4 addresses. You can't specify this option and specify more than one private IP address using the private IP addresses option. You cannot specify this option if you're launching more than one instance in a `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ request.
-            :param subnet_id: The ID of the subnet associated with the network interface. Applies only if creating a network interface when launching an instance.
+            :param subnet_id: The ID of the subnet associated with the network interface.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-instancenetworkinterfacespecification.html
             :exampleMetadata: fixture=_generated
@@ -44035,8 +44052,6 @@ class CfnSpotFleet(
         def subnet_id(self) -> typing.Optional[builtins.str]:
             '''The ID of the subnet associated with the network interface.
 
-            Applies only if creating a network interface when launching an instance.
-
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-instancenetworkinterfacespecification.html#cfn-ec2-spotfleet-instancenetworkinterfacespecification-subnetid
             '''
             result = self._values.get("subnet_id")
@@ -45684,12 +45699,12 @@ class CfnSpotFleet(
             :param kernel_id: The ID of the kernel.
             :param key_name: The name of the key pair.
             :param monitoring: Enable or disable monitoring for the instances.
-            :param network_interfaces: One or more network interfaces. If you specify a network interface, you must specify subnet IDs and security group IDs using the network interface. .. epigraph:: ``SpotFleetLaunchSpecification`` currently does not support Elastic Fabric Adapter (EFA). To specify an EFA, you must use `LaunchTemplateConfig <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_LaunchTemplateConfig.html>`_ .
+            :param network_interfaces: The network interfaces.
             :param placement: The placement information.
             :param ramdisk_id: The ID of the RAM disk. Some kernels require additional drivers at launch. Check the kernel requirements for information about whether you need to specify a RAM disk. To find kernel requirements, refer to the AWS Resource Center and search for the kernel ID.
-            :param security_groups: The security groups.
+            :param security_groups: The security groups. If you specify a network interface, you must specify any security groups as part of the network interface instead of using this parameter.
             :param spot_price: The maximum price per unit hour that you are willing to pay for a Spot Instance. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price. .. epigraph:: If you specify a maximum price, your instances will be interrupted more frequently than if you do not specify this parameter.
-            :param subnet_id: The IDs of the subnets in which to launch the instances. To specify multiple subnets, separate them using commas; for example, "subnet-1234abcdeexample1, subnet-0987cdef6example2".
+            :param subnet_id: The IDs of the subnets in which to launch the instances. To specify multiple subnets, separate them using commas; for example, "subnet-1234abcdeexample1, subnet-0987cdef6example2". If you specify a network interface, you must specify any subnets as part of the network interface instead of using this parameter.
             :param tag_specifications: The tags to apply during creation.
             :param user_data: The base64-encoded user data that instances use when starting up. User data is limited to 16 KB.
             :param weighted_capacity: The number of units provided by the specified instance type. These are the same units that you chose to set the target capacity in terms of instances, or a performance characteristic such as vCPUs, memory, or I/O. If the target capacity divided by this value is not a whole number, Amazon EC2 rounds the number of instances to the next whole number. If this value is not specified, the default is 1.
@@ -45994,12 +46009,7 @@ class CfnSpotFleet(
         def network_interfaces(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnSpotFleet.InstanceNetworkInterfaceSpecificationProperty"]]]]:
-            '''One or more network interfaces.
-
-            If you specify a network interface, you must specify subnet IDs and security group IDs using the network interface.
-            .. epigraph::
-
-               ``SpotFleetLaunchSpecification`` currently does not support Elastic Fabric Adapter (EFA). To specify an EFA, you must use `LaunchTemplateConfig <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_LaunchTemplateConfig.html>`_ .
+            '''The network interfaces.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-spotfleetlaunchspecification.html#cfn-ec2-spotfleet-spotfleetlaunchspecification-networkinterfaces
             '''
@@ -46034,6 +46044,8 @@ class CfnSpotFleet(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnSpotFleet.GroupIdentifierProperty"]]]]:
             '''The security groups.
 
+            If you specify a network interface, you must specify any security groups as part of the network interface instead of using this parameter.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-spotfleetlaunchspecification.html#cfn-ec2-spotfleet-spotfleetlaunchspecification-securitygroups
             '''
             result = self._values.get("security_groups")
@@ -46059,6 +46071,8 @@ class CfnSpotFleet(
 
             To specify multiple subnets, separate them using commas; for example, "subnet-1234abcdeexample1, subnet-0987cdef6example2".
 
+            If you specify a network interface, you must specify any subnets as part of the network interface instead of using this parameter.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-spotfleetlaunchspecification.html#cfn-ec2-spotfleet-spotfleetlaunchspecification-subnetid
             '''
             result = self._values.get("subnet_id")
@@ -53844,11 +53858,11 @@ class CfnTransitGatewayRoute(
         from aws_cdk import aws_ec2 as ec2
         
         cfn_transit_gateway_route = ec2.CfnTransitGatewayRoute(self, "MyCfnTransitGatewayRoute",
+            destination_cidr_block="destinationCidrBlock",
             transit_gateway_route_table_id="transitGatewayRouteTableId",
         
             # the properties below are optional
             blackhole=False,
-            destination_cidr_block="destinationCidrBlock",
             transit_gateway_attachment_id="transitGatewayAttachmentId"
         )
     '''
@@ -53858,17 +53872,17 @@ class CfnTransitGatewayRoute(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
+        destination_cidr_block: builtins.str,
         transit_gateway_route_table_id: builtins.str,
         blackhole: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
-        destination_cidr_block: typing.Optional[builtins.str] = None,
         transit_gateway_attachment_id: typing.Optional[builtins.str] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
+        :param destination_cidr_block: The CIDR block used for destination matches.
         :param transit_gateway_route_table_id: The ID of the transit gateway route table.
         :param blackhole: Indicates whether to drop traffic that matches this route.
-        :param destination_cidr_block: The CIDR block used for destination matches.
         :param transit_gateway_attachment_id: The ID of the attachment.
         '''
         if __debug__:
@@ -53876,9 +53890,9 @@ class CfnTransitGatewayRoute(
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = CfnTransitGatewayRouteProps(
+            destination_cidr_block=destination_cidr_block,
             transit_gateway_route_table_id=transit_gateway_route_table_id,
             blackhole=blackhole,
-            destination_cidr_block=destination_cidr_block,
             transit_gateway_attachment_id=transit_gateway_attachment_id,
         )
 
@@ -53927,6 +53941,19 @@ class CfnTransitGatewayRoute(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
+    @builtins.property
+    @jsii.member(jsii_name="destinationCidrBlock")
+    def destination_cidr_block(self) -> builtins.str:
+        '''The CIDR block used for destination matches.'''
+        return typing.cast(builtins.str, jsii.get(self, "destinationCidrBlock"))
+
+    @destination_cidr_block.setter
+    def destination_cidr_block(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__30150d874e802337a21fe5c33c5e59055a33af9ec33282c5c08706bcd1082c1c)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "destinationCidrBlock", value)
+
     @builtins.property
     @jsii.member(jsii_name="transitGatewayRouteTableId")
     def transit_gateway_route_table_id(self) -> builtins.str:
@@ -53958,19 +53985,6 @@ class CfnTransitGatewayRoute(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "blackhole", value)
 
-    @builtins.property
-    @jsii.member(jsii_name="destinationCidrBlock")
-    def destination_cidr_block(self) -> typing.Optional[builtins.str]:
-        '''The CIDR block used for destination matches.'''
-        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "destinationCidrBlock"))
-
-    @destination_cidr_block.setter
-    def destination_cidr_block(self, value: typing.Optional[builtins.str]) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__30150d874e802337a21fe5c33c5e59055a33af9ec33282c5c08706bcd1082c1c)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "destinationCidrBlock", value)
-
     @builtins.property
     @jsii.member(jsii_name="transitGatewayAttachmentId")
     def transit_gateway_attachment_id(self) -> typing.Optional[builtins.str]:
@@ -53992,9 +54006,9 @@ class CfnTransitGatewayRoute(
     jsii_type="aws-cdk-lib.aws_ec2.CfnTransitGatewayRouteProps",
     jsii_struct_bases=[],
     name_mapping={
+        "destination_cidr_block": "destinationCidrBlock",
         "transit_gateway_route_table_id": "transitGatewayRouteTableId",
         "blackhole": "blackhole",
-        "destination_cidr_block": "destinationCidrBlock",
         "transit_gateway_attachment_id": "transitGatewayAttachmentId",
     },
 )
@@ -54002,16 +54016,16 @@ class CfnTransitGatewayRouteProps:
     def __init__(
         self,
         *,
+        destination_cidr_block: builtins.str,
         transit_gateway_route_table_id: builtins.str,
         blackhole: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
-        destination_cidr_block: typing.Optional[builtins.str] = None,
         transit_gateway_attachment_id: typing.Optional[builtins.str] = None,
     ) -> None:
         '''Properties for defining a ``CfnTransitGatewayRoute``.
 
+        :param destination_cidr_block: The CIDR block used for destination matches.
         :param transit_gateway_route_table_id: The ID of the transit gateway route table.
         :param blackhole: Indicates whether to drop traffic that matches this route.
-        :param destination_cidr_block: The CIDR block used for destination matches.
         :param transit_gateway_attachment_id: The ID of the attachment.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroute.html
@@ -54024,30 +54038,39 @@ class CfnTransitGatewayRouteProps:
             from aws_cdk import aws_ec2 as ec2
             
             cfn_transit_gateway_route_props = ec2.CfnTransitGatewayRouteProps(
+                destination_cidr_block="destinationCidrBlock",
                 transit_gateway_route_table_id="transitGatewayRouteTableId",
             
                 # the properties below are optional
                 blackhole=False,
-                destination_cidr_block="destinationCidrBlock",
                 transit_gateway_attachment_id="transitGatewayAttachmentId"
             )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__234e56a6f757b6cae89b22252317937e5caf6081f899789f9dfaf239987ad5e3)
+            check_type(argname="argument destination_cidr_block", value=destination_cidr_block, expected_type=type_hints["destination_cidr_block"])
             check_type(argname="argument transit_gateway_route_table_id", value=transit_gateway_route_table_id, expected_type=type_hints["transit_gateway_route_table_id"])
             check_type(argname="argument blackhole", value=blackhole, expected_type=type_hints["blackhole"])
-            check_type(argname="argument destination_cidr_block", value=destination_cidr_block, expected_type=type_hints["destination_cidr_block"])
             check_type(argname="argument transit_gateway_attachment_id", value=transit_gateway_attachment_id, expected_type=type_hints["transit_gateway_attachment_id"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
+            "destination_cidr_block": destination_cidr_block,
             "transit_gateway_route_table_id": transit_gateway_route_table_id,
         }
         if blackhole is not None:
             self._values["blackhole"] = blackhole
-        if destination_cidr_block is not None:
-            self._values["destination_cidr_block"] = destination_cidr_block
         if transit_gateway_attachment_id is not None:
             self._values["transit_gateway_attachment_id"] = transit_gateway_attachment_id
 
+    @builtins.property
+    def destination_cidr_block(self) -> builtins.str:
+        '''The CIDR block used for destination matches.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroute.html#cfn-ec2-transitgatewayroute-destinationcidrblock
+        '''
+        result = self._values.get("destination_cidr_block")
+        assert result is not None, "Required property 'destination_cidr_block' is missing"
+        return typing.cast(builtins.str, result)
+
     @builtins.property
     def transit_gateway_route_table_id(self) -> builtins.str:
         '''The ID of the transit gateway route table.
@@ -54069,15 +54092,6 @@ class CfnTransitGatewayRouteProps:
         result = self._values.get("blackhole")
         return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
 
-    @builtins.property
-    def destination_cidr_block(self) -> typing.Optional[builtins.str]:
-        '''The CIDR block used for destination matches.
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-transitgatewayroute.html#cfn-ec2-transitgatewayroute-destinationcidrblock
-        '''
-        result = self._values.get("destination_cidr_block")
-        return typing.cast(typing.Optional[builtins.str], result)
-
     @builtins.property
     def transit_gateway_attachment_id(self) -> typing.Optional[builtins.str]:
         '''The ID of the attachment.
@@ -54312,14 +54326,6 @@ class CfnTransitGatewayRouteTableAssociation(
         '''The CloudFormation resource type name for this resource class.'''
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
-    @builtins.property
-    @jsii.member(jsii_name="attrId")
-    def attr_id(self) -> builtins.str:
-        '''
-        :cloudformationAttribute: Id
-        '''
-        return typing.cast(builtins.str, jsii.get(self, "attrId"))
-
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -78891,7 +78897,7 @@ class NatInstanceProps:
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
-        :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param security_group: (deprecated) Security Group for NAT instances. Default: - A new security group will be created
         :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :exampleMetadata: infused
@@ -78908,7 +78914,7 @@ class NatInstanceProps:
             ec2.Vpc(self, "TheVPC",
                 nat_gateway_provider=provider
             )
-            provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+            provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.HTTP)
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__d7c7c717447859e1ccc181bc97f7752cc3f7fa7afaee4c3a4266eeac32c08643)
@@ -79017,9 +79023,35 @@ class NatInstanceProps:
 
     @builtins.property
     def security_group(self) -> typing.Optional[ISecurityGroup]:
-        '''Security Group for NAT instances.
+        '''(deprecated) Security Group for NAT instances.
 
         :default: - A new security group will be created
+
+        :deprecated:
+
+        - Cannot create a new security group before the VPC is created,
+        and cannot create the VPC without the NAT provider.
+        Set {@link defaultAllowedTraffic } to {@link NatTrafficDirection.NONE }
+        and use {@link NatInstanceProviderV2.gatewayInstances } to retrieve
+        the instances on the fly and add security groups
+
+        :stability: deprecated
+
+        Example::
+
+            nat_gateway_provider = ec2.NatProvider.instance_v2(
+                instance_type=ec2.InstanceType("t3.small"),
+                default_allowed_traffic=ec2.NatTrafficDirection.NONE
+            )
+            vpc = ec2.Vpc(self, "Vpc", nat_gateway_provider=nat_gateway_provider)
+            
+            security_group = ec2.SecurityGroup(self, "SecurityGroup",
+                vpc=vpc,
+                allow_all_outbound=False
+            )
+            security_group.add_egress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443))
+            for gateway_instance in nat_gateway_provider.gateway_instances:
+                gateway_instance.add_security_group(security_group)
         '''
         result = self._values.get("security_group")
         return typing.cast(typing.Optional[ISecurityGroup], result)
@@ -79070,7 +79102,7 @@ class NatProvider(
         ec2.Vpc(self, "TheVPC",
             nat_gateway_provider=provider
         )
-        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.HTTP)
     '''
 
     def __init__(self) -> None:
@@ -79123,7 +79155,7 @@ class NatProvider(
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
-        :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param security_group: (deprecated) Security Group for NAT instances. Default: - A new security group will be created
         :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :deprecated:
@@ -79175,7 +79207,7 @@ class NatProvider(
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
-        :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param security_group: (deprecated) Security Group for NAT instances. Default: - A new security group will be created
         :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :see: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
@@ -79285,17 +79317,19 @@ class NatTrafficDirection(enum.Enum):
 
     Example::
 
-        # instance_type: ec2.InstanceType
-        
-        
-        provider = ec2.NatProvider.instance_v2(
-            instance_type=instance_type,
-            default_allowed_traffic=ec2.NatTrafficDirection.OUTBOUND_ONLY
+        nat_gateway_provider = ec2.NatProvider.instance_v2(
+            instance_type=ec2.InstanceType("t3.small"),
+            default_allowed_traffic=ec2.NatTrafficDirection.NONE
         )
-        ec2.Vpc(self, "TheVPC",
-            nat_gateway_provider=provider
+        vpc = ec2.Vpc(self, "Vpc", nat_gateway_provider=nat_gateway_provider)
+        
+        security_group = ec2.SecurityGroup(self, "SecurityGroup",
+            vpc=vpc,
+            allow_all_outbound=False
         )
-        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+        security_group.add_egress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443))
+        for gateway_instance in nat_gateway_provider.gateway_instances:
+            gateway_instance.add_security_group(security_group)
     '''
 
     OUTBOUND_ONLY = "OUTBOUND_ONLY"
@@ -79902,17 +79936,20 @@ class Peer(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_ec2.Peer"):
 
     Example::
 
-        # instance_type: ec2.InstanceType
-        
+        # vpc: ec2.Vpc
         
-        provider = ec2.NatProvider.instance_v2(
-            instance_type=instance_type,
-            default_allowed_traffic=ec2.NatTrafficDirection.OUTBOUND_ONLY
-        )
-        ec2.Vpc(self, "TheVPC",
-            nat_gateway_provider=provider
+        cluster = msk.Cluster(self, "Cluster",
+            cluster_name="myCluster",
+            kafka_version=msk.KafkaVersion.V2_8_1,
+            vpc=vpc
         )
-        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+        
+        cluster.connections.allow_from(
+            ec2.Peer.ipv4("1.2.3.4/8"),
+            ec2.Port.tcp(2181))
+        cluster.connections.allow_from(
+            ec2.Peer.ipv4("1.2.3.4/8"),
+            ec2.Port.tcp(9094))
     '''
 
     def __init__(self) -> None:
@@ -80284,7 +80321,7 @@ class Port(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_ec2.Port"):
         ec2.Vpc(self, "TheVPC",
             nat_gateway_provider=provider
         )
-        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.HTTP)
     '''
 
     def __init__(
@@ -80447,6 +80484,108 @@ class Port(metaclass=jsii.JSIIMeta, jsii_type="aws-cdk-lib.aws_ec2.Port"):
     def to_string(self) -> builtins.str:
         return typing.cast(builtins.str, jsii.invoke(self, "toString", []))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="DNS_TCP")
+    def DNS_TCP(cls) -> "Port":
+        '''Well-known DNS port (TCP 53).'''
+        return typing.cast("Port", jsii.sget(cls, "DNS_TCP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="DNS_UDP")
+    def DNS_UDP(cls) -> "Port":
+        '''Well-known DNS port (UDP 53).'''
+        return typing.cast("Port", jsii.sget(cls, "DNS_UDP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="HTTP")
+    def HTTP(cls) -> "Port":
+        '''Well-known HTTP port (TCP 80).'''
+        return typing.cast("Port", jsii.sget(cls, "HTTP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="HTTPS")
+    def HTTPS(cls) -> "Port":
+        '''Well-known HTTPS port (TCP 443).'''
+        return typing.cast("Port", jsii.sget(cls, "HTTPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="IMAP")
+    def IMAP(cls) -> "Port":
+        '''Well-known IMAP port (TCP 143).'''
+        return typing.cast("Port", jsii.sget(cls, "IMAP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="IMAPS")
+    def IMAPS(cls) -> "Port":
+        '''Well-known IMAPS port (TCP 993).'''
+        return typing.cast("Port", jsii.sget(cls, "IMAPS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="LDAP")
+    def LDAP(cls) -> "Port":
+        '''Well-known LDAP port (TCP 389).'''
+        return typing.cast("Port", jsii.sget(cls, "LDAP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MSSQL")
+    def MSSQL(cls) -> "Port":
+        '''Well-known Microsoft SQL Server port (TCP 1433).'''
+        return typing.cast("Port", jsii.sget(cls, "MSSQL"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="MYSQL_AURORA")
+    def MYSQL_AURORA(cls) -> "Port":
+        '''Well-known MySQL and Aurora port (TCP 3306).'''
+        return typing.cast("Port", jsii.sget(cls, "MYSQL_AURORA"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="NFS")
+    def NFS(cls) -> "Port":
+        '''Well-known NFS port (TCP 2049).'''
+        return typing.cast("Port", jsii.sget(cls, "NFS"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="POP3")
+    def POP3(cls) -> "Port":
+        '''Well-known POP3 port (TCP 110).'''
+        return typing.cast("Port", jsii.sget(cls, "POP3"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="POP3S")
+    def POP3_S(cls) -> "Port":
+        '''Well-known POP3S port (TCP 995).'''
+        return typing.cast("Port", jsii.sget(cls, "POP3S"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="POSTGRES")
+    def POSTGRES(cls) -> "Port":
+        '''Well-known PostgreSQL port (TCP 5432).'''
+        return typing.cast("Port", jsii.sget(cls, "POSTGRES"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="RDP")
+    def RDP(cls) -> "Port":
+        '''Well-known Microsoft Remote Desktop Protocol port (TCP 3389).'''
+        return typing.cast("Port", jsii.sget(cls, "RDP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SMB")
+    def SMB(cls) -> "Port":
+        '''Well-known SMB port (TCP 445).'''
+        return typing.cast("Port", jsii.sget(cls, "SMB"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SMTP")
+    def SMTP(cls) -> "Port":
+        '''Well-known SMTP port (TCP 25).'''
+        return typing.cast("Port", jsii.sget(cls, "SMTP"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="SSH")
+    def SSH(cls) -> "Port":
+        '''Well-known SSH port (TCP 22).'''
+        return typing.cast("Port", jsii.sget(cls, "SSH"))
+
     @builtins.property
     @jsii.member(jsii_name="canInlineRule")
     def can_inline_rule(self) -> builtins.bool:
@@ -81499,18 +81638,20 @@ class SecurityGroup(
            mutable=False
        )
 
-    :exampleMetadata: fixture=with-vpc infused
+    :exampleMetadata: infused
 
     Example::
 
-        my_security_group_without_inline_rules = ec2.SecurityGroup(self, "SecurityGroup",
+        # vpc: ec2.Vpc
+        
+        
+        my_security_group = ec2.SecurityGroup(self, "SecurityGroup", vpc=vpc)
+        autoscaling.AutoScalingGroup(self, "ASG",
             vpc=vpc,
-            description="Allow ssh access to ec2 instances",
-            allow_all_outbound=True,
-            disable_inline_rules=True
+            instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+            machine_image=ec2.MachineImage.latest_amazon_linux2(),
+            security_group=my_security_group
         )
-        # This will add the rule as an external cloud formation construct
-        my_security_group_without_inline_rules.add_ingress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(22), "allow ssh access from the world")
     '''
 
     def __init__(
@@ -81970,15 +82111,13 @@ class SecurityGroupProps:
             # vpc: ec2.Vpc
             
             
-            security_group1 = ec2.SecurityGroup(self, "SecurityGroup1", vpc=vpc)
-            lb = elbv2.ApplicationLoadBalancer(self, "LB",
+            my_security_group = ec2.SecurityGroup(self, "SecurityGroup", vpc=vpc)
+            autoscaling.AutoScalingGroup(self, "ASG",
                 vpc=vpc,
-                internet_facing=True,
-                security_group=security_group1
+                instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
+                machine_image=ec2.MachineImage.latest_amazon_linux2(),
+                security_group=my_security_group
             )
-            
-            security_group2 = ec2.SecurityGroup(self, "SecurityGroup2", vpc=vpc)
-            lb.add_security_group(security_group2)
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__4e55e0c52b51f92e83b1f8d6b7a5b22268d0369a14dab808b8f2f5f233e5b622)
@@ -91384,7 +91523,7 @@ class NatInstanceProvider(
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
-        :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param security_group: (deprecated) Security Group for NAT instances. Default: - A new security group will be created
         :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
 
         :stability: deprecated
@@ -91483,17 +91622,19 @@ class NatInstanceProviderV2(
 
     Example::
 
-        # instance_type: ec2.InstanceType
-        
-        
-        provider = ec2.NatProvider.instance_v2(
-            instance_type=instance_type,
-            default_allowed_traffic=ec2.NatTrafficDirection.OUTBOUND_ONLY
+        nat_gateway_provider = ec2.NatProvider.instance_v2(
+            instance_type=ec2.InstanceType("t3.small"),
+            default_allowed_traffic=ec2.NatTrafficDirection.NONE
         )
-        ec2.Vpc(self, "TheVPC",
-            nat_gateway_provider=provider
+        vpc = ec2.Vpc(self, "Vpc", nat_gateway_provider=nat_gateway_provider)
+        
+        security_group = ec2.SecurityGroup(self, "SecurityGroup",
+            vpc=vpc,
+            allow_all_outbound=False
         )
-        provider.connections.allow_from(ec2.Peer.ipv4("1.2.3.4/8"), ec2.Port.tcp(80))
+        security_group.add_egress_rule(ec2.Peer.any_ipv4(), ec2.Port.tcp(443))
+        for gateway_instance in nat_gateway_provider.gateway_instances:
+            gateway_instance.add_security_group(security_group)
     '''
 
     def __init__(
@@ -91515,7 +91656,7 @@ class NatInstanceProviderV2(
         :param key_name: (deprecated) Name of SSH keypair to grant access to instance. Default: - No SSH access will be possible.
         :param key_pair: The SSH keypair to grant access to the instance. Default: - No SSH access will be possible.
         :param machine_image: The machine image (AMI) to use. By default, will do an AMI lookup for the latest NAT instance image. If you have a specific AMI ID you want to use, pass a ``GenericLinuxImage``. For example:: ec2.NatProvider.instance({ instanceType: new ec2.InstanceType('t3.micro'), machineImage: new ec2.GenericLinuxImage({ 'us-east-2': 'ami-0f9c61b5a562a16af' }) }) Default: - Latest NAT instance image
-        :param security_group: Security Group for NAT instances. Default: - A new security group will be created
+        :param security_group: (deprecated) Security Group for NAT instances. Default: - A new security group will be created
         :param user_data: Custom user data to run on the NAT instances. Default: UserData.forLinux().addCommands(...NatInstanceProviderV2.DEFAULT_USER_DATA_COMMANDS); - Appropriate user data commands to initialize and configure the NAT instances
         '''
         props = NatInstanceProps(
@@ -94785,9 +94926,11 @@ def _typecheckingstub__16b41182e007e05b84fd0c97afc1e26001e78a56de2eb5b10c9f809de
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
-    bgp_asn: jsii.Number,
     ip_address: builtins.str,
     type: builtins.str,
+    bgp_asn: typing.Optional[jsii.Number] = None,
+    bgp_asn_extended: typing.Optional[jsii.Number] = None,
+    certificate_arn: typing.Optional[builtins.str] = None,
     device_name: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
@@ -94806,20 +94949,32 @@ def _typecheckingstub__a44104c4ad329cfdabba2866cf426d821fa85ba6f3aa04801988c746b
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__84dfb7d1775bd2bb124f990570c9a2ef23fafd01744cfe248fcb360562f57ca9(
-    value: jsii.Number,
+def _typecheckingstub__a312c99e6832f0396cbd7c4d05fbab836db0503cf37ecee5f1f64bd213516c2e(
+    value: builtins.str,
 ) -> None:
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__a312c99e6832f0396cbd7c4d05fbab836db0503cf37ecee5f1f64bd213516c2e(
+def _typecheckingstub__ae973d5ca9904c069d03cbf10a1e3fdf7736cc00ca43663eb07598f97c4e5771(
     value: builtins.str,
 ) -> None:
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__ae973d5ca9904c069d03cbf10a1e3fdf7736cc00ca43663eb07598f97c4e5771(
-    value: builtins.str,
+def _typecheckingstub__84dfb7d1775bd2bb124f990570c9a2ef23fafd01744cfe248fcb360562f57ca9(
+    value: typing.Optional[jsii.Number],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f41644d25c48e5c3c87a361ba478bdb4a18bf473fe1582fa35c6311f6d5284d8(
+    value: typing.Optional[jsii.Number],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__4a4b900e840c5be3a2b16a5177f91335cf813daeca359e549a639cb05a03ac63(
+    value: typing.Optional[builtins.str],
 ) -> None:
     """Type checking stubs"""
     pass
@@ -94838,9 +94993,11 @@ def _typecheckingstub__05a111d13df5583de4721245805f1cb23e3c81e0e12774d2a044cf75b
 
 def _typecheckingstub__b0ef9a2e3e2b6937b21db500a1cd795126e924d9b920931a413ecdb668bfc7ec(
     *,
-    bgp_asn: jsii.Number,
     ip_address: builtins.str,
     type: builtins.str,
+    bgp_asn: typing.Optional[jsii.Number] = None,
+    bgp_asn_extended: typing.Optional[jsii.Number] = None,
+    certificate_arn: typing.Optional[builtins.str] = None,
     device_name: typing.Optional[builtins.str] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
@@ -97210,7 +97367,6 @@ def _typecheckingstub__da6f057643821e4198778db605300559763cd1d337144d841e7dd3934
 def _typecheckingstub__62e0d77a7fa9500aab5a08e932dc82213f11e05b31cf56f4654431c48342979e(
     *,
     auto_recovery: typing.Optional[builtins.str] = None,
-    reboot_migration: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -99120,7 +99276,6 @@ def _typecheckingstub__f7f9c3e8bd9fe395c2fb15fd9d38e6ef1ebca888c954597574840d202
     destination_prefix_list_id: typing.Optional[builtins.str] = None,
     destination_security_group_id: typing.Optional[builtins.str] = None,
     from_port: typing.Optional[jsii.Number] = None,
-    source_security_group_id: typing.Optional[builtins.str] = None,
     to_port: typing.Optional[jsii.Number] = None,
 ) -> None:
     """Type checking stubs"""
@@ -100953,9 +101108,9 @@ def _typecheckingstub__762528618652de53ec01b9db873d15c1412ef510b68d36faf8e5193ee
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
+    destination_cidr_block: builtins.str,
     transit_gateway_route_table_id: builtins.str,
     blackhole: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
-    destination_cidr_block: typing.Optional[builtins.str] = None,
     transit_gateway_attachment_id: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""
@@ -100973,20 +101128,20 @@ def _typecheckingstub__db248da6e580b35319fa4105c6aa56b32a97434942c5e6aa6364835dd
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__a3ff43d5668d80486662b5f29a818edf8b7a164143e8327503af53fea81d72e4(
+def _typecheckingstub__30150d874e802337a21fe5c33c5e59055a33af9ec33282c5c08706bcd1082c1c(
     value: builtins.str,
 ) -> None:
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__ae3c350b4ebbf2eafd4fffaf648073580cc8872edfcbb0622e12224667970a75(
-    value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+def _typecheckingstub__a3ff43d5668d80486662b5f29a818edf8b7a164143e8327503af53fea81d72e4(
+    value: builtins.str,
 ) -> None:
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__30150d874e802337a21fe5c33c5e59055a33af9ec33282c5c08706bcd1082c1c(
-    value: typing.Optional[builtins.str],
+def _typecheckingstub__ae3c350b4ebbf2eafd4fffaf648073580cc8872edfcbb0622e12224667970a75(
+    value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
 ) -> None:
     """Type checking stubs"""
     pass
@@ -100999,9 +101154,9 @@ def _typecheckingstub__a94dba0eae14b14a0b432cb7e86de53fbec80e85adaa717d318a1fe9f
 
 def _typecheckingstub__234e56a6f757b6cae89b22252317937e5caf6081f899789f9dfaf239987ad5e3(
     *,
+    destination_cidr_block: builtins.str,
     transit_gateway_route_table_id: builtins.str,
     blackhole: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
-    destination_cidr_block: typing.Optional[builtins.str] = None,
     transit_gateway_attachment_id: typing.Optional[builtins.str] = None,
 ) -> None:
     """Type checking stubs"""