aws-cdk-lib 2.172.0__py3-none-any.whl → 2.173.1__py3-none-any.whl

aws_cdk/aws_elasticloadbalancingv2/__init__.py

@@ -390,7 +390,24 @@ lb = elbv2.NetworkLoadBalancer(self, "LB",
 )
 ```
 
-You cannot add UDP or TCP_UDP listeners to a dualstack Network Load Balancer.
+You can configure whether to use an IPv6 prefix from each subnet for source NAT by setting `enablePrefixForIpv6SourceNat` to `true`.
+This must be enabled if you want to create a dualstack Network Load Balancer with a listener that uses UDP protocol.
+
+```python
+# vpc: ec2.Vpc
+
+
+lb = elbv2.NetworkLoadBalancer(self, "LB",
+    vpc=vpc,
+    ip_address_type=elbv2.IpAddressType.DUAL_STACK,
+    enable_prefix_for_ipv6_source_nat=True
+)
+
+listener = lb.add_listener("Listener",
+    port=1229,
+    protocol=elbv2.Protocol.UDP
+)
+```
 
 ### Network Load Balancer attributes
 
@@ -3649,6 +3666,7 @@ class CfnListener(
                 value="value"
             )],
             mutual_authentication=elbv2.CfnListener.MutualAuthenticationProperty(
+                advertise_trust_store_ca_names="advertiseTrustStoreCaNames",
                 ignore_client_certificate_expiry=False,
                 mode="mode",
                 trust_store_arn="trustStoreArn"
@@ -4835,7 +4853,7 @@ class CfnListener(
         ) -> None:
             '''Information about a listener attribute.
 
-            :param key: The name of the attribute. The following attribute is supported by Network Load Balancers, and Gateway Load Balancers. - ``tcp.idle_timeout.seconds`` - The tcp idle timeout value, in seconds. The valid range is 60-6000 seconds. The default is 350 seconds.
+            :param key: The name of the attribute. The following attribute is supported by Network Load Balancers, and Gateway Load Balancers. - ``tcp.idle_timeout.seconds`` - The tcp idle timeout value, in seconds. The valid range is 60-6000 seconds. The default is 350 seconds. The following attributes are only supported by Application Load Balancers. - ``routing.http.request.x_amzn_mtls_clientcert_serial_number.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert-Serial-Number* HTTP request header. - ``routing.http.request.x_amzn_mtls_clientcert_issuer.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert-Issuer* HTTP request header. - ``routing.http.request.x_amzn_mtls_clientcert_subject.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert-Subject* HTTP request header. - ``routing.http.request.x_amzn_mtls_clientcert_validity.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert-Validity* HTTP request header. - ``routing.http.request.x_amzn_mtls_clientcert_leaf.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert-Leaf* HTTP request header. - ``routing.http.request.x_amzn_mtls_clientcert.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert* HTTP request header. - ``routing.http.request.x_amzn_tls_version.header_name`` - Enables you to modify the header name of the *X-Amzn-Tls-Version* HTTP request header. - ``routing.http.request.x_amzn_tls_cipher_suite.header_name`` - Enables you to modify the header name of the *X-Amzn-Tls-Cipher-Suite* HTTP request header. - ``routing.http.response.server.enabled`` - Enables you to allow or remove the HTTP response server header. - ``routing.http.response.strict_transport_security.header_value`` - Informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. - ``routing.http.response.access_control_allow_origin.header_value`` - Specifies which origins are allowed to access the server. - ``routing.http.response.access_control_allow_methods.header_value`` - Returns which HTTP methods are allowed when accessing the server from a different origin. - ``routing.http.response.access_control_allow_headers.header_value`` - Specifies which headers can be used during the request. - ``routing.http.response.access_control_allow_credentials.header_value`` - Indicates whether the browser should include credentials such as cookies or authentication when making requests. - ``routing.http.response.access_control_expose_headers.header_value`` - Returns which headers the browser can expose to the requesting client. - ``routing.http.response.access_control_max_age.header_value`` - Specifies how long the results of a preflight request can be cached, in seconds. - ``routing.http.response.content_security_policy.header_value`` - Specifies restrictions enforced by the browser to help minimize the risk of certain types of security threats. - ``routing.http.response.x_content_type_options.header_value`` - Indicates whether the MIME types advertised in the *Content-Type* headers should be followed and not be changed. - ``routing.http.response.x_frame_options.header_value`` - Indicates whether the browser is allowed to render a page in a *frame* , *iframe* , *embed* or *object* .
             :param value: The value of the attribute.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-listenerattribute.html
@@ -4870,6 +4888,28 @@ class CfnListener(
 
             - ``tcp.idle_timeout.seconds`` - The tcp idle timeout value, in seconds. The valid range is 60-6000 seconds. The default is 350 seconds.
 
+            The following attributes are only supported by Application Load Balancers.
+
+            - ``routing.http.request.x_amzn_mtls_clientcert_serial_number.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert-Serial-Number* HTTP request header.
+            - ``routing.http.request.x_amzn_mtls_clientcert_issuer.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert-Issuer* HTTP request header.
+            - ``routing.http.request.x_amzn_mtls_clientcert_subject.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert-Subject* HTTP request header.
+            - ``routing.http.request.x_amzn_mtls_clientcert_validity.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert-Validity* HTTP request header.
+            - ``routing.http.request.x_amzn_mtls_clientcert_leaf.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert-Leaf* HTTP request header.
+            - ``routing.http.request.x_amzn_mtls_clientcert.header_name`` - Enables you to modify the header name of the *X-Amzn-Mtls-Clientcert* HTTP request header.
+            - ``routing.http.request.x_amzn_tls_version.header_name`` - Enables you to modify the header name of the *X-Amzn-Tls-Version* HTTP request header.
+            - ``routing.http.request.x_amzn_tls_cipher_suite.header_name`` - Enables you to modify the header name of the *X-Amzn-Tls-Cipher-Suite* HTTP request header.
+            - ``routing.http.response.server.enabled`` - Enables you to allow or remove the HTTP response server header.
+            - ``routing.http.response.strict_transport_security.header_value`` - Informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
+            - ``routing.http.response.access_control_allow_origin.header_value`` - Specifies which origins are allowed to access the server.
+            - ``routing.http.response.access_control_allow_methods.header_value`` - Returns which HTTP methods are allowed when accessing the server from a different origin.
+            - ``routing.http.response.access_control_allow_headers.header_value`` - Specifies which headers can be used during the request.
+            - ``routing.http.response.access_control_allow_credentials.header_value`` - Indicates whether the browser should include credentials such as cookies or authentication when making requests.
+            - ``routing.http.response.access_control_expose_headers.header_value`` - Returns which headers the browser can expose to the requesting client.
+            - ``routing.http.response.access_control_max_age.header_value`` - Specifies how long the results of a preflight request can be cached, in seconds.
+            - ``routing.http.response.content_security_policy.header_value`` - Specifies restrictions enforced by the browser to help minimize the risk of certain types of security threats.
+            - ``routing.http.response.x_content_type_options.header_value`` - Indicates whether the MIME types advertised in the *Content-Type* headers should be followed and not be changed.
+            - ``routing.http.response.x_frame_options.header_value`` - Indicates whether the browser is allowed to render a page in a *frame* , *iframe* , *embed* or *object* .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-listenerattribute.html#cfn-elasticloadbalancingv2-listener-listenerattribute-key
             '''
             result = self._values.get("key")
@@ -4899,6 +4939,7 @@ class CfnListener(
         jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener.MutualAuthenticationProperty",
         jsii_struct_bases=[],
         name_mapping={
+            "advertise_trust_store_ca_names": "advertiseTrustStoreCaNames",
             "ignore_client_certificate_expiry": "ignoreClientCertificateExpiry",
             "mode": "mode",
             "trust_store_arn": "trustStoreArn",
@@ -4908,12 +4949,14 @@ class CfnListener(
         def __init__(
             self,
             *,
+            advertise_trust_store_ca_names: typing.Optional[builtins.str] = None,
             ignore_client_certificate_expiry: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
             mode: typing.Optional[builtins.str] = None,
             trust_store_arn: typing.Optional[builtins.str] = None,
         ) -> None:
             '''Specifies the configuration information for mutual authentication.
 
+            :param advertise_trust_store_ca_names: 
             :param ignore_client_certificate_expiry: Indicates whether expired client certificates are ignored.
             :param mode: The client certificate handling method. Options are ``off`` , ``passthrough`` or ``verify`` . The default value is ``off`` .
             :param trust_store_arn: The Amazon Resource Name (ARN) of the trust store.
@@ -4928,6 +4971,7 @@ class CfnListener(
                 from aws_cdk import aws_elasticloadbalancingv2 as elbv2
                 
                 mutual_authentication_property = elbv2.CfnListener.MutualAuthenticationProperty(
+                    advertise_trust_store_ca_names="advertiseTrustStoreCaNames",
                     ignore_client_certificate_expiry=False,
                     mode="mode",
                     trust_store_arn="trustStoreArn"
@@ -4935,10 +4979,13 @@ class CfnListener(
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__07605e87f763c352d3e6705d69aa07723ad3c005493c1fdef02b175f49d53ee0)
+                check_type(argname="argument advertise_trust_store_ca_names", value=advertise_trust_store_ca_names, expected_type=type_hints["advertise_trust_store_ca_names"])
                 check_type(argname="argument ignore_client_certificate_expiry", value=ignore_client_certificate_expiry, expected_type=type_hints["ignore_client_certificate_expiry"])
                 check_type(argname="argument mode", value=mode, expected_type=type_hints["mode"])
                 check_type(argname="argument trust_store_arn", value=trust_store_arn, expected_type=type_hints["trust_store_arn"])
             self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if advertise_trust_store_ca_names is not None:
+                self._values["advertise_trust_store_ca_names"] = advertise_trust_store_ca_names
             if ignore_client_certificate_expiry is not None:
                 self._values["ignore_client_certificate_expiry"] = ignore_client_certificate_expiry
             if mode is not None:
@@ -4946,6 +4993,14 @@ class CfnListener(
             if trust_store_arn is not None:
                 self._values["trust_store_arn"] = trust_store_arn
 
+        @builtins.property
+        def advertise_trust_store_ca_names(self) -> typing.Optional[builtins.str]:
+            '''
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-mutualauthentication.html#cfn-elasticloadbalancingv2-listener-mutualauthentication-advertisetruststorecanames
+            '''
+            result = self._values.get("advertise_trust_store_ca_names")
+            return typing.cast(typing.Optional[builtins.str], result)
+
         @builtins.property
         def ignore_client_certificate_expiry(
             self,
@@ -5686,6 +5741,7 @@ class CfnListenerProps:
                     value="value"
                 )],
                 mutual_authentication=elbv2.CfnListener.MutualAuthenticationProperty(
+                    advertise_trust_store_ca_names="advertiseTrustStoreCaNames",
                     ignore_client_certificate_expiry=False,
                     mode="mode",
                     trust_store_arn="trustStoreArn"
@@ -8280,7 +8336,7 @@ class CfnLoadBalancer(
         :param enforce_security_group_inbound_rules_on_private_link_traffic: Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink .
         :param ip_address_type: The IP address type. Internal load balancers must use ``ipv4`` . [Application Load Balancers] The possible values are ``ipv4`` (IPv4 addresses), ``dualstack`` (IPv4 and IPv6 addresses), and ``dualstack-without-public-ipv4`` (public IPv6 addresses and private IPv4 and IPv6 addresses). Application Load Balancer authentication supports IPv4 addresses only when connecting to an Identity Provider (IdP) or Amazon Cognito endpoint. Without a public IPv4 address the load balancer can't complete the authentication process, resulting in HTTP 500 errors. [Network Load Balancers and Gateway Load Balancers] The possible values are ``ipv4`` (IPv4 addresses) and ``dualstack`` (IPv4 and IPv6 addresses).
         :param load_balancer_attributes: The load balancer attributes.
-        :param minimum_load_balancer_capacity: 
+        :param minimum_load_balancer_capacity: The minimum capacity for a load balancer.
         :param name: The name of the load balancer. This name must be unique per region per account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, must not begin or end with a hyphen, and must not begin with "internal-". If you don't specify a name, AWS CloudFormation generates a unique physical ID for the load balancer. If you specify a name, you cannot perform updates that require replacement of this resource, but you can perform other updates. To replace the resource, specify a new name.
         :param scheme: The nodes of an Internet-facing load balancer have public IP addresses. The DNS name of an Internet-facing load balancer is publicly resolvable to the public IP addresses of the nodes. Therefore, Internet-facing load balancers can route requests from clients over the internet. The nodes of an internal load balancer have only private IP addresses. The DNS name of an internal load balancer is publicly resolvable to the private IP addresses of the nodes. Therefore, internal load balancers can route requests only from clients with access to the VPC for the load balancer. The default is an Internet-facing load balancer. You can't specify a scheme for a Gateway Load Balancer.
         :param security_groups: [Application Load Balancers and Network Load Balancers] The IDs of the security groups for the load balancer.
@@ -8486,6 +8542,7 @@ class CfnLoadBalancer(
     def minimum_load_balancer_capacity(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLoadBalancer.MinimumLoadBalancerCapacityProperty"]]:
+        '''The minimum capacity for a load balancer.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLoadBalancer.MinimumLoadBalancerCapacityProperty"]], jsii.get(self, "minimumLoadBalancerCapacity"))
 
     @minimum_load_balancer_capacity.setter
@@ -8611,7 +8668,7 @@ class CfnLoadBalancer(
         ) -> None:
             '''Specifies an attribute for an Application Load Balancer, a Network Load Balancer, or a Gateway Load Balancer.
 
-            :param key: The name of the attribute. The following attributes are supported by all load balancers: - ``deletion_protection.enabled`` - Indicates whether deletion protection is enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``load_balancing.cross_zone.enabled`` - Indicates whether cross-zone load balancing is enabled. The possible values are ``true`` and ``false`` . The default for Network Load Balancers and Gateway Load Balancers is ``false`` . The default for Application Load Balancers is ``true`` , and can't be changed. The following attributes are supported by both Application Load Balancers and Network Load Balancers: - ``access_logs.s3.enabled`` - Indicates whether access logs are enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``access_logs.s3.bucket`` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket. - ``access_logs.s3.prefix`` - The prefix for the location in the S3 bucket for the access logs. - ``ipv6.deny_all_igw_traffic`` - Blocks internet gateway (IGW) access to the load balancer. It is set to ``false`` for internet-facing load balancers and ``true`` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway. The following attributes are supported by only Application Load Balancers: - ``idle_timeout.timeout_seconds`` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds. - ``client_keep_alive.seconds`` - The client keep alive value, in seconds. The valid range is 60-604800 seconds. The default is 3600 seconds. - ``connection_logs.s3.enabled`` - Indicates whether connection logs are enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``connection_logs.s3.bucket`` - The name of the S3 bucket for the connection logs. This attribute is required if connection logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket. - ``connection_logs.s3.prefix`` - The prefix for the location in the S3 bucket for the connection logs. - ``routing.http.desync_mitigation_mode`` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are ``monitor`` , ``defensive`` , and ``strictest`` . The default is ``defensive`` . - ``routing.http.drop_invalid_header_fields.enabled`` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( ``true`` ) or routed to targets ( ``false`` ). The default is ``false`` . - ``routing.http.preserve_host_header.enabled`` - Indicates whether the Application Load Balancer should preserve the ``Host`` header in the HTTP request and send it to the target without any change. The possible values are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.x_amzn_tls_version_and_cipher_suite.enabled`` - Indicates whether the two headers ( ``x-amzn-tls-version`` and ``x-amzn-tls-cipher-suite`` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The ``x-amzn-tls-version`` header has information about the TLS protocol version negotiated with the client, and the ``x-amzn-tls-cipher-suite`` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.xff_client_port.enabled`` - Indicates whether the ``X-Forwarded-For`` header should preserve the source port that the client used to connect to the load balancer. The possible values are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.xff_header_processing.mode`` - Enables you to modify, preserve, or remove the ``X-Forwarded-For`` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are ``append`` , ``preserve`` , and ``remove`` . The default is ``append`` . - If the value is ``append`` , the Application Load Balancer adds the client IP address (of the last hop) to the ``X-Forwarded-For`` header in the HTTP request before it sends it to targets. - If the value is ``preserve`` the Application Load Balancer preserves the ``X-Forwarded-For`` header in the HTTP request, and sends it to targets without any change. - If the value is ``remove`` , the Application Load Balancer removes the ``X-Forwarded-For`` header in the HTTP request before it sends it to targets. - ``routing.http2.enabled`` - Indicates whether HTTP/2 is enabled. The possible values are ``true`` and ``false`` . The default is ``true`` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. - ``waf.fail_open.enabled`` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are ``true`` and ``false`` . The default is ``false`` . The following attributes are supported by only Network Load Balancers: - ``dns_record.client_routing_policy`` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are ``availability_zone_affinity`` with 100 percent zonal affinity, ``partial_availability_zone_affinity`` with 85 percent zonal affinity, and ``any_availability_zone`` with 0 percent zonal affinity. - ``zonal_shift.config.enabled`` - Indicates whether zonal shift is enabled. The possible values are ``true`` and ``false`` . The default is ``false`` .
+            :param key: The name of the attribute. The following attributes are supported by all load balancers: - ``deletion_protection.enabled`` - Indicates whether deletion protection is enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``load_balancing.cross_zone.enabled`` - Indicates whether cross-zone load balancing is enabled. The possible values are ``true`` and ``false`` . The default for Network Load Balancers and Gateway Load Balancers is ``false`` . The default for Application Load Balancers is ``true`` , and can't be changed. The following attributes are supported by both Application Load Balancers and Network Load Balancers: - ``access_logs.s3.enabled`` - Indicates whether access logs are enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``access_logs.s3.bucket`` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket. - ``access_logs.s3.prefix`` - The prefix for the location in the S3 bucket for the access logs. - ``ipv6.deny_all_igw_traffic`` - Blocks internet gateway (IGW) access to the load balancer. It is set to ``false`` for internet-facing load balancers and ``true`` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway. - ``zonal_shift.config.enabled`` - Indicates whether zonal shift is enabled. The possible values are ``true`` and ``false`` . The default is ``false`` . The following attributes are supported by only Application Load Balancers: - ``idle_timeout.timeout_seconds`` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds. - ``client_keep_alive.seconds`` - The client keep alive value, in seconds. The valid range is 60-604800 seconds. The default is 3600 seconds. - ``connection_logs.s3.enabled`` - Indicates whether connection logs are enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``connection_logs.s3.bucket`` - The name of the S3 bucket for the connection logs. This attribute is required if connection logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket. - ``connection_logs.s3.prefix`` - The prefix for the location in the S3 bucket for the connection logs. - ``routing.http.desync_mitigation_mode`` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are ``monitor`` , ``defensive`` , and ``strictest`` . The default is ``defensive`` . - ``routing.http.drop_invalid_header_fields.enabled`` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer ( ``true`` ) or routed to targets ( ``false`` ). The default is ``false`` . - ``routing.http.preserve_host_header.enabled`` - Indicates whether the Application Load Balancer should preserve the ``Host`` header in the HTTP request and send it to the target without any change. The possible values are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.x_amzn_tls_version_and_cipher_suite.enabled`` - Indicates whether the two headers ( ``x-amzn-tls-version`` and ``x-amzn-tls-cipher-suite`` ), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The ``x-amzn-tls-version`` header has information about the TLS protocol version negotiated with the client, and the ``x-amzn-tls-cipher-suite`` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.xff_client_port.enabled`` - Indicates whether the ``X-Forwarded-For`` header should preserve the source port that the client used to connect to the load balancer. The possible values are ``true`` and ``false`` . The default is ``false`` . - ``routing.http.xff_header_processing.mode`` - Enables you to modify, preserve, or remove the ``X-Forwarded-For`` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are ``append`` , ``preserve`` , and ``remove`` . The default is ``append`` . - If the value is ``append`` , the Application Load Balancer adds the client IP address (of the last hop) to the ``X-Forwarded-For`` header in the HTTP request before it sends it to targets. - If the value is ``preserve`` the Application Load Balancer preserves the ``X-Forwarded-For`` header in the HTTP request, and sends it to targets without any change. - If the value is ``remove`` , the Application Load Balancer removes the ``X-Forwarded-For`` header in the HTTP request before it sends it to targets. - ``routing.http2.enabled`` - Indicates whether HTTP/2 is enabled. The possible values are ``true`` and ``false`` . The default is ``true`` . Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. - ``waf.fail_open.enabled`` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. The possible values are ``true`` and ``false`` . The default is ``false`` . The following attributes are supported by only Network Load Balancers: - ``dns_record.client_routing_policy`` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are ``availability_zone_affinity`` with 100 percent zonal affinity, ``partial_availability_zone_affinity`` with 85 percent zonal affinity, and ``any_availability_zone`` with 0 percent zonal affinity.
             :param value: The value of the attribute.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-loadbalancerattribute.html
@@ -8653,6 +8710,7 @@ class CfnLoadBalancer(
             - ``access_logs.s3.bucket`` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.
             - ``access_logs.s3.prefix`` - The prefix for the location in the S3 bucket for the access logs.
             - ``ipv6.deny_all_igw_traffic`` - Blocks internet gateway (IGW) access to the load balancer. It is set to ``false`` for internet-facing load balancers and ``true`` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.
+            - ``zonal_shift.config.enabled`` - Indicates whether zonal shift is enabled. The possible values are ``true`` and ``false`` . The default is ``false`` .
 
             The following attributes are supported by only Application Load Balancers:
 
@@ -8676,7 +8734,6 @@ class CfnLoadBalancer(
             The following attributes are supported by only Network Load Balancers:
 
             - ``dns_record.client_routing_policy`` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are ``availability_zone_affinity`` with 100 percent zonal affinity, ``partial_availability_zone_affinity`` with 85 percent zonal affinity, and ``any_availability_zone`` with 0 percent zonal affinity.
-            - ``zonal_shift.config.enabled`` - Indicates whether zonal shift is enabled. The possible values are ``true`` and ``false`` . The default is ``false`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-loadbalancerattribute.html#cfn-elasticloadbalancingv2-loadbalancer-loadbalancerattribute-key
             '''
@@ -8710,8 +8767,9 @@ class CfnLoadBalancer(
     )
     class MinimumLoadBalancerCapacityProperty:
         def __init__(self, *, capacity_units: jsii.Number) -> None:
-            '''
-            :param capacity_units: 
+            '''The minimum capacity for a load balancer.
+
+            :param capacity_units: The number of capacity units.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-minimumloadbalancercapacity.html
             :exampleMetadata: fixture=_generated
@@ -8735,7 +8793,8 @@ class CfnLoadBalancer(
 
         @builtins.property
         def capacity_units(self) -> jsii.Number:
-            '''
+            '''The number of capacity units.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-minimumloadbalancercapacity.html#cfn-elasticloadbalancingv2-loadbalancer-minimumloadbalancercapacity-capacityunits
             '''
             result = self._values.get("capacity_units")
@@ -8921,7 +8980,7 @@ class CfnLoadBalancerProps:
         :param enforce_security_group_inbound_rules_on_private_link_traffic: Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink .
         :param ip_address_type: The IP address type. Internal load balancers must use ``ipv4`` . [Application Load Balancers] The possible values are ``ipv4`` (IPv4 addresses), ``dualstack`` (IPv4 and IPv6 addresses), and ``dualstack-without-public-ipv4`` (public IPv6 addresses and private IPv4 and IPv6 addresses). Application Load Balancer authentication supports IPv4 addresses only when connecting to an Identity Provider (IdP) or Amazon Cognito endpoint. Without a public IPv4 address the load balancer can't complete the authentication process, resulting in HTTP 500 errors. [Network Load Balancers and Gateway Load Balancers] The possible values are ``ipv4`` (IPv4 addresses) and ``dualstack`` (IPv4 and IPv6 addresses).
         :param load_balancer_attributes: The load balancer attributes.
-        :param minimum_load_balancer_capacity: 
+        :param minimum_load_balancer_capacity: The minimum capacity for a load balancer.
         :param name: The name of the load balancer. This name must be unique per region per account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, must not begin or end with a hyphen, and must not begin with "internal-". If you don't specify a name, AWS CloudFormation generates a unique physical ID for the load balancer. If you specify a name, you cannot perform updates that require replacement of this resource, but you can perform other updates. To replace the resource, specify a new name.
         :param scheme: The nodes of an Internet-facing load balancer have public IP addresses. The DNS name of an Internet-facing load balancer is publicly resolvable to the public IP addresses of the nodes. Therefore, Internet-facing load balancers can route requests from clients over the internet. The nodes of an internal load balancer have only private IP addresses. The DNS name of an internal load balancer is publicly resolvable to the private IP addresses of the nodes. Therefore, internal load balancers can route requests only from clients with access to the VPC for the load balancer. The default is an Internet-facing load balancer. You can't specify a scheme for a Gateway Load Balancer.
         :param security_groups: [Application Load Balancers and Network Load Balancers] The IDs of the security groups for the load balancer.
@@ -9062,7 +9121,8 @@ class CfnLoadBalancerProps:
     def minimum_load_balancer_capacity(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnLoadBalancer.MinimumLoadBalancerCapacityProperty]]:
-        '''
+        '''The minimum capacity for a load balancer.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-loadbalancer.html#cfn-elasticloadbalancingv2-loadbalancer-minimumloadbalancercapacity
         '''
         result = self._values.get("minimum_load_balancer_capacity")
@@ -11441,7 +11501,7 @@ class HealthCheck:
         :param port: The port that the load balancer uses when performing health checks on the targets. Default: 'traffic-port'
         :param protocol: The protocol the load balancer uses when performing health checks on targets. The TCP protocol is supported for health checks only if the protocol of the target group is TCP, TLS, UDP, or TCP_UDP. The TLS, UDP, and TCP_UDP protocols are not supported for health checks. Default: - HTTP for ALBs, TCP for NLBs
         :param timeout: The amount of time, in seconds, during which no response from a target means a failed health check. Must be 2 to 120 seconds. Default: - 6 seconds if the protocol is HTTP, 5 seconds if protocol is ``GENEVE``, 30 seconds if target type is ``lambda``, 10 seconds for TCP, TLS, or HTTPS
-        :param unhealthy_threshold_count: The number of consecutive health check failures required before considering a target unhealthy. For Application Load Balancers, the default is 2. For Network Load Balancers, this value must be the same as the healthy threshold count. Default: 2
+        :param unhealthy_threshold_count: The number of consecutive health check failures required before considering a target unhealthy. For Application Load Balancers, the default is 2. For Network Load Balancers, the range is between 2-10 and can be set accordingly. Default: 2
 
         :exampleMetadata: infused
 
@@ -11602,7 +11662,7 @@ class HealthCheck:
         '''The number of consecutive health check failures required before considering a target unhealthy.
 
         For Application Load Balancers, the default is 2. For Network Load
-        Balancers, this value must be the same as the healthy threshold count.
+        Balancers, the range is between 2-10 and can be set accordingly.
 
         :default: 2
         '''
@@ -15422,9 +15482,15 @@ class IpAddressType(enum.Enum):
         # vpc: ec2.Vpc
         
         
-        lb = elbv2.ApplicationLoadBalancer(self, "LB",
+        lb = elbv2.NetworkLoadBalancer(self, "LB",
             vpc=vpc,
-            ip_address_type=elbv2.IpAddressType.DUAL_STACK
+            ip_address_type=elbv2.IpAddressType.DUAL_STACK,
+            enable_prefix_for_ipv6_source_nat=True
+        )
+        
+        listener = lb.add_listener("Listener",
+            port=1229,
+            protocol=elbv2.Protocol.UDP
         )
     '''
 
@@ -16722,18 +16788,18 @@ class NetworkLoadBalancer(
 
     Example::
 
-        from aws_cdk.aws_apigatewayv2_integrations import HttpNlbIntegration
+        # vpc: ec2.Vpc
         
         
-        vpc = ec2.Vpc(self, "VPC")
-        lb = elbv2.NetworkLoadBalancer(self, "lb", vpc=vpc)
-        listener = lb.add_listener("listener", port=80)
-        listener.add_targets("target",
-            port=80
+        lb = elbv2.NetworkLoadBalancer(self, "LB",
+            vpc=vpc,
+            ip_address_type=elbv2.IpAddressType.DUAL_STACK,
+            enable_prefix_for_ipv6_source_nat=True
         )
         
-        http_endpoint = apigwv2.HttpApi(self, "HttpProxyPrivateApi",
-            default_integration=HttpNlbIntegration("DefaultIntegration", listener)
+        listener = lb.add_listener("Listener",
+            port=1229,
+            protocol=elbv2.Protocol.UDP
         )
     '''
 
@@ -16743,6 +16809,7 @@ class NetworkLoadBalancer(
         id: builtins.str,
         *,
         client_routing_policy: typing.Optional[ClientRoutingPolicy] = None,
+        enable_prefix_for_ipv6_source_nat: typing.Optional[builtins.bool] = None,
         enforce_security_group_inbound_rules_on_private_link_traffic: typing.Optional[builtins.bool] = None,
         ip_address_type: typing.Optional[IpAddressType] = None,
         security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
@@ -16759,6 +16826,7 @@ class NetworkLoadBalancer(
         :param scope: -
         :param id: -
         :param client_routing_policy: The AZ affinity routing policy. Default: - AZ affinity is disabled.
+        :param enable_prefix_for_ipv6_source_nat: Indicates whether to use an IPv6 prefix from each subnet for source NAT. The IP address type must be IpAddressType.DUALSTACK. Default: undefined - NLB default behavior is false
         :param enforce_security_group_inbound_rules_on_private_link_traffic: Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink. Default: true
         :param ip_address_type: The type of IP addresses to use. If you want to add a UDP or TCP_UDP listener to the load balancer, you must choose IPv4. Default: IpAddressType.IPV4
         :param security_groups: Security groups to associate with this load balancer. Default: - No security groups associated with the load balancer.
@@ -16777,6 +16845,7 @@ class NetworkLoadBalancer(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = NetworkLoadBalancerProps(
             client_routing_policy=client_routing_policy,
+            enable_prefix_for_ipv6_source_nat=enable_prefix_for_ipv6_source_nat,
             enforce_security_group_inbound_rules_on_private_link_traffic=enforce_security_group_inbound_rules_on_private_link_traffic,
             ip_address_type=ip_address_type,
             security_groups=security_groups,
@@ -17529,6 +17598,7 @@ class NetworkLoadBalancerLookupOptions(BaseLoadBalancerLookupOptions):
         "load_balancer_name": "loadBalancerName",
         "vpc_subnets": "vpcSubnets",
         "client_routing_policy": "clientRoutingPolicy",
+        "enable_prefix_for_ipv6_source_nat": "enablePrefixForIpv6SourceNat",
         "enforce_security_group_inbound_rules_on_private_link_traffic": "enforceSecurityGroupInboundRulesOnPrivateLinkTraffic",
         "ip_address_type": "ipAddressType",
         "security_groups": "securityGroups",
@@ -17547,6 +17617,7 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
         load_balancer_name: typing.Optional[builtins.str] = None,
         vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
         client_routing_policy: typing.Optional[ClientRoutingPolicy] = None,
+        enable_prefix_for_ipv6_source_nat: typing.Optional[builtins.bool] = None,
         enforce_security_group_inbound_rules_on_private_link_traffic: typing.Optional[builtins.bool] = None,
         ip_address_type: typing.Optional[IpAddressType] = None,
         security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
@@ -17562,6 +17633,7 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
         :param load_balancer_name: Name of the load balancer. Default: - Automatically generated name.
         :param vpc_subnets: Which subnets place the load balancer in. Default: - the Vpc default strategy.
         :param client_routing_policy: The AZ affinity routing policy. Default: - AZ affinity is disabled.
+        :param enable_prefix_for_ipv6_source_nat: Indicates whether to use an IPv6 prefix from each subnet for source NAT. The IP address type must be IpAddressType.DUALSTACK. Default: undefined - NLB default behavior is false
         :param enforce_security_group_inbound_rules_on_private_link_traffic: Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink. Default: true
         :param ip_address_type: The type of IP addresses to use. If you want to add a UDP or TCP_UDP listener to the load balancer, you must choose IPv4. Default: IpAddressType.IPV4
         :param security_groups: Security groups to associate with this load balancer. Default: - No security groups associated with the load balancer.
@@ -17571,18 +17643,18 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
 
         Example::
 
-            from aws_cdk.aws_apigatewayv2_integrations import HttpNlbIntegration
+            # vpc: ec2.Vpc
             
             
-            vpc = ec2.Vpc(self, "VPC")
-            lb = elbv2.NetworkLoadBalancer(self, "lb", vpc=vpc)
-            listener = lb.add_listener("listener", port=80)
-            listener.add_targets("target",
-                port=80
+            lb = elbv2.NetworkLoadBalancer(self, "LB",
+                vpc=vpc,
+                ip_address_type=elbv2.IpAddressType.DUAL_STACK,
+                enable_prefix_for_ipv6_source_nat=True
             )
             
-            http_endpoint = apigwv2.HttpApi(self, "HttpProxyPrivateApi",
-                default_integration=HttpNlbIntegration("DefaultIntegration", listener)
+            listener = lb.add_listener("Listener",
+                port=1229,
+                protocol=elbv2.Protocol.UDP
             )
         '''
         if isinstance(vpc_subnets, dict):
@@ -17597,6 +17669,7 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
             check_type(argname="argument load_balancer_name", value=load_balancer_name, expected_type=type_hints["load_balancer_name"])
             check_type(argname="argument vpc_subnets", value=vpc_subnets, expected_type=type_hints["vpc_subnets"])
             check_type(argname="argument client_routing_policy", value=client_routing_policy, expected_type=type_hints["client_routing_policy"])
+            check_type(argname="argument enable_prefix_for_ipv6_source_nat", value=enable_prefix_for_ipv6_source_nat, expected_type=type_hints["enable_prefix_for_ipv6_source_nat"])
             check_type(argname="argument enforce_security_group_inbound_rules_on_private_link_traffic", value=enforce_security_group_inbound_rules_on_private_link_traffic, expected_type=type_hints["enforce_security_group_inbound_rules_on_private_link_traffic"])
             check_type(argname="argument ip_address_type", value=ip_address_type, expected_type=type_hints["ip_address_type"])
             check_type(argname="argument security_groups", value=security_groups, expected_type=type_hints["security_groups"])
@@ -17618,6 +17691,8 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
             self._values["vpc_subnets"] = vpc_subnets
         if client_routing_policy is not None:
             self._values["client_routing_policy"] = client_routing_policy
+        if enable_prefix_for_ipv6_source_nat is not None:
+            self._values["enable_prefix_for_ipv6_source_nat"] = enable_prefix_for_ipv6_source_nat
         if enforce_security_group_inbound_rules_on_private_link_traffic is not None:
             self._values["enforce_security_group_inbound_rules_on_private_link_traffic"] = enforce_security_group_inbound_rules_on_private_link_traffic
         if ip_address_type is not None:
@@ -17704,6 +17779,17 @@ class NetworkLoadBalancerProps(BaseLoadBalancerProps):
         result = self._values.get("client_routing_policy")
         return typing.cast(typing.Optional[ClientRoutingPolicy], result)
 
+    @builtins.property
+    def enable_prefix_for_ipv6_source_nat(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether to use an IPv6 prefix from each subnet for source NAT.
+
+        The IP address type must be IpAddressType.DUALSTACK.
+
+        :default: undefined - NLB default behavior is false
+        '''
+        result = self._values.get("enable_prefix_for_ipv6_source_nat")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def enforce_security_group_inbound_rules_on_private_link_traffic(
         self,
@@ -18124,85 +18210,18 @@ class Protocol(enum.Enum):
 
     Example::
 
-        from aws_cdk.aws_certificatemanager import Certificate
-        from aws_cdk.aws_ec2 import InstanceType
-        from aws_cdk.aws_ecs import Cluster, ContainerImage
-        from aws_cdk.aws_elasticloadbalancingv2 import ApplicationProtocol, Protocol, SslPolicy
-        from aws_cdk.aws_route53 import PublicHostedZone
+        # vpc: ec2.Vpc
         
-        vpc = ec2.Vpc(self, "Vpc", max_azs=1)
         
-        load_balanced_fargate_service = ecs_patterns.ApplicationMultipleTargetGroupsFargateService(self, "myService",
-            cluster=ecs.Cluster(self, "EcsCluster", vpc=vpc),
-            memory_limit_mi_b=256,
-            task_image_options=ecsPatterns.ApplicationLoadBalancedTaskImageProps(
-                image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample")
-            ),
-            enable_execute_command=True,
-            load_balancers=[ecsPatterns.ApplicationLoadBalancerProps(
-                name="lb",
-                idle_timeout=Duration.seconds(400),
-                domain_name="api.example.com",
-                domain_zone=PublicHostedZone(self, "HostedZone", zone_name="example.com"),
-                listeners=[ecsPatterns.ApplicationListenerProps(
-                    name="listener",
-                    protocol=ApplicationProtocol.HTTPS,
-                    certificate=Certificate.from_certificate_arn(self, "Cert", "helloworld"),
-                    ssl_policy=SslPolicy.TLS12_EXT
-                )
-                ]
-            ), ecsPatterns.ApplicationLoadBalancerProps(
-                name="lb2",
-                idle_timeout=Duration.seconds(120),
-                domain_name="frontend.com",
-                domain_zone=PublicHostedZone(self, "HostedZone", zone_name="frontend.com"),
-                listeners=[ecsPatterns.ApplicationListenerProps(
-                    name="listener2",
-                    protocol=ApplicationProtocol.HTTPS,
-                    certificate=Certificate.from_certificate_arn(self, "Cert2", "helloworld"),
-                    ssl_policy=SslPolicy.TLS12_EXT
-                )
-                ]
-            )
-            ],
-            target_groups=[ecsPatterns.ApplicationTargetProps(
-                container_port=80,
-                listener="listener"
-            ), ecsPatterns.ApplicationTargetProps(
-                container_port=90,
-                path_pattern="a/b/c",
-                priority=10,
-                listener="listener"
-            ), ecsPatterns.ApplicationTargetProps(
-                container_port=443,
-                listener="listener2"
-            ), ecsPatterns.ApplicationTargetProps(
-                container_port=80,
-                path_pattern="a/b/c",
-                priority=10,
-                listener="listener2"
-            )
-            ]
-        )
-        
-        load_balanced_fargate_service.target_groups[0].configure_health_check(
-            port="8050",
-            protocol=Protocol.HTTP,
-            healthy_threshold_count=2,
-            unhealthy_threshold_count=2,
-            timeout=Duration.seconds(10),
-            interval=Duration.seconds(30),
-            healthy_http_codes="200"
+        lb = elbv2.NetworkLoadBalancer(self, "LB",
+            vpc=vpc,
+            ip_address_type=elbv2.IpAddressType.DUAL_STACK,
+            enable_prefix_for_ipv6_source_nat=True
         )
         
-        load_balanced_fargate_service.target_groups[1].configure_health_check(
-            port="8050",
-            protocol=Protocol.HTTP,
-            healthy_threshold_count=2,
-            unhealthy_threshold_count=2,
-            timeout=Duration.seconds(10),
-            interval=Duration.seconds(30),
-            healthy_http_codes="200"
+        listener = lb.add_listener("Listener",
+            port=1229,
+            protocol=elbv2.Protocol.UDP
         )
     '''
 
@@ -18666,9 +18685,9 @@ class SslPolicy(enum.Enum):
     '''
 
     RECOMMENDED_TLS = "RECOMMENDED_TLS"
-    '''The recommended security policy for TLS listeners.
+    '''The recommended security policy for TLS listeners. This is the default policy for listeners created using the AWS Management Console.
 
-    This is the default policy for listeners created using the AWS Management Console
+    This policy includes TLS 1.3, and is backwards compatible with TLS 1.2
     '''
     RECOMMENDED = "RECOMMENDED"
     '''The recommended policy for http listeners.
@@ -18869,7 +18888,7 @@ class TargetGroupBase(
         :param port: The port that the load balancer uses when performing health checks on the targets. Default: 'traffic-port'
         :param protocol: The protocol the load balancer uses when performing health checks on targets. The TCP protocol is supported for health checks only if the protocol of the target group is TCP, TLS, UDP, or TCP_UDP. The TLS, UDP, and TCP_UDP protocols are not supported for health checks. Default: - HTTP for ALBs, TCP for NLBs
         :param timeout: The amount of time, in seconds, during which no response from a target means a failed health check. Must be 2 to 120 seconds. Default: - 6 seconds if the protocol is HTTP, 5 seconds if protocol is ``GENEVE``, 30 seconds if target type is ``lambda``, 10 seconds for TCP, TLS, or HTTPS
-        :param unhealthy_threshold_count: The number of consecutive health check failures required before considering a target unhealthy. For Application Load Balancers, the default is 2. For Network Load Balancers, this value must be the same as the healthy threshold count. Default: 2
+        :param unhealthy_threshold_count: The number of consecutive health check failures required before considering a target unhealthy. For Application Load Balancers, the default is 2. For Network Load Balancers, the range is between 2-10 and can be set accordingly. Default: 2
         '''
         health_check = HealthCheck(
             enabled=enabled,
@@ -22202,30 +22221,18 @@ class NetworkListener(
 
     Example::
 
-        # vpc: ec2.Vpc
-        # asg: autoscaling.AutoScalingGroup
-        # sg1: ec2.ISecurityGroup
-        # sg2: ec2.ISecurityGroup
-        
+        from aws_cdk.aws_apigatewayv2_integrations import HttpNlbIntegration
         
-        # Create the load balancer in a VPC. 'internetFacing' is 'false'
-        # by default, which creates an internal load balancer.
-        lb = elbv2.NetworkLoadBalancer(self, "LB",
-            vpc=vpc,
-            internet_facing=True,
-            security_groups=[sg1]
-        )
-        lb.add_security_group(sg2)
         
-        # Add a listener on a particular port.
-        listener = lb.add_listener("Listener",
-            port=443
+        vpc = ec2.Vpc(self, "VPC")
+        lb = elbv2.NetworkLoadBalancer(self, "lb", vpc=vpc)
+        listener = lb.add_listener("listener", port=80)
+        listener.add_targets("target",
+            port=80
         )
         
-        # Add targets on a particular port.
-        listener.add_targets("AppFleet",
-            port=443,
-            targets=[asg]
+        http_endpoint = apigwv2.HttpApi(self, "HttpProxyPrivateApi",
+            default_integration=HttpNlbIntegration("DefaultIntegration", listener)
         )
     '''
 
@@ -25585,6 +25592,7 @@ def _typecheckingstub__0e09ea6213c5fb2125f07b2f54d7fe6ee24307939dcc06580928b2ef0
 
 def _typecheckingstub__07605e87f763c352d3e6705d69aa07723ad3c005493c1fdef02b175f49d53ee0(
     *,
+    advertise_trust_store_ca_names: typing.Optional[builtins.str] = None,
     ignore_client_certificate_expiry: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     mode: typing.Optional[builtins.str] = None,
     trust_store_arn: typing.Optional[builtins.str] = None,
@@ -26731,6 +26739,7 @@ def _typecheckingstub__e1c7a4c1332bdc807d1e25aa5d69eea6e1f3bf6a88ddd30dac9a64c93
     id: builtins.str,
     *,
     client_routing_policy: typing.Optional[ClientRoutingPolicy] = None,
+    enable_prefix_for_ipv6_source_nat: typing.Optional[builtins.bool] = None,
     enforce_security_group_inbound_rules_on_private_link_traffic: typing.Optional[builtins.bool] = None,
     ip_address_type: typing.Optional[IpAddressType] = None,
     security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,
@@ -26834,6 +26843,7 @@ def _typecheckingstub__195ab659ca9cd1c401d6d2d1a1f5cb0aaf7dd80f06dbc724020ac0cc3
     load_balancer_name: typing.Optional[builtins.str] = None,
     vpc_subnets: typing.Optional[typing.Union[_SubnetSelection_e57d76df, typing.Dict[builtins.str, typing.Any]]] = None,
     client_routing_policy: typing.Optional[ClientRoutingPolicy] = None,
+    enable_prefix_for_ipv6_source_nat: typing.Optional[builtins.bool] = None,
     enforce_security_group_inbound_rules_on_private_link_traffic: typing.Optional[builtins.bool] = None,
     ip_address_type: typing.Optional[IpAddressType] = None,
     security_groups: typing.Optional[typing.Sequence[_ISecurityGroup_acf8a799]] = None,