aws-cdk-lib 2.96.2__py3-none-any.whl → 2.97.1__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -3259,25 +3259,29 @@ class AmazonLinuxEdition(enum.Enum):
 class AmazonLinuxGeneration(enum.Enum):
     '''What generation of Amazon Linux to use.
 
-    :exampleMetadata: infused
+    :exampleMetadata: lit=aws-autoscaling/test/example.images.lit.ts infused
 
     Example::
 
-        # vpc: ec2.Vpc
-        
+        # Pick a Windows edition to use
+        windows = ec2.WindowsImage(ec2.WindowsVersion.WINDOWS_SERVER_2019_ENGLISH_FULL_BASE)
         
-        autoscaling.AutoScalingGroup(self, "ASG",
-            vpc=vpc,
-            instance_type=ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
+        # Pick the right Amazon Linux edition. All arguments shown are optional
+        # and will default to these values when omitted.
+        amzn_linux = ec2.AmazonLinuxImage(
+            generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX,
+            edition=ec2.AmazonLinuxEdition.STANDARD,
+            virtualization=ec2.AmazonLinuxVirt.HVM,
+            storage=ec2.AmazonLinuxStorage.GENERAL_PURPOSE
+        )
         
-            # Amazon Linux 2 comes with SSM Agent by default
-            machine_image=ec2.MachineImage.latest_amazon_linux(
-                generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2
-            ),
+        # For other custom (Linux) images, instantiate a `GenericLinuxImage` with
+        # a map giving the AMI to in for each region:
         
-            # Turn on SSM
-            ssm_session_permissions=True
-        )
+        linux = ec2.GenericLinuxImage({
+            "us-east-1": "ami-97785bed",
+            "eu-west-1": "ami-12345678"
+        })
     '''
 
     AMAZON_LINUX = "AMAZON_LINUX"
@@ -9701,7 +9705,7 @@ class CfnEC2Fleet(
         :param on_demand_options: Describes the configuration of On-Demand Instances in an EC2 Fleet.
         :param replace_unhealthy_instances: Indicates whether EC2 Fleet should replace unhealthy Spot Instances. Supported only for fleets of type ``maintain`` . For more information, see `EC2 Fleet health checks <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/manage-ec2-fleet.html#ec2-fleet-health-checks>`_ in the *Amazon EC2 User Guide* .
         :param spot_options: Describes the configuration of Spot Instances in an EC2 Fleet.
-        :param tag_specifications: The key-value pair for tagging the EC2 Fleet request on creation. For more information, see `Tagging your resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ . If the fleet type is ``instant`` , specify a resource type of ``fleet`` to tag the fleet or ``instance`` to tag the instances at launch. If the fleet type is ``maintain`` or ``request`` , specify a resource type of ``fleet`` to tag the fleet. You cannot specify a resource type of ``instance`` . To tag instances at launch, specify the tags in a `launch template <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template>`_ .
+        :param tag_specifications: The key-value pair for tagging the EC2 Fleet request on creation. For more information, see `Tag your resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ . If the fleet type is ``instant`` , specify a resource type of ``fleet`` to tag the fleet or ``instance`` to tag the instances at launch. If the fleet type is ``maintain`` or ``request`` , specify a resource type of ``fleet`` to tag the fleet. You cannot specify a resource type of ``instance`` . To tag instances at launch, specify the tags in a `launch template <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template>`_ .
         :param terminate_instances_with_expiration: Indicates whether running instances should be terminated when the EC2 Fleet expires.
         :param type: The fleet type. The default value is ``maintain`` . - ``maintain`` - The EC2 Fleet places an asynchronous request for your desired capacity, and continues to maintain your desired Spot capacity by replenishing interrupted Spot Instances. - ``request`` - The EC2 Fleet places an asynchronous one-time request for your desired capacity, but does submit Spot requests in alternative capacity pools if Spot capacity is unavailable, and does not maintain Spot capacity if Spot Instances are interrupted. - ``instant`` - The EC2 Fleet places a synchronous one-time request for your desired capacity, and returns errors for any instances that could not be launched. For more information, see `EC2 Fleet request types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-request-type.html>`_ in the *Amazon EC2 User Guide* .
         :param valid_from: The start date and time of the request, in UTC format (for example, *YYYY* - *MM* - *DD* T *HH* : *MM* : *SS* Z). The default is to start fulfilling the request immediately.
@@ -9898,7 +9902,7 @@ class CfnEC2Fleet(
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnEC2Fleet.TagSpecificationProperty"]]]]:
         '''The key-value pair for tagging the EC2 Fleet request on creation.
 
-        For more information, see `Tagging your resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ .
+        For more information, see `Tag your resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ .
         '''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnEC2Fleet.TagSpecificationProperty"]]]], jsii.get(self, "tagSpecifications"))
 
@@ -11885,7 +11889,7 @@ class CfnEC2Fleet(
 
             :param allocation_strategy: The strategy that determines the order of the launch template overrides to use in fulfilling On-Demand capacity. ``lowest-price`` - EC2 Fleet uses price to determine the order, launching the lowest price first. ``prioritized`` - EC2 Fleet uses the priority that you assigned to each launch template override, launching the highest priority first. Default: ``lowest-price``
             :param capacity_reservation_options: The strategy for using unused Capacity Reservations for fulfilling On-Demand capacity. Supported only for fleets of type ``instant`` .
-            :param max_total_price: The maximum amount per hour for On-Demand Instances that you're willing to pay.
+            :param max_total_price: The maximum amount per hour for On-Demand Instances that you're willing to pay. .. epigraph:: If your fleet includes T instances that are configured as ``unlimited`` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The ``MaxTotalPrice`` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for ``MaxTotalPrice`` . For more information, see `Surplus credits can incur charges <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits>`_ in the *EC2 User Guide* .
             :param min_target_capacity: The minimum target capacity for On-Demand Instances in the fleet. If the minimum target capacity is not reached, the fleet launches no instances. Supported only for fleets of type ``instant`` . At least one of the following must be specified: ``SingleAvailabilityZone`` | ``SingleInstanceType``
             :param single_availability_zone: Indicates that the fleet launches all On-Demand Instances into a single Availability Zone. Supported only for fleets of type ``instant`` .
             :param single_instance_type: Indicates that the fleet uses a single instance type to launch all On-Demand Instances in the fleet. Supported only for fleets of type ``instant`` .
@@ -11964,6 +11968,10 @@ class CfnEC2Fleet(
         def max_total_price(self) -> typing.Optional[builtins.str]:
             '''The maximum amount per hour for On-Demand Instances that you're willing to pay.
 
+            .. epigraph::
+
+               If your fleet includes T instances that are configured as ``unlimited`` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The ``MaxTotalPrice`` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for ``MaxTotalPrice`` . For more information, see `Surplus credits can incur charges <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits>`_ in the *EC2 User Guide* .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ec2fleet-ondemandoptionsrequest.html#cfn-ec2-ec2fleet-ondemandoptionsrequest-maxtotalprice
             '''
             result = self._values.get("max_total_price")
@@ -12245,7 +12253,7 @@ class CfnEC2Fleet(
             :param instance_interruption_behavior: The behavior when a Spot Instance is interrupted. Default: ``terminate``
             :param instance_pools_to_use_count: The number of Spot pools across which to allocate your target Spot capacity. Supported only when Spot ``AllocationStrategy`` is set to ``lowest-price`` . EC2 Fleet selects the cheapest Spot pools and evenly allocates your target Spot capacity across the number of Spot pools that you specify. Note that EC2 Fleet attempts to draw Spot Instances from the number of pools that you specify on a best effort basis. If a pool runs out of Spot capacity before fulfilling your target capacity, EC2 Fleet will continue to fulfill your request by drawing from the next cheapest pool. To ensure that your target capacity is met, you might receive Spot Instances from more than the number of pools that you specified. Similarly, if most of the pools have no Spot capacity, you might receive your full target capacity from fewer than the number of pools that you specified.
             :param maintenance_strategies: The strategies for managing your Spot Instances that are at an elevated risk of being interrupted.
-            :param max_total_price: The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price. .. epigraph:: If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter.
+            :param max_total_price: The maximum amount per hour for Spot Instances that you're willing to pay. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price. .. epigraph:: If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter. > If your fleet includes T instances that are configured as ``unlimited`` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The ``MaxTotalPrice`` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for ``MaxTotalPrice`` . For more information, see `Surplus credits can incur charges <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits>`_ in the *EC2 User Guide* .
             :param min_target_capacity: The minimum target capacity for Spot Instances in the fleet. If the minimum target capacity is not reached, the fleet launches no instances. Supported only for fleets of type ``instant`` . At least one of the following must be specified: ``SingleAvailabilityZone`` | ``SingleInstanceType``
             :param single_availability_zone: Indicates that the fleet launches all Spot Instances into a single Availability Zone. Supported only for fleets of type ``instant`` .
             :param single_instance_type: Indicates that the fleet uses a single instance type to launch all Spot Instances in the fleet. Supported only for fleets of type ``instant`` .
@@ -12362,7 +12370,7 @@ class CfnEC2Fleet(
             We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price.
             .. epigraph::
 
-               If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter.
+               If you specify a maximum price, your Spot Instances will be interrupted more frequently than if you do not specify this parameter. > If your fleet includes T instances that are configured as ``unlimited`` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The ``MaxTotalPrice`` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for ``MaxTotalPrice`` . For more information, see `Surplus credits can incur charges <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits>`_ in the *EC2 User Guide* .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ec2fleet-spotoptionsrequest.html#cfn-ec2-ec2fleet-spotoptionsrequest-maxtotalprice
             '''
@@ -12819,7 +12827,7 @@ class CfnEC2FleetProps:
         :param on_demand_options: Describes the configuration of On-Demand Instances in an EC2 Fleet.
         :param replace_unhealthy_instances: Indicates whether EC2 Fleet should replace unhealthy Spot Instances. Supported only for fleets of type ``maintain`` . For more information, see `EC2 Fleet health checks <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/manage-ec2-fleet.html#ec2-fleet-health-checks>`_ in the *Amazon EC2 User Guide* .
         :param spot_options: Describes the configuration of Spot Instances in an EC2 Fleet.
-        :param tag_specifications: The key-value pair for tagging the EC2 Fleet request on creation. For more information, see `Tagging your resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ . If the fleet type is ``instant`` , specify a resource type of ``fleet`` to tag the fleet or ``instance`` to tag the instances at launch. If the fleet type is ``maintain`` or ``request`` , specify a resource type of ``fleet`` to tag the fleet. You cannot specify a resource type of ``instance`` . To tag instances at launch, specify the tags in a `launch template <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template>`_ .
+        :param tag_specifications: The key-value pair for tagging the EC2 Fleet request on creation. For more information, see `Tag your resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ . If the fleet type is ``instant`` , specify a resource type of ``fleet`` to tag the fleet or ``instance`` to tag the instances at launch. If the fleet type is ``maintain`` or ``request`` , specify a resource type of ``fleet`` to tag the fleet. You cannot specify a resource type of ``instance`` . To tag instances at launch, specify the tags in a `launch template <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template>`_ .
         :param terminate_instances_with_expiration: Indicates whether running instances should be terminated when the EC2 Fleet expires.
         :param type: The fleet type. The default value is ``maintain`` . - ``maintain`` - The EC2 Fleet places an asynchronous request for your desired capacity, and continues to maintain your desired Spot capacity by replenishing interrupted Spot Instances. - ``request`` - The EC2 Fleet places an asynchronous one-time request for your desired capacity, but does submit Spot requests in alternative capacity pools if Spot capacity is unavailable, and does not maintain Spot capacity if Spot Instances are interrupted. - ``instant`` - The EC2 Fleet places a synchronous one-time request for your desired capacity, and returns errors for any instances that could not be launched. For more information, see `EC2 Fleet request types <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-fleet-request-type.html>`_ in the *Amazon EC2 User Guide* .
         :param valid_from: The start date and time of the request, in UTC format (for example, *YYYY* - *MM* - *DD* T *HH* : *MM* : *SS* Z). The default is to start fulfilling the request immediately.
@@ -13088,7 +13096,7 @@ class CfnEC2FleetProps:
     def tag_specifications(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, CfnEC2Fleet.TagSpecificationProperty]]]]:
-        '''The key-value pair for tagging the EC2 Fleet request on creation. For more information, see `Tagging your resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ .
+        '''The key-value pair for tagging the EC2 Fleet request on creation. For more information, see `Tag your resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ .
 
         If the fleet type is ``instant`` , specify a resource type of ``fleet`` to tag the fleet or ``instance`` to tag the instances at launch.
 
@@ -13206,7 +13214,7 @@ class CfnEIP(
         :param id: Construct identifier for this resource (unique in its scope).
         :param domain: The network ( ``vpc`` ). If you define an Elastic IP address and associate it with a VPC that is defined in the same template, you must declare a dependency on the VPC-gateway attachment by using the `DependsOn Attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html>`_ on this resource.
         :param instance_id: The ID of the instance. .. epigraph:: Updates to the ``InstanceId`` property may require *some interruptions* . Updates on an EIP reassociates the address on its associated resource.
-        :param network_border_group: A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups. Use `DescribeAvailabilityZones <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html>`_ to view the network border groups. You cannot use a network border group with EC2 Classic. If you attempt this operation on EC2 Classic, you receive an ``InvalidParameterCombination`` error.
+        :param network_border_group: A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups. Use `DescribeAvailabilityZones <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html>`_ to view the network border groups.
         :param public_ipv4_pool: The ID of an address pool that you own. Use this parameter to let Amazon EC2 select an address from the address pool. .. epigraph:: Updates to the ``PublicIpv4Pool`` property may require *some interruptions* . Updates on an EIP reassociates the address on its associated resource.
         :param tags: Any tags assigned to the Elastic IP address. .. epigraph:: Updates to the ``Tags`` property may require *some interruptions* . Updates on an EIP reassociates the address on its associated resource.
         :param transfer_address: The Elastic IP address you are accepting for transfer. You can only accept one transferred address. For more information on Elastic IP address transfers, see `Transfer Elastic IP addresses <https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html#transfer-EIPs-intro>`_ in the *Amazon Virtual Private Cloud User Guide* .
@@ -13411,7 +13419,7 @@ class CfnEIPAssociation(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param allocation_id: The allocation ID. This is required.
-        :param eip: 
+        :param eip: (deprecated) The Elastic IP address to associate with the instance.
         :param instance_id: The ID of the instance. The instance must have exactly one attached network interface. You can specify either the instance ID or the network interface ID, but not both.
         :param network_interface_id: The ID of the network interface. If the instance has more than one network interface, you must specify a network interface ID. You can specify either the instance ID or the network interface ID, but not both.
         :param private_ip_address: The primary or secondary private IP address to associate with the Elastic IP address. If no private IP address is specified, the Elastic IP address is associated with the primary private IP address.
@@ -13463,7 +13471,8 @@ class CfnEIPAssociation(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The ID of the association.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -13489,6 +13498,12 @@ class CfnEIPAssociation(
     @builtins.property
     @jsii.member(jsii_name="eip")
     def eip(self) -> typing.Optional[builtins.str]:
+        '''(deprecated) The Elastic IP address to associate with the instance.
+
+        :deprecated: this property has been deprecated
+
+        :stability: deprecated
+        '''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "eip"))
 
     @eip.setter
@@ -13562,7 +13577,7 @@ class CfnEIPAssociationProps:
         '''Properties for defining a ``CfnEIPAssociation``.
 
         :param allocation_id: The allocation ID. This is required.
-        :param eip: 
+        :param eip: (deprecated) The Elastic IP address to associate with the instance.
         :param instance_id: The ID of the instance. The instance must have exactly one attached network interface. You can specify either the instance ID or the network interface ID, but not both.
         :param network_interface_id: The ID of the network interface. If the instance has more than one network interface, you must specify a network interface ID. You can specify either the instance ID or the network interface ID, but not both.
         :param private_ip_address: The primary or secondary private IP address to associate with the Elastic IP address. If no private IP address is specified, the Elastic IP address is associated with the primary private IP address.
@@ -13616,8 +13631,12 @@ class CfnEIPAssociationProps:
 
     @builtins.property
     def eip(self) -> typing.Optional[builtins.str]:
-        '''
+        '''(deprecated) The Elastic IP address to associate with the instance.
+
+        :deprecated: this property has been deprecated
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-eipassociation.html#cfn-ec2-eipassociation-eip
+        :stability: deprecated
         '''
         result = self._values.get("eip")
         return typing.cast(typing.Optional[builtins.str], result)
@@ -13696,7 +13715,7 @@ class CfnEIPProps:
 
         :param domain: The network ( ``vpc`` ). If you define an Elastic IP address and associate it with a VPC that is defined in the same template, you must declare a dependency on the VPC-gateway attachment by using the `DependsOn Attribute <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html>`_ on this resource.
         :param instance_id: The ID of the instance. .. epigraph:: Updates to the ``InstanceId`` property may require *some interruptions* . Updates on an EIP reassociates the address on its associated resource.
-        :param network_border_group: A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups. Use `DescribeAvailabilityZones <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html>`_ to view the network border groups. You cannot use a network border group with EC2 Classic. If you attempt this operation on EC2 Classic, you receive an ``InvalidParameterCombination`` error.
+        :param network_border_group: A unique set of Availability Zones, Local Zones, or Wavelength Zones from which AWS advertises IP addresses. Use this parameter to limit the IP address to this location. IP addresses cannot move between network border groups. Use `DescribeAvailabilityZones <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html>`_ to view the network border groups.
         :param public_ipv4_pool: The ID of an address pool that you own. Use this parameter to let Amazon EC2 select an address from the address pool. .. epigraph:: Updates to the ``PublicIpv4Pool`` property may require *some interruptions* . Updates on an EIP reassociates the address on its associated resource.
         :param tags: Any tags assigned to the Elastic IP address. .. epigraph:: Updates to the ``Tags`` property may require *some interruptions* . Updates on an EIP reassociates the address on its associated resource.
         :param transfer_address: The Elastic IP address you are accepting for transfer. You can only accept one transferred address. For more information on Elastic IP address transfers, see `Transfer Elastic IP addresses <https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html#transfer-EIPs-intro>`_ in the *Amazon Virtual Private Cloud User Guide* .
@@ -13774,8 +13793,6 @@ class CfnEIPProps:
 
         Use `DescribeAvailabilityZones <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAvailabilityZones.html>`_ to view the network border groups.
 
-        You cannot use a network border group with EC2 Classic. If you attempt this operation on EC2 Classic, you receive an ``InvalidParameterCombination`` error.
-
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-eip.html#cfn-ec2-eip-networkbordergroup
         '''
         result = self._values.get("network_border_group")
@@ -14230,6 +14247,7 @@ class CfnFlowLog(
             resource_type="resourceType",
         
             # the properties below are optional
+            deliver_cross_account_role="deliverCrossAccountRole",
             deliver_logs_permission_arn="deliverLogsPermissionArn",
             destination_options=destination_options,
             log_destination="logDestination",
@@ -14252,6 +14270,7 @@ class CfnFlowLog(
         *,
         resource_id: builtins.str,
         resource_type: builtins.str,
+        deliver_cross_account_role: typing.Optional[builtins.str] = None,
         deliver_logs_permission_arn: typing.Optional[builtins.str] = None,
         destination_options: typing.Any = None,
         log_destination: typing.Optional[builtins.str] = None,
@@ -14267,6 +14286,7 @@ class CfnFlowLog(
         :param id: Construct identifier for this resource (unique in its scope).
         :param resource_id: The ID of the resource to monitor. For example, if the resource type is ``VPC`` , specify the ID of the VPC.
         :param resource_type: The type of resource to monitor.
+        :param deliver_cross_account_role: The ARN of the IAM role that allows the service to publish flow logs across accounts.
         :param deliver_logs_permission_arn: The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. This parameter is required if the destination type is ``cloud-watch-logs`` and unsupported otherwise.
         :param destination_options: The destination options. The following options are supported:. - ``FileFormat`` - The format for the flow log ( ``plain-text`` | ``parquet`` ). The default is ``plain-text`` . - ``HiveCompatiblePartitions`` - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( ``true`` | ``false`` ). The default is ``false`` . - ``PerHourPartition`` - Indicates whether to partition the flow log per hour ( ``true`` | ``false`` ). The default is ``false`` .
         :param log_destination: The destination for the flow log data. The meaning of this parameter depends on the destination type. - If the destination type is ``cloud-watch-logs`` , specify the ARN of a CloudWatch Logs log group. For example: arn:aws:logs: *region* : *account_id* :log-group: *my_group* Alternatively, use the ``LogGroupName`` parameter. - If the destination type is ``s3`` , specify the ARN of an S3 bucket. For example: arn:aws:s3::: *my_bucket* / *my_subfolder* / The subfolder is optional. Note that you can't use ``AWSLogs`` as a subfolder name. - If the destination type is ``kinesis-data-firehose`` , specify the ARN of a Kinesis Data Firehose delivery stream. For example: arn:aws:firehose: *region* : *account_id* :deliverystream: *my_stream*
@@ -14284,6 +14304,7 @@ class CfnFlowLog(
         props = CfnFlowLogProps(
             resource_id=resource_id,
             resource_type=resource_type,
+            deliver_cross_account_role=deliver_cross_account_role,
             deliver_logs_permission_arn=deliver_logs_permission_arn,
             destination_options=destination_options,
             log_destination=log_destination,
@@ -14375,6 +14396,19 @@ class CfnFlowLog(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "resourceType", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="deliverCrossAccountRole")
+    def deliver_cross_account_role(self) -> typing.Optional[builtins.str]:
+        '''The ARN of the IAM role that allows the service to publish flow logs across accounts.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "deliverCrossAccountRole"))
+
+    @deliver_cross_account_role.setter
+    def deliver_cross_account_role(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__69de10af6e71879a605a8ff40c4836ff6e89ad4220088a0599668acc26625a53)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "deliverCrossAccountRole", value)
+
     @builtins.property
     @jsii.member(jsii_name="deliverLogsPermissionArn")
     def deliver_logs_permission_arn(self) -> typing.Optional[builtins.str]:
@@ -14605,6 +14639,7 @@ class CfnFlowLog(
     name_mapping={
         "resource_id": "resourceId",
         "resource_type": "resourceType",
+        "deliver_cross_account_role": "deliverCrossAccountRole",
         "deliver_logs_permission_arn": "deliverLogsPermissionArn",
         "destination_options": "destinationOptions",
         "log_destination": "logDestination",
@@ -14622,6 +14657,7 @@ class CfnFlowLogProps:
         *,
         resource_id: builtins.str,
         resource_type: builtins.str,
+        deliver_cross_account_role: typing.Optional[builtins.str] = None,
         deliver_logs_permission_arn: typing.Optional[builtins.str] = None,
         destination_options: typing.Any = None,
         log_destination: typing.Optional[builtins.str] = None,
@@ -14636,6 +14672,7 @@ class CfnFlowLogProps:
 
         :param resource_id: The ID of the resource to monitor. For example, if the resource type is ``VPC`` , specify the ID of the VPC.
         :param resource_type: The type of resource to monitor.
+        :param deliver_cross_account_role: The ARN of the IAM role that allows the service to publish flow logs across accounts.
         :param deliver_logs_permission_arn: The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account. This parameter is required if the destination type is ``cloud-watch-logs`` and unsupported otherwise.
         :param destination_options: The destination options. The following options are supported:. - ``FileFormat`` - The format for the flow log ( ``plain-text`` | ``parquet`` ). The default is ``plain-text`` . - ``HiveCompatiblePartitions`` - Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 ( ``true`` | ``false`` ). The default is ``false`` . - ``PerHourPartition`` - Indicates whether to partition the flow log per hour ( ``true`` | ``false`` ). The default is ``false`` .
         :param log_destination: The destination for the flow log data. The meaning of this parameter depends on the destination type. - If the destination type is ``cloud-watch-logs`` , specify the ARN of a CloudWatch Logs log group. For example: arn:aws:logs: *region* : *account_id* :log-group: *my_group* Alternatively, use the ``LogGroupName`` parameter. - If the destination type is ``s3`` , specify the ARN of an S3 bucket. For example: arn:aws:s3::: *my_bucket* / *my_subfolder* / The subfolder is optional. Note that you can't use ``AWSLogs`` as a subfolder name. - If the destination type is ``kinesis-data-firehose`` , specify the ARN of a Kinesis Data Firehose delivery stream. For example: arn:aws:firehose: *region* : *account_id* :deliverystream: *my_stream*
@@ -14662,6 +14699,7 @@ class CfnFlowLogProps:
                 resource_type="resourceType",
             
                 # the properties below are optional
+                deliver_cross_account_role="deliverCrossAccountRole",
                 deliver_logs_permission_arn="deliverLogsPermissionArn",
                 destination_options=destination_options,
                 log_destination="logDestination",
@@ -14680,6 +14718,7 @@ class CfnFlowLogProps:
             type_hints = typing.get_type_hints(_typecheckingstub__b70808589b9adfc66e939b8c87268607775dc0e479da5f4bed72c3ba8e3afef5)
             check_type(argname="argument resource_id", value=resource_id, expected_type=type_hints["resource_id"])
             check_type(argname="argument resource_type", value=resource_type, expected_type=type_hints["resource_type"])
+            check_type(argname="argument deliver_cross_account_role", value=deliver_cross_account_role, expected_type=type_hints["deliver_cross_account_role"])
             check_type(argname="argument deliver_logs_permission_arn", value=deliver_logs_permission_arn, expected_type=type_hints["deliver_logs_permission_arn"])
             check_type(argname="argument destination_options", value=destination_options, expected_type=type_hints["destination_options"])
             check_type(argname="argument log_destination", value=log_destination, expected_type=type_hints["log_destination"])
@@ -14693,6 +14732,8 @@ class CfnFlowLogProps:
             "resource_id": resource_id,
             "resource_type": resource_type,
         }
+        if deliver_cross_account_role is not None:
+            self._values["deliver_cross_account_role"] = deliver_cross_account_role
         if deliver_logs_permission_arn is not None:
             self._values["deliver_logs_permission_arn"] = deliver_logs_permission_arn
         if destination_options is not None:
@@ -14734,6 +14775,15 @@ class CfnFlowLogProps:
         assert result is not None, "Required property 'resource_type' is missing"
         return typing.cast(builtins.str, result)
 
+    @builtins.property
+    def deliver_cross_account_role(self) -> typing.Optional[builtins.str]:
+        '''The ARN of the IAM role that allows the service to publish flow logs across accounts.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html#cfn-ec2-flowlog-delivercrossaccountrole
+        '''
+        result = self._values.get("deliver_cross_account_role")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def deliver_logs_permission_arn(self) -> typing.Optional[builtins.str]:
         '''The ARN of the IAM role that allows Amazon EC2 to publish flow logs to a CloudWatch Logs log group in your account.
@@ -20977,6 +21027,331 @@ class CfnInstance(
             )
 
 
+@jsii.implements(_IInspectable_c2943556)
+class CfnInstanceConnectEndpoint(
+    _CfnResource_9df397a6,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_ec2.CfnInstanceConnectEndpoint",
+):
+    '''Creates an EC2 Instance Connect Endpoint.
+
+    An EC2 Instance Connect Endpoint allows you to connect to an instance, without requiring the instance to have a public IPv4 address. For more information, see `Connect to your instances without requiring a public IPv4 address using EC2 Instance Connect Endpoint <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect-Endpoint.html>`_ in the *Amazon EC2 User Guide* .
+
+    :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instanceconnectendpoint.html
+    :exampleMetadata: fixture=_generated
+
+    Example::
+
+        # The code below shows an example of how to instantiate this type.
+        # The values are placeholders you should change.
+        from aws_cdk import aws_ec2 as ec2
+        
+        cfn_instance_connect_endpoint = ec2.CfnInstanceConnectEndpoint(self, "MyCfnInstanceConnectEndpoint",
+            subnet_id="subnetId",
+        
+            # the properties below are optional
+            client_token="clientToken",
+            preserve_client_ip=False,
+            security_group_ids=["securityGroupIds"],
+            tags=[CfnTag(
+                key="key",
+                value="value"
+            )]
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        subnet_id: builtins.str,
+        client_token: typing.Optional[builtins.str] = None,
+        preserve_client_ip: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        security_group_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ) -> None:
+        '''
+        :param scope: Scope in which this resource is defined.
+        :param id: Construct identifier for this resource (unique in its scope).
+        :param subnet_id: The ID of the subnet in which to create the EC2 Instance Connect Endpoint.
+        :param client_token: Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
+        :param preserve_client_ip: Indicates whether your client's IP address is preserved as the source. The value is ``true`` or ``false`` . - If ``true`` , your client's IP address is used when you connect to a resource. - If ``false`` , the elastic network interface IP address is used when you connect to a resource. Default: ``true``
+        :param security_group_ids: One or more security groups to associate with the endpoint. If you don't specify a security group, the default security group for your VPC will be associated with the endpoint.
+        :param tags: The tags to apply to the EC2 Instance Connect Endpoint during creation.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__5dd25848f0ceb23edd764d8f4a076cf8f9d22793b6ca99db922a9c410f58ba1f)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = CfnInstanceConnectEndpointProps(
+            subnet_id=subnet_id,
+            client_token=client_token,
+            preserve_client_ip=preserve_client_ip,
+            security_group_ids=security_group_ids,
+            tags=tags,
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="inspect")
+    def inspect(self, inspector: _TreeInspector_488e0dd5) -> None:
+        '''Examines the CloudFormation resource and discloses attributes.
+
+        :param inspector: tree inspector to collect and process attributes.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__5891536cec39a3051ee1e1e6cad74074ab2e104448cf33448a891defadf16b6e)
+            check_type(argname="argument inspector", value=inspector, expected_type=type_hints["inspector"])
+        return typing.cast(None, jsii.invoke(self, "inspect", [inspector]))
+
+    @jsii.member(jsii_name="renderProperties")
+    def _render_properties(
+        self,
+        props: typing.Mapping[builtins.str, typing.Any],
+    ) -> typing.Mapping[builtins.str, typing.Any]:
+        '''
+        :param props: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__08af6017181d75f497ef7453c702f6e6ac3f87faf252f7dae4c9797af2382847)
+            check_type(argname="argument props", value=props, expected_type=type_hints["props"])
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.invoke(self, "renderProperties", [props]))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="CFN_RESOURCE_TYPE_NAME")
+    def CFN_RESOURCE_TYPE_NAME(cls) -> builtins.str:
+        '''The CloudFormation resource type name for this resource class.'''
+        return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
+
+    @builtins.property
+    @jsii.member(jsii_name="attrId")
+    def attr_id(self) -> builtins.str:
+        '''The ID of the EC2 Instance Connect Endpoint.
+
+        :cloudformationAttribute: Id
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "attrId"))
+
+    @builtins.property
+    @jsii.member(jsii_name="cfnProperties")
+    def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
+        return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
+
+    @builtins.property
+    @jsii.member(jsii_name="subnetId")
+    def subnet_id(self) -> builtins.str:
+        '''The ID of the subnet in which to create the EC2 Instance Connect Endpoint.'''
+        return typing.cast(builtins.str, jsii.get(self, "subnetId"))
+
+    @subnet_id.setter
+    def subnet_id(self, value: builtins.str) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__18fe6754ba2f44060c4a7a2127a488b7e626c5c1761f524fdb756846a1b48e44)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "subnetId", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="clientToken")
+    def client_token(self) -> typing.Optional[builtins.str]:
+        '''Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "clientToken"))
+
+    @client_token.setter
+    def client_token(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a075309e51f465140660c0455acd101077c2364e286033707a8d1e11f4cc3a6a)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "clientToken", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="preserveClientIp")
+    def preserve_client_ip(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''Indicates whether your client's IP address is preserved as the source.
+
+        The value is ``true`` or ``false`` .
+        '''
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "preserveClientIp"))
+
+    @preserve_client_ip.setter
+    def preserve_client_ip(
+        self,
+        value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a3c9af51a15924a206fae71c0b2615bf7be3e42b8bb7722c9e794e13a40973a7)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "preserveClientIp", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="securityGroupIds")
+    def security_group_ids(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''One or more security groups to associate with the endpoint.'''
+        return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "securityGroupIds"))
+
+    @security_group_ids.setter
+    def security_group_ids(
+        self,
+        value: typing.Optional[typing.List[builtins.str]],
+    ) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a9a795e386e76f7e1445d90e3d1e800e540f41237f0e797a5e2058cb7b78553e)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "securityGroupIds", value)
+
+    @builtins.property
+    @jsii.member(jsii_name="tags")
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''The tags to apply to the EC2 Instance Connect Endpoint during creation.'''
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], jsii.get(self, "tags"))
+
+    @tags.setter
+    def tags(self, value: typing.Optional[typing.List[_CfnTag_f6864754]]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__3dd5921daaa37553fc9b30d074bd3ef6cfc6e9a796db9530140935d020cd87ae)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "tags", value)
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_ec2.CfnInstanceConnectEndpointProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "subnet_id": "subnetId",
+        "client_token": "clientToken",
+        "preserve_client_ip": "preserveClientIp",
+        "security_group_ids": "securityGroupIds",
+        "tags": "tags",
+    },
+)
+class CfnInstanceConnectEndpointProps:
+    def __init__(
+        self,
+        *,
+        subnet_id: builtins.str,
+        client_token: typing.Optional[builtins.str] = None,
+        preserve_client_ip: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+        security_group_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ) -> None:
+        '''Properties for defining a ``CfnInstanceConnectEndpoint``.
+
+        :param subnet_id: The ID of the subnet in which to create the EC2 Instance Connect Endpoint.
+        :param client_token: Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
+        :param preserve_client_ip: Indicates whether your client's IP address is preserved as the source. The value is ``true`` or ``false`` . - If ``true`` , your client's IP address is used when you connect to a resource. - If ``false`` , the elastic network interface IP address is used when you connect to a resource. Default: ``true``
+        :param security_group_ids: One or more security groups to associate with the endpoint. If you don't specify a security group, the default security group for your VPC will be associated with the endpoint.
+        :param tags: The tags to apply to the EC2 Instance Connect Endpoint during creation.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instanceconnectendpoint.html
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_ec2 as ec2
+            
+            cfn_instance_connect_endpoint_props = ec2.CfnInstanceConnectEndpointProps(
+                subnet_id="subnetId",
+            
+                # the properties below are optional
+                client_token="clientToken",
+                preserve_client_ip=False,
+                security_group_ids=["securityGroupIds"],
+                tags=[CfnTag(
+                    key="key",
+                    value="value"
+                )]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__78086551229af23659e2463ffd3801975d2b07247065af08d90eebf9e7f66ef8)
+            check_type(argname="argument subnet_id", value=subnet_id, expected_type=type_hints["subnet_id"])
+            check_type(argname="argument client_token", value=client_token, expected_type=type_hints["client_token"])
+            check_type(argname="argument preserve_client_ip", value=preserve_client_ip, expected_type=type_hints["preserve_client_ip"])
+            check_type(argname="argument security_group_ids", value=security_group_ids, expected_type=type_hints["security_group_ids"])
+            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "subnet_id": subnet_id,
+        }
+        if client_token is not None:
+            self._values["client_token"] = client_token
+        if preserve_client_ip is not None:
+            self._values["preserve_client_ip"] = preserve_client_ip
+        if security_group_ids is not None:
+            self._values["security_group_ids"] = security_group_ids
+        if tags is not None:
+            self._values["tags"] = tags
+
+    @builtins.property
+    def subnet_id(self) -> builtins.str:
+        '''The ID of the subnet in which to create the EC2 Instance Connect Endpoint.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instanceconnectendpoint.html#cfn-ec2-instanceconnectendpoint-subnetid
+        '''
+        result = self._values.get("subnet_id")
+        assert result is not None, "Required property 'subnet_id' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def client_token(self) -> typing.Optional[builtins.str]:
+        '''Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instanceconnectendpoint.html#cfn-ec2-instanceconnectendpoint-clienttoken
+        '''
+        result = self._values.get("client_token")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def preserve_client_ip(
+        self,
+    ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+        '''Indicates whether your client's IP address is preserved as the source. The value is ``true`` or ``false`` .
+
+        - If ``true`` , your client's IP address is used when you connect to a resource.
+        - If ``false`` , the elastic network interface IP address is used when you connect to a resource.
+
+        Default: ``true``
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instanceconnectendpoint.html#cfn-ec2-instanceconnectendpoint-preserveclientip
+        '''
+        result = self._values.get("preserve_client_ip")
+        return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
+    @builtins.property
+    def security_group_ids(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''One or more security groups to associate with the endpoint.
+
+        If you don't specify a security group, the default security group for your VPC will be associated with the endpoint.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instanceconnectendpoint.html#cfn-ec2-instanceconnectendpoint-securitygroupids
+        '''
+        result = self._values.get("security_group_ids")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+    @builtins.property
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''The tags to apply to the EC2 Instance Connect Endpoint during creation.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instanceconnectendpoint.html#cfn-ec2-instanceconnectendpoint-tags
+        '''
+        result = self._values.get("tags")
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "CfnInstanceConnectEndpointProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_ec2.CfnInstanceProps",
     jsii_struct_bases=[],
@@ -24887,6 +25262,7 @@ class CfnLaunchTemplate(
                         )],
                         network_card_index=123,
                         network_interface_id="networkInterfaceId",
+                        primary_ipv6=False,
                         private_ip_address="privateIpAddress",
                         private_ip_addresses=[ec2.CfnLaunchTemplate.PrivateIpAddProperty(
                             primary=False,
@@ -26247,6 +26623,7 @@ class CfnLaunchTemplate(
             "ipv6_prefixes": "ipv6Prefixes",
             "network_card_index": "networkCardIndex",
             "network_interface_id": "networkInterfaceId",
+            "primary_ipv6": "primaryIpv6",
             "private_ip_address": "privateIpAddress",
             "private_ip_addresses": "privateIpAddresses",
             "secondary_private_ip_address_count": "secondaryPrivateIpAddressCount",
@@ -26272,6 +26649,7 @@ class CfnLaunchTemplate(
             ipv6_prefixes: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLaunchTemplate.Ipv6PrefixSpecificationProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
             network_card_index: typing.Optional[jsii.Number] = None,
             network_interface_id: typing.Optional[builtins.str] = None,
+            primary_ipv6: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
             private_ip_address: typing.Optional[builtins.str] = None,
             private_ip_addresses: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnLaunchTemplate.PrivateIpAddProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
             secondary_private_ip_address_count: typing.Optional[jsii.Number] = None,
@@ -26296,6 +26674,7 @@ class CfnLaunchTemplate(
             :param ipv6_prefixes: One or more IPv6 prefixes to be assigned to the network interface. You cannot use this option if you use the ``Ipv6PrefixCount`` option.
             :param network_card_index: The index of the network card. Some instance types support multiple network cards. The primary network interface must be assigned to network card index 0. The default is network card index 0.
             :param network_interface_id: The ID of the network interface.
+            :param primary_ipv6: The primary IPv6 address of the network interface. When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ .
             :param private_ip_address: The primary private IPv4 address of the network interface.
             :param private_ip_addresses: One or more private IPv4 addresses.
             :param secondary_private_ip_address_count: The number of secondary private IPv4 addresses to assign to a network interface.
@@ -26332,6 +26711,7 @@ class CfnLaunchTemplate(
                     )],
                     network_card_index=123,
                     network_interface_id="networkInterfaceId",
+                    primary_ipv6=False,
                     private_ip_address="privateIpAddress",
                     private_ip_addresses=[ec2.CfnLaunchTemplate.PrivateIpAddProperty(
                         primary=False,
@@ -26358,6 +26738,7 @@ class CfnLaunchTemplate(
                 check_type(argname="argument ipv6_prefixes", value=ipv6_prefixes, expected_type=type_hints["ipv6_prefixes"])
                 check_type(argname="argument network_card_index", value=network_card_index, expected_type=type_hints["network_card_index"])
                 check_type(argname="argument network_interface_id", value=network_interface_id, expected_type=type_hints["network_interface_id"])
+                check_type(argname="argument primary_ipv6", value=primary_ipv6, expected_type=type_hints["primary_ipv6"])
                 check_type(argname="argument private_ip_address", value=private_ip_address, expected_type=type_hints["private_ip_address"])
                 check_type(argname="argument private_ip_addresses", value=private_ip_addresses, expected_type=type_hints["private_ip_addresses"])
                 check_type(argname="argument secondary_private_ip_address_count", value=secondary_private_ip_address_count, expected_type=type_hints["secondary_private_ip_address_count"])
@@ -26393,6 +26774,8 @@ class CfnLaunchTemplate(
                 self._values["network_card_index"] = network_card_index
             if network_interface_id is not None:
                 self._values["network_interface_id"] = network_interface_id
+            if primary_ipv6 is not None:
+                self._values["primary_ipv6"] = primary_ipv6
             if private_ip_address is not None:
                 self._values["private_ip_address"] = private_ip_address
             if private_ip_addresses is not None:
@@ -26571,6 +26954,19 @@ class CfnLaunchTemplate(
             result = self._values.get("network_interface_id")
             return typing.cast(typing.Optional[builtins.str], result)
 
+        @builtins.property
+        def primary_ipv6(
+            self,
+        ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
+            '''The primary IPv6 address of the network interface.
+
+            When you enable an IPv6 GUA address to be a primary IPv6, the first IPv6 GUA will be made the primary IPv6 address until the instance is terminated or the network interface is detached. For more information about primary IPv6 addresses, see `RunInstances <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html>`_ .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-networkinterface.html#cfn-ec2-launchtemplate-networkinterface-primaryipv6
+            '''
+            result = self._values.get("primary_ipv6")
+            return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], result)
+
         @builtins.property
         def private_ip_address(self) -> typing.Optional[builtins.str]:
             '''The primary private IPv4 address of the network interface.
@@ -28594,11 +28990,12 @@ class CfnNatGateway(
 
     You can create either a public NAT gateway or a private NAT gateway. The default is a public NAT gateway. If you create a public NAT gateway, you must specify an elastic IP address.
 
-    With a NAT gateway, instances in a private subnet can connect to the internet, other AWS services, or an on-premises network using the IP address of the NAT gateway.
+    With a NAT gateway, instances in a private subnet can connect to the internet, other AWS services, or an on-premises network using the IP address of the NAT gateway. For more information, see `NAT Gateways <https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html>`_ in the *Amazon VPC User Guide* .
 
     If you add a default route ( ``AWS::EC2::Route`` resource) that points to a NAT gateway, specify the NAT gateway ID for the route's ``NatGatewayId`` property.
+    .. epigraph::
 
-    For more information, see `NAT Gateways <https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html>`_ in the *Amazon VPC User Guide* .
+       When you associate an EIP or secondary EIPs with a public NAT gateway, the network border group of the EIPs must match the network border group of the Availability Zone (AZ) that the public NAT gateway is in. If it's not the same, the NAT gateway will fail to launch. You can see the network border group for the subnet's AZ by viewing the details of the subnet. Similarly, you can view the network border group of an EIP by viewing the details of the EIP address. For more information about network border groups and EIPs, see `Allocate an Elastic IP address <https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html#allocate-eip>`_ in the *Amazon VPC User Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-natgateway.html
     :exampleMetadata: fixture=_generated
@@ -37710,6 +38107,7 @@ class CfnRoute(
             carrier_gateway_id="carrierGatewayId",
             destination_cidr_block="destinationCidrBlock",
             destination_ipv6_cidr_block="destinationIpv6CidrBlock",
+            destination_prefix_list_id="destinationPrefixListId",
             egress_only_internet_gateway_id="egressOnlyInternetGatewayId",
             gateway_id="gatewayId",
             instance_id="instanceId",
@@ -37731,6 +38129,7 @@ class CfnRoute(
         carrier_gateway_id: typing.Optional[builtins.str] = None,
         destination_cidr_block: typing.Optional[builtins.str] = None,
         destination_ipv6_cidr_block: typing.Optional[builtins.str] = None,
+        destination_prefix_list_id: typing.Optional[builtins.str] = None,
         egress_only_internet_gateway_id: typing.Optional[builtins.str] = None,
         gateway_id: typing.Optional[builtins.str] = None,
         instance_id: typing.Optional[builtins.str] = None,
@@ -37748,6 +38147,7 @@ class CfnRoute(
         :param carrier_gateway_id: The ID of the carrier gateway. You can only use this option when the VPC contains a subnet which is associated with a Wavelength Zone.
         :param destination_cidr_block: The IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify ``100.68.0.18/18`` , we modify it to ``100.68.0.0/18`` .
         :param destination_ipv6_cidr_block: The IPv6 CIDR block used for the destination match. Routing decisions are based on the most specific match.
+        :param destination_prefix_list_id: The ID of managed prefix list, it's a set of one or more CIDR blocks.
         :param egress_only_internet_gateway_id: [IPv6 traffic only] The ID of an egress-only internet gateway.
         :param gateway_id: The ID of an internet gateway or virtual private gateway attached to your VPC.
         :param instance_id: The ID of a NAT instance in your VPC. The operation fails if you specify an instance ID unless exactly one network interface is attached.
@@ -37767,6 +38167,7 @@ class CfnRoute(
             carrier_gateway_id=carrier_gateway_id,
             destination_cidr_block=destination_cidr_block,
             destination_ipv6_cidr_block=destination_ipv6_cidr_block,
+            destination_prefix_list_id=destination_prefix_list_id,
             egress_only_internet_gateway_id=egress_only_internet_gateway_id,
             gateway_id=gateway_id,
             instance_id=instance_id,
@@ -37876,6 +38277,19 @@ class CfnRoute(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "destinationIpv6CidrBlock", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="destinationPrefixListId")
+    def destination_prefix_list_id(self) -> typing.Optional[builtins.str]:
+        '''The ID of managed prefix list, it's a set of one or more CIDR blocks.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "destinationPrefixListId"))
+
+    @destination_prefix_list_id.setter
+    def destination_prefix_list_id(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__28b2d9e818763b23c1689ff8d32ac779a6cdf2e20e4e1b57f65f0f3474ae8878)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "destinationPrefixListId", value)
+
     @builtins.property
     @jsii.member(jsii_name="egressOnlyInternetGatewayId")
     def egress_only_internet_gateway_id(self) -> typing.Optional[builtins.str]:
@@ -38005,6 +38419,7 @@ class CfnRoute(
         "carrier_gateway_id": "carrierGatewayId",
         "destination_cidr_block": "destinationCidrBlock",
         "destination_ipv6_cidr_block": "destinationIpv6CidrBlock",
+        "destination_prefix_list_id": "destinationPrefixListId",
         "egress_only_internet_gateway_id": "egressOnlyInternetGatewayId",
         "gateway_id": "gatewayId",
         "instance_id": "instanceId",
@@ -38024,6 +38439,7 @@ class CfnRouteProps:
         carrier_gateway_id: typing.Optional[builtins.str] = None,
         destination_cidr_block: typing.Optional[builtins.str] = None,
         destination_ipv6_cidr_block: typing.Optional[builtins.str] = None,
+        destination_prefix_list_id: typing.Optional[builtins.str] = None,
         egress_only_internet_gateway_id: typing.Optional[builtins.str] = None,
         gateway_id: typing.Optional[builtins.str] = None,
         instance_id: typing.Optional[builtins.str] = None,
@@ -38040,6 +38456,7 @@ class CfnRouteProps:
         :param carrier_gateway_id: The ID of the carrier gateway. You can only use this option when the VPC contains a subnet which is associated with a Wavelength Zone.
         :param destination_cidr_block: The IPv4 CIDR address block used for the destination match. Routing decisions are based on the most specific match. We modify the specified CIDR block to its canonical form; for example, if you specify ``100.68.0.18/18`` , we modify it to ``100.68.0.0/18`` .
         :param destination_ipv6_cidr_block: The IPv6 CIDR block used for the destination match. Routing decisions are based on the most specific match.
+        :param destination_prefix_list_id: The ID of managed prefix list, it's a set of one or more CIDR blocks.
         :param egress_only_internet_gateway_id: [IPv6 traffic only] The ID of an egress-only internet gateway.
         :param gateway_id: The ID of an internet gateway or virtual private gateway attached to your VPC.
         :param instance_id: The ID of a NAT instance in your VPC. The operation fails if you specify an instance ID unless exactly one network interface is attached.
@@ -38066,6 +38483,7 @@ class CfnRouteProps:
                 carrier_gateway_id="carrierGatewayId",
                 destination_cidr_block="destinationCidrBlock",
                 destination_ipv6_cidr_block="destinationIpv6CidrBlock",
+                destination_prefix_list_id="destinationPrefixListId",
                 egress_only_internet_gateway_id="egressOnlyInternetGatewayId",
                 gateway_id="gatewayId",
                 instance_id="instanceId",
@@ -38083,6 +38501,7 @@ class CfnRouteProps:
             check_type(argname="argument carrier_gateway_id", value=carrier_gateway_id, expected_type=type_hints["carrier_gateway_id"])
             check_type(argname="argument destination_cidr_block", value=destination_cidr_block, expected_type=type_hints["destination_cidr_block"])
             check_type(argname="argument destination_ipv6_cidr_block", value=destination_ipv6_cidr_block, expected_type=type_hints["destination_ipv6_cidr_block"])
+            check_type(argname="argument destination_prefix_list_id", value=destination_prefix_list_id, expected_type=type_hints["destination_prefix_list_id"])
             check_type(argname="argument egress_only_internet_gateway_id", value=egress_only_internet_gateway_id, expected_type=type_hints["egress_only_internet_gateway_id"])
             check_type(argname="argument gateway_id", value=gateway_id, expected_type=type_hints["gateway_id"])
             check_type(argname="argument instance_id", value=instance_id, expected_type=type_hints["instance_id"])
@@ -38101,6 +38520,8 @@ class CfnRouteProps:
             self._values["destination_cidr_block"] = destination_cidr_block
         if destination_ipv6_cidr_block is not None:
             self._values["destination_ipv6_cidr_block"] = destination_ipv6_cidr_block
+        if destination_prefix_list_id is not None:
+            self._values["destination_prefix_list_id"] = destination_prefix_list_id
         if egress_only_internet_gateway_id is not None:
             self._values["egress_only_internet_gateway_id"] = egress_only_internet_gateway_id
         if gateway_id is not None:
@@ -38163,6 +38584,15 @@ class CfnRouteProps:
         result = self._values.get("destination_ipv6_cidr_block")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def destination_prefix_list_id(self) -> typing.Optional[builtins.str]:
+        '''The ID of managed prefix list, it's a set of one or more CIDR blocks.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html#cfn-ec2-route-destinationprefixlistid
+        '''
+        result = self._values.get("destination_prefix_list_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def egress_only_internet_gateway_id(self) -> typing.Optional[builtins.str]:
         '''[IPv6 traffic only] The ID of an egress-only internet gateway.
@@ -44082,13 +44512,13 @@ class CfnSpotFleet(
             :param launch_template_configs: The launch template and overrides. If you specify ``LaunchTemplateConfigs`` , you can't specify ``LaunchSpecifications`` .
             :param load_balancers_config: One or more Classic Load Balancers and target groups to attach to the Spot Fleet request. Spot Fleet registers the running Spot Instances with the specified Classic Load Balancers and target groups. With Network Load Balancers, Spot Fleet cannot register instances that have the following instance types: C1, CC1, CC2, CG1, CG2, CR1, CS1, G1, G2, HI1, HS1, M1, M2, M3, and T1.
             :param on_demand_allocation_strategy: The order of the launch template overrides to use in fulfilling On-Demand capacity. If you specify ``lowestPrice`` , Spot Fleet uses price to determine the order, launching the lowest price first. If you specify ``prioritized`` , Spot Fleet uses the priority that you assign to each Spot Fleet launch template override, launching the highest priority first. If you do not specify a value, Spot Fleet defaults to ``lowestPrice`` .
-            :param on_demand_max_total_price: The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the ``onDemandMaxTotalPrice`` parameter, the ``spotMaxTotalPrice`` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn’t met the target capacity.
+            :param on_demand_max_total_price: The maximum amount per hour for On-Demand Instances that you're willing to pay. You can use the ``onDemandMaxTotalPrice`` parameter, the ``spotMaxTotalPrice`` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn’t met the target capacity. .. epigraph:: If your fleet includes T instances that are configured as ``unlimited`` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The ``onDemandMaxTotalPrice`` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for ``onDemandMaxTotalPrice`` . For more information, see `Surplus credits can incur charges <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits>`_ in the *EC2 User Guide* .
             :param on_demand_target_capacity: The number of On-Demand units to request. You can choose to set the target capacity in terms of instances or a performance characteristic that is important to your application workload, such as vCPUs, memory, or I/O. If the request type is ``maintain`` , you can specify a target capacity of 0 and add capacity later.
             :param replace_unhealthy_instances: Indicates whether Spot Fleet should replace unhealthy instances.
             :param spot_maintenance_strategies: The strategies for managing your Spot Instances that are at an elevated risk of being interrupted.
-            :param spot_max_total_price: The maximum amount per hour for Spot Instances that you're willing to pay. You can use the ``spotdMaxTotalPrice`` parameter, the ``onDemandMaxTotalPrice`` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn’t met the target capacity.
+            :param spot_max_total_price: The maximum amount per hour for Spot Instances that you're willing to pay. You can use the ``spotMaxTotalPrice`` parameter, the ``onDemandMaxTotalPrice`` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn’t met the target capacity. .. epigraph:: If your fleet includes T instances that are configured as ``unlimited`` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The ``spotMaxTotalPrice`` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for ``spotMaxTotalPrice`` . For more information, see `Surplus credits can incur charges <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits>`_ in the *EC2 User Guide* .
             :param spot_price: The maximum price per unit hour that you are willing to pay for a Spot Instance. We do not recommend using this parameter because it can lead to increased interruptions. If you do not specify this parameter, you will pay the current Spot price. .. epigraph:: If you specify a maximum price, your instances will be interrupted more frequently than if you do not specify this parameter.
-            :param tag_specifications: The key-value pair for tagging the Spot Fleet request on creation. The value for ``ResourceType`` must be ``spot-fleet-request`` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the `launch template <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template>`_ (valid only if you use ``LaunchTemplateConfigs`` ) or in the ``[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)`` (valid only if you use ``LaunchSpecifications`` ). For information about tagging after launch, see `Tagging Your Resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ .
+            :param tag_specifications: The key-value pair for tagging the Spot Fleet request on creation. The value for ``ResourceType`` must be ``spot-fleet-request`` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the `launch template <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template>`_ (valid only if you use ``LaunchTemplateConfigs`` ) or in the ``[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)`` (valid only if you use ``LaunchSpecifications`` ). For information about tagging after launch, see `Tag your resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ .
             :param target_capacity_unit_type: The unit for the target capacity. ``TargetCapacityUnitType`` can only be specified when ``InstanceRequirements`` is specified. Default: ``units`` (translates to number of instances)
             :param terminate_instances_with_expiration: Indicates whether running Spot Instances are terminated when the Spot Fleet request expires.
             :param type: The type of request. Indicates whether the Spot Fleet only requests the target capacity or also attempts to maintain it. When this value is ``request`` , the Spot Fleet only places the required requests. It does not attempt to replenish Spot Instances if capacity is diminished, nor does it submit requests in alternative Spot pools if capacity is not available. When this value is ``maintain`` , the Spot Fleet maintains the target capacity. The Spot Fleet places the required requests to meet capacity and automatically replenishes any interrupted instances. Default: ``maintain`` . ``instant`` is listed but is not used by Spot Fleet.
@@ -44558,6 +44988,9 @@ class CfnSpotFleet(
             '''The maximum amount per hour for On-Demand Instances that you're willing to pay.
 
             You can use the ``onDemandMaxTotalPrice`` parameter, the ``spotMaxTotalPrice`` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn’t met the target capacity.
+            .. epigraph::
+
+               If your fleet includes T instances that are configured as ``unlimited`` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The ``onDemandMaxTotalPrice`` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for ``onDemandMaxTotalPrice`` . For more information, see `Surplus credits can incur charges <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits>`_ in the *EC2 User Guide* .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-spotfleetrequestconfigdata.html#cfn-ec2-spotfleet-spotfleetrequestconfigdata-ondemandmaxtotalprice
             '''
@@ -44601,7 +45034,10 @@ class CfnSpotFleet(
         def spot_max_total_price(self) -> typing.Optional[builtins.str]:
             '''The maximum amount per hour for Spot Instances that you're willing to pay.
 
-            You can use the ``spotdMaxTotalPrice`` parameter, the ``onDemandMaxTotalPrice`` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn’t met the target capacity.
+            You can use the ``spotMaxTotalPrice`` parameter, the ``onDemandMaxTotalPrice`` parameter, or both parameters to ensure that your fleet cost does not exceed your budget. If you set a maximum price per hour for the On-Demand Instances and Spot Instances in your request, Spot Fleet will launch instances until it reaches the maximum amount you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn’t met the target capacity.
+            .. epigraph::
+
+               If your fleet includes T instances that are configured as ``unlimited`` , and if their average CPU usage exceeds the baseline utilization, you will incur a charge for surplus credits. The ``spotMaxTotalPrice`` does not account for surplus credits, and, if you use surplus credits, your final cost might be higher than what you specified for ``spotMaxTotalPrice`` . For more information, see `Surplus credits can incur charges <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode-concepts.html#unlimited-mode-surplus-credits>`_ in the *EC2 User Guide* .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-spotfleetrequestconfigdata.html#cfn-ec2-spotfleet-spotfleetrequestconfigdata-spotmaxtotalprice
             '''
@@ -44628,7 +45064,7 @@ class CfnSpotFleet(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnSpotFleet.SpotFleetTagSpecificationProperty"]]]]:
             '''The key-value pair for tagging the Spot Fleet request on creation.
 
-            The value for ``ResourceType`` must be ``spot-fleet-request`` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the `launch template <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template>`_ (valid only if you use ``LaunchTemplateConfigs`` ) or in the ``[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)`` (valid only if you use ``LaunchSpecifications`` ). For information about tagging after launch, see `Tagging Your Resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ .
+            The value for ``ResourceType`` must be ``spot-fleet-request`` , otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the `launch template <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template>`_ (valid only if you use ``LaunchTemplateConfigs`` ) or in the ``[SpotFleetTagSpecification](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SpotFleetTagSpecification.html)`` (valid only if you use ``LaunchSpecifications`` ). For information about tagging after launch, see `Tag your resources <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources>`_ .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-spotfleet-spotfleetrequestconfigdata.html#cfn-ec2-spotfleet-spotfleetrequestconfigdata-tagspecifications
             '''
@@ -51699,12 +52135,13 @@ class CfnTransitGatewayRouteTable(
         return typing.cast(builtins.str, jsii.sget(cls, "CFN_RESOURCE_TYPE_NAME"))
 
     @builtins.property
-    @jsii.member(jsii_name="attrId")
-    def attr_id(self) -> builtins.str:
-        '''
-        :cloudformationAttribute: Id
+    @jsii.member(jsii_name="attrTransitGatewayRouteTableId")
+    def attr_transit_gateway_route_table_id(self) -> builtins.str:
+        '''Transit Gateway Route Table primary identifier.
+
+        :cloudformationAttribute: TransitGatewayRouteTableId
         '''
-        return typing.cast(builtins.str, jsii.get(self, "attrId"))
+        return typing.cast(builtins.str, jsii.get(self, "attrTransitGatewayRouteTableId"))
 
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
@@ -68837,18 +69274,12 @@ class InstanceClass(enum.Enum):
         # vpc: ec2.Vpc
         
         cluster = rds.DatabaseCluster(self, "Database",
-            engine=rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_2_08_1),
-            writer=rds.ClusterInstance.provisioned("writer",
-                instance_type=ec2.InstanceType.of(ec2.InstanceClass.R6G, ec2.InstanceSize.XLARGE4)
+            engine=rds.DatabaseClusterEngine.aurora_mysql(version=rds.AuroraMysqlEngineVersion.VER_3_01_0),
+            writer=rds.ClusterInstance.provisioned("Instance",
+                instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.SMALL)
             ),
-            serverless_v2_min_capacity=6.5,
-            serverless_v2_max_capacity=64,
-            readers=[
-                # will be put in promotion tier 1 and will scale with the writer
-                rds.ClusterInstance.serverless_v2("reader1", scale_with_writer=True),
-                # will be put in promotion tier 2 and will not scale with the writer
-                rds.ClusterInstance.serverless_v2("reader2")
-            ],
+            readers=[rds.ClusterInstance.provisioned("reader")],
+            instance_update_behaviour=rds.InstanceUpdateBehaviour.ROLLING,  # Optional - defaults to rds.InstanceUpdateBehaviour.BULK
             vpc=vpc
         )
     '''
@@ -69247,6 +69678,14 @@ class InstanceClass(enum.Enum):
 
     This instance class is currently only available in US East (Ohio), US East (N. Virginia), US West (Oregon), and Europe (Ireland).
     '''
+    STANDARD7_INTEL = "STANDARD7_INTEL"
+    '''Standard instances with high memory and compute capacity based on Intel Xeon Scalable (Sapphire Rapids) processors, 7th generation.'''
+    M7I = "M7I"
+    '''Standard instances with high memory and compute capacity based on Intel Xeon Scalable (Sapphire Rapids) processors, 7th generation.'''
+    STANDARD7_INTEL_FLEX = "STANDARD7_INTEL_FLEX"
+    '''Flexible instances with high memory and compute capacity based on Intel Xeon Scalable (Sapphire Rapids) processors, 7th generation The M7i-Flex instances deliver a baseline of 40% CPU performance, and can scale up to full CPU performance 95% of the time.'''
+    M7I_FLEX = "M7I_FLEX"
+    '''Flexible instances with high memory and compute capacity based on Intel Xeon Scalable (Sapphire Rapids) processors, 7th generation The M7i-Flex instances deliver a baseline of 40% CPU performance, and can scale up to full CPU performance 95% of the time.'''
     HIGH_COMPUTE_MEMORY1 = "HIGH_COMPUTE_MEMORY1"
     '''High memory and compute capacity instances, 1st generation.'''
     Z1D = "Z1D"
@@ -69974,15 +70413,17 @@ class InstanceType(
 
         # vpc: ec2.Vpc
         
-        
-        my_security_group = ec2.SecurityGroup(self, "SecurityGroup", vpc=vpc)
-        autoscaling.AutoScalingGroup(self, "ASG",
-            vpc=vpc,
-            instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
-            machine_image=ec2.MachineImage.latest_amazon_linux(
-                generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2
+        cluster = docdb.DatabaseCluster(self, "Database",
+            master_user=docdb.Login(
+                username="myuser",  # NOTE: 'admin' is reserved by DocumentDB
+                exclude_characters="\"@/:",  # optional, defaults to the set "\"@/" and is also used for eventually created rotations
+                secret_name="/myapp/mydocdb/masteruser"
             ),
-            security_group=my_security_group
+            instance_type=ec2.InstanceType.of(ec2.InstanceClass.MEMORY5, ec2.InstanceSize.LARGE),
+            vpc_subnets=ec2.SubnetSelection(
+                subnet_type=ec2.SubnetType.PUBLIC
+            ),
+            vpc=vpc
         )
     '''
 
@@ -73540,9 +73981,7 @@ class MachineImage(
         autoscaling.AutoScalingGroup(self, "ASG",
             vpc=vpc,
             instance_type=ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
-            machine_image=ec2.MachineImage.latest_amazon_linux(
-                generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2
-            ),
+            machine_image=ec2.MachineImage.latest_amazon_linux2(),
             security_group=my_security_group
         )
     '''
@@ -77395,19 +77834,15 @@ class SecurityGroupProps:
             # vpc: ec2.Vpc
             
             
-            sg1 = ec2.SecurityGroup(self, "sg1",
-                vpc=vpc
-            )
-            sg2 = ec2.SecurityGroup(self, "sg2",
-                vpc=vpc
-            )
-            
-            launch_template = ec2.LaunchTemplate(self, "LaunchTemplate",
-                machine_image=ec2.MachineImage.latest_amazon_linux2023(),
-                security_group=sg1
+            security_group1 = ec2.SecurityGroup(self, "SecurityGroup1", vpc=vpc)
+            lb = elbv2.ApplicationLoadBalancer(self, "LB",
+                vpc=vpc,
+                internet_facing=True,
+                security_group=security_group1
             )
             
-            launch_template.add_security_group(sg2)
+            security_group2 = ec2.SecurityGroup(self, "SecurityGroup2", vpc=vpc)
+            lb.add_security_group(security_group2)
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__4e55e0c52b51f92e83b1f8d6b7a5b22268d0369a14dab808b8f2f5f233e5b622)
@@ -88356,6 +88791,8 @@ __all__ = [
     "CfnIPAMScope",
     "CfnIPAMScopeProps",
     "CfnInstance",
+    "CfnInstanceConnectEndpoint",
+    "CfnInstanceConnectEndpointProps",
     "CfnInstanceProps",
     "CfnInternetGateway",
     "CfnInternetGatewayProps",
@@ -90346,6 +90783,7 @@ def _typecheckingstub__72358d22276e2eb5cd641ca06942afc99075017aabb8f3000a9b07b53
     *,
     resource_id: builtins.str,
     resource_type: builtins.str,
+    deliver_cross_account_role: typing.Optional[builtins.str] = None,
     deliver_logs_permission_arn: typing.Optional[builtins.str] = None,
     destination_options: typing.Any = None,
     log_destination: typing.Optional[builtins.str] = None,
@@ -90383,6 +90821,12 @@ def _typecheckingstub__d21f005f9535582c1f46053bf4e82c2bbabff7cded5a69095501539e5
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__69de10af6e71879a605a8ff40c4836ff6e89ad4220088a0599668acc26625a53(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b921f8c4adf8ca7781a1e0174a51a4017191049028a6f93859d3f656946c7c3f(
     value: typing.Optional[builtins.str],
 ) -> None:
@@ -90450,6 +90894,7 @@ def _typecheckingstub__b70808589b9adfc66e939b8c87268607775dc0e479da5f4bed72c3ba8
     *,
     resource_id: builtins.str,
     resource_type: builtins.str,
+    deliver_cross_account_role: typing.Optional[builtins.str] = None,
     deliver_logs_permission_arn: typing.Optional[builtins.str] = None,
     destination_options: typing.Any = None,
     log_destination: typing.Optional[builtins.str] = None,
@@ -91536,6 +91981,72 @@ def _typecheckingstub__b979ff4b2e7bc79429f0409f1fb60a5125a9cda71770a0324082ebc0a
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__5dd25848f0ceb23edd764d8f4a076cf8f9d22793b6ca99db922a9c410f58ba1f(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    subnet_id: builtins.str,
+    client_token: typing.Optional[builtins.str] = None,
+    preserve_client_ip: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    security_group_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__5891536cec39a3051ee1e1e6cad74074ab2e104448cf33448a891defadf16b6e(
+    inspector: _TreeInspector_488e0dd5,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__08af6017181d75f497ef7453c702f6e6ac3f87faf252f7dae4c9797af2382847(
+    props: typing.Mapping[builtins.str, typing.Any],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__18fe6754ba2f44060c4a7a2127a488b7e626c5c1761f524fdb756846a1b48e44(
+    value: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a075309e51f465140660c0455acd101077c2364e286033707a8d1e11f4cc3a6a(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a3c9af51a15924a206fae71c0b2615bf7be3e42b8bb7722c9e794e13a40973a7(
+    value: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__a9a795e386e76f7e1445d90e3d1e800e540f41237f0e797a5e2058cb7b78553e(
+    value: typing.Optional[typing.List[builtins.str]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__3dd5921daaa37553fc9b30d074bd3ef6cfc6e9a796db9530140935d020cd87ae(
+    value: typing.Optional[typing.List[_CfnTag_f6864754]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__78086551229af23659e2463ffd3801975d2b07247065af08d90eebf9e7f66ef8(
+    *,
+    subnet_id: builtins.str,
+    client_token: typing.Optional[builtins.str] = None,
+    preserve_client_ip: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
+    security_group_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__605ba8f22e222289aa0ed61b03690aaf9a4e8eabb86a9ba2b63d10f2bbee2305(
     *,
     additional_info: typing.Optional[builtins.str] = None,
@@ -92031,6 +92542,7 @@ def _typecheckingstub__c599e12c3de63926f26bb5da3afad64e8c60b24c3b563faa2986e88c1
     ipv6_prefixes: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLaunchTemplate.Ipv6PrefixSpecificationProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     network_card_index: typing.Optional[jsii.Number] = None,
     network_interface_id: typing.Optional[builtins.str] = None,
+    primary_ipv6: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
     private_ip_address: typing.Optional[builtins.str] = None,
     private_ip_addresses: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnLaunchTemplate.PrivateIpAddProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
     secondary_private_ip_address_count: typing.Optional[jsii.Number] = None,
@@ -93567,6 +94079,7 @@ def _typecheckingstub__418aadfc2c6984f0ac75cd67e36ca76f23d9cf7bc23846cf55d7b3cdb
     carrier_gateway_id: typing.Optional[builtins.str] = None,
     destination_cidr_block: typing.Optional[builtins.str] = None,
     destination_ipv6_cidr_block: typing.Optional[builtins.str] = None,
+    destination_prefix_list_id: typing.Optional[builtins.str] = None,
     egress_only_internet_gateway_id: typing.Optional[builtins.str] = None,
     gateway_id: typing.Optional[builtins.str] = None,
     instance_id: typing.Optional[builtins.str] = None,
@@ -93616,6 +94129,12 @@ def _typecheckingstub__9053d56266f2ecaa5d8209e05a5af048fd6c8540eece0de592fa61759
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__28b2d9e818763b23c1689ff8d32ac779a6cdf2e20e4e1b57f65f0f3474ae8878(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__d8f8dcc844a05743d981c217d51303c0c4cc6e46dadd5339a6eb261fe327b128(
     value: typing.Optional[builtins.str],
 ) -> None:
@@ -93676,6 +94195,7 @@ def _typecheckingstub__f90e7814d59b7c562ab4b24d54461eba6a4c88fbd5451ba2b2b0adf84
     carrier_gateway_id: typing.Optional[builtins.str] = None,
     destination_cidr_block: typing.Optional[builtins.str] = None,
     destination_ipv6_cidr_block: typing.Optional[builtins.str] = None,
+    destination_prefix_list_id: typing.Optional[builtins.str] = None,
     egress_only_internet_gateway_id: typing.Optional[builtins.str] = None,
     gateway_id: typing.Optional[builtins.str] = None,
     instance_id: typing.Optional[builtins.str] = None,