The aws:vpclattice/resourceGateway:ResourceGateway resource, part of the Pulumi AWS provider, provisions a VPC Lattice Resource Gateway that enables resources outside your VPC to connect to services within it. This guide focuses on three capabilities: subnet placement and VPC attachment, IP address type configuration, and security group integration.
Resource gateways require an existing VPC with subnets and optionally reference security groups for traffic filtering. The examples are intentionally small. Combine them with your own VPC infrastructure and routing configuration.
Create a gateway in VPC subnets
VPC Lattice Resource Gateways route traffic between external resources and VPC-hosted services. Most deployments place the gateway in specific subnets where it can handle this routing.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.vpclattice.ResourceGateway("example", {
    name: "Example",
    vpcId: exampleAwsVpc.id,
    subnetIds: [exampleAwsSubnet.id],
    tags: {
        Environment: "Example",
    },
});
```

```python
import pulumi
import pulumi_aws as aws

example = aws.vpclattice.ResourceGateway("example",
    name="Example",
    vpc_id=example_aws_vpc["id"],
    subnet_ids=[example_aws_subnet["id"]],
    tags={
        "Environment": "Example",
    })
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := vpclattice.NewResourceGateway(ctx, "example", &vpclattice.ResourceGatewayArgs{
			Name:  pulumi.String("Example"),
			VpcId: pulumi.Any(exampleAwsVpc.Id),
			SubnetIds: pulumi.StringArray{
				exampleAwsSubnet.Id,
			},
			Tags: pulumi.StringMap{
				"Environment": pulumi.String("Example"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var example = new Aws.VpcLattice.ResourceGateway("example", new()
    {
        Name = "Example",
        VpcId = exampleAwsVpc.Id,
        SubnetIds = new[]
        {
            exampleAwsSubnet.Id,
        },
        Tags =
        {
            { "Environment", "Example" },
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.ResourceGateway;
import com.pulumi.aws.vpclattice.ResourceGatewayArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ResourceGateway("example", ResourceGatewayArgs.builder()
            .name("Example")
            .vpcId(exampleAwsVpc.id())
            .subnetIds(exampleAwsSubnet.id())
            .tags(Map.of("Environment", "Example"))
            .build());
    }
}
```

```yaml
resources:
  example:
    type: aws:vpclattice:ResourceGateway
    properties:
      name: Example
      vpcId: ${exampleAwsVpc.id}
      subnetIds:
        - ${exampleAwsSubnet.id}
      tags:
        Environment: Example
```
The gateway is created in the specified VPC and subnets. The vpcId property identifies the VPC, while subnetIds lists the subnets where the gateway’s network interfaces will be placed. The gateway uses these subnets to route traffic between external resources and services within your VPC.
Configure dual-stack IP addressing
Resource gateways can support IPv4-only, IPv6-only, or dual-stack addressing depending on the IP requirements of connected resources.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.vpclattice.ResourceGateway("example", {
    name: "Example",
    vpcId: exampleAwsVpc.id,
    subnetIds: [exampleAwsSubnet.id],
    ipAddressType: "DUALSTACK",
    tags: {
        Environment: "Example",
    },
});
```

```python
import pulumi
import pulumi_aws as aws

example = aws.vpclattice.ResourceGateway("example",
    name="Example",
    vpc_id=example_aws_vpc["id"],
    subnet_ids=[example_aws_subnet["id"]],
    ip_address_type="DUALSTACK",
    tags={
        "Environment": "Example",
    })
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := vpclattice.NewResourceGateway(ctx, "example", &vpclattice.ResourceGatewayArgs{
			Name:  pulumi.String("Example"),
			VpcId: pulumi.Any(exampleAwsVpc.Id),
			SubnetIds: pulumi.StringArray{
				exampleAwsSubnet.Id,
			},
			IpAddressType: pulumi.String("DUALSTACK"),
			Tags: pulumi.StringMap{
				"Environment": pulumi.String("Example"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var example = new Aws.VpcLattice.ResourceGateway("example", new()
    {
        Name = "Example",
        VpcId = exampleAwsVpc.Id,
        SubnetIds = new[]
        {
            exampleAwsSubnet.Id,
        },
        IpAddressType = "DUALSTACK",
        Tags =
        {
            { "Environment", "Example" },
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.ResourceGateway;
import com.pulumi.aws.vpclattice.ResourceGatewayArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ResourceGateway("example", ResourceGatewayArgs.builder()
            .name("Example")
            .vpcId(exampleAwsVpc.id())
            .subnetIds(exampleAwsSubnet.id())
            .ipAddressType("DUALSTACK")
            .tags(Map.of("Environment", "Example"))
            .build());
    }
}
```

```yaml
resources:
  example:
    type: aws:vpclattice:ResourceGateway
    properties:
      name: Example
      vpcId: ${exampleAwsVpc.id}
      subnetIds:
        - ${exampleAwsSubnet.id}
      ipAddressType: DUALSTACK
      tags:
        Environment: Example
```
The ipAddressType property controls which IP protocols the gateway supports. Setting it to DUALSTACK enables both IPv4 and IPv6 traffic. The IP address type must be compatible with both the subnets you specify and the resources that will communicate through the gateway.
Control traffic with security groups
Security groups filter traffic to and from the resource gateway, determining which resources can communicate through it.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.vpclattice.ResourceGateway("example", {
    name: "Example",
    vpcId: exampleAwsVpc.id,
    securityGroupIds: [test.id],
    subnetIds: [exampleAwsSubnet.id],
});
```

```python
import pulumi
import pulumi_aws as aws

example = aws.vpclattice.ResourceGateway("example",
    name="Example",
    vpc_id=example_aws_vpc["id"],
    security_group_ids=[test["id"]],
    subnet_ids=[example_aws_subnet["id"]])
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := vpclattice.NewResourceGateway(ctx, "example", &vpclattice.ResourceGatewayArgs{
			Name:  pulumi.String("Example"),
			VpcId: pulumi.Any(exampleAwsVpc.Id),
			SecurityGroupIds: pulumi.StringArray{
				test.Id,
			},
			SubnetIds: pulumi.StringArray{
				exampleAwsSubnet.Id,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var example = new Aws.VpcLattice.ResourceGateway("example", new()
    {
        Name = "Example",
        VpcId = exampleAwsVpc.Id,
        SecurityGroupIds = new[]
        {
            test.Id,
        },
        SubnetIds = new[]
        {
            exampleAwsSubnet.Id,
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.ResourceGateway;
import com.pulumi.aws.vpclattice.ResourceGatewayArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ResourceGateway("example", ResourceGatewayArgs.builder()
            .name("Example")
            .vpcId(exampleAwsVpc.id())
            .securityGroupIds(test.id())
            .subnetIds(exampleAwsSubnet.id())
            .build());
    }
}
```

```yaml
resources:
  example:
    type: aws:vpclattice:ResourceGateway
    properties:
      name: Example
      vpcId: ${exampleAwsVpc.id}
      securityGroupIds:
        - ${test.id}
      subnetIds:
        - ${exampleAwsSubnet.id}
```
The securityGroupIds property attaches security groups to the gateway. These security groups must be in the same VPC as the gateway and define the inbound and outbound rules that control traffic flow. Without security groups, the gateway uses the VPC’s default security group.
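Because an omitted securityGroupIds silently falls back to the VPC's default security group, it is worth catching in review before deployment. The following check is an added example, not part of the Pulumi documentation or provider: it walks a dict shaped like the `resources:` YAML on this page and reports gateways that rely on the default security group, lack a required property, or set an ipAddressType outside the values this page lists. The function name `review_gateways` and the sample stack are assumptions made for illustration.

```python
# Added example: static review of Pulumi YAML-style resource definitions.
# The input dict mirrors the `resources:` layout used on this page; the
# sample stack below is constructed for illustration.

GATEWAY_TYPE = "aws:vpclattice:ResourceGateway"
REQUIRED = ("name", "vpcId", "subnetIds")    # required per this page
IP_TYPES = {"IPV4", "IPV6", "DUALSTACK"}     # values listed on this page


def review_gateways(resources):
    """Return a sorted list of (resource_name, finding) tuples."""
    findings = []
    for rname, res in resources.items():
        if res.get("type") != GATEWAY_TYPE:
            continue  # only resource gateways are reviewed
        props = res.get("properties") or {}
        for key in REQUIRED:
            if not props.get(key):
                findings.append((rname, f"missing required property {key}"))
        ip_type = props.get("ipAddressType")
        if ip_type is not None and ip_type not in IP_TYPES:
            findings.append((rname, f"unknown ipAddressType {ip_type!r}"))
        # An absent or empty list means the VPC's default security group applies.
        if not props.get("securityGroupIds"):
            findings.append(
                (rname, "no securityGroupIds: uses the VPC default security group"))
    return sorted(findings)


# Constructed sample: one gateway with explicit security groups, one without,
# one with a mistyped address type and no subnets, and one unrelated resource.
SAMPLE = {
    "filtered": {"type": GATEWAY_TYPE, "properties": {
        "name": "Filtered", "vpcId": "${exampleAwsVpc.id}",
        "subnetIds": ["${exampleAwsSubnet.id}"],
        "securityGroupIds": ["${test.id}"], "ipAddressType": "DUALSTACK"}},
    "defaulted": {"type": GATEWAY_TYPE, "properties": {
        "name": "Defaulted", "vpcId": "${exampleAwsVpc.id}",
        "subnetIds": ["${exampleAwsSubnet.id}"]}},
    "broken": {"type": GATEWAY_TYPE, "properties": {
        "name": "Broken", "vpcId": "${exampleAwsVpc.id}", "subnetIds": [],
        "securityGroupIds": ["${test.id}"], "ipAddressType": "DUAL_STACK"}},
    "service": {"type": "aws:vpclattice:Service", "properties": {}},
}

if __name__ == "__main__":
    for name, finding in review_gateways(SAMPLE):
        print(f"{name}: {finding}")
```
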
Beyond these examples
These snippets focus on specific resource gateway features: subnet placement and VPC attachment, IP address type configuration, and security group integration. They’re intentionally minimal rather than full VPC Lattice deployments.
The examples reference pre-existing infrastructure such as a VPC with configured subnets and security groups for traffic filtering. They focus on configuring the gateway rather than provisioning the surrounding VPC infrastructure.
To keep things focused, common gateway patterns are omitted, including:
- IPv4 address allocation tuning (ipv4AddressesPerEni)
- Cross-region gateway configuration (region property)
- Gateway status monitoring and lifecycle management
These omissions are intentional: the goal is to illustrate how each gateway feature is wired, not provide drop-in VPC Lattice modules. See the VPC Lattice Resource Gateway resource reference for all available configuration options.
Frequently Asked Questions
IP Address Configuration
IPV4, IPV6, and DUALSTACK address types. The IP address type must be compatible with both the subnets of the resource gateway and the IP address type of the resource itself.
IPV4 and DUALSTACK IP address types.
Networking & Security
securityGroupIds parameter with an array of security group IDs, as shown in the “With security groups” example.
Configuration & Deployment
name, vpcId, and subnetIds. The ipAddressType, ipv4AddressesPerEni, region, and securityGroupIds have defaults or are optional.
region parameter.