The aws:vpclattice/resourceGateway:ResourceGateway resource, part of the Pulumi AWS provider, provisions a VPC Lattice Resource Gateway that enables resources outside your VPC to connect to services within it. This guide focuses on three capabilities: subnet placement and VPC association, IP address type configuration, and security group attachment.
Resource gateways require an existing VPC with subnets and optionally reference security groups for traffic filtering. The examples are intentionally small. Combine them with your own VPC infrastructure and access policies.
Create a gateway in VPC subnets
VPC Lattice Resource Gateways enable external resources to reach services hosted in your VPC by placing network interfaces in specific subnets.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.vpclattice.ResourceGateway("example", {
    name: "Example",
    vpcId: exampleAwsVpc.id,
    subnetIds: [exampleAwsSubnet.id],
    tags: {
        Environment: "Example",
    },
});
```

```python
import pulumi
import pulumi_aws as aws

example = aws.vpclattice.ResourceGateway("example",
    name="Example",
    vpc_id=example_aws_vpc["id"],
    subnet_ids=[example_aws_subnet["id"]],
    tags={
        "Environment": "Example",
    })
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := vpclattice.NewResourceGateway(ctx, "example", &vpclattice.ResourceGatewayArgs{
			Name:  pulumi.String("Example"),
			VpcId: pulumi.Any(exampleAwsVpc.Id),
			SubnetIds: pulumi.StringArray{
				exampleAwsSubnet.Id,
			},
			Tags: pulumi.StringMap{
				"Environment": pulumi.String("Example"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var example = new Aws.VpcLattice.ResourceGateway("example", new()
    {
        Name = "Example",
        VpcId = exampleAwsVpc.Id,
        SubnetIds = new[]
        {
            exampleAwsSubnet.Id,
        },
        Tags =
        {
            { "Environment", "Example" },
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.ResourceGateway;
import com.pulumi.aws.vpclattice.ResourceGatewayArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ResourceGateway("example", ResourceGatewayArgs.builder()
            .name("Example")
            .vpcId(exampleAwsVpc.id())
            .subnetIds(exampleAwsSubnet.id())
            .tags(Map.of("Environment", "Example"))
            .build());
    }
}
```

```yaml
resources:
  example:
    type: aws:vpclattice:ResourceGateway
    properties:
      name: Example
      vpcId: ${exampleAwsVpc.id}
      subnetIds:
        - ${exampleAwsSubnet.id}
      tags:
        Environment: Example
```
The gateway creates elastic network interfaces (ENIs) in the specified subnets. The vpcId property associates the gateway with your VPC, while subnetIds determines where the ENIs are placed. The gateway uses these ENIs to route traffic between external resources and your VPC-hosted services.
Configure dual-stack IP addressing
Resource gateways support IPv4-only, IPv6-only, or dual-stack addressing depending on your connectivity requirements.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.vpclattice.ResourceGateway("example", {
    name: "Example",
    vpcId: exampleAwsVpc.id,
    subnetIds: [exampleAwsSubnet.id],
    ipAddressType: "DUALSTACK",
    tags: {
        Environment: "Example",
    },
});
```

```python
import pulumi
import pulumi_aws as aws

example = aws.vpclattice.ResourceGateway("example",
    name="Example",
    vpc_id=example_aws_vpc["id"],
    subnet_ids=[example_aws_subnet["id"]],
    ip_address_type="DUALSTACK",
    tags={
        "Environment": "Example",
    })
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := vpclattice.NewResourceGateway(ctx, "example", &vpclattice.ResourceGatewayArgs{
			Name:  pulumi.String("Example"),
			VpcId: pulumi.Any(exampleAwsVpc.Id),
			SubnetIds: pulumi.StringArray{
				exampleAwsSubnet.Id,
			},
			IpAddressType: pulumi.String("DUALSTACK"),
			Tags: pulumi.StringMap{
				"Environment": pulumi.String("Example"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var example = new Aws.VpcLattice.ResourceGateway("example", new()
    {
        Name = "Example",
        VpcId = exampleAwsVpc.Id,
        SubnetIds = new[]
        {
            exampleAwsSubnet.Id,
        },
        IpAddressType = "DUALSTACK",
        Tags =
        {
            { "Environment", "Example" },
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.ResourceGateway;
import com.pulumi.aws.vpclattice.ResourceGatewayArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ResourceGateway("example", ResourceGatewayArgs.builder()
            .name("Example")
            .vpcId(exampleAwsVpc.id())
            .subnetIds(exampleAwsSubnet.id())
            .ipAddressType("DUALSTACK")
            .tags(Map.of("Environment", "Example"))
            .build());
    }
}
```

```yaml
resources:
  example:
    type: aws:vpclattice:ResourceGateway
    properties:
      name: Example
      vpcId: ${exampleAwsVpc.id}
      subnetIds:
        - ${exampleAwsSubnet.id}
      ipAddressType: DUALSTACK
      tags:
        Environment: Example
```
The ipAddressType property controls which IP protocols the gateway supports. Setting it to DUALSTACK enables both IPv4 and IPv6 traffic. The IP address type must be compatible with both the subnets you specify and the resources that will connect through the gateway.
Apply security groups for traffic filtering
Security groups control which traffic flows through the resource gateway based on protocol, port, and source.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.vpclattice.ResourceGateway("example", {
    name: "Example",
    vpcId: exampleAwsVpc.id,
    securityGroupIds: [test.id],
    subnetIds: [exampleAwsSubnet.id],
});
```

```python
import pulumi
import pulumi_aws as aws

example = aws.vpclattice.ResourceGateway("example",
    name="Example",
    vpc_id=example_aws_vpc["id"],
    security_group_ids=[test["id"]],
    subnet_ids=[example_aws_subnet["id"]])
```

```go
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/vpclattice"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := vpclattice.NewResourceGateway(ctx, "example", &vpclattice.ResourceGatewayArgs{
			Name:  pulumi.String("Example"),
			VpcId: pulumi.Any(exampleAwsVpc.Id),
			SecurityGroupIds: pulumi.StringArray{
				test.Id,
			},
			SubnetIds: pulumi.StringArray{
				exampleAwsSubnet.Id,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var example = new Aws.VpcLattice.ResourceGateway("example", new()
    {
        Name = "Example",
        VpcId = exampleAwsVpc.Id,
        SecurityGroupIds = new[]
        {
            test.Id,
        },
        SubnetIds = new[]
        {
            exampleAwsSubnet.Id,
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.vpclattice.ResourceGateway;
import com.pulumi.aws.vpclattice.ResourceGatewayArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ResourceGateway("example", ResourceGatewayArgs.builder()
            .name("Example")
            .vpcId(exampleAwsVpc.id())
            .securityGroupIds(test.id())
            .subnetIds(exampleAwsSubnet.id())
            .build());
    }
}
```

```yaml
resources:
  example:
    type: aws:vpclattice:ResourceGateway
    properties:
      name: Example
      vpcId: ${exampleAwsVpc.id}
      securityGroupIds:
        - ${test.id}
      subnetIds:
        - ${exampleAwsSubnet.id}
```
The securityGroupIds property attaches security groups to the gateway’s ENIs. These security groups must exist in the same VPC as the gateway. Rules in the security groups determine which inbound and outbound traffic the gateway permits.
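The compatibility constraint on ipAddressType and the same-VPC constraint on securityGroupIds can be checked against an inventory before deployment. The following is an added example, not code from the Pulumi provider or the original page: the Subnet and GatewayArgs classes, check_gateway, and all sample IDs are hypothetical. The rule that a subnet must carry every address family requested is an assumed reading of "compatible", and requiring at least one security group is an assumed team policy.

```python
# Added example: offline pre-deployment check for ResourceGateway arguments.
# Class names, function names and all IDs are hypothetical, not provider API.
from dataclasses import dataclass, field

VALID_IP_TYPES = {"IPV4", "IPV6", "DUALSTACK"}

@dataclass
class Subnet:
    id: str
    vpc_id: str
    has_ipv4: bool = True
    has_ipv6: bool = False

@dataclass
class GatewayArgs:
    name: str
    vpc_id: str
    subnet_ids: list
    ip_address_type: str
    security_group_ids: list = field(default_factory=list)

def check_gateway(args, subnets, sg_vpcs):
    """Return findings (empty list = pass). subnets: id -> Subnet; sg_vpcs: group id -> VPC id."""
    findings = []
    if args.ip_address_type not in VALID_IP_TYPES:
        findings.append(f"ipAddressType {args.ip_address_type!r} is not IPV4, IPV6 or DUALSTACK")
    need_v4 = args.ip_address_type in ("IPV4", "DUALSTACK")
    need_v6 = args.ip_address_type in ("IPV6", "DUALSTACK")
    for sid in args.subnet_ids:
        s = subnets.get(sid)
        if s is None:
            findings.append(f"subnet {sid} is unknown")
            continue
        if s.vpc_id != args.vpc_id:
            findings.append(f"subnet {sid} is not in VPC {args.vpc_id}")
        # Assumed compatibility rule: the subnet must carry every family requested.
        if (need_v4 and not s.has_ipv4) or (need_v6 and not s.has_ipv6):
            findings.append(f"subnet {sid} cannot serve {args.ip_address_type}")
    # Assumed team policy: never rely on an implicit security group.
    if not args.security_group_ids:
        findings.append("no securityGroupIds set")
    for gid in args.security_group_ids:
        if sg_vpcs.get(gid) != args.vpc_id:
            findings.append(f"security group {gid} is not in VPC {args.vpc_id}")
    return findings

# Constructed inventory: one IPv4-only subnet, one group in another VPC.
SUBNETS = {"subnet-a": Subnet("subnet-a", "vpc-1")}
SG_VPCS = {"sg-ok": "vpc-1", "sg-other": "vpc-2"}
```

Run it in CI against resolved IDs from your inventory, and fail the pipeline when the returned list is non-empty.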
Beyond these examples
These snippets focus on specific resource gateway features: subnet placement and VPC association, IP address type configuration, and security group attachment. They’re intentionally minimal rather than full VPC Lattice deployments.
The examples reference pre-existing infrastructure, such as a VPC with subnets and security groups for traffic filtering. They focus on configuring the gateway rather than provisioning the surrounding network infrastructure.
To keep things focused, common gateway patterns are omitted, including:
- IPv4 address density tuning (ipv4AddressesPerEni)
- Cross-region gateway configuration (region property)
These omissions are intentional: the goal is to illustrate how each gateway feature is wired, not provide drop-in VPC Lattice modules. See the VPC Lattice Resource Gateway resource reference for all available configuration options.
Frequently Asked Questions
IP Address Configuration
ipAddressType you choose must be compatible with both your subnet configuration and the IP address type of the resource you’re connecting to. Mismatches will cause configuration errors.
IPV4, IPV6, or DUALSTACK. Choose based on your subnet and resource requirements.
IPV4 and DUALSTACK address types. It has no effect when using IPV6.
Networking & Security
securityGroupIds with groups from the VPC specified in vpcId.