
(aws_apigatewayv2): VpcLink can't see Private_Isolated subnets #29221

Assignees
Labels
@aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 bug This issue is a bug. effort/medium Medium work item – several days of effort p3

Comments

@rantoniuk

Describe the bug

VPC defined as:

    import * as ec2 from 'aws-cdk-lib/aws-ec2'; // import added; the original snippet omitted it

    // Two-AZ VPC with only isolated private subnets (no NAT gateway, no internet egress)
    this.vpc = new ec2.Vpc(this, 'Vpc', {
      maxAzs: 2,
      subnetConfiguration: [
        { cidrMask: 24, name: 'Isolated', subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
      ],
    });

When trying to deploy the below APIGW definition:

    import * as cdk from 'aws-cdk-lib';
    // Imports added; the original snippet omitted them.
    import { HttpAlbIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';

    // Internal ALB in the VPC, forwarding port 80 to the ECS backend service
    const lb = new cdk.aws_elasticloadbalancingv2.ApplicationLoadBalancer(this, 'lb', { vpc: props.vpc });
    const listener = lb.addListener('Listener', { port: 80 });

    listener.addTargets('ecs', {
      port: 80,
      targets: [props.backendService.loadBalancerTarget({
        containerName: 'backend',
        containerPort: 8000,
      })],
    });

    // VpcLink with no explicit subnet selection: this is the line that raises the error below
    const vpcLink = new cdk.aws_apigatewayv2.VpcLink(this, 'VpcLink', { vpc: props.vpc });

    new cdk.aws_apigatewayv2.HttpApi(this, 'HttpProxyPrivateApi', {
      apiName: 'BackendApi',
      defaultIntegration: new HttpAlbIntegration('DefaultIntegration', listener, { vpcLink }),
    });

Expected Behavior

VpcLink is created using Isolated subnets automatically.

Current Behavior

Error: There are no 'Private' subnet groups in this VPC. Available types: Isolated,Deprecated_Isolated

Reproduction Steps

As above.

Possible Solution

Workaround:

    const vpcLink = new cdk.aws_apigatewayv2.VpcLink(this, 'VpcLink', { vpc: props.vpc, subnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED } });

Additional Information/Context

No response

CDK CLI Version

2.129.0

Framework Version

No response

Node.js Version

18.18.2

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

@rantoniuk rantoniuk added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 22, 2024
@github-actions github-actions bot added the @aws-cdk/aws-apigatewayv2 Related to Amazon API Gateway v2 label Feb 22, 2024
@pahud
Contributor

pahud commented Feb 23, 2024

Yes, if you don't specify props.subnets, it would filter and pick up with { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }, which you don't have in your use case. So you will need to specify props.subnets.

const { subnets } = props.vpc.selectSubnets(props.subnets ?? { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS });

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Feb 23, 2024
@rantoniuk
Author

I would challenge the fact of using PRIVATE_EGRESS as the default - having a VpcLink already means that someone is probably looking for strict security so:

  • either look for PRIVATE_ISOLATED first then for PRIVATE_EGRESS if not found
  • and then props should only be used for a custom config of some non-standard setup of subnets.

I know it's just an opinion but simplicity of the usage of constructs and minimising the number of props overrides is important in my opinion. Up to you to decide though!

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Feb 25, 2024
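As an added example (not CDK source and not code posted in this thread), the stand-alone TypeScript below models both the current selection pahud quotes (default to PRIVATE_WITH_EGRESS, fail when the VPC has none) and the isolated-first fallback rantoniuk proposes, so the two behaviours can be compared on a VPC shaped like the one in the report. The `SubnetType`, `Vpc`, `VpcLinkProps` and `selectSubnets()` names are simplified stand-ins for the aws-cdk-lib ones, and the two VPCs are constructed sample data.

```typescript
// Added example (not CDK code): a stand-alone model of the subnet selection
// discussed in this issue. SubnetType, Vpc, VpcLinkProps and selectSubnets()
// are simplified stand-ins for the aws-cdk-lib types, not the real ones.

type SubnetType = 'Public' | 'Private' | 'Isolated';
const SubnetType = {
  PUBLIC: 'Public' as SubnetType,
  PRIVATE_WITH_EGRESS: 'Private' as SubnetType,
  PRIVATE_ISOLATED: 'Isolated' as SubnetType,
};

interface Subnet { subnetId: string; type: SubnetType; availabilityZone: string; }
interface Vpc { subnets: Subnet[]; }
interface SubnetSelection { subnetType?: SubnetType; }
interface VpcLinkProps { vpc: Vpc; subnets?: SubnetSelection; }

// Stand-in for vpc.selectSubnets(): filters by subnet type and fails with the
// same message shape the reporter saw when no group of that type exists.
function selectSubnets(vpc: Vpc, selection: SubnetSelection): Subnet[] {
  const wanted = selection.subnetType ?? SubnetType.PRIVATE_WITH_EGRESS;
  const chosen = vpc.subnets.filter((s) => s.type === wanted);
  if (chosen.length === 0) {
    const available = Array.from(new Set(vpc.subnets.map((s) => s.type))).join(',');
    throw new Error(`There are no '${wanted}' subnet groups in this VPC. Available types: ${available}`);
  }
  return chosen;
}

// Current behaviour as pahud describes it: default to PRIVATE_WITH_EGRESS.
function vpcLinkSubnetsCurrent(props: VpcLinkProps): Subnet[] {
  return selectSubnets(props.vpc, props.subnets ?? { subnetType: SubnetType.PRIVATE_WITH_EGRESS });
}

// rantoniuk's proposal: try PRIVATE_ISOLATED first, then PRIVATE_WITH_EGRESS,
// and consult props.subnets only as an explicit override.
function vpcLinkSubnetsProposed(props: VpcLinkProps): Subnet[] {
  if (props.subnets) {
    return selectSubnets(props.vpc, props.subnets);
  }
  const hasIsolated = props.vpc.subnets.some((s) => s.type === SubnetType.PRIVATE_ISOLATED);
  return selectSubnets(props.vpc, {
    subnetType: hasIsolated ? SubnetType.PRIVATE_ISOLATED : SubnetType.PRIVATE_WITH_EGRESS,
  });
}

// Constructed sample VPC matching the bug report: two AZs, isolated subnets only.
const isolatedOnlyVpc: Vpc = {
  subnets: [
    { subnetId: 'subnet-iso-a', type: SubnetType.PRIVATE_ISOLATED, availabilityZone: 'a' },
    { subnetId: 'subnet-iso-b', type: SubnetType.PRIVATE_ISOLATED, availabilityZone: 'b' },
  ],
};

// Constructed sample VPC with both private subnet kinds, to show which one
// each strategy picks when both are present.
const mixedVpc: Vpc = {
  subnets: [
    { subnetId: 'subnet-egress-a', type: SubnetType.PRIVATE_WITH_EGRESS, availabilityZone: 'a' },
    { subnetId: 'subnet-iso-a', type: SubnetType.PRIVATE_ISOLATED, availabilityZone: 'a' },
  ],
};

// Runs the scenarios from the thread and returns a short report keyed by scenario.
function report(): Record<string, string> {
  const out: Record<string, string> = {};
  try {
    vpcLinkSubnetsCurrent({ vpc: isolatedOnlyVpc });
    out.currentDefault = 'ok';
  } catch (e) {
    out.currentDefault = (e as Error).message; // the error from the bug report
  }
  out.currentWorkaround = vpcLinkSubnetsCurrent({
    vpc: isolatedOnlyVpc,
    subnets: { subnetType: SubnetType.PRIVATE_ISOLATED },
  }).map((s) => s.subnetId).join(',');
  out.proposedDefault = vpcLinkSubnetsProposed({ vpc: isolatedOnlyVpc }).map((s) => s.subnetId).join(',');
  out.proposedMixed = vpcLinkSubnetsProposed({ vpc: mixedVpc }).map((s) => s.subnetId).join(',');
  return out;
}

console.log(report());
```

The `currentDefault` entry reproduces the failure from the report, `currentWorkaround` shows the explicit `subnets` override from the Possible Solution section, and the two `proposed*` entries show that the isolated-first default picks the isolated subnets both when they are the only private subnets and when egress subnets also exist.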
@pahud
Contributor

pahud commented Jun 3, 2024

Yeah I guess we need to improve the doc here.

@pahud pahud self-assigned this Jun 3, 2024
@rantoniuk
Author

I suggested something else rather than improving the docs.

@pahud pahud added p3 and removed p2 labels Jun 11, 2024