(aws-cdk-lib/aws-ec2): (ec2.Vpc.fromLookup() doesn't correctly recognize existing PRIVATE_WITH_EGRESS subnets ) #30897
Labels
@aws-cdk/aws-ec2
Related to Amazon Elastic Compute Cloud
bug
This issue is a bug.
needs-triage
This issue or PR still needs to be triaged.
Describe the bug
I was surprised to see that it thought of them as
"There are no 'Private' subnet groups in this VPC. Available types: Isolated,Deprecated_Isolated,Public"
when the reality is there are only 2 Public subnets (with default route to IGW) and 4 private subnets with default route to a single NAT GW shared across 2 AZs: us-east-1a (use1-az4) + us-east-1b (use1-az6).
I suspect it gets confused by an extra route for private S3 access via S3 vpc gateway endpoint's route in the private subnet which also has a default route via a NAT GW, thus should be PRIVATE_WITH_EGRESS because of the presence of the NAT-GW, regardless of the additional route for private access to S3.
There is indeed a public subnets RT with default route to IGW, there's the private subnets' RT which I described, and there's an unused 3rd RT (the default VPC RT) which contains only the route to VPC so that is a route table for isolated subnets, but no subnet is using it, I only have 2 public and 4 private subnets.
Expected Behavior
According to the CDK documentation for VPC, these subnets should be classified as Private with Egress. They are not isolated as they can get to the Internet.
Here's the manual.
Private with Internet Access (SubnetType.PRIVATE_WITH_EGRESS) - instances in private subnets are not directly routable from the Internet, and you must provide a way to connect out to the Internet. By default, a NAT gateway is created in every public subnet for maximum availability. Be aware that you will be charged for NAT gateways. Alternatively you can set natGateways:0 and provide your own egress configuration (i.e through Transit Gateway)
Isolated (SubnetType.PRIVATE_ISOLATED) - isolated subnets do not route from or to the Internet, and as such do not require NAT gateways. They can only connect to or be connected to from other instances in the same VPC. A default VPC configuration will not include isolated subnets,
Current Behavior
Reproduction Steps
Also, see 2 screenshots in expected behavior
To reproduce it is quite simple: I manually created a 2-AZ VPC with said subnets. The public subnets shared a single Public_RT with the default route to IGW and the local VPC route. The private subnets with EGRESS shared a single Private_RT with a default route to a single NAT GW in us-east-1a (use1-az4), the local VPC route, and a 3rd route for the S3 gateway endpoint's prefix list that routes to the S3 gateway endpoint for private access to S3. (Maybe the 3rd route confused the existing code into misclassifying the subnets as Isolated or Deprecated_Isolated, but I clearly have a route to a NAT GW.)
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.148.0 (build e5740c0)
Framework Version
No response
Node.js Version
v20.12.2
OS
MacOS 14.5 (23F79) (Sonoma)
Language
TypeScript
Language Version
No response
Other information
No response
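As an added illustration (not CDK's own code), here is a small audit helper that classifies a subnet from its route table the way the report describes: only the default route decides egress, so an extra S3 gateway-endpoint prefix-list route beside a NAT gateway route still yields "Private". The route tables below are constructed to mirror the three described above; the field names follow the EC2 DescribeRouteTables response shape, and the resource IDs are placeholders.

```typescript
// Added example, not code from the CDK project. Shape mirrors the fields that
// EC2 DescribeRouteTables returns for a single route (IDs here are placeholders).
interface Route {
  destinationCidrBlock?: string;      // "0.0.0.0/0", the VPC CIDR, ...
  destinationPrefixListId?: string;   // set for gateway-endpoint (S3) routes
  gatewayId?: string;                 // "local", "igw-...", "vpce-...", "vgw-..."
  natGatewayId?: string;              // "nat-..."
  transitGatewayId?: string;          // "tgw-..."
}

type SubnetKind = "Public" | "Private" | "Isolated";

const DEFAULT_ROUTE = "0.0.0.0/0";

// Only the default route decides the verdict. The "local" route and any
// prefix-list (gateway endpoint) route describe intra-VPC or endpoint
// traffic and must not mask a NAT/TGW default route.
function classifySubnet(routes: Route[]): SubnetKind {
  const egress = routes.filter(r => r.destinationCidrBlock === DEFAULT_ROUTE);
  if (egress.some(r => r.gatewayId?.startsWith("igw-"))) return "Public";
  // NAT gateway, transit gateway or virtual private gateway: outbound only.
  if (egress.some(r => r.natGatewayId || r.transitGatewayId || r.gatewayId?.startsWith("vgw-"))) {
    return "Private";
  }
  return "Isolated";
}

// Sorted, de-duplicated set of kinds present in a VPC, which is what a
// "no 'Private' subnet groups" style message should be derived from.
function availableTypes(subnetRouteTables: Route[][]): SubnetKind[] {
  return [...new Set(subnetRouteTables.map(classifySubnet))].sort();
}

// Constructed route tables matching the report: Public_RT, Private_RT
// (default via NAT GW plus an S3 gateway-endpoint route) and the unused
// default VPC RT that only carries the local route.
const publicRt: Route[] = [
  { destinationCidrBlock: "10.0.0.0/16", gatewayId: "local" },
  { destinationCidrBlock: DEFAULT_ROUTE, gatewayId: "igw-0placeholder" },
];
const privateRt: Route[] = [
  { destinationCidrBlock: "10.0.0.0/16", gatewayId: "local" },
  { destinationCidrBlock: DEFAULT_ROUTE, natGatewayId: "nat-0placeholder" },
  { destinationPrefixListId: "pl-0placeholder", gatewayId: "vpce-0placeholder" },
];
const isolatedRt: Route[] = [
  { destinationCidrBlock: "10.0.0.0/16", gatewayId: "local" },
];
```

Running `availableTypes([publicRt, publicRt, privateRt, privateRt, privateRt, privateRt])` for the six subnets in the report yields only Private and Public, with no Isolated entry, because the unused default RT is attached to no subnet.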