
Can't configure an RDS without Private subnets in a VPC #4828

Closed
shurmanidze opened this issue Nov 3, 2019 · 8 comments
Assignees
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud @aws-cdk/aws-rds Related to Amazon Relational Database guidance Question that needs advice or information.

Comments

@shurmanidze

Via the AWS Management Console I created a VPC from scratch with two public subnets. Then I created a DB Instance in that VPC. Everything worked smoothly. When I replicated the same configuration in CDK I got the following error:

There are no 'Private' subnet groups in this VPC. Available types: Public

When I added two extra Private subnets (with natGateways=0) to the VPC, I got another error:

CommonVpc/CommonPrivateSubnetGroupSubnet2/DefaultRoute (CommonVpcCommonPrivateSubnetGroupSubnet2DefaultRoute30057064) Exactly one of [InstanceId, NetworkInterfaceId, EgressOnlyInternetGatewayId, VpcPeeringConnectionId, GatewayId, TransitGatewayId, NatGatewayId] must be specified and not empty

Reproduction Steps

```ts
// Imports and Stack wrapper added so the snippet compiles as a CDK 1.14 stack.
import { Construct, Stack, StackProps } from '@aws-cdk/core';
import { InstanceClass, InstanceSize, InstanceType, SubnetType, Vpc } from '@aws-cdk/aws-ec2';
import { DatabaseInstance, DatabaseInstanceEngine } from '@aws-cdk/aws-rds';

export class CommonStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const vpc = new Vpc(this, 'CommonVpc', {
      enableDnsSupport: true,
      natGateways: 0,
      cidr: '10.0.0.0/16',
      maxAzs: 2,
      subnetConfiguration: [
        {
          cidrMask: 19,
          name: 'CommonPublicSubnetGroup',
          subnetType: SubnetType.PUBLIC,
        },
        // Uncommenting this PRIVATE group while natGateways is 0 produces the
        // DefaultRoute error quoted above (a PRIVATE subnet's default route needs a NAT target).
        // {
        //   cidrMask: 19,
        //   name: 'CommonPrivateSubnetGroup',
        //   subnetType: SubnetType.PRIVATE,
        // },
      ]
    });
    const dbInstance = new DatabaseInstance(this, 'DbInstance', {
      engine: DatabaseInstanceEngine.MYSQL,
      masterUsername: 'root',
      databaseName: 'RootDb',
      instanceClass: InstanceType.of(InstanceClass.T2, InstanceSize.MICRO),
      vpc,
      allocatedStorage: 10,
      // Subnet selection for the instance; the VPC above only has PUBLIC subnets.
      vpcPlacement: {
        subnetType: SubnetType.PUBLIC,
      },
    });
  }
}
```

Environment

  • CLI Version : 1.14.0
  • Framework Version: 1.14.0
  • OS : Windows 10
  • Language : TS

This is 🐛 Bug Report

@shurmanidze shurmanidze added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 3, 2019
@shurmanidze
Author

I guess I found the answer here #4668
The issue is caused by lambdas that can't work in a public subnet. Since DB is placed in the public subnets and lambdas are in the private subnet they need NAT to access the DB. If I put the DB into the private subnet I might not need NAT in this case, but I won't be able to connect to the DB instance from my local PC. Please close the issue if that's the case.

@SomayaB SomayaB added package/vpc @aws-cdk/aws-rds Related to Amazon Relational Database labels Nov 4, 2019
@rix0rrr
Contributor

rix0rrr commented Nov 5, 2019

> I guess I found the answer here #4668

Yes, I think the behavior around subnet selection in 1.15 will be better for you.

> Since DB is placed in the public subnets and lambdas are in the private subnet they need NAT to access the DB.

I don't believe that is true. You will need to use the private IP addresses of your database to connect though (probably in the 10.x.x.x range), not the public IP addresses or the DNS name.

Maybe enabling "private DNS" on your VPC will work; I'm not sure, I'm not a networking expert.

Since you don't seem to want any NAT gateways, you need to use ISOLATED subnets for your Lambdas though, not PRIVATE ones.

@rix0rrr rix0rrr added guidance Question that needs advice or information. and removed bug This issue is a bug. labels Nov 5, 2019
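An added example, not code from this thread or from the CDK project, that puts the advice above into a CDK v1 Java stack: the VPC has only PUBLIC and ISOLATED subnet groups so `natGateways(0)` is valid, the instance is placed in the PUBLIC group explicitly via `vpcSubnets`, and the database port is opened to a single developer address rather than to the whole internet. The stack name, the MySQL engine version and the `DEV_CIDR` value are assumptions.

```java
import software.amazon.awscdk.core.Construct;
import software.amazon.awscdk.core.Stack;
import software.amazon.awscdk.core.StackProps;
import software.amazon.awscdk.services.ec2.InstanceClass;
import software.amazon.awscdk.services.ec2.InstanceSize;
import software.amazon.awscdk.services.ec2.InstanceType;
import software.amazon.awscdk.services.ec2.Peer;
import software.amazon.awscdk.services.ec2.Port;
import software.amazon.awscdk.services.ec2.SubnetConfiguration;
import software.amazon.awscdk.services.ec2.SubnetSelection;
import software.amazon.awscdk.services.ec2.SubnetType;
import software.amazon.awscdk.services.ec2.Vpc;
import software.amazon.awscdk.services.rds.DatabaseInstance;
import software.amazon.awscdk.services.rds.DatabaseInstanceEngine;
import software.amazon.awscdk.services.rds.MySqlInstanceEngineProps;
import software.amazon.awscdk.services.rds.MysqlEngineVersion;
import java.util.List;

class NoNatDbStack extends Stack {
  // Constructed placeholder (TEST-NET-3); replace with the developer's real /32 before deploying.
  private static final String DEV_CIDR = "203.0.113.10/32";

  NoNatDbStack(Construct scope, String id, StackProps props) {
    super(scope, id, props);
    // natGateways(0) only works when no PRIVATE group exists (a PRIVATE subnet's default
    // route needs a NAT gateway target), so the second group is ISOLATED, as advised above.
    Vpc vpc = Vpc.Builder.create(this, "CommonVpc")
        .cidr("10.0.0.0/16").maxAzs(2).natGateways(0)
        .subnetConfiguration(List.of(
            SubnetConfiguration.builder().name("Public").cidrMask(19)
                .subnetType(SubnetType.PUBLIC).build(),
            SubnetConfiguration.builder().name("Isolated").cidrMask(19)
                .subnetType(SubnetType.ISOLATED).build()))
        .build();
    // Without vpcSubnets the construct looks for PRIVATE subnets and synth fails with
    // "There are no 'Private' subnet groups in this VPC. Available types: Public".
    DatabaseInstance db = DatabaseInstance.Builder.create(this, "DbInstance")
        .engine(DatabaseInstanceEngine.mysql(MySqlInstanceEngineProps.builder()
            .version(MysqlEngineVersion.VER_8_0_21).build()))
        .instanceType(InstanceType.of(InstanceClass.BURSTABLE3, InstanceSize.MICRO))
        .vpc(vpc)
        .vpcSubnets(SubnetSelection.builder().subnetType(SubnetType.PUBLIC).build())
        .publiclyAccessible(true)
        .allocatedStorage(10)
        .build();
    // publiclyAccessible only assigns a public address; reachability is decided by the
    // security group, so open 3306 to the one developer address instead of 0.0.0.0/0.
    db.getConnections().allowFrom(Peer.ipv4(DEV_CIDR), Port.tcp(3306), "dev workstation");
  }
}
```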
@shurmanidze
Author

> you need to use ISOLATED subnets for your Lambdas though, not PRIVATE ones.

I'd like to be able to connect to my RDS from a local PC (at least during the development stage). It looks like it's not possible with ISOLATED subnets.

@rix0rrr
Contributor

rix0rrr commented Nov 8, 2019

If you want to connect to your RDS instance from your PC it will need to be routable from the internet.

That means it is itself in a public subnet with a public IP address, or it has a publicly routable computer in front of it (typically a load balancer in the form of an ALB with a TCP connection or an NLB).

@rix0rrr
Contributor

rix0rrr commented Nov 8, 2019

Or I guess you could VPN into your VPC, but I'm not exactly sure how that is done.

@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Nov 12, 2019
@SomayaB
Contributor

SomayaB commented Nov 12, 2019

Closing this issue since it seems to have been resolved. Feel free to reopen.

@SomayaB SomayaB closed this as completed Nov 12, 2019
@deleugpn

deleugpn commented Nov 21, 2019

Wait, we can have ALB (public subnet) routing traffic to Aurora (private subnet)? 👀

@SomayaB SomayaB added @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud and removed package/vpc labels May 27, 2020
@nikita-sheremet-clearscale

A `vpcSubnets` selector must be provided to fix the error `There are no 'Private' subnet groups in this VPC. Available types: Public`, like this (Java):

```java
import software.amazon.awscdk.core.Construct;
import software.amazon.awscdk.core.RemovalPolicy;
import software.amazon.awscdk.core.SecretValue;
import software.amazon.awscdk.core.Stack;
import software.amazon.awscdk.core.StackProps;
import software.amazon.awscdk.services.ec2.InstanceClass;
import software.amazon.awscdk.services.ec2.InstanceSize;
import software.amazon.awscdk.services.ec2.InstanceType;
import software.amazon.awscdk.services.ec2.SubnetSelection;
import software.amazon.awscdk.services.ec2.SubnetType;
import software.amazon.awscdk.services.ec2.Vpc;
import software.amazon.awscdk.services.ec2.VpcLookupOptions;
import software.amazon.awscdk.services.rds.AuroraPostgresClusterEngineProps;
import software.amazon.awscdk.services.rds.AuroraPostgresEngineVersion;
import software.amazon.awscdk.services.rds.Credentials;
import software.amazon.awscdk.services.rds.DatabaseCluster;
import software.amazon.awscdk.services.rds.DatabaseClusterEngine;
import software.amazon.awscdk.services.rds.DatabaseClusterProps;
import software.amazon.awscdk.services.rds.InstanceProps;

// Wrapped in a Stack so that `this` is a valid construct scope (the original used a static main).
class Scratch extends Stack {
  Scratch(Construct scope, String id, StackProps props) {
    super(scope, id, props);
    var cluster = new DatabaseCluster(this, "PostgresDb",
        DatabaseClusterProps.builder()
            .clusterIdentifier("aurora-postgresql-cluster")
            .engine(DatabaseClusterEngine.auroraPostgres(
                AuroraPostgresClusterEngineProps.builder()
                    .version(
                        AuroraPostgresEngineVersion.VER_12_4
                    )
                    .build()))
            .removalPolicy(RemovalPolicy.DESTROY)
            .deletionProtection(false)
//            .credentials(Credentials.fromSecret(databaseSecret))
            .credentials(Credentials.fromPassword("somename", SecretValue.plainText("password")))
            // Set once; the original called this setter twice and only the last value applied.
            .instanceIdentifierBase("aurora-postgresql-instance")
            .instanceProps(
                InstanceProps.builder()
                    .instanceType(
                        InstanceType.of(InstanceClass.MEMORY4, InstanceSize.LARGE)
                    )
                    // The default VPC has only public subnets, so the default PRIVATE selection fails.
                    .vpc(Vpc.fromLookup(this, "DefaultVpc", VpcLookupOptions.builder().isDefault(true).build()))
                    .vpcSubnets(SubnetSelection.builder().subnetType(SubnetType.PUBLIC).build()) // <- here fixed the error
                    .publiclyAccessible(true)
                    .build())
            .build()
    );
  }
}
```
