(aws-cdk-lib/aws_ec2): (Can't create Internet Gateway without public subnets)

[KuramaeNaputo]

Describe the bug

I specified "create InternetGateway" prop true and "subnetConfiguration" as "PRIVATE_ISOLATED". But It doesn't make Internet Gateway. I Use Internet Gateway only for Cloud front VPC origin.

new _Vpc(this, 'Vpc', {
          ipAddresses: IpAddresses.cidr('10.0.0.0/16'),
          availabilityZones: ["ap-northeast-1a", "ap-northeast-1c"],
          ipProtocol: IpProtocol.IPV4_ONLY,
          createInternetGateway: true,
          subnetConfiguration: [
            {
              cidrMask: 24,
              name: 'SubnetA',
              subnetType: SubnetType.PRIVATE_ISOLATED
            },
            {
              cidrMask: 24,
              name: 'SubnetB',
              subnetType: SubnetType.PRIVATE_ISOLATED
            },
            {
              cidrMask: 24,
              name: 'SubnetC',
              subnetType: SubnetType.PRIVATE_ISOLATED
            },
            {
              cidrMask: 24,
              name: 'SubnetD',
              subnetType: SubnetType.PRIVATE_ISOLATED
            },
          ]
        });

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

It makes Internet Gateway and Private Subnets

Current Behavior

It doesn't makes Internet Gateway

Reproduction Steps

new _Vpc(this, 'Vpc', {
          ipAddresses: IpAddresses.cidr('10.0.0.0/16'),
          availabilityZones: ["ap-northeast-1a", "ap-northeast-1c"],
          ipProtocol: IpProtocol.IPV4_ONLY,
          createInternetGateway: true,
          subnetConfiguration: [
            {
              cidrMask: 24,
              name: 'SubnetA',
              subnetType: SubnetType.PRIVATE_ISOLATED
            },
            {
              cidrMask: 24,
              name: 'SubnetB',
              subnetType: SubnetType.PRIVATE_ISOLATED
            },
            {
              cidrMask: 24,
              name: 'SubnetC',
              subnetType: SubnetType.PRIVATE_ISOLATED
            },
            {
              cidrMask: 24,
              name: 'SubnetD',
              subnetType: SubnetType.PRIVATE_ISOLATED
            },
          ]
        });

Possible Solution

Remove the "allowOutbound" condition from the if statement in the process of creating an "Internet Gateway". However, I think it will have a big impact.

/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts line 1614:1629

    const createInternetGateway = props.createInternetGateway ?? true;
    const allowOutbound = this.subnetConfiguration.filter(
      subnet => (subnet.subnetType !== SubnetType.PRIVATE_ISOLATED && subnet.subnetType !== SubnetType.ISOLATED && !subnet.reserved)).length > 0;

    // Create an Internet Gateway and attach it if necessary
    if (allowOutbound && createInternetGateway) {
      const igw = new CfnInternetGateway(this, 'IGW', {
      });

      this.internetGatewayId = igw.ref;

      this._internetConnectivityEstablished.add(igw);
      const att = new CfnVPCGatewayAttachment(this, 'VPCGW', {
        internetGatewayId: igw.ref,
        vpcId: this.resource.ref,
      });

Additional Information/Context

No response

CDK CLI Version

2.1006.0

Framework Version

No response

Node.js Version

v23.10.0

OS

Mac OS

Language

TypeScript

Language Version

No response

Other information

No response

[ykethan]

Hey @KuramaeNaputo , thank you for reporting this issue. I have verified the behavior using

Reproduction

import * as cdk from "aws-cdk-lib";
import * as ec2 from "aws-cdk-lib/aws-ec2";
import { Construct } from "constructs";

export class Repro34069Stack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new ec2.Vpc(this, "VPC", {
      ipAddresses: ec2.IpAddresses.cidr("10.0.0.0/16"),
      availabilityZones: ["us-east-1a", "us-east-1b"],
      createInternetGateway: true,
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: "SubnetA",
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
        },
      ],
    });
  }
}

Workaround

As a workaround, I was able to create a Internet Gateway with vpc containing isolated subnets by disabling the default internet gateway on the vpc. Then creating a new internet gateway and attach it to the VPC .

import * as cdk from "aws-cdk-lib";
import * as ec2 from "aws-cdk-lib/aws-ec2";
import { Construct } from "constructs";

export class Repro34069Stack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Create VPC with only PRIVATE_ISOLATED subnets
    const vpc = new ec2.Vpc(this, "VPC", {
      ipAddresses: ec2.IpAddresses.cidr("10.0.0.0/16"),
      availabilityZones: ["us-east-1a", "us-east-1b"],
      createInternetGateway: false,
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: "Isolated",
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
        },
      ],
    });

    // create new internet gateway
    const igw = new ec2.CfnInternetGateway(this, "IGW", {
      tags: [{ key: "Name", value: "new IGW" }],
    });

    // attach the gateway to vpc
    new ec2.CfnVPCGatewayAttachment(this, "VPCGW", {
      vpcId: vpc.vpcId,
      internetGatewayId: igw.ref,
    });
  }
}

[ykethan]

As attaching a internet gateway does not mean the subnets can automatically route to it and each subnet must be explicitly configured with routes to use the internet gateway. On the top of my head as a potential improvement we could update the existing behavior to the following

/**
 * Creates and attaches an Internet Gateway to the VPC if requested.
 */
const createInternetGateway = props.createInternetGateway ?? true;
if (createInternetGateway) {
  const igw = new CfnInternetGateway(this, 'IGW', {
    tags: [{ key: 'Name', value: 'VPC IGW' }],
  });

  this.internetGatewayId = igw.ref;
  this._internetConnectivityEstablished.add(igw);

  // Attach the IGW to the VPC
  const att = new CfnVPCGatewayAttachment(this, 'VPCGW', {
    internetGatewayId: igw.ref,
    vpcId: this.resource.ref,
  });
}

/**
 * Configure subnet routing separately from IGW creation.
 * This maintains the existing behavior where only public subnets
 * get routes to the IGW.
 */
if (allowOutbound) {
  this.publicSubnets.forEach(publicSubnet => {
    if (this.internetGatewayId) {
      if (this.useIpv4) {
        publicSubnet.addDefaultInternetRoute(this.internetGatewayId, att);
      }
      if (this.useIpv6) {
        publicSubnet.addIpv6DefaultInternetRoute(this.internetGatewayId);
      }
    }
  });
}

but will let the team further dive deeper into this.