(aws-cdk-lib/aws_ec2): (Can't create Internet Gateway without public subnets) #34069

KuramaeNaputo opened this issue Apr 8, 2025 · 2 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. p2

Comments

@KuramaeNaputo
Contributor

Describe the bug

I specified the "createInternetGateway" prop as true and "subnetConfiguration" as "PRIVATE_ISOLATED", but it doesn't make an Internet Gateway. I use the Internet Gateway only for a CloudFront VPC origin.

// Imports added so the snippet is self-contained; the issue's code used the _Vpc alias.
import { IpAddresses, IpProtocol, SubnetType, Vpc as _Vpc } from 'aws-cdk-lib/aws-ec2';

// VPC with four PRIVATE_ISOLATED subnet groups and an explicit request for an IGW
new _Vpc(this, 'Vpc', {
  ipAddresses: IpAddresses.cidr('10.0.0.0/16'),
  availabilityZones: ["ap-northeast-1a", "ap-northeast-1c"],
  ipProtocol: IpProtocol.IPV4_ONLY,
  createInternetGateway: true,
  subnetConfiguration: [
    {
      cidrMask: 24,
      name: 'SubnetA',
      subnetType: SubnetType.PRIVATE_ISOLATED
    },
    {
      cidrMask: 24,
      name: 'SubnetB',
      subnetType: SubnetType.PRIVATE_ISOLATED
    },
    {
      cidrMask: 24,
      name: 'SubnetC',
      subnetType: SubnetType.PRIVATE_ISOLATED
    },
    {
      cidrMask: 24,
      name: 'SubnetD',
      subnetType: SubnetType.PRIVATE_ISOLATED
    },
  ]
});

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

It makes an Internet Gateway and private subnets.

Current Behavior

It doesn't make an Internet Gateway.

Reproduction Steps

// Imports added so the snippet is self-contained; the issue's code used the _Vpc alias.
import { IpAddresses, IpProtocol, SubnetType, Vpc as _Vpc } from 'aws-cdk-lib/aws-ec2';

// Same VPC as above: only isolated subnets, createInternetGateway requested
new _Vpc(this, 'Vpc', {
  ipAddresses: IpAddresses.cidr('10.0.0.0/16'),
  availabilityZones: ["ap-northeast-1a", "ap-northeast-1c"],
  ipProtocol: IpProtocol.IPV4_ONLY,
  createInternetGateway: true,
  subnetConfiguration: [
    {
      cidrMask: 24,
      name: 'SubnetA',
      subnetType: SubnetType.PRIVATE_ISOLATED
    },
    {
      cidrMask: 24,
      name: 'SubnetB',
      subnetType: SubnetType.PRIVATE_ISOLATED
    },
    {
      cidrMask: 24,
      name: 'SubnetC',
      subnetType: SubnetType.PRIVATE_ISOLATED
    },
    {
      cidrMask: 24,
      name: 'SubnetD',
      subnetType: SubnetType.PRIVATE_ISOLATED
    },
  ]
});

Possible Solution

Remove the "allowOutbound" condition from the if statement in the process of creating an "Internet Gateway". However, I think it will have a big impact.

/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts, lines 1614-1629:

    const createInternetGateway = props.createInternetGateway ?? true;
    const allowOutbound = this.subnetConfiguration.filter(
      subnet => (subnet.subnetType !== SubnetType.PRIVATE_ISOLATED && subnet.subnetType !== SubnetType.ISOLATED && !subnet.reserved)).length > 0;

    // Create an Internet Gateway and attach it if necessary
    if (allowOutbound && createInternetGateway) {
      const igw = new CfnInternetGateway(this, 'IGW', {
      });

      this.internetGatewayId = igw.ref;

      this._internetConnectivityEstablished.add(igw);
      const att = new CfnVPCGatewayAttachment(this, 'VPCGW', {
        internetGatewayId: igw.ref,
        vpcId: this.resource.ref,
      });

Additional Information/Context

No response

CDK CLI Version

2.1006.0

Framework Version

No response

Node.js Version

v23.10.0

OS

Mac OS

Language

TypeScript

Language Version

No response

Other information

No response

@KuramaeNaputo KuramaeNaputo added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 8, 2025
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Apr 8, 2025
@ykethan ykethan self-assigned this Apr 8, 2025
@ykethan
Contributor

ykethan commented Apr 8, 2025

Hey @KuramaeNaputo, thank you for reporting this issue. I have verified the behavior using the following.

Reproduction

import * as cdk from "aws-cdk-lib";
import * as ec2 from "aws-cdk-lib/aws-ec2";
import { Construct } from "constructs";

export class Repro34069Stack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new ec2.Vpc(this, "VPC", {
      ipAddresses: ec2.IpAddresses.cidr("10.0.0.0/16"),
      availabilityZones: ["us-east-1a", "us-east-1b"],
      createInternetGateway: true,
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: "SubnetA",
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
        },
      ],
    });
  }
}

Workaround

As a workaround, I was able to create an Internet Gateway with a VPC containing isolated subnets by disabling the default internet gateway on the VPC, then creating a new internet gateway and attaching it to the VPC.

import * as cdk from "aws-cdk-lib";
import * as ec2 from "aws-cdk-lib/aws-ec2";
import { Construct } from "constructs";

export class Repro34069Stack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Create VPC with only PRIVATE_ISOLATED subnets
    const vpc = new ec2.Vpc(this, "VPC", {
      ipAddresses: ec2.IpAddresses.cidr("10.0.0.0/16"),
      availabilityZones: ["us-east-1a", "us-east-1b"],
      createInternetGateway: false,
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: "Isolated",
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
        },
      ],
    });

    // create new internet gateway
    const igw = new ec2.CfnInternetGateway(this, "IGW", {
      tags: [{ key: "Name", value: "new IGW" }],
    });

    // attach the gateway to vpc
    new ec2.CfnVPCGatewayAttachment(this, "VPCGW", {
      vpcId: vpc.vpcId,
      internetGatewayId: igw.ref,
    });
  }
}

@ykethan
Contributor

ykethan commented Apr 8, 2025

Attaching an internet gateway does not mean the subnets can automatically route to it; each subnet must be explicitly configured with routes to use the internet gateway. Off the top of my head, as a potential improvement we could update the existing behavior to the following:

/**
 * Creates and attaches an Internet Gateway to the VPC if requested.
 * (allowOutbound is the value computed earlier in vpc.ts from the
 * subnet configuration, unchanged.)
 */
const createInternetGateway = props.createInternetGateway ?? true;
// Declared outside the block so the routing step below can depend on it
let att: CfnVPCGatewayAttachment | undefined;
if (createInternetGateway) {
  const igw = new CfnInternetGateway(this, 'IGW', {
    tags: [{ key: 'Name', value: 'VPC IGW' }],
  });

  this.internetGatewayId = igw.ref;
  this._internetConnectivityEstablished.add(igw);

  // Attach the IGW to the VPC
  att = new CfnVPCGatewayAttachment(this, 'VPCGW', {
    internetGatewayId: igw.ref,
    vpcId: this.resource.ref,
  });
}

/**
 * Configure subnet routing separately from IGW creation.
 * This maintains the existing behavior where only public subnets
 * get routes to the IGW.
 */
if (allowOutbound) {
  this.publicSubnets.forEach(publicSubnet => {
    if (this.internetGatewayId && att) {
      if (this.useIpv4) {
        publicSubnet.addDefaultInternetRoute(this.internetGatewayId, att);
      }
      if (this.useIpv6) {
        publicSubnet.addIpv6DefaultInternetRoute(this.internetGatewayId);
      }
    }
  });
}

but will let the team further dive deeper into this.
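The two comments above make one point worth checking after every synth: with the workaround the VPC gets an attached Internet Gateway, but an isolated subnet only becomes reachable from the internet if its route table gains a route through that gateway. The following is an added example, not code from this issue or from aws-cdk-lib, that walks a CloudFormation template and reports which IGWs are attached and which subnets have any route via an IGW. It would normally be run over cdk.out/<Stack>.template.json; here a constructed template modelled on the resources the workaround synthesizes is embedded (logical ids such as `IsolatedSubnet1` and `VPCGW` are illustrative, not CDK's generated names) so it runs offline, once as the workaround posted and once with a stray default route added to show what the check flags.

```typescript
// Added example (not from the issue or aws-cdk-lib): post-synth check that an
// IGW is attached while no subnet's route table routes through it.
type CfnRef = { Ref: string };
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

const isRef = (v: unknown): v is CfnRef =>
  typeof v === "object" && v !== null && typeof (v as CfnRef).Ref === "string";

interface IgwReport {
  attachedIgws: string[];        // IGW logical ids that have an AWS::EC2::VPCGatewayAttachment
  subnetsRoutingToIgw: string[]; // subnets whose route table carries any route via an IGW
}

function checkIgwExposure(template: CfnTemplate): IgwReport {
  const res = template.Resources;
  const all = Object.values(res);
  const igws = new Set(Object.keys(res).filter(id => res[id].Type === "AWS::EC2::InternetGateway"));

  // An IGW only matters once it is attached to the VPC.
  const attachedIgws = Array.from(igws).filter(igw =>
    all.some(r => r.Type === "AWS::EC2::VPCGatewayAttachment" &&
      isRef(r.Properties?.InternetGatewayId) && r.Properties?.InternetGatewayId.Ref === igw));

  // Route tables that carry at least one route whose target is an IGW.
  const igwRouteTables = new Set<string>();
  for (const r of all) {
    if (r.Type !== "AWS::EC2::Route") continue;
    const gw = r.Properties?.GatewayId, rt = r.Properties?.RouteTableId;
    if (isRef(gw) && igws.has(gw.Ref) && isRef(rt)) igwRouteTables.add(rt.Ref);
  }

  // Subnets associated with such a route table are the ones that can reach the IGW.
  const subnetsRoutingToIgw: string[] = [];
  for (const r of all) {
    if (r.Type !== "AWS::EC2::SubnetRouteTableAssociation") continue;
    const rt = r.Properties?.RouteTableId, sn = r.Properties?.SubnetId;
    if (isRef(rt) && igwRouteTables.has(rt.Ref) && isRef(sn)) subnetsRoutingToIgw.push(sn.Ref);
  }
  return { attachedIgws, subnetsRoutingToIgw: subnetsRoutingToIgw.sort() };
}

// Constructed sample (illustrative logical ids): the resource shapes the workaround
// synthesizes, with two PRIVATE_ISOLATED subnets, a separately created IGW and its
// attachment. With addStrayRoute the sample also contains the 0.0.0.0/0 route that
// an isolated subnet must never receive.
function sampleTemplate(addStrayRoute: boolean): CfnTemplate {
  const r: Record<string, CfnResource> = {
    VPC: { Type: "AWS::EC2::VPC", Properties: { CidrBlock: "10.0.0.0/16" } },
    IGW: { Type: "AWS::EC2::InternetGateway" },
    VPCGW: { Type: "AWS::EC2::VPCGatewayAttachment",
             Properties: { VpcId: { Ref: "VPC" }, InternetGatewayId: { Ref: "IGW" } } },
  };
  ["IsolatedSubnet1", "IsolatedSubnet2"].forEach((id, i) => {
    r[id] = { Type: "AWS::EC2::Subnet",
              Properties: { VpcId: { Ref: "VPC" }, CidrBlock: `10.0.${i}.0/24` } };
    r[`${id}RouteTable`] = { Type: "AWS::EC2::RouteTable", Properties: { VpcId: { Ref: "VPC" } } };
    r[`${id}Association`] = { Type: "AWS::EC2::SubnetRouteTableAssociation",
      Properties: { SubnetId: { Ref: id }, RouteTableId: { Ref: `${id}RouteTable` } } };
  });
  if (addStrayRoute) {
    r.IsolatedSubnet1DefaultRoute = { Type: "AWS::EC2::Route", Properties: {
      RouteTableId: { Ref: "IsolatedSubnet1RouteTable" },
      DestinationCidrBlock: "0.0.0.0/0", GatewayId: { Ref: "IGW" } } };
  }
  return { Resources: r };
}

// Workaround as posted: IGW attached, no subnet routes through it.
console.log(checkIgwExposure(sampleTemplate(false)));
// Same VPC with a stray default route: the check names the exposed subnet.
console.log(checkIgwExposure(sampleTemplate(true)));
```

On a real stack, read the synthesized template with `JSON.parse` and pass it to `checkIgwExposure`; an empty `subnetsRoutingToIgw` together with a non-empty `attachedIgws` is the state the CloudFront VPC origin use case needs. The same invariant can be pinned in a CDK unit test with `Template.fromStack(stack).resourceCountIs("AWS::EC2::Route", 0)` and `resourceCountIs("AWS::EC2::VPCGatewayAttachment", 1)` from aws-cdk-lib/assertions, which catches a future change such as the proposed refactor starting to add routes for isolated subnets.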

@ykethan ykethan added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Apr 8, 2025
@ykethan ykethan removed their assignment Apr 8, 2025