VPC: Isolated subnets lists subnets that are not isolated

[sassman]

Describe the bug

When iterating over .isolatedSubnets of a given vpc or filtering subnets by .selectSubnets({subnetGroupName: 'Isolated'} I will get mixed results.

Some of the retrieved subnets are isolated, they contain the cdk tags

• aws-cdk:subnet-name: Isolated
• aws-cdk:subnet-type: Isolated

But other results in this list are not Isolated, they e.g. were manually created and contain only one single Name tag that does not contain any phrase of Isolated. Also the Network ACL of this very specifics subnets are not similar to the real isolated subnets.

Expected Behavior

Both ways of retrieving the isolated subnets should retriev only isolated subnets by at least being consistent with filtering the tag aws-cdk:subnet-type: Isolated

let vpc = ec2.Vpc.fromLookup(this, `vpc-${Date.now().toString()}`, {
  vpcId,
});

// way 1
let mixedSubnets = vpc.isolatedSubnets;

// way 2
let mixedSubnets = vpc.selectSubnets({
  subnetGroupName: 'Isolated'
}).subnets;

Current Behavior

It's unclear which criteria are being used to determine a given subnet belongs to the isolated subnet category.

Reproduction Steps

given a vpc id=abc

• create isolated subnets via cdk for abc
• create manual subnets via the aws console for abc

inspect the results of

let vpc = ec2.Vpc.fromLookup(this, `vpc-${Date.now().toString()}`, {
  vpcId: 'abc',
});

// way 1
let mixedSubnets = vpc.isolatedSubnets;

// way 2
let mixedSubnets = vpc.selectSubnets({
  subnetGroupName: 'Isolated'
}).subnets;

Possible Solution

as suggested, cdk should filter the subnets by the 2 tags below having the value Isolated

• aws-cdk:subnet-name
• aws-cdk:subnet-type

otherwise document the criteria on how cdk determines the subnet type.

Additional Information/Context

No response

CDK CLI Version

2.65.0 (build 5862f7a)

Framework Version

No response

Node.js Version

v18.13.0

OS

linux | macos

Language

Typescript

Language Version

"typescript": "4.6.3"

Other information

"aws-cdk": "2.65.0",
"aws-cdk-lib": "2.65.0",
"constructs": "10.1.256",

[pahud]

I would suggest using selectSubnets like this:

    const vpc = getDefaultVpc(this);
    const subnets = vpc.selectSubnets({ subnetType: SubnetType.PRIVATE_ISOLATED, });
    new CfnOutput(this, 'subnets', { value: subnets.subnetIds.join(',')})

But filtering with subnetGroupName works for me too.

Can you check the cdk.context.json and see if the subnets are correctly grouped under correct subnetGroups ?

[sassman]

I've tried this way of filtering as well. It didn't changed anything.

Can we elaborate the criteria on which the categorization is happening?

[pahud]

I believe it is looked up with VpcNetworkContextProviderPlugin and this is how it determines isolated subnets.

Did you see any subnets which you believe are NOT isolated subnets yet categorized as isolated ones in your cdk.context.json ? If yes, why do you think they are not isolated subnets(if any)?