(aws-ec2): Vpc creates EgressOnlyInternetGateway without private subnets #30981

Open
danilobuerger opened this issue Jul 30, 2024 · 1 comment
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

Contributor

danilobuerger commented Jul 30, 2024

Describe the bug

When creating a Dual Stack VPC, an EgressOnlyInternetGateway is created even if there are no private subnets. This comes from a faulty condition in vpc.ts:

if (this.useIpv6 && this.privateSubnets) {
  const eigw = new CfnEgressOnlyInternetGateway(this, 'EIGW6', {
    vpcId: this.vpcId,
  });

this.privateSubnets check will also evaluate to true on empty arrays.

Expected Behavior

No EgressOnlyInternetGateway is created without private subnets

Current Behavior

EgressOnlyInternetGateway is created without private subnets

Reproduction Steps

new Vpc(this, "Vpc", {
  ipProtocol: IpProtocol.DUAL_STACK,
  subnetConfiguration: [
    {
      subnetType: SubnetType.PUBLIC,
      name: "public",
    },
  ],
});

Possible Solution

Check the length:

this.privateSubnets.length > 0

Additional Information/Context

No response

CDK CLI Version

2.150.0 (build 3f93027)

Framework Version

No response

Node.js Version

v22.5.1

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

@danilobuerger danilobuerger added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 30, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jul 30, 2024
@khushail khushail self-assigned this Jul 30, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Jul 30, 2024
Contributor

khushail commented Jul 30, 2024

@danilobuerger, thanks for reporting this. I am able to repro this with the default VPC with public subnets.

I see this is mentioned in the CDK EC2 Docs and Amazon Docs as well, which is a requirement for creating an EgressOnlyInternetGateway:

An egress only internet gateway will be created for PRIVATE_WITH_EGRESS subnets, and IPv6 routes will be added for IGWs and EIGWs.

The PR that caused this change:

if (this.useIpv6 && this.privateSubnets) {
  const eigw = new CfnEgressOnlyInternetGateway(this, 'EIGW6', {
    vpcId: this.vpcId,
  });

You can also remove the gateway using vpc.node.tryRemoveChild('EIGW6')

@khushail khushail added p1 effort/small Small work item – less than a day of effort p2 and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. p1 labels Jul 30, 2024
@khushail khushail removed their assignment Jul 31, 2024
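
A check that could be run on a synthesized template to catch the behaviour reported in this issue, as an added example that is not part of the thread or of aws-cdk: it lists egress-only internet gateways that no AWS::EC2::Route references. The type and function names and both templates (including their logical IDs) are constructed for illustration.

```typescript
// Added example, not aws-cdk code: list egress-only internet gateways in a
// synthesized CloudFormation template that no AWS::EC2::Route points at.
type TemplateResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, TemplateResource> };

// Collect logical IDs referenced through { Ref } or { 'Fn::GetAtt': [id, attr] }.
function collectRefs(value: unknown, out: string[]): void {
  if (Array.isArray(value)) {
    value.forEach((v) => collectRefs(v, out));
  } else if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    const ref = obj['Ref'];
    const getAtt = obj['Fn::GetAtt'];
    if (typeof ref === 'string') out.push(ref);
    if (Array.isArray(getAtt) && typeof getAtt[0] === 'string') out.push(getAtt[0]);
    Object.keys(obj).forEach((k) => collectRefs(obj[k], out));
  }
}

// Returns the logical IDs of gateways that are declared but never routed to.
function unusedEgressOnlyGateways(template: CfnTemplate): string[] {
  const routed: string[] = [];
  const gateways: string[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type === 'AWS::EC2::EgressOnlyInternetGateway') gateways.push(id);
    if (res.Type === 'AWS::EC2::Route' && res.Properties) {
      collectRefs(res.Properties['EgressOnlyInternetGatewayId'], routed);
    }
  }
  return gateways.filter((id) => routed.indexOf(id) === -1);
}

// Constructed templates; the logical IDs are made up for the example.
const publicOnly: CfnTemplate = {
  Resources: {
    Vpc: { Type: 'AWS::EC2::VPC', Properties: { CidrBlock: '10.0.0.0/16' } },
    VpcEIGW6: { Type: 'AWS::EC2::EgressOnlyInternetGateway', Properties: { VpcId: { Ref: 'Vpc' } } },
  },
};
const withPrivate: CfnTemplate = {
  Resources: {
    ...publicOnly.Resources,
    PrivateDefaultRoute6: {
      Type: 'AWS::EC2::Route',
      Properties: { DestinationIpv6CidrBlock: '::/0', EgressOnlyInternetGatewayId: { Ref: 'VpcEIGW6' } },
    },
  },
};
console.log(unusedEgressOnlyGateways(publicOnly), unusedEgressOnlyGateways(withPrivate));
```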