aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws-ec2): Vpc creates EgressOnlyInternetGateway without private subnets #30981

Open danilobuerger opened 1 month ago

danilobuerger commented 1 month ago

Describe the bug

When creating a Dual Stack VPC, an EgressOnlyInternetGateway is created even if there are no private subnets. This comes from a faulty condition in vpc.ts:

https://github.com/aws/aws-cdk/blob/3f930279513b0f168333c6f6038b8ad81b99b7e1/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts#L1644-L1647

this.privateSubnets check will also evaluate to true on empty arrays.

Expected Behavior

No EgressOnlyInternetGateway is created without private subnets

Current Behavior

EgressOnlyInternetGateway is created without private subnets

Reproduction Steps

import { IpProtocol, SubnetType, Vpc } from "aws-cdk-lib/aws-ec2";

// Dual-stack VPC with only a public subnet: no PRIVATE_WITH_EGRESS subnet,
// yet an EgressOnlyInternetGateway is still synthesized.
new Vpc(this, "Vpc", {
  ipProtocol: IpProtocol.DUAL_STACK,
  subnetConfiguration: [
    {
      subnetType: SubnetType.PUBLIC,
      name: "public",
    },
  ],
});

Possible Solution

Check the length:

this.privateSubnets.length > 0

Additional Information/Context

No response

CDK CLI Version

2.150.0 (build 3f93027)

Framework Version

No response

Node.js Version

v22.5.1

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response
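The truthiness mistake behind this report, and a guardrail that catches its symptom, as an added example that is not code from the issue or from aws-cdk-lib. It models the vpc.ts condition with plain arrays and audits a constructed CloudFormation template (the shape `cdk synth` emits) for an EgressOnlyInternetGateway that no AWS::EC2::Route references; the logical ids, CIDRs and property values are assumed.

```typescript
// Minimal shape of a synthesized CloudFormation template (constructed, not CDK types).
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

// The condition as reported: a non-null array is truthy even when it is empty.
function eigwWantedBuggy(privateSubnets: unknown[]): boolean {
  return !!privateSubnets;
}

// The fix proposed in the issue: test the length instead of the reference.
function eigwWantedFixed(privateSubnets: unknown[]): boolean {
  return privateSubnets.length > 0;
}

// Logical ids of EgressOnlyInternetGateways that no route in the template uses.
// An orphan EIGW is exactly what the public-only dual-stack VPC produces.
function orphanEigws(t: CfnTemplate): string[] {
  const eigws = Object.entries(t.Resources)
    .filter(([, r]) => r.Type === "AWS::EC2::EgressOnlyInternetGateway")
    .map(([id]) => id);
  const referenced = new Set<string>();
  for (const r of Object.values(t.Resources)) {
    if (r.Type !== "AWS::EC2::Route") continue;
    const ref = r.Properties?.EgressOnlyInternetGatewayId as { Ref?: string } | undefined;
    if (ref?.Ref) referenced.add(ref.Ref);
  }
  return eigws.filter((id) => !referenced.has(id));
}

// Constructed template mimicking the public-only dual-stack VPC from the report
// (logical ids assumed; CDK's child id for the gateway is "EIGW6").
const publicOnlyTemplate: CfnTemplate = {
  Resources: {
    Vpc: { Type: "AWS::EC2::VPC", Properties: { CidrBlock: "10.0.0.0/16" } },
    VpcEIGW6: { Type: "AWS::EC2::EgressOnlyInternetGateway", Properties: { VpcId: { Ref: "Vpc" } } },
  },
};

// The same VPC once a PRIVATE_WITH_EGRESS subnet route actually uses the gateway.
const withPrivateTemplate: CfnTemplate = {
  Resources: {
    ...publicOnlyTemplate.Resources,
    PrivateRT: { Type: "AWS::EC2::RouteTable", Properties: { VpcId: { Ref: "Vpc" } } },
    PrivateRouteV6: {
      Type: "AWS::EC2::Route",
      Properties: { RouteTableId: { Ref: "PrivateRT" }, DestinationIpv6CidrBlock: "::/0", EgressOnlyInternetGatewayId: { Ref: "VpcEIGW6" } },
    },
  },
};
```

Running `orphanEigws` over a real `cdk synth` output in a unit test gives a regression check that fails on the reported behaviour and passes once the length check is in place.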

khushail commented 1 month ago

@danilobuerger , thanks for reporting this. I am able to repro this with default VPC with public subnets.

I see this is mentioned in the CDK EC2 Docs and Amazon Docs as well, which is a requirement for creating EgressOnlyInternetGateway -

An egress only internet gateway will be created for PRIVATE_WITH_EGRESS subnets, and IPv6 routes will be added for IGWs and EIGWs.

The PR that caused this change- https://github.com/aws/aws-cdk/blob/3f930279513b0f168333c6f6038b8ad81b99b7e1/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts#L1644-L1647

You can also remove the gateway using vpc.node.tryRemoveChild('EIGW6')