-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(aws-ec2): Why are NAT gateways required for private subnets? #15929
Comments
It's a great question. It looks like there has been some question about this since the original implementation: aws-cdk/packages/@aws-cdk/aws-ec2/lib/vpc.ts Lines 2027 to 2028 in 283ed02
It also looks like there was an unaddressed comment on that PR: "Perhaps provide the rationale for this in the error message or an accompanying link to an issue or doc". While I think it's likely that in the most common scenario, this check makes sense, I can also see infrastructure setups where it doesn't. Given that there's no work-around here (short of using some rather ugly escape hatches), I'm re-labelling this as a P1 bug. We welcome community contributions! If you are able, we encourage you to contribute the bug fix. I think it's safe to just remove this check (and associated test(s)). |
This is what I find interesting/confusing: Referencing that comment above: The thing is, that code check does the opposite of this: it requires there to be a NAT Gateway if there are private subnets, which makes no sense. My ultimate concern here is that people new to AWS might mistakenly think the NAT Gateway is required (and potentially 3 of them!), costing roughly $90/mo for no reason. Totally happy to open a PR and remove that check! I've already done so in my local Sidebar: The concept of "isolated" subnets is not a thing, if I'm not mistaken. There are only private (not in the route table, connected to an IGW) or public. Seems like in the context of CDK, "isolated" means a private subnet that isn't connected to the external Internet in any way, and "private" means a private subnet that will go into the route table and be connected to a NAT Gateway. IMO (and I know this is maybe controversial), "isolated" should be phased out completely. Reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html Note there's no mention of "isolated subnet." This creates a conceptual rift between CDK & AWS documentation, which could cause confusion as people new to AWS search the docs for info on isolated subnets. My vote would be to align more closely with AWS docs and conventions, therefore:
I'm totally open to hearing any reasons why this may not be a great idea. |
CDK currently has the following conventions:
This is explained pretty much at the top of the EC2 README: https://docs.aws.amazon.com/cdk/api/latest/docs/aws-ec2-readme.html#subnet-types So to answer your original question: why is NAT required for a private subnet? because by definition, a private subnet is one that routes through NAT. As to why your
As explained in https://docs.aws.amazon.com/cdk/api/latest/docs/aws-ec2-readme.html#choosing-subnets-for-resources The default here is somewhat unfortunate: C'lest la vie. This is worth a bug report to the RDS library. As for if it's worth CDK making a distinction between PRIVATE and ISOLATED that EC2 itself does not... that's a fair question. This decision was based on some internal conventions we had inside the organization, but perhaps we should not have done that. Whatever the case, it will be a tough choice to undo with lots of implications and complications, so the upside should be very clearly worth it. |
It seems like CDK conventions & AWS conventions are at odds, which is confusing, because CDK is an Amazon tool. AWS docs state:
(Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html) Having a NAT Gateway is optional. Resources on private subnets may not need to connect to the Internet at all. Another reference to NAT Gateway being optional:
(Source: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) Contrast the above with CDK's docs:
Again, my main concern is for people new to AWS who might mistakenly believe they need a NAT Gateway to use private subnets, and incur high monthly costs. The way CDK is set up and documented is misleading. I did eventually arrive at a solution with the serverless cluster (before I saw your post): vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC }, I'm using the default VPC which doesn't have private subnets, and there doesn't seem to be any security issue with using public subnets, since the RDS endpoint is still unreachable to the outside world. I suppose, to be on the safe side, I should figure out how to just tack on a few private subnets to my existing default VPC and use those instead. |
Early on in the CDK history, a decision was made to delineate between subnets with Internet access (i.e., those with a NAT) and those without. The convention chosen at that time was to label the subnets as `PRIVATE` and `ISOLATED`, respectively. The intent was to make it clear that subnets without a NAT were completely isolated from the broader Internet (unless connected through another subnet). However, this introduction of a new subnet type that does not match EC2 documentation and naming conventions can cause confusion. Most critically, a user may select a `PRIVATE` subnet without realizing that it automatically requires one (or more) NAT gateways. As NAT gateways are not free, this can lead to unintended charges. To realign to the EC2 terminology -- while retaining the existing logic surrounding SubnetTypes -- the existing types of `PRIVATE` and `ISOLATED` are being renamed to `PRIVATE_WITH_NAT` and `PRIVATE_ISOLATED`, respectively. fixes #15929
It's a fair criticism that our concept of |
@njlynch Thanks! I think that's much clearer. And I hope some modifications will be made so that CDK doesn't require NAT gateways in instances where they're not really required. |
…#16348) Early on in the CDK history, a decision was made to delineate between subnets with Internet access (i.e., those with a NAT) and those without. The convention chosen at that time was to label the subnets as `PRIVATE` and `ISOLATED`, respectively. The intent was to make it clear that subnets without a NAT were completely isolated from the broader Internet (unless connected through another subnet). However, this introduction of a new subnet type that does not match EC2 documentation and naming conventions can cause confusion. Most critically, a user may select a `PRIVATE` subnet without realizing that it automatically requires one (or more) NAT gateways. As NAT gateways are not free, this can lead to unintended charges. To realign to the EC2 terminology -- while retaining the existing logic surrounding SubnetTypes -- the existing types of `PRIVATE` and `ISOLATED` are being renamed to `PRIVATE_WITH_NAT` and `PRIVATE_ISOLATED`, respectively. fixes #15929 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
…aws#16348) Early on in the CDK history, a decision was made to delineate between subnets with Internet access (i.e., those with a NAT) and those without. The convention chosen at that time was to label the subnets as `PRIVATE` and `ISOLATED`, respectively. The intent was to make it clear that subnets without a NAT were completely isolated from the broader Internet (unless connected through another subnet). However, this introduction of a new subnet type that does not match EC2 documentation and naming conventions can cause confusion. Most critically, a user may select a `PRIVATE` subnet without realizing that it automatically requires one (or more) NAT gateways. As NAT gateways are not free, this can lead to unintended charges. To realign to the EC2 terminology -- while retaining the existing logic surrounding SubnetTypes -- the existing types of `PRIVATE` and `ISOLATED` are being renamed to `PRIVATE_WITH_NAT` and `PRIVATE_ISOLATED`, respectively. fixes aws#15929 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…aws#16348) Early on in the CDK history, a decision was made to delineate between subnets with Internet access (i.e., those with a NAT) and those without. The convention chosen at that time was to label the subnets as `PRIVATE` and `ISOLATED`, respectively. The intent was to make it clear that subnets without a NAT were completely isolated from the broader Internet (unless connected through another subnet). However, this introduction of a new subnet type that does not match EC2 documentation and naming conventions can cause confusion. Most critically, a user may select a `PRIVATE` subnet without realizing that it automatically requires one (or more) NAT gateways. As NAT gateways are not free, this can lead to unintended charges. To realign to the EC2 terminology -- while retaining the existing logic surrounding SubnetTypes -- the existing types of `PRIVATE` and `ISOLATED` are being renamed to `PRIVATE_WITH_NAT` and `PRIVATE_ISOLATED`, respectively. fixes aws#15929 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
❓ General Issue
The Question
I'm very curious why this check is in place:
aws-cdk/packages/@aws-cdk/aws-ec2/lib/vpc.ts
Lines 2036 to 2039 in 283ed02
NAT gateways are, if I'm not mistaken, only required if resources within your private subnets need to access the Internet through an Internet gateway. In this case, I'm unable to use CDK to create a
ServerlessCluster
, because theSubnetGroup
can't be defined without giving it a VPC with private subnets, which strangely require NAT Gateways. If I try to create aSubnetGroup
using a VPC with public & isolated subnets, it complains and says I need to use private subnets:Error: There are no 'Private' subnet groups in this VPC. Available types: Isolated,Public
The text was updated successfully, but these errors were encountered: