Subnet selection returns more than one per AZ

[pagameba]

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

• I'm submitting a ...

  • 🪲 bug report
  • 🚀 feature request
  • 📚 construct library gap
  • ☎️ security issue or vulnerability => Please see policy
  • ❓ support request => Please see note at the top of this template.

• What is the current behavior?
  If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce

Creation of an ALB is failing with an error that it is getting more than one subnet per AZ.

A load balancer cannot be attached to multiple subnets in the same Availability Zone (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: InvalidConfigurationRequest;

code to reproduce:

      const vpcId = "vpc-xxxxxx";

      const vpc = ec2.Vpc.fromLookup(this, "Vpc", { vpcId: vpcId });

      const alb = new elbv2.ApplicationLoadBalancer(this, id + "LoadBalancer", {
        loadBalancerName: id + 'ALB',
        vpc: vpc,
        internetFacing: false,
        vpcSubnets: {subnetType: ec2.SubnetType.PRIVATE, onePerAz: true}
      });

cdk synth shows a long list of subnets.

console.log(vpc.selectSubnets({subnetType: ec2.SubnetType.PRIVATE, onePerAz: true}).availabilityZones outputs

[
  'us-east-1c', 'us-east-1d',
  'us-east-1d', 'us-east-1d',
  'us-east-1d', 'us-east-1d',
  'us-east-1d', 'us-east-1d',
  'us-east-1d', 'us-east-1d',
  'us-east-1e', 'us-east-1e',
  'us-east-1e', 'us-east-1e',
  'us-east-1e', 'us-east-1e',
  'us-east-1e', 'us-east-1e',
  'us-east-1e', 'us-east-1e',
  'us-east-1e', 'us-east-1e',
  'us-east-1e', 'us-east-1e'
]

Having looked at the implementation, it seems that all private subnets retrieved for the VPC have "Private" returned from subnetName() and the implementation of onePerAz simply filters like this:

subnets = subnets.filter(s => subnetName(s) === subnetName(subnets[0]));

so it returns all the subnets, not just one per AZ.

Selecting by subnetName does not actually seem to use the Name shown in the AWS console.

• What is the expected behavior (or behavior of feature suggested)?
  onePerAz: true should return exactly one subnet per AZ.

• What is the motivation / use case for changing the behavior or adding this feature?
  trying to create an ALB inside an existing VPC

• Please tell us about your environment:

  • CDK CLI Version: 0.36.0 (build 6d38487)
  • Module Version: "@aws-cdk/aws-ec2": "^0.36.0"
  • OS: OSX Mojave
  • Language: TypeScript

• Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

[yangas]

I'm hitting the same issue though tied to the codebuild resource. I'm currently using an existing VPC with ~40 subnets in it and need the onePerAz to avoid hitting limit on resources being attached.

Code used:

const vpc = ec2.Vpc.fromLookup(this, 'VPC', {
	vpcName: 'xxxxxx',
	isDefault: false
});

new codebuild.Project(this, 'ecs-ami-creator', {
	buildSpec: codebuild.BuildSpec.fromObject(yaml.safeLoad(fs.readFileSync(process.env.PWD + '/lib/buildspec.yml', 'utf8'))),
	subnetSelection: { subnetType: ec2.SubnetType.PRIVATE, onePerAz: true },
	vpc: vpc
});

Error Encountered:

Invalid vpc config: the maximum number of subnets is 16 (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException; Request ID: xxxx)

Environment:

• CDK CLI Version: 0.37.0 (build c4bdb54)
• Module Version: @aws-cdk/aws-ec2@0.36.2
• OS: OSX Mojave
• Language: TypeScript

Other Info:
I've also hit the need to be able to filter by Name, but after digging around at different issues saw that filtering is using aws-cdk:subnet-name.

Questions:

• Is it possible to extend the name tag to also use Name?
• Is it possible to support creating a subnetSelection with custom filtering that has access to the resources tags and allow for manual filtering rules?

[jonnyyu]

It turns out CDK has some assumptions on the subnets. It looks for
these two tags:'aws-cdk:subnet-type' and 'aws-cdk:subnet-name' on each subnet.

The 'aws-cdk:subnet-type' tag is optional, as CDK will try to guess if a subnet is public if the assign public address on launch is enabled. But the guess seems not working for me, the public subnets also treated as private. As a workaround, I set this tag with value 'Public' just for the public subnets.

The 'aws-cdk:subnet-name' tag is not the name of the subnet, it's actually a group name for the same function subnet on all AZ. For example:
If you have subnet names with AZ embeded 'app_az1', 'app_az2', 'app_az3'. Their 'aws-cdk:subnet-name' tag value should be 'app'.

with all these assumptions, the code below now makes sense, because it is trying to get one for that group 😭

subnets = subnets.filter(s => subnetName(s) === subnetName(subnets[0]));

also you probably need cdk context --clear after you updated the tags, cdk cache the values in cdk.context.json

[giovannidegani]

Facing the same issue with the latest CDK, onePerAz does not work as expected, in my case are subnets in a VPC that were created by a central team and thus not managed by CDK.

[angusfz]

Same issue here.
Creating internal ALB with imported VPC which has multiple private subnets in the same AZ, but onePerAz return all subnets.
This will interrupt CDK deploy and return error as below

A load balancer cannot be attached to multiple subnets in the same Availability Zone

Here is the workaround and any suggestion will be appreciated.

    // Import Vpc
    const vpc = ec2.Vpc.fromLookup(this, 'VPC', { vpcName: 'EXISTED_VPC_NAME' });

    // Handle one subnet per AZ
    const subnets: ISubnet[] = [] as ISubnet[];
    vpc.privateSubnets.forEach(subnet => {
      if (subnets.length == 0) {
        subnets.push(subnet);
      } else if (
        subnets.length < 2 &&
        subnets.find(v => {
          if (v.availabilityZone == subnet.availabilityZone) {
            return false;
          }
          return true;
        })
      ) {
        subnets.push(subnet);
      }
    });

    // ALB
    const applicationLoadBalancer = new ApplicationLoadBalancer(tagGroup, 'applicationLoadBalancer', {
      vpc,
      internetFacing: false,
      //vpcSubnets: vpc.selectSubnets({ onePerAz: true})
      vpcSubnets: vpc.selectSubnets({ subnets })
    });

[sarbajitdutta]

I have the same issue it seems onePerAz is not being honored.

//Shared public Application Load balancer
        final ApplicationLoadBalancer appdevEcsALB = new ApplicationLoadBalancer(this, "appdevEcsALB", ApplicationLoadBalancerProps.builder()
            .vpc(vpc)
            .vpcSubnets(SubnetSelection.builder()
                .onePerAz(true)
                .subnetType(SubnetType.PRIVATE)
                .build())
            .deletionProtection(false)
            .idleTimeout(Duration.seconds(60))
            .http2Enabled(true)
            .internetFacing(false)
            .ipAddressType(IpAddressType.IPV4)
            .loadBalancerName("appdev-cdk-ecs-alb")
            .securityGroup(albSg)
            .build());

3:29:40 PM | CREATE_FAILED        | AWS::ElasticLoadBalancingV2::LoadBalancer     | cbtApiDevFargateService/LB
A load balancer cannot be attached to multiple subnets in the same Availability Zone (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: 5a57111a-2611
-4b98-b0bc-baf10615a4a8; Proxy: null)

[lloiacono]

Why is this issue closed? I'm running the latest version of CDK 1.133.0 (build 2dea31a) (as of writing) and I'm still getting the issue.

[emmanuelnk]

I'm also hitting this issue -- I think this should be re-opened. CDK does not honor onePerAZ

[Anonyfox]

happens for me too, using CDK 2.22 (lib + bin)

[bugb]

it happens sometimes for me too!

[hardcode83]

Hi guys,

I am using ecsPatterns.NetworkLoadBalancedFargateService with a vpc imported with vpc lookup and I am having the same problem yet.

AWS::ElasticLoadBalancingV2::LoadBalancer | staging/gd-billing/LB (staginggdbillingLB6A0E60DF) A load balancer cannot be attached to multiple subnets in the same Availability Zone (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: 303a030b-0ec7-4dbd-afe1-195b3089c529; Proxy: null)

PS C:\pod\repos\cdk-ecs-networkloadbalancer> cdk --version
2.38.1 (build a5ced21)

Any fix for the problem?

[rremanan-bwi]

subnet-name

This didnt work for me, I added a tag 'subnet-name' with same name for 3 subnets in 3 az, but didnt work

[hardcode83]

@rix0rrr Apologies for the noise...

Here my last try for filter the subnets: result the same problem. cloudformation generate all subnets (with the problem of two in the same AZ):

export class EcsNetworkFargate extends Construct {
constructor(scope: Construct, id: string, props: EcsNetworkFargateProps) {
super(scope, id);
const repo = Repository.fromRepositoryArn(this, "repo", props.arnRepo)
const vpc = ec2.Vpc.fromLookup(this, "VPC", {
vpcId: props.vpcId
})
const publicSubnets = vpc.publicSubnets;
const arrayIds = props.subnets;
const subnetFiltered = publicSubnets.filter(x => {
arrayIds.includes(x.subnetId)
});

const loadBalancedFargateService = new ecsPatterns.NetworkLoadBalancedFargateService(this, 'gd-billing', {
vpc: vpc,

  assignPublicIp: props.assignPublicIp,
  taskSubnets:    subnets: subnetFiltered
  }

....

I dont know why, but its imposible filter the subnets.

Thx in advance everyone.

[madeline-k]

Re-opening this issue, looks like several people still hit the bug after the fix was released. Apologies to everyone that we didn't see this sooner; visibility on closed issues is very limited. For future reference, opening a new issue is a much better way to raise that a closed bug is still occurring.

[yibrahim-deloitte]

Currently facing this issue as well.

[corymhall]

Can someone that is still experiencing this issue provide a reproducible example using the latest version of the CDK?

[mohitanchlia]

@corymhall

I get this error when running https://github.com/aws-samples/amazon-sagemaker-mlflow-fargate/blob/main/app.py I have a VPC with multiple subnets in an AZ

11:00:57 AM | CREATE_FAILED | AWS::ElasticLoadBalancingV2::LoadBalancer | MLFLO7B85C32A
A load balancer cannot be attached to multiple subnets in the same Availability Zone (Service: AmazonElasticLoadBalancing; Status Code: 400; Error Code: InvalidConfigurationRequest;
Request ID: 4d0a8d42-28d0-88efea76e961; Proxy: null)

[corymhall]

@mohitanchlia are you running that example as is or are you modifying it to import a VPC instead of using the VPC that it is creating? If you are modifying it to import a VPC can you provide the CDK config that created the VPC?

[corymhall]

@mohitanchlia @yibrahim-deloitte @hardcode83 In order for us to reproduce this issue we need a complete example that includes the VPC configuration that created the VPC (not just the imported VPC).

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[ryan-strandt]

@mohitanchlia are you running that example as is or are you modifying it to import a VPC instead of using the VPC that it is creating? If you are modifying it to import a VPC can you provide the CDK config that created the VPC?

Selecting by subnetName does not actually seem to use the Name shown in the AWS console.

What is the expected behavior (or behavior of feature suggested)?
onePerAz: true should return exactly one subnet per AZ.

What is the motivation / use case for changing the behavior or adding this feature?
trying to create an NLB inside an existing VPC

Please tell us about your environment:

CDK CLI Version: 2.154.1
OS: Github Actions
Ubuntu - 22.0
Language: Python

I am facing similar issue with the following

        lb = elbv2.NetworkLoadBalancer(
            self,
            "DBServerlessNLB",
            vpc=vpc,
            enforce_security_group_inbound_rules_on_private_link_traffic=False,
            internet_facing=False,
            security_groups=[nlb_security_group],
            vpc_subnets=ec2.SubnetSelection(
                one_per_az=True, availability_zones=["us-east-2a","us-east-2b","us-east-2c"]
            ),
        )

SubnetSelection is returning 2 subnets from us-east-2c and 1 from us-east-2b.