aws-ecs-patterns: Cannot create a public/private LoadBalancedFargateService in a VPC with multiple public/private subnets

[realharry]

• I'm submitting a ...

  • 🪲 bug report
  • 🚀 feature request
  • 📚 construct library gap
  • ☎️ security issue or vulnerability => Please see policy
  • ❓ support request => Please see note at the top of this template.

• What is the current behavior?
  If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce

Create a vpc with multiple subnets, and try to create a LoadBalancedFargateService. For example,

    const cluster = new ecs.Cluster(this, id, {
      clusterName: id,
      vpc: this.vpc
    });
    const props: ecsPatterns.LoadBalancedFargateServiceProps = {
      cluster: cluster,
      image: ecs.ContainerImage.fromRegistry(registryId),
      cpu: 1024,
      memoryLimitMiB: 4096,
      desiredCount: 2,
      domainName,
      publicLoadBalancer: false,
      certificate,
      containerPort: 443,
      loadBalancerType: LoadBalancerType.APPLICATION,
    }
    const service = new ecsPatterns.LoadBalancedFargateService(this, 'service1', props);

When doing cdk deploy, I get the following error:

  5/52 | 9:23:49 AM | CREATE_FAILED        | AWS::ElasticLoadBalancingV2::LoadBalancer | data-api/LB (dataapiLB703DBC99) A load balancer cannot be attached to multiple subnets in the same Availability Zone (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: 90d4d7f2-bd1d-11e9-8000-cf0aab00dd3e)
	new BaseLoadBalancer (/Users/harry/Projects/devops/deploy/rbi5-main/node_modules/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts:137:22)
	\_ new NetworkLoadBalancer (/Users/harry/Projects/devops/deploy/rbi5-main/node_modules/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts:77:5)
	\_ new LoadBalancedServiceBase (/Users/harry/Projects/devops/deploy/rbi5-main/node_modules/@aws-cdk/aws-ecs-patterns/lib/base/load-balanced-service-base.ts:203:27)
	\_ new LoadBalancedFargateService (/Users/harry/Projects/devops/deploy/rbi5-main/node_modules/@aws-cdk/aws-ecs-patterns/lib/fargate/load-balanced-fargate-service.ts:61:5)
	\_ Rbi5MainStack.createPrivateFargateService (/Users/harry/Projects/devops/deploy/rbi5-main/lib/rbi5-main-stack.ts:142:21)
	\_ Rbi5MainStack.init (/Users/harry/Projects/devops/deploy/rbi5-main/lib/rbi5-main-stack.ts:66:28)
	\_ new Rbi5MainStack (/Users/harry/Projects/devops/deploy/rbi5-main/lib/rbi5-main-stack.ts:59:10)
	\_ Object.<anonymous> (/Users/harry/Projects/devops/deploy/rbi5-main/bin/rbi5-main.ts:18:1)
	\_ Module._compile (internal/modules/cjs/loader.js:701:30)
	\_ Module.m._compile (/Users/harry/Projects/devops/deploy/rbi5-main/node_modules/ts-node/src/index.ts:473:23)
	\_ Module._extensions..js (internal/modules/cjs/loader.js:712:10)
	\_ Object.require.extensions.(anonymous function) [as .ts] (/Users/harry/Projects/devops/deploy/rbi5-main/node_modules/ts-node/src/index.ts:476:12)
	\_ Module.load (internal/modules/cjs/loader.js:600:32)
	\_ tryModuleLoad (internal/modules/cjs/loader.js:539:12)
	\_ Function.Module._load (internal/modules/cjs/loader.js:531:3)
	\_ Function.Module.runMain (internal/modules/cjs/loader.js:754:12)
	\_ Object.<anonymous> (/Users/harry/Projects/devops/deploy/rbi5-main/node_modules/ts-node/src/bin.ts:158:12)
	\_ Module._compile (internal/modules/cjs/loader.js:701:30)
	\_ Object.Module._extensions..js (internal/modules/cjs/loader.js:712:10)
	\_ Module.load (internal/modules/cjs/loader.js:600:32)
	\_ tryModuleLoad (internal/modules/cjs/loader.js:539:12)
	\_ Function.Module._load (internal/modules/cjs/loader.js:531:3)
	\_ Function.Module.runMain (internal/modules/cjs/loader.js:754:12)
	\_ findNodeScript.then.existing (/usr/local/lib/node_modules/npm/node_modules/libnpx/index.js:268:14)

• What is the expected behavior (or behavior of feature suggested)?

It should work.

• What is the motivation / use case for changing the behavior or adding this feature?

I'd like to use high-level ecsPatterns constructs.

• Please tell us about your environment:

  • CDK CLI Version: 1.3.0 (build bba9914)
  • Module Version: 1.3.0
  • OS: OSX Mojave
  • Language: TypeScript

• Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

Related tickets:

• VpcPlacement: allow picking subset of subnets #1577
• Subnet selection returns more than one per AZ #3126

[piradeepk]

@realharry can you add what your vpc definition looks like? (appropriately redacted - remove any confidential info, such as account IDs or internal project names, etc.)

[piradeepk]

I was able to successfully create a stack using:

const vpc = new ec2.Vpc(stack, 'MyVpc', { maxAzs: 2  });
const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });

new ecs_patterns.LoadBalancedFargateService(stack, "FargateService", {
  cluster,
  image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
  cpu: 1024,
  memoryLimitMiB: 4096,
  desiredCount: 2,
  publicLoadBalancer: false,
  containerPort: 443,
  loadBalancerType: LoadBalancerType.APPLICATION,
});

[realharry]

Hi @pkandasamy91 Yes, it does work in some cases. As you can see from my repeatedly updated title :) I couldn't figure out/pinpoint what exactly was causing the failure. Here's my VPC setup:

  private createVpc = (id: string, cidr: string): ec2.Vpc => {
    const vpc = new ec2.Vpc(this, id, {
      cidr,
      maxAzs: 2,
      enableDnsSupport: true,
      enableDnsHostnames: true,
      subnetConfiguration: [
        {
          cidrMask: 22,
          name: 'Frontend',
          subnetType: ec2.SubnetType.PUBLIC,
        },
        {
          cidrMask: 22,
          name: 'Backend',
          subnetType: ec2.SubnetType.PRIVATE,
        },
        {
          cidrMask: 26,
          name: 'Vpn',
          subnetType: ec2.SubnetType.PRIVATE,
        },
        {
          cidrMask: 26,
          name: 'Database',
          subnetType: ec2.SubnetType.ISOLATED,
        }
      ],
    });
    return vpc;
  };

where cider range is, for example, 10.1.0.0/16.

Thanks!

[realharry]

I create a cluster as follows, if relevant:

this.vpc = ec2.Vpc.fromLookup(this, vpcId, { vpcId });

private createFargateCluster = (id: string): ecs.Cluster => {
  const cluster = new ecs.Cluster(this, id, {
    clusterName: id,
    vpc: this.vpc
  });
  return cluster;
};

This is in a separate stack from VPC. (that is, an existing vpc stack is used when we create fargate clusters.)

[realharry]

OK, I figured out. It turns out you cannot create a LoadBalancedFargateService with publicLoadBalancer = true if there are more than one public subnets. Likewise, you cannot create a LoadBalancedFargateService with publicLoadBalancer = false if there are more than one private subnets.

Updated the issue title accordingly.

[sonofachamp]

Hey @realharry, thanks for updating the issue.

When setting the publicLoadBalancer flag, the LoadBalancedFargateService construct will use it to determine whether the load balancer will point to the PUBLIC or PRIVATE subnets within the VPC.

An application load balancer can point to multiple PUBLIC or PRIVATE subnets within a VPC, but the subnets cannot be in the same availability zone. There is a limit of 1 subnet per availability zone per load balancer.

With the provided VPC subnetConfiguration above, setting publicLoadBalancer to false the load balancer will try to point to all of the PRIVATE subnets defined in the VPC which exceeds the limit of 1 subnet per availability zone per load balancer.

[realharry]

Hi @sonofachamp thanks for the update/confirmation. I think that the CDK API, e.g., LoadBalancedFargateService, providing a way to select particular subnets for the ELB can solve this issue.

[sonofachamp]

@realharry I've opened a separate issue to track that as a feature request as we determine the best way to expose that configuration.