ecs-patterns/ApplicationLoadBalancedFargateService fails to deploy in VPC with multiple subnets in same AZ

[fshields]

The ApplicationLoadBalancedFargateService construct (and possibly other related constructs) fails to deploy when there exist multiple public subnets in the same AZ. It appears that the construct selects all public subnets from the provided VPC by default.

Reproduction Steps

I was following the "ECS Example" described at https://docs.aws.amazon.com/cdk/latest/guide/ecs_example.html but utilizing an existing VPC (with 7 pre-existing public subnets) instead of creating a new VPC like the example prescribes.

Error Log

  7/16 | 10:00:14 AM | CREATE_FAILED        | AWS::ElasticLoadBalancingV2::LoadBalancer | DevStack/MyFargateService/LB (MyFargateServiceLBDE830E97) A load balancer cannot be attached to multiple subnets in the same Availability Zone (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: InvalidConfigurationRequest; Request ID: 4915531e-c85f-40f6-93ff-0a899d948d5e)
        new BaseLoadBalancer (/mnt/c/git-repos/atlassian-backup/node_modules/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts:138:22)
        \_ new ApplicationLoadBalancer (/mnt/c/git-repos/atlassian-backup/node_modules/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts:64:5)
        \_ new ApplicationLoadBalancedServiceBase (/mnt/c/git-repos/atlassian-backup/node_modules/@aws-cdk/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts:300:81)
        \_ new ApplicationLoadBalancedFargateService (/mnt/c/git-repos/atlassian-backup/node_modules/@aws-cdk/aws-ecs-patterns/lib/fargate/application-load-balanced-fargate-service.ts:92:5)
        \_ new AtlassianBackupStack (/mnt/c/git-repos/atlassian-backup/lib/atlassian-backup-stack.ts:24:5)
        \_ Object.<anonymous> (/mnt/c/git-repos/atlassian-backup/bin/atlassian-backup.ts:14:15)
        \_ Module._compile (internal/modules/cjs/loader.js:778:30)
        \_ Module.m._compile (/mnt/c/git-repos/atlassian-backup/node_modules/ts-node/src/index.ts:814:23)
        \_ Module._extensions..js (internal/modules/cjs/loader.js:789:10)
        \_ Object.require.extensions.(anonymous function) [as .ts] (/mnt/c/git-repos/atlassian-backup/node_modules/ts-node/src/index.ts:817:12)
        \_ Module.load (internal/modules/cjs/loader.js:653:32)
        \_ tryModuleLoad (internal/modules/cjs/loader.js:593:12)
        \_ Function.Module._load (internal/modules/cjs/loader.js:585:3)
        \_ Function.Module.runMain (internal/modules/cjs/loader.js:831:12)
        \_ main (/mnt/c/git-repos/atlassian-backup/node_modules/ts-node/src/bin.ts:226:14)
        \_ Object.<anonymous> (/mnt/c/git-repos/atlassian-backup/node_modules/ts-node/src/bin.ts:485:3)
        \_ Module._compile (internal/modules/cjs/loader.js:778:30)
        \_ Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
        \_ Module.load (internal/modules/cjs/loader.js:653:32)
        \_ tryModuleLoad (internal/modules/cjs/loader.js:593:12)
        \_ Function.Module._load (internal/modules/cjs/loader.js:585:3)
        \_ Function.Module.runMain (internal/modules/cjs/loader.js:831:12)
        \_ findNodeScript.then.existing (/home/fshields/.nvm/versions/node/v10.18.1/lib/node_modules/npm/node_modules/libnpx/index.js:268:14)

Environment

• CDK Version : 1.21.1 (build 842cc5f)
• Framework Version:
• OS : Debian GNU/Linux 9 (stretch)
• Language : TypeScript 3.7.5

Other

---

This is 🐛 Bug Report

[fshields]

While continuing to troubleshoot this, I discovered that it may be related to #3126

[jdavisp3]

Hitting the same issue here, and the one_per_az argument to SubnetSelection doesn't seem to work either.

[xcrezd]

Workaround

    const albFargetService = new ecsPatterns.ApplicationLoadBalancedFargateService(this, 'Service', {
     ...
    });

    const cfnLoadBalancer = albFargetService.loadBalancer.node.defaultChild as CfnLoadBalancer
    cfnLoadBalancer.subnets = vpc.selectSubnets({ onePerAz: true, subnetType: SubnetType.PUBLIC}).subnetIds

[MisterGlass]

Are there any updates on this? Just ran into this in python, and I can't seem to override the subnets after creation like in the posted TypeScript workaround

[nkolatsis]

The following python work-around uses two approaches. The approach above and a subnet_ids approach. Use it depending on what you have available.

subnet_ids = ['subnet-1234', 'subnet-5678']
alb_fargate_service = ecs_patterns.ApplicationLoadBalancedFargateService(self, .....)

cfn_lb = alb_fargate_service.load_balancer.node.default_child
if not subnet_ids:
    cfn_lb.subnets = vpc.select_subnets(subnet_group_name=subnet_group_name, availability_zones=availability_zones, one_per_az=True).subnet_ids
else:
    cfn_lb.subnets = subnet_ids

[Anonyfox]

with CDK (lib/cli) 2.22 the issue can't be solved with

cfnLoadBalancer.subnets = vpc.selectSubnets({ onePerAz: true, subnetType: ec2.SubnetType.PUBLIC }).subnetIds

because onePerAz does not what it says, leading to CreateService error: subnets can have at most 16 items.

the fix from @nkolatsis also doesn't fix it for me :(

[drobbins-ancile]

Any plans to fix this? It's been open for 3 years.