
Cannot create VPC without NAT Gateways #7619

Closed
ivawzh opened this issue Apr 27, 2020 · 4 comments · Fixed by #7772
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments


ivawzh commented Apr 27, 2020

I am trying to create a VPC without NAT Gateways. And I do not need private subnets.

I received the error message There are no 'Private' subnet groups in this VPC. Available types: Isolated,Public when trying to create a new VPC via TypeScript CDK without a Private subnet.

import { Vpc, SubnetType } from '@aws-cdk/aws-ec2';

// Public + Isolated only, no Private subnet group (so no NAT gateway is needed)
this.vpc = new Vpc(this, 'Vpc', {
  cidr: '10.180.0.0/16',
  vpnGateway: false,
  subnetConfiguration: [
    { cidrMask: 23, name: 'Public', subnetType: SubnetType.PUBLIC },
    { cidrMask: 23, name: 'Isolated', subnetType: SubnetType.ISOLATED },
  ]
})

I have also tried a workaround: creating a Private subnet but with the number of NAT Gateways set to 0. Then I received the error message If you do not want NAT gateways (natGateways=0), make sure you don't configure any PRIVATE subnets in 'subnetConfiguration' (make them PUBLIC or ISOLATED instead).

this.vpc = new Vpc(this, 'Vpc', {
  cidr: '10.180.0.0/16',
  vpnGateway: false,
  natGateways: 0,
  natGatewaySubnets: { subnets: [] },
  subnetConfiguration: [
    { cidrMask: 23, name: 'Public', subnetType: SubnetType.PUBLIC },
    { cidrMask: 23, name: 'Private', subnetType: SubnetType.PRIVATE },
    { cidrMask: 23, name: 'Isolated', subnetType: SubnetType.ISOLATED },
  ]
})

I know the second scenario is not a bug. It's just here to show there is no successful workaround I could find.

Environment

  • CLI Version: 1.35.0 (build e0810c8)
  • Framework Version: MacBook Pro (15-inch, 2018)
  • OS: MacOS 10.15.3 (19D76)
  • Language: TypeScript

This is 🐛 Bug Report

@ivawzh ivawzh added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 27, 2020
@jcode-hub

I am not sure if this is helpful and it's not TS, but I am able to create a VPC without a NAT Gateway in Python:

from aws_cdk import aws_ec2 as ec2

# A single PUBLIC subnet group: nothing here needs a NAT gateway
vpc = ec2.Vpc(self, "MainVpc",
    subnet_configuration=[
        ec2.SubnetConfiguration(
            name="public-subnet",
            subnet_type=ec2.SubnetType.PUBLIC,
        )
    ],
)

maybe it's a TS only behaviour


ivawzh commented Apr 28, 2020

Very weird. This error could be something related to the client-side state.

@jcode-hub I tried your suggestion and it works originally. Code:

    this.vpc = new Vpc(this, 'Vpc', {
      subnetConfiguration: [
        { cidrMask: 23, name: 'Public', subnetType: SubnetType.PUBLIC }
      ]
    })

And then I tried to add the missing parts back bit by bit. It was still working when the code was:

    this.vpc = new Vpc(this, 'Vpc', {
      cidr: '11.180.0.0/16',
      vpnGateway: false,
      subnetConfiguration: [
        { cidrMask: 23, name: 'Public', subnetType: SubnetType.PUBLIC },
        { cidrMask: 23, name: 'Isolated', subnetType: SubnetType.ISOLATED },
      ]
    })

And then I tried adding this.vpc.addS3Endpoint('S3Endpoint'). It gave me error There are no 'Private' subnet groups in this VPC. Available types: Isolated,Public.

Then I reset everything back to your minimal version 1. Running cdk deploy again, it throws the error There are no 'Private' subnet groups in this VPC. Available types: Isolated,Public...

BTW is .addS3Endpoint only needed when subnet is private?

@jcode-hub

I can confirm this behaviour and the documentation says:

An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.

I guess a VPC must have a private subnet so that the endpoint can get a private address.


ivawzh commented Apr 28, 2020

I see. You may consider this issue is resolved then. It'd be good to improve the error message though. Thanks heaps 🙂

rix0rrr added a commit that referenced this issue May 4, 2020
Gateway endpoints can't be added to a VPC that doesn't have private
subnets.

Unless indicated otherwise, make the gateway endpoints routable from all
subnets. It'll only be routable from inside the VPC anyway (since
it will have a private IP address).

Fixes #7619.
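To make the two error paths in this thread and the change described in the commit above concrete, here is an added stand-alone TypeScript model (not aws-cdk code; the error strings are copied from the issue, and the `fixed` flag, `selectEndpointSubnets` and `hasNatEgress` names are illustrative assumptions). It reproduces the natGateways=0 check, the pre-fix default that selected only Private subnets for a gateway endpoint, the post-fix default of all subnet groups, and a check that a Public+Isolated VPC with an S3 gateway endpoint has no NAT egress path at all.

```typescript
// Added illustration, not aws-cdk source: a simplified model of the checks
// the thread runs into. Error strings are taken from the issue text.
enum SubnetType { PUBLIC = 'Public', PRIVATE = 'Private', ISOLATED = 'Isolated' }

interface SubnetGroup { name: string; subnetType: SubnetType; cidrMask: number }
interface VpcProps { natGateways?: number; subnetConfiguration: SubnetGroup[] }

// Mirrors the natGateways=0 rule behind the issue's second error message.
function validateVpcProps(props: VpcProps): string | undefined {
  const hasPrivate = props.subnetConfiguration.some(g => g.subnetType === SubnetType.PRIVATE);
  if (props.natGateways === 0 && hasPrivate) {
    return "If you do not want NAT gateways (natGateways=0), make sure you don't configure any " +
      "PRIVATE subnets in 'subnetConfiguration' (make them PUBLIC or ISOLATED instead).";
  }
  return undefined;
}

// Subnet selection for a gateway endpoint. With fixed=false the default is the
// Private group (the behaviour the issue hit); with fixed=true and no explicit
// type, every group gets a route, as the fix commit describes.
function selectEndpointSubnets(
  groups: SubnetGroup[], requested?: SubnetType, fixed = true,
): SubnetGroup[] {
  if (requested === undefined && fixed) return groups;
  const want = requested === undefined ? SubnetType.PRIVATE : requested;
  const chosen = groups.filter(g => g.subnetType === want);
  if (chosen.length === 0) {
    const available = Array.from(new Set(groups.map(g => g.subnetType))).sort().join(',');
    throw new Error(`There are no '${want}' subnet groups in this VPC. Available types: ${available}`);
  }
  return chosen;
}

// True when instances can reach the internet through a NAT gateway. A VPC with
// no Private group and natGateways=0 has none; S3 access from Isolated subnets
// then goes only via the gateway endpoint, which is the least-exposed shape.
function hasNatEgress(props: VpcProps): boolean {
  const nat = props.natGateways === undefined ? 1 : props.natGateways;
  const hasPrivate = props.subnetConfiguration.some(g => g.subnetType === SubnetType.PRIVATE);
  return hasPrivate && nat > 0;
}

// Constructed sample matching the issue's working Public+Isolated layout.
const noNatVpc: VpcProps = {
  natGateways: 0,
  subnetConfiguration: [
    { cidrMask: 23, name: 'Public', subnetType: SubnetType.PUBLIC },
    { cidrMask: 23, name: 'Isolated', subnetType: SubnetType.ISOLATED },
  ],
};
```

Passing an explicit subnet selection (here `SubnetType.ISOLATED`) is the equivalent of giving addS3Endpoint a subnets argument, which is what sidesteps the Private-only default even before the fix.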
@mergify mergify bot closed this as completed in #7772 May 5, 2020
mergify bot pushed a commit that referenced this issue May 5, 2020
karupanerura pushed a commit to karupanerura/aws-cdk that referenced this issue May 7, 2020
@SomayaB SomayaB added @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud and removed package/vpc labels May 27, 2020