feat(ec2): Add SubnetFilter for CIDR Range

packages/aws-cdk-lib/aws-ec2/README.md

@@ -180,6 +180,7 @@ Which subnets are selected is evaluated as follows:
   * `onePerAz`: chooses at most one subnet per availability zone
   * `containsIpAddresses`: chooses a subnet which contains *any* of the listed ip addresses
   * `byCidrMask`: chooses subnets that have the provided CIDR netmask
+  * `byCidrRanges`: chooses subnets which are inside any of the specified CIDR Ranges
 
 ### Using NAT instances
 

packages/aws-cdk-lib/aws-ec2/lib/subnet.ts

@@ -43,6 +43,13 @@ export abstract class SubnetFilter {
     return new CidrMaskSubnetFilter(mask);
   }
 
+  /**
+   * Chooses subnets which are inside any of the specified CIDR Range.
+   */
+  public static byCidrRanges(vpcCidrs: string[]): SubnetFilter {
+    return new CidrRangesSubnetFilter(vpcCidrs);
+  }
+
   /**
    * Executes the subnet filtering logic, returning a filtered set of subnets.
    */
@@ -169,3 +176,33 @@ class CidrMaskSubnetFilter extends SubnetFilter {
     });
   }
 }
+
+/**
+ * Chooses subnets based on the CIDR Range
+ */
+class CidrRangesSubnetFilter extends SubnetFilter {
+
+  private readonly cidrRanges: string[]
+
+  constructor(cidrRanges: string[]) {
+    super();
+    this.cidrRanges = cidrRanges;
+  }
+
+  /**
+   * Executes the subnet filtering logic.
+   */
+  public selectSubnets(subnets: ISubnet[]): ISubnet[] {
+    return this.checkCidrRanges(subnets, this.cidrRanges);
+  }
+
+  private checkCidrRanges(subnets: ISubnet[], cidrRanges: string[]): ISubnet[] {
+    const vpcCidrs = cidrRanges.map(cidr => {
+      return new CidrBlock(cidr);
+    });
+    return subnets.filter(s => {
+      const subnetCidrBlock = new CidrBlock(s.ipv4CidrBlock);
+      return vpcCidrs.some(cidr => cidr.containsCidr(subnetCidrBlock));
+    });
+  }
+}

packages/aws-cdk-lib/aws-ec2/test/vpc.test.ts

@@ -2261,6 +2261,46 @@ describe('vpc', () => {
 
     });
 
+    test('can filter by multiple CIDR Ranges', () => {
+      // GIVEN
+      const stack = getTestStack();
+
+      // IP space is split into 6 pieces, one public/one private per AZ
+      const vpc = new Vpc(stack, 'VPC', {
+        ipAddresses: IpAddresses.cidr('10.0.0.0/16'),
+        maxAzs: 3,
+      });
+
+      // WHEN
+      // We want to place this endpoint in the same subnets as these IPv4
+      // address.
+      // WHEN
+      new InterfaceVpcEndpoint(stack, 'VPC Endpoint', {
+        vpc,
+        service: new InterfaceVpcEndpointService('com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc', 443),
+        subnets: {
+          subnetFilters: [SubnetFilter.byCidrRanges(['10.0.0.0/16'])],
+        },
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', {
+        ServiceName: 'com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc',
+        SubnetIds: [
+          {
+            Ref: 'VPCPrivateSubnet1Subnet8BCA10E0',
+          },
+          {
+            Ref: 'VPCPrivateSubnet2SubnetCFCDAA7A',
+          },
+          {
+            Ref: 'VPCPrivateSubnet3Subnet3EDCD457',
+          },
+        ],
+      });
+
+    });
+
     test('tests router types', () => {
       // GIVEN
       const stack = getTestStack();