ec2: NatProvider.instanceV2 does not work when mapPublicIpOnLaunch=false for public subnets #31711

Open
tmokmss opened this issue Oct 10, 2024 · 3 comments · May be fixed by #31812
Assignees
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@tmokmss
Contributor

tmokmss commented Oct 10, 2024

Describe the bug

When we set mapPublicIpOnLaunch=false for public subnets, NAT instances do not get public IP addresses assigned, resulting in non-working NAT instances.

Disabling mapPublicIpOnLaunch is recommended by an AWS Config rule (and by cdk-nag as well).
https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

NAT instance works.

Current Behavior

NAT instance does not work.

Reproduction Steps

Deploy the VPC below, and you can see the NAT instances do not have public IP addresses assigned; traffic cannot go to the Internet because of that.

import { InstanceClass, InstanceSize, InstanceType, NatProvider, SubnetType, Vpc } from 'aws-cdk-lib/aws-ec2';

// Inside a Stack (or any Construct) scope:
new Vpc(this, 'Vpc', {
  natGatewayProvider: NatProvider.instanceV2({
    instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.MICRO),
  }),
  subnetConfiguration: [
    {
      subnetType: SubnetType.PUBLIC,
      name: 'Public',
      // NAT instance does not work when this is set to false.
      mapPublicIpOnLaunch: false,
    },
    {
      subnetType: SubnetType.PRIVATE_WITH_EGRESS,
      name: 'Private',
    },
  ],
});

Possible Solution

Expose associatePublicIpAddress property maybe?

Additional Information/Context

No response

CDK CLI Version

2.160.0

Framework Version

No response

Node.js Version

20

OS

macos

Language

TypeScript

Language Version

No response

Other information

No response

@tmokmss tmokmss added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 10, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Oct 10, 2024
@khushail khushail added needs-reproduction This issue needs reproduction. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Oct 10, 2024
@khushail khushail self-assigned this Oct 10, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-reproduction This issue needs reproduction. labels Oct 10, 2024
@khushail
Contributor

khushail commented Oct 11, 2024

Hi @tmokmss , thanks for reaching out.

The property mapPublicIpOnLaunch in CDK docs states that -

The property mapPublicIpOnLaunch controls if a public IPv4 address will be assigned. This defaults to false for dual stack VPCs to avoid inadvertent costs of having the public address. However, a public IP must be enabled (or otherwise configured with BYOIP or IPAM) in order for services that rely on the address to function.

The ipv6AssignAddressOnCreation property controls the same behavior for the IPv6 address. It defaults to true.

Using IPv6 specific properties in an IPv4 only VPC will result in errors.

As mentioned in the CDK docs, not assigning a public IP when mapPublicIpOnLaunch=false is intentional, as stated here -

Disabling the auto-assigning of a public IPv4 address by default can avoid the cost of public IPv4 addresses starting 2/1/2024. For use cases that need an IPv4 address, the mapPublicIpOnLaunch property in subnetConfiguration can be set to auto-assign the IPv4 address. Note that private IPv4 address allocation will not be changed.

and one can always assign public IP addresses manually, by using Elastic IP addresses.

AFAIU, and if my understanding is correct, this is by design to keep it disabled. Please feel free to correct me if something is misunderstood.

I would also reach out to core team and request their insights on the implementation of this concept.
Thanks

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Oct 11, 2024
@tmokmss
Contributor Author

tmokmss commented Oct 12, 2024

Thanks @khushail for the investigation!

this is by design to keep it disabled

I'm afraid not. Without public IP addresses, NAT instances won't work. This is surprising behavior because users expect NatProvider.instanceV2 to just work as soon as the deployment finishes. Forcing users to assign a public IP address manually is clearly a sub-optimal solution.

So a straightforward solution would be to expose a prop to assign a public IP address to the NAT instance when configuring NatProvider.instanceV2. In the Instance construct, we have the associatePublicIpAddress prop, which we can expose in NatInstanceProps and pass through when defining the Instance construct (code below).

const natInstance = new Instance(sub, 'NatInstance', {
  instanceType: this.props.instanceType,
  machineImage,
  sourceDestCheck: false, // Required for NAT
  vpc: options.vpc,
  vpcSubnets: { subnets: [sub] },
  securityGroup: this._securityGroup,
  keyPair: this.props.keyPair,
  keyName: this.props.keyName,
  creditSpecification: this.props.creditSpecification,
  userData,
});

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 12, 2024
@khushail
Contributor

khushail commented Oct 14, 2024

Thanks @tmokmss for the clarification there. Your solution makes sense.

@khushail khushail added the effort/small Small work item – less than a day of effort label Oct 14, 2024
@khushail khushail removed their assignment Oct 14, 2024
@GavinZZ GavinZZ self-assigned this Oct 18, 2024
@GavinZZ GavinZZ linked a pull request Oct 18, 2024 that will close this issue