Building aws cdk-stack get 'Error: Cannot create a VPC Endpoint with no subnets'

Question

I'm creating an AWS CDK stack (2.66.1) in which I have to define 2 VPC endpoints.

I defined all the resources necessary for my app, but when I try to build it with 'cdk synth', it fails with: Error: Cannot create a VPC Endpoint with no subnets

import * as ec2 from 'aws-cdk-lib/aws-ec2';

/*** Create VPC and its SUBNET and ENDPOINT ***/

const vpc = new ec2.Vpc(this, env.vpcName, {
  ipAddresses: ec2.IpAddresses.cidr('172.16.0.0/16'),
  subnetConfiguration: [
    {
      // CIDR mask: 255.255.255.0
      cidrMask: 24,
      name: env.vpcSubnetName,
      subnetType: ec2.SubnetType.PRIVATE_ISOLATED
    }
  ]
});

// Security group for the EC2 instance
const securityGroup = new ec2.SecurityGroup(this, env.securityGroupName, {
  vpc,
  description: "Allow SSH (TCP port 22) and HTTP (TCP port 80) in",
  allowAllOutbound: true,
});

// Allow SSH access on port tcp/22
securityGroup.addIngressRule(
  ec2.Peer.anyIpv4(),
  ec2.Port.tcp(22),
  "Allow SSH Access"
);

// Allow HTTP access on port tcp/80
securityGroup.addIngressRule(
  ec2.Peer.anyIpv4(),
  ec2.Port.tcp(80),
  "Allow HTTP Access"
);

new ec2.InterfaceVpcEndpoint(this, env.vpcEndpointDynamoDBName, {
  vpc,
  service: new ec2.InterfaceVpcEndpointService('com.amazonaws.' + region + '.dynamodb', 443),
  subnets: {
    subnets: [...vpc.privateSubnets]
  },
  privateDnsEnabled: true,
  securityGroups: [securityGroup]
});

new ec2.InterfaceVpcEndpoint(this, env.vpcEndpoints3Name, {
  vpc,
  service: new ec2.InterfaceVpcEndpointService('com.amazonaws.' + region + '.s3', 443),
  subnets: {
    subnets: [...vpc.privateSubnets]
  },
  privateDnsEnabled: true,
  securityGroups: [securityGroup]
});

Answer 1

Score: 1

You are passing vpc.privateSubnets as the interface endpoint subnets, but this attribute is undefined. Your VPC defines a single PRIVATE_ISOLATED subnet, which is available as vpc.isolatedSubnets.

  subnets: {
    subnets: vpc.isolatedSubnets
  },

Here's how the VPC subnet attributes map to SubnetType values:

  • publicSubnets: PUBLIC
  • privateSubnets: PRIVATE_WITH_EGRESS, PRIVATE_WITH_NAT (deprecated), PRIVATE (deprecated)
  • isolatedSubnets: PRIVATE_ISOLATED, ISOLATED (deprecated)

BTW, you are creating interface endpoints for DynamoDB and S3. Consider Gateway Endpoints instead. Gateway Endpoints are supported for DynamoDB and S3 and carry no hourly charge. See the Types of VPC endpoints for Amazon S3 docs for a comparison.
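Added example, not part of the question or the answer above and not code from aws-cdk-lib: a small pre-synth check that models the mapping the answer gives between the ec2.Vpc subnet attributes (publicSubnets, privateSubnets, isolatedSubnets) and the SubnetType values, so an endpoint whose subnet selection would be empty is reported before `cdk synth` runs, together with the answer's note that S3 and DynamoDB are available as Gateway endpoints. It deliberately does not import aws-cdk-lib; the type and function names, the sample subnet group name, and the "last label of the service name" heuristic in recommendedEndpointKind are assumptions of this example.

```typescript
// Added example: models the Vpc subnet-attribute mapping from the answer.
// Not aws-cdk-lib code; names and the sample input below are assumptions.

type SubnetType =
  | 'PUBLIC'
  | 'PRIVATE_WITH_EGRESS'
  | 'PRIVATE_WITH_NAT'   // deprecated in CDK, still maps to privateSubnets
  | 'PRIVATE'            // deprecated in CDK, still maps to privateSubnets
  | 'PRIVATE_ISOLATED'
  | 'ISOLATED';          // deprecated in CDK, still maps to isolatedSubnets

type SubnetAttribute = 'publicSubnets' | 'privateSubnets' | 'isolatedSubnets';

interface SubnetConfig {
  name: string;
  cidrMask: number;
  subnetType: SubnetType;
}

// The mapping stated in the answer: which Vpc attribute each SubnetType lands in.
const ATTRIBUTE_FOR_TYPE: Record<SubnetType, SubnetAttribute> = {
  PUBLIC: 'publicSubnets',
  PRIVATE_WITH_EGRESS: 'privateSubnets',
  PRIVATE_WITH_NAT: 'privateSubnets',
  PRIVATE: 'privateSubnets',
  PRIVATE_ISOLATED: 'isolatedSubnets',
  ISOLATED: 'isolatedSubnets',
};

// Given a subnetConfiguration, return the subnet group names each attribute would hold.
function groupSubnets(config: SubnetConfig[]): Record<SubnetAttribute, string[]> {
  const groups: Record<SubnetAttribute, string[]> = {
    publicSubnets: [],
    privateSubnets: [],
    isolatedSubnets: [],
  };
  for (const c of config) {
    groups[ATTRIBUTE_FOR_TYPE[c.subnetType]].push(c.name);
  }
  return groups;
}

// Reproduces the failure in the question: selecting an attribute that no subnet
// group maps to yields an empty selection, which the endpoint cannot use.
// The error message also names the attributes that *are* populated.
function selectEndpointSubnets(config: SubnetConfig[], attr: SubnetAttribute): string[] {
  const groups = groupSubnets(config);
  const chosen = groups[attr];
  if (chosen.length === 0) {
    const populated = (Object.keys(groups) as SubnetAttribute[])
      .filter((k) => groups[k].length > 0)
      .join(', ') || 'none';
    throw new Error(
      `Cannot create a VPC Endpoint with no subnets: vpc.${attr} is empty ` +
      `(populated attributes: ${populated})`,
    );
  }
  return chosen;
}

// Services the answer points out are available as Gateway endpoints.
// Assumption: the service is identified by the last label of its name,
// e.g. 'com.amazonaws.<region>.s3' -> 's3'.
const GATEWAY_SERVICES: ReadonlySet<string> = new Set(['s3', 'dynamodb']);

function recommendedEndpointKind(serviceName: string): 'gateway' | 'interface' {
  const last = serviceName.split('.').pop() ?? serviceName;
  return GATEWAY_SERVICES.has(last) ? 'gateway' : 'interface';
}

// Constructed input mirroring the question's VPC: one PRIVATE_ISOLATED group.
const QUESTION_VPC: SubnetConfig[] = [
  { name: 'app-isolated', cidrMask: 24, subnetType: 'PRIVATE_ISOLATED' },
];

function demo(): void {
  try {
    // The question's selection: privateSubnets on an isolated-only VPC.
    selectEndpointSubnets(QUESTION_VPC, 'privateSubnets');
  } catch (e) {
    console.log(String(e));
  }
  // The answer's fix: isolatedSubnets.
  console.log(selectEndpointSubnets(QUESTION_VPC, 'isolatedSubnets'));
  // Constructed region string; 'dynamodb' and 's3' are gateway-capable.
  console.log(recommendedEndpointKind('com.amazonaws.eu-west-1.dynamodb'));
}

demo();
```

Running the check with the question's configuration reproduces the empty privateSubnets selection and points at isolatedSubnets as the populated attribute; the same table also tells you that a `PRIVATE_WITH_EGRESS` group would have populated privateSubnets, which is the other way to make the original code synthesize.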


huangapple
  • Posted on March 4, 2023 00:57:48
  • Please keep this link when reposting: https://go.coder-hub.com/75629886.html