Be able to change AZ count on already deployed VPC (constructs need to be able to keep state)
When (in my case) increasing the maxAzs specified using the VPC construct from 3 to 4 and running cdk deploy, the CloudFormation stack update fails with an error code of InvalidSubnet.Conflict.
Reproduction Steps
Changing

import * as ec2 from '@aws-cdk/aws-ec2';

const vpc = new ec2.Vpc(this, 'VPC', {
  cidr: "172.21.0.0/16",
  maxAzs: 3,
  natGateways: 1,
  subnetConfiguration: [
    {
      cidrMask: 24,
      name: 'public',
      subnetType: ec2.SubnetType.PUBLIC,
    },
    {
      cidrMask: 24,
      name: 'private',
      subnetType: ec2.SubnetType.PRIVATE,
    }
  ]
});

to

const vpc = new ec2.Vpc(this, 'VPC', {
  cidr: "172.21.0.0/16",
  maxAzs: 4,
  natGateways: 1,
  subnetConfiguration: [
    {
      cidrMask: 24,
      name: 'public',
      subnetType: ec2.SubnetType.PUBLIC,
    },
    {
      cidrMask: 24,
      name: 'private',
      subnetType: ec2.SubnetType.PRIVATE,
    }
  ]
});

produces the error below.
Error Log
1/28 | 5:55:19 PM | CREATE_FAILED | AWS::EC2::Subnet | VPC/publicSubnet4/Subnet (VPCpublicSubnet4Subnet46529D45) The CIDR '172.21.3.0/24' conflicts with another subnet (Service: AmazonEC2; Status Code: 400; Error Code: InvalidSubnet.Conflict; Request ID: 41f1d4ed-b249-4cfa-bb1e-c0148a4ddc30)
new Subnet (/Users/username/workspace/cdk-vpc-transitgateway/node_modules/@aws-cdk/aws-ec2/lib/vpc.ts:1373:20)
\_ new PublicSubnet (/Users/username/workspace/cdk-vpc-transitgateway/node_modules/@aws-cdk/aws-ec2/lib/vpc.ts:1588:5)
\_ /Users/username/workspace/cdk-vpc-transitgateway/node_modules/@aws-cdk/aws-ec2/lib/vpc.ts:1239:32
\_ Array.forEach (<anonymous>)
\_ Vpc.createSubnetResources (/Users/username/workspace/cdk-vpc-transitgateway/node_modules/@aws-cdk/aws-ec2/lib/vpc.ts:1221:28)
\_ Vpc.createSubnets (/Users/username/workspace/cdk-vpc-transitgateway/node_modules/@aws-cdk/aws-ec2/lib/vpc.ts:1210:12)
\_ new Vpc (/Users/username/workspace/cdk-vpc-transitgateway/node_modules/@aws-cdk/aws-ec2/lib/vpc.ts:1076:10)
\_ new CdkVpcTransitgatewayStack (/Users/username/workspace/cdk-vpc-transitgateway/lib/cdk-vpc-transitgateway-stack.ts:8:17)
\_ Object.<anonymous> (/Users/username/workspace/cdk-vpc-transitgateway/bin/cdk-vpc-transitgateway.ts:10:1)
\_ Module._compile (internal/modules/cjs/loader.js:1147:30)
\_ Module.m._compile (/Users/username/workspace/cdk-vpc-transitgateway/node_modules/ts-node/src/index.ts:814:23)
\_ Module._extensions..js (internal/modules/cjs/loader.js:1167:10)
\_ Object.require.extensions.<computed> [as .ts] (/Users/username/workspace/cdk-vpc-transitgateway/node_modules/ts-node/src/index.ts:817:12)
\_ Module.load (internal/modules/cjs/loader.js:996:32)
\_ Function.Module._load (internal/modules/cjs/loader.js:896:14)
\_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:71:12)
\_ main (/Users/username/workspace/cdk-vpc-transitgateway/node_modules/ts-node/src/bin.ts:226:14)
\_ Object.<anonymous> (/Users/username/workspace/cdk-vpc-transitgateway/node_modules/ts-node/src/bin.ts:485:3)
\_ Module._compile (internal/modules/cjs/loader.js:1147:30)
\_ Object.Module._extensions..js (internal/modules/cjs/loader.js:1167:10)
\_ Module.load (internal/modules/cjs/loader.js:996:32)
\_ Function.Module._load (internal/modules/cjs/loader.js:896:14)
\_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:71:12)
\_ /usr/local/lib/node_modules/npm/node_modules/libnpx/index.js:268:14
Environment
- CLI Version: 1.27.0 (build a98c0b3)
- Framework Version:
- Node Version (node --version): v13.10.1
- OS: macOS 10.14.6
- Language: us-english
Other
At first glance, it appears that on subsequent deployments the VPC construct is not aware of what CIDR ranges may already be in-use.
This is a 🐛 Bug Report
Issue Analytics
- State:
- Created 4 years ago
- Reactions: 58
- Comments: 15 (2 by maintainers)
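The conflict in the error log can be predicted from the construct's allocation order without touching AWS. The TypeScript below is an added illustration, not code from the aws-cdk repository or from the reporter: it re-implements, in plain TypeScript with no CDK dependency, the order the Vpc construct walks when it assigns CIDRs (subnet groups in subnetConfiguration order, one subnet per AZ inside each group, blocks carved sequentially from the start of the VPC range), then diffs the deployed maxAzs: 3 layout against the desired maxAzs: 4 layout. The names allocateSubnets, findConflicts, SubnetGroup and Allocation are this example's own, and the 172.21.0.0/16 inputs are taken from the report above.

```typescript
// Added example (not the aws-cdk implementation): predict which subnet CIDRs
// collide when maxAzs changes, by reproducing the construct's allocation order.

interface SubnetGroup {
  name: string;      // subnetConfiguration[].name
  cidrMask: number;  // subnetConfiguration[].cidrMask
}

interface Allocation {
  name: string;  // logical name as CDK builds it, e.g. "publicSubnet4"
  cidr: string;  // e.g. "172.21.3.0/24"
}

function ipToInt(ip: string): number {
  return ip.split('.').reduce((acc, octet) => acc * 256 + parseInt(octet, 10), 0);
}

function intToIp(n: number): string {
  return [24, 16, 8, 0].map(shift => Math.floor(n / Math.pow(2, shift)) % 256).join('.');
}

// Carve subnets out of the VPC range in the order the Vpc construct uses:
// for each subnet group (in subnetConfiguration order), for each AZ,
// take the next block of 2^(32 - cidrMask) addresses.
function allocateSubnets(vpcCidr: string, maxAzs: number, groups: SubnetGroup[]): Allocation[] {
  const parts = vpcCidr.split('/');
  const start = ipToInt(parts[0]);
  const end = start + Math.pow(2, 32 - parseInt(parts[1], 10));
  let cursor = start;
  const out: Allocation[] = [];
  for (const group of groups) {
    const size = Math.pow(2, 32 - group.cidrMask);
    for (let az = 1; az <= maxAzs; az++) {
      if (cursor + size > end) {
        throw new Error(`VPC range ${vpcCidr} exhausted at ${group.name}Subnet${az}`);
      }
      out.push({ name: `${group.name}Subnet${az}`, cidr: `${intToIp(cursor)}/${group.cidrMask}` });
      cursor += size;
    }
  }
  return out;
}

// A subnet in the desired layout whose CIDR is held by a *different* subnet in
// the deployed layout will fail with InvalidSubnet.Conflict: CloudFormation
// creates new and replacement subnets before it deletes the old ones, and
// AWS::EC2::Subnet CidrBlock is immutable, so a subnet whose CIDR shifted is a
// replacement, not an in-place update.
function findConflicts(deployed: Allocation[], desired: Allocation[]): string[] {
  const ownerByCidr = new Map<string, string>();
  for (const s of deployed) {
    ownerByCidr.set(s.cidr, s.name);
  }
  const conflicts: string[] = [];
  for (const s of desired) {
    const owner = ownerByCidr.get(s.cidr);
    if (owner !== undefined && owner !== s.name) {
      conflicts.push(`${s.name} wants ${s.cidr}, already held by ${owner}`);
    }
  }
  return conflicts;
}

// The layouts from the report: same two groups, maxAzs 3 -> 4.
const reportedGroups: SubnetGroup[] = [
  { name: 'public', cidrMask: 24 },
  { name: 'private', cidrMask: 24 },
];
const deployedLayout = allocateSubnets('172.21.0.0/16', 3, reportedGroups);
const desiredLayout = allocateSubnets('172.21.0.0/16', 4, reportedGroups);
for (const line of findConflicts(deployedLayout, desiredLayout)) {
  console.log(line);
}
```

Run with ts-node: the first line printed is publicSubnet4 wanting 172.21.3.0/24, which the deployed privateSubnet1 holds, the exact pair in the CREATE_FAILED line above. Two more follow (privateSubnet1 and privateSubnet2 each shift onto the CIDR of their neighbour); which of the three CloudFormation reports first depends on the order it happens to create resources, and the stack rolls back on the first one. The same check returns an empty list for an update that only appends a new group at the end of subnetConfiguration with the same maxAzs, because sequential allocation leaves the earlier blocks where they were; running it against the synthesized before and after layouts before cdk deploy tells you whether the update can succeed at all.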
Top GitHub Comments
It’s unfortunate that devs don’t give priority to fixing this Vpc construct; without these problems fixed, relying on it is very dangerous.
I’ve encountered this issue several times. It doesn’t really matter what you’re changing: if you attempt to change the subnet structure of an already-created VPC with CDK, you’ll get this error.
Has anyone come up with a workaround, or even an order of operations for making changes to a VPC? My thought is that the previous VPC subnets would have to be completely destroyed prior to an update (since the CIDR reservations are not editable, even in the console).