[aws-ec2] Allow including/excluding availability zones based on AZ Id

[IvanKraljevic]

Hi CDK team,
It would be great if you enable us to supply a list of included/excluded AZs (based on AZ id, not name) when a VPC or any other resource that requires a subnet selection is created (for instance, an EKS cluster).

A viable alternative would be to expose the AZ IDs filed on subnets, so we can manually filter unwanted subnets.

Use Case

I have a use case where I need to create an EKS cluster with worker nodes in every available AZ. When I try to deploy my stacks, I get an UnsupportedAvailabilityZoneException stating there aren't enough compute resources in one of the supplied AZs. This is a fairly common issue with EKS (example 1, example 2), and you can usually work around it by omitting the subnets mapped to the problematic AZ.

As the AZ names get shuffled for every AWS account, that workaround doesn't scale if you need to create a big number of clusters spread across a lot of AWS accounts.

My current workaround is to maintain a map of unsupported AZs for every AWS account that I have:

static final Multimap<String, String> ACCOUNT_ID_TO_UNSUPPORTED_AZ = ImmutableMultimap.<String, String>builder()
            .put("my-aws-account-id-1", "us-east-1e")
            .put("my-aws-account-id-2", "us-east-1f")
            ...
            .build();

boolean isAzSupported(final ISubnet s) {
    final var accountId = s.getStack().getAccount();
    if (StringUtils.isEmpty(accountId)) {
        return true;
    }

    return !ACCOUNT_ID_TO_UNSUPPORTED_AZ.get(accountId)
            .contains(s.getAvailabilityZone());
}

Cluster buildCluster(final Construct scope, final String clusterName, final Vpc vpc) {
    final var subnets = vpc.getPrivateSubnets().stream()
            .filter(this::isAzSupported)
            .collect(Collectors.toList());

    return Cluster.Builder.create(scope, "EksCluster")
            .vpc(vpc)
            .vpcSubnets(List.of(SubnetSelection.builder()
                    .subnets(subnets)
                    .build()))
            ....
           .build();
}

The awful thing about this is that I first need to fail in order to figure out the problematic subnet/AZ for each new account, adjust the mapping, have the change reviewed, deployed etc.

Proposed Solution

1. Expand the VPC builder or subnet configuration so that subnets aren't created in unwanted AZs. Clients should be able to supply the wanted/unwanted AZ by either supplying the AZ names or IDs.
2. Expand the SubnetSelection with availabilityZoneIds() so that resources aren't placed in unwanted AZs.

An alternative would be to expose getAvailabilityZoneId() on the ISubnet interface. With it, we'd be able to manually filter out unwanted AZs before an EKS cluster is created. It would simplify maintenance because the ACCOUNT_ID_TO_UNSUPPORTED_AZ map from the example above could be simplified to something like UNSUPPORTED_AZS = ['use1-az3',...].

Both proposals would increase developer velocity as the fail-adjust-review-deploy cycle would be avoided.

Other

The following comment suggests the same feature:
#5927 (comment)

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[rix0rrr]

We are aware of this issue, but thanks for reporting.

For my edification--feels like it should be possible to put the physical AZ ids directly into the template. Is that not true?

[IvanKraljevic]

Hi Rico,
Thanks for the feedback.

Looking at the official CF docs for Subnets and parameters, there are no mentions of AZ IDs so it seem CF works only with AZ names (us-east-1e):

• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html
• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html

The following links imply the same:
https://stackoverflow.com/questions/51513086/get-availability-zone-from-subnet-parameter-in-cloudformation
https://old.reddit.com/r/aws/comments/a1ldov/availability_zone_ids_in_cloudformation/

I might be able to use the AWS SDK to call DescribeSubnets for the default VPC, and extract the mapping between AZ names and IDs - haven't tried it yet though.

[github-actions]

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[jdix531]

I think this is an issue worth keeping open. The work arounds are fairly cumbersome.

[gravitylow]

Following up on this -- CFN now supports AvailabilityZoneId for subnets - https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-ec2.CfnSubnet.html. This should be possible to support now.

[ggallo]

Because Workspaces is not available in certain AZs, redesigning my stack led to a chain reaction of dropping everything into Cfn methods - an exercise with errors I am still slogging through - and completely negated the utility of the CDK.

If CDK supported this natively all this pain would be resolved.

[acrodrig]

@gravitylow just read your comment above. How could the subnet be used in CDK?