CDK Create Subnets on VPC


I'm trying to create 2 subnets on AWS in CDK.

I originally followed the post here, but I ran out of IP addresses.

The error I'm getting is

Resource handler returned message: "The CIDR '12.0.0.0/25' conflicts with another subnet

This error is returned for each of the subnets.

import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { IpAddresses } from 'aws-cdk-lib/aws-ec2';

// VPC with a /23, i.e. 12.0.0.0 - 12.0.1.255 (512 addresses)
const vpc = new ec2.Vpc(this, name, {
  ipAddresses: IpAddresses.cidr('12.0.0.0/23'),
});

// Hand-built subnets, one public and one private per AZ, each a /25
const publicOneSubnet = new ec2.Subnet(this, 'PublicOneSubnet', {
  availabilityZone: 'eu-west-1a',
  vpcId: vpc.vpcId,
  cidrBlock: '12.0.0.0/25',
});

let publicOneSubnetRouteTable = publicOneSubnet.routeTable;
const publicTwoSubnet = new ec2.Subnet(this, 'PublicTwoSubnet', {
  availabilityZone: 'eu-west-1b',
  vpcId: vpc.vpcId,
  cidrBlock: '12.0.0.128/25',
});

const privateOneSubnet = new ec2.Subnet(this, 'PrivateOneSubnet', {
  availabilityZone: 'eu-west-1a',
  vpcId: vpc.vpcId,
  cidrBlock: '12.0.1.0/25',
});

const privateTwoSubnet = new ec2.Subnet(this, 'PrivateTwoSubnet', {
  availabilityZone: 'eu-west-1b',
  vpcId: vpc.vpcId,
  cidrBlock: '12.0.1.128/25',
});

Could somebody tell me please what I'm doing wrong… this is making me want to cry! As far as I can tell, the 12.0.0.0/23 should mean there's 12.0.1.0-255 and 12.0.0.0-255.

The 12.0.0.0/25 should mean 12.0.0.0-127, and so on, so I'm a bit confused as to how these conflict. I've never done this sort of VPC setup before, so apologies if these are stupid questions!


There are 2 best solutions below

zessx On BEST ANSWER

By default your VPC CIDR will be equally divided, and 1 public and 1 private subnet will be created per AZ (source).

As you're not specifying anything besides the CIDR on your VPC, maxAzs will be 3 and you'll have a total of 6 subnets created over these availability zones.

If you want to have control over a VPC's subnets, just drop manual subnet creation and use the subnetConfiguration property, while specifying you only want 2 AZs:

import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { IpAddresses } from 'aws-cdk-lib/aws-ec2';

const vpc = new ec2.Vpc(this, name, {
  ipAddresses: IpAddresses.cidr('12.0.0.0/23'),
  maxAzs: 2,
  // One /25 public and one /25 private subnet per AZ: 4 x /25 fills the /23 exactly
  subnetConfiguration: [
    {
      cidrMask: 25,
      name: 'public',
      subnetType: ec2.SubnetType.PUBLIC,
    },
    {
      cidrMask: 25,
      name: 'private',
      subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
    },
  ],
});
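As an added illustration (not code from the question or this answer, and not CDK itself), here is a plain-TypeScript model of the split the answer describes: it assumes CDK divides the remaining VPC space into equal blocks across maxAzs x subnet types, and shows which of the hand-written /25s land on an automatically created block and how maxAzs: 2 with cidrMask: 25 fits the /23 exactly.

```typescript
// Added example (not CDK code): a plain-TypeScript model of how ec2.Vpc carves
// a CIDR into subnets, used to show why the hand-written /25s collide with the
// subnets CDK creates on its own. The equal-split rule (remaining space divided
// by AZ count x subnet types) is an assumption modelled on the answer above.

interface Cidr { base: number; mask: number; }

function parseCidr(text: string): Cidr {
  const [ip, maskStr] = text.split('/');
  const o = ip.split('.').map(Number);
  const base = ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
  return { base, mask: Number(maskStr) };
}

function sizeOf(c: Cidr): number { return 2 ** (32 - c.mask); }

function formatCidr(c: Cidr): string {
  return [24, 16, 8, 0].map(s => (c.base >>> s) & 255).join('.') + '/' + c.mask;
}

// Two blocks conflict when each one starts before the other one ends.
function overlaps(a: string, b: string): boolean {
  const x = parseCidr(a), y = parseCidr(b);
  return x.base < y.base + sizeOf(y) && y.base < x.base + sizeOf(x);
}

// Split a VPC CIDR into `count` equal blocks, the way CDK allocates subnet
// configurations that carry no explicit cidrMask (assumption, see lead-in).
function equalSplit(vpcCidr: string, count: number): string[] {
  const vpc = parseCidr(vpcCidr);
  const perSubnet = Math.floor(sizeOf(vpc) / count);
  const mask = 32 - Math.floor(Math.log2(perSubnet));
  return Array.from({ length: count }, (_, i) =>
    formatCidr({ base: vpc.base + i * 2 ** (32 - mask), mask }));
}

// Which manually declared subnets land on top of an automatically created one?
function conflicts(autoSubnets: string[], manual: string[]): string[] {
  return manual.filter(m => autoSubnets.some(a => overlaps(a, m)));
}

// Constructed input mirroring the question. (12.0.0.0/23 is publicly routed
// address space; a real VPC should use an RFC 1918 range. Kept to match the post.)
const manualSubnets = ['12.0.0.0/25', '12.0.0.128/25', '12.0.1.0/25', '12.0.1.128/25'];
const defaultSubnets = equalSplit('12.0.0.0/23', 3 * 2); // maxAzs 3 x (public + private)
console.log(defaultSubnets);                             // six /26 blocks
console.log(conflicts(defaultSubnets, manualSubnets));   // three of the four /25s collide
console.log(equalSplit('12.0.0.0/23', 2 * 2));           // maxAzs 2: exactly four /25s
```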
Scott Munro On

This is not something that I have tried, but it seems like it has a good chance of working, assuming that the details of the validation DNS record can be retrieved - see below.

This is the comment on the CertificateValidation.fromDns method.

/**
 * Validate the certificate with DNS
 *
 * IMPORTANT: If `hostedZone` is not specified, DNS records must be added
 * manually and the stack will not complete creating until the records are
 * added.
 *
 * @param hostedZone the hosted zone where DNS records must be created
 */
static fromDns(hostedZone?: route53.IHostedZone): CertificateValidation;

Note that the DNS record will not be created if no hostedZone is passed in. If the DNS record is created as part of the CloudFormation Stack, then it should not have any problems deleting it.

The trick will be to retrieve the details of the validation DNS record that should be created from the certificate. These did not seem to be exposed in the CDK Certificate object unfortunately.