feat(ec2): allow private non-nat subnets (#21699)

----

Closes: #21697 and might close #21699

Not all private subnets need to have a NAT gateway for egress; an example would be when using Transit Gateway.

I have incorporated the idea expressed in #21189 to add a more generic `PRIVATE_WITH_EGRESS` subnet type.

This PR is largely a rename and a small logic change in `determineNatGatewayCount`


### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: jmortlock

packages/@aws-cdk/aws-apigatewayv2/lib/http/vpc-link.ts

@@ -99,7 +99,7 @@ export class VpcLink extends Resource implements IVpcLink {
 
     this.vpcLinkId = cfnResource.ref;
 
-    const { subnets } = props.vpc.selectSubnets(props.subnets ?? { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT });
+    const { subnets } = props.vpc.selectSubnets(props.subnets ?? { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS });
     this.addSubnets(...subnets);
 
     if (props.securityGroups) {

packages/@aws-cdk/aws-appsync/test/appsync-rds.test.ts

@@ -36,7 +36,7 @@ describe('Rds Data Source configuration', () => {
       credentials: { username: 'clusteradmin' },
       clusterIdentifier: 'db-endpoint-test',
       vpc,
-      vpcSubnets: { subnetType: SubnetType.PRIVATE_WITH_NAT },
+      vpcSubnets: { subnetType: SubnetType.PRIVATE_WITH_EGRESS },
       securityGroups: [securityGroup],
       defaultDatabaseName: 'Animals',
     });
@@ -235,7 +235,7 @@ describe('adding rds data source from imported api', () => {
       credentials: { username: 'clusteradmin' },
       clusterIdentifier: 'db-endpoint-test',
       vpc,
-      vpcSubnets: { subnetType: SubnetType.PRIVATE_WITH_NAT },
+      vpcSubnets: { subnetType: SubnetType.PRIVATE_WITH_EGRESS },
       securityGroups: [securityGroup],
       defaultDatabaseName: 'Animals',
     });
@@ -269,4 +269,4 @@ describe('adding rds data source from imported api', () => {
       ApiId: { 'Fn::GetAtt': ['baseApiCDA4D43A', 'ApiId'] },
     });
   });
-});
+});

packages/@aws-cdk/aws-autoscaling/test/auto-scaling-group.test.ts

@@ -1825,7 +1825,7 @@ test('can use Vpc imported from unparseable list tokens', () => {
     vpc,
     allowAllOutbound: false,
     associatePublicIpAddress: false,
-    vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT },
+    vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
   });
 
   // THEN

packages/@aws-cdk/aws-batch/test/compute-environment.test.ts

@@ -375,7 +375,7 @@ describe('Batch Compute Environment', () => {
           ],
           type: batch.ComputeResourceType.ON_DEMAND,
           vpcSubnets: {
-            subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
+            subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
           },
         } as batch.ComputeResources,
         enabled: false,

packages/@aws-cdk/aws-cloud9/README.md

@@ -56,7 +56,7 @@ new cloud9.Ec2Environment(this, 'Cloud9Env2', {
 const c9env = new cloud9.Ec2Environment(this, 'Cloud9Env3', {
   vpc,
   subnetSelection: {
-    subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
+    subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
   },
   imageId: cloud9.ImageId.AMAZON_LINUX_2,
 });

packages/@aws-cdk/aws-cloud9/test/cloud9.environment.test.ts

@@ -28,7 +28,7 @@ test('create resource correctly with vpc, imageId, and subnetSelection', () => {
   new cloud9.Ec2Environment(stack, 'C9Env', {
     vpc,
     subnetSelection: {
-      subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
+      subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
     },
     imageId: cloud9.ImageId.AMAZON_LINUX_2,
   });
@@ -146,4 +146,4 @@ test.each([
     ImageId: expected,
     SubnetId: Match.anyValue(),
   });
-});
+});

packages/@aws-cdk/aws-docdb/test/cluster.test.ts

@@ -108,7 +108,7 @@ describe('DatabaseCluster', () => {
         vpc,
         instanceType: ec2.InstanceType.of(ec2.InstanceClass.R5, ec2.InstanceSize.LARGE),
         vpcSubnets: {
-          subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
+          subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
         },
       });
     }).toThrowError('Cluster requires at least 2 subnets, got 1');

packages/@aws-cdk/aws-ec2/README.md

@@ -42,10 +42,11 @@ distinguishes three different subnet types:
   Internet Gateway. If you want your instances to have a public IP address
   and be directly reachable from the Internet, you must place them in a
   public subnet.
-* **Private with Internet Access (`SubnetType.PRIVATE_WITH_NAT`)** - instances in private subnets are not directly routable from the
-  Internet, and connect out to the Internet via a NAT gateway. By default, a
-  NAT gateway is created in every public subnet for maximum availability. Be
+* **Private with Internet Access (`SubnetType.PRIVATE_WITH_EGRESS`)** - instances in private subnets are not directly routable from the
+  Internet, and you must provide a way to connect out to the Internet.
+  By default, a NAT gateway is created in every public subnet for maximum availability. Be
   aware that you will be charged for NAT gateways.
+  Alternatively you can set `natGateways:0` and provide your own egress configuration (i.e through Transit Gateway)
 * **Isolated (`SubnetType.PRIVATE_ISOLATED`)** - isolated subnets do not route from or to the Internet, and
   as such do not require NAT gateways. They can only connect to or be
   connected to from other instances in the same VPC. A default VPC configuration
@@ -260,7 +261,7 @@ const vpc = new ec2.Vpc(this, 'TheVPC', {
     {
       cidrMask: 24,
       name: 'Application',
-      subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
+      subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
     },
     {
       cidrMask: 28,
@@ -363,12 +364,12 @@ const vpc = new ec2.Vpc(this, 'TheVPC', {
     {
       cidrMask: 26,
       name: 'Application1',
-      subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
+      subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
     },
     {
       cidrMask: 26,
       name: 'Application2',
-      subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
+      subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
       reserved: true,   // <---- This subnet group is reserved
     },
     {

packages/@aws-cdk/aws-ec2/lib/util.ts

@@ -17,6 +17,7 @@ export function defaultSubnetName(type: SubnetType) {
   switch (type) {
     case SubnetType.PUBLIC: return 'Public';
     case SubnetType.PRIVATE_WITH_NAT:
+    case SubnetType.PRIVATE_WITH_EGRESS:
     case SubnetType.PRIVATE:
       return 'Private';
     case SubnetType.PRIVATE_ISOLATED:

packages/@aws-cdk/aws-ec2/lib/vpc.ts

@@ -188,6 +188,25 @@ export enum SubnetType {
    */
   ISOLATED = 'Deprecated_Isolated',
 
+  /**
+   * Subnet that routes to the internet, but not vice versa.
+   *
+   * Instances in a private subnet can connect to the Internet, but will not
+   * allow connections to be initiated from the Internet. Egress to the internet will
+   * need to be provided.
+   * NAT Gateway(s) are the default solution to providing this subnet type the ability to route Internet traffic.
+   * If a NAT Gateway is not required or desired, set `natGateways:0` or use
+   * `SubnetType.PRIVATE_ISOLATED` instead.
+   *
+   * By default, a NAT gateway is created in every public subnet for maximum availability.
+   * Be aware that you will be charged for NAT gateways.
+   *
+   * Normally a Private subnet will use a NAT gateway in the same AZ, but
+   * if `natGateways` is used to reduce the number of NAT gateways, a NAT
+   * gateway from another AZ will be used instead.
+   */
+  PRIVATE_WITH_EGRESS = 'Private',
+
   /**
    * Subnet that routes to the internet (via a NAT gateway), but not vice versa.
    *
@@ -202,8 +221,9 @@ export enum SubnetType {
    * Normally a Private subnet will use a NAT gateway in the same AZ, but
    * if `natGateways` is used to reduce the number of NAT gateways, a NAT
    * gateway from another AZ will be used instead.
+   * @deprecated use `PRIVATE_WITH_EGRESS`
    */
-  PRIVATE_WITH_NAT = 'Private',
+  PRIVATE_WITH_NAT = 'Deprecated_Private_NAT',
 
   /**
    * Subnet that routes to the internet, but not vice versa.
@@ -220,7 +240,7 @@ export enum SubnetType {
    * if `natGateways` is used to reduce the number of NAT gateways, a NAT
    * gateway from another AZ will be used instead.
    *
-   * @deprecated use `PRIVATE_WITH_NAT`
+   * @deprecated use `PRIVATE_WITH_EGRESS`
    */
   PRIVATE = 'Deprecated_Private',
 
@@ -251,7 +271,7 @@ export interface SubnetSelection {
    *
    * At most one of `subnetType` and `subnetGroupName` can be supplied.
    *
-   * @default SubnetType.PRIVATE_WITH_NAT (or ISOLATED or PUBLIC if there are no PRIVATE_WITH_NAT subnets)
+   * @default SubnetType.PRIVATE_WITH_EGRESS (or ISOLATED or PUBLIC if there are no PRIVATE_WITH_EGRESS subnets)
    */
   readonly subnetType?: SubnetType;
 
@@ -552,7 +572,7 @@ abstract class VpcBase extends Resource implements IVpc {
       subnets = this.selectSubnetObjectsByName(selection.subnetGroupName);
 
     } else { // Or specify by type
-      const type = selection.subnetType || SubnetType.PRIVATE_WITH_NAT;
+      const type = selection.subnetType || SubnetType.PRIVATE_WITH_EGRESS;
       subnets = this.selectSubnetObjectsByType(type);
     }
 
@@ -588,6 +608,7 @@ abstract class VpcBase extends Resource implements IVpc {
       [SubnetType.PRIVATE_ISOLATED]: this.isolatedSubnets,
       [SubnetType.ISOLATED]: this.isolatedSubnets,
       [SubnetType.PRIVATE_WITH_NAT]: this.privateSubnets,
+      [SubnetType.PRIVATE_WITH_EGRESS]: this.privateSubnets,
       [SubnetType.PRIVATE]: this.privateSubnets,
       [SubnetType.PUBLIC]: this.publicSubnets,
     };
@@ -631,7 +652,7 @@ abstract class VpcBase extends Resource implements IVpc {
     if (placement.subnetType === undefined && placement.subnetGroupName === undefined && placement.subnets === undefined) {
       // Return default subnet type based on subnets that actually exist
       let subnetType = this.privateSubnets.length
-        ? SubnetType.PRIVATE_WITH_NAT : this.isolatedSubnets.length ? SubnetType.PRIVATE_ISOLATED : SubnetType.PUBLIC;
+        ? SubnetType.PRIVATE_WITH_EGRESS : this.isolatedSubnets.length ? SubnetType.PRIVATE_ISOLATED : SubnetType.PUBLIC;
       placement = { ...placement, subnetType: subnetType };
     }
 
@@ -915,7 +936,7 @@ export interface VpcProps {
    *      {
    *        cidrMask: 24,
    *        name: 'application',
-   *        subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
+   *        subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
    *      },
    *      {
    *        cidrMask: 28,
@@ -1067,7 +1088,7 @@ export interface SubnetConfiguration {
  *
  * // Iterate the private subnets
  * const selection = vpc.selectSubnets({
- *   subnetType: ec2.SubnetType.PRIVATE_WITH_NAT
+ *   subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS
  * });
  *
  * for (const subnet of selection.subnets) {
@@ -1096,8 +1117,8 @@ export class Vpc extends VpcBase {
       name: defaultSubnetName(SubnetType.PUBLIC),
     },
     {
-      subnetType: SubnetType.PRIVATE_WITH_NAT,
-      name: defaultSubnetName(SubnetType.PRIVATE_WITH_NAT),
+      subnetType: SubnetType.PRIVATE_WITH_EGRESS,
+      name: defaultSubnetName(SubnetType.PRIVATE_WITH_EGRESS),
     },
   ];
 
@@ -1531,6 +1552,7 @@ export class Vpc extends VpcBase {
           this.publicSubnets.push(publicSubnet);
           subnet = publicSubnet;
           break;
+        case SubnetType.PRIVATE_WITH_EGRESS:
         case SubnetType.PRIVATE_WITH_NAT:
         case SubnetType.PRIVATE:
           const privateSubnet = new PrivateSubnet(this, name, subnetProps);
@@ -1561,6 +1583,7 @@ const SUBNETNAME_TAG = 'aws-cdk:subnet-name';
 function subnetTypeTagValue(type: SubnetType) {
   switch (type) {
     case SubnetType.PUBLIC: return 'Public';
+    case SubnetType.PRIVATE_WITH_EGRESS:
     case SubnetType.PRIVATE_WITH_NAT:
     case SubnetType.PRIVATE:
       return 'Private';
@@ -2007,7 +2030,7 @@ class ImportedVpc extends VpcBase {
 
     /* eslint-disable max-len */
     const pub = new ImportSubnetGroup(props.publicSubnetIds, props.publicSubnetNames, props.publicSubnetRouteTableIds, SubnetType.PUBLIC, this.availabilityZones, 'publicSubnetIds', 'publicSubnetNames', 'publicSubnetRouteTableIds');
-    const priv = new ImportSubnetGroup(props.privateSubnetIds, props.privateSubnetNames, props.privateSubnetRouteTableIds, SubnetType.PRIVATE_WITH_NAT, this.availabilityZones, 'privateSubnetIds', 'privateSubnetNames', 'privateSubnetRouteTableIds');
+    const priv = new ImportSubnetGroup(props.privateSubnetIds, props.privateSubnetNames, props.privateSubnetRouteTableIds, SubnetType.PRIVATE_WITH_EGRESS, this.availabilityZones, 'privateSubnetIds', 'privateSubnetNames', 'privateSubnetRouteTableIds');
     const iso = new ImportSubnetGroup(props.isolatedSubnetIds, props.isolatedSubnetNames, props.isolatedSubnetRouteTableIds, SubnetType.PRIVATE_ISOLATED, this.availabilityZones, 'isolatedSubnetIds', 'isolatedSubnetNames', 'isolatedSubnetRouteTableIds');
     /* eslint-enable max-len */
 
@@ -2207,13 +2230,13 @@ class ImportedSubnet extends Resource implements ISubnet, IPublicSubnet, IPrivat
  * They seem pointless but I see no reason to prevent it.
  */
 function determineNatGatewayCount(requestedCount: number | undefined, subnetConfig: SubnetConfiguration[], azCount: number) {
-  const hasPrivateSubnets = subnetConfig.some(c => (c.subnetType === SubnetType.PRIVATE_WITH_NAT
-    || c.subnetType === SubnetType.PRIVATE) && !c.reserved);
+  const hasPrivateSubnets = subnetConfig.some(c => (c.subnetType === SubnetType.PRIVATE_WITH_EGRESS
+    || c.subnetType === SubnetType.PRIVATE || c.subnetType === SubnetType.PRIVATE_WITH_NAT) && !c.reserved);
   const hasPublicSubnets = subnetConfig.some(c => c.subnetType === SubnetType.PUBLIC);
 
   const count = requestedCount !== undefined ? Math.min(requestedCount, azCount) : (hasPrivateSubnets ? azCount : 0);
 
-  if (count === 0 && hasPrivateSubnets) {
+  if (count === 0 && hasPrivateSubnets && subnetConfig.some(c => c.subnetType === SubnetType.PRIVATE_WITH_NAT)) {
     // eslint-disable-next-line max-len
     throw new Error('If you do not want NAT gateways (natGateways=0), make sure you don\'t configure any PRIVATE subnets in \'subnetConfiguration\' (make them PUBLIC or ISOLATED instead)');
   }

packages/@aws-cdk/aws-ec2/test/integ.reserved-private-subnet.ts

@@ -27,7 +27,7 @@ class VpcReservedPrivateSubnetStack extends cdk.Stack {
         },
         {
           name: 'private',
-          subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
+          subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
           reserved: true,
         },
       ],

packages/@aws-cdk/aws-ec2/test/integ.vpc-networkacl.ts

@@ -10,7 +10,7 @@ const vpc = new ec2.Vpc(stack, 'MyVpc');
 
 const nacl1 = new ec2.NetworkAcl(stack, 'myNACL1', {
   vpc,
-  subnetSelection: { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT },
+  subnetSelection: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
 });
 
 nacl1.addEntry('AllowDNSEgress', {

packages/@aws-cdk/aws-ec2/test/vpc-endpoint.test.ts

@@ -63,7 +63,7 @@ describe('vpc endpoint', () => {
                 subnetType: SubnetType.PUBLIC,
               },
               {
-                subnetType: SubnetType.PRIVATE_WITH_NAT,
+                subnetType: SubnetType.PRIVATE_WITH_EGRESS,
               },
             ],
           },

packages/@aws-cdk/aws-ec2/test/vpc.from-lookup.test.ts

@@ -165,7 +165,7 @@ describe('vpc from lookup', () => {
       });
 
       // WHEN
-      const subnets = vpc.selectSubnets({ subnetType: SubnetType.PRIVATE_WITH_NAT, onePerAz: true });
+      const subnets = vpc.selectSubnets({ subnetType: SubnetType.PRIVATE_WITH_EGRESS, onePerAz: true });
 
       // THEN: we got 2 subnets and not 4
       expect(subnets.subnets.map(s => s.availabilityZone)).toEqual(['us-east-1c', 'us-east-1d']);