fix(ec2): dual-stack vpc without private subnets creates EgressOnlyInternetGateway (under feature flag)

packages/aws-cdk-lib/aws-ec2/lib/vpc.ts

@@ -1649,7 +1649,13 @@ export class Vpc extends VpcBase {
     }
 
     // Create an Egress Only Internet Gateway and attach it if necessary
-    if (this.useIpv6 && this.privateSubnets) {
+
+    const redundantEgressOnlyGatewayRemovalFeatureFlag =
+      FeatureFlags.of(this).isEnabled(cxapi.ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC);
+
+    if ((this.useIpv6 && !redundantEgressOnlyGatewayRemovalFeatureFlag && this.privateSubnets) ||
+      (this.useIpv6 && redundantEgressOnlyGatewayRemovalFeatureFlag && this.privateSubnets.length > 0)
+    ) {
       const eigw = new CfnEgressOnlyInternetGateway(this, 'EIGW6', {
         vpcId: this.vpcId,
       });

packages/aws-cdk-lib/aws-ec2/test/vpc.test.ts

@@ -1,7 +1,7 @@
 import { testDeprecated } from '@aws-cdk/cdk-build-tools';
 import { Annotations, Match, Template } from '../../assertions';
 import { App, CfnOutput, CfnResource, Fn, Lazy, Stack, Tags } from '../../core';
-import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP } from '../../cx-api';
+import { EC2_RESTRICT_DEFAULT_SECURITY_GROUP, ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC } from '../../cx-api';
 import {
   AclCidr,
   AclTraffic,
@@ -2747,6 +2747,90 @@ describe('vpc', () => {
       },
     });
   });
+  test('(default)EgressOnlyInternetGateWay is created when no private subnet configured in dual stack', () => {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'DualStackStack');
+
+    // WHEN
+    const vpc = new Vpc(stack, 'Vpc', {
+      ipProtocol: IpProtocol.DUAL_STACK,
+      subnetConfiguration: [
+        {
+          subnetType: SubnetType.PUBLIC,
+          name: 'public',
+        },
+      ],
+    });
+
+    // THEN
+    Template.fromStack(stack).resourceCountIs('AWS::EC2::EgressOnlyInternetGateway', 1);
+  });
+  test('(default)EgressOnlyInternetGateWay is created when private subnet configured in dual stack', () => {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'DualStackStack');
+
+    // WHEN
+    const vpc = new Vpc(stack, 'Vpc', {
+      ipProtocol: IpProtocol.DUAL_STACK,
+      subnetConfiguration: [
+        {
+          subnetType: SubnetType.PUBLIC,
+          name: 'public',
+        },
+        {
+          subnetType: SubnetType.PRIVATE_WITH_EGRESS,
+          name: 'private',
+        },
+      ],
+    });
+
+    // THEN
+    Template.fromStack(stack).resourceCountIs('AWS::EC2::EgressOnlyInternetGateway', 1);
+  });
+
+  test('(feature flag ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC)EgressOnlyInternetGateWay is created when private subnet configured in dual stack', () => {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'DualStackStack');
+    // WHEN
+    stack.node.setContext(ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC, true);
+    const vpc = new Vpc(stack, 'Vpc', {
+      ipProtocol: IpProtocol.DUAL_STACK,
+      subnetConfiguration: [
+        {
+          subnetType: SubnetType.PUBLIC,
+          name: 'public',
+        },
+        {
+          subnetType: SubnetType.PRIVATE_WITH_EGRESS,
+          name: 'private',
+        },
+      ],
+    });
+
+    // THEN
+    Template.fromStack(stack).resourceCountIs('AWS::EC2::EgressOnlyInternetGateway', 1);
+  });
+  test(' (feature flag ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC)EgressOnlyInternetGateWay is not created when private subnet configured in dual stack', () => {
+    // GIVEN
+    const app = new App();
+    const stack = new Stack(app, 'DualStackStack');
+    stack.node.setContext(ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC, true);
+    // WHEN
+    const vpc = new Vpc(stack, 'Vpc', {
+      ipProtocol: IpProtocol.DUAL_STACK,
+      subnetConfiguration: [
+        {
+          subnetType: SubnetType.PUBLIC,
+          name: 'public',
+        },
+      ],
+    });
+    // THEN
+    Template.fromStack(stack).resourceCountIs('AWS::EC2::EgressOnlyInternetGateway', 0);
+  });
 
   test('error should occur if IPv6 properties are provided for a non-dual-stack VPC', () => {
     // GIVEN

packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -100,6 +100,7 @@ Flags come in three types:
 | [@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope](#aws-cdkpipelinesreducecrossaccountactionroletrustscope) | When enabled, scopes down the trust policy for the cross-account action role | 2.189.0 | new default |
 | [@aws-cdk/core:aspectPrioritiesMutating](#aws-cdkcoreaspectprioritiesmutating) | When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING. | 2.189.1 | new default |
 | [@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions](#aws-cdks3-notificationsadds3trustkeypolicyforsnssubscriptions) | Add an S3 trust policy to a KMS key resource policy for SNS subscriptions. | 2.195.0 | fix |
+| [@aws-cdk/ec2:removeEgressOnlyGatewayFromPublicSubnetVPC](#aws-cdkec2removeegressonlygatewayfrompublicsubnetvpc) | Remove EgressOnlyGateway resource when a a double stack vpc has only public subnets | V2NEXT | fix |
 
 <!-- END table -->
 
@@ -183,7 +184,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/core:aspectPrioritiesMutating": true,
     "@aws-cdk/aws-dynamodb:retainTableReplica": true,
     "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": true,
-    "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true
+    "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true,
+    "@aws-cdk/ec2:removeEgressOnlyGatewayFromPublicSubnetVPC": true
   }
 }
 ```
@@ -2105,4 +2107,19 @@ When this feature flag is enabled, a S3 trust policy will be added to the KMS ke
 | 2.195.0 | `false` | `true` |
 
 
+### @aws-cdk/ec2:removeEgressOnlyGatewayFromPublicSubnetVPC
+
+*Remove EgressOnlyGateway resource when a a double stack vpc has only public subnets*
+
+Flag type: Backwards incompatible bugfix
+
+When this feature flag is enabled, EgressOnlyGateway resource will not be created when you create a vpc with only public subnets. A
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
+
 <!-- END details -->

packages/aws-cdk-lib/cx-api/lib/features.ts

@@ -137,6 +137,7 @@ export const DYNAMODB_TABLE_RETAIN_TABLE_REPLICA = '@aws-cdk/aws-dynamodb:retain
 export const LOG_USER_POOL_CLIENT_SECRET_VALUE = '@aws-cdk/cognito:logUserPoolClientSecretValue';
 export const PIPELINE_REDUCE_CROSS_ACCOUNT_ACTION_ROLE_TRUST_SCOPE = '@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope';
 export const S3_TRUST_KEY_POLICY_FOR_SNS_SUBSCRIPTIONS = '@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions';
+export const ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC = '@aws-cdk/ec2:removeEgressOnlyGatewayFromPublicSubnetVPC';
 export const USE_RESOURCEID_FOR_VPCV2_MIGRATION = '@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration';
 
 export const FLAGS: Record<string, FlagInfo> = {
@@ -1576,6 +1577,17 @@ export const FLAGS: Record<string, FlagInfo> = {
   },
 
   //////////////////////////////////////////////////////////////////////
+  [ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC]: {
+    type: FlagType.BugFix,
+    summary: 'Remove EgressOnlyGateway resource when a a double stack vpc has only public subnets',
+    detailsMd: `
+      When this feature flag is enabled, EgressOnlyGateway resource will not be created when you create a vpc with only public subnets.
+          `,
+    introducedIn: { v2: 'V2NEXT' },
+    recommendedValue: true,
+  },
+
+  /// ///////////////////////////////////////////////////////////////////
   [USE_RESOURCEID_FOR_VPCV2_MIGRATION]: {
     type: FlagType.ApiDefault,
     summary: 'When enabled, use resource IDs for VPC V2 migration',
@@ -1588,6 +1600,7 @@ export const FLAGS: Record<string, FlagInfo> = {
     recommendedValue: false,
     defaults: { v2: false },
     compatibilityWithOldBehaviorMd: 'Disable the feature flag to use getAtt references for VPC V2 migration',
+
   },
 };
 

packages/aws-cdk-lib/recommended-feature-flags.json

@@ -71,5 +71,6 @@
   "@aws-cdk/core:aspectPrioritiesMutating": true,
   "@aws-cdk/aws-dynamodb:retainTableReplica": true,
   "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": true,
-  "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true
+  "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true,
+  "@aws-cdk/ec2:removeEgressOnlyGatewayFromPublicSubnetVPC": true
 }