(aws-ec2): Why are NAT gateways required for private subnets?

[ffxsam]

❓ General Issue

The Question

I'm very curious why this check is in place:

aws-cdk/packages/@aws-cdk/aws-ec2/lib/vpc.ts

Lines 2036 to 2039 in 283ed02

	if (count === 0 && hasPrivateSubnets) {
	// eslint-disable-next-line max-len
	throw new Error('If you do not want NAT gateways (natGateways=0), make sure you don\'t configure any PRIVATE subnets in \'subnetConfiguration\' (make them PUBLIC or ISOLATED instead)');
	}

NAT gateways are, if I'm not mistaken, only required if resources within your private subnets need to access the Internet through an Internet gateway. In this case, I'm unable to use CDK to create a ServerlessCluster, because the SubnetGroup can't be defined without giving it a VPC with private subnets, which strangely require NAT Gateways. If I try to create a SubnetGroup using a VPC with public & isolated subnets, it complains and says I need to use private subnets: Error: There are no 'Private' subnet groups in this VPC. Available types: Isolated,Public

[njlynch]

It's a great question.

It looks like there has been some question about this since the original implementation:

aws-cdk/packages/@aws-cdk/aws-ec2/lib/vpc.ts

Lines 2027 to 2028 in 283ed02

	* Do we want to require that there are private subnets if there are NatGateways?
	* They seem pointless but I see no reason to prevent it.

It also looks like there was an unaddressed comment on that PR: "Perhaps provide the rationale for this in the error message or an accompanying link to an issue or doc".

While I think it's likely that in the most common scenario, this check makes sense, I can also see infrastructure setups where it doesn't. Given that there's no work-around here (short of using some rather ugly escape hatches), I'm re-labelling this as a P1 bug.

We welcome community contributions! If you are able, we encourage you to contribute the bug fix. I think it's safe to just remove this check (and associated test(s)).