(@aws-cdk/aws-ec2-alpha): secondaryAddressBlock IP validation disallows valid options #36111
Description
Describe the bug
The validateIpv4address function disallows VPCs with primaryAddressBlocks in 192.168.0.0/16 and 10.0.0.0/8 space to have secondaryAddressBlocks outside that space such as publicly routable IPv4 CIDR block which are valid as documented by aws: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html#add-cidr-block-restrictions
e.g primary 10.0.0.0/16 + 198.18.0.0/26
aws-cdk/packages/@aws-cdk/aws-ec2-alpha/lib/vpc-v2.ts
Lines 914 to 917 in 73b9f98
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Library Version
No response
Expected Behavior
It should be possible to add secondary address blocks from valid IP ranges other than the primary address block.
Current Behavior
Running npx cdk synth throws an error - "CIDR block should be in the same RFC 1918 range in the VPC"
/test/node_modules/@aws-cdk/aws-ec2-alpha/lib/vpc-v2.ts:556
throw new Error('CIDR block should be in the same RFC 1918 range in the VPC');
^
Error: CIDR block should be in the same RFC 1918 range in the VPC
at new VpcV2 (/test/node_modules/@aws-cdk/aws-ec2-alpha/lib/vpc-v2.ts:556:19)
at new VpcV2 (/test/node_modules/aws-cdk-lib/core/lib/prop-injectable.js:1:681)
at Object.<anonymous> (/test/bin/vpc.ts:30:1)
at Module._compile (node:internal/modules/cjs/loader:1734:14)
at Module.m._compile (/test/node_modules/ts-node/src/index.ts:1618:23)
at loadTS (node:internal/modules/cjs/loader:1826:10)
at Object.require.extensions.<computed> [as .ts] (/test/node_modules/ts-node/src/index.ts:1621:12)
at Module.load (node:internal/modules/cjs/loader:1469:32)
at Module._load (node:internal/modules/cjs/loader:1286:12)
at TracingChannel.traceSync (node:diagnostics_channel:322:14)
npx ts-node --prefer-ts-exts bin/vpc.ts: Subprocess exited with error 1Reproduction Steps
import * as cdk from "aws-cdk-lib/core";
import * as ec2a from "@aws-cdk/aws-ec2-alpha";
const app = new cdk.App();
const stack = new cdk.Stack(app, "Stack");
new ec2a.VpcV2(stack, "Vpc", {
primaryAddressBlock: ec2a.IpAddresses.ipv4("10.160.0.0/19"),
secondaryAddressBlocks: [ec2a.IpAddresses.ipv4("198.18.0.0/26", { cidrBlockName: "tgw" })],
});
### Possible Solution
1. Write validation logic such that it allows all valid combinations.
2. Allow bypassing validation via an optional propertly.
3. Remove the validation altogether.
I appreciate the affordance offered by attempting to validate secondary ranges without needing to wait till deploying a cloudformation stack to find it won't work. Given that the current logic only tests a subset of possible combinations and writing exhaustive logic to validate all possible combinations might be a lot of work (and possibly require updates if cloudformation or ec2 modifies it's own rules in future), I can see the value in making it bypassable or simply removing it altogether.
### Additional Information/Context
There are various networking scenarios and AWS guidance that call for somewhat "unusual" seconday IP blocks on a VPC
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/preserve-routable-ip-space-in-multi-account-vpc-designs-for-non-workload-subnets.html
### AWS CDK Library version (aws-cdk-lib)
2.225.0
### AWS CDK CLI version
2.1032.0
### Node.js Version
v24.1.0
### OS
OSX
### Language
TypeScript
### Language Version
5.9.3
### Other information
_No response_