From 6d2b9e7b944dd7700d5cbb92156cb55ce6bc7d2b Mon Sep 17 00:00:00 2001 From: Madhu Nunna Date: Thu, 5 Mar 2026 14:53:52 -0800 Subject: [PATCH] fix: add availabilityZones prop to work around CloudFront VPC Origins AZ restriction CloudFront VPC Origins excludes one AZ in certain regions (Seoul, Tokyo, N. California, N. Virginia). CDK's default AZ selection may pick the unsupported AZ causing ValidationException on deployment. Added availabilityZones prop to LangfuseVpcInfra and LangfuseDemoStack so users in affected regions can explicitly specify supported AZs. Added documentation explaining the issue and how to identify the unsupported AZ for their account. Fixes #606 --- .../lib/langfuse/vpc.ts | 29 +++++++++++++++++-- .../lib/stack.ts | 21 +++++++++++++- 2 files changed, 47 insertions(+), 3 deletions(-) diff --git a/evaluation-observe/deploy-langfuse-on-ecs-fargate-with-typescript-cdk/lib/langfuse/vpc.ts b/evaluation-observe/deploy-langfuse-on-ecs-fargate-with-typescript-cdk/lib/langfuse/vpc.ts index b3970348d..8d2ac56bd 100644 --- a/evaluation-observe/deploy-langfuse-on-ecs-fargate-with-typescript-cdk/lib/langfuse/vpc.ts +++ b/evaluation-observe/deploy-langfuse-on-ecs-fargate-with-typescript-cdk/lib/langfuse/vpc.ts 
@@ -8,6 +8,26 @@ import * as logs from "aws-cdk-lib/aws-logs"; import { Construct } from "constructs"; export interface ILangfuseVpcInfraProps { + /** + * Explicitly specify Availability Zones for the VPC subnets. + * + * CloudFront VPC Origins does not support all AZs in every region. In some regions (e.g. + * ap-northeast-2 Seoul, ap-northeast-1 Tokyo, us-west-1 California, us-east-1 Virginia), one + * AZ is excluded from CloudFront VPC Origins support. Because AZ IDs map to different AZ names + * per AWS account in these older regions, CDK's default AZ selection may pick an unsupported AZ + * causing deployment failures. + * + * If you encounter a CloudFront VPC Origins AZ error, use this prop to explicitly specify + * supported AZs. For example, in ap-northeast-2 (Seoul), exclude the AZ mapped to ID + * `apne2-az1` in your account: + * @example ['ap-northeast-2b', 'ap-northeast-2c'] + * + * See: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.html#vpc-origins-supported-regions + * See: https://docs.aws.amazon.com/global-infrastructure/latest/regions/az-ids.html + * + * @default CDK selects 2 AZs automatically + */ + availabilityZones?: string[]; /** * Optional AWS Tags to apply to created resources */ 
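Review bot: The new doc comment on `availabilityZones` explains why the prop exists but not what a valid value looks like: it does not say the names must be AZs of the deployment region, or that an empty or single-entry list is not a sensible input. The `@example` value is only correct for accounts where `ap-northeast-2a` is the name mapped to `apne2-az1`, so I would add a line such as `Names are account-specific; confirm your own AZ name-to-ID mapping before copying this example.` Changing the list on an already deployed stack will probably replace the subnets, which deserves a sentence as well. The same text is duplicated on `ILangfuseDemoStackProps` in lib/stack.ts without the two `See:` links; a short `See ILangfuseVpcInfraProps.availabilityZones` there would keep the two copies from drifting.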
@@ -35,11 +55,16 @@ export class LangfuseVpcInfra extends Construct { ) { super(scope, id); - // maxAzs parameter is not specified. + // maxAzs parameter is not specified by default. // The default behavior of the ec2.Vpc construct is to create a VPC with subnets spread across // 2 Availability Zones (AZs) when no maxAzs parameter is specified. - // Each AZ will have one public subnet and one private subnet by default + // Each AZ will have one public subnet and one private subnet by default. + // + // NOTE: If deploying in a region where CloudFront VPC Origins excludes an AZ (e.g. Seoul, + // Tokyo, N. California, N. Virginia), pass `availabilityZones` in props to explicitly select + // supported AZs and avoid deployment failures. this.vpc = new ec2.Vpc(this, "Vpc", { + ...(props.availabilityZones ? { availabilityZones: props.availabilityZones } : {}), gatewayEndpoints: { S3: { service: ec2.GatewayVpcEndpointAwsService.S3, diff --git a/evaluation-observe/deploy-langfuse-on-ecs-fargate-with-typescript-cdk/lib/stack.ts b/evaluation-observe/deploy-langfuse-on-ecs-fargate-with-typescript-cdk/lib/stack.ts index 3987373f5..98a5a033a 100644 --- a/evaluation-observe/deploy-langfuse-on-ecs-fargate-with-typescript-cdk/lib/stack.ts +++ b/evaluation-observe/deploy-langfuse-on-ecs-fargate-with-typescript-cdk/lib/stack.ts 
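Review bot: The truthiness test in `...(props.availabilityZones ? { availabilityZones: props.availabilityZones } : {})` lets an empty array through, because `[]` is truthy, so a caller who passes `availabilityZones: []` hands an empty AZ list to `ec2.Vpc` instead of getting the default selection or a clear error. A guard before the constructor call, for example `if (props.availabilityZones?.length === 0) throw new Error("availabilityZones must not be empty");`, fails at synth time with a readable message. The conditional spread also looks unnecessary: lib/stack.ts in this same commit passes the possibly-undefined value straight through, and `availabilityZones: props.availabilityZones,` would read the same way here, assuming `ec2.Vpc` treats `undefined` as unset. The constructor body starts and ends outside this hunk.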
@@ -40,6 +40,22 @@ export interface ILangfuseDemoStackProps extends cdk.StackProps { * @default 'ghcr.io/langfuse/langfuse-worker:3' */ langfuseWorkerImage?: string; + /** + * Explicitly specify Availability Zones for the VPC. + * + * CloudFront VPC Origins does not support all AZs in every region. In some regions (e.g. + * ap-northeast-2 Seoul, ap-northeast-1 Tokyo, us-west-1 California, us-east-1 Virginia), one + * AZ is excluded. Because AZ IDs map to different names per AWS account in these older regions, + * CDK's default AZ selection may pick an unsupported AZ causing deployment failures. + * + * If you encounter a CloudFront VPC Origins AZ error, use this prop to explicitly specify + * supported AZs. For example, in ap-northeast-2 (Seoul), exclude the AZ mapped to ID + * `apne2-az1` in your account: + * @example ['ap-northeast-2b', 'ap-northeast-2c'] + * + * @default CDK selects 2 AZs automatically + */ + availabilityZones?: string[]; /** * Set `true` to create and use Amazon Cognito User Pool for authentication * @@ -61,7 +77,10 @@ export class LangfuseDemoStack extends cdk.Stack { const tags = [new cdk.Tag("project", "langfuse-demo")]; - const vpcInfra = new LangfuseVpcInfra(this, "VpcInfra", { tags }); + const vpcInfra = new LangfuseVpcInfra(this, "VpcInfra", { + availabilityZones: props.availabilityZones, + tags, + }); let cognitoUserPool; if (props.useCognitoAuth) {