
Summary

  • Fix is_subnet_public() to correctly identify public subnets that use the VPC's main route table
  • When a subnet has no explicit route table association, find the main route table instead of using route_tables[0]
  • Add explicit error handling when main route table cannot be found

Root Cause

When a subnet has no explicit route table association, it implicitly uses the VPC's main route table. The previous implementation fetched all VPC route tables but only checked route_tables[0], which may not be the main route table. This caused public subnets (using main route table with IGW) to be incorrectly identified as private.

Changes

cli/src/pcluster/aws/ec2.py

  • Find main route table by checking Associations[].Main flag
  • Raise explicit exception if main route table not found

cli/tests/pcluster/aws/test_ec2.py

  • Add helper functions for mocking route table responses
  • Add test for subnet using main route table with IGW (public)
  • Add test for subnet using main route table without IGW (private)

Test plan

  • Existing test_is_subnet_public passes
  • New test_is_subnet_public_with_main_route_table passes
  • New test_is_subnet_public_main_route_table_no_igw passes

Fixes #7173

…t explicit association

When a subnet has no explicit route table association, it uses the VPC's
main route table. The previous implementation incorrectly used route_tables[0]
which may not be the main route table, causing public subnets to be
incorrectly identified as private.

This fix explicitly finds the main route table by checking the "Main" flag
in route table associations. If no main route table is found (which should
not happen in a valid VPC), an exception is raised with a helpful message.

Fixes aws#7173
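The Root Cause section and the commit message above describe the same selection rule, so here it is once, as an added example rather than aws-parallelcluster's own code, with the pre-fix `route_tables[0]` behaviour alongside for comparison. It assumes the dict shape of boto3's `describe_route_tables` response and that a route whose `GatewayId` starts with `igw-` marks the subnet as public; the route tables below are constructed.

```python
"""Added example, not aws-parallelcluster's own code: resolve the route table a
subnet actually uses and classify it, as the PR describes.  Dict shapes mirror
boto3's describe_route_tables response; the sample tables are constructed."""

# Constructed: table 0 is a private table explicitly bound to another subnet,
# table 1 is the VPC's main table (Main=True) and routes to an internet gateway.
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private", "Main": False}],
        "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0"}],
    },
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0"}],
    },
]


def has_igw_route(route_table):
    # Assumption: "public" means some route hands traffic to an internet gateway.
    return any(str(r.get("GatewayId", "")).startswith("igw-")
               for r in route_table.get("Routes", []))


def effective_route_table(subnet_id, route_tables):
    """Explicit association wins; otherwise the VPC's main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    # Every valid VPC has a main table, so reaching this point means bad input.
    raise ValueError(f"No main route table found in VPC for subnet {subnet_id}")


def is_subnet_public(subnet_id, route_tables):
    return has_igw_route(effective_route_table(subnet_id, route_tables))


def is_subnet_public_before_fix(subnet_id, route_tables):
    """Pre-fix behaviour: with no explicit association, consult route_tables[0]."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return has_igw_route(rt)
    return has_igw_route(route_tables[0])
```

With the sample data, the pre-fix function reports the unassociated subnet as private because table 0 happens to be listed first, while the fixed function follows the `Main` flag and reports it public.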
@almightychang almightychang requested review from a team as code owners December 23, 2025 06:36
Successfully merging this pull request may close these issues.

[BUG] LoginNodes NLB scheme incorrectly set to internal on public subnet