mike/feat-TELEMTRAF-7944: add arm-supporting AZ VPC export #48

Merged
michael-mbox merged 1 commit into master from TELEMTRAF-7944-migrate-live-traffic-engine-to-arm
May 5, 2026

@michael-mbox michael-mbox commented May 5, 2026

Adds a new DefaultVpc output property: FargateArm64PrivateSubnets.

This output is an array of private subnet IDs from the default VPC, excluding physical availability zones where AWS Fargate ARM64 is not supported. Today the known unsupported case is use1-az3 in us-east-1, per AWS ECS ARM64 documentation.

This does not change any existing DefaultVpc outputs such as PrivateSubnets, PublicSubnets, AzIndexedPrivateSubnets, or AzIndexedPublicSubnets. Existing stacks will continue to receive the same attributes they use today; this PR only adds a new attribute for stacks that explicitly opt into it.

Why

live-traffic-engine is migrating Fargate tasks to ARM64 for cost savings. Its legacy CloudFormation/cloudfriend service stack currently uses the shared vpc-private-subnets export, which includes subnet-276c8319 (us-east-1c / physical AZ use1-az3). Fargate ARM64 does not support use1-az3, so ARM64 task placement needs a private subnet set that excludes that AZ while preserving multi-AZ placement.

CDK consumers can filter subnets by AZ, but cloudfriend/raw CFN stacks need either hardcoded subnet IDs or a custom-resource/exported value. This adds a reusable custom-resource attribute so LTE and similar legacy CFN stacks can avoid hardcoding subnet IDs.

Usage example

A CloudFormation/cloudfriend stack can define the existing custom resource:

DefaultVpc: {
  Type: 'Custom::DefaultVpcLookup',
  Properties: {
    ServiceToken: cf.importValue('default-vpc-lookup'),
  },
},

Then use the new attribute for Fargate ARM64 subnet placement:

NetworkConfiguration: {
  AwsvpcConfiguration: {
    AssignPublicIp: 'DISABLED',
    SecurityGroups: [/* ... */],
    Subnets: cf.getAtt('DefaultVpc', 'FargateArm64PrivateSubnets'),
  },
},

For LTE in us-east-1, this should resolve to the ARM-safe private subnet set equivalent to A/D/E, excluding the private subnet in use1-az3.

Testing

  • Updated test/default-vpc.test.js to verify FargateArm64PrivateSubnets excludes a private subnet with AvailabilityZoneId: use1-az3 while preserving existing DefaultVpc outputs.
  • Local test suite passes: 158 passing.

@michael-mbox michael-mbox requested a review from a team as a code owner May 5, 2026 11:47
@michael-mbox michael-mbox merged commit f55182c into master May 5, 2026
4 checks passed
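
The filtering described in the PR above, sketched as an added example that is not code from this PR or its repository: it selects on `AvailabilityZoneId` rather than the AZ name and refuses to return a set that no longer spans multiple AZs. The helper name, the `minAzs` parameter, the input shape (EC2 DescribeSubnets fields) and every sample value except `subnet-276c8319` / `us-east-1c` / `use1-az3` are assumptions.

```javascript
// Added example, not code from this PR or its repository.
// Physical AZ IDs without Fargate ARM64 support, keyed by region.
// use1-az3 is the single known case named in the PR description.
const FARGATE_ARM64_UNSUPPORTED_AZ_IDS = {
  'us-east-1': new Set(['use1-az3']),
};

// Hypothetical helper: privateSubnets are entries shaped like EC2
// DescribeSubnets results, already narrowed to private subnets by the caller.
function fargateArm64PrivateSubnets(region, privateSubnets, minAzs = 2) {
  const unsupported = FARGATE_ARM64_UNSUPPORTED_AZ_IDS[region] || new Set();
  const keptAzIds = new Set();
  const keptSubnetIds = [];
  for (const subnet of privateSubnets) {
    // Fail closed: an AZ name such as us-east-1c can map to a different
    // physical AZ in another account, so only the AZ ID is trusted here.
    if (!subnet.AvailabilityZoneId) {
      throw new Error(`${subnet.SubnetId}: missing AvailabilityZoneId`);
    }
    if (unsupported.has(subnet.AvailabilityZoneId)) continue;
    keptAzIds.add(subnet.AvailabilityZoneId);
    keptSubnetIds.push(subnet.SubnetId);
  }
  // Refuse to hand back a subnet set that silently loses multi-AZ placement.
  if (keptAzIds.size < minAzs) {
    throw new Error(`only ${keptAzIds.size} ARM64-capable AZ(s) left in ${region}`);
  }
  return keptSubnetIds;
}

// Constructed sample: only subnet-276c8319 / us-east-1c / use1-az3 comes from
// the PR text; the other subnet IDs and AZ name-to-ID pairs are made up.
const SAMPLE_PRIVATE_SUBNETS = [
  { SubnetId: 'subnet-aaaa0001', AvailabilityZone: 'us-east-1a', AvailabilityZoneId: 'use1-az1' },
  { SubnetId: 'subnet-276c8319', AvailabilityZone: 'us-east-1c', AvailabilityZoneId: 'use1-az3' },
  { SubnetId: 'subnet-dddd0004', AvailabilityZone: 'us-east-1d', AvailabilityZoneId: 'use1-az4' },
  { SubnetId: 'subnet-eeee0005', AvailabilityZone: 'us-east-1e', AvailabilityZoneId: 'use1-az5' },
];

console.log(fargateArm64PrivateSubnets('us-east-1', SAMPLE_PRIVATE_SUBNETS));
```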