fix(eks): throw error when kubectl subnets are isolated

[Abogical]

Issue # (if applicable)

Closes #26613.

Reason for this change

When creating an eks.FargateCluster (or any EKS cluster with coreDnsComputeType: FARGATE) in a VPC with only PRIVATE_ISOLATED subnets and private endpoint access enabled, the kubectl Lambda is placed in those isolated subnets. Since isolated subnets have no internet access by definition (no NAT Gateway, no Internet Gateway route), the Lambda cannot reach the EKS API, STS, or other AWS service endpoints. This causes the CoreDnsComputeTypePatch custom resource (and any other kubectl operation) to silently time out after 15 minutes, resulting in a confusing CloudFormation deployment failure.

Description of changes

Added a ValidationError at synth time in both aws-eks and aws-eks-v2 modules that detects when the selected kubectl private subnets include PRIVATE_ISOLATED subnets. The check runs in the Cluster constructor, right after kubectlPrivateSubnets is assigned, by comparing the selected subnets against vpc.isolatedSubnets.

The error message tells users exactly what is wrong and how to fix it:

• Use PRIVATE_WITH_EGRESS subnets with a NAT Gateway
• Or configure VPC endpoints for STS, EKS, and ECR
• Links to the AWS private clusters documentation

Why a hard error instead of a warning: PRIVATE_ISOLATED subnets are created by CDK with no egress route. If CDK created the VPC and the kubectl subnets are isolated, we know with certainty there is no egress and the deployment will fail. Failing fast at synth time is better than a 15-minute Lambda timeout.

Files changed:

• packages/aws-cdk-lib/aws-eks/lib/cluster.ts — validation after kubectlPrivateSubnets assignment
• packages/aws-cdk-lib/aws-eks-v2/lib/cluster.ts — same validation after kubectlSubnets assignment
• packages/aws-cdk-lib/aws-eks/test/cluster.test.ts — 2 new tests
• packages/aws-cdk-lib/aws-eks-v2/test/cluster.test.ts — 2 new tests

Describe any new or updated permissions being added

No new or updated IAM permissions. This is a synth-time validation only.

Description of how you validated changes

• Added 4 unit tests (2 per module):
  • throws when kubectl private subnets include isolated subnets — verifies the ValidationError is thrown
  • does not throw when kubectl private subnets are PRIVATE_WITH_EGRESS — verifies no error for valid subnets
• All 147 existing aws-eks tests pass
• All 120 existing aws-eks-v2 tests pass
• No TypeScript diagnostics errors in any modified file

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[vishaalmehrishi]

This validation throws unconditionally for isolated subnets, but the error message itself suggests VPC endpoints as a valid alternative. Users who have properly configured VPC endpoints for STS, EKS, ECR, and S3 in their isolated subnets will be blocked at synth time with no workaround.

The DNS validation directly above (line 1867) uses this.vpc instanceof ec2.Vpc to avoid false positives with imported VPCs. Consider applying the same guard here — when the VPC is CDK-created, we know isolated subnets have no egress; when it's imported, we can't be sure.

Per the AWS private clusters documentation, isolated subnets with VPC endpoints are a supported configuration.

if (this.vpc instanceof ec2.Vpc) {
  const isolatedSubnetIds = new Set(this.vpc.isolatedSubnets.map(s => s.subnetId));
  const hasIsolatedSubnets = privateSubnets.some(s => isolatedSubnetIds.has(s.subnetId));
  if (hasIsolatedSubnets) {
    throw new ValidationError(
      'Isolated subnets cannot be used for kubectl private subnets. ...',
      this,
    );
  }
}

[vishaalmehrishi]

The error message mentions "VPC endpoints for STS, EKS, and ECR" but per the AWS private clusters documentation, ECR also requires an S3 gateway endpoint (com.amazonaws.region-code.s3) for pulling container images. Consider updating to "STS, EKS, ECR, and S3" for completeness.

[vishaalmehrishi]

Same as the aws-eks module — consider adding the this.vpc instanceof ec2.Vpc guard here for consistency with the DNS validation at line 1384 and to avoid blocking users with VPC endpoints on imported VPCs.

Per the AWS private clusters documentation, isolated subnets with VPC endpoints are a supported configuration.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-03-19 11:10 UTC · Rule: default-squash
• ✅ Checks passed · in-place
• ✅ Merged — 2026-03-19 12:46 UTC · at 28b830af6f97afef43a67fb5b273ed40fd36a25b

This pull request spent 1 hour 36 minutes 16 seconds in the queue, including 43 minutes 39 seconds running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • fix(eks): throw error when kubectl subnets are isolated #37217
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • fix(eks): throw error when kubectl subnets are isolated #37217
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.