Skip to content

fix(route53-targets): only use dualstack prefix for dual-stack NLBs #34641

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

fix(route53-targets): only use dualstack prefix for dual-stack NLBs #34641

wants to merge 17 commits into from

Conversation

pahud
Copy link
Contributor

@pahud pahud commented Jun 5, 2025

Issue # (if applicable)

Closes #16987.

Reason for this change

LoadBalancerTarget was unconditionally adding the dualstack. prefix to all load balancer DNS names, causing IPv4-only Network Load Balancers to become unreachable via Route53 alias records. This breaks a fundamental use case where users expect Route53 aliases to work with their default (IPv4-only) NLBs.

Description of changes

Core Fix:

  • Modified LoadBalancerTarget.getDnsName() to conditionally apply the dualstack prefix based on load balancer type and IP address configuration
  • Added isNetworkLoadBalancer() and isIpv4Only() helper methods for type detection

Logic Changes:

  • IPv4-only NLBs: Use plain DNS name (fixes the broken behavior)
  • Dual-stack NLBs: Use dualstack prefix (maintains existing behavior)
  • ALBs: Continue using dualstack prefix (preserves backward compatibility)

Why this approach:

  • Fixes the bug while maintaining backward compatibility for ALBs
  • Uses constructor name checking for reliable NLB detection
  • Defaults to dualstack prefix when in doubt (safer fallback)

Alternatives considered:

  • Interface-based type checking (rejected due to complexity)
  • Breaking change for all load balancers (rejected for backward compatibility)
  • Runtime DNS validation (rejected as too complex)

Describe any new or updated permissions being added

No new IAM permissions required. This is a client-side logic change that affects how CDK generates CloudFormation templates.

Description of how you validated changes

Unit Tests:

  • Added comprehensive test cases covering IPv4-only NLB, dual-stack NLB, default NLB, and ALB scenarios
  • Verified existing ALB tests continue to pass (backward compatibility)

Integration Tests:

  • Created integ.nlb-alias-target.ts with real CloudFormation deployment
  • Generated snapshots proving correct DNS name generation:
    • IPv4-only NLB: {"Fn::GetAtt": ["IPv4NLB", "DNSName"]} (no prefix)
    • Dual-stack NLB: {"Fn::Join": ["", ["dualstack.", {"Fn::GetAtt": [...]}]]} (with prefix)
  • Successfully deployed and validated in AWS environment

Manual Validation:

  • Verified CloudFormation template generation produces expected outputs
  • Confirmed Route53 record syntax matches AWS requirements

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

This follows the exact AWS CDK PR template format and provides comprehensive details about the fix, testing, and impact.

@pahud pahud marked this pull request as draft June 5, 2025 18:25
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jun 5, 2025
@pahud
feat(route53-targets): enhance LoadBalancerTarget to support IPv4-onl…
998c628 
…y and dual-stack NLBs with appropriate DNS naming
pahud added 8 commits June 5, 2025 15:48
@pahud
feat: add integration tests for NLB alias target
d58e590 
- Created snapshot files for integration tests related to NLB alias target.
- Added manifest and asset files to support the new integration test.
- Included CloudFormation template for the NLB integration test.
- Updated tree structure to reflect the new resources and dependencies.
@pahud
Merge branch 'main' into fix-16987
f91c393
@pahud
fix: remove unnecessary blank line and improve formatting in LoadBala…
010e72f 
…ncerTarget
@pahud
fix: ensure newline at end of file in integ.nlb-alias-target.ts
baa88af
@pahud
fix: update bucket deployment test to disable managed log group
8811ee3 
- Modified the TestBucketDeployment class to set the postCliContext option for disabling the use of CDK managed log groups.

refactor: improve load balancer target detection logic

- Enhanced the isNetworkLoadBalancer and isIpv4Only methods for better readability and maintainability by using clearer variable names and comments.

chore: clean up yarn.lock by removing unused dependencies

- Removed references to unused packages and updated existing dependencies to streamline the project.
@pahud
fix: correct syntax error and simplify app initialization in bucket d…
08a560d 
…eployment test
@pahud
feat(route53-targets): enhance LoadBalancerTarget to support IPv4-onl…
ee4fab5 
…y and dual-stack NLBs with appropriate DNS naming
@pahud
improve(route53-targets): enhance code clarity and type safety
cba95b8 
- Add explanatory comment for constructor name checking approach
- Improve variable naming and formatting in isIpv4Only method
- Better explain why NLB vs ALB detection is needed for DNS requirements
aws-cdk-automation
aws-cdk-automation previously requested changes Jun 6, 2025
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(This review is outdated)

pahud added 2 commits June 5, 2025 22:52
@pahud
feat(route53-targets): add integration test for NLB alias target
2cf79f2 
- Created snapshot files for integration test of NLB alias target.
- Added CloudFormation template and asset manifest for the NLB integration.
- Implemented VPC, subnets, and load balancers in the test setup.
- Included assertions for bootstrap version checks in the CloudFormation template.
@pahud
Merge fix-16987-clean into fix-16987
0f183ff
@aws-cdk-automation aws-cdk-automation dismissed their stale review June 6, 2025 03:07

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

pahud added 6 commits June 5, 2025 23:10
@pahud
fix: restore original content in S3 deployment test file
49bbfb9
@pahud
chore: restore original yarn.lock file
e2adf97
@pahud
chore: empty commit to trigger CI
8559880
@pahud
fix: remove trailing spaces in load-balancer-target.ts
ca376b3
@pahud
feat(route53-targets): enhance NLB integration tests with dual-stack …
bc9ae98 
…support

- Updated VPC configuration to support dual-stack with IPv6 CIDR blocks.
- Enabled auto-assign of IPv6 addresses for public subnets.
- Created dual-stack NLB and added corresponding A and AAAA records for DNS.
- Ensured IPv4-only NLB records do not have dualstack prefix.
@pahud
lint
1a8d531
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 1a8d531
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@pahud pahud marked this pull request as ready for review June 6, 2025 19:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

aws-route53-targets: LoadBalancerTarget always appends the dualstack prefix even when not a valid option
2 participants
@pahud @aws-cdk-automation