edge: support creating ipv6-enabled subnets in edge zones

tthvo · tthvo · commit c70f34126967 · 2025-10-09T15:54:50.000-07:00
IPv6 subnets are not generally supported by AWS Local Zones: only certain zones support Ipv6, see [0]. Wavelength Zones is currently not supporting IPv6 subnets, see [1]. References [0] https://docs.aws.amazon.com/local-zones/latest/ug/how-local-zones-work.html#considerations [1] https://docs.aws.amazon.com/wavelength/latest/developerguide/wavelength-quotas.html#vpc-considerations
diff --git a/pkg/cloud/services/network/routetables.go b/pkg/cloud/services/network/routetables.go
@@ -385,11 +385,10 @@ func (s *Service) getRouteTableTagParams(id string, public bool, zone string) in
 func (s *Service) getRoutesToPublicSubnet(sn *infrav1.SubnetSpec) ([]*ec2.CreateRouteInput, error) {
 	var routes []*ec2.CreateRouteInput
 
-	if sn.IsEdge() && sn.IsIPv6 {
-		return nil, errors.Errorf("can't determine routes for unsupported ipv6 subnet in zone type %q", sn.ZoneType)
-	}
-
 	if sn.IsEdgeWavelength() {
+		if sn.IsIPv6 {
+			return nil, errors.Errorf("can't determine routes for unsupported ipv6 subnet in zone type %q", sn.ZoneType)
+		}
 		if s.scope.VPC().CarrierGatewayID == nil {
 			return routes, errors.Errorf("failed to create carrier routing table: carrier gateway for VPC %q is not present", s.scope.VPC().ID)
 		}
@@ -411,7 +410,7 @@ func (s *Service) getRoutesToPublicSubnet(sn *infrav1.SubnetSpec) ([]*ec2.Create
 func (s *Service) getRoutesToPrivateSubnet(sn *infrav1.SubnetSpec) (routes []*ec2.CreateRouteInput, err error) {
 	var natGatewayID string
 
-	if sn.IsEdge() && sn.IsIPv6 {
+	if sn.IsEdgeWavelength() && sn.IsIPv6 {
 		return nil, errors.Errorf("can't determine routes for unsupported ipv6 subnet in zone type %q", sn.ZoneType)
 	}
 
diff --git a/pkg/cloud/services/network/routetables_test.go b/pkg/cloud/services/network/routetables_test.go
@@ -918,6 +918,17 @@ func TestService_getRoutesForSubnet(t *testing.T) {
 			IsPublic:         true,
 			NatGatewayID:     ptr.To("nat-gw-fromZone-us-east-1a"),
 		},
+		{
+			ResourceID:       "subnet-az-1f-private",
+			AvailabilityZone: "us-east-1f",
+			IsPublic:         false,
+		},
+		{
+			ResourceID:       "subnet-az-1f-public",
+			AvailabilityZone: "us-east-1f",
+			IsPublic:         true,
+			NatGatewayID:     ptr.To("nat-gw-fromZone-us-east-1f"),
+		},
 		{
 			ResourceID:       "subnet-lz-invalid2z-private",
 			AvailabilityZone: "us-east-2-inv-1z",
@@ -974,6 +985,20 @@ func TestService_getRoutesForSubnet(t *testing.T) {
 			ZoneType:         ptr.To(infrav1.ZoneType("wavelength-zone")),
 			ParentZoneName:   ptr.To("us-east-1a"),
 		},
+		{
+			ResourceID:       "subnet-lz-1f-private",
+			AvailabilityZone: "us-east-1-atl-2a",
+			IsPublic:         false,
+			ZoneType:         ptr.To(infrav1.ZoneType("local-zone")),
+			ParentZoneName:   ptr.To("us-east-1f"),
+		},
+		{
+			ResourceID:       "subnet-lz-1f-public",
+			AvailabilityZone: "us-east-1-atl-2a",
+			IsPublic:         true,
+			ZoneType:         ptr.To(infrav1.ZoneType("local-zone")),
+			ParentZoneName:   ptr.To("us-east-1f"),
+		},
 	}
 
 	vpcName := "vpc-test-for-routes"
@@ -1126,19 +1151,28 @@ func TestService_getRoutesForSubnet(t *testing.T) {
 			},
 			wantErrMessage: `failed to create carrier routing table: carrier gateway for VPC "vpc-test-for-routes" is not present`,
 		},
-		// public subnet ipv6, unsupported
 		{
-			name: "public ipv6 subnet, local zone, must return error for unsupported ip version",
+			name: "public ipv6 subnet, local zone, must have ipv6 default route to igw",
 			inputSubnet: &infrav1.SubnetSpec{
 				ResourceID:       "subnet-lz-1a-public",
-				AvailabilityZone: "us-east-1-nyc-1a",
+				AvailabilityZone: "us-east-1-atl-2a",
 				IsPublic:         true,
 				IsIPv6:           true,
 				ZoneType:         ptr.To(infrav1.ZoneType("local-zone")),
-				ParentZoneName:   aws.String("us-east-1a"),
+				ParentZoneName:   aws.String("us-east-1f"),
+			},
+			want: []*ec2.CreateRouteInput{
+				{
+					DestinationCidrBlock: aws.String("0.0.0.0/0"),
+					GatewayId:            aws.String("vpc-igw"),
+				},
+				{
+					DestinationIpv6CidrBlock: aws.String("::/0"),
+					GatewayId:                aws.String("vpc-igw"),
+				},
 			},
-			wantErrMessage: `can't determine routes for unsupported ipv6 subnet in zone type "local-zone"`,
 		},
+		// public subnet ipv6, unsupported
 		{
 			name: "public ipv6 subnet, wavelength zone, must return error for unsupported ip version",
 			inputSubnet: &infrav1.SubnetSpec{
@@ -1199,9 +1233,8 @@ func TestService_getRoutesForSubnet(t *testing.T) {
 				},
 			},
 		},
-		// egress-only subnet ipv6
 		{
-			name: "egress-only ipv6 subnet, availability zone, must have ipv6 default route to egress-only gateway",
+			name: "private ipv6 subnet, availability zone, must have ipv6 default route to egress-only gateway",
 			inputSubnet: &infrav1.SubnetSpec{
 				ResourceID:       "subnet-az-1a-private",
 				AvailabilityZone: "us-east-1a",
@@ -1238,19 +1271,32 @@ func TestService_getRoutesForSubnet(t *testing.T) {
 			},
 			wantErrMessage: `ipv6 block missing for ipv6 enabled subnet, can't create route for egress only internet gateway`,
 		},
-		// private subnet ipv6, unsupported
 		{
-			name: "private ipv6 subnet, local zone, must return unsupported",
+			name: "private ipv6 subnet, local zone, must have ipv6 default route to egress-only gateway",
 			inputSubnet: &infrav1.SubnetSpec{
 				ResourceID:       "subnet-lz-1a-private",
-				AvailabilityZone: "us-east-1-nyc-a",
+				AvailabilityZone: "us-east-1-atl-2a",
 				IsIPv6:           true,
 				IsPublic:         false,
 				ZoneType:         ptr.To(infrav1.ZoneType("local-zone")),
-				ParentZoneName:   aws.String("us-east-1a"),
+				ParentZoneName:   aws.String("us-east-1f"),
+			},
+			want: []*ec2.CreateRouteInput{
+				{
+					DestinationCidrBlock: aws.String("0.0.0.0/0"),
+					NatGatewayId:         aws.String("nat-gw-fromZone-us-east-1f"),
+				},
+				{
+					DestinationIpv6CidrBlock: aws.String("64:ff9b::/96"),
+					NatGatewayId:             aws.String("nat-gw-fromZone-us-east-1f"),
+				},
+				{
+					DestinationIpv6CidrBlock:    aws.String("::/0"),
+					EgressOnlyInternetGatewayId: aws.String("vpc-eigw"),
+				},
 			},
-			wantErrMessage: `can't determine routes for unsupported ipv6 subnet in zone type "local-zone"`,
 		},
+		// private subnet ipv6, unsupported
 		{
 			name: "private ipv6 subnet, wavelength zone, must return unsupported",
 			inputSubnet: &infrav1.SubnetSpec{
@@ -1287,21 +1333,22 @@ func TestService_getRoutesForSubnet(t *testing.T) {
 			specOverrideNet: func() *infrav1.NetworkSpec {
 				net := defaultNetwork.DeepCopy()
 				for i := range net.Subnets {
-					if net.Subnets[i].AvailabilityZone == "us-east-1a" && net.Subnets[i].IsPublic {
-						net.Subnets[i].NatGatewayID = nil
+					if net.Subnets[i].IsPublic {
+						sn := &net.Subnets[i]
+						sn.NatGatewayID = nil
 					}
 				}
 				return net
 			}(),
 			inputSubnet: &infrav1.SubnetSpec{
 				ResourceID:       "subnet-lz-1a-private",
 				AvailabilityZone: "us-east-1-nyc-1a",
-				IsIPv6:           true,
+				IsIPv6:           false,
 				IsPublic:         false,
 				ZoneType:         ptr.To(infrav1.ZoneType("local-zone")),
 				ParentZoneName:   aws.String("us-east-1a"),
 			},
-			wantErrMessage: `can't determine routes for unsupported ipv6 subnet in zone type "local-zone"`,
+			wantErrMessage: `no nat gateways available in "us-east-1-nyc-1a" for private edge subnet "subnet-lz-1a-private", current state: map[]`,
 		},
 		{
 			name: "private ipv4 subnet, wavelength zone, must return error when invalid gateway",
diff --git a/pkg/cloud/services/network/subnets.go b/pkg/cloud/services/network/subnets.go
@@ -543,7 +543,7 @@ func (s *Service) createSubnet(sn *infrav1.SubnetSpec) (*infrav1.SubnetSpec, err
 	// https://docs.aws.amazon.com/local-zones/latest/ug/how-local-zones-work.html#considerations
 	// Wavelength Zones is currently not supporting IPv6 subnets.
 	// https://docs.aws.amazon.com/wavelength/latest/developerguide/wavelength-quotas.html#vpc-considerations
-	if sn.IsIPv6 && sn.IsEdge() {
+	if sn.IsIPv6 && sn.IsEdgeWavelength() {
 		err := fmt.Errorf("failed to create subnet: IPv6 is not supported with zone type %q", sn.ZoneType)
 		record.Warnf(s.scope.InfraCluster(), "FailedCreateSubnet", "Failed creating managed Subnet for edge zones: %v", err)
 		return nil, err
diff --git a/pkg/cloud/services/network/subnets_test.go b/pkg/cloud/services/network/subnets_test.go
@@ -3282,16 +3282,16 @@ func TestReconcileSubnets(t *testing.T) {
 			errorMessageExpected: `expected the zone attributes to be populated to subnet: unable to update zone information for subnet 'subnet-private-us-east-1a' and zone 'us-east-1a'`,
 		},
 		{
-			name: "Managed VPC, edge zones, error when IPv6 subnet",
+			name: "Managed VPC, edge zones, error when IPv6 Wavelength subnet",
 			input: func() *ClusterScopeBuilder {
 				net := stubNetworkSpecWithSubnetsEdge.DeepCopy()
 				// Only AZ and LZ to simplify the goal
 				net.Subnets = infrav1.Subnets{}
 				for i := range stubSubnetsAvailabilityZone {
 					net.Subnets = append(net.Subnets, *stubSubnetsAvailabilityZone[i].DeepCopy())
 				}
-				for i := range stubSubnetsLocalZone {
-					lz := stubSubnetsLocalZone[i].DeepCopy()
+				for i := range stubSubnetsWavelengthZone {
+					lz := stubSubnetsWavelengthZone[i].DeepCopy()
 					lz.IsIPv6 = true
 					net.Subnets = append(net.Subnets, *lz)
 				}
@@ -3309,7 +3309,7 @@ func TestReconcileSubnets(t *testing.T) {
 				stubMockModifySubnetAttributeWithContext(m, "subnet-public-us-east-1a").After(az1Public)
 			},
 			errorExpected:        true,
-			errorMessageExpected: `failed to create subnet: IPv6 is not supported with zone type "local-zone"`,
+			errorMessageExpected: `failed to create subnet: IPv6 is not supported with zone type "wavelength-zone"`,
 		},
 		{
 			name: "Unmanaged VPC, edge zones, existing subnets, one AZ, LZ and WL, expect one private and one public subnets from each of default zones, Local Zone, and Wavelength",
