Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Suggestion for Alert When Associating New Route Table to Subnet

0

would like to provide a general suggestion regarding the association of route tables with subnets in AWS. Currently, when a new route table is created and attached to a subnet that already has an associated route table, the existing route table is automatically removed and replaced with the new one without any warning or confirmation. This behavior can lead to significant impacts on network configurations and operations.

To enhance user experience and prevent unintentional disruptions, I suggest implementing an alert or confirmation prompt when a user attempts to associate a new route table to a subnet that already has an existing route table. This prompt should inform the user that the older route table will be automatically removed if they proceed with attaching the new route table. This additional step would help users make more informed decisions and avoid potential issues.

The final goal for all of us is to make our work more smooth and clear. This mistake is significant and can have severe consequences. It's a mistake that anyone could easily make, but implementing such an alert would serve as a strong safeguard for AWS Cloud users, helping to prevent these avoidable errors.

Thank you for considering this suggestion. Implementing this feature would greatly improve the usability and reliability of subnet route table associations.

Topics
Networking & Content Delivery
Tags
Amazon VPC
Language
English
asked 2 years ago296 views
2 Answers
3

Hello.

Even if you submit a UI improvement suggestion via AWS re:Post, it is unlikely that your suggestion will be responded to, so I recommend that you submit it using "Feedback" at the bottom left of the AWS Management Console.
a

a

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
EXPERT
reviewed 2 years ago
  • Didier Durand EXPERT
    2 years ago

    Agreed. Also, if you have an account team by AWS, you should reach them out so that they can issue what we call a PFR to request the feature on your behalf via the internal channels.

0

I don't work for AWS or speak on their behalf, but from my general professional experience, I doubt the management console is going to be developed in that direction. However, you can implement your own safeguards by modifying the IAM permissions policies of the users who make those types of mistakes.

For example, you could create a managed IAM policy containing the following and attach it to the IAM roles, IAM users, or user groups to which the IAM users belong. This will prevent route tables from being attached to or detached from subnets without the tag key confirm-route-table-change set to confirm (with "confirm" evaluated case-insensitively) on the subnet, unless the change is being made via CloudFormation.

Your admins/developers would need to confirm that they want to make the modification by adding the confirmation tag on the subnets they know they want to risk replacing the route table for.

To avoid the issue of admins getting lazy and tagging all subnets this way, or simply leaving behind the tag and it still being present when making future changes, you could additionally set an EventBridge Schedule to trigger a Lambda function every day, during the night while the team isn't working. The Lambda function could pull a list of all subnets in the regions where you operate, filter them by the presence of the tag key, and removing it. This way, any confirmation given for a subnet would only be valid while they're making the change and wouldn't be left behind.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnconfirmedRouteTableChangesToSubnets",
            "Effect": "Deny",
            "Action": ["ec2:AssociateRouteTable","ec2:DisassociateRouteTable"],
            "Resource": "arn:aws:ec2:*:*:subnet/*",
            "Condition": {
                "StringNotEqualsIgnoreCaseIfExists": {
                    "aws:ResourceTag/confirm-route-table-change": "confirm"
                },
                "StringNotEqualsIfExists": {
                    "aws:CalledViaLast": "cloudformation.amazonaws.com"
                }
            }
        }
    ]
}
EXPERT
answered 2 years ago
  • Amar Fundipalle
    2 years ago

    Yes, this is absolutely perfect, but why AWS can't make this change, that will be perfect if it shows alerts, i don't think AWS should ignore this.

  • Leo K EXPERT
    2 years ago

    Personally, I don't see how one would be configuring routing without realising routing changes have impact. There aren't and never were any warning boxes for switching a VRF for a subnet/VLAN in on-premises networking gear, either, where the effect and impact would've been exactly the same. In AWS, permissions can be configured to build custom guardrails for details like this, but frankly, I don't think the need for them should be normalised.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content