aws · Aaxhirrr · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint-cfn-subnet.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint-cfn-subnet.ts
@@ -0,0 +1,38 @@
+import * as cdk from 'aws-cdk-lib';
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+const app = new cdk.App();
+
+class VpcEndpointCfnSubnetStack extends cdk.Stack {
+    constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+        super(scope, id, props);
+
+        const vpc = new ec2.Vpc(this, 'MyVpc', {
+            subnetConfiguration: [
+                {
+                    cidrMask: 24,
+                    name: 'Public',
+                    subnetType: ec2.SubnetType.PUBLIC,
+                },
+            ]
+        });
+
+        const cfnSubnet = new ec2.CfnSubnet(this, 'CfnSubnet', {
+            vpcId: vpc.vpcId,
+            cidrBlock: '10.0.100.0/24',
+            availabilityZone: 'us-east-1a'
+        });
+
+        vpc.addInterfaceEndpoint('SecretsManagerEndpoint', {
+            service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
+            subnets: { subnets: [cfnSubnet as unknown as ec2.ISubnet] },
+        });
+    }
+}
+
+const stack = new VpcEndpointCfnSubnetStack(app, 'aws-cdk-ec2-vpc-endpoint-cfn-subnet');
+
+new IntegTest(app, 'VpcEndpointCfnSubnetTest', {
+    testCases: [stack],
+});
diff --git a/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts b/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts
@@ -652,7 +652,22 @@ abstract class VpcBase extends Resource implements IVpc {
     selection = this.reifySelectionDefaults(selection);
 
     if (selection.subnets !== undefined) {
-      return selection.subnets;
+      return selection.subnets.map(s => {
+        if (s instanceof CfnSubnet) {
+          const cfnSubnet = s as CfnSubnet;
+          const wrapperId = `WrappedSubnet${cfnSubnet.node.addr}`;
+          let wrappedSubnet = this.node.tryFindChild(wrapperId) as ISubnet;
+          if (!wrappedSubnet) {
+            wrappedSubnet = Subnet.fromSubnetAttributes(this, wrapperId, {
+              subnetId: cfnSubnet.ref,
+              availabilityZone: cfnSubnet.availabilityZone,
+              ipv4CidrBlock: cfnSubnet.cidrBlock,
+            });
+          }
+          return wrappedSubnet;
+        }
+        return s;
+      });
     }
 
     let subnets;
@@ -1403,7 +1418,7 @@ export class Vpc extends VpcBase {
       throw new ValidationError('All arguments to Vpc.fromLookup() must be concrete (no Tokens)', scope);
     }
 
-    const filter: {[key: string]: string} = makeTagFilter(options.tags);
+    const filter: { [key: string]: string } = makeTagFilter(options.tags);
 
     // We give special treatment to some tags
     if (options.vpcId) { filter['vpc-id'] = options.vpcId; }
@@ -1413,7 +1428,7 @@ export class Vpc extends VpcBase {
       filter.isDefault = options.isDefault ? 'true' : 'false';
     }
 
-    const overrides: {[key: string]: string} = {};
+    const overrides: { [key: string]: string } = {};
     if (options.region) {
       overrides.region = options.region;
     }
@@ -1642,7 +1657,7 @@ export class Vpc extends VpcBase {
       // If given AZs and stack AZs are both resolved, then validate their compatibility.
       const resolvedStackAzs = this.resolveStackAvailabilityZones(stack.availabilityZones);
       const areGivenAzsSubsetOfStack = resolvedStackAzs.length === 0 ||
-        props.availabilityZones.every(az => Token.isUnresolved(az) ||resolvedStackAzs.includes(az));
+        props.availabilityZones.every(az => Token.isUnresolved(az) || resolvedStackAzs.includes(az));
       if (!areGivenAzsSubsetOfStack) {
         throw new ValidationError(`Given VPC 'availabilityZones' ${props.availabilityZones} must be a subset of the stack's availability zones ${resolvedStackAzs}`, this);
       }
@@ -1829,7 +1844,7 @@ export class Vpc extends VpcBase {
   private createSubnets() {
     const requestedSubnets: RequestedSubnet[] = [];
 
-    this.subnetConfiguration.forEach((configuration)=> (
+    this.subnetConfiguration.forEach((configuration) => (
       this.availabilityZones.forEach((az, index) => {
         requestedSubnets.push({
           availabilityZone: az,

diff --git a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts
@@ -13,6 +13,8 @@ import {
   SubnetFilter,
   SubnetType,
   Vpc,
+  CfnSubnet,
+  ISubnet,
   VpcEndpointDnsRecordIpType,
   VpcEndpointIpAddressType,
 } from '../lib';
@@ -640,6 +642,40 @@ describe('vpc endpoint', () => {
         }),
       })).toThrow();
     });
+    test('endpoint selection works with L1 CfnSubnet passed as ISubnet', () => {
+      // GIVEN
+      const stack = new Stack();
+      const vpc = new Vpc(stack, 'VPC', {
+        subnetConfiguration: [
+          {
+            cidrMask: 24,
+            name: 'Public',
+            subnetType: SubnetType.PUBLIC,
+          },
+        ]
+      });
+
+      const cfnSubnet = new CfnSubnet(stack, 'CfnSubnet', {
+        vpcId: vpc.vpcId,
+        cidrBlock: '10.0.100.0/24',
+        availabilityZone: 'us-east-1a'
+      });
+
+      // WHEN
+      vpc.addInterfaceEndpoint('YourService', {
+        service: InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
+        subnets: { subnets: [cfnSubnet as unknown as ISubnet] },
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', {
+        SubnetIds: [
+          {
+            Ref: 'CfnSubnet',
+          },
+        ],
+      });
+    });
     test('test vpc interface endpoint with cn.com.amazonaws prefix can be created correctly in cn-north-1', () => {
       // GIVEN
       const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region: 'cn-north-1' } });