Thanks for the PR! As an uninitiated outsider to this particular corner of the codebase, two questions come to mind:

1. Is there a way we can safely auto-detect this situation and disable route-table listing by heuristic? I am on a minor mission to remove configuration flags. Ideally this would be in the operator itself, but at cilium install time would also be nice.
2. Given that listing route tables can be expensive, it sure seems like we do it too frequently. In your ideal world, what would be a good edge to trigger such a list?

I'm not asking you to do all this, but I'd like to know exactly the problem space.

Do you mind to wait a bit to figure out the best way in #42310 before we start to work on the flag?

@squeed

Q1: Can we auto-detect this?

Safest heuristic: Count route tables per AZ. If there's only one route table in the AZ, all subnets route identically → awareness is pointless. This is provably safe.

Problem with other heuristics (subnet overlap checks, etc): We can't know if "pod traffic needs same routing as nodes" without knowing user intent. Separate subnets might still need identical VPN routes. A
heuristic could silently break hybrid connectivity.

Recommendation: Auto-disable when len(routeTablesInAZ) == 1, otherwise require explicit config. Covers simple VPCs (majority) while avoiding silent failures.

Q2: What's the right trigger for listing route tables?

Current: Every resync (100+/hour)Change frequency of route tables: Hours to weeksRatio: We refetch ~1000× more than they change

Ideal triggers:

1. Cache with 15-30min TTL (solves 98% of the problem immediately)
2. Only fetch when creating ENIs (not on every resync)
3. Lazy load (try simple subnet selection first, only fetch if needed)

Route tables are slow-changing infrastructure. We shouldn't be in the hot path of IPAM resync at all.

In my ideal world:

• Fetch once at startup, cache for 30min
• Skip entirely during periodic resync (only fetch instances/ENIs)
• Refetch on cache expiry or manual trigger

This drops my 600MB/hour to ~12MB/hour (98% reduction) and eliminates the OOM.

The core problem: Route tables are 100× larger than other resources but change just as rarely. We treat them like instances (fetch constantly) when they should be treated like VPC topology (fetch once, cache
long).

I have different opinions where I expressed it in the #42310.

There are 2 issues where my previous PR introduced.

• The OOM issue on operator. That can be resolved by only querying certain field and VPC filter where I mentioned here Significant memory usage increase for AWS Operator with 1.18 #42310 (comment). We can further reduce the memory consumption for other resource like SG, subnets, describe ec2 etc.

• rate limit issue. I know we have 1 min internal full sync which is not ideal, but that shouldn't be the major reason of the issue since AWS refill 20 token sper second. I guess multiple single instance resync in a short time is causing the issue. I could review the ipam logic to see if we can skip VPC, subnet, RT and SG for single instance sync.

I can see your environment having the around 180 subnets and 180 route tables. it's more like route table per subnet. I dont think that's a common setup. Do you mind to share a bit about why? From my view, I usually see people put several subnets together sharing the same route table, where I think that's the target setup that cilium should consider.

Do you mind to share your opinion on my approach in #42310?

@liyihuang Fair points on the architectural approach. I think the disable flag and your refactor are complementary. The flag gives users like @antonipp immediate relief without waiting for the resync refactor. Skip VPC/subnet/RT/SG for instance resync. This helps everyone and is the right long-term fix. Both address different aspects, the flag is pragmatic, your refactor is clean. We can do both incrementally.

For the flag itself: it's low-risk, backwards compatible, and unblocks a real user. I think we should merge it while you work on the resync optimization. Thoughts?

@vietcgi Since we already have a lot of flags, do you mind to see #42529 fixes the issue? If not, let's look into this PR.

I have chatted one of my friends working at AWS as the solution architect in networking area. We all feel the route table should be the resource that only has a few in a VPC. I understand you may have your reason to have 100+ route table, I personally think we should keep it as true by default since that's more common setup for all AWS users if we want to merge this PR

I think this flag could actually be useful, since #42529 should improve the memory usage but we still have the Route Table calls on the critical path of the full resync, so it would be great if we could turn it off. And I'm fine with having the flag be true by default.

Hey @liyihuang

checked out PR #42529. It’s close, but there are a few issues that could break prod:

Cache not initialized, m.vpcs/m.subnets start empty, so InstanceSync() can crash if it runs before the first resync.

Data race, reads happen without locks, writes use a mutex → classic race.

No tests, nothing covers InstanceSync() or cache behavior.

The idea’s solid, but needs cache init, proper locking, and some tests. Until then, PR #42365 is safer short-term.

Commit feddbcc does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

Thanks for comment. Do you mind to put the comments in PR?

Cache not initialized, m.vpcs/m.subnets start empty, so InstanceSync() can crash if it runs before the first resync.

I personally dont think caches can be empty for InstanceSync() since the 1st full sync at here https://github.com/liyihuang/cilium/blob/e56bad826338931f14fe9f8735222b9e0905129a/operator/cmd/root.go#L647-L650.

I dont think there is a way for operator can start and let agent to create CiliumNode.

I'm not sure if I'm following it looks like there is a lock here

e56bad8#diff-120e1fc9482652cdd5001efe26f26ff049c32c601e30d1c3b34e9a3150431faeR386-R392.

Let me think about the testing

Commit 6b2d453 does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

Commits 6b2d453, 40e441b do not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

Commits 6b2d453, 40e441b, 9e2e5e7 do not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

Commit 87d00cf does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

This doesn't look it has been in a passing state for the past three weeks (see the bot's comments above), so switching to draft while it's being worked on.

This pull request has been automatically marked as stale because it
has not had recent activity. It will be closed if no further activity
occurs. Thank you for your contributions.

This pull request has not seen any activity since it was marked stale.
Closing.