[aws-ecs-patterns] `NetworkLoadBalancedFargateService` should allow controlling security group's `allowAllOutbound` setting
Given a Fargate service backed by an NLB created using `ecsPatterns.NetworkLoadBalancedFargateService`, when I try to modify the outbound rules on the associated security group using

```ts
service.service.connections.allowTo(
  ec2.Peer.ipv4(service.cluster.vpc.vpcCidrBlock),
  ec2.Port.allTraffic(),
  "Allow outbound traffic to the VPC on any TCP port");
```

the change in the code is not reflected in CloudFormation. `allowFrom*` statements work successfully and update the inbound rules of the security group.
Reproduction Steps

```ts
const service = new ecsPatterns.NetworkLoadBalancedFargateService(this, 'Service', {...});

// this works: the ingress rule is reflected in the synthesized template
service.service.connections.allowFrom(
  ec2.Peer.ipv4(service.cluster.vpc.vpcCidrBlock),
  ec2.Port.tcp(EcsServiceStack.securedServicePort),
  "Allow traffic from within the VPC to the service secure port");

// this does not work: the egress rule is not reflected in the synthesized template
service.service.connections.allowTo(
  ec2.Peer.ipv4(service.cluster.vpc.vpcCidrBlock),
  ec2.Port.allTraffic(),
  "Allow outbound traffic to the VPC on any TCP port");
```
What did you expect to happen?
I expected the security group associated with the service to have an outbound rule to allow traffic to the VPC's CIDR block on all ports.
What actually happened?
The security group has the default outbound rule to allow all traffic.
Environment
- CLI Version:
- Framework Version: 1.32.2
- Node.js Version: v12.18.2
- OS: Mac OS Catalina 10.15.6
- Language (Version): TypeScript 3.8.3
Other
This is 🐛 Bug Report
Top GitHub Comments
Just found this comment in `aws-ec2.SecurityGroupImportOptions`: It explains why changes to the egress rules are ignored.
My recommendation would be:
Connections are not failing and everything works. However, I would like to have the ability to tighten the security of the service.