
[aws-ecs-patterns] `NetworkLoadBalancedFargateService` should allow controlling security group's `allowAllOutbound` setting

See original GitHub issue

Given a Fargate service backed by a NLB created using ecsPatterns.NetworkLoadBalancedFargateService, when I try to modify the outbound rules on the associated security group using

service.service.connections.allowTo(
    Peer.ipv4(service.cluster.vpc.vpcCidrBlock),
    ec2.Port.allTraffic(),
    "Allow outbound traffic to the VPC on any TCP port");

the change in the code is not reflected in CloudFormation.

allowFrom* statements work successfully and update the inbound rules of the security group.

Reproduction Steps

const service = new ecsPatterns.NetworkLoadBalancedFargateService(this, 'Service', {...});

// this works:
service.service.connections.allowFrom(
    Peer.ipv4(service.cluster.vpc.vpcCidrBlock),
    ec2.Port.tcp(EcsServiceStack.securedServicePort),
    "Allow traffic from within the VPC to the service secure port");

// this does not work:
service.service.connections.allowTo(
    Peer.ipv4(service.cluster.vpc.vpcCidrBlock),
    ec2.Port.allTraffic(),
    "Allow outbound traffic to the VPC on any TCP port");

What did you expect to happen?

I expected the security group associated with the service to have an outbound rule to allow traffic to the VPC's CIDR block on all ports.

What actually happened?

The security group has the default outbound rule to allow all traffic.

Environment

  • CLI Version:
  • Framework Version: 1.32.2
  • Node.js Version: v12.18.2
  • OS: Mac OS Catalina 10.15.6
  • Language (Version): TypeScript 3.8.3

Other


This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

2 reactions
mllefler commented, Aug 27, 2020

Just found this comment in aws-ec2.SecurityGroupImportOptions:

/**
 * Mark the SecurityGroup as having been created allowing all outbound traffic
 *
 * Only if this is set to false will egress rules be added to this security
 * group. Be aware, this would undo any potential "all outbound traffic"
 * default.
 *
 * @experimental
 * @default true
 */
readonly allowAllOutbound?: boolean;

It explains why changes to the egress rules are ignored.

My recommendation would be:

  1. Fail with an error if an egress rule is added to a security group with allowAllOutbound=true
  2. Add a property to the creation of NetworkLoadBalancedFargateService that will allow setting allowAllOutbound=false
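The doc comment quoted above is the whole mechanism: while allowAllOutbound stays at its default of true, CDK emits a single 0.0.0.0/0 all-traffic egress rule and silently drops any egress rule added later, so the code and the deployed template disagree. Until the construct exposes the flag, the check a practitioner wants is to synthesize and audit the template instead of trusting the construct. The TypeScript below is an added example, not code from the issue or from the CDK project: it takes a CloudFormation template object (the embedded sample is constructed by hand to mirror the shape cdk synth produces, not real cdk.out output) and reports every security group whose egress still allows all traffic, merging inline SecurityGroupEgress entries with standalone AWS::EC2::SecurityGroupEgress resources. The "Disallow all traffic" placeholder it skips is the rule CDK writes for a group created with allowAllOutbound: false before any egress rule is added; treat the exact values of that placeholder as an assumption about CDK internals.

```typescript
// Added example (not from the GitHub issue or the CDK project): audit a synthesized
// CloudFormation template for security groups left at CDK's "allow all outbound" default.

interface CfnResource { Type: string; Properties?: Record<string, any>; }
interface CfnTemplate { Resources: Record<string, CfnResource>; }

interface EgressRule {
  CidrIp?: string; CidrIpv6?: string; IpProtocol: string | number;
  FromPort?: number; ToPort?: number; Description?: string;
}

export interface SgReport { logicalId: string; egress: EgressRule[]; allowsAllOutbound: boolean; }

// "Allow all outbound": every IPv4 or IPv6 destination, every protocol (IpProtocol -1).
function isAllowAllRule(rule: EgressRule): boolean {
  const anyDest = rule.CidrIp === '0.0.0.0/0' || rule.CidrIpv6 === '::/0';
  return anyDest && String(rule.IpProtocol) === '-1';
}

// Assumed CDK placeholder written for allowAllOutbound: false with no egress rules yet;
// it matches no real traffic, so it must not count as a configured rule.
function isCdkPlaceholderDeny(rule: EgressRule): boolean {
  return rule.CidrIp === '255.255.255.255/32' && String(rule.IpProtocol) === 'icmp';
}

// Map a standalone egress resource's GroupId ({Ref} or {Fn::GetAtt: [id, "GroupId"]})
// back to the logical ID of the security group it attaches to.
function egressTargetLogicalId(groupId: any): string | undefined {
  if (groupId && typeof groupId === 'object') {
    if (typeof groupId.Ref === 'string') return groupId.Ref;
    if (Array.isArray(groupId['Fn::GetAtt'])) return groupId['Fn::GetAtt'][0];
  }
  return undefined;
}

export function auditSecurityGroupEgress(template: CfnTemplate): SgReport[] {
  const standalone = new Map<string, EgressRule[]>();
  // Pass 1: standalone AWS::EC2::SecurityGroupEgress resources, keyed by target group.
  for (const res of Object.values(template.Resources)) {
    if (res.Type !== 'AWS::EC2::SecurityGroupEgress') continue;
    const p = res.Properties ?? {};
    const target = egressTargetLogicalId(p.GroupId);
    if (!target) continue;
    const rule: EgressRule = { CidrIp: p.CidrIp, CidrIpv6: p.CidrIpv6, IpProtocol: p.IpProtocol,
      FromPort: p.FromPort, ToPort: p.ToPort, Description: p.Description };
    standalone.set(target, [...(standalone.get(target) ?? []), rule]);
  }
  // Pass 2: merge inline and standalone egress per security group and classify it.
  const reports: SgReport[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::EC2::SecurityGroup') continue;
    const inline: EgressRule[] = res.Properties?.SecurityGroupEgress ?? [];
    const egress = [...inline, ...(standalone.get(logicalId) ?? [])].filter((r) => !isCdkPlaceholderDeny(r));
    reports.push({ logicalId, egress, allowsAllOutbound: egress.some(isAllowAllRule) });
  }
  return reports;
}

export function findAllowAllEgressGroups(template: CfnTemplate): string[] {
  return auditSecurityGroupEgress(template).filter((r) => r.allowsAllOutbound).map((r) => r.logicalId);
}

// Constructed sample (hand-written, not real cdk.out): the service group at CDK's default,
// a group built with allowAllOutbound: false whose allowTo() rules did land, and a group
// with allowAllOutbound: false and no rules yet (placeholder only).
export const sampleTemplate: CfnTemplate = {
  Resources: {
    ServiceSecurityGroupDefault: { Type: 'AWS::EC2::SecurityGroup', Properties: {
      GroupDescription: 'Service/SecurityGroup', VpcId: { Ref: 'Vpc' },
      SecurityGroupEgress: [{ CidrIp: '0.0.0.0/0', Description: 'Allow all outbound traffic by default', IpProtocol: '-1' }],
    } },
    ServiceSecurityGroupTightened: { Type: 'AWS::EC2::SecurityGroup', Properties: {
      GroupDescription: 'Service/TightSecurityGroup', VpcId: { Ref: 'Vpc' },
      SecurityGroupEgress: [{ CidrIp: '10.0.0.0/16', Description: 'Allow outbound traffic to the VPC on any port', IpProtocol: '-1' }],
    } },
    ServiceSecurityGroupTightenedToDb: { Type: 'AWS::EC2::SecurityGroupEgress', Properties: {
      GroupId: { 'Fn::GetAtt': ['ServiceSecurityGroupTightened', 'GroupId'] },
      IpProtocol: 'tcp', FromPort: 5432, ToPort: 5432,
      DestinationSecurityGroupId: { 'Fn::GetAtt': ['DbSecurityGroup', 'GroupId'] },
    } },
    ServiceSecurityGroupLockedDown: { Type: 'AWS::EC2::SecurityGroup', Properties: {
      GroupDescription: 'Service/LockedDownSecurityGroup', VpcId: { Ref: 'Vpc' },
      SecurityGroupEgress: [{ CidrIp: '255.255.255.255/32', Description: 'Disallow all traffic', FromPort: 252, IpProtocol: 'icmp', ToPort: 86 }],
    } },
  },
};

// Offenders for the sample: only the group left at the default.
export const offenders = findAllowAllEgressGroups(sampleTemplate);
```

Run it over `cdk.out/<Stack>.template.json` after `cdk synth` (parse the file with JSON.parse and pass the object to findAllowAllEgressGroups); a non-empty result for the service's security group means the allowTo() calls in the code never reached CloudFormation, which is exactly the symptom reported in this issue.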
1 reaction
mllefler commented, Aug 27, 2020

What is not working in your current setup? Are your connections failing?

Connections are not failing and everything works. However, I would like to have the ability to tighten the security of the service.

