(EC2): document how to workaround Network ACL rule 100

The default NACL created with a custom VPC has a default “100 - Allow All” ingress rule. This should not be the case, since we can’t delete rules after the fact through the CDK.

This is a 🐛 Bug Report

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 9 (3 by maintainers)

Top GitHub Comments

2 reactions
zachgoll commented, May 14, 2022

For anyone stumbling on this in the future, there’s a much simpler solution than expressed above (I’m guessing due to CDK updates). Leaving an example below for a basic VPC with a public subnet and private subnet with a NAT Gateway (CDK default).

This solution of course mirrors the “allow everything” model, but the skeleton is there to customize it however you want. This solution creates a separate network ACL for the public and private subnets (regardless of how many subnets you have).

The not-so-obvious part of this solution is the fact that subnetSelection: { subnetType: ... } is the line that does all the network acl to subnet associations for you. It will dissociate the default network ACL (CDK default) and re-associate these newly created ACLs.

```typescript
import {
    AclCidr,
    AclTraffic,
    Action,
    NetworkAcl,
    SubnetType,
    TrafficDirection,
    Vpc,
} from 'aws-cdk-lib/aws-ec2'

// CDK default layout: one public and one private (NAT) subnet in each of two AZs
const vpc = new Vpc(this, 'VPC', {
    maxAzs: 2,
})

// subnetSelection does the association work: every public subnet is moved off the
// VPC's default network ACL and onto this one
const publicNetworkACL = new NetworkAcl(this, 'PublicNetworkACL', {
    vpc,
    subnetSelection: { subnetType: SubnetType.PUBLIC },
})

// These entries mirror the default "100 - Allow All" rules; narrow them as needed
publicNetworkACL.addEntry('AllowAllIngress', {
    cidr: AclCidr.anyIpv4(),
    ruleNumber: 100,
    traffic: AclTraffic.allTraffic(),
    direction: TrafficDirection.INGRESS,
    ruleAction: Action.ALLOW,
})

publicNetworkACL.addEntry('AllowAllEgress', {
    cidr: AclCidr.anyIpv4(),
    ruleNumber: 100,
    traffic: AclTraffic.allTraffic(),
    direction: TrafficDirection.EGRESS,
    ruleAction: Action.ALLOW,
})

// Same pattern for the private subnets, associated via the PRIVATE_WITH_NAT selection
const privateNetworkACL = new NetworkAcl(this, 'PrivateNetworkACL', {
    vpc,
    subnetSelection: { subnetType: SubnetType.PRIVATE_WITH_NAT },
})

privateNetworkACL.addEntry('AllowAllIngress', {
    cidr: AclCidr.anyIpv4(),
    ruleNumber: 100,
    traffic: AclTraffic.allTraffic(),
    direction: TrafficDirection.INGRESS,
    ruleAction: Action.ALLOW,
})

privateNetworkACL.addEntry('AllowAllEgress', {
    cidr: AclCidr.anyIpv4(),
    ruleNumber: 100,
    traffic: AclTraffic.allTraffic(),
    direction: TrafficDirection.EGRESS,
    ruleAction: Action.ALLOW,
})
```

Hope this helps!

0 reactions
ALFmachine commented, Oct 26, 2022

My current workaround, building off of this concept:

```typescript
import * as cdk from "aws-cdk-lib";
import * as ec2 from "aws-cdk-lib/aws-ec2";
import {
  AwsCustomResource,
  AwsCustomResourcePolicy,
  PhysicalResourceId,
} from "aws-cdk-lib/custom-resources";
import { Construct } from "constructs";

// A Vpc that removes the "100 - Allow All" ingress and egress entries from the
// VPC's default network ACL at deploy time, via an SDK call that the CDK itself
// does not expose (there is no L2 construct for the default NACL's entries).
export class BaseVpc extends ec2.Vpc {
  constructor(scope: Construct, id: string, props: ec2.VpcProps) {
    super(scope, id, props);

    // ID of the default NACL that AWS creates alongside the VPC
    const defaultNacl = this.vpcDefaultNetworkAcl;
    // true = egress entry, false = ingress entry; rule 100 exists in both directions
    const options = [true, false];
    const stack = cdk.Stack.of(this);

    options.forEach((option) => {
      const type = option ? "egress" : "ingress";

      // One custom resource per direction. Only onCreate is defined, so nothing
      // runs on update or delete and the rule is not restored on stack removal.
      new AwsCustomResource(this, `restrict-default-nacl-${type}`, {
        onCreate: {
          action: "deleteNetworkAclEntry",
          parameters: {
            Egress: option,
            NetworkAclId: defaultNacl,
            RuleNumber: 100,
          },
          physicalResourceId: PhysicalResourceId.of(
            `restrict-nacl-${this.vpcId}-${defaultNacl}-${type}`
          ),
          service: "EC2",
        },
        // Scope the custom resource's IAM permission to this one network ACL
        policy: AwsCustomResourcePolicy.fromSdkCalls({
          resources: [
            `arn:aws:ec2:${stack.region}:${stack.account}:network-acl/${defaultNacl}`,
          ],
        }),
      });
    });
  }
}
```
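An added verification step, not code from the issue or from aws-cdk: a pure-TypeScript audit over the shape of `aws ec2 describe-network-acls` output that tells the two workarounds above apart (zachgoll's leaves rule 100 on the default NACL but with no subnets attached; ALFmachine's deletes it) and flags default NACLs where an allow-all rule is still live. The interfaces, function names and sample records are constructed for this example.

```typescript
// Minimal shapes of the EC2 DescribeNetworkAcls response fields the audit reads.
interface NaclEntry { RuleNumber: number; Egress: boolean; Protocol: string; RuleAction: string; CidrBlock?: string; Ipv6CidrBlock?: string }
interface NetworkAclRecord { NetworkAclId: string; IsDefault: boolean; Entries: NaclEntry[]; Associations: { SubnetId: string }[] }
interface Finding { networkAclId: string; direction: "ingress" | "egress"; ruleNumber: number; severity: "high" | "low" }

// True for an entry that allows every protocol from/to every address (the "100 - Allow All" default).
function isAllowAll(e: NaclEntry): boolean {
  const cidr = e.CidrBlock ?? e.Ipv6CidrBlock ?? "";
  return e.RuleAction === "allow" && e.Protocol === "-1" && (cidr === "0.0.0.0/0" || cidr === "::/0");
}

// Report allow-all entries still present on a VPC's default NACL.
// "high": the default NACL is still associated with a subnet, so the rule is live.
// "low": the rule remains but every subnet was re-associated to a custom NACL (zachgoll's approach).
// A default NACL whose rule 100 was deleted (ALFmachine's approach) yields no finding.
function auditDefaultNacls(acls: NetworkAclRecord[]): Finding[] {
  const findings: Finding[] = [];
  for (const acl of acls) {
    if (!acl.IsDefault) continue;
    for (const e of acl.Entries) {
      if (!isAllowAll(e)) continue; // also skips the immutable final deny entry (32767)
      findings.push({
        networkAclId: acl.NetworkAclId,
        direction: e.Egress ? "egress" : "ingress",
        ruleNumber: e.RuleNumber,
        severity: acl.Associations.length > 0 ? "high" : "low",
      });
    }
  }
  return findings;
}

// Constructed sample data, not a real API response: one untouched default NACL,
// one dissociated from its subnets, one with rule 100 deleted, one custom NACL.
const allowAll = (egress: boolean): NaclEntry =>
  ({ RuleNumber: 100, Egress: egress, Protocol: "-1", RuleAction: "allow", CidrBlock: "0.0.0.0/0" });
const finalDeny = (egress: boolean): NaclEntry =>
  ({ RuleNumber: 32767, Egress: egress, Protocol: "-1", RuleAction: "deny", CidrBlock: "0.0.0.0/0" });
const SAMPLE_ACLS: NetworkAclRecord[] = [
  { NetworkAclId: "acl-untouched", IsDefault: true, Associations: [{ SubnetId: "subnet-a" }],
    Entries: [allowAll(false), allowAll(true), finalDeny(false), finalDeny(true)] },
  { NetworkAclId: "acl-dissociated", IsDefault: true, Associations: [],
    Entries: [allowAll(false), allowAll(true), finalDeny(false), finalDeny(true)] },
  { NetworkAclId: "acl-cleaned", IsDefault: true, Associations: [{ SubnetId: "subnet-c" }],
    Entries: [finalDeny(false), finalDeny(true)] },
  { NetworkAclId: "acl-custom-public", IsDefault: false, Associations: [{ SubnetId: "subnet-b" }],
    Entries: [allowAll(false), allowAll(true), finalDeny(false), finalDeny(true)] },
];
console.log(auditDefaultNacls(SAMPLE_ACLS));
```

Feed it the `NetworkAcls` array from a real `describe-network-acls` call to confirm a deployed stack ended up in the state the workaround intended.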