Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

When creating a security group, allowAllOutbound parameter seems to be ignored

See original GitHub issue

When I create a security group and specify allowAllOutbound=false, a security group with the default egress rule that allows all ports is created anyway. It is called …InstanceSecurityGroup… I can’t find a way to change that.

const securityGroup = new ec2.SecurityGroup(parent, 'SecurityGroup', {
            vpc,
            description: 'xxxx',
            allowAllOutbound: false
        });

Issue Analytics

State:
Created 5 years ago
Comments:10 (3 by maintainers)

Top GitHub Comments

2reactions

areedtomlinsoncommented, Aug 18, 2020

@varunshaji @moehlone The outbound rule you’re seeing (ICMP 252, port 86, destination 255.255.255.255/32) is intentionally set here: https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-ec2/lib/security-group.ts#L509 From the comments:

This is used in order to disable the "all traffic" default of Security Groups.

No machine can ever actually have the 255.255.255.255 IP address, but
in order to lock it down even more we'll restrict to a nonexistent
ICMP traffic type.

Apparently there has to be some rule set to override the “allow all” default. Same net effect as having no outbound rules, just more confusing when you first notice it.

1reaction

fabiopaivacommented, Apr 28, 2021

I had to google why it was creating that rule. Maybe could be used the same example AWS is using

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#aws-properties-ec2-security-group--examples--Remove_the_default_rule