aws/aws-cdk

[aws-ecs-patterns] `NetworkLoadBalancedFargateService` should allow controlling security group's `allowAllOutbound` setting

Closed this issue · 7 comments

Given a Fargate service backed by a NLB created using ecsPatterns.NetworkLoadBalancedFargateService, when I try to modify the outbound rules on the associated security group using

service.service.connections.allowTo(
    ec2.Peer.ipv4(service.cluster.vpc.vpcCidrBlock),
    ec2.Port.allTraffic(),
    "Allow outbound traffic to the VPC on any TCP port");

the change in the code is not reflected in CloudFormation.

allowFrom* statements work successfully and update the inbound rules of the security group.

Reproduction Steps

import * as ec2 from '@aws-cdk/aws-ec2';
import * as ecsPatterns from '@aws-cdk/aws-ecs-patterns';

const service = new ecsPatterns.NetworkLoadBalancedFargateService(this, 'Service', {...});

// this works: an ingress rule is added to the service's security group
service.service.connections.allowFrom(
    ec2.Peer.ipv4(service.cluster.vpc.vpcCidrBlock),
    ec2.Port.tcp(EcsServiceStack.securedServicePort),
    "Allow traffic from within the VPC to the service secure port");

// this does not work: no egress rule shows up in the synthesized template
service.service.connections.allowTo(
    ec2.Peer.ipv4(service.cluster.vpc.vpcCidrBlock),
    ec2.Port.allTraffic(),
    "Allow outbound traffic to the VPC on any TCP port");

What did you expect to happen?

I expected the security group associated with the service to have an outbound rule to allow traffic to the VPC's CIDR block on all ports.

What actually happened?

The security group has the default outbound rule to allow all traffic.

Environment

  • CLI Version :
  • Framework Version: 1.32.2
  • Node.js Version: v12.18.2
  • OS: Mac OS Catalina 10.15.6
  • Language (Version): TypeScript 3.8.3

Other


This is 🐛 Bug Report

Just found this comment in aws-ec2.SecurityGroupImportOptions:

/**
 * Mark the SecurityGroup as having been created allowing all outbound traffic
 *
 * Only if this is set to false will egress rules be added to this security
 * group. Be aware, this would undo any potential "all outbound traffic"
 * default.
 *
 * @experimental
 * @default true
 */
readonly allowAllOutbound?: boolean;

It explains why changes to the egress rules are ignored.

My recommendation would be:

  1. Fail with an error if an egress rule is added to a security group with allowAllOutbound=true
  2. Add a property to the creation of NetworkLoadBalancedFargateService that will allow setting allowAllOutbound=false
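An added example, not code from this issue, its author, or the CDK itself: because a CDK v1 SecurityGroup created with allowAllOutbound: true returns from addEgressRule without recording anything, the only place to confirm that a connections.allowTo() call took effect is the template that `cdk synth` writes. The TypeScript below audits such a template offline. It flags every AWS::EC2::SecurityGroup whose egress is still any-protocol to 0.0.0.0/0 or ::/0 (or that has no SecurityGroupEgress block at all, which EC2 treats as the implicit allow-all) and checks that the intended VPC-CIDR rule is present. The two embedded templates are constructed for the demo: one mirrors what the issue reports, the other what the author expected; the logical id ServiceSecurityGroup and the 10.0.0.0/16 CIDR are assumptions.

```typescript
// Added example (not from the aws-cdk issue or the CDK): audit a synthesized
// CloudFormation template for security groups whose egress is still wide open.
// CDK v1 silently drops allowTo()/addEgressRule() on a SecurityGroup built with
// allowAllOutbound: true, so the synthesized template is the check that cannot lie.

interface CfnEgressRule {
  IpProtocol: string;      // "-1" means all protocols
  CidrIp?: string;
  CidrIpv6?: string;
  FromPort?: number;
  ToPort?: number;
  Description?: string;
}

interface CfnResource {
  Type: string;
  Properties?: { SecurityGroupEgress?: CfnEgressRule[]; [k: string]: unknown };
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

interface EgressFinding {
  logicalId: string;
  wideOpen: boolean;   // any-protocol egress to 0.0.0.0/0 or ::/0, or no egress block at all
  rules: string[];     // one summary string per egress rule
}

// An explicit any-protocol rule to the whole internet.
function isAllowAll(rule: CfnEgressRule): boolean {
  return rule.IpProtocol === "-1" && (rule.CidrIp === "0.0.0.0/0" || rule.CidrIpv6 === "::/0");
}

function describeRule(rule: CfnEgressRule): string {
  const dest = rule.CidrIp ?? rule.CidrIpv6 ?? "?";
  const ports = rule.IpProtocol === "-1" ? "all" : `${rule.FromPort ?? "?"}-${rule.ToPort ?? "?"}`;
  return `${rule.IpProtocol}:${ports}->${dest}`;
}

// Walk every security group in the template. A missing SecurityGroupEgress
// property is treated as wide open too, because EC2 then applies its default
// allow-all egress rule.
function auditSecurityGroupEgress(template: CfnTemplate): EgressFinding[] {
  const findings: EgressFinding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::EC2::SecurityGroup") continue;
    const egress = res.Properties?.SecurityGroupEgress;
    const wideOpen = egress === undefined || egress.some(isAllowAll);
    findings.push({ logicalId, wideOpen, rules: (egress ?? []).map(describeRule) });
  }
  return findings;
}

// True when the template carries the exact egress rule you asked CDK for.
function hasEgressRule(template: CfnTemplate, logicalId: string, cidr: string, ipProtocol: string): boolean {
  const egress = template.Resources[logicalId]?.Properties?.SecurityGroupEgress ?? [];
  return egress.some(r => r.IpProtocol === ipProtocol && (r.CidrIp === cidr || r.CidrIpv6 === cidr));
}

// CI gate: true only when no security group in the template is wide open.
function egressGate(template: CfnTemplate): boolean {
  return auditSecurityGroupEgress(template).every(f => !f.wideOpen);
}

// Constructed sample: what the issue reports. CDK emitted only its default
// "allow all outbound" rule and ignored the allowTo() call.
const OPEN_TEMPLATE: CfnTemplate = {
  Resources: {
    ServiceSecurityGroup: {   // assumed logical id
      Type: "AWS::EC2::SecurityGroup",
      Properties: {
        GroupDescription: "Service security group",
        SecurityGroupEgress: [
          { CidrIp: "0.0.0.0/0", Description: "Allow all outbound traffic by default", IpProtocol: "-1" },
        ],
      },
    },
  },
};

// Constructed sample: what the author expected, i.e. the group built with
// allowAllOutbound: false so the VPC-CIDR egress rule is actually emitted.
const TIGHTENED_TEMPLATE: CfnTemplate = {
  Resources: {
    ServiceSecurityGroup: {
      Type: "AWS::EC2::SecurityGroup",
      Properties: {
        GroupDescription: "Service security group",
        SecurityGroupEgress: [
          { CidrIp: "10.0.0.0/16", Description: "Allow outbound traffic to the VPC on any port", IpProtocol: "-1" },
        ],
      },
    },
  },
};

const samples: Array<[string, CfnTemplate]> = [["open", OPEN_TEMPLATE], ["tightened", TIGHTENED_TEMPLATE]];
for (const [name, tpl] of samples) {
  for (const f of auditSecurityGroupEgress(tpl)) {
    console.log(`${name}: ${f.logicalId} wideOpen=${f.wideOpen} rules=[${f.rules.join(", ")}] gate=${egressGate(tpl)}`);
  }
}
```

Point it at cdk.out/<Stack>.template.json after `cdk synth` and fail the pipeline when egressGate returns false; that catches the silent drop this issue describes before anything is deployed. On the construction side the thread already names the only lever CDK offers: the group has to be created with allowAllOutbound: false (and passed to a construct that accepts a security group), because only then does CDK emit the egress rules you add.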

What is not working in your current setup? Are your connections failing?

Connections are not failing and everything works. However, I would like to have the ability to tighten the security of the service.

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

This problem is still ongoing. Can this be re-opened please?

Why is this closed? The issue is still ongoing. @rix0rrr help please?

Facing security escalations because of this. Is there any solution for this?