Issue Configuring Inbound Rules for Load Balancer Traffic on Fargate Container Across VPCs

0

Hello everyone,

I hope this message finds you well. I am currently facing an issue while configuring inbound rules for the traffic from a Load Balancer in one VPC to a Fargate container in another VPC. Here is a brief overview of my setup:

  • Network Account A with a Load Balancer deployed in VPC A.
  • Fargate container in Network Account B deployed in VPC B.
  • The VPCs are connected via a transit gateway.

According to the Amazon documentation, it should be possible to reference security groups from another VPC in the inbound rules of a security group.

However, when I attempt to implement this, I encounter the following error:

"An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: The security group 'sg-123' does not exist."

I have double-checked my configurations and ensured that the security group ID provided does indeed exist in the connected VPC. Despite this, the error persists.

If anyone has experience with a similar setup or has encountered this issue before, I would greatly appreciate any guidance or insights you could provide. Additionally, if there are alternative approaches to allow Load Balancer traffic to reach the Fargate container across VPCs, I am open to exploring those as well.

Thank you in advance for your assistance!

2 Answers
1
Accepted Answer

Hello.

Transit Gateway cannot refer to security groups in another VPC.
To reference a security group in another VPC, you will need to configure VPC peering.
Therefore, if you are using Transit Gateway, you should set the CIDR of VPC A, where the load balancer is located, as the source IP address range instead of referring to the security group.
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-best-design-practices.html

  • When migrating from VPC peering to use a transit gateway, consider the following:

    • A transit gateway does not support security group referencing.

Security groups can be referenced if the VPCs are VPC peering and are in the same region.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

EXPERT
answered 4 months ago
EXPERT
reviewed 4 months ago
  • Is there any recommendation what to use in this case?

  • You have to use IP address CIDRs in the SG rule

  • As @Gary says, you need to specify the CIDR of the VPC where the load balancer is located in the inbound rule of the security group set for the ECS container.

0

Hi,

Did you properly reference the security group from the remote account: see https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

The peer VPC can be a VPC in your account, or a VPC in another AWS account. To reference a security group in another AWS account, include the account number in the Source or Destination field; for example, 123456789012/sg-1a2b3c4d.

Best,

Didier

AWS
EXPERT
answered 4 months ago
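As an added example (not code from either answer or from AWS), the Python helper below builds the boto3 `IpPermissions` entry for the two cases discussed on this page: the CIDR-based rule the accepted answer and its comments call for when the VPCs are joined by a transit gateway, and the cross-account security-group reference Didier's answer quotes for the VPC-peering case. The port 8080, the account ID 123456789012 and the CIDR 10.1.0.0/16 are constructed sample values; the rule is only built here, not sent to the API.

```python
import ipaddress
from typing import Dict, List, Optional

# How the load balancer's VPC and the Fargate container's VPC are connected.
PEERING = "vpc-peering"
TRANSIT_GATEWAY = "transit-gateway"


def build_ingress_rule(connectivity: str, port: int, lb_sg_id: str,
                       lb_account_id: Optional[str], lb_cidrs: List[str],
                       same_region: bool = True) -> Dict:
    """Build one IpPermissions entry for ec2.authorize_security_group_ingress().

    A security-group reference across VPCs only resolves over VPC peering in the
    same region; over a transit gateway it fails with InvalidGroup.NotFound, so
    the source has to be a CIDR block (ideally the load balancer's subnets, not
    the whole VPC, since every host in the range is allowed through).
    """
    base = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if connectivity == PEERING and same_region:
        pair = {"GroupId": lb_sg_id, "Description": "Load balancer SG (peered VPC)"}
        if lb_account_id:
            # Cross-account reference: boto3 takes the peer account as UserId
            # (the console form quoted above is "123456789012/sg-1a2b3c4d").
            pair["UserId"] = lb_account_id
        return {**base, "UserIdGroupPairs": [pair]}
    if connectivity == TRANSIT_GATEWAY:
        v4, v6 = [], []
        for cidr in lb_cidrs:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits / typos
            if net.prefixlen == 0:
                raise ValueError("refusing a rule that opens the port to everyone")
            desc = "Load balancer VPC/subnet CIDR (via transit gateway)"
            if net.version == 4:
                v4.append({"CidrIp": str(net), "Description": desc})
            else:
                v6.append({"CidrIpv6": str(net), "Description": desc})
        if not (v4 or v6):
            raise ValueError("at least one source CIDR is required over a transit gateway")
        rule = dict(base)
        if v4:
            rule["IpRanges"] = v4
        if v6:
            rule["Ipv6Ranges"] = v6
        return rule
    raise ValueError("SG references need same-region VPC peering; otherwise use CIDRs")


if __name__ == "__main__":
    # Transit-gateway setup from the question: source must be VPC A's CIDR.
    print(build_ingress_rule(TRANSIT_GATEWAY, 8080, "sg-123", None, ["10.1.0.0/16"]))
    # Peering setup: the cross-account SG reference from Didier's answer.
    print(build_ingress_rule(PEERING, 8080, "sg-1a2b3c4d", "123456789012", []))
```

The returned dict is passed as one element of `IpPermissions=[...]` to `authorize_security_group_ingress` on the container's security group.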
