Access to Fargate tasks behind NLB

0

I have a Fargate service behind an NLB. I want to provide access to it to 2 external IPs only. I have one security group attached to my Fargate tasks (screenshot of the security group's inbound rules).

However, I still see some random requests in the log, like:

{"host": "52.211.201.31", "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36", "accept-encoding": "gzip, deflate", "accept": "*/*", "connection": "keep-alive", "content-length": "15", "content-type": "application/x-www-form-urlencoded"}

{"host": "52.211.201.31", "content-length": "20", "accept-encoding": "gzip, deflate", "accept": "*/*", "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36", "connection": "keep-alive", "content-type": "application/x-www-form-urlencoded"}

{"host": "34.240.169.38", "user-agent": "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30", "accept-encoding": "gzip, deflate", "accept": "*/*", "connection": "keep-alive", "content-length": "20", "content-type": "application/x-www-form-urlencoded"}

Fargate is created in the following way:


import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as ecsPatterns from 'aws-cdk-lib/aws-ecs-patterns';
import * as elb2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';

// CONTAINER_PORT, HEALTH_CHECK_PORT, ELB_PORT, ALLOWED_INGRESS, appPrefix, cluster, vpc,
// taskSubnets, bucket, logDriver and cargoWorkspaceImageArm64 are defined elsewhere in the stack.

const taskDefinition = new ecs.FargateTaskDefinition(this, `${appPrefix}-front-task-def`, {
  family: `${appPrefix}-front-task-def-nlb`,
  cpu: 1024 * 2,
  memoryLimitMiB: 8 * 1024,
  runtimePlatform: {
    cpuArchitecture: ecs.CpuArchitecture.ARM64,
    operatingSystemFamily: ecs.OperatingSystemFamily.LINUX,
  },
});

const container = taskDefinition.addContainer(`${appPrefix}-front-container`, {
  image: cargoWorkspaceImageArm64,
  command: ['./front'],
  logging: logDriver,
  portMappings: [
    // Main port
    { containerPort: CONTAINER_PORT },
    // Health check port
    { containerPort: HEALTH_CHECK_PORT },
  ],
  environment: {
    S3_WORK_BUCKET: bucket.bucketName,
  },
  // Container health check
  healthCheck: {
    command: ['CMD-SHELL', `curl -f http://localhost:${HEALTH_CHECK_PORT}/status || exit 1`],
    interval: cdk.Duration.seconds(30),
    timeout: cdk.Duration.seconds(5),
    startPeriod: cdk.Duration.seconds(60),
    retries: 3,
  },
});

// These two calls repeat the mappings that the portMappings array above already declares.
container.addPortMappings({ containerPort: CONTAINER_PORT });
// Health check port
container.addPortMappings({ containerPort: HEALTH_CHECK_PORT });

const ingestNLBFargateServicePublic = new ecsPatterns.NetworkLoadBalancedFargateService(
  this,
  `${appPrefix}-ingest-public-nlb`,
  {
    cluster,
    serviceName: `${appPrefix}-data-ingest-public-nlb`,
    taskDefinition,
    taskSubnets,
    propagateTags: ecs.PropagatedTagSource.SERVICE,
    publicLoadBalancer: true,
    assignPublicIp: true,
    minHealthyPercent: 100,
    listenerPort: ELB_PORT,
  },
);

// Define health check for NLB
ingestNLBFargateServicePublic.targetGroup.configureHealthCheck({
  path: '/status',
  protocol: elb2.Protocol.HTTP,
  interval: cdk.Duration.minutes(3),
  port: HEALTH_CHECK_PORT.toString(),
});

// Security group of the ECS service (attached to the task ENIs)
const { connections } = ingestNLBFargateServicePublic.service;

// Allow all outbound
// connections.addSecurityGroup(elbSG);

// Allow the two external IPs on the listener port
ALLOWED_INGRESS.forEach((ip) => {
  connections.allowFrom(
    ec2.Peer.ipv4(ip),
    ec2.Port.tcp(ELB_PORT),
    'eStreaming inbound',
  );
});

connections.allowFrom(
  ec2.Peer.ipv4(vpc.vpcCidrBlock),
  ec2.Port.tcp(HEALTH_CHECK_PORT),
  'Allow traffic from within the VPC to the service health check port',
);

connections.allowFrom(
  ec2.Peer.ipv4(vpc.vpcCidrBlock),
  ec2.Port.tcp(CONTAINER_PORT),
  'Allow traffic from within the VPC to the container port',
);

So my question is very simple: what did I do wrong in restricting access?
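An added example, not code from the question or from AWS, that replays the posted task security-group rules against the source address a Fargate task actually sees behind a Network Load Balancer. It relies on three documented NLB behaviours: the target-group attribute preserve_client_ip.enabled defaults to false for IP targets behind a TCP listener (the Fargate case), so the task then sees an NLB node's private VPC address as the source rather than the client; forwarded traffic arrives on the port the target group registers for the task (the container port), not on the listener port; and NLB health checks come from the NLB nodes' private addresses in either mode. Every concrete value below (ports, VPC CIDR, NLB node address, allowed and unknown client IPs) is an assumption made up for the demo.

```typescript
// Added example (not the question's CDK code): replay the posted task security-group rules
// against the source address a Fargate task actually sees behind a Network Load Balancer.
// Every concrete value in this section is an assumption chosen for the demo.

type Rule = { cidr: string; port: number; description: string };
type Verdict = { sourceSeen: string; allowed: boolean; matchedRule: string | null };

const VPC_CIDR = "10.0.0.0/16";      // assumed VPC CIDR
const ELB_PORT = 443;                // assumed NLB listener port
const CONTAINER_PORT = 8080;         // assumed port the target group registers per task
const HEALTH_CHECK_PORT = 8081;      // assumed health check port
const NLB_NODE_IP = "10.0.1.23";     // assumed private address of one NLB node in the VPC
const ALLOWED_INGRESS = ["198.51.100.10/32", "203.0.113.7/32"]; // assumed allow-list

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => isNaN(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip falls inside cidr (a bare address is treated as /32).
function inCidr(ip: string, cidr: string): boolean {
  const [base, prefixStr] = cidr.split("/");
  const prefix = prefixStr ? Number(prefixStr) : 32;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// A security group is an allow-list: the packet is admitted if any inbound rule matches
// both the source address and the destination port.
function firstMatch(rules: Rule[], srcIp: string, dstPort: number): Rule | undefined {
  for (const r of rules) {
    if (r.port === dstPort && inCidr(srcIp, r.cidr)) return r;
  }
  return undefined;
}

// preserve_client_ip.enabled=false (the default for IP targets behind a TCP listener)
// means the task sees an NLB node's private address as the source, never the real client.
// Either way the traffic arrives on the registered container port, not on ELB_PORT.
function evaluateClient(rules: Rule[], clientIp: string, preserveClientIp: boolean): Verdict {
  const sourceSeen = preserveClientIp ? clientIp : NLB_NODE_IP;
  const hit = firstMatch(rules, sourceSeen, CONTAINER_PORT);
  return { sourceSeen, allowed: hit !== undefined, matchedRule: hit ? hit.description : null };
}

// NLB health checks originate from the NLB nodes' private addresses in both modes.
function healthCheckAllowed(rules: Rule[]): boolean {
  return firstMatch(rules, NLB_NODE_IP, HEALTH_CHECK_PORT) !== undefined;
}

// The rules exactly as the question builds them.
const rulesAsPosted: Rule[] = [
  ...ALLOWED_INGRESS.map((cidr) => ({ cidr, port: ELB_PORT, description: "eStreaming inbound" })),
  { cidr: VPC_CIDR, port: HEALTH_CHECK_PORT, description: "VPC -> health check port" },
  { cidr: VPC_CIDR, port: CONTAINER_PORT, description: "VPC -> container port" },
];

// Tightened rules: the allow-list on the port the task really receives on, and the VPC-wide
// rule kept only for health checks. Only meaningful with client IP preservation enabled.
const rulesTightened: Rule[] = [
  ...ALLOWED_INGRESS.map((cidr) => ({ cidr, port: CONTAINER_PORT, description: "eStreaming inbound" })),
  { cidr: VPC_CIDR, port: HEALTH_CHECK_PORT, description: "VPC -> health check port" },
];

function demo(): { [name: string]: Verdict } {
  const stranger = "192.0.2.99";     // assumed unknown internet client
  const friend = "198.51.100.10";    // assumed client from ALLOWED_INGRESS
  return {
    postedNoPreserveStranger: evaluateClient(rulesAsPosted, stranger, false),
    postedPreserveFriend: evaluateClient(rulesAsPosted, friend, true),
    tightenedPreserveStranger: evaluateClient(rulesTightened, stranger, true),
    tightenedPreserveFriend: evaluateClient(rulesTightened, friend, true),
  };
}

const verdicts = demo();
for (const name of Object.keys(verdicts)) {
  console.log(name, JSON.stringify(verdicts[name]));
}
console.log("health checks pass with tightened rules:", healthCheckAllowed(rulesTightened));
```

Run it with ts-node or compile with tsc. The first scenario matches the symptom in the question: with client IP preservation off, every client that can reach the public NLB is admitted by the VPC-CIDR rule on the container port, and the allow-list on ELB_PORT is never consulted. The tightened rule set restricts clients only once preservation is switched on for the target group (in CDK the pattern's targetGroup exposes setAttribute('preserve_client_ip.enabled', 'true')); alternatively, since August 2023 an NLB can carry its own security group, which lets the allow-list sit on the load balancer itself while the task group admits only the NLB.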

3 answers
2

Hi, your code seems to attach your security groups to the NLB.

So every requester bypassing the NLB will not be barred by your security group.

You have to attach your security group to the ECS service to enforce it on any request.

When working with the CLI, you would do it in the network-configuration part of create-service. See https://docs.aws.amazon.com/cli/latest/reference/ecs/create-service.html

Best,

Didier

AWS Expert, answered 5 months ago
Expert, reviewed 5 months ago
0

Hello.

What are the security group settings associated with ECS Fargate?
Isn't it in a state where it can be accessed directly from outside of NLB?

Expert, answered 5 months ago
  • What are the security group settings associated with ECS Fargate?

    I'm not sure I understand your question. What are "security group settings"? The inbound rules are in the screenshot, if that is what you are asking about.

    Isn't it in a state where it can be accessed directly from outside of NLB?

    As I understand it, the NLB does not have its own SG. So all security control is supposed to be done at the target level. This is why I've provided access for the 2 selected IPs and for the VPC CIDR for the health check and container access.

0

Can you confirm that the security group in your screenshot is attached to the Fargate service?

Expert, answered 5 months ago
  • Yes. Exactly. In the ECS Console I see this SG as the only SG attached to the running tasks.
