Access to Fargate tasks behind NLB

0

I have a Fargate service behind NLB. I want to provide access to it to 2 external IP only. I have one security group attached to my Fargate tasks Enter image description here

However I still see some random requests in the log like

{"host": "52.211.201.31", "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36", "accept-encoding": "gzip, deflate", "accept": "*/*", "connection": "keep-alive", "content-length": "15", "content-type": "application/x-www-form-urlencoded"}

{"host": "52.211.201.31", "content-length": "20", "accept-encoding": "gzip, deflate", "accept": "*/*", "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36", "connection": "keep-alive", "content-type": "application/x-www-form-urlencoded"}

{"host": "34.240.169.38", "user-agent": "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30", "accept-encoding": "gzip, deflate", "accept": "*/*", "connection": "keep-alive", "content-length": "20", "content-type": "application/x-www-form-urlencoded"}

Fargate is created in following way:


 const taskDefinition = new ecs.FargateTaskDefinition(
      this,
      `${appPrefix}-front-task-def`,
      {
        family: `${appPrefix}-front-task-def-nlb`,
        cpu: 1024 * 2,
        memoryLimitMiB: 8 * 1024,
        runtimePlatform: {
          cpuArchitecture: ecs.CpuArchitecture.ARM64,
          operatingSystemFamily: ecs.OperatingSystemFamily.LINUX,
        },
      },
    );

const container = taskDefinition.addContainer(`${appPrefix}-front-container`, {
      image: cargoWorkspaceImageArm64,
      command: ['./front'],
      logging: logDriver,
      portMappings: [
        // Main port
        {
          containerPort: CONTAINER_PORT,
        },
        // Health check port
        {
          containerPort: HEALTH_CHECK_PORT,
        },
      ],
      environment: {
        S3_WORK_BUCKET: bucket.bucketName,
      },
      // Container health check
      healthCheck: {
        command: ['CMD-SHELL', `curl -f http://localhost:${HEALTH_CHECK_PORT}/status || exit 1`],
        interval: cdk.Duration.seconds(30),
        timeout: cdk.Duration.seconds(5),
        startPeriod: cdk.Duration.seconds(60),
        retries: 3,
      },
    });

container.addPortMappings({
      containerPort: CONTAINER_PORT,
    });
    // Health check port
    container.addPortMappings({
      containerPort: HEALTH_CHECK_PORT,
    });

    const ingestNLBFargateServicePublic = new ecsPatterns.NetworkLoadBalancedFargateService(this, `${appPrefix}-ingest-public-nlb`, {
      cluster,
      serviceName: `${appPrefix}-data-ingest-public-nlb`,
      taskDefinition,
      taskSubnets,
      propagateTags: ecs.PropagatedTagSource.SERVICE,
      publicLoadBalancer: true,
      assignPublicIp: true,
      minHealthyPercent: 100,
      listenerPort: ELB_PORT,
    });

    // Define health check for NLB
    ingestNLBFargateServicePublic.targetGroup.configureHealthCheck({
      path: '/status',
      protocol: elb2.Protocol.HTTP,
      interval: cdk.Duration.minutes(3),
      port: HEALTH_CHECK_PORT.toString(),
    });

    const { connections } = ingestNLBFargateServicePublic.service;

    // Allow all outbound
    // connections.addSecurityGroup(elbSG);

    ALLOWED_INGRESS.forEach((ip) => {
      connections.allowFrom(
        ec2.Peer.ipv4(ip),
        ec2.Port.tcp(ELB_PORT),
        'eStreaming inbound',
      );
    });

    connections.allowFrom(
      ec2.Peer.ipv4(vpc.vpcCidrBlock),
      ec2.Port.tcp(HEALTH_CHECK_PORT),
      'Allow traffic from within the VPC to the service health check port',
    );

    connections.allowFrom(
      ec2.Peer.ipv4(vpc.vpcCidrBlock),
      ec2.Port.tcp(CONTAINER_PORT),
      'Allow traffic from within the VPC container port',
    );

So my question is very simple: what I did wrong to restrict access?

3 Answers
2

Hi, your code seems to attach you security groups to the NLB.

So, every requester bypassing the NLB will not be barred by your sec group.

You have to attach your sec group to the ECS service enforce it on any request.

When working with CLI, you would do it on the nettwork-configuration part of create-services. See https://docs.aws.amazon.com/cli/latest/reference/ecs/create-service.html

Best,

Didier

profile pictureAWS
EXPERT
answered 2 months ago
profile picture
EXPERT
reviewed 2 months ago
0

Hello.

What are the security group settings associated with ECS Fargate?
Isn't it in a state where it can be accessed directly from outside of NLB?

profile picture
EXPERT
answered 2 months ago
  • What are the security group settings associated with ECS Fargate?

    I'm not sure I understand your question. What is "security group settings"? Inbound rules are in the screenshot if you asking about it.

    Isn't it in a state where it can be accessed directly from outside of NLB?

    As I understand, NLB does not have its own SG. So all security control supposed to be done on the target level. This is why I've provided access for 2 selected IPs and for NLB CIDR for health check and Container access.

0

Can you confirm thats the security group in your screen shot is attached to the Fargate Service?

profile picture
EXPERT
answered 2 months ago
  • Yes. Exactly. In the ECS Console I see this SG as the only SG attached to the running tasks.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions