I have a Fargate service behind an NLB.
I want to provide access to it to 2 external IPs only.
I have one security group attached to my Fargate tasks.
However, I still see some random requests in the log, like:
{"host": "52.211.201.31", "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36", "accept-encoding": "gzip, deflate", "accept": "*/*", "connection": "keep-alive", "content-length": "15", "content-type": "application/x-www-form-urlencoded"}
{"host": "52.211.201.31", "content-length": "20", "accept-encoding": "gzip, deflate", "accept": "*/*", "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36", "connection": "keep-alive", "content-type": "application/x-www-form-urlencoded"}
{"host": "34.240.169.38", "user-agent": "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30", "accept-encoding": "gzip, deflate", "accept": "*/*", "connection": "keep-alive", "content-length": "20", "content-type": "application/x-www-form-urlencoded"}
The Fargate service is created in the following way:
const taskDefinition = new ecs.FargateTaskDefinition(
  this,
  `${appPrefix}-front-task-def`,
  {
    family: `${appPrefix}-front-task-def-nlb`,
    cpu: 1024 * 2,
    memoryLimitMiB: 8 * 1024,
    runtimePlatform: {
      cpuArchitecture: ecs.CpuArchitecture.ARM64,
      operatingSystemFamily: ecs.OperatingSystemFamily.LINUX,
    },
  },
);
const container = taskDefinition.addContainer(`${appPrefix}-front-container`, {
  image: cargoWorkspaceImageArm64,
  command: ['./front'],
  logging: logDriver,
  portMappings: [
    // Main port
    {
      containerPort: CONTAINER_PORT,
    },
    // Health check port
    {
      containerPort: HEALTH_CHECK_PORT,
    },
  ],
  environment: {
    S3_WORK_BUCKET: bucket.bucketName,
  },
  // Container health check
  healthCheck: {
    command: ['CMD-SHELL', `curl -f http://localhost:${HEALTH_CHECK_PORT}/status || exit 1`],
    interval: cdk.Duration.seconds(30),
    timeout: cdk.Duration.seconds(5),
    startPeriod: cdk.Duration.seconds(60),
    retries: 3,
  },
});
// CONTAINER_PORT and HEALTH_CHECK_PORT are already declared in portMappings
// above, so no further container.addPortMappings(...) calls are needed.
const ingestNLBFargateServicePublic = new ecsPatterns.NetworkLoadBalancedFargateService(this, `${appPrefix}-ingest-public-nlb`, {
  cluster,
  serviceName: `${appPrefix}-data-ingest-public-nlb`,
  taskDefinition,
  taskSubnets,
  propagateTags: ecs.PropagatedTagSource.SERVICE,
  publicLoadBalancer: true,
  assignPublicIp: true,
  minHealthyPercent: 100,
  listenerPort: ELB_PORT,
});
// Define health check for NLB
ingestNLBFargateServicePublic.targetGroup.configureHealthCheck({
  path: '/status',
  protocol: elb2.Protocol.HTTP,
  interval: cdk.Duration.minutes(3),
  port: HEALTH_CHECK_PORT.toString(),
});
// Security group rules of the Fargate service (the task security group)
const { connections } = ingestNLBFargateServicePublic.service;
// Allow all outbound
// connections.addSecurityGroup(elbSG);
ALLOWED_INGRESS.forEach((ip) => {
  connections.allowFrom(
    ec2.Peer.ipv4(ip),
    ec2.Port.tcp(ELB_PORT),
    'eStreaming inbound',
  );
});
connections.allowFrom(
  ec2.Peer.ipv4(vpc.vpcCidrBlock),
  ec2.Port.tcp(HEALTH_CHECK_PORT),
  'Allow traffic from within the VPC to the service health check port',
);
connections.allowFrom(
  ec2.Peer.ipv4(vpc.vpcCidrBlock),
  ec2.Port.tcp(CONTAINER_PORT),
  'Allow traffic from within the VPC to the container port',
);
So my question is very simple: what did I do wrong in restricting access?
Hmmm... Does the NLB have its own security groups?
Yes, for a few months now an NLB can have its own security groups; see here: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html
Thank you @HeikoMR. As I understand it, this is not reflected in CDK so far?