Access to Fargate tasks behind NLB
I have a Fargate service behind NLB.
I want to provide access to it to 2 external IP only.
I have one security group attached to my Fargate tasks
However I still see some random requests in the log like
{"host": "52.211.201.31", "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36", "accept-encoding": "gzip, deflate", "accept": "*/*", "connection": "keep-alive", "content-length": "15", "content-type": "application/x-www-form-urlencoded"}
{"host": "52.211.201.31", "content-length": "20", "accept-encoding": "gzip, deflate", "accept": "*/*", "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36", "connection": "keep-alive", "content-type": "application/x-www-form-urlencoded"}
{"host": "34.240.169.38", "user-agent": "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30", "accept-encoding": "gzip, deflate", "accept": "*/*", "connection": "keep-alive", "content-length": "20", "content-type": "application/x-www-form-urlencoded"}
Fargate is created in following way:
const taskDefinition = new ecs.FargateTaskDefinition(
this,
`${appPrefix}-front-task-def`,
{
family: `${appPrefix}-front-task-def-nlb`,
cpu: 1024 * 2,
memoryLimitMiB: 8 * 1024,
runtimePlatform: {
cpuArchitecture: ecs.CpuArchitecture.ARM64,
operatingSystemFamily: ecs.OperatingSystemFamily.LINUX,
},
},
);
const container = taskDefinition.addContainer(`${appPrefix}-front-container`, {
image: cargoWorkspaceImageArm64,
command: ['./front'],
logging: logDriver,
portMappings: [
// Main port
{
containerPort: CONTAINER_PORT,
},
// Health check port
{
containerPort: HEALTH_CHECK_PORT,
},
],
environment: {
S3_WORK_BUCKET: bucket.bucketName,
},
// Container health check
healthCheck: {
command: ['CMD-SHELL', `curl -f http://localhost:${HEALTH_CHECK_PORT}/status || exit 1`],
interval: cdk.Duration.seconds(30),
timeout: cdk.Duration.seconds(5),
startPeriod: cdk.Duration.seconds(60),
retries: 3,
},
});
container.addPortMappings({
containerPort: CONTAINER_PORT,
});
// Health check port
container.addPortMappings({
containerPort: HEALTH_CHECK_PORT,
});
const ingestNLBFargateServicePublic = new ecsPatterns.NetworkLoadBalancedFargateService(this, `${appPrefix}-ingest-public-nlb`, {
cluster,
serviceName: `${appPrefix}-data-ingest-public-nlb`,
taskDefinition,
taskSubnets,
propagateTags: ecs.PropagatedTagSource.SERVICE,
publicLoadBalancer: true,
assignPublicIp: true,
minHealthyPercent: 100,
listenerPort: ELB_PORT,
});
// Define health check for NLB
ingestNLBFargateServicePublic.targetGroup.configureHealthCheck({
path: '/status',
protocol: elb2.Protocol.HTTP,
interval: cdk.Duration.minutes(3),
port: HEALTH_CHECK_PORT.toString(),
});
const { connections } = ingestNLBFargateServicePublic.service;
// Allow all outbound
// connections.addSecurityGroup(elbSG);
ALLOWED_INGRESS.forEach((ip) => {
connections.allowFrom(
ec2.Peer.ipv4(ip),
ec2.Port.tcp(ELB_PORT),
'eStreaming inbound',
);
});
connections.allowFrom(
ec2.Peer.ipv4(vpc.vpcCidrBlock),
ec2.Port.tcp(HEALTH_CHECK_PORT),
'Allow traffic from within the VPC to the service health check port',
);
connections.allowFrom(
ec2.Peer.ipv4(vpc.vpcCidrBlock),
ec2.Port.tcp(CONTAINER_PORT),
'Allow traffic from within the VPC container port',
);
So my question is very simple: what I did wrong to restrict access?
- Newest
- Most votes
- Most comments
Hi, your code seems to attach you security groups to the NLB.
So, every requester bypassing the NLB will not be barred by your sec group.
You have to attach your sec group to the ECS service enforce it on any request.
When working with CLI, you would do it on the nettwork-configuration part of create-services. See https://docs.aws.amazon.com/cli/latest/reference/ecs/create-service.html
Best,
Didier
Hello.
What are the security group settings associated with ECS Fargate?
Isn't it in a state where it can be accessed directly from outside of NLB?
What are the security group settings associated with ECS Fargate?
I'm not sure I understand your question. What is "security group settings"? Inbound rules are in the screenshot if you asking about it.
Isn't it in a state where it can be accessed directly from outside of NLB?
As I understand, NLB does not have its own SG. So all security control supposed to be done on the target level. This is why I've provided access for 2 selected IPs and for NLB CIDR for health check and Container access.
Can you confirm thats the security group in your screen shot is attached to the Fargate Service?
Yes. Exactly. In the ECS Console I see this SG as the only SG attached to the running tasks.
Relevant content
- Accepted Answerasked a year ago
- Accepted Answerasked a year ago
- asked 2 years ago
- asked 2 years ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
Hmmm... Does NLB has its own security groups?
Yes, since a few months nlb can have its own security groups, see here: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html
Thank you @HeikoMR As I understand it is not reflected in CDK so far?