What rules should I add to my custom security group to avoid using the default VPC security group and still pass the health check?

0

I've been experimenting with running containerized services on ECS, utilizing the awsvpc network mode and ALB. However, I've encountered an issue where I have to attach the default VPC security group to the ALB's security group for the health checks to pass. Removing it results in the health checks becoming unhealthy. Therefore, I'm wondering what rules I should add within my custom security group to bypass the need for the default VPC security group while still allowing the health checks to pass.

Additionally, I've observed that when using the bridge networking mode, there's no requirement to include the default VPC security group, and health checks still pass.

I have two questions:

What rules should I add to my custom security group to avoid relying on the default VPC security group and still pass the health check?

Why is it unnecessary to add the default VPC security group when using the bridge networking mode, and the health checks still pass?

2 Answers
0

You will need to add rules to allow inbound traffic on the port that the Application Load Balancer (ALB) is using for health checks. By default this is port TCP/443 or TCP/80 depending on whether you specify HTTPS or HTTP health checks. The security group should allow ingress from the ALB security group on the health check port.

When using the bridge network mode, the containers are placed on the same network as the EC2 host instance. This means the security groups of the EC2 instance apply to the containers as well. Since the default VPC security group is associated with EC2 instances by default, it allows the health checks from the ALB to reach the containers without needing to be explicitly added.

In the awsvpc network mode, each container gets its own elastic network interface and thus its own security group.

EXPERT
answered 21 days ago
  • Thank you for your response. However, I have already added the following rules to the custom security group of ALB:

    • All traffic from 10.0.0.0/16

    Yet, it seems I still need to add the default VPC security group. Could you kindly advise on what part I might be missing?

0

As Giovanni mentioned, the security group needs to allow ingress from the ALB security group on the health check port.

See if following the documentation guidelines on security group configurations solves your problem here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html

Or allowing the CIDR ranges on the target group IPv4 Addresses: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-register-targets.html

AWS
answered 21 days ago
  • Hi,

    Thank you for your response. I've already configured the security group to allow all traffic from the source 10.0.0.0/16, which I believe encompasses both HTTP and HTTPS. Therefore, I'm a bit puzzled if the health check requires its own specific IP or if I might have overlooked something?

    Additionally, it's worth mentioning that simply adding the default VPC security group allows everything to function properly.
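Both answers come down to the same check: in awsvpc mode the task ENI's own security group must admit the ALB on the health-check port, either by referencing the ALB's security group or by a CIDR that covers every ALB node address. The following is an added example, not code from either answer or from AWS: a small offline checker over the same `IpPermissions` shape that `describe_security_groups` / `authorize_security_group_ingress` use, with constructed security-group ids, ALB node addresses and port.

```python
"""Check whether an ECS task security group (awsvpc mode) admits ALB health checks.
Added example; all ids, addresses and the port 8080 below are constructed."""
import ipaddress


def permits(rule: dict, alb_sg_id: str, alb_ips: list, port: int) -> bool:
    """True if one ingress rule lets the ALB reach `port` over TCP."""
    proto = rule.get("IpProtocol")
    if proto not in ("-1", "tcp"):          # "-1" = all traffic (no port keys present)
        return False
    if proto == "tcp" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    # Preferred form: the rule references the ALB's security group directly.
    if any(p.get("GroupId") == alb_sg_id for p in rule.get("UserIdGroupPairs", [])):
        return True
    # CIDR form: only sufficient if it covers every ALB node address (these can change).
    nets = [ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])]
    return bool(alb_ips) and all(
        any(ipaddress.ip_address(ip) in n for n in nets) for ip in alb_ips)


def health_check_allowed(task_sg: dict, alb_sg_id: str, alb_ips: list, port: int) -> bool:
    """Evaluate every ingress rule on the task security group."""
    return any(permits(r, alb_sg_id, alb_ips, port) for r in task_sg.get("IpPermissions", []))


def alb_to_task_rule(alb_sg_id: str, port: int) -> dict:
    """IpPermissions entry for authorize_security_group_ingress on the task SG."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": alb_sg_id, "Description": "ALB health checks"}]}


# Constructed placeholders (not real ids): task SG that references the ALB SG on 8080.
ALB_SG = "sg-0alb0000000000000"
TASK_SG_BY_SG = {"GroupId": "sg-0task000000000000",
                 "IpPermissions": [alb_to_task_rule(ALB_SG, 8080)]}
# Constructed: task SG that instead allows all traffic from the VPC CIDR.
TASK_SG_BY_CIDR = {"GroupId": "sg-0task000000000001",
                   "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
# Constructed ALB node addresses; real ones come from the ALB's network interfaces.
ALB_NODE_IPS = ["10.0.1.20", "10.0.2.35"]

if __name__ == "__main__":
    print(health_check_allowed(TASK_SG_BY_SG, ALB_SG, ALB_NODE_IPS, 8080))    # True
    print(health_check_allowed(TASK_SG_BY_CIDR, ALB_SG, ALB_NODE_IPS, 8080))  # True
    print(health_check_allowed(TASK_SG_BY_CIDR, ALB_SG, ["192.168.5.1"], 8080))  # False
```

Run the checker against the security group attached to the task ENIs, not the ALB's own group; a rule on the wrong group passes nothing to the targets.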
