An unexpected security group rule

Question

Hi,

An inbound HTTPS(443) TCP rule is added to my SG when I add a VPC Interface Endpoint using the `ec2.Vpc` L1 construct method `addInterfaceEndpoint`. If I use `CfnVPCEndpoint` (commented out below) instead. all is good.

```
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { aws_ec2 as ec2 } from 'aws-cdk-lib';

export class ScratchStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

const vpc = new ec2.Vpc(this, 'vpc', {
    });

const vpcEndpointSg = new ec2.SecurityGroup(this, 'vpc-endpoint-sg', {
      vpc: vpc,
      allowAllOutbound: true
    });

vpc.addInterfaceEndpoint('vpc-endpoint', {
      service: ec2.InterfaceVpcEndpointAwsService.IOT_CORE,
      privateDnsEnabled: false,
      securityGroups: [vpcEndpointSg]
    });

// new ec2.CfnVPCEndpoint(this, 'cfn-vpc-endpoint', {
    //   serviceName: `com.amazonaws.${process.env.CDK_DEFAULT_REGION}.iot.data`,
    //   vpcId: `${vpc.vpcId}`,
    //   vpcEndpointType: 'Interface',
    //   securityGroupIds: [vpcEndpointSg.securityGroupId]
    // });

}
}
```

Thoughts/help welcome.

Thanks, Gary

Accepted Answer

Compared to cloudformation CDK is opinionated and includes settings to shortcut creating a resource. In your example a IOT vpc endpoint must allow 443 inbound for it to be at all useful so this rule is automatically added by default. You can override this be setting the parameter "open" to false (it is default true). See in [docs](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.InterfaceVpcEndpoint.html)

An unexpected security group rule

Relevant content