Issue Configuring Inbound Rules for Load Balancer Traffic on Fargate Container Across VPCs


Hello everyone,

I hope this message finds you well. I am currently facing an issue while configuring inbound rules for the traffic from a Load Balancer in one VPC to a Fargate container in another VPC. Here is a brief overview of my setup:

  • Network Account A with a Load Balancer deployed in VPC A.
  • Fargate container in Network Account B deployed in VPC B.
  • The VPCs are connected via a transit gateway.

According to the Amazon documentation, it should be possible to reference security groups from another VPC in the inbound rules of a security group.

However, when I attempt to implement this, I encounter the following error:

"An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: The security group 'sg-123' does not exist."

I have double-checked my configurations and ensured that the security group ID provided does indeed exist in the connected VPC. Despite this, the error persists.

If anyone has experience with a similar setup or has encountered this issue before, I would greatly appreciate any guidance or insights you could provide. Additionally, if there are alternative approaches to allow Load Balancer traffic to reach the Fargate container across VPCs, I am open to exploring those as well.

Thank you in advance for your assistance!

2 Answers
Accepted Answer

Hello.

Transit Gateway cannot refer to security groups in another VPC.
To reference a security group in another VPC, you will need to configure VPC peering.
Therefore, if you are using Transit Gateway, you should use the CIDR of VPC A, where the load balancer is located, as the source IP address range instead of referring to the security group.
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-best-design-practices.html

  • When migrating from VPC peering to use a transit gateway, consider the following:

    • A transit gateway does not support security group referencing.

Security groups can be referenced if the VPCs are connected via VPC peering and are in the same Region.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

answered 4 months ago
reviewed 4 months ago
  • Is there any recommendation on what to use in this case?

  • You have to use IP address CIDRs in the SG rule.

  • As @Gary says, you need to specify the CIDR of the VPC where the load balancer is located in the inbound rule of the security group set for the ECS container.


Hi,

Did you properly reference the security group from the remote account? See https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-security-groups.html

The peer VPC can be a VPC in your account, or a VPC in another AWS account. To reference 
a security group in another AWS account, include the account number in Source or Destination field; 
for example, 123456789012/sg-1a2b3c4d.

Best,

Didier

answered 4 months ago
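Both answers above come down to one choice of rule shape for the container's security group in VPC B: over a Transit Gateway the source must be an IP range (the accepted answer), while the cross-account `<account-id>/<sg-id>` reference Didier quotes only works over same-Region VPC peering. The script below is an added example written for this page, not code from either answerer or from AWS. It builds the `IpPermissions` payload for each case, prints the matching `aws ec2 authorize-security-group-ingress` command, and shows a point a practitioner should keep in mind with the CIDR approach: a rule for the whole VPC A CIDR admits every host in VPC A, not just the load balancer, so the example narrows it to the subnets the load balancer is attached to. All CIDRs, account IDs and security group IDs are constructed placeholders.

```python
"""IpPermissions builders for load balancer (VPC A) -> Fargate task (VPC B).

Constructed example, not from the original thread. Encodes the rule the
accepted answer states: a Transit Gateway does not support security group
referencing, so the task's SG must admit the load balancer by source CIDR;
over same-Region VPC peering an SG reference (cross-account form: account
ID plus group ID) can be used instead.
"""
import ipaddress
import json
from typing import Dict, List, Optional

# Constructed sample values (assumptions); substitute your own.
VPC_A_CIDR = "10.10.0.0/16"                           # VPC A, where the load balancer lives
ALB_SUBNET_CIDRS = ["10.10.1.0/24", "10.10.2.0/24"]   # subnets the load balancer is attached to
CONTAINER_PORT = 8080                                 # port the Fargate task listens on
LB_ACCOUNT_ID = "111111111111"                        # Network Account A
LB_SG_ID = "sg-0a1b2c3d4e5f67890"                     # load balancer's SG (peering case only)
TASK_SG_ID = "sg-0fedcba9876543210"                   # Fargate task's SG in VPC B


def cidr_ingress(port: int, cidrs: List[str], description: str) -> Dict:
    """Entry admitting TCP `port` from each CIDR: the Transit Gateway case."""
    ranges = []
    for cidr in cidrs:
        # strict=True rejects a host address with a network mask, e.g. 10.10.1.5/24
        net = ipaddress.ip_network(cidr, strict=True)
        ranges.append({"CidrIp": str(net), "Description": description})
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}


def sg_ingress(port: int, group_id: str, account_id: Optional[str], description: str) -> Dict:
    """Entry referencing a security group: VPC peering in the same Region only."""
    pair = {"GroupId": group_id, "Description": description}
    if account_id:
        # Cross-account reference: the owner's account ID goes in UserId,
        # the console equivalent of writing 111111111111/sg-0a1b2c3d4e5f67890.
        pair["UserId"] = account_id
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "UserIdGroupPairs": [pair]}


def container_ingress(connectivity: str) -> Dict:
    """Pick the rule shape the VPC connectivity allows."""
    if connectivity == "tgw":
        # Narrow to the load balancer's subnets rather than the whole VPC A CIDR.
        return cidr_ingress(CONTAINER_PORT, ALB_SUBNET_CIDRS, "ALB subnets in VPC A via TGW")
    if connectivity == "peering":
        return sg_ingress(CONTAINER_PORT, LB_SG_ID, LB_ACCOUNT_ID, "ALB SG in VPC A via peering")
    raise ValueError(f"unknown connectivity {connectivity!r}; expected 'tgw' or 'peering'")


def covers_source(perm: Dict, source_ip: str) -> bool:
    """True if a CIDR-based entry admits `source_ip`; shows how wide a rule really is."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", []))


def cli_command(target_sg_id: str, perm: Dict) -> str:
    """AWS CLI call applying `perm` to the task's SG (run with credentials for Account B)."""
    payload = json.dumps([perm], separators=(",", ":"))
    return (f"aws ec2 authorize-security-group-ingress --group-id {target_sg_id} "
            f"--ip-permissions '{payload}'")


if __name__ == "__main__":
    for mode in ("tgw", "peering"):
        print(f"# {mode}")
        print(cli_command(TASK_SG_ID, container_ingress(mode)))
    whole_vpc = cidr_ingress(CONTAINER_PORT, [VPC_A_CIDR], "all of VPC A")
    stray_host = "10.10.200.7"   # a host in VPC A that is not a load balancer node
    print(f"whole-VPC rule admits {stray_host}: {covers_source(whole_vpc, stray_host)}")
    print(f"subnet rule admits {stray_host}:    {covers_source(container_ingress('tgw'), stray_host)}")
```

The `peering` command will fail with the same `InvalidGroup.NotFound` as in the question if the VPCs are only attached to a Transit Gateway; it succeeds only once a same-Region peering connection between VPC A and VPC B is active. In the `tgw` case, remember that the rule on the task's security group is only half of the path: the load balancer's own security group still needs outbound access to the container port in VPC B, and the Transit Gateway route tables must route both VPCs' CIDRs.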
