
Task Security group for NetworkLoadBalancedEc2Service with Network Mode AWSVPC

0

I use CDK to deploy my app. NetworkLoadBalancedEc2Service is deployed with its own security group to limit inbound access for certain IP addresses.

    // Create the Network Load Balancer with a custom name
    const nlb = new elbv2.NetworkLoadBalancer(this, `${appPrefix}-ingest-nlb`, {
      vpc,
      internetFacing: true,
      loadBalancerName: `${appPrefix}-ingest-nlb`,
      securityGroups: [elbSG],
    });

Then this NLB is used in the NetworkLoadBalancedEc2Service constructor.

The task is created with the awsvpc network mode.

    // Create a task definition
    const taskDefinition = new ecs.Ec2TaskDefinition(this, `${appPrefix}-ingest-nlb-ec2-task-def`, {
      family: `${appPrefix}-ingest-task-arm64`,
      networkMode: ecs.NetworkMode.AWS_VPC,
    });

Thus, each task is supposed to have its own ENI. Now I need to let the NLB access my tasks to send data and do a health check.

    const taskSG = new ec2.SecurityGroup(
      this,
      `${appPrefix}-ingest-nlb-ec2-task-sg`,
      {
        securityGroupName: `${appPrefix}-ingest-nlb-ec2-task-sg`,
        vpc,
        allowAllOutbound: true,
        description: 'Security group for the ECS task',
      },
    );

    taskSG.addIngressRule(
      elbSG,
      ec2.Port.tcp(CONTAINER_PORT),
      'Allow traffic from the NLB',
    );

    taskSG.addIngressRule(
      elbSG,
      ec2.Port.tcp(HEALTH_CHECK_PORT),
      'Allow traffic from the NLB for health check',
    );

    ingestEC2NlbServicePublic.service.connections.addSecurityGroup(taskSG);

But it seems like this security group is not attached to the task's ENI. What am I doing wrong here? In CloudWatch metrics all data generates SecurityGroupBlockedFlowCount_Inbound.

2 Answers
1

In AWS ECS, when using the awsvpc network mode, each task gets its own Elastic Network Interface (ENI) and the security group is attached to this ENI; however, these ENIs are fully managed by Amazon ECS and cannot be detached manually or modified. Instead of defining the security group at the task level, it is necessary to set it at the Elastic Network Interface (ENI).

EXPERT
answered 2 years ago
  • Thank you for the prompt reply. I do understand how to do it in the console. The question is how to do it using CDK. Any hints?

  • Something like this may work:

    const vpc = new ec2.Vpc(this, 'MyVpc', { maxAzs: 2 });
    const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', { vpc });

    const cluster = new ecs.Cluster(this, 'EcsCluster', { vpc });
    cluster.connections.addSecurityGroup(securityGroup);

0
Accepted Answer

Self answer. Adding the security group doesn't work. I don't know why...

    ingestEC2NlbServicePublic.service.connections.addSecurityGroup(taskSG);

Meanwhile, if I use allowFrom it works like a charm.

    const { connections } = ingestEC2NlbServicePublic.service;

    connections.allowFrom(
      elbSG,
      ec2.Port.tcp(HEALTH_CHECK_PORT),
      'Allow traffic from within the VPC to the service health check port',
    );

    connections.allowFrom(
      elbSG,
      ec2.Port.tcp(CONTAINER_PORT),
      'Allow traffic from within the VPC container port',
    );

I suspect it is a CDK bug.

answered 2 years ago
EXPERT
reviewed 2 years ago
