Correct security group egress for CodeDeploy-ing to EC2 instances

0

Hello everyone,

We're using CodeDeploy to deploy to EC2 instances. We've installed the CodeDeploy Agent onto the AMI, which is based on AL2023.

Until recently, the security group assigned to the EC2s would allow egress of all traffic to all ports. We want this to be a more sensible config, but can't find which ports and to which IPs to configure egress, so that CodeDeploy still works. CodeDeploy documentation specifies SSH & RDP ports, and alongside these we added 443, but the CodeDeploy Agent can't communicate with the service.

Has anyone here figured out what ports CodeDeploy needs?

Thank you in advance for your help!

Asked 6 months ago, 261 views
2 Answers
0

Hello.

Have you checked the CodeDeploy Agent logs?
The CodeDeploy Agent should be communicating with the CodeDeploy endpoint over HTTP and HTTPS, so the security group's outbound rules must allow HTTP and HTTPS.
https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments-view-logs.html

Expert
Answered 6 months ago
0

Instantly I'm thinking you need to allow outbound DNS requests on UDP/TCP port 53.

Could it be a resolution problem rather than connectivity?

Other than that it will need port 443 outbound also to connect to the HTTPS endpoints and S3.

Expert
Answered 6 months ago
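
The two answers above name outbound HTTP, HTTPS and DNS (UDP/TCP 53). As an added example, not code from either answer or from AWS, this audits an egress rule set in the `IpPermissionsEgress` shape returned by `aws ec2 describe-security-groups` against those flows; the sample rules are constructed from the question (SSH, RDP, 443), and the function names are hypothetical.

```python
# Added example: audit a security group's egress rules against the outbound
# flows named in the answers on this page. Sample data below is constructed.

# Flows the answers name: HTTP, HTTPS, and DNS over UDP and TCP.
REQUIRED_FLOWS = [
    ("tcp", 443, "HTTPS to the CodeDeploy endpoints and S3"),
    ("tcp", 80, "HTTP"),
    ("udp", 53, "DNS"),
    ("tcp", 53, "DNS (TCP)"),
]


def rule_covers(rule, protocol, port):
    """True if one IpPermissionsEgress entry allows protocol/port outbound."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != protocol:
        return False
    from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def missing_flows(egress_rules):
    """Return the required flows that no egress rule covers.

    Assumption: only protocol and port are checked; the destination
    (IpRanges, PrefixListIds) of a matching rule is not evaluated.
    """
    return [
        (protocol, port, why)
        for protocol, port, why in REQUIRED_FLOWS
        if not any(rule_covers(r, protocol, port) for r in egress_rules)
    ]


# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output (IpPermissionsEgress): SSH, RDP and 443, as in the question.
QUESTION_EGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for protocol, port, why in missing_flows(QUESTION_EGRESS):
        print(f"no egress rule for {protocol}/{port}: {why}")
```

To audit a live group, pass the `IpPermissionsEgress` list from the CLI's JSON output to `missing_flows`.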
