Access to Fargate tasks behind NLB

0

I have a Fargate service behind NLB. I want to provide access to it to 2 external IP only. I have one security group attached to my Fargate tasks Enter image description here

However I still see some random requests in the log like

{"host": "52.211.201.31", "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36", "accept-encoding": "gzip, deflate", "accept": "*/*", "connection": "keep-alive", "content-length": "15", "content-type": "application/x-www-form-urlencoded"}

{"host": "52.211.201.31", "content-length": "20", "accept-encoding": "gzip, deflate", "accept": "*/*", "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36", "connection": "keep-alive", "content-type": "application/x-www-form-urlencoded"}

{"host": "34.240.169.38", "user-agent": "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30", "accept-encoding": "gzip, deflate", "accept": "*/*", "connection": "keep-alive", "content-length": "20", "content-type": "application/x-www-form-urlencoded"}

Fargate is created in following way:


 const taskDefinition = new ecs.FargateTaskDefinition(
      this,
      `${appPrefix}-front-task-def`,
      {
        family: `${appPrefix}-front-task-def-nlb`,
        cpu: 1024 * 2,
        memoryLimitMiB: 8 * 1024,
        runtimePlatform: {
          cpuArchitecture: ecs.CpuArchitecture.ARM64,
          operatingSystemFamily: ecs.OperatingSystemFamily.LINUX,
        },
      },
    );

const container = taskDefinition.addContainer(`${appPrefix}-front-container`, {
      image: cargoWorkspaceImageArm64,
      command: ['./front'],
      logging: logDriver,
      portMappings: [
        // Main port
        {
          containerPort: CONTAINER_PORT,
        },
        // Health check port
        {
          containerPort: HEALTH_CHECK_PORT,
        },
      ],
      environment: {
        S3_WORK_BUCKET: bucket.bucketName,
      },
      // Container health check
      healthCheck: {
        command: ['CMD-SHELL', `curl -f http://localhost:${HEALTH_CHECK_PORT}/status || exit 1`],
        interval: cdk.Duration.seconds(30),
        timeout: cdk.Duration.seconds(5),
        startPeriod: cdk.Duration.seconds(60),
        retries: 3,
      },
    });

container.addPortMappings({
      containerPort: CONTAINER_PORT,
    });
    // Health check port
    container.addPortMappings({
      containerPort: HEALTH_CHECK_PORT,
    });

    const ingestNLBFargateServicePublic = new ecsPatterns.NetworkLoadBalancedFargateService(this, `${appPrefix}-ingest-public-nlb`, {
      cluster,
      serviceName: `${appPrefix}-data-ingest-public-nlb`,
      taskDefinition,
      taskSubnets,
      propagateTags: ecs.PropagatedTagSource.SERVICE,
      publicLoadBalancer: true,
      assignPublicIp: true,
      minHealthyPercent: 100,
      listenerPort: ELB_PORT,
    });

    // Define health check for NLB
    ingestNLBFargateServicePublic.targetGroup.configureHealthCheck({
      path: '/status',
      protocol: elb2.Protocol.HTTP,
      interval: cdk.Duration.minutes(3),
      port: HEALTH_CHECK_PORT.toString(),
    });

    const { connections } = ingestNLBFargateServicePublic.service;

    // Allow all outbound
    // connections.addSecurityGroup(elbSG);

    ALLOWED_INGRESS.forEach((ip) => {
      connections.allowFrom(
        ec2.Peer.ipv4(ip),
        ec2.Port.tcp(ELB_PORT),
        'eStreaming inbound',
      );
    });

    connections.allowFrom(
      ec2.Peer.ipv4(vpc.vpcCidrBlock),
      ec2.Port.tcp(HEALTH_CHECK_PORT),
      'Allow traffic from within the VPC to the service health check port',
    );

    connections.allowFrom(
      ec2.Peer.ipv4(vpc.vpcCidrBlock),
      ec2.Port.tcp(CONTAINER_PORT),
      'Allow traffic from within the VPC container port',
    );

So my question is very simple: what I did wrong to restrict access?

profile picture
Smotrov
已提問 5 個月前檢視次數 269 次
3 個答案
2

Hi, your code seems to attach you security groups to the NLB.

So, every requester bypassing the NLB will not be barred by your sec group.

You have to attach your sec group to the ECS service enforce it on any request.

When working with CLI, you would do it on the nettwork-configuration part of create-services. See https://docs.aws.amazon.com/cli/latest/reference/ecs/create-service.html

Best,

Didier

profile pictureAWS
專家
已回答 5 個月前
profile picture
專家
已審閱 5 個月前
0

Hello.

What are the security group settings associated with ECS Fargate?
Isn't it in a state where it can be accessed directly from outside of NLB?

profile picture
專家
已回答 5 個月前
  • What are the security group settings associated with ECS Fargate?

    I'm not sure I understand your question. What is "security group settings"? Inbound rules are in the screenshot if you asking about it.

    Isn't it in a state where it can be accessed directly from outside of NLB?

    As I understand, NLB does not have its own SG. So all security control supposed to be done on the target level. This is why I've provided access for 2 selected IPs and for NLB CIDR for health check and Container access.

0

Can you confirm thats the security group in your screen shot is attached to the Fargate Service?

profile picture
專家
已回答 5 個月前
  • Yes. Exactly. In the ECS Console I see this SG as the only SG attached to the running tasks.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南