
Set "Enforce inbound rules on PrivateLink traffic" setting in AWS CDK


In order to allow API Gateway access to my private Network Load Balancer in AWS, I need to set the property Enforce inbound rules on PrivateLink traffic to Off (see reference). This is very easy to do from the AWS Console, simply go to the Security tab for the specified Load Balancer.

However, after looking in both the Load Balancer and Security Group CDK references, I cannot find a way to do this from CDK. Even vanilla CloudFormation seems to have no property associated with this feature (AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::EC2::SecurityGroup). Is there any way to set this property from CDK? I have a strict mandate to automate all infrastructure.


Solution

  • TL;DR Use a Custom Resource to set the property with a SetSecurityGroups SDK call.

    The SetSecurityGroups API has an EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic parameter, settable to on or off. See Set up a Network Load Balancer for API Gateway private integrations in the docs.

    You can integrate this API call with your CDK app using a Custom Resource. Custom Resources are a fallback option in cases where a property isn't supported by CloudFormation. The concept exists in both the CDK and CloudFormation. Custom Resources are typically backed by a Lambda, which CloudFormation invokes for you during deployment. The CDK offers several flavors of Custom Resource. The options can be overwhelming.

    Luckily, you can probably use AwsCustomResource, a construct tailored to making AWS SDK calls. Pass SetSecurityGroups as the action prop and EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic: off as a parameter.
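As an added example that is not part of the original answer, in TypeScript: the SetSecurityGroups call descriptor an AwsCustomResource would run, plus a check of a DescribeLoadBalancers response to confirm the change after deployment. The `cr` import, the `nlb` and `sg` constructs and the construct id in the trailing comment are assumptions.

```typescript
// Added example (not from the original answer). Assumes CDK v2's
// aws-cdk-lib/custom-resources AwsCustomResource; CDK wiring is in the trailing comment.
type EnforceSetting = 'on' | 'off';

interface SetSecurityGroupsCall {
  service: string;
  action: string;
  parameters: {
    LoadBalancerArn: string;
    SecurityGroups: string[];
    EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic: EnforceSetting;
  };
}

// SetSecurityGroups replaces the NLB's entire security-group set, so the call must
// carry every group that should stay attached, not only the one being changed.
function buildSetSecurityGroupsCall(arn: string, sgIds: string[], enforce: EnforceSetting): SetSecurityGroupsCall {
  const groups = Array.from(new Set(sgIds));
  if (groups.length === 0) throw new Error('pass the full list of security groups to keep');
  return {
    service: 'ELBv2',
    action: 'SetSecurityGroups',
    parameters: {
      LoadBalancerArn: arn,
      SecurityGroups: groups,
      EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic: enforce,
    },
  };
}

// Subset of a DescribeLoadBalancers response, used to confirm after deployment that
// the setting really changed for the given NLB (undefined = NLB not found / not reported).
interface DescribeResponse {
  LoadBalancers: { LoadBalancerArn: string; EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic?: string }[];
}

function enforcementSetting(resp: DescribeResponse, arn: string): EnforceSetting | undefined {
  const v = resp.LoadBalancers.find((lb) => lb.LoadBalancerArn === arn)
    ?.EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic?.toLowerCase();
  return v === 'on' || v === 'off' ? v : undefined;
}

// CDK wiring (assumed construct names: nlb, sg; least privilege scoped to this NLB's ARN):
// const call = buildSetSecurityGroupsCall(nlb.loadBalancerArn, [sg.securityGroupId], 'off');
// new cr.AwsCustomResource(this, 'PrivateLinkSgEnforcementOff', {
//   onCreate: { ...call, physicalResourceId: cr.PhysicalResourceId.of(nlb.loadBalancerArn) },
//   onUpdate: { ...call, physicalResourceId: cr.PhysicalResourceId.of(nlb.loadBalancerArn) },
//   policy: cr.AwsCustomResourcePolicy.fromSdkCalls({ resources: [nlb.loadBalancerArn] }),
// });
```

Setting the value to off means the NLB's security group no longer filters traffic arriving through the PrivateLink endpoint, so the listener and target rules become the only control on that path.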