I have a CDK stack containing an ECS container built using ApplicationLoadBalancedFargateService (ref.) which allows requests from anywhere. Now I have an updated requirement to allow application access from specific IPs only. So far I didn't find any option to assign a security group to the load balancer in ApplicationLoadBalancedFargateService. I tried testing with
// Import paths assume CDK v2; the question does not state the CDK version.
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
import { ApplicationLoadBalancedFargateService } from 'aws-cdk-lib/aws-ecs-patterns';

// Fargate service behind an ALB with an HTTPS listener (openListener defaults to true).
const service = new ApplicationLoadBalancedFargateService(this, 'Admin', {
  cluster: context.ecsCluster,
  memoryLimitMiB: webService.memoryLimitMiB,
  desiredCount: webService.desiredCount,
  cpu: webService.cpu,
  taskImageOptions: imageOptions,
  taskSubnets: vpcParams.vpcSubnets,
  protocol: elbv2.ApplicationProtocol.HTTPS,
  sslPolicy: elbv2.SslPolicy.TLS12,
  certificate
});

// Second security group that only admits one data-centre address on 443.
const securityGroup = new ec2.SecurityGroup(this, 'AdminVpnSecurityGroup', {
  vpc: context.vpc,
  allowAllOutbound: true
});
securityGroup.addIngressRule(
  ec2.Peer.ipv4('11.22.33.44/32'),
  ec2.Port.tcp(443),
  'Allow inbound traffic from Australia DC'
);

// Attach it to the ALB alongside the security group the construct created.
service.loadBalancer.addSecurityGroup(securityGroup);
This adds an additional security group to my ALB, but the existing rule which allows '0.0.0.0/0' remains there, which I actually want to overwrite.
I didn't find anything in the AWS documentation which allows me to remove the existing security group or anything to overwrite it. Any help on this is much appreciated. Thanks
You can set the property "openListener: false" on the ApplicationLoadBalancedFargateService construct. This will remove the default ingress rule for '0.0.0.0/0' from the default SecurityGroup.
Then you can add a secondary group to the ALB as in your example.
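The check a practitioner wants after applying that answer, as an added example that is not part of the question or the answer: run `cdk synth --json` (or read cdk.out/<Stack>.template.json), load the template, and fail the build if any security group in it still exposes the listener port to 0.0.0.0/0 or ::/0. Rules from every security group attached to the ALB's network interfaces are combined, which is why adding a /32 group beside the default one never narrowed access in the question, so the audit reports the offending rule wherever it lives rather than inspecting only the group you added. The template below is constructed to mirror what CDK emits for the question's stack; its logical IDs, VPC ID and task port are illustrative.

```typescript
// Added example, not code from the question or the answer. Audits the CloudFormation
// template produced by `cdk synth` for security-group ingress rules that still leave a
// listener port open to the whole internet. Attached security groups are evaluated as a
// union, so the 0.0.0.0/0 rule itself has to disappear (openListener: false does that).

type Json = { [key: string]: any };

export interface OpenIngress {
  securityGroup: string; // logical ID of the AWS::EC2::SecurityGroup that holds the rule
  cidr: string;          // '0.0.0.0/0' or '::/0'
  source: string;        // 'inline', or the logical ID of a standalone SecurityGroupIngress
}

const WORLD = ['0.0.0.0/0', '::/0'];

// A {Ref: X} intrinsic resolves to the logical ID X; a plain string is used as-is.
function logicalId(value: any): string {
  if (typeof value === 'string') return value;
  if (value && typeof value.Ref === 'string') return value.Ref;
  return JSON.stringify(value);
}

// True when the rule's protocol and port range cover `port` (-1 means all traffic).
function covers(rule: Json, port: number): boolean {
  const proto = String(rule.IpProtocol);
  if (proto === '-1') return true;
  if (proto !== 'tcp') return false;
  return Number(rule.FromPort) <= port && port <= Number(rule.ToPort);
}

// The world-open CIDR on a rule, if it has one.
function worldCidr(rule: Json): string | undefined {
  if (WORLD.indexOf(rule.CidrIp) !== -1) return rule.CidrIp;
  if (WORLD.indexOf(rule.CidrIpv6) !== -1) return rule.CidrIpv6;
  return undefined;
}

// Every ingress rule, inline or standalone, that exposes `port` to any source address.
export function auditTemplate(template: Json, port: number): OpenIngress[] {
  const resources: Json = template.Resources || {};
  const findings: OpenIngress[] = [];
  for (const id of Object.keys(resources)) {
    const res: Json = resources[id];
    const props: Json = res.Properties || {};
    if (res.Type === 'AWS::EC2::SecurityGroup') {
      for (const rule of props.SecurityGroupIngress || []) {
        const cidr = worldCidr(rule);
        if (cidr && covers(rule, port)) findings.push({ securityGroup: id, cidr, source: 'inline' });
      }
    } else if (res.Type === 'AWS::EC2::SecurityGroupIngress') {
      const cidr = worldCidr(props);
      if (cidr && covers(props, port)) {
        findings.push({ securityGroup: logicalId(props.GroupId), cidr, source: id });
      }
    }
  }
  return findings;
}

// Constructed sample in the shape CDK emits for the question's stack with the default
// openListener: true; logical IDs and the VPC ID are illustrative, not CDK-generated.
export const BEFORE: Json = {
  Resources: {
    AdminLBSecurityGroup: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: {
        GroupDescription: 'Automatically created Security Group for ELB',
        SecurityGroupIngress: [{ CidrIp: '0.0.0.0/0', IpProtocol: 'tcp', FromPort: 443, ToPort: 443,
                                 Description: 'Allow from anyone on port 443' }],
        VpcId: 'vpc-0123456789abcdef0',
      },
    },
    AdminVpnSecurityGroup: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: {
        GroupDescription: 'Admin VPN',
        SecurityGroupIngress: [{ CidrIp: '11.22.33.44/32', IpProtocol: 'tcp', FromPort: 443, ToPort: 443,
                                 Description: 'Allow inbound traffic from Australia DC' }],
        VpcId: 'vpc-0123456789abcdef0',
      },
    },
    // The task security group admits only the ALB's group: a source-group rule, never flagged.
    AdminServiceFromLB: {
      Type: 'AWS::EC2::SecurityGroupIngress',
      Properties: { IpProtocol: 'tcp', FromPort: 8080, ToPort: 8080,
                    GroupId: { Ref: 'AdminServiceSecurityGroup' },
                    SourceSecurityGroupId: { Ref: 'AdminLBSecurityGroup' } },
    },
  },
};

// The same stack synthesized with openListener: false: the ALB group carries no inline
// ingress, and only the /32 group admits traffic on 443.
export const AFTER: Json = JSON.parse(JSON.stringify(BEFORE));
delete AFTER.Resources.AdminLBSecurityGroup.Properties.SecurityGroupIngress;

console.log('before:', auditTemplate(BEFORE, 443)); // one finding: AdminLBSecurityGroup, inline
console.log('after: ', auditTemplate(AFTER, 443));  // []
```

Point `auditTemplate` at the real synthesized template and the listener port from your stack; a non-empty result means some attached group still admits the world and the new /32 group is not restricting anything.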