elestivloadbalancingv2: default security group settings for NLB (Network Load Balancer)

[badmintoncryer]

Describe the feature

Currently, CDK's L2 constructs allow setting security groups for NLBs, but this requires explicit configuration.

declare const sg1: ec2.ISecurityGroup;

const lb = new elbv2.NetworkLoadBalancer(this, 'LB', {
  vpc,
  securityGroups: [sg1], // configure SG explicitly
});

This was not originally intended - NLB security group support was implemented later, and the current specification exists to maintain backward compatibility.

#27978
#28494

However, when comparing NLBs without security groups to NLBs with security groups configured, the latter has significantly more advantages. Furthermore, once an NLB is created without security groups, it's impossible to add security group configuration later.

Therefore, I propose using feature flags to make security group configuration the default for NLBs in CDK.

Use Case

Basically, security groups should be configured when creating an NLB, but having to explicitly create and configure security groups feels cumbersome.

// Create an NLB with security group configuration
const lb = new elbv2.NetworkLoadBalancer(this, 'LB', {
  vpc,
});

Proposed Solution

Create security group automatically when props.securityGroups is undefined.

Current implementation

    this.connections = new ec2.Connections({ securityGroups: props.securityGroups });

Proposed implementation (like ALB)

const securityGroups = [props.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {
      vpc: props.vpc,
      description: `Automatically created Security Group for ELB ${Names.uniqueId(this)}`,
      allowAllOutbound: false,
    })];
    this.connections = new ec2.Connections({ securityGroups });

And add disableSecurityGroups prop to create legacy NLB.

const lb = new elbv2.NetworkLoadBalancer(this, 'LB', {
  vpc,
 disableSecurityGroups: true,
});

Other Information

No response

Acknowledgements

• I may will be able to implement this feature request
• This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

2.198.0

AWS CDK CLI version

2.1015.0

Environment details (OS name and version, etc.)

macos

[pahud]

Hi @badmintoncryer,

Thank you for this well-thought-out feature request! This is a great suggestion to improve the default security posture of Network Load Balancers in CDK.

The proposed implementation aligns well with how Application Load Balancers handle security groups and would provide better security by default while maintaining backward compatibility through the disableSecurityGroups option.

A few considerations for the implementation:

1. The default security group should be created with allowAllOutbound: false to match the ALB behavior
2. The feature flag approach with disableSecurityGroups provides a clean way to maintain backward compatibility
3. The implementation should follow the same pattern as ApplicationLoadBalancer for consistency

Since you've indicated you can implement this feature, would you like to proceed with creating a PR? We'll be happy to review and provide guidance during the implementation.

Some tips for the implementation:

• Add unit tests covering both the new default behavior and the disableSecurityGroups option
• Update the API documentation to clearly explain the new default behavior

Let us know if you need any clarification or assistance!

[WinterYukky]

I think to add this props is need more thinking. Because, all most users expect legacy NLB behavior.
Could we following implements. For example, CDK doesn't add SecurityGroups for NLB, until connections.allowXxx() methods using new class that extend Connections class.

[badmintoncryer]

For example, CDK doesn't add SecurityGroups for NLB, until connections.allowXxx() methods using new class that extend Connections class.

@WinterYukky This idea is reasonable for me. I'll try to implement it.

[badmintoncryer]

I haven't properly examined the code yet, but I'm not confident whether it can be achieved in Case 2 below. I'll investigate it later.

declare const nlb: elbv2.INetworkLoadBalancer;
declare const other: IConnectable;

// case1
nlb.connections.allowTo(other, ec2.Port.tcp(1234));

// case2
other.connections.allowTo(nlb, ec2.Port.tcp(2181));