
VPC Endpoint is not automatically connectable from instances inside VPC #4589

Closed
jd-carroll opened this issue Oct 18, 2019 · 0 comments · Fixed by #4908
Labels: @aws-cdk/aws-ec2 (Related to Amazon Elastic Compute Cloud), feature-request (A feature should be added or improved.), needs-reproduction (This issue needs reproduction.)

Comments

@jd-carroll (Contributor)

When creating a new VPC Endpoint, the default security group created by the endpoint is not configured with an inbound rule for the provided port.

Reproduction Steps

import * as cdk from '@aws-cdk/core';
import * as ec2 from '@aws-cdk/aws-ec2';

const app = new cdk.App();
const stack = new cdk.Stack(app, 'stack');

const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 1 });

// The security group the endpoint creates for itself has no inbound rule for port 443.
const ssmEndpoint = new ec2.InterfaceVpcEndpoint(stack, 'ssm-interface', {
  vpc,
  service: {
    name: `com.amazonaws.${cdk.Aws.REGION}.ssm`,
    port: 443
  }
});

The fix is to add:

// Allow inbound 443 from the whole VPC CIDR on the endpoint's own security group.
const securityGroups = ssmEndpoint.connections.securityGroups;
securityGroups[0].addIngressRule(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(443));

Error Log

The generated [relevant] CloudFormation is initially:

    "ssminterfaceSecurityGroupA5BC2091": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "stack/ssm-interface/SecurityGroup",
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "Description": "Allow all outbound traffic by default",
            "IpProtocol": "-1"
          }
        ],
        "VpcId": {
          "Ref": "Vpc8378EB38"
        }
      },
      "Metadata": {
        "aws:cdk:path": "stack/ssm-interface/SecurityGroup/Resource"
      }
    },

After the fix, it is:

    "ssminterfaceSecurityGroupA5BC2091": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "stack/ssm-interface/SecurityGroup",
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "Description": "Allow all outbound traffic by default",
            "IpProtocol": "-1"
          }
        ],
        "SecurityGroupIngress": [
          {
            "CidrIp": {
              "Fn::GetAtt": [
                "Vpc8378EB38",
                "CidrBlock"
              ]
            },
            "Description": {
              "Fn::Join": [
                "",
                [
                  "from ",
                  {
                    "Fn::GetAtt": [
                      "Vpc8378EB38",
                      "CidrBlock"
                    ]
                  },
                  ":443"
                ]
              ]
            },
            "FromPort": 443,
            "IpProtocol": "tcp",
            "ToPort": 443
          }
        ],
        "VpcId": {
          "Ref": "Vpc8378EB38"
        }
      },
      "Metadata": {
        "aws:cdk:path": "stack/ssm-interface/SecurityGroup/Resource"
      }
    },

Environment

  • CLI Version : 1.12.0
  • Framework Version: 1.12.0
  • OS : All
  • Language : All

This is 🐛 Bug Report
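The gap the report describes (an interface endpoint whose security group has no inbound rule, so nothing in the VPC can reach it) is easy to catch after `cdk synth` by inspecting the template rather than the live account. The following is an added example, not code from this issue or from the aws-cdk project: a dependency-free TypeScript lint over a CloudFormation template that flags interface `AWS::EC2::VPCEndpoint` resources whose security group has no TCP ingress on the service port, and separately flags ingress that is open to `0.0.0.0/0` or `::/0`. The logical ids `Vpc8378EB38` and `ssminterfaceSecurityGroupA5BC2091` are the ones shown above; the endpoint logical id `ssminterface`, the `us-east-1` service name, and the 443 default port are assumptions, and the three sample templates are constructed (trimmed) versions of what the report shows before and after the fix.

```typescript
// Added example (not from the aws-cdk issue or project): lint a synthesized CloudFormation
// template for interface VPC endpoints whose security group has no ingress rule on the
// service port, or whose ingress on that port is open to the world. Port 443 is assumed.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
interface Finding { endpoint: string; securityGroup: string; problem: string; }

// Resolve a literal id, { Ref: X } or { "Fn::GetAtt": [X, ...] } to the logical id X.
function logicalId(v: any): string | undefined {
  if (typeof v === 'string') return v;
  if (v && typeof v === 'object') {
    if (typeof v.Ref === 'string') return v.Ref;
    const att = v['Fn::GetAtt'];
    if (Array.isArray(att) && typeof att[0] === 'string') return att[0];
  }
  return undefined;
}

// Ingress rules that apply to a security group: its inline SecurityGroupIngress list plus
// any standalone AWS::EC2::SecurityGroupIngress resources whose GroupId points at it
// (CDK emits the standalone form for security-group-to-security-group peers).
function ingressRulesFor(template: CfnTemplate, sgId: string): Record<string, any>[] {
  const inline: Record<string, any>[] = template.Resources[sgId]?.Properties?.SecurityGroupIngress ?? [];
  const standalone = Object.values(template.Resources)
    .filter(r => r.Type === 'AWS::EC2::SecurityGroupIngress')
    .map(r => r.Properties ?? {})
    .filter(p => logicalId(p.GroupId) === sgId);
  return inline.concat(standalone);
}

function lintEndpointSecurityGroups(template: CfnTemplate, port = 443): Finding[] {
  const findings: Finding[] = [];
  for (const [epId, ep] of Object.entries(template.Resources)) {
    const props = ep.Properties ?? {};
    if (ep.Type !== 'AWS::EC2::VPCEndpoint' || props.VpcEndpointType !== 'Interface') continue;
    const sgRefs: any[] = props.SecurityGroupIds ?? [];
    if (sgRefs.length === 0) {
      findings.push({ endpoint: epId, securityGroup: '(none)', problem: 'no security group attached' });
      continue;
    }
    for (const ref of sgRefs) {
      const sgId = logicalId(ref);
      // Security groups not defined in this template (imported sg-xxxx ids) cannot be inspected here.
      if (!sgId || template.Resources[sgId]?.Type !== 'AWS::EC2::SecurityGroup') continue;
      const onPort = ingressRulesFor(template, sgId).filter(
        r => r.IpProtocol === 'tcp' && r.FromPort <= port && port <= r.ToPort);
      if (onPort.length === 0) {
        findings.push({ endpoint: epId, securityGroup: sgId,
          problem: `no ingress rule on tcp/${port}; clients inside the VPC cannot reach the endpoint` });
      }
      for (const r of onPort) {
        if (r.CidrIp === '0.0.0.0/0' || r.CidrIpv6 === '::/0') {
          findings.push({ endpoint: epId, securityGroup: sgId,
            problem: `ingress on tcp/${port} is open to ${r.CidrIp ?? r.CidrIpv6}` });
        }
      }
    }
  }
  return findings;
}

// Constructed sample templates, trimmed from what the report shows cdk synth producing.
function endpointTemplate(ingress: Record<string, any>[] | undefined): CfnTemplate {
  const sgProps: Record<string, any> = {
    GroupDescription: 'stack/ssm-interface/SecurityGroup',
    SecurityGroupEgress: [{ CidrIp: '0.0.0.0/0', IpProtocol: '-1' }],
    VpcId: { Ref: 'Vpc8378EB38' },
  };
  if (ingress) sgProps.SecurityGroupIngress = ingress;
  return { Resources: {
    Vpc8378EB38: { Type: 'AWS::EC2::VPC', Properties: { CidrBlock: '10.0.0.0/16' } },
    ssminterfaceSecurityGroupA5BC2091: { Type: 'AWS::EC2::SecurityGroup', Properties: sgProps },
    ssminterface: { Type: 'AWS::EC2::VPCEndpoint', Properties: {   // logical id assumed
      ServiceName: 'com.amazonaws.us-east-1.ssm', VpcEndpointType: 'Interface',
      VpcId: { Ref: 'Vpc8378EB38' },
      SecurityGroupIds: [{ 'Fn::GetAtt': ['ssminterfaceSecurityGroupA5BC2091', 'GroupId'] }],
    } },
  } };
}

const beforeFix = endpointTemplate(undefined);                                  // no ingress at all
const afterFix = endpointTemplate([{ CidrIp: { 'Fn::GetAtt': ['Vpc8378EB38', 'CidrBlock'] },
  FromPort: 443, ToPort: 443, IpProtocol: 'tcp' }]);                           // the fix from the report
const worldOpen = endpointTemplate([{ CidrIp: '0.0.0.0/0', FromPort: 443, ToPort: 443, IpProtocol: 'tcp' }]);

const samples: [string, CfnTemplate][] = [['before fix', beforeFix], ['after fix', afterFix], ['open to the world', worldOpen]];
for (const [name, tpl] of samples) console.log(name, lintEndpointSecurityGroups(tpl));
```

Run it against the JSON that `cdk synth` writes to `cdk.out` (parse the file and pass the object to `lintEndpointSecurityGroups`). The two checks are deliberately separate: a missing rule is the availability bug this issue is about, while a rule from `0.0.0.0/0` is the over-correction to avoid when adding one, since an interface endpoint only needs to accept traffic from the VPC CIDR or, better, from the security groups of the clients that actually call the service.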

@jd-carroll jd-carroll added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 18, 2019
@SomayaB SomayaB added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 18, 2019
@rix0rrr rix0rrr added feature-request A feature should be added or improved. and removed bug This issue is a bug. labels Oct 24, 2019
@rix0rrr rix0rrr changed the title VPC Endpoint Does Not Configure Inbound Port VPC Endpoint is not automatically connectable from instances inside VPC Oct 24, 2019
jogold added a commit to jogold/aws-cdk that referenced this issue Nov 7, 2019
…dpoints

Support a `securityGroups` for interface VPC endpoints in a non breaking way.

Clarify documentation on interface VPC endpoints connections.

Add missing Storage Gateway.

Closes aws#4589
Closes aws#2699
Closes aws#3446
jogold added a commit to jogold/aws-cdk that referenced this issue Nov 7, 2019
…dpoints

Support a `securityGroups` prop for interface VPC endpoints in a non breaking way.

Clarify documentation on interface VPC endpoints connections.

Add missing Storage Gateway.

Closes aws#4589
Closes aws#2699
Closes aws#3446
@mergify mergify bot closed this as completed in #4908 Nov 8, 2019
mergify bot pushed a commit that referenced this issue Nov 8, 2019
…dpoints (#4908)

Support a `securityGroups` prop for interface VPC endpoints in a non breaking way.

Clarify documentation on interface VPC endpoints connections.

Add missing Storage Gateway.

Closes #4589
Closes #2699
Closes #3446
@SomayaB SomayaB added @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud and removed package/vpc labels May 27, 2020
3 participants