
ecsPatterns.ApplicationLoadBalancedFargateService always create HTTP target groups #6428

Closed
lemiesz opened this issue Feb 25, 2020 · 3 comments
Assignees
Labels
@aws-cdk/aws-ecs-patterns Related to ecs-patterns library feature-request A feature should be added or improved. guidance Question that needs advice or information. needs-reproduction This issue needs reproduction.

Comments

@lemiesz

lemiesz commented Feb 25, 2020

❓ General Issue

I am creating an ALB ECS service with HTTPS like this

    import * as ecsPatterns from "@aws-cdk/aws-ecs-patterns";
    import * as elbv2 from "@aws-cdk/aws-elasticloadbalancingv2";
    import { HostedZone } from "@aws-cdk/aws-route53";

    // HTTPS listener on 443 in front of a Fargate service; the pattern
    // still creates the target group behind it over HTTP.
    this.service = new ecsPatterns.ApplicationLoadBalancedFargateService(
      this,
      "Service",
      {
        publicLoadBalancer: true,

        domainName: `portal.example.com`,
        domainZone: new HostedZone(this, "HostedZone", {
          zoneName: `example.com`
        }),
        protocol: elbv2.ApplicationProtocol.HTTPS,
        listenerPort: 443,
        cluster: props.ecsCluster,
        memoryLimitMiB: 1024,
        cpu: 512,
        // Pre-built ALB with a security group that only admits 443
        loadBalancer: new elbv2.ApplicationLoadBalancer(this, "ALB", {
          securityGroup: alphaCorp443sg,
          vpc: props.ecsCluster.vpc,
          loadBalancerName: "Portal-ALB",
          internetFacing: true
        }),
      }
    );

The problem is that this always creates the ALB target groups over HTTP, with no option to change to HTTPS.

https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts#L319-L321.

In my current application architecture this does not work since we terminate SSL at the nginx layer, inside each container.

The Question

Why does CDK not allow specifying the target group protocol to use HTTPS?

Environment

  • CDK CLI Version: 1.17.1
  • Module Version: 1.17.1
  • OS: OSX
  • Language: Typescript
@lemiesz lemiesz added the needs-triage This issue or PR still needs to be triaged. label Feb 25, 2020
@lemiesz
Author

lemiesz commented Feb 27, 2020

Ping, anyone got advice on how to solve this? I need end-to-end traffic encryption.

@SomayaB SomayaB added the @aws-cdk/aws-ecs-patterns Related to ecs-patterns library label Feb 27, 2020
@SomayaB SomayaB added guidance Question that needs advice or information. bug This issue is a bug. labels Feb 27, 2020
@SoManyHs SoManyHs added needs-reproduction This issue needs reproduction. feature-request A feature should be added or improved. and removed needs-triage This issue or PR still needs to be triaged. bug This issue is a bug. labels Mar 9, 2020
@SoManyHs SoManyHs assigned uttarasridhar and hencrice and unassigned SoManyHs and piradeepk Mar 9, 2020
@SoManyHs SoManyHs assigned kohidave and unassigned uttarasridhar and hencrice Mar 23, 2020
@kohidave

kohidave commented Mar 23, 2020

Howdy! Thanks for reaching out, and sorry for the delay.

So, to answer the "Why?" part of your question - The reason the pattern redirects to HTTP of your target group is because your Target Group is within your VPC - so doing TLS termination at the Load Balancer level, and trusting the security of your VPC is very common.

HTTPS within a VPC is useful only if you don't trust the actors within your VPC - which we thought would be an uncommon situation.

As to how you can wire up your ALB to talk to an HTTPS Target Group - hmmm. I'm not sure - there's no way, within the pattern, to manually specify the TargetGroup.

If this is something you need now - I'd say you'd have to forgo this particular pattern.

Just to help me out - could you tell me why you want to encrypt traffic once it's within your VPC? My guess is that you might share it with a bunch of other services/teams - is that right?
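
An added check, written for this thread and not code from the issue or from the CDK project, for the configuration both posts above describe (TLS ends at the ALB and the target group behind it speaks plain HTTP): it walks listener and target-group descriptions in the JSON shape returned by `aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups` and reports HTTPS listeners that forward to non-HTTPS groups. The account id and ARNs in the sample are constructed placeholders.

```typescript
// Added example (not from the issue or the CDK project): flag HTTPS listeners
// whose forward action lands on an HTTP target group, i.e. what the pattern
// in this issue produces. Field names follow the JSON of
// `aws elbv2 describe-listeners` / `describe-target-groups`; data is constructed.

interface ForwardAction { Type: string; TargetGroupArn?: string }
interface Listener { ListenerArn: string; Protocol: string; Port: number; DefaultActions: ForwardAction[] }
interface TargetGroup { TargetGroupArn: string; TargetGroupName: string; Protocol: string; Port: number }
interface Finding { listener: string; targetGroup: string; reason: string }

// One finding per HTTPS listener that forwards to a target group that is not HTTPS itself.
function findPlaintextBackends(listeners: Listener[], groups: TargetGroup[]): Finding[] {
  const byArn = new Map(groups.map((g): [string, TargetGroup] => [g.TargetGroupArn, g]));
  const findings: Finding[] = [];
  for (const l of listeners) {
    if (l.Protocol !== "HTTPS") continue; // plaintext front door: out of scope for this check
    for (const a of l.DefaultActions) {
      if (a.Type !== "forward" || !a.TargetGroupArn) continue; // redirect/fixed-response actions
      const tg = byArn.get(a.TargetGroupArn);
      if (!tg) continue; // ARN missing from the describe output: nothing to judge
      if (tg.Protocol !== "HTTPS") {
        findings.push({ listener: l.ListenerArn, targetGroup: tg.TargetGroupName,
          reason: `HTTPS:${l.Port} listener forwards to ${tg.Protocol}:${tg.Port} target group` });
      }
    }
  }
  return findings;
}

// Constructed sample: "pattern-tg" is what the ecs-patterns construct in the issue
// produces (HTTPS:443 listener -> HTTP:80 group); "manual-tg" is a hand-wired HTTPS
// group for comparison. Account id and resource ids are placeholders.
const arn = (kind: string, name: string) =>
  `arn:aws:elasticloadbalancing:us-east-1:111122223333:${kind}/${name}/0123456789abcdef`;
const sampleListeners: Listener[] = [
  { ListenerArn: arn("listener/app/Portal-ALB", "l1"), Protocol: "HTTPS", Port: 443,
    DefaultActions: [{ Type: "forward", TargetGroupArn: arn("targetgroup", "pattern-tg") }] },
  { ListenerArn: arn("listener/app/Portal-ALB", "l2"), Protocol: "HTTPS", Port: 8443,
    DefaultActions: [{ Type: "forward", TargetGroupArn: arn("targetgroup", "manual-tg") }] },
];
const sampleGroups: TargetGroup[] = [
  { TargetGroupArn: arn("targetgroup", "pattern-tg"), TargetGroupName: "pattern-tg", Protocol: "HTTP", Port: 80 },
  { TargetGroupArn: arn("targetgroup", "manual-tg"), TargetGroupName: "manual-tg", Protocol: "HTTPS", Port: 443 },
];

console.log(findPlaintextBackends(sampleListeners, sampleGroups));
```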

@bvtujo
Contributor

bvtujo commented May 5, 2020

Closing this as a duplicate; please refer to #7266 for the latest developments here.
