Generated Security Group for Dualstack ALB Doesn't Allow IPv6 Connections #7043

Closed
wbprice opened this issue Mar 27, 2020 · 3 comments · Fixed by #8798
Assignees
Labels
@aws-cdk/aws-elasticloadbalancing Related to Amazon Elastic Load Balancing bug This issue is a bug. good first issue Related to contributions. See CONTRIBUTING.md in-progress This issue is being actively worked on. p2

Comments

@wbprice

wbprice commented Mar 27, 2020

Expected Behavior
When creating an application load balancer (adapted from this example), if I configure ipAddressType to be dualstack, and set internetFacing to true, I would expect the automatically generated security group to allow inbound connections from 0.0.0.0/0 and ::/0.

Actual Behavior
The automatically generated security group only allows inbound connections from 0.0.0.0/0.

Reproduction Steps

Create an application load balancer

    // Imports (aws-cdk v1 packages, matching the 1.31.0 version listed under Environment);
    // `vpc`, `camelCase`, `REGION`, `ENV_CODE` and `IPV6EnabledSubnets` are defined
    // elsewhere in the stack and are not shown here.
    import { ApplicationLoadBalancer, IpAddressType } from "@aws-cdk/aws-elasticloadbalancingv2";

    // Create ALB: internet-facing and dual-stack, so it should accept IPv4 and IPv6 clients
    const lb = new ApplicationLoadBalancer(
      this,
      camelCase(`alb-${REGION}-${ENV_CODE}-api-load-balancer`),
      {
        vpc,
        internetFacing: true,
        ipAddressType: IpAddressType.DUAL_STACK,
        vpcSubnets: {
          subnets: IPV6EnabledSubnets
        },
      }
    );

Note generated security group

[Screenshot: the generated security group's inbound rules, taken 2020-03-27]

Error Log

n/a

Environment

  • aws-cli/2.0.1 Python/3.7.4 Darwin/19.3.0 botocore/2.0.0dev5
  • 1.31.0 (build 8f3ac79)
  • MacOS Catalina (10.15.3)
  • English

Other

I was able to work around this by creating a security group for the load balancer manually and referencing the autoscaling group security group.

    // Imports (aws-cdk v1 packages, matching the 1.31.0 version listed under Environment);
    // `vpc`, `camelCase`, `REGION`, `ENV_CODE`, `IPV6EnabledSubnets` and `autoScalingGroup`
    // are defined elsewhere in the stack and are not shown here.
    import { Peer, Port, SecurityGroup } from "@aws-cdk/aws-ec2";
    import { ApplicationLoadBalancer, IpAddressType } from "@aws-cdk/aws-elasticloadbalancingv2";

    // Create ALB
    // Configure security group for load balancer
    // TODO: I would expect IPv6 to be included for free, this is a workaround in the meantime.
    const lbSecurityGroup = new SecurityGroup(
      this,
      camelCase(`sg-${REGION}-${ENV_CODE}-api-load-balancer`),
      {
        vpc,
        description: "The API load balancer security group",
      }
    );

    // Add ingress and egress rules for load balancer
    lbSecurityGroup.addIngressRule(Peer.anyIpv4(), Port.tcp(443), "Allow IPv4 connections to the security group on port 443");
    lbSecurityGroup.addIngressRule(Peer.anyIpv6(), Port.tcp(443), "Allow IPv6 connections to the security group on port 443");
    lbSecurityGroup.addEgressRule(autoScalingGroup.connections.securityGroups[0], Port.tcp(80), "Allow port 80 IPv4 connections to the autoscaling group");

    // Pass the manually built security group instead of letting the ALB generate one
    const lb = new ApplicationLoadBalancer(
      this,
      camelCase(`alb-${REGION}-${ENV_CODE}-api-load-balancer`),
      {
        vpc,
        internetFacing: true,
        ipAddressType: IpAddressType.DUAL_STACK,
        vpcSubnets: {
          subnets: IPV6EnabledSubnets
        },
        securityGroup: lbSecurityGroup
      }
    );

This is 🐛 Bug Report

@wbprice wbprice added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 27, 2020
@SomayaB SomayaB added the @aws-cdk/aws-elasticloadbalancing Related to Amazon Elastic Load Balancing label Mar 30, 2020
@rix0rrr rix0rrr added effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2 and removed effort/small Small work item – less than a day of effort labels Mar 31, 2020
@ryaeng

ryaeng commented Apr 16, 2020

I'm having trouble traversing this one. Anyone care to walk me through it?

@wbprice
Author

wbprice commented May 8, 2020

Is there some part of the bug I can help explain better?

@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label May 19, 2020
@shivlaks shivlaks added the in-progress This issue is being actively worked on. label Jun 26, 2020
@BryanPan342
Contributor

@wbprice tackling the issue at the moment, will come back with queries if they come up!

@mergify mergify bot closed this as completed in #8798 Jul 2, 2020
mergify bot pushed a commit that referenced this issue Jul 2, 2020
…ss rule (#8798)

**[ISSUE]**
ALB configured with `ipAddressType: dualstack` and `internetFacing: true` missing ingress rule for IPv6. 

**[APPROACH]**
Add a property in `IApplicationLoadBalancer` to obtain `ipAddressType` in listener constructor.
Add a check in `ApplicationListener` constructor to check for `ipAddressType` of `dualstack`.

**[NOTE]**
Implemented `dualstack` check only in the constructor because any additional ingress rule should be specified by the user upon further use.

Fixes #7043

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
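As an added check that covers both the report above and the fix described in #8798 (example code, not from the issue or the aws-cdk project): after `cdk synth`, this scans the CloudFormation template for internet-facing dual-stack ALBs whose security group still admits no IPv6 client. The template shape and the sample resources are constructed; the resource type and property names are standard CloudFormation.

```typescript
// Added example, not code from the issue or the aws-cdk project: scan a synthesized
// CloudFormation template for internet-facing dual-stack ALBs whose security group
// admits no IPv6 (::/0) ingress, which is the gap this issue reports.
type Resource = { Type: string; Properties?: { [k: string]: any } };
type Template = { Resources: { [id: string]: Resource } };

// Resolve a plain string, `Ref` or `Fn::GetAtt` to a logical resource id.
function refId(v: any): string | undefined {
  if (typeof v === "string") return v;
  if (v && typeof v.Ref === "string") return v.Ref;
  if (v && Array.isArray(v["Fn::GetAtt"])) return v["Fn::GetAtt"][0];
  return undefined;
}

// True if any rule on one of `sgIds`, inline (SecurityGroupIngress property) or as a
// standalone AWS::EC2::SecurityGroupIngress resource, allows traffic from ::/0.
function hasIpv6Ingress(t: Template, sgIds: string[]): boolean {
  for (const rid of Object.keys(t.Resources)) {
    const r = t.Resources[rid], p: { [k: string]: any } = r.Properties || {};
    if (r.Type === "AWS::EC2::SecurityGroup" && sgIds.indexOf(rid) >= 0 &&
        (p.SecurityGroupIngress || []).some((i: any) => i.CidrIpv6 === "::/0")) return true;
    if (r.Type === "AWS::EC2::SecurityGroupIngress" && p.CidrIpv6 === "::/0" &&
        sgIds.indexOf(refId(p.GroupId) || "") >= 0) return true;
  }
  return false;
}

// Logical ids of dual-stack, internet-facing ALBs that only IPv4 clients can reach.
function findDualstackAlbsWithoutIpv6Ingress(t: Template): string[] {
  const out: string[] = [];
  for (const id of Object.keys(t.Resources)) {
    const r = t.Resources[id], p: { [k: string]: any } = r.Properties || {};
    if (r.Type !== "AWS::ElasticLoadBalancingV2::LoadBalancer") continue;
    if (p.IpAddressType !== "dualstack" || p.Scheme !== "internet-facing") continue;
    const sgIds: string[] = [];
    for (const sg of p.SecurityGroups || []) { const s = refId(sg); if (s) sgIds.push(s); }
    if (!hasIpv6Ingress(t, sgIds)) out.push(id);
  }
  return out;
}

// Constructed sample: the ALB's SG carries only the IPv4 rule, as in the screenshot.
const SAMPLE: Template = { Resources: {
  AlbSG: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupIngress: [
    { CidrIp: "0.0.0.0/0", IpProtocol: "tcp", FromPort: 443, ToPort: 443 }] } },
  Alb: { Type: "AWS::ElasticLoadBalancingV2::LoadBalancer", Properties: {
    Scheme: "internet-facing", IpAddressType: "dualstack",
    SecurityGroups: [{ "Fn::GetAtt": ["AlbSG", "GroupId"] }] } },
} };
```

Run it against the output of `cdk synth --json` for your own stack; an empty result means every dual-stack ALB has an IPv6 ingress rule on its security group.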