The ALB portion of security-groups.yaml mentions that access to the ALB can be restricted by changing the CIDR, wide open by default. However, if that is changed it breaks the website service from accessing the product service because the request comes from the ECS hosts via the NAT Gateways which will not be allowed.
While the NAT Gateway addresses can be subsequently manually added to the ALB SG it would be more convenient to support that change in the configuration.
I do have a fix for this where I add the natgw ips to the alb sg. I had an issue with a merge conflict in my pr and have not gotten back to it but I do expect to send a pr with the fix in the next few days.
The ALB portion of security-groups.yaml mentions that access to the ALB can be restricted by changing the CIDR, wide open by default. However, if that is changed it breaks the website service from accessing the product service because the request comes from the ECS hosts via the NAT Gateways which will not be allowed. While the NAT Gateway addresses can be subsequently manually added to the ALB SG it would be more convenient to support that change in the configuration.