aws-samples / ecs-refarch-cloudformation

A reference architecture for deploying containerized microservices with Amazon ECS and AWS CloudFormation (YAML)
Apache License 2.0
1.69k stars 1.32k forks

Restricting access to ALB prevents the website service from reaching the product service #52

Open dougtoppin opened 6 years ago

dougtoppin commented 6 years ago

The ALB portion of security-groups.yaml mentions that access to the ALB can be restricted by changing the CIDR (wide open by default). However, if that is changed, it breaks the website service's access to the product service, because the request comes from the ECS hosts via the NAT Gateways, which will not be allowed. While the NAT Gateway addresses can subsequently be added to the ALB SG manually, it would be more convenient to support that change in the configuration.

dougtoppin commented 6 years ago

I do have a fix for this where I add the NAT GW IPs to the ALB SG. I had an issue with a merge conflict in my PR and have not gotten back to it, but I do expect to send a PR with the fix in the next few days.
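The shape of the fix discussed in the two comments above, written out as an added example rather than the repository's own security-groups.yaml or the commenter's pull request: the ALB security group takes its public ingress range from a parameter instead of a hard-coded 0.0.0.0/0, and adds /32 ingress rules for the NAT Gateway Elastic IPs so that requests from ECS hosts in the private subnets (which leave the VPC through the NAT Gateways) are still admitted once the public range is narrowed. The parameter names `AllowedIngressCidr`, `NatGateway1EIP` and `NatGateway2EIP`, and the resource name `LoadBalancerSecurityGroup`, are assumptions for illustration.

```yaml
# Added example (not the repository's template): ALB security group with an
# operator-supplied ingress CIDR plus ingress from the NAT Gateway EIPs.
# Parameter and resource names are assumed for illustration.
AWSTemplateFormatVersion: "2010-09-09"
Description: ALB security group restricted to a CIDR plus the NAT Gateway EIPs (example)

Parameters:
  EnvironmentName:
    Type: String
  VPC:
    Type: AWS::EC2::VPC::Id
  AllowedIngressCidr:
    Description: CIDR allowed to reach the ALB from the internet (assumed parameter; default is wide open)
    Type: String
    Default: 0.0.0.0/0
    AllowedPattern: ^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$
  NatGateway1EIP:
    Description: Public IP of the first NAT Gateway, exported by the VPC stack (assumed parameter)
    Type: String
  NatGateway2EIP:
    Description: Public IP of the second NAT Gateway, exported by the VPC stack (assumed parameter)
    Type: String

Resources:
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Access to the load balancer that sits in front of ECS
      SecurityGroupIngress:
        # Operator-chosen range in place of the default 0.0.0.0/0.
        - CidrIp: !Ref AllowedIngressCidr
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
        # Source addresses of hosts in the private subnets after their traffic
        # has traversed the NAT Gateways. Without these rules, narrowing
        # AllowedIngressCidr breaks service-to-service calls that go through
        # the public ALB (the website -> product case in this issue).
        - CidrIp: !Sub "${NatGateway1EIP}/32"
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
        - CidrIp: !Sub "${NatGateway2EIP}/32"
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-LoadBalancers

Outputs:
  LoadBalancerSecurityGroup:
    Description: Security group to attach to the ALB
    Value: !Ref LoadBalancerSecurityGroup
```

In the VPC stack, `!Ref` on an `AWS::EC2::EIP` resource returns the public IP address, so exporting the two NAT Gateway EIPs as outputs and passing them into this template as the `NatGateway1EIP` / `NatGateway2EIP` parameters is enough; no manual edit of the security group is needed after a CIDR change. Two caveats worth keeping in mind: the /32 rules admit anything whose traffic egresses through those NAT Gateways, not only the ECS hosts, and the underlying cause is that one service reaches another by hairpinning out through the public ALB. If the product service only needs to be reachable from inside the VPC, an internal ALB (or service discovery) removes the dependency on the NAT Gateway addresses altogether.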