aws-samples / startup-kit-templates

CloudFormation templates to accelerate getting started on AWS.
Apache License 2.0
821 stars 402 forks source link

Fargate stack not adding the application security group to ALB #40

Open nickboucart opened 6 years ago

nickboucart commented 6 years ago

I used the combination of vpc+bastion stack, a separate db stack (postgres) and the fargate stack to run a containerized web app. I found that the load balancer could not connect to the application.

Adding the application security group to the loadbalancer solved this issue.

rnzsgh commented 6 years ago

Hi Nick,

Did you run with the wrapper stacks or individually (i.e., the files in the templates dir)? Did you create the Fargate cluster using the fargate.cfn.yml file? The fargate.cfn.yml places the service in the application security group:

https://github.com/aws-samples/startup-kit-templates/blob/master/templates/fargate.cfn.yml#L710

The service is in the application security group which allows ingress from the ELB/ALB security group and the bastion host.

https://github.com/aws-samples/startup-kit-templates/blob/master/templates/vpc.cfn.yml#L223

I am not entirely sure why adding the application security group to the ELB/ALB would change anything unless the port number parameters were set incorrectly when the stack was created.

Can you verify the port numbers you set for the ALB/ELB and the application?

Thanks,

Ryan

nickboucart commented 6 years ago

Hi Ryan,

Thanks for your reply.

I added a line after https://github.com/aws-samples/startup-kit-templates/blob/f7fd8a25c35c028ae082cfa740ea5266d53e7446/templates/fargate.cfn.yml#L556

- Fn::ImportValue: !Sub ${NetworkStackName}-AppSecurityGroupID and that made it work. I used the vpc+bastion stack, launched the db stack individually, and launched the fargate stack individually as well,

I'm learning about all of this stuff, so I might have made some mistakes. I'm running the app on port 3000 inside of the container and set it as the appingress port.

In my understanding, the ALB/ELB needs to have the APPSecurityGroupID security group attached, otherwise it won't allow outbound traffic towards the fargate cluster. Adding this line to the fargate template and redeploying made it work.

Hope this helps, Nick.

rnzsgh commented 5 years ago

Hi Nick,

Apologies for not getting back to you sooner. More than likely this is a configuration issue in the params passed when launching the stack. In the example you sent, you added the application security group to the ALB. The application security group is in place to limit the requests to the application from the ALB and the bastion host. Additionally, it is the source security group that protects the database from access outside of the application and the bastion host.

It's been some time, but if you would like to debug this, please post the CLI calls or the parameters passed to each stack and I will try to recreate or identify what is misconfigured.

Thanks,

Ryan