aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-elasticloadbalancing: Allow for input/specified Security Group #21860

Open jonchines opened 2 years ago

jonchines commented 2 years ago

Describe the feature

packages/@aws-cdk/aws-elasticloadbalancing/lib/load-balancer.ts

ELB should allow for the SG to be specified the same way that ELBv2 does. CloudFormation and the SDK allow this functionality, so there is clearly no limitation. As it is, the code creates a new SG that is not configurable and creates quite a mess for environments where the SG setup has to be well defined (e.g. DoD SRG).

Use Case

In a code base with a well defined SG setup following WAF, having SGs created for ingress to the LB from outside and ingress to EC2/ASG from the LB using SG references, the current implementation of ELB causes extra and unexpected SGs to be created and applied to the LB itself while the ASG uses the defined SGs, creating a scenario where the environment is fully KO until manual intervention is executed to remove the extra SGs and their carried references. It is very messy, as is.

Proposed Solution

Add a readonly value corresponding to the specified value, then add it to the ELB during definition:

    export interface LoadBalancerProps {
      readonly secGroup?: SecurityGroup;
    }

Possibly remove lines 249, 258, 259. Possibly change line 265 to:

    securityGroups: [props.secGroup.securityGroupId],

Of course, this is my non-programmer way to communicate a proposed solution.

Example from ELBv2 - packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts:

    line 22: readonly value corresponding to the value specified as a property
    lines 138-140: add the SG to the LB

Other Information

No response

CDK version used

2.33.0 (build 859272d)

Environment details (OS name and version, etc.)

Linux endeavor 5.19.1-zen1-1-zen
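Until the construct accepts a caller-supplied security group, the practical control is a check on the synthesized template before it is deployed. The following is an added example, not code from the aws-cdk project or from this issue: it walks a CloudFormation template, finds every classic load balancer (AWS::ElasticLoadBalancing::LoadBalancer) and reports any attached security group that is outside an operator allow-list, plus any allow-listed group that is not attached. The template it runs on is a constructed sample shaped like `cdk synth` output; the logical IDs `LB8A12904C`, `LBSecurityGroup8A41EA2B` and `IngressFromInternetSG` are made up for the example.

```typescript
// Added example, not part of the aws-cdk project: a pre-deploy lint over a
// synthesized CloudFormation template that flags classic ELBs carrying a
// security group the operator did not define.

type Json = any;

interface Finding {
  loadBalancer: string;   // logical ID of the AWS::ElasticLoadBalancing::LoadBalancer
  unexpected: string[];   // attached SGs that are not in the allow-list
  missing: string[];      // allow-listed SGs that are not attached
}

// Reduce one SecurityGroups entry to a comparable name: a literal "sg-..." ID,
// {Ref: LogicalId}, {"Fn::GetAtt": [LogicalId, "GroupId"]} (what CDK emits for
// an SG defined in the same stack) or {"Fn::ImportValue": ExportName}.
function sgRefName(entry: Json): string {
  if (typeof entry === 'string') return entry;
  if (entry && typeof entry === 'object') {
    if (typeof entry.Ref === 'string') return entry.Ref;
    const getAtt = entry['Fn::GetAtt'];
    if (Array.isArray(getAtt) && typeof getAtt[0] === 'string') return getAtt[0];
    const imported = entry['Fn::ImportValue'];
    if (typeof imported === 'string') return 'import:' + imported;
  }
  // Unknown intrinsic: keep it visible; it will never match the allow-list.
  return JSON.stringify(entry);
}

function checkClassicElbSecurityGroups(template: Json, allowed: string[]): Finding[] {
  const findings: Finding[] = [];
  const resources: Json = template.Resources || {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== 'AWS::ElasticLoadBalancing::LoadBalancer') continue;
    const props = res.Properties || {};
    const attached: string[] = (props.SecurityGroups || []).map(sgRefName);
    const unexpected = attached.filter(n => allowed.indexOf(n) === -1);
    const missing = allowed.filter(n => attached.indexOf(n) === -1);
    if (unexpected.length > 0 || missing.length > 0) {
      findings.push({ loadBalancer: logicalId, unexpected, missing });
    }
  }
  return findings;
}

// Constructed sample (hypothetical logical IDs) shaped like what `cdk synth`
// produces today: the LoadBalancer construct attaches the SG it created itself
// (LBSecurityGroup8A41EA2B) instead of the operator's IngressFromInternetSG.
const SAMPLE_TEMPLATE: Json = {
  Resources: {
    IngressFromInternetSG: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: { GroupDescription: 'Ingress to LB from the internet', VpcId: 'vpc-0123' },
    },
    LBSecurityGroup8A41EA2B: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: { GroupDescription: 'Automatically created security group', VpcId: 'vpc-0123' },
    },
    LB8A12904C: {
      Type: 'AWS::ElasticLoadBalancing::LoadBalancer',
      Properties: {
        Listeners: [{ LoadBalancerPort: '443', InstancePort: '8443', Protocol: 'https' }],
        SecurityGroups: [{ 'Fn::GetAtt': ['LBSecurityGroup8A41EA2B', 'GroupId'] }],
        Subnets: ['subnet-aaaa', 'subnet-bbbb'],
      },
    },
  },
};

// Against the sample this reports the extra CDK-created SG and the missing operator SG.
const demoFindings = checkClassicElbSecurityGroups(SAMPLE_TEMPLATE, ['IngressFromInternetSG']);
console.log(JSON.stringify(demoFindings, null, 2));
```

Failing the build on a non-empty result, for example from a unit test over the assembly `app.synth()` writes or from `cdk synth` output fed to this script, catches the condition described in the issue before CloudFormation touches the environment. As an interim workaround, the L1 `CfnLoadBalancer` behind the construct is reachable as `lb.node.defaultChild` and its `SecurityGroups` property can be replaced with `addPropertyOverride`; note that this leaves the CDK-generated SG, and whatever ingress rules the listeners added to it, in the template, detached from the load balancer but still deployed.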

peterwoodworth commented 2 years ago

Thanks for the feature request @jonchines,

I'm curious what the use case is for using v1 instead of elbv2?

We accept contributions! Check out our contributing guide if you're interested - there's a low chance the team will be able to address this soon but we'd be happy to review a PR 🙂

jonchines commented 2 years ago

Peter,

I am an Infrastructure Architect for Dassault Systemes, the 3DExperience company. We produce a multi-node, n-tier enterprise Product Lifecycle Management (PLM) application called the 3DExperience Platform (built on the ENOVIA V6 and MatrixOne foundation). A full deployment is made up of many services each having one or more nodes running as Java webapps (TomEE web application server). The Platform has an internal SSO tool called 3DPassport (which can be integrated into any IdP or function on its own) to authenticate users. The other Platform services periodically make proxy calls to 3DPassport to verify that the user is still "valid". The 3DPassport server does a check and sends the response in a Proxy Callback. Furthermore, the Platform is largely (minus a few services) stateful - implying a reliance on session persistence (sticky sessions). While ALB (ELBv2) allows for sticky sessions, it does not allow for sticky sessions combined with proxy callbacks as the ALB re-encrypts the cookie periodically. The only way for a proxy callback to work in this scenario would be for AWS to give us the ALB encryption key - a thing which will never happen. So, we are forced into two options: use the CLB which does not re-encrypt the cookie after instantiation or use an NLB for SSL offload then a backend HAProxy to do the actual load balancing, persistency, and reverse proxy. The latter is more robust, honestly, but comes at the cost of more EC2's and a greater challenge in managing autoscaling.

Jon

On Wed, Aug 31, 2022 at 6:34 PM Peter Woodworth wrote:

Thanks for the feature request @jonchines https://github.com/jonchines,

I'm curious what the use case is for using v1 instead of elbv2?

We accept contributions! Check out our contributing guide https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md if you're interested - there's a low chance the team will be able to address this soon but we'd be happy to review a PR 🙂


peterwoodworth commented 2 years ago

Thanks for elaborating Jonathan, this is very insightful 🙂 I'd love for us to implement this feature for your use case, however the team has a lot to get to so unfortunately we won't be able to get to this soon ourselves. If you or someone else you know would be willing to make a contribution, we would be very happy to review a PR! You can also reach out to the cdk.dev community on Slack to solicit support for reprioritization.