aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-elasticloadbalancingv2: ApplicationListener open prop does not account for LB type DUAL_STACK_WITHOUT_PUBLIC_IPV4 #32197

Open clareliguori opened 1 week ago

clareliguori commented 1 week ago

Describe the bug

The automatically generated security group ingress rules for an ALB are incorrect when 1) an ApplicationLoadBalancer IP address type is set to DUAL_STACK_WITHOUT_PUBLIC_IPV4 and 2) a listener on the LB is set to allow anyone to connect to the load balancer on the listener port (open: true). The generated rules only allow IPV4 inbound traffic and no IPV6 inbound traffic, which effectively allows no external traffic.

Support for DUAL_STACK_WITHOUT_PUBLIC_IPV4 was added in CDK v2.159.0, but missed this change.

Regression Issue

Last Known Working CDK Version

No response

Expected Behavior

Example security group ingress rules:

    "SecurityGroupIngress": [
     {
      "CidrIp": "0.0.0.0/0",
      "Description": "Allow from anyone on port 80",
      "FromPort": 80,
      "IpProtocol": "tcp",
      "ToPort": 80
     },
     {
      "CidrIp": "::/0",
      "Description": "Allow from anyone on port 80",
      "FromPort": 80,
      "IpProtocol": "tcp",
      "ToPort": 80
     }
    ],

Current Behavior

Example security group ingress rules:

    "SecurityGroupIngress": [
     {
      "CidrIp": "0.0.0.0/0",
      "Description": "Allow from anyone on port 80",
      "FromPort": 80,
      "IpProtocol": "tcp",
      "ToPort": 80
     }
    ],

Reproduction Steps

I'm using the ECS patterns module, which automatically generated the load balancer:

    new patterns.ApplicationLoadBalancedFargateService(this, 'Service', {
      cluster,
      desiredCount: 1,
      domainName,
      domainZone,
      protocol: ApplicationProtocol.HTTPS,
      redirectHTTP: true,
      assignPublicIp: false,
      ipAddressType: elb.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4,
      taskImageOptions: {
    ...

Possible Solution

I have what I believe is a fix, but I still need to update tests and validate:

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
index 07cfb949f3..35ba804721 100644
--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
@@ -303,7 +303,8 @@ export class ApplicationListener extends BaseListener implements IApplicationLis

     if (props.open !== false) {
       this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv4(), `Allow from anyone on port ${port}`);
-      if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK) {
+      if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK ||
+        this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4) {
         this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv6(), `Allow from anyone on port ${port}`);
       }
     }
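Review bot: the new branch needs test coverage before this merges, since the existing listener tests evidently only exercise DUAL_STACK: add a case that creates a listener with open: true on a DUAL_STACK_WITHOUT_PUBLIC_IPV4 load balancer and asserts that both the 0.0.0.0/0 and ::/0 ingress rules from the Expected Behavior block above are emitted. Note also that the allowDefaultPortFrom(ec2.Peer.anyIpv4(), ...) call on the line before the condition stays unconditional, so a load balancer with no public IPv4 address still gets a 0.0.0.0/0 rule that, as the report says, admits no external traffic; decide whether that rule is wanted for this type and say so in the PR description. Minor: the two-line || condition reads more easily as a membership check, e.g. [IpAddressType.DUAL_STACK, IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4].includes(this.loadBalancer.ipAddressType).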

Additional Information/Context

No response

CDK CLI Version

2.164.1

Framework Version

No response

Node.js Version

v20.18.0

OS

Linux

Language

TypeScript

Language Version

5.6.2

Other information

No response
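One way to catch this defect before deployment, as an added example that is not part of aws-cdk or the reporter's code: audit the synthesized CloudFormation template (the JSON under cdk.out) for dual-stack load balancers whose security group opens a port to 0.0.0.0/0 without a matching ::/0 rule. The CloudFormation string values behind the CDK enum members, and the Fn::GetAtt shape of the SecurityGroups references, are assumed from the template format; the sample template is constructed.

```typescript
// Added example (not aws-cdk code): audit a synthesized CloudFormation template,
// such as cdk.out/<Stack>.template.json, for the defect in this issue: a dual-stack
// ALB whose security group admits 0.0.0.0/0 but has no matching ::/0 rule.
type Ingress = { CidrIp?: string; CidrIpv6?: string; FromPort?: number; IpProtocol?: string };
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

// Assumed CloudFormation values behind the CDK enum members DUAL_STACK and DUAL_STACK_WITHOUT_PUBLIC_IPV4.
const DUAL_STACK_TYPES = new Set(["dualstack", "dualstack-without-public-ipv4"]);

// Resolve { "Fn::GetAtt": [id, "GroupId"] } or { Ref: id } to the security group's logical id.
function sgLogicalId(ref: any): string | undefined {
  if (ref && Array.isArray(ref["Fn::GetAtt"])) return ref["Fn::GetAtt"][0];
  if (ref && typeof ref.Ref === "string") return ref.Ref;
  return undefined;
}

// Returns logical ids of dual-stack load balancers with an IPv4-only "open" ingress:
// every protocol/port opened to 0.0.0.0/0 must also have a ::/0 rule.
// ::/0 is accepted in CidrIpv6 (what CloudFormation uses) or CidrIp (as written in the issue).
function findIpv4OnlyDualStackAlbs(t: Template): string[] {
  const findings: string[] = [];
  for (const [id, res] of Object.entries(t.Resources)) {
    if (res.Type !== "AWS::ElasticLoadBalancingV2::LoadBalancer") continue;
    const p = res.Properties ?? {};
    if (!DUAL_STACK_TYPES.has(p.IpAddressType)) continue;
    const rules: Ingress[] = [];
    for (const ref of p.SecurityGroups ?? []) {
      const sg = t.Resources[sgLogicalId(ref) ?? ""];
      rules.push(...(sg?.Properties?.SecurityGroupIngress ?? []));
    }
    const key = (r: Ingress) => `${r.IpProtocol}/${r.FromPort}`;
    const v4Ports = rules.filter(r => r.CidrIp === "0.0.0.0/0").map(key);
    const v6Ports = new Set(rules.filter(r => r.CidrIpv6 === "::/0" || r.CidrIp === "::/0").map(key));
    if (v4Ports.some(k => !v6Ports.has(k))) findings.push(id);
  }
  return findings;
}

// Constructed sample template: "Bad" reproduces the issue, "Good" has both rules, "V4" is IPv4-only.
const rule = (cidr: Record<string, string>) => ({ ...cidr, FromPort: 80, ToPort: 80, IpProtocol: "tcp" });
const SAMPLE: Template = { Resources: {
  BadSG: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupIngress: [rule({ CidrIp: "0.0.0.0/0" })] } },
  Bad: { Type: "AWS::ElasticLoadBalancingV2::LoadBalancer", Properties: { IpAddressType: "dualstack-without-public-ipv4", SecurityGroups: [{ "Fn::GetAtt": ["BadSG", "GroupId"] }] } },
  GoodSG: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupIngress: [rule({ CidrIp: "0.0.0.0/0" }), rule({ CidrIpv6: "::/0" })] } },
  Good: { Type: "AWS::ElasticLoadBalancingV2::LoadBalancer", Properties: { IpAddressType: "dualstack", SecurityGroups: [{ "Fn::GetAtt": ["GoodSG", "GroupId"] }] } },
  V4: { Type: "AWS::ElasticLoadBalancingV2::LoadBalancer", Properties: { IpAddressType: "ipv4", SecurityGroups: [{ "Fn::GetAtt": ["BadSG", "GroupId"] }] } },
} };

console.log(findIpv4OnlyDualStackAlbs(SAMPLE)); // ["Bad"]
```

Run it against real cdk synth output with JSON.parse on the template file in place of SAMPLE; a non-empty result means the listener's IPv6 ingress is missing.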

khushail commented 2 days ago

Hi @clareliguori, thanks for reporting this. The issue is reproducible with the given code snippet:

    const albv2 = new patterns.ApplicationLoadBalancedFargateService(this, 'MyFargateService', {
      taskImageOptions: {
        image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
      },
      cluster: clusterv2,
      desiredCount: 1,
      publicLoadBalancer: true,
      domainName: 'mydomain.com',
      domainZone: route53.HostedZone.fromLookup(this, 'MyHostedZone', { domainName: 'mydomain.com' }),
      protocol: elbv2.ApplicationProtocol.HTTPS,
      redirectHTTP: true,
      sslPolicy: elbv2.SslPolicy.RECOMMENDED_TLS
    });

generated template:

[Screenshot 2024-11-26 at 1:51:39 PM]

Appreciate your PR contribution! Thanks.