Closed t0gre closed 2 years ago
@tomgreenwood1 sounds reasonable, want to pick it up? I'll be happy to review!
I've started a pull request here https://github.com/aws/aws-cdk/pull/7827. The only thing is it's failing because I haven't written a test. Not sure what an appropriate test for this would be tbh, but then testing isn't my strong point. @NetaNir do you have any suggestions?
Hi @tomgreenwood1!
Thank you for submitting the PR, I have added a comment about possible tests.
Hi @NetaNir,
I've run into this issue and checked out the closed PR, seeing that it will be pushed to v2 of the CDK. I understand that changing the default will cause issues, but there is seemingly no workaround.
If I set allowAllOutbound to false, I can only add IPV6 egress and not IPV4. I get prompted with the following error:
Cannot add an "all traffic" egress rule in this way; set allowAllOutbound=true on the SecurityGroup instead.
If I set allowAllOutbound to true, then trying to add an IPV6 egress is ignored. I get the following warning:
Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
From what I've attempted and read, there is no way to add both IPV4 and IPV6 egress on all traffic. Please correct me if I am wrong. Is there any way to get this working with the CDK?
Thank you, Tom
@tomeldar Check this comment out: https://github.com/aws/aws-cdk/issues/9017#issuecomment-658582279
If I recall correctly, since EC2 allows ipv4 traffic by default, you should be able to set allowAllOutbound=false and add the Ipv6 rule, and that will give you Ipv4 and Ipv6.
Let me know if it works. In any case, this is not an ideal customer experience; we need to fix it.
@NetaNir Unfortunately that does not work. The following code generates the following egress rule (with no IPV4 egress allowed):
```typescript
import * as ec2 from '@aws-cdk/aws-ec2'; // CDK v1 module path; adjust for your version

// `vpc` is assumed to be an ec2.IVpc defined earlier in the stack
const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
  vpc,
  allowAllOutbound: false,
});
// With allowAllOutbound=false this adds only the ::/0 rule; no 0.0.0.0/0 egress is emitted
securityGroup.addEgressRule(ec2.Peer.anyIpv6(), ec2.Port.allTraffic(), 'IPV6 Egress');
```
Workaround with escape hatches:
```typescript
import { CfnSecurityGroup, SecurityGroup, Vpc } from '@aws-cdk/aws-ec2';

const sg = new SecurityGroup(this, 'SG', {
  vpc: Vpc.fromLookup(this, 'TestVpc', { vpcName: 'TestVpc' }),
  // allowAllOutbound: false   // leave the default (true) in place
});
// Escape hatch: replace the synthesized egress list on the underlying L1 resource
const cfnSg = sg.node.defaultChild as CfnSecurityGroup;
cfnSg.addPropertyOverride('SecurityGroupEgress', [
  {
    "CidrIpv6": "::/0",
    "Description": "from ::/0:ALL TRAFFIC",
    "IpProtocol": "-1"
  },
  {
    "CidrIp": "0.0.0.0/0",
    "Description": "Allow all outbound traffic by default",
    "IpProtocol": "-1"
  }
]);
```
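As an added example (not code from this thread or from the aws-cdk project), the following standalone checker reads the synthesized CloudFormation JSON for an `AWS::EC2::SecurityGroup` and reports whether its egress rules actually allow all outbound IPv4 and IPv6 traffic. It only relies on the property shapes shown in this thread (`CidrIp`, `CidrIpv6`, `IpProtocol: "-1"`); the templates it runs over are constructed by hand to mirror the three situations discussed above, and the logical ID `MySecurityGroup` is a placeholder. It can be used as a regression check against `cdk synth` output after applying the escape-hatch workaround.

```typescript
// Added example: verify dual-stack "all traffic" egress in a synthesized template.
// Not part of the aws-cdk project. Templates below are constructed samples.

interface EgressRule {
  IpProtocol: string;     // "-1" = all protocols and ports
  CidrIp?: string;        // IPv4 CIDR
  CidrIpv6?: string;      // IPv6 CIDR
  FromPort?: number;
  ToPort?: number;
  Description?: string;
}

interface CfnTemplate {
  Resources: { [logicalId: string]: { Type: string; Properties?: any } };
}

interface EgressSummary {
  allIpv4: boolean;   // an all-traffic rule to 0.0.0.0/0 exists
  allIpv6: boolean;   // an all-traffic rule to ::/0 exists
  missing: string[];  // address families without an all-traffic egress rule
}

// Only protocol "-1" counts as "all traffic": a 0.0.0.0/0 rule limited to
// a single port does not satisfy the allowAllOutbound intent.
function isAllTraffic(rule: EgressRule): boolean {
  return rule.IpProtocol === '-1';
}

function egressRulesOf(template: CfnTemplate, logicalId: string): EgressRule[] {
  const res = template.Resources[logicalId];
  if (!res || res.Type !== 'AWS::EC2::SecurityGroup') {
    throw new Error(logicalId + ' is not an AWS::EC2::SecurityGroup');
  }
  const props = res.Properties || {};
  return (props.SecurityGroupEgress as EgressRule[]) || [];
}

function summarizeEgress(template: CfnTemplate, logicalId: string): EgressSummary {
  const rules = egressRulesOf(template, logicalId);
  const allIpv4 = rules.some(r => isAllTraffic(r) && r.CidrIp === '0.0.0.0/0');
  const allIpv6 = rules.some(r => isAllTraffic(r) && r.CidrIpv6 === '::/0');
  const missing: string[] = [];
  if (!allIpv4) missing.push('IPv4');
  if (!allIpv6) missing.push('IPv6');
  return { allIpv4: allIpv4, allIpv6: allIpv6, missing: missing };
}

// Constructed template skeleton (hand-written, not real `cdk synth` output).
function sgTemplate(egress: EgressRule[]): CfnTemplate {
  return {
    Resources: {
      MySecurityGroup: {
        Type: 'AWS::EC2::SecurityGroup',
        Properties: { GroupDescription: 'constructed sample', SecurityGroupEgress: egress },
      },
    },
  };
}

const IPV4_ALL: EgressRule = { CidrIp: '0.0.0.0/0', IpProtocol: '-1', Description: 'Allow all outbound traffic by default' };
const IPV6_ALL: EgressRule = { CidrIpv6: '::/0', IpProtocol: '-1', Description: 'from ::/0:ALL TRAFFIC' };

// allowAllOutbound: true  -> only the IPv4 rule is emitted (the gap this issue is about)
const DEFAULT_TEMPLATE = sgTemplate([IPV4_ALL]);
// allowAllOutbound: false + addEgressRule(anyIpv6, allTraffic) -> only the IPv6 rule
const IPV6_ONLY_TEMPLATE = sgTemplate([IPV6_ALL]);
// escape-hatch override from the comment above -> both rules
const WORKAROUND_TEMPLATE = sgTemplate([IPV6_ALL, IPV4_ALL]);

function report(name: string, template: CfnTemplate): string {
  const s = summarizeEgress(template, 'MySecurityGroup');
  return s.missing.length === 0
    ? name + ': dual-stack all-traffic egress OK'
    : name + ': no all-traffic egress for ' + s.missing.join(', ');
}

console.log(report('allowAllOutbound=true', DEFAULT_TEMPLATE));
console.log(report('allowAllOutbound=false + IPv6 rule', IPV6_ONLY_TEMPLATE));
console.log(report('escape-hatch override', WORKAROUND_TEMPLATE));
```

To run it against a real stack, load `cdk.out/<stack>.template.json` and pass the security group's logical ID in place of the placeholder; a non-empty `missing` list means the group will silently drop egress for that address family even though `allowAllOutbound` was set.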
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
For autoscaling groups, a new security group is always created. There's a setting called allowAllOutbound, which configures that security group to allow all ipv4 traffic out. However, it actually doesn't let ALL outbound traffic out, because it doesn't let ipv6 traffic out.
Use Case
I need to be able to ping things on ipv6 from inside ecs containers, which are run on an autoscaling group.
Proposed Solution
Add ::/0 to the list of allowed outbound connections for the allowAllOutbound.
Other
I'd be very happy to have a go at this if you can point me to which module it's configured in. Seems unlikely it would break anything.
This is a :rocket: Feature Request