Closed rmarops closed 1 year ago
Yes this is expected, Security Groups were only introduced to NLBs in August 2023, which you can read about in this blogpost.
Copilot introduced this change when you specify an nlb with a udp port in version v1.31, but in the next release v1.33 this change will be made for all Copilot created NLBs. In order to do this upgrade however, we need to recreate the NLB and the associated TargetGroups, the impacts of which we discussed briefly in this blogpost for the v1.31 release. Hope this helps!
Thanks for the swift response.
To summarize, 1.33 will be creating a default SG for the remaining NLB protocols. One gotcha is the NLB name will change, but if you already use a DNS alias you should be good to go. I imagine if you default block all on the new SG the user will need to update the rules.
Sound right?
Yeah, the only difference I think is that the SG has always been specified based on the listener rules of the NLB. This means the only way it would default block on all would be if you have no port specified, which is an invalid manifest.
Created an NLB via manifest with:
In AWS, on the Security tab for the newly created network load balancer, the following is displayed: "No security group associated Because this load balancer was created without a security group, these settings can't be changed. To utilize security groups, ensure that one is specified during creation of the load balancer."
Unable to add a security group manually.
Is this expected?
copilot v1.24