awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Add Support for IP addresses from outside the VPC in ALB TargetGroups created by LZA #661

Open sriharshakns opened 4 days ago

sriharshakns commented 4 days ago

Is your feature request related to a problem? Please describe.

TargetGroup allows adding IP addresses from both within and outside the VPC via the EC2 Console. The same feature is also supported in the underlying CloudFormation resource AWS::ElasticLoadBalancingV2::TargetGroup and can be enabled by setting the "AvailabilityZone" property to "all".

However, as per the source code network-associations and target-group, there is no such provision in LZA.

To Reproduce: Define the targetGroups as follows:

vpcs: 
  - name: Network-Ingress
    ...
    cidrs:
      - 10.54.240.0/24   #VPC CIDR
    ....
    targetGroups:
      - name: Test
        port: 80
        protocol: HTTP
        type: ip
        targets:
          - '10.54.69.14'   # Fails as it is outside VPC
          - '10.54.240.100' # Works as it is within the same VPC
        healthCheck:
          enabled: true
          port: 80
          protocol: HTTP

Any attempt to create the same will fail the NetworkAssociationsStack with the error below:

Resource handler returned message: "You must specify a valid Availability Zone or select 'all' for all enabled Availability zones, since the IP address '10.54.69.14' is outside the VPC (Service: ElasticLoadBalancingV2, Status Code: 400, ..., HandlerErrorCode: GeneralServiceException)

Describe the feature you'd like

Ability to set the "AvailabilityZone" property in LZA manifests.

Possible Workaround: Add the desired Listener and TargetGroup using a template file under cloudFormationStacks in customizations-config.yaml.

Sample Template Snippet:

Resources:
  ElasticLoadBalancingV2TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      ....
      Targets:
        - AvailabilityZone: all    # <-- required for an IP target outside the VPC
          Port: 80
          Id: 10.54.69.14

Additional context: Console screenshot.

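A pre-flight check for the failure mode described in this issue, added here as an example and not part of LZA or of the reporter's configuration: it takes the VPC CIDRs and `type: ip` targets from a targetGroups definition (embedded below as constructed values mirroring the report), flags the addresses that fall outside the VPC and so would fail the NetworkAssociationsStack, and builds the CloudFormation `Targets` list for the customizations-layer workaround with `AvailabilityZone: all` set only on those addresses. The function names are assumptions of this example.

```python
import ipaddress

# Constructed sample mirroring the issue's vpcs[].cidrs and
# targetGroups[].targets values (not parsed from an LZA manifest).
VPC_CIDRS = ["10.54.240.0/24"]
TARGETS = ["10.54.69.14", "10.54.240.100"]
PORT = 80


def is_in_vpc(ip: str, vpc_cidrs: list[str]) -> bool:
    """True when the address lies inside any of the VPC's CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in vpc_cidrs)


def outside_vpc_targets(vpc_cidrs: list[str], targets: list[str]) -> list[str]:
    """IP targets the native LZA targetGroups block cannot register today:
    CloudFormation rejects them unless AvailabilityZone is set to 'all'."""
    return [t for t in targets if not is_in_vpc(t, vpc_cidrs)]


def cfn_targets(vpc_cidrs: list[str], targets: list[str], port: int) -> list[dict]:
    """Build the Targets property for AWS::ElasticLoadBalancingV2::TargetGroup,
    adding AvailabilityZone: all only where the address is outside the VPC
    (in-VPC addresses keep the CloudFormation default and need no zone)."""
    entries = []
    for t in targets:
        entry = {"Id": t, "Port": port}
        if not is_in_vpc(t, vpc_cidrs):
            entry["AvailabilityZone"] = "all"
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for t in outside_vpc_targets(VPC_CIDRS, TARGETS):
        print(f"{t} is outside the VPC; native LZA targetGroups will fail for it")
    for e in cfn_targets(VPC_CIDRS, TARGETS, PORT):
        print(e)
```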

bo1984 commented 2 days ago

Hello @sriharshakns! Thank you for utilizing the Landing Zone Accelerator on AWS (LZA) solution. You're correct, as of right now, if you're using the native ALB and Target Group within the LZA solution, specifying target IP addresses from outside of the VPC is not possible. I have opened a feature request for this issue and will keep this issue open to keep you up to date once we plan on including this in an upcoming release. As a workaround, you could utilize the customizations layer to deploy this pattern.