Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(ec2): allowAllOutbound on default security group should mimic allowAllTraffic on NAT instance #12673

Closed
f0rr0 opened this issue Jan 23, 2021 · 3 comments · Fixed by #12674
Closed

(ec2): allowAllOutbound on default security group should mimic allowAllTraffic on NAT instance #12673

f0rr0 opened this issue Jan 23, 2021 · 3 comments · Fixed by #12674
Assignees
@rix0rrr
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort needs-triage This issue or PR still needs to be triaged. p2

Comments

@f0rr0
Copy link

f0rr0 commented Jan 23, 2021

Setting allowAllTraffic to false in ec2.NatProvider.instance should set allowAllOutbound on the default security group created for the NAT instance.

Reproduction Steps

ec2.NatProvider.instance({
      instanceType: new ec2.InstanceType('t2.micro'),
      keyName: key.name,
      allowAllTraffic: false,
})

What did you expect to happen?

Default security group associated with NAT instance disallows all outbound connections.

What actually happened?

All outbound connections are allowed on the default security group.

This is 🐛 Bug Report
@f0rr0 f0rr0 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 23, 2021
@f0rr0 f0rr0 changed the title (ec2): allowAllOutbound n default security group should mimic allowAllTraffic on NAT instance (ec2): allowAllOutbound on default security group should mimic allowAllTraffic on NAT instance Jan 23, 2021
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jan 23, 2021
@hedrall
Copy link
Contributor

hedrall commented Jan 23, 2021
edited
Loading

This is a comment of allowAllTraffic.

aws-cdk/packages/@aws-cdk/aws-ec2/lib/nat.ts

Lines 150 to 162 in 31b1b32

/**
* Allow all traffic through the NAT instance
*
* If you set this to false, you must configure the NAT instance's security
* groups in another way, either by passing in a fully configured Security
* Group using the `securityGroup` property, or by configuring it using the
* `.securityGroup` or `.connections` members after passing the NAT Instance
* Provider to a Vpc.
*
* @default true
*/
readonly allowAllTraffic?: boolean;
}

According to this,
I also feel that this may be a bit misleading, because it looks like the behavior when allowAllTraffic is false is practically not implemented.

@hedrall hedrall mentioned this issue Jan 23, 2021
Merged
@f0rr0
Copy link
Author

f0rr0 commented Jan 23, 2021 via email
edited
Loading

@rix0rrr rix0rrr added effort/small Small work item – less than a day of effort p2 labels Jan 26, 2021
@mergify mergify bot closed this as completed in #12674 Mar 4, 2021
mergify bot pushed a commit that referenced this issue Mar 4, 2021
@hedrall
fix(ec2): NAT provider's default outbound rules cannot be disabled (#…
664133a 
…12674)

`allowAllTraffic` only applies to inbound traffic, but it should also apply to outbound traffic. 

Deprecate it and add a new enum-based property, `defaultAllowedTraffic`, which also allows controlling outbound traffic rules. There is no option to allow inbound but not outbound because there is no use case for that.

Fix #12673

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

github-actions bot commented Mar 4, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

cornerwings pushed a commit to cornerwings/aws-cdk that referenced this issue Mar 8, 2021
@hedrall @cornerwings
fix(ec2): NAT provider's default outbound rules cannot be disabled (a…
53d5802 
…ws#12674)

`allowAllTraffic` only applies to inbound traffic, but it should also apply to outbound traffic. 

Deprecate it and add a new enum-based property, `defaultAllowedTraffic`, which also allows controlling outbound traffic rules. There is no option to allow inbound but not outbound because there is no use case for that.

Fix aws#12673

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rix0rrr rix0rrr

Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort needs-triage This issue or PR still needs to be triaged. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(ec2): NAT provider's default outbound rules cannot be disabled hedrall/aws-cdk
3 participants
@rix0rrr @f0rr0 @hedrall