I am trying to revoke an ingress rule on a security group that is inside my VPC, which is not the default one. I can find the security group using DescribeSecurityGroupsRequest and create the ingress rule using AuthorizeSecurityGroupIngressRequest; all of that works fine and I'm able to see the new rule in the AWS console, but when I try to revoke the same ingress rule I get "cannot find the security group on default VPC", and I don't see a way to specify which VPC. I'm using:
```csharp
RevokeSecurityGroupIngressRequest revokeSecurityGroupIngressRequest = new RevokeSecurityGroupIngressRequest();
revokeSecurityGroupIngressRequest.GroupId = "sg-id";
// GroupName is only resolvable in the default VPC; for a non-default VPC it must be left unset.
revokeSecurityGroupIngressRequest.GroupName = "sg-name";
revokeSecurityGroupIngressRequest.IpPermissions = ipPermissions;
```
I have seen how you would do this using the CLI or Lambda using boto3, but I don't see how to do it using the .NET SDK.
John Rotenstein had the right answer. The group name is used for the default VPC: if you specify the group name, it defaults to the default VPC. Omitting that and using the security group ID only works perfectly.
I have been trying to troubleshoot some connection issues, and I'm struggling with a relatively simple setup.
On my (relatively new) AWS account, I create a new Application Load balancer. I configure it in the following way:
Internet facing
Use the default VPC that came with the account
Across all availability zones
Uses default security group for VPC
Listens on HTTP:80 and returns a fixed response (status 404)
When I then try to use the new DNS name assigned, it just hangs. When using curl -v I can see it says:
Trying :80
dig also responds with 3 IPs (I'm assuming for the different zones).
It feels like I'm missing something obvious, but I'm struggling to find it myself.
Can anyone see what I may be missing?
Can you please share a screenshot of the default security group and LB configuration?
I am almost sure that the default security group has opened ALL inbound traffic, but only for itself (the security group).
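The diagnosis in the comment above can be checked without the console: the default VPC security group's only ingress rule is sourced from the group itself, so an internet client never matches it. The following added example (not code from the question or the comment) evaluates DescribeSecurityGroups-shaped rules against a source IP; the two groups are constructed samples.

```python
"""Check whether a security group admits the traffic an internet-facing ALB
needs (TCP/80 from the public internet), using the response shape of
EC2 DescribeSecurityGroups. Both groups below are constructed samples."""
from ipaddress import ip_network

# Constructed sample: a default VPC security group as AWS creates it.
# Its single ingress rule references the group itself, so only traffic from
# members of this group is allowed; a client on the internet matches nothing.
DEFAULT_SG = {
    "GroupId": "sg-0default0example",
    "GroupName": "default",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0default0example", "UserId": "111122223333"}]},
    ],
}

# Constructed sample: a dedicated ALB security group admitting HTTP from anywhere.
ALB_SG = {
    "GroupId": "sg-0alb0example",
    "GroupName": "alb-http",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def _port_matches(perm: dict, port: int, proto: str) -> bool:
    # IpProtocol "-1" means every protocol and every port.
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def admits(sg: dict, source_ip: str, port: int, proto: str = "tcp") -> bool:
    """True if some ingress rule of `sg` admits `proto`/`port` from `source_ip`.
    Rules sourced from another security group (UserIdGroupPairs) never match a bare IP."""
    src = ip_network(source_ip)
    for perm in sg["IpPermissions"]:
        if not _port_matches(perm, port, proto):
            continue
        ranges = perm.get("IpRanges", []) if src.version == 4 else perm.get("Ipv6Ranges", [])
        key = "CidrIp" if src.version == 4 else "CidrIpv6"
        if any(src.subnet_of(ip_network(r[key])) for r in ranges):
            return True
    return False


def only_self_referencing(sg: dict) -> bool:
    """True if every ingress rule is sourced solely from the group itself (default-SG shape)."""
    perms = sg["IpPermissions"]
    return bool(perms) and all(
        not p.get("IpRanges") and not p.get("Ipv6Ranges") and p.get("UserIdGroupPairs")
        and all(pair["GroupId"] == sg["GroupId"] for pair in p["UserIdGroupPairs"])
        for p in perms)
```

Run `admits` against the real DescribeSecurityGroups output for the ALB's group to confirm port 80 is reachable from a public source before looking elsewhere for the hang.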
I am wondering if it is possible to configure the “public access source allowlist” from CDK. I can see and manage this in the console under the networking tab, but can’t find anything in the CDK docs about setting the allowlist during deploy. I tried creating and assigning a security group (code sample below), but this didn't work. Also the security group was created as an "additional" security group, rather than the "cluster" security group.
```typescript
declare const vpc: ec2.Vpc;
declare const adminRole: iam.Role;
const securityGroup = new ec2.SecurityGroup(this, 'my-security-group', {
  vpc,
  allowAllOutbound: true,
  description: 'Created in CDK',
  securityGroupName: 'cluster-security-group'
});
securityGroup.addIngressRule(
  ec2.Peer.ipv4('<vpn CIDR block>'),
  ec2.Port.tcp(8888),
  'allow frontend access from the VPN'
);
const cluster = new eks.Cluster(this, 'my-cluster', {
  vpc,
  clusterName: 'cluster-cdk',
  version: eks.KubernetesVersion.V1_21,
  mastersRole: adminRole,
  defaultCapacity: 0,
  securityGroup
});
```
Update: I attempted the following, and it updated the cluster security group, but I'm still able to access the frontend when I'm not on the VPN:
```typescript
cluster.connections.allowFrom(
  ec2.Peer.ipv4('<vpn CIDR block>'),
  ec2.Port.tcp(8888)
);
```
Update 2: I tried this as well, and I can still access my application's frontend even when I'm not on the VPN. However, I can now only use kubectl when I'm on the VPN, which is good! It's a step forward that I've at least improved the cluster's security in a useful manner.
```typescript
const cluster = new eks.Cluster(this, 'my-cluster', {
  vpc,
  clusterName: 'cluster-cdk',
  version: eks.KubernetesVersion.V1_21,
  mastersRole: adminRole,
  defaultCapacity: 0,
  // Restricts the Kubernetes API endpoint, not the application's load balancer.
  endpointAccess: eks.EndpointAccess.PUBLIC_AND_PRIVATE.onlyFrom('<vpn CIDR block>')
});
```
In general EKS has two relevant security groups:
The one used by nodes, which AWS calls the "cluster security group". It's set up automatically by EKS. You shouldn't need to mess with it unless you want (a) more restrictive rules than the defaults or (b) to open your nodes to maintenance tasks (e.g. SSH access). This is what you are accessing via cluster.connections.
The Ingress Load Balancer security group. This is an Application Load balancer created and managed by EKS. In CDK, it can be created like so:
```typescript
const cluster = new eks.Cluster(this, 'HelloEKS', {
  version: eks.KubernetesVersion.V1_22,
  albController: {
    version: eks.AlbControllerVersion.V2_4_1,
  },
});
```
This will serve as a gateway for all internal services that need an Ingress. You can access it via the cluster.albController property and add rules to it like a regular Application Load Balancer. I have no idea how EKS deals with task communication when an Ingress ALB is not present.
Relevant docs:
Amazon EKS security group considerations
Alb Controller on CDK docs
The ALB property for EKS Cluster objects
I'm looking to whitelist IP addresses to secure an internet-facing Transfer server via Terraform, but unfortunately the Terraform AWS provider still doesn't support adding a new security group to the VPC endpoint via the aws transfer resource.
I tried to update the server using an AWS CLI command but am getting an error: "An error occurred (InvalidRequestException) when calling the UpdateServer operation: Changing Security Group is not supported"
Any suggestion?
Assuming they are using EndpointType=VPC, the UpdateServer command does not support updating SecurityGroups.
Attaching a Security Group can either be done at server creation time using CreateServer, or by using EC2's ModifyVPCEndpoint API to update the Security Group once the server has been created.
Refer to the documentation here: EndpointDetails - AWS Transfer Family (Under SecurityGroupIds)
(Console) In order to modify the Security Group of an AWS Transfer server once created do the following:
Go to the VPC service
Go to "Endpoints"
Click on the Endpoint that has "transfer" on the Server Name field
Click on the "Security Groups" Tab
Click on "Edit Security Groups"
I am trying to set up AWS Systems Manager to use Session Manager. In the Systems Manager setup guide, one of the steps is to allow HTTPS traffic to SSM endpoints. The documentation describes two ways of doing this: one using VPC endpoints and the other by allowing traffic to the SSM endpoints as mentioned here. I don't want to create VPC endpoints, so I am trying to use the other option.
The setup guide mentions the following:
Security groups don't allow URLs, so how can I allow HTTPS outbound traffic to some URLs as mentioned in the screenshot?
You can't create security group rules for URLs. You need to figure out a reliable way of figuring out the IP address (or range) for your URL and then create security group rules for them.
For AWS services, you can get the IP addresses using the following URL:
https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
You can also filter the IP addresses using the APIs. I am sharing one such example for filtering with PowerShell:
```powershell
Get-AWSPublicIpAddressRange -ServiceKey AMAZON -Region ap-south-1 | where {$_.IpAddressFormat -eq "Ipv4"} | select IpPrefix
```
This lists the IPv4 addresses for the Amazon service name "AMAZON" for the ap-south-1 region.
For the supported list of services, please refer to the URL above.
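The same filtering done directly on the published ip-ranges.json, as an added example rather than code from the answer: it selects one service and region, collapses overlapping prefixes, and emits the IpPermissions shape that AuthorizeSecurityGroupEgress expects. The JSON document is a constructed excerpt in the real file's layout, not a live download.

```python
"""Filter AWS ip-ranges.json by service/region and build HTTPS-only egress rules.
SAMPLE_IP_RANGES is a constructed excerpt in the shape of
https://ip-ranges.amazonaws.com/ip-ranges.json; fetch the real file in production."""
import json
from ipaddress import collapse_addresses, ip_network

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "ap-south-1", "service": "AMAZON",
         "network_border_group": "ap-south-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "ap-south-1", "service": "EC2",
         "network_border_group": "ap-south-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON",
         "network_border_group": "us-east-1"},
        # A narrower prefix already covered by the /24 above; collapsed away.
        {"ip_prefix": "203.0.113.0/25", "region": "ap-south-1", "service": "AMAZON",
         "network_border_group": "ap-south-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "ap-south-1", "service": "AMAZON",
         "network_border_group": "ap-south-1"},
    ],
})


def ipv4_prefixes(doc: str, service: str, region: str) -> list:
    """IPv4 prefixes for `service` in `region` (the "prefixes" array holds only IPv4;
    IPv6 lives in "ipv6_prefixes"), merged so overlapping or adjacent ranges become one rule."""
    data = json.loads(doc)
    nets = [ip_network(p["ip_prefix"]) for p in data["prefixes"]
            if p["service"] == service and p["region"] == region]
    return [str(n) for n in collapse_addresses(nets)]


def https_egress_permissions(doc: str, service: str, region: str) -> list:
    """IpPermissions for AuthorizeSecurityGroupEgress: TCP/443 to each prefix, nothing else."""
    return [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": cidr, "Description": f"{service} {region} (ip-ranges.json)"}]}
            for cidr in ipv4_prefixes(doc, service, region)]
```

The AMAZON key for a region covers many prefixes, so compare `len(https_egress_permissions(...))` with your security-group rule quota before applying, and re-run whenever syncToken changes.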
What I want to accomplish:
I want Terraform to create a Classic route based VPN tunnel in GCP.
Background:
When setting up a VPN tunnel in GCP there are three options for routing:
BGP
Route based
Policy based
When creating a Route based VPN tunnel in GCP you need to specify the remote subnets. If you are creating a Policy based VPN tunnel you also need to specify local subnets.
Since I want to create a route based VPN tunnel I only need to provide remote subnets.
The problem:
However in Terraform, there is no option for the resource "google_compute_vpn_tunnel" that has to do with what routing type to use.
Okay, maybe it's determined by the lack of "local_traffic_selector" and then becomes a route based VPN tunnel.
But even if I omit the "local_traffic_selector" option in my main.tf it is still there in the plan.
```text
+ local_traffic_selector = (known after apply)
```
Since I have not specified any value for it, Terraform tries to use it with an empty value, which is not possible.
```text
Error: Error creating VpnTunnel: googleapi: Error 400: Invalid value for field 'resource.localTrafficSelector[0]': ''. The local_traffic_selector field cannot be empty for network in custom subnet mode., invalid

  on main.tf line 51, in resource "google_compute_vpn_tunnel" "tunnel1":
  51: resource "google_compute_vpn_tunnel" "tunnel1" {
```
If I do specify it, the VPN tunnel will be of type Policy based instead of Route based.
Is there no support for Terraform to create a route based classic VPN tunnel in GCP?
Another strange thing is when creating the VPN gateway. When you do it in the GCP console you need to specify what external IP address the VPN gateway has. That is a pretty important property. But Terraform has no option for setting the IP address for the resource "google_compute_vpn_gateway".
In the examples here: https://www.terraform.io/docs/providers/google/r/compute_vpn_gateway.html they create a static IP object, but it's never assigned to the VPN gateway in the configuration.
According to the documentation of VPN routing policies, Route Based = Policy based if the local selector is 0.0.0.0/0:
Route based VPN tunnels are similar to tunnels that use policy based routing, except that only the remote IP ranges (right side) are specified. The list of local IP ranges is assumed to be any network (0.0.0.0/0), so you only specify the remote traffic selector.
So add local_traffic_selector = ["0.0.0.0/0"] in your tunnel definition, like this (here in the default example of Terraform):
```hcl
resource "google_compute_vpn_tunnel" "tunnel1" {
  name                  = "tunnel1"
  peer_ip               = "15.0.0.120"
  shared_secret         = "a secret message"
  local_traffic_selector = ["0.0.0.0/0"]
  ...
```
Yes, of course, the created VPN tunnel is set as Policy Based in the GUI but with a local network to 0.0.0.0/0, thus technically equivalent to Route Based config.
About the static IP, it's the standard (and boring) behavior of Terraform. You have to create the static IP with Terraform, for having the state saved in TFSTATE file, and then having the capability to reuse it.
Try this:
Keep only the external IP creation in your main.tf file:
```hcl
resource "google_compute_address" "vpn_static_ip" {
  name = "my-vpn-ip"
}
```
Apply this configuration
Now add the rest of the configuration
Apply the updated configuration again
As you can see, Terraform retrieves the IP from the previous state and reuses it without creating a new IP.
```text
google_compute_address.vpn_static_ip: Refreshing state... [id=******PROJECT_ID*****/us-central1/my-vpn-ip]
```
```hcl
resource "google_compute_vpn_tunnel" "tunnel1" {
  name                    = "tunnel1"
  peer_ip                 = "15.0.0.120"
  shared_secret           = "a secret message"
  local_traffic_selector  = ["0.0.0.0/0"]
  remote_traffic_selector = ["0.0.0.0/0"]
  ...
```
Add the remote_traffic_selector field as 0.0.0.0/0 and create routes pointing to the tunnel independently; that will create a route based VPN.