[Feature Request] Network Load Balancers (NLB) to support Security Groups! #319

Open
jceduar opened this issue Mar 7, 2024 · 0 comments

jceduar commented Mar 7, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or "me too" comments. They generate extra noise for issue followers and do not help prioritize the request.

Tell us about your request
What do you want us to build?

The following AWS Blog Post ("Network Load Balancer now supports security groups") was released on Aug 10, 2023.

The AWS Elastic Beanstalk console should allow configuring security groups on ELB resources only during environment creation.

Is this request specific to an Elastic Beanstalk platform?
If so, which one(s)?
N/A

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.

At this time, the AWS Elastic Beanstalk console does not support configuring additional security groups for ELB resources during environment creation. It only provides the following Namespace (aws:elbv2:loadbalancer) to configure additional security groups for an Application Load Balancer which can be applied through an .ebextensions configuration file.

Except, this namespace isn't applicable to environments with a Network Load Balancer.

Are you currently working around this issue?
How are you currently solving this problem?

The following AWS Network Load Balancing documentation provides the following statement to consider:
You can associate security groups with a Network Load Balancer when you create it. If you create a Network Load Balancer without associating any security groups, you can't associate them with the load balancer later on.

As a result, the current solution requires using Custom Resources via an .ebextensions configuration file during environment creation. Therefore, you must ensure the Source Application Bundle is already stored and selected as the application version to ensure the solution is applied to the environment.

If you do not include the .ebextensions configuration file in your source application bundle during environment creation, the Network Load Balancer will be created without a Security Group and you will not be able to associate one later on. Therefore, it requires creating a new environment again.

Additional context
Anything else we should know?

Example Solution - .ebextensions (NLB-SecurityGroup.config)

###################################################################################################
#### This configuration file creates an NLB security group and configures ingress rules for the EC2 instances' security group.
#### This will override existing configuration of the Security Groups for both the instance and the
#### NLB. The configuration below allows 80 and 443 to the NLB and port 80 from the ELB to the
#### instances. Please input the correct VpcId value for your environment.
###################################################################################################

Resources:
    NetworkLoadBalancerSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: NLB SecurityGroup for ElasticBeanstalk environment.
            VpcId: vpc-xxxxxxx
            SecurityGroupIngress:
                - FromPort: 80
                  ToPort: 80
                  IpProtocol: tcp
                  CidrIp : 0.0.0.0/0
                - FromPort: 443
                  ToPort: 443
                  IpProtocol: tcp
                  CidrIp : 0.0.0.0/0
    AWSEBV2LoadBalancer:
        Type: AWS::ElasticLoadBalancingV2::LoadBalancer
        DependsOn: "NetworkLoadBalancerSecurityGroup"
        Properties:
            SecurityGroups:
                - Fn::GetAtt:
                    - NetworkLoadBalancerSecurityGroup
                    - GroupId
    AWSEBSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: EB SecurityGroup for ElasticBeanstalk environment.
            SecurityGroupIngress:
                - ToPort: 80
                  FromPort: 80
                  IpProtocol: tcp
                  SourceSecurityGroupId: { "Fn::GetAtt" : [ "NetworkLoadBalancerSecurityGroup", "GroupId" ]}

Attachments
If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)
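
A pre-deployment check for the failure mode described in this issue, added here as an example and not part of the original issue or of any Elastic Beanstalk tooling: it inspects a source bundle before environment creation and reports when the NLB would come up without a security group, or when instance ingress is not limited to the NLB's group. The function names `check_bundle` and `make_bundle` are hypothetical, the sample configs are constructed (in JSON form, which .ebextensions also accepts), and the check assumes the environment uses a Network Load Balancer.

```python
import io, json, zipfile

try:  # PyYAML is optional: YAML is a superset of JSON, so either loader reads the samples
    import yaml
    _load = yaml.safe_load
except ImportError:
    _load = json.loads

def check_bundle(bundle_bytes):
    """Hypothetical pre-deploy gate: findings for an Elastic Beanstalk source bundle (zip)."""
    resources = {}
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith(".ebextensions/") and name.endswith(".config"):
                doc = _load(zf.read(name).decode("utf-8")) or {}
                resources.update(doc.get("Resources") or {})
    findings = []
    lb_props = resources.get("AWSEBV2LoadBalancer", {}).get("Properties", {})
    if not lb_props.get("SecurityGroups"):
        findings.append("NLB would be created without a security group")
    sg_props = resources.get("AWSEBSecurityGroup", {}).get("Properties", {})
    for rule in sg_props.get("SecurityGroupIngress", []):
        if "SourceSecurityGroupId" not in rule:
            findings.append(f"instance ingress on port {rule.get('FromPort')} "
                            "is not limited to the NLB security group")
    return findings

def make_bundle(files):
    """Build an in-memory zip from {path: text} (helper for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()

# Constructed sample configs (JSON form), mirroring the resource names used in the issue.
NLB_SG = {"Fn::GetAtt": ["NetworkLoadBalancerSecurityGroup", "GroupId"]}
RULE = {"FromPort": 80, "ToPort": 80, "IpProtocol": "tcp"}
def config(instance_rule):
    return json.dumps({"Resources": {
        "AWSEBV2LoadBalancer": {"Properties": {"SecurityGroups": [NLB_SG]}},
        "AWSEBSecurityGroup": {"Properties": {"SecurityGroupIngress": [instance_rule]}}}})

GOOD = make_bundle({".ebextensions/NLB-SecurityGroup.config":
                    config({**RULE, "SourceSecurityGroupId": NLB_SG})})
OPEN = make_bundle({".ebextensions/NLB-SecurityGroup.config":
                    config({**RULE, "CidrIp": "0.0.0.0/0"})})
MISSING = make_bundle({"application.py": "print('hello')\n"})
```

Running `check_bundle` on the bundle that is about to be selected as the application version catches the missing-config case before the environment, and its NLB, are created.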
