Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-elasticloadbalancingv2: ApplicationListener open prop does not account for LB type DUAL_STACK_WITHOUT_PUBLIC_IPV4 #32197

Closed
1 task
clareliguori opened this issue Nov 19, 2024 · 4 comments · Fixed by #32203 or #32765
Closed
1 task

aws-elasticloadbalancingv2: ApplicationListener open prop does not account for LB type DUAL_STACK_WITHOUT_PUBLIC_IPV4 #32197

clareliguori opened this issue Nov 19, 2024 · 4 comments · Fixed by #32203 or #32765
Labels
@aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@clareliguori
Copy link
Member

clareliguori commented Nov 19, 2024
edited
Loading

Describe the bug

The automatically generated security group ingress rules for an ALB are incorrect when 1) an ApplicationLoadBalancer IP address type is set to DUAL_STACK_WITHOUT_PUBLIC_IPV4 and 2) a listener on the LB is set to allow anyone to connect to the load balancer on the listener port open: true. The generated rules only allow IPV4 inbound traffic and no IPV6 inbound traffic, which effectively allows no external traffic.

Support for DUAL_STACK_WITHOUT_PUBLIC_IPV4 was added in CDK v2.159.0, but missed this change.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Example security group ingress rules:

    "SecurityGroupIngress": [
     {
      "CidrIp": "0.0.0.0/0",
      "Description": "Allow from anyone on port 80",
      "FromPort": 80,
      "IpProtocol": "tcp",
      "ToPort": 80
     },
     {
      "CidrIp": "::/0",
      "Description": "Allow from anyone on port 80",
      "FromPort": 80,
      "IpProtocol": "tcp",
      "ToPort": 80
     }
    ],

Current Behavior

Example security group ingress rules:

    "SecurityGroupIngress": [
     {
      "CidrIp": "0.0.0.0/0",
      "Description": "Allow from anyone on port 80",
      "FromPort": 80,
      "IpProtocol": "tcp",
      "ToPort": 80
     }
    ],

Reproduction Steps

I'm using the ECS patterns module, which automatically generated the load balancer:

new patterns.ApplicationLoadBalancedFargateService(this, 'Service', {
      cluster,
      desiredCount: 1,
      domainName,
      domainZone,
      protocol: ApplicationProtocol.HTTPS,
      redirectHTTP: true,
      assignPublicIp: false,
      ipAddressType: elb.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4,
      taskImageOptions: {
...

Possible Solution

I have what I believe is a fix, but I still need to update tests and validate:

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
index 07cfb949f3..35ba804721 100644
--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
@@ -303,7 +303,8 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
 
     if (props.open !== false) {
       this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv4(), `Allow from anyone on port ${port}`);
-      if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK) {
+      if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK ||
+        this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4) {
         this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv6(), `Allow from anyone on port ${port}`);
       }
     }

Additional Information/Context

No response

CDK CLI Version

2.164.1

Framework Version

No response

Node.js Version

v20.18.0

OS

Linux

Language

TypeScript

Language Version

5.6.2

Other information

No response
@clareliguori clareliguori added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 19, 2024
@github-actions github-actions bot added the @aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 label Nov 19, 2024
@khushail khushail added needs-reproduction This issue needs reproduction. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Nov 19, 2024
@khushail khushail self-assigned this Nov 19, 2024
This was referenced Nov 19, 2024
Closed
Merged
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-reproduction This issue needs reproduction. labels Nov 26, 2024
@khushail
Copy link
Contributor

Hi @clareliguori , thanks for reporting this. The issue is reproducible with given code snippet -

    const albv2 = new patterns.ApplicationLoadBalancedFargateService(this, 'MyFargateService', {
      taskImageOptions: {
        image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
      },
      cluster: clusterv2,
      desiredCount: 1,
      publicLoadBalancer: true,
      domainName: 'mydomain.com',
      domainZone: route53.HostedZone.fromLookup(this, 'MyHostedZone', { domainName: 'mydomain.com' }),
      protocol: elbv2.ApplicationProtocol.HTTPS,
      redirectHTTP: true,
      sslPolicy: elbv2.SslPolicy.RECOMMENDED_TLS
    });

generated template -

Screenshot 2024-11-26 at 1 51 39 PM

Appreciate your PR contribution! Thanks.

@khushail khushail added effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Nov 26, 2024
@khushail khushail removed their assignment Nov 26, 2024
@github-actions github-actions bot mentioned this issue Dec 1, 2024
Closed
@mergify mergify bot closed this as completed in #32203 Dec 24, 2024
@mergify mergify bot closed this as completed in 0731095 Dec 24, 2024
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

1 similar comment
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 24, 2024
@samson-keung
Copy link
Contributor

PR was reverted, hence, re-opening

@samson-keung samson-keung reopened this Dec 31, 2024
@mergify mergify bot closed this as completed in #32765 Jan 10, 2025
@mergify mergify bot closed this as completed in aff160b Jan 10, 2025
iankhou pushed a commit that referenced this issue Jan 13, 2025
@gracelu0
fix(elasticloadbalancingv2): open, dual-stack-without-public-ipv4 ALB…
fff563f 
… does not allow IPv6 inbound traffic (under feature flag) (#32765)

### Issue # (if applicable)

Closes #32197 .

### Reason for this change

Default generated security group ingress rules for open, dual-stack-without-public-ipv4 ALB does not allow IPv6 traffic. Only a rule for IPv4 ingress traffic is added to the security group rules currently.

### Description of changes

Introduced a new feature flag which is enabled by default so that default generated security group ingress rules now have an additional rule that allows IPv6 ingress from anywhere. 


### Describe any new or updated permissions being added

No new IAM permissions. Added IPv6 security group ingress rules for open, internet-facing ALBs if IP address type  is `dual-stack-without-public-ipv4` and feature flag is set to `true` (default).


### Description of how you validated changes

Added unit test which checks the security group rules for both cases where feature flag is enabled/disabled. Updated integration test snapshot.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

Co-authored-by: Clare Liguori <[email protected]>

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
@aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
3 participants
@clareliguori @khushail @samson-keung