
Question: how do I migrate an ALB performing an allowFrom operation, as in the following snippet, to an NLB?

    loadBalancer.connections.allowFrom(
        Peer.ipv4(vpc.vpcCidrBlock),
        Port.tcp(externalPort),
        `Allow from VPC on port ${externalPort}`,
    );

Why and what I have: I need to redirect API Gateway to an EC2 Auto Scaling group. I've read here that this is possible only through an NLB, so I have to migrate the existing ALB to an NLB. I have this ALB code (partial):

    this.autoScalingGroup = new AutoScalingGroup()
    this.autoScalingGroup.connections.allowFrom(
        Peer.ipv4(props.vpc.vpcCidrBlock),
        Port.tcp(22),
        "SSH Access from local VPC",
    );

    const externalPort = 80;
    const internalPort = 8080;

    const targetGroup = new ApplicationTargetGroup(this, "ApplicationTargetGroup", {
        targets: [asg],
        vpc: vpc,
        healthCheck: {
            path: "/ping",
        },
        port: internalPort,
        protocol: ApplicationProtocol.HTTP,
    });
    const loadBalancer = new ApplicationLoadBalancer(this, "ApplicationLoadBalancer", {
        vpc: vpc,
    });
    loadBalancer.addListener("ApplicationListener", {
        defaultTargetGroups: [targetGroup],
        open: false,
        port: externalPort,
        protocol: ApplicationProtocol.HTTP,
    });
    loadBalancer.connections.allowFrom(
        Peer.ipv4(vpc.vpcCidrBlock),
        Port.tcp(externalPort),
        `Allow from VPC on port ${externalPort}`,
    );

This is how I thought I'd migrate it to an NLB, but I'm not sure whether I'm missing something (in particular, I don't know how to migrate `loadBalancer.connections.allowFrom`):

    import { AutoScalingGroup } from "aws-cdk-lib/aws-autoscaling";
    import { Peer, Port } from "aws-cdk-lib/aws-ec2";
    import {
        NetworkLoadBalancer,
        NetworkTargetGroup,
        Protocol,
    } from "aws-cdk-lib/aws-elasticloadbalancingv2";

    this.autoScalingGroup = new AutoScalingGroup()
    this.autoScalingGroup.connections.allowFrom(
        Peer.ipv4(props.vpc.vpcCidrBlock),
        Port.tcp(22),
        "SSH Access from local VPC",
    );

    const externalPort = 80;
    const internalPort = 8080;

    // Construct IDs must be unique within a scope: the target group cannot
    // share the ID "NetworkLoadBalancer" with the load balancer below.
    const targetGroup = new NetworkTargetGroup(this, "NetworkTargetGroup", {
        targets: [asg],
        vpc: vpc,
        healthCheck: {
            // An NLB health check defaults to TCP, which has no path;
            // keep the HTTP /ping check the ALB target group used.
            protocol: Protocol.HTTP,
            path: "/ping",
        },
        port: internalPort,
    });

    const networkLoadBalancer = new NetworkLoadBalancer(this, "NetworkLoadBalancer", {
        vpc: vpc,
    });

    networkLoadBalancer.addListener("ApplicationListener", {
        defaultTargetGroups: [targetGroup],
        port: externalPort,
    });

    // Is this ok to replace loadbalancer.connections.allowFrom ?
    asg.connections.allowFrom(
        Peer.ipv4(vpc.vpcCidrBlock),
        Port.tcp(externalPort),
        `Allow from VPC on port ${externalPort}`,
    );