I have an existing VPC endpoint on my AWS account. When I deploy my CDK stack I need to somehow add a security group to that VPC endpoint for my server to be able to talk to a Redshift cluster on another network.

I define my security group like this:

    const securityGroup = new ec2.SecurityGroup(this, "SecurityGroup", {
        vpc,
        allowAllOutbound: true,
    });

How can I add that security group to the VPC endpoint? I know the endpoint ID but somehow can't figure out how to do this. I have tried to get the VPC endpoint by ID and played around with security groups.

John Rotenstein
smallbirds

2 Answers


You'll want to use ec2.InterfaceVpcEndpoint, which creates a new VPC endpoint and allows you to add security group IDs. Borrowing from here, it might look like this:

    ec2.InterfaceVpcEndpoint(
        self,
        "VPCe - Redshift",
        service=ec2.InterfaceVpcEndpointService("redshift.amazonaws.com"),
        private_dns_enabled=True,
        vpc=self.vpc,
        security_groups=[securityGroup],
    )
Coin Graham
  • This is how the system is set up and it works when I do it manually. Therefore I just would like to know how to add a security group to the VPC Endpoint – smallbirds May 18 '21 at 18:05
  • Create the SG, attach to your system, update the Redshift SG. That should be all you need to do. Otherwise, you can have the Redshift SG whitelist the internal VPC range a la 10.0.0.0/16. – Coin Graham May 18 '21 at 18:12
  • Thanks for your help :) But I really just want to add a security group to the VPC endpoint (and I know that works). Redshift is not even on my system. So how would I do that? – smallbirds May 19 '21 at 10:31
  • Adjusted based on your comments. – Coin Graham May 20 '21 at 14:53
  • Thanks, but I don't want to create a new VPC Endpoint - I want to use an existing one. I want to add the security group to the endpoint that already exists. – smallbirds May 20 '21 at 16:08
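Importing an existing endpoint in CDK (fromInterfaceVpcEndpointAttributes) only creates a reference; it never changes the endpoint. Attaching a security group to an endpoint the stack does not own therefore means calling EC2's ModifyVpcEndpoint from a custom resource. The handler logic below is an added example, not code from any poster: `api` is an assumed thin wrapper over the DescribeVpcEndpoints and ModifyVpcEndpoint calls, and the endpoint and group IDs are constructed values. It only ever adds the groups that are missing (so re-runs are idempotent) and refuses gateway endpoints, which carry no security groups.

```typescript
// Minimal shapes of the EC2 responses and request used here (subset of the real API).
interface VpcEndpointDescription {
  VpcEndpointId: string;
  VpcEndpointType: "Interface" | "Gateway" | "GatewayLoadBalancer";
  Groups?: { GroupId: string }[];
}
interface ModifyVpcEndpointRequest {
  VpcEndpointId: string;
  AddSecurityGroupIds?: string[];
  RemoveSecurityGroupIds?: string[];
}
// Assumed wrapper over the two EC2 calls; a fake implementation is used in the test.
interface EndpointApi {
  describeVpcEndpoints(p: { VpcEndpointIds: string[] }):
    Promise<{ VpcEndpoints?: VpcEndpointDescription[] }> | { VpcEndpoints?: VpcEndpointDescription[] };
  modifyVpcEndpoint(p: ModifyVpcEndpointRequest): Promise<{ Return?: boolean }> | { Return?: boolean };
}

// Work out which of the wanted groups are not yet attached. Returns null when
// nothing has to change, so the custom resource is safe to run repeatedly.
function planSecurityGroupAttach(ep: VpcEndpointDescription, wanted: string[]): ModifyVpcEndpointRequest | null {
  if (ep.VpcEndpointType !== "Interface") {
    // Only interface endpoints have security groups; a gateway endpoint is a
    // route-table entry whose access is governed by its endpoint policy.
    throw new Error(`${ep.VpcEndpointId} is a ${ep.VpcEndpointType} endpoint and has no security groups`);
  }
  const attached = (ep.Groups || []).map((g) => g.GroupId);
  const missing: string[] = [];
  for (const id of wanted) {
    if (attached.indexOf(id) === -1 && missing.indexOf(id) === -1) missing.push(id);
  }
  return missing.length === 0 ? null : { VpcEndpointId: ep.VpcEndpointId, AddSecurityGroupIds: missing };
}

// Custom-resource handler body: look the existing endpoint up, attach only the
// missing groups, and return what was added. Existing groups are never removed.
async function attachSecurityGroups(api: EndpointApi, endpointId: string, wanted: string[]): Promise<string[]> {
  const res = await api.describeVpcEndpoints({ VpcEndpointIds: [endpointId] });
  const ep = res.VpcEndpoints && res.VpcEndpoints[0];
  if (!ep) throw new Error(`VPC endpoint ${endpointId} not found`);
  const req = planSecurityGroupAttach(ep, wanted);
  if (!req) return [];
  const out = await api.modifyVpcEndpoint(req);
  if (out.Return === false) throw new Error(`ModifyVpcEndpoint was rejected for ${endpointId}`);
  return req.AddSecurityGroupIds || [];
}
```

The role that runs this handler needs ec2:DescribeVpcEndpoints and ec2:ModifyVpcEndpoint on that endpoint only; on stack deletion a matching RemoveSecurityGroupIds call undoes the attachment.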

This is how I did it using the AWS Console:

  • Login to console
  • Go to the list of Endpoints (Virtual private cloud > Endpoints)
  • Select and click on your endpoint (very important)
  • On the top right, select 'Managed security groups' from the Actions dropdown.
  • This will bring a list of SG, where you will be able to select the ones you want to attach to your Endpoint
  • Click 'Modify security groups'

Hope that helps!

yaach