
We are trying to get traffic from the internet to hit our ALB, get decrypted and then sent through the Palo Alto Cloud NGFW and finally reach our containers. See image below:

[Image: Network architecture]

For some reason we are not able to get this to work when we allow traffic from the security group of the ALB into the security group of the ECS containers. So this is not working:

ContainerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: "Security group for containers"
    SecurityGroupIngress:
      - SourceSecurityGroupId: !Ref ALBSecurityGroup
        Description: "From load balancer"
        FromPort: 80
        IpProtocol: tcp
        ToPort: 80
    VpcId: !ImportValue app-vpc

While this is working:

ContainerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: "Security group for containers"
    SecurityGroupIngress:
      - CidrIp: "<IP_ADDRESSES_OF_ALB>"
        Description: "From load balancer"
        FromPort: 80
        IpProtocol: tcp
        ToPort: 80
    VpcId: !ImportValue app-vpc

I have not been able to find any clear documentation on this. Does anyone know if this can be solved somehow, or if I am missing something? I would rather not hardcode IP addresses in the security group, as we are setting this up using CloudFormation.

Skinkpajen
  • Can you show how `ALBSecurityGroup` is defined and any entries of type `AWS::EC2::SecurityGroupIngress` associated to that group? At a guess I think the solution would be a "self referencing" sg rule - e.g. https://gist.github.com/alanwill/9254414 for the ALB. Anything you attach that SG to will then be able to talk to other members of the SG on that rule's port. – MisterSmith Feb 08 '23 at 17:10
  • The ALBSecurityGroup allows tcp on port 443 from 0.0.0.0/0. I am not sure what would reference what in this case? – Skinkpajen Feb 08 '23 at 19:50

0 Answers