I have a two-VPC setup as follows:

- In the first VPC:
  - A service in a private subnet
  - A network load balancer for the service, also in the private subnet
  - A VPC Endpoint Service for the load balancer
- In the second VPC:
  - A VPC Endpoint ("Interface" mode) to the VPC Endpoint Service
  - A client that uses the service via the VPC Endpoint

It is based on this arrangement:
Now, what I am unsure about is how to restrict the security group of the service.

For setup purposes, I made things wide open:
```hcl
resource "aws_security_group_rule" "service_anywhere" {
  security_group_id = aws_security_group.service.id
  type              = "ingress"
  from_port         = 9096
  to_port           = 9096
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}
```
This works, in the sense that the client in the other VPC can access the service; however, I want to configure the minimal amount of access that is actually required.

Can I somehow restrict access to the security group of the client, despite that being in another VPC and connected via a VPC Endpoint?
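As an added example (not part of the question above or of any answer to it), here is the narrower rule that follows from the topology described: the service sits behind a network load balancer in the same private subnet, and traffic arriving through a PrivateLink endpoint reaches the target with the private IP of the load balancer node as its source, so the service's security group only needs to admit the NLB's subnet. The resource name `aws_subnet.private` is an assumption for whatever Terraform resource declares that private subnet; the port 9096 and `aws_security_group.service` come from the question.

```hcl
# Added example, not code from the question. Replaces the 0.0.0.0/0 rule.
# Assumes the private subnet that holds both the service and the NLB is
# declared as aws_subnet.private (hypothetical resource name).
resource "aws_security_group_rule" "service_from_nlb_subnet" {
  security_group_id = aws_security_group.service.id
  type              = "ingress"
  from_port         = 9096
  to_port           = 9096
  protocol          = "tcp"
  description       = "Service port, reachable only from the NLB's subnet"
  cidr_blocks       = [aws_subnet.private.cidr_block]
}
```

The client's own security group cannot be referenced in this rule: security-group references only resolve across VPCs that are peered, not across a PrivateLink endpoint, and the service never sees the client's address anyway, only the NLB node's. Restricting to the NLB's subnet CIDR is therefore the tightest rule that survives the load balancer being recreated; pinning the rule to the NLB node addresses themselves is possible but those addresses are allocated per availability zone and change if the NLB is replaced.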