From 5f8bfef88094e0a82139adbec4c88a75ad534460 Mon Sep 17 00:00:00 2001 From: Zijun Wang Date: Sun, 24 Sep 2023 13:26:04 -0700 Subject: [PATCH 1/6] Add VpcAssociationPolicy doc --- docs/reference/vpc-association-policy.md | 85 ++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 docs/reference/vpc-association-policy.md diff --git a/docs/reference/vpc-association-policy.md b/docs/reference/vpc-association-policy.md new file mode 100644 index 00000000..ae52904f --- /dev/null +++ b/docs/reference/vpc-association-policy.md 
@@ -0,0 +1,85 @@ +# VpcAssociationPolicy API Reference + +## VpcAssociationPolicy + +VpcAssociationPolicy is a CRD that can be attached to a Gateway to define the ServiceNetworkVpcAssociation configuration. + + + +One of its option is `securityGroupIds`. it can control the inbound traffic from current cluster workloads to the gateway listeners. Please check the VPC lattice doc for more detail of this option. https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html + +Recommended security group inbound rules: + +| Source | Protocol | Port Range | Comment | +|-----------------------------|-----------------------------------------------------|-------------------------------------------------|-----------------------------------------------------------| +| Kubernetes cluster VPC CIDR | protocols defined in the gateway's listener section | ports defined in the gateway's listener section | Allow inbound traffic from current cluster vpc to gateway | + + +**Limitations and Considerations** + +When attaching a policy to a resource, the following restrictions apply: + +* A policy can be only attached to `Gateway` resources. +* The attached resource should exist in the same namespace as the policy resource. + +The security Group will not take effect if: + +* The targetRef `Gateway` does not exist +* AssociateWithVpc field set to false + + +**WARNING** + +Current VPC Lattice updateServiceNetworkVpcAssociation api have a limitation that it cannot remove all security groups. 
+That means, if you have a VpcAssociationPolicy attached to a gateway that already applied security groups, following operations will NOT take effect to remove the security groups: +* Update the VPCAssociationPolicy to empty the security group ids (even though the updated VPCAssociationPolicy can be accepted by the API server) +* Delete the VPCAssociationPolicy (even though the VPCAssociationPolicy can be deleted from k8s successfully) + +To remove security groups, instead, you should delete VPC Association and then create a new VPC Association without security group ids by following steps: +1. Update the VPCAssociationPolicy with AssociateWithVpc is false and empty security group ids +2. Update the VPCAssociationPolicy with AssociateWithVpc is true and empty security group ids + +Be cautious to set AssociateWithVpc to false. That can break traffic from the current cluster workloads to the gateway. + + +| Field | Description | +|---------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------| +| `apiVersion` *string* | ``application-networking.k8s.aws/v1alpha1`` | +| `kind` *string* | ``VpcAssociationPolicy`` | +| `metadata` [*ObjectMeta*](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta) | Kubernetes metadata for the resource. | +| `spec` *VpcAssociationPolicySpec* | Defines the desired state of VpcAssociationPolicy. | + + +## VpcAssociationPolicySpec + +Appears on: VpcAssociationPolicy + +VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy. 
+ + + +| Field | Description | +|------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `targetRef` *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | TargetRef points to the kubernetes `Gateway` resource that will have this policy attached. This field is following the guidelines of Kubernetes Gateway API policy attachment. | +| `associateWithVpc` *bool* | (Optional) This field indicates whether targetRef Gateway associate with current k8s cluster VPC. the gateway api controller by default set associateWithVpc to true if this field is not defined in VpcAssociationPolicy | +| `securityGroupIds` *string[]* | (Optional) This field defines security groups applied to the gateway (ServiceNetworkVpcAssociation) | + + +## Example Configuration + +This example shows how to configure a Gateway with associateWithVpc set to true and apply security group sg-1234567890 and sg-0987654321 +``` +apiVersion: application-networking.k8s.aws/v1alpha1 +kind: VpcAssociationPolicy +metadata: + name: test-vpc-association-policy +spec: + targetRef: + group: "gateway.networking.k8s.io" + kind: Gateway + name: my-hotel + securityGroupIds: + - sg-1234567890 + - sg-0987654321 + associateWithVpc: true +``` From 418f164d180757082b85b3dc4f1e829ee28b903c Mon Sep 17 00:00:00 2001 From: Zijun Wang Date: Wed, 27 Sep 2023 14:29:16 -0700 Subject: [PATCH 2/6] Address PR comments --- docs/reference/vpc-association-policy.md | 12 ++++++------ mkdocs.yml | 1 + 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/reference/vpc-association-policy.md b/docs/reference/vpc-association-policy.md index ae52904f..fb820918 100644 --- a/docs/reference/vpc-association-policy.md 
+++ b/docs/reference/vpc-association-policy.md @@ -42,12 +42,12 @@ To remove security groups, instead, you should delete VPC Association and then c Be cautious to set AssociateWithVpc to false. That can break traffic from the current cluster workloads to the gateway. -| Field | Description | -|---------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------| -| `apiVersion` *string* | ``application-networking.k8s.aws/v1alpha1`` | -| `kind` *string* | ``VpcAssociationPolicy`` | -| `metadata` [*ObjectMeta*](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta) | Kubernetes metadata for the resource. | -| `spec` *VpcAssociationPolicySpec* | Defines the desired state of VpcAssociationPolicy. | +| Field | Description | +|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------| +| `apiVersion` *string* | ``application-networking.k8s.aws/v1alpha1`` | +| `kind` *string* | ``VpcAssociationPolicy`` | +| `metadata` [*ObjectMeta*](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta) | Kubernetes metadata for the resource. | +| `spec` *VpcAssociationPolicySpec* | Defines the desired state of VpcAssociationPolicy. | ## VpcAssociationPolicySpec diff --git a/mkdocs.yml b/mkdocs.yml index 940597ef..980f0c97 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -19,6 +19,7 @@ nav: - API Reference: - GRPCRoute: reference/grpc-route.md - TargetGroupPolicy: reference/target-group-policy.md + - VpcAssociationPolicy: reference/vpc-association-policy.md - Design Overview: overview.md plugins: From 369d7081351bf818487df2868ea37d6655a241ac Mon Sep 17 00:00:00 2001 
From: Zijun Wang Date: Wed, 27 Sep 2023 16:41:25 -0700 Subject: [PATCH 3/6] Address PR comments --- docs/reference/vpc-association-policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/reference/vpc-association-policy.md b/docs/reference/vpc-association-policy.md index fb820918..26edbc30 100644 --- a/docs/reference/vpc-association-policy.md +++ b/docs/reference/vpc-association-policy.md @@ -10,9 +10,9 @@ One of its option is `securityGroupIds`. it can control the inbound traffic from Recommended security group inbound rules: -| Source | Protocol | Port Range | Comment | -|-----------------------------|-----------------------------------------------------|-------------------------------------------------|-----------------------------------------------------------| -| Kubernetes cluster VPC CIDR | protocols defined in the gateway's listener section | ports defined in the gateway's listener section | Allow inbound traffic from current cluster vpc to gateway | +| Source | Protocol | Port Range | Comment | +|---------------------------------------------------------|-----------------------------------------------------|-------------------------------------------------|-----------------------------------------------------------| +| Kubernetes cluster VPC CIDR or security group reference | protocols defined in the gateway's listener section | ports defined in the gateway's listener section | Allow inbound traffic from current cluster vpc to gateway | **Limitations and Considerations** From e3dbb7be28ef9b9681afec01d05c62a6f8a55cb8 Mon Sep 17 00:00:00 2001 From: Zijun Wang Date: Thu, 28 Sep 2023 12:32:42 -0700 Subject: [PATCH 4/6] Address PR comments --- docs/reference/vpc-association-policy.md | 71 ++++++++++++------------ 1 file changed, 34 insertions(+), 37 deletions(-) diff --git a/docs/reference/vpc-association-policy.md b/docs/reference/vpc-association-policy.md index 26edbc30..b6ca38d5 100644 
--- a/docs/reference/vpc-association-policy.md +++ b/docs/reference/vpc-association-policy.md 
@@ -2,67 +2,64 @@ ## VpcAssociationPolicy -VpcAssociationPolicy is a CRD that can be attached to a Gateway to define the ServiceNetworkVpcAssociation configuration. +VpcAssociationPolicy is a Custom Resource Definition (CRD) that can be attached to a Gateway to define the ServiceNetworkVpcAssociation configuration. +### Fields of VpcAssociationPolicy +| Field Name | Required | Description | +|--------------------------------------------------------------------------------------------------------------------|-----------|-----------------------------------------------------| +| `apiVersion` *string* | yes | ``application-networking.k8s.aws/v1alpha1`` | +| `kind` *string* | yes | ``VpcAssociationPolicy`` | +| `metadata` [*ObjectMeta*](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta) | yes | Kubernetes metadata for the resource. | +| `spec` *VpcAssociationPolicySpec* | yes | Defines the desired state of VpcAssociationPolicy. | -One of its option is `securityGroupIds`. it can control the inbound traffic from current cluster workloads to the gateway listeners. Please check the VPC lattice doc for more detail of this option. 
https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html -Recommended security group inbound rules: -| Source | Protocol | Port Range | Comment | -|---------------------------------------------------------|-----------------------------------------------------|-------------------------------------------------|-----------------------------------------------------------| -| Kubernetes cluster VPC CIDR or security group reference | protocols defined in the gateway's listener section | ports defined in the gateway's listener section | Allow inbound traffic from current cluster vpc to gateway | +### Fields of VpcAssociationPolicySpec +Appears on: VpcAssociationPolicy -**Limitations and Considerations** - -When attaching a policy to a resource, the following restrictions apply: +VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy. -* A policy can be only attached to `Gateway` resources. -* The attached resource should exist in the same namespace as the policy resource. -The security Group will not take effect if: -* The targetRef `Gateway` does not exist -* AssociateWithVpc field set to false +| Field Name | Type | Required | Description | +|--------------------|-----------------------------------------------------------------------------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `targetRef` | *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | Yes | TargetRef points to the kubernetes `Gateway` resource that will have this policy attached. This field is following the guidelines of Kubernetes Gateway API policy attachment. 
| +| `associateWithVpc` | *bool* | No | Indicates whether the targetRef Gateway is associated with the current k8s cluster VPC. By default, the Gateway API controller sets this to true if it's not defined in VpcAssociationPolicy. | +| `securityGroupIds` | *string[]* | No | Defines security groups applied to the gateway (ServiceNetworkVpcAssociation), it controls the inbound traffic from current cluster workloads to the gateway listeners. Please check the [VPC lattice doc](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html) for more detail of this field. | -**WARNING** +Recommended security group inbound rules: -Current VPC Lattice updateServiceNetworkVpcAssociation api have a limitation that it cannot remove all security groups. -That means, if you have a VpcAssociationPolicy attached to a gateway that already applied security groups, following operations will NOT take effect to remove the security groups: -* Update the VPCAssociationPolicy to empty the security group ids (even though the updated VPCAssociationPolicy can be accepted by the API server) -* Delete the VPCAssociationPolicy (even though the VPCAssociationPolicy can be deleted from k8s successfully) +| Source | Protocol | Port Range | Comment | +|---------------------------------------------------------|-----------------------------------------------------|-------------------------------------------------|-----------------------------------------------------------| +| Kubernetes cluster VPC CIDR or security group reference | Protocols defined in the gateway's listener section | Ports defined in the gateway's listener section | Allow inbound traffic from current cluster vpc to gateway | -To remove security groups, instead, you should delete VPC Association and then create a new VPC Association without security group ids by following steps: -1. Update the VPCAssociationPolicy with AssociateWithVpc is false and empty security group ids -2. 
Update the VPCAssociationPolicy with AssociateWithVpc is true and empty security group ids -Be cautious to set AssociateWithVpc to false. That can break traffic from the current cluster workloads to the gateway. +### Limitations and Considerations +When attaching a VpcAssociationPolicy to a resource, the following restrictions apply: -| Field | Description | -|-----------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------| -| `apiVersion` *string* | ``application-networking.k8s.aws/v1alpha1`` | -| `kind` *string* | ``VpcAssociationPolicy`` | -| `metadata` [*ObjectMeta*](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta) | Kubernetes metadata for the resource. | -| `spec` *VpcAssociationPolicySpec* | Defines the desired state of VpcAssociationPolicy. | +* Policies must be attached to *Gateway* resource. +* The attached resource must exist in the same namespace as the policy resource. +The security Group will not take effect if: -## VpcAssociationPolicySpec +* The targetRef `Gateway` does not exist +* AssociateWithVpc field set to false -Appears on: VpcAssociationPolicy -VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy. +**WARNING** +The VPC Lattice `UpdateServiceNetworkVpcAssociation` API cannot be used to remove all security groups. +That means, if you have a VpcAssociationPolicy attached to a gateway that already applied security groups, update the VPCAssociationPolicy with empty security group ids or delete the whole VPCAssociationPolicy will NOT remove the security groups from this gateway. +To remove security groups, instead, you should delete VPC Association and re-create a new VPC Association without security group ids by following steps: +1. Update the VPCAssociationPolicy by setting associateWithVpc to false and empty security group ids +2. 
Update the VPCAssociationPolicy by setting associateWithVpc to true and empty security group ids -| Field | Description | -|------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `targetRef` *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | TargetRef points to the kubernetes `Gateway` resource that will have this policy attached. This field is following the guidelines of Kubernetes Gateway API policy attachment. | -| `associateWithVpc` *bool* | (Optional) This field indicates whether targetRef Gateway associate with current k8s cluster VPC. the gateway api controller by default set associateWithVpc to true if this field is not defined in VpcAssociationPolicy | -| `securityGroupIds` *string[]* | (Optional) This field defines security groups applied to the gateway (ServiceNetworkVpcAssociation) | +Be cautious to set AssociateWithVpc to false. It will disable traffic from the current cluster workloads to the gateway. ## Example Configuration From 0fe325830d7a39b8fb2f822478c2d6ff2e4f6db4 Mon Sep 17 00:00:00 2001 From: Zijun Wang Date: Fri, 29 Sep 2023 16:37:21 -0700 Subject: [PATCH 5/6] Address PR comments --- docs/reference/vpc-association-policy.md | 41 ++++++++++++------------ 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/docs/reference/vpc-association-policy.md b/docs/reference/vpc-association-policy.md index b6ca38d5..c8d7c4b0 100644 --- a/docs/reference/vpc-association-policy.md +++ b/docs/reference/vpc-association-policy.md 
@@ -6,12 +6,12 @@ VpcAssociationPolicy is a Custom Resource Definition (CRD) that can be attached ### Fields of VpcAssociationPolicy -| Field Name | Required | Description | -|--------------------------------------------------------------------------------------------------------------------|-----------|-----------------------------------------------------| -| `apiVersion` *string* | yes | ``application-networking.k8s.aws/v1alpha1`` | -| `kind` *string* | yes | ``VpcAssociationPolicy`` | -| `metadata` [*ObjectMeta*](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta) | yes | Kubernetes metadata for the resource. | -| `spec` *VpcAssociationPolicySpec* | yes | Defines the desired state of VpcAssociationPolicy. | +| Field Name | Type | | Required | Description | +|--------------|---------------------------------------------------------------------------------------------------------|-----------|-----------------------------------------------------|--------------| +| `apiVersion` | *string* | yes | ``application-networking.k8s.aws/v1alpha1`` | +| `kind` | *string* | yes | ``VpcAssociationPolicy`` | +| `metadata` | [*ObjectMeta*](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta) | yes | Kubernetes metadata for the resource. | +| `spec` | *VpcAssociationPolicySpec* | yes | Defines the desired state of VpcAssociationPolicy. | 
@@ -23,11 +23,11 @@ VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy. -| Field Name | Type | Required | Description | -|--------------------|-----------------------------------------------------------------------------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `targetRef` | *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | Yes | TargetRef points to the kubernetes `Gateway` resource that will have this policy attached. This field is following the guidelines of Kubernetes Gateway API policy attachment. | -| `associateWithVpc` | *bool* | No | Indicates whether the targetRef Gateway is associated with the current k8s cluster VPC. By default, the Gateway API controller sets this to true if it's not defined in VpcAssociationPolicy. | -| `securityGroupIds` | *string[]* | No | Defines security groups applied to the gateway (ServiceNetworkVpcAssociation), it controls the inbound traffic from current cluster workloads to the gateway listeners. Please check the [VPC lattice doc](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html) for more detail of this field. 
| +| Field Name | Type | Required | Description | +|--------------------|-----------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `targetRef` | *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | Yes | TargetRef points to the kubernetes `Gateway` resource that will have this policy attached. It follows the guidelines of Kubernetes Gateway API policy attachment | +| `associateWithVpc` | *bool* | No | Indicates whether the targetRef Gateway is associated with the current k8s cluster VPC. By default, the Gateway API controller sets this to true if it's not defined in VpcAssociationPolicy. | +| `securityGroupIds` | *string[]* | No | Defines security groups applied to the gateway (ServiceNetworkVpcAssociation), it controls the inbound traffic from current cluster workloads to the gateway listeners. Please check the [VPC Lattice doc](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html) for more detail. | Recommended security group inbound rules: 
@@ -44,27 +44,26 @@ When attaching a VpcAssociationPolicy to a resource, the following restrictions * Policies must be attached to *Gateway* resource. * The attached resource must exist in the same namespace as the policy resource. -The security Group will not take effect if: +The security group will not take effect if: -* The targetRef `Gateway` does not exist -* AssociateWithVpc field set to false +* The targetRef `gateway` does not exist. +* The `associateWithVpc` field is set to false. **WARNING** The VPC Lattice `UpdateServiceNetworkVpcAssociation` API cannot be used to remove all security groups. -That means, if you have a VpcAssociationPolicy attached to a gateway that already applied security groups, update the VPCAssociationPolicy with empty security group ids or delete the whole VPCAssociationPolicy will NOT remove the security groups from this gateway. +If you have a VpcAssociationPolicy attached to a gateway that already has security groups applied, updating the VpcAssociationPolicy with empty security group ids or deleting the VpcAssociationPolicy will NOT remove the security groups from the gateway. To remove security groups, instead, you should delete VPC Association and re-create a new VPC Association without security group ids by following steps: -1. Update the VPCAssociationPolicy by setting associateWithVpc to false and empty security group ids -2. Update the VPCAssociationPolicy by setting associateWithVpc to true and empty security group ids - -Be cautious to set AssociateWithVpc to false. It will disable traffic from the current cluster workloads to the gateway. - +1. Update the VpcAssociationPolicy by setting `associateWithVpc` to false and empty security group ids. +2. Update the VpcAssociationPolicy by setting `associateWithVpc` to true and empty security group ids. +` +Note: Setting `associateWithVpc` to false will disable traffic from the current cluster workloads to the gateway. 
## Example Configuration -This example shows how to configure a Gateway with associateWithVpc set to true and apply security group sg-1234567890 and sg-0987654321 +This example shows how to configure a gateway with `associateWithVpc` set to true and apply security group sg-1234567890 and sg-0987654321 ``` apiVersion: application-networking.k8s.aws/v1alpha1 kind: VpcAssociationPolicy From 574751d0b6ace74117feaf14a0ee4c1313052cba Mon Sep 17 00:00:00 2001 From: Zijun Wang Date: Tue, 3 Oct 2023 12:02:08 -0700 Subject: [PATCH 6/6] Address more PR comments --- docs/reference/vpc-association-policy.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/reference/vpc-association-policy.md b/docs/reference/vpc-association-policy.md index c8d7c4b0..ff4d4a7a 100644 --- a/docs/reference/vpc-association-policy.md +++ b/docs/reference/vpc-association-policy.md @@ -6,8 +6,8 @@ VpcAssociationPolicy is a Custom Resource Definition (CRD) that can be attached ### Fields of VpcAssociationPolicy -| Field Name | Type | | Required | Description | -|--------------|---------------------------------------------------------------------------------------------------------|-----------|-----------------------------------------------------|--------------| +| Field Name | Type | Required | Description | +|--------------|---------------------------------------------------------------------------------------------------------|-----------|-----------------------------------------------------| | `apiVersion` | *string* | yes | ``application-networking.k8s.aws/v1alpha1`` | | `kind` | *string* | yes | ``VpcAssociationPolicy`` | | `metadata` | [*ObjectMeta*](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#objectmeta-v1-meta) | yes | Kubernetes metadata for the resource. | 
@@ -25,7 +25,7 @@ VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy. | Field Name | Type | Required | Description | |--------------------|-----------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `targetRef` | *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | Yes | TargetRef points to the kubernetes `Gateway` resource that will have this policy attached. It follows the guidelines of Kubernetes Gateway API policy attachment | +| `targetRef` | *[PolicyTargetReference](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)* | Yes | Points to the Kubernetes Gateway resource that will have this policy attached, following the guidelines of [Kubernetes Gateway API policy attachment](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api). | | `associateWithVpc` | *bool* | No | Indicates whether the targetRef Gateway is associated with the current k8s cluster VPC. By default, the Gateway API controller sets this to true if it's not defined in VpcAssociationPolicy. | | `securityGroupIds` | *string[]* | No | Defines security groups applied to the gateway (ServiceNetworkVpcAssociation), it controls the inbound traffic from current cluster workloads to the gateway listeners. Please check the [VPC Lattice doc](https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html) for more detail. | 
@@ -46,7 +46,7 @@ When attaching a VpcAssociationPolicy to a resource, the following restrictions The security group will not take effect if: -* The targetRef `gateway` does not exist. +* The `targetRef` gateway does not exist. * The `associateWithVpc` field is set to false.
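Review bot: in PATCH 1/6, the "Recommended security group inbound rules" table lists "Kubernetes cluster VPC CIDR" as the only source, and PATCH 3/6 widens that cell to "Kubernetes cluster VPC CIDR or security group reference" as if the two were equivalent. They are not: a VPC CIDR source admits every network interface in the VPC, not just the cluster workloads the sentence above describes, while a reference to the cluster or node security group admits only those workloads. Suggest the table state the security group reference as the recommended source and the VPC CIDR as the broader fallback, so the least-privilege option is the default a reader copies.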
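Review bot: in PATCH 1/6, the "The security Group will not take effect if:" bullets document two silent-failure cases (missing targetRef `Gateway`, `AssociateWithVpc` false) but not how an operator learns that the security groups were not applied. Since a reader applies this policy expecting it to restrict inbound traffic to the listeners, the doc should say where the controller reports that the policy was accepted but not applied (policy status, events or controller logs, whichever the controller actually provides) and how to confirm on the ServiceNetworkVpcAssociation itself that the groups are attached.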
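Review bot: in PATCH 1/6, the **WARNING** procedure ("1. Update the VPCAssociationPolicy with AssociateWithVpc is false and empty security group ids", "2. Update the VPCAssociationPolicy with AssociateWithVpc is true and empty security group ids") gives no way to tell that step 1 has finished tearing down the association before step 2 is applied, nor how to verify afterwards that the re-created association carries no security groups. Given that the same section says an update to empty ids is accepted by the API server yet has no effect, a verification step after step 2 (inspect the ServiceNetworkVpcAssociation in VPC Lattice and confirm the security group list is empty) is needed, otherwise an operator can believe the old groups are gone when they are still enforced. The "Be cautious" sentence should also state that the traffic break lasts for the whole window between step 1 and the completion of step 2.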
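Review bot: in PATCH 1/6, the "Example Configuration" fence is untagged; tag it ```yaml so mkdocs highlights it like the other reference pages. The lead sentence "apply security group sg-1234567890 and sg-0987654321" should read "security groups" and end with a period, and the sample ids are not in the shape of real security group ids (sg- followed by 8 or 17 hex characters), which is fine for a placeholder but worth noting as such so they are not copied into a real manifest.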
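Review bot: in PATCH 4/6, the rewritten limitations hunk has "* Policies must be attached to *Gateway* resource." (should be "a `Gateway` resource", with backticks as elsewhere on the page) and keeps "* AssociateWithVpc field set to false" with the field name in PascalCase, whereas the spec table in the same hunk defines it as `associateWithVpc`; use the real field name so a reader can grep the manifest. In the `securityGroupIds` row, "Defines security groups applied to the gateway (ServiceNetworkVpcAssociation), it controls the inbound traffic" is a comma splice; split it into two sentences.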
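Review bot: in PATCH 5/6, the "Fields of VpcAssociationPolicy" table hunk has a header row with five cells ("| Field Name | Type | | Required | Description |") and a five-segment separator, while every body row has four cells, so the table renders misaligned; PATCH 6/6 in this series corrects the header, so squash the two before merge rather than landing a broken table in history. The five commits all titled "Address PR comments" would also be clearer squashed into the single doc-adding commit.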
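Review bot: in PATCH 5/6, the limitations hunk introduces a stray line consisting of a single backtick between "2. Update the VpcAssociationPolicy by setting `associateWithVpc` to true and empty security group ids." and the "Note:" line. A lone backtick renders literally and can open an inline code span that swallows the following text; remove the line. No later patch in the series removes it. The same hunk's "* The targetRef `gateway` does not exist." lowercases the kind inside backticks; PATCH 6/6 changes this to "* The `targetRef` gateway does not exist.", which is the right fix.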
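Review bot: in PATCH 6/6, the `targetRef` row now links the gep-713 URL twice on the same line, once in the Type cell and again in the Description cell ("following the guidelines of [Kubernetes Gateway API policy attachment](https://gateway-api.sigs.k8s.io/geps/gep-713/#policy-targetref-api)"); one link is enough, and the Type cell is the conventional place for it in this page's other tables.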