
fix(elasticloadbalancingv2): dualstack ALB missing default IPv6 ingre…

…ss rule (#8798)

**[ISSUE]**
An ALB configured with `ipAddressType: dualstack` and `internetFacing: true` is missing the default ingress rule for IPv6 on its security group.

**[APPROACH]**
Add a property in `IApplicationLoadBalancer` to obtain `ipAddressType` in listener constructor.
Add a check in `ApplicationListener` constructor to check for `ipAddressType` of `dualstack` 

**[NOTE]**
Implemented `dualstack` check only in the constructor because any additional ingress rule should be specified by the user upon further use.

Fixes #7043

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
BryanPan342 committed Jul 2, 2020
1 parent 916706b commit 66f963494fc10db61cd61e36550de813821561e4
@@ -2,7 +2,7 @@ import * as ec2 from '@aws-cdk/aws-ec2';
import { Construct, Duration, IResource, Lazy, Resource, Token } from '@aws-cdk/core';
import { BaseListener } from '../shared/base-listener';
import { HealthCheck } from '../shared/base-target-group';
import { ApplicationProtocol, SslPolicy } from '../shared/enums';
import { ApplicationProtocol, IpAddressType, SslPolicy } from '../shared/enums';
import { IListenerCertificate, ListenerCertificate } from '../shared/listener-certificate';
import { determineProtocolAndPort } from '../shared/util';
import { ListenerAction } from './application-listener-action';
@@ -185,6 +185,9 @@ export class ApplicationListener extends BaseListener implements IApplicationLis

if (props.open !== false) {
this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv4(), `Allow from anyone on port ${port}`);
if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK) {
this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv6(), `Allow from anyone on port ${port}`);
}
}
}
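Review bot: The new `::/0` rule keys off `this.loadBalancer.ipAddressType`, which the interface declares optional, so an `undefined` value (likely for a load balancer imported via `fromApplicationLoadBalancerAttributes`, unless that import path also surfaces the address type) silently falls through to IPv4-only and the #7043 symptom persists for imported dualstack ALBs. Failing closed is the right default for an ingress rule, but it should be explicit rather than incidental: `// ipAddressType is undefined for imported LBs — only open IPv6 when DUAL_STACK is known`, and the `open` property's doc should say that a dualstack LB now also receives a `::/0` rule. Both rules also carry the identical description `Allow from anyone on port ${port}`; appending ` (IPv6)` to the second would make the security group readable in the console and in `cdk diff`. The enclosing `ApplicationListener` constructor starts before the hunk.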

@@ -56,6 +56,7 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
}

public readonly connections: ec2.Connections;
public readonly ipAddressType?: IpAddressType;
private readonly securityGroup: ec2.ISecurityGroup;

constructor(scope: Construct, id: string, props: ApplicationLoadBalancerProps) {
@@ -65,6 +66,7 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
ipAddressType: props.ipAddressType,
});

this.ipAddressType = props.ipAddressType ?? IpAddressType.IPV4;
this.securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {
vpc: props.vpc,
description: `Automatically created Security Group for ELB ${this.node.uniqueId}`,
@@ -458,6 +460,13 @@ export interface IApplicationLoadBalancer extends ILoadBalancerV2, ec2.IConnecta
*/
readonly vpc?: ec2.IVpc;

/**
* The IP Address Type for this load balancer
*
* @default IpAddressType.IPV4
*/
readonly ipAddressType?: IpAddressType;

/**
* Add a new listener to this load balancer
*/
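Review bot: On the concrete class, `public readonly ipAddressType?: IpAddressType;` is declared optional although the constructor always assigns `props.ipAddressType ?? IpAddressType.IPV4`, so it can be narrowed to `public readonly ipAddressType: IpAddressType;` — this still satisfies the optional interface member and spares holders of an `ApplicationLoadBalancer` an undefined check. On `IApplicationLoadBalancer` the `@default IpAddressType.IPV4` tag is misleading if, as elsewhere in this module, the interface is also implemented by the imported load balancer class, where `undefined` means the address type is not known rather than IPv4; suggest `@default undefined - unknown for imported load balancers; IpAddressType.IPV4 for load balancers defined in this stack`. A follow-on sentence that consumers (such as listener ingress rules) treat `undefined` conservatively as IPv4-only, so imported dualstack ALBs need the IPv6 rule added explicitly, would save the next reader a debugging session. Both the interface and the class body extend beyond the hunks.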
@@ -48,7 +48,7 @@ export = {
test.done();
},

'Listener default to open'(test: Test) {
'Listener default to open - IPv4'(test: Test) {
// GIVEN
const stack = new cdk.Stack();
const vpc = new ec2.Vpc(stack, 'Stack');
@@ -76,6 +76,41 @@ export = {
test.done();
},

'Listener default to open - IPv4 and IPv6 (dualstack)'(test: Test) {
// GIVEN
const stack = new cdk.Stack();
const vpc = new ec2.Vpc(stack, 'Stack');
const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc, ipAddressType: elbv2.IpAddressType.DUAL_STACK});

// WHEN
loadBalancer.addListener('MyListener', {
port: 80,
defaultTargetGroups: [new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 })],
});

// THEN
expect(stack).to(haveResource('AWS::EC2::SecurityGroup', {
SecurityGroupIngress: [
{
Description: 'Allow from anyone on port 80',
CidrIp: '0.0.0.0/0',
FromPort: 80,
IpProtocol: 'tcp',
ToPort: 80,
},
{
Description: 'Allow from anyone on port 80',
CidrIpv6: '::/0',
FromPort: 80,
IpProtocol: 'tcp',
ToPort: 80,
},
],
}));

test.done();
},

'HTTPS listener requires certificate'(test: Test) {
// GIVEN
const stack = new cdk.Stack();
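Review bot: The new dualstack test pins only the positive case; nothing asserts that `open: false` on a dualstack load balancer yields no `::/0` ingress, which is the regression most worth guarding because the IPv6 rule is nested under `props.open !== false` and would fail open if that nesting were ever lost. Suggest a sibling case `'Listener with open: false on dualstack adds no IPv6 ingress'` that creates the LB with `ipAddressType: elbv2.IpAddressType.DUAL_STACK`, calls `addListener` with `open: false`, and asserts the `AWS::EC2::SecurityGroup` has no `CidrIpv6: '::/0'` entry. The renamed IPv4 test presumably still asserts the full `SecurityGroupIngress` array, so a stray IPv6 rule there would already fail; if it only matches a subset, add that explicit negative as well.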
