[ec2] allow_to for IPv6 has no effect on connections #9017

gergnz · 2020-07-11T05:32:52Z

Unable to allow all outbound/egress traffic for IPv6 on a connection class.

Reproduction Steps

asg = asg.AutoScalingGroup(self, "asg",
                vpc=vpc,
                instance_type=ec2.InstanceType('t3a.nano'),            
                machine_image=ec2.MachineImage.latest_amazon_linux(generation=ec2.AmazonLinuxGeneration('AMAZON_LINUX_2')))

asg.connections.allow_to(ec2.Peer.any_ipv6(),ec2.Port.all_traffic())

Error Log

No error is produced.

Environment

**CLI Version: 1.51.0 (build 8c2d53c)
**Framework Version: aws-cdk.aws-ec2 1.51.0
**Node.js Version: v12.8.0
**OS : MacOS 10.15.5 (19F101)
**Language (Version): Python 3.7.7

Other

Expected Result:

        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "Description": "Allow all outbound traffic by default",
            "IpProtocol": "-1"
          },
          {
            "CidrIp": "::/0",
            "IpProtocol": "-1"
          }
        ],

Actual Result:

        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "Description": "Allow all outbound traffic by default",
            "IpProtocol": "-1"
          }
        ],

This is 🐛 Bug Report

The text was updated successfully, but these errors were encountered:

NetaNir · 2020-07-15T06:54:07Z

The SecurityGroupEgress resource is created by the configuration set on the AutoScalingGroup default SecurityGroup, which is created when no SecurityGroup is provided to the AutoScalingGroup constructor. By default, all IPV4 traffic is allowed (we have an issue #7094 to change the default behavior to allow IPV6 & IPV4 by default). You can set custom rules by providing a SecurityGroup to the AutoScalingGroup:

const securityGroup = new ec2.SecurityGroup(stack, 'Resource-Security-Group', { vpc,
  allowAllOutbound: false
})
securityGroup.addEgressRule(Peer.anyIpv6(), Port.allTraffic())

new autoscaling.AutoScalingGroup(this, 'ASG', {
  vpc,
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.MICRO),
  machineImage: new ec2.AmazonLinuxImage(),
  securityGroup,
});

NetaNir · 2020-07-16T17:53:57Z

Im closing this as duplicate of #7094 as it will prevent the need to actually add the "allow traffic from Ipv6"

gergnz added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 11, 2020

github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jul 11, 2020

github-actions bot assigned rix0rrr Jul 11, 2020

SomayaB assigned ericzbeard and unassigned rix0rrr Jul 13, 2020

ericzbeard added p1 and removed needs-triage This issue or PR still needs to be triaged. labels Jul 15, 2020

ericzbeard assigned NetaNir and rix0rrr and unassigned ericzbeard Jul 15, 2020

NetaNir added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 15, 2020

github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 16, 2020

NetaNir added guidance Question that needs advice or information. and removed bug This issue is a bug. p1 labels Jul 16, 2020

NetaNir closed this as completed Jul 16, 2020

NetaNir mentioned this issue Jun 3, 2021

allowAllOutbound on autoscaling groups should include ipv6 #7094

Closed

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[ec2] allow_to for IPv6 has no effect on connections #9017

[ec2] allow_to for IPv6 has no effect on connections #9017

gergnz commented Jul 11, 2020

NetaNir commented Jul 15, 2020

NetaNir commented Jul 16, 2020

[ec2] allow_to for IPv6 has no effect on connections #9017

[ec2] allow_to for IPv6 has no effect on connections #9017

Comments

gergnz commented Jul 11, 2020

Reproduction Steps

Error Log

Environment

Other

NetaNir commented Jul 15, 2020

NetaNir commented Jul 16, 2020