aws-ec2: Security groups for interface VPC endpoints #28350

Closed
azatoth opened this issue Dec 13, 2023 · 2 comments · Fixed by #28632
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. documentation This is a problem with documentation. effort/small Small work item – less than a day of effort p2

Comments

azatoth (Contributor) commented Dec 13, 2023

Describe the issue

In the README for EC2, under the section "Security groups for interface VPC endpoints", it states:

By default, interface VPC endpoints create a new security group and traffic is not automatically allowed from the VPC CIDR.

Use the connections object to allow traffic to flow to the endpoint:

```ts
declare const myEndpoint: ec2.InterfaceVpcEndpoint;

myEndpoint.connections.allowDefaultPortFromAnyIpv4();
```

In contrast, the InterfaceVpcEndpoint class does have an open property that defaults to true, which states:

Whether to automatically allow VPC traffic to the endpoint.

If enabled, all traffic to the endpoint from within the VPC will be automatically allowed. This is done based on the VPC's CIDR range.

Links

@azatoth azatoth added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels Dec 13, 2023
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Dec 13, 2023
pahud (Contributor) commented Dec 13, 2023

```ts
if (props.open !== false) {
  this.connections.allowDefaultPortFrom(Peer.ipv4(props.vpc.vpcCidrBlock));
}
```

Yes you are right. And we should fix the document.

Are you interested to submit a PR for that?

@pahud pahud added p2 effort/small Small work item – less than a day of effort bug This issue is a bug. and removed needs-triage This issue or PR still needs to be triaged. labels Dec 13, 2023
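The snippet pahud quotes means that, unless `open: false` is passed, the security group CDK creates for an interface endpoint admits the service port from the entire VPC CIDR, which is wider than most workloads need. The following is an added example, not code from aws-cdk or from anyone in this thread: a post-synth check that walks a CloudFormation template and reports interface endpoints whose security group has an ingress rule for the VPC's own CIDR, so the `open` default can be caught in review before deploy. The template is constructed by hand to resemble what `cdk synth` emits (a VPC, two interface endpoints, one left at the default and one built with `open: false` and a consumer security group as the only peer); the logical ids, the `10.0.0.0/16` range and the exact shape of the rules are assumptions, since real CDK output uses hashed logical ids.

```typescript
// Added example, not part of aws-cdk. Flags interface VPC endpoints whose
// security group admits ingress from the VPC CIDR (the `open: true` default).

interface CfnResource {
  Type: string;
  Properties?: Record<string, any>;
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

interface Finding {
  endpoint: string;
  securityGroup: string;
  cidr: string;
}

// Logical id named by a Ref or Fn::GetAtt intrinsic, if the value is one.
function referencedLogicalId(v: unknown): string | undefined {
  if (typeof v !== "object" || v === null) return undefined;
  const o = v as Record<string, unknown>;
  if (typeof o.Ref === "string") return o.Ref;
  const getAtt = o["Fn::GetAtt"];
  if (Array.isArray(getAtt) && typeof getAtt[0] === "string") return getAtt[0];
  return undefined;
}

// Inline SecurityGroupIngress entries plus standalone AWS::EC2::SecurityGroupIngress
// resources that target the group (CDK emits the latter for security-group peers).
function ingressRulesFor(res: Record<string, CfnResource>, sgId: string): Record<string, any>[] {
  const inline: Record<string, any>[] = res[sgId]?.Properties?.SecurityGroupIngress ?? [];
  const standalone = Object.values(res)
    .filter(r => r.Type === "AWS::EC2::SecurityGroupIngress" && referencedLogicalId(r.Properties?.GroupId) === sgId)
    .map(r => r.Properties ?? {});
  return [...inline, ...standalone];
}

// Returns a label for the CIDR when a rule's CidrIp is the VPC's own range,
// either as a literal string or as Fn::GetAtt [<vpc>, CidrBlock].
function vpcCidrOfRule(rule: Record<string, any>, vpcIds: Set<string>, vpcCidrs: Set<string>): string | undefined {
  const cidr = rule.CidrIp;
  if (typeof cidr === "string" && vpcCidrs.has(cidr)) return cidr;
  const getAtt = cidr?.["Fn::GetAtt"];
  if (Array.isArray(getAtt) && vpcIds.has(getAtt[0]) && getAtt[1] === "CidrBlock") return `${getAtt[0]}.CidrBlock`;
  return undefined;
}

function findOpenInterfaceEndpoints(template: CfnTemplate): Finding[] {
  const res = template.Resources;
  const vpcIds = new Set<string>();
  const vpcCidrs = new Set<string>();
  for (const [id, r] of Object.entries(res)) {
    if (r.Type !== "AWS::EC2::VPC") continue;
    vpcIds.add(id);
    if (typeof r.Properties?.CidrBlock === "string") vpcCidrs.add(r.Properties.CidrBlock);
  }
  const findings: Finding[] = [];
  for (const [id, r] of Object.entries(res)) {
    if (r.Type !== "AWS::EC2::VPCEndpoint" || r.Properties?.VpcEndpointType !== "Interface") continue;
    for (const sgRef of r.Properties.SecurityGroupIds ?? []) {
      const sgId = referencedLogicalId(sgRef);
      if (!sgId || res[sgId]?.Type !== "AWS::EC2::SecurityGroup") continue;
      for (const rule of ingressRulesFor(res, sgId)) {
        const cidr = vpcCidrOfRule(rule, vpcIds, vpcCidrs);
        if (cidr) findings.push({ endpoint: id, securityGroup: sgId, cidr });
      }
    }
  }
  return findings;
}

// Constructed sample (assumed ids and CIDR): SsmEndpoint keeps the default and
// its group admits 443 from the VPC CIDR; SecretsEndpoint was built with
// open: false and only admits 443 from ConsumerSG via a standalone rule.
const sampleTemplate: CfnTemplate = {
  Resources: {
    Vpc: { Type: "AWS::EC2::VPC", Properties: { CidrBlock: "10.0.0.0/16" } },
    ConsumerSG: { Type: "AWS::EC2::SecurityGroup", Properties: { VpcId: { Ref: "Vpc" } } },
    SsmEndpointSG: { Type: "AWS::EC2::SecurityGroup", Properties: { VpcId: { Ref: "Vpc" },
      SecurityGroupIngress: [{ IpProtocol: "tcp", FromPort: 443, ToPort: 443,
        CidrIp: { "Fn::GetAtt": ["Vpc", "CidrBlock"] } }] } },
    SsmEndpoint: { Type: "AWS::EC2::VPCEndpoint", Properties: { VpcEndpointType: "Interface",
      VpcId: { Ref: "Vpc" }, SecurityGroupIds: [{ "Fn::GetAtt": ["SsmEndpointSG", "GroupId"] }] } },
    SecretsEndpointSG: { Type: "AWS::EC2::SecurityGroup", Properties: { VpcId: { Ref: "Vpc" } } },
    SecretsEndpointSGfromConsumer: { Type: "AWS::EC2::SecurityGroupIngress", Properties: {
      GroupId: { "Fn::GetAtt": ["SecretsEndpointSG", "GroupId"] }, IpProtocol: "tcp",
      FromPort: 443, ToPort: 443, SourceSecurityGroupId: { "Fn::GetAtt": ["ConsumerSG", "GroupId"] } } },
    SecretsEndpoint: { Type: "AWS::EC2::VPCEndpoint", Properties: { VpcEndpointType: "Interface",
      VpcId: { Ref: "Vpc" }, SecurityGroupIds: [{ "Fn::GetAtt": ["SecretsEndpointSG", "GroupId"] }] } },
  },
};

for (const f of findOpenInterfaceEndpoints(sampleTemplate)) {
  console.log(`${f.endpoint}: ${f.securityGroup} allows ingress from ${f.cidr}`);
}
```

Run it against a real `cdk.out/*.template.json` by replacing `sampleTemplate` with the parsed file; any hit is an endpoint constructed without `open: false`, and the remediation is to set `open: false` and grant the port from the consuming security group instead, as `myEndpoint.connections.allowDefaultPortFrom(consumerSg)` would do in CDK.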
@mergify mergify bot closed this as completed in #28632 Jan 9, 2024
mergify bot pushed a commit that referenced this issue Jan 9, 2024
Change the documentation as it is showing a wrong description.

InterfaceVpcEndpoint class does have an open property that defaults to true, which states traffic is automatically allowed from the VPC CIDR.

Closes #28350.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
github-actions bot commented Jan 9, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
