ecs_patters: ECS pattern ApplicationLoadBalancedFargateService adding 0.0.0.0/0 access to security group

[robert-lilleker]

Describe the bug

I am creating a public load balancer that routes to fargate ECS deployment. This load balancer needs to be routable on the internet hence public but tied to a few IPs. I try the following in C# to have it open to two IP address on ports 80 and 443. When the load balancer is created without assigning it to the ApplicationLoadBalancedFargateService construct it creates a load balancer with just the four rules I expect. However when assigned it adds two rules allowing ports 80 and 443 from 0.0.0.0/0

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

I should expect the load balancer with a security group that only has 4 rules allowing two ips on ports 80 and 443

Current Behavior

It creates the load balancer with a security group that only has 6 rules allowing the two ips and 0.0.0.0/0 on ports 80 and 443

Reproduction Steps

SecurityGroup securityGroup = new SecurityGroup(scope, $"platform-engine-sg", new SecurityGroupProps
            {
                Vpc = vpc,
                Description = "Engine Security group",
                AllowAllOutbound = true,
                SecurityGroupName = $"platform-engine-sg"
            });
            securityGroup.AddIngressRule(Peer.Ipv4("1.1.1.1/32"), Port.Tcp(80), "Allow local access");
            securityGroup.AddIngressRule(Peer.Ipv4("1.1.1.1/32"), Port.Tcp(443), "Allow local access");
            securityGroup.AddIngressRule(Peer.Ipv4("2.2.2.2/32"), Port.Tcp(80), "Allow local access");
            securityGroup.AddIngressRule(Peer.Ipv4("2.2.2.2/32"), Port.Tcp(443), "Allow local access");
            ApplicationLoadBalancer engineloadBalancer = new ApplicationLoadBalancer(scope, $"engine-load-balancer", new Amazon.CDK.AWS.ElasticLoadBalancingV2.ApplicationLoadBalancerProps
            {
                Vpc = vpc,
                InternetFacing = true,
                SecurityGroup = securityGroup,
                LoadBalancerName = $"engine"
            });
            return new ApplicationLoadBalancedFargateServiceProps
            {
                ServiceName = $"engine-svc",
                Cluster = new Cluster(scope, $"engine-cluster", new ClusterProps
                {
                    ClusterName = $"engine-cluster",
                    Vpc = vpc,
                    ContainerInsightsV2 = ContainerInsights.ENABLED
                }),
                RedirectHTTP = true,
                ListenerPort = 443,
                CircuitBreaker = new DeploymentCircuitBreaker
                {
                    Rollback = true
                },
                LoadBalancer = engineloadBalancer,
                SslPolicy = SslPolicy.TLS12_EXT,
                TaskDefinition = engineTask,
                MinHealthyPercent = 100,
                DesiredCount = numberEngineTasks
            };

Possible Solution

No response

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.212.0

AWS CDK CLI version

2.212.0

Node.js Version

v20.15.1

OS

Windows

Language

.NET

Language Version

No response

Other information

No response

[pahud]

Hi @robert-lilleker,

Thank you for reporting this issue. You've identified a valid security concern with the ApplicationLoadBalancedFargateService pattern.

The root cause is that the ApplicationListener automatically adds 0.0.0.0/0 ingress rules when the open property is true (which is the default). This happens regardless of whether you provide a custom security group with restricted access.

Immediate Workaround:
Set openListener: false in your ApplicationLoadBalancedFargateService configuration:

return new ApplicationLoadBalancedFargateServiceProps
{
   ServiceName = "engine-svc",
   Cluster = new Cluster(scope, "engine-cluster", new ClusterProps
   {
       ClusterName = "engine-cluster",
       Vpc = vpc,
       ContainerInsightsV2 = ContainerInsights.ENABLED
   }),
   RedirectHTTP = true,
   ListenerPort = 443,
   OpenListener = false, // Add this line
   CircuitBreaker = new DeploymentCircuitBreaker
   {
       Rollback = true
   },
   LoadBalancer = engineloadBalancer,
   SslPolicy = SslPolicy.TLS12_EXT,
   TaskDefinition = engineTask,
   MinHealthyPercent = 100,
   DesiredCount = numberEngineTasks
};

Long-term Solution:
We should improve the default behavior to be more security-conscious when users provide custom security groups. Would you be interested in contributing a PR to address this? The fix could involve:

1. Detecting when a custom security group is provided to the load balancer
2. Defaulting openListener to false in such cases
3. Adding appropriate documentation and warnings

This is a legitimate bug that affects security posture, and we appreciate you bringing it to our attention!

[pahud]

bump to p1. PR WIP.