aws-ec2: Security groups for interface VPC endpoints

[azatoth]

Describe the issue

In the README for EC2, under the section "Security groups for interface VPC endpoints", it states:

By default, interface VPC endpoints create a new security group and traffic is not automatically allowed from the VPC CIDR.

Use the connections object to allow traffic to flow to the endpoint:

declare const myEndpoint: ec2.InterfaceVpcEndpoint;

myEndpoint.connections.allowDefaultPortFromAnyIpv4();

In contrast, the InterfaceVpcEndpoint class does have a open property that is default true which states:

Whether to automatically allow VPC traffic to the endpoint.

If enabled, all traffic to the endpoint from within the VPC will be automatically allowed. This is done based on the VPC's CIDR range.

Links

• https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2-readme.html#security-groups-for-interface-vpc-endpoints
• https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.InterfaceVpcEndpoint.html#open

[pahud]

aws-cdk/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts

Lines 718 to 720 in db22b85

	if (props.open !== false) {
	this.connections.allowDefaultPortFrom(Peer.ipv4(props.vpc.vpcCidrBlock));
	}

Yes you are right. And we should fix the document.

Are you interested to submit a PR for that?

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.