Closed
Labels: @aws-cdk/aws-ec2 (Related to Amazon Elastic Compute Cloud), feature-request (A feature should be added or improved), needs-reproduction (This issue needs reproduction)
Description
When creating a new VPC Endpoint, the default security group, created by the endpoint, is not configured with an inbound rule for the provided port.
Reproduction Steps
```ts
import * as cdk from '@aws-cdk/core';
import * as ec2 from '@aws-cdk/aws-ec2';

// Stack id 'stack' matches the "stack/ssm-interface/..." paths in the template below.
const app = new cdk.App();
const stack = new cdk.Stack(app, 'stack');

const vpc = new ec2.Vpc(stack, 'Vpc', { maxAzs: 1 });
const ssmEndpoint = new ec2.InterfaceVpcEndpoint(stack, 'ssm-interface', {
  vpc,
  service: {
    name: `com.amazonaws.${cdk.Aws.REGION}.ssm`,
    port: 443
  }
});
```
The fix is to add:
```ts
// The endpoint's default security group has no inbound rule, so allow the VPC to reach the service port.
const securityGroups = ssmEndpoint.connections.securityGroups;
securityGroups[0].addIngressRule(ec2.Peer.ipv4(vpc.vpcCidrBlock), ec2.Port.tcp(443));
```
Error Log
The generated [relevant] CloudFormation is initially:
```json
"ssminterfaceSecurityGroupA5BC2091": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "stack/ssm-interface/SecurityGroup",
    "SecurityGroupEgress": [
      {
        "CidrIp": "0.0.0.0/0",
        "Description": "Allow all outbound traffic by default",
        "IpProtocol": "-1"
      }
    ],
    "VpcId": {
      "Ref": "Vpc8378EB38"
    }
  },
  "Metadata": {
    "aws:cdk:path": "stack/ssm-interface/SecurityGroup/Resource"
  }
},
```
After the fix, it is:
```json
"ssminterfaceSecurityGroupA5BC2091": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "GroupDescription": "stack/ssm-interface/SecurityGroup",
    "SecurityGroupEgress": [
      {
        "CidrIp": "0.0.0.0/0",
        "Description": "Allow all outbound traffic by default",
        "IpProtocol": "-1"
      }
    ],
    "SecurityGroupIngress": [
      {
        "CidrIp": {
          "Fn::GetAtt": [
            "Vpc8378EB38",
            "CidrBlock"
          ]
        },
        "Description": {
          "Fn::Join": [
            "",
            [
              "from ",
              {
                "Fn::GetAtt": [
                  "Vpc8378EB38",
                  "CidrBlock"
                ]
              },
              ":443"
            ]
          ]
        },
        "FromPort": 443,
        "IpProtocol": "tcp",
        "ToPort": 443
      }
    ],
    "VpcId": {
      "Ref": "Vpc8378EB38"
    }
  },
  "Metadata": {
    "aws:cdk:path": "stack/ssm-interface/SecurityGroup/Resource"
  }
},
```
Environment
- CLI Version : 1.12.0
- Framework Version: 1.12.0
- OS : All
- Language : All
This is 🐛 Bug Report
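A check that catches this before deploy, written as an added example that is not part of the issue or the CDK project: it walks a synthesized CloudFormation template (`cdk synth` output), finds each interface endpoint's security groups, and reports whether any inbound rule admits the service port. The sample template and its logical ids are constructed.

```typescript
// Added example (not CDK project code); the sample template's logical ids are constructed.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
interface Finding { endpoint: string; securityGroup: string; port: number; hasIngress: boolean }
// Resolve {Ref: id} or {Fn::GetAtt: [id, attr]} to its logical id; literal sg-... ids yield undefined.
function logicalId(x: any): string | undefined {
  if (!x || typeof x !== 'object') return undefined;
  return x.Ref ?? (Array.isArray(x['Fn::GetAtt']) ? x['Fn::GetAtt'][0] : undefined);
}

// True if an ingress rule admits TCP traffic on `port` ('-1' means every protocol and port).
function coversPort(rule: any, port: number): boolean {
  const proto = String(rule.IpProtocol);
  if (proto === '-1') return true;
  return (proto === 'tcp' || proto === '6') && Number(rule.FromPort) <= port && port <= Number(rule.ToPort);
}
// Per interface endpoint, does each attached SG admit the service port (inline or standalone ingress rules)?
function checkEndpointIngress(template: CfnTemplate, port = 443): Finding[] {
  const res = template.Resources;
  const standalone = Object.keys(res).map(k => res[k]).filter(r => r.Type === 'AWS::EC2::SecurityGroupIngress');
  const findings: Finding[] = [];
  for (const endpoint of Object.keys(res)) {
    const ep = res[endpoint];
    if (ep.Type !== 'AWS::EC2::VPCEndpoint' || ep.Properties?.VpcEndpointType !== 'Interface') continue;
    for (const ref of ep.Properties?.SecurityGroupIds ?? []) {
      const sgId = logicalId(ref);
      const sg = sgId ? res[sgId] : undefined;
      if (!sgId || !sg || sg.Type !== 'AWS::EC2::SecurityGroup') continue; // imported SG: not inspectable here
      const rules: any[] = [...(sg.Properties?.SecurityGroupIngress ?? []),
        ...standalone.filter(r => logicalId(r.Properties?.GroupId) === sgId).map(r => r.Properties)];
      findings.push({ endpoint, securityGroup: sgId, port, hasIngress: rules.some(r => coversPort(r, port)) });
    }
  }
  return findings;
}

// Constructed sample: the issue's default endpoint SG (no ingress) beside one with the fix applied.
const sample: CfnTemplate = { Resources: {
  Vpc8378EB38: { Type: 'AWS::EC2::VPC', Properties: { CidrBlock: '10.0.0.0/16' } },
  ssmSG: { Type: 'AWS::EC2::SecurityGroup', Properties: {
    SecurityGroupEgress: [{ CidrIp: '0.0.0.0/0', IpProtocol: '-1' }] } },
  ssmEndpoint: { Type: 'AWS::EC2::VPCEndpoint', Properties: { VpcEndpointType: 'Interface',
    ServiceName: 'com.amazonaws.us-east-1.ssm', SecurityGroupIds: [{ 'Fn::GetAtt': ['ssmSG', 'GroupId'] }] } },
  ec2msgSG: { Type: 'AWS::EC2::SecurityGroup', Properties: { SecurityGroupIngress: [{
    CidrIp: { 'Fn::GetAtt': ['Vpc8378EB38', 'CidrBlock'] }, IpProtocol: 'tcp', FromPort: 443, ToPort: 443 }] } },
  ec2msgEndpoint: { Type: 'AWS::EC2::VPCEndpoint', Properties: { VpcEndpointType: 'Interface',
    ServiceName: 'com.amazonaws.us-east-1.ec2messages', SecurityGroupIds: [{ 'Fn::GetAtt': ['ec2msgSG', 'GroupId'] }] } },
} };
const unreachable = checkEndpointIngress(sample).filter(f => !f.hasIngress).map(f => f.endpoint); // ['ssmEndpoint']
```

Security groups the template only imports (literal `sg-...` ids) are skipped, so an empty report is not proof of coverage for those.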