
Add additional load balancers

Open CorinWilkins opened this issue 3 years ago • 2 comments

We have a number of internal load balanced services. We want to use security groups to restrict what can talk to our internal services. However, because the internal services all share an internal load balancer if something can reach that load balancer it can reach every service behind it.

I'd like the ability to define the load balancer, either to be created by copilot or to reference an already created one. In my case this ALB would ideally be created outside of copilot.

http:
    alb:
        name: foobar

CorinWilkins avatar Aug 23 '22 20:08 CorinWilkins

Related: #1457, #3319.

huanjani avatar Aug 23 '22 21:08 huanjani

  1. A manifest proposal for creating separate Load Balancers per service could be (for import we can follow @CorinWilkins's proposal):

    name: api
    type: Load Balanced Web Service # or 'Backend Service'

    http:
      dedicated: true

  2. For configuring which other workloads should be allowed to connect to the load balancer:

    http:
      dedicated: true
      ingress:
        names:
          - other_service1
          - other_service2
          - other_job1


    This UX raises the question of how we can have the ALB security group allow ingress from other_service1, other_service2, other_job1 without having cross-service or job-stack dependencies, which would make deletions extremely complicated. I believe the solution is for us to define a separate security group per workload at the environment level as an environment addon. The security groups can be imported in workload stacks and an EC2::SecurityGroupIngress resource can be created in the workload stack for the ALB to allow ingress from the workload SG.

efekarakus avatar Sep 16 '22 18:09 efekarakus
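The per-workload security group scheme sketched in the comment above, written out as an added illustration that is not part of this issue or of the Copilot project: an environment addon creates an identity security group for other_service1, and a workload addon for api opens the dedicated ALB's security group to that group only, so api depends on the environment stack rather than on other_service1's stack. The export names, the VpcId export and the AlbSecurityGroupId parameter are assumptions.

```yaml
# Added illustration, not Copilot's own templates. Export names, the VpcId
# export and the AlbSecurityGroupId parameter are assumptions.

# --- Environment addon: one identity security group per workload ------------
Parameters:
  App:
    Type: String
  Env:
    Type: String

Resources:
  OtherService1SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "Identity SG for other_service1 in ${App}-${Env}"
      VpcId: !ImportValue
        Fn::Sub: "${App}-${Env}-VpcId"   # assumed name of the env VPC export
      # No ingress rules here: this group only identifies the workload's tasks.

Outputs:
  OtherService1SecurityGroupId:
    Value: !Ref OtherService1SecurityGroup
    Export:
      Name: !Sub "${App}-${Env}-other_service1-SecurityGroupId"  # assumed name

---
# --- Workload addon for "api": admit traffic from that group only -----------
Parameters:
  App:
    Type: String
  Env:
    Type: String
  AlbSecurityGroupId:
    Type: String   # hypothetical: the dedicated ALB's SG, handed in by the workload stack

Resources:
  AllowOtherService1ToAlb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AlbSecurityGroupId
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      # Source is the imported identity group, so deleting other_service1's
      # own stack never breaks api's stack; only the env addon export matters.
      SourceSecurityGroupId: !ImportValue
        Fn::Sub: "${App}-${Env}-other_service1-SecurityGroupId"
```

Tasks of other_service1 would additionally need the identity group attached as one of their security groups; workloads not listed get no ingress rule and cannot reach the ALB.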

Having thought about this a bit more we could achieve this by deploying our internal service into another copilot app if we could add security groups to the internal load balancer to enable inter app communication. Is adding security groups to load balancers on your roadmap?

CorinWilkins avatar Oct 12 '22 08:10 CorinWilkins

@CorinWilkins, adding security groups to the load balancer is indeed on our roadmap. You can find more details in this proposal that we recently posted to gauge the need for a security group on the load balancer. Please leave your feedback on the proposal if you have any.

paragbhingre avatar Oct 12 '22 17:10 paragbhingre

Hello 👋🏼 AWS Copilot v1.32.0 is now released: https://github.com/aws/copilot-cli/releases/tag/v1.32.0 🎉🚀 We shipped the feature that lets you place your existing ALB in front of your Load-Balanced Web Service - just specify the name or the ARN of the ALB in the http.alb field. Check out our blog post for more details, as well as other very cool features ❤️ !

Lou1415926 avatar Nov 09 '23 21:11 Lou1415926