
Be able to specify the security group(s) for load balancer(s)

Open craigjbass opened this issue 3 years ago • 3 comments

Being able to specify the security group for a load balancer would give us the level of control we need. Something akin to load balanced services:

http:
  private:
    security_groups:
      groups: [sg_xyz890, sg_abc123]
      deny_default: true

Originally posted by @CorinWilkins in https://github.com/aws/copilot-cli/issues/3934#issuecomment-1224800583

craigjbass, Aug 24 '22 15:08

For context, we want all of our services not to be allowed to egress traffic to the public internet.

Right now, that means removing the default environment-wide security group, but this also means that services cannot talk to the internal application load balancer. We ideally want to be able to give specific access to the internal ALB, via a special security group.

craigjbass, Aug 24 '22 16:08

Hi! Could you clarify the context a bit-- do you have an environment with both a public ALB and an internal ALB? Are you importing a VPC or using a Copilot-generated one? Are your workloads in private or public subnets? Thanks!

huanjani, Aug 25 '22 18:08

We have both public and internal ALBs, and are importing our VPC.

We have workloads in both the public and private subnets.

craigjbass, Aug 25 '22 18:08