
Proposal: Allow restricting ingress to the load balancer

Open paragbhingre opened this issue 3 years ago • 0 comments

Proposal for #2557

In order to restrict access to the load balancer we will provide an option to configure PublicHTTPLoadBalancerSecurityGroup.

Allow restricting access to the load balancer via limited IP addresses only. This will introduce a new manifest field source_ips that can hold up to 50 IP addresses.

http:
  public:
    ingress:
      source_ips: [ip1, ip2, ...]

In the future, we could extend the manifest so that people can attach their own security groups to the public load balancer. Below is an example of a potential proposal for this functionality:

http:
  public:
    security_groups:
      deny_default: true # remove Copilot-created security group
      groups: [sg123, sg789] # import your own security group

When deny_default is set to true and security groups are mentioned, then Copilot-created security groups will be removed and customer-provided security groups will be attached to the load balancer.

We appreciate any feedback!

paragbhingre, Oct 04 '22 18:10
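An added example, not part of the original issue and not Copilot's own code: one way the proposed source_ips list could be validated before it is turned into load balancer ingress rules. The function name NormalizeSourceIPs is hypothetical, and the example assumes each entry is a bare IP address or a CIDR block and that a /0 entry should be rejected because it restricts nothing; only the 50-entry limit comes from the proposal.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

const maxSourceIPs = 50 // limit stated in the proposal

// NormalizeSourceIPs is a hypothetical validator for the proposed
// http.public.ingress.source_ips field. Assumption: each entry is a bare IP
// or a CIDR block; bare addresses become /32 (IPv4) or /128 (IPv6).
func NormalizeSourceIPs(entries []string) ([]string, error) {
	if len(entries) > maxSourceIPs {
		return nil, fmt.Errorf("source_ips has %d entries, limit is %d", len(entries), maxSourceIPs)
	}
	seen := make(map[netip.Prefix]bool)
	var out []string
	for _, raw := range entries {
		s := strings.TrimSpace(raw)
		p, err := netip.ParsePrefix(s)
		if err != nil {
			addr, aerr := netip.ParseAddr(s)
			if aerr != nil {
				return nil, fmt.Errorf("source_ips: %q is not an IP address or CIDR", raw)
			}
			p = netip.PrefixFrom(addr, addr.BitLen())
		}
		p = p.Masked() // drop host bits so 10.1.2.3/16 becomes 10.1.0.0/16
		if p.Bits() == 0 {
			// A /0 entry admits every address, so nothing is restricted.
			return nil, fmt.Errorf("source_ips: %q allows all addresses", raw)
		}
		if !seen[p] {
			seen[p] = true
			out = append(out, p.String())
		}
	}
	return out, nil
}

func main() {
	// Constructed sample input (documentation address ranges).
	got, err := NormalizeSourceIPs([]string{"203.0.113.7", "198.51.100.20/24", "203.0.113.7/32"})
	fmt.Println(got, err)
	_, err = NormalizeSourceIPs([]string{"0.0.0.0/0"})
	fmt.Println(err)
}
```

Normalizing and de-duplicating before rule generation means an entry such as 203.0.113.7 and its /32 form produce a single rule.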