Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fargate stack not adding the application security group to ALB #40

Open
nickboucart opened this issue Jul 19, 2018 · 3 comments
Open

Fargate stack not adding the application security group to ALB #40

nickboucart opened this issue Jul 19, 2018 · 3 comments

Comments

@nickboucart
Copy link

I used the combination of vpc+bastion stack, a separate db stack (postgres) and the fargate stack to run a containerized web app. I found that the load balancer could not connect to the application.

Adding the application security group to the loadbalancer solved this issue.
@rnzsgh
Copy link
Contributor

rnzsgh commented Jul 19, 2018

Hi Nick,

Did you run with the wrapper stacks or individually (i.e., the files in the templates dir)? Did you create the Fargate cluster using the fargate.cfn.yml file? The fargate.cfn.yml places the service in the application security group:

https://github.com/aws-samples/startup-kit-templates/blob/master/templates/fargate.cfn.yml#L710

The service is in the application security group which allows ingress from the ELB/ALB security group and the bastion host.

https://github.com/aws-samples/startup-kit-templates/blob/master/templates/vpc.cfn.yml#L223

I am not entirely sure why adding the application security group to the ELB/ALB would change anything unless the port number parameters were set incorrectly when the stack was created.

Can you verify the port numbers you set for the ALB/ELB and the application?

Thanks,

Ryan

@nickboucart
Copy link
Author

Hi Ryan,

Thanks for your reply.

I added a line after

startup-kit-templates/templates/fargate.cfn.yml

Line 556 in f7fd8a2

- Fn::ImportValue: !Sub ${NetworkStackName}-ELBSecurityGroupID

- Fn::ImportValue: !Sub ${NetworkStackName}-AppSecurityGroupID
and that made it work. I used the vpc+bastion stack, launched the db stack individually, and launched the fargate stack individually as well,

I'm learning about all of this stuff, so I might have made some mistakes. I'm running the app on port 3000 inside of the container and set it as the appingress port.

In my understanding, the ALB/ELB needs to have the APPSecurityGroupID security group attached, otherwise it won't allow outbound traffic towards the fargate cluster. Adding this line to the fargate template and redeploying made it work.

Hope this helps,
Nick.

@rnzsgh
Copy link
Contributor

rnzsgh commented Dec 12, 2018

Hi Nick,

Apologies for not getting back to you sooner. More than likely this is a configuration issue in the params passed when launching the stack. In the example you sent, you added the application security group to the ALB. The application security group is in place to limit the requests to the application from the ALB and the bastion host. Additionally, it is the source security group that protects the database from access outside of the application and the bastion host.

It's been some time, but if you would like to debug this, please post the CLI calls or the parameters passed to each stack and I will try to recreate or identify what is misconfigured.

Thanks,

Ryan

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nickboucart @rnzsgh