Description
Describe the bug
The automatically generated security group ingress rules for an ALB are incorrect when 1) an ApplicationLoadBalancer IP address type is set to `DUAL_STACK_WITHOUT_PUBLIC_IPV4` and 2) a listener on the LB is set to allow anyone to connect to the load balancer on the listener port (`open: true`). The generated rules only allow IPv4 inbound traffic and no IPv6 inbound traffic, which effectively allows no external traffic.

Support for `DUAL_STACK_WITHOUT_PUBLIC_IPV4` was added in CDK v2.159.0, but missed this change.
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Version
No response
Expected Behavior
Example security group ingress rules (IPv6 sources are expressed with the `CidrIpv6` property, which is what `ec2.Peer.anyIpv6()` emits):

```json
"SecurityGroupIngress": [
  {
    "CidrIp": "0.0.0.0/0",
    "Description": "Allow from anyone on port 80",
    "FromPort": 80,
    "IpProtocol": "tcp",
    "ToPort": 80
  },
  {
    "CidrIpv6": "::/0",
    "Description": "Allow from anyone on port 80",
    "FromPort": 80,
    "IpProtocol": "tcp",
    "ToPort": 80
  }
]
```
Current Behavior
Example security group ingress rules:

```json
"SecurityGroupIngress": [
  {
    "CidrIp": "0.0.0.0/0",
    "Description": "Allow from anyone on port 80",
    "FromPort": 80,
    "IpProtocol": "tcp",
    "ToPort": 80
  }
]
```
Reproduction Steps
I'm using the ECS patterns module, which automatically generated the load balancer:
```typescript
new patterns.ApplicationLoadBalancedFargateService(this, 'Service', {
  cluster,
  desiredCount: 1,
  domainName,
  domainZone,
  protocol: ApplicationProtocol.HTTPS,
  redirectHTTP: true,
  assignPublicIp: false,
  ipAddressType: elb.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4,
  taskImageOptions: {
    ...
  },
});
```
Possible Solution
I have what I believe is a fix, but I still need to update tests and validate:
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
index 07cfb949f3..35ba804721 100644
--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
@@ -303,7 +303,8 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
if (props.open !== false) {
this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv4(), `Allow from anyone on port ${port}`);
- if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK) {
+ if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK ||
+ this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4) {
this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv6(), `Allow from anyone on port ${port}`);
}
}
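Review bot: the added `||` clause repeats the enum comparison and will need a third clause the next time a dual-stack variant is introduced; a membership check such as `[IpAddressType.DUAL_STACK, IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4].includes(this.loadBalancer.ipAddressType)` keeps the anyIpv6 rule in step with every dual-stack mode without touching the undefined/IPV4 default path. The hunk also ships without a unit test: add one that synthesizes an ALB with `DUAL_STACK_WITHOUT_PUBLIC_IPV4` and an `open: true` listener and asserts a `CidrIpv6: '::/0'` ingress rule on the load balancer security group, since only the `DUAL_STACK` branch being covered is what let this gap through.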
Additional Information/Context
No response
CDK CLI Version
2.164.1
Framework Version
No response
Node.js Version
v20.18.0
OS
Linux
Language
TypeScript
Language Version
5.6.2
Other information
No response
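As an added example (not code from this issue or from aws-cdk-lib), a stand-alone TypeScript check that audits the security groups in a `cdk synth` template for the gap shown under Current Behavior, which is also what a test for the Possible Solution diff would assert. Only the CloudFormation resource shape is assumed; the sample template and its logical id are constructed.

```typescript
// Added example (not code from the issue or from aws-cdk-lib): audit the
// AWS::EC2::SecurityGroup resources in a `cdk synth` template and report, per
// group, which "allow from anyone" CIDRs are missing for the ALB's address type.
type IngressRule = { CidrIp?: string; CidrIpv6?: string; IpProtocol: string; FromPort?: number; ToPort?: number };
type Resource = { Type: string; Properties?: { SecurityGroupIngress?: IngressRule[] } };
type Template = { Resources: Record<string, Resource> };
type IpAddressType = 'IPV4' | 'DUAL_STACK' | 'DUAL_STACK_WITHOUT_PUBLIC_IPV4';

// CIDRs an `open: true` listener should admit, per the issue's expected output:
// both dual-stack modes need ::/0 alongside 0.0.0.0/0.
function expectedCidrs(ipAddressType: IpAddressType): string[] {
  return ipAddressType === 'IPV4' ? ['0.0.0.0/0'] : ['0.0.0.0/0', '::/0'];
}

// Collect the CIDRs that have a tcp rule covering exactly `port` (IPv4 or IPv6 form).
function openCidrs(rules: IngressRule[], port: number): string[] {
  return rules
    .filter((r) => r.IpProtocol === 'tcp' && r.FromPort === port && r.ToPort === port)
    .map((r) => r.CidrIpv6 ?? r.CidrIp)
    .filter((c): c is string => c !== undefined);
}

// Returns { logicalId: [missing CIDRs] } for each security group with a gap;
// an empty object means every group admits the expected sources on `port`.
function auditTemplate(template: Template, ipAddressType: IpAddressType, port: number): Record<string, string[]> {
  const findings: Record<string, string[]> = {};
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::EC2::SecurityGroup') continue;
    const open = openCidrs(res.Properties?.SecurityGroupIngress ?? [], port);
    const missing = expectedCidrs(ipAddressType).filter((cidr) => open.indexOf(cidr) === -1);
    if (missing.length > 0) findings[id] = missing;
  }
  return findings;
}

// Constructed sample: the IPv4-only rule set the issue reports today. The
// logical id is a placeholder, not one synthesized by CDK.
const sampleTemplate: Template = {
  Resources: {
    LBSecurityGroupPLACEHOLDER: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: {
        SecurityGroupIngress: [{ CidrIp: '0.0.0.0/0', IpProtocol: 'tcp', FromPort: 80, ToPort: 80 }],
      },
    },
  },
};
console.log(auditTemplate(sampleTemplate, 'DUAL_STACK_WITHOUT_PUBLIC_IPV4', 80)); // { LBSecurityGroupPLACEHOLDER: [ '::/0' ] }
```

Point it at `cdk.out/<stack>.template.json` after `cdk synth` to confirm the fix before deploying.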