ECS: Compose adds ingress rule to security group when external #1783
Comments
A possible approach to address this request would be to leverage the network attribute.
Ran into this issue as well. We are using a named security group which whitelists the IP addresses that should have access to my application (internal use case). Example Docker Compose file:
This also creates a section, as mentioned above, in the CloudFormation template of:
Tried using the We would like a way to not have the ingress of our security group modified, if possible.
I really need this.
…the ingress rule to other security groups. Solves docker-archive#1783. Previously, the ECS stack included an ingress rule to allow the LB to reach the tasks. However, it added this ingress rule to every Docker network security group, meaning other tasks on the same Docker network, possibly sensitive, were accessible externally. We now create a new security group for port assignments for every service that has ports, and attach that security group only to that service. This ensures other tasks in the same Docker networks are not accessible externally.
Not sure how to add labels, but this is a security issue. I get random scrapes on my containers.
Description
We are trying to set up a web service inside of a VPC, but we don't want to expose it to the public internet, so we set up a security group with the correct inbound/outbound rules. The problem is that the compose CLI (via the CF template it generates) modifies the existing security group to add 0.0.0.0/0 on port 80 thereby exposing the application to anyone.
Steps to reproduce the issue:
1. HTTP, TCP, Port 80, 10.0.0.0/16
2. docker compose up
Describe the results you received:
HTTP, TCP, Port 80, 10.0.0.0/16
and HTTP, TCP, Port 80, 0.0.0.0/0
Describe the results you expected:
HTTP, TCP, Port 80, 10.0.0.0/16
Additional information you deem important (e.g. issue happens only occasionally):
The relevant section that creates the unwanted rule (shown by docker compose convert) is the following:
Output of docker version:
Output of docker context show:
Output of docker info:
Additional environment details (AWS ECS, Azure ACI, local, etc.): AWS ECS
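A pre-deployment check for the behaviour reported above, added here as an example (not code from the issue or from compose-cli): it scans a CloudFormation template, such as the one docker compose convert emits, for ingress rules that admit 0.0.0.0/0 or ::/0, and separates those that modify a pre-existing security group (a literal sg-... id, as when the compose file names an external group) from those on groups the stack creates. The template fragment and group id are constructed placeholders, not the reporter's template.

```python
"""Flag CloudFormation ingress rules that admit the whole internet (0.0.0.0/0 or ::/0),
to run over the template `docker compose convert` emits before `docker compose up`."""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def _world_open(rule: dict) -> bool:
    # IPv4 and IPv6 both count; a SourceSecurityGroupId rule is not world-open.
    return rule.get("CidrIp") in WORLD_CIDRS or rule.get("CidrIpv6") in WORLD_CIDRS

def find_world_open_ingress(template: dict) -> list:
    """Return (resource, target_group, (from, to)) for each world-open rule, whether a
    standalone AWS::EC2::SecurityGroupIngress or inline in an AWS::EC2::SecurityGroup."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            # GroupId is a literal sg-... when the compose file names an existing
            # (external) group, and a {"Ref": ...} when the stack creates the group.
            rules, target = [props], props.get("GroupId", props.get("GroupName"))
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            rules, target = props.get("SecurityGroupIngress", []), name
        else:
            continue
        for rule in rules:
            if _world_open(rule):
                findings.append((name, str(target), (rule.get("FromPort"), rule.get("ToPort"))))
    return findings

def on_external_group(findings: list) -> list:
    """Keep findings that modify a pre-existing group (literal sg-... id), the case
    reported in this issue, rather than a group the stack owns."""
    return [f for f in findings if f[1].startswith("sg-")]

# Constructed template fragment (placeholder group id), not the reporter's template:
# the user's internal-only group receives an extra world-open rule on port 80.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "WebPort80Ingress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
    "GroupId": "sg-0123456789abcdef0", "IpProtocol": "tcp",
    "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}},
  "InternalIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
    "GroupId": "sg-0123456789abcdef0", "IpProtocol": "tcp",
    "FromPort": 80, "ToPort": 80, "CidrIp": "10.0.0.0/16"}},
  "DefaultNetwork": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "default network",
    "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIpv6": "::/0"}]}}}}""")

if __name__ == "__main__":
    for f in on_external_group(find_world_open_ingress(SAMPLE_TEMPLATE)):
        print("world-open ingress added to pre-existing group:", f)
```

Run it against the converted template (converted from YAML to JSON first) and fail the pipeline on any non-empty result from on_external_group; the full list from find_world_open_ingress is still worth reviewing, since the commit above notes that the rule was also being added to every Docker network's group.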