Hi,
An inbound HTTPS (443) TCP rule is added to my SG when I add a VPC Interface Endpoint using the ec2.Vpc L1 construct method addInterfaceEndpoint. If I use CfnVPCEndpoint (commented out below) instead, all is good.
```typescript
import * as cdk from 'aws-cdk-lib';
import { aws_ec2 as ec2 } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class ScratchStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, 'vpc', {});

    // Security group for the endpoint: no inbound rules are declared here,
    // only the default allow-all egress.
    const vpcEndpointSg = new ec2.SecurityGroup(this, 'vpc-endpoint-sg', {
      vpc: vpc,
      allowAllOutbound: true,
    });

    // Endpoint added via the Vpc construct. With this call the synthesized
    // template gains an inbound TCP 443 rule on vpcEndpointSg that is not
    // declared anywhere in this stack (the `open` option, not set here,
    // is what controls that).
    vpc.addInterfaceEndpoint('vpc-endpoint', {
      service: ec2.InterfaceVpcEndpointAwsService.IOT_CORE,
      privateDnsEnabled: false,
      securityGroups: [vpcEndpointSg],
    });

    // The same endpoint via CfnVPCEndpoint (commented out): this path leaves
    // the security group's rules exactly as declared above.
    // new ec2.CfnVPCEndpoint(this, 'cfn-vpc-endpoint', {
    //   serviceName: `com.amazonaws.${process.env.CDK_DEFAULT_REGION}.iot.data`,
    //   vpcId: vpc.vpcId,
    //   vpcEndpointType: 'Interface',
    //   securityGroupIds: [vpcEndpointSg.securityGroupId],
    // });
  }
}
```
Thoughts/help welcome.
Thanks, Gary
Thanks Peter, I didn't spot the 'open' prop! (And I think using the InterfaceVpcEndpoint construct is more appropriate in my context than the Vpc construct method). In my real code, I have other SG rules, so it's useful without 443 i/b :-)
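For readers landing on this thread: the `open` option on `addInterfaceEndpoint` (and on the `InterfaceVpcEndpoint` construct) defaults to `true`, and when it is true CDK adds an ingress rule on the endpoint's security group that allows the service port (443) from the VPC's CIDR block. That is the rule seen above; passing `open: false` leaves a bring-your-own security group exactly as declared. The block below is an added example, not code from the issue or from the CDK project: a small post-synth check that reads the template `cdk synth` writes and lists every ingress rule whose peer is a CIDR, so a stack that is supposed to expose nothing on 443 can be verified before deploy. The sample template, its logical ids and the region are constructed to mirror the shape of the synthesized output for the stack above with the default `open: true`.

```typescript
// Added example, not from the original post: a post-synth check that reads the
// template `cdk synth` writes to cdk.out/<StackName>.template.json and lists
// every security-group ingress rule whose peer is a CIDR (a literal or a
// CloudFormation intrinsic), whether CDK inlined it in an AWS::EC2::SecurityGroup
// or emitted a standalone AWS::EC2::SecurityGroupIngress resource.

interface CfnResource { Type: string; Properties?: Record<string, any> }
interface CfnTemplate { Resources?: Record<string, CfnResource> }

interface CidrIngress {
  resource: string;  // logical id of the resource that carries the rule
  groupRef: string;  // logical id of the security group the rule targets
  fromPort: number;
  toPort: number;
  cidr: string;      // literal CIDR, or a readable rendering of the intrinsic
}

// Render a literal or an intrinsic such as {"Fn::GetAtt": ["vpcX", "CidrBlock"]}.
function renderRef(v: unknown): string | undefined {
  if (typeof v === 'string') return v;
  if (v && typeof v === 'object') {
    const o = v as Record<string, unknown>;
    const getAtt = o['Fn::GetAtt'];
    if (Array.isArray(getAtt)) return `GetAtt(${getAtt.join('.')})`;
    if (typeof o['Ref'] === 'string') return `Ref(${o['Ref']})`;
  }
  return undefined;
}

function findCidrIngress(tpl: CfnTemplate): CidrIngress[] {
  const found: CidrIngress[] = [];
  const resources = tpl.Resources ?? {};
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    const props = res.Properties ?? {};
    if (res.Type === 'AWS::EC2::SecurityGroup') {
      // Rules CDK inlines on the group itself (the common same-stack case).
      for (const rule of props.SecurityGroupIngress ?? []) {
        const cidr = renderRef(rule.CidrIp ?? rule.CidrIpv6);
        if (cidr) found.push({ resource: id, groupRef: id, fromPort: rule.FromPort, toPort: rule.ToPort, cidr });
      }
    } else if (res.Type === 'AWS::EC2::SecurityGroupIngress') {
      // Standalone rule resources, e.g. when the group lives in another stack.
      const cidr = renderRef(props.CidrIp ?? props.CidrIpv6);
      if (cidr) found.push({ resource: id, groupRef: renderRef(props.GroupId) ?? 'unknown', fromPort: props.FromPort, toPort: props.ToPort, cidr });
    }
  }
  return found;
}

// Rules that admit a given port; 443 is the port every interface endpoint serves.
function cidrIngressCoveringPort(tpl: CfnTemplate, port: number): CidrIngress[] {
  return findCidrIngress(tpl).filter(r => r.fromPort <= port && port <= r.toPort);
}

// Constructed sample shaped like the relevant resources synthesized from the
// stack in the post with the default `open: true`; logical ids and region are
// made up. The endpoint SG carries a 443 rule from the VPC CIDR that the
// stack never declared explicitly.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    vpc8378EB38: { Type: 'AWS::EC2::VPC', Properties: { CidrBlock: '10.0.0.0/16' } },
    vpcendpointsg: {
      Type: 'AWS::EC2::SecurityGroup',
      Properties: {
        GroupDescription: 'ScratchStack/vpc-endpoint-sg',
        SecurityGroupEgress: [{ CidrIp: '0.0.0.0/0', IpProtocol: '-1', Description: 'Allow all outbound traffic by default' }],
        SecurityGroupIngress: [{
          CidrIp: { 'Fn::GetAtt': ['vpc8378EB38', 'CidrBlock'] },
          IpProtocol: 'tcp', FromPort: 443, ToPort: 443,
        }],
        VpcId: { Ref: 'vpc8378EB38' },
      },
    },
    vpcendpoint: {
      Type: 'AWS::EC2::VPCEndpoint',
      Properties: {
        ServiceName: 'com.amazonaws.eu-west-1.iot.data',
        VpcEndpointType: 'Interface',
        VpcId: { Ref: 'vpc8378EB38' },
        PrivateDnsEnabled: false,
        SecurityGroupIds: [{ 'Fn::GetAtt': ['vpcendpointsg', 'GroupId'] }],
      },
    },
  },
};

// Usage against a real synth output (kept in comments so the block runs offline):
//   const tpl = JSON.parse(fs.readFileSync('cdk.out/ScratchStack.template.json', 'utf8'));
//   const hits = cidrIngressCoveringPort(tpl, 443);
//   if (hits.length) { console.error(hits); process.exit(1); }
```

Run it as a step after `cdk synth` in CI; with `open: false` on the endpoint (and no other CIDR rules) the 443 list is empty, and any later change that reintroduces a VPC-wide 443 rule on the endpoint's group fails the build instead of surfacing in the console after deploy.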