AWS EKS Network Load Balancer (SG supported)

0

kind: Service
metadata:
  name: test-nlb
  namespace: default
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service.beta.kubernetes.io/aws-load-balancer-internal: 'true'
    service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-000d893f88c8fc7b4,subnet-039fcd7a47689eb2f,subnet-09abd31877dae11c5
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "env_type=true,owner_email=true,gp=true"

Two Security Groups are automatically created and attached: one for receiving external traffic (frontend SG) and one for communicating with the backend Node Groups (backend SG), which is automatically added to the Node Group's Security Group ingress rules.

Tags are not being applied to the 2nd SG, so it is failing per our SCP (service control policy), which requires tags.

We can't change the SCP. Why is the 2nd SG not getting tags? We tested by disabling the SCP and it works, but when we look at the SGs only the 1st one gets the tags and not the 2nd one, so we conclude that it is failing because the 2nd SG is not getting tagged, for some strange reason.

2 Answers
0

Create a Custom Security Group:

Manually create a security group with the necessary tags that comply with your SCP requirements. Make sure this security group has the required ingress and egress rules to communicate with your backend node groups.

Update Node Group Security Group Ingress Rules:

Add the custom security group you created to the ingress rules of the backend node group's security group. This way, the backend node group's security group will allow traffic from the custom security group.

Modify EKS Service Manifest:

Update the EKS service manifest to include the custom security group by using the service.beta.kubernetes.io/aws-load-balancer-security-groups annotation.

apiVersion: v1
kind: Service
metadata:
  name: test-nlb
  namespace: default
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service.beta.kubernetes.io/aws-load-balancer-internal: 'true'
    service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-000d893f88c8fc7b4,subnet-039fcd7a47689eb2f,subnet-09abd31877dae11c5
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "env_type=true,owner_email=true,gp=true"
    service.beta.kubernetes.io/aws-load-balancer-security-groups: sg-0a1b2c3d4e5f67890  # Custom security group ID
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    app: my-app
  type: LoadBalancer

Steps to Implement

Create Custom Security Group:

aws ec2 create-security-group --group-name custom-backend-sg --description "Custom backend security group with required tags" --vpc-id vpc-xxxxxx

Tag the Security Group:

aws ec2 create-tags --resources sg-0a1b2c3d4e5f67890 --tags Key=env_type,Value=true Key=owner_email,Value=true Key=gp,Value=true

Add Ingress Rules to Node Group Security Group:

aws ec2 authorize-security-group-ingress --group-id sg-nodegroup --protocol tcp --port 80 --source-group sg-0a1b2c3d4e5f67890

Deploy Updated Service Manifest:

kubectl apply -f updated-service-manifest.yaml

EXPERT
answered 3 months ago
EXPERT
reviewed 3 months ago
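The same three steps in Python with boto3, as an added example that is not code from the answer above. The EC2 client is passed in, so the functions run against the constructed `FakeEC2` stand-in without AWS access; the VPC id, node-group SG id and tag keys in `main` are placeholders taken from the question. One deliberate difference from the CLI steps: the tags are passed to `CreateSecurityGroup` itself via `TagSpecifications`, because an SCP that enforces tags with an `aws:RequestTag` condition on that action denies an untagged create call before any later `create-tags` call could run.

```python
"""Create an SCP-compliant NLB frontend security group, tagged at creation,
and allow traffic from it into the node-group security group.

Added example, not the answer's own code. The FakeEC2 class is a constructed
stand-in for boto3.client("ec2") so the module runs offline; swap in the real
client for actual use.
"""
from typing import Dict, List


def parse_tag_spec(spec: str) -> List[Dict[str, str]]:
    """Turn an annotation-style 'k=v,k=v' string into an EC2 Tag list."""
    tags = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        if not key:
            raise ValueError(f"malformed tag item: {item!r}")
        tags.append({"Key": key.strip(), "Value": value.strip()})
    return tags


def create_tagged_frontend_sg(ec2, vpc_id: str, name: str, tag_spec: str) -> str:
    """Create the SG with its tags in the same CreateSecurityGroup call."""
    resp = ec2.create_security_group(
        GroupName=name,
        Description="NLB frontend SG with required tags",
        VpcId=vpc_id,
        TagSpecifications=[{"ResourceType": "security-group",
                            "Tags": parse_tag_spec(tag_spec)}],
    )
    return resp["GroupId"]


def allow_from_sg(ec2, node_sg_id: str, source_sg_id: str, port: int) -> dict:
    """Open one TCP port on the node SG to the frontend SG (SG-to-SG rule, no CIDR)."""
    perm = {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg_id}],
    }
    ec2.authorize_security_group_ingress(GroupId=node_sg_id, IpPermissions=[perm])
    return perm


def missing_tags(ec2, sg_id: str, tag_spec: str) -> List[str]:
    """Return the required tag keys absent on the SG; an empty list means compliant."""
    resp = ec2.describe_security_groups(GroupIds=[sg_id])
    present = {t["Key"] for t in resp["SecurityGroups"][0].get("Tags", [])}
    return [t["Key"] for t in parse_tag_spec(tag_spec) if t["Key"] not in present]


class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 client (offline runs only)."""

    def __init__(self):
        self.groups: Dict[str, dict] = {}
        self.rules: List[dict] = []

    def create_security_group(self, **kw):
        sg_id = f"sg-fake{len(self.groups):04d}"
        tags = [t for spec in kw.get("TagSpecifications", []) for t in spec["Tags"]]
        self.groups[sg_id] = {"GroupId": sg_id, "Tags": tags}
        return {"GroupId": sg_id}

    def authorize_security_group_ingress(self, **kw):
        self.rules.append(kw)
        return {"Return": True}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.groups.get(g, {"GroupId": g}) for g in GroupIds]}


if __name__ == "__main__":
    ec2 = FakeEC2()  # real use: import boto3; ec2 = boto3.client("ec2")
    tag_spec = "env_type=true,owner_email=true,gp=true"  # keys from the question
    sg = create_tagged_frontend_sg(ec2, "vpc-PLACEHOLDER", "custom-backend-sg", tag_spec)
    allow_from_sg(ec2, "sg-NODEGROUP-PLACEHOLDER", sg, 80)
    print(sg, "missing tags:", missing_tags(ec2, sg, tag_spec))
```

`missing_tags` doubles as the post-deployment check: run it against the controller-created SGs as well to see which one the SCP would reject.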
0

Hello,

Please try this solution.

To ensure both security groups created by the AWS Load Balancer Controller are tagged properly, you can create a simple AWS Lambda function that triggers on the creation of a new security group and automatically applies the necessary tags. Create an IAM role with permissions to describe and tag security groups, attaching the policies **AmazonEC2ReadOnlyAccess** and AmazonEC2FullAccess. Then, create a Lambda function using the AWS Management Console, writing a script in Python that describes all security groups and checks if the required tags are missing, applying them if necessary. Set up a CloudWatch Events rule to trigger this Lambda function whenever a new security group is created, using the CreateSecurityGroup API call as the event source. This setup ensures compliance with your Service Control Policies (SCPs) by automatically tagging both the frontend and backend security groups, thus avoiding the need to disable the SCP or manually tag the security groups.

If you want more information, please go through the document link below.

https://dev.to/aws-builders/creating-network-load-balancer-sg-supported-with-aws-load-balancer-controller-168p

EXPERT
answered 3 months ago
EXPERT
reviewed 3 months ago
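A handler for the Lambda described in this answer, as an added example that is not the answerer's code. It assumes an EventBridge (CloudWatch Events) rule forwarding CloudTrail `CreateSecurityGroup` events whose `responseElements` carry the new `groupId`, and that the SCP lets the untagged create call succeed and is enforced afterwards (a tag-on-create condition would deny the call before any event is emitted). The required tag values are placeholders built from the question's keys; `FakeEC2` and `sample_event` are constructed so the module runs offline.

```python
"""Lambda handler that adds missing required tags to a newly created security group.

Added example; not the answerer's code. The EC2 client is injected so the handler
can be exercised without AWS access; with ec2=None a real boto3 client is created.
Set REQUIRED_TAGS as a JSON object in the function environment for real use.
"""
import json
import os
from typing import Dict, List

# Placeholder defaults using the question's tag keys; override via environment.
REQUIRED_TAGS: Dict[str, str] = json.loads(os.environ.get(
    "REQUIRED_TAGS", '{"env_type": "true", "owner_email": "true", "gp": "true"}'))


def group_id_from_event(event: dict) -> str:
    """Extract the created SG id from a CloudTrail-via-EventBridge event."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateSecurityGroup":
        raise ValueError(f"unexpected eventName: {detail.get('eventName')!r}")
    if "errorCode" in detail:  # the API call was denied; nothing was created
        raise ValueError(f"CreateSecurityGroup failed: {detail['errorCode']}")
    return detail["responseElements"]["groupId"]


def tags_to_add(existing: List[Dict[str, str]],
                required: Dict[str, str]) -> List[Dict[str, str]]:
    """Only add keys that are absent; never overwrite a value the creator set."""
    present = {t["Key"] for t in existing}
    return [{"Key": k, "Value": v} for k, v in required.items() if k not in present]


def remediate(ec2, sg_id: str, required: Dict[str, str]) -> List[str]:
    """Describe the SG, add whatever is missing, return the keys that were added."""
    resp = ec2.describe_security_groups(GroupIds=[sg_id])
    existing = resp["SecurityGroups"][0].get("Tags", [])
    add = tags_to_add(existing, required)
    if add:
        ec2.create_tags(Resources=[sg_id], Tags=add)
    return [t["Key"] for t in add]


def lambda_handler(event: dict, context=None, ec2=None) -> dict:
    """Lambda entry point; needs only ec2:DescribeSecurityGroups and ec2:CreateTags."""
    if ec2 is None:
        import boto3  # deferred so the module imports without boto3 installed
        ec2 = boto3.client("ec2")
    sg_id = group_id_from_event(event)
    return {"groupId": sg_id, "addedTags": remediate(ec2, sg_id, REQUIRED_TAGS)}


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client, for offline runs and tests."""

    def __init__(self, tags_by_sg: Dict[str, List[Dict[str, str]]]):
        self.tags_by_sg = tags_by_sg
        self.create_tags_calls: List[dict] = []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": g, "Tags": self.tags_by_sg.get(g, [])}
                                   for g in GroupIds]}

    def create_tags(self, Resources, Tags):
        self.create_tags_calls.append({"Resources": Resources, "Tags": Tags})
        for r in Resources:
            self.tags_by_sg.setdefault(r, []).extend(Tags)
        return {}


def sample_event(sg_id: str) -> dict:
    """Constructed event in the shape EventBridge delivers CloudTrail API calls."""
    return {
        "detail-type": "AWS API Call via CloudTrail",
        "source": "aws.ec2",
        "detail": {
            "eventSource": "ec2.amazonaws.com",
            "eventName": "CreateSecurityGroup",
            "responseElements": {"groupId": sg_id},
        },
    }


if __name__ == "__main__":
    # Backend SG created without tags: the failing case from the question.
    fake = FakeEC2({"sg-backend0001": []})
    print(lambda_handler(sample_event("sg-backend0001"), ec2=fake))
    print(lambda_handler(sample_event("sg-backend0001"), ec2=fake))  # now compliant
```

Because the handler only calls `DescribeSecurityGroups` and `CreateTags`, the execution role can be scoped to those two actions instead of a full-access managed policy. The matching rule pattern is `source: aws.ec2`, `detail-type: AWS API Call via CloudTrail`, `detail.eventName: CreateSecurityGroup`, which requires CloudTrail to be logging management events in that region.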
