Create a Custom Security Group:
Manually create a security group with the necessary tags that comply with your SCP requirements. Make sure this security group has the required ingress and egress rules to communicate with your backend node groups.
Update Node Group Security Group Ingress Rules:
Add the custom security group you created to the ingress rules of the backend node group's security group. This way, the backend node group's security group will allow traffic from the custom security group.
Modify EKS Service Manifest:
Update the EKS service manifest to include the custom security group by using the service.beta.kubernetes.io/aws-load-balancer-security-groups annotation.
apiVersion: v1
kind: Service
metadata:
  name: test-nlb
  namespace: default
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
    service.beta.kubernetes.io/aws-load-balancer-internal: 'true'
    service.beta.kubernetes.io/aws-load-balancer-subnets: subnet-000d893f88c8fc7b4,subnet-039fcd7a47689eb2f,subnet-09abd31877dae11c5
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "env_type=true,owner_email=true,gp=true"
    service.beta.kubernetes.io/aws-load-balancer-security-groups: sg-0a1b2c3d4e5f67890 # Custom security group ID
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  selector:
    app: my-app
  type: LoadBalancer
Steps to Implement
Create Custom Security Group:
aws ec2 create-security-group --group-name custom-backend-sg --description "Custom backend security group with required tags" --vpc-id vpc-xxxxxx
Tag the Security Group:
aws ec2 create-tags --resources sg-0a1b2c3d4e5f67890 --tags Key=env_type,Value=true Key=owner_email,Value=true Key=gp,Value=true
Add Ingress Rules to Node Group Security Group:
aws ec2 authorize-security-group-ingress --group-id sg-nodegroup --protocol tcp --port 80 --source-group sg-0a1b2c3d4e5f67890
Deploy Updated Service Manifest:
kubectl apply -f updated-service-manifest.yaml
Hello,
Please try this solution.
To ensure both security groups created by the AWS Load Balancer Controller are tagged properly, you can create a simple AWS Lambda function that triggers on the creation of a new security group and automatically applies the necessary tags. Create an IAM role with permissions to describe and tag security groups, attaching the policies **AmazonEC2ReadOnlyAccess** and **AmazonEC2FullAccess**. Then, create a Lambda function using the AWS Management Console, writing a script in Python that describes all security groups and checks if the required tags are missing, applying them if necessary. Set up a CloudWatch Events rule to trigger this Lambda function whenever a new security group is created, using the CreateSecurityGroup API call as the event source. This setup ensures compliance with your Service Control Policies (SCPs) by automatically tagging both the frontend and backend security groups, thus avoiding the need to disable the SCP or manually tag the security groups.
If you want more information, please go through the Document Link.
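The two answers above share one underlying check: does a security group carry every tag key the SCP demands? The following is an added example, not code from either answer or from the AWS Load Balancer Controller. It derives the required tag set from the `aws-load-balancer-additional-resource-tags` annotation shown in the first answer, reports which of those tags a security group is missing, and wraps that in a Lambda-style handler for the CreateSecurityGroup event the second answer describes. The EC2 client is injected so the logic runs offline against a constructed stand-in; `FakeEC2`, the sample group IDs other than `sg-0a1b2c3d4e5f67890`, and the event payload are all constructed here.

```python
"""Security-group tag compliance: annotation parsing, gap detection, auto-tagging.

Added example (not from the answers above). The event shape follows the
CloudTrail CreateSecurityGroup record as delivered by an EventBridge /
CloudWatch Events rule; the sample values are constructed.
"""
from typing import Dict, List


def parse_tag_annotation(value: str) -> Dict[str, str]:
    """Parse 'k1=v1,k2=v2' (the additional-resource-tags annotation format)."""
    tags: Dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"tag entry {item!r} is not key=value")
        tags[key.strip()] = val.strip()
    return tags


def missing_tags(sg: dict, required: Dict[str, str]) -> Dict[str, str]:
    """Return the required tags whose keys are absent from a describe-security-groups entry."""
    present = {t["Key"] for t in sg.get("Tags", [])}
    return {k: v for k, v in required.items() if k not in present}


def handle_create_security_group(event: dict, ec2, required: Dict[str, str]) -> Dict[str, List[str]]:
    """Handler body for a rule on the CreateSecurityGroup API call.

    Looks up only the group named in the event (not every group in the account)
    and applies just the tags that are missing, so re-running is idempotent.
    """
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateSecurityGroup":
        return {"skipped": ["not a CreateSecurityGroup event"]}
    group_id = detail.get("responseElements", {}).get("groupId")
    if not group_id:
        return {"skipped": ["no groupId in responseElements"]}
    groups = ec2.describe_security_groups(GroupIds=[group_id]).get("SecurityGroups", [])
    if not groups:
        return {"skipped": [f"{group_id} not found"]}
    gap = missing_tags(groups[0], required)
    if not gap:
        return {"already_compliant": [group_id]}
    ec2.create_tags(Resources=[group_id],
                    Tags=[{"Key": k, "Value": v} for k, v in gap.items()])
    return {"tagged": [group_id], "applied": sorted(gap)}


# Required tags, taken from the annotation value in the first answer's manifest.
REQUIRED = parse_tag_annotation("env_type=true,owner_email=true,gp=true")


def lambda_handler(event, context):
    """Real Lambda entry point: same logic with a live boto3 client."""
    import boto3  # imported lazily so the module stays importable offline
    return handle_create_security_group(event, boto3.client("ec2"), REQUIRED)


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client (offline demo only)."""

    def __init__(self, groups: List[dict]):
        self.groups = {g["GroupId"]: g for g in groups}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.groups[g] for g in GroupIds if g in self.groups]}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.groups[r].setdefault("Tags", []).extend(Tags)
        return {}


def demo():
    """Run the handler twice against a constructed, untagged controller-created group."""
    fake = FakeEC2([{"GroupId": "sg-0123456789abcdef0",  # constructed ID
                     "Tags": [{"Key": "Name", "Value": "k8s-elb-test-nlb"}]}])
    event = {"detail": {"eventName": "CreateSecurityGroup",
                        "responseElements": {"groupId": "sg-0123456789abcdef0"}}}
    first = handle_create_security_group(event, fake, REQUIRED)
    second = handle_create_security_group(event, fake, REQUIRED)
    return first, second


if __name__ == "__main__":
    print(demo())
```

Because the handler needs only `ec2:DescribeSecurityGroups` and `ec2:CreateTags`, its execution role can be scoped to those two actions rather than the broad managed policies; keeping the required tag set in one place (here the same string the manifest annotation uses) also means the pre-tagged custom group from the first answer and the auto-tagged controller groups from the second are checked against identical keys.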