Make Fargate Loadbalancer Only Accept Traffic from Specific IP Address

I am using an AWS example to deploy an MLFlow stack using a NetworkLoadBalancedFargateService. I am able to create the stack and provision the resources, but the issue is that the service is internet facing, i.e. anyone can access the service from any IP address. I want to restrict the incoming traffic to a specific CIDR ip address.

The relevant portion of the code is the following (from app.py). I have tried attaching a security group but the service is still public-facing. Can someone help me modify this code so that the stack is only accessible through a specific IP address? Thank you.

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
from aws_cdk import (
aws_ec2 as ec2,
aws_s3 as s3,
aws_ecs as ecs,
aws_rds as rds,
aws_iam as iam,
aws_secretsmanager as sm,
aws_ecs_patterns as ecs_patterns,
App,
Stack,
CfnParameter,
CfnOutput,
Aws,
RemovalPolicy,
Duration,
)
from constructs import Construct
class MLflowStack(Stack):
def __init__(self, scope: Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
# ==============================
# ======= CFN PARAMETERS =======
# ==============================
project_name_param = CfnParameter(scope=self, id="ProjectName", type="String")
db_name = "mlflowdb"
port = 3306
username = "master"
bucket_name = f"{project_name_param.value_as_string}-artifacts-{Aws.ACCOUNT_ID}"
container_repo_name = "mlflow-containers"
cluster_name = "mlflow"
service_name = "mlflow"
# ==================================================
# ================= IAM ROLE =======================
# ==================================================
role = iam.Role(
scope=self,
id="TASKROLE",
assumed_by=iam.ServicePrincipal(service="ecs-tasks.amazonaws.com"),
)
role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name("AmazonS3FullAccess")
)
role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name("AmazonECS_FullAccess")
)
# ==================================================
# ================== SECRET ========================
# ==================================================
db_password_secret = sm.Secret(
scope=self,
id="DBSECRET",
secret_name="dbPassword",
generate_secret_string=sm.SecretStringGenerator(
password_length=20, exclude_punctuation=True
),
)
# ==================================================
# ==================== VPC =========================
# ==================================================
public_subnet = ec2.SubnetConfiguration(
name="Public", subnet_type=ec2.SubnetType.PUBLIC, cidr_mask=28
)
private_subnet = ec2.SubnetConfiguration(
name="Private", subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS, cidr_mask=28
)
isolated_subnet = ec2.SubnetConfiguration(
name="DB", subnet_type=ec2.SubnetType.PRIVATE_ISOLATED, cidr_mask=28
)
vpc = ec2.Vpc(
scope=self,
id="VPC",
ip_addresses=ec2.IpAddresses.cidr("10.0.0.0/24"),
max_azs=2,
nat_gateway_provider=ec2.NatProvider.gateway(),
nat_gateways=1,
subnet_configuration=[public_subnet, private_subnet, isolated_subnet],
)
vpc.add_gateway_endpoint(
"S3Endpoint", service=ec2.GatewayVpcEndpointAwsService.S3
)
# ==================================================
# ================= S3 BUCKET ======================
# ==================================================
artifact_bucket = s3.Bucket(
scope=self,
id="ARTIFACTBUCKET",
bucket_name=bucket_name,
public_read_access=False,
)
# # ==================================================
# # ================== DATABASE  =====================
# # ==================================================
# Creates a security group for AWS RDS
sg_rds = ec2.SecurityGroup(
scope=self, id="SGRDS", vpc=vpc, security_group_name="sg_rds"
)
# Adds an ingress rule which allows resources in the VPC's CIDR to access the database.
sg_rds.add_ingress_rule(
peer=ec2.Peer.ipv4("10.0.0.0/24"), connection=ec2.Port.tcp(port)
)
database = rds.DatabaseInstance(
scope=self,
id="MYSQL",
database_name=db_name,
port=port,
credentials=rds.Credentials.from_username(
username=username, password=db_password_secret.secret_value
),
engine=rds.DatabaseInstanceEngine.mysql(
version=rds.MysqlEngineVersion.VER_8_0_26
),
instance_type=ec2.InstanceType.of(
ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL
),
vpc=vpc,
security_groups=[sg_rds],
vpc_subnets=ec2.SubnetSelection(
subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
),
# multi_az=True,
removal_policy=RemovalPolicy.DESTROY,
deletion_protection=False,
)
# ==================================================
# =============== FARGATE SERVICE ==================
# ==================================================
cluster = ecs.Cluster(
scope=self, id="CLUSTER", cluster_name=cluster_name, vpc=vpc
)
task_definition = ecs.FargateTaskDefinition(
scope=self,
id="MLflow",
task_role=role,
cpu=4 * 1024,
memory_limit_mib=8 * 1024,
)
container = task_definition.add_container(
id="Container",
image=ecs.ContainerImage.from_asset(directory="container"),
environment={
"BUCKET": f"s3://{artifact_bucket.bucket_name}",
"HOST": database.db_instance_endpoint_address,
"PORT": str(port),
"DATABASE": db_name,
"USERNAME": username,
},
secrets={"PASSWORD": ecs.Secret.from_secrets_manager(db_password_secret)},
logging=ecs.LogDriver.aws_logs(stream_prefix="mlflow"),
)
port_mapping = ecs.PortMapping(
container_port=5000, host_port=5000, protocol=ecs.Protocol.TCP
)
container.add_port_mappings(port_mapping)
fargate_service = ecs_patterns.NetworkLoadBalancedFargateService(
scope=self,
id="MLFLOW",
service_name=service_name,
cluster=cluster,
task_definition=task_definition,
)
# Setup security group
fargate_service.service.connections.security_groups[0].add_ingress_rule(
peer=ec2.Peer.ipv4(vpc.vpc_cidr_block),
connection=ec2.Port.tcp(5000),
description="Allow inbound from VPC for mlflow",
)
# Setup autoscaling policy
scaling = fargate_service.service.auto_scale_task_count(max_capacity=2)
scaling.scale_on_cpu_utilization(
id="AUTOSCALING",
target_utilization_percent=70,
scale_in_cooldown=Duration.seconds(60),
scale_out_cooldown=Duration.seconds(60),
)
# ==================================================
# =================== OUTPUTS ======================
# ==================================================
CfnOutput(
scope=self,
id="LoadBalancerDNS",
value=fargate_service.load_balancer.load_balancer_dns_name,
)
app = App()
MLflowStack(app, "MLflowStack")
app.synth()

To restrict access to the Network Load Balancer (NLB) backing your NetworkLoadBalancedFargateService to a specific CIDR IP address, you will need to adjust the security group ingress rules that the service uses.

But: NetworkLoadBalancedFargateService automatically comes with a security group and associates it to the NLB. Therefore, the security group that you are trying to modify in your code (fargate_service.service.connections.security_groups[0]) is essentially the security group of the Fargate tasks, not the NLB (a bit as in aws/aws-cdk issue 9972).

That has caused issues in the past, as aws/aws-cdk issue 4091 attests.

You can see an alternative and more direct method to handle the security group issue when creating a Fargate service using the AWS CDK in aws/aws-cdk issue 1490

Proposal

(as noted by the OP in the comments

> I was unable to figure this out. The service was either public facing or not accessible at all.
I ended up using an oauth2 proxy server to restrict access to users in my organization.
>
> If a solution based on oauth2 is acceptable, mjedrasz/oauth2-mlflow-aws might be of interest.

)

If your organization's permissions prevent developers from performing ec2:CreateSecurityGroup (as illustrated in "IAM policies / Amazon EC2 console"), you can use a pre-existing security group when creating your Fargate service. By supplying this security group when creating the service, the CDK will not automatically create a new security group.

First, create or obtain a reference to your pre-existing security group:

# Assuming you already have a security group created and you are importing it by its ID
my_service_security_group = ec2.SecurityGroup.from_security_group_id(
    self, 'ExistingSG', security_group_id='YOUR_SECURITY_GROUP_ID'
)

Then provide this security group when creating your FargateService.
However, the code you provided uses the NetworkLoadBalancedFargateService pattern, which automatically sets up a Network Load Balancer, a listener, and the service. If you choose to supply a security group directly to the Fargate service as shown in the GitHub comment, you might need to set up the NLB and listener separately.

For instance:

service = ecs.FargateService(
    self, "MyFargateService",
    cluster=myCluster,
    task_definition=task_definition,
    security_groups=[my_service_security_group]
)

If you opt for this method, remember that you will need to manually set up any other resources that the NetworkLoadBalancedFargateService pattern would have automatically created for you.

Given that the original problem is related to the creation of the default security group, supplying a pre-existing one, as suggested in the GitHub comment, is a viable workaround.

However, Paolo mentions in the comments

> This requires the target group of the network load balancer to have client IP preservation

From Elastic Load Balancing / Network Load Balancers/ Client IP preservation

> ## Client IP preservation
>
> Network Load Balancers can preserve the source IP address of clients when routing requests to backend targets. When you disable client IP preservation, the private IP address of the Network Load Balancer becomes the client IP address for all incoming traffic.
>
> By default, client IP preservation is enabled (and can't be disabled) for instance and IP type target groups with UDP and TCP_UDP protocols. However, you can enable or disable client IP preservation for TCP and TLS target groups using the preserve_client_ip.enabled target group attribute.

When creating a Network Load Balancer (NLB), the client's source IP address can be preserved when routing requests to backend targets (e.g., Fargate tasks). That can be vital for applications that need to know the original IP address of the client for functionality or security reasons.

So:

• if you are using a TCP or TLS target group: You should make sure that client IP preservation is enabled on the target group associated with the NLB if you are using a pre-existing security group that has rules based on source IP addresses.

• If you are using a UDP or TCP_UDP target group: You do not need to make any changes, as client IP preservation is always enabled.

The settings for the target group of the NLB might need adjustment based on the type of protocol and the rules set in your pre-existing security group.