feat(elbv2): Implement IConnectable to NLB #28494
Conversation
github-actions
bot
added
effort/medium
github-actions
bot
added
the
admired-contributor
aws-cdk-automation
left a comment
aws-cdk-automation
left a comment
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts
Show resolved
Hide resolved
| securityGroups: Lazy.list({ | ||
| produce: () => this.connections.securityGroups.length >= 1 ? this.connections.securityGroups.map(sg => sg.securityGroupId) : undefined, | ||
| }), |
There was a problem hiding this comment.
If securityGroups becomes an empty array from undefined, an update will be applied and deployment will not be possible, so in the case of an empty array, it is undefined for backwards compatibility.
ref: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html#security-group-considerations
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
| const backend = new elbv2.ApplicationLoadBalancer(stack, 'Backend', { | ||
| vpc, | ||
| }); | ||
| backend.addListener('Listener', { | ||
| protocol: elbv2.ApplicationProtocol.HTTP, | ||
| defaultAction: elbv2.ListenerAction.fixedResponse(200, { | ||
| contentType: 'application/json', | ||
| messageBody: JSON.stringify({ | ||
| Message: 'I am ALB!', | ||
| }), | ||
| }), | ||
| }); |
There was a problem hiding this comment.
I changed target to ALB from IP to test reachability client -> nlb -> backend. This test can check security group settings via http api call.
aws-cdk-automation
added
the
pr/needs-community-review
lpizzinidev
left a comment
lpizzinidev
left a comment
There was a problem hiding this comment.
Thanks 👍
I left some suggestions for adjustments, feel free to comment on those.
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts
Show resolved
Hide resolved
aws-cdk-automation
removed
pr/needs-community-review
…k-load-balancer.ts Co-authored-by: Luca Pizzini <[email protected]>
…balancer.test.ts Co-authored-by: Luca Pizzini <[email protected]>
…balancer.test.ts Co-authored-by: Luca Pizzini <[email protected]>
…k-load-balancer.ts Co-authored-by: Luca Pizzini <[email protected]>
|
@lpizzinidev Thanks your reviewing!! |
lpizzinidev
left a comment
lpizzinidev
left a comment
There was a problem hiding this comment.
Nice 👍
I left some comments for a final cleanup and adjustments.
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts
Outdated
Show resolved
Hide resolved
…k-load-balancer.ts Co-authored-by: Luca Pizzini <[email protected]>
…k-load-balancer.ts Co-authored-by: Luca Pizzini <[email protected]>
…k-load-balancer.ts Co-authored-by: Luca Pizzini <[email protected]>
aws-cdk-automation
added
the
pr/needs-maintainer-review
…after initialization
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
paulhcsun
left a comment
paulhcsun
left a comment
There was a problem hiding this comment.
Thanks for the contribution @WinterYukky! This will be a very useful addition for the community.
As always, thanks for reviewing @lpizzinidev!
paulhcsun
left a comment
paulhcsun
left a comment
There was a problem hiding this comment.
Thanks for the contribution @WinterYukky! This will be a very useful addition for the community.
As always, thanks for reviewing @lpizzinidev!
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
…by default (under feature flag) (#34675) ### Issue # (if applicable) Closes #34606. ### Reason for this change Currently, CDK's L2 constructs allow setting security groups for NLBs, but this requires explicit configuration. ```ts declare const sg1: ec2.ISecurityGroup; const lb = new elbv2.NetworkLoadBalancer(this, 'LB', { vpc, securityGroups: [sg1], // configure SG explicitly }); ``` This was not originally intended - NLB security group support was implemented later, and the current specification exists to maintain backward compatibility. #27978 #28494 However, when comparing NLBs without security groups to NLBs with security groups configured, the latter has significantly more advantages. Furthermore, once an NLB is created without security groups, it's impossible to add security group configuration later. Therefore, I propose using feature flags to make security group configuration the default for NLBs in CDK. ### Description of changes - Add `@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault` feature flag - Create security groups by default when feature flags are enabled ### Describe any new or updated permissions being added None ### Description of how you validated changes Add both unit and integ tests ### Other information [This implementation](#34606 (comment)) was also proposed in the issue, but it was not implemented because it was difficult to detect when referenced from other Connectables as follows case2. ```ts declare const nlb: elbv2.INetworkLoadBalancer; declare const other: IConnectable; // case1 nlb.connections.allowTo(other, ec2.Port.tcp(1234)); // case2 other.connections.allowTo(nlb, ec2.Port.tcp(2181)); ``` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
4 participants
Summary
Implement an
IConnectableinterface to a NetworkLoadBalancer.Why need this change?
AWS CDK has great features for abstraction.
IConnectableinterface is one of this.IConnectablesimplifies the management of security groups. AWS CDK add support security group to NLB at #27978. However, Currently NLB not implementIConnectable, so customers can't use useful interface in AWS CDK.Example use case
Closes #26735
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license