
Conversation

@badmintoncryer
Contributor

@badmintoncryer badmintoncryer commented Jun 10, 2025

Issue # (if applicable)

Closes #34606.

Reason for this change

Currently, CDK's L2 constructs allow setting security groups for NLBs, but this requires explicit configuration.

declare const vpc: ec2.IVpc;
declare const sg1: ec2.ISecurityGroup;

const lb = new elbv2.NetworkLoadBalancer(this, 'LB', {
  vpc,
  securityGroups: [sg1], // security group must be configured explicitly
});

This was not originally intended - NLB security group support was implemented later, and the current specification exists to maintain backward compatibility.

#27978
#28494

However, when comparing NLBs without security groups to NLBs with security groups configured, the latter has significantly more advantages. Furthermore, once an NLB is created without security groups, it's impossible to add security group configuration later.

Therefore, I propose using feature flags to make security group configuration the default for NLBs in CDK.

Description of changes

  • Add @aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault feature flag
  • Create security groups by default when feature flags are enabled

Describe any new or updated permissions being added

None

Description of how you validated changes

Add both unit and integ tests

Other information

This implementation was also proposed in the issue, but it was not implemented because it was difficult to detect when the NLB is referenced from other Connectables, as in case2 below.

declare const nlb: elbv2.INetworkLoadBalancer;
declare const other: ec2.IConnectable;

// case1: the NLB is the source of the rule
nlb.connections.allowTo(other, ec2.Port.tcp(1234));

// case2: the NLB is referenced as the peer of another Connectable
other.connections.allowTo(nlb, ec2.Port.tcp(2181));

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
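Since an NLB created without security groups can never gain them later, a team that has not yet enabled the flag may want to catch the omission at synth time. The following check over a synthesized CloudFormation template is an added example, not code from this PR or from CDK; the template contents and logical IDs are constructed, and the feature flag name is the one introduced by the PR.

```typescript
// Added example (not from the PR or CDK): a synth-time check over a
// CloudFormation template that flags NLBs created without security groups.
// An NLB cannot gain security groups after creation, so the synthesized
// template is the last cheap place to catch the omission.

interface CfnResource { Type: string; Properties?: Record<string, unknown> }
interface CfnTemplate { Resources: Record<string, CfnResource> }

const LB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
// Feature flag introduced by this PR; set it to true under "context" in cdk.json.
const NLB_SG_FLAG =
  "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault";

// Logical IDs of NLBs whose SecurityGroups property is absent or empty.
function findNlbsWithoutSecurityGroups(template: CfnTemplate): string[] {
  const offenders: string[] = [];
  for (const [id, res] of Object.entries(template.Resources)) {
    if (res.Type !== LB_TYPE) continue;
    const props = res.Properties ?? {};
    // "application" is the default when Type is omitted; only NLBs matter here.
    if (props.Type !== "network") continue;
    const sgs = props.SecurityGroups;
    if (!Array.isArray(sgs) || sgs.length === 0) offenders.push(id);
  }
  return offenders;
}

// True when the app's cdk.json context opts into SG-by-default NLBs.
function nlbSgFlagEnabled(context: Record<string, unknown>): boolean {
  return context[NLB_SG_FLAG] === true;
}

// Constructed sample template (hypothetical logical IDs): one legacy NLB,
// one NLB with a security group, and an ALB that the check must ignore.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    LegacyNlb: { Type: LB_TYPE, Properties: { Type: "network", Subnets: ["subnet-a"] } },
    GuardedNlb: {
      Type: LB_TYPE,
      Properties: { Type: "network", SecurityGroups: [{ "Fn::GetAtt": ["Sg", "GroupId"] }] },
    },
    Alb: { Type: LB_TYPE, Properties: { Type: "application" } },
    Sg: { Type: "AWS::EC2::SecurityGroup", Properties: { GroupDescription: "nlb", VpcId: "vpc-1" } },
  },
};

// Example run: with the flag off, report the NLB that would be created unguarded.
if (!nlbSgFlagEnabled({})) {
  console.log("NLBs without security groups:", findNlbsWithoutSecurityGroups(SAMPLE_TEMPLATE));
}
```

Run it against the JSON written by `cdk synth` to fail a pipeline before an unguarded NLB is deployed.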

@aws-cdk-automation aws-cdk-automation requested a review from a team June 10, 2025 15:25
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Jun 10, 2025
@badmintoncryer badmintoncryer changed the title feat(elasticloadbalancingv2): default security group settings for NLB feat(elasticloadbalancingv2): default security group settings for NLB (under feature flag) Jun 10, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jun 12, 2025
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 8cb8370
  • Result: FAILED
  • Build Logs (available for 30 days)


@Abogical
Member

You'll need to run rosetta for the docs.

Abogical
Abogical previously approved these changes Oct 28, 2025
Member

@Abogical Abogical left a comment


Thank you!

@mergify
Contributor

mergify bot commented Oct 28, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 28, 2025
@badmintoncryer
Contributor Author

@Abogical Thank you very much!

@mergify
Contributor

mergify bot commented Oct 28, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Contributor

mergify bot commented Oct 28, 2025

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

@badmintoncryer
Contributor Author

@Mergifyio update

@mergify
Contributor

mergify bot commented Oct 28, 2025

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/pr-build.yml without workflows permission

@badmintoncryer
Contributor Author

@Abogical Could you please approve again?

@mergify mergify bot dismissed Abogical’s stale review October 28, 2025 23:13

Pull request has been modified.

@mergify
Contributor

mergify bot commented Oct 29, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@Abogical
Member

@Mergifyio update

@mergify
Contributor

mergify bot commented Oct 29, 2025

update

☑️ Nothing to do, the required conditions are not met

  • #commits-behind > 0 [📌 update requirement]
  • -closed [📌 update requirement]
  • -conflict [📌 update requirement]
  • queue-position = -1 [📌 update requirement]

@Abogical
Member

@Mergifyio requeue

@mergify
Contributor

mergify bot commented Oct 29, 2025

requeue

✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically

@mergify mergify bot merged commit ff83cfd into aws:main Oct 29, 2025
21 of 23 checks passed
@github-actions
Contributor

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 29, 2025
@badmintoncryer badmintoncryer deleted the 34606-nlb branch October 29, 2025 09:07

Development

Successfully merging this pull request may close these issues.

elestivloadbalancingv2: default security group settings for NLB (Network Load Balancer)

4 participants