如何在 AWS CDK 中指定源安全组 ID?
How to specify source security group Id in AWS CDK?
您好,我正在研究 AWS CDK。我正在编写安全组模板。我能够在云形成中编写它。现在我在 AWS CDK 中编写它。我没有得到任何包含源安全组的例子。下面是我之前写的云层模板。
Resources:
MerchWebServicesSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
Tags:
- Key: "Name"
Value: !Ref "AWS::StackName"
GroupDescription: "EC2 Services Security Group"
VpcId:
Fn::ImportValue: "infra-vpc-base::VpcId"
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: "80"
ToPort: "80"
SourceSecurityGroupId: !Ref MerchWebServicesLoadBalancerSecurityGroup
- IpProtocol: tcp
FromPort: "443"
ToPort: "443"
SourceSecurityGroupId: !Ref MerchWebServicesLoadBalancerSecurityGroup
- IpProtocol: tcp
FromPort: 31000
ToPort: 65535
SourceSecurityGroupId: !Ref MerchWebServicesLoadBalancerSecurityGroup
MerchWebServicesLoadBalancerSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
Tags:
-
Key: "Name"
Value: !Ref "AWS::StackName"
GroupDescription: "MerchWebServices ALB Group"
VpcId:
Fn::ImportValue: "infra-vpc-base::VpcId"
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: '172.30.1.0/15'
在上面的模板中,我创建了 SG MerchWebServicesSecurityGroup,并将 SourceSecurityGroupId 指定为另一个 SG MerchWebServicesLoadBalancerSecurityGroup。
#create SG MerchWebServicesLoadBalancerSecurityGroup
mws_vpc_sg_alb = ec2.SecurityGroup(self,"MerchWebServicesLoadBalancerSecurityGroup",
description = "MerchWebServices ALB Group",
security_group_name = "MerchWebServicesLoadBalancerSecurityGroup",
vpc= vpc);
mws_vpc_sg_alb.add_ingress_rule(peer = ec2.Peer.ipv4('172.30.0.0/15'), connection = ec2.Port.tcp(80));
#create SG MerchWebServicesSecurityGroup
mws_vpc_sg = ec2.SecurityGroup(self,"MerchWebServicesSecurityGroup",
description="EC2 Services Security Group",
security_group_name="MerchWebServicesSecurityGroup",
vpc = vpc);
mws_vpc_sg.add_ingress_rule(peer = ec2.Peer.ipv4(mws_vpc_sg_alb), connection = ec2.Port.tcp(80));
在上面的代码中,我尝试创建 SG MerchWebServicesSecurityGroup,下面我添加入口规则
mws_vpc_sg.add_ingress_rule(peer = ec2.Peer.ipv4(mws_vpc_sg_alb), connection = ec2.Port.tcp(80));
这里我不想指定 Cidr 块,而是想指定 SourceSecurityGroupId。在 AWS CDK 中,我不确定如何使用 Ref 和包含 SourceSecurityGroupId。有人可以帮我完成这个吗?任何帮助,将不胜感激。谢谢
ec2.SecurityGroup实现了IPeer接口,因此安全组本身可以作为peer使用。
mws_vpc_sg_alb.add_ingress_rule(
peer=mws_vpc_sg_alb,
connection=ec2.Port.tcp(80),
description='ALB access'
)
您好,我正在研究 AWS CDK。我正在编写安全组模板。我能够在云形成中编写它。现在我在 AWS CDK 中编写它。我没有得到任何包含源安全组的例子。下面是我之前写的云层模板。
Resources:
MerchWebServicesSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
Tags:
- Key: "Name"
Value: !Ref "AWS::StackName"
GroupDescription: "EC2 Services Security Group"
VpcId:
Fn::ImportValue: "infra-vpc-base::VpcId"
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: "80"
ToPort: "80"
SourceSecurityGroupId: !Ref MerchWebServicesLoadBalancerSecurityGroup
- IpProtocol: tcp
FromPort: "443"
ToPort: "443"
SourceSecurityGroupId: !Ref MerchWebServicesLoadBalancerSecurityGroup
- IpProtocol: tcp
FromPort: 31000
ToPort: 65535
SourceSecurityGroupId: !Ref MerchWebServicesLoadBalancerSecurityGroup
MerchWebServicesLoadBalancerSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
Tags:
-
Key: "Name"
Value: !Ref "AWS::StackName"
GroupDescription: "MerchWebServices ALB Group"
VpcId:
Fn::ImportValue: "infra-vpc-base::VpcId"
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: '172.30.1.0/15'
在上面的模板中,我创建了 SG MerchWebServicesSecurityGroup,并将 SourceSecurityGroupId 指定为另一个 SG MerchWebServicesLoadBalancerSecurityGroup。
#create SG MerchWebServicesLoadBalancerSecurityGroup
mws_vpc_sg_alb = ec2.SecurityGroup(self,"MerchWebServicesLoadBalancerSecurityGroup",
description = "MerchWebServices ALB Group",
security_group_name = "MerchWebServicesLoadBalancerSecurityGroup",
vpc= vpc);
mws_vpc_sg_alb.add_ingress_rule(peer = ec2.Peer.ipv4('172.30.0.0/15'), connection = ec2.Port.tcp(80));
#create SG MerchWebServicesSecurityGroup
mws_vpc_sg = ec2.SecurityGroup(self,"MerchWebServicesSecurityGroup",
description="EC2 Services Security Group",
security_group_name="MerchWebServicesSecurityGroup",
vpc = vpc);
mws_vpc_sg.add_ingress_rule(peer = ec2.Peer.ipv4(mws_vpc_sg_alb), connection = ec2.Port.tcp(80));
在上面的代码中,我尝试创建 SG MerchWebServicesSecurityGroup,下面我添加入口规则
mws_vpc_sg.add_ingress_rule(peer = ec2.Peer.ipv4(mws_vpc_sg_alb), connection = ec2.Port.tcp(80));
这里我不想指定 Cidr 块,而是想指定 SourceSecurityGroupId。在 AWS CDK 中,我不确定如何使用 Ref 和包含 SourceSecurityGroupId。有人可以帮我完成这个吗?任何帮助,将不胜感激。谢谢
ec2.SecurityGroup实现了IPeer接口,因此安全组本身可以作为peer使用。
mws_vpc_sg_alb.add_ingress_rule(
peer=mws_vpc_sg_alb,
connection=ec2.Port.tcp(80),
description='ALB access'
)