嗨,我正在研究AWS CDK。我正在编写安全组模板。我可以用Cloud形式编写它。现在,我正在使用AWS CDK编写它。我不知道包含源安全组的任何示例。下面是我之前写的云形成模板。
Resources:
MerchWebServicesSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
Tags:
- Key: "Name"
Value: !Ref "AWS::StackName"
GroupDescription: "EC2 Services Security Group"
VpcId:
Fn::ImportValue: "infra-vpc-base::VpcId"
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: "80"
ToPort: "80"
SourceSecurityGroupId: !Ref MerchWebServicesLoadBalancerSecurityGroup
- IpProtocol: tcp
FromPort: "443"
ToPort: "443"
SourceSecurityGroupId: !Ref MerchWebServicesLoadBalancerSecurityGroup
- IpProtocol: tcp
FromPort: 31000
ToPort: 65535
SourceSecurityGroupId: !Ref MerchWebServicesLoadBalancerSecurityGroup
MerchWebServicesLoadBalancerSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
Tags:
-
Key: "Name"
Value: !Ref "AWS::StackName"
GroupDescription: "MerchWebServices ALB Group"
VpcId:
Fn::ImportValue: "infra-vpc-base::VpcId"
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: '172.30.1.0/15'
在上面的模板中,我创建了SG MerchWebServicesSecurityGroup,并且已将SourceSecurityGroupId指定为另一个SG MerchWebServicesLoadBalancerSecurityGroup。
#create SG MerchWebServicesLoadBalancerSecurityGroup
mws_vpc_sg_alb = ec2.SecurityGroup(self,"MerchWebServicesLoadBalancerSecurityGroup",
description = "MerchWebServices ALB Group",
security_group_name = "MerchWebServicesLoadBalancerSecurityGroup",
vpc= vpc);
mws_vpc_sg_alb.add_ingress_rule(peer = ec2.Peer.ipv4('172.30.0.0/15'), connection = ec2.Port.tcp(80));
#create SG MerchWebServicesSecurityGroup
mws_vpc_sg = ec2.SecurityGroup(self,"MerchWebServicesSecurityGroup",
description="EC2 Services Security Group",
security_group_name="MerchWebServicesSecurityGroup",
vpc = vpc);
mws_vpc_sg.add_ingress_rule(peer = ec2.Peer.ipv4(mws_vpc_sg_alb), connection = ec2.Port.tcp(80));
在上面的代码中,我试图创建SG MerchWebServicesSecurityGroup,在下面的代码中,我添加了入口规则
mws_vpc_sg.add_ingress_rule(peer = ec2.Peer.ipv4(mws_vpc_sg_alb), connection = ec2.Port.tcp(80));
在这里,不是指定Cidr块,而是要指定SourceSecurityGroupId。在AWS CDK中,我不确定如何使用Ref并包含SourceSecurityGroupId。有人可以帮我完成这个吗?任何帮助,将不胜感激。谢谢
ec2.SecurityGroup实现IPeer接口,因此安全组本身可用作对等体。
mws_vpc_sg_alb.add_ingress_rule(
peer=mws_vpc_sg_alb,
connection=ec2.Port.tcp(80),
description='ALB access'
)
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句