Cluster and Nodegroup Security Group Control
Using CloudFormation for Cluster and EC2 Nodegroup
STACK_NAME=""
PROJECT_NAME=""
REGION=""
ClusterSecurityGroup="" # [REQUIRED] The Id of EKS Cluster Security Group.
AdditionalClusterSecurityGroup="" # [REQUIRED] The Id of EKS Additional Cluster Security Group.
GeneralNodegroupSecurityGroup="" # [REQUIRED] The Id of EKS General Nodegroup Security Group.
BastionInstanceSecurityGroup="" # [optional] The Id of Bastion Instance Security Group.
VpcEndpointSecurityGroup="" # [optional] The Id of VPC Endpoint Security Group.
curl -LO https://raw.githubusercontent.com/marcus16-kang/cloudformation-templates/main/eks/security-group/security-group-rules.yaml
aws cloudformation deploy \
--template-file ./security-group-rules.yaml \
--stack-name $STACK_NAME \
--parameter-overrides \
ClusterSecurityGroup=$ClusterSecurityGroup \
AdditionalClusterSecurityGroup=$AdditionalClusterSecurityGroup \
GeneralNodegroupSecurityGroup=$GeneralNodegroupSecurityGroup \
BastionInstanceSecurityGroup=$BastionInstanceSecurityGroup \
VpcEndpointSecurityGroup=$VpcEndpointSecurityGroup \
--disable-rollback \
--tags project=$PROJECT_NAME \
--region $REGION
$STACK_NAME=""
$PROJECT_NAME=""
$REGION=""
$ClusterSecurityGroup="" # [REQUIRED] The Id of EKS Cluster Security Group.
$AdditionalClusterSecurityGroup="" # [REQUIRED] The Id of EKS Additional Cluster Security Group.
$GeneralNodegroupSecurityGroup="" # [REQUIRED] The Id of EKS General Nodegroup Security Group.
$BastionInstanceSecurityGroup="" # [optional] The Id of Bastion Instance Security Group.
$VpcEndpointSecurityGroup="" # [optional] The Id of VPC Endpoint Security Group.
curl.exe -LO https://raw.githubusercontent.com/marcus16-kang/cloudformation-templates/main/eks/security-group/security-group-rules.yaml
aws cloudformation deploy `
--template-file ./security-group-rules.yaml `
--stack-name $STACK_NAME `
--parameter-overrides `
ClusterSecurityGroup=$ClusterSecurityGroup `
AdditionalClusterSecurityGroup=$AdditionalClusterSecurityGroup `
GeneralNodegroupSecurityGroup=$GeneralNodegroupSecurityGroup `
BastionInstanceSecurityGroup=$BastionInstanceSecurityGroup `
VpcEndpointSecurityGroup=$VpcEndpointSecurityGroup `
--disable-rollback `
--tags project=$PROJECT_NAME `
--region $REGION
The template deployed above is security-group-rules.yaml from https://raw.githubusercontent.com/marcus16-kang/cloudformation-templates/main/eks/security-group/security-group-rules.yaml; it adds the rules listed in the tables below to the existing security groups whose ids you pass as parameters. Because the commands use --disable-rollback, a failed deployment leaves a partially created stack (and partially applied rules) in place: inspect the stack events and delete the stack rather than leaving it half-applied.
Using CloudFormation for Cluster and Fargate
STACK_NAME=""
PROJECT_NAME=""
REGION=""
AdditionalClusterSecurityGroup="" # [REQUIRED] The Id of EKS Additional Cluster Security Group.
AddonNodegroupSecurityGroup="" # [REQUIRED] The Id of EKS Add-on Nodegroup Security Group.
FargateAppSecurityGroup="" # [REQUIRED] The Id of Fargate App Security Group.
VpcEndpointSecurityGroup="" # [optional] The Id of VPC Endpoint Security Group.
curl -LO https://raw.githubusercontent.com/marcus16-kang/cloudformation-templates/main/eks/security-group/fargate-security-group-rules.yaml
aws cloudformation deploy \
--template-file ./fargate-security-group-rules.yaml \
--stack-name $STACK_NAME \
--parameter-overrides \
AdditionalClusterSecurityGroup=$AdditionalClusterSecurityGroup \
AddonNodegroupSecurityGroup=$AddonNodegroupSecurityGroup \
FargateAppSecurityGroup=$FargateAppSecurityGroup \
VpcEndpointSecurityGroup=$VpcEndpointSecurityGroup \
--disable-rollback \
--tags project=$PROJECT_NAME \
--region $REGION
$STACK_NAME=""
$PROJECT_NAME=""
$REGION=""
$AdditionalClusterSecurityGroup="" # [REQUIRED] The Id of EKS Additional Cluster Security Group.
$AddonNodegroupSecurityGroup="" # [REQUIRED] The Id of EKS Add-on Nodegroup Security Group.
$FargateAppSecurityGroup="" # [REQUIRED] The Id of Fargate App Security Group.
$VpcEndpointSecurityGroup="" # [optional] The Id of VPC Endpoint Security Group.
curl.exe -LO https://raw.githubusercontent.com/marcus16-kang/cloudformation-templates/main/eks/security-group/fargate-security-group-rules.yaml
aws cloudformation deploy `
--template-file ./fargate-security-group-rules.yaml `
--stack-name $STACK_NAME `
--parameter-overrides `
AdditionalClusterSecurityGroup=$AdditionalClusterSecurityGroup `
AddonNodegroupSecurityGroup=$AddonNodegroupSecurityGroup `
FargateAppSecurityGroup=$FargateAppSecurityGroup `
VpcEndpointSecurityGroup=$VpcEndpointSecurityGroup `
--disable-rollback `
--tags project=$PROJECT_NAME `
--region $REGION
Cluster Security Group
Inbound
Protocol | Port | Source | Description |
---|---|---|---|
ALL | ALL | Cluster Security Group | Cluster Security Group (Myself) - ALL |
Outbound
Protocol | Port | Destination | Description |
---|---|---|---|
TCP | 443 | Cluster Security Group | Cluster Security Group (MySelf) - APIServer |
Additional Cluster Security Group
Inbound
Protocol | Port | Source | Description |
---|---|---|---|
TCP | 443 | Additional Cluster Security Group | Additional Cluster Security Group (Myself) - APIServer |
TCP | 443 | Nodegroup General Security Group | Nodegroup General Security Group - APIServer |
TCP | 443 | Fargate App Security Group | Fargate App Security Group - APIServer |
TCP | 443 | Bastion Instance Security Group | Bastion Instance Security Group - APIServer |
Outbound
Protocol | Port | Destination | Description |
---|---|---|---|
TCP | 1024 - 65535 | Nodegroup General Security Group | Nodegroup General Security Group - Controllers |
TCP | 1024 - 65535 | Fargate App Security Group | Fargate App Security Group - Controllers |
Nodegroup General Security Group
Inbound
Protocol | Port | Source | Description |
---|---|---|---|
ALL | ALL | Nodegroup General Security Group | Nodegroup General Security Group (Myself) - ALL |
TCP | 1024 - 65535 | Additional Cluster Security Group | Additional Cluster Security Group - Controllers |
Outbound
Protocol | Port | Destination | Description |
---|---|---|---|
ALL | ALL | Nodegroup General Security Group | Nodegroup General Security Group (Myself) - ALL |
TCP | 443 | 0.0.0.0/0 | Images & AWS APIs - HTTPS |
TCP | 80 | 0.0.0.0/0 | Images & AWS APIs - HTTP |
Nodegroup Add-on Security Group
Inbound
Protocol | Port | Source | Description |
---|---|---|---|
TCP | 53 | Fargate App Security Group | Fargate App Security Group - CoreDNS |
UDP | 53 | Fargate App Security Group | Fargate App Security Group - CoreDNS |
Outbound
Protocol | Port | Destination | Description |
---|---|---|---|
TCP | 1024 - 65535 | Fargate App Security Group | Fargate App Security Group - Controllers |
Nodegroup App Security Group
Inbound
Protocol | Port | Source | Description |
---|---|---|---|
TCP | Service Port | Elastic Load Balancer Security Group | Elastic Load Balancer Security Group - Application Service |
Outbound
Protocol | Port | Destination | Description |
---|---|---|---|
TCP | Database Port | Database Security Group | Database Security Group - Database |
TCP | Cache Port | Cache Security Group | Cache Security Group - Cache |
Fargate App Security Group
Inbound
Protocol | Port | Source | Description |
---|---|---|---|
ALL | ALL | Fargate App Security Group | Fargate App Security Group (Myself) - ALL |
TCP | 1024 - 65535 | Additional Cluster Security Group | Additional Cluster Security Group - Controllers |
TCP | 1024 - 65535 | Nodegroup Add-on Security Group | Nodegroup Add-on Security Group - Controllers |
TCP | Service Port | Elastic Load Balancer Security Group | Elastic Load Balancer Security Group - Application Service |
Outbound
Protocol | Port | Destination | Description |
---|---|---|---|
ALL | ALL | Fargate App Security Group | Fargate App Security Group (Myself) - ALL |
TCP | 53 | Nodegroup Add-on Security Group | Nodegroup Add-on Security Group - CoreDNS |
UDP | 53 | Nodegroup Add-on Security Group | Nodegroup Add-on Security Group - CoreDNS |
TCP | 80 | 0.0.0.0/0 | Images & AWS APIs - HTTP |
TCP | 443 | 0.0.0.0/0 | Images & AWS APIs - HTTPS |
TCP | Database Port | Database Security Group | Database Security Group - Database |
TCP | Cache Port | Cache Security Group | Cache Security Group - Cache |
VPC Endpoint Security Group
Inbound
Protocol | Port | Source | Description |
---|---|---|---|
TCP | 443 | Nodegroup General Security Group | Nodegroup General Security Group - AWS APIs |
TCP | 443 | Fargate App Security Group | Fargate App Security Group - AWS APIs |
TCP | 443 | Bastion Instance Security Group | Bastion Instance Security Group - AWS APIs |
Outbound
Protocol | Port | Destination | Description |
---|---|---|---|
- | - | - | No outbound rules are defined (security groups are stateful, so responses to the allowed inbound traffic return without an egress rule) |
Elastic Load Balancer Security Group
Inbound
Protocol | Port | Source | Description |
---|---|---|---|
TCP | Listener Port | 0.0.0.0/0 | From Internet |
TCP | Listener Port | CloudFront Managed Prefix List | From CloudFront Only |
Outbound
Protocol | Port | Destination | Description |
---|---|---|---|
TCP | Service Port | Nodegroup App Security Group | Nodegroup App Security Group - Application Service |
TCP | Service Port | Fargate App Security Group | Fargate App Security Group - Application Service |
Database Security Group
Inbound
Protocol | Port | Source | Description |
---|---|---|---|
TCP | Database Port | Nodegroup App Security Group | Nodegroup App Security Group - Database |
TCP | Database Port | Fargate App Security Group | Fargate App Security Group - Database |
Outbound
Protocol | Port | Destination | Description |
---|---|---|---|
- | - | - | No outbound rules are defined (security groups are stateful, so responses to the allowed inbound traffic return without an egress rule) |
Cache Security Group
Inbound
Protocol | Port | Source | Description |
---|---|---|---|
TCP | Cache Port | Nodegroup App Security Group | Nodegroup App Security Group - Cache |
TCP | Cache Port | Fargate App Security Group | Fargate App Security Group - Cache |
Outbound
Protocol | Port | Destination | Description |
---|---|---|---|
- | - | - | No outbound rules are defined (security groups are stateful, so responses to the allowed inbound traffic return without an egress rule) |
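After deploying either stack, the rules that actually exist on the groups should be compared against the tables above, since rules added later by hand (an SSH rule from 0.0.0.0/0, an "all traffic" egress, a direct bastion-to-node rule) are the usual drift. The audit below is an added example, not part of the CloudFormation templates or this page's original content. It reads the shape returned by `aws ec2 describe-security-group-rules --output json`, maps group ids to the roles named in the tables (the `sg-0...` ids and the mapping are assumptions) and flags ingress that is not in the Additional Cluster or Nodegroup General tables, ingress from 0.0.0.0/0 on anything but the load balancer group, and egress to 0.0.0.0/0 on ports other than TCP 80/443. The sample rules are constructed, not captured from an account.

```python
import json

# Placeholder group ids (assumption) mapped to the roles used in the rule tables.
ROLES = {
    "sg-0aaaaaaaaaaaaaaaa": "Additional Cluster",
    "sg-0bbbbbbbbbbbbbbbb": "Nodegroup General",
    "sg-0ccccccccccccccccc": "Bastion Instance",
    "sg-0eeeeeeeeeeeeeeee": "Elastic Load Balancer",
}

# Ingress policy distilled from the tables: (protocol, from port, to port, source role).
# The EC2 API expresses "ALL | ALL" as protocol "-1" with ports -1/-1.
ALLOWED_INGRESS = {
    "Additional Cluster": {
        ("tcp", 443, 443, "Additional Cluster"),
        ("tcp", 443, 443, "Nodegroup General"),
        ("tcp", 443, 443, "Fargate App"),
        ("tcp", 443, 443, "Bastion Instance"),
    },
    "Nodegroup General": {
        ("-1", -1, -1, "Nodegroup General"),
        ("tcp", 1024, 65535, "Additional Cluster"),
    },
}
INTERNET_INGRESS_OK = {"Elastic Load Balancer"}  # only group the tables open to 0.0.0.0/0
INTERNET_EGRESS_PORTS = {80, 443}                # "Images & AWS APIs" egress in the tables


def audit(rules):
    """Return [(rule id, finding)] for every rule that deviates from the tables."""
    findings = []
    for r in rules:
        role = ROLES.get(r["GroupId"], r["GroupId"])
        proto, fr, to = r["IpProtocol"], r.get("FromPort", -1), r.get("ToPort", -1)
        cidr = r.get("CidrIpv4")
        ref = (r.get("ReferencedGroupInfo") or {}).get("GroupId")
        peer = ROLES.get(ref, ref) if ref else cidr
        rid = r["SecurityGroupRuleId"]

        if r["IsEgress"]:
            # Broad egress (e.g. ALL traffic to the internet) defeats the 80/443-only intent.
            if cidr == "0.0.0.0/0" and not (proto == "tcp" and fr == to and fr in INTERNET_EGRESS_PORTS):
                findings.append((rid, f"{role}: egress {proto} {fr}-{to} to 0.0.0.0/0; tables allow only TCP 80/443"))
            continue

        if cidr == "0.0.0.0/0" and role not in INTERNET_INGRESS_OK:
            findings.append((rid, f"{role}: ingress {proto} {fr}-{to} open to 0.0.0.0/0"))
            continue
        allowed = ALLOWED_INGRESS.get(role)
        if allowed is not None and (proto, fr, to, peer) not in allowed:
            findings.append((rid, f"{role}: ingress {proto} {fr}-{to} from {peer} is not in the rule table"))
    return findings


def audit_json(text):
    """Audit the raw output of `aws ec2 describe-security-group-rules --output json`."""
    return audit(json.loads(text)["SecurityGroupRules"])


def _rule(rid, gid, egress, proto, fr, to, cidr=None, ref=None):
    r = {"SecurityGroupRuleId": rid, "GroupId": gid, "IsEgress": egress,
         "IpProtocol": proto, "FromPort": fr, "ToPort": to}
    if cidr:
        r["CidrIpv4"] = cidr
    if ref:
        r["ReferencedGroupInfo"] = {"GroupId": ref}
    return r


# Constructed sample: the first four and sgr-06/sgr-08 match the tables; the rest are drift.
SAMPLE_RULES = [
    _rule("sgr-01", "sg-0aaaaaaaaaaaaaaaa", False, "tcp", 443, 443, ref="sg-0bbbbbbbbbbbbbbbb"),
    _rule("sgr-02", "sg-0aaaaaaaaaaaaaaaa", False, "tcp", 443, 443, cidr="0.0.0.0/0"),   # API server to world
    _rule("sgr-03", "sg-0bbbbbbbbbbbbbbbb", False, "-1", -1, -1, ref="sg-0bbbbbbbbbbbbbbbb"),
    _rule("sgr-04", "sg-0bbbbbbbbbbbbbbbb", False, "tcp", 1024, 65535, ref="sg-0aaaaaaaaaaaaaaaa"),
    _rule("sgr-05", "sg-0bbbbbbbbbbbbbbbb", False, "tcp", 22, 22, cidr="0.0.0.0/0"),     # SSH from anywhere
    _rule("sgr-06", "sg-0bbbbbbbbbbbbbbbb", True, "tcp", 443, 443, cidr="0.0.0.0/0"),
    _rule("sgr-07", "sg-0bbbbbbbbbbbbbbbb", True, "-1", -1, -1, cidr="0.0.0.0/0"),       # all-traffic egress
    _rule("sgr-08", "sg-0eeeeeeeeeeeeeeee", False, "tcp", 443, 443, cidr="0.0.0.0/0"),   # ELB listener, allowed
    _rule("sgr-09", "sg-0bbbbbbbbbbbbbbbb", False, "tcp", 443, 443, ref="sg-0ccccccccccccccccc"),  # bastion -> nodes
]


def findings_for_sample():
    return audit(SAMPLE_RULES)


if __name__ == "__main__":
    for rid, msg in findings_for_sample():
        print(rid, msg)
```

Against a real account, pipe `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<ids> --output json` into `audit_json` after replacing the placeholder ids in `ROLES`; the Fargate and add-on tables can be encoded the same way by extending `ALLOWED_INGRESS`. A rule that references another security group rather than a CIDR is still reported when the pair is not in the table (sgr-09), which is the case the 0.0.0.0/0 checks alone would miss.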