forked from nathanpeck/ecs-cloudformation
-
Notifications
You must be signed in to change notification settings - Fork 0
/
alb-internal.yml
87 lines (85 loc) · 3.16 KB
/
alb-internal.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
AWSTemplateFormatVersion: '2010-09-09'
Description: Internal, private load balancer that only accepts traffic from
containers in the cluster.
Parameters:
EnvironmentName:
Type: String
Default: production
Description: The name of the environment to add this load balancer to
Resources:
EcsSecurityGroupIngressFromPrivateALB:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: Ingress from the private ALB
GroupId:
Fn::ImportValue: !Sub ${EnvironmentName}:ContainerSecurityGroup
IpProtocol: -1
SourceSecurityGroupId: !Ref 'PrivateLoadBalancerSG'
# Private load balancer, hosted in private subnets, that only
# accepts traffic from other containers in the Fargate cluster, and is
# intended for private services that should not be accessed directly
# by the public.
PrivateLoadBalancerSG:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Access to the internal load balancer
VpcId:
Fn::ImportValue: !Sub ${EnvironmentName}:VpcId
PrivateLoadBalancerIngressFromECS:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: Only accept traffic from a container in the fargate container security group
GroupId: !Ref 'PrivateLoadBalancerSG'
IpProtocol: -1
SourceSecurityGroupId:
Fn::ImportValue: !Sub ${EnvironmentName}:ContainerSecurityGroup
PrivateLoadBalancer:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
Scheme: internal
LoadBalancerAttributes:
- Key: idle_timeout.timeout_seconds
Value: '30'
Subnets:
# This load balancer is put into the private subnet, so that there is no
# route for the public to even be able to access the private load balancer.
- Fn::ImportValue: !Sub ${EnvironmentName}:PrivateSubnetOne
- Fn::ImportValue: !Sub ${EnvironmentName}:PrivateSubnetTwo
SecurityGroups: [!Ref 'PrivateLoadBalancerSG']
# This dummy target group is used to setup the ALB to just drop traffic
# initially, before any real service target groups have been added.
DummyTargetGroupPrivate:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckIntervalSeconds: 6
HealthCheckPath: /
HealthCheckProtocol: HTTP
HealthCheckTimeoutSeconds: 5
HealthyThresholdCount: 2
Port: 80
Protocol: HTTP
UnhealthyThresholdCount: 2
VpcId:
Fn::ImportValue: !Sub ${EnvironmentName}:VpcId
PrivateLoadBalancerListener:
Type: AWS::ElasticLoadBalancingV2::Listener
DependsOn:
- PrivateLoadBalancer
Properties:
DefaultActions:
- TargetGroupArn: !Ref 'DummyTargetGroupPrivate'
Type: 'forward'
LoadBalancerArn: !Ref 'PrivateLoadBalancer'
Port: 80
Protocol: HTTP
Outputs:
PrivateListener:
Description: The ARN of the public load balancer's Listener
Value: !Ref PrivateLoadBalancerListener
Export:
Name: !Sub ${EnvironmentName}:PrivateListener
InternalUrl:
Description: The url of the internal load balancer
Value: !Sub http://${PrivateLoadBalancer.DNSName}
Export:
Name: !Sub ${EnvironmentName}:InternalUrl