When creating a security group, or creating an ec2.Instance with default security group, when one gives the option allowAllOutBoundTraffic: true, only the IPv4 traffic is allowed.
When making calls to services like secretsmanager, the SDK/CLI attempts to connect to the IPv6 address first. This causes a timeout error, and is not intuitive to discover, since we have ostensibly specified to allowAllOutboundTraffic.
Unless there is something subtle I am missing, I think allowAllOutboundTraffic: true should specify both IPv4 and IPv6 egress rules.
You can reproduce just by creating an ec2.Instance(...) construct and observing the default rules applied to the security group when allowAllOutboundTraffic: true (default value).
Yes you are right, we are working on it (sadly adding this default right now will result in a breaking change).
For now, you can set allowAllOutboundTraffic to false and add the two egress rules to allow IPv6 and IPv4 traffic.
aws-cdk/packages/@aws-cdk/aws-ec2/lib/security-group.ts
Line 528 in 8e3f53a
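A check for the behaviour reported in this issue, as an added example that is not part of the thread or the aws-cdk code base: it scans a synthesized CloudFormation template for security groups whose allow-all egress rule covers 0.0.0.0/0 but not ::/0. The function names, type names and sample template are constructed for illustration, and only inline SecurityGroupEgress rules are examined.

```typescript
// Added example: flag security groups in a synthesized CloudFormation
// template whose allow-all egress covers IPv4 (0.0.0.0/0) but not IPv6 (::/0).
interface EgressRule {
  IpProtocol?: string;
  CidrIp?: string;
  CidrIpv6?: string;
  FromPort?: number;
  ToPort?: number;
}
interface TemplateResource { Type: string; Properties?: { SecurityGroupEgress?: EgressRule[] }; }
interface CfnTemplate { Resources: { [logicalId: string]: TemplateResource }; }

// True when the rule allows every protocol and port ("-1") to the given CIDR.
function allowsAll(rule: EgressRule, key: "CidrIp" | "CidrIpv6", cidr: string): boolean {
  return rule.IpProtocol === "-1" && rule[key] === cidr;
}

// Returns the logical IDs of security groups with IPv4-only allow-all egress.
function findIpv4OnlyEgress(template: CfnTemplate): string[] {
  const findings: string[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== "AWS::EC2::SecurityGroup") continue;
    const rules = (res.Properties && res.Properties.SecurityGroupEgress) || [];
    const v4 = rules.some((r) => allowsAll(r, "CidrIp", "0.0.0.0/0"));
    const v6 = rules.some((r) => allowsAll(r, "CidrIpv6", "::/0"));
    if (v4 && !v6) findings.push(id);
  }
  return findings.sort();
}

// Constructed sample template (hypothetical logical IDs, not from the issue).
const sampleTemplate: CfnTemplate = {
  Resources: {
    InstanceSG: { Type: "AWS::EC2::SecurityGroup", Properties: {
      SecurityGroupEgress: [{ IpProtocol: "-1", CidrIp: "0.0.0.0/0" }] } },
    DualStackSG: { Type: "AWS::EC2::SecurityGroup", Properties: {
      SecurityGroupEgress: [
        { IpProtocol: "-1", CidrIp: "0.0.0.0/0" },
        { IpProtocol: "-1", CidrIpv6: "::/0" }] } },
    HttpsOnlySG: { Type: "AWS::EC2::SecurityGroup", Properties: {
      SecurityGroupEgress: [
        { IpProtocol: "tcp", FromPort: 443, ToPort: 443, CidrIp: "0.0.0.0/0" }] } },
    Bucket: { Type: "AWS::S3::Bucket" },
  },
};

console.log(findIpv4OnlyEgress(sampleTemplate));
```

A group that appears in the result is one where IPv6-first clients would hit the timeout described in the issue until a matching ::/0 egress rule is added.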