
In Security Groups - Allow All Outbound Traffic does not allow IPv6 Traffic #9946

Closed
jake-jester-nih opened this issue Aug 24, 2020 · 3 comments

Comments

@jake-jester-nih

Hello,

When creating a security group, or creating an ec2.Instance with default security group, when one gives the option allowAllOutBoundTraffic: true, only the IPv4 traffic is allowed.

When making calls to services like secretsmanager, the sdk/cli attempts to connect to the ipv6 address first. This causes a timeout error, and is not intuitive to discover, since we have ostensibly specified to allowAllOutboundTraffic.

Unless there is something subtle I am missing, I think allowAllOutboundTraffic: true should specify both ipv4 and ipv6 egress rules.

You can reproduce this just by creating an ec2.Instance(...) construct and observing the default rules applied to the security group when allowAllOutboundTraffic: true (the default value).

@NetaNir
Contributor

NetaNir commented Aug 25, 2020

Yes, you are right, we are working on it (sadly, adding this default right now would result in a breaking change).
For now, you can set allowAllOutboundTraffic to false and add the two egress rules to allow IPv6 and IPv4 traffic.

duplicate #7827

@NetaNir NetaNir closed this as completed Aug 25, 2020
@jake-jester-nih
Author

jake-jester-nih commented Aug 25, 2020

@NetaNir

Sadly this does not work. When setting the rules like this:

```typescript
import * as ec2 from "@aws-cdk/aws-ec2";

// Security group with the automatic 0.0.0.0/0 egress rule disabled,
// so that egress can be declared explicitly for both address families.
const prefectSecurityGroup = new ec2.SecurityGroup(this, "prefect-security-group", {
  allowAllOutbound: false,
  vpc: parent.coreStack.spaces_vpc,
  description: "Allow all outbound, and inbound app ports",
});

// Explicit "all traffic" egress for IPv4 and IPv6.
prefectSecurityGroup.connections.allowToAnyIpv4(ec2.Port.allTraffic());
prefectSecurityGroup.connections.allowTo(ec2.Peer.ipv6("::/0"), ec2.Port.allTraffic());
```

it results in this error:

```
Error: Cannot add an "all traffic" egress rule in this way; set allowAllOutbound=true on the SecurityGroup instead.
```

Catch 22.

@jake-jester-nih
Author

jake-jester-nih commented Aug 25, 2020

Had to do this:

```typescript
// Port-specific IPv6 egress rules are accepted where the "all traffic" rule is not.
prefectSecurityGroup.connections.allowTo(ec2.Peer.ipv6("::/0"), ec2.Port.tcp(80));
prefectSecurityGroup.connections.allowTo(ec2.Peer.ipv6("::/0"), ec2.Port.tcp(443));
```
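The IPv4-only egress described in this thread can be caught before deployment by auditing the synthesized CloudFormation template for security groups that allow IPv4 egress but have no IPv6 egress rule at all. This is an added example in TypeScript, not code from the thread or from the CDK project; the template types and sample resources are constructed here, and the `255.255.255.255/32` icmp placeholder rule is assumed to be what the CDK emits for a group with `allowAllOutbound: false` and no egress rules.

```typescript
// Added example: lint a synthesized CloudFormation template for security groups
// whose egress reaches IPv4 destinations only, the gap that caused the IPv6 timeouts.

interface EgressRule {
  IpProtocol: string;   // "-1" means all protocols
  CidrIp?: string;      // IPv4 CIDR
  CidrIpv6?: string;    // IPv6 CIDR
  FromPort?: number;
  ToPort?: number;
}

interface Resource {
  Type: string;
  Properties?: { SecurityGroupEgress?: EgressRule[] };
}

interface Template { Resources: { [logicalId: string]: Resource }; }

// Assumed CDK placeholder emitted when allowAllOutbound is false and no egress rules
// were added; it matches no real traffic, so it must not count as IPv4 egress.
function isNoTrafficSentinel(r: EgressRule): boolean {
  return r.CidrIp === "255.255.255.255/32" && r.IpProtocol === "icmp";
}

// Logical IDs of security groups that allow some IPv4 egress but no IPv6 egress,
// so an SDK that tries the AAAA record first will hang until it times out.
function findIpv6EgressGaps(tpl: Template): string[] {
  const gaps: string[] = [];
  for (const id in tpl.Resources) {
    const res = tpl.Resources[id];
    if (res.Type !== "AWS::EC2::SecurityGroup") continue;
    const rules = (res.Properties?.SecurityGroupEgress ?? []).filter(r => !isNoTrafficSentinel(r));
    const hasV4 = rules.some(r => r.CidrIp !== undefined);
    const hasV6 = rules.some(r => r.CidrIpv6 !== undefined);
    if (hasV4 && !hasV6) gaps.push(id);
  }
  return gaps.sort();
}

// Constructed sample: one group as allowAllOutbound:true synthesizes it, one with the
// thread's IPv6 workaround rule added, and one with egress disabled entirely.
const sampleTemplate: Template = {
  Resources: {
    AllOutboundSG: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupEgress: [
      { IpProtocol: "-1", CidrIp: "0.0.0.0/0" } ] } },
    DualStackSG: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupEgress: [
      { IpProtocol: "-1", CidrIp: "0.0.0.0/0" },
      { IpProtocol: "tcp", CidrIpv6: "::/0", FromPort: 443, ToPort: 443 } ] } },
    NoEgressSG: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupEgress: [
      { IpProtocol: "icmp", CidrIp: "255.255.255.255/32", FromPort: 252, ToPort: 86 } ] } },
  },
};

console.log(findIpv6EgressGaps(sampleTemplate)); // -> [ 'AllOutboundSG' ]
```

Run it against the output of `cdk synth` (parsed as JSON) to flag groups that will hit the same timeout before they reach an account.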
