def create_consul_sg(self):
    """Create the Consul agent security group and register it with the stack.

    Ingress is limited to ``self.vpc_cidr``; the port set follows
    https://www.consul.io/docs/agent/options.html#ports-used. Unlike the
    other ``create_*_sg`` helpers, the group is kept on ``self.consul_sg``
    and exported through ``output_ref`` rather than returned.
    """
    # Port (or inclusive range tuple) lists, in the order the rules are emitted.
    tcp_ports = (53, (8300, 8302), 8400, 8500, 8600)
    udp_ports = ((8301, 8302), 8600)

    ingress_rules = []
    for port in tcp_ports:
        ingress_rules.append(net.sg_rule(self.vpc_cidr, port, net.TCP))
    for port in udp_ports:
        ingress_rules.append(net.sg_rule(self.vpc_cidr, port, net.UDP))

    # NOTE: every port above, including the 8500 HTTP API, is reachable from
    # the entire VPC CIDR; nothing in this group narrows that further.
    # The "Cosul" typo in GroupDescription is deliberately left untouched:
    # changing GroupDescription replaces the security group on stack update.
    self.consul_sg = ec2.SecurityGroup(
        "ConsulAgentSecurityGroup",
        GroupDescription="Security group for Cosul Agents",
        SecurityGroupIngress=ingress_rules,
        VpcId=self.vpc_id,
        Tags=self.default_tags,
    )
    self.add_resource(self.consul_sg)
    self.output_ref("ConsulAgentSG", self.consul_sg)
def create_ui_sg(self):
    """Create and register the Consul UI server security group.

    Ingress: HTTP and HTTPS from ``net.CIDR_ANY``, SSH only from the VPC
    CIDR. Returns the ``ec2.SecurityGroup`` after adding it to the stack.
    """
    public_ports = [net.HTTP, net.HTTPS]
    ingress_rules = [net.sg_rule(net.CIDR_ANY, port, net.TCP) for port in public_ports]
    ingress_rules.append(net.sg_rule(self.vpc_cidr, net.SSH, net.TCP))

    # NOTE(review): 80/443 are open to CIDR_ANY, so the UI host is reachable
    # from anywhere; this group enforces no authentication of its own —
    # confirm that is handled on the instance or by a fronting allowlist.
    # TODO: egress should only talk to private subnets over specified ports,
    # and to everyone over ephemeral ports (no egress rules are set yet).
    sg = ec2.SecurityGroup(
        "ConsulUISecurityGroup",
        GroupDescription="Consul UI Server Security Group",
        SecurityGroupIngress=ingress_rules,
        VpcId=self.vpc_id,
        Tags=self.default_tags,
    )
    self.add_resource(sg)
    return sg
def create_nat_sg(self):
    """Create and register the NAT instance security group.

    A single ingress rule admits any port and any protocol from the VPC
    CIDR (the NAT instance forwards arbitrary traffic for private subnets).
    Returns the ``ec2.SecurityGroup`` after adding it to the stack.
    """
    # Source is the VPC CIDR only; nothing outside the VPC can initiate to the NAT.
    allow_all_from_vpc = net.sg_rule(self.vpc_cidr, net.ANY_PORT, net.ANY_PROTOCOL)

    sg = ec2.SecurityGroup(
        'NATSecurityGroup',
        GroupDescription='NAT Instance Security Group',
        SecurityGroupIngress=[allow_all_from_vpc],
        VpcId=self.vpc_id,
        Tags=self.default_tags,
    )
    self.add_resource(sg)
    return sg
def create_bastion_sg(self):
    """Create and register the bastion instance security group.

    Ingress is SSH over TCP from ``net.CIDR_ANY``. Returns the
    ``ec2.SecurityGroup`` after adding it to the stack.
    """
    # NOTE(review): SSH is accepted from any source address; consider
    # narrowing CIDR_ANY to the operator networks that actually need access.
    ssh_from_anywhere = net.sg_rule(net.CIDR_ANY, net.SSH, net.TCP)

    sg = ec2.SecurityGroup(
        'BastionSecurityGroup',
        GroupDescription='Bastion Instance Security Group',
        SecurityGroupIngress=[ssh_from_anywhere],
        VpcId=self.vpc_id,
        Tags=self.default_tags,
    )
    self.add_resource(sg)
    return sg
def create_server_sg(self):
    """Create and register the Consul server instance security group.

    Ingress is SSH over TCP from the VPC CIDR only. Returns the
    ``ec2.SecurityGroup`` after adding it to the stack.
    """
    # Consul's own ports are not opened here; only in-VPC SSH is admitted.
    ssh_from_vpc = net.sg_rule(self.vpc_cidr, net.SSH, net.TCP)

    sg = ec2.SecurityGroup(
        "ConsulServerSecurityGroup",
        GroupDescription="Consul Server Instance Security Group",
        SecurityGroupIngress=[ssh_from_vpc],
        VpcId=self.vpc_id,
        Tags=self.default_tags,
    )
    self.add_resource(sg)
    return sg