Skip to content

feat(report): Remove VPCSecurityGroup from EC2 instances #1574

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
akash1810 wants to merge 1 commit into from
Closed

feat(report): Remove VPCSecurityGroup from EC2 instances #1574

akash1810 wants to merge 1 commit into from

Conversation

@akash1810
Copy link
Member

@akash1810 akash1810 commented Nov 27, 2025
edited
Loading

What does this change?

The VPCSecurityGroup security group allows ingress and egress to/from 0.0.0.0/0 on all protocols and ports. However the ASG is configured to launch instances in the VPC's private subnets (i.e. not routable from the internet) and the launch template explicitly sets AssociatePublicIpAddress to false. That is, there is no route from 0.0.0.0/0 to the EC2 instance. Therefore attaching VPCSecurityGroup to the EC2 instance has no effect and can be removed.

How to test

If we use AWS's Reachability Analyzer tool starting at the internet gateway and ending at an EC2 instance, we can see the only route is through the load balancer.

@akash1810 akash1810 changed the title feat(report): Remove VPCSecurityGroup from EC2 instances feat(report): Remove VPCSecurityGroup from EC2 instances Nov 27, 2025
@akash1810 akash1810 marked this pull request as ready for review November 27, 2025 13:54
@akash1810 akash1810 requested a review from a team as a code owner November 27, 2025 13:54
@akash1810
feat(report): Remove VPCSecurityGroup from EC2 instances
ac1ad44 
The `VPCSecurityGroup` group allows ingress and egress to/from 0.0.0.0/0 on all protocols and ports.

The ASG is configured to launch instances in the VPC's private subnets (i.e. not routable from the internet)
and the launch template explicitly sets `AssociatePublicIpAddress` to false.

That is, there is no route from 0.0.0.0/0 to the EC2 instance;
`VPCSecurityGroup` being attached to the EC2 instance has no effect and can be removed.
@akash1810 akash1810 force-pushed the aa/rm-VPCSecurityGroup branch from 2fde87e to ac1ad44 Compare November 28, 2025 15:31
@github-actions
Copy link
Contributor

github-actions bot commented Nov 28, 2025

Deploy build 4618 of mobile-n10n:eventconsumer to CODE

All deployment options

From guardian/actions-riff-raff.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 28, 2025

Deploy build 4622 of mobile-n10n:schedule to CODE

All deployment options

From guardian/actions-riff-raff.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 28, 2025

Deploy build 4632 of mobile-n10n:football to CODE

All deployment options

From guardian/actions-riff-raff.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 28, 2025

Deploy build 4625 of mobile-n10n:reportextractor to CODE

All deployment options

From guardian/actions-riff-raff.

@akash1810 akash1810 added the maintenance Departmental tracking: maintenance work, not a fix or a feature label Nov 28, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Nov 28, 2025

Deploy build 4640 of mobile-n10n:report to CODE

All deployment options

From guardian/actions-riff-raff.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 28, 2025

Deploy build 4747 of mobile-n10n:slomonitor to CODE

All deployment options

From guardian/actions-riff-raff.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 28, 2025

Deploy build 4632 of mobile-n10n:fakebreakingnewslambda to CODE

All deployment options

From guardian/actions-riff-raff.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 28, 2025

Deploy build 4653 of mobile-n10n:notification to CODE

All deployment options

From guardian/actions-riff-raff.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 28, 2025

Deploy build 4752 of mobile-n10n:registration to CODE

All deployment options

From guardian/actions-riff-raff.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 28, 2025

Deploy build 5050 of mobile-n10n:notificationworkerlambda to CODE

All deployment options

From guardian/actions-riff-raff.

@akash1810
Copy link
Member Author

akash1810 commented Dec 1, 2025

Somehow this change is preventing the load balancer from reaching the instance, consequently it's failing to deploy to CODE. Converting to draft whilst I investigate.

@akash1810 akash1810 marked this pull request as draft December 1, 2025 13:43
@github-actions
Copy link
Contributor

github-actions bot commented Jan 1, 2026

This PR is stale because it has been open 30 days with no activity. Unless a comment is added or the “stale” label removed, this will be closed in 3 days

@github-actions github-actions bot added the Stale label Jan 1, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Jan 5, 2026

This PR was closed because it has been stalled for 3 days with no activity.

@github-actions github-actions bot closed this Jan 5, 2026
@akash1810 akash1810 deleted the aa/rm-VPCSecurityGroup branch January 26, 2026 18:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aracho1 aracho1 aracho1 approved these changes

Assignees

No one assigned

Labels

maintenance Departmental tracking: maintenance work, not a fix or a feature Stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@akash1810 @aracho1