feat(report): Remove VPCSecurityGroup from EC2 instances
#1574
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
akash1810
changed the title
VPCSecurityGroup from EC2 instances
The `VPCSecurityGroup` group allows ingress and egress to/from 0.0.0.0/0 on all protocols and ports. The ASG is configured to launch instances in the VPC's private subnets (i.e. not routable from the internet) and the launch template explicitly sets `AssociatePublicIpAddress` to false. That is, there is no route from 0.0.0.0/0 to the EC2 instance; `VPCSecurityGroup` being attached to the EC2 instance has no effect and can be removed.
akash1810
force-pushed
the
aa/rm-VPCSecurityGroup
branch
from
2fde87e to
ac1ad44
Compare
Contributor
Contributor
Contributor
Contributor
akash1810
added
the
maintenance
Contributor
Contributor
Contributor
Contributor
Contributor
Contributor
aracho1
approved these changes
Dec 1, 2025
Member
Author
|
Somehow this change is preventing the load balancer from reaching the instance, consequently it's failing to deploy to CODE. Converting to draft whilst I investigate. |
Contributor
|
This PR is stale because it has been open 30 days with no activity. Unless a comment is added or the “stale” label removed, this will be closed in 3 days |
Contributor
|
This PR was closed because it has been stalled for 3 days with no activity. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this change?
The
VPCSecurityGroupsecurity group allows ingress and egress to/from0.0.0.0/0on all protocols and ports. However the ASG is configured to launch instances in the VPC's private subnets (i.e. not routable from the internet) and the launch template explicitly setsAssociatePublicIpAddressto false. That is, there is no route from0.0.0.0/0to the EC2 instance. Therefore attachingVPCSecurityGroupto the EC2 instance has no effect and can be removed.How to test
If we use AWS's Reachability Analyzer tool starting at the internet gateway and ending at an EC2 instance, we can see the only route is through the load balancer.