Merge pull request #3425 from geoffcline/gdc-revise-sg

k8s-ci-robot · web-flow · commit 72602d337d76 · 2023-10-26T23:17:19.000+02:00
Revise page on security groups
diff --git a/docs/deploy/security_groups.md b/docs/deploy/security_groups.md
@@ -1,32 +1,74 @@
-# Security groups
+# Security Groups for Load Balancers
 
-The AWS Load Balancer Controller classifies security groups into two categories: frontend and backend.
+Use security groups to limit client connections to your load balancers, and restrict connections with nodes. The AWS Load Balancer Controller (LBC) defines two classifications of security groups: **frontend** and **backend**.
+
+- **Frontend Security Groups:** Determine the clients that can access the load balancers.
+- **Backend Security Groups:** Permit the load balancer to connect to targets, such as EC2 instances or ENIs.
 
 ## Frontend Security Groups
 
-Frontend security groups control which clients can access the load balancers. The frontend security groups can be configured with the `alb.ingress.kubernetes.io/security-groups` annotation on Ingress resources or `service.beta.kubernetes.io/aws-load-balancer-security-groups` annotation on Service resources. If the annotations are not specified, the LBC will create one security group per load balancer, allowing traffic from `inbound-cidrs` to `listen-ports`.
+Frontend security groups control access to load balancers by specifying which clients can connect to them.
+
+Use cases for Frontent Security Groups include:
+
+* Placing the load balancer behind another service, such as [AWS Web Application Firewall](https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html) or [AWS CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html).
+* Blocking the IP address range (CIDR) of a region.
+* Configuring the Load Balancer for private or internal use, by specifying internal CIDRs and Security Groups. 
+
+In the default configuration, the LBC automatically creates one security group per load balancer, allowing traffic from `inbound-cidrs` to `listen-ports`.
+
+### Configuration
+
+Apply custom frontend security groups with an annotation. This disables automatic generation of frontend security groups. 
+
+- For Ingress resources, use the [`alb.ingress.kubernetes.io/security-groups`](../guide/ingress/annotations.md#security-groups) annotation.
+- For Service resources, use the [`service.beta.kubernetes.io/aws-load-balancer-security-groups`](../guide/service/annotations.md#security-groups) annotation.
+- The annotation must be set to one or more security group IDs or security group names.
+
 
 ## Backend Security Groups
 
-A single shared backend security group controls the traffic between load balancers and their target EC2 instances or ENIs. This security group is attached to the load balancers and is used as the traffic source in the ENI/Instance security group rules. The backend security group is shared between multiple load balancers.
+Backend Security Groups control traffic between AWS Load Balancers and their target EC2 instances or ENIs. For example, backend security groups can restrict the ports load balancers may access on nodes.
+
+- Backend security groups permit traffic from AWS Load Balancers to their targets. 
+- LBC uses a single, shared backend security group, attaching it to each load balancer and using as the traffic source in the security group rules it adds to targets.
+- When configuring security group rules at the ENI/Instance level, use the Security Group ID of the backend security group. Avoid using the IP addresses of a specific AWS Load Balancer, these IPs are dynamic and the security group rules aren't updated automatically.
+
+### Configuration
+
+**Enable or Disable:** Use `--enable-backend-security-group` (default `true`) to enable/disable the shared backend security group.
+
+You can turn off the shared backend security group feature by setting it to `false`. However, if you have a high number of Ingress resources with frontend security groups auto-generated by the controller, you might run into security group rule limits on the instance/ENI security groups.
+
+**Specification:** Use `--backend-security-group` to pass in a security group ID to use as a custom shared backend security group. 
+
+If `--backend-security-group` is left empty, a security group with the following attributes will be created:
+
+  ```yaml
+  name: k8s-traffic-<cluster_name>-<hash_of_cluster_name>
+  tags: 
+      elbv2.k8s.aws/cluster: <cluster_name>
+      elbv2.k8s.aws/resource: backend-sg
+  ```
+
 
-The controller flag `--enable-backend-security-group` (default `true`) is used to enable/disable the shared backend security group. The flag `--backend-security-group` (default empty) is used to pass in the security group to use as a shared backend security group. If it is empty, the LBC will auto-generate a security group with the following name and tags -
+### Coordination of Frontend and Backend Security Groups
 
-```
-name: k8s-traffic-<cluster_name>-<hash_of_cluster_name>
-tags: 
-    elbv2.k8s.aws/cluster: <cluster_name>
-    elbv2.k8s.aws/resource: backend-sg
-```
 
-You can turn off the shared backend security group feature by setting `--enable-backend-security-group` to `false`. However, if you have a high number of Ingress resources with frontend security groups auto-generated by the controller, you might run into security group rule limits on the instance/ENI security groups.
+- If the LBC auto-creates the frontend security group for a load balancer, it automatically adds the security group rules to allow traffic from the load balancer to the backend instances/ENIs.
+- If the frontend security groups are manually specified, the LBC will not **by default** add any rules to the backend security group.
 
-### Management of Backend Security Group Rules
+#### Enable Autogeneration of Backend Security Group Rules
 
-When the LBC auto-creates the frontend security group for a load balancer, it automatically adds the security group rules to allow traffic from the load balancer to the backend instances/ENIs.
+- If using custom frontend security groups, the LBC can be configured to automatically manage backend security group rules.
+- To enable managing backend security group rules, apply an additional annotation to Ingress and Service resources.
+  - For Ingress resources, set the `alb.ingress.kubernetes.io/manage-backend-security-group-rules` annotation to `true`.
+  - For Service resources, set the `service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules` annotation to `true`.
+- If management of backend security group rules is enabled with an annotation on a Service or Ingress, then `--enable-backend-security-group` must be set to true.
+- These annotations are ignored when using auto-generated frontend security groups. 
 
-When the frontend security group is specified via the `alb.ingress.kubernetes.io/security-groups` annotation on Ingress resources or `service.beta.kubernetes.io/aws-load-balancer-security-groups` annotation on Service resources, the controller will not by default add any security group rules to the backend instances/ENIs. The automatic management of instance/ENI security group can be controlled via the additional annotation `alb.ingress.kubernetes.io/manage-backend-security-group-rules` on Ingress resources or `service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules` on Service resources. When these annotations are set to true the security group rules are automatically managed by the controller. These annotations get ignored in the case of auto-generated security groups. `--enable-backend-security-group` needs to be true if either `alb.ingress.kubernetes.io/manage-backend-security-group-rules` or `service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules` are specified, otherwise it is an error.
+### Port Range Restrictions
 
-### Port Range Restrictions for Backend Security Group Rules
+From version v2.3.0 onwards, the controller restricts port ranges in the backend security group rules by default. This improves the security of the default configuration. The LBC should generate the necessary rules to permit traffic, based on the Service and Ingress resources. 
 
-As of version v2.3.0, the controller will by default restrict the backend security group rules to specific port ranges. You can set the controller flag `--disable-restricted-sg-rules` to `true` to get the backend security group rules to allow traffic to ALL ports.
+If needed, set the controller flag `--disable-restricted-sg-rules` to `true` to permit traffic to all ports. This may be appropriate for backwards compatability, or troubleshooting. 
diff --git a/docs/guide/use_cases/frontend_sg/index.md b/docs/guide/use_cases/frontend_sg/index.md
@@ -0,0 +1,121 @@
+---
+title: Restrict Access with Frontend Security Groups
+---
+
+Frontend security groups limit client/internet traffic with a load balancer. This improves security by preventing unauthorized access to cluster services, and blocking unexpected outbound connections. Both [AWS Network Load Balancers (NLBs) and Application Load Balancers (ALBs)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html) support frontend security groups. Learn more about how the Load Balancer Controller uses [Frontend and Backend Security Groups](../../../deploy/security_groups.md). 
+
+## Solution Overview
+
+Load balancers expose cluster workloads to a wider network. Creating a frontend security group limits access to these workloads (service or ingress resources). More specifically, a security group acts as a virtual firewall to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your load balancer, and outbound rules control the outgoing traffic from your load balancer.
+
+Security groups are particularly suited for defining what access other AWS resources (services, EC2 instances) have to your cluster. For example, if you have an existing security group including EC2 instances, you can permit only that security group to access a service.
+
+In this example, you will restrict access to a cluster service. You will create a new security group for the frontend of a load balancer, and add an inbound rule permitting traffic. The rule may limit traffic to a specific port, CIDR, or existing security group.
+
+## Prerequisites
+
+- [Kubernetes Cluster Version 1.22+](https://docs.aws.amazon.com/cli/latest/reference/eks/describe-cluster.html)
+- [AWS Load Balancer Controller v2.6.0+](../../../deploy/installation/)
+- [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
+
+## Configure
+
+### 1. Find the VPC ID of your cluster
+
+```sh
+$ aws eks describe-cluster --name <cluster-name> --query "cluster.resourcesVpcConfig.vpcId" --output text
+
+vpc-0101XXXXa356
+```
+
+Ensure you have the right cluster name, AWS region, and the AWS CLI is configured.
+
+### 2. Create a security group using the VPC ID
+
+```sh
+$ aws ec2 create-security-group --group-name <sg-name> --description <description> --vpc-id <vpc-id>
+
+{
+    "GroupId": "sg-0406XXXX645c"
+}
+```
+
+Note the security group ID. This will be the frontend security group for the load balancer.
+
+### 3. Create your ingress rules
+
+Load balancers generally serve as an entrypoint for clients to access your cluster. This makes ingress rules especially important.
+
+For example, this rule permits all traffic on port 443:
+
+```sh
+aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol all --port 443 --cidr 0.0.0.0/0
+```
+
+Learn more about how to [create an ingress rule with the AWS CLI.](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html)
+
+### 4. Determine your egress rules (optional)
+
+By default, all outbound traffic is allowed. Further, security groups are stateful, and responses to an allowed connection will also be permitted.
+
+Learn how to [create an egress rule with the AWS CLI.](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-egress.html)
+
+### 5. Add the security group annotation to your Ingress or Service
+
+For [Ingress resources](../../../guide/ingress/annotations.md), add the following annotation:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: frontend
+  annotations:
+    alb.ingress.kubernetes.io/security-groups: <sg-id>
+```
+
+For [Service resources](../../../guide/service/annotations.md#annotations), add the following annotation:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-security-groups: <sg-id>
+spec:
+    type: LoadBalancer
+    loadBalancerClass: service.k8s.aws/nlb
+```
+
+For Ingress resources, the associated Application Load Balancer will be updated. For Service resources, the associated Network Load Balancer will be updated.
+
+### 6. List your load balancers and verify the security groups are attached
+
+```sh
+$ aws elbv2 describe-load-balancers
+
+{
+    "LoadBalancers": [
+        {
+            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:1853XXXX5115:loadbalancer/net/k8s-default-frontend-ae3743b818/3ad6d16fb75ff688",
+            <...>
+            "SecurityGroups": [
+                "sg-0406XXXX645c",
+                "sg-0873XXXX2bef"
+            ],
+            "IpAddressType": "ipv4"
+        }
+    ]
+}
+```
+
+If you don't see the security groups, verify:
+
+- The Load Balancer Controller is properly installed.
+- The controller has proper IAM permissions to modify load balancers. Look at the logs of the controller pods for IAM errors.
+
+### 7. Clean up (Optional)
+
+Removing the annotations from Service/Ingress resources will revert to the default frontend ecurity groups.
+
+Load balancers may be costly. Delete Ingress and Service resources to deprovision the load balancers. If the load balancers are deleted from the console, they may be recreated by the controller.
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -34,6 +34,7 @@ nav:
       - Use Cases:
         - NLB TLS Termination: guide/use_cases/nlb_tls_termination/index.md
         - Externally Managed Load Balancer: guide/use_cases/self_managed_lb/index.md
+        - Frontend Security Groups: guide/use_cases/frontend_sg/index.md
   - Examples:
     - EchoServer: examples/echo_server.md
     - gRPCServer: examples/grpc_server.md
