Add inbound rule to security group aws cdk

Question

I am working with AWS Opensearch (Elasticsearch 6.8) and an AWS lambda. The lambda inserts records into Elasticsearch when an event is received. Below is how the elasticsearch is defined:

this.loggingES = new opensearch.Domain(this, 'LogsES', {
    version: opensearch.EngineVersion.ELASTICSEARCH_6_8,
    domainName: "app-logs-es",
    vpc: this.loggingVPC,
    zoneAwareness: {
        availabilityZoneCount: 3,
    },
    enforceHttps: true,
    nodeToNodeEncryption: true,
    encryptionAtRest: {
        enabled: true
    },
    capacity: {
        masterNodes: 3,
        dataNodes: 3,
    }
});

Now what happens is, two security groups get created under the same VPC, one for the ES and another for the lambda. The lambda is unable to connect to the Elasticsearch because the elasticsearch security group doesn't have an inbound rule setup that allows traffic from lambda security group.

Is there a way, I can either:

• Define a VPC that only has a single security group and all components inside the VPC can access each other?
• Or in the CDK itself, I can setup an inbound rule in Elasticsearch SG to allow traffic from lambda SG.

Answer 1

Yup, CDK makes this very easy with the Connections class, which Domain exposes. Here's an example in Python:

my_domain.connections.allow_default_port_from(my_lambda)

And that's it. You don't have to think about security groups, they're abstracted away.