I want to connect to an IPv6-only service from a Fargate service, that already connects to IPv4 services.
Ideally, the default security group would include an egress rule for ::/0, like it does for 0.0.0.0/0.
I first tried to add it using connections, which did not add the rule to the template.
service.connections.allowTo(Peer.anyIpv6(), Port.allTraffic());
Then I tried to construct a security group directly.
import { Peer, Port, SecurityGroup } from 'aws-cdk-lib/aws-ec2';
const securityGroup = new SecurityGroup(this, 'SecurityGroup', { vpc });
securityGroup.addEgressRule(Peer.anyIpv6(), Port.allTraffic());
This gives the warning, and does not add the rule to the template.
Ignoring Egress rule since 'allowAllOutbound' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup
Finally I tried to construct a security group with allowAllOutbound=false, like the warning suggests.
const securityGroup = new SecurityGroup(this, 'SecurityGroup', { vpc, allowAllOutbound: false })
securityGroup.addEgressRule(Peer.anyIpv4(), Port.allTraffic());
securityGroup.addEgressRule(Peer.anyIpv6(), Port.allTraffic());
This fails to synth with the error message:
Cannot add an "all traffic" egress rule in this way; set allowAllOutbound=true on the SecurityGroup instead.
The comment in the code suggests this was a 'for now' solution, but not ideal. https://github.com/aws/aws-cdk/blob/b2bba775282a7b031ae34de6bef838558410cb67/packages/%40aws-cdk/aws-ec2/lib/security-group.ts#L530-L535
Environment: aws-cdk 2.10.0 (build e5b301f), Typescript 4.5.5, NodeJS v14.18.1
With the current limitations of CDK the only option I see is using one of the escape hatches (that is, until this bug is fixed): adding a "SecurityGroupEgress" : [ ipv6EgressRule, ipv4EgressRule ] key-value pair to the underlying Cfn resource. More info on escape hatches: https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html
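One way to apply the escape hatch described in the comment above, as an added example that is neither from this issue thread nor from the aws-cdk project. It builds the CloudFormation-level SecurityGroupEgress entries for IPv4 and IPv6 and applies them through the real CfnResource.addPropertyOverride method; the CfnOverridable interface, the EgressRule shape, the toCfnEgress and overrideEgress helpers and the loose CIDR regexes are assumptions of this example. It also goes beyond the all-traffic case in the thread by letting a rule carry a protocol and port range, so the IPv6 rule can be narrowed to the one port the target service needs instead of all traffic to ::/0.

```typescript
// Added example (not from the issue thread or the aws-cdk project): build the
// CloudFormation SecurityGroupEgress entries and apply them through a
// CfnResource-style escape hatch.

// Minimal view of aws-cdk-lib's CfnResource that this helper needs; the real
// CfnSecurityGroup satisfies it, and a test double can stand in for it.
interface CfnOverridable {
  addPropertyOverride(propertyPath: string, value: unknown): void;
}

// One egress rule in the shape a practitioner thinks about it (assumed type).
interface EgressRule {
  cidr: string;          // IPv4 (e.g. 0.0.0.0/0) or IPv6 (e.g. ::/0) CIDR
  protocol?: string;     // '-1' (all traffic, the default), 'tcp', 'udp', ...
  fromPort?: number;     // required unless protocol is '-1'
  toPort?: number;       // defaults to fromPort
  description?: string;
}

// Loose shape checks, enough to pick the address family; CloudFormation
// validates the actual address and prefix length at deploy time.
const IPV4_CIDR = /^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$/;
const IPV6_CIDR = /^[0-9a-fA-F:]+\/\d{1,3}$/;

// Translate one rule into the AWS::EC2::SecurityGroup Egress property shape,
// choosing CidrIp or CidrIpv6 from the address family of the CIDR.
function toCfnEgress(rule: EgressRule): Record<string, string | number> {
  const protocol = rule.protocol ?? '-1';
  const entry: Record<string, string | number> = { IpProtocol: protocol };

  if (IPV4_CIDR.test(rule.cidr)) {
    entry.CidrIp = rule.cidr;
  } else if (IPV6_CIDR.test(rule.cidr)) {
    entry.CidrIpv6 = rule.cidr;
  } else {
    throw new Error(`not an IPv4 or IPv6 CIDR: ${rule.cidr}`);
  }

  // '-1' means all ports; any other protocol needs an explicit port range.
  if (protocol !== '-1') {
    if (rule.fromPort === undefined) {
      throw new Error(`protocol ${protocol} needs a port range`);
    }
    entry.FromPort = rule.fromPort;
    entry.ToPort = rule.toPort ?? rule.fromPort;
  }
  if (rule.description !== undefined) {
    entry.Description = rule.description;
  }
  return entry;
}

// Replace the SecurityGroupEgress property on the underlying Cfn resource.
// The override replaces the whole list, so the IPv4 rule that
// allowAllOutbound: true would have emitted must be listed again here.
function overrideEgress(
  resource: CfnOverridable,
  rules: EgressRule[],
): Record<string, string | number>[] {
  const entries = rules.map(toCfnEgress);
  resource.addPropertyOverride('SecurityGroupEgress', entries);
  return entries;
}

// Wiring into a real stack needs aws-cdk-lib, so it is left as a comment and
// this file runs without it. The security group CDK creates for a
// FargateService is the first entry of service.connections.securityGroups,
// and its L1 resource is node.defaultChild:
//
//   import * as ec2 from 'aws-cdk-lib/aws-ec2';
//   const cfnSg = service.connections.securityGroups[0].node.defaultChild as ec2.CfnSecurityGroup;
//   overrideEgress(cfnSg, [
//     { cidr: '0.0.0.0/0', description: 'Allow all outbound traffic by default' },
//     { cidr: '::/0', description: 'Allow all outbound IPv6 traffic' },
//   ]);
//
// Narrower alternative for the IPv6 side, only the port the target service uses:
//   { cidr: '::/0', protocol: 'tcp', fromPort: 443, description: 'HTTPS to IPv6 service' }
```

Because a property override replaces the whole SecurityGroupEgress list rather than appending to it, run cdk synth and check the emitted template still contains the IPv4 entry you expect next to the new IPv6 one; a later CDK upgrade that changes how the default rule is emitted will not touch the override, so it stays exactly what you wrote.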