AWS CDK lib version: 2.62.2
When I let the CDK implicitly create the SecurityGroup as below:
```typescript
import { Duration } from 'aws-cdk-lib';
import { SubnetType } from 'aws-cdk-lib/aws-ec2';
import { ApplicationLoadBalancer, DesyncMitigationMode } from 'aws-cdk-lib/aws-elasticloadbalancingv2';

this.alb = new ApplicationLoadBalancer(this, 'Alb', {
  loadBalancerName: "Raido",
  vpc: props.vpc,
  internetFacing: true,
  vpcSubnets: {
    subnetType: SubnetType.PUBLIC,
    onePerAz: true,
  },
  // securityGroup: props.securityGroup,
  idleTimeout: Duration.seconds(60),
  dropInvalidHeaderFields: false,
  desyncMitigationMode: DesyncMitigationMode.DEFENSIVE,
});
```
It creates an ICMP egress rule blocking port 86, like this:
egress rule:
Type: Custom ICMP - IPv4
Protocol: 252
Port: 86
Destination: 255.255.255.255/32
Description: Disallow all traffic
When I create my own SecurityGroup manually, it doesn't have the egress rule.
Why does the CDK create this egress rule, and should I add a similar rule of my own? I'm reluctant to just copy/paste the rule without knowing what it's for.
Apparently, this rule is added when the allowAllOutbound option is false, which is the default for the ApplicationLoadBalancer construct.
My takeaway: no point in setting the bogus rule on your ALB. If you want to allowAllOutbound, then do that; otherwise set your egress rules appropriate to your situation.
Apparently the 255.255.255.255/32 is intended to match no traffic because:

No machine can ever actually have the 255.255.255.255 IP address
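As an added example (not code from the question or the answer, and not part of the CDK itself), here is a small TypeScript check you can run over the template that `cdk synth` writes to see whether each security group's egress is the CDK placeholder from the question, the allow-all rule, or explicit rules as the answer recommends. The template object is a constructed sample and its resource names are made up.

```typescript
// Added example, not from the question or the CDK project: audit the security
// groups in a synthesized template (the JSON that `cdk synth` writes) and report
// what each group's egress actually allows. The placeholder values are the ones
// the CDK emits for allowAllOutbound: false with no egress rules, as in the question.
type EgressRule = { CidrIp?: string; IpProtocol: string; FromPort?: number; ToPort?: number; Description?: string };
type SgResource = { Type: string; Properties?: { SecurityGroupEgress?: EgressRule[] } };
type Template = { Resources: { [id: string]: SgResource } };
type EgressPosture = 'implicit-allow-all' | 'allow-all' | 'deny-all-placeholder' | 'explicit';

// CDK's "match no traffic" rule: ICMP type 252 / code 86 to a CIDR no host can own.
function isCdkDenyAllPlaceholder(r: EgressRule): boolean {
  return r.CidrIp === '255.255.255.255/32' && r.IpProtocol === 'icmp' && r.FromPort === 252 && r.ToPort === 86;
}

// The rule the CDK emits for allowAllOutbound: true (all protocols, anywhere).
function isAllowAll(r: EgressRule): boolean {
  return r.IpProtocol === '-1' && r.CidrIp === '0.0.0.0/0';
}

function classifyEgress(rules: EgressRule[] | undefined): EgressPosture {
  // CloudFormation adds an allow-all egress rule to a group that lists none,
  // which is why the CDK needs a placeholder to express "no egress at all".
  if (!rules || rules.length === 0) return 'implicit-allow-all';
  if (rules.some(isAllowAll)) return 'allow-all';
  if (rules.every(isCdkDenyAllPlaceholder)) return 'deny-all-placeholder';
  return 'explicit';
}

function auditTemplate(t: Template): { [id: string]: EgressPosture } {
  const out: { [id: string]: EgressPosture } = {};
  for (const id of Object.keys(t.Resources)) {
    const res = t.Resources[id];
    if (res.Type === 'AWS::EC2::SecurityGroup') out[id] = classifyEgress(res.Properties?.SecurityGroupEgress);
  }
  return out;
}

// Constructed sample: the ALB's implicit group from the question, a group made with
// allowAllOutbound: true, and a group with one deliberately scoped egress rule.
const sampleTemplate: Template = { Resources: {
  AlbSecurityGroup: { Type: 'AWS::EC2::SecurityGroup', Properties: { SecurityGroupEgress: [
    { CidrIp: '255.255.255.255/32', Description: 'Disallow all traffic', FromPort: 252, IpProtocol: 'icmp', ToPort: 86 } ] } },
  ManualSg: { Type: 'AWS::EC2::SecurityGroup', Properties: { SecurityGroupEgress: [
    { CidrIp: '0.0.0.0/0', Description: 'Allow all outbound traffic by default', IpProtocol: '-1' } ] } },
  ScopedSg: { Type: 'AWS::EC2::SecurityGroup', Properties: { SecurityGroupEgress: [
    { CidrIp: '10.0.0.0/16', Description: 'to target group', FromPort: 8080, IpProtocol: 'tcp', ToPort: 8080 } ] } },
} };

console.log(auditTemplate(sampleTemplate));
```

Pointing `auditTemplate` at the real `cdk.out/<stack>.template.json` after a synth shows which groups still carry the placeholder and which silently fell back to allow-all.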