Skip to content

Commit

Permalink
feat(ec2): well-known port aliases (#29793)
Browse files Browse the repository at this point in the history
### Issue # (if applicable)

None as far as I can tell

### Reason for this change

The web console lists commonly used ports when adding a rule to a security group, this aims to reproduce this simple quality of life shortcut. It can also help with code readability, and might save people from a typo

### Description of changes

* Add well-known static `Port` instances
  * Intersection of the AWS web console listed ports and the [IANA Service Name and Transport Protocol Port Number Registry](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt)

### Description of how you validated changes

Compared the AWS web console values to the IANA list, and added a unit test to make sure the alias behaved properly 

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
nmussy authored Apr 12, 2024
1 parent 8198884 commit f10494c
Show file tree
Hide file tree
Showing 3 changed files with 51 additions and 9 deletions.
19 changes: 10 additions & 9 deletions packages/aws-cdk-lib/aws-ec2/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -215,7 +215,7 @@ const provider = ec2.NatProvider.instanceV2({
new ec2.Vpc(this, 'TheVPC', {
natGatewayProvider: provider,
});
provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.tcp(80));
provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.HTTP);
```

You can also customize the characteristics of your NAT instances, including their security group,
Expand Down Expand Up @@ -266,7 +266,7 @@ const provider = ec2.NatProvider.instance({
new ec2.Vpc(this, 'TheVPC', {
natGatewayProvider: provider,
});
provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.tcp(80));
provider.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/8'), ec2.Port.HTTP);
```

### Ip Address Management
Expand Down Expand Up @@ -724,13 +724,13 @@ declare const appFleet: autoscaling.AutoScalingGroup;
declare const dbFleet: autoscaling.AutoScalingGroup;

// Allow connections from anywhere
loadBalancer.connections.allowFromAnyIpv4(ec2.Port.tcp(443), 'Allow inbound HTTPS');
loadBalancer.connections.allowFromAnyIpv4(ec2.Port.HTTPS, 'Allow inbound HTTPS');

// The same, but an explicit IP address
loadBalancer.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/32'), ec2.Port.tcp(443), 'Allow inbound HTTPS');
loadBalancer.connections.allowFrom(ec2.Peer.ipv4('1.2.3.4/32'), ec2.Port.HTTPS, 'Allow inbound HTTPS');

// Allow connection between AutoScalingGroups
appFleet.connections.allowTo(dbFleet, ec2.Port.tcp(443), 'App can call database');
appFleet.connections.allowTo(dbFleet, ec2.Port.HTTPS, 'App can call database');
```

### Connection Peers
Expand All @@ -747,7 +747,7 @@ peer = ec2.Peer.anyIpv4();
peer = ec2.Peer.ipv6('::0/0');
peer = ec2.Peer.anyIpv6();
peer = ec2.Peer.prefixList('pl-12345');
appFleet.connections.allowTo(peer, ec2.Port.tcp(443), 'Allow outbound HTTPS');
appFleet.connections.allowTo(peer, ec2.Port.HTTPS, 'Allow outbound HTTPS');
```

Any object that has a security group can itself be used as a connection peer:
Expand All @@ -758,9 +758,9 @@ declare const fleet2: autoscaling.AutoScalingGroup;
declare const appFleet: autoscaling.AutoScalingGroup;

// These automatically create appropriate ingress and egress rules in both security groups
fleet1.connections.allowTo(fleet2, ec2.Port.tcp(80), 'Allow between fleets');
fleet1.connections.allowTo(fleet2, ec2.Port.HTTP, 'Allow between fleets');

appFleet.connections.allowFromAnyIpv4(ec2.Port.tcp(80), 'Allow from load balancer');
appFleet.connections.allowFromAnyIpv4(ec2.Port.HTTP, 'Allow from load balancer');
```

### Port Ranges
Expand All @@ -770,6 +770,7 @@ the connection specifier:

```ts
ec2.Port.tcp(80)
ec2.Port.HTTPS
ec2.Port.tcpRange(60000, 65535)
ec2.Port.allTcp()
ec2.Port.allIcmp()
Expand Down Expand Up @@ -823,7 +824,7 @@ const mySecurityGroupWithoutInlineRules = new ec2.SecurityGroup(this, 'SecurityG
disableInlineRules: true
});
//This will add the rule as an external cloud formation construct
mySecurityGroupWithoutInlineRules.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(22), 'allow ssh access from the world');
mySecurityGroupWithoutInlineRules.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.SSH, 'allow ssh access from the world');
```

### Importing an existing security group
Expand Down
35 changes: 35 additions & 0 deletions packages/aws-cdk-lib/aws-ec2/lib/port.ts
Original file line number Diff line number Diff line change
Expand Up @@ -188,6 +188,41 @@ export interface PortProps {
* Interface for classes that provide the connection-specification parts of a security group rule
*/
export class Port {
/** Well-known SSH port (TCP 22) */
public static readonly SSH = Port.tcp(22);
/** Well-known SMTP port (TCP 25) */
public static readonly SMTP = Port.tcp(25);
/** Well-known DNS port (UDP 53) */
public static readonly DNS_UDP = Port.udp(53);
/** Well-known DNS port (TCP 53) */
public static readonly DNS_TCP = Port.tcp(53);
/** Well-known HTTP port (TCP 80) */
public static readonly HTTP = Port.tcp(80);
/** Well-known POP3 port (TCP 110) */
public static readonly POP3 = Port.tcp(110);
/** Well-known IMAP port (TCP 143) */
public static readonly IMAP = Port.tcp(143);
/** Well-known LDAP port (TCP 389) */
public static readonly LDAP = Port.tcp(389);
/** Well-known HTTPS port (TCP 443) */
public static readonly HTTPS = Port.tcp(443);
/** Well-known SMB port (TCP 445) */
public static readonly SMB = Port.tcp(445);
/** Well-known IMAPS port (TCP 993) */
public static readonly IMAPS = Port.tcp(993);
/** Well-known POP3S port (TCP 995) */
public static readonly POP3S = Port.tcp(995);
/** Well-known Microsoft SQL Server port (TCP 1433) */
public static readonly MSSQL = Port.tcp(1433);
/** Well-known NFS port (TCP 2049) */
public static readonly NFS = Port.tcp(2049);
/** Well-known MySQL and Aurora port (TCP 3306) */
public static readonly MYSQL_AURORA = Port.tcp(3306);
/** Well-known Microsoft Remote Desktop Protocol port (TCP 3389) */
public static readonly RDP = Port.tcp(3389);
/** Well-known PostgreSQL port (TCP 5432) */
public static readonly POSTGRES = Port.tcp(5432);

/**
* A single TCP port
*/
Expand Down
6 changes: 6 additions & 0 deletions packages/aws-cdk-lib/aws-ec2/test/security-group.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -503,6 +503,12 @@ describe('security group', () => {
}],
});
});

test('Static well-known ports are well-defined', () => {
// THEN
expect(Port.SSH).toEqual(Port.tcp(22));
expect(Port.DNS_UDP).toEqual(Port.udp(53));
});
});
});

Expand Down

0 comments on commit f10494c

Please sign in to comment.