in lib/consul-mesh-extension.ts [512:548]
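/**
 * Wires the security-group rules that let the Consul server and the given ECS
 * service reach each other, then attaches the Consul client security group to
 * the parent service via a CloudFormation override.
 *
 * All rules are scoped to security groups (never CIDR ranges) and cover only
 * Consul's default LAN gossip port (8301 TCP/UDP) and server RPC port (8300 TCP):
 *  - the Consul server SG accepts 8301 TCP/UDP and 8300 TCP from the service's first SG;
 *  - the service's first SG accepts 8301 TCP/UDP from the Consul server SG.
 *
 * @param service - the ECS service joining the mesh. Its first security group is
 *   used as the peer for the ingress rules; all of its security-group ids are
 *   combined with the Consul client security group for the override.
 * @throws Error if the service exposes no security group, or if adding the Consul
 *   client security group would exceed `maxSecurityGroupLimit`.
 */
public useService(service: ecs.Ec2Service | ecs.FargateService) {
  // Only the service's first security group is used as the peer; any additional
  // security groups on the service do not receive these rules.
  const serviceSecurityGroup = service.connections.securityGroups[0];
  if (serviceSecurityGroup === undefined) {
    throw new Error('The service must have at least one security group to join the Consul mesh');
  }
  // NOTE(review): assumes consulServerSecurityGroup always exposes at least one
  // security group via `connections` — confirm, otherwise the peer below is undefined.
  const consulServerSecurityGroup = this.consulServerSecurityGroup.connections.securityGroups[0];

  // Server side: accept gossip (8301 TCP/UDP) and RPC (8300 TCP) from the service.
  this.consulServerSecurityGroup.connections.allowFrom(
    serviceSecurityGroup,
    Port.tcp(8301),
    'allow consul server to accept traffic from consul client on TCP port 8301',
  );
  this.consulServerSecurityGroup.connections.allowFrom(
    serviceSecurityGroup,
    Port.udp(8301),
    'allow consul server to accept traffic from consul client on UDP port 8301',
  );
  this.consulServerSecurityGroup.connections.allowFrom(
    serviceSecurityGroup,
    Port.tcp(8300),
    'allow consul server to accept traffic from the service client on TCP port 8300',
  );

  // Service side: accept gossip (8301 TCP/UDP) from the Consul server.
  serviceSecurityGroup.addIngressRule(
    consulServerSecurityGroup,
    Port.tcp(8301),
    'allow service to accept traffic from consul server on tcp port 8301',
  );
  serviceSecurityGroup.addIngressRule(
    consulServerSecurityGroup,
    Port.udp(8301),
    'allow service to accept traffic from consul server on udp port 8301 ',
  );

  // An ENI can only carry a limited number of security groups; fail fast at
  // synth time with a clear message instead of letting CloudFormation reject it.
  const serviceSecurityGroupIds = [
    ...service.connections.securityGroups.map(sg => sg.securityGroupId),
    this.consulClientSecurityGroup.securityGroupId,
  ];
  if (serviceSecurityGroupIds.length > maxSecurityGroupLimit) {
    throw new Error(`Cannot have more than ${maxSecurityGroupLimit} security groups associated with the service`);
  }

  // NOTE(review): the override targets this.parentService.ecsService while the id
  // list is derived from `service`; these are presumably the same service — confirm.
  const cfnParentService = this.parentService.ecsService.node.findChild("Service") as ecs.CfnService;
  /**
   * Inject a CFN override for multiple SGs. Replace the 'SecurityGroups' property in
   * the CloudFormation resource of the parent service with the updated list, i.e. the
   * parent service's existing security groups plus consulClientSecurityGroup.
   */
  cfnParentService.addOverride(
    "Properties.NetworkConfiguration.AwsvpcConfiguration.SecurityGroups",
    serviceSecurityGroupIds,
  );
}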