[Bug]: Security group rule missing in NLB Security group #1161

Open
cskalyan opened this issue Oct 30, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@cskalyan

Installation method

Own AWS account

What happened?

After provisioning NLB as mentioned in this lab https://www.eksworkshop.com/docs/fundamentals/exposing/loadbalancer/adding-lb
NLB gets provisioned, but wait-for-lb $(kubectl get service -n ui ui-nlb -o jsonpath="{.status.loadBalancer.ingress[*].hostname}{'\n'}") fails.

After further debugging I found that Security group rule for port 80 is missing in the security group attached to NLB. After adding a new rule for port 80, NLB is accessible and above command returns HTTP 200.

What did you expect to happen?

This command wait-for-lb $(kubectl get service -n ui ui-nlb -o jsonpath="{.status.loadBalancer.ingress[*].hostname}{'\n'}") should have returned "You can now access http://<NLB_DNS_NAME>" and not timed out.

How can we reproduce it?

1. Create EKS cluster using Terraform
2. Follow the steps defined in the lab to deploy the sample app
3. Create NLB
4. Run wait-for-lb $(kubectl get service -n ui ui-nlb -o jsonpath="{.status.loadBalancer.ingress[*].hostname}{'\n'}")

Anything else we need to know?

No response

EKS version

1.30

@cskalyan cskalyan added the bug Something isn't working label Oct 30, 2024
@niallthomson
Contributor

Thanks for reporting this @cskalyan

As far as I know we haven't had any other reports of this, so I wonder if it's specific to the Terraform path? We'll need to check.

@cskalyan
Author

cskalyan commented Nov 1, 2024

Here are some observations.

When NLB is provisioned using the command kubectl apply -k ~/environment/eks-workshop/modules/exposing/load-balancer/nlb, I see that NLB is getting provisioned with a security group attached to it which has a rule "Allow traffic from all" with CIDR (0.0.0.0/0). If I add another rule in that SG, where I want to allow traffic only from the CIDR of my home IP, and remove 0.0.0.0/0, it does not work. NLB is working only with the 0.0.0.0/0 rule.
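
An added example, not part of the original issue or the workshop's code: the check described in this thread, run over JSON in the shape that `aws ec2 describe-security-groups` returns, reporting which ingress rules in each group admit a given client IP on port 80. The group IDs, CIDRs and function names are constructed for illustration; rules that reference other security groups or prefix lists are not evaluated.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and CIDRs are placeholders, not values from the issue.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0example0000000a", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0example0000000b", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
  {"GroupId": "sg-0example0000000c", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")


def matching_rules(group, port, client_ip, protocol="tcp"):
    """Return the ingress CIDRs in one security group that admit client_ip on port."""
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":
            pass  # all protocols, all ports: no port range is recorded
        elif proto != protocol:
            continue
        elif not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            continue
        # Only CIDR sources are checked; SG-to-SG and prefix-list rules are skipped.
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip.version == net.version and ip in net:
                hits.append(cidr)
    return hits


def audit(doc, port, client_ip):
    """Map each group ID to the CIDR rules that let client_ip reach port."""
    return {g["GroupId"]: matching_rules(g, port, client_ip)
            for g in doc["SecurityGroups"]}


if __name__ == "__main__":
    for gid, cidrs in audit(SAMPLE, 80, "198.51.100.7").items():
        print(gid, "open via " + ", ".join(cidrs) if cidrs else "NO rule for port 80")
```
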
