Skip to main content

Overview

Security Groups act as virtual firewalls controlling inbound and outbound traffic for your resources. Fjall automatically creates and manages security groups when you use ComputeFactory - you rarely need to create them manually.

Automatic Management

Fjall’s ComputeFactory automatically:
  • Creates security groups for ECS services and Lambda
  • Configures ingress rules for load balancers
  • Sets up service-to-service communication via the connections array
  • Opens required ports based on containerPort
// Fjall handles security groups automatically
const api = app.addCompute(
  ComputeFactory.build("API", {
    type: "ecs",
    containerPort: 3000, // Security group allows this port
  })
);

Service-to-Service Communication

Automatic Connection Setup

The connections array automatically configures security group rules: 
const database = app.addDatabase(
  DatabaseFactory.build("DB", {
    type: "Instance",
    databaseName: "mydb",
  })
);

const api = app.addCompute(
  ComputeFactory.build("API", {
    type: "ecs",
    ecsType: "fargate",
    connections: [database], // Security group allows API → DB traffic
  })
);
This automatically:
  1. Creates security groups for both API and database
  2. Adds ingress rule to database security group allowing API traffic
  3. Configures correct ports (3306 for MySQL, 5432 for Postgres, etc.)

Multiple Connections

Connect to multiple services: 
const cache = new DatabaseInstance(this, "Redis", {
  // ... Redis config
});

const queue = new Queue(this, "Queue");

const worker = app.addCompute(
  ComputeFactory.build("Worker", {
    type: "ecs",
    connections: [database, cache, queue],
    // Security groups allow Worker → DB, Cache, Queue
  })
);

Manual Security Group Creation

Only create explicit security groups when you need:
  • Shared security groups across applications
  • Custom rules beyond Fjall’s automatic configuration
  • External service access
import { SecurityGroup, Peer, Port } from "aws-cdk-lib/aws-ec2";

const customSG = new SecurityGroup(this, "CustomSG", {
  vpc,
  description: "Custom security group",
  allowAllOutbound: true,
});

// Allow HTTPS from anywhere
customSG.addIngressRule(
  Peer.anyIpv4(),
  Port.tcp(443),
  "Allow HTTPS"
);

Common Patterns

Allow Lambda to Access RDS

const database = app.addDatabase(
  DatabaseFactory.build("DB", {
    type: "Instance",
    databaseName: "mydb",
  })
);

const lambda = app.addCompute(
  ComputeFactory.build("Function", {
    type: "lambda",
    handler: "index.handler",
    runtime: Runtime.NODEJS_20_X,
    code: Code.fromAsset("./lambda"),
    connections: [database], // Fjall configures security groups
  })
);

Allow Specific IP Range

import { Peer, Port } from "aws-cdk-lib/aws-ec2";

// Add custom rule to Fjall-created security group
api.service.connections.allowFrom(
  Peer.ipv4("10.0.0.0/16"),
  Port.tcp(3000),
  "Allow from VPC"
);

Allow Between ECS Services

const backend = app.addCompute(
  ComputeFactory.build("Backend", {
    type: "ecs",
    containerPort: 4000,
  })
);

const frontend = app.addCompute(
  ComputeFactory.build("Frontend", {
    type: "ecs",
    containerPort: 3000,
    connections: [backend], // Frontend can call Backend:4000
  })
);

Network Configuration

VPC and Subnets

Security groups work within your VPC configuration: 
// Configure VPC in app
const app = App.getApp("MyApp", {
  network: {
    maxAzs: 2,
    natGateways: 1,
  },
});

// All compute resources use this VPC automatically
const api = app.addCompute(
  ComputeFactory.build("API", {
    type: "ecs",
    // Uses app's VPC, security groups created automatically
  })
);

Custom VPC

Use a specific VPC: 
import { Vpc } from "aws-cdk-lib/aws-ec2";

const customVpc = Vpc.fromLookup(this, "CustomVpc", {
  vpcId: "vpc-12345",
});

const api = app.addCompute(
  ComputeFactory.build("API", {
    type: "ecs",
    vpc: customVpc,
  })
);

Troubleshooting

Connection Timeouts

If services can’t communicate:
  1. Check connections array - Did you add the target to connections?
  2. Verify ports match - Is containerPort correct?
  3. Check VPC configuration - Are services in the same VPC?
  4. Review security group rules in AWS Console

Database Connection Issues

// Ensure database is in connections array
const api = app.addCompute(
  ComputeFactory.build("API", {
    type: "ecs",
    connections: [database], // ← Must include this
    containerSecretsImport: {
      DB_HOST: database.getHostEndpoint(),
      DB_PASSWORD: database.getCredentials(),
    },
  })
);

Lambda VPC Configuration

Lambda needs VPC access to use security groups: 
import { Vpc } from "aws-cdk-lib/aws-ec2";

const vpc = Vpc.fromLookup(this, "Vpc", {
  isDefault: true,
});

const lambda = app.addCompute(
  ComputeFactory.build("Function", {
    type: "lambda",
    handler: "index.handler",
    runtime: Runtime.NODEJS_20_X,
    code: Code.fromAsset("./lambda"),
    vpc, // Required for security group connections
    connections: [database],
  })
);

Port Reference

Common ports Fjall uses:
ServicePortProtocol
HTTP80TCP
HTTPS443TCP
PostgreSQL5432TCP
MySQL3306TCP
Redis6379TCP
Custom ContainercontainerPortTCP

Best Practices

  • Use the connections array instead of manual security group rules
  • Let Fjall manage security groups for standard deployments
  • Use Network Configuration to control VPC settings
  • Follow least privilege - only open required ports
  • Document custom rules if you add them manually
  • Test connectivity after deployment
  • Use VPC Flow Logs to troubleshoot traffic issues

See Also