diff --git a/lib/networking/vpc-stack.ts b/lib/networking/vpc-stack.ts
index 8d1f22c2457..e8f6dfdf5d3 100644
--- a/lib/networking/vpc-stack.ts
+++ b/lib/networking/vpc-stack.ts
@@ -90,7 +90,11 @@ export class NetworkStack extends Stack {
 /* The security group allows all ip access by default to all the ports. Please update below if you want to restrict access to certain ips and ports */
- this.osSecurityGroup.addIngressRule(serverAccess, Port.allTcp());
+ this.osSecurityGroup.addIngressRule(serverAccess, Port.tcp(80));
+ this.osSecurityGroup.addIngressRule(serverAccess, Port.tcp(443));
+ this.osSecurityGroup.addIngressRule(serverAccess, Port.tcp(9200));
+ this.osSecurityGroup.addIngressRule(serverAccess, Port.tcp(5601));
+ this.osSecurityGroup.addIngressRule(serverAccess, Port.tcp(8443));
 this.osSecurityGroup.addIngressRule(this.osSecurityGroup, Port.allTraffic());
 }
diff --git a/test/opensearch-cluster-cdk.test.ts b/test/opensearch-cluster-cdk.test.ts
index 511efa39254..a5524f963f9 100644
--- a/test/opensearch-cluster-cdk.test.ts
+++ b/test/opensearch-cluster-cdk.test.ts
@@ -209,6 +209,38 @@ test('Test Resources with security enabled multi-node with existing Vpc with use
 SecurityGroupIngress: [
 {
 CidrIp: '10.10.10.10/32',
+ Description: 'from 10.10.10.10/32:80',
+ FromPort: 80,
+ IpProtocol: 'tcp',
+ ToPort: 80,
+ },
+ {
+ CidrIp: '10.10.10.10/32',
+ Description: 'from 10.10.10.10/32:443',
+ FromPort: 443,
+ IpProtocol: 'tcp',
+ ToPort: 443,
+ },
+ {
+ CidrIp: '10.10.10.10/32',
+ Description: 'from 10.10.10.10/32:9200',
+ FromPort: 9200,
+ IpProtocol: 'tcp',
+ ToPort: 9200,
+ },
+ {
+ CidrIp: '10.10.10.10/32',
+ Description: 'from 10.10.10.10/32:5601',
+ FromPort: 5601,
+ IpProtocol: 'tcp',
+ ToPort: 5601,
+ },
+ {
+ CidrIp: '10.10.10.10/32',
+ Description: 'from 10.10.10.10/32:8443',
+ FromPort: 8443,
+ IpProtocol: 'tcp',
+ ToPort: 8443,
 },
 ],
 });
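Review bot: The comment kept above the new rules still states that the group "allows all ip access by default to all the ports", which stops being true once `Port.allTcp()` is replaced by the five `Port.tcp(...)` rules, so anyone auditing this group's exposure from the source will be misled. Replace it with something like `/* By default serverAccess may reach only TCP 80, 443, 9200 (OpenSearch), 5601 (Dashboards) and 8443; edit the port list below to widen or narrow this */`. The five repeated calls would also read better as one loop, `for (const port of [80, 443, 9200, 5601, 8443]) { this.osSecurityGroup.addIngressRule(serverAccess, Port.tcp(port)); }`, so the allowed ports are a single editable list. Note that the commit narrows ports but not sources: if `serverAccess` is built from a broad CIDR, 9200 and 5601 stay reachable from that whole range; its definition and the start of the enclosing method are outside the hunk.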
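Review bot: The five expected ingress objects added to `SecurityGroupIngress` repeat the same shape verbatim with only the port changed, so every future edit to the port list in `vpc-stack.ts` must be mirrored by hand here. Generating the expectation from the port list keeps the test readable and makes the intended port set explicit in one place. Whether the surrounding assertion matches the array exactly or via `Match.arrayWith` is not visible in the hunk; if it is the latter, a separate check that no rule with `FromPort: 0` / `ToPort: 65535` remains would pin the regression this commit is guarding against. The enclosing `test(...)` call starts before and ends after the hunk.
```typescript
        SecurityGroupIngress: [80, 443, 9200, 5601, 8443].map((port) => ({
          CidrIp: '10.10.10.10/32',
          Description: `from 10.10.10.10/32:${port}`,
          FromPort: port,
          IpProtocol: 'tcp',
          ToPort: port,
        })),
        // … unchanged: close of the expected-properties object …
```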