Skip to content

Commit ee842c1

Browse files
michaelwittigmichaelwittig
authored
[Improvement] * - IPv6 support for subnets, public load balancers, and CloudFront (breaking change) (widdix#426)
1 parent 6410750 commit ee842c1

22 files changed

+641
-7
lines changed

docs/img/vpc-2azs.png

-42.8 KB
Loading

docs/img/vpc-3azs.png

25.4 KB
Loading

docs/img/vpc-4azs.png

-37.5 KB
Loading

docs/vpc.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
> **New**: [Become a sponsor](https://github.com/sponsors/widdix) via GitHub Sponsors!
44
5-
A VPC is a virtual network inside AWS where you can isolate your setup using private IP addresses. A VPC consists of several subnets. Each subnet is bound to an Availability Zone. A **public** subnet has a direct route to the Internet. As long as your EC2 instances have an public IP they can communicate (in and out) with the Internet. A **private** subnet does not have a route to the Internet. Instances in private subnets can not be accessed from the public Internet. If you want to access the Internet from a private subnet you need to create a NAT gateway/instance. You can deploy a bastion host/instance to reduce the attack surface of internal applications.
5+
A VPC is a virtual network inside AWS where you can isolate your workload. A VPC consists of several subnets. Each subnet is bound to an Availability Zone. A **public** subnet has a direct route to/from the Internet. As long as your EC2 instances have an public IPv4 address (default) or IPv6 address, they can communicate (in and out) with the Internet. A **private** subnet does not have a IPv4 route to/from the Internet but an Ipv6 route to the Internet exists. Instances in private subnets can not be accessed from the public Internet. If you want to access the Internet from a private subnet, you need to create a NAT gateway/instance or assign an IPv6 address. You can deploy a bastion host/instance to reduce the attack surface of internal applications.
66

77
# VPC with private and public subnets in two Availability Zones
88
This template describes a VPC with two private and two public subnets.

ecs/cluster.yaml

+19
Original file line numberDiff line numberDiff line change
@@ -377,6 +377,15 @@ Resources:
377377
FromPort: 80
378378
ToPort: 80
379379
CidrIp: '0.0.0.0/0'
380+
ALBSecurityGroupInHttpWorldIPv6:
381+
Type: 'AWS::EC2::SecurityGroupIngress'
382+
Condition: HasNotAuthProxySecurityGroup
383+
Properties:
384+
GroupId: !Ref ALBSecurityGroup
385+
IpProtocol: tcp
386+
FromPort: 80
387+
ToPort: 80
388+
CidrIpv6: '::/0'
380389
ALBSecurityGroupInHttpsWorld:
381390
Type: 'AWS::EC2::SecurityGroupIngress'
382391
Condition: HasNotAuthProxySecurityGroupAndLoadBalancerCertificateArn
@@ -386,6 +395,15 @@ Resources:
386395
FromPort: 443
387396
ToPort: 443
388397
CidrIp: '0.0.0.0/0'
398+
ALBSecurityGroupInHttpsWorldIPv6:
399+
Type: 'AWS::EC2::SecurityGroupIngress'
400+
Condition: HasNotAuthProxySecurityGroupAndLoadBalancerCertificateArn
401+
Properties:
402+
GroupId: !Ref ALBSecurityGroup
403+
IpProtocol: tcp
404+
FromPort: 443
405+
ToPort: 443
406+
CidrIpv6: '::/0'
389407
ALBSecurityGroupInHttpAuthProxy:
390408
Type: 'AWS::EC2::SecurityGroupIngress'
391409
Condition: HasAuthProxySecurityGroup
@@ -511,6 +529,7 @@ Resources:
511529
LoadBalancer: # not monitored, but DefaultTargetGroup is monitored!
512530
Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
513531
Properties:
532+
IpAddressType: !If [HasLoadBalancerSchemeInternal, 'ipv4', 'dualstack']
514533
LoadBalancerAttributes:
515534
- Key: 'idle_timeout.timeout_seconds'
516535
Value: !Ref LoadBalancerIdleTimeout

ecs/service-cluster-alb.yaml

+13
Original file line numberDiff line numberDiff line change
@@ -165,6 +165,19 @@ Resources:
165165
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
166166
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
167167
Type: A
168+
RecordSetIPv6: # We can not conditionally create this only if the cluster's ALB has IPv6 turned on. Route53 does not let us query a broken AAAA record either. It just shows up as a Route53 record.
169+
Condition: HasZone
170+
Type: 'AWS::Route53::RecordSet'
171+
Properties:
172+
AliasTarget:
173+
HostedZoneId: {'Fn::ImportValue': !Sub '${ParentClusterStack}-CanonicalHostedZoneID'}
174+
DNSName: {'Fn::ImportValue': !Sub '${ParentClusterStack}-DNSName'}
175+
HostedZoneId: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneId'}
176+
Name: !Sub
177+
- '${SubDomainNameWithDot}${HostedZoneName}'
178+
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
179+
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
180+
Type: AAAA
168181
LoadBalancerTargetGroup:
169182
Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
170183
Properties:

ecs/service-dedicated-alb.yaml

+34
Original file line numberDiff line numberDiff line change
@@ -132,12 +132,14 @@ Parameters:
132132
Conditions:
133133
HasAuthProxySecurityGroup: !Not [!Equals [!Ref ParentAuthProxyStack, '']]
134134
HasNotAuthProxySecurityGroup: !Equals [!Ref ParentAuthProxyStack, '']
135+
HasLoadBalancerSchemeInternetFacing: !Equals [!Ref LoadBalancerScheme, 'internet-facing']
135136
HasLoadBalancerSchemeInternal: !Equals [!Ref LoadBalancerScheme, 'internal']
136137
HasLoadBalancerCertificateArn: !Not [!Equals [!Ref LoadBalancerCertificateArn, '']]
137138
HasAuthProxySecurityGroupAndLoadBalancerCertificateArn: !And [!Condition HasAuthProxySecurityGroup, !Condition HasLoadBalancerCertificateArn]
138139
HasNotAuthProxySecurityGroupAndLoadBalancerCertificateArn: !And [!Condition HasNotAuthProxySecurityGroup, !Condition HasLoadBalancerCertificateArn]
139140
HasAlertTopic: !Not [!Equals [!Ref ParentAlertStack, '']]
140141
HasZone: !Not [!Equals [!Ref ParentZoneStack, '']]
142+
HasZoneAndLoadBalancerSchemeInternetFacing: !And [!Condition HasZone, !Condition HasLoadBalancerSchemeInternetFacing]
141143
HasS3Bucket: !Not [!Equals [!Ref ParentS3StackAccessLog, '']]
142144
HasAutoScaling: !Equals [!Ref AutoScaling, 'true']
143145
Resources:
@@ -174,6 +176,15 @@ Resources:
174176
FromPort: 80
175177
ToPort: 80
176178
CidrIp: '0.0.0.0/0'
179+
ALBSecurityGroupInHttpWorldIPv6:
180+
Type: 'AWS::EC2::SecurityGroupIngress'
181+
Condition: HasNotAuthProxySecurityGroup
182+
Properties:
183+
GroupId: !Ref ALBSecurityGroup
184+
IpProtocol: tcp
185+
FromPort: 80
186+
ToPort: 80
187+
CidrIpv6: '::/0'
177188
ALBSecurityGroupInHttpsWorld:
178189
Type: 'AWS::EC2::SecurityGroupIngress'
179190
Condition: HasNotAuthProxySecurityGroupAndLoadBalancerCertificateArn
@@ -183,6 +194,15 @@ Resources:
183194
FromPort: 443
184195
ToPort: 443
185196
CidrIp: '0.0.0.0/0'
197+
ALBSecurityGroupInHttpsWorldIPv6:
198+
Type: 'AWS::EC2::SecurityGroupIngress'
199+
Condition: HasNotAuthProxySecurityGroupAndLoadBalancerCertificateArn
200+
Properties:
201+
GroupId: !Ref ALBSecurityGroup
202+
IpProtocol: tcp
203+
FromPort: 443
204+
ToPort: 443
205+
CidrIpv6: '::/0'
186206
ALBSecurityGroupInHttpAuthProxy:
187207
Type: 'AWS::EC2::SecurityGroupIngress'
188208
Condition: HasAuthProxySecurityGroup
@@ -311,9 +331,23 @@ Resources:
311331
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
312332
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
313333
Type: A
334+
RecordSetIPv6:
335+
Condition: HasZoneAndLoadBalancerSchemeInternetFacing
336+
Type: 'AWS::Route53::RecordSet'
337+
Properties:
338+
AliasTarget:
339+
HostedZoneId: !GetAtt 'LoadBalancer.CanonicalHostedZoneID'
340+
DNSName: !GetAtt 'LoadBalancer.DNSName'
341+
HostedZoneId: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneId'}
342+
Name: !Sub
343+
- '${SubDomainNameWithDot}${HostedZoneName}'
344+
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
345+
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
346+
Type: AAAA
314347
LoadBalancer:
315348
Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
316349
Properties:
350+
IpAddressType: !If [HasLoadBalancerSchemeInternal, 'ipv4', 'dualstack']
317351
LoadBalancerAttributes:
318352
- Key: 'idle_timeout.timeout_seconds'
319353
Value: !Ref LoadBalancerIdleTimeout

fargate/cluster.yaml

+34
Original file line numberDiff line numberDiff line change
@@ -76,12 +76,14 @@ Parameters:
7676
Conditions:
7777
HasAuthProxySecurityGroup: !Not [!Equals [!Ref ParentAuthProxyStack, '']]
7878
HasNotAuthProxySecurityGroup: !Equals [!Ref ParentAuthProxyStack, '']
79+
HasLoadBalancerSchemeInternetFacing: !Equals [!Ref LoadBalancerScheme, 'internet-facing']
7980
HasLoadBalancerSchemeInternal: !Equals [!Ref LoadBalancerScheme, 'internal']
8081
HasLoadBalancerCertificateArn: !Not [!Equals [!Ref LoadBalancerCertificateArn, '']]
8182
HasAuthProxySecurityGroupAndLoadBalancerCertificateArn: !And [!Condition HasAuthProxySecurityGroup, !Condition HasLoadBalancerCertificateArn]
8283
HasNotAuthProxySecurityGroupAndLoadBalancerCertificateArn: !And [!Condition HasNotAuthProxySecurityGroup, !Condition HasLoadBalancerCertificateArn]
8384
HasAlertTopic: !Not [!Equals [!Ref ParentAlertStack, '']]
8485
HasZone: !Not [!Equals [!Ref ParentZoneStack, '']]
86+
HasZoneAndLoadBalancerSchemeInternetFacing: !And [!Condition HasZone, !Condition HasLoadBalancerSchemeInternetFacing]
8587
HasS3Bucket: !Not [!Equals [!Ref ParentS3StackAccessLog, '']]
8688
Resources:
8789
Cluster:
@@ -100,6 +102,19 @@ Resources:
100102
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
101103
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
102104
Type: A
105+
RecordSetIPv6:
106+
Condition: HasZoneAndLoadBalancerSchemeInternetFacing
107+
Type: 'AWS::Route53::RecordSet'
108+
Properties:
109+
AliasTarget:
110+
HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID
111+
DNSName: !GetAtt 'LoadBalancer.DNSName'
112+
HostedZoneId: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneId'}
113+
Name: !Sub
114+
- '${SubDomainNameWithDot}${HostedZoneName}'
115+
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
116+
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
117+
Type: AAAA
103118
LoadBalancerSecurityGroup:
104119
Type: 'AWS::EC2::SecurityGroup'
105120
Properties:
@@ -114,6 +129,15 @@ Resources:
114129
FromPort: 80
115130
ToPort: 80
116131
CidrIp: '0.0.0.0/0'
132+
LoadBalancerSecurityGroupInHttpFromWorldIPv6:
133+
Type: 'AWS::EC2::SecurityGroupIngress'
134+
Condition: HasNotAuthProxySecurityGroup
135+
Properties:
136+
GroupId: !Ref LoadBalancerSecurityGroup
137+
IpProtocol: tcp
138+
FromPort: 80
139+
ToPort: 80
140+
CidrIpv6: '::/0'
117141
LoadBalancerSecurityGroupInHttpsFromWorld:
118142
Type: 'AWS::EC2::SecurityGroupIngress'
119143
Condition: HasNotAuthProxySecurityGroupAndLoadBalancerCertificateArn
@@ -123,6 +147,15 @@ Resources:
123147
FromPort: 443
124148
ToPort: 443
125149
CidrIp: '0.0.0.0/0'
150+
LoadBalancerSecurityGroupInHttpsFromWorldIPv6:
151+
Type: 'AWS::EC2::SecurityGroupIngress'
152+
Condition: HasNotAuthProxySecurityGroupAndLoadBalancerCertificateArn
153+
Properties:
154+
GroupId: !Ref LoadBalancerSecurityGroup
155+
IpProtocol: tcp
156+
FromPort: 443
157+
ToPort: 443
158+
CidrIpv6: '::/0'
126159
LoadBalancerSecurityGroupInHttpFromAuthProxy:
127160
Type: 'AWS::EC2::SecurityGroupIngress'
128161
Condition: HasAuthProxySecurityGroup
@@ -144,6 +177,7 @@ Resources:
144177
LoadBalancer:
145178
Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
146179
Properties:
180+
IpAddressType: !If [HasLoadBalancerSchemeInternal, 'ipv4', 'dualstack']
147181
LoadBalancerAttributes:
148182
- Key: 'idle_timeout.timeout_seconds'
149183
Value: !Ref LoadBalancerIdleTimeout

fargate/service-cluster-alb.yaml

+13
Original file line numberDiff line numberDiff line change
@@ -427,6 +427,19 @@ Resources:
427427
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
428428
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
429429
Type: A
430+
RecordSetIPv6: # We can not conditionally create this only if the cluster's ALB has IPv6 turned on. Route53 does not let us query a broken AAAA record either. It just shows up as a Route53 record.
431+
Condition: HasZone
432+
Type: 'AWS::Route53::RecordSet'
433+
Properties:
434+
AliasTarget:
435+
HostedZoneId: {'Fn::ImportValue': !Sub '${ParentClusterStack}-CanonicalHostedZoneID'}
436+
DNSName: {'Fn::ImportValue': !Sub '${ParentClusterStack}-DNSName'}
437+
HostedZoneId: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneId'}
438+
Name: !Sub
439+
- '${SubDomainNameWithDot}${HostedZoneName}'
440+
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
441+
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
442+
Type: AAAA
430443
TargetGroup:
431444
Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
432445
Properties:

fargate/service-dedicated-alb.yaml

+34
Original file line numberDiff line numberDiff line change
@@ -390,12 +390,14 @@ Mappings:
390390
Conditions:
391391
HasAuthProxySecurityGroup: !Not [!Equals [!Ref ParentAuthProxyStack, '']]
392392
HasNotAuthProxySecurityGroup: !Equals [!Ref ParentAuthProxyStack, '']
393+
HasLoadBalancerSchemeInternetFacing: !Equals [!Ref LoadBalancerScheme, 'internet-facing']
393394
HasLoadBalancerSchemeInternal: !Equals [!Ref LoadBalancerScheme, 'internal']
394395
HasLoadBalancerCertificateArn: !Not [!Equals [!Ref LoadBalancerCertificateArn, '']]
395396
HasAuthProxySecurityGroupAndLoadBalancerCertificateArn: !And [!Condition HasAuthProxySecurityGroup, !Condition HasLoadBalancerCertificateArn]
396397
HasNotAuthProxySecurityGroupAndLoadBalancerCertificateArn: !And [!Condition HasNotAuthProxySecurityGroup, !Condition HasLoadBalancerCertificateArn]
397398
HasAlertTopic: !Not [!Equals [!Ref ParentAlertStack, '']]
398399
HasZone: !Not [!Equals [!Ref ParentZoneStack, '']]
400+
HasZoneAndLoadBalancerSchemeInternetFacing: !And [!Condition HasZone, !Condition HasLoadBalancerSchemeInternetFacing]
399401
HasS3Bucket: !Not [!Equals [!Ref ParentS3StackAccessLog, '']]
400402
HasSubnetsReachPublic: !Equals [!Ref SubnetsReach, Public]
401403
HasAutoScaling: !Equals [!Ref AutoScaling, 'true']
@@ -431,6 +433,19 @@ Resources:
431433
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
432434
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
433435
Type: A
436+
RecordSetIPv6:
437+
Condition: HasZoneAndLoadBalancerSchemeInternetFacing
438+
Type: 'AWS::Route53::RecordSet'
439+
Properties:
440+
AliasTarget:
441+
HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID
442+
DNSName: !GetAtt 'LoadBalancer.DNSName'
443+
HostedZoneId: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneId'}
444+
Name: !Sub
445+
- '${SubDomainNameWithDot}${HostedZoneName}'
446+
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
447+
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
448+
Type: AAAA
434449
LoadBalancerSecurityGroup:
435450
Type: 'AWS::EC2::SecurityGroup'
436451
Properties:
@@ -445,6 +460,15 @@ Resources:
445460
FromPort: 80
446461
ToPort: 80
447462
CidrIp: '0.0.0.0/0'
463+
LoadBalancerSecurityGroupInHttpFromWorldIPv6:
464+
Type: 'AWS::EC2::SecurityGroupIngress'
465+
Condition: HasNotAuthProxySecurityGroup
466+
Properties:
467+
GroupId: !Ref LoadBalancerSecurityGroup
468+
IpProtocol: tcp
469+
FromPort: 80
470+
ToPort: 80
471+
CidrIpv6: '::/0'
448472
LoadBalancerSecurityGroupInHttpsFromWorld:
449473
Type: 'AWS::EC2::SecurityGroupIngress'
450474
Condition: HasNotAuthProxySecurityGroupAndLoadBalancerCertificateArn
@@ -454,6 +478,15 @@ Resources:
454478
FromPort: 443
455479
ToPort: 443
456480
CidrIp: '0.0.0.0/0'
481+
LoadBalancerSecurityGroupInHttpsFromWorldIPv6:
482+
Type: 'AWS::EC2::SecurityGroupIngress'
483+
Condition: HasNotAuthProxySecurityGroupAndLoadBalancerCertificateArn
484+
Properties:
485+
GroupId: !Ref LoadBalancerSecurityGroup
486+
IpProtocol: tcp
487+
FromPort: 443
488+
ToPort: 443
489+
CidrIpv6: '::/0'
457490
LoadBalancerSecurityGroupInHttpFromAuthProxy:
458491
Type: 'AWS::EC2::SecurityGroupIngress'
459492
Condition: HasAuthProxySecurityGroup
@@ -475,6 +508,7 @@ Resources:
475508
LoadBalancer:
476509
Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
477510
Properties:
511+
IpAddressType: !If [HasLoadBalancerSchemeInternal, 'ipv4', 'dualstack']
478512
LoadBalancerAttributes:
479513
- Key: 'idle_timeout.timeout_seconds'
480514
Value: !Ref LoadBalancerIdleTimeout

jenkins/jenkins2-ha-agents.yaml

+25
Original file line numberDiff line numberDiff line change
@@ -255,10 +255,12 @@ Conditions:
255255
HasNotSSHBastionSecurityGroup: !Equals [!Ref ParentSSHBastionStack, '']
256256
HasAuthProxySecurityGroup: !Not [!Equals [!Ref ParentAuthProxyStack, '']]
257257
HasNotAuthProxySecurityGroup: !Equals [!Ref ParentAuthProxyStack, '']
258+
HasMasterELBSchemeInternetFacing: !Equals [!Ref MasterELBScheme, 'internet-facing']
258259
HasMasterELBSchemeInternal: !Equals [!Ref MasterELBScheme, 'internal']
259260
HasAlertTopic: !Not [!Equals [!Ref ParentAlertStack, '']]
260261
HasS3Bucket: !Not [!Equals [!Ref ParentS3StackAccessLog, '']]
261262
HasZone: !Not [!Equals [!Ref ParentZoneStack, '']]
263+
HasZoneAndMasterELBSchemeInternetFacing: !And [!Condition HasZone, !Condition HasMasterELBSchemeInternetFacing]
262264
HasManagedPolicyArns: !Not [!Equals [!Ref ManagedPolicyArns, '']]
263265
HasEFSProvisionedThroughput: !Not [!Condition HasNotEFSProvisionedThroughput]
264266
HasNotEFSProvisionedThroughput: !Equals [!Ref EFSProvisionedThroughputInMibps, '0']
@@ -364,6 +366,15 @@ Resources:
364366
FromPort: 80
365367
ToPort: 80
366368
CidrIp: '0.0.0.0/0'
369+
MasterELBSGInWorldIPv6:
370+
Type: 'AWS::EC2::SecurityGroupIngress'
371+
Condition: HasNotAuthProxySecurityGroup
372+
Properties:
373+
GroupId: !Ref MasterELBSG
374+
IpProtocol: tcp
375+
FromPort: 80
376+
ToPort: 80
377+
CidrIpv6: '::/0'
367378
MasterELBSGInAuthProxy:
368379
Type: 'AWS::EC2::SecurityGroupIngress'
369380
Condition: HasAuthProxySecurityGroup
@@ -458,9 +469,23 @@ Resources:
458469
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
459470
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
460471
Type: A
472+
RecordSetIPv6:
473+
Condition: HasZoneAndMasterELBSchemeInternetFacing
474+
Type: 'AWS::Route53::RecordSet'
475+
Properties:
476+
AliasTarget:
477+
HostedZoneId: !GetAtt 'MasterELB.CanonicalHostedZoneID'
478+
DNSName: !GetAtt 'MasterELB.DNSName'
479+
HostedZoneId: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneId'}
480+
Name: !Sub
481+
- '${SubDomainNameWithDot}${HostedZoneName}'
482+
- SubDomainNameWithDot: !Ref SubDomainNameWithDot
483+
HostedZoneName: {'Fn::ImportValue': !Sub '${ParentZoneStack}-HostedZoneName'}
484+
Type: AAAA
461485
MasterELB:
462486
Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
463487
Properties:
488+
IpAddressType: !If [HasMasterELBSchemeInternal, 'ipv4', 'dualstack']
464489
LoadBalancerAttributes:
465490
- Key: 'idle_timeout.timeout_seconds'
466491
Value: !Ref MasterLoadBalancerIdleTimeout

0 commit comments

Comments
 (0)