From a56ed5c15e96d38e35699ad6d3db03c81ba8a1c0 Mon Sep 17 00:00:00 2001
From: Andrew Plummer
Date: Mon, 22 Apr 2024 09:56:23 +0100
Subject: [PATCH] Fix NLB health checks

---
 index.ts | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/index.ts b/index.ts
index c2b1ce5..0b6ce55 100644
--- a/index.ts
+++ b/index.ts
@@ -223,6 +223,10 @@ export class Ec2HaBastion extends Construct implements ec2.IConnectable {
 this.networkLoadBalancer = new elbv2.NetworkLoadBalancer(this, 'LB', {
 vpc: props.vpc,
 internetFacing: true,
+ // Public subnets
+ vpcSubnets: {
+ subnetType: ec2.SubnetType.PUBLIC,
+ },
 });
 
 const listener = this.networkLoadBalancer.addListener('Listener', { port: 22 });
@@ -236,6 +240,13 @@ export class Ec2HaBastion extends Construct implements ec2.IConnectable {
 for (const cidr of props.allowedCidrs) {
 asg.connections.allowFrom(ec2.Peer.ipv4(cidr), ec2.Port.tcp(22));
 }
+ // Also allow the NLB to connect to the ASG by allowing
+ // access from the public subnets, this allows the NLB to
+ // health check the instances.
+ for (const subnet of props.vpc.publicSubnets) {
+ const subnetPeer = ec2.Peer.ipv4(subnet.ipv4CidrBlock);
+ asg.connections.allowFrom(subnetPeer, ec2.Port.tcp(22));
+ }
 } else if (props.openToInternet) {
 asg.connections.allowFromAnyIpv4(ec2.Port.tcp(22));
 } else {
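Review bot: The `// Public subnets` comment on the added `vpcSubnets` block only restates the code; the reason worth recording is that an internet-facing NLB must sit in subnets with a route to an internet gateway, and the subnets chosen here are also where the load balancer's ENIs, and therefore its health-check source addresses, live. Suggest `// Internet-facing NLB: its ENIs (and health-check source IPs) live in the public subnets`. If `props.vpc` has no public subnets this selection presumably fails at synth time; that precondition belongs in the construct's props documentation, which is outside this hunk. The constructor this statement belongs to starts before the hunk and continues after it.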
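Review bot: The added loop opens TCP/22 to every host in each public subnet rather than to the NLB alone, because `ec2.Peer.ipv4(subnet.ipv4CidrBlock)` covers the whole CIDR; any other instance or ENI placed in those subnets can then reach the bastion's SSH port, which is wider than the `allowedCidrs` allow-list this branch is meant to enforce. If the CDK and ELB versions in use support security groups on Network Load Balancers, attaching one to the NLB and using `asg.connections.allowFrom(this.networkLoadBalancer, ec2.Port.tcp(22))` would scope the rule to the load balancer's ENIs; otherwise the broadening should at least be stated in the comment, e.g. `// NOTE: admits any source in the public subnets, not only the NLB's ENIs`. The rule is added only in the `allowedCidrs` branch, so whether health checks also succeed in the final `else` branch depends on code outside the hunk; the enclosing `if` begins before the hunk and the chain continues after it. It is also worth confirming that `subnet.ipv4CidrBlock` is resolvable for however `props.vpc` is obtained, since for some imported VPCs it may not be populated.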