AWS AWSCloudFormation documentation change
Summary
Added support for QUIC and TCP_QUIC protocols, introduced TargetControlPort parameter for target optimizer management traffic, updated health check parameters, and provided a QUIC target configuration example.
Security assessment
The changes primarily add support for QUIC/TCP_QUIC protocols, which use TLS 1.3 encryption by default, improving secure communication capabilities. The TargetControlPort addition relates to management traffic for a new feature but does not explicitly address vulnerabilities. While QUIC enhances security, the documentation updates focus on protocol support rather than patching a specific security issue.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.md index e64b745f3..d74d89b69 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-targetgroup.md @@ -36,0 +37 @@ To declare this entity in your CloudFormation template, use the following syntax + "TargetControlPort" : Integer, @@ -66,0 +68 @@ To declare this entity in your CloudFormation template, use the following syntax + TargetControlPort: Integer @@ -92 +94 @@ _Required_ : No -The approximate amount of time, in seconds, between health checks of an individual target. The range is 5-300. If the target group protocol is TCP, TLS, UDP, TCP_UDP, HTTP or HTTPS, the default is 30 seconds. If the target group protocol is GENEVE, the default is 10 seconds. If the target type is `lambda`, the default is 35 seconds. +The approximate amount of time, in seconds, between health checks of an individual target. The range is 5-300. If the target group protocol is TCP, TLS, UDP, TCP_UDP, QUIC, TCP_QUIC, HTTP or HTTPS, the default is 30 seconds. If the target group protocol is GENEVE, the default is 10 seconds. If the target type is `lambda`, the default is 35 seconds. @@ -126 +128 @@ _Required_ : No -The port the load balancer uses when performing health checks on targets. If the protocol is HTTP, HTTPS, TCP, TLS, UDP, or TCP_UDP, the default is `traffic-port`, which is the port on which each target receives traffic from the load balancer. If the protocol is GENEVE, the default is port 80. +The port the load balancer uses when performing health checks on targets. If the protocol is HTTP, HTTPS, TCP, TLS, UDP, TCP_UDP, QUIC, or TCP_QUIC the default is `traffic-port`, which is the port on which each target receives traffic from the load balancer. If the protocol is GENEVE, the default is port 80. @@ -137 +139 @@ _Required_ : No -The protocol the load balancer uses when performing health checks on targets. For Application Load Balancers, the default is HTTP. For Network Load Balancers and Gateway Load Balancers, the default is TCP. The TCP protocol is not supported for health checks if the protocol of the target group is HTTP or HTTPS. The GENEVE, TLS, UDP, and TCP_UDP protocols are not supported for health checks. +The protocol the load balancer uses when performing health checks on targets. For Application Load Balancers, the default is HTTP. For Network Load Balancers and Gateway Load Balancers, the default is TCP. The TCP protocol is not supported for health checks if the protocol of the target group is HTTP or HTTPS. The GENEVE, TLS, UDP, TCP_UDP, QUIC, and TCP_QUIC protocols are not supported for health checks. @@ -143 +145 @@ _Required_ : No - _Allowed values_ : `HTTP | HTTPS | TCP | TLS | UDP | TCP_UDP | GENEVE` + _Allowed values_ : `HTTP | HTTPS | TCP | TLS | UDP | TCP_UDP | GENEVE | QUIC | TCP_QUIC` @@ -193 +195 @@ _Required_ : No -[HTTP/HTTPS health checks] The HTTP or gRPC codes to use when checking for a successful response from a target. For target groups with a protocol of TCP, TCP_UDP, UDP or TLS the range is 200-599. For target groups with a protocol of HTTP or HTTPS, the range is 200-499. For target groups with a protocol of GENEVE, the range is 200-399. +[HTTP/HTTPS health checks] The HTTP or gRPC codes to use when checking for a successful response from a target. For target groups with a protocol of TCP, TCP_UDP, UDP, QUIC, TCP_QUIC, or TLS the range is 200-599. For target groups with a protocol of HTTP or HTTPS, the range is 200-499. For target groups with a protocol of GENEVE, the range is 200-399. @@ -232 +234 @@ _Required_ : Conditional -The protocol to use for routing traffic to the targets. For Application Load Balancers, the supported protocols are HTTP and HTTPS. For Network Load Balancers, the supported protocols are TCP, TLS, UDP, or TCP_UDP. For Gateway Load Balancers, the supported protocol is GENEVE. A TCP_UDP listener must be associated with a TCP_UDP target group. If the target is a Lambda function, this parameter does not apply. +The protocol to use for routing traffic to the targets. For Application Load Balancers, the supported protocols are HTTP and HTTPS. For Network Load Balancers, the supported protocols are TCP, TLS, UDP, TCP_UDP, QUIC, or TCP_QUIC. For Gateway Load Balancers, the supported protocol is GENEVE. A TCP_UDP listener must be associated with a TCP_UDP target group. A TCP_QUIC listener must be associated with a TCP_QUIC target group. If the target is a Lambda function, this parameter does not apply. @@ -238 +240 @@ _Required_ : Conditional - _Allowed values_ : `HTTP | HTTPS | TCP | TLS | UDP | TCP_UDP | GENEVE` + _Allowed values_ : `HTTP | HTTPS | TCP | TLS | UDP | TCP_UDP | GENEVE | QUIC | TCP_QUIC` @@ -265,0 +268,15 @@ _Required_ : No +`TargetControlPort` + + +The port on which the target control agent and application load balancer exchange management traffic for the target optimizer feature. + +_Required_ : No + + _Type_ : Integer + + _Minimum_ : `1` + + _Maximum_ : `65535` + + _Update requires_ : [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) + @@ -315 +332 @@ _Required_ : No -The number of consecutive health check failures required before considering a target unhealthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, HTTP or HTTPS, the default is 2. For target groups with a protocol of GENEVE, the default is 2. If the target type is `lambda`, the default is 5. +The number of consecutive health check failures required before considering a target unhealthy. The range is 2-10. If the target group protocol is TCP, TCP_UDP, UDP, TLS, QUIC, TCP_QUIC, HTTP or HTTPS, the default is 2. For target groups with a protocol of GENEVE, the default is 2. If the target type is `lambda`, the default is 5. @@ -383,0 +401,2 @@ You can create target groups for use with your listener rules. For more informat + * Target group with QUIC targets + @@ -508,0 +528,63 @@ The following example creates a target group where the targets are IP addresses. +### Target group with QUIC targets + +The following example creates a target group where the targets are configured for QUIC traffic. + +#### YAML + + + myTargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + Name: my-target-group + Protocol: QUIC + Port: 443 + TargetType: ip + VpcId: !Ref myVPC + Targets: + - Id: !GetAtt Instance1.PrivateIp + Port: 80 + QuicServerId: 0xa1b2c3d4e5f65890 + - Id: !GetAtt Instance2.PrivateIp + Port: 80 + QuicServerId: 0xa1b2c3d4e5f65899 + +#### JSON + + + { + "myTargetGroup": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "Name": "my-target-group", + "Protocol": "QUIC", + "Port": 443, + "TargetType": "ip", + "VpcId": { + "Ref": "myVPC" + }, + "Targets": [ + { + "Id": { + "Fn::GetAtt": [ + "Instance1", + "PrivateIp" + ] + }, + "Port": 80, + "QuicServerId": "0xa1b2c3d4e5f65890" + }, + { + "Id": { + "Fn::GetAtt": [ + "Instance2", + "PrivateIp" + ] + }, + "Port": 80, + "QuicServerId": "0xa1b2c3d4e5f65899" + } + ] + } + } + } +