diff --git a/pkg/cloud/services/elb/loadbalancer.go b/pkg/cloud/services/elb/loadbalancer.go
index c7beb578d4..3ae20ac13e 100644
--- a/pkg/cloud/services/elb/loadbalancer.go
+++ b/pkg/cloud/services/elb/loadbalancer.go
@@ -64,6 +64,9 @@ const apiServerTargetGroupPrefix = "apiserver-target-"
 // listeners.
 const additionalTargetGroupPrefix = "additional-listener-"
 
+// cantAttachSGToNLBRegions is a set of regions that do not support Security Groups in NLBs.
+var cantAttachSGToNLBRegions = sets.New("us-iso-east-1", "us-iso-west-1", "us-isob-east-1")
+
 // ReconcileLoadbalancers reconciles the load balancers for the given cluster.
 func (s *Service) ReconcileLoadbalancers() error {
 	s.scope.Debug("Reconciling load balancers")
@@ -395,6 +398,11 @@ func (s *Service) createLB(spec *infrav1.LoadBalancer, lbSpec *infrav1.AWSLoadBa
 		input.IpAddressType = aws.String("dualstack")
 	}
 
+	// TODO: remove when security groups on NLBs is supported in all regions.
+	if cantAttachSGToNLBRegions.Has(s.scope.Region()) {
+		input.SecurityGroups = nil
+	}
+
 	// Allocate custom addresses (Elastic IP) to internet-facing Load Balancers, when defined.
 	// Custom, or BYO, Public IPv4 Pool need to be created prior install, and the Pool ID must be
 	// set in the VpcSpec.ElasticIPPool.PublicIPv4Pool to allow Elastic IP be consumed from
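Review bot: The comment on `cantAttachSGToNLBRegions` says neither what consumes the set nor what happens when it goes stale, and since the region list is hard-coded a maintainer may later drop a region from it expecting existing clusters to pick up security groups. Per the AWS doc linked further down in this file, an NLB created without security groups can never have them attached, so NLBs created while a region is in this set stay without groups even after the region is removed; that is worth stating on the declaration. Suggest: `// cantAttachSGToNLBRegions lists regions whose NLBs do not support security groups. createLB drops the spec's security groups for these regions; because an NLB created without security groups can never have them attached later, removing a region from this set only affects load balancers created afterwards.`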
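Review bot: `input.SecurityGroups = nil` discards whatever security groups the caller populated without logging it, so in these regions the NLB is created with no security-group enforcement and the operator gets no signal that the configured groups were not applied. Log what is being dropped before clearing it, e.g. `s.scope.Info("Region doesn't support NLB security groups, creating load balancer without them", "region", s.scope.Region(), "securityGroups", aws.StringValueSlice(input.SecurityGroups))` (assuming `input.SecurityGroups` is the SDK v1 `[]*string`, which `aws.String` on the line above suggests). The guard is also keyed only on the region and not on the load-balancer type; if createLB builds the input for ALBs as well — its body lies mostly outside the hunk — the check should additionally require the NLB type, since the set's name and comment describe an NLB-only limitation. createLB starts and ends outside this hunk.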
@@ -1788,7 +1796,11 @@ func shouldReconcileSGs(scope scope.ELBScope, lb *infrav1.LoadBalancer, specSGs
 	// Once created without a security group, the NLB can never have any added.
 	// (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html)
 	if lb.LoadBalancerType == infrav1.LoadBalancerTypeNLB && len(lb.SecurityGroupIDs) == 0 {
-		scope.Info("Pre-existing NLB %s without security groups, cannot reconcile security groups.", lb.Name)
+		if cantAttachSGToNLBRegions.Has(scope.Region()) {
+			scope.Info("Region doesn't support NLB security groups, cannot reconcile security groups.", "region", scope.Region(), "elb-name", lb.Name)
+		} else {
+			scope.Info("Pre-existing NLB without security groups, cannot reconcile security groups.", "elb-name", lb.Name)
+		}
 		return false
 	}
 	if !sets.NewString(lb.SecurityGroupIDs...).Equal(sets.NewString(specSGs...)) {
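Review bot: In the new region branch the groups the spec asked for, `specSGs`, are neither applied nor recorded, so from the logs alone one cannot tell "no groups were requested" from "groups were requested but this region cannot take them", which is the case a security reviewer cares about. Add the requested groups to the log call: `scope.Info("Region doesn't support NLB security groups, cannot reconcile security groups.", "region", scope.Region(), "elb-name", lb.Name, "spec-security-groups", specSGs)`; the same key would also help the pre-existing-NLB message. Both branches return false either way, so the region check here only changes the message; a short comment saying so would stop someone from removing it as redundant. shouldReconcileSGs starts before and continues after this hunk.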