Security Group and Subnet Belongs to different networks

Submitted by 梦想与她 on 2020-01-24 06:42:28

Question


I am creating a basic AWS CloudFormation template with one VPC, 3 security groups and 5 EC2 instances; my security group looks something like this -

{
  "WebApplicationServerSG": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "VpcId": {
        "Ref": "DevVpc"
      },
      "GroupDescription": "Enable HTTP, HTTPS and SSH access",
      "Tags": [
        {
          "Key": "Name",
          "Value": "WebApplicationServer Service Group"
        }
      ],
      "SecurityGroupIngress": [
        {
          "IpProtocol": "tcp",
          "FromPort": "443",
          "ToPort": "443",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "80",
          "ToPort": "80",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "22",
          "ToPort": "22",
          "CidrIp": "0.0.0.0/0"
        }
      ],
      "SecurityGroupEgress": [
        {
          "IpProtocol": "tcp",
          "FromPort": "443",
          "ToPort": "443",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "80",
          "ToPort": "80",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "22",
          "ToPort": "22",
          "CidrIp": "0.0.0.0/0"
        }
      ]
    },
    "Metadata": {
      "AWS::CloudFormation::Designer": {
        "id": "a7977f00-48d6-488f-9e23-9bcd0785d399"
      }
    }
  }
}

And the VPC is something like below -

{
  "DevVpc": {
    "Type": "AWS::EC2::VPC",
    "Properties": {
      "CidrBlock": "172.31.0.0/16",
      "EnableDnsSupport": "false",
      "EnableDnsHostnames": "false",
      "InstanceTenancy": "dedicated",
      "Tags": [
        {
          "Key": "Name",
          "Value": "DevStackVpc"
        }
      ]
    }
  }
}

I am getting an error during stack creation with the template -

Security group sg-31f91b5a and subnet subnet-ea0aa3a7 belong to different networks.

11:13:01 UTC+0550   CREATE_FAILED   AWS::EC2::Instance  WebApplicationServer    Security group sg-5147a53a and subnet subnet-ea0aa3a7 belong to different networks.

And here is a gist for complete template, any help would really be appreciated.


Answer 1:


I got the above problem resolved using the pointers provided in the comments. The relationship between the VPC, subnet, security groups and EC2 instance is as below -

1. The first thing that gets created (and should be created) is the VPC.
2. Second is the subnet; here you mention the VpcId you created earlier.
3. Third, you create the security groups; here you mention the VpcId you created earlier as well.
4. Fourth, there is a property NetworkInterfaces on the instance where you provide SubnetId and GroupSet (an array of security group ids). This is where you define the relation between the security group, VPC and subnet, and this is what solved the problem.

Below is the sample template which actually worked -

{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
    "DevServerKeyPair": {
        "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
        "Type": "AWS::EC2::KeyPair::KeyName",
        "ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
    }
},
"Resources": {
    "DevVpc": {
        "Type": "AWS::EC2::VPC",
        "Properties": {
            "CidrBlock": "172.31.0.0/16",
            "EnableDnsSupport": "false",
            "EnableDnsHostnames": "false",
            "InstanceTenancy": "dedicated",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "DevStackVpc"
                }
            ]
        }
    },
    "DevSubnet": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
            "VpcId": {
                "Ref": "DevVpc"
            },
            "CidrBlock": "172.31.0.0/16",
            "AvailabilityZone": {
                "Fn::Select": [
                    0,
                    {
                        "Fn::GetAZs": ""
                    }
                ]
            }
        }
    },
    "WebApplicationServerSG": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "VpcId": {
                "Ref": "DevVpc"
            },
            "GroupDescription": "Enable HTTP, HTTPS and SSH access",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "WebApplicationServer Service Group"
                }
            ],
            "SecurityGroupIngress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": "443",
                    "ToPort": "443",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "80",
                    "ToPort": "80",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "22",
                    "ToPort": "22",
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "SecurityGroupEgress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": "443",
                    "ToPort": "443",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "80",
                    "ToPort": "80",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "22",
                    "ToPort": "22",
                    "CidrIp": "0.0.0.0/0"
                }
            ]
        }
    },
    "WebApplicationServer": {
        "Type": "AWS::EC2::Instance",
        "Properties": {
            "ImageId": "ami-f3e5aa9c",
            "InstanceType": "t2.micro",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "WebApplicationServer"
                }
            ],
            "KeyName": {
                "Ref": "DevServerKeyPair"
            },
            "NetworkInterfaces": [
                {
                    "SubnetId": {"Ref": "DevSubnet"},
                    "AssociatePublicIpAddress": "true",
                    "DeviceIndex": "0",
                    "GroupSet": [{ "Ref" : "WebApplicationServerSG" }]
                }
            ]
        }
    }
  }
}

Hope it helps someone looking into a similar problem.




Answer 2:


If anyone using Terraform got here, I had a similar error message and what ended up happening was the following:

variable "name" {}

locals {
  vpc_id    = "..."
  subnet_id = "..."
}

resource "aws_instance" "web" {
  ami                         = "ami-09def150731bdbcc2"
  instance_type               = "t3.micro"
  vpc_security_group_ids      = ["${aws_security_group.allow_http.id}"]

  user_data = <<-EOF
    #!/bin/bash
    sudo amazon-linux-extras install nginx1.12 -y
    sudo nginx
  EOF

  tags {
    Name = "${var.name}"
  }
}

resource "aws_security_group" "allow_http" {
  description = "Allow inbound HTTP traffic for ${var.name} instance"
  vpc_id      = "${local.vpc_id}"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

The subnet I was deploying into didn't have auto assign public IPs enabled. As such, I updated the aws_instance to include the subnet_id and associate_public_ip_address:

resource "aws_instance" "web" {
  ami                         = "ami-09def150731bdbcc2"
  instance_type               = "t3.micro"
  subnet_id                   = "${local.subnet_id}"
  vpc_security_group_ids      = ["${aws_security_group.allow_http.id}"]
  associate_public_ip_address = true

  user_data = <<-EOF
    #!/bin/bash
    sudo amazon-linux-extras install nginx1.12 -y
    sudo nginx
  EOF

  tags {
    Name = "${var.name}"
  }
}

After which, everything worked.
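Both answers describe the same root cause: the security group is declared in a VPC the template created, while the instance, lacking an explicit subnet on its interface (Answer 1) or a subnet_id (Answer 2), is placed by EC2 into a subnet of a different VPC. The following is an added example, not code from either poster or from AWS, that checks a CloudFormation template for that condition before the stack is submitted. It assumes every VpcId, SubnetId and group reference is written as {"Ref": "<logical id>"}; hard-coded physical ids are reported as unresolvable rather than looked up. The SAMPLE_TEMPLATE, the GoodServer/BadServer resources and the ami-EXAMPLE value are constructed for the demonstration.

```python
"""Pre-deployment check for the "security group and subnet belong to
different networks" error, added as an illustration (not the posters' code).

Assumption (not from the original page): VpcId / SubnetId / group references
are {"Ref": "<logical id>"} intrinsics; anything else resolves to None.
"""
import json


def ref_of(value):
    """Return the logical id inside {"Ref": "X"}, or None for anything else."""
    if isinstance(value, dict) and list(value) == ["Ref"]:
        return value["Ref"]
    return None


def vpc_of(resources, logical_id):
    """Logical id of the VPC a subnet or security group is declared in."""
    resource = resources.get(logical_id, {})
    return ref_of(resource.get("Properties", {}).get("VpcId"))


def attachments_of(instance):
    """Yield (subnet_logical_id, [sg_logical_ids]) pairs declared on an instance.

    Both the NetworkInterfaces form (used in the working template above) and
    the flat SubnetId / SecurityGroupIds form are recognised.
    """
    props = instance.get("Properties", {})
    for nic in props.get("NetworkInterfaces", []):
        yield ref_of(nic.get("SubnetId")), [ref_of(g) for g in nic.get("GroupSet", [])]
    if "SubnetId" in props or "SecurityGroupIds" in props:
        yield ref_of(props.get("SubnetId")), [ref_of(g) for g in props.get("SecurityGroupIds", [])]


def find_network_mismatches(template):
    """Return one finding per instance/security-group pair whose VPCs differ.

    A missing or unresolvable subnet is treated as "EC2 will choose a subnet
    in the default VPC", which is the situation behind the error on this page
    whenever the security group lives in a VPC the template created.
    """
    resources = template.get("Resources", {})
    findings = []
    for name, resource in resources.items():
        if resource.get("Type") != "AWS::EC2::Instance":
            continue
        for subnet, groups in attachments_of(resource):
            subnet_vpc = vpc_of(resources, subnet) if subnet else None
            for sg in groups:
                sg_vpc = vpc_of(resources, sg) if sg else None
                if sg_vpc != subnet_vpc:
                    where = subnet_vpc or "the default VPC (no resolvable subnet)"
                    findings.append(
                        f"{name}: security group {sg} is in {sg_vpc}, "
                        f"but the instance would be placed in {where}"
                    )
    return findings


# Constructed sample (not the poster's gist): one VPC, one subnet, one security
# group, an instance wired as in Answer 1 and one wired the way that fails.
SAMPLE_TEMPLATE = {
    "Resources": {
        "DevVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "172.31.0.0/16"}},
        "DevSubnet": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {"VpcId": {"Ref": "DevVpc"}, "CidrBlock": "172.31.0.0/24"},
        },
        "WebApplicationServerSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"VpcId": {"Ref": "DevVpc"}, "GroupDescription": "web"},
        },
        # Subnet and group declared together on one interface: consistent.
        "GoodServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-EXAMPLE",  # placeholder, constructed
                "NetworkInterfaces": [
                    {"DeviceIndex": "0", "SubnetId": {"Ref": "DevSubnet"},
                     "GroupSet": [{"Ref": "WebApplicationServerSG"}]}
                ],
            },
        },
        # Group from DevVpc but no subnet: EC2 falls back to the default VPC.
        "BadServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-EXAMPLE",  # placeholder, constructed
                "SecurityGroupIds": [{"Ref": "WebApplicationServerSG"}],
            },
        },
    }
}


if __name__ == "__main__":
    # Usage: python check_vpc.py template.json   (falls back to the sample)
    import sys
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for line in find_network_mismatches(template) or ["OK: subnets and security groups agree"]:
        print(line)
```

Run against the sample, the check reports only BadServer; GoodServer passes because its interface carries both the subnet and the group from DevVpc, which is the arrangement Answer 1 arrived at. The same reasoning applies to the Terraform case in Answer 2: an aws_instance with vpc_security_group_ids but no subnet_id lands in the default VPC while the group sits in local.vpc_id.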



Source: https://stackoverflow.com/questions/48252650/security-group-and-subnet-belongs-to-different-networks
