我正在创建一个基本的AWS CloudFormation模板,其中包含一个VPC,3个安全组和5个EC2实例,我的安全组看起来像这样 -
{
"WebApplicationServerSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "DevVpc"
},
"GroupDescription": "Enable HTTP, HTTPS and SSH access",
"Tags": [
{
"Key": "Name",
"Value": "WebApplicationServer Service Group"
}
],
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "a7977f00-48d6-488f-9e23-9bcd0785d399"
}
}
}
}
VPC就像下面这样 -
{
"DevVpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "172.31.0.0/16",
"EnableDnsSupport": "false",
"EnableDnsHostnames": "false",
"InstanceTenancy": "dedicated",
"Tags": [
{
"Key": "Name",
"Value": "DevStackVpc"
}
]
}
}
}
使用模板创建堆栈时出现错误 -
安全组sg-31f91b5a和子网subnet-ea0aa3a7属于 不同的网络。
11:13:01 UTC+0550 CREATE_FAILED AWS::EC2::Instance WebApplicationServer Security group sg-5147a53a and subnet subnet-ea0aa3a7 belong to different networks.
这里有完整模板的gist,真的很感激任何帮助。
答案 0 :(得分:1)
我通过评论中提供的指针解决了上述问题,subnet VPC,Security-Groups和EC2实例之间的关系如下所示 -
获得并且应该创建的第一件事是VPC
第二个是Subnet,你提到之前创建的VpcId
3您在此创建security groups,同时提及您之前创建的VpcId。
4有一个属性NetworkInterfaces,您提供SubnetId和GroupSet这是一组安全组ID,您可以在此定义安全组,vpc和子网之间的关系。是什么解决了这个问题。
以下是实际工作的示例模板 -
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"DevServerKeyPair": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
}
},
"Resources": {
"DevVpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "172.31.0.0/16",
"EnableDnsSupport": "false",
"EnableDnsHostnames": "false",
"InstanceTenancy": "dedicated",
"Tags": [
{
"Key": "Name",
"Value": "DevStackVpc"
}
]
}
},
"DevSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "DevVpc"
},
"CidrBlock": "172.31.0.0/16",
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
}
}
},
"WebApplicationServerSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "DevVpc"
},
"GroupDescription": "Enable HTTP, HTTPS and SSH access",
"Tags": [
{
"Key": "Name",
"Value": "WebApplicationServer Service Group"
}
],
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"WebApplicationServer": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-f3e5aa9c",
"InstanceType": "t2.micro",
"Tags": [
{
"Key": "Name",
"Value": "WebApplicationServer"
}
],
"KeyName": {
"Ref": "DevServerKeyPair"
},
"NetworkInterfaces": [
{
"SubnetId": {"Ref": "DevSubnet"},
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"GroupSet": [{ "Ref" : "WebApplicationServerSG" }]
}
]
}
}
}
}
希望它可以帮助有人解决类似的问题。
答案 1 :(得分:1)
您尝试使用的安全组有问题!当您使用模板创建模板时,它将使用默认的VPC。 在创建安全组的CLoudFormation模板上,您需要标识要使用的VpcId(非默认值),它将解决此问题。或者,您可以使用(NON-Default)VPC手动创建一个新的安全组,然后运行新实例。
答案 2 :(得分:0)
如果有人使用Terraform来到这里,我也会收到类似的错误消息,并且最终发生的事情如下:
variable "name" {}
locals {
vpc_id = "..."
subnet_id = "..."
}
resource "aws_instance" "web" {
ami = "ami-09def150731bdbcc2"
instance_type = "t3.micro"
vpc_security_group_ids = ["${aws_security_group.allow_http.id}"]
user_data = <<-EOF
#!/bin/bash
sudo amazon-linux-extras install nginx1.12 -y
sudo nginx
EOF
tags {
Name = "${var.name}"
}
}
resource "aws_security_group" "allow_http" {
description = "Allow inbound HTTP traffic for ${var.name} instance"
vpc_id = "${local.vpc_id}"
ingress {
from_port = 80
to_port = 80
protocol = "TCP"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
我要部署到的子网未启用auto assign public IPs。因此,我更新了aws_instance,使其包含subnet_id和associate_public_ip_address:
resource "aws_instance" "web" {
ami = "ami-09def150731bdbcc2"
instance_type = "t3.micro"
subnet_id = "${local.subnet_id}"
vpc_security_group_ids = ["${aws_security_group.allow_http.id}"]
associate_public_ip_address = true
user_data = <<-EOF
#!/bin/bash
sudo amazon-linux-extras install nginx1.12 -y
sudo nginx
EOF
tags {
Name = "${var.name}"
}
}
此后,一切正常。