Question

我尝试使用Cloudformation模板自动启动实例。在创建堆栈时，我收到以下错误：

Security group sg-xxxxx and subnet subnet-xxxxx belong to different networks.

这是我目前的模板：

{
  "Description": "AWS Cloudformation template to launch a Docker Swarm cluster of two nodes.",
  "Resources" : {
    "TwitterappVPC": {
      "Type": "AWS::EC2::VPC",
      "Properties" : {
        "CidrBlock" : "10.0.0.0/16",
        "EnableDnsSupport" : "true",
        "EnableDnsHostnames" : "true",
        "InstanceTenancy" : "dedicated"
      }
    },
    "PublicSubnet" : {
      "Type" : "AWS::EC2::Subnet",
      "Properties" : {
        "VpcId" : { "Ref" : "TwitterappVPC" },
        "CidrBlock" : "10.0.0.0/16",
        "AvailabilityZone": {
          "Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ]
        }
      }
    },
    "InternetGateway" : {
      "Type" : "AWS::EC2::InternetGateway"
    },
    "AttachGateway" : {
      "Type" : "AWS::EC2::VPCGatewayAttachment",
      "Properties" : {
        "VpcId" : { "Ref" : "TwitterappVPC" },
        "InternetGatewayId" : { "Ref" : "InternetGateway" }
      }
    },
    "TwitterappSecurityGroup" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
        "GroupDescription" : "Enable all Swarm, Microservices and SSH traffic ports",
        "SecurityGroupIngress" : [
          {"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "tcp", "FromPort" : "2377", "ToPort" : "2377", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "tcp", "FromPort" : "4789", "ToPort" : "4789", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "udp", "FromPort" : "4789", "ToPort" : "4789", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "tcp", "FromPort" : "7946", "ToPort" : "7946", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "udp", "FromPort" : "7946", "ToPort" : "7946", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "tcp", "FromPort" : "3306", "ToPort" : "3306", "CidrIp" : "0.0.0.0/0"},
          {"IpProtocol" : "tcp", "FromPort" : "8080", "ToPort" : "8095", "CidrIp" : "0.0.0.0/0"}
        ],
        "VpcId" : {"Ref" : "TwitterappVPC"}
      }
    },
    "PublicRouteTable" : {
      "Type" : "AWS::EC2::RouteTable",
      "Properties" : {
        "VpcId" : {"Ref" : "TwitterappVPC"}
      }
    },
    "PublicRoute" : {
      "Type" : "AWS::EC2::Route",
      "DependsOn" : "AttachGateway",
      "Properties" : {
        "RouteTableId" : { "Ref" : "PublicRouteTable" },
        "DestinationCidrBlock" : "0.0.0.0/0",
        "GatewayId" : { "Ref" : "InternetGateway" }
      }
    },
    "PublicSubnetRouteTableAssociation" : {
      "Type" : "AWS::EC2::SubnetRouteTableAssociation",
      "Properties" : {
        "SubnetId" : { "Ref" : "PublicSubnet" },
        "RouteTableId" : { "Ref" : "PublicRouteTable" }
      }
    },
    "TwitterappMasterNode": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "AvailabilityZone": {
          "Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ]
        },
        "InstanceType": "t2.medium",
        "KeyName": "keypair-xxxx",
        "ImageId": "ami-ac442ac3",
        "SecurityGroupIds": [{"Ref" : "TwitterappSecurityGroup"}]
      }
    }
  }
}

导致我进入以下stackoverflow question

建议的解决方案是向EC2实例属性添加一些网络接口属性：

"NetworkInterfaces": [
            {
                "SubnetId": {"Ref": "PublicSubnet"},
                "AssociatePublicIpAddress": "true",
                "DeviceIndex": "0",
                "GroupSet": [{ "Ref" : "TwitterappSecurityGroup" }]
            }
        ]

这给了我以下错误：

Network interfaces and an instance-level security groups may not be specified on the same request

我做错了什么？

Answer 1

相当愚蠢的我...

删除

后问题已解决

"SecurityGroupIds": [{"Ref" : "TwitterappSecurityGroup"}]

来自EC2实例属性。

添加网络接口属性

"NetworkInterfaces": [
        {
            "SubnetId": {"Ref": "PublicSubnet"},
            "AssociatePublicIpAddress": "true",
            "DeviceIndex": "0",
            "GroupSet": [{ "Ref" : "TwitterappSecurityGroup" }]
        }
    ]

安全组sg-xxxxx和子网subnet-xxxxx属于不同的网络

1 个答案: