I'm trying to change the word CISCOASA here using the output I got. I've tried using the lineinfile module in Ansible, but the replacement is not in order.
ORIG JSON FILE:
{ "servers": [
{
"ingress": "CISCOASA",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12345,
"dest_ip": "IPADDRESS",
"dest_port": "ssh"
},
{
"ingress": "CISCOASA",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12345,
"dest_ip": "IPADDRESS",
"dest_port": "ssh"
},
{
"ingress": "CISCOASA",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12345,
"dest_ip": "IPADDRESS",
"dest_port": 22
},
{
"ingress": "CISCOASA",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12346,
"dest_ip": "IPADDRESS",
"dest_port": "ssh"
}
]}
REPLACE VALUES:
CISCOASA1
CISCOASA2
CISCOASA3
CISCOASA4
CURRENT OUTPUT:
{ "servers": [
{
"ingress": "CISCOASA4",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12345,
"dest_ip": "IPADDRESS",
"dest_port": "ssh"
},
{
"ingress": "CISCOASA3",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12345,
"dest_ip": "IPADDRESS",
"dest_port": "ssh"
},
{
"ingress": "CISCOASA2",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12345,
"dest_ip": "IPADDRESS",
"dest_port": 22
},
{
"ingress": "CISCOASA1",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12346,
"dest_ip": "IPADDRESS",
"dest_port": "ssh"
}
]}
DESIRED OUTPUT:
{ "servers": [
{
"ingress": "CISCOASA1",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12345,
"dest_ip": "IPADDRESS",
"dest_port": "ssh"
},
{
"ingress": "CISCOASA2",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12345,
"dest_ip": "IPADDRESS",
"dest_port": "ssh"
},
{
"ingress": "CISCOASA3",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12345,
"dest_ip": "IPADDRESS",
"dest_port": 22
},
{
"ingress": "CISCOASA4",
"protocol": "tcp",
"source_ip": "IPADDRESS",
"source_port": 12346,
"dest_ip": "IPADDRESS",
"dest_port": "ssh"
}
]}
Below is my task:
- name: Adding extracted ingress in file
  become: yes
  become_user: root
  lineinfile:
    path: /filepath/valid.json
    regexp: "CISCOASA"
    line: "\"ingress\": \"{{ item[0] }}\","
    state: present
  with_items:
    - "{{ foo }}"
Thank you
This one does the trick :)
- replace:
    path: ./file.json
    regexp: '^(.*?)CISCOASA\"(.*)'
    replace: '\1CISCOASA{{ servers_index + 1 }}\"\2'
  loop: "{{ vars_file_yml.servers }}"
  loop_control:
    index_var: servers_index
  vars:
    vars_file_yml: "{{ lookup('file', './file.json') | from_json }}"
- name: Adding extracted ingress in file
  become: yes
  become_user: root
  replace:
    path: filepath/valid.json
    regexp: 'CISCOASA{{ servers_index + 1 }}'
    replace: "{{ item[0] }}"
  loop_control:
    index_var: servers_index
  with_items:
    - "{{ foo }}"
This answered my problem. :)
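Regex replacement over a JSON file is order-sensitive because every task pass sees the whole file. As an added example (not from the thread), this Python script parses the file from the question and assigns the REPLACE VALUES positionally, which is what the DESIRED OUTPUT above encodes; the sample data is a compacted copy of the question's file.

```python
import json
from typing import Any, Dict, List

# Constructed sample: the "ORIG JSON FILE" from the question, compacted.
ORIG_JSON = """
{ "servers": [
  {"ingress": "CISCOASA", "protocol": "tcp", "source_ip": "IPADDRESS",
   "source_port": 12345, "dest_ip": "IPADDRESS", "dest_port": "ssh"},
  {"ingress": "CISCOASA", "protocol": "tcp", "source_ip": "IPADDRESS",
   "source_port": 12345, "dest_ip": "IPADDRESS", "dest_port": "ssh"},
  {"ingress": "CISCOASA", "protocol": "tcp", "source_ip": "IPADDRESS",
   "source_port": 12345, "dest_ip": "IPADDRESS", "dest_port": 22},
  {"ingress": "CISCOASA", "protocol": "tcp", "source_ip": "IPADDRESS",
   "source_port": 12346, "dest_ip": "IPADDRESS", "dest_port": "ssh"}
]}
"""

# The "REPLACE VALUES" from the question, in the order they must be applied.
REPLACE_VALUES = ["CISCOASA1", "CISCOASA2", "CISCOASA3", "CISCOASA4"]


def assign_ingress(doc: Dict[str, Any], names: List[str],
                   placeholder: str = "CISCOASA") -> Dict[str, Any]:
    """Return a copy of doc whose placeholder "ingress" values are replaced
    positionally by names (first placeholder gets names[0], and so on).

    Working on the parsed structure keeps document order by construction;
    a count mismatch raises instead of leaving a half-edited file behind.
    """
    updated = json.loads(json.dumps(doc))  # deep copy; the caller's dict is untouched
    targets = [s for s in updated.get("servers", []) if s.get("ingress") == placeholder]
    if len(targets) != len(names):
        raise ValueError(f"{len(targets)} placeholder entries, {len(names)} replacement values")
    for server, name in zip(targets, names):
        server["ingress"] = name
    return updated


def ingress_order(doc: Dict[str, Any]) -> List[str]:
    """The "ingress" values in file order, for checking the result."""
    return [s["ingress"] for s in doc.get("servers", [])]


def demo() -> List[str]:
    """Apply the question's list to the question's file and report the order."""
    return ingress_order(assign_ingress(json.loads(ORIG_JSON), REPLACE_VALUES))


def mismatch_detected() -> bool:
    """Three names for four placeholders must be rejected, not partially applied."""
    try:
        assign_ingress(json.loads(ORIG_JSON), REPLACE_VALUES[:3])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(assign_ingress(json.loads(ORIG_JSON), REPLACE_VALUES), indent=2))
```

In a playbook the same approach is a `copy` of `to_nice_json` output after updating the parsed structure, rather than line-oriented regex edits.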
I created a Redshift cluster in the EU region. I also created a VPC and other artifacts, including route tables with an igw (using the GUI with the "VPC and More" option). Then I attached this VPC to the Redshift cluster during creation.
However, I'm unable to connect to this Redshift cluster from CD or from my local machine. I'm using the Postgres CLI.
Ideally it should have worked. Any ideas?
I'm able to connect from the query editor in the AWS Redshift console.
Edit: Troubleshooting done so far
This psql command times out: psql -h redshift-cluster-1.xxxxx.eu-west-1.redshift.amazonaws.com -U awsuser -d dev -p 5497. The Postgres installation is correct, as I'm able to connect to one of my other Redshift installations.
psql: could not connect to server: Connection timed out
Is the server running on host "redshift-cluster-1.xxxx.eu-west-1.redshift.amazonaws.com" (xx.xx.xx.xx) and accepting
TCP/IP connections on port 5497?
dig works, but telnet fails.
Adding describes.
VPC
{
"Vpcs": [
{
"CidrBlock": "10.0.0.0/16",
"DhcpOptionsId": "dopt-0f7cfde8258b431f5",
"State": "available",
"VpcId": "vpc-0a673f3e2399e0904",
"OwnerId": "xx",
"InstanceTenancy": "default",
"CidrBlockAssociationSet": [
{
"AssociationId": "vpc-cidr-assoc-0f738813e1a319934",
"CidrBlock": "10.0.0.0/16",
"CidrBlockState": {
"State": "associated"
}
}
],
"IsDefault": false,
"Tags": [
{
"Key": "Name",
"Value": "test-vpc"
}
]
}
]
}
Security Groups
{
"SecurityGroups": [
{
"Description": "default VPC security group",
"GroupName": "default",
"IpPermissions": [
{
"IpProtocol": "-1",
"IpRanges": [],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": [
{
"GroupId": "sg-07c16a51da213b9a8",
"UserId": "xx"
}
]
}
],
"OwnerId": "xx",
"GroupId": "sg-07c16a51da213b9a8",
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-0a673f3e2399e0904"
},
{
"Description": "SG1",
"GroupName": "SG1",
"IpPermissions": [
{
"FromPort": 5497,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "52.27.190.0/23"
},
{
"CidrIp": "64.39.96.0/20"
},
{
"CidrIp": "10.189.32.85/32"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [
{
"PrefixListId": "pl-6fa54006"
}
],
"ToPort": 6000,
"UserIdGroupPairs": []
}
],
"OwnerId": "xxxxx",
"GroupId": "sg-0fccd6f7706900e54",
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"VpcId": "vpc-0a673f3e2399e0904"
}
]
}
Redshift cluster
{
"Clusters": [
{
"ClusterIdentifier": "redshift-cluster-1",
"NodeType": "dc2.large",
"ClusterStatus": "available",
"ClusterAvailabilityStatus": "Available",
"MasterUsername": "awsuser",
"DBName": "dev",
"Endpoint": {
"Address": "redshift-cluster-1.xxx.eu-west-1.redshift.amazonaws.com",
"Port": 5497
},
"ClusterCreateTime": "2022-08-09T14:51:58.527000+00:00",
"AutomatedSnapshotRetentionPeriod": 1,
"ManualSnapshotRetentionPeriod": -1,
"ClusterSecurityGroups": [],
"VpcSecurityGroups": [
{
"VpcSecurityGroupId": "sg-07c16a51da213b9a8",
"Status": "active"
},
{
"VpcSecurityGroupId": "sg-0fccd6f7706900e54",
"Status": "active"
}
],
"ClusterParameterGroups": [
{
"ParameterGroupName": "default.redshift-1.0",
"ParameterApplyStatus": "in-sync"
}
],
"ClusterSubnetGroupName": "cluster-subnet-group-1",
"VpcId": "vpc-0a673f3e2399e0904",
"AvailabilityZone": "eu-west-1a",
"PreferredMaintenanceWindow": "mon:03:30-mon:04:00",
"PendingModifiedValues": {},
"ClusterVersion": "1.0",
"AllowVersionUpgrade": true,
"NumberOfNodes": 2,
"PubliclyAccessible": true,
"Encrypted": false,
"ClusterPublicKey": "<>",
"ClusterNodes": [
{
"NodeRole": "LEADER",
"PrivateIPAddress": "10.0.2.114",
"PublicIPAddress": "52.208.40.55"
},
{
"NodeRole": "COMPUTE-0",
"PrivateIPAddress": "10.0.6.171",
"PublicIPAddress": "46.51.199.140"
},
{
"NodeRole": "COMPUTE-1",
"PrivateIPAddress": "10.0.8.205",
"PublicIPAddress": "18.200.92.114"
}
],
"ClusterRevisionNumber": "40496",
"Tags": [],
"EnhancedVpcRouting": false,
"IamRoles": [],
"MaintenanceTrackName": "current",
"ElasticResizeNumberOfNodeOptions": "[4]",
"DeferredMaintenanceWindows": [],
"NextMaintenanceWindowStartTime": "2022-08-15T03:30:00+00:00",
"AvailabilityZoneRelocationStatus": "disabled",
"ClusterNamespaceArn": "<>",
"TotalStorageCapacityInMegaBytes": 800000,
"AquaConfiguration": {
"AquaStatus": "disabled",
"AquaConfigurationStatus": "auto"
}
}
]
}
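A check worth running against the describe output above before looking at routing: does any security group attached to the cluster actually admit the client's source address on port 5497? This is an added example, not part of the post; the security group data is a trimmed copy of the two groups shown, and 203.0.113.7 is a documentation address standing in for the client's public IP.

```python
import ipaddress
from typing import Any, Dict, List

# Constructed sample: the two VPC security groups attached to the cluster in the
# question, trimmed to the fields an ingress check needs.
CLUSTER_PORT = 5497
SECURITY_GROUPS: List[Dict[str, Any]] = [
    {"GroupId": "sg-07c16a51da213b9a8", "GroupName": "default",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "PrefixListIds": [],
          "UserIdGroupPairs": [{"GroupId": "sg-07c16a51da213b9a8"}]}]},
    {"GroupId": "sg-0fccd6f7706900e54", "GroupName": "SG1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5497, "ToPort": 6000,
          "IpRanges": [{"CidrIp": "52.27.190.0/23"},
                       {"CidrIp": "64.39.96.0/20"},
                       {"CidrIp": "10.189.32.85/32"}],
          "PrefixListIds": [{"PrefixListId": "pl-6fa54006"}],
          "UserIdGroupPairs": []}]},
]


def rule_covers_tcp_port(rule: Dict[str, Any], port: int) -> bool:
    """True if the rule's protocol/port range includes TCP traffic to port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # all traffic
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def matching_rules(groups: List[Dict[str, Any]], source_ip: str, port: int) -> List[Dict[str, Any]]:
    """Every ingress rule that could admit source_ip on port.

    CIDR matches are definite. Prefix lists and security-group references
    cannot be resolved from describe-security-groups output alone, so they
    are reported with certain=False instead of being silently assumed.
    """
    src = ipaddress.ip_address(source_ip)
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_tcp_port(rule, port):
                continue
            for r in rule.get("IpRanges", []):
                if src in ipaddress.ip_network(r["CidrIp"], strict=False):
                    findings.append({"group": sg["GroupId"], "match": r["CidrIp"], "certain": True})
            for pl in rule.get("PrefixListIds", []):
                findings.append({"group": sg["GroupId"], "match": pl["PrefixListId"], "certain": False})
            for pair in rule.get("UserIdGroupPairs", []):
                findings.append({"group": sg["GroupId"], "match": pair["GroupId"], "certain": False})
    return findings


def is_admitted(groups: List[Dict[str, Any]], source_ip: str, port: int) -> bool:
    """True only when a CIDR rule definitely admits the client."""
    return any(f["certain"] for f in matching_rules(groups, source_ip, port))


if __name__ == "__main__":
    for ip in ("52.27.191.10", "203.0.113.7"):
        print(ip, is_admitted(SECURITY_GROUPS, ip, CLUSTER_PORT),
              matching_rules(SECURITY_GROUPS, ip, CLUSTER_PORT))
```

A client whose address falls outside the three CIDRs only gets in through the prefix list or the self-referencing default group, both of which this output cannot confirm, so a timeout from such a client is consistent with the rules shown.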
Terraform always tries to create the aws_security_group resource below, despite the resource being present in .tfstate.
I didn't think this was the behavior of this resource, as I had been able to use it before without any issues. However, after deleting some old security groups and creating a new VPC in the AWS console, terraform apply now yields: 400: The security group 'web-traffic' already exists for VPC.
I am using this resource across a couple of modules. But I assume that if the resource creation respects .tfstate, this would only cause issues with parallelization before the resource exists in .tfstate. That is not the scenario I am currently encountering; the resource already exists in .tfstate.
I've redacted the information below, but the vpc_id in .tfstate and the one used by the resource do match. The state isn't still pointing to a security group on the old VPC.
Resource declaration:
# web_traffic.tf
module "vpc" {
  source = "../vpc"
}

resource "aws_security_group" "web_traffic" {
  name        = "web-traffic"
  description = "Allows web traffic on ports 443 and 8080"
  vpc_id      = module.vpc.aws_vpc.id

  ingress {
    description      = "https"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  ingress {
    description      = "http"
    from_port        = 8080
    to_port          = 8080
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "web-traffic"
  }
}

output "web_traffic" {
  value = aws_security_group.web_traffic
}
.tfstate:
{
"module": "module.deploy.module.security",
"mode": "managed",
"type": "aws_security_group",
"name": "web_traffic",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "<redacted>",
"description": "Allows web traffic on ports 443 and 8080",
"egress": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "",
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": false,
"to_port": 0
}
],
"id": "<redacted>",
"ingress": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "https",
"from_port": 443,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": [],
"protocol": "tcp",
"security_groups": [],
"self": false,
"to_port": 443
},
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "http",
"from_port": 8080,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": [],
"protocol": "tcp",
"security_groups": [],
"self": false,
"to_port": 8080
}
],
"name": "web-traffic",
"name_prefix": "",
"owner_id": "<redacted>",
"revoke_rules_on_delete": false,
"tags": {
"Name": "web-traffic"
},
"tags_all": {
"Name": "web-traffic"
},
"timeouts": null,
"vpc_id": "<redacted>"
},
"sensitive_attributes": [],
"private": "<redacted>",
"dependencies": [
"module.deploy.module.security.module.vpc.data.aws_vpc.main"
]
}
]
}
I'd like to create a CloudWatch filter pattern which looks for security group rules that have CIDR = "0.0.0.0/0" whenever someone creates them.
Let's say I have a log event:
"eventName": "AuthorizeSecurityGroupIngress",
"awsRegion": "eu-central-1",
"userAgent": "EC2ConsoleFrontend, aws-internal/3 aws-sdk-java/1.12.150 Linux/5.4.172-100.336.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.322-b06 java/1.8.0_322 vendor/Oracle_Corporation cfg/retry-mode/standard",
"requestParameters": {
"groupId": "sg-7f1ca612",
"ipPermissions": {
"items": [
{
"ipProtocol": "tcp",
"fromPort": 389,
"toPort": 389,
"groups": {},
"ipRanges": {
"items": [
{
"cidrIp": "0.0.0.0/0"
}
]
},
"ipv6Ranges": {},
"prefixListIds": {}
},
{
"ipProtocol": "udp",
"fromPort": 53,
"toPort": 53,
"groups": {},
"ipRanges": {
"items": [
{
"cidrIp": "0.0.0.0/0"
}
]
},
"ipv6Ranges": {},
"prefixListIds": {}
}
]
}
},
"responseElements": {
"requestId": "1dfe243d-24b3-47c2-acc1-12131f4feb40",
"_return": true,
"securityGroupRuleSet": {
"items": [
{
"groupOwnerId": "030563857246",
"groupId": "sg-7f1ca612",
"securityGroupRuleId": "sgr-0811c8cc4768b7c30",
"isEgress": false,
"ipProtocol": "tcp",
"fromPort": 389,
"toPort": 389,
"cidrIpv4": "0.0.0.0/0"
},
{
"groupOwnerId": "030563857246",
"groupId": "sg-7f1ca612",
"securityGroupRuleId": "sgr-0a0527ecab37548b0",
"isEgress": false,
"ipProtocol": "udp",
"fromPort": 53,
"toPort": 53,
"cidrIpv4": "0.0.0.0/0"
}
]
}
},
I tried the query below, but it is not correct, as the responseElements.securityGroupRuleSet.items list may have more than one element.
{(($.eventName=AuthorizeSecurityGroupIngress) && ($.responseElements.securityGroupRuleSet.items[0].cidrIpv4 = "0.0.0.0/0"))}
I tried to change items[0] to items[*], but it is invalid syntax. Any idea?
An alternate way, provided in the documentation, is to use CloudTrail + EventBridge + SNS to achieve what you want. CloudTrail will log all the account changes, EventBridge will filter those changes, and SNS will trigger the notification.
A sample implementation for a similar use case is shown here: https://aws.amazon.com/premiumsupport/knowledge-center/monitor-security-group-changes-ec2/
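The gap the question hits is that a filter pattern can address items[0] but not every element of the list. As an added example (not from the thread), this detector walks the whole securityGroupRuleSet.items array of a CloudTrail event and reports each rule opened to the world; it also treats IPv6 ::/0 as open, which goes slightly beyond the question. The event is a trimmed copy of the one above, and the contrast event is constructed.

```python
from typing import Any, Dict, List

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
WATCHED_EVENTS = {"AuthorizeSecurityGroupIngress"}

# Constructed sample: the question's event trimmed to the fields the detector reads.
SAMPLE_EVENT: Dict[str, Any] = {
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "eu-central-1",
    "responseElements": {"securityGroupRuleSet": {"items": [
        {"groupId": "sg-7f1ca612", "securityGroupRuleId": "sgr-0811c8cc4768b7c30",
         "isEgress": False, "ipProtocol": "tcp", "fromPort": 389, "toPort": 389,
         "cidrIpv4": "0.0.0.0/0"},
        {"groupId": "sg-7f1ca612", "securityGroupRuleId": "sgr-0a0527ecab37548b0",
         "isEgress": False, "ipProtocol": "udp", "fromPort": 53, "toPort": 53,
         "cidrIpv4": "0.0.0.0/0"},
    ]}},
}

# Constructed contrast case: same call shape, but scoped to a private range.
SCOPED_EVENT: Dict[str, Any] = {
    "eventName": "AuthorizeSecurityGroupIngress",
    "awsRegion": "eu-central-1",
    "responseElements": {"securityGroupRuleSet": {"items": [
        {"groupId": "sg-7f1ca612", "securityGroupRuleId": "sgr-constructed0001",
         "isEgress": False, "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "cidrIpv4": "10.0.0.0/8"}]}},
}


def open_ingress_rules(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per rule in the event that admits the whole internet.

    Walks every element of responseElements.securityGroupRuleSet.items, which
    is what the items[0] filter pattern in the question cannot do. A failed
    call (responseElements null) created nothing and yields no findings.
    """
    if event.get("eventName") not in WATCHED_EVENTS:
        return []
    response = event.get("responseElements") or {}
    items = (response.get("securityGroupRuleSet") or {}).get("items") or []
    findings = []
    for rule in items:
        cidr = rule.get("cidrIpv4") or rule.get("cidrIpv6")
        if rule.get("isEgress") or cidr not in OPEN_CIDRS:
            continue
        findings.append({
            "rule_id": rule.get("securityGroupRuleId"),
            "group_id": rule.get("groupId"),
            "protocol": rule.get("ipProtocol"),
            "ports": (rule.get("fromPort"), rule.get("toPort")),
            "cidr": cidr,
            "region": event.get("awsRegion"),
        })
    return findings


def scan_records(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the check to the Records array of a CloudTrail log file."""
    return [f for event in records for f in open_ingress_rules(event)]


if __name__ == "__main__":
    for finding in scan_records([SAMPLE_EVENT, SCOPED_EVENT]):
        print(finding)
```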
I am creating a basic AWS CloudFormation template with one VPC, 3 security groups and 5 EC2 instances. My security group looks something like this -
{
"WebApplicationServerSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "DevVpc"
},
"GroupDescription": "Enable HTTP, HTTPS and SSH access",
"Tags": [
{
"Key": "Name",
"Value": "WebApplicationServer Service Group"
}
],
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "a7977f00-48d6-488f-9e23-9bcd0785d399"
}
}
}
}
And the VPC is something like below -
{
"DevVpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "172.31.0.0/16",
"EnableDnsSupport": "false",
"EnableDnsHostnames": "false",
"InstanceTenancy": "dedicated",
"Tags": [
{
"Key": "Name",
"Value": "DevStackVpc"
}
]
}
}
}
I am getting an error during stack creation with the template -
Security group sg-31f91b5a and subnet subnet-ea0aa3a7 belong to
different networks.
11:13:01 UTC+0550 CREATE_FAILED AWS::EC2::Instance WebApplicationServer Security group sg-5147a53a and subnet subnet-ea0aa3a7 belong to different networks.
And here is a gist for the complete template; any help would really be appreciated.
If anyone using Terraform got here, I had a similar error message and what ended up happening was the following:
variable "name" {}

locals {
  vpc_id    = "..."
  subnet_id = "..."
}

resource "aws_instance" "web" {
  ami                    = "ami-09def150731bdbcc2"
  instance_type          = "t3.micro"
  vpc_security_group_ids = ["${aws_security_group.allow_http.id}"]

  user_data = <<-EOF
    #!/bin/bash
    sudo amazon-linux-extras install nginx1.12 -y
    sudo nginx
  EOF

  tags {
    Name = "${var.name}"
  }
}

resource "aws_security_group" "allow_http" {
  description = "Allow inbound HTTP traffic for ${var.name} instance"
  vpc_id      = "${local.vpc_id}"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
The subnet I was deploying into didn't have auto-assign public IPs enabled. As such, I updated the aws_instance to include the subnet_id and associate_public_ip_address:
resource "aws_instance" "web" {
  ami                         = "ami-09def150731bdbcc2"
  instance_type               = "t3.micro"
  subnet_id                   = "${local.subnet_id}"
  vpc_security_group_ids      = ["${aws_security_group.allow_http.id}"]
  associate_public_ip_address = true

  user_data = <<-EOF
    #!/bin/bash
    sudo amazon-linux-extras install nginx1.12 -y
    sudo nginx
  EOF

  tags {
    Name = "${var.name}"
  }
}
After which, everything worked.
I got the above problem resolved by the pointers provided in the comments. The relation between subnet, VPC, security groups and EC2 instance is as below -
1st: the first thing which gets (and should be) created is the VPC.
2nd is the subnet; here you mention the VpcId you created earlier.
3rd, you create the security groups; here you mention the VpcId you created earlier as well.
4th, there is a property NetworkInterfaces where you provide SubnetId and GroupSet (an array of security group ids); this is where you define the relation between the security group, VPC and subnet, and this is what solved the problem.
Below is the sample template which actually worked -
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"DevServerKeyPair": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
}
},
"Resources": {
"DevVpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "172.31.0.0/16",
"EnableDnsSupport": "false",
"EnableDnsHostnames": "false",
"InstanceTenancy": "dedicated",
"Tags": [
{
"Key": "Name",
"Value": "DevStackVpc"
}
]
}
},
"DevSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "DevVpc"
},
"CidrBlock": "172.31.0.0/16",
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
}
}
},
"WebApplicationServerSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "DevVpc"
},
"GroupDescription": "Enable HTTP, HTTPS and SSH access",
"Tags": [
{
"Key": "Name",
"Value": "WebApplicationServer Service Group"
}
],
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"WebApplicationServer": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-f3e5aa9c",
"InstanceType": "t2.micro",
"Tags": [
{
"Key": "Name",
"Value": "WebApplicationServer"
}
],
"KeyName": {
"Ref": "DevServerKeyPair"
},
"NetworkInterfaces": [
{
"SubnetId": {"Ref": "DevSubnet"},
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"GroupSet": [{ "Ref" : "WebApplicationServerSG" }]
}
]
}
}
}
}
Hope it helps someone looking into a similar problem.
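The "belong to different networks" error only surfaces at stack creation, after the VPC and subnet already exist. As an added example (not from the thread), this pre-deployment check resolves the VpcId Refs of every subnet and security group an instance attaches through NetworkInterfaces (as in the template above) or the flat SubnetId/SecurityGroupIds properties, and reports disagreements; the template is a cut-down constructed version of the question's, with a second VPC added to reproduce the mismatch.

```python
import copy
from typing import Any, Dict, List, Optional

# Constructed sample: the shape of the question's template, reduced to the
# resources that matter, with a second VPC so the subnet and the security
# group point at different networks (the situation behind the error).
TEMPLATE: Dict[str, Any] = {"Resources": {
    "DevVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "172.31.0.0/16"}},
    "OtherVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "DevSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
        "VpcId": {"Ref": "DevVpc"}, "CidrBlock": "172.31.0.0/16"}},
    "WebApplicationServerSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": {"Ref": "OtherVpc"}, "GroupDescription": "Enable HTTP, HTTPS and SSH access"}},
    "WebApplicationServer": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-f3e5aa9c", "InstanceType": "t2.micro",
        "NetworkInterfaces": [{"DeviceIndex": "0", "SubnetId": {"Ref": "DevSubnet"},
                               "GroupSet": [{"Ref": "WebApplicationServerSG"}]}]}},
}}


def _ref(value: Any) -> Optional[str]:
    """Logical id behind {"Ref": ...}; None for literal ids or other intrinsics."""
    return value.get("Ref") if isinstance(value, dict) else None


def vpc_of(resources: Dict[str, Any], logical_id: Optional[str]) -> Optional[str]:
    """Logical id of the VPC a subnet or security group resource is placed in."""
    res = resources.get(logical_id) if logical_id else None
    return _ref(res.get("Properties", {}).get("VpcId")) if res else None


def find_vpc_mismatches(template: Dict[str, Any]) -> List[str]:
    """Report instances whose subnet and security groups resolve to different
    VPCs, and security groups that omit VpcId (they land in the default VPC).
    Literal ids and non-Ref intrinsics cannot be resolved and are skipped."""
    resources = template.get("Resources", {})
    problems: List[str] = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        pairs = [(ni.get("SubnetId"), ni.get("GroupSet", []))
                 for ni in props.get("NetworkInterfaces", [])]
        if "SubnetId" in props:
            pairs.append((props["SubnetId"], props.get("SecurityGroupIds", [])))
        for subnet, groups in pairs:
            subnet_vpc = vpc_of(resources, _ref(subnet))
            for group in groups:
                sg_id, sg_vpc = _ref(group), vpc_of(resources, _ref(group))
                if sg_id in resources and sg_vpc is None:
                    problems.append(f"{name}: {sg_id} has no VpcId, so it is created in the default VPC")
                elif subnet_vpc and sg_vpc and subnet_vpc != sg_vpc:
                    problems.append(f"{name}: subnet {_ref(subnet)} is in {subnet_vpc} "
                                    f"but security group {sg_id} is in {sg_vpc}")
    return problems


def fixed_template() -> Dict[str, Any]:
    """The same template with the security group moved into DevVpc, as the
    working template in the answer above does."""
    fixed = copy.deepcopy(TEMPLATE)
    fixed["Resources"]["WebApplicationServerSG"]["Properties"]["VpcId"] = {"Ref": "DevVpc"}
    return fixed


if __name__ == "__main__":
    print(find_vpc_mismatches(TEMPLATE) or "no mismatches")
    print(find_vpc_mismatches(fixed_template()) or "no mismatches")
```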
The problem is with the security group you are trying to use! When you create one with a template, it uses the default VPC.
In the CloudFormation template where you create a security group, you need to specify the VpcId that you'd like to use (non-default); it will solve the problem. Or you can manually create a new security group using the (non-default) VPC, and then run new instances.
I am trying to create a VPC without the wizard.
I added the routes, internet gateway, NACL and security groups, but my VM remains unreachable. Below I have posted output from the AWS CLI to give you precise details.
I have a feeling that it has something to do with my routes. I am unable to ping or ssh into my jumpbox.
Architecture Diagram:
yamazaki#yamazaki-linux:~$ aws ec2 describe-security-groups --group-ids sg-ab7a71cd
{
"SecurityGroups": [
{
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"UserIdGroupPairs": [],
"PrefixListIds": []
}
],
"Description": "mysg",
"IpPermissions": [
{
"PrefixListIds": [],
"FromPort": 22,
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"ToPort": 22,
"IpProtocol": "tcp",
"UserIdGroupPairs": []
},
{
"PrefixListIds": [],
"FromPort": -1,
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"ToPort": -1,
"IpProtocol": "icmp",
"UserIdGroupPairs": []
}
],
"GroupName": "mysg",
"VpcId": "vpc-220e9346",
"OwnerId": "646132786531",
"GroupId": "sg-ab7a71cd"
}
]
}
yamazaki#yamazaki-linux:~$ aws ec2 describe-network-acls --network-acl-ids acl-1816717c
{
"NetworkAcls": [
{
"Associations": [
{
"SubnetId": "subnet-91a025ac",
"NetworkAclId": "acl-1816717c",
"NetworkAclAssociationId": "aclassoc-78fa7001"
},
{
"SubnetId": "subnet-aea02593",
"NetworkAclId": "acl-1816717c",
"NetworkAclAssociationId": "aclassoc-ede56f94"
},
{
"SubnetId": "subnet-6da02550",
"NetworkAclId": "acl-1816717c",
"NetworkAclAssociationId": "aclassoc-19e46e60"
}
],
"NetworkAclId": "acl-1816717c",
"VpcId": "vpc-220e9346",
"Tags": [],
"Entries": [
{
"CidrBlock": "0.0.0.0/0",
"RuleNumber": 100,
"Protocol": "-1",
"Egress": true,
"RuleAction": "allow"
},
{
"CidrBlock": "0.0.0.0/0",
"RuleNumber": 32767,
"Protocol": "-1",
"Egress": true,
"RuleAction": "deny"
},
{
"RuleNumber": 100,
"Protocol": "6",
"PortRange": {
"To": 22,
"From": 22
},
"Egress": false,
"RuleAction": "allow",
"CidrBlock": "0.0.0.0/0"
},
{
"IcmpTypeCode": {
"Code": -1,
"Type": -1
},
"RuleNumber": 200,
"Protocol": "1",
"Egress": false,
"RuleAction": "allow",
"CidrBlock": "0.0.0.0/0"
},
{
"CidrBlock": "0.0.0.0/0",
"RuleNumber": 32767,
"Protocol": "-1",
"Egress": false,
"RuleAction": "deny"
}
],
"IsDefault": true
}
]
}
yamazaki#yamazaki-linux:~$ aws ec2 describe-vpcs --vpc-id vpc-220e9346
{
"Vpcs": [
{
"VpcId": "vpc-220e9346",
"InstanceTenancy": "default",
"Tags": [
{
"Value": "big",
"Key": "Name"
}
],
"State": "available",
"DhcpOptionsId": "dopt-80c96ce5",
"CidrBlock": "192.168.0.0/20",
"IsDefault": false
}
]
}
yamazaki#yamazaki-linux:~$ aws ec2 describe-subnets --subnet-ids subnet-6da02550 subnet-aea02593 subnet-91a025ac
{
"Subnets": [
{
"VpcId": "vpc-220e9346",
"Tags": [
{
"Value": "big-private-databases",
"Key": "Name"
}
],
"CidrBlock": "192.168.3.0/24",
"MapPublicIpOnLaunch": false,
"DefaultForAz": false,
"State": "available",
"AvailabilityZone": "us-east-1e",
"SubnetId": "subnet-91a025ac",
"AvailableIpAddressCount": 251
},
{
"VpcId": "vpc-220e9346",
"Tags": [
{
"Value": "big-internet",
"Key": "Name"
}
],
"CidrBlock": "192.168.1.0/24",
"MapPublicIpOnLaunch": false,
"DefaultForAz": false,
"State": "available",
"AvailabilityZone": "us-east-1e",
"SubnetId": "subnet-6da02550",
"AvailableIpAddressCount": 250
},
{
"VpcId": "vpc-220e9346",
"Tags": [
{
"Value": "big-private-computes",
"Key": "Name"
}
],
"CidrBlock": "192.168.2.0/24",
"MapPublicIpOnLaunch": false,
"DefaultForAz": false,
"State": "available",
"AvailabilityZone": "us-east-1e",
"SubnetId": "subnet-aea02593",
"AvailableIpAddressCount": 250
}
]
}
yamazaki#yamazaki-linux:~$ aws ec2 describe-route-tables --route-table-ids rtb-fb83c99f rtb-1eb9f37a rtb-c980caad rtb-9980cafd
{
"RouteTables": [
{
"Associations": [],
"RouteTableId": "rtb-fb83c99f",
"VpcId": "vpc-220e9346",
"PropagatingVgws": [],
"Tags": [
{
"Value": "big-in",
"Key": "Name"
}
],
"Routes": [
{
"GatewayId": "local",
"DestinationCidrBlock": "192.168.0.0/20",
"State": "active",
"Origin": "CreateRouteTable"
},
{
"GatewayId": "igw-51638f35",
"DestinationCidrBlock": "0.0.0.0/0",
"State": "active",
"Origin": "CreateRoute"
}
]
},
{
"Associations": [
{
"RouteTableAssociationId": "rtbassoc-0113ef66",
"Main": true,
"RouteTableId": "rtb-1eb9f37a"
}
],
"RouteTableId": "rtb-1eb9f37a",
"VpcId": "vpc-220e9346",
"PropagatingVgws": [],
"Tags": [
{
"Value": "big",
"Key": "Name"
}
],
"Routes": [
{
"GatewayId": "local",
"DestinationCidrBlock": "192.168.0.0/20",
"State": "active",
"Origin": "CreateRouteTable"
}
]
},
{
"Associations": [],
"RouteTableId": "rtb-c980caad",
"VpcId": "vpc-220e9346",
"PropagatingVgws": [],
"Tags": [
{
"Value": "big-in-computes",
"Key": "Name"
}
],
"Routes": [
{
"GatewayId": "local",
"DestinationCidrBlock": "192.168.0.0/20",
"State": "active",
"Origin": "CreateRouteTable"
}
]
},
{
"Associations": [],
"RouteTableId": "rtb-9980cafd",
"VpcId": "vpc-220e9346",
"PropagatingVgws": [],
"Tags": [
{
"Value": "big-computes-databases",
"Key": "Name"
}
],
"Routes": [
{
"GatewayId": "local",
"DestinationCidrBlock": "192.168.0.0/20",
"State": "active",
"Origin": "CreateRouteTable"
}
]
}
]
}
yamazaki#yamazaki-linux:~$ aws ec2 describe-internet-gateways --internet-gateway-ids igw-51638f35
{
"InternetGateways": [
{
"Tags": [
{
"Value": "big",
"Key": "Name"
}
],
"InternetGatewayId": "igw-51638f35",
"Attachments": [
{
"State": "available",
"VpcId": "vpc-220e9346"
}
]
}
]
}
yamazaki#yamazaki-linux:~$ aws ec2 describe-instances --instance-ids --instance-ids i-3c6c09c5
{
"Reservations": [
{
"OwnerId": "646132786531",
"ReservationId": "r-12f788fb",
"Groups": [],
"Instances": [
{
"Monitoring": {
"State": "disabled"
},
"PublicDnsName": "",
"State": {
"Code": 16,
"Name": "running"
},
"EbsOptimized": false,
"LaunchTime": "2015-12-10T16:30:41.000Z",
"PublicIpAddress": "52.70.141.142",
"PrivateIpAddress": "192.168.1.67",
"ProductCodes": [],
"VpcId": "vpc-220e9346",
"StateTransitionReason": "",
"InstanceId": "i-3c6c09c5",
"ImageId": "ami-60b6c60a",
"PrivateDnsName": "ip-192-168-1-67.ec2.internal",
"KeyName": "yamazaki",
"SecurityGroups": [
{
"GroupName": "mysg",
"GroupId": "sg-ab7a71cd"
}
],
"ClientToken": "DpGNG1449765041380",
"SubnetId": "subnet-6da02550",
"InstanceType": "t2.micro",
"NetworkInterfaces": [
{
"Status": "in-use",
"MacAddress": "06:1a:f4:6a:b6:f5",
"SourceDestCheck": true,
"VpcId": "vpc-220e9346",
"Description": "Primary network interface",
"Association": {
"PublicIp": "52.70.141.142",
"PublicDnsName": "",
"IpOwnerId": "646132786531"
},
"NetworkInterfaceId": "eni-971b94ab",
"PrivateIpAddresses": [
{
"Association": {
"PublicIp": "52.70.141.142",
"PublicDnsName": "",
"IpOwnerId": "646132786531"
},
"Primary": true,
"PrivateIpAddress": "192.168.1.67"
}
],
"Attachment": {
"Status": "attached",
"DeviceIndex": 0,
"DeleteOnTermination": true,
"AttachmentId": "eni-attach-cdd36cbc",
"AttachTime": "2015-12-10T16:30:41.000Z"
},
"Groups": [
{
"GroupName": "mysg",
"GroupId": "sg-ab7a71cd"
}
],
"SubnetId": "subnet-6da02550",
"OwnerId": "646132786531",
"PrivateIpAddress": "192.168.1.67"
}
],
"SourceDestCheck": true,
"Placement": {
"Tenancy": "default",
"GroupName": "",
"AvailabilityZone": "us-east-1e"
},
"Hypervisor": "xen",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"Status": "attached",
"DeleteOnTermination": true,
"VolumeId": "vol-5ade4392",
"AttachTime": "2015-12-10T16:30:45.000Z"
}
}
],
"Architecture": "x86_64",
"RootDeviceType": "ebs",
"RootDeviceName": "/dev/xvda",
"VirtualizationType": "hvm",
"Tags": [
{
"Value": "jumpbox",
"Key": "Name"
}
],
"AmiLaunchIndex": 0
}
]
}
]
}
After adding a subnet association for the route table that has the internet gateway, I was able to connect to my box.
aws ec2 describe-route-tables --route-table-ids rtb-fb83c99f
{
"RouteTables": [
{
"Associations": [
{
"SubnetId": "subnet-6da02550",
"RouteTableAssociationId": "rtbassoc-48a35d2f",
"Main": false,
"RouteTableId": "rtb-fb83c99f"
}
],
"RouteTableId": "rtb-fb83c99f",
"VpcId": "vpc-220e9346",
"PropagatingVgws": [],
"Tags": [
{
"Value": "big-in",
"Key": "Name"
}
],
"Routes": [
{
"GatewayId": "local",
"DestinationCidrBlock": "192.168.0.0/20",
"State": "active",
"Origin": "CreateRouteTable"
},
{
"GatewayId": "igw-51638f35",
"DestinationCidrBlock": "0.0.0.0/0",
"State": "active",
"Origin": "CreateRoute"
}
]
}
]
}
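The describe output above shows the failure mode exactly: the table with the igw route had no associations, so the jumpbox subnet fell back to the main table, which only has the local route. As an added example (not from the post), this script resolves the route table a subnet effectively uses and whether it carries an internet gateway default route, then models the fix from the answer; the route tables are a trimmed copy of the four shown.

```python
import copy
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the four route tables from the describe output in the
# question, trimmed to associations and routes. The jumpbox is in the
# "big-internet" subnet.
JUMPBOX_SUBNET = "subnet-6da02550"
LOCAL = {"GatewayId": "local", "DestinationCidrBlock": "192.168.0.0/20", "State": "active"}
ROUTE_TABLES_BEFORE: List[Dict[str, Any]] = [
    {"RouteTableId": "rtb-fb83c99f", "Associations": [],
     "Routes": [LOCAL, {"GatewayId": "igw-51638f35", "DestinationCidrBlock": "0.0.0.0/0",
                        "State": "active"}]},
    {"RouteTableId": "rtb-1eb9f37a",
     "Associations": [{"Main": True, "RouteTableId": "rtb-1eb9f37a"}],
     "Routes": [LOCAL]},
    {"RouteTableId": "rtb-c980caad", "Associations": [], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-9980cafd", "Associations": [], "Routes": [LOCAL]},
]


def effective_route_table(route_tables: List[Dict[str, Any]],
                          subnet_id: str) -> Tuple[Optional[Dict[str, Any]], bool]:
    """The table a subnet actually uses: its explicit association if one
    exists, otherwise the VPC's main table. Returns (table, explicit)."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt, True
            if assoc.get("Main"):
                main = rt
    return main, False


def internet_gateway_route(rt: Dict[str, Any]) -> Optional[str]:
    """Gateway id of an active default route through an internet gateway, or None."""
    for route in rt.get("Routes", []):
        gw = route.get("GatewayId", "")
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and gw.startswith("igw-") and route.get("State", "active") == "active"):
            return gw
    return None


def diagnose(route_tables: List[Dict[str, Any]], subnet_id: str) -> Dict[str, Any]:
    """Summarise, at the routing layer, why a subnet can or cannot reach the internet."""
    rt, explicit = effective_route_table(route_tables, subnet_id)
    if rt is None:
        return {"route_table": None, "explicit": False, "internet_gateway": None}
    return {"route_table": rt["RouteTableId"], "explicit": explicit,
            "internet_gateway": internet_gateway_route(rt)}


def with_association(route_tables: List[Dict[str, Any]], route_table_id: str,
                     subnet_id: str) -> List[Dict[str, Any]]:
    """Model the fix from the answer: associate subnet_id with route_table_id."""
    updated = copy.deepcopy(route_tables)
    for rt in updated:
        if rt["RouteTableId"] == route_table_id:
            rt.setdefault("Associations", []).append(
                {"SubnetId": subnet_id, "Main": False, "RouteTableId": route_table_id})
    return updated


if __name__ == "__main__":
    print("before:", diagnose(ROUTE_TABLES_BEFORE, JUMPBOX_SUBNET))
    after = with_association(ROUTE_TABLES_BEFORE, "rtb-fb83c99f", JUMPBOX_SUBNET)
    print("after: ", diagnose(after, JUMPBOX_SUBNET))
```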