I have created two EC2 instances using CloudFormation - one for the Apache web-server, another one for the PostgreSQL DB. For some reason the web-server cannot telnet into the DB instance on port 5432 even though the DB instance can telnet into the web-server instance on port 80. When I check the DB instance from localhost, it is working fine and telnetting to the localhost 5432 successfully. There are two security groups for each instance:
"TheWebServerSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Security Group for The web-server instance",
"SecurityGroupIngress" : [
{ "IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "0.0.0.0/0" },
{ "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0" }
],
"VpcId" : { "Ref": "TheVPC" },
"Tags" : [ { "Key": "Name", "Value": "TheWebServerSecurityGroup" } ]
}
},
"TheDBSecurityGroup" : {
"Type" : "AWS::EC2::SecurityGroup",
"Properties" : {
"GroupDescription" : "Security Group for The DB instance",
"SecurityGroupIngress" : [
{ "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "0.0.0.0/0" },
{ "IpProtocol" : "tcp", "FromPort" : "5432", "ToPort" : "5432", "CidrIp" : "0.0.0.0/0" }
],
"VpcId" : { "Ref": "TheVPC" },
"Tags" : [ { "Key": "Name", "Value": "TheDBSecurityGroup" } ]
}
},
What might be wrong with the configuration? Any help is appreciated.
UPD: I tried adding the following inbound/outbound rules, but with that it becomes impossible to install packages via yum:
"TheOutboundRule": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties":{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 5432,
"DestinationSecurityGroupId": {
"Fn::GetAtt": [
"TheDBSecurityGroup",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"TheWebServerSecurityGroup",
"GroupId"
]
}
}
},
"TheInboundRule": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties":{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 5432,
"SourceSecurityGroupId": {
"Fn::GetAtt": [
"TheWebServerSecurityGroup",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"TheDBSecurityGroup",
"GroupId"
]
}
}
},
I also tried adding just the inbound rule (without an outbound one), but it does not work either.
Related
Is where anyway I could attach elastic ip from my cloudformation template?
{
"Description" : "Staging single instance",
"Outputs": {
"InstanceID": {
"Description": "The WWW instance id",
"Value": { "Ref": "StageInstance" }
}
},
"Parameters": {
"AMI": {
"Description": "The Amazon Ubuntu AMI",
"Type": "String",
"Default": "ami-009110a2bf8d7dd0a"
},
"EBSVolumeSize": {
"Description": "The size of the EBS volume for the transcoder",
"Type": "String",
"Default": "20"
},
"InstanceType": {
"AllowedValues": [
"t2.micro",
"t2.small",
"t2.medium",
"t2.large",
"c4.large",
"c4.xlarge",
"c4.2xlarge",
"c4.4xlarge",
"c4.8xlarge",
"t3.medium"
],
"ConstraintDescription": "must be a valid EC2 instance type",
"Default": "t2.micro",
"Description": "EC2 instance type",
"Type": "String"
},
"KeyName": {
"Description" : "Name of an existing EC2 KeyPair to enable SSH access to NAT instances.",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription" : "Must be the name of an existing EC2 KeyPair." }
},
"Resources": {
"InstanceProfile" : {
"Type" : "AWS::IAM::InstanceProfile",
"Properties" : {
"Path" : "/",
"Roles" : ["Ec2CloudDeploy"]
}
},
"StageSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow SSH, HTTP, and HTTPS access",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"StageInstance": {
"Type" : "AWS::EC2::Instance",
"Properties": {
"SecurityGroupIds": [{"Ref": "StageSecurityGroup"}],
"KeyName": {"Ref": "KeyName" },
"ImageId": {"Ref": "AMI"},
"InstanceType": {"Ref": "InstanceType"},
"IamInstanceProfile" : {"Ref" : "InstanceProfile"},
"Tags": [
{"Key" : "Staging", "Value" : "Staging"}
]
}
}
}
}
Is there any configuration which I can add to attach the elastic ip to the instance which would be launched by this instance.I know I can attach it using cli command buT i would like to add it through my cloudformation template.
You would use AWS::EC2::EIPAssociation:
{
"Type" : "AWS::EC2::EIPAssociation",
"Properties" : {
"AllocationId" : String,
"EIP" : String,
"InstanceId" : String,
"NetworkInterfaceId" : String,
"PrivateIpAddress" : String
}
}
Sure. as documented in AWS::EC2::EIP:
Specifies an Elastic IP (EIP) address and can, optionally, associate it with an Amazon EC2 instance.
By setting InstanceId, you associate the EIP to your CloudFormation's EC2 instance.
For your case this snippet should do the trick:
"Resources": {
...,
"ElasticIP": {
"Type": "AWS::EC2::EIP",
"Properties": {
"InstanceId": {"Ref" : "StageInstance"}
}
}
}
I'm trying to construct a template for AWS::CloudFormation where create a RDS. But when I trying to launch the model, I get a Encountered unsupported property SourceSecurityGroupId.
I use this parameters to get the security group id
"WebServerSecurityGroupId": {
"Type": "AWS::EC2::SecurityGroup::Id",
}
And the resource I use:
"Resources": {
"DBVPCSecurityGroup" : {
"Type": "AWS::EC2::SecurityGroup",
"Properties" : {
"VpcId" : { "Ref" : "VpcId" },
"SecurityGroupIngress" : [
{
"IpProtocol" : "tcp",
"FromPort" : "80",
"ToPort" : "80",
"SourceSecurityGroupId:" : {
"Ref": "WebServerSecurityGroupId"
}
}
]
}
},
// the rest of template
Actually looks good. Could you try to separate the Security group with Ingress:
"DBVPCSecurityGroup" : {
"Type": "AWS::EC2::SecurityGroup",
"Properties" : {
"VpcId" : { "Ref" : "VpcId" }
}
},
"WebServerSecurityHTTPIn": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "DBVPCSecurityGroup"
},
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupId": {
"Ref": "WebServerSecurityGroupId"
}
}
},
I am trying to create a cloud formation template to create EC2 instance. I would like to use Security Group Name instead of Security Group Id. When I use that I am getting error "Encountered unsupported property SecurityGroup". How can I use Security Group Name while creating EC2 Instance through Cloud Formation
"Resources":
{
"EC2Instance":
{
"Type" : "AWS::EC2::Instance",
"Properties":
{
"InstanceType":
{
"Ref": "InstanceType"
},
"SecurityGroup":
[
{
"Ref" : "InstanceSecurityGroup"
}
],
"KeyName":
{
"Ref" : "AWS::Region"
},
"ImageId":
{
"Ref": "AMI"
}
}
},
"InstanceSecurityGroup":
{
"Type":"AWS::EC2::SecurityGroup",
"Properties":
{
"GroupDescription": "Enable SSH access via port 22",
"GroupName":
{
"Fn::FindInMap":
[
"EnvironmentConfig",
{
"Ref": "Environment"
},
"SGGroupName"
]
},
"SecurityGroupIngress":
[
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp":"10.252.0.0/16"
},
{
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"CidrIp":"10.251.0.0/16"
}
],
"VpcId":
{
"Fn::FindInMap":
[
"EnvironmentConfig",
{
"Ref":"Environment"
},
"VPC"
]
}
}
}
It should be SecurityGroups instead of SecurityGroup, i.e.
"SecurityGroups" : [{ "Ref" : "InstanceSecurityGroup" }]
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-ec2.html
I am getting below error on one of my cloud formation template -
13:00:10 UTC+0550 CREATE_FAILED AWS::EC2::Instance WebApplicationServer The requested configuration is currently not supported. Please check the documentation for supported configurations.
My CloudFormation template is -
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"DevServerKeyPair": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
}
},
"Resources": {
"DevVpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "172.31.0.0/16",
"EnableDnsSupport": "false",
"EnableDnsHostnames": "false",
"InstanceTenancy": "dedicated",
"Tags": [
{
"Key": "Name",
"Value": "DevStackVpc"
}
]
}
},
"DevSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "DevVpc"
},
"CidrBlock": "172.31.0.0/16",
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
}
}
},
"WebApplicationServerSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "DevVpc"
},
"GroupDescription": "Enable HTTP, HTTPS and SSH access",
"Tags": [
{
"Key": "Name",
"Value": "WebApplicationServer Service Group"
}
],
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"WebApplicationServer": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-f3e5aa9c",
"InstanceType": "t2.micro",
"Tags": [
{
"Key": "Name",
"Value": "WebApplicationServer"
}
],
"KeyName": {
"Ref": "DevServerKeyPair"
},
"NetworkInterfaces": [
{
"SubnetId": {"Ref": "DevSubnet"},
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"GroupSet": [{ "Ref" : "WebApplicationServerSG" }]
}
]
}
}
}
}
I tried to diagnose it but failed to understand which particular configuration in this simple template is not supported currently. Any help or pointer would be greatly appreciated.
Your VPC has an instance tenancy of dedicated, however t2 instances cannot be launched as dedicated instances. You will need to pick a different instance type or switch the tenancy of your VPC.
In my case I didn't have tenancy dedicated. The reason was I tried to use the instance type which is too new (r6g) and is missing in my region. So the solution was to fall back to older one (r5a).
Looks problem with subnet creation with fn::select function.
"DevSubnet" : {
"Type" : "AWS::EC2::Subnet",
"Properties" : {
"VpcId" : { "Ref" : "DevVpc" },
"CidrBlock" : "172.31.0.0/16",
"AvailabilityZone" : {
"Fn::Select" : [ "0", { "Fn::GetAZs" :""} ]
}
}
}
Try this. I hope it will work.
"dbxSG":
{
"Type": "AWS::EC2::SecurityGroup",
"Properties":
{
"GroupDescription": "Enable dbX Access",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"dbxSGIngress" :
{
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties":
{
"GroupName": { "Ref": "dbxSG" },
"IpProtocol": "tcp",
"FromPort": "0",
"ToPort": "65535",
"SourceSecurityGroupName": { "Ref": "dbxSG" }
}
},
How do I add multiple security group names in above json file? "dbxSG" name is referring in many times. I want to add one more security group with a new name. How do I add it?
Yes, you can attach multiple Security Groups to an EC2 Instance when created using CloudFormation. Below is sample json to accomplish it. I have attached WebSubnetSG & AppSubnetSG to the EC2 Instance.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Multiple Security Groups - Demo",
"Resources" : {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16" ,
"Tags": [
{
"Key": "Name",
"Value": "Multi Security Group"
}
]
}
},
"WebSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": "10.0.10.0/24",
"Tags": [
{
"Key": "Application",
"Value": "Multi SG Subnet"
}]
}
},
"WebServerSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "SG for the Web Server",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupEgress": [
{
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupIngress" : [
{
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": "80",
"ToPort": "80"
},
{
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": "443",
"ToPort": "443"
}
]
}
},
"AppServerSGIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "AppServerSG"
},
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort" : "9090",
"ToPort" : "9090"
}
},
"AppServerSG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "SG for the App Server",
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupEgress": [
{
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupIngress" : [
{
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": "8080",
"ToPort": "8080"
}
]
}
},
"MultiSGInstance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"ImageId": "ami-12345678",
"KeyName": "your-key-pair",
"SecurityGroupIds": [
{
"Ref": "WebServerSG"
},
{
"Ref": "AppServerSG"
}
],
"InstanceType": "t2.micro",
"SubnetId": {
"Ref": "WebSubnet"
},
"Tags": [
{
"Key": "Name",
"Value": "MultiSG"
}
]
}
}
},
"Outputs" : {}
}