AWS CloudFormation: Reference to subnet causing error - amazon-web-services

I am trying to build an AWS CloudFormation template to create a VPC and a public subnet, and then launch an EC2 instance into that subnet. While I'm able to create the VPC and subnet resources, when I try to launch the EC2 instance into the newly created subnet I get an error:
The requested configuration is currently not supported. Please check the documentation for supported configurations. (Service: AmazonEC2; Status Code: 400; Error Code: Unsupported; Request ID: 953bf578-375e-4d4a-bc27-b7193543ea94)
If I comment out the reference to the subnet in the EC2 creation block, the script works, but the instance gets launched into a default subnet and not the one created earlier in the script (which isn't what I want).
The script:
Resources:
  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: 'false'
      EnableDnsHostnames: 'false'
      InstanceTenancy: dedicated
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [ 0, !GetAZs ]
  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'
    DependsOn: VPC
  AttachGateway:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PublicRoute:
    Type: 'AWS::EC2::Route'
    DependsOn: 'AttachGateway'
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0323c3dd2da7fb37d
      SubnetId: !Ref PublicSubnet # The offending line (?)
      KeyName: MyEC2KeyPair

This is a result of your VPC tenancy being dedicated.
I can confirm that t2 instances do not support dedicated hosts. Either remove dedicated hosting for the VPC or update your instance type to something else.
You can update the VPC tenancy to default, which will return it to shared hosting; alternatively, look at a T3 burstable instance, which is supported.
Look here for additional information: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html

Related

How to make a public EC2 IP to be allocated in an AWS Local Zone?

I have enabled a Local Zone (us-east-1-nyc-1a) in my region (us-east-1), then deployed an EC2 instance into that Local Zone. The public IP that was allocated to my instance, indicates it is geo-located in the parent region (N.Virginia), while I would expect it to be in the Local Zone (NY/NJ).
My CloudFormation template configuration:
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0b0dcb5067f052a63
      InstanceType: t3.medium
      SubnetId: !Ref Ec2Subnet
      SecurityGroupIds:
        - !GetAtt WebSecurityGroup.GroupId
  Ec2Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VpcId
      CidrBlock: 172.31.96.0/24
      AvailabilityZone: us-east-1-nyc-1a
      MapPublicIpOnLaunch: true
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      # GroupDescription is a required property, and the group must live in the
      # same VPC as the subnet; both were missing from the snippet as posted.
      GroupDescription: Web ingress for the Local Zone instance
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
I also tried allocating an EIP in the Local Zone (and assigning it to the EC2 instance), but it is also geo-located in the parent region.
I will appreciate your suggestions.

Cannot connect to EC2 via SSH | AWS Cloudformation Template

I have the following CloudFormation template that I use to create an EC2 instance in a single public subnet in a single availability zone. I have attached the internet gateway to the VPC and created ingress and egress routes to allow an SSH connection to the EC2 instance.
Below is my CF template:
AWSTemplateFormatVersion: "2010-09-09"
Description: "CF template for test website. v1.0.0. DEV Env"
Metadata:
  Instances:
    Description: "This is the dev environment architecture. Use the dev settings when setting up this environment"
Parameters:
  ECommKeyPair:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Select the dev key pair for the region
Resources:
  DevEnvInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Environment
          Value: Dev
        - Key: WebsiteName
          Value: test
  DevEnvVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.1.1/16
      EnableDnsHostnames: 'true'
      EnableDnsSupport: 'true'
      Tags:
        - Key: Environment
          Value: Dev
        - Key: WebsiteName
          Value: test
  DevEnvVpcIgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: DevEnvVpc
      InternetGatewayId:
        Ref: DevEnvInternetGateway
  DevEnvPublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: DevEnvVpc
      CidrBlock: 10.0.1.1/16
      AvailabilityZone: "us-west-2a"
      MapPublicIpOnLaunch: 'true'
      Tags:
        - Key: Environment
          Value: Dev
        - Key: WebsiteName
          Value: test
  DevEnvSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow all inbound (ingress) and outbound (egress) traffic for port 22
      GroupName: test-website-sec-group
      VpcId:
        Ref: DevEnvVpc
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          Description: allow all inbound traffic
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          Description: allow all outbound traffic
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
      Tags:
        - Key: Environment
          Value: Dev
        - Key: WebsiteName
          Value: test
  DevEnvRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: DevEnvVpc
      Tags:
        - Key: Environment
          Value: Dev
        - Key: WebsiteName
          Value: test
  DevEnvRoute:
    Type: AWS::EC2::Route
    # A route that targets an internet gateway must be created after the gateway
    # is attached to the VPC; without this DependsOn the stack can fail intermittently.
    DependsOn: DevEnvVpcIgwAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: DevEnvInternetGateway
      RouteTableId:
        Ref: DevEnvRouteTable
  DevEnvEc2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-00f7e5c52c0f43726
      AvailabilityZone: "us-west-2a"
      KeyName:
        Ref: ECommKeyPair
      SecurityGroupIds:
        - !GetAtt "DevEnvSecurityGroup.GroupId"
      SubnetId:
        Ref: DevEnvPublicSubnet
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            VolumeSize: 20
            VolumeType: gp2
      Tags:
        - Key: Environment
          Value: Dev
        - Key: WebsiteName
          Value: test
I am using PuTTY to connect to the EC2 instance with the private key file (ppk) that I associated with the EC2 instance. When I tried to connect to the instance with PuTTY, I received the "Network error: Connection timed out" error message.
I cannot even connect to the instance using the AWS built-in "EC2 Instance Connect" through the web browser.
I would greatly appreciate it if you could point out the issue in my CF template.
You forgot to create AWS::EC2::SubnetRouteTableAssociation:
DevRouteAssos:
  Type: AWS::EC2::SubnetRouteTableAssociation
  Properties:
    RouteTableId: !Ref DevEnvRouteTable
    SubnetId: !Ref DevEnvPublicSubnet

CloudFormation: Unable to access the EC2 instance created using CloudFormation through public DNS

I am deploying an EC2 instance using CloudFormation. Then I installed Apache and uploaded the files to the EC2 instance after deployment. When the instance is deployed I cannot access it using the public DNS from a browser.
This is my EC2 instance resource and its security group.
WebServerInstance:
  Type: AWS::EC2::Instance
  Properties:
    InstanceType: !Ref InstanceType
    KeyName: !Ref KeyName
    SubnetId: !Ref PublicSubnet1
    # The snippet as posted never attached the security group to the instance,
    # so the instance would get the VPC default group instead of the rules below.
    SecurityGroupIds:
      - !GetAtt WebServerSecurityGroup.GroupId
    ImageId:
      Fn::FindInMap:
        - AWSRegionArch2AMI
        - Ref: AWS::Region
        - Fn::FindInMap:
            - AWSInstanceType2Arch
            - Ref: InstanceType
            - Arch
    AvailabilityZone: !Select
      - 0
      - Fn::GetAZs: !Ref AWS::Region
WebServerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Enable HTTP access via port 80
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '80'
        ToPort: '80'
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: '22'
        ToPort: '22'
        CidrIp:
          Ref: SSHLocation
    VpcId: !Ref Vpc
When I access it from the browser, it just keeps loading and loading. I set the inbound rules on the security group too. What is wrong with it and how can I fix it?
This is my public DNS:
http://ec2-3-{xxx-xxx-xx}.eu-west-1.compute.amazonaws.com/
This is the public subnet resource.
PublicSubnet1:
  Type: AWS::EC2::Subnet
  Properties:
    VpcId: !Ref Vpc
    CidrBlock: !Select [ 0, !Cidr [ !Ref VpcCidr, 12, 8 ] ]
    MapPublicIpOnLaunch: True
    AvailabilityZone: !Select
      - 0
      - Fn::GetAZs: !Ref AWS::Region
There is a route table for public subnet.
In the internet gateway console there is only one gateway, and it is not attached to the VPC in the template. Can this be the issue?
Edit
I got this error
There are several possible reasons besides the security group not allowing access. The following should be checked:
Check that your instance's subnet has a route within its route table for 0.0.0.0/0 whose destination is an internet gateway.
Each subnet will have an associated route table (this will be the default route table if you did not specify one).
This can be completed by using the CloudFormation below
InternetGateway:
  Type: AWS::EC2::InternetGateway
AttachGateway:
  Type: AWS::EC2::VPCGatewayAttachment
  Properties:
    VpcId:
      Ref: VPC
    InternetGatewayId:
      Ref: InternetGateway
RouteTable:
  Type: AWS::EC2::RouteTable
  Properties:
    VpcId:
      Ref: VPC   # same logical ID as above (the snippet as posted mixed VPC and myVPC)
Route:
  Type: AWS::EC2::Route
  # The route targets the gateway, so it must wait for the attachment to the VPC,
  # not merely for the gateway resource to exist.
  DependsOn: AttachGateway
  Properties:
    RouteTableId:
      Ref: RouteTable
    DestinationCidrBlock: 0.0.0.0/0
    GatewayId:
      Ref: InternetGateway
SubnetRouteTableAssociation:
  Type: AWS::EC2::SubnetRouteTableAssociation
  Properties:
    SubnetId:
      Ref: Subnet
    RouteTableId:
      Ref: RouteTable
If you updated the default NACL, make sure you added both port 80 and the ephemeral ports to the rules.
Make sure Apache is running on the host (not just installed). This can be done by running systemctl start apache on a Debian-based OS or systemctl start httpd on a RHEL-based one.
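The three answers above (the missing SubnetRouteTableAssociation, the unattached internet gateway, and the dedicated-tenancy VPC at the top of the page) are all things that can be caught by reading the template before the stack is created. The following is an added example, not code from any of the posters: a small static check that walks instance -> subnet -> route table association -> default route -> internet gateway -> gateway attachment, using the JSON form of a template ({"Ref": "X"} where the YAML says !Ref X). The resource names, CIDRs and the four sample templates are constructed for this example and are not the posters' files; the only tenancy rule encoded is the one the first answer states, that the t2 family cannot launch in a dedicated-tenancy VPC.

```python
"""Static reachability check for an EC2 instance in a CloudFormation template:
instance -> subnet -> SubnetRouteTableAssociation -> Route 0.0.0.0/0 ->
InternetGateway -> VPCGatewayAttachment on the subnet's VPC.

Templates are in the JSON form CloudFormation accepts ({"Ref": "X"} for !Ref X);
load a YAML template with a Ref-aware loader before calling these functions."""


def ref(value):
    """Resolve {"Ref": "Name"} to "Name"; literal strings pass through."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value


def of_type(resources, rtype):
    return {n: r for n, r in resources.items() if r.get("Type") == rtype}


def internet_path_problems(template, instance_name):
    """Return the reasons the instance cannot be reached through an internet
    gateway; an empty list means every routing piece is present."""
    res = template["Resources"]
    inst = res[instance_name]["Properties"]
    subnet_name = ref(inst.get("SubnetId"))
    if subnet_name not in res:
        return [f"{instance_name}: SubnetId does not reference a subnet in this template"]
    subnet = res[subnet_name]["Properties"]
    vpc_name = ref(subnet["VpcId"])
    problems = []

    # Dedicated-tenancy VPCs reject the t2 family (first answer on this page).
    vpc = res.get(vpc_name, {}).get("Properties", {})
    itype = inst.get("InstanceType", "")
    if vpc.get("InstanceTenancy") == "dedicated" and itype.startswith("t2."):
        problems.append(f"{instance_name}: {itype} cannot launch in dedicated-tenancy VPC {vpc_name}")

    # Without an explicit association the subnet uses the VPC main route table,
    # which this template never touches, so there is no route to the gateway.
    assoc = [a for a in of_type(res, "AWS::EC2::SubnetRouteTableAssociation").values()
             if ref(a["Properties"]["SubnetId"]) == subnet_name]
    if not assoc:
        problems.append(f"{subnet_name}: no AWS::EC2::SubnetRouteTableAssociation, "
                        "so it falls back to the main route table")
        return problems
    rt_name = ref(assoc[0]["Properties"]["RouteTableId"])

    # The associated table needs a default route whose target is a gateway.
    igw_routes = [(n, r) for n, r in of_type(res, "AWS::EC2::Route").items()
                  if ref(r["Properties"]["RouteTableId"]) == rt_name
                  and r["Properties"].get("DestinationCidrBlock") == "0.0.0.0/0"
                  and "GatewayId" in r["Properties"]]
    if not igw_routes:
        problems.append(f"{rt_name}: no 0.0.0.0/0 route with a GatewayId")
        return problems
    route_name, route = igw_routes[0]
    igw_name = ref(route["Properties"]["GatewayId"])

    # The gateway must be attached to this VPC, and the route should DependsOn
    # that attachment so CloudFormation does not try to create the route first.
    attachments = [n for n, a in of_type(res, "AWS::EC2::VPCGatewayAttachment").items()
                   if ref(a["Properties"]["InternetGatewayId"]) == igw_name
                   and ref(a["Properties"]["VpcId"]) == vpc_name]
    if not attachments:
        problems.append(f"{igw_name}: never attached to {vpc_name} by a VPCGatewayAttachment")
    elif route.get("DependsOn") not in attachments:
        problems.append(f"{route_name}: add DependsOn: {attachments[0]}")

    # Nothing outside can initiate a connection to an instance with no public IP.
    if subnet.get("MapPublicIpOnLaunch") not in (True, "true"):
        problems.append(f"{subnet_name}: MapPublicIpOnLaunch is not true, instance gets no public IP")
    return problems


def build_template(with_association=True, attach_igw=True, tenancy="default"):
    """Constructed template modelled on the SSH question above; the logical IDs
    and CIDR are this example's own, not the poster's file."""
    res = {
        "Vpc": {"Type": "AWS::EC2::VPC",
                "Properties": {"CidrBlock": "10.0.0.0/16", "InstanceTenancy": tenancy}},
        "Igw": {"Type": "AWS::EC2::InternetGateway"},
        "Subnet": {"Type": "AWS::EC2::Subnet",
                   "Properties": {"VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.0.1.0/24",
                                  "MapPublicIpOnLaunch": True}},
        "RouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "Vpc"}}},
        "DefaultRoute": {"Type": "AWS::EC2::Route",
                         "DependsOn": "IgwAttachment" if attach_igw else "Igw",
                         "Properties": {"RouteTableId": {"Ref": "RouteTable"},
                                        "DestinationCidrBlock": "0.0.0.0/0",
                                        "GatewayId": {"Ref": "Igw"}}},
        "Ec2": {"Type": "AWS::EC2::Instance",
                "Properties": {"InstanceType": "t2.micro", "SubnetId": {"Ref": "Subnet"}}},
    }
    if attach_igw:
        res["IgwAttachment"] = {"Type": "AWS::EC2::VPCGatewayAttachment",
                                "Properties": {"VpcId": {"Ref": "Vpc"},
                                               "InternetGatewayId": {"Ref": "Igw"}}}
    if with_association:
        res["SubnetAssoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation",
                              "Properties": {"SubnetId": {"Ref": "Subnet"},
                                             "RouteTableId": {"Ref": "RouteTable"}}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": res}


if __name__ == "__main__":
    cases = {"as posted (no association)": build_template(with_association=False),
             "with the association": build_template(),
             "gateway never attached": build_template(attach_igw=False),
             "dedicated-tenancy VPC": build_template(tenancy="dedicated")}
    for label, tpl in cases.items():
        print(f"{label}: {internet_path_problems(tpl, 'Ec2') or 'OK'}")
```

The check stops at the first broken link in the chain, because a later finding (say, a missing DependsOn) is meaningless while the subnet is still on the main route table. Run it as a pre-deploy gate alongside cfn-lint; it catches the class of mistake the three questions above share without waiting for a stack create and a timed-out SSH session.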

failure to create VPC in AWS due to invalid subnets

I'm using cloud formation to create a VPC. And it fails when it gets to creating the subnets. I checked and I believe the subnets to be valid. Though my networking knowledge is somewhat lacking.
This is the error I get:
00:46:49 UTC-0400 CREATE_FAILED AWS::EC2::Subnet SubnetA The CIDR '172.16.64.0/16' is invalid.
00:46:49 UTC-0400 CREATE_IN_PROGRESS AWS::EC2::RouteTable RouteTable Resource creation Initiated
00:46:49 UTC-0400 CREATE_FAILED AWS::EC2::Subnet SubnetB The CIDR '197.16.128.0/16' is invalid.
And this is the template I'm trying to use:
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.16.0.0/18
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: JF-Staging-VPC
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a
      VpcId: !Ref VPC
      CidrBlock: 172.16.64.0/16
      MapPublicIpOnLaunch: False
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1b
      VpcId: !Ref VPC
      CidrBlock: 197.16.128.0/16
      MapPublicIpOnLaunch: False
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    # The route needs the gateway attached, not merely created, so depend on the attachment.
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SecurityGroupSSH:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "SSH Group"
      GroupDescription: "SSH traffic in, all traffic out."
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  SecurityGroupWeb:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Web Group"
      GroupDescription: "Web traffic in, all traffic out."
      VpcId: !Ref VPC
      # As posted, SecurityGroupIngress and SecurityGroupEgress each appeared twice
      # (once for 80, once for 443); duplicate keys in one mapping are invalid YAML,
      # so both ingress rules belong in a single list.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '443'
          ToPort: '443'
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
Metadata:
  VPC:
    Description: "Creating the JF Staging VPC"
  InternetGateway:
    Description: "Creating an Internet Gateway"
Can someone let me know where I'm going wrong and how to correct this?
As per the error message, your IP address (CIDR) ranges are invalid.
It sets the following CIDR ranges:
VPC: 172.16.0.0/18
SubnetA: 172.16.64.0/16
SubnetB: 197.16.128.0/16
Neither of these subnet ranges is part of the VPC range. All subnet ranges must fall within the range specified by the VPC. In fact, both of your subnets are larger (/16) than the VPC (/18).
Here, for example, are ranges that work fine:
VPC: 172.16.0.0/16
SubnetA: 172.16.64.0/24
SubnetB: 172.16.128.0/24
If you do not understand CIDR ranges, see: Understanding IP Addresses, Subnets, and CIDR Notation for Networking
The issue is with 197.16.128.0/16, which is a public IP address range that cannot be assigned to a VPC or a subnet.
I think that you really meant to use the address:
172.16.128.0/16
[EDIT]
Change your VPC to 172.16.0.0/16
Then change each subnet to use a portion of the /16 e.g. /24
Examples:
172.16.0.0/24
172.16.1.0/24
172.16.2.0/24
etc.
The issue with your current implementation is that your VPC is /18 which is smaller than the subnets that you are trying to create /16. You want the reverse, /16 for the VPC and /24 or anything smaller than /16 for the subnets.
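Both answers come down to the same two rules: a subnet's block has to sit inside the VPC's block, and it has to be no larger than the VPC (EC2 also caps both at /16 to /28). The following is an added example, not code from either answerer: it applies those rules with Python's standard ipaddress module, reports overlapping subnets as well, and includes a carve() helper that reproduces what the !Cidr intrinsic in the previous question does (the first N blocks of a given host-bit size). The CIDRs in the test cases are the ones quoted in the question and the answers; the carve() name and the overlap example are this example's own.

```python
"""Validate CloudFormation subnet CIDRs against their VPC CIDR before creating
the stack: each subnet must be a valid network inside the VPC block, sized
between /16 and /28 (EC2's limits), and subnets must not overlap one another."""
import ipaddress


def cidr_problems(vpc_cidr, subnets):
    """subnets: {logical_name: cidr}. Returns {logical_name: reason} for the bad ones;
    an empty dict means the layout is acceptable to EC2."""
    problems = {}
    # strict=False mirrors EC2, which canonicalises e.g. 10.0.1.1/16 to 10.0.0.0/16.
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    if not 16 <= vpc.prefixlen <= 28:
        problems["VPC"] = f"{vpc_cidr}: VPC prefix must be between /16 and /28"
    accepted = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError as err:
            problems[name] = f"{cidr}: {err}"
            continue
        if not 16 <= net.prefixlen <= 28:
            problems[name] = f"{cidr}: subnet prefix must be between /16 and /28"
        elif not net.subnet_of(vpc):
            # Covers both a subnet larger than the VPC (/16 inside a /18) and a
            # subnet in a different range altogether (197.16.x inside 172.16.x).
            problems[name] = f"{cidr}: not inside VPC block {vpc}"
        else:
            accepted[name] = net
    # Pairwise overlap among the subnets that passed containment; EC2 rejects these too.
    names = list(accepted)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if accepted[first].overlaps(accepted[second]):
                problems.setdefault(second, f"{accepted[second]}: overlaps {first} ({accepted[first]})")
    return problems


def carve(vpc_cidr, count, host_bits):
    """Same carving as CloudFormation's Fn::Cidr [vpc, count, host_bits]: the first
    `count` blocks with 2**host_bits addresses each, taken in order from the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    blocks = vpc.subnets(new_prefix=vpc.max_prefixlen - host_bits)
    return [str(next(blocks)) for _ in range(count)]


if __name__ == "__main__":
    posted = {"SubnetA": "172.16.64.0/16", "SubnetB": "197.16.128.0/16"}
    print("as posted:", cidr_problems("172.16.0.0/18", posted))
    print("suggested layout:", cidr_problems("172.16.0.0/16", dict(zip(posted, carve("172.16.0.0/16", 2, 8)))))
```

carve("172.16.0.0/16", 3, 8) yields exactly the 172.16.0.0/24, 172.16.1.0/24, 172.16.2.0/24 sequence the second answer suggests, which is also why !Select [0, !Cidr [...]] in the previous question produces the first /24 of the VPC.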

Creating a publicly accessible RDS instance in AWS Cloudformation

I'm totally throwing my hands up with this one. I've been trying to create a publicly accessible RDS instance using CloudFormation. I want to be able to connect to my instance via a MySQL client. When I deploy this stack it says that the instance is publicly accessible in the RDS console, but I can't connect to it via the endpoint provided in the RDS console. I'm guessing that I messed up/missed something with the VPC pieces. Here's my stack.yaml file:
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: 'VPC created by cf'
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: Created By CF
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref InternetGateway
  DataSourceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      VpcId: !Ref Vpc
  DSSGIngressRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      FromPort: "3306"
      ToPort: "3306"
      GroupId: !Ref DataSourceSecurityGroup
      IpProtocol: tcp
      SourceSecurityGroupId: !Ref DataSourceSecurityGroup
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a
      CidrBlock: 10.0.0.0/20
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1b
      CidrBlock: 10.0.16.0/20
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref Vpc
      Tags:
        - Key: Name
          Value: 'RouteTable created by CF'
  RouteTable1Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref RouteTable
  RouteTable2Association:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref RouteTable
  InternetRouteRule:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  DataSourceSubtNetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Created by CF
      SubnetIds:
        - !Ref PublicSubnet1
        - !Ref PublicSubnet2
  DataSource:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      AllocatedStorage: '5'
      DBInstanceClass: db.m1.small
      DBName: MyDb
      DBSubnetGroupName: !Ref DataSourceSubtNetGroup
      Engine: MySQL
      MasterUsername: AdminUser
      # A plaintext master password in the template ends up in version control and
      # stack history; a NoEcho parameter or a Secrets Manager dynamic reference is safer.
      MasterUserPassword: AdminPassword
      PubliclyAccessible: true
      VPCSecurityGroups:
        - !Ref DataSourceSecurityGroup
Thanks
Your DataSourceSecurityGroup security group is currently configured as:
Permit inbound connections on port 3306 from security group DataSourceSecurityGroup
That is, it will allow inbound connections from any Amazon EC2 instance that is itself a member of the DataSourceSecurityGroup security group.
If you wanted to allow access from anywhere on the Internet, then change your template to permit inbound access from 0.0.0.0/0:
DSSGIngressRule:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    FromPort: "3306"
    ToPort: "3306"
    GroupId: !Ref DataSourceSecurityGroup
    IpProtocol: tcp
    CidrIp: 0.0.0.0/0
I made this change, tested your template and it worked fine.
For future reference: You can debug this type of thing by creating the stack and then examining the Security Group in the management console.
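The answer's advice to read the security group back from the console works, but the same question (who can actually open port 3306 against this group?) can be answered from the template itself, which also makes the difference between a self-referencing source group and a CIDR source visible before anything is deployed. The following is an added example, not code from the poster or the answerer. It merges the inline SecurityGroupIngress list with standalone AWS::EC2::SecurityGroupIngress resources, asks whether a given client address can reach a given port, and lists every port open to the whole internet. The three sample templates reproduce the posted rule, the answer's 0.0.0.0/0 rule, and a third variant restricted to an assumed administrator range (203.0.113.0/24, a documentation block chosen for this example); a world-open MySQL port makes the database a brute-force target, so in practice the restricted form, or a private database reached through a bastion, is what the answer's fix should become.

```python
"""Work out who can reach a security group's ports from a CloudFormation
template, combining inline SecurityGroupIngress with standalone
AWS::EC2::SecurityGroupIngress resources. Templates are in the JSON form
CloudFormation accepts ({"Ref": "X"} for !Ref X)."""
import ipaddress


def ref(value):
    """Resolve {"Ref": "Name"} to "Name"; literal strings pass through."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value


def ingress_rules(template, sg_name):
    """Return [(protocol, from_port, to_port, source)] for sg_name, where source is
    'cidr:<block>' or 'sg:<logical id>' for a source security group."""
    res = template["Resources"]
    raw = list(res[sg_name].get("Properties", {}).get("SecurityGroupIngress", []))
    raw += [r["Properties"] for r in res.values()
            if r.get("Type") == "AWS::EC2::SecurityGroupIngress"
            and ref(r["Properties"].get("GroupId")) == sg_name]
    rules = []
    for r in raw:
        if "CidrIp" in r:
            source = "cidr:" + r["CidrIp"]
        elif "CidrIpv6" in r:
            source = "cidr:" + r["CidrIpv6"]
        else:
            source = "sg:" + ref(r.get("SourceSecurityGroupId", r.get("SourceSecurityGroupName")))
        # IpProtocol -1 means all traffic; ports are then absent, so default to the full range.
        rules.append((str(r.get("IpProtocol", "-1")),
                      int(r.get("FromPort", 0)), int(r.get("ToPort", 65535)), source))
    return rules


def can_reach(template, sg_name, client_ip, port, protocol="tcp"):
    """True if a client at client_ip, holding no security group of its own
    (a laptop on the internet), can open protocol/port against members of sg_name."""
    ip = ipaddress.ip_address(client_ip)
    for proto, lo, hi, source in ingress_rules(template, sg_name):
        if proto not in (protocol, "-1") or not lo <= port <= hi:
            continue
        # 'sg:' sources never match an external client, which is exactly why the
        # posted self-referencing rule did not let the MySQL client in.
        if source.startswith("cidr:") and ip in ipaddress.ip_network(source[5:]):
            return True
    return False


def world_open_ports(template):
    """Linter view: every (group, from_port, to_port) reachable from 0.0.0.0/0 or ::/0."""
    return sorted((name, lo, hi)
                  for name, r in template["Resources"].items()
                  if r.get("Type") == "AWS::EC2::SecurityGroup"
                  for _proto, lo, hi, source in ingress_rules(template, name)
                  if source in ("cidr:0.0.0.0/0", "cidr:::/0"))


def db_template(source):
    """Constructed stand-in for the RDS question's group (not the poster's file);
    `source` is the source half of the standalone ingress resource."""
    return {"Resources": {
        "DbSg": {"Type": "AWS::EC2::SecurityGroup",
                 "Properties": {"GroupDescription": "database", "VpcId": {"Ref": "Vpc"}}},
        "DbSgIngress": {"Type": "AWS::EC2::SecurityGroupIngress",
                        "Properties": {"GroupId": {"Ref": "DbSg"}, "IpProtocol": "tcp",
                                       "FromPort": "3306", "ToPort": "3306", **source}},
    }}


AS_POSTED = db_template({"SourceSecurityGroupId": {"Ref": "DbSg"}})   # members of DbSg only
AS_ANSWERED = db_template({"CidrIp": "0.0.0.0/0"})                     # anyone on the internet
RESTRICTED = db_template({"CidrIp": "203.0.113.0/24"})  # assumed admin egress range for this example

if __name__ == "__main__":
    for label, tpl in (("as posted", AS_POSTED), ("as answered", AS_ANSWERED), ("restricted", RESTRICTED)):
        print(f"{label}: client 198.51.100.7 -> 3306: {can_reach(tpl, 'DbSg', '198.51.100.7', 3306)};"
              f" world-open: {world_open_ports(tpl)}")
```

Running it shows the posted template admitting nobody from outside, the answered template admitting everybody, and the restricted template admitting only the administrator's range; world_open_ports() is the check to wire into a pipeline so that a 0.0.0.0/0 rule on a database port fails review rather than quietly shipping.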