I am trying to restrict access to a load balancer to a fixed IP and to CodeBuild agents. To that end, I want to add a security group rule that will prevent access to the load balancer unless traffic comes from the security group associated with the CodeBuild agents (as well as a separate security group rule that restricts access except from the fixed IP). I think this means I need to associate CodeBuild with the VPC of the load balancer.
However, when I try to update an existing CodeBuild project using Terraform's codebuild_project resource and configure the VPC like this:

    vpc_config {
      security_group_ids = [var.codebuild_sg]
      subnets            = var.public_subnet_ids
      vpc_id             = var.vpc_id
    }

where the variables are the security group to be used by CodeBuild, the subnets into which CodeBuild should be launched and the VPC, respectively, I get the following error message:

    Error updating CodeBuild project
    (arn:aws:codebuild:eu-west-2:xxxxx:project/my-project):
    InvalidInputException: CodeBuild currently doesn't support VPC in
    eu-west-2c, please select subnets in other availability zones.

Are there some AZs for which CodeBuild does not support VPCs? Or does this message mean something else?
Yes, CodeBuild is not available in eu-west-2c. In the eu-west-2 region, CodeBuild is only available in 2 AZs (eu-west-2a and eu-west-2b).
When I attempt to create a VPC Endpoint for the com.amazonaws.us-east-1.lambda (lambda service), the "us-east-1a" Availability Zone is not an option. However, when I choose a different service, like "com.amazonaws.us-east-1.rds", I can choose a subnet in the "us-east-1a" Availability Zone.
I am creating VPC endpoints via CloudFormation template, but also confirmed this occurs when creating via the UI.
I have been reviewing AWS documentation and also previous questions, but I cannot determine why this is occurring and how to fix this so we can select the subnets in that AZ for that VPC endpoint. Any guidance is appreciated.
Screenshot of attempting to create VPC endpoint for lambda with us-east-1a not allowed:
Screenshot of attempting to create VPC endpoint for another service:
You can run the following CLI command to check which Availability Zones are available for creating a VPC endpoint for a given service:

    aws ec2 describe-vpc-endpoint-services --service-names SERVICE-NAME

Example for Lambda:

    aws ec2 describe-vpc-endpoint-services --service-names com.amazonaws.us-east-1.lambda
    {
        "ServiceDetails": [
            {
                "ServiceName": "com.amazonaws.us-east-1.lambda",
                "AvailabilityZones": [
                    "us-east-1a",
                    "us-east-1b",
                    "us-east-1c"
                ]....}

Why can’t I select an Availability Zone for my Amazon VPC interface endpoint?
https://aws.amazon.com/premiumsupport/knowledge-center/interface-endpoint-availability-zone/
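As an added example (not code from either question or answer above), the check that the CLI output enables, scripted: given the output of describe-vpc-endpoint-services and of describe-subnets, list which subnets sit in an AZ the service supports and which would be rejected. This is the same AZ mismatch behind the CodeBuild "please select subnets in other availability zones" error in the first question. Both JSON samples and the subnet IDs are constructed in the shape of the CLI output, not real account data.

```python
import json

# Constructed sample (not real account data) in the shape of
# `aws ec2 describe-vpc-endpoint-services --service-names ...` output.
ENDPOINT_SERVICES_JSON = """
{"ServiceDetails": [
  {"ServiceName": "com.amazonaws.us-east-1.lambda",
   "AvailabilityZones": ["us-east-1a", "us-east-1b", "us-east-1c"]},
  {"ServiceName": "com.amazonaws.us-east-1.rds",
   "AvailabilityZones": ["us-east-1a", "us-east-1b", "us-east-1c", "us-east-1d"]}
]}
"""

# Constructed sample in the shape of `aws ec2 describe-subnets` output;
# the subnet and VPC IDs are hypothetical.
SUBNETS_JSON = """
{"Subnets": [
  {"SubnetId": "subnet-0aaa", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-0123"},
  {"SubnetId": "subnet-0bbb", "AvailabilityZone": "us-east-1b", "VpcId": "vpc-0123"},
  {"SubnetId": "subnet-0ddd", "AvailabilityZone": "us-east-1d", "VpcId": "vpc-0123"}
]}
"""

def service_azs(services_json, service_name):
    """AZs in which an interface endpoint for service_name can be placed."""
    for svc in json.loads(services_json)["ServiceDetails"]:
        if svc["ServiceName"] == service_name:
            return set(svc["AvailabilityZones"])
    raise KeyError(f"{service_name!r} not in describe-vpc-endpoint-services output")

def partition_subnets(subnets_json, supported_azs):
    """Split subnets into those in a supported AZ and those the API would reject."""
    result = {"usable": [], "rejected": []}
    for sn in json.loads(subnets_json)["Subnets"]:
        bucket = "usable" if sn["AvailabilityZone"] in supported_azs else "rejected"
        result[bucket].append((sn["SubnetId"], sn["AvailabilityZone"]))
    return result

def subnet_ids_for_service(services_json, subnets_json, service_name):
    """Subnet IDs that are safe to pass when creating an endpoint for service_name."""
    azs = service_azs(services_json, service_name)
    return sorted(sid for sid, _ in partition_subnets(subnets_json, azs)["usable"])

if __name__ == "__main__":
    azs = service_azs(ENDPOINT_SERVICES_JSON, "com.amazonaws.us-east-1.lambda")
    for sid, az in partition_subnets(SUBNETS_JSON, azs)["rejected"]:
        print(f"{sid} ({az}): AZ not supported for this service, pick another subnet")
```

Against real output, feed the script the JSON saved from the two CLI commands; any subnet it reports as rejected is one the endpoint (or CodeBuild) call will refuse.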
I have an AWS EKS cluster within the dev VPC. Now I have a few EC2 instances in the test-vpc, so I need to add the test-vpc instances to the existing cluster. Can we do this?
FYI, I have done VPC peering as well, and the peering is also working.
An Amazon EKS cluster is provisioned in a single VPC.
If you have a dev-VPC and a test-VPC, you need to use two different EKS clusters.
I have an AWS MSK cluster running inside a VPC with 3 subnets.
When I created my Elastic Beanstalk (Java) environment it asked for a VPC and I configured the same VPC where my MSK cluster is running. I also selected all three listed subnets in my Elastic Beanstalk Network configuration. I did not assign a public IP as I don't require access from the internet to Elastic Beanstalk instances.
I also assigned AWS MSK Full Access permissions to the IAM Instance Profile that I selected for my Elastic Beanstalk environment under Security configuration. Just for information completeness, I selected the AWSServiceRoleForElasticBeanstalk as a service role.
On a side note, when I configured my Lambda to access the MSK cluster, it asked me for the VPC as well as Security Groups explicitly. But I don't see any such configuration options for Security Groups in the case of Elastic Beanstalk. Am I overlooking something here? My Lambda is able to successfully access the MSK cluster.
I don't understand why my Elastic Beanstalk instance is unable to access my AWS MSK cluster. Am I missing something?
With the help of AWS Support, I was able to resolve this issue.
First, you can configure Security Groups under 'Instances' configuration card.
But it was a bit confusing for me because the VPC and Subnets are under the 'Networking' configuration card, which is stacked way after the 'Instances' configuration card, and the Security Groups listed under 'Instances' directly depend on the VPC and Subnets selected under 'Networking'. If you change your selection in 'Networking' then you should update/review your Security Groups selection under 'Instances' as well.
So, in my case, I first selected my target VPC and related Subnets under 'Networking', and only then was I able to see my target Security Groups under 'Instances'.
I noticed there is already a

    -subnet=... The AWS subnet to deploy to (single instance apps only)

parameter, but not for ELB-based deployments yet. Is it already possible to define which VPC/subnets should be used for a deployment?
Currently all subnets of the default VPC are associated with the automatically created auto-scaling groups. The auto-scaling groups will then launch instances across them in a balanced fashion.
Please file a feature request if you need more control: https://github.com/cloudcaptainsh/cloudcaptain/issues
We are trying to expand our reliability setup using VPC in us-west-1. The 'a' and 'b' AZs work fine, but when I try to create subnets on 'c' it just fails with the message:

    Value (us-west-1c) for parameter availabilityZone is invalid.
    Subnets can currently only be created in the following availability zones:
    us-west-1b, us-west-1a.

Is this a transient failure or are there just only two VPC-enabled AZs in that region? If the latter, is there a list somewhere with how many AZs in each region are VPC-enabled?
Each AWS account has its own set of AZs. You can get the list of available AZs with the AWS CLI tools:

    aws ec2 describe-availability-zones

See details here: http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-availability-zones.html