create image of an ec2 instance using cloudformation template [duplicate] - amazon-web-services

This question already has answers here:
Create AMI image as part of a cloudformation stack
(4 answers)
Closed 3 years ago.
I have written the CloudFormation YAML code to create a VPC with 2 public subnets across multiple AZs and 2 private subnets across multiple AZs. I have created an internet gateway, route tables and security groups (one public and one private for both RT and SG) and associated the subnets with the respective route tables. I have created an ALB and an ASG, all using CloudFormation.
I have specified the desired instance count as 2, min as 1 and max as 4 in the ASG CloudFormation template. In the launch configuration template I have specified that all instances should be launched in the private subnets across multiple AZs. The ALB is placed in the public subnets and is internet facing. I haven't created a NAT gateway.
I will create an instance in a public subnet with user data to install httpd. My question is: is there any way to create an image of this instance, with the condition that it is done in the same code?
If this is possible, what I will do is use the AMI ID of the image created from the public instance to create instances in the private subnets.
Resources:
  CFVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: Cloud_Formation_VPC
  CFIGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: Cloud_Formation_IGW
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref CFVPC
      InternetGatewayId: !Ref CFIGW
  CFPublicSubnet1a:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CFVPC
      AvailabilityZone: ap-south-1a
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public Subnet 1a
  CFPrivateSubnet1a:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CFVPC
      AvailabilityZone: ap-south-1a
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Private Subnet 1a
  CFPublicSubnet1b:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CFVPC
      AvailabilityZone: ap-south-1b
      CidrBlock: 10.0.3.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public Subnet 1b
  CFPrivateSubnet1b:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CFVPC
      AvailabilityZone: ap-south-1b
      CidrBlock: 10.0.4.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Private Subnet 1b
  CFPublicRT:
    Type: AWS::EC2::RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: Public RT
      VpcId: !Ref CFVPC
  CFPrivateRT:
    Type: AWS::EC2::RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: Private RT
      VpcId: !Ref CFVPC
  routetablepublicsubnetassociation1a:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref CFPublicRT
      SubnetId: !Ref CFPublicSubnet1a
  routetablepublicsubnetassociation1b:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref CFPublicRT
      SubnetId: !Ref CFPublicSubnet1b
  routetableprivatesubnetassociation1a:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref CFPrivateRT
      SubnetId: !Ref CFPrivateSubnet1a
  routetableprivatesubnetassociation1b:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref CFPrivateRT
      SubnetId: !Ref CFPrivateSubnet1b
  CFPublicRoute:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref CFIGW
      RouteTableId: !Ref CFPublicRT
  CFALBSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http/https/ssh
      VpcId: !Ref CFVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 106.51.140.198/32
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 122.179.31.197/32
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: -1
  CFec2SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow SSH
      VpcId: !Ref CFVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref CFALBSG
  CFAlbTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckIntervalSeconds: 10
      HealthCheckPath: /http
      HealthCheckPort: 80
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 7
      HealthyThresholdCount: 5
      Name: alb-target-group
      Port: 80
      Protocol: HTTP
      Tags:
        - Key: Name
          Value: Alb-TargetGp
      UnhealthyThresholdCount: 10
      VpcId: !Ref CFVPC
  CFALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      IpAddressType: ipv4
      Type: application
      Name: cf-elb
      Scheme: internet-facing
      SecurityGroups:
        - !Ref CFALBSG
      Subnets:
        - !Ref CFPublicSubnet1a
        - !Ref CFPublicSubnet1b
      Tags:
        - Key: Name
          Value: CF-ALB
  CFALBListner:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref CFAlbTargetGroup
          Type: forward
      LoadBalancerArn: !Ref CFALB
      Port: 80
      Protocol: HTTP
  CFASGLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      AssociatePublicIpAddress: true
      ImageId: ami-043f9106e7f451340
      InstanceMonitoring: false
      InstanceType: t2.micro
      KeyName: QuadraKeyBLR
      SecurityGroups:
        - !Ref CFec2SG
  CFPlacementGroup:
    Type: AWS::EC2::PlacementGroup
    Properties:
      Strategy: spread
  CFASG:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AutoScalingGroupName: Cloudformation_autoscalling
      AvailabilityZones:
        - ap-south-1a
        - ap-south-1b
      LaunchConfigurationName: !Ref CFASGLaunchConfig
      VPCZoneIdentifier:
        - !Ref CFPrivateSubnet1a
        - !Ref CFPrivateSubnet1b
      Cooldown: 120
      DesiredCapacity: 2
      MaxSize: 4
      MinSize: 1
      PlacementGroup: !Ref CFPlacementGroup
      TargetGroupARNs:
        - !Ref CFAlbTargetGroup

Looks like this question was answered already: Create AMI image as part of a cloudformation stack
It's an old answer, but it still seems valid.
Thanks!
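The linked question's approach is a custom resource: CloudFormation invokes a Lambda function that calls CreateImage against the public instance and returns the AMI ID, which the stack then passes to the launch configuration. The handler below is an added example of that pattern (not code from the linked answer or from the asker's template). The resource property names InstanceId and ImageName and the FakeEC2 client are my own constructions; in Lambda, boto3's EC2 client takes the fake's place. Two points a practitioner cares about are built in: the Create path waits until the image is "available" before reporting success, and the Delete path deregisters the AMI and deletes its snapshots so stack teardown does not leave copies of the root volume behind.

```python
"""Bake an AMI inside a stack via a Lambda-backed custom resource (added example)."""
import json
import time
import urllib.request


def create_ami(ec2, instance_id, name, sleep=time.sleep, timeout=900):
    """Create the image and block until EC2 reports it 'available'; returning
    earlier would hand the launch configuration an AMI that cannot launch yet."""
    image_id = ec2.create_image(InstanceId=instance_id, Name=name, NoReboot=False)["ImageId"]
    deadline = time.monotonic() + timeout
    while True:
        state = ec2.describe_images(ImageIds=[image_id])["Images"][0]["State"]
        if state == "available":
            return image_id
        if state in ("failed", "error") or time.monotonic() > deadline:
            raise RuntimeError(f"image {image_id} ended in state {state}")
        sleep(15)


def delete_ami(ec2, image_id):
    """Deregister the image and delete its snapshots so stack deletion leaves no
    orphaned copies of the root volume. Idempotent: an already-missing image is fine."""
    images = ec2.describe_images(ImageIds=[image_id])["Images"]
    if not images:
        return []
    snapshots = [m["Ebs"]["SnapshotId"] for m in images[0].get("BlockDeviceMappings", []) if "Ebs" in m]
    ec2.deregister_image(ImageId=image_id)
    for snap in snapshots:
        ec2.delete_snapshot(SnapshotId=snap)
    return snapshots


def handle_event(event, ec2, sleep=time.sleep):
    """Map CloudFormation request types onto EC2 calls. Create/Update build a fresh
    image; CloudFormation then sends a Delete for the previous PhysicalResourceId."""
    props = event.get("ResourceProperties", {})  # InstanceId/ImageName: assumed property names
    if event["RequestType"] in ("Create", "Update"):
        image_id = create_ami(ec2, props["InstanceId"], props["ImageName"], sleep=sleep)
    else:
        image_id = event["PhysicalResourceId"]
        if image_id.startswith("ami-"):  # skip the placeholder id left by a failed Create
            delete_ami(ec2, image_id)
    return {"Status": "SUCCESS", "PhysicalResourceId": image_id, "Data": {"ImageId": image_id}}


def send_response(event, result):
    """PUT the result to the pre-signed URL CloudFormation supplied with the event."""
    body = json.dumps({**result, "StackId": event["StackId"], "RequestId": event["RequestId"],
                       "LogicalResourceId": event["LogicalResourceId"]}).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT", headers={"Content-Type": ""})
    urllib.request.urlopen(req)


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; kept out of the offline path below
    try:
        result = handle_event(event, boto3.client("ec2"))
    except Exception as exc:  # report FAILED instead of letting the stack hang until timeout
        result = {"Status": "FAILED", "Reason": str(exc),
                  "PhysicalResourceId": event.get("PhysicalResourceId", "failed-create")}
    send_response(event, result)


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client so the handler can run offline."""
    def __init__(self):
        self.images, self.snapshots, self.counter = {}, set(), 0

    def create_image(self, InstanceId, Name, NoReboot):
        self.counter += 1
        image_id, snap = f"ami-{self.counter:017d}", f"snap-{self.counter:017d}"
        self.snapshots.add(snap)
        self.images[image_id] = {"State": "pending", "polls": 0,
                                 "BlockDeviceMappings": [{"Ebs": {"SnapshotId": snap}}]}
        return {"ImageId": image_id}

    def describe_images(self, ImageIds):
        found = [self.images[i] for i in ImageIds if i in self.images]
        for img in found:  # the fake image becomes available on the second poll
            img["polls"] += 1
            if img["polls"] >= 2:
                img["State"] = "available"
        return {"Images": found}

    def deregister_image(self, ImageId):
        del self.images[ImageId]

    def delete_snapshot(self, SnapshotId):
        self.snapshots.discard(SnapshotId)


def demo():
    """Run a Create followed by a Delete through the fake client."""
    ec2, no_sleep = FakeEC2(), (lambda seconds: None)
    created = handle_event({"RequestType": "Create", "ResourceProperties":
                            {"InstanceId": "i-0123456789abcdef0", "ImageName": "httpd-base"}}, ec2, no_sleep)
    deleted = handle_event({"RequestType": "Delete",
                            "PhysicalResourceId": created["PhysicalResourceId"]}, ec2, no_sleep)
    return created, deleted, ec2


if __name__ == "__main__":
    print(demo()[:2])
```

The function's execution role needs only ec2:CreateImage, ec2:DescribeImages, ec2:DeregisterImage and ec2:DeleteSnapshot; the stack consumes the result with `!GetAtt MyImage.ImageId` in the launch configuration's ImageId, and the Lambda timeout must cover the wait loop, since a handler that returns before the image is available produces a launch configuration pointing at an AMI that is still pending.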

Related

Unable to SSH to my ec2 instance when creating the resources through Cloudformation

I am trying to deploy a set of EC2 instances through cloudformation. The code for my cloudformation :
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref ESVpcCIDR
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: ES-VPC
  #Connection configuration Starts
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: ESInternetGateway
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC
  #Connection Configuration ends
  ESJenkinsSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: !Ref ESJenkinsCIDR
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: ESJenkinsSubnet
  ESDevMuleSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: !Ref ESDevMuleCIDR
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: ESDevMuleSubnet
  #Route Table configuration starts
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: RouteTable
  DefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  ESJenkinsSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref ESJenkinsSubnet
  ESDevMuleSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref ESDevMuleSubnet
  #Security Group Start
  NoIngressSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "no-ingress-security-group"
      GroupDescription: "Security group with no ingress rule"
      VpcId: !Ref VPC
  ESJenkinsSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: "ES-Jenkins-security-group"
      GroupDescription: Enable SSH access via port 22
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8085
          CidrIp: 0.0.0.0/0
  ESDEVMuleSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: "ES-DEV-Mule-security-group"
      GroupDescription: Enable SSH access via port 22
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8085
          CidrIp: 0.0.0.0/0
  EC2InstanceMuleDev:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref ESMuleDEVInstanceType
      ImageId:
        Fn::FindInMap:
          - RegionMap
          - Ref: AWS::Region
          - MuleAMI
      NetworkInterfaces:
        - GroupSet:
            - Ref: ESDEVMuleSecurityGroup
          AssociatePublicIpAddress: 'true'
          DeviceIndex: '0'
          SubnetId: !Ref ESDevMuleSubnet
      KeyName: !Ref ESLoginKeyPair
      Tags:
        - Key: Name
          Value: ESDEVMULE
  EC2InstanceJenkins:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref ESJenkinsInstanceType
      ImageId:
        Fn::FindInMap:
          - RegionMap
          - Ref: AWS::Region
          - JenkinsAMI
      NetworkInterfaces:
        - GroupSet:
            - Ref: ESJenkinsSecurityGroup
          AssociatePublicIpAddress: 'true'
          DeviceIndex: '0'
          SubnetId:
            Ref: ESJenkinsSubnet
      KeyName: !Ref ESLoginKeyPair
      Tags:
        - Key: Name
          Value: ESJENKINS
I am creating the key pair mentioned here through the AWS CLI, using the create-key-pair command.
The problem is, I can't SSH into any instances. The SSH client throws a "key too public" error. Am I missing any connectivity detail?
All the required parameter references have been taken care of through Parameter Store. The mapping for the AMI is done correctly; it is not included here for obvious reasons.
Update
I have tried creating a standalone instance in the default VPC, in other AWS accounts as well, with the same issue. So I don't believe the problem is with the template; rather it is an SSH issue.
You should change permissions of the key as explained in the docs:
chmod 400 my-key-pair.pem
This is just a permission problem; your file is too exposed to others. Please try:
chmod 600 ESLoginKeyPair.pem
This changes the file's permissions so that it is only readable by the current user.
Now try to SSH into your server again.

Cloudformation - Connect multiple stack together

I have created the stacks VPC, ec2-instance and rds. I have successfully connected the ec2-instance with the VPC template, but the problem I am facing is how to connect rds with both vpc and ec2-instance. I want to give SubnetB from the vpc template to the rds, and I want to give webserver to the security group of rds.
Vpc template
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 11.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2a
      VpcId: !Ref VPC
      CidrBlock: 11.0.1.0/24
      MapPublicIpOnLaunch: true
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2a
      VpcId: !Ref VPC
      CidrBlock: 11.0.0.0/24
      MapPublicIpOnLaunch: false
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Internet Group"
      GroupDescription: "SSH traffic in, all traffic out."
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: "22"
          ToPort: "22"
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
Outputs:
  vpcID:
    Description: VPC id
    Value: !Ref VPC
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-VpcID"
  PublicSubnet:
    Description: public subnet
    Value: !Ref SubnetA
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-PublicSubnet"
  Public1Subnet:
    Description: public1 subnet
    Value: !Ref SubnetB
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-Public1Subnet"
Ec2 template:
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  SourceStackName:
    Description: "Source stack name"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "shifa-vpc"
Resources:
  webserver:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: sg-webserver
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
      GroupDescription: Security Group for demo server
      VpcId:
        Fn::ImportValue:
          Fn::Sub: "${SourceStackName}-VpcID"
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: us-east-2a
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: "true"
            VolumeSize: "8"
            VolumeType: gp2
      ImageId: ami-0bdcc6c05dec346bf
      InstanceType: t2.micro
      IamInstanceProfile: !Ref ListS3BucketsInstanceProfile
      KeyName: ky-webserver
      NetworkInterfaces:
        - Description: Primary network interface
          DeviceIndex: 0
          SubnetId:
            Fn::ImportValue:
              Fn::Sub: "${SourceStackName}-PublicSubnet"
          GroupSet:
            - Ref: sg-webserver
Outputs:
  ec2:
    Description: ec2
    Value: !Ref server
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-server"
Rds template
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyDB:
    Type: AWS::RDS::DBInstance
    DependsOn: myDBSubnetGroup
    Properties:
      VPCSecurityGroups:
        - !Ref DBEC2SecurityGroup
      AllocatedStorage: "5"
      DBInstanceClass: db.t2.micro
      Engine: MySQL
      EngineVersion: "5.7.22"
      DBName: shifadb
      MasterUsername: shifadb
      MasterUserPassword: shifa123a
      MultiAZ: false
      DBSubnetGroupName: MySubnetGroup
  myDBSubnetGroup:
    Properties:
      DBSubnetGroupName: MySubnetGroup
      DBSubnetGroupDescription: subnet group
      SubnetIds:
        - !Ref SubnetA
        - !Ref SubnetB
    Type: "AWS::RDS::DBSubnetGroup"
  DBEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId: !Ref webserver
I have understood how to connect one template with another template, but I am having trouble connecting the rds template with 2 templates.
There were multiple mistakes in the templates. I fixed them all and now they deploy. I verified that in the us-east-1 region, thus I had to modify them to work in this region. If you need a different region, you need to change accordingly.
You can study the templates and you will know how to "connect multiple stacks together".
Also, I did not change their functionality, e.g. whether you can connect to the rds from the instance. I only verified the deployment process.
vpc
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 11.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a
      VpcId: !Ref VPC
      CidrBlock: 11.0.1.0/24
      MapPublicIpOnLaunch: true
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1b
      VpcId: !Ref VPC
      CidrBlock: 11.0.0.0/24
      MapPublicIpOnLaunch: false
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Internet Group"
      GroupDescription: "SSH traffic in, all traffic out."
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: "22"
          ToPort: "22"
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
Outputs:
  vpcID:
    Description: VPC id
    Value: !Ref VPC
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-VpcID"
  PublicSubnet:
    Description: public subnet
    Value: !Ref SubnetA
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-PublicSubnet"
  Public1Subnet:
    Description: public1 subnet
    Value: !Ref SubnetB
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-Public1Subnet"
ec2
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  SourceStackName:
    Description: "Source stack name"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "shifa-vpc"
Resources:
  webserver:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: webserver-sg
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
      GroupDescription: Security Group for demo server
      VpcId:
        Fn::ImportValue:
          Fn::Sub: "${SourceStackName}-VpcID"
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: us-east-1a
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: "true"
            VolumeSize: "8"
            VolumeType: gp2
      ImageId: ami-09d95fab7fff3776c # ami-0bdcc6c05dec346bf
      InstanceType: t2.micro
      #IamInstanceProfile: !Ref ListS3BucketsInstanceProfile
      #KeyName: ky-webserver
      NetworkInterfaces:
        - Description: Primary network interface
          DeviceIndex: 0
          SubnetId:
            Fn::ImportValue:
              Fn::Sub: "${SourceStackName}-PublicSubnet"
          GroupSet:
            - !Ref webserver
Outputs:
  ec2:
    Description: ec2
    Value: !Ref EC2Instance
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-server"
  sgGroupId:
    Description: ec2
    Value: !GetAtt webserver.GroupId
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-sgid"
rds
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  SourceStackName:
    Description: "Source stack name"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "shifa-vpc"
  Ec2StackName:
    Description: "Ec2 Source stack name"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "ec2"
Resources:
  MyDB:
    Type: AWS::RDS::DBInstance
    DependsOn: myDBSubnetGroup
    Properties:
      VPCSecurityGroups:
        - !Ref DBEC2SecurityGroup
      AllocatedStorage: "5"
      DBInstanceClass: db.t2.micro
      Engine: MySQL
      EngineVersion: "5.7.22"
      DBName: shifadb
      MasterUsername: shifadb
      MasterUserPassword: shifa123a
      MultiAZ: false
      DBSubnetGroupName: !Ref myDBSubnetGroup
  myDBSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupName: MySubnetGroup
      DBSubnetGroupDescription: subnet group
      SubnetIds:
        - Fn::ImportValue:
            Fn::Sub: "${SourceStackName}-PublicSubnet"
        - Fn::ImportValue:
            Fn::Sub: "${SourceStackName}-Public1Subnet"
  DBEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      VpcId:
        Fn::ImportValue:
          Fn::Sub: "${SourceStackName}-VpcID"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          SourceSecurityGroupId:
            Fn::ImportValue:
              Fn::Sub: "${Ec2StackName}-sgid"

Security group does not belong to VPC

I am trying to create an internet-facing ELB. I have created a VPC in the Ohio region (us-east-2). I have created 4 subnets: 2 public subnets and 2 private subnets.
Public subnets: SubnetA (us-east-2a), SubnetB (us-east-2b)
Private subnets: SubnetC (us-east-2a), SubnetD (us-east-2b)
When I give the availability zone to the load balancer it shows the following error: Security group does not belong to VPC
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  SourceStackName:
    Description: "Source stack name"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "wahaj-vpc"
Resources:
  wahajelb:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: wahaj-elb
      VpcId:
        Fn::ImportValue:
          Fn::Sub: "${SourceStackName}-VpcID"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
      GroupDescription: Security Group for demo server
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Listeners:
        - LoadBalancerPort: "80"
          InstancePort: "80"
          Protocol: HTTP
      SecurityGroups:
        - !Ref wahajelb
      LoadBalancerName: wahajelb
      Subnets:
        - Fn::ImportValue: !Sub "${SourceStackName}-SubnetC"
        - Fn::ImportValue: !Sub "${SourceStackName}-SubnetD"
      HealthCheck:
        Target: HTTP:80/SamplePage.php
        HealthyThreshold: "3"
        UnhealthyThreshold: "5"
        Interval: "30"
        Timeout: "5"
I am new to this, so if any changes are required to the template please do tell me; I might have made some mistakes.
Vpc template
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 11.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2a
      VpcId: !Ref VPC
      CidrBlock: 11.0.0.0/24
      MapPublicIpOnLaunch: true
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2b
      VpcId: !Ref VPC
      CidrBlock: 11.0.1.0/24
      MapPublicIpOnLaunch: true
  SubnetC:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2a
      VpcId: !Ref VPC
      CidrBlock: 11.0.2.0/24
      MapPublicIpOnLaunch: false
  SubnetD:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2b
      VpcId: !Ref VPC
      CidrBlock: 11.0.3.0/24
      MapPublicIpOnLaunch: false
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  RouteTable2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SubnetCRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable2
      SubnetId: !Ref SubnetC
  SubnetDRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable2
      SubnetId: !Ref SubnetD
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Internet Group"
      GroupDescription: "SSH traffic in, all traffic out."
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: "22"
          ToPort: "22"
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  NAT:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId:
        Fn::GetAtt:
          - EIP
          - AllocationId
      SubnetId:
        Ref: SubnetA
      Tags:
        - Key: Name
          Value: wahaj-nat
  EIP:
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: VPC
  Route:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: RouteTable2
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: NAT
Outputs:
  vpcID:
    Description: VPC id
    Value: !Ref VPC
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-VpcID"
  SubnetA:
    Description: public subnet
    Value: !Ref SubnetA
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetA"
  SubnetB:
    Description: public subnet 2
    Value: !Ref SubnetB
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetB"
  SubnetC:
    Description: private subnet
    Value: !Ref SubnetC
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetC"
  SubnetD:
    Description: private subnet 2
    Value: !Ref SubnetD
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetD"
Autoscaling template
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  SourceStackName:
    Description: "Source stack name"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "wahaj-vpc"
  elb:
    Description: "elb"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "wahaj-elb"
  bastion:
    Description: "bastion host"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "wahaj-bastion"
Resources:
  wahajwebserver:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: wahaj-webserver
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId:
            Fn::ImportValue: !Sub "${bastion}-bsgId"
          Description: For traffic from Internet
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId:
            Fn::ImportValue: !Sub "${elb}-lgsg"
          Description: For traffic from Internet
      GroupDescription: Security Group for demo server
      VpcId:
        Fn::ImportValue:
          Fn::Sub: "${SourceStackName}-VpcID"
  ec2instance:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: "true"
            VolumeSize: "8"
            VolumeType: gp2
      ImageId: ami-0bdcc6c05dec346bf
      InstanceType: t2.micro
      IamInstanceProfile: !Ref ListS3BucketsInstanceProfile
      KeyName: wahaj(webserver)
      SecurityGroups:
        - Ref: wahajwebserver
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - Ref: S3FullAccess
  ListS3BucketsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ListS3BucketsPolicy
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - s3:List*
            Resource: "*"
      Roles:
        - Ref: S3FullAccess
  S3FullAccess:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  myASG:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AvailabilityZones:
        - "us-east-2a"
        - "us-east-2b"
      AutoScalingGroupName: myASG
      LoadBalancerNames:
        - Fn::ImportValue: !Sub "${elb}-MyLoadBalancer"
      MinSize: "2"
      MaxSize: "2"
      DesiredCapacity: "2"
      HealthCheckGracePeriod: 300
      LaunchConfigurationName:
        Ref: ec2instance
      VPCZoneIdentifier:
        - Fn::ImportValue: !Sub "${SourceStackName}-SubnetC"
        - Fn::ImportValue: !Sub "${SourceStackName}-SubnetD"
Outputs:
  Autoscaling:
    Description: autoscaling
    Value: !Ref myASG
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-myASG"
  ec2instance:
    Description: ec2instances
    Value: !Ref ec2instance
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-ec2instance"
  sg:
    Description: ec2instances securitygroup
    Value: !GetAtt wahajwebserver.GroupId
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-sg"
This is because the ELB and the security group reside within separate VPCs.
Your template has commented out the subnets, which results in the load balancer being created in the default VPC of that region; however, your security group explicitly sets a VPC ID. Therefore they are in separate VPCs.
It is always good practice to ensure that you define the VPC ID/subnet ID of resources that support it; for some resources such as EC2, without this property they will always be replaced when you make a change (such as changing a tag) via CloudFormation.

Value of property SecurityGroupIds must be of type List of String error while updating stack

I am getting ROLLBACK_COMPLETE while trying to update a stack using the following code. Under events, I am not getting an error as "Value of property SecurityGroupIds must be of type List of String". Please help me to find a solution.
My code for the first stack:
Resources:
  myvpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: myvpc
  myinternetgateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: mygtwy
  mygatewayattach:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref myinternetgateway
      VpcId: !Ref myvpc
  mysubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a
      VpcId: !Ref myvpc
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
  Routetable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref myvpc
  Route:
    Type: AWS::EC2::Route
    DependsOn: myinternetgateway
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref myinternetgateway
      RouteTableId: !Ref Routetable
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref Routetable
      SubnetId: !Ref mysubnet1
On update, I added the following. During this time I am getting the error I mentioned earlier:
  Myec2:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroupIds:
        - !Ref Mysecgroup
      KeyName: !Ref KeyName
      ImageId: ami-0922553b7b0369273
      InstanceType: t2.micro
      SubnetId: !Ref mysubnet1
  Mysecgroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable SSH access via port 22
      VpcId: !Ref myvpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
When you specify an AWS::EC2::SecurityGroup type as an argument to the Ref function, AWS CloudFormation returns the security group name or the security group ID (for EC2-VPC security groups that are not in a default VPC).
Your template is referencing the security group name where you should be referencing the group ID.
  Myec2:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroupIds:
        - !GetAtt "Mysecgroup.GroupId"
      KeyName: !Ref KeyName
      ImageId: ami-0922553b7b0369273
      InstanceType: t2.micro
      SubnetId: !Ref mysubnet1
  Mysecgroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable SSH access via port 22
      VpcId: !Ref myvpc
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
Referencing the security group by name (SecurityGroups instead of SecurityGroupIds) works for me:
  EC2SG1IKTA:
    Type: 'AWS::EC2::SecurityGroup'
  EC2I1K240:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref EC2SG1IKTA
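The three answers above (the multi-stack fix, the "security group does not belong to VPC" explanation, and the SecurityGroupIds/GroupId distinction) all describe mistakes that can be caught before a stack is submitted. The checker below is an added example of doing that offline; it is not cfn-lint or any project's code. The templates it inspects are constructed Python dicts in the JSON form of the YAML shown above (stack name wahaj-vpc and the export names are taken from the page; the function names are mine), and it goes one step beyond the answers by also flagging port 22 opened to 0.0.0.0/0, which several of the templates on this page do.

```python
"""Offline checks for the CloudFormation mistakes discussed above (added example)."""
import re

SG_TYPE = "AWS::EC2::SecurityGroup"


def resolve_sub(text, values):
    """Expand ${Name} placeholders of an Fn::Sub string; unknown names stay as-is."""
    return re.sub(r"\$\{([A-Za-z0-9:]+)\}", lambda m: str(values.get(m.group(1), m.group(0))), text)


def export_names(template, stack_name):
    """Names the stack exports, with ${AWS::StackName} resolved to stack_name."""
    names = set()
    for output in template.get("Outputs", {}).values():
        exp = output.get("Export", {}).get("Name")
        if isinstance(exp, dict) and "Fn::Sub" in exp:
            names.add(resolve_sub(exp["Fn::Sub"], {"AWS::StackName": stack_name}))
        elif isinstance(exp, str):
            names.add(exp)
    return names


def import_names(template):
    """Every Fn::ImportValue under Resources, with parameters resolved to their defaults."""
    defaults = {k: v.get("Default") for k, v in template.get("Parameters", {}).items()}
    found = []

    def walk(node):
        if isinstance(node, dict):
            val = node.get("Fn::ImportValue")
            if isinstance(val, dict) and "Fn::Sub" in val:
                found.append(resolve_sub(val["Fn::Sub"], defaults))
            elif isinstance(val, str):
                found.append(val)
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(template.get("Resources", {}))
    return found


def check_missing_imports(importer, exporters):
    """exporters maps stack name -> template. Returns imports no listed stack exports."""
    available = set().union(*(export_names(t, n) for n, t in exporters.items()))
    return sorted(set(import_names(importer)) - available)


def check_security_groups(template):
    findings = []
    resources = template.get("Resources", {})
    sg_names = {n for n, r in resources.items() if r.get("Type") == SG_TYPE}
    for name, res in resources.items():
        props, kind = res.get("Properties", {}), res.get("Type")
        # Ref on a security group yields its *name* in a default VPC; SecurityGroupIds
        # needs the ID, i.e. Fn::GetAtt [SG, GroupId].
        for entry in props.get("SecurityGroupIds", []):
            if isinstance(entry, dict) and entry.get("Ref") in sg_names:
                findings.append(f"{name}: SecurityGroupIds uses Ref {entry['Ref']}; "
                                f"use Fn::GetAtt [{entry['Ref']}, GroupId]")
        # Without a subnet the resource lands in the default VPC, where a security
        # group created in another VPC cannot be attached.
        if kind == "AWS::ElasticLoadBalancing::LoadBalancer" and "SecurityGroups" in props \
                and "Subnets" not in props:
            findings.append(f"{name}: no Subnets; load balancer would be created in the default VPC")
        if kind == "AWS::EC2::Instance" and "SecurityGroupIds" in props \
                and not (props.get("SubnetId") or props.get("NetworkInterfaces")):
            findings.append(f"{name}: no SubnetId; instance would be created in the default VPC")
        if kind == SG_TYPE:  # world-open SSH, as several templates on this page have
            for rule in props.get("SecurityGroupIngress", []):
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 0))
                if rule.get("CidrIp") == "0.0.0.0/0" and lo <= 22 <= hi:
                    findings.append(f"{name}: SSH (22) open to 0.0.0.0/0")
    return findings


# Constructed templates mirroring the vpc/elb pair above (JSON form of the YAML).
VPC_STACK = {
    "Resources": {"VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "11.0.0.0/16"}}},
    "Outputs": {
        "vpcID": {"Value": {"Ref": "VPC"}, "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-VpcID"}}},
        "SubnetA": {"Value": {"Ref": "SubnetA"}, "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-SubnetA"}}},
    },
}
ELB_STACK = {
    "Parameters": {"SourceStackName": {"Type": "String", "Default": "wahaj-vpc"}},
    "Resources": {
        "wahajelb": {"Type": SG_TYPE, "Properties": {
            "VpcId": {"Fn::ImportValue": {"Fn::Sub": "${SourceStackName}-VpcID"}},
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "MyLoadBalancer": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
                           "Properties": {"SecurityGroups": [{"Ref": "wahajelb"}]}},  # Subnets left out
        "Myec2": {"Type": "AWS::EC2::Instance", "Properties": {
            "SecurityGroupIds": [{"Ref": "wahajelb"}],
            "SubnetId": {"Fn::ImportValue": {"Fn::Sub": "${SourceStackName}-SubnetC"}}}},
    },
}

if __name__ == "__main__":
    print(check_missing_imports(ELB_STACK, {"wahaj-vpc": VPC_STACK}))
    print(*check_security_groups(ELB_STACK), sep="\n")
```

Run against the constructed pair it reports the unexported wahaj-vpc-SubnetC import, the load balancer with no Subnets, the Ref used inside SecurityGroupIds, and the world-open port 22; the cross-stack check depends on the importing stack's parameter defaults matching the exporter's actual stack name, exactly as the multi-stack answer's SourceStackName and Ec2StackName parameters do.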

Can't Connect to MariaDB RDS instance in VPC

I built a VPC with a few AWS resources inside of it. I can get Internet access if I'm in the VPC, and resources inside the VPC can communicate with each other. For instance, I have a Lambda function that can communicate with the Internet and also reach an RDS instance inside the VPC. However, the issue comes in when I am trying to connect to the RDS instance from my local machine.
I've tried updating the VPCSecurityGroup to allow all incoming traffic, but it still won't work. The only thing that seems to work is if I switch all of the route tables to use an IGW as opposed to a NAT, but I'd prefer if that weren't the case. Also, I'm not even sure I'd be allowed to do that, because I'm pretty sure Lambda functions have to exist in private subnets.
vpc.yml
AWSTemplateFormatVersion: 2010-09-09
Description: VPC Stack
Resources:
  Vpc:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'
  VpcGatewayAttachment:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref Vpc
      InternetGatewayId: !Ref InternetGateway
  ElasticIP:
    Type: 'AWS::EC2::EIP'
    Properties:
      Domain: vpc
  # Single NAT gateway in the AZ-0 public subnet; both private route tables
  # send their 0.0.0.0/0 traffic through it (outbound only).
  NatGateway:
    Type: 'AWS::EC2::NatGateway'
    DependsOn:
      - VpcGatewayAttachment
    Properties:
      AllocationId: !GetAtt
        - ElasticIP
        - AllocationId
      SubnetId: !Ref SubnetAPublic
  SubnetAPublic:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select
        - '0'
        - !GetAZs ''
      CidrBlock: 10.0.0.0/19
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  SubnetBPublic:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select
        - '1'
        - !GetAZs ''
      CidrBlock: 10.0.32.0/19
      MapPublicIpOnLaunch: true
      VpcId: !Ref Vpc
  SubnetAPrivate:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select
        - '0'
        - !GetAZs ''
      CidrBlock: 10.0.64.0/19
      VpcId: !Ref Vpc
  SubnetBPrivate:
    Type: 'AWS::EC2::Subnet'
    Properties:
      AvailabilityZone: !Select
        - '1'
        - !GetAZs ''
      CidrBlock: 10.0.96.0/19
      VpcId: !Ref Vpc
  RouteTableAPublic:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableBPublic:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableAPrivate:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableBPrivate:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref Vpc
  RouteTableAssociationAPublic:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetAPublic
      RouteTableId: !Ref RouteTableAPublic
  RouteTableAssociationBPublic:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetBPublic
      RouteTableId: !Ref RouteTableBPublic
  RouteTableAssociationAPrivate:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetAPrivate
      RouteTableId: !Ref RouteTableAPrivate
  RouteTableAssociationBPrivate:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref SubnetBPrivate
      RouteTableId: !Ref RouteTableBPrivate
  # Private subnets: default route via the NAT gateway, so nothing on the
  # Internet can open a connection inbound to them.
  RouteTableAPrivateInternetRoute:
    Type: 'AWS::EC2::Route'
    DependsOn:
      - VpcGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableAPrivate
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  RouteTableBPrivateInternetRoute:
    Type: 'AWS::EC2::Route'
    DependsOn:
      - VpcGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableBPrivate
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  # Public subnets: default route via the Internet gateway.
  RouteTableAPublicInternetRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref RouteTableAPublic
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  RouteTableBPublicInternetRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref RouteTableBPublic
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  NetworkAclPublic:
    Type: 'AWS::EC2::NetworkAcl'
    Properties:
      VpcId: !Ref Vpc
  NetworkAclPrivate:
    Type: 'AWS::EC2::NetworkAcl'
    Properties:
      VpcId: !Ref Vpc
  SubnetNetworkAclAssociationAPublic:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetAPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationBPublic:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetBPublic
      NetworkAclId: !Ref NetworkAclPublic
  SubnetNetworkAclAssociationAPrivate:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetAPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  SubnetNetworkAclAssociationBPrivate:
    Type: 'AWS::EC2::SubnetNetworkAclAssociation'
    Properties:
      SubnetId: !Ref SubnetBPrivate
      NetworkAclId: !Ref NetworkAclPrivate
  NetworkAclEntryInPublicAllowAll:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
  NetworkAclEntryOutPublicAllowAll:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPublic
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
  # Named "AllowVpc" but the CIDR is 0.0.0.0/0, so the private NACL is
  # allow-all in both directions, identical to the public one.
  NetworkAclEntryInPrivateAllowVpc:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
  NetworkAclEntryOutPrivateAllowVpc:
    Type: 'AWS::EC2::NetworkAclEntry'
    Properties:
      NetworkAclId: !Ref NetworkAclPrivate
      RuleNumber: 99
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
  LambdaSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Lambdas security group
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: '-1'
      # Inbound from anywhere on every protocol. Lambda ENIs never accept
      # inbound connections, so this rule buys nothing and is best removed.
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: '-1'
      VpcId: !Ref Vpc
Outputs:
  VpcId:
    Description: VPC ID
    Value: !Ref Vpc
    Export:
      Name: !Sub "Portal-VpcId"
  SubnetAPrivate:
    Description: Subnet A Private
    Value: !Ref SubnetAPrivate
    Export:
      Name: !Sub "SubnetAPrivate"
  SubnetBPrivate:
    Description: Subnet B Private
    Value: !Ref SubnetBPrivate
    Export:
      Name: !Sub "SubnetBPrivate"
  SubnetAPublic:
    Description: Subnet A Public
    Value: !Ref SubnetAPublic
    Export:
      Name: !Sub "SubnetAPublic"
  SubnetBPublic:
    Description: Subnet B Public
    Value: !Ref SubnetBPublic
    Export:
      Name: !Sub "SubnetBPublic"
  LambdaSecurityGroup:
    Description: Access to Lambda functions
    Value: !Ref LambdaSecurityGroup
    Export:
      Name: !Sub "LambdaSecurityGroup"
rds.yml
# The posted fragment has no Parameters or Resources keys. The parameters
# below are inferred from the !Ref usage in the fragment (their types are an
# assumption) so that it validates as a stack on its own.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetAPublic:
    Type: AWS::EC2::Subnet::Id
  SubnetBPublic:
    Type: AWS::EC2::Subnet::Id
  Environment:
    Type: String
  DBAllocatedStorage:
    Type: String
  DBClass:
    Type: String
  DBUsername:
    Type: String
  DBPassword:
    Type: String
    NoEcho: true
  HostedZoneName:
    Type: String
Resources:
  # The subnet group uses the two PUBLIC subnets, so the DB instance gets an
  # ENI in a subnet whose default route is the Internet gateway.
  DBSubnetGroup:
    Type: 'AWS::RDS::DBSubnetGroup'
    Properties:
      DBSubnetGroupDescription: Subnets available for the RDS DB Instance
      SubnetIds:
        - !Ref SubnetAPublic
        - !Ref SubnetBPublic
  VPCSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Security group for RDS DB Instance.
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # 3306 from the home address; "[my IP]" is a placeholder in the post
        # and must be a CIDR such as a.b.c.d/32.
        -
          IpProtocol: "tcp"
          FromPort: "3306"
          ToPort: "3306"
          CidrIp: "[my IP]"
        # 3306 from the two private subnets (where the Lambdas run).
        -
          IpProtocol: "tcp"
          FromPort: "3306"
          ToPort: "3306"
          CidrIp: "10.0.64.0/19"
        -
          IpProtocol: "tcp"
          FromPort: "3306"
          ToPort: "3306"
          CidrIp: "10.0.96.0/19"
  DBInstance:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBName: !Join
        - ''
        - - portal
          - !Ref Environment
      AllocatedStorage: !Ref DBAllocatedStorage
      DBInstanceClass: !Ref DBClass
      Engine: MariaDB
      EngineVersion: '10.1.23'
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      DBSubnetGroupName: !Ref DBSubnetGroup
      StorageEncrypted: true
      # Gives the instance a public endpoint address. Together with the
      # "[my IP]" rule above this exposes the DB port directly to that
      # address; with the public subnets it is reachable from the Internet
      # by anything the security group lets in.
      PubliclyAccessible: true
      VPCSecurityGroups:
        - !Ref VPCSecurityGroup
  DatabaseDnsRecord:
    Type: AWS::Route53::RecordSet
    # Redundant: the !GetAtt on DBInstance below already creates this dependency.
    DependsOn: DBInstance
    Properties:
      HostedZoneName: !Join
        - ''
        - - !Ref HostedZoneName
          - .
      Name: !Join
        - ''
        - - portal
          - !Ref Environment
          - 'db'
          - .
          - !Ref HostedZoneName
          - .
      Type: CNAME
      TTL: '60'
      ResourceRecords:
        - !GetAtt
          - DBInstance
          - Endpoint.Address
Your problem is this:
The only thing that seems to work is if I switch all of the Route Tables to use an IGW as opposed to a NAT
Your instances are located in private subnets which are not accessible from the public Internet (your home PC). You have three (or more) solutions:
1) Move your instances to a public subnet. NOT RECOMMENDED.
2) Convert your private subnet into a public subnet (switch from NAT to IGW). NOT RECOMMENDED.
3) Create a VPN from your home network to a new EC2 instance located in your public subnet that routes your traffic to the instances in the private subnet. RECOMMENDED.
OpenVPN is a very cool solution. You can build this yourself or just launch an OpenVPN instance from Amazon Marketplace for free (I think the free version is limited to 2 users). OpenVPN Access Server
There will be EC2 instance charges while the OpenVPN Access Server is running. What I do is shut down that instance when I don't need it and start it back up when I do, using the AWS CLI commands stored in batch files.
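The answer's reasoning (a NAT route gives the private subnets no inbound path from the Internet, so the fix is a VPN endpoint in the public subnet, not an IGW route) can be checked mechanically against the posted templates. The following is an added example, not code from the question or the answer: it models the subnets, route tables and the RDS security group from vpc.yml and rds.yml as plain data and decides whether a new TCP connection to port 3306 from a given source can reach the DB instance. The home address 203.0.113.10 (a documentation range) stands in for the "[my IP]" placeholder and 10.0.5.7 is an arbitrary address for an OpenVPN server in SubnetAPublic; both are constructed for the example. It also shows the follow-on caveat for option 3: when the VPN server NATs client traffic (the OpenVPN Access Server default), the DB sees the server's VPC address as the source, and the posted security group only allows the two private subnets, so a rule for the VPN server's subnet (or security group) has to be added.

```python
"""Reachability model for the vpc.yml / rds.yml templates posted above.

Added example. Route tables, subnets and security-group rules are copied
from the templates by hand; NACLs on this page are allow-all in both
directions and are therefore not modeled.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Subnet -> (CIDR, route table), from vpc.yml.
SUBNETS = {
    "SubnetAPublic": ("10.0.0.0/19", "RouteTableAPublic"),
    "SubnetBPublic": ("10.0.32.0/19", "RouteTableBPublic"),
    "SubnetAPrivate": ("10.0.64.0/19", "RouteTableAPrivate"),
    "SubnetBPrivate": ("10.0.96.0/19", "RouteTableBPrivate"),
}

# Route table -> target of its 0.0.0.0/0 route, from vpc.yml. Every VPC
# route table also carries the implicit "local" route for VPC_CIDR.
DEFAULT_ROUTE_TARGET = {
    "RouteTableAPublic": "igw",
    "RouteTableBPublic": "igw",
    "RouteTableAPrivate": "nat",
    "RouteTableBPrivate": "nat",
}

# Constructed stand-in for the "[my IP]" placeholder in rds.yml.
HOME_IP = "203.0.113.10"

# Ingress rules of VPCSecurityGroup from rds.yml: (protocol, from, to, cidr).
DB_SG_INGRESS = [
    ("tcp", 3306, 3306, HOME_IP + "/32"),
    ("tcp", 3306, 3306, "10.0.64.0/19"),
    ("tcp", 3306, 3306, "10.0.96.0/19"),
]


def sg_allows(rules, src_ip, port, proto="tcp"):
    """True if any ingress rule covers proto/port from src_ip.

    Security groups are allow-lists, so the first matching rule decides;
    protocol "-1" means all protocols and all ports."""
    src = ipaddress.ip_address(src_ip)
    for rule_proto, lo, hi, cidr in rules:
        if rule_proto != "-1" and rule_proto != proto:
            continue
        if rule_proto != "-1" and not lo <= port <= hi:
            continue
        if src in ipaddress.ip_network(cidr, strict=False):
            return True
    return False


def can_reach_db(src_ip, db_subnet, publicly_accessible,
                 sg_rules=DB_SG_INGRESS, port=3306):
    """Return (reachable, reason) for a new TCP connection from src_ip to a
    DB instance whose ENI sits in db_subnet."""
    src = ipaddress.ip_address(src_ip)
    _cidr, rtb = SUBNETS[db_subnet]
    if src not in VPC_CIDR:
        # An Internet source needs a return path through an Internet
        # gateway and a public address on the target. A NAT gateway only
        # translates connections that were opened from inside the VPC, so a
        # subnet whose default route is the NAT has no inbound path at all.
        if DEFAULT_ROUTE_TARGET[rtb] != "igw":
            return False, (f"{db_subnet} routes 0.0.0.0/0 via NAT; "
                           "no path from the Internet")
        if not publicly_accessible:
            return False, "instance has no public address"
    # Inside the VPC the implicit local route carries traffic both ways;
    # only the security group is left to decide.
    if not sg_allows(sg_rules, src_ip, port):
        return False, f"security group has no rule for tcp/{port} from {src_ip}"
    return True, "allowed"


def scenarios():
    """The situations discussed on the page, as name -> (reachable, reason)."""
    vpn_server_ip = "10.0.5.7"  # constructed: OpenVPN server in SubnetAPublic
    # Extra rule a practitioner adds for option 3: allow the VPN server's
    # subnet (a reference to the VPN server's security group would be tighter).
    widened = DB_SG_INGRESS + [("tcp", 3306, 3306, SUBNETS["SubnetAPublic"][0])]
    return {
        "home_to_private_db": can_reach_db(HOME_IP, "SubnetAPrivate", False),
        "home_to_public_db": can_reach_db(HOME_IP, "SubnetAPublic", True),
        "vpn_to_private_db": can_reach_db(vpn_server_ip, "SubnetAPrivate", False),
        "vpn_to_private_db_sg_widened": can_reach_db(
            vpn_server_ip, "SubnetAPrivate", False, widened),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:32s} {'REACHABLE' if ok else 'blocked':10s} {why}")
```

Running it prints one line per scenario: the home PC is blocked from the private subnet by the NAT route regardless of the security group, it does reach the public placement that rds.yml actually uses (which is why "PubliclyAccessible: true" plus public subnets works, and why the answer calls that option not recommended), and the VPN server is blocked by the security group until a rule for its subnet is added.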