I'm using CloudFormation to create a VPC, and it fails when it gets to creating the subnets. I checked and I believe the subnets to be valid, though my networking knowledge is somewhat lacking.
This is the error I get:
00:46:49 UTC-0400 CREATE_FAILED AWS::EC2::Subnet SubnetA The CIDR '172.16.64.0/16' is invalid.
00:46:49 UTC-0400 CREATE_IN_PROGRESS AWS::EC2::RouteTable RouteTable Resource creation Initiated
00:46:49 UTC-0400 CREATE_FAILED AWS::EC2::Subnet SubnetB The CIDR '197.16.128.0/16' is invalid.
And this is the template I'm trying to use:
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.16.0.0/18
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: JF-Staging-VPC
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a
      VpcId: !Ref VPC
      CidrBlock: 172.16.64.0/16
      MapPublicIpOnLaunch: False
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1b
      VpcId: !Ref VPC
      CidrBlock: 197.16.128.0/16
      MapPublicIpOnLaunch: False
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    # The route needs the gateway to be attached to the VPC, not merely created
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SecurityGroupSSH:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "SSH Group"
      GroupDescription: "SSH traffic in, all traffic out."
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  SecurityGroupWeb:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Web Group"
      GroupDescription: "Web traffic in, all traffic out."
      VpcId: !Ref VPC
      # A YAML mapping cannot repeat a key, so both web ports go in one ingress list
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '80'
          ToPort: '80'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '443'
          ToPort: '443'
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
Metadata:
  VPC:
    Description: "Creating the JF Staging VPC"
  InternetGateway:
    Description: "Creating an Internet Gateway"
Can someone let me know where I'm going wrong and how to correct this?
As per the error message, your IP address (CIDR) ranges are invalid.
Your template sets the following CIDR ranges:
VPC: 172.16.0.0/18
SubnetA: 172.16.64.0/16
SubnetB: 197.16.128.0/16
Neither of these subnet ranges is part of the VPC range. All subnet ranges must fall within the range specified by the VPC. In fact, both of your subnets are larger (/16) than the VPC (/18).
Here, for example, are ranges that work fine:
VPC: 172.16.0.0/16
SubnetA: 172.16.64.0/24
SubnetB: 172.16.128.0/24
If you do not understand CIDR ranges, see: Understanding IP Addresses, Subnets, and CIDR Notation for Networking
The issue is with 197.16.128.0/16 which is a public IP address which cannot be assigned to a VPC or a subnet.
I think that you really meant to use the address:
172.16.128.0/16
[EDIT]
Change your VPC to 172.16.0.0/16
Then change each subnet to use a portion of the /16 e.g. /24
Examples:
172.16.0.0/24
172.16.1.0/24
172.16.2.0/24
etc.
The issue with your current implementation is that your VPC is a /18, which is smaller than the /16 subnets you are trying to create. You want the reverse: /16 for the VPC and /24, or anything smaller than /16, for the subnets.
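The containment rule both answers describe can be checked before a stack is ever launched. The following is an added example, not code from either answer or from AWS: it takes a template's Resources section already loaded as a Python dict (the loader itself, one that understands the `!Ref` tag, is assumed; the sample dicts below are constructed from the question's values) and reports every subnet that is not a valid network address, lies outside its VPC, breaks the /16 to /28 size limit, is outside the RFC 1918 ranges, or overlaps another subnet.

```python
import ipaddress

# Constructed sample input (not the poster's template verbatim): the VPC and subnet
# CidrBlocks from the question, as they look once the Resources section has been
# loaded into a dict and `!Ref VPC` has become {"Ref": "VPC"}.
BROKEN_RESOURCES = {
    "VPC": {"Type": "AWS::EC2::VPC",
            "Properties": {"CidrBlock": "172.16.0.0/18"}},
    "SubnetA": {"Type": "AWS::EC2::Subnet",
                "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "172.16.64.0/16"}},
    "SubnetB": {"Type": "AWS::EC2::Subnet",
                "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "197.16.128.0/16"}},
}

# The same layout with the ranges the answer proposes.
FIXED_RESOURCES = {
    "VPC": {"Type": "AWS::EC2::VPC",
            "Properties": {"CidrBlock": "172.16.0.0/16"}},
    "SubnetA": {"Type": "AWS::EC2::Subnet",
                "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "172.16.64.0/24"}},
    "SubnetB": {"Type": "AWS::EC2::Subnet",
                "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "172.16.128.0/24"}},
}

MIN_PREFIX, MAX_PREFIX = 16, 28  # VPC and subnet blocks must be between /16 and /28


def _ref_name(value):
    """Logical name behind a VpcId, whether it is a bare string or {"Ref": name}."""
    return value["Ref"] if isinstance(value, dict) else value


def _parse(cidr, findings, name):
    """Parse strictly first: 172.16.64.0/16 has host bits set, which is exactly
    what EC2 reports as 'The CIDR ... is invalid'. Fall back to the normalised
    network so the remaining checks can still run."""
    try:
        return ipaddress.ip_network(cidr)
    except ValueError:
        findings.setdefault(name, []).append(
            f"{cidr} is not a valid network address (host bits set)")
        return ipaddress.ip_network(cidr, strict=False)


def check_vpc_cidrs(resources):
    """Return {logical_name: [problems]} for every VPC or subnet CIDR that EC2
    would reject or that breaks the subnet-inside-VPC rule. Empty dict = clean."""
    findings = {}
    vpcs = {}
    for name, res in resources.items():
        if res["Type"] != "AWS::EC2::VPC":
            continue
        net = _parse(res["Properties"]["CidrBlock"], findings, name)
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            findings.setdefault(name, []).append(
                f"/{net.prefixlen} is outside the allowed /{MIN_PREFIX}-/{MAX_PREFIX} range")
        if not net.is_private:
            findings.setdefault(name, []).append(f"{net} is not an RFC 1918 private range")
        vpcs[name] = net

    seen = []  # (name, network) of subnets already checked, for overlap detection
    for name, res in resources.items():
        if res["Type"] != "AWS::EC2::Subnet":
            continue
        props = res["Properties"]
        net = _parse(props["CidrBlock"], findings, name)
        vpc_name = _ref_name(props["VpcId"])
        vpc = vpcs.get(vpc_name)
        if vpc is None:
            findings.setdefault(name, []).append(f"VpcId {vpc_name} is not a VPC in this template")
        elif not net.subnet_of(vpc):
            findings.setdefault(name, []).append(f"{net} is not inside VPC {vpc_name} ({vpc})")
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            findings.setdefault(name, []).append(
                f"/{net.prefixlen} is outside the allowed /{MIN_PREFIX}-/{MAX_PREFIX} range")
        if not net.is_private:
            findings.setdefault(name, []).append(f"{net} is not an RFC 1918 private range")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.setdefault(name, []).append(f"{net} overlaps {other_name} ({other})")
        seen.append((name, net))
    return findings


if __name__ == "__main__":
    for label, resources in (("broken", BROKEN_RESOURCES), ("fixed", FIXED_RESOURCES)):
        print(label, check_vpc_cidrs(resources) or "no problems")
```

Run on the question's values, SubnetA is reported twice (host bits set, not inside the /18) and SubnetB three times (host bits set, not inside the VPC, not a private range); the answer's /16 plus /24 layout produces no findings. The strict parse is the important detail: the "is invalid" error the poster saw comes from the host bits, independently of the containment problem.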
Related
I am trying to deploy a set of EC2 instances through CloudFormation. The code for my CloudFormation template:
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref ESVpcCIDR
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: ES-VPC
  #Connection configuration Starts
  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: ESInternetGateway
  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGateway
      VpcId: !Ref VPC
  #Connection Configuration ends
  ESJenkinsSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: !Ref ESJenkinsCIDR
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: ESJenkinsSubnet
  ESDevMuleSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      AvailabilityZone: !Select [ 0, !GetAZs '' ]
      CidrBlock: !Ref ESDevMuleCIDR
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: ESDevMuleSubnet
  #Route Table configuration starts
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: RouteTable
  DefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  ESJenkinsSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref ESJenkinsSubnet
  ESDevMuleSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref ESDevMuleSubnet
  #Security Group Start
  NoIngressSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "no-ingress-security-group"
      GroupDescription: "Security group with no ingress rule"
      VpcId: !Ref VPC
  ESJenkinsSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: "ES-Jenkins-security-group"
      GroupDescription: Enable SSH access via port 22
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8085
          CidrIp: 0.0.0.0/0
  ESDEVMuleSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: "ES-DEV-Mule-security-group"
      GroupDescription: Enable SSH access via port 22
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8085
          CidrIp: 0.0.0.0/0
  EC2InstanceMuleDev:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref ESMuleDEVInstanceType
      ImageId:
        Fn::FindInMap:
          - RegionMap
          - Ref: AWS::Region
          - MuleAMI
      NetworkInterfaces:
        - GroupSet:
            - Ref: ESDEVMuleSecurityGroup
          AssociatePublicIpAddress: 'true'
          DeviceIndex: '0'
          SubnetId: !Ref ESDevMuleSubnet
      KeyName: !Ref ESLoginKeyPair
      Tags:
        - Key: Name
          Value: ESDEVMULE
  EC2InstanceJenkins:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref ESJenkinsInstanceType
      ImageId:
        Fn::FindInMap:
          - RegionMap
          - Ref: AWS::Region
          - JenkinsAMI
      NetworkInterfaces:
        - GroupSet:
            - Ref: ESJenkinsSecurityGroup
          AssociatePublicIpAddress: 'true'
          DeviceIndex: '0'
          SubnetId:
            Ref: ESJenkinsSubnet
      KeyName: !Ref ESLoginKeyPair
      Tags:
        - Key: Name
          Value: ESJENKINS
I am creating the key pair mentioned here through the AWS CLI, using the create-key-pair command.
The problem is, I can't SSH into any of the instances; the SSH client throws a "key too public" error. Am I missing any connectivity detail?
All the required parameter references have been taken care of through Parameter Store. The mapping for the AMI is done correctly; it is not included here for obvious reasons.
Update
I have tried creating a standalone instance in the default VPC, and in other AWS accounts as well: same issue. So I don't believe the problem is with the template, rather it is an SSH issue.
You should change permissions of the key as explained in the docs:
chmod 400 my-key-pair.pem
This is just a permission problem; your file is too exposed to others. Please try:
chmod 600 ESLoginKeyPair.pem
This changes the file's permissions so that it is only readable by the current user.
Now try to ssh into your server again.
I have created a CloudFormation template with the below resources:
---
Resources:
  InsuranceVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 11.0.0.0/16
      EnableDnsSupport: 'false'
      EnableDnsHostnames: 'false'
      InstanceTenancy: dedicated
      Tags:
        - Key: work
          Value: insurance
        - Key: name
          Value: InsuranceVPC
  InsuranceInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: work
          Value: insurance
        - Key: name
          Value: InsuranceInternetGateway
  InsuranceSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: InsuranceVPC
      CidrBlock: 11.0.2.0/24
      AvailabilityZone: "ap-south-1a"
      Tags:
        - Key: work
          Value: insurance
        - Key: name
          Value: InsuranceSubnet
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: InsuranceVPC
      InternetGatewayId:
        Ref: InsuranceInternetGateway
  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "ami-0732b62d310b80e97"
      InstanceType: "t2.medium"
      KeyName: "DevOpsAutomation"
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet:
            - Ref: "InsuranceSecurityGroup"
          SubnetId:
            Ref: "InsuranceSubnet"
  InsuranceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http and ssh to client host
      VpcId:
        Ref: InsuranceVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
All resource creations are successful except Ec2Instance, which fails with the below error:
The requested configuration is currently not supported. Please check the documentation for supported configurations. (Service: AmazonEC2; Status Code: 400; Error Code: Unsupported; Request ID: a59a2d39-3aa9-4f7b-9cbd-db05dca0d61e)
The following resource(s) failed to create: [Ec2Instance]. . Rollback requested by use
What I have checked:
The ImageId and InstanceType exist in the same region (or AZ)
All other objects and their dependencies are met
Though I understand I haven't yet created the route table and route entries, that shouldn't affect EC2 instance resource creation
I am a privileged user, able to create resources.
Please help or guide me on what I am missing here.
I launched your template on my sandbox account.
I've identified some issues: a missing DependsOn on the instance, the VPC has dedicated tenancy, and the GroupSet is incorrect.
I modified the template so it fully works now in us-east-1. You have to adjust it to your own region (AMI also needs to be changed back to your original one if not using us-east-1).
---
Resources:
  InsuranceVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 11.0.0.0/16
      EnableDnsSupport: 'false'
      EnableDnsHostnames: 'false'
      InstanceTenancy: default
      Tags:
        - Key: work
          Value: insurance
        - Key: name
          Value: InsuranceVPC
  InsuranceInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: work
          Value: insurance
        - Key: name
          Value: InsuranceInternetGateway
  InsuranceSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: InsuranceVPC
      CidrBlock: 11.0.2.0/24
      AvailabilityZone: "us-east-1a"
      Tags:
        - Key: work
          Value: insurance
        - Key: name
          Value: InsuranceSubnet
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
        Ref: InsuranceVPC
      InternetGatewayId:
        Ref: InsuranceInternetGateway
  Ec2Instance:
    Type: AWS::EC2::Instance
    DependsOn: AttachGateway
    Properties:
      ImageId: "ami-08f3d892de259504d"
      InstanceType: "t2.medium"
      KeyName: "MyKeyPair"
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet:
            - !GetAtt InsuranceSecurityGroup.GroupId
          SubnetId:
            Ref: "InsuranceSubnet"
  InsuranceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http and ssh to client host
      VpcId:
        Ref: InsuranceVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
Your VPC is set to dedicated tenancy, which has limits on the resources you can launch in it (including certain instance types).
Some AWS services or their features won't work with a VPC with the instance tenancy set to dedicated. Check the service's documentation to confirm whether there are any limitations.
Some instance types cannot be launched into a VPC with the instance tenancy set to dedicated. For more information about supported instance types, see Amazon EC2 Dedicated Instances.
You should check the link above to compare against your instance type.
I am deploying an EC2 instance using CloudFormation. Then I installed Apache and uploaded the files to the EC2 instance after deployment. When the instance is deployed I cannot access it using the public DNS from a browser.
This is my EC2 instance resource and its security group.
WebServerInstance:
  Type: AWS::EC2::Instance
  Properties:
    InstanceType: !Ref InstanceType
    KeyName: !Ref KeyName
    SubnetId: !Ref PublicSubnet1
    ImageId:
      Fn::FindInMap:
        - AWSRegionArch2AMI
        - Ref: AWS::Region
        - Fn::FindInMap:
            - AWSInstanceType2Arch
            - Ref: InstanceType
            - Arch
    AvailabilityZone: !Select
      - 0
      - Fn::GetAZs: !Ref AWS::Region
WebServerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Enable HTTP access via port 80
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '80'
        ToPort: '80'
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: '22'
        ToPort: '22'
        CidrIp:
          Ref: SSHLocation
    VpcId: !Ref Vpc
When I access it from the browser, it just keeps loading loading and loading. I set the inbound rules on the security group too. What is wrong with it and how can I fix it?
This is my public DNS,
http://ec2-3-{xxx-xxx-xx}.eu-west-1.compute.amazonaws.com/
This is the Public subnet resource.
PublicSubnet1:
  Type: AWS::EC2::Subnet
  Properties:
    VpcId: !Ref Vpc
    CidrBlock: !Select [ 0, !Cidr [ !Ref VpcCidr, 12, 8 ] ]
    MapPublicIpOnLaunch: True
    AvailabilityZone: !Select
      - 0
      - Fn::GetAZs: !Ref AWS::Region
There is a route table for public subnet.
In the internet gateway console there is only one gateway, and it is not attached to the VPC from the template. Can this be the issue?
Edit
I got this error
There are several reasons, apart from the security group, that can block access. The following should be checked:
Check that your instance's subnet has a route in its route table for 0.0.0.0/0 whose target is an internet gateway.
Each subnet has a route table (this will be the main route table if you did not associate one explicitly).
This can be done with the CloudFormation below:
InternetGateway:
  Type: AWS::EC2::InternetGateway
AttachGateway:
  Type: AWS::EC2::VPCGatewayAttachment
  Properties:
    VpcId:
      Ref: VPC
    InternetGatewayId:
      Ref: InternetGateway
RouteTable:
  Type: AWS::EC2::RouteTable
  Properties:
    VpcId:
      Ref: VPC
Route:
  Type: AWS::EC2::Route
  # The route can only target a gateway that is already attached to the VPC
  DependsOn: AttachGateway
  Properties:
    RouteTableId:
      Ref: RouteTable
    DestinationCidrBlock: 0.0.0.0/0
    GatewayId:
      Ref: InternetGateway
SubnetRouteTableAssociation:
  Type: AWS::EC2::SubnetRouteTableAssociation
  Properties:
    SubnetId:
      Ref: Subnet  # the subnet the instance is launched into
    RouteTableId:
      Ref: RouteTable
If you updated the default NACL, make sure you added both port 80 and the ephemeral ports to the rules.
Make sure Apache is running on the host (not just installed). This can be done by running systemctl start apache2 on a Debian-based OS or systemctl start httpd on a RHEL-based one.
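The first two items on this checklist (an active 0.0.0.0/0 route to an internet gateway on the subnet's route table, falling back to the VPC's main table, and a NACL that allows port 80 in and the ephemeral ports out) can be tested against the API's own data shapes. This is an added example, not part of the answer above: the route tables and NACL entries are constructed samples in the shape of EC2 DescribeRouteTables and DescribeNetworkAcls output, so the same functions run unchanged on a boto3 response, and the ids vpc-1, subnet-public and igw-example are placeholders.

```python
# Constructed sample (not real account data) in the shape of DescribeRouteTables output.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1",
     "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-1",
     "Associations": [{"Main": False, "SubnetId": "subnet-public", "RouteTableId": "rtb-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
]


def _entry(rule, egress, action, proto="6", ports=None, cidr="0.0.0.0/0"):
    """Build one NACL entry in the shape of DescribeNetworkAcls output (constructed)."""
    e = {"RuleNumber": rule, "Egress": egress, "RuleAction": action,
         "Protocol": proto, "CidrBlock": cidr}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e


# A NACL that lets port 80 in and the ephemeral reply ports out ...
GOOD_NACL = [
    _entry(100, False, "allow", ports=(80, 80)),
    _entry(100, True, "allow", ports=(1024, 65535)),
    _entry(32767, False, "deny", proto="-1"),   # the '*' default rules
    _entry(32767, True, "deny", proto="-1"),
]
# ... and one that forgot the ephemeral egress rule, so replies are dropped.
BAD_NACL = [
    _entry(100, False, "allow", ports=(80, 80)),
    _entry(100, True, "allow", ports=(80, 80)),
    _entry(32767, False, "deny", proto="-1"),
    _entry(32767, True, "deny", proto="-1"),
]


def route_table_for_subnet(route_tables, vpc_id, subnet_id):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def internet_gateway_route(route_table):
    """Return the IGW id behind an active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State") == "active"
                and route.get("GatewayId", "").startswith("igw-")):
            return route["GatewayId"]
    return None


def subnet_is_public(route_tables, vpc_id, subnet_id):
    """True when the subnet's effective route table sends default traffic to an IGW."""
    rt = route_table_for_subnet(route_tables, vpc_id, subnet_id)
    return rt is not None and internet_gateway_route(rt) is not None


def nacl_allows(entries, egress, port):
    """NACLs are evaluated lowest rule number first; the first match decides and
    no match means deny. Only TCP (6) and 'all' (-1) entries are considered."""
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] != egress or entry["Protocol"] not in ("-1", "6"):
            continue
        pr = entry.get("PortRange")
        if pr is None or pr["From"] <= port <= pr["To"]:
            return entry["RuleAction"] == "allow"
    return False


EPHEMERAL_PROBES = (1024, 32768, 60999, 65535)  # spot checks across the ephemeral range


def web_nacl_ok(entries):
    """HTTP needs 80 inbound plus the client's ephemeral ports outbound for the replies."""
    return nacl_allows(entries, False, 80) and all(
        nacl_allows(entries, True, p) for p in EPHEMERAL_PROBES)


if __name__ == "__main__":
    print("subnet-public:", subnet_is_public(ROUTE_TABLES, "vpc-1", "subnet-public"))
    print("subnet-other: ", subnet_is_public(ROUTE_TABLES, "vpc-1", "subnet-other"))
    print("good NACL:", web_nacl_ok(GOOD_NACL), " bad NACL:", web_nacl_ok(BAD_NACL))
```

A subnet with no explicit association falls through to the main route table, which in the sample only has the local route, so it is reported as not public; that is the situation the question describes when the template's gateway is not attached. The NACL check is a spot check at a few ports rather than a proof over the whole range, since a rule list can split the range arbitrarily.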
I am trying to build an AWS CloudFormation template to create a VPC, public subnet, and then launch an EC2 instance into that subnet. While I'm able to create the VPC and subnet resources when I try to launch the EC2 instance into the newly created subnet I get an error:
The requested configuration is currently not supported. Please check the documentation for supported configurations. (Service: AmazonEC2; Status Code: 400; Error Code: Unsupported; Request ID: 953bf578-375e-4d4a-bc27-b7193543ea94)
If I comment out the reference to the subnet in the EC2 creation block, the script works but the instance gets launched into a default subnet and not the one created earlier in the script (which isn't what I want).
The script:
Resources:
  VPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: 'false'
      EnableDnsHostnames: 'false'
      InstanceTenancy: dedicated
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.0.0/24
      AvailabilityZone: !Select [ 0, !GetAZs ]
  InternetGateway:
    Type: 'AWS::EC2::InternetGateway'
    DependsOn: VPC
  AttachGateway:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PublicRoute:
    Type: 'AWS::EC2::Route'
    DependsOn: 'AttachGateway'
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteTableAssociation:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  Ec2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0323c3dd2da7fb37d
      SubnetId: !Ref PublicSubnet # The offending line (?)
      KeyName: MyEC2KeyPair
This is a result of your VPC tenancy being dedicated.
I can confirm that t2 instances do not support dedicated hosts. Either remove dedicated hosting for the VPC or update your instance type to be something else.
You can update the VPC tenancy to default, which will return it to shared hosting; alternatively look at a T3 burstable instance, which is supported.
Look here for additional information: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html
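Both this answer and the earlier dedicated-tenancy answer come down to the same check: walk each instance to its subnet and on to its VPC, and flag a t2 type inside a VPC whose InstanceTenancy is dedicated. As an added example (not the answers' code, and not an AWS tool), the following does that over a Resources dict loaded from a template; it handles SubnetId given directly, as in this question, and SubnetId given on a network interface, as in the earlier one. The instance-family set is taken from the answers' statement about t2 and is an assumption to extend from the Dedicated Instances documentation; the sample resources are constructed.

```python
import copy

# Constructed sample (not the poster's template verbatim): the resources that matter
# for tenancy, loaded into a dict with `!Ref X` already expanded to {"Ref": "X"}.
RESOURCES = {
    "VPC": {"Type": "AWS::EC2::VPC",
            "Properties": {"CidrBlock": "10.0.0.0/16", "InstanceTenancy": "dedicated"}},
    "PublicSubnet": {"Type": "AWS::EC2::Subnet",
                     "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.0.0/24"}},
    # SubnetId on the instance itself, as in the question above
    "Ec2Instance": {"Type": "AWS::EC2::Instance",
                    "Properties": {"InstanceType": "t2.micro",
                                   "SubnetId": {"Ref": "PublicSubnet"}}},
    # SubnetId on a network interface, as in the earlier question; t3 is allowed
    "EniInstance": {"Type": "AWS::EC2::Instance",
                    "Properties": {"InstanceType": "t3.micro",
                                   "NetworkInterfaces": [{"DeviceIndex": "0",
                                                          "SubnetId": {"Ref": "PublicSubnet"}}]}},
}

# Instance families the answers say cannot run as Dedicated Instances.
# Assumption: extend this set from the Dedicated Instances documentation.
NOT_DEDICATED_CAPABLE = {"t2"}


def _ref(value):
    """Logical name behind a property, whether a bare string or {"Ref": name}."""
    return value["Ref"] if isinstance(value, dict) else value


def instance_subnet(props):
    """SubnetId may sit on the instance or on its first network interface."""
    if "SubnetId" in props:
        return _ref(props["SubnetId"])
    for eni in props.get("NetworkInterfaces", []):
        if "SubnetId" in eni:
            return _ref(eni["SubnetId"])
    return None


def vpc_tenancy(resources, instance_props):
    """Walk instance -> subnet -> VPC and return the VPC's InstanceTenancy
    ('default' when unset), or None if the chain leaves the template."""
    subnet = resources.get(instance_subnet(instance_props))
    if subnet is None or subnet["Type"] != "AWS::EC2::Subnet":
        return None
    vpc = resources.get(_ref(subnet["Properties"]["VpcId"]))
    if vpc is None or vpc["Type"] != "AWS::EC2::VPC":
        return None
    return vpc["Properties"].get("InstanceTenancy", "default")


def check_tenancy(resources):
    """Return {instance_name: message} for instances whose type cannot be launched
    into a dedicated-tenancy VPC. Parameterised (unresolved) types are skipped."""
    findings = {}
    for name, res in resources.items():
        if res["Type"] != "AWS::EC2::Instance":
            continue
        props = res["Properties"]
        itype = props.get("InstanceType")
        if not isinstance(itype, str):
            continue
        family = itype.split(".")[0]
        if vpc_tenancy(resources, props) == "dedicated" and family in NOT_DEDICATED_CAPABLE:
            findings[name] = f"{itype} cannot launch into a VPC with InstanceTenancy: dedicated"
    return findings


def with_default_tenancy(resources):
    """The fix the answer recommends: a copy of the template with every VPC on shared tenancy."""
    fixed = copy.deepcopy(resources)
    for res in fixed.values():
        if res["Type"] == "AWS::EC2::VPC":
            res["Properties"]["InstanceTenancy"] = "default"
    return fixed


if __name__ == "__main__":
    print("as posted:", check_tenancy(RESOURCES) or "no problems")
    print("tenancy default:", check_tenancy(with_default_tenancy(RESOURCES)) or "no problems")
```

Run as posted, only Ec2Instance (t2.micro) is flagged; the t3.micro instance passes, matching the answer's suggestion of a T3 type as the alternative to changing the VPC tenancy.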
This question already has answers here:
Create AMI image as part of a cloudformation stack
(4 answers)
Closed 3 years ago.
I have written CloudFormation YAML code to create a VPC with 2 public subnets across multiple AZs and 2 private subnets across multiple AZs. I have created an internet gateway, route tables and security groups (one public and one private for both the route tables and the security groups), and associated the subnets with the respective route tables. I have created an ALB and an ASG. All of this is done using CloudFormation.
I have specified the desired instances as 2, min as 1 and max as 4 in the ASG CloudFormation template. In the launch configuration template I have specified that all instances should be launched in the private subnets across multiple AZs. The ALB is placed in the public subnets and is internet facing. I haven't created a NAT gateway.
I will create an instance in a public subnet with user data to install httpd. My question is: is there any way to create an image of this instance, as a condition in the same code?
If this is possible, what I will do is use the AMI ID of the image created from the public instance to create the instances in the private subnets.
Resources:
  CFVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: Cloud_Formation_VPC
  CFIGW:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: Cloud_Formation_IGW
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref CFVPC
      InternetGatewayId: !Ref CFIGW
  CFPublicSubnet1a:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CFVPC
      AvailabilityZone: ap-south-1a
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public Subnet 1a
  CFPrivateSubnet1a:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CFVPC
      AvailabilityZone: ap-south-1a
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Private Subnet 1a
  CFPublicSubnet1b:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CFVPC
      AvailabilityZone: ap-south-1b
      CidrBlock: 10.0.3.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public Subnet 1b
  CFPrivateSubnet1b:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref CFVPC
      AvailabilityZone: ap-south-1b
      CidrBlock: 10.0.4.0/24
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Private Subnet 1b
  CFPublicRT:
    Type: AWS::EC2::RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: Public RT
      VpcId: !Ref CFVPC
  CFPrivateRT:
    Type: AWS::EC2::RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: Private RT
      VpcId: !Ref CFVPC
  routetablepublicsubnetassociation1a:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref CFPublicRT
      SubnetId: !Ref CFPublicSubnet1a
  routetablepublicsubnetassociation1b:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref CFPublicRT
      SubnetId: !Ref CFPublicSubnet1b
  routetableprivatesubnetassociation1a:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref CFPrivateRT
      SubnetId: !Ref CFPrivateSubnet1a
  routetableprivatesubnetassociation1b:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref CFPrivateRT
      SubnetId: !Ref CFPrivateSubnet1b
  CFPublicRoute:
    Type: AWS::EC2::Route
    # The route can only be created once the gateway is attached to the VPC
    DependsOn: AttachGateway
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref CFIGW
      RouteTableId: !Ref CFPublicRT
  CFALBSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http/https/ssh
      VpcId: !Ref CFVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 106.51.140.198/32
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 122.179.31.197/32
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: -1
  CFec2SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow SSH
      VpcId: !Ref CFVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref CFALBSG
  CFAlbTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckIntervalSeconds: 10
      HealthCheckPath: /http
      HealthCheckPort: 80
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 7
      HealthyThresholdCount: 5
      Name: alb-target-group
      Port: 80
      Protocol: HTTP
      Tags:
        - Key: Name
          Value: Alb-TargetGp
      UnhealthyThresholdCount: 10
      VpcId: !Ref CFVPC
  CFALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      IpAddressType: ipv4
      Type: application
      Name: cf-elb
      Scheme: internet-facing
      SecurityGroups:
        - !Ref CFALBSG
      Subnets:
        - !Ref CFPublicSubnet1a
        - !Ref CFPublicSubnet1b
      Tags:
        - Key: Name
          Value: CF-ALB
  CFALBListner:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - TargetGroupArn: !Ref CFAlbTargetGroup
          Type: forward
      LoadBalancerArn: !Ref CFALB
      Port: 80
      Protocol: HTTP
  CFASGLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      AssociatePublicIpAddress: true
      ImageId: ami-043f9106e7f451340
      InstanceMonitoring: false
      InstanceType: t2.micro
      KeyName: QuadraKeyBLR
      SecurityGroups:
        - !Ref CFec2SG
  CFPlacementGroup:
    Type: AWS::EC2::PlacementGroup
    Properties:
      Strategy: spread
  CFASG:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AutoScalingGroupName: Cloudformation_autoscalling
      AvailabilityZones:
        - ap-south-1a
        - ap-south-1b
      LaunchConfigurationName: !Ref CFASGLaunchConfig
      VPCZoneIdentifier:
        - !Ref CFPrivateSubnet1a
        - !Ref CFPrivateSubnet1b
      Cooldown: 120
      DesiredCapacity: 2
      MaxSize: 4
      MinSize: 1
      PlacementGroup: !Ref CFPlacementGroup
      TargetGroupARNs:
        - !Ref CFAlbTargetGroup
Looks like this question was answered already: Create AMI image as part of a cloudformation stack
It's an old answer, but it still seems valid.
Thanks!