AWS Lambda in VPC doesn't have internet access behind NAT - amazon-web-services

My problem is that a Lambda function that I run behind NAT inside a VPC with an IGW doesn't have access to anything on the Internet.
What I'm trying to do is creating a VPC that has:
Internet Gateway;
2 private subnets (PrivateA and PrivateB) in availability zones A and B respectively;
1 public subnet (PublicA) in availability zone A
NAT Gateway in PublicA subnet
PrivateA and PrivateB have a route table that routes 0.0.0.0/0 to the NAT Gateway.
PublicA has a route table that routes 0.0.0.0/0 to the Internet Gateway.
Private subnets, as well as the public subnet have Access Control Lists allowing all Ingress and Egress traffic.
That part kind of works.
Next, I want to create a Lambda function inside the VPC. I put it into PrivateA and PrivateB and assign to it a Security Group that allows all Egress and Ingress traffic.
Below is a self-contained example (the whole template) that reproduces the issue. I've read all the possible docs and articles on the Internet so I would very much appreciate it if anybody could point me in the right direction.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"Vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsSupport": true,
"EnableDnsHostnames": true,
"InstanceTenancy": "default"
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway"
},
"VpcGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": { "Ref": "Vpc" },
"InternetGatewayId": { "Ref": "InternetGateway" }
}
},
"ElasticIP":{
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"NatGateway": {
"Type": "AWS::EC2::NatGateway",
"DependsOn": [ "VpcGatewayAttachment" ],
"Properties": {
"AllocationId": { "Fn::GetAtt": [ "ElasticIP", "AllocationId" ] },
"SubnetId": { "Ref": "SubnetAPublic" }
}
},
"SubnetAPublic": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": { "Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ] },
"CidrBlock": "10.0.0.0/19",
"MapPublicIpOnLaunch": true,
"VpcId": { "Ref": "Vpc" }
}
},
"SubnetAPrivate": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": { "Fn::Select" : [ "0", { "Fn::GetAZs" : "" } ] },
"CidrBlock": "10.0.64.0/19",
"VpcId": { "Ref": "Vpc" }
}
},
"SubnetBPrivate": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"AvailabilityZone": { "Fn::Select" : [ "1", { "Fn::GetAZs" : "" } ] },
"CidrBlock": "10.0.96.0/19",
"VpcId": { "Ref": "Vpc" }
}
},
"RouteTablePublic": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": { "Ref": "Vpc" }
}
},
"RouteTablePrivate": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": { "Ref": "Vpc" }
}
},
"RouteTableAssociationAPublic": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": { "Ref": "SubnetAPublic" },
"RouteTableId": { "Ref": "RouteTablePublic" }
}
},
"RouteTableAssociationAPrivate": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": { "Ref": "SubnetAPrivate" },
"RouteTableId": { "Ref": "RouteTablePrivate" }
}
},
"RouteTableAssociationBPrivate": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"SubnetId": { "Ref": "SubnetBPrivate" },
"RouteTableId": { "Ref": "RouteTablePrivate" }
}
},
"RouteTablePrivateInternetRoute": {
"Type": "AWS::EC2::Route",
"DependsOn": [ "VpcGatewayAttachment" ],
"Properties": {
"RouteTableId": { "Ref": "RouteTablePrivate" },
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": { "Ref": "NatGateway" }
}
},
"RouteTablePublicInternetRoute": {
"Type": "AWS::EC2::Route",
"DependsOn": [ "VpcGatewayAttachment" ],
"Properties": {
"RouteTableId": { "Ref": "RouteTablePublic" },
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": { "Ref": "InternetGateway" }
}
},
"NetworkAclPublic": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": { "Ref": "Vpc" }
}
},
"NetworkAclPrivate": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": { "Ref": "Vpc" }
}
},
"SubnetNetworkAclAssociationAPublic": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties":{
"SubnetId": { "Ref": "SubnetAPublic" },
"NetworkAclId": { "Ref": "NetworkAclPublic" }
}
},
"SubnetNetworkAclAssociationAPrivate": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties":{
"SubnetId": { "Ref": "SubnetAPrivate" },
"NetworkAclId": { "Ref": "NetworkAclPrivate" }
}
},
"SubnetNetworkAclAssociationBPrivate": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"SubnetId": { "Ref": "SubnetBPrivate" },
"NetworkAclId": { "Ref": "NetworkAclPrivate" }
}
},
"NetworkAclEntryInPublicAllowAll": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "NetworkAclPublic" },
"RuleNumber": 99,
"Protocol": -1,
"RuleAction": "allow",
"Egress": false,
"CidrBlock": "0.0.0.0/0"
}
},
"NetworkAclEntryOutPublicAllowAll": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "NetworkAclPublic" },
"RuleNumber": 99,
"Protocol": -1,
"RuleAction": "allow",
"Egress": true,
"CidrBlock": "0.0.0.0/0"
}
},
"NetworkAclEntryInPrivateAllowVpc": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "NetworkAclPrivate" },
"RuleNumber": 99,
"Protocol": -1,
"RuleAction": "allow",
"Egress": false,
"CidrBlock": "0.0.0.0/16"
}
},
"NetworkAclEntryOutPrivateAllowVpc": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"NetworkAclId": { "Ref": "NetworkAclPrivate" },
"RuleNumber": 99,
"Protocol": -1,
"RuleAction": "allow",
"Egress": true,
"CidrBlock": "0.0.0.0/0"
}
},
"LambdasSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Lambdas security group",
"SecurityGroupEgress": [
{ "CidrIp": "0.0.0.0/0", "IpProtocol": "-1" }
],
"SecurityGroupIngress": [
{ "CidrIp": "0.0.0.0/0", "IpProtocol": "-1" }
],
"VpcId": { "Ref": "Vpc" }
}
},
"LambdaFunctionExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "lambda.amazonaws.com" },
"Action": "sts:AssumeRole"
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
}
},
"LambdaFunction": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Handler": "index.lambda_handler",
"Runtime": "python2.7",
"Role": {
"Fn::GetAtt": ["LambdaFunctionExecutionRole", "Arn"]
},
"Code": {
"ZipFile": {
"Fn::Join": ["\n", [
"import urllib2",
"def lambda_handler(event, context):",
"\tresponse = urllib2.urlopen('http://python.org/')",
"\treturn response.read()"
]]
}
},
"VpcConfig": {
"SecurityGroupIds": [
{ "Fn::GetAtt": [ "LambdasSecurityGroup", "GroupId"] }
],
"SubnetIds": [
{ "Ref": "SubnetAPrivate" },
{ "Ref": "SubnetBPrivate" }
]
}
}
}
}
}

The cause of the failed connectivity lies within your ACL config for "NetworkAclEntryInPrivateAllowVpc" and "NetworkAclEntryOutPrivateAllowVpc".
If you open that CIDR block from "0.0.0.0/16" to "0.0.0.0/0", Lambda can access the internet.
I'm not that knowledgeable about NAT, but it seems that the NAT traffic is blocked by that ACL rule.

Related

How to solve JSON error on AWS Bad String?

Don't know where is the bad string here, someone can help me?
It appears like a bad error message on the AWS Console, but i can't find what am i missing here.
This script is to create VPCs, Routes, IGW and a Palo Alto Firewall, think that the problem is some ] or } that i am missing.
Do we have a tool to analyze it, instead of searching manually?
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "PANW Firewall (sample-cft).",
"Parameters": {
"BootstrapBucketName":{
"Description": "Bucket name for FW bootstrap configuration",
"Type": "String"
},
"ServerKeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the FW (Hint: You MUST have its private key)",
"Type": "AWS::EC2::KeyPair::KeyName"
}
},
"Mappings": {
"PANFWRegionMap" : {
"us-west-2" : { "AMI": "ami-d28992ab"},
"ap-northeast-1" : { "AMI": "ami-ab04e7cd"},
"us-west-1" : { "AMI": "ami-0f88a16f"},
"ap-northeast-2" : { "AMI": "ami-6cbd6402"},
"ap-southeast-1" : { "AMI": "ami-1897057b"},
"ap-southeast-2" : { "AMI": "ami-8ed3cced"},
"eu-central-1" : { "AMI": "ami-6df35f02"},
"eu-west-1" : { "AMI": "ami-86d63eff"},
"eu-west-2" : { "AMI": "ami-3c170658"},
"sa-east-1" : { "AMI": "ami-15651279"},
"us-east-1" : { "AMI": "ami-0d7ef242edccdad95"},
"us-east-2" : { "AMI": "ami-f1200094"},
"ca-central-1" : { "AMI": "ami-0f08b76b"},
"ap-south-1" : { "AMI": "ami-1ffc8470"}
},
"Resources": {
"BootstrapRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
} ]
},
"Path":"/",
"Policies": [ {
"PolicyName" : "BootstrapRolePolicy",
"PolicyDocument": {
"Version" : "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "BootstrapBucketName" }]]}
},
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": { "Fn::Join" : ["", [ "arn:aws:s3:::", { "Ref" : "BootstrapBucketName" } , "/*" ]]}
}]
}
}]
}
},
"BootstrapInstanceProfile":{
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [ {
"Ref": "BootstrapRole"
}]
}
},
"NewVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16",
"InstanceTenancy": "default",
"EnableDnsSupport": "true",
"EnableDnsHostnames": "true",
"Tags": [{ "Key": "Name", "Value": "PAN Sample CFT" }]
}
},
"PublicElasticIP": {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"Domain" : "vpc"
},
"DependsOn": [ "NewVPC" ]
},
"ManagementElasticIP": {
"Type" : "AWS::EC2::EIP",
"Properties" : {
"Domain" : "vpc"
},
"DependsOn": [ "NewVPC" ]
},
"NewDBSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "10.0.2.0/24",
"VpcId": {"Ref": "NewVPC"},
"AvailabilityZone": "" ,
"Tags": [{ "Key": "Name", "Value": "PAN Sample CFT" }]
},
"DependsOn": "NewVPC"
},
"NewPublicSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "10.0.0.0/24",
"VpcId": {"Ref": "NewVPC"},
"AvailabilityZone": { "Fn::GetAtt" : [ "NewDBSubnet", "AvailabilityZone" ] },
"Tags": [{ "Key": "Name", "Value": "PAN Sample CFT" }]
},
"DependsOn": [ "NewVPC", "NewDBSubnet" ]
},
"NewWebSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "10.0.1.0/24",
"AvailabilityZone": { "Fn::GetAtt" : [ "NewDBSubnet", "AvailabilityZone" ] },
"VpcId": {"Ref": "NewVPC"},
"Tags": [{ "Key": "Name", "Value": "PAN Sample CFT" }]
},
"DependsOn":[ "NewVPC", "NewDBSubnet" ]
},
"igweb3def8e": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [{ "Key": "Name", "Value": "PAN Sample CFT" }]
}
},
"dopt21c7d043": {
"Type": "AWS::EC2::DHCPOptions",
"Properties": {
"DomainName": "us-west-2.compute.internal",
"DomainNameServers": [
"AmazonProvidedDNS"
]
}
},
"aclb765d6d2": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {"Ref": "NewVPC"}
}
},
"rtb059a2460": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "NewVPC"}
}
},
"rtb049a2461": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {"Ref": "NewVPC"}
}
},
"FWManagementNetworkInterface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"Description": "AWS FW1 MGMT",
"SubnetId": {"Ref": "NewPublicSubnet"},
"SourceDestCheck": "false",
"PrivateIpAddresses": [
{
"PrivateIpAddress": "10.0.0.99",
"Primary": "true"
}
],
"GroupSet": [{"Ref": "sgWideOpen"}],
"Tags": [{"Key": "Name","Value": "WP AWS FW1 MGMT"}]
},
"DependsOn": [ "sgWideOpen" ]
},
"FWPublicNetworkInterface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"Description": "AWS FW1 E1/1",
"SubnetId": {"Ref": "NewPublicSubnet"},
"SourceDestCheck": "false",
"PrivateIpAddresses": [
{
"PrivateIpAddress": "10.0.0.100",
"Primary": "true"
}
],
"GroupSet": [{"Ref": "sgWideOpen"}],
"Tags": [{"Key": "Name","Value": "WP AWS FW1 E1/1"}]
},
"DependsOn": [ "sgWideOpen" ]
},
"FWPrivate12NetworkInterface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"Description": "AWS FW1 E1/2",
"SubnetId": {"Ref": "NewWebSubnet"},
"SourceDestCheck": "false",
"PrivateIpAddresses": [
{
"PrivateIpAddress": "10.0.1.11",
"Primary": "true"
}
],
"GroupSet": [{"Ref": "sgWideOpen"}],
"Tags": [{"Key": "Name","Value": "WP AWS FW1 E1/2"}]
},
"DependsOn": [ "sgWideOpen" ]
},
"FWPrivate13NetworkInterface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"Description": "AWS FW1 E1/3",
"SubnetId": {"Ref": "NewDBSubnet"},
"SourceDestCheck": "false",
"PrivateIpAddresses": [
{
"PrivateIpAddress": "10.0.2.11",
"Primary": "true"
}
],
"GroupSet": [{"Ref": "sgWideOpen"}],
"Tags": [{"Key": "Name", "Value": "WP AWS FW1 E1/3"}]
},
"DependsOn": [ "sgWideOpen" ]
},
"FWEIPMAnagementAssociation": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": { "Fn::GetAtt": [ "ManagementElasticIP", "AllocationId" ] },
"NetworkInterfaceId": { "Ref": "FWManagementNetworkInterface" }
},
"DependsOn": [ "FWManagementNetworkInterface", "ManagementElasticIP" ]
},
"FWEIPPublicAssociation": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": { "Fn::GetAtt": [ "PublicElasticIP", "AllocationId" ] },
"NetworkInterfaceId": { "Ref": "FWPublicNetworkInterface" }
},
"DependsOn": [ "FWPublicNetworkInterface", "PublicElasticIP" ]
},
"sgWideOpen": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Wide open security group",
"VpcId": {"Ref": "NewVPC"},
"Tags": [{"Key": "Name","Value": "Lab External SG"}],
"SecurityGroupIngress" : [
{
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress" : [
{
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}
]
}
},
"acl1": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Egress": "true",
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100",
"NetworkAclId": {
"Ref": "aclb765d6d2"
}
}
},
"acl2": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100",
"NetworkAclId": {
"Ref": "aclb765d6d2"
}
}
},
"subnetacl1": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {"Ref": "aclb765d6d2"},
"SubnetId": {"Ref": "NewDBSubnet"}
}
},
"subnetacl2": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {"Ref": "aclb765d6d2"},
"SubnetId": {"Ref": "NewPublicSubnet"}
}
},
"subnetacl3": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {"Ref": "aclb765d6d2"},
"SubnetId": {"Ref": "NewWebSubnet"}
}
},
"gw1": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {"Ref": "NewVPC"},
"InternetGatewayId": {"Ref": "igweb3def8e"}
}
},
"subnetroute2": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {"Ref": "rtb049a2461"},
"SubnetId": {"Ref": "NewPublicSubnet"}
}
},
"route1": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"RouteTableId": {"Ref": "rtb059a2460"},
"GatewayId": {"Ref": "igweb3def8e"}
},
"DependsOn": "gw1"
},
"route2": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"RouteTableId": {"Ref": "rtb049a2461"},
"GatewayId": {"Ref": "igweb3def8e"}
},
"DependsOn": "gw1"
},
"dchpassoc1": {
"Type": "AWS::EC2::VPCDHCPOptionsAssociation",
"Properties": {
"VpcId": {"Ref": "NewVPC"},
"DhcpOptionsId": {"Ref": "dopt21c7d043"}
}
},
"FWInstance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"DisableApiTermination": "false",
"IamInstanceProfile": {"Ref": "BootstrapInstanceProfile"},
"InstanceInitiatedShutdownBehavior": "stop",
"EbsOptimized": "true",
"ImageId": { "Fn::FindInMap" : [ "PANFWRegionMap", { "Ref" : "AWS::Region" }, "AMI" ] },
"InstanceType": "m4.xlarge",
"BlockDeviceMappings" :
[
{
"DeviceName" : "/dev/xvda",
"Ebs" :
{
"VolumeType" : "gp2",
"DeleteOnTermination" : "true",
"VolumeSize" : "60"
}
}
],
"KeyName": { "Ref" : "ServerKeyName" },
"Monitoring": "false",
"Tags": [{ "Key": "Name", "Value": "WP VM-Series Firewall" }],
"NetworkInterfaces": [
{
"NetworkInterfaceId": { "Ref": "FWManagementNetworkInterface"},
"DeviceIndex": 0
},
{
"NetworkInterfaceId": { "Ref": "FWPublicNetworkInterface"},
"DeviceIndex": 1
},
{
"NetworkInterfaceId": { "Ref": "FWPrivate12NetworkInterface"},
"DeviceIndex": 2
},
{
"NetworkInterfaceId": { "Ref": "FWPrivate13NetworkInterface"},
"DeviceIndex": 3
}
],
"UserData": { "Fn::Base64" : { "Fn::Join" : ["", [
"vmseries-bootstrap-aws-s3bucket=", { "Ref" : "BootstrapBucketName" }
]]}}
},
"DependsOn": [ "FWPublicNetworkInterface", "FWPrivate12NetworkInterface", "FWPrivate13NetworkInterface", "NewPublicSubnet" ]
},
"Outputs": {
"FirewallManagementURL": {
"Description": "VM-Series management interface URL",
"Value": { "Fn::Join" : ["", [
"https://",
{ "Ref": "ManagementElasticIP"}
]]}}
},
}]]
}
}
}
Yes, you had missing } and some extra ,. Below is valid json. The template may have other issues, but your current error is about invalid json, so I fixed only that. For new issues, please make new question.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "PANW Firewall (sample-cft).",
"Parameters": {
"BootstrapBucketName": {
"Description": "Bucket name for FW bootstrap configuration",
"Type": "String"
},
"ServerKeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the FW (Hint: You MUST have its private key)",
"Type": "AWS::EC2::KeyPair::KeyName"
}
},
"Mappings": {
"PANFWRegionMap": {
"us-west-2": {
"AMI": "ami-d28992ab"
},
"ap-northeast-1": {
"AMI": "ami-ab04e7cd"
},
"us-west-1": {
"AMI": "ami-0f88a16f"
},
"ap-northeast-2": {
"AMI": "ami-6cbd6402"
},
"ap-southeast-1": {
"AMI": "ami-1897057b"
},
"ap-southeast-2": {
"AMI": "ami-8ed3cced"
},
"eu-central-1": {
"AMI": "ami-6df35f02"
},
"eu-west-1": {
"AMI": "ami-86d63eff"
},
"eu-west-2": {
"AMI": "ami-3c170658"
},
"sa-east-1": {
"AMI": "ami-15651279"
},
"us-east-1": {
"AMI": "ami-0d7ef242edccdad95"
},
"us-east-2": {
"AMI": "ami-f1200094"
},
"ca-central-1": {
"AMI": "ami-0f08b76b"
},
"ap-south-1": {
"AMI": "ami-1ffc8470"
}
}
},
"Resources": {
"BootstrapRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
},
"Path": "/",
"Policies": [{
"PolicyName": "BootstrapRolePolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": {
"Fn::Join": ["", ["arn:aws:s3:::", {
"Ref": "BootstrapBucketName"
}]]
}
},
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": {
"Fn::Join": ["", ["arn:aws:s3:::", {
"Ref": "BootstrapBucketName"
}, "/*"]]
}
}
]
}
}]
}
},
"BootstrapInstanceProfile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [{
"Ref": "BootstrapRole"
}]
}
},
"NewVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16",
"InstanceTenancy": "default",
"EnableDnsSupport": "true",
"EnableDnsHostnames": "true",
"Tags": [{
"Key": "Name",
"Value": "PAN Sample CFT"
}]
}
},
"PublicElasticIP": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
},
"DependsOn": ["NewVPC"]
},
"ManagementElasticIP": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
},
"DependsOn": ["NewVPC"]
},
"NewDBSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "10.0.2.0/24",
"VpcId": {
"Ref": "NewVPC"
},
"AvailabilityZone": "",
"Tags": [{
"Key": "Name",
"Value": "PAN Sample CFT"
}]
},
"DependsOn": "NewVPC"
},
"NewPublicSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "10.0.0.0/24",
"VpcId": {
"Ref": "NewVPC"
},
"AvailabilityZone": {
"Fn::GetAtt": ["NewDBSubnet", "AvailabilityZone"]
},
"Tags": [{
"Key": "Name",
"Value": "PAN Sample CFT"
}]
},
"DependsOn": ["NewVPC", "NewDBSubnet"]
},
"NewWebSubnet": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "10.0.1.0/24",
"AvailabilityZone": {
"Fn::GetAtt": ["NewDBSubnet", "AvailabilityZone"]
},
"VpcId": {
"Ref": "NewVPC"
},
"Tags": [{
"Key": "Name",
"Value": "PAN Sample CFT"
}]
},
"DependsOn": ["NewVPC", "NewDBSubnet"]
},
"igweb3def8e": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [{
"Key": "Name",
"Value": "PAN Sample CFT"
}]
}
},
"dopt21c7d043": {
"Type": "AWS::EC2::DHCPOptions",
"Properties": {
"DomainName": "us-west-2.compute.internal",
"DomainNameServers": [
"AmazonProvidedDNS"
]
}
},
"aclb765d6d2": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {
"Ref": "NewVPC"
}
}
},
"rtb059a2460": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "NewVPC"
}
}
},
"rtb049a2461": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "NewVPC"
}
}
},
"FWManagementNetworkInterface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"Description": "AWS FW1 MGMT",
"SubnetId": {
"Ref": "NewPublicSubnet"
},
"SourceDestCheck": "false",
"PrivateIpAddresses": [{
"PrivateIpAddress": "10.0.0.99",
"Primary": "true"
}],
"GroupSet": [{
"Ref": "sgWideOpen"
}],
"Tags": [{
"Key": "Name",
"Value": "WP AWS FW1 MGMT"
}]
},
"DependsOn": ["sgWideOpen"]
},
"FWPublicNetworkInterface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"Description": "AWS FW1 E1/1",
"SubnetId": {
"Ref": "NewPublicSubnet"
},
"SourceDestCheck": "false",
"PrivateIpAddresses": [{
"PrivateIpAddress": "10.0.0.100",
"Primary": "true"
}],
"GroupSet": [{
"Ref": "sgWideOpen"
}],
"Tags": [{
"Key": "Name",
"Value": "WP AWS FW1 E1/1"
}]
},
"DependsOn": ["sgWideOpen"]
},
"FWPrivate12NetworkInterface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"Description": "AWS FW1 E1/2",
"SubnetId": {
"Ref": "NewWebSubnet"
},
"SourceDestCheck": "false",
"PrivateIpAddresses": [{
"PrivateIpAddress": "10.0.1.11",
"Primary": "true"
}],
"GroupSet": [{
"Ref": "sgWideOpen"
}],
"Tags": [{
"Key": "Name",
"Value": "WP AWS FW1 E1/2"
}]
},
"DependsOn": ["sgWideOpen"]
},
"FWPrivate13NetworkInterface": {
"Type": "AWS::EC2::NetworkInterface",
"Properties": {
"Description": "AWS FW1 E1/3",
"SubnetId": {
"Ref": "NewDBSubnet"
},
"SourceDestCheck": "false",
"PrivateIpAddresses": [{
"PrivateIpAddress": "10.0.2.11",
"Primary": "true"
}],
"GroupSet": [{
"Ref": "sgWideOpen"
}],
"Tags": [{
"Key": "Name",
"Value": "WP AWS FW1 E1/3"
}]
},
"DependsOn": ["sgWideOpen"]
},
"FWEIPMAnagementAssociation": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": {
"Fn::GetAtt": ["ManagementElasticIP", "AllocationId"]
},
"NetworkInterfaceId": {
"Ref": "FWManagementNetworkInterface"
}
},
"DependsOn": ["FWManagementNetworkInterface", "ManagementElasticIP"]
},
"FWEIPPublicAssociation": {
"Type": "AWS::EC2::EIPAssociation",
"Properties": {
"AllocationId": {
"Fn::GetAtt": ["PublicElasticIP", "AllocationId"]
},
"NetworkInterfaceId": {
"Ref": "FWPublicNetworkInterface"
}
},
"DependsOn": ["FWPublicNetworkInterface", "PublicElasticIP"]
},
"sgWideOpen": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Wide open security group",
"VpcId": {
"Ref": "NewVPC"
},
"Tags": [{
"Key": "Name",
"Value": "Lab External SG"
}],
"SecurityGroupIngress": [{
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}],
"SecurityGroupEgress": [{
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}]
}
},
"acl1": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Egress": "true",
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100",
"NetworkAclId": {
"Ref": "aclb765d6d2"
}
}
},
"acl2": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100",
"NetworkAclId": {
"Ref": "aclb765d6d2"
}
}
},
"subnetacl1": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {
"Ref": "aclb765d6d2"
},
"SubnetId": {
"Ref": "NewDBSubnet"
}
}
},
"subnetacl2": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {
"Ref": "aclb765d6d2"
},
"SubnetId": {
"Ref": "NewPublicSubnet"
}
}
},
"subnetacl3": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {
"Ref": "aclb765d6d2"
},
"SubnetId": {
"Ref": "NewWebSubnet"
}
}
},
"gw1": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "NewVPC"
},
"InternetGatewayId": {
"Ref": "igweb3def8e"
}
}
},
"subnetroute2": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "rtb049a2461"
},
"SubnetId": {
"Ref": "NewPublicSubnet"
}
}
},
"route1": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"RouteTableId": {
"Ref": "rtb059a2460"
},
"GatewayId": {
"Ref": "igweb3def8e"
}
},
"DependsOn": "gw1"
},
"route2": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"RouteTableId": {
"Ref": "rtb049a2461"
},
"GatewayId": {
"Ref": "igweb3def8e"
}
},
"DependsOn": "gw1"
},
"dchpassoc1": {
"Type": "AWS::EC2::VPCDHCPOptionsAssociation",
"Properties": {
"VpcId": {
"Ref": "NewVPC"
},
"DhcpOptionsId": {
"Ref": "dopt21c7d043"
}
}
},
"FWInstance": {
"Type": "AWS::EC2::Instance",
"Properties": {
"DisableApiTermination": "false",
"IamInstanceProfile": {
"Ref": "BootstrapInstanceProfile"
},
"InstanceInitiatedShutdownBehavior": "stop",
"EbsOptimized": "true",
"ImageId": {
"Fn::FindInMap": ["PANFWRegionMap", {
"Ref": "AWS::Region"
}, "AMI"]
},
"InstanceType": "m4.xlarge",
"BlockDeviceMappings": [{
"DeviceName": "/dev/xvda",
"Ebs": {
"VolumeType": "gp2",
"DeleteOnTermination": "true",
"VolumeSize": "60"
}
}],
"KeyName": {
"Ref": "ServerKeyName"
},
"Monitoring": "false",
"Tags": [{
"Key": "Name",
"Value": "WP VM-Series Firewall"
}],
"NetworkInterfaces": [{
"NetworkInterfaceId": {
"Ref": "FWManagementNetworkInterface"
},
"DeviceIndex": 0
},
{
"NetworkInterfaceId": {
"Ref": "FWPublicNetworkInterface"
},
"DeviceIndex": 1
},
{
"NetworkInterfaceId": {
"Ref": "FWPrivate12NetworkInterface"
},
"DeviceIndex": 2
},
{
"NetworkInterfaceId": {
"Ref": "FWPrivate13NetworkInterface"
},
"DeviceIndex": 3
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": ["", [
"vmseries-bootstrap-aws-s3bucket=", {
"Ref": "BootstrapBucketName"
}
]]
}
}
},
"DependsOn": ["FWPublicNetworkInterface", "FWPrivate12NetworkInterface", "FWPrivate13NetworkInterface", "NewPublicSubnet"]
},
"Outputs": {
"FirewallManagementURL": {
"Description": "VM-Series management interface URL",
"Value": {
"Fn::Join": ["", [
"https://",
{
"Ref": "ManagementElasticIP"
}
]]
}
}
}
}
}

AWS Lambda + VPC Elastic IP Timeout

I'm trying to assign a static ip to multiple lambdas so that when a lambda makes a call to a specific service I can whitelist that ip.
I was able to get this working but as far as I can tell, it will randomly start either taking almost exactly 2 minutes to return where before it was 500ms or just start timing out all together.
Below is the cloudformation I used to setup this VPC and in this cloudformation I setup the following:
Public Subnet
Private Subnet
NAT Gateway
Elastic IP
2 Routes (public/private)
Internet Gateway
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS CloudFormation for VPC",
"Parameters": {
"env": {
"Type": "String"
}
},
"Resources": {
"VPCStaticIP": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "11.0.0.0/16",
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
["lambavpc", "-", { "Ref": "env" }]
]
}
}
]
}
},
"SubnetPublic": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "11.0.0.0/24",
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"lambavpc",
"-",
{ "Ref": "env" },
"-",
"public-subnet"
]
]
}
}
],
"VpcId": {
"Ref": "VPCStaticIP"
}
}
},
"SubnetPrivate": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": "11.0.1.0/24",
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"lambavpc",
"-",
{ "Ref": "env" },
"-",
"private-subnet"
]
]
}
}
],
"VpcId": {
"Ref": "VPCStaticIP"
}
}
},
"InternetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
["lambavpc", "-", { "Ref": "env" }, "-", "igw"]
]
}
}
]
}
},
"VPCGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": {
"Ref": "InternetGateway"
},
"VpcId": {
"Ref": "VPCStaticIP"
}
}
},
"RouteTablePublic": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPCStaticIP"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"lambavpc",
"-",
{ "Ref": "env" },
"-",
"public-route"
]
]
}
}
]
}
},
"RoutePublic": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "InternetGateway"
},
"RouteTableId": {
"Ref": "RouteTablePublic"
}
}
},
"SubnetRouteTableAssociationPublic": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "RouteTablePublic"
},
"SubnetId": {
"Ref": "SubnetPublic"
}
}
},
"EIP": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc",
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
["lambavpc", "-", { "Ref": "env" }, "-", "eip"]
]
}
}
]
}
},
"NatGateway": {
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": ["EIP", "AllocationId"]
},
"SubnetId": {
"Ref": "SubnetPublic"
}
}
},
"RouteTablePrivate": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "VPCStaticIP"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
[
"lambavpc",
"-",
{ "Ref": "env" },
"-",
"private-route"
]
]
}
}
]
}
},
"RoutePrivate": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "NatGateway"
},
"RouteTableId": {
"Ref": "RouteTablePrivate"
}
}
},
"SubnetRouteTableMainAssociationPrivate": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "RouteTablePrivate"
},
"SubnetId": {
"Ref": "SubnetPrivate"
}
}
}
},
"Outputs": {}
}
I've done quite a bit of research and turned up these references:
https://gist.github.com/reggi/dc5f2620b7b4f515e68e46255ac042a7
AWS Lambda: How to set up a NAT gateway for a lambda function with VPC access
but I can't seem to reason what the delta is between what I'm doing and what they are suggesting.
Any suggestions would be greatly appreciated it!
The EIP timeouts probably because you do not have DependsOn attribute on your AWS::EC2::VPCGatewayAttachment. This is required in your case:
If you define an Elastic IP address and associate it with a VPC that is defined in the same template, you must declare a dependency on the VPC-gateway attachment by using the DependsOn Attribute on this resource.
Thus, you could try the following which adds the dependency:
"EIP": {
"Type": "AWS::EC2::EIP",
"DependsOn" : "VPCGatewayAttachment",
"Properties": {
"Domain": "vpc",
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
"",
["lambavpc", "-", { "Ref": "env" }, "-", "eip"]
]
}
}
]
}
}
Also, if possible, I would consider using a private IP range of 10.0.0.0/16 for your VPC and subnets instead of 11.0.0.0/16. The range is recommended to be used by AWS:
When you create a VPC, we recommend that you specify a CIDR block (of /16 or smaller) from the private IPv4 address ranges as specified in RFC 1918:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
You don't show how you are creating the Lambda function, is that created outside of CloudFormation? It sounds like you have the Lambda function configured to use both VPC subnets, and when it runs inside the public subnet it is getting timeouts. You need to configure the Lambda function to only use the private subnet with a route to the NAT Gateway.

Cloudformation application load balancer elastic IP error

I am trying to automate a stack consisting of one Fargate cluster, multiple services and one application load balancer with Cloudformation.
Unfortunately the creation of the LoadBalancer fails with the following error message: "Elastic IPs are not supported for load balancers with type 'application'"
I know that elastic IPs are not supported however I cannot figure out why Cloudformation tries to assign an elastic IP to my loadbalancer. I found no hints in the reference about some value defaulting to elastic IP assignment.
"Resources": {
"Cluster": {
"Type": "AWS::ECS::Cluster",
"Properties": {}
},
"Service": {
"Type": "AWS::ECS::Service",
"Properties": {
"Cluster": {
"Ref": "Cluster"
},
"TaskDefinition": {
"Ref": "Task"
},
"LoadBalancers": [
{
"ContainerName": "service1",
"ContainerPort": 80,
"LoadBalancerName": {
"Ref": "LoadBalancer"
},
"TargetGroupArn": {
"Ref": "TargetGroup"
}
}
],
"NetworkConfiguration": {
"AwsvpcConfiguration": {
"AssignPublicIp": "false",
"Subnets": [
{
"Ref": "Subnet1"
},
{
"Ref": "Subnet2"
}
]
}
}
}
},
"Task": {
"Type": "AWS::ECS::TaskDefinition",
"Properties": {
"ContainerDefinitions": [
{
"PortMappings": [
{
"HostPort": 80,
"Protocol": "tcp",
"ContainerPort": 80
}
],
"Environment": [
{
"Name": "SERVER_PORT",
"Value": "80"
}
],
"Image": "arn",
"Essential": true,
"Name": "service1",
"Memory": 2048
}
],
"TaskRoleArn": "arn",
"NetworkMode": "awsvpc"
}
},
"LoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"SubnetMappings": [
{
"SubnetId": {
"Ref": "Subnet1"
},
"AllocationId": "subnet-1"
},
{
"SubnetId": {
"Ref": "Subnet2"
},
"AllocationId": "subnet-2"
}
],
"SecurityGroups": [
{
"Ref": "VPCSecurityGroup"
}
]
}
},
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16"
}
},
"VPCSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"GroupDescription": "security group"
}
},
"Subnet1": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": "10.0.0.0/24",
"MapPublicIpOnLaunch": false
}
},
"Subnet2": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"CidrBlock": "10.0.1.0/24",
"MapPublicIpOnLaunch": false
}
},
"Listener": {
"Type": "AWS::ElasticLoadBalancingV2::Listener",
"Properties": {
"LoadBalancerArn": {
"Ref": "LoadBalancer"
},
"DefaultActions": [
{
"Type": "FORWARD"
}
],
"Port": 443,
"Protocol": "HTTPS",
"Certificates": [
{
"CertificateArn": "arn"
}
]
}
},
"TargetGroup": {
"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
"Properties": {
"VpcId": {
"Ref": "VPC"
},
"Port": 80,
"Protocol": "HTTP"
}
},
"ListenerRule": {
"Type": "AWS::ElasticLoadBalancingV2::ListenerRule",
"Properties": {
"Actions": [
{
"Type": "FORWARD"
}
],
"Priority": 1,
"Conditions": [],
"ListenerArn": {
"Ref": "Listener"
}
}
}
I fixed the elastic IP error by removing the SubnetMappings property and declaring the Subnets property instead.
"LoadBalancer": {
"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
"Properties": {
"Subnets": [
{
"Ref": "PublicSubnet1"
},
{
"Ref": "PublicSubnet2"
}
],
"SecurityGroups": [
{
"Ref": "VPCSecurityGroup"
}
]
}
}

How can i ensure NAT is up before instances

My instances when created by my cloudformation template do not run yum update or install aws-cfn-bootstrap. I see a timeout in the logs however it works after I login and they have fully booted.
Logs show me they are unable to connect at boot, I think because the natgw hasn't been built yet. It was working yesterday i have been tweaking since but cannot seem to get it to load anymore.
"Parameters": {
"ONtestenv": {
"Description": "env name",
"Type": "String"
},
"ONcidr": {
"Description": "subs for vpc",
"Type": "String",
"Default": "10.0.0.0/16"
},
"pubONsubnet": {
"Description": "pub sub block",
"Type": "String",
"Default": "10.0.0.0/24"
},
"privONsubnet": {
"Description": "priv subn clok",
"Type": "String",
"Default": "10.0.1.0/24"
},
"KeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instances",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
},
"SSHLocation": {
"Description": "The IP address range that can be used to SSH to the EC2 instances",
"Type": "String",
"MinLength": "9",
"MaxLength": "18",
"Default": "0.0.0.0/0",
"AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
"ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
},
"InstanceType": {
"Description": "WebServer EC2 instance type",
"Type": "String",
"Default": "t2.micro",
"AllowedValues": [
"t2.micro",
"m1.small",
"m1.medium",
"m1.large",
"m1.xlarge",
"m2.xlarge",
"m2.2xlarge",
"m2.4xlarge"
],
"ConstraintDescription": "must be a valid EC2 instance type."
}
},
"Mappings": {
"Region2Examples": {
"us-east-1": {
"Examples": "https://s3.amazonaws.com/cloudformation-examples-us-east-1"
},
"ca-central-1": {
"Examples": "https://s3.amazonaws.com/cloudformation-examples-us-east-1"
},
"us-west-2": {
"Examples": "https://s3-us-west-2.amazonaws.com/cloudformation-examples-us-west-2"
},
"us-west-1": {
"Examples": "https://s3-us-west-1.amazonaws.com/cloudformation-examples-us-west-1"
},
"eu-west-1": {
"Examples": "https://s3-eu-west-1.amazonaws.com/cloudformation-examples-eu-west-1"
},
"eu-central-1": {
"Examples": "https://s3-eu-central-1.amazonaws.com/cloudformation-examples-eu-central-1"
},
"ap-southeast-1": {
"Examples": "https://s3-ap-southeast-1.amazonaws.com/cloudformation-examples-ap-southeast-1"
},
"us-east-2": {
"Examples": "https://s3-us-east-2.amazonaws.com/cloudformation-examples-us-east-2"
},
"sa-east-1": {
"Examples": "https://s3-sa-east-1.amazonaws.com/cloudformation-examples-sa-east-1"
},
"cn-north-1": {
"Examples": "https://s3.cn-north-1.amazonaws.com.cn/cloudformation-examples-cn-north-1"
}
},
"AWSInstanceType2Arch": {
"t2.micro": {
"Arch": "64"
},
"m1.small": {
"Arch": "64"
},
"m1.medium": {
"Arch": "64"
},
"m1.large": {
"Arch": "64"
},
"m1.xlarge": {
"Arch": "64"
},
"m2.xlarge": {
"Arch": "64"
},
"m2.2xlarge": {
"Arch": "64"
},
"m2.4xlarge": {
"Arch": "64"
},
"c1.medium": {
"Arch": "64"
},
"c1.xlarge": {
"Arch": "64"
},
"cc1.4xlarge": {
"Arch": "64HVM"
},
"cc2.8xlarge": {
"Arch": "64HVM"
},
"cg1.4xlarge": {
"Arch": "64HVM"
}
},
"AWSRegionArch2AMI": {
"us-east-1": {
"32": "ami-31814f58",
"64": "ami-1b814f72",
"64HVM": "ami-0da96764"
},
"ca-central-1": {
"32": "ami-31814f58",
"64": "ami-b61b96d2",
"64HVM": "ami-b61b96d2"
},
"us-west-2": {
"32": "ami-38fe7308",
"64": "ami-30fe7300",
"64HVM": "NOT_YET_SUPPORTED"
},
"us-west-1": {
"32": "ami-11d68a54",
"64": "ami-1bd68a5e",
"64HVM": "NOT_YET_SUPPORTED"
},
"eu-west-1": {
"32": "ami-973b06e3",
"64": "ami-953b06e1",
"64HVM": "NOT_YET_SUPPORTED"
},
"ap-southeast-1": {
"32": "ami-b4b0cae6",
"64": "ami-beb0caec",
"64HVM": "NOT_YET_SUPPORTED"
},
"ap-northeast-1": {
"32": "ami-0644f007",
"64": "ami-0a44f00b",
"64HVM": "NOT_YET_SUPPORTED"
},
"sa-east-1": {
"32": "ami-3e3be423",
"64": "ami-3c3be421",
"64HVM": "NOT_YET_SUPPORTED"
}
}
},
"Resources": {
"ONtestVPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {
"Ref": "ONcidr"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "ONtestenv"
}
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "3321d2b3-88cd-4e8f-bef1-b5d0b853ca46"
}
}
},
"ONIG": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "Name",
"Value": {
"Ref": "ONtestenv"
}
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "d5878b9e-87f5-4088-8401-1a60d827a01a"
}
}
},
"ONgatewayattach": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"InternetGatewayId": {
"Ref": "ONIG"
},
"VpcId": {
"Ref": "ONtestVPC"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "b654db30-aa3f-4ffe-ab5c-27b9a14be28e"
}
}
},
"natGW": {
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"natEIP",
"AllocationId"
]
},
"SubnetId": {
"Ref": "pubsub"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "b030b414-e088-4733-8d0a-bbe426610828"
}
}
},
"pubsub": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "ONtestVPC"
},
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
},
"CidrBlock": {
"Ref": "pubONsubnet"
},
"MapPublicIpOnLaunch": false,
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Sub": "${ONtestenv} pub sub"
}
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "dd0e3e42-3b94-4ffe-a8e3-85690934c839"
}
}
},
"privsub": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": {
"Ref": "ONtestVPC"
},
"AvailabilityZone": {
"Fn::Select": [
0,
{
"Fn::GetAZs": ""
}
]
},
"CidrBlock": {
"Ref": "privONsubnet"
},
"MapPublicIpOnLaunch": false,
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Sub": "${ONtestenv} priv sub"
}
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "4cfc646e-acb2-45ea-a075-596b7453e7d7"
}
}
},
"natEIP": {
"Type": "AWS::EC2::EIP",
"DependsOn": "ONgatewayattach",
"Properties": {
"Domain": "vpc"
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "c3501a25-dec8-4d5b-a8af-4c8ddc2b8c48"
}
}
},
"pubroutes": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "ONtestVPC"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Sub": "${ONtestenv} pub routes"
}
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "15610e2e-2838-4b07-9ed0-3339a8ee2c6b"
}
}
},
"defaultpubroute": {
"Type": "AWS::EC2::Route",
"DependsOn": "ONgatewayattach",
"Properties": {
"RouteTableId": {
"Ref": "pubroutes"
},
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": {
"Ref": "ONIG"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "2ccd0372-a83b-42cf-8d24-4bf2937f9db2"
}
}
},
"pubsubrtassoc": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "pubroutes"
},
"SubnetId": {
"Ref": "pubsub"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "871f2e97-ff70-4bcf-a707-07cd7629a070"
}
}
},
"privroutetable": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "ONtestVPC"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Sub": "${ONtestenv} priv routes"
}
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "e3959861-54ef-41eb-8732-644b3302f1a2"
}
}
},
"defaultprivroute": {
"Type": "AWS::EC2::Route",
"Properties": {
"RouteTableId": {
"Ref": "privroutetable"
},
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": {
"Ref": "natGW"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "0bd7af21-8d8c-4bcb-ac8d-b7a0c1bcc7f1"
}
}
},
"privsubrtassoc": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "privroutetable"
},
"SubnetId": {
"Ref": "privsub"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "e4a0e22d-b70f-498f-8269-7569a2a260cc"
}
}
},
"SG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Enable ping and ssh access via port 22 and ALL from VPC CIDR",
"VpcId": {
"Ref": "ONtestVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "icmp",
"FromPort": "8",
"ToPort": "-1",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "icmp",
"FromPort": "-1",
"ToPort": "-1",
"CidrIp": "10.0.0.0/16"
},
{
"IpProtocol": "udp",
"FromPort": "1",
"ToPort": "65535",
"CidrIp": "10.0.0.0/16"
},
{
"IpProtocol": "tcp",
"FromPort": "1",
"ToPort": "65535",
"CidrIp": "10.0.0.0/16"
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "64176529-142e-41de-a97d-b4306dd2c445"
}
}
},
"webAutoscalingGroup": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Properties": {
"LaunchConfigurationName": {
"Ref": "LaunchConfig"
},
"LoadBalancerNames": [
{
"Ref": "ElasticLoadBalancer"
}
],
"MaxSize": 4,
"MinSize": 2,
"VPCZoneIdentifier": [
{
"Ref": "pubsub"
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "a331154a-b1ca-416c-80d3-651425c8ad8e"
}
}
},
"webAutoscalePolicy": {
"Type": "AWS::AutoScaling::ScalingPolicy",
"Description": "A policy to expand the size of the pool by 1 instance",
"Properties": {
"AutoScalingGroupName": {
"Ref": "webAutoscalingGroup"
},
"AdjustmentType": "ChangeInCapacity",
"Cooldown": 300,
"ScalingAdjustment": 1
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "77ce9e6f-f50d-4f96-a229-76ffe3bfc32a"
}
}
},
"webAutoScaleAlarm": {
"Type": "AWS::CloudWatch::Alarm",
"Description": "When average bandwidth for the instances exceeds a threshold trigger\nthe policy (increasing instance count by 1)\n",
"Properties": {
"AlarmName": {
"Fn::Join": [
"-",
[
{
"Ref": "AWS::StackName"
},
"bytes out alarm"
]
]
},
"AlarmDescription": "This metric monitors network utilization",
"ComparisonOperator": "GreaterThanOrEqualToThreshold",
"EvaluationPeriods": 2,
"MetricName": "NetworkIn",
"Namespace": "AWS/EC2",
"Period": 60,
"Statistic": "Average",
"Threshold": 5000,
"Dimensions": [
{
"Name": "AutoScalingGroupName",
"Value": {
"Ref": "webAutoscalingGroup"
}
}
]
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "e04f759b-93b9-4072-8966-484a4e953230"
}
}
},
"LBSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "SSH and HTTP inbound, egress to VPC",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": {
"Ref": "SSHLocation"
}
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"CidrIp": "0.0.0.0/0"
}
],
"VpcId": {
"Ref": "ONtestVPC"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "f6b443e1-6c3f-4e3c-bcc4-fbccb527b1f1"
}
}
},
"ElasticLoadBalancer": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"Subnets": [
{
"Ref": "pubsub"
}
],
"CrossZone": "true",
"Listeners": [
{
"LoadBalancerPort": "80",
"InstancePort": "80",
"Protocol": "HTTP"
}
],
"HealthCheck": {
"Target": "HTTP:80/",
"HealthyThreshold": "3",
"UnhealthyThreshold": "5",
"Interval": "30",
"Timeout": "5"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "33772321-0e4d-4a0e-bfc6-e4196b7cdead"
}
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "SSH inbound, port 80 inbound from the load balancer",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": {
"Ref": "SSHLocation"
}
},
{
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": {
"Ref": "SSHLocation"
}
}
],
"VpcId": {
"Ref": "ONtestVPC"
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "9bed003f-7101-4f65-a41c-175bfa579c08"
}
}
},
"LaunchConfig": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Metadata": {
"Comment": "Install a simple application",
"AWS::CloudFormation::Init": {
"config": {
"packages": {
"yum": {
"httpd": []
}
},
"files": {
"/var/www/html/index.html": {
"content": {
"Fn::Join": [
"\n",
[
"<img src=\"",
{
"Fn::FindInMap": [
"Region2Examples",
{
"Ref": "AWS::Region"
},
"Examples"
]
},
"/cloudformation_graphic.png\" alt=\"AWS CloudFormation Logo\"/>",
"<h1>Congratulations, you have successfully launched the AWS CloudFormation sample.</h1>"
]
]
},
"mode": "000644",
"owner": "root",
"group": "root"
},
"/etc/cfn/cfn-hup.conf": {
"content": {
"Fn::Join": [
"",
[
"[main]\n",
"stack=",
{
"Ref": "AWS::StackId"
},
"\n",
"region=",
{
"Ref": "AWS::Region"
},
"\n"
]
]
},
"mode": "000400",
"owner": "root",
"group": "root"
},
"/etc/cfn/hooks.d/cfn-auto-reloader.conf": {
"content": {
"Fn::Join": [
"",
[
"[cfn-auto-reloader-hook]\n",
"triggers=post.update\n",
"path=Resources.LaunchConfig.Metadata.AWS::CloudFormation::Init\n",
"action=/opt/aws/bin/cfn-init -v ",
" --stack ",
{
"Ref": "AWS::StackName"
},
" --resource LaunchConfig ",
" --region ",
{
"Ref": "AWS::Region"
},
"\n",
"runas=root\n"
]
]
}
}
},
"services": {
"sysvinit": {
"httpd": {
"enabled": "true",
"ensureRunning": "true"
},
"cfn-hup": {
"enabled": "true",
"ensureRunning": "true",
"files": [
"/etc/cfn/cfn-hup.conf",
"/etc/cfn/hooks.d/cfn-auto-reloader.conf"
]
}
}
}
}
},
"AWS::CloudFormation::Designer": {
"id": "fb6eab98-3a1b-426a-945f-14c25bb99862"
}
},
"Properties": {
"KeyName": {
"Ref": "KeyName"
},
"ImageId": {
"Fn::FindInMap": [
"AWSRegionArch2AMI",
{
"Ref": "AWS::Region"
},
{
"Fn::FindInMap": [
"AWSInstanceType2Arch",
{
"Ref": "InstanceType"
},
"Arch"
]
}
]
},
"SecurityGroups": [
{
"Ref": "InstanceSecurityGroup"
}
],
"InstanceType": {
"Ref": "InstanceType"
},
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"#!/bin/bash -xe\n",
"yum update -y aws-cfn-bootstrap\n",
"/opt/aws/bin/cfn-init -v ",
" --stack ",
{
"Ref": "AWS::StackName"
},
" --resource LaunchConfig ",
" --region ",
{
"Ref": "AWS::Region"
},
"\n",
"/opt/aws/bin/cfn-signal -e $? ",
" --stack ",
{
"Ref": "AWS::StackName"
},
" --resource WebServerGroup ",
" --region ",
{
"Ref": "AWS::Region"
},
"\n"
]
]
}
}
}
}
},
"Outputs": {
"VPC": {
"Description": "A reference to the created VPC",
"Value": {
"Ref": "ONtestVPC"
}
},
"PublicSubnet": {
"Description": "public subnet",
"Value": {
"Fn::Join": [
",",
[
{
"Ref": "pubsub"
}
]
]
}
},
"PrivateSubnet": {
"Description": "private subnet",
"Value": {
"Fn::Join": [
",",
[
{
"Ref": "privsub"
}
]
]
}
}
}
}```
I am hoping it will install the simple httpd server but it does not. I am able to run the exact same command ```yum update -y``` after it's booted and I login to it.
You can put a DependsOn condition on the Auto Scaling group referencing the natGW, so that it won't launch instances until the NAT Gateway is ready.
See: DependsOn Attribute - AWS CloudFormation
CloudFormation normally figures out "depends on" linkages automatically, based on references from one resource to another (eg a Subnet references a VPC, so CloudFormation waits for the VPC to be ready before creating the Subnet).
However, not all relationships are obvious such as between your Auto Scaling group and the NAT Gateway. For these situations, you can manually add a DependsOn.
It can also be beneficial to use multiple stacks. This reduces the number of resource dependencies that need to be specified.
Key things like a NAT Gateway should be in one of the first stacks and then if you put things like an autoscaling group in a stack added later the dependency doesn't have to be specified as the NAT Gateway will already be up from the earlier stack.

Trying to setup lambda to access my RDS server on AWS but getting timeouts

I know AWS allows this now and has instructions for a manual setup. I'm trying to set this up in a cloudformation though and am running into difficulties. Currently when I try to access my RDS server I am getting connect ETIMEDOUT errors.
I have my VPC, Subnets and security groups setup with the following:
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsSupport": "false",
"EnableDnsHostnames": "false",
"InstanceTenancy": "default",
"Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
}
},
"SubnetA": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": { "Ref": "VPC" },
"CidrBlock": "10.0.0.0/24",
"AvailabilityZone": { "Fn::Select": [ "0", { "Fn::GetAZs": { "Ref": "AWS::Region" } }]},
"Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
}
},
"SubnetB": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"VpcId": { "Ref": "VPC" },
"CidrBlock": "10.0.1.0/24",
"AvailabilityZone": { "Fn::Select": [ "1", { "Fn::GetAZs": { "Ref": "AWS::Region" } }]},
"Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
}
},
"SubnetGroup": {
"Type": "AWS::RDS::DBSubnetGroup",
"Properties": {
"DBSubnetGroupDescription": "Database Access",
"SubnetIds" : [{ "Ref": "SubnetA" }, { "Ref": "SubnetB" }],
"Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
}
},
"SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Database Access",
"VpcId": {"Ref": "VPC"},
"SecurityGroupIngress" : [{
"IpProtocol": "tcp",
"FromPort": "3306",
"ToPort": "3306",
"CidrIp": "10.0.0.0/16"
}],
"Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
}
},
I don't actually use SubnetB but to make AWS::RDS::DBSubnetGroup you need subnets in at least two availability zones.
My RDS database is setup with the VPC and Security group.
"Database": {
"Type": "AWS::RDS::DBInstance",
"Properties": {
"DBName": { "Fn::Join": ["", { "Fn::Split": [".", { "Ref": "DomainName" }]}]},
"AllocatedStorage": "5",
"DBInstanceClass": "db.t2.micro",
"Engine": "MySQL",
"EngineVersion": "5.5",
"MasterUsername": { "Ref": "DBUsername" },
"MasterUserPassword": { "Ref": "DBPassword" },
"DBSubnetGroupName": { "Ref": "SubnetGroup" },
"VPCSecurityGroups" : [{ "Fn::GetAtt": [ "SecurityGroup", "GroupId" ] }],
"Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
},
"DeletionPolicy": "Snapshot"
},
So I think the database side is correctly in the VPC and able to talk both subnets.
My lambda is setup in the security group and in SubnetA.
"LambdaFunctionUpdate": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"ZipFile": "exports.handler = function (event, context) { context.succeed(\"Hello, World!\"); };"
},
"Description": "Used to create and or sync database tables to the application models",
"Handler": "index.handler",
"MemorySize": 128,
"Role": { "Fn::GetAtt": ["LambdaExecutionRole", "Arn" ] },
"Runtime": "nodejs4.3",
"Timeout": 30,
"VpcConfig": {
"SecurityGroupIds": [{ "Fn::GetAtt": ["SecurityGroup", "GroupId"] }],
"SubnetIds": [{"Ref": "SubnetA"}]
}
}
},
At the end of everything I'm outputting the database endpoint information.
"Outputs": {
"DatabaseEndpoint": {
"Value": { "Fn::Join" : [":", [{ "Fn::GetAtt": ["Database", "Endpoint.Address" ] }, { "Fn::GetAtt": ["Database", "Endpoint.Port" ] }]]},
"Description": "Database endpoint"
}
}
When I run my lambda and try to connect to the RDS server with the endpoint given I get timeout errors.
{
"errorMessage": "connect ETIMEDOUT",
"errorType": "SequelizeConnectionError",
"stackTrace": [
"Handshake._callback (/var/task/node_modules/sequelize/lib/dialects/mysql/connection-manager.js:95:20)",
"Handshake.Sequence.end (/var/task/node_modules/mysql/lib/protocol/sequences/Sequence.js:86:24)",
"Protocol.handleNetworkError (/var/task/node_modules/mysql/lib/protocol/Protocol.js:364:14)",
"Connection._handleNetworkError (/var/task/node_modules/mysql/lib/Connection.js:428:18)",
"Connection._handleConnectTimeout (/var/task/node_modules/mysql/lib/Connection.js:424:8)",
"Socket.g (events.js:260:16)",
"emitNone (events.js:67:13)",
"Socket.emit (events.js:166:7)",
"Socket._onTimeout (net.js:318:8)",
"_runOnTimeout (timers.js:524:11)",
"_makeTimerTimeout (timers.js:515:3)",
"Timer.unrefTimeout (timers.js:584:5)"
]
}
The VPC configuration was incorrect. DNS services can't be turned off.
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": "10.0.0.0/16",
"EnableDnsSupport": "true",
"EnableDnsHostnames": "true",
"InstanceTenancy": "default",
"Tags" : [{ "Key": "Name", "Value": { "Ref": "DomainName" } }]
}
},