AWS EC2 - Change Security Group - Error

I am trying out the tutorial for amazon VPC - Virtual private cloud.
http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html#Case2_Launch_NAT
I have followed these steps:
- Navigate to https://console.aws.amazon.com/vpc
- Create a VPC.
- Create security groups as outlined by the article.
I have created the NATSG security group as required by the article.
When I try to change the security group of the instance to run under the NATSG group, it gives me an error saying it encountered an error, without any description.
Any pointers would be appreciated.

I am not facing the issue any longer; it appeared to be an ongoing issue at the time, and I can currently switch security groups properly.
The one change I have made over the past 2 years is to switch all my manual interactions with AWS to be programmatic using boto3 or CloudFormation, which has eliminated a lot of errors.

Related

aws_wafv2_rule_group vs aws_wafregional_rule_group

I am trying to create a Firewall Manager policy using Terraform. During the process I came across 2 resources for creating a rule group, i.e. aws_wafv2_rule_group and aws_wafregional_rule_group. I am confused about the difference between these 2 resources when creating an FMS policy.
When I create a WAF policy via the console, I don't see any difference between a rule group for a region and one without a region.
Can someone please elaborate how these differ from one another and point to some documentation.
Thanks.

AWS wont let me delete custom Security Groups that I had created

I am new to AWS. Here's the drill:
- Logged in to AWS with root admin credentials.
- I created a few security groups in AWS.
- Terminated all the EC2 instances that I had.
- Deleted ELB successfully.
- Deleted RDS successfully.
- Using default VPC and no Elastic IPs.
Now, when I am trying to delete security groups, one group says it's being referenced by another. When I try to delete the referenced one, it says that the security group is being referenced by a Network Interface.
We get two options here: associate with another group, or delete that Network Interface.
Trying the first makes no sense as I want to get rid of all the Security Groups except the default (like it was in the beginning). Still, I tried that option and got the error "You do not have permission to access the specified resource", and it did not let me associate that Network Interface (Status: In Use) with any Security Group.
Tried deleting/detaching(force) that Network Interface and got an error message "You do not have permission to access the specified resource."
A similar issue can be found below without any known solution:
https://forums.aws.amazon.com/thread.jspa?threadID=99189&start=0&tstart=0
Unresolved Stackoverflow link: issue in deleting VPC and network interface
I would really appreciate if someone hits me with a hammer of facts :)
Thanks, in advance!
I had the same issue, after having removed load balancers, auto-scaling groups, the memcached cluster and so on, I couldn't delete the VPC.
I had the feeling that there was some vicious circle between two network interfaces that I couldn't detach or modify and the security group itself that I couldn't remove as long as it was attached to the interfaces.
I ran the aws elasticache describe-instances command (I saw a reference to elasticache in a network interface description) to see if it would show something I missed.
And indeed, there was some redis cluster remaining, that I didn't see in the mess of the UI, which was some remnant of a long forgotten test. After having removed this cluster, I could delete the VPC.
So I'd say that kind of issue (unauthorized access, even for admins) is mainly related to a component managed by AWS, and to the fact that the UI is far from friendly when it comes to knowing where an error comes from.
https://forums.aws.amazon.com/thread.jspa?threadID=168376
It looks like sg-72bd411a does in fact reference itself. You'll need to go into it and remove the reference before you can delete it.
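The two blockers described in this thread (a group that cannot be deleted because another rule, possibly its own, still references it, and a group held by a network interface that belongs to a managed service such as ElastiCache) can both be read off `describe-security-groups` and `describe-network-interfaces` output before touching anything. The following is an added example, not code from the thread; it works on constructed dictionaries in the shape those two API calls return, with invented group and interface IDs, so it runs offline. It finds self-references, lists requester-managed interfaces that pin a group, and computes a deletion order that avoids DependencyViolation, naming the rules that must be revoked first to break any cycle.

```python
"""Work out why a security group will not delete, from describe-* output.

Added example; not from the thread. Input is constructed to match the
shape of `aws ec2 describe-security-groups` / `describe-network-interfaces`.
"""
from collections import defaultdict

# Constructed sample: default group (self-referencing, as created by AWS),
# a web group, a DB group that references the web group, and a group that
# references itself (the situation in the last answer above).
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]}]},
    {"GroupId": "sg-0web0001", "GroupName": "WebServerSG",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0db00001", "GroupName": "DBServerSG",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web0001"}]}]},
    {"GroupId": "sg-0self001", "GroupName": "SelfRefSG",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0self001"}]}]},
]

# Constructed sample: an ENI owned by a managed service. The account cannot
# detach it, which is what surfaces as "You do not have permission".
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0cache001", "Status": "in-use",
     "Description": "ElastiCache my-redis-cluster",
     "RequesterManaged": True, "RequesterId": "amazon-elasticache",
     "Groups": [{"GroupId": "sg-0self001"}]},
]


def referenced_groups(group):
    """IDs of groups named as source/destination by this group's rules."""
    refs = set()
    for key in ("IpPermissions", "IpPermissionsEgress"):
        for perm in group.get(key, []):
            for pair in perm.get("UserIdGroupPairs", []):
                refs.add(pair["GroupId"])
    return refs


def reference_graph(groups):
    """referrer -> set(referenced). Edge B->A means A cannot be deleted while B's rule exists."""
    return {g["GroupId"]: referenced_groups(g) for g in groups}


def self_references(groups):
    """Groups whose own rules reference themselves (must be revoked before deletion)."""
    return sorted(gid for gid, refs in reference_graph(groups).items() if gid in refs)


def managed_blockers(enis):
    """group -> [(eni, description)] for requester-managed ENIs still attached.
    These cannot be detached or re-grouped directly; delete the owning service resource."""
    blockers = defaultdict(list)
    for eni in enis:
        if eni.get("RequesterManaged"):
            for g in eni.get("Groups", []):
                blockers[g["GroupId"]].append((eni["NetworkInterfaceId"], eni.get("Description", "")))
    return dict(blockers)


def deletion_plan(groups):
    """Return (rules_to_revoke, delete_order) for the non-default groups.

    rules_to_revoke is a list of (group holding the rule, group it references):
    self-references plus the edges that must go to break a cycle such as A<->B.
    delete_order deletes referrers before the groups they reference.
    """
    graph = reference_graph(groups)
    default_ids = {g["GroupId"] for g in groups if g["GroupName"] == "default"}
    remaining = sorted(gid for gid in graph if gid not in default_ids)
    revoke = [(gid, gid) for gid in remaining if gid in graph[gid]]
    # referrers[x] = groups (including default) whose rules still name x
    referrers = {x: {r for r, refs in graph.items() if x in refs and r != x} for x in remaining}
    order = []
    while remaining:
        deletable = [x for x in remaining if not referrers[x]]
        if not deletable:
            # Cycle or a rule in the undeletable default group: revoke every
            # rule that still points at the first stuck group, then continue.
            x = remaining[0]
            revoke.extend((r, x) for r in sorted(referrers[x]))
            referrers[x].clear()
            continue
        for x in deletable:
            order.append(x)
            remaining.remove(x)
            for refs in referrers.values():
                refs.discard(x)
    return revoke, order


if __name__ == "__main__":
    print("self-referencing:", self_references(SECURITY_GROUPS))
    print("pinned by managed ENIs:", managed_blockers(NETWORK_INTERFACES))
    revoke, order = deletion_plan(SECURITY_GROUPS)
    print("revoke first:", revoke)
    print("then delete in order:", order)
```

Run against real output by loading the JSON from `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces` into the two lists; anything reported by `managed_blockers` has to be fixed on the service side (the ElastiCache cluster in the answer above), since no amount of security-group editing will release it.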

JClouds creates default security group in AWS EC2, how can I block that?

I'm creating EC2 machines in AWS using JClouds. The machines are created without any issues but they are put into a default security group created by JClouds. A typical default security group by JClouds will have the "jclouds#" prefix like here:
jclouds#euweawlt-c96-j40788-26
Since we have predefined security groups I want to use them instead.
According to the JClouds AWS guide, this should be possible through a simple line of code:
template.getOptions().as(EC2TemplateOptions.class).securityGroups(group1, group2);
So I've added it to my code as well:
computeTemplate.getOptions().as(EC2TemplateOptions.class).securityGroups(securityGroup);
...where securityGroup is the name of our predefined security group.
The same documentation page states that this should be enough:
"With respect to the security group, jclouds creates a security group for you, with rules corresponding to the inboundPorts() option (defaults to open port 22), unless you use the option EC2TemplateOptions.securityGroups()."
The end result is that the EC2 machine is added to the security group specified by the above code AND the default "jcloud#..." security group as well. Hence JClouds does create a default security group after all.
I really want to get rid of that since we already have a security group, it is not removed when the machine is terminated, and there have been exceptions thrown by the JClouds API due to the security group not being available after creation, whatever that means.
Any pointers are welcome.
Looking at the code, it looks like you're right and jclouds will always create that security group by default. I think there is no current workaround for that and I'd suggest you report that as an issue in the jclouds JIRA.
I think the fix should be as easy as moving the highlighted lines into the previous else clause, but let's better open the issue so it can be properly tracked

AWS Webapp tutorial: how to choose source in database security group?

I am following the AWS tutorial to create a Webapp here: http://docs.aws.amazon.com/gettingstarted/latest/wah-linux/getting-started-create-rds.html
I am stuck at the part 'Create a Security Group for Your DB Instance'.
The tutorial instructs you to start writing 'WebserverSG' into the IP source, and to select an option. However, even after completely typing 'WebserverSG', no such option is presented and I am unable to create the security group.
Is there a way to know the source without selecting it from the options? Alternatively, have I done something wrong for the option to not be presented?
This is my first time dealing with AWS; I don't have a concrete understanding of the purpose of security groups - so please bear this in mind!
Thanks in advance for any answers.
Are you going through the VPC area of the console or trying to edit it from within RDS? If I remember correctly you can only enter another Security Group as a source from within the VPC area.
This was fixed by: remaking the web server security group with the exact name WebServerSG, then making the database security group by starting typing the inbound IP with 'sg-...' instead of 'WebSe...'. Assigning the new security group to a similar instance has everything working.
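What the console is resolving when you type a group as the source is the group's `sg-` ID, not its name (which is why typing `sg-...` worked in the answer above and why the name is only unique within one VPC). The following is an added example, not code from the thread or from the AWS tutorial; it runs on constructed group records in the shape returned by `aws ec2 describe-security-groups`, with invented IDs. It resolves the web tier's group name to an ID within the right VPC, builds the DB ingress rule with that group as the only source, and audits a DB group for the common fallback of opening the database port to a CIDR instead.

```python
"""Reference a security group as the source of a DB ingress rule, by ID.

Added example; not from the thread. Group IDs and VPC IDs are invented.
"""

VPC_ID = "vpc-0123abcd"

# Constructed sample: the same name exists in two VPCs, so a name alone is ambiguous.
GROUPS = [
    {"GroupId": "sg-0web0001", "GroupName": "WebServerSG", "VpcId": VPC_ID, "IpPermissions": []},
    {"GroupId": "sg-0web0002", "GroupName": "WebServerSG", "VpcId": "vpc-0other01", "IpPermissions": []},
]


def resolve_group_id(groups, name, vpc_id):
    """Map a group name to its sg- ID within one VPC.
    The API stores UserIdGroupPairs by GroupId, never by name."""
    matches = [g["GroupId"] for g in groups if g["GroupName"] == name and g["VpcId"] == vpc_id]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one group named {name!r} in {vpc_id}, found {len(matches)}")
    return matches[0]


def db_ingress_permission(source_group_id, port=3306):
    """IpPermissions entry allowing the DB port only from another security group,
    i.e. the shape passed to authorize_security_group_ingress."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": source_group_id}]}


def make_db_group(group_id, source_group_id, port=3306):
    """The DB group as the tutorial intends: reachable on the DB port only from the web tier."""
    return {"GroupId": group_id, "GroupName": "DBServerSG", "VpcId": VPC_ID,
            "IpPermissions": [db_ingress_permission(source_group_id, port)]}


def audit_db_group(db_group, allowed_sources, port):
    """Findings for any rule covering `port` that uses a CIDR source or an unapproved group."""
    findings = []
    for perm in db_group.get("IpPermissions", []):
        all_traffic = perm.get("IpProtocol") == "-1"
        covers_port = all_traffic or perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        if not covers_port:
            continue
        for r in perm.get("IpRanges", []):
            findings.append(f"CIDR source {r['CidrIp']} on port {port}; use a security group source instead")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed_sources:
                findings.append(f"unexpected source group {pair['GroupId']} on port {port}")
    return findings


def demo():
    """Audit the intended layout and the world-open fallback; returns both finding lists."""
    web_id = resolve_group_id(GROUPS, "WebServerSG", VPC_ID)
    good = make_db_group("sg-0db00001", web_id)
    # The tempting workaround when the SG source will not resolve: a 0.0.0.0/0 CIDR.
    bad = dict(good, IpPermissions=[{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}])
    return audit_db_group(good, {web_id}, 3306), audit_db_group(bad, {web_id}, 3306)


if __name__ == "__main__":
    ok, findings = demo()
    print("tutorial layout:", ok or "no findings")
    for f in findings:
        print("world-open layout:", f)
```

The dictionary returned by `db_ingress_permission` is what a scripted version of the tutorial would pass to `authorize_security_group_ingress` for the DB group, with the web group's ID substituted after resolving it in the same VPC.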

Update layer security groups

I have an OpsWorks stack set up with layers and instances.
On one of the layers I decided I needed a new security group attached to it. I attached the group, but it is not being applied to the EC2 instance.
Is there a command anywhere to perform the applying of the security group changes?
You've probably figured this out by now, but if anyone else stumbles over the same problem - you need to rebuild the EC2 instances in order for them to pick up the new security group assignment.
Changes within already assigned security groups are applied immediately, but security groups themselves get assigned to instances upon launch only.