25695

CloudFormation - Security Group VPC issue

I have a template which creates an ELB and attaches an existing subnet within a VPC. This creates just fine but when I then update my stack and add a security group with a VpcId property with a value equal to the existing VPC ID in which my attached subnet belongs the stack fails with the following error:

"You have specified two resources that belong to different networks"

If I remove the VpcId property from my security group it creates it in my default VPC and the stack creation works. I cannot understand why this can be because the security group has a relationship to the ELB in the specified ingress rules -

"IpProtocol": "tcp", "FromPort": "8000", "ToPort": "8010", "SourceSecurityGroupOwnerId": { "Fn::GetAtt": [ "ElasticLoadBalancer", "SourceSecurityGroup.OwnerAlias" ] },

I cannot explicitly state the VPC ID on the ELB as it has no such property, only Subnet or AZ.

Answer1:

Thanks for your help guys. I found the issue and solved the problem.

The issue is that I am trying to reference one security group from another in the security group ingress definition within the security group definition. As the documentation says:

If you want to cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. If you do, it causes a circular dependency, which AWS CloudFormation doesn't allow.

So, I specified my two security groups then specified a SecurityGroupIngress in a separate resource. This must be entered manually into the template as there is no CloudFormation icon from the left hand menu for this resource. It took a while to figure out because the error message generated when I created the stack doesn't make it obvious.

"InstanceIngress": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "GroupId": { "Fn::GetAtt": [ "InstanceSecurityGroup", "GroupId" ] }, "IpProtocol": "tcp", "FromPort": "7997", "ToPort": "8100", "SourceSecurityGroupId": { "Fn::GetAtt": [ "ELBSecurityGroup", "GroupId" ] } },

Recommend

  • Clarify Ingress load balancer
  • How to access K8s's flannel network from outside
  • What's the exactly flow chart of an outside request comes into k8s pod via Ingress?
  • How to handle Azure AD Authentication with Kubernetes Ingress
  • What type of NAT combinations requires a TURN server?
  • Hand written character recognition using neural network
  • How to filter results with Ransack
  • .each() with a filter
  • select query and count based on condition
  • Rails Query to return users belongs to any cities & not belong to any cities
  • SoX running slow using a ProcessBuilder
  • How to check when a method is run in another class in Java (method call listener)?
  • how can we view symfony dump() output with ajax request?
  • Reusing the CQ5 Form into the mywebsite components is not showing up the End of the Form section
  • Load balanced Fiware Orion
  • How to determine the association between a VB6 app and an exe instanced with CreateObject()
  • How to specify a multi-column UNIQUE constraint in code-first Entity Framework fluent API
  • How to add an object in my collection by only using add method? [closed]
  • Detaching entity along with referenced entities
  • Objective-C – access extern const with a string containing its name? [duplicate]
  • CoreData basics – to-many relationship array data
  • Create registry key in 32-bit hive on x64 PC using Installshield 2012 LE - Avoid redirection
  • How to validate a year I enter in textbox using jquery rule?
  • Laravel at least one field is required
  • Is there some graphical way to create my own configuration file on SonarLint?
  • htaccess add www if not subdomain, if subdomain remove www
  • Installing Apache MyFaces 2 on WildFly 8.2.0
  • With Hadoop, can I create a tasktracker on a machine that isn't running a datanode?
  • OpenGL 3.3 on Mac OSX El Capitan with LWJGL
  • Using jQuery closest() method with class selector
  • Regex thinks I'm nesting, but I'm not
  • What is the “return” in scheme?
  • Array.prototype.includes - not transformed with babel
  • How to recover from a Spring Social ExpiredAuthorizationException
  • ILMerge & Keep Assembly Name
  • Large data - storage and query
  • WOWZA + RTMP + HTML5 Playback?
  • How to disable jQuery.jplayer autoplay?
  • Why can't I rebase on to an ancestor of source changesets if on a different branch?
  • How can I remove ASP.NET Designer.cs files?