Allow every instance in the same Security Group to share any data between each other at Cloud Formation JSON?


Problem description

I'm building a Cloud Formation JSON to define EC2 Instances and Security Groups.

I need to create a Security Group that allows every instance that belongs in it to share any data between each other.

My JSON was like that:

"InternalSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "VpcId" : {"Ref" : "myVPC"},
    "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup" }
      }
    ],
    "SecurityGroupEgress" : [
      {
        "IpProtocol" : "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "DestinationSecurityGroupId" : { "Ref" : "InternalSecurityGroup" }
      }
    ]

  }
},

But that gave the following error:

A client error (ValidationError) occurred when calling the CreateStack operation: Circular dependency between resources

To fix it I changed my code to CidrIp instead of SourceSecurityGroupId, defining the subnet the instances are in.

Is it possible to reference the same Security Group? What's the best (or correct) way to achieve what I want?

Recommended answer

As noted in the documentation, you can use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define self-referencing security group rules:

Important

If you want to cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. If you do, it causes a circular dependency, which AWS CloudFormation doesn't allow.

The result is as follows:

{
   "Resources":{
      "myVPC":{
         "Type":"AWS::EC2::VPC",
         "Properties":{
            "CidrBlock":"10.0.0.0/16"
         }
      },
      "InternalSecurityGroup":{
         "Type":"AWS::EC2::SecurityGroup",
         "Properties":{
            "VpcId":{
               "Ref":"myVPC"
            },
            "GroupDescription":"Allow the machines in this group to share all kinds of traffic between each other"
         }
      },
      "InternalSecurityGroupIngress":{
         "Type":"AWS::EC2::SecurityGroupIngress",
         "Properties":{
            "IpProtocol":"-1",
            "FromPort":"-1",
            "ToPort":"-1",
            "SourceSecurityGroupId":{
               "Ref":"InternalSecurityGroup"
            },
            "GroupId":{
               "Ref":"InternalSecurityGroup"
            }
         }
      },
      "InternalSecurityGroupEgress":{
         "Type":"AWS::EC2::SecurityGroupEgress",
         "Properties":{
            "IpProtocol":"-1",
            "FromPort":"-1",
            "ToPort":"-1",
            "DestinationSecurityGroupId":{
               "Ref":"InternalSecurityGroup"
            },
            "GroupId":{
               "Ref":"InternalSecurityGroup"
            }
         }
      }
   }
}
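The answer above works because moving the rules into their own resources turns a self-edge into a chain (group, then rule that points at the group). The following script is an added example, not code from the question, the answer or AWS: it builds a template's resource dependency graph from Ref, Fn::GetAtt and DependsOn edges and looks for a cycle, so the "Circular dependency between resources" failure can be reproduced offline before calling CreateStack. Both templates inside it are reconstructed from this page; the function names and the script filename in the usage note are the example's own.

```python
# Added example, not from the original question or answer: build a CloudFormation
# template's resource dependency graph (Ref, Fn::GetAtt, DependsOn) and report a
# cycle, to show offline why the embedded self-reference is rejected with
# "Circular dependency between resources" while the answer's split version is not.
import json
import sys

VPC = {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}}
SELF = {"Ref": "InternalSecurityGroup"}

# Constructed from the question: rules embedded in the group that they reference.
EMBEDDED_TEMPLATE = {"Resources": {
    "myVPC": VPC,
    "InternalSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": {"Ref": "myVPC"}, "GroupDescription": "intra-group traffic",
        "SecurityGroupIngress": [{"IpProtocol": "-1", "SourceSecurityGroupId": SELF}],
        "SecurityGroupEgress": [{"IpProtocol": "-1", "DestinationSecurityGroupId": SELF}],
    }},
}}

# Constructed from the answer: the same rules as standalone resources.
SPLIT_TEMPLATE = {"Resources": {
    "myVPC": VPC,
    "InternalSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": {"Ref": "myVPC"}, "GroupDescription": "intra-group traffic"}},
    "InternalSecurityGroupIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "IpProtocol": "-1", "GroupId": SELF, "SourceSecurityGroupId": SELF}},
    "InternalSecurityGroupEgress": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "IpProtocol": "-1", "GroupId": SELF, "DestinationSecurityGroupId": SELF}},
}}


def referenced_ids(node):
    """Yield every logical ID named by a Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        att = node.get("Fn::GetAtt")
        if isinstance(att, list) and att:
            yield att[0]
        elif isinstance(att, str):  # short form "LogicalId.Attribute"
            yield att.split(".", 1)[0]
        for value in node.values():
            yield from referenced_ids(value)
    elif isinstance(node, list):
        for value in node:
            yield from referenced_ids(value)


def dependency_graph(template):
    """Map each resource to the set of resources it must wait for.
    Refs to Parameters or pseudo-parameters are not resources and are dropped."""
    resources = template["Resources"]
    graph = {}
    for logical_id, body in resources.items():
        deps = set(referenced_ids(body.get("Properties", {})))
        depends_on = body.get("DependsOn", [])
        deps.update([depends_on] if isinstance(depends_on, str) else depends_on)
        graph[logical_id] = {d for d in deps if d in resources}
    return graph


def find_cycle(graph):
    """Depth-first search; return the first cycle as a list of logical IDs whose
    first and last elements are equal, or None when the graph is acyclic."""
    WHITE, GRAY, BLACK = 0, 1, 2
    color = {n: WHITE for n in graph}
    path = []

    def visit(node):
        color[node] = GRAY
        path.append(node)
        for dep in sorted(graph[node]):
            if color[dep] == GRAY:  # back edge to a node still on the path: cycle
                return path[path.index(dep):] + [dep]
            if color[dep] == WHITE:
                cycle = visit(dep)
                if cycle:
                    return cycle
        path.pop()
        color[node] = BLACK
        return None

    for node in sorted(graph):
        if color[node] == WHITE:
            cycle = visit(node)
            if cycle:
                return cycle
    return None


def check_template(template):
    """Return the cycle CloudFormation would reject, or None if the template is acyclic."""
    return find_cycle(dependency_graph(template))


if __name__ == "__main__":
    # Optional argument: path to a JSON template; otherwise check the two samples.
    samples = ({sys.argv[1]: json.load(open(sys.argv[1]))} if len(sys.argv) > 1
               else {"embedded": EMBEDDED_TEMPLATE, "split": SPLIT_TEMPLATE})
    for name, tpl in samples.items():
        cycle = check_template(tpl)
        print(f"{name}: " + (" -> ".join(cycle) if cycle else "no circular dependency"))
```

Run as `python check_cfn_cycles.py` (any filename works) to see the embedded template report `InternalSecurityGroup -> InternalSecurityGroup` and the split template report no cycle, or pass a template path to check your own stack. One side effect of the split to be aware of: the group in the answer no longer carries an embedded SecurityGroupEgress property, and EC2 removes the default allow-all outbound rule only when a security group is created with one or more egress rules of its own, so InternalSecurityGroup keeps its default egress to 0.0.0.0/0 and the separate InternalSecurityGroupEgress resource merely adds a second allow rule. That matches the question's goal (any traffic between members) but does not restrict outbound traffic to the group; if that restriction is wanted, it has to be expressed explicitly.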
