CloudFormation - Security Group VPC issue


Problem description


I have a template which creates an ELB and attaches an existing subnet within a VPC. This creates just fine but when I then update my stack and add a security group with a VpcId property with a value equal to the existing VPC ID in which my attached subnet belongs the stack fails with the following error:



"You have specified two resources that belong to different networks"


If I remove the VpcId property from my security group it creates it in my default VPC and the stack creation works. I cannot understand why this can be because the security group has a relationship to the ELB in the specified ingress rules -

{
  "IpProtocol": "tcp",
  "FromPort": "8000",
  "ToPort": "8010",
  "SourceSecurityGroupOwnerId": {
    "Fn::GetAtt": [
      "ElasticLoadBalancer",
      "SourceSecurityGroup.OwnerAlias"
    ]
  }
}


I cannot explicitly state the VPC ID on the ELB as it has no such property, only Subnet or AZ.

Recommended answer


Thanks for your help guys. I found the issue and solved the problem.


The issue is that I am trying to reference one security group from another in the security group ingress definition within the security group definition. As the documentation says:



If you want to cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. If you do, it causes a circular dependency, which AWS CloudFormation doesn't allow.


So, I specified my two security groups then specified a SecurityGroupIngress in a separate resource. This must be entered manually into the template as there is no CloudFormation icon from the left hand menu for this resource. It took a while to figure out because the error message generated when I created the stack doesn't make it obvious.

"InstanceIngress": {
  "Type": "AWS::EC2::SecurityGroupIngress",
  "Properties": {
    "GroupId": {
      "Fn::GetAtt": [
        "InstanceSecurityGroup",
        "GroupId"
      ]
    },
    "IpProtocol": "tcp",
    "FromPort": "7997",
    "ToPort": "8100",
    "SourceSecurityGroupId": {
      "Fn::GetAtt": [
        "ELBSecurityGroup",
        "GroupId"
      ]
    }
  }
}
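The following is an added example and not code from the question or the answer above. It builds a minimal template that follows the answer's pattern (two security groups in one VPC, cross-referenced through a stand-alone AWS::EC2::SecurityGroupIngress resource) and then runs two template checks that would have caught the original problem before a stack update: embedded ingress/egress rules that cross-reference each other between AWS::EC2::SecurityGroup resources (the circular dependency CloudFormation rejects), and security groups whose VpcId differs or is missing (a missing VpcId lands the group in the default VPC, which produces the "different networks" error). The parameter and logical resource names (VpcId, ELBSecurityGroup, InstanceSecurityGroup, InstanceIngress) and the port numbers are assumptions chosen for the example.

```python
"""Added example: build a CloudFormation template with a stand-alone
SecurityGroupIngress cross-reference and check it for the two mistakes
discussed in the answer. All logical ids and ports are assumed values."""
import json


def build_template(vpc_param="VpcId"):
    """Template in the shape the answer recommends: no embedded cross-references."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {vpc_param: {"Type": "AWS::EC2::VPC::Id"}},
        "Resources": {
            "ELBSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "Load balancer listener access (assumed)",
                    "VpcId": {"Ref": vpc_param},
                    # A CIDR rule does not reference another group, so it is safe to embed.
                    "SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                         "CidrIp": "0.0.0.0/0"}
                    ],
                },
            },
            "InstanceSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "Backend instances (assumed)",
                    "VpcId": {"Ref": vpc_param},
                    # Intentionally no embedded rules: the cross-reference lives below.
                },
            },
            # Stand-alone ingress resource: instances accept 8000-8010 only from the ELB group.
            "InstanceIngress": {
                "Type": "AWS::EC2::SecurityGroupIngress",
                "Properties": {
                    "GroupId": {"Fn::GetAtt": ["InstanceSecurityGroup", "GroupId"]},
                    "IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8010,
                    "SourceSecurityGroupId": {"Fn::GetAtt": ["ELBSecurityGroup", "GroupId"]},
                },
            },
        },
    }


def with_embedded_cross_reference(template):
    """Variant that embeds the rule in both groups: the pattern the question started with."""
    t = json.loads(json.dumps(template))  # deep copy so the good template is untouched
    res = t["Resources"]
    ingress = res.pop("InstanceIngress")["Properties"]
    res["InstanceSecurityGroup"]["Properties"]["SecurityGroupIngress"] = [
        {k: v for k, v in ingress.items() if k != "GroupId"}
    ]
    res["ELBSecurityGroup"]["Properties"]["SecurityGroupEgress"] = [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8010,
         "DestinationSecurityGroupId": {"Fn::GetAtt": ["InstanceSecurityGroup", "GroupId"]}}
    ]
    return t


def _security_groups(template):
    return {lid: r for lid, r in template["Resources"].items()
            if r.get("Type") == "AWS::EC2::SecurityGroup"}


def _referenced_group(rule):
    """Logical id of the security group an embedded rule points at, if any."""
    ref = rule.get("SourceSecurityGroupId") or rule.get("DestinationSecurityGroupId")
    if isinstance(ref, dict):
        if "Ref" in ref:
            return ref["Ref"]
        if "Fn::GetAtt" in ref:
            return ref["Fn::GetAtt"][0]
    return None


def find_circular_sg_refs(template):
    """Pairs (a, b) of SecurityGroup resources whose embedded rules reference each other."""
    sgs = _security_groups(template)
    edges = {}
    for lid, res in sgs.items():
        props = res.get("Properties", {})
        rules = props.get("SecurityGroupIngress", []) + props.get("SecurityGroupEgress", [])
        edges[lid] = {t for t in map(_referenced_group, rules) if t in sgs}
    return sorted((a, b) for a in edges for b in edges[a] if a in edges[b] and a < b)


def find_vpc_mismatch(template):
    """Security groups whose VpcId differs from the first group's (or is missing)."""
    vpcs = {lid: json.dumps(r.get("Properties", {}).get("VpcId"), sort_keys=True)
            for lid, r in _security_groups(template).items()}
    if not vpcs:
        return []
    reference = next(iter(vpcs.values()))
    return sorted(lid for lid, v in vpcs.items() if v != reference)


if __name__ == "__main__":
    good = build_template()
    print("good template:", find_circular_sg_refs(good), find_vpc_mismatch(good))
    print("embedded cross-ref:", find_circular_sg_refs(with_embedded_cross_reference(good)))
```

Running the script prints an empty result for the recommended layout and flags the ELBSecurityGroup/InstanceSecurityGroup pair once the rules are embedded. The VpcId check treats the first group as the reference, so a group that omits VpcId (and would therefore be created in the default VPC) is reported as well.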

