Security group does not belong to VPC

0
votes

I am trying to create an internet facing elb. I have created vpc in ohio region (us-east-2). I have created 4 subnet. 2 public subnets and 2 private subnets. Public subent: SubnetA (us-east-2a), SubnetB (us-east-2b) Private subnet: SubnetC (us-east-2a) , SubnetD (us-east-2b) When I give the availability zone to the load balancer it shows the following error Security group does not belong to VPC

---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  SourceStackName:
    Description: "Source stack name"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "wahaj-vpc"
Resources:
  wahajelb:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: wahaj-elb
      VpcId:
        Fn::ImportValue:
          Fn::Sub: "${SourceStackName}-VpcID"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: For traffic from Internet
      GroupDescription: Security Group for demo server

  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Listeners:
        - LoadBalancerPort: "80"
          InstancePort: "80"
          Protocol: HTTP
      SecurityGroups:
        - !Ref wahajelb
      LoadBalancerName: wahajelb
      Subnets:
        - Fn::ImportValue: !Sub "${SourceStackName}-SubnetC"
        - Fn::ImportValue: !Sub "${SourceStackName}-SubnetD"
      HealthCheck:
        Target: HTTP:80/SamplePage.php
        HealthyThreshold: "3"
        UnhealthyThreshold: "5"
        Interval: "30"
        Timeout: "5"

I am new to this so please if any changes is required to the template do tell me I might have made some mistakes. Vpc template

---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 11.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2a
      VpcId: !Ref VPC
      CidrBlock: 11.0.0.0/24
      MapPublicIpOnLaunch: true
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2b
      VpcId: !Ref VPC
      CidrBlock: 11.0.1.0/24
      MapPublicIpOnLaunch: true
  SubnetC:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2a
      VpcId: !Ref VPC
      CidrBlock: 11.0.2.0/24
      MapPublicIpOnLaunch: false
  SubnetD:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2b
      VpcId: !Ref VPC
      CidrBlock: 11.0.3.0/24
      MapPublicIpOnLaunch: false
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  RouteTable2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SubnetCRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable2
      SubnetId: !Ref SubnetC

  SubnetDRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable2
      SubnetId: !Ref SubnetD
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Internet Group"
      GroupDescription: "SSH traffic in, all traffic out."
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: "22"
          ToPort: "22"
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  NAT:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId:
        Fn::GetAtt:
          - EIP
          - AllocationId
      SubnetId:
        Ref: SubnetA
      Tags:
        - Key: Name
          Value: wahaj-nat
  EIP:
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: VPC
  Route:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: RouteTable2
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: NAT
Outputs:
  vpcID:
    Description: VPC id
    Value: !Ref VPC
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-VpcID"
  SubnetA:
    Description: public subnet
    Value: !Ref SubnetA
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetA"
  SubnetB:
    Description: public subnet 2
    Value: !Ref SubnetB
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetB"
  SubnetC:
    Description: priavte subnet
    Value: !Ref SubnetC
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetC"
  SubnetD:
    Description: private subnet 2
    Value: !Ref SubnetD
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetD"

Autoscaling template

---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  SourceStackName:
    Description: "Source stack name"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "wahaj-vpc"
  elb:
    Description: "elb"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "wahaj-elb"
  bastion:
    Description: "bastion host"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "wahaj-bastion"

Resources:
  wahajwebserver:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: wahaj-webserver
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId:
            Fn::ImportValue: !Sub "${bastion}-bsgId"
          Description: For traffic from Internet
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId:
            Fn::ImportValue: !Sub "${elb}-lgsg"
          Description: For traffic from Internet
      GroupDescription: Security Group for demo server
      VpcId:
        Fn::ImportValue:
          Fn::Sub: "${SourceStackName}-VpcID"
  ec2instance:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: "true"
            VolumeSize: "8"
            VolumeType: gp2
      ImageId: ami-0bdcc6c05dec346bf
      InstanceType: t2.micro
      IamInstanceProfile: !Ref ListS3BucketsInstanceProfile
      KeyName: wahaj(webserver)
      SecurityGroups:
        - Ref: wahajwebserver
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - Ref: S3FullAccess
  ListS3BucketsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ListS3BucketsPolicy
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - s3:List*
            Resource: "*"
      Roles:
        - Ref: S3FullAccess
  S3FullAccess:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  myASG:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AvailabilityZones:
        - "us-east-2a"
        - "us-east-2b"
      AutoScalingGroupName: myASG
      LoadBalancerNames:
        - Fn::ImportValue: !Sub "${elb}-MyLoadBalancer"
      MinSize: "2"
      MaxSize: "2"
      DesiredCapacity: "2"
      HealthCheckGracePeriod: 300
      LaunchConfigurationName:
        Ref: ec2instance
      VPCZoneIdentifier:
        - Fn::ImportValue: !Sub "${SourceStackName}-SubnetC"
        - Fn::ImportValue: !Sub "${SourceStackName}-SubnetD"
Outputs:
  Autoscaling:
    Description: autoscaling
    Value: !Ref myASG
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-myASG"
  ec2instance:
    Description: ec2instances
    Value: !Ref ec2instance
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-ec2instance"
  sg:
    Description: ec2instances securitygroup
    Value: !GetAtt wahajwebserver.GroupId
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-sg"
1
amazon-web-servicesamazon-cloudformationamazon-elbamazon-vpc

1 Answers

2
votes

This is because the ELB and the security group reside within separate VPCs.

Your template has commented out the subnets which result in the load balancer being created in the default VPC of that region, however your security group explicitly sets a VPC ID. Therefore they are in separate VPCs.

It is always good practice to ensure that you define the VPC ID/subnet ID of resources that support it, for some resources such as EC2 without this property they will always replace when you make a change (such as changing a tag) via CloudFormation.