安全组和子网属于不同的网络
Posted
技术标签:
【中文标题】安全组和子网属于不同的网络【英文标题】:Security Group and Subnet Belongs to different networks 【发布时间】:2018-06-23 11:22:03 【问题描述】:我正在创建一个基本的 AWS CloudFormation 模板,其中包含一个 VPC、3 个安全组和 5 个 EC2 实例,我的安全组看起来像这样 -
"WebApplicationServerSG":
"Type": "AWS::EC2::SecurityGroup",
"Properties":
"VpcId":
"Ref": "DevVpc"
,
"GroupDescription": "Enable HTTP, HTTPS and SSH access",
"Tags": [
"Key": "Name",
"Value": "WebApplicationServer Service Group"
],
"SecurityGroupIngress": [
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
,
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
,
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
],
"SecurityGroupEgress": [
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
,
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
,
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
]
,
"Metadata":
"AWS::CloudFormation::Designer":
"id": "a7977f00-48d6-488f-9e23-9bcd0785d399"
VPC 如下所示 -
"DevVpc":
"Type": "AWS::EC2::VPC",
"Properties":
"CidrBlock": "172.31.0.0/16",
"EnableDnsSupport": "false",
"EnableDnsHostnames": "false",
"InstanceTenancy": "dedicated",
"Tags": [
"Key": "Name",
"Value": "DevStackVpc"
]
使用模板创建堆栈时出现错误 -
安全组 sg-31f91b5a 和子网 subnet-ea0aa3a7 属于 不同的网络。
11:13:01 UTC+0550 CREATE_FAILED AWS::EC2::Instance WebApplicationServer Security group sg-5147a53a and subnet subnet-ea0aa3a7 belong to different networks.
这里是完整模板的gist,任何帮助将不胜感激。
【问题讨论】:
您的 VPC 子网在哪里定义? 很可能问题出在子网定义中,可以肯定地说完整模板很有用。如果您想完全控制您的代码,请不要使用可视化编辑器 :) 我没有看到您的模板中声明的任何子网。如果您交叉引用错误中的子网 ID,您可能会发现它来自您在该区域中的 Default VPC,而不是此堆栈中的 VPC,并且您的实例将前往那里而不是此处。跨度> @Michael-sqlbot 如果可以的话,我可以请求您提供一个样本。谢谢指点。 AFAIK,您需要创建EC2 subnets,然后您需要为RDS subnet groups 为RDS 实例声明两个或多个这些子网的逻辑集合。 【参考方案1】:如果有人使用 Terraform 来到这里,我会收到类似的错误消息,最终发生的情况如下:
variable "name"
locals
vpc_id = "..."
subnet_id = "..."
resource "aws_instance" "web"
ami = "ami-09def150731bdbcc2"
instance_type = "t3.micro"
vpc_security_group_ids = ["$aws_security_group.allow_http.id"]
user_data = <<-EOF
#!/bin/bash
sudo amazon-linux-extras install nginx1.12 -y
sudo nginx
EOF
tags
Name = "$var.name"
resource "aws_security_group" "allow_http"
description = "Allow inbound HTTP traffic for $var.name instance"
vpc_id = "$local.vpc_id"
ingress
from_port = 80
to_port = 80
protocol = "TCP"
cidr_blocks = ["0.0.0.0/0"]
egress
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
我部署到的子网没有启用auto assign public IPs。因此,我更新了aws_instance 以包含subnet_id 和associate_public_ip_address:
resource "aws_instance" "web"
ami = "ami-09def150731bdbcc2"
instance_type = "t3.micro"
subnet_id = "$local.subnet_id"
vpc_security_group_ids = ["$aws_security_group.allow_http.id"]
associate_public_ip_address = true
user_data = <<-EOF
#!/bin/bash
sudo amazon-linux-extras install nginx1.12 -y
sudo nginx
EOF
tags
Name = "$var.name"
之后,一切正常。
【讨论】:
【参考方案2】:我通过cmets中提供的指针解决了上述问题,subnetVPC、Security-Groups和EC2实例之间的关系如下-
获得并应该创建的第一件事是VPC
第二个是Subnet,在这里你提到了你之前创建的VpcId
3rd 你创建security groups 在这里你提到了你之前创建的VpcId。
4th 有一个属性NetworkInterfaces,您可以在其中提供SubnetId 和GroupSet,这是一组安全组ID,您可以在其中定义安全组、vpc 和子网之间的关系,这就是解决问题的方法。
下面是实际工作的示例模板 -
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters":
"DevServerKeyPair":
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
,
"Resources":
"DevVpc":
"Type": "AWS::EC2::VPC",
"Properties":
"CidrBlock": "172.31.0.0/16",
"EnableDnsSupport": "false",
"EnableDnsHostnames": "false",
"InstanceTenancy": "dedicated",
"Tags": [
"Key": "Name",
"Value": "DevStackVpc"
]
,
"DevSubnet":
"Type": "AWS::EC2::Subnet",
"Properties":
"VpcId":
"Ref": "DevVpc"
,
"CidrBlock": "172.31.0.0/16",
"AvailabilityZone":
"Fn::Select": [
0,
"Fn::GetAZs": ""
]
,
"WebApplicationServerSG":
"Type": "AWS::EC2::SecurityGroup",
"Properties":
"VpcId":
"Ref": "DevVpc"
,
"GroupDescription": "Enable HTTP, HTTPS and SSH access",
"Tags": [
"Key": "Name",
"Value": "WebApplicationServer Service Group"
],
"SecurityGroupIngress": [
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
,
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
,
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
],
"SecurityGroupEgress": [
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
,
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
,
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
]
,
"WebApplicationServer":
"Type": "AWS::EC2::Instance",
"Properties":
"ImageId": "ami-f3e5aa9c",
"InstanceType": "t2.micro",
"Tags": [
"Key": "Name",
"Value": "WebApplicationServer"
],
"KeyName":
"Ref": "DevServerKeyPair"
,
"NetworkInterfaces": [
"SubnetId": "Ref": "DevSubnet",
"AssociatePublicIpAddress": "true",
"DeviceIndex": "0",
"GroupSet": [ "Ref" : "WebApplicationServerSG" ]
]
希望它可以帮助寻找类似问题的人。
【讨论】:
// , Jeet,您对关系的清晰解释帮助了我。感谢您跟进此事。 很有帮助。我添加了一个 AWS::EC2::NetworkInterface,然后在 AWS::EC2::Instance 资源的 NetworkInterfaces 属性的 NetworkInterfaceId 属性中引用它。确保删除 SecurityGroupIds 和 AssociatePublicIpAddress 属性。【参考方案3】:您尝试使用的安全组有问题!当您使用模板创建一个时,它使用默认 VPC。 在您创建安全组的 CLoudFormation 模板上,您需要识别您喜欢使用的 VpcId(非默认),它将解决问题。或者您可以使用(非默认)VPC 手动创建新的安全组,然后运行新实例。
【讨论】:
以上是关于安全组和子网属于不同的网络的主要内容,如果未能解决你的问题,请参考以下文章