Security group and subnet belong to different networks

Jeet · Jan 14, 2018 · Viewed 10.2k times

I am creating a basic AWS CloudFormation template with one VPC, 3 security groups and 5 EC2 instances. My security group looks something like this:

{
  "WebApplicationServerSG": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "VpcId": {
        "Ref": "DevVpc"
      },
      "GroupDescription": "Enable HTTP, HTTPS and SSH access",
      "Tags": [
        {
          "Key": "Name",
          "Value": "WebApplicationServer Service Group"
        }
      ],
      "SecurityGroupIngress": [
        {
          "IpProtocol": "tcp",
          "FromPort": "443",
          "ToPort": "443",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "80",
          "ToPort": "80",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "22",
          "ToPort": "22",
          "CidrIp": "0.0.0.0/0"
        }
      ],
      "SecurityGroupEgress": [
        {
          "IpProtocol": "tcp",
          "FromPort": "443",
          "ToPort": "443",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "80",
          "ToPort": "80",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "22",
          "ToPort": "22",
          "CidrIp": "0.0.0.0/0"
        }
      ]
    },
    "Metadata": {
      "AWS::CloudFormation::Designer": {
        "id": "a7977f00-48d6-488f-9e23-9bcd0785d399"
      }
    }
  }
}

And the VPC looks something like this:

{
  "DevVpc": {
    "Type": "AWS::EC2::VPC",
    "Properties": {
      "CidrBlock": "172.31.0.0/16",
      "EnableDnsSupport": "false",
      "EnableDnsHostnames": "false",
      "InstanceTenancy": "dedicated",
      "Tags": [
        {
          "Key": "Name",
          "Value": "DevStackVpc"
        }
      ]
    }
  }
}

I am getting this error during stack creation with the template:

Security group sg-31f91b5a and subnet subnet-ea0aa3a7 belong to different networks.

11:13:01 UTC+0550   CREATE_FAILED   AWS::EC2::Instance  WebApplicationServer    Security group sg-5147a53a and subnet subnet-ea0aa3a7 belong to different networks.

And here is a gist with the complete template; any help would really be appreciated.
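The error in the question means exactly what it says: the security group's VpcId is the template's own DevVpc, while subnet-ea0aa3a7 (the SubnetId the instance was given) belongs to some other VPC, typically the account's default VPC. The fix is to declare an AWS::EC2::Subnet inside DevVpc and have the instance Ref that subnet alongside the security group. The check below is an added example, not code from the question or its gist: a small offline linter that resolves, from the template alone, which VPC each instance's subnet and security groups belong to and reports the combinations EC2 rejects at create time. The three sample templates inside it are constructed for the example (only the DevVpc and WebApplicationServerSG names and the 172.31.0.0/16 block come from the question); the function and resource names are assumptions, and a subnet that is hard-coded cannot be resolved offline, so it is reported rather than assumed correct.

```python
"""Offline check for "security group and subnet belong to different networks".

Added example, not code from the question or its gist. For every
AWS::EC2::Instance in a CloudFormation template it works out, from the template
alone, which VPC the instance's subnet and each of its security groups belong to
and reports the combinations EC2 rejects at create time. Resource names other
than DevVpc / WebApplicationServerSG, and the sample templates, are constructed.
"""
import json


def ref_target(value):
    """Logical id named by an intrinsic {"Ref": "X"}; None for anything else."""
    if isinstance(value, dict) and list(value) == ["Ref"]:
        return value["Ref"]
    return None


def vpc_of(resources, value):
    """VPC that a subnet / security-group property value belongs to.

    Returns the VPC (a logical id, or a literal vpc-... string) when value is a
    Ref to a resource declared in this template. Returns None when it is a
    hard-coded physical id or a Ref the template does not declare: membership
    cannot be verified offline, which is exactly the shape of the question.
    """
    logical_id = ref_target(value)
    if logical_id is None or logical_id not in resources:
        return None
    vpc = resources[logical_id].get("Properties", {}).get("VpcId")
    return ref_target(vpc) or vpc


def check_instance_networks(template):
    """Return [(instance_logical_id, message), ...]; empty means consistent."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        subnet = props.get("SubnetId")
        if subnet is None:
            # Without SubnetId EC2 launches into a subnet of the account's
            # default VPC, which is never the VPC this template creates.
            subnet_vpc = "<default VPC>"
        else:
            subnet_vpc = vpc_of(resources, subnet)
        for sg in props.get("SecurityGroupIds", []):
            sg_vpc = vpc_of(resources, sg)
            if sg_vpc is None:
                findings.append((name, f"security group {sg!r} is not declared "
                                       "in this template; its VPC is unknown"))
            elif subnet_vpc is None:
                findings.append((name, f"SubnetId {subnet!r} is hard-coded; "
                                       f"cannot confirm it is in {sg_vpc!r} "
                                       "with the security group"))
            elif subnet_vpc != sg_vpc:
                findings.append((name, f"subnet is in {subnet_vpc!r} but the "
                                       f"security group is in {sg_vpc!r}"))
    return findings


def check_template_file(path):
    """Convenience wrapper for a JSON template on disk."""
    with open(path) as fh:
        return check_instance_networks(json.load(fh))


def build_template(instance_props, declare_subnet):
    """Constructed template: one VPC, one SG inside it, one instance using it."""
    resources = {
        "DevVpc": {"Type": "AWS::EC2::VPC",
                   "Properties": {"CidrBlock": "172.31.0.0/16"}},
        "WebApplicationServerSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"VpcId": {"Ref": "DevVpc"},
                           "GroupDescription": "Enable HTTP, HTTPS and SSH access"}},
        "WebApplicationServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": dict(instance_props,
                               SecurityGroupIds=[{"Ref": "WebApplicationServerSG"}])},
    }
    if declare_subnet:
        resources["DevSubnet"] = {"Type": "AWS::EC2::Subnet",
                                  "Properties": {"VpcId": {"Ref": "DevVpc"},
                                                 "CidrBlock": "172.31.1.0/24"}}
    return {"Resources": resources}


# Subnet id pasted from another (e.g. the default) VPC: the question's situation.
BROKEN_LITERAL = build_template({"SubnetId": "subnet-ea0aa3a7"}, declare_subnet=False)
# No SubnetId at all: instance lands in the default VPC, SG lives in DevVpc.
BROKEN_DEFAULT = build_template({}, declare_subnet=False)
# Subnet declared in DevVpc and referenced by Ref: the shape that deploys.
FIXED = build_template({"SubnetId": {"Ref": "DevSubnet"}}, declare_subnet=True)

if __name__ == "__main__":
    for label, tpl in (("broken-literal", BROKEN_LITERAL),
                       ("broken-default", BROKEN_DEFAULT), ("fixed", FIXED)):
        print(label, check_instance_networks(tpl) or "OK")
```

Run it against a saved template with check_template_file("template.json") before calling CreateStack. The linter deliberately treats a literal subnet id as a finding rather than a pass: CloudFormation will accept the template and only fail at instance creation, so the cheapest place to catch a pasted default-VPC subnet is before the stack exists.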

Answer

timothyclifford · Mar 26, 2019

If anyone using Terraform got here: I had a similar error message, and what ended up happening was the following:

variable "name" {}

locals {
  vpc_id    = "..."
  subnet_id = "..."
}

# No subnet_id is set here, so EC2 chooses a subnet in the account's default VPC.
resource "aws_instance" "web" {
  ami                    = "ami-09def150731bdbcc2"
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.allow_http.id]

  user_data = <<-EOF
    #!/bin/bash
    sudo amazon-linux-extras install nginx1.12 -y
    sudo nginx
  EOF

  tags = {
    Name = var.name
  }
}

# The security group is created in local.vpc_id, not in the default VPC.
resource "aws_security_group" "allow_http" {
  description = "Allow inbound HTTP traffic for ${var.name} instance"
  vpc_id      = local.vpc_id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

The subnet I was deploying into didn't have auto-assign public IPs enabled. As such, I updated the aws_instance to include the subnet_id and associate_public_ip_address:

# subnet_id now pins the instance to a subnet in local.vpc_id, the same VPC as the
# security group; associate_public_ip_address gives it a public address on launch.
resource "aws_instance" "web" {
  ami                         = "ami-09def150731bdbcc2"
  instance_type               = "t3.micro"
  subnet_id                   = local.subnet_id
  vpc_security_group_ids      = [aws_security_group.allow_http.id]
  associate_public_ip_address = true

  user_data = <<-EOF
    #!/bin/bash
    sudo amazon-linux-extras install nginx1.12 -y
    sudo nginx
  EOF

  tags = {
    Name = var.name
  }
}

After which, everything worked.