使用 CloudFormation 启动 EC2 实例的安全组问题

【问题标题】:Security Group Issue with launching an EC2 instance with CloudFormation使用 CloudFormation 启动 EC2 实例的安全组问题
【发布时间】:2021-04-18 23:15:28
【问题描述】:

我正在尝试将 EC2 实例启动到公共子网中,但是当我尝试启动 CF 模板时,我不断收到错误消息:

The parameter groupName cannot be used with the parameter subnet

这是子网、EC2 实例和安全组的 CF 模板。

# VPC
  VPC:
    Type: "AWS::EC2::VPC"
    Properties:
      CidrBlock: 10.0.0.0/24
      EnableDnsSupport: true
      InstanceTenancy: "default"

# Public subnet
  PublicSubnet:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: "us-east-1a"
      CidrBlock: 10.0.0.0/28
      VpcId: !Ref VPC

# EC2 Security Group
  SecurityGroupForEC2:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "This security group allows SSH access into the bastion hosts from your personal IP"
      GroupName: "SecurityGroup-For-Public-Subnet"
      SecurityGroupIngress:
        - CidrIp: My IP
          Description: "Allows SSH Access into the bastion Hosts"
          FromPort: 22
          IpProtocol: 6
          ToPort: 22
      VpcId: !Ref VPC


# EC2 Instances for bastion hosts
  BastionHostEC2:
    Type: "AWS::EC2::Instance"
    Properties:
      AvailabilityZone: "us-east-1a"
      InstanceType: "t2.micro"
      ImageId: ami-0be2609ba883822ec # Amazon Linux 2
      KeyName: My-Keys
      SecurityGroups:
        - !Ref SecurityGroupForPublicSubnet
      SourceDestCheck: false
      SubnetId: !Ref PublicSubnet

当 CF 堆栈尝试创建实例时,错误不断出现。 我不确定在这里做什么,因为我应该能够将安全组与 ec2 实例相关联,对吗?这是安全组已经与 VPC 关联的结果吗?任何建议将不胜感激。

【问题讨论】:

  • 您的模板中没有SecurityGroupForPublicSubnet。只有SecurityGroupForEC2

标签: amazon-web-services amazon-ec2 amazon-cloudformation amazon-vpc aws-security-group


【解决方案1】:

代码中至少有两个问题:

  1. SecurityGroupForPublicSubnet 不存在。我想应该是SecurityGroupForEC2。我认为是的。

  2. SecurityGroups 不能用于非默认 VPC。由于您正在创建自己的 VPC,因此它失败了。您应该使用SecurityGroupIds,如下面的固定代码所示

Resources:

  VPC:
    Type: "AWS::EC2::VPC"
    Properties:
      CidrBlock: 10.0.0.0/24
      EnableDnsSupport: true
      InstanceTenancy: "default"

# Public subnet
  PublicSubnet:
    Type: "AWS::EC2::Subnet"
    Properties:
      AvailabilityZone: "us-east-1a"
      CidrBlock: 10.0.0.0/28
      VpcId: !Ref VPC

# EC2 Security Group
  SecurityGroupForEC2:
    Type: "AWS::EC2::SecurityGroup"
    Properties:
      GroupDescription: "This security group allows SSH access into the bastion hosts from your personal IP"
      GroupName: "SecurityGroup-For-Public-Subnet"
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0
          Description: "Allows SSH Access into the bastion Hosts"
          FromPort: 22
          IpProtocol: 6
          ToPort: 22
      VpcId: !Ref VPC


# EC2 Instances for bastion hosts
  BastionHostEC2:
    Type: "AWS::EC2::Instance"
    Properties:
      AvailabilityZone: "us-east-1a"
      InstanceType: "t2.micro"
      ImageId: ami-0be2609ba883822ec # Amazon Linux 2
      #KeyName: My-Keys
      SecurityGroupIds:
        - !GetAtt SecurityGroupForEC2.GroupId
      SourceDestCheck: false
      SubnetId: !Ref PublicSubnet

【讨论】:

  • 嘿,谢谢!我实际上是回来发帖的,因为我使用的是自定义 VPC。感谢您的快速回答!
  • @KoalaKey 没问题。很高兴它解决了:-)
猜你喜欢
相关资源
最近更新 更多
热门标签
Java Python linux javascript C# Mysql Docker 算法 前端 SpringBoot Redis Vue spring .net 设计模式 .net core c++ kubernetes 数据库 机器学习 大数据 数据结构 微服务 js 人工智能 Go Android 面试 程序员 JVM 云原生 后端 ASP.net core 深度学习 CSS k8s git golang PHP devops Nginx Django React mybatis 架构 多线程 Spring Boot 云计算 LeetCode 分布式