Security Group and Subnet Belongs to different networks

Asked 14/1, 2018 at 18:14 Answered 22/10, 2020 at 4:13

Solved amazon-web-services amazon-ec2 aws-cloudformation subnet aws-security-group

I am creating a basic AWS CloudFormation Template with one VPC, 3 Security Group and 5 EC2 Instances my security group looks something like this -

{
  "WebApplicationServerSG": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "VpcId": {
        "Ref": "DevVpc"
      },
      "GroupDescription": "Enable HTTP, HTTPS and SSH access",
      "Tags": [
        {
          "Key": "Name",
          "Value": "WebApplicationServer Service Group"
        }
      ],
      "SecurityGroupIngress": [
        {
          "IpProtocol": "tcp",
          "FromPort": "443",
          "ToPort": "443",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "80",
          "ToPort": "80",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "22",
          "ToPort": "22",
          "CidrIp": "0.0.0.0/0"
        }
      ],
      "SecurityGroupEgress": [
        {
          "IpProtocol": "tcp",
          "FromPort": "443",
          "ToPort": "443",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "80",
          "ToPort": "80",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "22",
          "ToPort": "22",
          "CidrIp": "0.0.0.0/0"
        }
      ]
    },
    "Metadata": {
      "AWS::CloudFormation::Designer": {
        "id": "a7977f00-48d6-488f-9e23-9bcd0785d399"
      }
    }
  }
}

And the VPC is something like below -

{
  "DevVpc": {
    "Type": "AWS::EC2::VPC",
    "Properties": {
      "CidrBlock": "172.31.0.0/16",
      "EnableDnsSupport": "false",
      "EnableDnsHostnames": "false",
      "InstanceTenancy": "dedicated",
      "Tags": [
        {
          "Key": "Name",
          "Value": "DevStackVpc"
        }
      ]
    }
  }
}

I am getting error while stack creation with the template -

Security group sg-31f91b5a and subnet subnet-ea0aa3a7 belong to different networks.

11:13:01 UTC+0550   CREATE_FAILED   AWS::EC2::Instance  WebApplicationServer    Security group sg-5147a53a and subnet subnet-ea0aa3a7 belong to different networks.

And here is a gist for complete template, any help would really be appreciated.

Bergamot answered 14/1, 2018 at 18:14 Comment(9)

Where is your VPC subnet defined? – Snowbird 14/1, 2018 at 19:35

And how are you associating your EC2 instance with the security group and subnet? – Snowbird 14/1, 2018 at 19:35

Most likely the problem is in subnet definition, full template can be useful to say for sure. And don't use visual editors if you want to have full control over your code :) – Amido 14/1, 2018 at 21:42

Have updated the original question with the Gist for Complete template. – Bergamot 15/1, 2018 at 2:56

Do not post images of code or errors! – Mauretta 15/1, 2018 at 3:2

@Mauretta Thanks for pointing out, would remove the screenshot. It makes perfect sense to not post screen shot. Thanks again. – Bergamot 15/1, 2018 at 5:39

I don't see any subnets declared in your template. You will probably find, if you cross-reference the subnet-id in the error, that it's coming from your Default VPC in the region, rather than the VPC in this stack, and your instances are going there instead of here. – Snavely 15/1, 2018 at 5:39

@Michael-sqlbot May I Request you to provide a sample if you can. Thanks for the pointer. – Bergamot 15/1, 2018 at 5:40

AFAIK, you need to create EC2 subnets and then you need to declare a logical collection of two or more of those subnets for RDS subnet groups for RDS instances. – Snavely 15/1, 2018 at 5:45

I got the above problem resolved by the pointers provided in comments.

The relationship between subnets, VPCs, security groups, and EC2 instances are below.

The first thing which should get created is the VPC.
The second is the subnet. Here, you mention the VpcId you created earlier.
The third thing you create are security groups. Here, you mention the VpcId you created earlier as well.
There is a property NetworkInterfaces, where you provide a SubnetId and GroupSet, which is an array of security group IDs. This is where you define the relationship between security groups, VPCs, and subnets.

Below is the sample template which actually worked:

{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
    "DevServerKeyPair": {
        "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
        "Type": "AWS::EC2::KeyPair::KeyName",
        "ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
    }
},
"Resources": {
    "DevVpc": {
        "Type": "AWS::EC2::VPC",
        "Properties": {
            "CidrBlock": "172.31.0.0/16",
            "EnableDnsSupport": "false",
            "EnableDnsHostnames": "false",
            "InstanceTenancy": "dedicated",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "DevStackVpc"
                }
            ]
        }
    },
    "DevSubnet": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
            "VpcId": {
                "Ref": "DevVpc"
            },
            "CidrBlock": "172.31.0.0/16",
            "AvailabilityZone": {
                "Fn::Select": [
                    0,
                    {
                        "Fn::GetAZs": ""
                    }
                ]
            }
        }
    },
    "WebApplicationServerSG": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "VpcId": {
                "Ref": "DevVpc"
            },
            "GroupDescription": "Enable HTTP, HTTPS and SSH access",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "WebApplicationServer Service Group"
                }
            ],
            "SecurityGroupIngress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": "443",
                    "ToPort": "443",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "80",
                    "ToPort": "80",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "22",
                    "ToPort": "22",
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "SecurityGroupEgress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": "443",
                    "ToPort": "443",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "80",
                    "ToPort": "80",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "22",
                    "ToPort": "22",
                    "CidrIp": "0.0.0.0/0"
                }
            ]
        }
    },
    "WebApplicationServer": {
        "Type": "AWS::EC2::Instance",
        "Properties": {
            "ImageId": "ami-f3e5aa9c",
            "InstanceType": "t2.micro",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "WebApplicationServer"
                }
            ],
            "KeyName": {
                "Ref": "DevServerKeyPair"
            },
            "NetworkInterfaces": [
                {
                    "SubnetId": {"Ref": "DevSubnet"},
                    "AssociatePublicIpAddress": "true",
                    "DeviceIndex": "0",
                    "GroupSet": [{ "Ref" : "WebApplicationServerSG" }]
                }
            ]
        }
    }
  }
}

Hope this helps someone looking into a similar problem.

Bergamot answered 18/1, 2018 at 7:47 Comment(3)

// , Your clear explanation of the relationships has helped me, Jeet. Thanks for following up on this. – Federica 3/6, 2021 at 0:31

Helpful. I added a AWS::EC2::NetworkInterface and then referenced it in the NetworkInterfaceId property of the NetworkInterfaces property of the AWS::EC2::Instance resource. Make sure to delete the SecurityGroupIds and AssociatePublicIpAddress properties. – Benner 11/8, 2021 at 1:20

I was missing this part // security groups here you mention the VpcId Now add VpcId in security group and its working. Thanks Jeet. – Eppie 25/1, 2023 at 9:49

If anyone using Terraform got here, I had a similar error message and what ended up happening was the following:

variable "name" {}

locals {
  vpc_id    = "..."
  subnet_id = "..."
}

resource "aws_instance" "web" {
  ami                         = "ami-09def150731bdbcc2"
  instance_type               = "t3.micro"
  vpc_security_group_ids      = ["${aws_security_group.allow_http.id}"]

  user_data = <<-EOF
    #!/bin/bash
    sudo amazon-linux-extras install nginx1.12 -y
    sudo nginx
  EOF

  tags {
    Name = "${var.name}"
  }
}

resource "aws_security_group" "allow_http" {
  description = "Allow inbound HTTP traffic for ${var.name} instance"
  vpc_id      = "${local.vpc_id}"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

The subnet I was deploying into didn't have auto assign public IPs enabled. As such, I updated the aws_instance to include the subnet_id and associate_public_ip_address:

resource "aws_instance" "web" {
  ami                         = "ami-09def150731bdbcc2"
  instance_type               = "t3.micro"
  subnet_id                   = "${local.subnet_id}"
  vpc_security_group_ids      = ["${aws_security_group.allow_http.id}"]
  associate_public_ip_address = true

  user_data = <<-EOF
    #!/bin/bash
    sudo amazon-linux-extras install nginx1.12 -y
    sudo nginx
  EOF

  tags {
    Name = "${var.name}"
  }
}

After which, everything worked.

Montserrat answered 26/3, 2019 at 10:12 Comment(0)

I got the above problem resolved by the pointers provided in comments.

The relationship between subnets, VPCs, security groups, and EC2 instances are below.

The first thing which should get created is the VPC.
The second is the subnet. Here, you mention the VpcId you created earlier.
The third thing you create are security groups. Here, you mention the VpcId you created earlier as well.
There is a property NetworkInterfaces, where you provide a SubnetId and GroupSet, which is an array of security group IDs. This is where you define the relationship between security groups, VPCs, and subnets.

Below is the sample template which actually worked:

{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
    "DevServerKeyPair": {
        "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
        "Type": "AWS::EC2::KeyPair::KeyName",
        "ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
    }
},
"Resources": {
    "DevVpc": {
        "Type": "AWS::EC2::VPC",
        "Properties": {
            "CidrBlock": "172.31.0.0/16",
            "EnableDnsSupport": "false",
            "EnableDnsHostnames": "false",
            "InstanceTenancy": "dedicated",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "DevStackVpc"
                }
            ]
        }
    },
    "DevSubnet": {
        "Type": "AWS::EC2::Subnet",
        "Properties": {
            "VpcId": {
                "Ref": "DevVpc"
            },
            "CidrBlock": "172.31.0.0/16",
            "AvailabilityZone": {
                "Fn::Select": [
                    0,
                    {
                        "Fn::GetAZs": ""
                    }
                ]
            }
        }
    },
    "WebApplicationServerSG": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "VpcId": {
                "Ref": "DevVpc"
            },
            "GroupDescription": "Enable HTTP, HTTPS and SSH access",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "WebApplicationServer Service Group"
                }
            ],
            "SecurityGroupIngress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": "443",
                    "ToPort": "443",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "80",
                    "ToPort": "80",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "22",
                    "ToPort": "22",
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "SecurityGroupEgress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": "443",
                    "ToPort": "443",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "80",
                    "ToPort": "80",
                    "CidrIp": "0.0.0.0/0"
                },
                {
                    "IpProtocol": "tcp",
                    "FromPort": "22",
                    "ToPort": "22",
                    "CidrIp": "0.0.0.0/0"
                }
            ]
        }
    },
    "WebApplicationServer": {
        "Type": "AWS::EC2::Instance",
        "Properties": {
            "ImageId": "ami-f3e5aa9c",
            "InstanceType": "t2.micro",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "WebApplicationServer"
                }
            ],
            "KeyName": {
                "Ref": "DevServerKeyPair"
            },
            "NetworkInterfaces": [
                {
                    "SubnetId": {"Ref": "DevSubnet"},
                    "AssociatePublicIpAddress": "true",
                    "DeviceIndex": "0",
                    "GroupSet": [{ "Ref" : "WebApplicationServerSG" }]
                }
            ]
        }
    }
  }
}

Hope this helps someone looking into a similar problem.

Bergamot answered 18/1, 2018 at 7:47 Comment(3)

// , Your clear explanation of the relationships has helped me, Jeet. Thanks for following up on this. – Federica 3/6, 2021 at 0:31

I was missing this part // security groups here you mention the VpcId Now add VpcId in security group and its working. Thanks Jeet. – Eppie 25/1, 2023 at 9:49

The problem with the security group you trying to use! When you create one with a template it used the default VPC. On the CLoudFormation template where you create a security group, you need to identify VpcId that you like to use (NON-Default), it will solve the problem. Or you can manually create a new security group using (NON-Default)VPC, and then run new instances.

Snook answered 22/10, 2020 at 4:13 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags