My Cloudformation YAML for autoscaling group keeps creating EC2 instances in default VPC even after I specify a custom VPC. Here's the snippets of code:

  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Port: 80
      Protocol: HTTP
      VpcId: !Ref VpcId

Parameters section:

  VpcId:
    Description: Enter the VpcId
    Type: AWS::EC2::VPC::Id
    Default: vpc-0ed238eeecc11b493

I keep seeing termination of EC2 instances because the launch config is for some reason creating the instances in the default VPC even though I have specified to use the custom one in the parameters section. I don't know why it is not taking the custom VPC. When I check security groups and the launch config in the AWS console, it shows the custom VPC, but when I check the EC2 instance launched by the auto scaling group, I see the default VPC. My default VPC is vpc-6a79470d and my custom VPC is vpc-0ed238eeecc11b493.

The error I see in the Autoscaling group section of the console is:

Description: Launching a new EC2 instance: i-041b680f6470379e3.
Status Reason: Failed to update target group arn:aws:elasticloadbalancing:us-west-1:targetgroup/ALBTe-Targe-7DMLWW46T1E6/f74a31d17bf3c4dc: 
The following targets are not in the target group VPC 'vpc-0ed238eeecc11b493': 'i-041b680f6470379e3' Updating load balancer configuration failed.

Hope someone can help point out what I am doing wrong. I see in AWS documentation that ASG by default launches in default VPC but there must be a way to do it in CloudFormation if it is possible to do it through console.

=============================== After update==========================

Here's how it looks now after adding VPCZoneIdentifier. Not sure what I am doing wrong, and I'm getting an issue with the security group now:

  AutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AvailabilityZones: !GetAZs
      VPCZoneIdentifier: !Ref SubnetIds
      LaunchConfigurationName: !Ref LaunchConfiguration
      MinSize: 1
      MaxSize: 3
      TargetGroupARNs: 
        - !Ref TargetGroup
  LaunchConfiguration:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      KeyName: !Ref KeyName
      InstanceType: t2.micro
      SecurityGroups:
        - !Ref EC2SecurityGroup
      ImageId:
        Fn::FindInMap:
        - RegionMap
        - !Ref AWS::Region
        - AMI
      LaunchConfiguration --region ${AWS::Region}
  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB Security Group
      VpcId: VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  EC2SecurityGroup: 
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EC2 Instance
Santosh R

2 Answers

3

The snippet you are providing is for the target group of the load balancer.

This error will occur because the subnets attached to your auto scaling group are not within the same VPC as your target group.

Use a parameter type of List<AWS::EC2::Subnet::Id> to specify the subnets for your autoscaling group.

For your autoscaling group the VPCZoneIdentifier parameter should be assigned the values of the parameter.

More information is available here for this parameter type.

Chris Williams
2

In your ASG you usually would define VPCZoneIdentifier:

  • A list of subnet IDs for a virtual private cloud (VPC). If you specify VPCZoneIdentifier with AvailabilityZones, the subnets that you specify for this property must reside in those Availability Zones.

The example is as follows:

Parameters:

  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Subnet IDs for ASG

Resources:

  MyASG:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties: 
      # ... other properties
      VPCZoneIdentifier: !Ref SubnetIds
Marcin
  • Thanks for that...the issue moved to Security groups for that ALB. I am getting this error now: One or more security groups in the launch configuration are not linked to the VPCs configured in the Auto Scaling group (Service: AmazonAutoScaling; Status Code: 400; Error Code: ValidationError; Request ID: 83c8106b-149a-4ff3-b59b-4f151313206e) – Santosh R Jun 22 '20 at 22:49
  • @SantoshR Security groups also must be associated with your vpc, using [VpcId](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-vpcid) parameter. – Marcin Jun 22 '20 at 22:52
  • I just updated my original post with the changed YAML. The VPCid is there in the Security Group definition – Santosh R Jun 22 '20 at 23:01
  • @SantoshR This is incorrect yaml `VpcId: VpcId: !Ref VpcId`. Also `EC2SecurityGroup` is not in your VPC. – Marcin Jun 22 '20 at 23:02
  • That was a typo...yikes (I cannot believe I did not catch that)! I added VPCId for EC2SecurityGroup as well and it worked! Thank you for your help! – Santosh R Jun 22 '20 at 23:29
  • Absolutely! Thanks! – Santosh R Jun 22 '20 at 23:31
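The two errors in this thread (targets not in the target group's VPC, then security groups not linked to the ASG's VPC) are both consequences of one thing: a VPC-scoped resource that silently defaulted to the default VPC. The check below is an added example, not code from the question or either answer; it walks a CloudFormation template in its parsed JSON/dict form and reports the inconsistencies before `aws cloudformation deploy` is ever run. It assumes `VpcId` values are either literal strings or `{"Ref": <parameter>}` and that a referenced parameter resolves to its `Default` when one is given; the embedded templates are constructed to mirror the question's post-update YAML and the fix from the comments.

```python
"""Pre-deployment check: does every VPC-scoped resource an Auto Scaling group depends on
(its launch configuration's security groups, its target groups) sit in one VPC, and does
the ASG itself pin its subnets with VPCZoneIdentifier?

Assumptions (mine, not the question's): the template is the parsed JSON/dict form of the
YAML, VpcId values are literal strings or {"Ref": <parameter>}, and a referenced parameter
resolves to its Default when one is given.
"""
import copy


def _ref(value):
    """Return the logical name inside a {"Ref": name} intrinsic, else None."""
    if isinstance(value, dict) and set(value) == {"Ref"}:
        return value["Ref"]
    return None


def _resolve_vpc(value, parameters):
    """Resolve a VpcId property to a string (None if unresolvable); ValueError if malformed."""
    if isinstance(value, str):
        return value
    name = _ref(value)
    if name is None:  # e.g. the nested 'VpcId: VpcId: !Ref VpcId' typo from the thread
        raise ValueError(f"malformed VpcId value {value!r}")
    return parameters.get(name, {}).get("Default")


def check_asg_vpc_placement(template):
    """Return a list of findings; an empty list means the ASG's VPC wiring is consistent."""
    resources = template.get("Resources", {})
    parameters = template.get("Parameters", {})
    findings = []
    for asg_name, asg in resources.items():
        if asg.get("Type") != "AWS::AutoScaling::AutoScalingGroup":
            continue
        props = asg.get("Properties", {})
        if "VPCZoneIdentifier" not in props:
            findings.append(f"{asg_name}: no VPCZoneIdentifier, instances will launch in the default VPC")
        vpc_of = {}  # logical id -> resolved VpcId of each VPC-scoped dependency

        def record(name, value):
            try:
                vpc_of[name] = _resolve_vpc(value, parameters)
            except ValueError as exc:
                findings.append(f"{name}: {exc}")

        # Target groups attached to the ASG must be in the same VPC as the instances.
        for tg_name in (_ref(t) for t in props.get("TargetGroupARNs", [])):
            tg = resources.get(tg_name, {})
            if tg.get("Type") == "AWS::ElasticLoadBalancingV2::TargetGroup":
                record(tg_name, tg.get("Properties", {}).get("VpcId"))
        # Security groups named in the launch configuration must belong to that VPC too;
        # a security group declared without VpcId is created in the default VPC.
        lc = resources.get(_ref(props.get("LaunchConfigurationName")), {})
        for sg_name in (_ref(s) for s in lc.get("Properties", {}).get("SecurityGroups", [])):
            sg = resources.get(sg_name, {})
            if sg.get("Type") != "AWS::EC2::SecurityGroup":
                continue
            sg_props = sg.get("Properties", {})
            if "VpcId" not in sg_props:
                findings.append(f"{sg_name}: security group has no VpcId, it will be created in the default VPC")
                continue
            record(sg_name, sg_props["VpcId"])
        if len({v for v in vpc_of.values() if v is not None}) > 1:
            findings.append(f"{asg_name}: dependencies span more than one VPC: {sorted(vpc_of.items())}")
    return findings


# Constructed template mirroring the question's post-update YAML (JSON form): the ASG has
# VPCZoneIdentifier and ALBSecurityGroup names the VPC, but EC2SecurityGroup, the one the
# launch configuration actually uses, has no VpcId.
BROKEN_TEMPLATE = {
    "Parameters": {
        "VpcId": {"Type": "AWS::EC2::VPC::Id", "Default": "vpc-0ed238eeecc11b493"},
        "SubnetIds": {"Type": "List<AWS::EC2::Subnet::Id>"},
    },
    "Resources": {
        "TargetGroup": {"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
                        "Properties": {"Port": 80, "Protocol": "HTTP", "VpcId": {"Ref": "VpcId"}}},
        "AutoScalingGroup": {"Type": "AWS::AutoScaling::AutoScalingGroup",
                             "Properties": {"VPCZoneIdentifier": {"Ref": "SubnetIds"},
                                            "LaunchConfigurationName": {"Ref": "LaunchConfiguration"},
                                            "MinSize": 1, "MaxSize": 3,
                                            "TargetGroupARNs": [{"Ref": "TargetGroup"}]}},
        "LaunchConfiguration": {"Type": "AWS::AutoScaling::LaunchConfiguration",
                                "Properties": {"InstanceType": "t2.micro",
                                               "SecurityGroups": [{"Ref": "EC2SecurityGroup"}]}},
        "ALBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
                             "Properties": {"GroupDescription": "ALB Security Group",
                                            "VpcId": {"Ref": "VpcId"}}},
        "EC2SecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
                             "Properties": {"GroupDescription": "EC2 Instance"}},
    },
}


def with_property(template, resource, prop, value):
    """Return a deep copy of template with Resources[resource].Properties[prop] set to value."""
    out = copy.deepcopy(template)
    out["Resources"][resource].setdefault("Properties", {})[prop] = value
    return out


# The fix from the comment thread: give EC2SecurityGroup the same VpcId as everything else.
FIXED_TEMPLATE = with_property(BROKEN_TEMPLATE, "EC2SecurityGroup", "VpcId", {"Ref": "VpcId"})

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(label, check_asg_vpc_placement(tpl) or "ok")
```

Running it reports the missing `VpcId` on `EC2SecurityGroup` for the broken template and nothing for the fixed one. Pointing `EC2SecurityGroup` at the default VPC (`vpc-6a79470d`) instead produces the "more than one VPC" finding, which is the same condition the console reported as targets not being in the target group's VPC, and the nested `VpcId: VpcId:` typo is flagged as malformed rather than silently ignored.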