Question
I'm building a CloudFormation JSON template to define EC2 instances and security groups.
I need to create a security group that allows every instance that belongs to it to share any data between each other.
My JSON was like this:
"InternalSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "VpcId" : {"Ref" : "myVPC"},
    "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup" }
      }
    ],
    "SecurityGroupEgress" : [
      {
        "IpProtocol" : "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "DestinationSecurityGroupId" : { "Ref" : "InternalSecurityGroup" }
      }
    ]
  }
},
But this shows me the following error:
A client error (ValidationError) occurred when calling the CreateStack operation: Circular dependency between resources
To fix it, I changed my code to use CidrIp instead of SourceSecurityGroupId, specifying the subnet the instances are in.
Is it possible to reference the same Security Group? What's the best (or correct) way to achieve what I want?
Answer 1:
As noted in the documentation, you can use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define self-referencing security group rules:
Important
If you want to cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. If you do, it causes a circular dependency, which AWS CloudFormation doesn't allow.
The result looks like this:
{
  "Resources": {
    "myVPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16"
      }
    },
    "InternalSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "GroupDescription": "Allow the machines in this group to share all kinds of traffic between each other"
      }
    },
    "InternalSecurityGroupIngress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "IpProtocol": "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "SourceSecurityGroupId": {
          "Ref": "InternalSecurityGroup"
        },
        "GroupId": {
          "Ref": "InternalSecurityGroup"
        }
      }
    },
    "InternalSecurityGroupEgress": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "IpProtocol": "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "DestinationSecurityGroupId": {
          "Ref": "InternalSecurityGroup"
        },
        "GroupId": {
          "Ref": "InternalSecurityGroup"
        }
      }
    }
  }
}
Answer 2:
Define two security groups; this should work a little better:
"InternalSecurityGroup1" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "VpcId" : {"Ref" : "myVPC"},
    "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
    "SecurityGroupIngress" : [ {
      "IpProtocol" : "-1",
      "FromPort": "-1",
      "ToPort": "-1",
      "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup2" }
    } ]
  }
},
"InternalSecurityGroup2" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "VpcId" : {"Ref" : "myVPC"},
    "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
    "SecurityGroupIngress" : [ {
      "IpProtocol" : "-1",
      "FromPort": "-1",
      "ToPort": "-1",
      "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup1" }
    } ]
  }
}
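As an added, offline check that is not part of the original question or either answer: the Python script below rebuilds the resource dependency graph that CloudFormation derives from Ref and Fn::GetAtt, reports cycles, and flags two things a reviewer would want to see before deploying any of the templates in this thread. It runs over three constructed templates modelled on the question, answer 1 and answer 2 (sample input, not the posters' exact files); the function names dependency_graph, find_cycles and security_group_findings, and the constants QUESTION_TEMPLATE, ANSWER1_TEMPLATE and ANSWER2_TEMPLATE, are my own. Beyond the self-reference in the question, it shows that the two cross-referencing groups in answer 2 form the same kind of cycle the quoted documentation warns about, and that answer 1's group, which sets no SecurityGroupEgress property, keeps the default rule that allows all outbound traffic: moving the egress rule into a standalone AWS::EC2::SecurityGroupEgress resource adds a rule but does not remove that default, so the group's egress is not actually restricted to its members.

```python
"""Offline check for the "Circular dependency between resources" error in this thread.
Rebuilds the dependency graph CloudFormation derives from Ref / Fn::GetAtt, reports cycles,
and flags embedded rules that Ref their own group and VPC groups with no SecurityGroupEgress
property (which keep the default allow-all outbound rule)."""

SG_TYPE = "AWS::EC2::SecurityGroup"
EMBEDDED_RULE_KEYS = ("SecurityGroupIngress", "SecurityGroupEgress")

def _refs(node):
    """Yield every logical ID referenced by {"Ref": ...} or {"Fn::GetAtt": ...} under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if "Fn::GetAtt" in node:  # ["LogicalId", "Attr"] or "LogicalId.Attr"
            target = node["Fn::GetAtt"]
            yield target[0] if isinstance(target, list) else str(target).split(".")[0]
        for value in node.values():
            yield from _refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from _refs(value)

def dependency_graph(template):
    """Map each logical resource ID to the set of resources its Properties reference."""
    resources = template["Resources"]
    return {lid: {r for r in _refs(res.get("Properties", {})) if r in resources}
            for lid, res in resources.items()}

def find_cycles(graph):
    """Depth-first search; returns each cycle as a list of IDs, e.g. [A, B, A] or [A, A]."""
    cycles, state = [], {}

    def visit(node, path):
        state[node] = "active"
        path.append(node)
        for dep in sorted(graph.get(node, ())):
            if state.get(dep) == "active":  # back edge: the path from dep to here is a cycle
                cycles.append(path[path.index(dep):] + [dep])
            elif dep not in state:
                visit(dep, path)
        path.pop()
        state[node] = "done"

    for node in sorted(graph):
        if node not in state:
            visit(node, [])
    return cycles

def security_group_findings(template):
    """Flag self-referencing embedded rules and the retained default allow-all egress rule."""
    findings = []
    for lid, res in template["Resources"].items():
        if res.get("Type") != SG_TYPE:
            continue
        props = res.get("Properties", {})
        for key in EMBEDDED_RULE_KEYS:
            if any(lid in _refs(rule) for rule in props.get(key, [])):
                findings.append(f"{lid}: embedded {key} rule references its own group (circular dependency)")
        if "VpcId" in props and "SecurityGroupEgress" not in props:
            findings.append(f"{lid}: no SecurityGroupEgress property, so the default allow-all outbound rule remains")
    return findings

# Constructed sample templates modelled on the thread (sample input, not the posters' exact files).
VPC = {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}}
DESC = "Allow the machines in this group to share all kinds of traffic between each other"

def _group(extra_props):
    return {"Type": SG_TYPE, "Properties": {"VpcId": {"Ref": "myVPC"}, "GroupDescription": DESC, **extra_props}}

# Question: rules embedded in the group Ref the group itself.
QUESTION_TEMPLATE = {"Resources": {"myVPC": VPC, "InternalSecurityGroup": _group({
    "SecurityGroupIngress": [{"IpProtocol": "-1", "SourceSecurityGroupId": {"Ref": "InternalSecurityGroup"}}],
    "SecurityGroupEgress": [{"IpProtocol": "-1", "DestinationSecurityGroupId": {"Ref": "InternalSecurityGroup"}}],
})}}

# Answer 1: the rules are standalone resources that depend on the group, so no edge points back at it.
ANSWER1_TEMPLATE = {"Resources": {"myVPC": VPC, "InternalSecurityGroup": _group({}),
    "InternalSecurityGroupIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "InternalSecurityGroup"}, "IpProtocol": "-1",
        "SourceSecurityGroupId": {"Ref": "InternalSecurityGroup"}}},
    "InternalSecurityGroupEgress": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "GroupId": {"Ref": "InternalSecurityGroup"}, "IpProtocol": "-1",
        "DestinationSecurityGroupId": {"Ref": "InternalSecurityGroup"}}}}}

# Answer 2: two groups whose embedded ingress rules Ref each other (the cross-reference the docs warn about).
ANSWER2_TEMPLATE = {"Resources": {"myVPC": VPC}}
for _me, _other in (("InternalSecurityGroup1", "InternalSecurityGroup2"),
                    ("InternalSecurityGroup2", "InternalSecurityGroup1")):
    ANSWER2_TEMPLATE["Resources"][_me] = _group(
        {"SecurityGroupIngress": [{"IpProtocol": "-1", "SourceSecurityGroupId": {"Ref": _other}}]})

if __name__ == "__main__":
    for name, tpl in (("question", QUESTION_TEMPLATE), ("answer 1", ANSWER1_TEMPLATE), ("answer 2", ANSWER2_TEMPLATE)):
        print(f"{name}: cycles={find_cycles(dependency_graph(tpl))}")
        for finding in security_group_findings(tpl):
            print("  -", finding)
```

The cycle finder is the interesting part: CloudFormation treats every Ref or Fn::GetAtt in a resource's Properties as an edge to the referenced resource, and the standalone AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress resources only add edges towards the group, never from it, which is why answer 1's shape has no cycle while both embedded-rule shapes do. To actually drop the default outbound rule when using the standalone egress resource, give the group's own SecurityGroupEgress property a deliberately useless placeholder rule (AWS's documented approach is a rule to 127.0.0.1/32), which makes the group "specify egress rules" so the default is not created.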
Source: https://stackoverflow.com/questions/26781255/allow-every-instance-in-the-same-security-group-to-share-any-data-between-each-o