
I am trying to launch an example CloudFormation template as described in Getting Started with CloudFormation.

I removed the default VPC, added new one (10.0.0.0/16), and created a new subnet in it (10.0.0.0/24). According to the AWS docs, I can't set my own VPC as default and now my CloudFormation template can't be launched.

I am seeing this error:


According to https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-cloudformer-default-vpc/, I can fix the issue by describing my new VPC, but I don't know why this is correct.

ipeacocks

1 Answer

If you want to continue using the default VPC you deleted, you will have to contact AWS support to create it again. AWS resources from the template you are using depend on it.

Otherwise you have to customize it a bit so it can be used with your non-default VPCs. Here are the suggested changes:

0) Pass your VPC ID and your subnet IDs as CloudFormation parameters:

    "myVPC": {
        "Description" : "Id of my VPC",
        "Type"        : "String",
        "Default"     : "vpc-XXXXXXXX"
    },

    "MySubnet": {
        "Description" : "My subnet from my VPC",
        "Type": "String",
        "Default": "subnet-YYYYYYYY"
    },      

    "RDSSubnets": {
        "Description" : "RDS subnets from my VPC",
        "Type": "CommaDelimitedList",
        "Default": "subnet-YYYYYYY1,subnet-YYYYYY2"
    },      

1) Security groups have to be created within your new VPC identified by VPC ID:

    "DBSecurityGroup": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
    ===>>> "EC2VpcId" : { "Ref" : "myVPC" }, <<<====
           "DBSecurityGroupIngress": { "EC2SecurityGroupName": { "Ref": "WebServerSecurityGroup"} },
           "GroupDescription"      : "Frontend Access"
      }
    },

    "WebServerSecurityGroup" : {
      "Type" : "AWS::EC2::SecurityGroup",
      "Properties" : {
    ===>>> "VpcId" : {"Ref" : "myVPC"}, <<<====
           "GroupDescription" : "Enable HTTP access via port 80 and SSH access",
           "SecurityGroupIngress" : [
             {"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "0.0.0.0/0"},
             {"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : { "Ref" : "SSHLocation"}}
           ]
      }
    }

2) Change your EC2 instance to use your VPC subnet (the `MySubnet` parameter defined above):

    "WebServer": {
      "Type": "AWS::EC2::Instance",
      ...
      "Properties": {
         "SubnetId": { "Ref": "MySubnet" },
      ...

3) Create RDS DB subnet group with your VPC subnets dedicated for RDS (you need to create a subnet in the VPC in at least two of the Availability Zones of the region where the VPC exists):

    "MyDBSubnetGroup" : {
      "Type" : "AWS::RDS::DBSubnetGroup",
      "Properties" : {
        "DBSubnetGroupDescription" : "Subnets available for the RDS DB Instance",
        "SubnetIds" : { "Ref" : "RDSSubnets" }
      }
    },

4) Change your RDS instance to use your VPC subnet and security group (replace the DBSecurityGroups parameter with VPCSecurityGroups):

    "DBInstance" : {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
          "DBSubnetGroupName" : { "Ref" : "MyDBSubnetGroup" },
          "VPCSecurityGroups" : [ { "Ref" : "DBSecurityGroup" } ],
          ...

You can find more details about the parameters used in the AWS documentation:

dsmsk80
  • Thank you, @dsmsk80. Now my template looks like this: http://pastebin.com/T1eHRxBy And now I have an error during launch: https://mrkr.io/W1THcu2Y63 Looks like a DC limitation (I am using us-west-2a) – ipeacocks Oct 23 '15 at 11:41
  • I updated my answer. For an RDS instance you are expected to have at least two subnets from different AZs. When you use the default VPC, subnets are created by default. So create another subnet in a different AZ than MySubnet is in and use them both as the RDSSubnets parameter. – dsmsk80 Oct 23 '15 at 12:46
  • Now I have created a second subnet in another region, us-west-2b: https://mrkr.io/MiDhD7Fq5J. And for now the template looks like this: http://pastebin.com/2CJfUCC9 But now I have another issue :) https://mrkr.io/uulpIT1bi2 Thank you for your patience. – ipeacocks Oct 23 '15 at 14:51
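The checks the answer walks through (VpcId on security groups, SubnetId on the instance, DBSubnetGroupName plus VPCSecurityGroups on the RDS instance, and every Ref pointing at a defined parameter or resource) can be run offline against a template before launching the stack. The script below is an added example, not code from the answer or the asker's pastebin; its sample template is constructed here and deliberately contains the `MySubnet`/`MySubnet1` mismatch so the check has something to find.

```python
import json

# Constructed sample (not the asker's pastebin template): the answer's resources
# wired to a non-default VPC, with one deliberate slip: "WebServer" refers to
# "MySubnet1" while the parameter is named "MySubnet".
SAMPLE_TEMPLATE = json.loads("""{
  "Parameters": {"myVPC": {"Type": "String"}, "MySubnet": {"Type": "String"},
                 "RDSSubnets": {"Type": "CommaDelimitedList"}},
  "Resources": {
    "WebServerSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {"VpcId": {"Ref": "myVPC"}}},
    "WebServer": {"Type": "AWS::EC2::Instance",
      "Properties": {"SubnetId": {"Ref": "MySubnet1"}}},
    "MyDBSubnetGroup": {"Type": "AWS::RDS::DBSubnetGroup",
      "Properties": {"SubnetIds": {"Ref": "RDSSubnets"}}},
    "DBInstance": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"DBSubnetGroupName": {"Ref": "MyDBSubnetGroup"},
                     "VPCSecurityGroups": [{"Ref": "WebServerSecurityGroup"}]}}}}""")

# Properties a resource must carry once the stack targets a non-default VPC.
REQUIRED = {"AWS::EC2::SecurityGroup": ["VpcId"],
            "AWS::EC2::Instance": ["SubnetId"],
            "AWS::RDS::DBInstance": ["DBSubnetGroupName", "VPCSecurityGroups"]}

def find_refs(node):
    """Yield the logical name used by every {"Ref": ...} in the tree."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        for value in node.values():
            yield from find_refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from find_refs(value)

def check_template(tpl):
    """Return a list of problem strings; an empty list means the checks pass."""
    problems = []
    known = set(tpl.get("Parameters", {})) | set(tpl.get("Resources", {}))
    for name, res in tpl.get("Resources", {}).items():
        props = res.get("Properties", {})
        for prop in REQUIRED.get(res.get("Type"), []):
            if prop not in props:
                problems.append(f"{name}: missing {prop} (needed outside the default VPC)")
        if res.get("Type") == "AWS::RDS::DBInstance" and "DBSecurityGroups" in props:
            problems.append(f"{name}: use VPCSecurityGroups instead of DBSecurityGroups")
        for ref in find_refs(props):  # pseudo-parameters such as AWS::Region are fine
            if ref not in known and not ref.startswith("AWS::"):
                problems.append(f"{name}: Ref to undefined '{ref}'")
    return problems
```

Run `check_template(json.load(open("template.json")))` on your own file; the sample above reports the dangling `MySubnet1` reference and nothing else.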