
I'm trying to create an AutoScalingGroup for EC2. I keep getting the following error:

Received 0 SUCCESS signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement

The EC2 instance is being created but it is not getting a public IP or DNS.

I found this other thread about the same issue and one of the answers mentions "Verify that the subnets where AutoScalingGroup's instances will be installed can connect to Internet using either a NAT gateway or Internet gateway." I believe this is the problem, however I'm not sure how to resolve it.

My VPC already has an internet gateway but I'm not sure how to tell my AutoScaling group to use it.

  PrivateSubnetOne:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      MapPublicIpOnLaunch: false
      CidrBlock: !Ref PrivateSubnetOneCidr
      AvailabilityZone:
        Fn::Select:
        - '0'
        - Fn::GetAZs: ''

  PrivateSubnetTwo:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      MapPublicIpOnLaunch: false
      CidrBlock: !Ref PrivateSubnetTwoCidr
      AvailabilityZone:
        Fn::Select:
        - '1'
        - Fn::GetAZs: ''

  WebServerAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    DependsOn:
    - Db
    - ElasticacheCluster
    Properties:
      AvailabilityZones:
      - !GetAtt PrivateSubnetOne.AvailabilityZone
      - !GetAtt PrivateSubnetTwo.AvailabilityZone
      DesiredCapacity: 1
      HealthCheckType: 'ELB'
      HealthCheckGracePeriod: '300'
      MinSize: '1'
      MaxSize: '10'
      LaunchConfigurationName: !Ref WebServer
      LoadBalancerNames:
      - !Ref WebServerElasticLoadBalancer
      VPCZoneIdentifier:
      - !Ref PrivateSubnetOne
      - !Ref PrivateSubnetTwo
      Tags:
      - Key: Name
        Value: Web Server
        PropagateAtLaunch: true
    CreationPolicy:
      ResourceSignal:
        Timeout: PT5M
        Count: 1
    UpdatePolicy:
      AutoScalingRollingUpdate:
        MinInstancesInService: 1
        MaxBatchSize: '1'
        PauseTime: PT5M
        WaitOnResourceSignals: 'true'
JohnPortland

1 Answer


When you don't get a success signal it can be one of two things:

  1. The success signal was never sent from the EC2 instance
  2. Network problems prevented the signal from being received

The easiest way to debug this problem is to connect to the EC2 server so you can check log files and run manual tests. When I say "connect" I mean SSH for Linux instances, RDP for Windows, etc. This requires the EC2 instance to continue running long enough to debug the problem.

Ways to keep it running while you debug the problem:

  1. Set the timeout in the CreationPolicy to be longer.
  2. Remove the CreationPolicy so CloudFormation doesn't fail when no Success message is sent
  3. Launch your stack with an OnFailure attribute of DO_NOTHING instead of the default of ROLLBACK.

There are multiple problems that can cause the network connection to fail, preventing the Success signal from being received.

Most likely in this case is that there is no SubnetRouteTableAssociation. If you don't associate your subnet with a route table then the subnet will use the default route table. The default wouldn't be associated with your internet gateway or NAT gateway unless you manually configured it. I'm assuming you didn't manually configure the default route table since you're trying to use CloudFormation to avoid manual changes.

Here are some other possibilities why the network connection couldn't be made:

  1. Network ACLs are configured such that they block either the outbound packets or inbound packets for the connection that is being attempted. Either one will prevent a successful TCP connection from sending data.
  2. EC2 Security group is configured to prevent outbound network traffic.
  3. The EC2 instance is using jumbo frames (large network MTU) but a server or router in the network doesn't support it and you block ICMP packets that would tell your EC2 instance to adjust its MTU. (Unlikely, but happened to me once)
Peter Dolberg
  • In my case the problem was that the EC2 instance in a public subnet needs to have a public IP in order to get internet connectivity. Without internet connectivity the init scripts were not working – Juanitocalero Jul 07 '20 at 11:22
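The "no SubnetRouteTableAssociation" cause from the answer above, shown as an added CloudFormation fragment (not code from the question or the answer): a route table with a default route to the VPC's internet gateway, explicitly associated with both of the question's subnets. The resource names VPC, PrivateSubnetOne and PrivateSubnetTwo are taken from the question; InternetGateway, AttachGateway, PublicRouteTable, DefaultRoute and the two association resources are assumed names for this example.

```yaml
  # Added example, not from the original post. Assumes the question's VPC,
  # PrivateSubnetOne and PrivateSubnetTwo resources exist in the same template.
  InternetGateway:
    Type: AWS::EC2::InternetGateway

  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  # Default route to the internet gateway. DependsOn is required because the
  # route cannot reference the gateway until it is attached to the VPC.
  DefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  # Without these two associations the subnets silently use the VPC's main
  # route table, which has no route to the gateway, so cfn-signal never
  # reaches CloudFormation and the CreationPolicy times out.
  SubnetOneRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetOne
      RouteTableId: !Ref PublicRouteTable

  SubnetTwoRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetTwo
      RouteTableId: !Ref PublicRouteTable
```

An internet-gateway route only works for instances that have a public IP, so the question's subnets would also need MapPublicIpOnLaunch: true (or the subnets stay private and route 0.0.0.0/0 to a NAT gateway placed in a public subnet instead). Instances given public IPs are directly reachable, so the security group and network ACLs should allow inbound traffic only from the load balancer and any administrative source you actually use.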