CloudFormation: how to use a prefix list as a source?


I did this

aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing

I obtained

{
    "PrefixLists": [
        {
            "PrefixListId": "pl-a3a144ca",
            "AddressFamily": "IPv4",
            "State": "create-complete",
            "PrefixListArn": "arn:aws:ec2:eu-central-1:aws:prefix-list/pl-a3a144ca",
            "PrefixListName": "com.amazonaws.global.cloudfront.origin-facing",
            "Tags": [],
            "OwnerId": "AWS"
        }
    ]
}

So I tried to add a rule to allow my ALB to receive traffic from CloudFront

  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName}-LB-SG"
      VpcId: !ImportValue 'Test-Ipv6-VPC'
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIpv6: ::/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: ::/0
        # allow traffic from CloudFront
        #  aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourcePrefixListId: pl-a3a144ca

But I get this

Resource handler returned message: "The prefix list ID 'pl-a3a144ca' does not exist

I am deploying to Milan (eu-south-1) region.

what am I doing wrong?

asked 2 months ago, 414 views

3 Answers

Accepted answer

You have found the CloudFront prefix list from the Frankfurt region =)

aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing --region eu-central-1

{
    "PrefixLists": [
        {
            "PrefixListId": "pl-a3a144ca",
            "AddressFamily": "IPv4",
            "State": "create-complete",
            "PrefixListArn": "arn:aws:ec2:eu-central-1:aws:prefix-list/pl-a3a144ca",
            "PrefixListName": "com.amazonaws.global.cloudfront.origin-facing",
            "Tags": [],
            "OwnerId": "AWS"
        }
    ]
}

Milan is different

    eu-south-1:
      PrefixList: pl-1bbc5972
EXPERT, answered 2 months ago (reviewed by A_J, Artem and iBehr)
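The three answers make the same point: the managed prefix list ID for com.amazonaws.global.cloudfront.origin-facing is region-specific, so it has to be looked up in the region the stack is deployed to. The script below is an added example, not code from the original post or from AWS. It resolves the ID with the same describe-managed-prefix-lists call the question used, but pinned to the target region, refuses an ID whose PrefixListArn names a different region (the exact mistake in the question), and passes the ID to CloudFormation as a parameter instead of hard-coding it. The template file name alb-sg.yaml, the stack name cf-alb-sg and the template parameter CloudFrontPrefixListId (used as `SourcePrefixListId: !Ref CloudFrontPrefixListId`) are assumptions for the example; the embedded sample JSON is the Frankfurt output quoted in the question.

```shell
#!/bin/sh
# Added example, not from the original post or from AWS: look the CloudFront
# origin-facing prefix list up in the SAME region the stack goes to, reject an
# ID whose ARN names another region, and hand the ID to CloudFormation as a
# parameter. Assumed (hypothetical) names: template alb-sg.yaml, stack
# cf-alb-sg, template parameter CloudFrontPrefixListId referenced as
#   SourcePrefixListId: !Ref CloudFrontPrefixListId
set -eu

PL_NAME="com.amazonaws.global.cloudfront.origin-facing"
TEMPLATE="${TEMPLATE:-alb-sg.yaml}"   # assumed file name
STACK="${STACK:-cf-alb-sg}"           # assumed stack name

# Constructed sample: the describe-managed-prefix-lists output quoted in the
# question, which came from eu-central-1 because no --region was given.
SAMPLE_FRANKFURT_JSON='{
    "PrefixLists": [
        {
            "PrefixListId": "pl-a3a144ca",
            "AddressFamily": "IPv4",
            "State": "create-complete",
            "PrefixListArn": "arn:aws:ec2:eu-central-1:aws:prefix-list/pl-a3a144ca",
            "PrefixListName": "com.amazonaws.global.cloudfront.origin-facing",
            "OwnerId": "AWS"
        }
    ]
}'

# prefix_list_id_for_region REGION JSON
# Prints the PrefixListId from JSON only if the PrefixListArn in that JSON
# names REGION; otherwise prints nothing and returns 1. Parsing uses sed so
# the check needs nothing beyond the CLI itself.
prefix_list_id_for_region() {
    region="$1"
    json="$2"
    pl_id=$(printf '%s\n' "$json" |
        sed -n 's/.*"PrefixListId": *"\(pl-[0-9a-f]*\)".*/\1/p' | head -n 1)
    arn_region=$(printf '%s\n' "$json" |
        sed -n 's/.*"PrefixListArn": *"arn:aws:ec2:\([a-z0-9-]*\):aws:prefix-list\/.*/\1/p' | head -n 1)
    [ -n "$pl_id" ] || return 1
    [ "$arn_region" = "$region" ] || return 1
    printf '%s\n' "$pl_id"
}

# lookup_prefix_list REGION
# Live query: the command from the question, pinned to REGION with --region.
lookup_prefix_list() {
    region="$1"
    json=$(aws ec2 describe-managed-prefix-lists --region "$region" \
        --filters "Name=prefix-list-name,Values=$PL_NAME" --output json)
    prefix_list_id_for_region "$region" "$json"
}

# deploy REGION
# Resolves the ID in REGION and deploys the stack there with the ID as a parameter.
deploy() {
    region="$1"
    pl_id=$(lookup_prefix_list "$region") || {
        echo "no $PL_NAME prefix list found in $region" >&2
        return 1
    }
    aws cloudformation deploy --region "$region" \
        --template-file "$TEMPLATE" --stack-name "$STACK" \
        --parameter-overrides "CloudFrontPrefixListId=$pl_id"
}

# Offline demonstration with the sample: the Frankfurt ID is accepted for
# eu-central-1 and rejected for eu-south-1, which is the error in the question.
if [ "${1:-}" = "deploy" ]; then
    deploy "${2:-eu-south-1}"
else
    prefix_list_id_for_region eu-central-1 "$SAMPLE_FRANKFURT_JSON"   # pl-a3a144ca
    if prefix_list_id_for_region eu-south-1 "$SAMPLE_FRANKFURT_JSON"; then
        echo "unexpected: Frankfurt ID accepted for eu-south-1" >&2
        exit 1
    fi
    echo "pl-a3a144ca is not valid in eu-south-1; look it up there instead"
fi
```

Run it with no arguments for the offline check, or `sh resolve-pl.sh deploy eu-south-1` to look the ID up in Milan and deploy. A Mappings section keyed on AWS::Region, as the fragment in the accepted answer suggests, also works, but it has to list every region the stack will ever be deployed to, whereas the lookup at deploy time cannot go stale. Two caveats on the posted template: the 0.0.0.0/0 and ::/0 rules on ports 80 and 443 remain, so the prefix-list rule restricts nothing until those are removed, and the output shows the list is IPv4 only (AddressFamily IPv4), so an IPv6 rule is a separate path to close.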

The prefix list is in eu-central-1 (Frankfurt, Germany) and the security group is in eu-south-1 (Milan, Italy), as you said.

You have to use the equivalent prefix list in eu-south-1.

EXPERT Leo K, answered 2 months ago

Hello,

Adding the --region option to the command gets the correct prefix list ID for the Milan region:

aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing --region eu-south-1

EXPERT, answered 2 months ago
