CloudFormation: how to use a prefix list as source?

0

I did this

aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing

I obtained

{
    "PrefixLists": [
        {
            "PrefixListId": "pl-a3a144ca",
            "AddressFamily": "IPv4",
            "State": "create-complete",
            "PrefixListArn": "arn:aws:ec2:eu-central-1:aws:prefix-list/pl-a3a144ca",
            "PrefixListName": "com.amazonaws.global.cloudfront.origin-facing",
            "Tags": [],
            "OwnerId": "AWS"
        }
    ]
}

So I tried to add a rule to allow my ALB to receive traffic from CloudFront

  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName}-LB-SG"
      VpcId: !ImportValue 'Test-Ipv6-VPC'
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIpv6: ::/0
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: ::/0
        # allow traffic from CloudFront
        #  aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourcePrefixListId: pl-a3a144ca

But I get this

Resource handler returned message: "The prefix list ID 'pl-a3a144ca' does not exist

I am deploying to Milan (eu-south-1) region.

What am I doing wrong?

3 answers
3
Accepted answer

You have found the CloudFront prefix list from the Frankfurt region =)

aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing --region eu-central-1

{
    "PrefixLists": [
        {
            "PrefixListId": "pl-a3a144ca",
            "AddressFamily": "IPv4",
            "State": "create-complete",
            "PrefixListArn": "arn:aws:ec2:eu-central-1:aws:prefix-list/pl-a3a144ca",
            "PrefixListName": "com.amazonaws.global.cloudfront.origin-facing",
            "Tags": [],
            "OwnerId": "AWS"
        }
    ]
}

Milan is different:

    eu-south-1:
      PrefixList: pl-1bbc5972
EXPERT
answered a month ago
EXPERT A_J verified 24 days ago
EXPERT Artem verified a month ago
AWS EXPERT iBehr verified a month ago
1

The prefix list is in eu-central-1 (Frankfurt, Germany) and the security group is in eu-south-1 (Milan, Italy), as you said.

You have to use the equivalent prefix list in eu-south-1.

EXPERT Leo K
answered a month ago
1

Hello,

Adding the region option to the command would get the correct prefix list ID for the Milan region:

aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing --region eu-south-1

EXPERT
answered a month ago
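As an added example (not code from the question or from any of the answers), this is the check that both the accepted answer and the `--region` answer imply: parse the `describe-managed-prefix-lists` output, read the region out of the `PrefixListArn`, and only emit the `SecurityGroupIngress` entry when that region matches the region you deploy to. `SAMPLE_DESCRIBE_OUTPUT` is the question's pasted output embedded as constructed sample data, and the function names are my own.

```python
import json
import re

# Constructed sample: the describe-managed-prefix-lists output pasted in the
# question, embedded so the check runs offline without AWS credentials.
SAMPLE_DESCRIBE_OUTPUT = """{
    "PrefixLists": [
        {
            "PrefixListId": "pl-a3a144ca",
            "AddressFamily": "IPv4",
            "State": "create-complete",
            "PrefixListArn": "arn:aws:ec2:eu-central-1:aws:prefix-list/pl-a3a144ca",
            "PrefixListName": "com.amazonaws.global.cloudfront.origin-facing",
            "Tags": [],
            "OwnerId": "AWS"
        }
    ]
}"""

CLOUDFRONT_ORIGIN_FACING = "com.amazonaws.global.cloudfront.origin-facing"
# ARN layout: arn:partition:ec2:region:aws:prefix-list/pl-xxxx; the region
# field tells you which region's ID you are actually holding.
ARN_RE = re.compile(r"^arn:[^:]+:ec2:([^:]+):aws:prefix-list/(pl-[0-9a-f]+)$")


def region_of_prefix_list(entry: dict) -> str:
    """Return the region encoded in a managed prefix list's ARN."""
    m = ARN_RE.match(entry["PrefixListArn"])
    if not m:
        raise ValueError(f"unexpected prefix list ARN: {entry['PrefixListArn']}")
    return m.group(1)


def cloudfront_ingress_rule(describe_json: str, deploy_region: str, port: int = 443) -> dict:
    """SecurityGroupIngress entry for the CloudFront origin-facing list.
    Raises when the list belongs to another region, the mismatch CloudFormation
    reports as "The prefix list ID ... does not exist".
    """
    lists = json.loads(describe_json)["PrefixLists"]
    match = [pl for pl in lists if pl["PrefixListName"] == CLOUDFRONT_ORIGIN_FACING]
    if len(match) != 1:
        raise LookupError(f"expected one {CLOUDFRONT_ORIGIN_FACING} list, got {len(match)}")
    pl = match[0]
    pl_region = region_of_prefix_list(pl)
    if pl_region != deploy_region:
        raise ValueError(f"{pl['PrefixListId']} belongs to {pl_region}, not {deploy_region}; "
                         f"rerun describe-managed-prefix-lists with --region {deploy_region}")
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "SourcePrefixListId": pl["PrefixListId"]}
```

The security group in the question also opens 443 and 80 to 0.0.0.0/0 and ::/0, so the prefix-list rule only restricts the ALB to CloudFront origin traffic once those open rules are removed.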
