Error on SecurityGroup adding a new rule to VPC Peering

0

I'm trying to connect two networks on AWS zones:

us-east-1 - CIDR - 172.30.0.0/16 - route table to CIDR - 172.31.0.0 - by peer id - OK

us-west-1 - CIDR - 172.31.0.0/16 - route table to CIDR - 172.30.0.0 - by peer id - OK

I've done all the steps as described at: https://docs.aws.amazon.com/vpc/latest/peering/working-with-vpc-peering.html

All the first steps have worked fine, including the route table, but when I tried to add the security group rules from the AWS CLI I got this error:

$ aws ec2 authorize-security-group-ingress --group-id sg-XXXXXXXXXXXXXX --protocol all --port all --source-group sg-YYYYYYYYYYYYY

An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: The security group 'sg-YYYYYYYYYYYYY' does not exist

Even when I tried to do the same from the AWS Console I couldn't, because the source Security Group ID is not available as a choice. I tried to type in the id, but it isn't recognized either.

So, I have checked and redid all the steps but the same problem still continues.

Additionally, I have suspected that something can be wrong at the routes tables, but both of sides have the route added to another side (network) correctly by the Peering ID.

Can someone share a trick with me?

Thank you!

Zatara
asked 3 years ago, 199 views
4 Answers
0

You didn't provide all the info, so I'm making an assumption:

Is the peering across accounts? If so, add --group-owner, where that is the account number owning the source-group sg id:
aws ec2 authorize-security-group-ingress --group-id sg-XXXXXXXXXXXXXX --protocol all --port all --source-group sg-YYYYYYYYYYYYY --group-owner 123456789012

answered 3 years ago
0

Thank you for your help, I've made progress with it. But now I get this error:

An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: The security group 'SG_YYYYYYYY' does not exist in default VPC 'vpc-xyxyxyx'

I've looked for a way to change the VPC in the 'aws ec2 authorize-security-group-ingress' command, but according to the manuals that option doesn't exist, and the mentioned VPC is not the default one, so the question is: is it only possible with the default VPC?

Order of my commands:

$ aws configure set region us-east-1 --profile MY_PROFILE   # my target region
$ aws ec2 authorize-security-group-ingress \
    --group-id sg-XXXXXXXXX \
    --protocol all \
    --port all \
    --source-group SG-XXXXXXXX \
    --group-owner yxyxyxyxyxyx
# sg-XXXXXXXXX is in my target region -> us-east-1
# SG-XXXXXXXX is in my source region -> us-west-1

An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: The security group 'SG-XXXXXXXX' does not exist in default VPC 'vpc-AbAbAbAb'

Both sides are under the same owner ID.

Thank you

Zatara
answered 3 years ago
0

Currently, you can't reference security groups if the vpc peering connections are cross-region.

You will have to use the CIDR block of the peer vpc instead.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-pg.pdf#invalid-peering-configurations
page 15

answered 3 years ago
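The two answers above together give the decision rule: a same-region peering can reference the peer security group (with --group-owner when the peer is in another account), while a cross-region peering cannot reference a group at all and must be scoped to the peer VPC's CIDR. The following script, an added example that is not part of this thread or of the AWS CLI, encodes that rule. It reads the JSON shape returned by `aws ec2 describe-vpc-peering-connections` (here a constructed sample with placeholder IDs, CIDRs and account numbers), classifies the peering, and emits the matching `authorize-security-group-ingress` command. It defaults to tcp/443 rather than "all/all" so the rule is no wider than the peered service needs; the function names, the placeholder values and the sample document are all assumptions of this example.

```python
"""
Plan the correct `authorize-security-group-ingress` call for a VPC peering
connection, choosing between a security-group reference and a CIDR rule.
"""
import json
import shlex

# Constructed sample in the shape of `aws ec2 describe-vpc-peering-connections`
# output. Every ID, CIDR and account number here is a placeholder, not real data.
SAMPLE_PEERING_JSON = json.dumps({
    "VpcPeeringConnections": [{
        "VpcPeeringConnectionId": "pcx-PLACEHOLDER",
        "Status": {"Code": "active"},
        "RequesterVpcInfo": {
            "OwnerId": "111111111111", "VpcId": "vpc-REQUESTER",
            "CidrBlock": "172.30.0.0/16", "Region": "us-east-1",
        },
        "AccepterVpcInfo": {
            "OwnerId": "111111111111", "VpcId": "vpc-ACCEPTER",
            "CidrBlock": "172.31.0.0/16", "Region": "us-west-1",
        },
    }]
})


def load_peering(describe_output: str, peering_id: str) -> dict:
    """Pick one connection out of describe-vpc-peering-connections JSON."""
    for pcx in json.loads(describe_output)["VpcPeeringConnections"]:
        if pcx["VpcPeeringConnectionId"] == peering_id:
            return pcx
    raise KeyError(f"peering connection {peering_id} not found")


def classify_peering(pcx: dict) -> dict:
    """Flags that decide which rule form the API will accept."""
    req, acc = pcx["RequesterVpcInfo"], pcx["AccepterVpcInfo"]
    return {
        "active": pcx["Status"]["Code"] == "active",
        "cross_region": req["Region"] != acc["Region"],
        "cross_account": req["OwnerId"] != acc["OwnerId"],
    }


def plan_ingress_rule(pcx, local_vpc_id, local_group_id, peer_group_id=None,
                      protocol="tcp", port=443):
    """Build the CLI argv for an ingress rule on the local side of a peering.

    Cross-region peerings cannot reference a security group in the peer VPC,
    so the rule is scoped to the peer VPC's CIDR instead. Same-region peerings
    keep the tighter security-group reference, adding --group-owner when the
    peer lives in another account.
    """
    req, acc = pcx["RequesterVpcInfo"], pcx["AccepterVpcInfo"]
    if local_vpc_id == req["VpcId"]:
        peer = acc
    elif local_vpc_id == acc["VpcId"]:
        peer = req
    else:
        raise ValueError(f"{local_vpc_id} is not a side of this peering")

    flags = classify_peering(pcx)
    if not flags["active"]:
        raise ValueError("peering connection is not active; accept it first")

    argv = ["aws", "ec2", "authorize-security-group-ingress",
            "--group-id", local_group_id,
            "--protocol", protocol, "--port", str(port)]
    if flags["cross_region"]:
        # Only the peer VPC's own CIDR, never 0.0.0.0/0, is allowed in.
        argv += ["--cidr", peer["CidrBlock"]]
        reason = "cross-region peering: use the peer VPC CIDR, not a group reference"
    else:
        if peer_group_id is None:
            raise ValueError("same-region peering: pass the peer security group id")
        argv += ["--source-group", peer_group_id]
        if flags["cross_account"]:
            argv += ["--group-owner", peer["OwnerId"]]
        reason = "same-region peering: reference the peer security group directly"
    return argv, reason


if __name__ == "__main__":
    pcx = load_peering(SAMPLE_PEERING_JSON, "pcx-PLACEHOLDER")
    argv, reason = plan_ingress_rule(pcx, "vpc-REQUESTER", "sg-LOCALPLACEHOLDER")
    print(reason)
    print(shlex.join(argv))
```

Run it as-is to see the cross-region case from the thread resolved to a `--cidr 172.31.0.0/16` rule; feeding it real `describe-vpc-peering-connections` output and the local VPC and group IDs gives the command for your own peering. Nothing here calls the API, so it can be dropped into a review step before any rule is applied.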
0

Thank you! It's working well!

Zatara
answered 3 years ago
