Error on SecurityGroup adding a new rule to VPC Peering

0

I'm trying to connect two networks on AWS zones:

us-east-1 - CIDR - 172.30.0.0/16 - route table to CIDR - 172.31.0.0 - by peer id - OK

us-west-1 - CIDR - 172.31.0.0/16 - route table to CIDR - 172.30.0.0 - by peer id - OK

I've done all the steps as described at: https://docs.aws.amazon.com/vpc/latest/peering/working-with-vpc-peering.html

All the first steps have worked fine, including the route table, but when I've tried to add the security group rules from the AWS CLI I've got this error:

$ aws ec2 authorize-security-group-ingress --group-id sg-XXXXXXXXXXXXXX --protocol all --port all --source-group sg-YYYYYYYYYYYYY

An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: The security group 'sg-YYYYYYYYYYYYY' does not exist

Even when I've tried to do the same from the AWS Console I can't, because the source Security Group ID is not offered as a choice. I tried to input the ID, but it's not recognized either.

So, I have checked and redid all the steps but the same problem still continues.

Additionally, I have suspected that something could be wrong in the route tables, but both sides have the route to the other side (network) added correctly by the Peering ID.

Can someone share a trick with me?

Thank you!

Zatara
asked 3 years ago, 195 views
4 Answers
0

You didn't provide all the info, so I'm making an assumption:

Is the peering across accounts? If so, add --group-owner, where the value is the account number that owns the source-group sg id:
aws ec2 authorize-security-group-ingress --group-id sg-XXXXXXXXXXXXXX --protocol all --port all --source-group sg-YYYYYYYYYYYYY --group-owner 123456789012

answered 3 years ago
0

Thank you for your help, I've made progress with it. But now I get this error:

An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: The security group 'SG_YYYYYYYY' does not exist in default VPC 'vpc-xyxyxyx'

I've checked whether I can change the VPC in the 'aws ec2 authorize-security-group-ingress' command, but according to the manuals that option doesn't exist, and the mentioned VPC is not the default one, so the question is: is it only possible for the default VPC?

Order of my commands:

# set my target region (no trailing period after the profile name, or a profile named "MY_PROFILE." is created)
$ aws configure set region us-east-1 --profile MY_PROFILE

# --group-id is the group in my target region -> us-east-1
# --source-group is the group in my source region -> us-west-1
# (comments can't follow the line-continuation backslash, so they are listed here instead)
$ aws ec2 authorize-security-group-ingress \
    --group-id sg-XXXXXXXXX \
    --protocol all \
    --port all \
    --source-group SG-XXXXXXXX \
    --group-owner yxyxyxyxyxyx

An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: The security group 'SG-XXXXXXXX' does not exist in default VPC 'vpc-AbAbAbAb'

Both sides are under the same owner ID.

Thank you

Zatara
answered 3 years ago
0

Currently, you can't reference security groups if the vpc peering connections are cross-region.

You will have to use the CIDR block of the peer vpc instead.
https://docs.aws.amazon.com/vpc/latest/peering/vpc-pg.pdf#invalid-peering-configurations
page 15

answered 3 years ago
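The two answers above describe two different constraints on the same API call: a cross-account peer needs the owner account ID alongside the source group, and a cross-region peer cannot reference a security group at all and must use the peer VPC's CIDR. The following is an added example, not code from the question or the answers, that encodes both constraints as a pre-flight check and builds the `--ip-permissions` JSON the CLI accepts. It assumes the caller knows both regions and the peer account ID; the security-group IDs, regions and CIDRs in the test are constructed placeholders. It also defaults to a single TCP port rather than the `--protocol all --port all` used in the thread, since a peering rule only needs the ports the peer actually talks to.

```python
import ipaddress
import json
import re

# EC2 issues security-group IDs as lowercase "sg-" followed by hex digits.
SG_ID_RE = re.compile(r"^sg-[0-9a-f]{8,17}$")


def build_ingress_permission(source, local_region, peer_region,
                             protocol="tcp", from_port=443, to_port=None,
                             peer_account_id=None, description=""):
    """Return one IpPermissions entry for an ingress rule over a VPC peering.

    source is either a CIDR block ("172.31.0.0/16") or a security-group ID.
    Raises ValueError for rules EC2 would reject, so the mistake is caught
    before the API call rather than as an InvalidGroup.NotFound error.
    """
    if protocol == "-1":
        # "-1" is the API spelling of "all protocols"; ports are not allowed then.
        perm = {"IpProtocol": "-1"}
    else:
        perm = {"IpProtocol": protocol,
                "FromPort": from_port,
                "ToPort": from_port if to_port is None else to_port}

    if SG_ID_RE.match(source):
        # Security-group references only work when both VPCs are in one region.
        if local_region != peer_region:
            raise ValueError(
                "cross-region peering cannot reference a security group; "
                "use the peer VPC CIDR block instead")
        pair = {"GroupId": source}
        # A group in another account must be qualified with its owner ID.
        if peer_account_id is not None:
            pair["UserId"] = peer_account_id
        if description:
            pair["Description"] = description
        perm["UserIdGroupPairs"] = [pair]
    else:
        # strict=True rejects host bits in the prefix (e.g. 172.31.0.5/16) and junk.
        net = ipaddress.ip_network(source, strict=True)
        rng = {"CidrIp": str(net)}
        if description:
            rng["Description"] = description
        perm["IpRanges"] = [rng]
    return perm


def render_cli(group_id, perm):
    """Render the equivalent aws CLI invocation (single-quoted JSON for a POSIX shell)."""
    return ("aws ec2 authorize-security-group-ingress --group-id %s "
            "--ip-permissions '%s'" % (group_id, json.dumps([perm])))


if __name__ == "__main__":
    # Constructed values: the cross-region case from the thread, fixed to use the peer CIDR.
    rule = build_ingress_permission("172.31.0.0/16", "us-east-1", "us-west-1",
                                    description="peer VPC in us-west-1")
    print(render_cli("sg-0123456789abcdef0", rule))
```

Because the check runs locally, the cross-region mistake surfaces as a clear ValueError instead of the misleading "does not exist in default VPC" message, and the rendered command can be reviewed before anything is changed in the account.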
0

Thank you! It's working well!

Zatara
answered 3 years ago
