Allow every instance in the same Security Group to share any data between each other in CloudFormation JSON?
I am building CloudFormation JSON to define EC2 instances and a security group.
I need to create a security group that allows every instance in it to share any data with each other.
My JSON looks like this:
```json
"InternalSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "VpcId" : {"Ref" : "myVPC"},
    "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup" }
      }
    ],
    "SecurityGroupEgress" : [
      {
        "IpProtocol" : "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "DestinationSecurityGroupId" : { "Ref" : "InternalSecurityGroup" }
      }
    ]
  }
},
```
But this gives me the following error:
A client error (ValidationError) occurred when calling the CreateStack operation: Circular dependency between resources
To fix it, I changed the code to use CidrIp instead of SourceSecurityGroupId, defining the subnet the instances are in.
Is it possible to reference the same security group? What is the best (or correct) way to achieve what I want?
As described in the documentation, you can use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define self-referencing security group rules:
Important
If you want to cross-reference two security groups in the ingress and egress rules of those security groups, use the AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress resources to define your rules. Do not use the embedded ingress and egress rules in the AWS::EC2::SecurityGroup. If you do, it causes a circular dependency, which AWS CloudFormation doesn't allow.
The result looks like this:
```json
{
  "Resources": {
    "myVPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16"
      }
    },
    "InternalSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": {
          "Ref": "myVPC"
        },
        "GroupDescription": "Allow the machines in this group to share all kinds of traffic between each other"
      }
    },
    "InternalSecurityGroupIngress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "IpProtocol": "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "SourceSecurityGroupId": {
          "Ref": "InternalSecurityGroup"
        },
        "GroupId": {
          "Ref": "InternalSecurityGroup"
        }
      }
    },
    "InternalSecurityGroupEgress": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "IpProtocol": "-1",
        "FromPort": "-1",
        "ToPort": "-1",
        "DestinationSecurityGroupId": {
          "Ref": "InternalSecurityGroup"
        },
        "GroupId": {
          "Ref": "InternalSecurityGroup"
        }
      }
    }
  }
}
```
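An added example, not part of either answer and not an AWS tool: a small Python linter that builds a template's Ref/Fn::GetAtt/DependsOn dependency graph, reports one dependency cycle if there is one (the condition behind the "Circular dependency between resources" error), and lists ingress/egress rules embedded in an AWS::EC2::SecurityGroup that reference another security group in the same stack, which is the pattern the documentation says to move into standalone SecurityGroupIngress/SecurityGroupEgress resources. The three templates are constructed here to mirror the question's self-referencing group, the standalone-resource fix above, and a two-group cross-reference; the helper names (`dependency_graph`, `find_cycle`, `embedded_sg_refs`, `lint`) are assumptions of this example.

```python
import json
from typing import Any, Iterator, Optional

def iter_refs(node: Any) -> Iterator[str]:
    """Yield every logical id referenced through Ref or Fn::GetAtt below `node`."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        getatt = node.get("Fn::GetAtt")
        if isinstance(getatt, list) and getatt and isinstance(getatt[0], str):
            yield getatt[0]
        for value in node.values():
            yield from iter_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_refs(item)

def dependency_graph(template: dict) -> dict:
    """Logical id -> set of stack resources it depends on; Refs to parameters are dropped."""
    resources = template.get("Resources", {})
    graph = {}
    for name, body in resources.items():
        deps = set(iter_refs(body.get("Properties", {})))
        depends_on = body.get("DependsOn", [])
        deps.update([depends_on] if isinstance(depends_on, str) else depends_on)
        graph[name] = {d for d in deps if d in resources}
    return graph

def find_cycle(graph: dict) -> Optional[list]:
    """Return one dependency cycle as a list of ids (first == last), or None."""
    white, gray, black = 0, 1, 2
    color = {n: white for n in graph}
    path: list = []

    def visit(node: str) -> Optional[list]:
        color[node] = gray
        path.append(node)
        for dep in sorted(graph[node]):
            if color[dep] == gray:  # back edge to a node still on the current path
                return path[path.index(dep):] + [dep]
            if color[dep] == white:
                found = visit(dep)
                if found:
                    return found
        path.pop()
        color[node] = black
        return None

    for start in sorted(graph):
        if color[start] == white and (found := visit(start)):
            return found
    return None

def embedded_sg_refs(template: dict) -> list:
    """(group, referenced_group) pairs for rules embedded in an AWS::EC2::SecurityGroup
    that Ref a SecurityGroup in the same stack. A one-way reference is legal, so this
    list is advisory; find_cycle() is the hard check CloudFormation itself enforces."""
    resources = template.get("Resources", {})
    groups = {n for n, r in resources.items() if r.get("Type") == "AWS::EC2::SecurityGroup"}
    findings = set()
    for name in groups:
        props = resources[name].get("Properties", {})
        rules = props.get("SecurityGroupIngress", []) + props.get("SecurityGroupEgress", [])
        findings.update((name, ref) for ref in iter_refs(rules) if ref in groups)
    return sorted(findings)

def lint(template: dict) -> dict:
    return {"cycle": find_cycle(dependency_graph(template)),
            "embedded_sg_refs": embedded_sg_refs(template)}

# Constructed templates that mirror the thread; not real deployed stacks.
VPC = {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}}

def security_group(**extra: Any) -> dict:
    props = {"VpcId": {"Ref": "myVPC"}, "GroupDescription": "intra-group traffic"}
    props.update(extra)
    return {"Type": "AWS::EC2::SecurityGroup", "Properties": props}

def all_traffic_from(group: str) -> dict:
    # IpProtocol -1 means every protocol and port, as in the question's template.
    return {"IpProtocol": "-1", "SourceSecurityGroupId": {"Ref": group}}

# 1. The question: the rule sits inside the group and refers to the group itself.
SELF_EMBEDDED = {"Resources": {"myVPC": VPC, "InternalSecurityGroup": security_group(
    SecurityGroupIngress=[all_traffic_from("InternalSecurityGroup")])}}
# 2. The answer's fix: the rule is a standalone AWS::EC2::SecurityGroupIngress resource.
STANDALONE = {"Resources": {"myVPC": VPC, "InternalSecurityGroup": security_group(),
    "InternalSecurityGroupIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "InternalSecurityGroup"}, **all_traffic_from("InternalSecurityGroup")}}}}
# 3. Two groups whose embedded rules point at each other.
CROSS_EMBEDDED = {"Resources": {"myVPC": VPC,
    "InternalSecurityGroup1": security_group(SecurityGroupIngress=[all_traffic_from("InternalSecurityGroup2")]),
    "InternalSecurityGroup2": security_group(SecurityGroupIngress=[all_traffic_from("InternalSecurityGroup1")])}}

if __name__ == "__main__":
    for label, tpl in [("self-embedded", SELF_EMBEDDED), ("standalone", STANDALONE), ("cross-embedded", CROSS_EMBEDDED)]:
        print(label, json.dumps(lint(tpl)))
```

Running the script prints a cycle for the self-referencing and cross-referencing templates and `null` for the standalone one, which is the same verdict CloudFormation reaches at CreateStack time, only before anything is deployed. The graph walk is generic: it catches any Ref/GetAtt/DependsOn cycle in a template, not just the security-group case. Note that neither check says anything about how permissive the rule is; IpProtocol -1 between group members is the behaviour the question asks for, and a review of whether that is wanted is a separate step.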
Define two security groups; this should work a bit better:
```json
"InternalSecurityGroup1" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "VpcId" : {"Ref" : "myVPC"},
    "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
    "SecurityGroupIngress" : [ {
      "IpProtocol" : "-1",
      "FromPort": "-1",
      "ToPort": "-1",
      "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup2" }
    }
    ]
  }
},
"InternalSecurityGroup2" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "VpcId" : {"Ref" : "myVPC"},
    "GroupDescription" : "Allow the machines in this group to share all kinds of traffic between each other",
    "SecurityGroupIngress" : [ {
      "IpProtocol" : "-1",
      "FromPort": "-1",
      "ToPort": "-1",
      "SourceSecurityGroupId" : { "Ref" : "InternalSecurityGroup1" }
    }
    ]
  }
}
```