
I have a CloudFormation stack that I create through Jenkins in various Regions. I have a Chef server in one Region with a separate security group. I need new instances created via CloudFormation to register/be created and add themselves to the Chef SG in us-west-1 regardless of their region.

Is this feasible?

Edit: I need to do this via the CloudFormation script as opposed to other methods, for a multitude of reasons that are lengthy/convoluted.

Edit2: For clarity, I don't want the instance to be part of the SG, but rather for the EIP of the new instance to be added as an ingress rule in the SG.

2 Answers


EC2/VPC security groups are region-bound.

From AWS Docs

If you're using EC2-Classic, you must use security groups created specifically for EC2-Classic. When you launch an instance in EC2-Classic, you must specify a security group in the same region as the instance. You can't specify a security group that you created for a VPC when you launch an instance in EC2-Classic. 

It is feasible.

What you want is to have a security group in a security group. It works exactly how it sounds.

1) Create security groups called SG-CLIENT and SG-INGRESS

2) For your CHEF instance, tag it with the SG-INGRESS security group. In the SG-INGRESS security group, add a rule to enable access to CHEF ports, using a source of 'SG-CLIENT'

3) Using the CloudFormation template/script, tag any new instances with the SG-CLIENT security group.

Refer to the picture here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#adding-security-group-rule for an example of security groups used in rules.

Refer to https://s3.amazonaws.com/cloudformation-templates-us-east-1/EC2InstanceWithSecurityGroupSample.template for registration of an instance in a security group through a CloudFormation template.

Note: the API documentation seems to hint toward allowing someone else's security group to be used as the source, by specifying 'account ID/security group name'. This should be helpful if you try doing this across regions. Info: http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-AuthorizeSecurityGroupIngress.html

  • This is a very neat idea but doesn't seem to work between regions. Commented Jan 17, 2014 at 18:49
  • Between regions, I would simply do it with a configuration management system & deployment scripts automatically assigning IP to security group through EC2 API. Commented Jan 19, 2014 at 22:15
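What the last comment describes, carried through as an added example that is not part of the original question or answers: since neither a security group nor the "SG-in-SG" rule can cross regions (answer 1 and the first comment above), a script run from the new instance's UserData, or by the Jenkins job once the stack is up, looks the instance's public IP up in its own region and authorises it as a /32 rule on the Chef SG in us-west-1 through the EC2 API. It assumes boto3 is installed where it runs, that the calling identity holds ec2:DescribeInstances in the instance's region plus ec2:DescribeSecurityGroups, ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress on the Chef SG, and that Chef listens on TCP 443 (CHEF_PORT, a hypothetical value). The FakeEC2 class, the instance IDs and the addresses are constructed so the example runs offline.

```python
"""Register a new instance's public IP on the Chef SG in us-west-1 from any region.

Added example (not from the question or answers); see the lead-in for the IAM
permissions and the boto3/port assumptions it makes."""

CHEF_REGION = "us-west-1"
CHEF_PORT = 443  # hypothetical Chef server port, adjust to your setup


def ip_permission(ip, port, proto="tcp"):
    """One IpPermissions entry granting a single host access to one port."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": f"{ip}/32", "Description": "chef client"}]}


def rule_present(sg, ip, port, proto="tcp"):
    """True if the DescribeSecurityGroups record already holds ip/32 for port."""
    cidr = f"{ip}/32"
    return any(
        p.get("IpProtocol") == proto and p.get("FromPort") == port == p.get("ToPort")
        and any(r.get("CidrIp") == cidr for r in p.get("IpRanges", []))
        for p in sg.get("IpPermissions", []))


def public_ip_of(ec2, instance_id):
    """Public (EIP or auto-assigned) address of the instance, from its own region."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    if not inst.get("PublicIpAddress"):
        raise RuntimeError(f"{instance_id} has no public address yet")
    return inst["PublicIpAddress"]


def authorize(ec2_chef, sg_id, ip, port=CHEF_PORT):
    """Add ip/32 to the Chef SG unless it is already there, so re-runs are no-ops."""
    sg = ec2_chef.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    if rule_present(sg, ip, port):
        return False
    ec2_chef.authorize_security_group_ingress(
        GroupId=sg_id, IpPermissions=[ip_permission(ip, port)])
    return True


def revoke(ec2_chef, sg_id, ip, port=CHEF_PORT):
    """Remove ip/32 on termination so stale /32 rules (reassigned IPs) don't linger."""
    sg = ec2_chef.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    if not rule_present(sg, ip, port):
        return False
    ec2_chef.revoke_security_group_ingress(
        GroupId=sg_id, IpPermissions=[ip_permission(ip, port)])
    return True


def register(instance_id, instance_region, sg_id, client_factory=None):
    """Look the instance up in its region, then authorise it in us-west-1."""
    if client_factory is None:  # real AWS: one EC2 client per region
        import boto3

        def client_factory(region):
            return boto3.client("ec2", region_name=region)
    ip = public_ip_of(client_factory(instance_region), instance_id)
    return ip, authorize(client_factory(CHEF_REGION), sg_id, ip)


class FakeEC2:
    """In-memory stand-in for the four EC2 calls used above (constructed test double)."""

    def __init__(self, instances=None, groups=None):
        self.instances, self.groups = instances or {}, groups or {}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.groups[g] for g in GroupIds]}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.groups[GroupId].setdefault("IpPermissions", []).extend(IpPermissions)
        return {"Return": True}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        perms = self.groups[GroupId]["IpPermissions"]
        self.groups[GroupId]["IpPermissions"] = [p for p in perms if p not in IpPermissions]
        return {"Return": True}


def demo():
    """Stacks in two regions register into one Chef SG; a re-run is a no-op and
    revoke() removes a rule. IDs and addresses are constructed sample data."""
    chef = FakeEC2(groups={"sg-0chef": {"GroupId": "sg-0chef", "IpPermissions": []}})
    regions = {
        "eu-west-1": FakeEC2(instances={"i-0aaa": {"PublicIpAddress": "203.0.113.10"}}),
        "us-east-1": FakeEC2(instances={"i-0bbb": {"PublicIpAddress": "198.51.100.7"}}),
        CHEF_REGION: chef,
    }
    results = [register("i-0aaa", "eu-west-1", "sg-0chef", regions.__getitem__),
               register("i-0bbb", "us-east-1", "sg-0chef", regions.__getitem__),
               register("i-0aaa", "eu-west-1", "sg-0chef", regions.__getitem__)]
    removed = revoke(chef, "sg-0chef", "203.0.113.10")
    return results, removed, chef.groups["sg-0chef"]["IpPermissions"]
```

Scope the IAM policy for whatever runs this (instance profile or the Jenkins role) to the one Chef security group's ARN rather than granting ec2:AuthorizeSecurityGroupIngress on every group, and wire revoke() into the stack's deletion path so /32 entries for addresses that have since been handed to other customers do not stay open. authorize() checks before writing, but two stacks registering the same address at the same moment can still race; the loser then receives InvalidPermission.Duplicate from EC2, which is safe to treat as success.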
