CODEWITHSUNDEEP
amazon-web-servicesaws-cloudformation
8675309
8675309

Reputation: 127

AWS CloudFormation Errors with Internet Gateway

CloudFormation beginner here. I've been researching and working on developing a CloudFormation template that will eventually be used as the starting point for a development environment for my team.

I've been picking at bits and pieces through some courses and examples online and have been relatively successful in my small attempt... Until tonight.

I am now trying to attach an Internet Gateway to my VPC and it is causing the Stack creation job to fail and rollback. The Internet Gateway will not attach and for the life of me I just cannot determine why.

My full template is here. The plan is to create a VPC with 2 public and 2 private subnets. There will be an Internet Gateway attached to the 2 public subnets. This is where the failure comes in. If I comment out the Internet Gateway creation, the template is successful. Thanks in advance for your help.

AWSTemplateFormatVersion: '2010-09-09'

Resources:
  DevVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
      InstanceTenancy: default
  Tags:
  - Key: Name
    Value: dev-vpc

  DevRoute53HostedZone:
    Type: "AWS::Route53::HostedZone"
    Properties:
      HostedZoneConfig:
        Comment: "aws hosted dev environment"
      Name: "mydomain.oregon-dev.local"
      VPCs:
        -
          VPCId: !Ref DevVPC
          VPCRegion: "us-west-2"

  DevPublicSubnetA:
Type: AWS::EC2::Subnet
Properties:
  VpcId: !Ref DevVPC
  CidrBlock: 10.0.8.0/25
  AvailabilityZone: "us-west-2a"
  Tags:
  - Key: Name
    Value: DevPublicSubnetA

  DevPublicSubnetB:
      Type: AWS::EC2::Subnet
      Properties:
        VpcId: !Ref DevVPC
        CidrBlock: 10.0.8.128/25
        AvailabilityZone: "us-west-2b"
        Tags:
        - Key: Name
          Value: DevPublicSubnetB

  DevPrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref DevVPC
      CidrBlock: 10.0.9.0/25
      AvailabilityZone: "us-west-2a"
      Tags:
      - Key: Name
        Value: DevPrivateSubnetA

  DevPrivateSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref DevVPC
      CidrBlock: 10.0.9.128/25
      AvailabilityZone: "us-west-2b"
      Tags:
      - Key: Name
        Value: DevPrivateSubnetB

  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: DevVPC
      Tags:
      - Key: Name
        Value: DevRouteTable

  DevRoute:
    Type: AWS::EC2::Route
    DependsOn: NonProdNATGateway
    Properties:
      RouteTableId:
        Ref: RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId:
        Ref: NonProdNATGateway

  NonProdNATEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  NonProdNATGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NonProdNATEIP.AllocationId
      SubnetId: !Ref DevPublicSubnetA
      SubnetId: !Ref DevPublicSubnetB
    DependsOn:
      - NonProdNATEIP
      - DevPublicSubnetA
      - DevPublicSubnetB

  NonProdGWVPCAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref NonProdNATGateway
      VpcId: !Ref DevVPC
    DependsOn:
      - NonProdNATGateway

  Route:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: RouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: NonProdNATGateway

  PrivateRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref DevPrivateSubnetA
      SubnetId: !Ref DevPrivateSubnetB

  PublicRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref DevPublicSubnetA
      SubnetId: !Ref DevPublicSubnetB

Mappings:
  R53EnvironmentMapping:
    dev:
      oregonawslocal: mydomain.oregon-dev.local

Outputs:

  DevPublicSubnetA:
    Description: ID for dev subnet A
    Value: !Ref DevPublicSubnetA
    Export:
      Name: DevPublicSubnetA

  DevPublicSubnetB:
    Description: ID for dev subnet B
    Value: !Ref DevPublicSubnetB
    Export:
      Name: DevPublicSubnetB

  DevPrivateSubnetA:
    Description: ID for dev subnet A
    Value: !Ref DevPrivateSubnetA
    Export:
       Name: DevPrivateSubnetA

  DevPrivateSubnetB:
    Description: ID for dev subnet B
    Value: !Ref DevPrivateSubnetB
    Export:
      Name: DevPrivateSubnetB

   DevRoute53OregonAWSLocalHostedZone:
    Description: Hosted zone ID for hosted zone
    Value: !Ref DevRoute53HostedZone
    Export:
      Name: DevRoute53OregonAWSLocalHostedZone

  DevRoute53OregonAWSLocalHostedZoneName:
    Description: Hosted zone name for hosted zone
     Value: !FindInMap [R53EnvironmentMapping, dev, oregonawslocal]
     Export:
       Name: DevRoute53OregonAWSLocalHostedZoneName

Upvotes: 0

Views: 2167

Answers (1)

wjordan
wjordan

Reputation: 20390

As Michael - sqlbot mentioned in a comment, one issue is that you're referencing an AWS::EC2::NATGateway resource in the AWS::EC2::VPCGatewayAttachment resource's InternetGatewayId property, which requires an AWS::EC2::InternetGateway resource.

NAT Gateways and Internet Gateways are two different types of AWS resources - a NAT Gateway provides outbound-only Internet access to a private Subnet, while an Internet Gateway provides two-way Internet access to a public Subnet.

Another issue is that you need two separate sets of AWS::EC2::RouteTable and AWS::EC2::Route Resources, one set for your public Subnet and another for your private Subnet. The public Route should have GatewayId referencing the Internet Gateway, and the private Route should have NatGatewayId referencing the NAT Gateway.

Finally, you have some invalid duplicate SubnetId properties in several resources (NatGateway, SubnetRouteTableAssociation)- each of these Resources only points accepts a single Subnet ID.

Since you're a CloudFormation beginner, I strongly recommend leveraging AWS Quick Start's Amazon VPC Architecture template to get started quickly with a reference VPC architecture. This AWS-supported template creates a single VPC containing both public and private subnets within each specified Availability Zone (you provide 2-4 Availability Zones as Parameters). You can later customize this template to better fit your specific needs if necessary, or use it as a reference for configuring your own template's resources.

Upvotes: 1

Related Questions