15

I am creating a basic AWS CloudFormation template with one VPC, 3 security groups and 5 EC2 instances. My security group looks something like this -

```json
{
  "WebApplicationServerSG": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "VpcId": {
        "Ref": "DevVpc"
      },
      "GroupDescription": "Enable HTTP, HTTPS and SSH access",
      "Tags": [
        {
          "Key": "Name",
          "Value": "WebApplicationServer Service Group"
        }
      ],
      "SecurityGroupIngress": [
        {
          "IpProtocol": "tcp",
          "FromPort": "443",
          "ToPort": "443",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "80",
          "ToPort": "80",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "22",
          "ToPort": "22",
          "CidrIp": "0.0.0.0/0"
        }
      ],
      "SecurityGroupEgress": [
        {
          "IpProtocol": "tcp",
          "FromPort": "443",
          "ToPort": "443",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "80",
          "ToPort": "80",
          "CidrIp": "0.0.0.0/0"
        },
        {
          "IpProtocol": "tcp",
          "FromPort": "22",
          "ToPort": "22",
          "CidrIp": "0.0.0.0/0"
        }
      ]
    },
    "Metadata": {
      "AWS::CloudFormation::Designer": {
        "id": "a7977f00-48d6-488f-9e23-9bcd0785d399"
      }
    }
  }
}
```

And the VPC is something like below -

```json
{
  "DevVpc": {
    "Type": "AWS::EC2::VPC",
    "Properties": {
      "CidrBlock": "172.31.0.0/16",
      "EnableDnsSupport": "false",
      "EnableDnsHostnames": "false",
      "InstanceTenancy": "dedicated",
      "Tags": [
        {
          "Key": "Name",
          "Value": "DevStackVpc"
        }
      ]
    }
  }
}
```

I am getting an error while creating the stack with the template -

```
Security group sg-31f91b5a and subnet subnet-ea0aa3a7 belong to different networks.

11:13:01 UTC+0550   CREATE_FAILED   AWS::EC2::Instance  WebApplicationServer    Security group sg-5147a53a and subnet subnet-ea0aa3a7 belong to different networks.
```

And here is a gist for the complete template; any help would really be appreciated.

Jeet

  • Where is your VPC subnet defined? – Matt Houser Jan 14 '18 at 19:35
  • And how are you associating your EC2 instance with the security group and subnet? – Matt Houser Jan 14 '18 at 19:35
  • Most likely the problem is in the subnet definition; the full template would be useful to say for sure. And don't use visual editors if you want to have full control over your code :) – Putnik Jan 14 '18 at 21:42
  • Have updated the original question with the Gist for the complete template. – Jeet Jan 15 '18 at 02:56
  • [**Do not post images of code or errors!**](https://meta.stackoverflow.com/q/303812/995714) – Rob Jan 15 '18 at 03:02
  • @Rob Thanks for pointing that out; I will remove the screenshot. It makes perfect sense not to post screenshots. Thanks again. – Jeet Jan 15 '18 at 05:39
  • I don't see any subnets declared in your template. You will probably find, if you cross-reference the subnet-id in the error, that it's coming from your [Default VPC](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html) in the region, rather than the VPC in this stack, and your instances are going there instead of here. – Michael - sqlbot Jan 15 '18 at 05:39
  • @Michael-sqlbot May I request you to provide a sample if you can. Thanks for the pointer. – Jeet Jan 15 '18 at 05:40
  • AFAIK, you need to create [EC2 subnets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html) and then you need to declare a logical collection of two or more of those subnets as RDS [subnet groups](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbsubnet-group.html) for RDS instances. – Michael - sqlbot Jan 15 '18 at 05:45
  • Here I have documented the troubleshooting steps - https://jhooq.com/terraform-security-group-with-different-subnet/ – Rahul Wagh Apr 27 '23 at 19:32

3 Answers

20

If anyone using Terraform got here: I had a similar error message, and what ended up happening was the following:

```hcl
variable "name" {}

locals {
  vpc_id    = "..."
  subnet_id = "..."
}

resource "aws_instance" "web" {
  ami                         = "ami-09def150731bdbcc2"
  instance_type               = "t3.micro"
  vpc_security_group_ids      = ["${aws_security_group.allow_http.id}"]

  user_data = <<-EOF
    #!/bin/bash
    sudo amazon-linux-extras install nginx1.12 -y
    sudo nginx
  EOF

  tags {
    Name = "${var.name}"
  }
}

resource "aws_security_group" "allow_http" {
  description = "Allow inbound HTTP traffic for ${var.name} instance"
  vpc_id      = "${local.vpc_id}"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The subnet I was deploying into didn't have auto-assign public IPs enabled. As such, I updated the aws_instance to include subnet_id and associate_public_ip_address:

```hcl
resource "aws_instance" "web" {
  ami                         = "ami-09def150731bdbcc2"
  instance_type               = "t3.micro"
  subnet_id                   = "${local.subnet_id}"
  vpc_security_group_ids      = ["${aws_security_group.allow_http.id}"]
  associate_public_ip_address = true

  user_data = <<-EOF
    #!/bin/bash
    sudo amazon-linux-extras install nginx1.12 -y
    sudo nginx
  EOF

  tags {
    Name = "${var.name}"
  }
}
```

After which, everything worked.

timothyclifford

  • Here I have documented the troubleshooting steps - https://jhooq.com/terraform-security-group-with-different-subnet – Rahul Wagh Apr 27 '23 at 19:32
15

I got the above problem resolved by the pointers provided in the comments. The relation between subnet, VPC, security groups and EC2 instance is as below -

1. The 1st thing which gets, and should be, created is the VPC.
2. 2nd is the Subnet; here you mention the VpcId you created earlier.
3. 3rd you create the security groups; here you mention the VpcId you created earlier as well.
4. 4th, there is a property NetworkInterfaces where you provide SubnetId and GroupSet, which is an array of security group ids. This is where you define the relation between the security group, VPC and subnet, and this is what solved the problem.

Below is the sample template which actually worked -

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "DevServerKeyPair": {
      "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName",
      "ConstraintDescription": "Must be the name of an existing EC2 KeyPair."
    }
  },
  "Resources": {
    "DevVpc": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "172.31.0.0/16",
        "EnableDnsSupport": "false",
        "EnableDnsHostnames": "false",
        "InstanceTenancy": "dedicated",
        "Tags": [
          {
            "Key": "Name",
            "Value": "DevStackVpc"
          }
        ]
      }
    },
    "DevSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": {
          "Ref": "DevVpc"
        },
        "CidrBlock": "172.31.0.0/16",
        "AvailabilityZone": {
          "Fn::Select": [
            0,
            {
              "Fn::GetAZs": ""
            }
          ]
        }
      }
    },
    "WebApplicationServerSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": {
          "Ref": "DevVpc"
        },
        "GroupDescription": "Enable HTTP, HTTPS and SSH access",
        "Tags": [
          {
            "Key": "Name",
            "Value": "WebApplicationServer Service Group"
          }
        ],
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": "443",
            "ToPort": "443",
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": "80",
            "ToPort": "80",
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": "22",
            "ToPort": "22",
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": "443",
            "ToPort": "443",
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": "80",
            "ToPort": "80",
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": "22",
            "ToPort": "22",
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "WebApplicationServer": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-f3e5aa9c",
        "InstanceType": "t2.micro",
        "Tags": [
          {
            "Key": "Name",
            "Value": "WebApplicationServer"
          }
        ],
        "KeyName": {
          "Ref": "DevServerKeyPair"
        },
        "NetworkInterfaces": [
          {
            "SubnetId": { "Ref": "DevSubnet" },
            "AssociatePublicIpAddress": "true",
            "DeviceIndex": "0",
            "GroupSet": [{ "Ref": "WebApplicationServerSG" }]
          }
        ]
      }
    }
  }
}
```

Hope it helps someone looking into a similar problem.

Jeet

  • // , Your clear explanation of the relationships has helped me, Jeet. Thanks for following up on this. – Nathan Basanese Jun 03 '21 at 00:31
  • Helpful. I added an AWS::EC2::NetworkInterface and then referenced it in the NetworkInterfaceId property of the NetworkInterfaces property of the AWS::EC2::Instance resource. Make sure to delete the SecurityGroupIds and AssociatePublicIpAddress properties. – abk Aug 11 '21 at 01:20
  • I was missing this part: "// security groups here you mention the VpcId". Now I add VpcId in the security group and it's working. Thanks Jeet. – Kamran Jan 25 '23 at 09:49
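Both answers above come down to the same mistake: an instance, a subnet or a security group whose VPC is left implicit ends up in the region's default VPC while the rest of the stack is in DevVpc, and EC2 rejects the combination at launch. That is cheap to catch before `create-stack` runs. The script below is an added example, not code from the question or from either answer: it walks a CloudFormation template's `Resources`, resolves `Ref` links, and reports an instance with no `SubnetId`, a security group with no `VpcId`, a subnet and security group that resolve to different VPCs, and a subnet `CidrBlock` that does not fit inside its VPC. The `SAMPLE_TEMPLATE` is constructed for the example (the accepted answer's layout plus deliberately broken resources); `lint_template` and the helper names are this example's own. Literal `sg-`/`subnet-` ids and other intrinsics are skipped, since they cannot be resolved offline.

```python
import ipaddress
import json

# Constructed sample template (not the question's gist): the accepted answer's
# layout plus deliberately broken resources so that every check below fires once.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DevVpc": {"Type": "AWS::EC2::VPC",
                   "Properties": {"CidrBlock": "172.31.0.0/16"}},
        "OtherVpc": {"Type": "AWS::EC2::VPC",
                     "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "DevSubnet": {"Type": "AWS::EC2::Subnet",
                      "Properties": {"VpcId": {"Ref": "DevVpc"},
                                     "CidrBlock": "172.31.0.0/24"}},
        "BadSubnet": {"Type": "AWS::EC2::Subnet",
                      "Properties": {"VpcId": {"Ref": "DevVpc"},
                                     "CidrBlock": "192.168.0.0/24"}},
        "WebSG": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"VpcId": {"Ref": "DevVpc"},
                                 "GroupDescription": "web"}},
        "OtherSG": {"Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"VpcId": {"Ref": "OtherVpc"},
                                   "GroupDescription": "other"}},
        "NoVpcSG": {"Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"GroupDescription": "no VpcId: lands in default VPC"}},
        "GoodServer": {"Type": "AWS::EC2::Instance",
                       "Properties": {"NetworkInterfaces": [
                           {"DeviceIndex": "0", "SubnetId": {"Ref": "DevSubnet"},
                            "GroupSet": [{"Ref": "WebSG"}]}]}},
        "MismatchedServer": {"Type": "AWS::EC2::Instance",
                             "Properties": {"NetworkInterfaces": [
                                 {"DeviceIndex": "0", "SubnetId": {"Ref": "DevSubnet"},
                                  "GroupSet": [{"Ref": "OtherSG"}]}]}},
        "OrphanServer": {"Type": "AWS::EC2::Instance",
                         "Properties": {"SecurityGroupIds": [{"Ref": "NoVpcSG"}]}},
    },
})


def ref_target(value):
    """Logical id behind a {"Ref": "..."} intrinsic, or None for anything else
    (literal sg-/subnet- ids and other intrinsics cannot be resolved offline)."""
    if isinstance(value, dict) and list(value) == ["Ref"]:
        return value["Ref"]
    return None


def vpc_of(resources, logical_id):
    """Logical id of the VPC that a subnet or security group declares via VpcId."""
    props = resources.get(logical_id, {}).get("Properties", {})
    return ref_target(props.get("VpcId"))


def instance_attachments(props):
    """Yield (subnet_ref, [sg_refs]) for both ways an instance can be wired:
    the NetworkInterfaces list, or top-level SubnetId + SecurityGroupIds."""
    if "NetworkInterfaces" in props:
        for eni in props["NetworkInterfaces"]:
            yield (ref_target(eni.get("SubnetId")),
                   [ref_target(g) for g in eni.get("GroupSet", [])])
    else:
        yield (ref_target(props.get("SubnetId")),
               [ref_target(g) for g in props.get("SecurityGroupIds", [])])


def lint_template(template_text):
    """Return a list of findings; an empty list means every instance's subnet and
    security groups resolve to the same in-stack VPC and every subnet CIDR fits."""
    resources = json.loads(template_text).get("Resources", {})
    findings = []

    for name, res in resources.items():
        props = res.get("Properties", {})

        if res.get("Type") == "AWS::EC2::Subnet":
            vpc = vpc_of(resources, name)
            vpc_cidr = resources.get(vpc, {}).get("Properties", {}).get("CidrBlock")
            if vpc_cidr and not ipaddress.ip_network(props["CidrBlock"]).subnet_of(
                    ipaddress.ip_network(vpc_cidr)):
                findings.append(f"{name}: CidrBlock {props['CidrBlock']} is not inside "
                                f"{vpc}'s {vpc_cidr}")

        if res.get("Type") != "AWS::EC2::Instance":
            continue
        for subnet_ref, sg_refs in instance_attachments(props):
            subnet_vpc = vpc_of(resources, subnet_ref) if subnet_ref else None
            if subnet_ref is None:
                # Same failure as the question: EC2 picks a default-VPC subnet.
                findings.append(f"{name}: no SubnetId in this stack, so EC2 places it "
                                "in the default VPC")
            for sg_ref in sg_refs:
                if sg_ref is None:
                    continue
                sg_vpc = vpc_of(resources, sg_ref)
                if sg_vpc is None:
                    findings.append(f"{sg_ref}: security group has no VpcId, so it is "
                                    "created in the default VPC")
                elif subnet_vpc and sg_vpc != subnet_vpc:
                    findings.append(f"{name}: subnet {subnet_ref} is in {subnet_vpc} but "
                                    f"security group {sg_ref} is in {sg_vpc}")
    return findings


if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run against the constructed sample it reports four findings (BadSubnet's CIDR, MismatchedServer's VPC mismatch, OrphanServer's missing SubnetId and NoVpcSG's missing VpcId) and nothing for GoodServer, which is wired exactly like the accepted answer's WebApplicationServer. Feed it `json.load`ed template text from your own stack to get the same "belong to different networks" answer before CloudFormation does.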
3

The problem is with the security group you are trying to use! When you create one with a template, it uses the default VPC. In the CloudFormation template where you create a security group, you need to specify the VpcId that you would like to use (non-default); that will solve the problem. Or you can manually create a new security group using the (non-default) VPC, and then run new instances.