AWS VPC DB Security Group
By: Josh

The other day I was working with a client on a CloudFormation template that placed RDS instances inside a VPC. When the stack tried to create the DB security group resource, it failed with an error like the following:
STACK_EVENT CloudFormationName DBSecurityGroupName AWS::RDS::DBSecurityGroup 2012-12-17T22:30:20Z CREATE_FAILED Please see the documentation for authorizing DBSecurityGroup ingress. For VPC, EC2SecurityGroupName and EC2SecurityGroupOwner must be omitted. To authorize only the source address of this request (and no other address), pass xx.xx.xx.xx/32 as the CIDRIP parameter.
It turns out that beyond needing a DB subnet group, I also had to change how I create DB security groups inside the VPC. In a VPC, an AWS::RDS::DBSecurityGroup ingress entry cannot reference an EC2 security group by name and owner (the EC2SecurityGroupName and EC2SecurityGroupOwner properties named in the error); each entry must carry a CIDRIP instead. I solved the problem by giving each ingress entry a CIDRIP covering one of the two private subnets that hold the application servers (the ranges below stand in for the real subnet CIDR blocks; each octet must be 0-255 or the resource is rejected):

    "DBSecurityGroupName": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "EC2VpcId": { "Ref": "VpcName" },
        "DBSecurityGroupIngress": [
          { "CIDRIP": "10.1.201.0/24" },
          { "CIDRIP": "10.1.202.0/24" }
        ],
        "GroupDescription": "Application Server Access"
      }
    },

Two caveats are worth keeping in mind. A CIDR entry admits every host in that range, not only the application servers, so keep the ranges as tight as the subnet layout allows; the /32 the error message suggests is the single-host extreme. And DB security groups are the EC2-Classic mechanism: for instances in a VPC, the usual approach is an AWS::EC2::SecurityGroup attached through the DB instance's VPCSecurityGroups property, which lets you reference the application servers' own security group rather than their address ranges.
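Because CloudFormation only reports this problem at CREATE_FAILED time, it is worth catching before deployment. The lint below is an added example, not code from the original post or from AWS: it loads a constructed template fragment modelled on the resource above (with a deliberately bad second CIDR, 10.1.301.0/24, so the check has something to find) and enforces the two rules the error message states for VPC DB security groups, plus two checks a reviewer would add: each CIDRIP must parse as an IPv4 network, and it must not be 0.0.0.0/0. The resource and property names are the real CloudFormation ones; the template content and the function names are assumptions for illustration.

```python
"""Pre-deploy lint for AWS::RDS::DBSecurityGroup resources used inside a VPC.

Added example (not from the original post). For a group with EC2VpcId set,
every ingress entry must use CIDRIP and must not carry EC2SecurityGroupName
or EC2SecurityGroupOwnerId; every CIDRIP must be a valid IPv4 network and
must not open the database to 0.0.0.0/0.
"""
import ipaddress
import json

# Constructed template fragment modelled on the post's resource (not the
# post's own template). The second CIDR is deliberately invalid: an octet
# of 301 is out of range, so the lint should flag it.
TEMPLATE_JSON = """
{
  "Resources": {
    "VpcName": {
      "Type": "AWS::EC2::VPC",
      "Properties": {"CidrBlock": "10.1.0.0/16"}
    },
    "DBSecurityGroupName": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "EC2VpcId": {"Ref": "VpcName"},
        "DBSecurityGroupIngress": [
          {"CIDRIP": "10.1.201.0/24"},
          {"CIDRIP": "10.1.301.0/24"}
        ],
        "GroupDescription": "Application Server Access"
      }
    }
  }
}
"""

# Properties the CREATE_FAILED message says must be omitted for VPC groups.
FORBIDDEN_IN_VPC = ("EC2SecurityGroupName", "EC2SecurityGroupOwnerId")


def lint_db_security_groups(template):
    """Return a list of (resource_name, message) findings; empty means clean."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::RDS::DBSecurityGroup":
            continue
        props = res.get("Properties", {})
        in_vpc = "EC2VpcId" in props
        for i, rule in enumerate(props.get("DBSecurityGroupIngress", [])):
            where = f"DBSecurityGroupIngress[{i}]"
            if in_vpc:
                for key in FORBIDDEN_IN_VPC:
                    if key in rule:
                        findings.append((name, f"{where}: {key} must be omitted for VPC"))
                if "CIDRIP" not in rule:
                    findings.append((name, f"{where}: VPC rules must use CIDRIP"))
            cidr = rule.get("CIDRIP")
            if not isinstance(cidr, str):
                # Missing, or an intrinsic function such as {"Ref": ...} that
                # cannot be resolved statically; nothing more to check here.
                continue
            try:
                net = ipaddress.IPv4Network(cidr, strict=False)
            except ValueError:
                findings.append((name, f"{where}: {cidr!r} is not a valid IPv4 CIDR"))
                continue
            if net.prefixlen == 0:
                findings.append((name, f"{where}: {cidr} opens the DB to the whole Internet"))
    return findings


def lint_json(text):
    """Convenience wrapper: lint a JSON template given as a string."""
    return lint_db_security_groups(json.loads(text))


def fixed_template():
    """The constructed fragment with the bad octet corrected, for a clean run."""
    t = json.loads(TEMPLATE_JSON)
    rules = t["Resources"]["DBSecurityGroupName"]["Properties"]["DBSecurityGroupIngress"]
    rules[1]["CIDRIP"] = "10.1.202.0/24"  # placeholder for the real second subnet
    return t


if __name__ == "__main__":
    for res, msg in lint_json(TEMPLATE_JSON):
        print(f"{res}: {msg}")
    print("fixed template findings:", lint_db_security_groups(fixed_template()))
```

Run against the constructed fragment it reports the single bad CIDR; against the corrected copy it reports nothing. Hooking a check like this into the template's CI step turns a CREATE_FAILED (and the rollback that follows) into a failed build.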
The examples on the official docs page did not help with this issue; I copied them and they failed for this particular scenario, and I ended up experimenting until I got the resource to create.
Cool, thanks