Tags: amazon-web-services, amazon-vpc, aws-application-load-balancer, pulumi, pulumi-typescript

How to create awsx.lb.ApplicationLoadBalancer in a non-default VPC?


I am trying to create a load balancer in some specific VPC, for example:

// imports and stackName are not in the original snippet; assumed to come from
// the usual Pulumi entry point
import * as pulumi from '@pulumi/pulumi'
import * as awsx from '@pulumi/awsx'

const stackName = pulumi.getStack()

export const vpc = new awsx.ec2.Vpc(
  `ls-vpc-${stackName}`,
  {
    numberOfAvailabilityZones: 2,
    cidrBlock: '10.0.0.0/16',
    subnetStrategy: 'Auto',
    subnetSpecs: [
      {
        type: awsx.ec2.SubnetType.Public,
        name: 'public',
        cidrMask: 24,
      },
      {
        type: awsx.ec2.SubnetType.Private,
        name: 'private',
        cidrMask: 24,
      },
    ],
    tags: {
      Name: `ls-vpc-${stackName}`,
      environment: stackName,
    },
  },
)

// assumed: the public subnet IDs are taken from the VPC created above
const publicSubnetIds = vpc.publicSubnetIds

const loadBalancer = new awsx.lb.ApplicationLoadBalancer(
  `ls-loadbalancer-${stackName}`,
  {
    subnetIds: publicSubnetIds, // commenting this out deploys, but into a default VPC
    // securityGroups: [lbSecurityGroup.id], // uncommenting this has no effect
    tags: {
      Name: `ls-loadbalancer-${stackName}`,
      environment: stackName,
    },
  },
)

When I run this, I am getting:

security groups: operation error Elastic Load Balancing v2: SetSecurityGroups, https response error StatusCode: 400
InvalidConfigurationRequest: One or more security groups are invalid: provider=aws@6.56.1

Any pointers as to what I have to do to stop getting this 400 error?


Solution

  • If your VPC for some reason changes, and the ALB doesn't get replaced, the ALB may receive the following error:

    "errorMessage": "One or more security groups are invalid",
    "requestParameters": {
        "loadBalancerArn": "arn:aws:elasticloadbalancing:XXXX:XXXXXX:loadbalancer/XXXXXX",
        "securityGroups": ["sg-XXXXXXXX"]
    }


    The error message is misleading. The reason for the error is that the new security group that is being added is not in the same VPC as the existing security group in the ALB. Specific to CDK and CloudFormation, this is a limitation of CloudFormation because it tries to add the security group to the ALB before the old one is removed.

    The way to fix this is to update the LogicalId of the Application Load Balancer by changing the id of the ALB to something else. This will force the ALB to be replaced and the security group will be added to the new ALB in the new VPC.

    In other words:

    Problem:

    1. There is a new VPC and security group being created, replacing the old VPC and security group
    2. The ALB is not being replaced
    3. The new security group, in the new VPC, is attempting to be added to the existing ALB (that already has one or more existing security groups associated with it from the old VPC that is being replaced)
    4. Error is thrown because you can't have two sets of security groups associated with two different VPCs in an ALB

    Solution:

    1. In CDK/CFN, change the LogicalId of the ALB so it gets recreated with the new VPC. This ensures that there is no existing security group associated with the existing ALB, and when the new ALB and new VPC are added, there's no conflict.
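A quick way to confirm the diagnosis above (both for the Pulumi program in the question and for the CDK case in the answer) before touching the stack is to compare the VPC of the load balancer with the VPC of every security group you intend to attach: a security group from any other VPC, including one the component created in the default VPC, is what produces the "One or more security groups are invalid" 400. The script below is an added example, not code from the question or the answer. It assumes the AWS CLI is configured for the right account and region; the load balancer name and security group ids on the command line are placeholders, and the live lookups only run when arguments are given. The comparison itself is a plain shell function over "sg-id:vpc-id" pairs, so it can also be run on values captured from CloudTrail or a describe call made elsewhere.

```shell
#!/bin/sh
# Added example: verify that every security group destined for an ALB lives in
# the ALB's own VPC. Not part of the original post; names below are placeholders.
set -eu

# Pure check. $1 = VPC id of the ALB, remaining args = "sg-id:vpc-id" pairs.
# Prints one MISMATCH line per security group in the wrong VPC and returns 1
# if any was found, 0 otherwise.
check_sg_vpcs() {
  alb_vpc=$1
  shift
  rc=0
  for pair in "$@"; do
    sg=${pair%%:*}
    vpc=${pair#*:}
    if [ "$vpc" != "$alb_vpc" ]; then
      printf 'MISMATCH %s is in %s, ALB is in %s\n' "$sg" "$vpc" "$alb_vpc"
      rc=1
    fi
  done
  return $rc
}

# VPC id of an existing ALB, looked up by its name (the AWS CLI must be configured).
alb_vpc_id() {
  aws elbv2 describe-load-balancers --names "$1" \
    --query 'LoadBalancers[0].VpcId' --output text
}

# "sg-id:vpc-id" pairs for the given security group ids.
sg_vpc_pairs() {
  aws ec2 describe-security-groups --group-ids "$@" \
    --query 'SecurityGroups[].[GroupId,VpcId]' --output text |
    awk '{ print $1 ":" $2 }'
}

# Usage: ./check_alb_sgs.sh <alb-name> <sg-id> [<sg-id> ...]
run_live() {
  alb_name=$1
  shift
  alb_vpc=$(alb_vpc_id "$alb_name")
  # word splitting on the newline-separated pairs is intended here
  check_sg_vpcs "$alb_vpc" $(sg_vpc_pairs "$@")
}

if [ "$#" -gt 0 ]; then
  run_live "$@"
fi
```

If the script reports a mismatch for a security group that a component created for you (rather than one you defined), the component was given no VPC to create it in and fell back to the default VPC; the fix is to create the group in the ALB's VPC yourself and pass it explicitly, or to give the component the VPC id, rather than to keep retrying SetSecurityGroups.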