I am trying to create a load balancer in some specific VPC, for example:
    import * as pulumi from '@pulumi/pulumi'
    import * as awsx from '@pulumi/awsx'

    // Not shown in the original snippet; assumed to be the Pulumi stack name.
    const stackName = pulumi.getStack()

    export const vpc = new awsx.ec2.Vpc(
      `ls-vpc-${stackName}`,
      {
        numberOfAvailabilityZones: 2,
        cidrBlock: '10.0.0.0/16',
        subnetStrategy: 'Auto',
        subnetSpecs: [
          {
            type: awsx.ec2.SubnetType.Public,
            name: 'public',
            cidrMask: 24,
          },
          {
            type: awsx.ec2.SubnetType.Private,
            name: 'private',
            cidrMask: 24,
          },
        ],
        tags: {
          Name: `ls-vpc-${stackName}`,
          environment: stackName,
        },
      },
    )

    // Not shown in the original snippet; assumed to be the public subnets of the VPC above.
    const publicSubnetIds = vpc.publicSubnetIds

    const loadBalancer = new awsx.lb.ApplicationLoadBalancer(
      `ls-loadbalancer-${stackName}`,
      {
        subnetIds: publicSubnetIds, // commenting this out deploys, but into a default VPC
        // securityGroups: [lbSecurityGroup.id], // uncommenting this has no effect
        tags: {
          Name: `ls-loadbalancer-${stackName}`,
          environment: stackName,
        },
      },
    )
When I run this, I am getting:
    security groups: operation error Elastic Load Balancing v2: SetSecurityGroups, https response error StatusCode: 400
    InvalidConfigurationRequest: One or more security groups are invalid: provider=aws@6.56.1
Any pointers as to what I have to do to stop getting this 400 error?
If your VPC for some reason changes, and the ALB doesn't get replaced, the ALB may receive the following error:
    "errorMessage": "One or more security groups are invalid",
    "requestParameters": {
        "loadBalancerArn": "arn:aws:elasticloadbalancing:XXXX:XXXXXX:loadbalancer/XXXXXX",
        "securityGroups": ["sg-XXXXXXXX"]
    }
The error message is misleading. The reason for the error is that the new security group that is being added is not in the same VPC as the existing security group in the ALB. Specific to CDK and CloudFormation, this is a limitation of the Cfn because it tries to add the security group to the ALB before the old one is removed.
The way to fix this is to update the LogicalId of the Application Load Balancer by changing the id of the ALB to something else. This will force the ALB to be replaced and the security group will be added to the new ALB in the new VPC.
In other words:
Problem:
Solution:
LogicalId of the ALB so it gets recreated with the new VPC. This ensures that there is no existing security group associated with the existing ALB, and when the new ALB and new VPC are added, there's no conflict.
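The rule the answer describes (every security group attached to an ALB must live in the same VPC as the ALB's subnets) is easy to check before a deploy, and doing so turns the generic 400 into a concrete diagnosis. The following is an added example, not code from the question, the answer, Pulumi or AWS. It is a plain TypeScript preflight check over data in the shape of `describe-subnets` and `describe-security-groups` results; the VPC, subnet and security-group IDs are constructed sample values, and the scenario reproduces the stale-security-group case from the answer.

```typescript
// Added example: preflight validation of ALB placement.
// Rule: the ALB's VPC is the VPC of its subnets; each attached security group
// must belong to that same VPC. All IDs below are constructed, not real resources.

interface Subnet { subnetId: string; vpcId: string; availabilityZone: string }
interface SecurityGroup { groupId: string; vpcId: string }
interface AlbSpec { name: string; subnetIds: string[]; securityGroupIds: string[] }

interface Finding {
  kind: "unknown-subnet" | "subnet-vpc-mismatch" | "too-few-azs" | "unknown-sg" | "sg-vpc-mismatch";
  id: string;
  detail: string;
}

// Returns an empty array when the placement is consistent, otherwise one finding per
// problem, so the caller sees the real cause instead of the API's generic message.
function validateAlbPlacement(alb: AlbSpec, subnets: Subnet[], groups: SecurityGroup[]): Finding[] {
  const findings: Finding[] = [];
  const subnetById = new Map<string, Subnet>(subnets.map((s) => [s.subnetId, s] as [string, Subnet]));
  const groupById = new Map<string, SecurityGroup>(groups.map((g) => [g.groupId, g] as [string, SecurityGroup]));

  // The ALB's VPC is taken from the first subnet that resolves.
  let albVpcId: string | undefined;
  const zones = new Set<string>();
  for (const subnetId of alb.subnetIds) {
    const subnet = subnetById.get(subnetId);
    if (!subnet) {
      findings.push({ kind: "unknown-subnet", id: subnetId, detail: `subnet ${subnetId} not found` });
      continue;
    }
    zones.add(subnet.availabilityZone);
    if (albVpcId === undefined) {
      albVpcId = subnet.vpcId;
    } else if (subnet.vpcId !== albVpcId) {
      findings.push({ kind: "subnet-vpc-mismatch", id: subnetId,
        detail: `subnet ${subnetId} is in ${subnet.vpcId}, ALB is in ${albVpcId}` });
    }
  }
  // An ALB needs subnets in at least two Availability Zones.
  if (zones.size < 2) {
    findings.push({ kind: "too-few-azs", id: alb.name, detail: `only ${zones.size} AZ(s) covered` });
  }

  for (const groupId of alb.securityGroupIds) {
    const group = groupById.get(groupId);
    if (!group) {
      findings.push({ kind: "unknown-sg", id: groupId, detail: `security group ${groupId} not found` });
    } else if (albVpcId !== undefined && group.vpcId !== albVpcId) {
      findings.push({ kind: "sg-vpc-mismatch", id: groupId,
        detail: `security group ${groupId} is in ${group.vpcId}, ALB is in ${albVpcId}` });
    }
  }
  return findings;
}

// Constructed scenario from the answer: the VPC was replaced (vpc-new) but the ALB
// still references the security group that was created in the old VPC (vpc-old).
const sampleSubnets: Subnet[] = [
  { subnetId: "subnet-new-a", vpcId: "vpc-new", availabilityZone: "us-east-1a" },
  { subnetId: "subnet-new-b", vpcId: "vpc-new", availabilityZone: "us-east-1b" },
];
const sampleGroups: SecurityGroup[] = [
  { groupId: "sg-old", vpcId: "vpc-old" },
  { groupId: "sg-new", vpcId: "vpc-new" },
];

function staleSecurityGroupScenario(): Finding[] {
  return validateAlbPlacement(
    { name: "ls-loadbalancer-dev", subnetIds: ["subnet-new-a", "subnet-new-b"], securityGroupIds: ["sg-old"] },
    sampleSubnets, sampleGroups);
}

function correctedScenario(): Finding[] {
  return validateAlbPlacement(
    { name: "ls-loadbalancer-dev", subnetIds: ["subnet-new-a", "subnet-new-b"], securityGroupIds: ["sg-new"] },
    sampleSubnets, sampleGroups);
}

for (const f of staleSecurityGroupScenario()) {
  console.log(`${f.kind}: ${f.detail}`);
}
```

Run against real account data, the two arrays would be filled from `describe-subnets` and `describe-security-groups` for the target region; the check is deliberately offline so it can sit in a pre-deploy step or a unit test. Any `sg-vpc-mismatch` finding is the condition the answer describes, and the fix is the one given there: create the security group in the same VPC as the ALB's subnets, or force the ALB to be replaced along with the VPC.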