Hi,

We have ASEA with the GWLB pattern (third-party FW) as mentioned in the attached image, but with some modifications.

In the Perimeter Account we have 3 VPCs: the Perimeter and East-West VPCs, which are attached to the TGW, and the Inspection VPC, which hosts the FWs and the GWLB and is not attached to the TGW.

Actually we manage the FWs via Public IP.

We need to connect the third-party FWs with our on-premise Firewall Management Console via Direct Connect.

For this, I edited the config file to create these resources:

- New subnet (with RT) in the Inspection VPC that will be used for the TGW ENI (in the Perimeter Account section)
- New TGW route table that will be used by the Inspection VPC attachment (in the Shared_network Account section)

==> Execute State Machine ==> Successful and resources are created

- New attachment for the Inspection VPC with the new subnet and the new TGW RT.

==> Execute State Machine again ==> Phase1 failed with ASEA-DeployPrebuilt FAIL, with this error:

> PerimeterPhase1/VpcStackInspection.NestedStack/VpcStackInspection.NestedStackResource (VpcStackInspectionNestedStackVpcStackInspectionNestedStackResourceWSEDFGYH) Embedded stack arn:aws:cloudformation:ca-central-1:123456789:stack/ASEA-Perimeter-Phase1-VpcStackInspectionNestedStackVpcStackInspectionNestedStackResour-WERTYHGFDSAX/124e2014-4de3-11ee-a6fe-0253bddf2084 was not successfully updated. Currently in UPDATE_ROLLBACK_IN_PROGRESS with reason: The following resource(s) failed to create: [CustomModifyTransitGatewayAttachmentLambda24C8745E, InspectionTgwAttach1BCE47FE].

==> And when I sign in to the Perimeter Account to check the nested stack mentioned above, I have this error in the create Inspection Attach step:

> Resource handler returned message: "The request must include the SubnetIds parameter. Add the required parameter and retry the request. (Service: Ec2, Status Code: 400, Request ID: dfcddc25-e5s8-8s59-af8e-176ed10b3a59)" (RequestToken: 5db1hh8f-5482-1baa-222f-d535af8a458c, HandlerErrorCode: InvalidRequest)

--

Here is the Attach config that I added in the Inspection VPC section of the config file:

```json
"tgw-attach": {
  "associate-to-tgw": "Main",
  "account": "shared-network",
  "associate-type": "ATTACH",
  "tgw-rt-associate": ["New_TGW_RT"],
  "tgw-rt-propagate": [],
  "blackhole-route": false,
  "attach-subnets": ["new_subnet_RT"],
  "options": ["DNS-support"]
}
```

I duplicated the same Subnet and Attach configuration from another VPC to be sure, but I always have the same error.

Have you an idea please? Why can't the nested template find the SubnetIds that I already deployed?

Is there a Lambda or something else that I need to update so it finds the SubnetIds?
Thanks.
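A local pre-flight check for the situation in the post, added here as an example (it is not code from the post or from the ASEA project): it walks a VPC config block and reports which names in `attach-subnets` resolve to a subnet definition, which is what the attachment's SubnetIds are built from. The config layout it assumes (a `subnets` list with `name` and `definitions`, a `route-tables` list with `name`) and the sample values are constructed for the example.

```python
"""Cross-check the tgw-attach block of an ASEA-style VPC config before running
the state machine.  Assumption (not from the post): the VPC config carries a
"subnets" list whose entries have a "name" and per-AZ "definitions", and a
"route-tables" list whose entries have a "name"."""
import json

# Constructed sample mirroring the post: the tgw-attach block names
# "new_subnet_RT", which in this config is a route table, not a subnet.
VPC_CONFIG = json.loads("""
{
  "name": "Inspection",
  "route-tables": [ {"name": "new_subnet_RT", "routes": []} ],
  "subnets": [
    {"name": "tgw-eni", "definitions": [
      {"az": "a", "route-table": "new_subnet_RT", "cidr": "10.0.10.0/28"},
      {"az": "b", "route-table": "new_subnet_RT", "cidr": "10.0.10.16/28"}
    ]}
  ],
  "tgw-attach": {
    "associate-to-tgw": "Main",
    "account": "shared-network",
    "associate-type": "ATTACH",
    "tgw-rt-associate": ["New_TGW_RT"],
    "tgw-rt-propagate": [],
    "blackhole-route": false,
    "attach-subnets": ["new_subnet_RT"],
    "options": ["DNS-support"]
  }
}
""")


def resolve_attach_subnets(vpc):
    """Return (resolved_subnet_names, findings) for the VPC's tgw-attach block.

    Only names that match a subnet "name" can yield SubnetIds; anything else
    leaves the attachment with an empty list, which EC2 rejects with
    "The request must include the SubnetIds parameter".
    """
    subnet_names = {s["name"] for s in vpc.get("subnets", [])}
    rt_names = {r["name"] for r in vpc.get("route-tables", [])}
    resolved, findings = [], []
    for name in vpc.get("tgw-attach", {}).get("attach-subnets", []):
        if name in subnet_names:
            resolved.append(name)
        elif name in rt_names:
            findings.append(f"{name!r} is a route table, not a subnet")
        else:
            findings.append(f"{name!r} matches no subnet in VPC {vpc['name']!r}")
    if not resolved:
        findings.append("no subnets resolved: SubnetIds would be empty")
    return resolved, findings
```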