AWS Cloudformation – can’t add multiple subnet associations to a public routing table

Tags: amazon-cloudformation, amazon-web-services

We have a VPC with an Internet Gateway. We have 3 subnets (one in each AZ) and want to use one routing table for all three. This RT contains a rule to route 0.0.0.0/0 to the igw; however, when we try to associate more than one subnet with this RT the stack creation fails on creating the routing rule, giving the following error message:

route table rtb-xxxxxxx and network gateway igw-xxxxx belong to different networks.

This is weird because the igw isn't attached to a subnet, it's attached to the VPC itself.

What I have to do to get the template working is to only have 1 subnet association with the RT and then update the stack afterwards with the other two.

I've tried adding 2 Wait Conditions, one tied to the creation of the RT and the other to the creation of the routing rule; however, they don't fix the problem – I still get the same error on the same damn rule 🙁

Can anyone shed some light on what I need to do to fix this issue?

Best Answer

As @Marcus explained in his response to his own question, it is the lack of the DependsOn attribute when you create an AWS::EC2::Route entry where you specify a Gateway.

For route entries that specify a gateway, you must specify a dependency on the gateway attachment resource.

Having received the same error and scratched my head as to how this failed when the IGW is attached to the VPC, it was a simple change in the AWS::EC2::Route declaration.

Failing CFN:

"VPC" : {
    "Type" : "AWS::EC2::VPC",
    "Properties" : {"CidrBlock" : "10.1.0.0/16"}
},
"InternetGateway" : {
    "Type" : "AWS::EC2::InternetGateway"
},
"InternetGatewayAttachment" : {
    "Type" : "AWS::EC2::VPCGatewayAttachment",
    "Properties" : {
        "VpcId" : {"Ref" : "VPC"},
        "InternetGatewayId" : {"Ref" : "InternetGateway"}
    }
},
"ManagementRouteTable" : {
    "Type" : "AWS::EC2::RouteTable",
    "Properties" : {
        "VpcId" : {"Ref" : "VPC"}
    }
},
"NATDefaultRoute" : {
    "Type" : "AWS::EC2::Route",
    "Properties" : {
        "RouteTableId" : {"Ref" : "ManagementRouteTable"},
        "DestinationCidrBlock" : "0.0.0.0/0",
        "GatewayId" : {"Ref" : "InternetGateway"}
    }
}

Working CFN:

"VPC" : {
    "Type" : "AWS::EC2::VPC",
    "Properties" : {"CidrBlock" : "10.1.0.0/16"}
},
"InternetGateway" : {
    "Type" : "AWS::EC2::InternetGateway"
},
"InternetGatewayAttachment" : {
    "Type" : "AWS::EC2::VPCGatewayAttachment",
    "Properties" : {
        "VpcId" : {"Ref" : "VPC"},
        "InternetGatewayId" : {"Ref" : "InternetGateway"}
    }
},
"ManagementRouteTable" : {
    "Type" : "AWS::EC2::RouteTable",
    "Properties" : {
        "VpcId" : {"Ref" : "VPC"}
    }
},
"NATDefaultRoute" : {
    "DependsOn" : "InternetGatewayAttachment",
    "Type" : "AWS::EC2::Route",
    "Properties" : {
        "RouteTableId" : {"Ref" : "ManagementRouteTable"},
        "DestinationCidrBlock" : "0.0.0.0/0",
        "GatewayId" : {"Ref" : "InternetGateway"}
    }
}
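As an added check, not code from the original post or from AWS: a small Python linter that flags AWS::EC2::Route resources whose GatewayId references a gateway without a DependsOn on the AWS::EC2::VPCGatewayAttachment that attaches it, and that can insert the missing dependency. It goes slightly beyond the answer by also covering VpnGatewayId attachments and both the string and list forms of DependsOn; the embedded sample template is constructed to mirror the "Failing CFN" fragment above.

```python
# Added example, not code from the original post: lint a CloudFormation template for
# AWS::EC2::Route resources that target a gateway without DependsOn on its attachment.
import copy
ATTACH_KEYS = ("InternetGatewayId", "VpnGatewayId")  # VPCGatewayAttachment props

def _ref(value):  # logical id behind {"Ref": ...}; None for literals like "igw-1234"
    return value["Ref"] if isinstance(value, dict) and set(value) == {"Ref"} else None

def _depends_on(resource):  # DependsOn may be a string or a list
    dep = resource.get("DependsOn", [])
    return [dep] if isinstance(dep, str) else list(dep)

def find_missing_gateway_deps(template):
    """(route, gateway, attachment) per Route whose GatewayId refs a gateway but
    lacks DependsOn on its attachment; attachment is None if never attached."""
    resources = template.get("Resources", {})
    attachments = {  # gateway logical id -> AWS::EC2::VPCGatewayAttachment logical id
        _ref(res["Properties"][key]): name for name, res in resources.items()
        if res.get("Type") == "AWS::EC2::VPCGatewayAttachment"
        for key in ATTACH_KEYS if _ref(res.get("Properties", {}).get(key))}
    problems = []
    for name, res in resources.items():
        gw = _ref(res.get("Properties", {}).get("GatewayId"))
        if res.get("Type") != "AWS::EC2::Route" or gw is None:
            continue  # NAT gateway, instance or ENI targets need no attachment
        attachment = attachments.get(gw)
        if attachment is None or attachment not in _depends_on(res):
            problems.append((name, gw, attachment))
    return problems

def add_gateway_deps(template):  # copy in which each flagged route depends on its attachment
    fixed = copy.deepcopy(template)
    for route, _gw, attachment in find_missing_gateway_deps(fixed):
        if attachment is not None:  # unattached gateway: nothing to depend on
            res = fixed["Resources"][route]
            res["DependsOn"] = sorted(set(_depends_on(res)) | {attachment})
    return fixed

FAILING_TEMPLATE = {"Resources": {  # constructed; mirrors the "Failing CFN" above
    "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.1.0.0/16"}},
    "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
    "InternetGatewayAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
        "VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "InternetGateway"}}},
    "ManagementRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "NATDefaultRoute": {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": {"Ref": "ManagementRouteTable"}, "DestinationCidrBlock": "0.0.0.0/0",
        "GatewayId": {"Ref": "InternetGateway"}}}}}

if __name__ == "__main__":
    print(find_missing_gateway_deps(FAILING_TEMPLATE))  # [('NATDefaultRoute', 'InternetGateway', 'InternetGatewayAttachment')]
```

Run it against a template loaded with json.load to get the list of offending routes; the repaired copy from add_gateway_deps is what the "Working CFN" above shows.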