AWS cfn-signal not working in private subnets

I am writing a CloudFormation template for web service instances with Auto Scaling and an Elastic Load Balancer. My plan is to place the ELB in a public subnet and the instances in private subnets behind the load balancer. My private subnets are fully restricted, without any NAT Gateway. SSH access is also enabled through the ELB.

In the CloudFormation script I’ve also written a “Creation Policy” to receive a signal from the EC2 instance before the stack proceeds, with a timeout value of 15 minutes.

    "CreationPolicy" : {
        "ResourceSignal" : {
            "Timeout" : "PT15M",
            "Count" : "1"
        }
    }

After running the template, I can see the EC2 instance running and “InService” with respect to the ELB. But the instance is not able to send the signal, and after 15 minutes the CF stack is rolled back.


Within the 15 minutes I logged in to the instance and found the error below.

#/opt/aws/bin/cfn-signal -e 0 --stack AutoScale --resource AutoScalingConfiguration --region ap-southeast-2

2017-06-24 07:38:42,261 [DEBUG] Signaling resource AutoScalingConfiguration in stack AutoScale with unique ID i-062ffccab190a6c5a and status SUCCESS
2017-06-24 07:39:42,261 [WARNING] Timeout of 60 seconds breached
2017-06-24 07:39:42,261 [ERROR] Client-side timeout
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/cfnbootstrap/util.py", line 162, in _retry
    return f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/cfnbootstrap/util.py", line 231, in _timeout
    raise TimeoutError("Execution did not succeed after %s seconds" % duration)
TimeoutError
2017-06-24 07:39:42,261 [DEBUG] Sleeping for 3.912545 seconds before retrying

I have allocated an EIP and associated it with the instance, then ran the “cfn-signal” command, which this time succeeded in sending the signal. I also tried attaching a “NAT Gateway” to the private subnets, which also succeeded in sending the signal.

So cfn-signal works only over the “internet”, even though all resources in the stack are internal.
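To tell this failure apart from a stack or permissions problem, the timeouts in the log can be grouped under the API call that was in flight. The following is an added example, not part of the original post or of cfn-bootstrap; the function names are hypothetical, the sample log is constructed in the format shown above, and it assumes each timeout belongs to the most recent "Signaling resource" or "Describing resource" line.

```python
import re
from datetime import datetime

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} \[(\w+)\] (.*)$")
OPERATION = re.compile(r"(Signaling|Describing) resource (\S+) in stack (\S+)")

# Constructed sample in the format of the cfn-signal debug output quoted above.
SAMPLE_LOG = """\
2017-06-24 07:38:42,261 [DEBUG] Signaling resource AutoScalingConfiguration in stack AutoScale with unique ID i-EXAMPLE and status SUCCESS
2017-06-24 07:39:42,261 [WARNING] Timeout of 60 seconds breached
2017-06-24 07:39:42,261 [ERROR] Client-side timeout
Traceback (most recent call last):
2017-06-24 07:39:42,261 [DEBUG] Sleeping for 3.912545 seconds before retrying
2017-06-24 07:40:46,174 [WARNING] Timeout of 60 seconds breached
2017-06-24 07:40:46,174 [ERROR] Client-side timeout
"""


def triage(log_text):
    """Group client-side timeouts under the API call that was in flight."""
    calls, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # traceback lines carry no timestamp and are skipped
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        level, message = m.group(2), m.group(3)
        op = OPERATION.search(message)
        if op:
            current = {"action": op.group(1), "resource": op.group(2),
                       "stack": op.group(3), "started": stamp,
                       "timeouts": 0, "waited_s": 0}
            calls.append(current)
        elif current and level == "ERROR" and "Client-side timeout" in message:
            current["timeouts"] += 1
            current["waited_s"] = int((stamp - current["started"]).total_seconds())
    return calls


def unreachable(calls):
    """Calls that hit at least one client-side timeout: check the network path."""
    return [(c["stack"], c["resource"], c["timeouts"], c["waited_s"])
            for c in calls if c["timeouts"] > 0]


if __name__ == "__main__":
    for stack, resource, n, waited in unreachable(triage(SAMPLE_LOG)):
        print(f"{stack}/{resource}: {n} client-side timeouts over {waited}s")
```

A call that only ever shows client-side timeouts never received any response from the CloudFormation endpoint, which points at routing from the subnet rather than at the template or the instance role.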


2 thoughts on “AWS cfn-signal not working in private subnets”

  1. Hi Santosh, did you find an answer to the above question? I am facing the same problem.
    2018-05-15 12:17:33,578 [DEBUG] CloudFormation client initialized with endpoint https://cloudformation.ap-south-1.amazonaws.com
    2018-05-15 12:17:33,578 [DEBUG] Describing resource LaunchConfiguration in stack xxxxxx
    2018-05-15 12:18:33,579 [WARNING] Timeout of 60 seconds breached
    2018-05-15 12:18:33,579 [ERROR] Client-side timeout


    1. Hi Chetan. As mentioned in the last paragraph, the CFN signal only works for instances which have access to the internet (EIP or NAT Gateway).
