AWS Lab is getting assessed incorrectly. Setting Up a Private VPC with an Isolated EC2 Instance

AWS Level 2 lab number 14
Setting Up a Private VPC with an Isolated EC2 Instance.

Feedback from KodeKloud: Security group rule does not allow access from the VPC’s CIDR block

I think I have configured it all correctly but the lab is still being assessed as failed. I have attached the screenshot. I have attempted it many times without luck.

Please let me know if I am doing it incorrectly.

Hi @ali.kachwala,

Thanks for highlighting this. I have forwarded your feedback to the KKE lab team.

Regards,

Hi @ali.kachwala ,

Please check again. The team pushed a fix for this.

Regards,

I think this issue is not yet fixed. I tried several times but am getting the same “Security group rule does not allow access from the VPC’s CIDR block” error again.
Can you please take a look?

Hi @sawant.akshay.1305 ,

The above post is a bit old. Please create a new one and share the task topic, level, and name, along with the error screenshot, so we can check again and proceed accordingly.

Regards,

FYI, I checked again and didn’t face any issues.

@sawant.akshay.1305
What was the error that you were getting?
Probably try allowing all traffic from the private VPC CIDR, instead of just the ssh rule.

This lab claims the security group does not allow access from the VPC’s CIDR block. However, if you see the screenshots you will see the Security Group has been set up to allow ALL Traffic from the VPC Network (10.140.0.0/16). Please explain the issue; thanks.

I’m having the same issue with this lab as well.

Current behaviour: Lab failed due to “The security group does not allow access from the VPC’s CIDR block”.

Private VPC and private subnet CIDR: 192.168.0.0/24

Private ACL:

  • Inbound: Allow all from 192.168.0.0/24, priority 100
  • Outbound: Allow all to 192.168.0.0/24, priority 100

Security group:

  • 1 Inbound rule: Allow all traffic from 192.168.0.0/24
  • 1 Outbound rule: Allow all traffic to 192.168.0.0/24

Instance:

  • Amazon Linux AMI with t2.micro free tier with no key pair.

I’m a bit lost here so any advice or clues towards the solution would be highly appreciated.

Thanks!

Additional information

$ aws ec2 describe-vpcs --vpc-ids vpc-03dbb92a274fd56f3

{
    "Vpcs": [
        {
            "OwnerId": "590184057482",
            "InstanceTenancy": "default",
            "CidrBlockAssociationSet": [
                {
                    "AssociationId": "vpc-cidr-assoc-02bcfffa1182dc90e",
                    "CidrBlock": "192.168.0.0/24",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "IsDefault": false,
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "xfusion-priv-vpc"
                }
            ],
            "VpcId": "vpc-03dbb92a274fd56f3",
            "State": "available",
            "CidrBlock": "192.168.0.0/24",
            "DhcpOptionsId": "dopt-0e7ffd6f34e1f7826"
        }
    ]
}

$ aws ec2 describe-subnets --subnet-ids subnet-08950500b683c966d

{
    "Subnets": [
        {
            "AvailabilityZoneId": "use1-az5",
            "MapCustomerOwnedIpOnLaunch": false,
            "OwnerId": "590184057482",
            "AssignIpv6AddressOnCreation": false,
            "Ipv6CidrBlockAssociationSet": [],
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "xfusion-priv-subnet"
                }
            ],
            "SubnetArn": "arn:aws:ec2:us-east-1:590184057482:subnet/subnet-08950500b683c966d",
            "EnableDns64": false,
            "Ipv6Native": false,
            "PrivateDnsNameOptionsOnLaunch": {
                "HostnameType": "ip-name",
                "EnableResourceNameDnsARecord": false,
                "EnableResourceNameDnsAAAARecord": false
            },
            "SubnetId": "subnet-08950500b683c966d",
            "State": "available",
            "VpcId": "vpc-03dbb92a274fd56f3",
            "CidrBlock": "192.168.0.0/24",
            "AvailableIpAddressCount": 251,
            "AvailabilityZone": "us-east-1f",
            "DefaultForAz": false,
            "MapPublicIpOnLaunch": false
        }
    ]
}

$ aws ec2 describe-network-acls --network-acl-ids acl-045b011f3eb7938f7

{
    "NetworkAcls": [
        {
            "Associations": [
                {
                    "NetworkAclAssociationId": "aclassoc-032d5d96be391e758",
                    "NetworkAclId": "acl-045b011f3eb7938f7",
                    "SubnetId": "subnet-08950500b683c966d"
                }
            ],
            "Entries": [
                {
                    "CidrBlock": "192.168.0.0/24",
                    "Egress": true,
                    "Protocol": "-1",
                    "RuleAction": "allow",
                    "RuleNumber": 100
                },
                {
                    "CidrBlock": "0.0.0.0/0",
                    "Egress": true,
                    "Protocol": "-1",
                    "RuleAction": "deny",
                    "RuleNumber": 32767
                },
                {
                    "CidrBlock": "192.168.0.0/24",
                    "Egress": false,
                    "Protocol": "-1",
                    "RuleAction": "allow",
                    "RuleNumber": 100
                },
                {
                    "CidrBlock": "0.0.0.0/0",
                    "Egress": false,
                    "Protocol": "-1",
                    "RuleAction": "deny",
                    "RuleNumber": 32767
                }
            ],
            "IsDefault": true,
            "NetworkAclId": "acl-045b011f3eb7938f7",
            "Tags": [],
            "VpcId": "vpc-03dbb92a274fd56f3",
            "OwnerId": "590184057482"
        }
    ]
}

$ aws ec2 describe-route-tables --route-table-ids rtb-05490223b61fde3e5

{
    "RouteTables": [
        {
            "Associations": [
                {
                    "Main": true,
                    "RouteTableAssociationId": "rtbassoc-0467e6524f6fedbf3",
                    "RouteTableId": "rtb-05490223b61fde3e5",
                    "AssociationState": {
                        "State": "associated"
                    }
                }
            ],
            "PropagatingVgws": [],
            "RouteTableId": "rtb-05490223b61fde3e5",
            "Routes": [
                {
                    "DestinationCidrBlock": "192.168.0.0/24",
                    "GatewayId": "local",
                    "Origin": "CreateRouteTable",
                    "State": "active"
                }
            ],
            "Tags": [],
            "VpcId": "vpc-03dbb92a274fd56f3",
            "OwnerId": "590184057482"
        }
    ]
}

$ aws ec2 describe-security-groups --group-ids sg-04c576daac030d5a3

{
    "SecurityGroups": [
        {
            "GroupId": "sg-04c576daac030d5a3",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "UserIdGroupPairs": [],
                    "IpRanges": [
                        {
                            "CidrIp": "192.168.0.0/24"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": []
                }
            ],
            "VpcId": "vpc-03dbb92a274fd56f3",
            "OwnerId": "590184057482",
            "GroupName": "xfusion-priv-ec2-sc",
            "Description": "Allows connection from/to the resources of the private VPC",
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "UserIdGroupPairs": [],
                    "IpRanges": [
                        {
                            "CidrIp": "192.168.0.0/24"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": []
                }
            ]
        }
    ]
}

$ aws ec2 describe-instances --instance-ids i-0141c37ce7a20360d

{
    "Reservations": [
        {
            "ReservationId": "r-094910fa5f8f8d144",
            "OwnerId": "590184057482",
            "Groups": [],
            "Instances": [
                {
                    "Architecture": "x86_64",
                    "BlockDeviceMappings": [
                        {
                            "DeviceName": "/dev/xvda",
                            "Ebs": {
                                "AttachTime": "2025-01-17T15:42:08.000Z",
                                "DeleteOnTermination": true,
                                "Status": "attached",
                                "VolumeId": "vol-0e1ae864f1ae90b57"
                            }
                        }
                    ],
                    "ClientToken": "2735df82-d138-4584-b959-9fb19dfaf87a",
                    "EbsOptimized": false,
                    "EnaSupport": true,
                    "Hypervisor": "xen",
                    "NetworkInterfaces": [
                        {
                            "Attachment": {
                                "AttachTime": "2025-01-17T15:42:08.000Z",
                                "AttachmentId": "eni-attach-04cc69348b98d5f2c",
                                "DeleteOnTermination": true,
                                "DeviceIndex": 0,
                                "Status": "attached",
                                "NetworkCardIndex": 0
                            },
                            "Description": "",
                            "Groups": [
                                {
                                    "GroupId": "sg-04c576daac030d5a3",
                                    "GroupName": "xfusion-priv-ec2-sc"
                                }
                            ],
                            "Ipv6Addresses": [],
                            "MacAddress": "16:ff:e5:48:90:e3",
                            "NetworkInterfaceId": "eni-068c21de8b07f6023",
                            "OwnerId": "590184057482",
                            "PrivateIpAddress": "192.168.0.242",
                            "PrivateIpAddresses": [
                                {
                                    "Primary": true,
                                    "PrivateIpAddress": "192.168.0.242"
                                }
                            ],
                            "SourceDestCheck": true,
                            "Status": "in-use",
                            "SubnetId": "subnet-08950500b683c966d",
                            "VpcId": "vpc-03dbb92a274fd56f3",
                            "InterfaceType": "interface"
                        }
                    ],
                    "RootDeviceName": "/dev/xvda",
                    "RootDeviceType": "ebs",
                    "SecurityGroups": [
                        {
                            "GroupId": "sg-04c576daac030d5a3",
                            "GroupName": "xfusion-priv-ec2-sc"
                        }
                    ],
                    "SourceDestCheck": true,
                    "Tags": [
                        {
                            "Key": "Name",
                            "Value": "xfusion-priv-ec2"
                        }
                    ],
                    "VirtualizationType": "hvm",
                    "CpuOptions": {
                        "CoreCount": 1,
                        "ThreadsPerCore": 1
                    },
                    "CapacityReservationSpecification": {
                        "CapacityReservationPreference": "open"
                    },
                    "HibernationOptions": {
                        "Configured": false
                    },
                    "MetadataOptions": {
                        "State": "applied",
                        "HttpTokens": "required",
                        "HttpPutResponseHopLimit": 2,
                        "HttpEndpoint": "enabled",
                        "HttpProtocolIpv6": "disabled",
                        "InstanceMetadataTags": "disabled"
                    },
                    "EnclaveOptions": {
                        "Enabled": false
                    },
                    "BootMode": "uefi-preferred",
                    "PlatformDetails": "Linux/UNIX",
                    "UsageOperation": "RunInstances",
                    "UsageOperationUpdateTime": "2025-01-17T15:42:08.000Z",
                    "PrivateDnsNameOptions": {
                        "HostnameType": "ip-name",
                        "EnableResourceNameDnsARecord": false,
                        "EnableResourceNameDnsAAAARecord": false
                    },
                    "MaintenanceOptions": {
                        "AutoRecovery": "default"
                    },
                    "CurrentInstanceBootMode": "legacy-bios",
                    "InstanceId": "i-0141c37ce7a20360d",
                    "ImageId": "ami-0df8c184d5f6ae949",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "PrivateDnsName": "ip-192-168-0-242.ec2.internal",
                    "PublicDnsName": "",
                    "StateTransitionReason": "",
                    "AmiLaunchIndex": 0,
                    "ProductCodes": [],
                    "InstanceType": "t2.micro",
                    "LaunchTime": "2025-01-17T15:42:08.000Z",
                    "Placement": {
                        "GroupName": "",
                        "Tenancy": "default",
                        "AvailabilityZone": "us-east-1f"
                    },
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "SubnetId": "subnet-08950500b683c966d",
                    "VpcId": "vpc-03dbb92a274fd56f3",
                    "PrivateIpAddress": "192.168.0.242"
                }
            ]
        }
    ]
}

Hey @cralonso ,

I didn’t have to edit the network ACLs. Just creating a VPC, a subnet and an EC2 instance with a security group rule allowing SSH traffic (allowing all traffic shouldn’t be an issue either) from the VPC’s CIDR was enough to clear the checks.

@cralonso,

I had an issue with this lab, but here is a solution fix. You need to create a security group and associate it to the VPC. Thus, when you are creating and launching the EC2 you can attach that security group to the instance. For example…

Step 1 create VPC ‘xfusion-priv-vpc’ cidr block 10.0.0.0/16
Step 2 create a Subnet ‘xfusion-priv-subnet’ cidr block 10.0.0.0/24
Step 3 create a Security Group for the VPC:
Inbound Rules allow ALL Traffic source 10.0.0.0/16
Outbound Rules All Traffic to any destination 0.0.0.0/0
Step 4 Attach the Security Group to the VPC
Step 5 Create the EC2 using the defaults but choose existing security group and attach the VPC security group.

No need for NACLs or route tables; the check is only looking for the presence of a security group and a bit match for its local network. I hope this helps.

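Both configurations discussed above (cralonso’s 192.168.0.0/24 setup and the 10.0.0.0/16 steps) come down to one question a reviewer can answer offline: is a security group actually attached to the instance, does it live in the same VPC, and does one of its inbound rules cover the whole VPC CIDR? The check below is an added example, not the KodeKloud grader or any AWS code; it works on the dictionary shapes that `aws ec2 describe-vpcs`, `describe-security-groups` and `describe-instances` return, using the identifiers from the output quoted in this thread as constructed sample input (the `sg-default-placeholder` group is invented).

```python
import ipaddress

# Constructed sample data in the shape of the describe-* JSON quoted above.
VPC = {"VpcId": "vpc-03dbb92a274fd56f3", "CidrBlock": "192.168.0.0/24"}
SECURITY_GROUPS = [
    {"GroupId": "sg-04c576daac030d5a3", "VpcId": "vpc-03dbb92a274fd56f3",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "192.168.0.0/24"}]}]},
]
INSTANCE = {"InstanceId": "i-0141c37ce7a20360d", "VpcId": "vpc-03dbb92a274fd56f3",
            "SecurityGroups": [{"GroupId": "sg-04c576daac030d5a3"}]}


def rule_covers_cidr(permission, cidr):
    """True if some IPv4 range in this rule contains the whole CIDR.

    A rule for a single subnet (e.g. 10.0.0.0/24) does not cover a
    /16 VPC; the lab's message reads like exactly this kind of mismatch.
    """
    target = ipaddress.ip_network(cidr)
    return any(target.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in permission.get("IpRanges", []))


def check_private_ec2(vpc, security_groups, instance):
    """Return a list of findings; an empty list means the setup passes."""
    findings = []
    attached = {g["GroupId"] for g in instance.get("SecurityGroups", [])}
    known = {sg["GroupId"]: sg for sg in security_groups}
    if not attached:
        findings.append("instance has no security group attached")
    for gid in sorted(attached):
        sg = known.get(gid)
        if sg is None:
            findings.append(f"{gid} not found in describe-security-groups output")
            continue
        if sg["VpcId"] != vpc["VpcId"]:
            findings.append(f"{gid} belongs to another VPC")
        if not any(rule_covers_cidr(p, vpc["CidrBlock"])
                   for p in sg.get("IpPermissions", [])):
            findings.append(f"{gid} has no inbound rule covering {vpc['CidrBlock']}")
    return findings


if __name__ == "__main__":
    print(check_private_ec2(VPC, SECURITY_GROUPS, INSTANCE) or "all checks passed")
```

Run against the sample data it passes; point it at an instance still carrying only the VPC’s default group (self-referencing rule, no CIDR range) and it reports the missing rule, which is the situation cralonso ended up in.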

Ok I’m super ashamed :flushed:.

I made a super rookie mistake and forgot to attach the SC to the VPC …

Thanks for your help @amaruxia

@cralonso you’re welcome.

Don’t feel bad, you’re not alone. I made the same mistake as perhaps have others. But, as they say, we learn by doing. :grin: