Bug #12042

EC2 security group and networking problems

Added by Tim Holloway over 8 years ago. Updated over 8 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Compute resources - EC2
Target version:
-
Difficulty:
medium
Triaged:
Fixed in Releases:
Found in Releases:

Description

Note: proper attention to the items outlined below will probably resolve the various open tickets relating to AWS Security Groups as well as making overall AWS networking more functional.

Overview: Amazon EC2 networking can be confusing. It allows Virtual Private Clouds, isolated from each other. It allows Virtual Private Networks. And it supports multiple sub-zones within a VPC, each with its own subnet. AWS normally provides DHCP services to the VPC, customizable by the user, if needed.

As of Foreman v1.9.2, there appears to be a subnet hard-coded into the EC2 Foreman plugin named "EC2". This subnet exists solely within program logic and not within the Foreman database. This appears to cause issues on certain screens which only populate based on actual subnets defined in the database. Adding the various regional subnets explicitly to Foreman doesn't help, as the default subnet choice for deploying an AMI is "No Preference", plus explicit requesting of a subnet appears not to be able to work with Amazon's DHCP server.

There is also the matter of Security Groups. Numerous tickets exist concerning failure of the UI to retrieve and list security groups as part of resource definition. Experience seems to indicate that groups can be retrieved when an individual regional subnet is requested, but security groups are owned by VPCs, not their subnets, so this is not the proper behaviour.

The fact that "EC2" isn't a "real" subnet has led to cases where defining a new Host fails because EC2 is not a selectable subnet, and no domain is available. Selecting a domain can lead to the dreaded "Reverse DNS" error, since the UI attempts to attach an explicit subnet that doesn't provide proper services.

Suggested remedies:

1. Consider replacing the "EC2" subnet with a set of real subnets, one per VPC for the AWS account in question. Create actual entries in the Foreman subnets table for them so that they can be selected where appropriate and to associate domain(s) with them in the usual way. Define actual subnet entries in the Foreman database to correspond to VPCs. NOTE: The default VPC has a blank name in AWS.

2. Take appropriate actions to ensure that Foreman knows that explicit regional subnets have the proper relationships to their corresponding VPCs and regions.

3. Repair the Security group logic so that it pulls groups based on VPCs, not on subnet IDs.
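The lookup that remedies 2 and 3 describe, as an added illustration rather than Foreman's own code: subnets are mapped to the VPC that owns them, security groups are listed per VPC instead of per subnet id, and a host placement that pairs a subnet with a group from a different VPC is rejected before any launch is attempted. All ids and records are constructed placeholders shaped like the EC2 DescribeSubnets / DescribeSecurityGroups responses.

```ruby
# Constructed sample records; VPC, subnet and group ids are placeholders.
SUBNETS = [
  { subnet_id: 'subnet-0aaa', vpc_id: 'vpc-0001', cidr: '10.0.1.0/24' },
  { subnet_id: 'subnet-0bbb', vpc_id: 'vpc-0001', cidr: '10.0.2.0/24' },
  { subnet_id: 'subnet-0ccc', vpc_id: 'vpc-0002', cidr: '10.1.1.0/24' },
].freeze

SECURITY_GROUPS = [
  { group_id: 'sg-0001', name: 'default', vpc_id: 'vpc-0001' },
  { group_id: 'sg-0002', name: 'web',     vpc_id: 'vpc-0001' },
  { group_id: 'sg-0003', name: 'default', vpc_id: 'vpc-0002' },
].freeze

# Remedy 2: every real subnet carries the id of the VPC that owns it.
def vpc_for_subnet(subnets, subnet_id)
  subnet = subnets.find { |s| s[:subnet_id] == subnet_id }
  subnet && subnet[:vpc_id]
end

# Remedy 3: security groups are VPC-scoped, so select them by VPC id,
# never by subnet id.
def security_groups_for_vpc(groups, vpc_id)
  groups.select { |g| g[:vpc_id] == vpc_id }.map { |g| g[:group_id] }
end

# Groups that are selectable for a host placed in a given subnet are
# exactly the groups of that subnet's VPC; an unknown subnet yields none.
def security_groups_for_subnet(subnets, groups, subnet_id)
  vpc = vpc_for_subnet(subnets, subnet_id)
  vpc ? security_groups_for_vpc(groups, vpc) : []
end

# EC2 refuses a launch whose subnet and security groups belong to different
# VPCs, so the mismatch is caught here, before a host record is created.
# Returns :ok, or [:error, message] naming the groups outside the VPC.
def validate_placement(subnets, groups, subnet_id:, group_ids:)
  allowed = security_groups_for_subnet(subnets, groups, subnet_id)
  bad = group_ids - allowed
  return :ok if bad.empty?
  [:error, "groups #{bad.join(', ')} are not in the VPC of #{subnet_id}"]
end
```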
