I am trying to create an AWS infrastructure consisting of 2 security groups and 1 EC2 instance. The instance creation fails with the error:
Security group sg-0ca713960ef97b70b and subnet subnet-0fb1a03979897974d belong to different networks. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameter; Request ID: 5f03e0f1-fc1b-4ab4-8bef-0d71a1756212; Proxy: null)
I use the VPC value as an input in the template. I don't know what I am missing. Can anyone help me solve this? Here is my full template:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Template for immediately isolation and forensic investigation of compromised instances
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  Ec2KeyName:
    Type: AWS::EC2::KeyPair::KeyName
  PurposeTag:
    Type: String
    Default: forensics
  SSHLocation:
    Description: >-
      Enter desired Network CIDR to access EC2 instance. Default is set to
      access from anywhere and it is not recommended. Please change to appropriate
      CIDR.
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    Type: String
    ConstraintDescription: >-
      Must be a valid Network CIDR of the form x.x.x.x/y. Default is set to
      0.0.0.0/0, in production do not set default to 0.0.0.0/0
Mappings:
  ImageId:
    us-east-1:
      AmazonLinux2: ami-00dc79254d0461090
      UbuntuCanonical: ami-04b9e92b5572fa0d1
    us-east-2:
      AmazonLinux2: ami-00bf61217e296b409
      UbuntuCanonical: ami-0d5d9d301c853a04a
    us-west-1:
      AmazonLinux2: ami-024c80694b5b3e51a
      UbuntuCanonical: ami-0dd655843c87b6930
    us-west-2:
      AmazonLinux2: ami-0a85857bfc5345c38
      UbuntuCanonical: ami-06d51e91cea0dac8d
    eu-west-1:
      AmazonLinux2: ami-040ba9174949f6de4
      UbuntuCanonical: ami-02df9ea15c1778c9c
Resources:
  ForensicSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for forensic EC2 instances
      SecurityGroupIngress:
        - Description: Allow SSH from company ip address
          CidrIp: !Ref SSHLocation
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
      Tags:
        - Key: Purpose
          Value: !Ref PurposeTag
      VpcId: !Ref VpcId
  ForensicInstance:
    Type: AWS::EC2::Instance
    Metadata:
      AWS::CloudFormation::Init:
        config:
          commands:
            1_sift_download:
              command: "wget https://github.com/teamdfir/sift-cli/releases/download/v1.7.1/sift-cli-linux -P /tmp/"
            2_rename:
              command: "mv /tmp/sift-cli-linux /usr/local/bin/sift"
            3_sift_permissions:
              command: "chmod 755 /usr/local/bin/sift"
            4_sift_install:
              command: "/usr/local/bin/sift install"
    Properties:
      IamInstanceProfile: !Ref ForensicInstanceProfile
      ImageId: !FindInMap
        - ImageId
        - !Ref 'AWS::Region'
        - UbuntuCanonical
      InstanceType: t2.micro
      KeyName: !Ref Ec2KeyName
      SecurityGroupIds:
        - !GetAtt ForensicSecurityGroup.GroupId
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          sudo su
          apt update
          apt upgrade
          apt -y install python-pip pcre-tools gcc autoconf automake libtool nc git kernel-devel libdwarf-tools python unzip
          pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz
          cfn-init -s ${AWS::StackName} --region ${AWS::Region} -r ForensicInstance
          pip install distorm3 pycrypto pillow openpyxl ujson pytz IPython netaddr yara-python pylzma psutil colorama
          cd /home/ubuntu
          wget http://downloads.volatilityfoundation.org/releases/2.6/volatility-2.6.zip
          unzip volatility-2.6.zip
          mv volatility-master volatility
          chown -R ubuntu.ubuntu volatility
          # Install LiME
          git clone https://github.com/504ensicsLabs/LiME.git
          chown -R ubuntu.ubuntu LiME
          # Install Loki
          wget https://github.com/Neo23x0/Loki/archive/v0.30.5.tar.gz
          tar -xzvf v0.30.5.tar.gz
          cd Loki-0.30.5/
          pip install -r requirements.txt
          # Install aws_ir
          pip install aws_ir
      Tags:
        - Key: Purpose
          Value: !Ref PurposeTag
  ForensicInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref ForensicInstanceRole
  ForensicInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service: ec2.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEC2FullAccess
  IsolatedSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group that allows only SSH from the forensics group
      SecurityGroupIngress:
        - Description: Allow SSH
          SourceSecurityGroupId: !GetAtt ForensicSecurityGroup.GroupId
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
      SecurityGroupEgress:
        - Description: Limit outbound traffic to only localhost, removes the default quad-zero outbound rule
          CidrIp: 127.0.0.1/32
          IpProtocol: '-1'
      VpcId: !Ref VpcId
      Tags:
        - Key: Purpose
          Value: !Ref PurposeTag
The AWS::EC2::Instance does not specify its Subnet property, nor is it explicitly attached to a network interface. Therefore the EC2 instance is most likely being launched in a random subnet of the default VPC, while the attached security group was created in a different VPC.
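The change the answer points to, as an added example that is not part of the original question or answer: a subnet parameter (the name `SubnetId` and its description are my choice) and a `SubnetId` property on the instance, so the instance, its subnet and both security groups all live in the VPC selected through `VpcId`. Only the parts of the template that change are shown; everything else stays as posted.

```yaml
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  # Added parameter. The AWS::EC2::Subnet::Id type makes the console offer
  # only existing subnets, but it does NOT verify that the subnet belongs to
  # VpcId; choosing one from another VPC reproduces the same
  # "belong to different networks" InvalidParameter error.
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet (inside VpcId) in which to launch the forensic instance

Resources:
  ForensicInstance:
    Type: AWS::EC2::Instance
    Properties:
      # Without SubnetId, EC2 picks a subnet in the account's default VPC,
      # while ForensicSecurityGroup was created in VpcId. Pinning the subnet
      # puts the instance in the same network as its security group.
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        - !GetAtt ForensicSecurityGroup.GroupId
      # ... remaining instance properties unchanged from the posted template
```

If the instance is instead defined with an explicit `NetworkInterfaces` list, the subnet and security groups go on that interface entry (`SubnetId` and `GroupSet`) rather than on the instance, since the two forms cannot be mixed.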