How do I make DHCP ip address scopes in AWS? - amazon-web-services

I have an AWS VPC where the DHCP option set gives me random addresses in the scope of the CIDR 10.128.1.0/24.
But I want to have the DHCP scope limited, so that I can use static private IP addresses for some of the servers and dynamic ones for another set of servers, like
Static Server scope:
10.128.1.1 .. 10.128.1.99
Dynamic Server scope:
10.128.1.100 .. 10.128.1.200
I have tried using the aws ec2 create-dhcp-options but it doesn't give me the opportunity to limit any ip addresses.
The question is perhaps: can it be done? If so, how? Or should I think completely differently about this perhaps odd need and do it another AWS way?

You can't do this on AWS. It is common in standard networking, but not in the cloud.
If you really need to use "static" IPs you can reserve the IP by creating an ENI (Elastic Network Interface) in advance.
When an ENI exists, even if it is in the available state, the IP associated with the ENI is already in use, so DHCP will not use it anymore.
When you create an EC2 instance you can allow it to use DHCP to get a random IP, or you can choose an available ENI.
Just note that some IPs are reserved by AWS; you can't create an ENI for them.
See the reserved IPs on documentation below:
https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html#subnet-sizing
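The check the answer above hints at, as an added example that is not part of the original answer: given the question's subnet 10.128.1.0/24, compute the five addresses AWS reserves in every subnet, keep only the usable part of the requested "static" scope, and build the AWS CLI command that reserves each address by creating an ENI. The subnet id, the description and the chosen addresses are constructed placeholders; the command uses the real `aws ec2 create-network-interface` flags `--subnet-id` and `--private-ip-address`.

```python
import ipaddress
from typing import List

# Constructed sample values for the question's scenario (not real resources).
SUBNET_CIDR = "10.128.1.0/24"
SUBNET_ID = "subnet-EXAMPLE"  # placeholder, not a real subnet id


def reserved_addresses(cidr: str) -> List[str]:
    """Return the five addresses AWS reserves in every VPC subnet:
    the network address, VPC router (+1), Amazon DNS (+2), future use (+3)
    and the broadcast address (last). An ENI cannot be created for these."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = int(net.network_address)
    return [str(ipaddress.ip_address(first + i)) for i in range(4)] + [
        str(net.broadcast_address)
    ]


def usable_static_range(cidr: str, start: str, end: str) -> List[str]:
    """Addresses in [start, end] that lie inside the subnet and are not reserved.
    This is the part of the question's 'static scope' that can really be used."""
    net = ipaddress.ip_network(cidr, strict=True)
    reserved = set(reserved_addresses(cidr))
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    usable = []
    for n in range(int(lo), int(hi) + 1):
        ip = ipaddress.ip_address(n)
        if ip in net and str(ip) not in reserved:
            usable.append(str(ip))
    return usable


def eni_commands(subnet_id: str, cidr: str, ips: List[str],
                 description: str = "reserved-static") -> List[str]:
    """Build one `aws ec2 create-network-interface` command per address.
    A reserved or out-of-subnet address raises ValueError up front instead of
    producing a command that the EC2 API would reject."""
    net = ipaddress.ip_network(cidr, strict=True)
    reserved = set(reserved_addresses(cidr))
    commands = []
    for ip in ips:
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside {cidr}")
        if ip in reserved:
            raise ValueError(f"{ip} is reserved by AWS in {cidr}")
        commands.append(
            f"aws ec2 create-network-interface --subnet-id {subnet_id} "
            f"--private-ip-address {ip} --description {description}"
        )
    return commands


if __name__ == "__main__":
    print("reserved:", reserved_addresses(SUBNET_CIDR))
    static_scope = usable_static_range(SUBNET_CIDR, "10.128.1.1", "10.128.1.99")
    print(f"{len(static_scope)} usable static addresses, first {static_scope[0]}")
    # Reserve three constructed addresses from the static scope.
    for cmd in eni_commands(SUBNET_ID, SUBNET_CIDR, static_scope[:3]):
        print(cmd)
```

Every ENI created this way withholds its address from the subnet's DHCP pool, so the "dynamic" servers launched normally can only receive the remaining addresses; the instance that should own a reserved address is launched with that interface attached (for example `aws ec2 run-instances ... --network-interfaces NetworkInterfaceId=eni-EXAMPLE,DeviceIndex=0`, where the interface id is a placeholder). Unattached ENIs cost nothing but are easy to forget, so tag them with the description used above and audit them periodically.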

Related

Amazon MQ - Does the private IP change after a reboot?

I'm using the Amazon MQ managed service and have a question as to how MQ behaves on a reboot.
Will the private IP of the broker change or is it static?
I'm using Amazon MQ inside of a VPC.
Assuming you're using a single instance broker it will most likely stay the same. I couldn't find a direct documentation reference for this, but Amazon MQ broker nodes are managed EC2 instances. An EC2 instance by default retains the private IP inside a VPC over its lifecycle.
The problem is that you don't control the lifecycle of the instance. If the instance is broken beyond repair, Amazon MQ may set up a new instance for you, which will get a different private IP address inside the VPC, but that should be rare. After a simple reboot that would be very unlikely.
If you're using an active/standby cluster, what I said concerning the IPs of the individual nodes should still be true, but which node is the active one may change.
If you need a hard guarantee that the IP addresses don't change, you can set up a private Network Load Balancer in front of your cluster. From the docs (emphasis mine):
When you create an internal load balancer, you can optionally specify one private IP address per subnet. If you do not specify an IP address from the subnet, Elastic Load Balancing chooses one for you. These private IP addresses provide your load balancer with static IP addresses that will not change during the life of the load balancer. You cannot change these private IP addresses after you create the load balancer.
For most services in AWS you want to use the DNS name or CNAME to a service instead of any IP address unless there's a static IP address attached to it.

AWS private elastic ip

I have a scenario where I want to set up an haproxy cluster with keepalived. I saw this blog post https://www.peternijssen.nl/high-availability-haproxy-keepalived-aws/ and it's pretty detailed and easy to follow, but for my scenario I need the Elastic IPs to be private. Is this doable? According to the AWS documentation, Elastic IPs are only public IPs.
I need a floating IP which will act as a floating cluster IP. What can I use if Elastic IP is not an option.
An elastic IP within AWS is actually a static public IP address. This functionality is required as by default a public IP address is not reserved by an account, and when enabled limits the total IPv4 addresses you can keep.
For private address ranges, however, your instances can be assigned any private IP address that is within any of your VPC's CIDR range(s).
In fact, for this reason you can select almost any IP address found within your VPC when launching a new instance. In addition, the IP addresses that are attached to an EC2 instance are static and will be attached to that instance until it is terminated.
Therefore as long as you don't terminate the instances the private IP(s) will be maintained. However, in the event the instance fails and is not recoverable you would still need to launch a new instance and use that IP.
It might be more beneficial using a DNS record to resolve the IP just in case of an emergency, or failing that use a load balancer to distribute traffic.
For this case you can provision an Elastic Network Interface (ENI) with a static private IP address which you can attach/re-attach to EC2 instances. As long as you don't delete the ENI, it will retain the IP address. Find out more here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

Why hostname and IP gets changed after restart of EC2?

After restarting an AWS EC2 instance, the hostname and public IP get changed.
Remote docker clients get affected as they rely (export DOCKER_HOST) on these public names.
How do I resolve this dynamic (public) IP problem of EC2?
By default, AWS-assigned public IP addresses as well as hostnames are ephemeral, meaning they will be released back to the pool if you restart the instance. If you really need a persistent IP address, you can use Elastic IPs, but bear in mind there's a limit per region.
Note: I'd still recommend evaluating the need for using a public IP from the IPv4 pool, as they are a rare resource. Most of the time, one can get by well by using the correct combination of security groups and private IPs, along with Route53 hosted zones for friendly naming, assuming instances are in the same VPC or can communicate via VPC peering.

How to setup AWS to exchange traffic between two elastic beanstalk instances on the same VPC?

I need to pass traffic across two ebs instances on the same AWS VPC.
Let's say I have a VPC with a subnet 10.0.0.0/24 and two running ebs instances
A and B with addresses 10.0.0.130 and 10.0.0.160 respectively. I need to send traffic from A to B.
Currently everything seems to be working fine, as I configure A to send traffic to 10.0.0.130, but I am not confident that this IP address will survive a redeploy.
How can I make sure the private 10.0.0.130 IP address is static, or use some sort of private/internal DNS to make sure I always send traffic to the proper IP address for instance B?
You are correct in thinking that those IP addresses will not survive a redeploy. Those IP addresses won't even survive a scale-in, scale-out, or server failing health check event.
I would try tagging the EC2 instances as part of the EB deployment, and then add some code to the instances that queries the AWS API for the list of instances with those tags. Given that each instance should know its own IP address, it should then be easy to determine what the IP address of the other server is.
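The tag-based lookup the answer above proposes, as an added example that is not part of the original answer: the function filters a DescribeInstances response down to running instances in the caller's VPC that carry the chosen tag, and drops the caller's own address. The response is a constructed sample in the shape boto3's `ec2.describe_instances()` returns (instance ids, VPC id, tag key `app-role` and addresses are all made up); the real call is shown in a comment so the block runs offline.

```python
from typing import Dict, List, Optional

# Constructed sample in the shape of boto3's ec2.describe_instances() response,
# trimmed to the fields used here. All ids, tags and addresses are made up.
SAMPLE_RESPONSE: Dict = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa", "PrivateIpAddress": "10.0.0.130",
             "VpcId": "vpc-EXAMPLE", "State": {"Name": "running"},
             "Tags": [{"Key": "app-role", "Value": "backend"}]},
            {"InstanceId": "i-0bbb", "PrivateIpAddress": "10.0.0.160",
             "VpcId": "vpc-EXAMPLE", "State": {"Name": "running"},
             "Tags": [{"Key": "app-role", "Value": "backend"}]},
        ]},
        {"Instances": [
            # Terminating instance: its address may soon be reused by a new one.
            {"InstanceId": "i-0ccc", "PrivateIpAddress": "10.0.0.171",
             "VpcId": "vpc-EXAMPLE", "State": {"Name": "shutting-down"},
             "Tags": [{"Key": "app-role", "Value": "backend"}]},
            {"InstanceId": "i-0ddd", "PrivateIpAddress": "10.0.0.45",
             "VpcId": "vpc-EXAMPLE", "State": {"Name": "running"},
             "Tags": [{"Key": "app-role", "Value": "frontend"}]},
        ]},
    ]
}


def tag_value(instance: Dict, key: str) -> Optional[str]:
    """Value of the tag `key` on an instance record, or None if absent."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def peer_private_ips(response: Dict, tag_key: str, wanted: str,
                     own_ip: str, vpc_id: str) -> List[str]:
    """Private IPs of running instances in `vpc_id` whose tag `tag_key` equals
    `wanted`, excluding the caller's own address. Filtering on state and VPC
    matters: a stopped or terminating instance is not a valid peer, and the
    same tag in another VPC would point at an unreachable address."""
    peers = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            if inst.get("VpcId") != vpc_id:
                continue
            if tag_value(inst, tag_key) != wanted:
                continue
            ip = inst.get("PrivateIpAddress")
            if not ip or ip == own_ip:
                continue
            peers.append(ip)
    return sorted(peers)


# Live usage (assumption: boto3 installed and the instance role allows
# ec2:DescribeInstances). Server-side filters cut the response down first:
#   ec2 = boto3.client("ec2")
#   response = ec2.describe_instances(Filters=[
#       {"Name": "tag:app-role", "Values": ["backend"]},
#       {"Name": "instance-state-name", "Values": ["running"]},
#   ])
# The caller's own private IP comes from instance metadata
# (169.254.169.254/latest/meta-data/local-ipv4, preferably via IMDSv2).

if __name__ == "__main__":
    print(peer_private_ips(SAMPLE_RESPONSE, "app-role", "backend",
                           own_ip="10.0.0.130", vpc_id="vpc-EXAMPLE"))
```

Re-run the lookup on a schedule or on connection failure rather than once at boot, since the whole point is that the peer's address changes on redeploy or scale events; and keep the IAM permission scoped to `ec2:DescribeInstances`, which is read-only.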

Why does a AWS NAT Gateway require an ElasticIP?

While creating NAT Gateway an Elastic IP Address is created in AWS. The AWS documentation (1) also mentions the same. Why is an Elastic IP Address required for NAT Gateway?
Simply stated, the EIP is required because that is the way the NAT Gateway feature was engineered.
It wouldn't make sense to have a dynamic address on a NAT device -- if the address changed, that would be guaranteed to break any sessions in progress... and the only way to allocate a static address is by allocating an Elastic IP address (EIP).
It's also common to have external vendors whitelist your servers (for access to their servers) by providing them with the EIP of your NAT Gateway, in which case a dynamic address from the public pool would be unacceptable.
There may also be internal, proprietary reasons related to the way EIPs function that made this requirement a necessity... but that is not documented, so such an assertion would be mere speculation. An example of this: the public pool addresses (like those auto-assigned to EC2 instances configured with a public IP address from the pool, not an EIP) might be engineered to the specific availability zone, or even a subset of a single availability zone (they do, after all, change, when an instance is stopped/started, implying that they might be dedicated to specific server bays within an AZ), while EIPs can migrate anywhere from one zone to another within a region. This strongly implies different internal topologies.
This requirement (constraint?), to me, seems insignificant: you shouldn't be charged for this EIP, and if you need to increase the maximum allowed number of EIPs in a region, you can submit a support request at no charge, describing your use case, to request a limit increase.
The EIP requirement is rather arbitrary. Having a static IP makes coding the NAT easier (it doesn't have to check the WAN Interface for upstream address changes) but NATs that support a dynamic upstream address are very common - almost every home served by a major ISP has one. Sure, there's a risk the external address might change and break the current connections, but the ISPs know this and try hard NOT to change the address. Generally it changes only when you reboot the router, and at that point all your connections are broken anyway.
On AWS there are many similar scenarios where you don't care if your NAT gateway's external address changes, especially if your VPC does not contain any public servers. I have a lot of these, and I'm trying to run them on free accounts - it annoys me that they force me to burn through my short supply of static IPs.
As others observed this is a small expense, and AWS is still way cheaper than any other way I know to get this kind of cloud power; but that EIP is not strictly required.
Not insignificant at all: you are only allowed to have 5 EIPs, so having 2 or 3 apps in two availability zones will hit that threshold.
As of June 2021, the AWS NAT Gateway does not require an ElasticIP (if you choose "Private" mode):
A private NAT Gateway, or NAT Gateway with connectivity type set to private, does not require EIP and you do not need to attach an internet gateway with your VPC.
https://aws.amazon.com/about-aws/whats-new/2021/06/aws-removes-nat-gateways-dependence-on-internet-gateway-for-private-communications/
I think what the answers here are missing is that the NAT Gateway (NATG) traffic is still being routed through an Internet Gateway (IGW), which performs static (one private IP to one public IP) NAT. As the image in the question indicates, the Elastic IP (EIP) is an association. It is the IGW that is translating the NATG's private IP to its associated public EIP.
This EIP requirement is therefore consistent from an AWS implementation perspective for any resource (e.g. EC2 instance) in a public subnet accessing the internet through an IGW.
Let's say you have private network instances; how will they connect to the internet? That's when NAT comes in. The NAT IP is public, and private subnets can be associated with the NAT. So in that way, the instance in the private subnet can connect to the internet using NAT. This is very useful when you have a server that needs to whitelist your IP. Just give them the NAT EIP and problem solved.