AWS EC2 multi instance exit with a single IP Address - amazon-web-services

I have an AWS infrastructure as follows:
EC2-WS01
EC2-WS02
Load balancer
These machines run the same code. In front of these machines there is a Load Balancer that distributes the load. So the clients point to the load balancer, which forwards the requests. One of the services of my app is a webhook service that sends some information every 15 minutes to an external server protected by a firewall. We had to set up the firewall to accept the requests from the two EC2 IP addresses. I want to know if it is possible to make sure that, regardless of the instances I have, when I make a request it is always made from the same IP.
Is it possible to do that with an Elastic IP, or what else?

Your architecture would need to be:
Load Balancer in a public subnet
Amazon EC2 instances in private subnet(s)
A NAT Gateway or NAT Instance in a public subnet, with an Elastic IP address
A Route Table on the private subnet(s) that sends Internet-bound traffic via the NAT Gateway/NAT Instance
The traffic from the Amazon EC2 instances will "come from" the public Elastic IP address associated with the NAT Gateway/NAT Instance.

Related

Attach Elastic IP to EC2 instance of Elastic Beanstalk

My production and development applications are running on EBS's EC2 instances, where I need to attach an Elastic IP to each instance. I am able to associate the Elastic IPs to each instance, but after some time the IPs are disassociated automatically due to the Application Load Balancer, which creates a new EC2 instance. I know it's due to the Application Load Balancer, but I want to know how I can persist the Elastic IPs to each instance. I am using a third-party integration in which I have to send my static IPs to get them whitelisted.
The AWS solution for sending requests to third parties from a fixed IP (or fixed set of IPs) when running in an auto-scaled environment is to create a NAT Gateway in your public subnet (or one in each public subnet), assign Elastic IPs to the NAT Gateways, and place your EC2 instances in private subnets with a route to the NAT Gateway.
In this configuration, all outbound requests will go through the NAT Gateway(s) which will have static (Elastic) IPs that can be whitelisted by third-parties.

AWS Global Accelerator static IP not working

So I have just set up an Application Load Balancer, but I need a static IP to whitelist my database connection. I found Global Accelerator can do the job, so I have set it up and assigned it to the ALB. All shows fine in the console, but when I ping my domain (www.example.com) I don't see either of the 2 static IPs assigned... and when I whitelist both IPs my application still cannot connect.
Am I doing something wrong?
Edit: My database is MongoDB hosted on the Atlas Cloud. In my staging environment I have secured the connection to a single server instance using that server's IP address. Now that I'm moving to a production environment with a load balancer, I'm not quite sure how I would achieve the same result, since I have multiple EC2 instances which can be created/destroyed via autoscaling. My thinking is that I need to whitelist the load balancer IP address rather than individual instances.
I am assuming that your architecture is:
Domain name pointing to an Application Load Balancer in AWS
Load Balancer points to an Auto Scaling group of Amazon EC2 instances
The EC2 instances point to your MongoDB database hosted on the Atlas Cloud
You want a static IP address so that the database can permit access from the Amazon EC2 instances
While incoming traffic to the EC2 instances goes through the Load Balancer, please note that the connection from an EC2 instance to the database is a separate outbound connection that is established to the database. This traffic does not go through the Load Balancer. The only traffic coming 'out' of a Load Balancer is the response to requests that came 'in'.
The typical way to implement this architecture is:
Load Balancer in public subnets
Auto-Scaled Amazon EC2 instances in private subnets
A NAT Gateway in the public subnet(s)
This way, the instances in the private subnets can access the Internet via the NAT Gateway, yet they are fully isolated from traffic coming in from the Internet. It has the additional benefit that the NAT Gateway has a static IP address. All traffic going through the NAT Gateway to the Internet will 'appear' to be coming from this IP address.
For fault tolerance, it is recommended to put a NAT Gateway in at least two Availability Zones. Each will have its own static IP address.
Oh, and you could consider moving your database to Amazon DocumentDB (with MongoDB Compatibility), which would reduce latency between the application servers and the database.

IP address range for outbound requests from AWS EC2 in a load-balanced Elastic Beanstalk

Suppose we have an application running on an EC2 instance in a load-balanced Elastic Beanstalk stack. And this application wants to (1) call web services served by external hosts, and/or (2) open secured TN5250 (i.e., 5250 data stream over SSL-secured Telnet) sessions on external hosts.
Is there a way we can give those external hosts a reliable IP address range from which to expect our traffic?
(Cross-posted to the AWS EC2 developer forum.)
If the Amazon EC2 instances are in a private subnet, then you will need a NAT Gateway in a public subnet to provide them with Internet access. An Elastic IP address is associated with the NAT Gateway, which remains static and can be used for whitelisting. All outbound traffic from the instances will come from the NAT Gateway's IP address.
If the Amazon EC2 instances are in a public subnet and require a static IP address, they will each require their own Elastic IP address. Please note that there are limits on the number of Elastic IP addresses in your account.

How to Whitelist AWS Beanstalk IP

My utility is deployed on AWS Beanstalk and pushes some data into one of our client's DB servers. The client wants the public IP of the Beanstalk instance for whitelisting, but the problem is that Beanstalk is in autoscaling mode and spawns instances dynamically.
Is there any way to get rid of this situation?
One way is to assign a static IP from the pool and associate that static IP at launch time from user data, but I will not recommend this approach. It seems easy to go with the existing server: all you need is to create some Elastic IPs and update the user data in the Elastic Beanstalk instance.
using-features-user-data
But you may be interested in the recommended approach here.
How do I assign a static source IP address for all instances in a load balanced Elastic Beanstalk environment?
Short Description
You can use a network address translation (NAT) gateway to map multiple IP addresses into a single publicly exposed IP address. When your Elastic Beanstalk environment uses a NAT gateway, the backend instances in your environment are launched in private subnets. All outbound traffic from these instances is routed through the NAT gateway. All outbound traffic originating from your backend instances can be uniquely identified by an Elastic IP address, which is a static IP address required by the NAT gateway.
Resolution
In the following steps, your Amazon Elastic Compute Cloud (Amazon EC2) instances are launched in a private subnet that uses a NAT gateway, with an attached Elastic IP address, as a default route. The load balancer is in a public subnet and all external traffic to and from the load balancer is routed through an internet gateway.
For the Network card, choose Modify. For VPC, choose your VPC. In the Load balancer settings section, for Visibility, choose Public. In the Load balancer subnets table, choose the public subnets. In the Instance settings section, clear Public IP address. In the Instance subnets table, choose only private subnets with the NAT gateway that you set up earlier.
For more details, you can look into this elastic-beanstalk-static-IP-address
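As an added illustration (not code from any of the posts above, and not an AWS tool), the script below takes the design the answers describe (private subnets with a default route to a NAT Gateway that carries an Elastic IP, or one Elastic IP per instance in a public subnet) and works out, from the JSON shapes that `aws ec2 describe-route-tables`, `describe-nat-gateways` and `describe-instances` return, which source addresses an external firewall actually has to allow. It also flags instances whose egress address is not stable (an auto-assigned public IP that changes on stop/start or on Auto Scaling replacement), and it produces one address per NAT Gateway, so a two-AZ NAT setup yields two entries as the answer notes. The VPC data is constructed for the example; only the listed fields are read, no API call is made, and the "main route table" fallback for unassociated subnets is deliberately left out.

```python
"""Audit which source IPs an external allowlist needs for EC2 egress.

Constructed sample data, not a real account: two private subnets (one per
AZ), each with its own NAT Gateway and Elastic IP, plus a public subnet that
holds one instance with an Elastic IP and one with an auto-assigned address.
The dictionaries mirror only the fields this audit needs from the
`describe-route-tables`, `describe-nat-gateways` and `describe-instances`
responses.
"""

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"RouteTableId": "rtb-private-a",
     "Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"RouteTableId": "rtb-private-b",
     "Associations": [{"SubnetId": "subnet-private-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b"}]},
]

# A NAT Gateway always carries an Elastic IP, so its address is stable.
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]},
    {"NatGatewayId": "nat-b", "NatGatewayAddresses": [{"PublicIp": "203.0.113.11"}]},
]

# describe-instances reports Association.IpOwnerId == "amazon" for an
# auto-assigned public IP and the account id for an Elastic IP.
INSTANCES = [
    {"InstanceId": "i-ws01", "SubnetId": "subnet-private-a"},
    {"InstanceId": "i-ws02", "SubnetId": "subnet-private-b"},
    {"InstanceId": "i-pub-eip", "SubnetId": "subnet-public",
     "PublicIpAddress": "198.51.100.5",
     "NetworkInterfaces": [{"Association": {"IpOwnerId": "123456789012"}}]},
    {"InstanceId": "i-pub-auto", "SubnetId": "subnet-public",
     "PublicIpAddress": "198.51.100.9",
     "NetworkInterfaces": [{"Association": {"IpOwnerId": "amazon"}}]},
]


def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table explicitly associated with a subnet (or None)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def default_route(route_table):
    """Return the 0.0.0.0/0 route of a route table, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def egress_ip(instance, route_tables, nat_gateways):
    """Return (public_ip, stable) for one instance's Internet-bound traffic.

    (None, False) means the instance has no outbound Internet path at all.
    """
    rt = route_table_for_subnet(route_tables, instance["SubnetId"])
    route = default_route(rt) if rt else None
    if route is None:
        return None, False
    nat_id = route.get("NatGatewayId")
    if nat_id:
        nat_ips = {g["NatGatewayId"]: g["NatGatewayAddresses"][0]["PublicIp"]
                   for g in nat_gateways}
        # Traffic "comes from" the NAT Gateway's Elastic IP, which is static.
        return nat_ips.get(nat_id), nat_id in nat_ips
    if route.get("GatewayId", "").startswith("igw-"):
        public_ip = instance.get("PublicIpAddress")
        if not public_ip:
            # An IGW route without a public address gives no outbound path.
            return None, False
        owner = instance["NetworkInterfaces"][0]["Association"]["IpOwnerId"]
        return public_ip, owner != "amazon"
    return None, False


def allowlist(instances, route_tables, nat_gateways):
    """Return (sorted stable source IPs, ids of instances with no stable IP)."""
    stable, unstable = set(), []
    for inst in instances:
        ip, is_stable = egress_ip(inst, route_tables, nat_gateways)
        if ip and is_stable:
            stable.add(ip)
        else:
            unstable.append(inst["InstanceId"])
    return sorted(stable), unstable


if __name__ == "__main__":
    ips, flagged = allowlist(INSTANCES, ROUTE_TABLES, NAT_GATEWAYS)
    print("allow these source IPs:", ", ".join(ips))
    print("instances without a stable egress IP:", ", ".join(flagged) or "none")
```

Running it on the sample prints the two NAT Gateway addresses plus the public instance's Elastic IP, and flags `i-pub-auto` as the one whose address would silently change; that is the case the questions above keep running into when instances are replaced by Auto Scaling.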

Using AWS Load Balancer as a Tunneling Proxy

I have ETL servers in a private subnet in my VPC on AWS. These ETL servers are locked down with specific outbound rules per approved outbound IP addresses. I have a service these ETL tools need to communicate with outside the VPC using TLS1.2/443 that uses a DNS name and not an IP address. Let's say "account.service.com". For this reason, it was suggested I consider using an elastic load balancer in the public subnet as a proxy.
If I send requests to the ELB private IP address from the ETL instance, how do I tell the ELB to send those requests on to "account.service.com"?
Essentially, I want the ELB to work as a tunneling proxy, since I can't specify "account.service.com" in my outbound security group rules in the private subnet.
This is not possible.
Elastic Load Balancers can only send traffic to Amazon EC2 instances, and those instances need to be in the same VPC as the Load Balancer.
You would need to use some other technology (e.g. a Squid proxy) in your public subnet to send traffic to a non-EC2 destination.