AWS EC2 - Developer dynamic ip permission - amazon-web-services

Every single day I need to update inbound rules, because the dev team is at home office.
Is there any solution for my dev team with dynamic IP addresses?

Since your team's IP addresses change and you only want to allow those specific IP addresses, you are out of luck: you need to update Security Groups inbound rules every time the IP changes.
What you can do though is simplify this process. AWS recently announced Prefix Lists. You can create a Prefix List with all your team's IP addresses and reference this in any Security Group you need. You can then maintain one Prefix List instead of a number of Security Groups.
If you are willing to increase your exposure to a wider IP range, as a trade-off for less frequent IP address list maintenance, you can add your users' CIDR block instead of each specific IP address. Then, assuming that most dynamic IP addresses are allocated from the same CIDR block, your team members will be able to connect to your EC2 instances. A simple whois query for a specific IP address can show you the CIDR (IP range) it belongs to (usually your ISP's CIDR).
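One way to keep a single Prefix List in sync with the team's current addresses, as an added example that is not part of the original answer. The developer names, the sample addresses and the `min_prefixlen` guard are assumptions made for illustration; the boto3 calls are only reached when `apply_update` is run against a real account.

```python
import ipaddress

def plan_prefix_list_update(current_entries, desired, min_prefixlen=24):
    """Diff a managed prefix list against the team's current addresses.

    current_entries: [{"Cidr": ..., "Description": ...}], the shape returned
    by get_managed_prefix_list_entries. desired: {developer: ip_or_cidr}.
    Returns (add, remove) for modify_managed_prefix_list.
    """
    wanted = {}
    for name, value in desired.items():
        net = ipaddress.IPv4Network(value, strict=False)
        # Refuse anything wider than min_prefixlen so a typo such as
        # 0.0.0.0/0 never reaches the security groups that use the list.
        if net.prefixlen < min_prefixlen:
            raise ValueError(f"{name}: {net} is wider than /{min_prefixlen}")
        wanted[str(net)] = name
    have = {e["Cidr"] for e in current_entries}
    add = [{"Cidr": c, "Description": n} for c, n in sorted(wanted.items())
           if c not in have]
    remove = [{"Cidr": c} for c in sorted(have - set(wanted))]
    return add, remove

def apply_update(prefix_list_id, desired):
    """Apply the plan with boto3 (assumes the entries fit in one API page)."""
    import boto3  # imported here so the planning logic runs without AWS access
    ec2 = boto3.client("ec2")
    meta = ec2.describe_managed_prefix_lists(
        PrefixListIds=[prefix_list_id])["PrefixLists"][0]
    current = ec2.get_managed_prefix_list_entries(
        PrefixListId=prefix_list_id)["Entries"]
    add, remove = plan_prefix_list_update(current, desired)
    changes = {k: v for k, v in
               (("AddEntries", add), ("RemoveEntries", remove)) if v}
    if changes:
        ec2.modify_managed_prefix_list(PrefixListId=prefix_list_id,
                                       CurrentVersion=meta["Version"], **changes)
    return add, remove

# Constructed sample data (documentation address ranges, hypothetical names).
CURRENT = [{"Cidr": "203.0.113.7/32", "Description": "alice"},
           {"Cidr": "198.51.100.20/32", "Description": "bob"}]
DESIRED = {"alice": "203.0.113.7", "bob": "198.51.100.99"}

if __name__ == "__main__":
    print(plan_prefix_list_update(CURRENT, DESIRED))
```

Stale entries are removed in the same call that adds the new ones, so an address a developer no longer holds does not stay allowed.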

Related

How do I make DHCP ip address scopes in AWS?

I have an AWS VPC where the DHCP option set gives me random addresses in the scope of the CIDR 10.128.1.0/24.
But I want to have the DHCP scope limited, so that I can use static private IP addresses for some of the servers and dynamic for another set of servers, like:
Static Server scope:
10.128.1.1 .. 10.128.1.99
Dynamic Server scope:
10.128.1.100 .. 10.128.1.200
I have tried using the aws ec2 create-dhcp-options but it doesn't give me the opportunity to limit any IP addresses.
The question is perhaps: can it be done? Then of course how, or should I think completely differently when having this perhaps odd need, and do it another AWS way?
You can't do this on AWS. It is common on standard networking, but not on cloud.
If you really need to use "static" IPs, you can reserve the IP by creating an ENI (Elastic Network Interface) in advance.
When an ENI exists, even if it is available, the IP associated with the ENI is already in use, so DHCP will not use it anymore.
When you create an EC2 instance, you can allow it to use DHCP to get a random IP or you can choose an available ENI.
Just note that some IPs are reserved by AWS; you can't create an ENI for them.
See the reserved IPs on documentation below:
https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html#subnet-sizing

How do I get the IP ranges for EC2 instances in specific regions

I need to know what IP subnet will be used by AWS EC2 instances.
Reading:
https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
https://superuser.com/questions/989123/amazon-ec2-public-ip-address/989400
I understand that I can use this URL giving the IP ranges:
https://ip-ranges.amazonaws.com/ip-ranges.json
But I am a bit confused by the output.
I understand I need to filter on:
region
type: EC2
Is my understanding correct?
If so, I get 137 IP subnets, which is a very important number.
How can I have more control over IP subnets?
It will be extremely fragile to base your firewall system on the possible IPs that any EC2 instance in those regions can have.
Allowing access from 1 region may arguably have been fine but you're opening up your firewall to five traffic-heavy & very popular AWS regions.
That blanket policy allowing all traffic will essentially defeat the purpose of having a firewall that should only allow specific traffic through.
If you're actually looking for security, assign your EC2 instances an Elastic IP (EIP) and allow traffic only from those particular IPs.
Depending on how many EC2 instances you have, it may also be much easier, quicker & cheaper (however small) to route all your EC2 instances through 1 NAT gateway with 1 EIP (if you don't need all your EC2 instances to have different public IPs).
You'll save yourself the headache of keeping up to date with possible IP range changes made by Amazon, have cleaner firewall policies and have tighter security by only letting traffic that you're sure is coming from your instances through.
Win, win, win.
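The filter from the question and the exposure the answer warns about, as an added example that is not part of the original posts. The embedded document is constructed in the ip-ranges.json layout using documentation address ranges, not real AWS prefixes; the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout (not real AWS ranges).
# As in the real file, an EC2 prefix can also be listed under "AMAZON".
SAMPLE = json.loads("""
{"syncToken": "0", "createDate": "constructed",
 "prefixes": [
  {"ip_prefix": "192.0.2.0/25",   "region": "eu-west-1", "service": "EC2"},
  {"ip_prefix": "192.0.2.0/25",   "region": "eu-west-1", "service": "AMAZON"},
  {"ip_prefix": "192.0.2.128/25", "region": "eu-west-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.0/24","region": "eu-west-1", "service": "S3"},
  {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"}
 ]}
""")

def ec2_ranges(doc, regions):
    """IPv4 EC2 prefixes for the given regions, with adjacent blocks merged."""
    nets = [ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
            if p["service"] == "EC2" and p["region"] in regions]
    return list(ipaddress.collapse_addresses(nets))

def exposure(doc, regions):
    """(number of firewall rules needed, number of source addresses admitted)."""
    nets = ec2_ranges(doc, regions)
    return len(nets), sum(n.num_addresses for n in nets)

def source_allowed(doc, regions, ip):
    """True if a rule set built from these ranges would admit this source."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in ec2_ranges(doc, regions))

if __name__ == "__main__":
    for regions in ({"eu-west-1"}, {"eu-west-1", "us-east-1"}):
        print(sorted(regions), exposure(SAMPLE, regions))
    # Any address in the regional EC2 pool passes, whoever holds it.
    print(source_allowed(SAMPLE, {"eu-west-1"}, "192.0.2.200"))
```

Run against the real file, the second number returned by `exposure` is the size of the address pool such a rule set trusts, which is the figure to compare with the handful of Elastic IPs the answer recommends instead.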

How Amazon holds exclusive rights to the Elastic IPs

When I allocate an Elastic IP, it stays with me forever (until I remove it).
This also means no one can ever use this IP address in the entire world. And you can see there is no DNS or stuff. It is a straightforward IP address reachable from a browser.
How does Amazon block the IP to itself? In other words, how does Amazon hold an IP address so that no one can use it.
Same way anybody else can:
https://www.apnic.net/get-ip/faqs/obtaining-resources/
Can I buy IP addresses?
IP addresses are not for sale, instead, they are public resources
administered by the Internet Numbers Registry System for the entire
Internet community. IP addresses delegated by the Regional registries,
such as APNIC are not "owned" by the Members. IP addresses will be
reclaimed by APNIC when the Membership is terminated.
Why does APNIC require so much detailed information about my network?
APNIC must ensure that address space, which is a shared public
resource, is managed responsibly in the region. APNIC needs detailed
information so that it can properly evaluate whether your plans
conform to agreed addressing policy and are consistent with the goals
of global Internet management.

Security group allowing traffic from itself

I have a Webserver in a VPC that will occasionally use curl to get or post a resource from itself, using one of the domains associated to that server. I have a restrictive security group assigned to this server, as I only want to allow traffic from specific IP ranges. Additionally, I added the security group itself as a source of inbound traffic, in order to deal with the curl calls.
Unfortunately this isn't working. The connections time out. Using wget from the command line on the server's IP or one of the domains times out too. The only way to fix it is to allow traffic from '0.0.0.0/0' on the security group, which I don't want to do.
As a workaround I've added '127.0.0.1' entries for every domain to the hosts file, but this isn't a long-term solution for me.
Any help to fix this?
The traffic is basically going out to the internet and back, which means it is leaving the VPC, so it is no longer identified as coming from within the Security Group. To allow traffic from a Security Group, that traffic has to be addressed to the Private IP address, not the public IP or domain name.
One way to do this is add hosts file entries like you have done. You could also create a private hosted zone in Route53 and assign it to the VPC, then override certain DNS records within your VPC to route to the private IP address.

How to Duplicate an EC2 Instance for HA Purpose

Is there a way to duplicate an EC2 instance in the same VPC in a different AZ for HA purposes, so that when the primary instance is bad (e.g. due to a status check failure), I can shut it down and quickly switch over to the standby one?
For some reason, I need to keep the same private IP address, and public/EIP IP address.
For the EIP address, I can dis-associate it from the OLD instance, and re-associate it to the NEW instance, but how about the private IP address?
Any suggestion? Thanks in advance...
What is "an instance"?
It's worth thinking about what people mean when they talk about "duplicating an EC2 instance". An EC2 instance consists of:
The boot disk with Operating System
Any data disks
Network settings (eg public & private IP addresses)
Configurations (eg Instance Type, User Data, Tags, etc)
Duplicating an EC2 instance usually means launching another instance with the same configuration, but it's not necessarily a "duplicate". For example, a different Availability Zone means it will have a different IP address (see below) and the new instance will be booted from an AMI (Amazon Machine Image) rather than being an exact duplicate of the disk from the previous instance.
Duplicates for High Availability
Next comes the issue of High Availability. A new instance can take a few minutes to launch. If the requirement is for near-instant cut-over, then the only solution is to always run more than one instance, and then re-point an IP address or DNS name.
As you mentioned, it is easy and fast to associate an Elastic IP Address to an alternate EC2 instance. This change immediately redirects traffic sent to that IP address.
However, it is not possible to reassign an Internal IP Address to another instance (but see below).
Using Auto Scaling to launch another instance
If the requirement allows for a few minutes of outage, then more possibilities arise. The simplest would be to launch the EC2 instance within an Auto Scaling group. The group can be configured to always have a certain number of instances (eg a minimum of 1 instance). Thus, when an instance fails, Auto Scaling can automatically launch a replacement instance with the same configuration (boot disk, instance type, etc).
Further, Auto Scaling can automatically launch instances in another Availability Zone if a zone fails.
However, please note that internal IP address ranges are associated with Subnets within a VPC (Virtual Private Cloud). Each subnet is associated with a single Availability Zone. The hierarchy is:
VPC
Availability Zone
Subnet (with CIDR range of IP addresses)
Instance
Thus, launching an instance in a different Availability Zone (and thus a different Subnet) will require the instance to have a different Internal IP Address.
A hack for reassigning IP addresses
While Internal IP Addresses cannot be reassigned (and especially not between Subnets), an interesting hack was described in the ARC401 session at re:Invent 2014 (see slides 33 & 34, or on YouTube).
This involved associating an IP address with a secondary Elastic Network Interface (ENI), where the IP address falls outside the VPC range. Then, use routing rules to route the traffic destined for that address to the ENI (turning off Source/Dest Check). Effectively, the traffic can be re-routed to a different instance by modifying the routing rules. A bit of a hack, but it apparently works.
You may not be able to keep the same private, primary IP address, but you can assign a secondary private IP address to an EC2 instance in a VPC, and they are reassignable:
Private IP addresses
When you launch an instance into a VPC, a primary private IP address
from the address range of the subnet is assigned to the default
network interface (eth0) of the instance. If you don't specify a
primary private IP address, we select an available IP address in the
subnet range for you.
You can assign additional private IP addresses, known as secondary
private IP addresses, to instances that are running in a VPC. Unlike a
primary private IP address, you can reassign a secondary private IP
address from one network interface to another.
From here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-ip-addressing.html