Is there a need to have both a private IP and a private DNS name when an EC2 instance is launched? Isn't one of them sufficient? - amazon-web-services

I am trying to understand the difference between a private IP and a private DNS name. From what I can tell either can be used to SSH into the instance, so what is the use case/advantage of having both assigned when an EC2 instance is spun up? Wouldn't either one of them be sufficient? Am I missing something?

private IP and a private DNS
Private means not public, so it cannot be used publicly.
either can be used to SSH into the instance
Neither of them can be used for that, because you cannot connect to a private instance via SSH.
The IP can change while the DNS name is preserved, i.e. one DNS name can correspond to many IPs at different moments. Users of this service don't need to be updated every time the IP changes, because they use its DNS name, which is static.

Related

Accessing EC2 instance with DNS

I have an instance inside a VPC with DNS hostnames & DNS resolution enabled
Today, each instance I spawn gets a hostname and private IP DNS name of the form
ip-xx-xx-xx-xx.ec2.internal
The problem with this is that every time my instance is terminated and I have to replace it, the IP address is going to change. Other machines in the same VPC need a deterministic way to access this instance, e.g. by connecting to mymasterinstance.dev. Any idea how I can give my instance an internal / private DNS name?
Private IP addresses on Amazon EC2 instances do not change. Therefore, the other machines could simply reference the private IP address.
Alternatively, you can create a "Private hosted zone" in Amazon Route 53 and create an A-Record to associate a domain name (eg mymasterinstance.dev) with the private IP address of the instance.
The public IP address on an instance will change when the instance is Stopped and Started (but will not change when the instance is Rebooted). If you require a static public IP address, you can create an Elastic IP Address and associate it with the instance.
Another perhaps simpler way to do this is to add a second IP address to your EC2 instance. When you terminate an instance, and add back a "replacement" instance, set its second IP address to what the terminated instance's second IP address was. Then you can do all of your referencing directly by IP address and you have full control over that second IP address. None of your configs needs to change.

How to ensure that Private DNS - address does not change in AWS EC2?

In the application I manage there are, in several places, hard-coded references to the private DNS name of an EC2 instance. The code refers to: ip-(some private IP here).eu-west-1.compute.internal.
If I stop and start an instance the private IP will change, and I assume that the private DNS name will also change.
When this happens the code crashes. Is there any way I can avoid this change? Is there some way to create a Private DNS so it does not change even when an instance is stopped and started again?
The private DNS and the IP shouldn't change.
However one feasible option is to launch your instances within a VPC and assign a Route 53 Private Hosted Zone that resolves your instances.
The bridge between the VPC and Route 53 is the DHCP options set in the VPC.

Communication between AWS VPC instances via public IP

We have two AWS instances (Instance A and Instance B) which are running in the same VPC. There is an internet facing service on Instance A which is restricted (via security group) to a subset of IP addresses. Instance A has a DNS entry so the service can be accessed via someservice.example.org.
When trying to access the service from Instance B it works correctly if we use the VPC internal IP address; however, we cannot seem to get the correct security group configuration to allow this instance access via the public DNS.
We have added the 'default' VPC security group to Instance A but we're still unable to access this service directly. We also have the same problem trying to configure access to Instance A from other VPCs.
I know that we can create a private DNS for the VPC which could solve the problem when we are in the same VPC but this doesn't get around the problem when running in another VPC.
This sounds like a DNS resolution issue. If you are using Route53 for DNS the easiest way to fix this is to create a private Route53 DNS zone for your VPC and add something like:
CNAME 'someservice.example.org' that points to the instance's internal IP address.
Note that you really want to use the internal private IP address whenever possible. It will keep the network traffic within your VPC, which will be much faster and more secure. It may also be cheaper for you, at least if the instances are also within the same availability zone. You can read more about that on the EC2 pricing page in the Data Transfer section.
Also note that you can't open up the security group to allow only instances from your VPC/security group to access something via the public IP. This is because the traffic hitting the public IP is seen as coming "from the internet", not from your VPC. You would have to grant access to the servers via their public IP addresses instead of their security groups.
You mention also using a second VPC, but that would be a separate problem that could be addressed via VPC Peering.
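The first answer in the "Accessing EC2 instance with DNS" thread and the two answers above all arrive at the same fix: a Route 53 private hosted zone whose record gives the instance a stable name, so callers stop depending on the auto-generated ip-… name or the public path. The following is an added example, not code posted by anyone in these threads: it builds the ChangeBatch that the Route 53 ChangeResourceRecordSets API (and boto3's `change_resource_record_sets`) accepts for an A record in a private zone, and refuses a name outside the zone or a non-private address, since traffic to a public address would leave the VPC as the answer warns. The zone name `dev` and record `mymasterinstance.dev` come from the thread; the replacement-instance dict is constructed for the example.

```python
import ipaddress


def upsert_private_a_record(zone_name, record_name, private_ip, ttl=60):
    """Return the ChangeBatch for ChangeResourceRecordSets that UPSERTs an A
    record in a private hosted zone, pointing record_name at private_ip.

    A short TTL keeps resolvers from caching the old address for long after
    the instance is replaced and the record is re-pointed.
    """
    zone = zone_name.rstrip(".").lower() + "."
    name = record_name.rstrip(".").lower() + "."
    if not (name == zone or name.endswith("." + zone)):
        raise ValueError(f"{name} is not inside hosted zone {zone}")
    addr = ipaddress.IPv4Address(private_ip)
    if not addr.is_private:
        # A private zone record should carry the VPC address: resolving a public
        # address from inside the VPC sends traffic out via the public interface.
        raise ValueError(f"{addr} is not a private-range address")
    return {
        "Comment": f"point {name} at instance private IP",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": name,
                    "Type": "A",
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": str(addr)}],
                },
            }
        ],
    }


def repoint_to_replacement(instance, zone_name, record_name):
    """Given a describe-instances style dict for a freshly launched replacement,
    produce the change that moves the stable name onto its private IP."""
    return upsert_private_a_record(zone_name, record_name, instance["PrivateIpAddress"])


# Constructed sample: the replacement for the terminated master instance.
REPLACEMENT = {"InstanceId": "i-EXAMPLE", "PrivateIpAddress": "10.0.1.23"}

if __name__ == "__main__":
    import json
    print(json.dumps(repoint_to_replacement(REPLACEMENT, "dev", "mymasterinstance.dev"), indent=2))
```

The private hosted zone must be associated with the VPC, and the VPC's DHCP options set must hand instances the Amazon-provided resolver (the "bridge" the answer above refers to); otherwise the record exists but nothing inside the VPC resolves it.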

How to add a new arbitrary private IP to instance in AWS EC2 or replace a previous one?

I created an Ubuntu instance in AWS. I assigned an IP address from which I can connect to the instance from outside using PuTTY. Now I've changed my location and my IP address is different so I cannot connect to the instance with PuTTY any more. I'm trying to add another IP address (my current IP) to the instance network settings but for some reason AWS says it cannot accept the address:
IP Address not in Subnet
What does it mean? Why does it require an address in Subnet?
My questions are:
How to bypass it? or
How to change settings so that it could accept any arbitrary IP I provide? or
How to include any arbitrary IP into the Subnet of addresses? or
How can I just change previous initial address to a new one?
Your question is somewhat confusing, so I'll list my assumptions as I go along.
I assigned an IP address from which I can connect to the instance from outside using PuTTY
Are you talking about Elastic IP, and connecting to the instance from the internet? If so, it is irrelevant to being able to assign private IP.
Now I've changed my location
What does it mean? The location of EC2 instance? Like, a different region or something?
my IP address is different
The IP of the instance, right? So, why can't you connect to this new IP?
The bottom line: you can add another private IP on the same subnet. That will not allow you to connect to a different private IP if you can't connect to the original IP. If you are trying to do something different, please clarify!
I accidentally found the reason for the issue. It has nothing to do with private IP addresses.
"Security groups" are responsible for connections to the instance from outside (from the internet using PuTTY). Since my IP has changed I have to reflect it in the settings for the instance. See the "Security groups" of your instance and then select the appropriate one to adjust:
In PuTTY:
Host name (or IP address) field: ubuntu@<Public DNS or Public IP of your instance>
Connection > SSH > Auth: use ssh2dsa.ppk or ssh2rsa.ppk; both seem to work fine

Elastic IP changing IP and not associating with instance

I have created an Elastic IP. The IP address listed seems to be stable. It is associated with an instance. However, I get this weird behaviour:
The public DNS listed for that IP contains a different address than the literal IP address.
The public DNS does not resolve to the Elastic IP; it resolves to the IP implied by the DNS name.
Stopping and starting the instance changes the IP address.
I've tried creating a new elastic IP address and a new instance and associating them, and I experience the same bug. What's going on here?
I'm assuming you are looking at the AWS console, not the output of a program using the API directly.
The "public DNS" you see in the console is the public DNS of the instance, not of the elastic IP address. If the instance is associated with an ElasticIP, its public DNS should include the ElasticIP in it and resolve to the ElasticIP. Since it isn't, I suspect a bug in the AWS console. I've noticed a lot of lag in it showing the addresses when ElasticIP addresses are associated or disassociated. To confirm this, you might try completely clearing your browser history and cookies and reconnecting to the console, to see if the display is now right. Or you could use a browser's incognito or private browsing mode.
If you create the obvious public DNS to match your ElasticIP address, I'll bet it resolves correctly.
Yes, the public Elastic IP address is stable (which, of course, is why they exist).
Are you referring to the fact the DNS name will resolve to a different IP address depending on whether you are resolving inside or outside AWS?
If so, this is a feature not a "bug".
If you look up a host name from outside AWS you get the public IP. If you look up the same name from, say, the command line of an EC2 instance you get the private IP (typically a 10.0.0.0 address).
This means that you can refer to an instance by a single name but internal traffic is automatically routed over the local network and not over the (billable) public interface.
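Several of the threads above turn on one fact: the hostnames EC2 generates encode the address they resolve to. The private name `ip-xx-xx-xx-xx.ec2.internal` (us-east-1) or `ip-…<region>.compute.internal` (other regions) changes whenever the private IP does, which is why the hard-coded references in the "Private DNS does not change" question break, and the public name `ec2-…amazonaws.com` "implies" an address in the same way, which is what the Elastic IP question observed. The following is an added example, not code from any poster: it parses both naming conventions back into an address, checks whether an instance's displayed public DNS actually embeds the Elastic IP it is supposed to carry, and scans configuration text for hard-coded private names. The sample config is constructed; the `mymasterinstance.dev` name is borrowed from the thread above.

```python
import ipaddress
import re

# EC2's auto-generated hostnames encode the address they resolve to. us-east-1
# keeps the legacy suffixes (ec2.internal / compute-1.amazonaws.com); every
# other region embeds its name (eu-west-1.compute.internal, ...).
_OCTETS = r"(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})"
_REGION = r"(?P<region>[a-z]{2}-[a-z]+-\d)"
_PRIVATE = re.compile(rf"^ip-{_OCTETS}\.(?:ec2\.internal|{_REGION}\.compute\.internal)\.?$")
_PUBLIC = re.compile(rf"^ec2-{_OCTETS}\.(?:compute-1|{_REGION}\.compute)\.amazonaws\.com\.?$")


def ip_from_ec2_hostname(hostname):
    """Return (kind, address, region) for an EC2-generated hostname, or None.

    kind is "private" or "public"; region falls back to us-east-1 when the
    name uses the legacy suffix that carries no region label.
    """
    for kind, pattern in (("private", _PRIVATE), ("public", _PUBLIC)):
        m = pattern.match(hostname.strip().lower())
        if not m:
            continue
        try:
            addr = ipaddress.IPv4Address(".".join(m.group(i) for i in range(1, 5)))
        except ipaddress.AddressValueError:
            return None  # e.g. ip-300-1-1-1: shaped like the pattern, not an address
        return kind, addr, m.group("region") or "us-east-1"
    return None


def public_dns_matches_eip(public_dns, elastic_ip):
    """True when the 'Public DNS' shown for an instance embeds the Elastic IP
    that is supposed to be associated with it; False means the display is
    stale or the association did not take."""
    parsed = ip_from_ec2_hostname(public_dns)
    return (parsed is not None and parsed[0] == "public"
            and parsed[1] == ipaddress.IPv4Address(elastic_ip))


def hardcoded_private_names(text):
    """List EC2-generated private names found in config or source text together
    with the IP each encodes. Every one of them changes when the instance's
    private IP changes, so each is a candidate for a Route 53 private zone name."""
    candidates = re.findall(r"\bip-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.[a-z0-9.-]+\.internal\b", text)
    hits = []
    for name in candidates:
        parsed = ip_from_ec2_hostname(name)
        if parsed and parsed[0] == "private":
            hits.append((name, str(parsed[1])))
    return hits


# Constructed sample: a config with two hard-coded EC2 names and one stable name.
SAMPLE_CONFIG = """
db.host = ip-10-0-1-23.eu-west-1.compute.internal
cache.host = ip-172-31-8-4.ec2.internal
master.host = mymasterinstance.dev
"""

if __name__ == "__main__":
    for name, ip in hardcoded_private_names(SAMPLE_CONFIG):
        print(f"{name} is tied to {ip}; it changes if the instance is replaced")
    print(public_dns_matches_eip("ec2-54-12-34-56.compute-1.amazonaws.com", "54.12.34.56"))
```

Note that parsing the name only tells you the address it was generated for; as the last answer explains, resolving the public name from inside AWS returns the private address, so a resolver-based check will give different results inside and outside the VPC.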