How can I get the next available private IP from a subnet in an AWS VPC using Ansible? - amazon-web-services

I'm setting up virtual servers on an F5 VE in AWS using Ansible. I see how to allocate or release EIPs using the Ansible ec2_eip module; how do I do the same with my private IP subnets? All the examples I see involve either a) specifying a private IP, which presumably has already been allocated somehow, or b) querying for the private IP of something that already exists. I'm trying to create something new, and don't know what free IP is available. There is no new ENI; I presume it would be considered another secondary IP on the existing external interface, and each new private IP would then be assigned a public EIP to correspond to it.
The only two modules that seem remotely related are ec2_eip and ec2_eni, but they don't appear to address the problem.
A secondary question, just to make sure I understand what is going on, is that the Ansible ec2_eip official documentation shows some examples using the argument 'ip' and a public address, but the argument list only includes 'public_ip' and 'private_ip_address'. Is this a mistake, or am I totally missing something here?
I'd like to be able to allocate 1 EIP, 1 private IP from my external subnet in AZ1 to assign to the BigIP ENI in AZ1, and 1 private IP from my external subnet in AZ2 to assign to the BigIP ENI in AZ2. From that, I would then create a pair of virtual servers. The F5 failover API will dynamically reassociate the EIP with either the AZ1 or AZ2 BigIP depending upon which is considered 'Active' at the moment. This works, but assumes that the IPs are all entered manually, and I want to automate this process using Ansible.

Related

How do I make DHCP ip address scopes in AWS?

I have an AWS VPC where the DHCP option set gives me random addresses in the scope of the CIDR 10.128.1.0/24.
But I want to have the DHCP scope limited, so that I can use static private IP addresses for some of the servers and dynamic for another set of servers, like
Static Server scope:
10.128.1.1 .. 10.128.1.99
Dynamic Server scope:
10.128.1.100 .. 10.128.1.200
I have tried using the aws ec2 create-dhcp-options command, but it doesn't give me the opportunity to limit any IP addresses.
The question is perhaps: can it be done? If so, how? Or should I think completely differently when having this perhaps odd need, and do it another AWS way?
You can't do this on AWS. It is common in standard networking, but not in the cloud.
If you really need to use "static" IPs you can reserve the IP by creating an ENI (Elastic Network Interface) in advance.
When an ENI exists, even if it is available, the IP associated with the ENI is already in use, so DHCP will not use it anymore.
When you create an EC2 instance you can allow it to use DHCP to get a random IP, or you can choose an available ENI.
Just note that some IPs are reserved by AWS; you can't create an ENI for them.
See the reserved IPs in the documentation below:
https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html#subnet-sizing
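As an added example (not code from the original question or either answer), here is plain Python, the language Ansible plugins are written in, that picks the next free private IPs from a subnet the way the first question asks for: it skips the five addresses AWS reserves in every subnet (the first four and the last), skips addresses already held by ENIs, and can optionally be limited to a hand-managed "static" range like the one in the DHCP question above. The ENI list and subnet IDs are constructed stand-ins for the output of the EC2 DescribeNetworkInterfaces call (which is what amazon.aws.ec2_eni_info returns).

```python
import ipaddress

# AWS reserves the first four addresses (network, VPC router, DNS, future use)
# and the last (broadcast) address of every subnet; they can never be assigned.
RESERVED_HEAD = 4
RESERVED_TAIL = 1


def reserved_addresses(cidr):
    """Return the set of addresses in `cidr` that AWS keeps for itself."""
    addrs = list(ipaddress.ip_network(cidr, strict=True))
    return set(addrs[:RESERVED_HEAD]) | set(addrs[-RESERVED_TAIL:])


def ips_in_use(enis, subnet_id):
    """Collect every primary and secondary private IP held by ENIs in `subnet_id`.
    `enis` has the (trimmed) shape of DescribeNetworkInterfaces output."""
    return {
        p["PrivateIpAddress"]
        for eni in enis
        if eni["SubnetId"] == subnet_id
        for p in eni["PrivateIpAddresses"]
    }


def next_free_private_ips(cidr, in_use, count=1, pool=None):
    """Return `count` free addresses from `cidr`, lowest first.
    `pool` optionally restricts the search to an inclusive (first, last) range,
    e.g. a hand-managed static range kept apart from the DHCP-assigned ones."""
    net = ipaddress.ip_network(cidr, strict=True)
    taken = {ipaddress.ip_address(a) for a in in_use} | reserved_addresses(cidr)
    lo, hi = net[0], net[-1]
    if pool:
        lo, hi = ipaddress.ip_address(pool[0]), ipaddress.ip_address(pool[1])
    free = [str(a) for a in net if lo <= a <= hi and a not in taken]
    if len(free) < count:
        raise ValueError(f"{cidr} has only {len(free)} free address(es), {count} requested")
    return free[:count]


# Constructed sample data (hypothetical subnet IDs), not real account output.
SAMPLE_ENIS = [
    {"SubnetId": "subnet-az1", "PrivateIpAddresses": [
        {"PrivateIpAddress": "10.128.1.4"}, {"PrivateIpAddress": "10.128.1.5"}]},
    {"SubnetId": "subnet-az1", "PrivateIpAddresses": [{"PrivateIpAddress": "10.128.1.7"}]},
    {"SubnetId": "subnet-az2", "PrivateIpAddresses": [{"PrivateIpAddress": "10.128.2.4"}]},
]

if __name__ == "__main__":
    used = ips_in_use(SAMPLE_ENIS, "subnet-az1")
    print(next_free_private_ips("10.128.1.0/24", used, count=2))  # ['10.128.1.6', '10.128.1.8']
    print(next_free_private_ips("10.128.1.0/24", used, pool=("10.128.1.100", "10.128.1.200")))  # ['10.128.1.100']
```

The result is only a candidate: another ENI can take the address between the query and the assignment, so treat AWS rejecting the assignment as the authoritative check and retry with the next candidate.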

How to ensure that Private DNS - address does not change in AWS EC2?

In the application I manage, in several places, there are hard-coded references to the Private DNS of an EC2 instance. The code will refer to: ip-(some private IP here).eu-west-1.compute.internal.
If I stop and start an instance the private IP will change, and I assume also that the Private DNS URL will also change.
When this happens the code crashes. Is there any way I can avoid this change? Is there some way to create a Private DNS so it does not change even when an instance is stopped and started again?
The private DNS and the IP shouldn't change.
However one feasible option is to launch your instances within a VPC and assign a Route 53 Private Hosted Zone that resolves your instances.
The bridge between the VPC and Route 53 is the DHCP options set in the VPC.

Having two public IPs on one Amazon (AWS) EC2 server without using AWS VPC?

I have a simple AWS EC2 server (Created before Dec 2013). I want to have two domains hosted on it, each with a different public (elastic) IP.
How do I do that?
From what I read, the 'VPC' word keeps appearing, but I don't need any sophisticated VPC - just a simple server listening to two public IPs.
Thanks.
Did you create your account after December 4th, 2013?
If so, every EC2 instance you have is already on a VPC - the default VPC.
Each private IP can be mapped to a single public elastic IP. So what you need are more private IPs - and you can do that to either an existing instance or a new instance without touching VPC configuration!
Take a look at this tutorial by AWS.
If you are looking to do this to an instance during setup, ctrl+f for: 'To assign a secondary private IP address when launching an instance in EC2-VPC'
If you are looking to do this to an existing instance, ctrl+f for: 'To assign a secondary private IP to an existing instance'
Then, on the same tutorial ctrl+f for Associating an Elastic IP Address with the Secondary Private IP Address to see how to add a public IP to your second private IP.
In this tutorial you will see references to EC2-VPC - this means EC2 instances that are on a VPC, and, as I mentioned earlier, if you created your account after December 4th, 2013, it is.
If not, you will need to take a look at how to create a simple VPC and add your instances there.

Communication between AWS VPC instances via public IP

We have two AWS instances (Instance A and Instance B) which are running in the same VPC. There is an internet facing service on Instance A which is restricted (via security group) to a subset of IP addresses. Instance A has a DNS entry so the service can be accessed via someservice.example.org.
When trying to access the service from Instance B it works correctly if we use the VPC internal IP address; however, we cannot seem to get the correct security group configuration to allow this instance access via the public DNS.
We have added the 'default' VPC security group to Instance A but we're still unable to access this service directly. We also have the same problem trying to configure access to Instance A from other VPCs.
I know that we can create a private DNS for the VPC which could solve the problem when we are in the same VPC but this doesn't get around the problem when running in another VPC.
This sounds like a DNS resolution issue. If you are using Route53 for DNS the easiest way to fix this is to create a private Route53 DNS zone for your VPC and add something like:
CNAME 'someservice.example.org' that points to the instance's internal IP address.
Note that you really want to use the internal private IP address whenever possible. It will keep the network traffic within your VPC, which will be much faster and more secure. It may also be cheaper for you, at least if the instances are also within the same availability zone. You can read more about that on the EC2 pricing page in the Data Transfer section.
Also note that you can't open up the security group to allow only instances from your VPC/security group to access something via the public IP. This is because the traffic hitting the public IP is seen as coming "from the internet", not from your VPC. You would have to grant access to the servers via their public IP addresses instead of their security groups.
You mention also using a second VPC, but that would be a separate problem that could be addressed via VPC Peering.

How to run rstudio server on Amazon VPC

I recently moved a small R project from a regular EC2 instance to an instance behind a VPC. I installed rstudio-server as normal, and it seems to be running. However, unlike a regular EC2 instance, there is no public DNS to connect to. (There is a public IP address, but going there doesn't seem to do the trick.)
In this case, what browser address should I go to to access rstudio server?
Many thanks!
You have launched the instance in a VPC. Here is the checklist:
When launching the instances in a VPC, make sure you launch them in the public subnet of your VPC. Otherwise they will not be accessible from outside.
When launching the instances in a VPC (presuming a public subnet), do ensure that you check a box which says something like "assign a public IP address to the instance" at the time of creating the instance. By default this is not checked. So if you fail to check this box, the instance will not have a public host name. You can, however, assign an elastic IP later on.
Make sure your VPC security groups are configured properly to allow the necessary incoming/outgoing access. In your case, incoming access on port 80/443 is essential.