I want to move my EC2 instances from a private subnet to a public subnet. Is there a way to do that other than creating AMIs of those instances, launching new instances from those AMIs, and attaching volumes and Elastic IPs to them?
An Amazon EC2 instance is permanently connected to a subnet. (Well, the Primary interface is.)
Some options:
You could modify the subnet so that the subnet 'becomes' a public subnet (by configuring the Route Table to send traffic to an Internet Gateway). This does not require any changes to the instance itself.
You could add a secondary Elastic Network Interface (ENI) that connects it to a public subnet. You then need to configure the operating system to use the secondary ENI.
You could launch a new instance in a public subnet, stop it, detach its disks, then attach the disks from the 'private' instance, then start it. It will probably start up okay, and it would then be in a public subnet.
I have created a VPC and within it I created a Subnet and an Internet Gateway (attached to the VPC). For that subnet, I created a Route Table in which I set the route 0.0.0.0/0 to target the Internet Gateway.
After that I launched an EC2 instance in my subnet but it has no public IP so I can't connect to it using RDP.
I tried to enable 'DNS hostnames' and 'DNS resolution' but it didn't add a public IP to my instance (even after restarting it). In my subnet, I enabled 'Auto-assign IPv4' but still no public IP.
Any clue what I'm missing here please?
Your instances won't automatically get public IPs attached to their ENIs after you enable 'Auto-assign IPv4' in your subnet. One possible solution without spinning up a new EC2 is to attach an Elastic IP (as #Oleksii Donoha suggested in the comment) to this instance. You can follow the aws docs to allocate an Elastic IP address and then associate it with your running instance.
Side note: It's not possible to attach an ephemeral ip to an already-created ENI or EC2 instance. See discussions here.
Though your instance sits in a public subnet, you have to make sure that 'Auto-assign Public IP' is either set to 'Enable' or 'Use subnet setting (Enable)' on the Configure Instance Details page. Sometimes folks forget to check/reverify this setting while creating EC2 instances.
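The two conditions the answers above keep returning to (a route table with a 0.0.0.0/0 route to an Internet Gateway, and a public IP on the instance) can be checked automatically. The script below is an added example, not code from the thread: it walks data in the shape of `aws ec2 describe-route-tables` and `describe-instances` output (the records, IDs and addresses are constructed placeholders) and reports, per instance, which of the two prerequisites is missing. It covers the cases from the first two questions: an instance in a public subnet with no public IP, and an instance that has a public IP but whose subnet's default route goes to a NAT gateway rather than an IGW. Security groups and NACLs are a separate check.

```python
"""Classify subnets as public/private from their route tables and report why an
instance is or is not reachable from the internet at the VPC layer.
Added example with constructed sample data; IDs are placeholders."""

# Constructed sample in the shape of `aws ec2 describe-route-tables`.
ROUTE_TABLES = [
    {   # Main route table: subnets with no explicit association fall back to it.
        "RouteTableId": "rtb-main0000",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # Explicit association plus a default route to an Internet Gateway.
        "RouteTableId": "rtb-public00",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub00001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000001"},
        ],
    },
    {   # Default route to a NAT gateway: outbound-only, so still a private subnet.
        "RouteTableId": "rtb-private0",
        "Associations": [{"Main": False, "SubnetId": "subnet-prv00001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000001"},
        ],
    },
]

# Constructed sample in the shape of `aws ec2 describe-instances` (trimmed).
INSTANCES = [
    {"InstanceId": "i-0aaa", "SubnetId": "subnet-pub00001", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-0bbb", "SubnetId": "subnet-pub00001"},                         # public subnet, no public IP
    {"InstanceId": "i-0ccc", "SubnetId": "subnet-prv00001", "PublicIpAddress": "203.0.113.11"},  # EIP behind a NAT route
    {"InstanceId": "i-0ddd", "SubnetId": "subnet-nonexp01"},                         # falls back to the main table
]


def route_table_for_subnet(subnet_id, route_tables):
    """Return the route table that applies to a subnet: the explicitly associated
    table if there is one, otherwise the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_public_subnet(subnet_id, route_tables):
    """A subnet is public when its effective route table sends 0.0.0.0/0 (or ::/0)
    to an Internet Gateway. A NAT gateway default route does not make it public."""
    rt = route_table_for_subnet(subnet_id, route_tables)
    if rt is None:
        return False
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and str(route.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def assess_instance(instance, route_tables):
    """Explain the VPC-layer reachability of one instance."""
    public_subnet = is_public_subnet(instance["SubnetId"], route_tables)
    has_public_ip = bool(instance.get("PublicIpAddress"))
    if public_subnet and has_public_ip:
        return "reachable: public subnet + public IP"
    if public_subnet:
        return "unreachable: public subnet but no public IP (associate an EIP or enable auto-assign)"
    if has_public_ip:
        return "unreachable: has public IP but subnet has no IGW default route"
    return "private: no public IP and no IGW route"


def audit(instances=INSTANCES, route_tables=ROUTE_TABLES):
    """Map every instance id to its reachability verdict."""
    return {i["InstanceId"]: assess_instance(i, route_tables) for i in instances}


if __name__ == "__main__":
    for instance_id, verdict in audit().items():
        print(f"{instance_id}: {verdict}")
```

To run it against a real account, replace the two constructed lists with the `RouteTables` and flattened `Instances` arrays from the corresponding `aws ec2 describe-*` calls; the classification logic does not change.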
What is the security concern in launching AWS EC2 instances in a public subnet? I assume when an EC2 instance is launched in a public subnet, it will have access to the outside world provided security groups allow it. Is all traffic from the internet allowed to a public subnet? I assume even this could be restricted via NACLs.
Regarding launching the EC2 instance in a public subnet: it is recommended that EC2 instances which need direct Internet access be placed in the public subnet, whereas instances that need direct access to internal networks must be placed in a private subnet with routes to a virtual private gateway.
Regarding NACLs: you can control incoming and outgoing traffic at the subnet level through a NACL.
By default, the NACL allows all inbound and outbound traffic.
You can customize the NACL with the required rules in order to provide extra security at the subnet level.
I have a "Custom VPC" with two subnets (A private subnet & a public subnet).
In ECS, when I try to create a cluster with the "Custom VPC" and both subnets selected, the EC2 instances launched are by default launched in the private subnet.
Why? Is there a way to change the instance subnet after it is launched?
Should ECS cluster only have public subnets of a VPC? and launch an instance on the private subnet through the 'Launch instance' wizard?
Also, these instances have a public DNS even when the private subnet 'auto assign public IP' is disabled. Why?
1: You need to run ECS in the public subnets. Reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html
2: Yes or you need to create a private subnet with NAT gateway tied to it
Every instance in a VPC has a default network interface, called the primary network interface (eth0). You cannot detach a primary network interface from an instance. You can attach a new network interface.
To change the subnet of a launched EC2 instance, you can follow these steps:
Create a new ENI (elastic network interface) in the new subnet you want to change to. Note that you cannot change the VPC of a launched EC2 instance. If the same VPC or availability zone does not have other available subnets, you should create a new subnet first.
Go to your EC2 console and select the EC2 instance whose subnet you want to change.
In the Action menu above, go to Networking > Attach New Interface.
In the Network Interface menu, choose the network interface you just created.
You can refer to this document for how to create and attach a new network interface for an EC2 instance.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
I have set up the VPC configuration below, but SSH to the instance is not happening at the moment:
Created a new VPC
Created a public and private subnet
Launched an EC2 instance in the public subnet and updated the route tables for the internet gateway
Launched an EC2 instance in the private subnet
Associated a NAT gateway with the public subnet, with an EIP
Route table updated for private subnet with natgateway
SSH from the public instance to the private instance is not happening with the key pair.
Can you let me know what I have missed here?
First things first:
NAT Gateway in Public Subnet allows Instances from Private Subnet to reach internet for software updates etc via Internet Gateway.
NAT Gateway doesn't play any role in SSHing into an Instance.
Try this to test:
Attach the Default NACL (allows all inbound and outbound) on the Public and Private Subnets where your EC2 Instances reside.
Create 2 security groups for the public (let's say Pub-SG) and private subnets (Prv-SG).
Allow SSH from everywhere/specific ip on Pub-SG.
On Prv-SG allow SSH from Pub-SG as source for better security reasons.
If both instances are launched using the same key pair, then with SSH Agent Forwarding you can connect to the Private Instance through the Public Instance.
I suspect you are missing a security group that permits SSH traffic between the instances on the two subnets.
AWS is secure by default - you need to explicitly permit traffic, roles, etc.
So in this case, the easiest thing to do would be to create a security group that spans the CIDR block of the VPC, and assign this to both instances.
Edit: I just noticed you say you added your NAT gateway to the public subnet - I presume you mean private.
This guide covers a similar scenario - public web subnet and private db subnet, and discusses all the routes + ACLs you need.
Also, when you say ssh with the keypair isn't happening - are you connecting at all, or does the connection time out?
When it comes to one EC2 instance communicating with another EC2 instance within a VPC, NAT Gateway has no role.
Make sure that the Security Group to which the private subnet instance belongs, allows SSH protocol from the Security Group to which the public subnet instance belongs.
Also, the NACL associated with the private subnet should allow inbound and outbound SSH traffic from the CIDR block to which the public subnet instance belongs.
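The answers to this question and the earlier NACL answer describe two different filters: security groups (stateful, allow rules only, a source may be another security group) and network ACLs (stateless, numbered rules evaluated lowest first, first match wins, implicit deny at the end). The script below is an added example, not code from the thread or from AWS, that models both filters over constructed data (instance names, IPs, CIDRs and group/ACL ids are placeholders) and explains which check fails for a tcp/22 flow from a public-subnet instance to a private-subnet one. It also shows the failure mode the stateless ACL invites: the private subnet admits the SSH connection but has no outbound rule for the ephemeral-port replies, so the session never completes until that rule is added.

```python
"""Evaluate an SSH (tcp/22) flow between EC2 instances in different subnets
against security groups (stateful) and network ACLs (stateless, ordered).
Added example with constructed data; all identifiers are placeholders."""
import ipaddress

EPHEMERAL = (1024, 65535)   # NACLs are stateless: replies on high ports need their own allow rule
RETURN_PORT = 32768         # representative Linux ephemeral port used for the return-path check


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def in_range(port, rng):
    return rng[0] <= port <= rng[1]


# Security groups: allow rules only; a source is a CIDR or another group id.
SECURITY_GROUPS = {
    "sg-pub": {"inbound": [{"proto": "tcp", "ports": (22, 22), "source": "203.0.113.0/24"}]},
    "sg-prv": {"inbound": [{"proto": "tcp", "ports": (22, 22), "source": "sg-pub"}]},
}


def sg_allows_inbound(sg_ids, proto, port, src_ip, src_sgs):
    """One matching allow rule on any attached group is enough; the reply is
    permitted automatically because security groups track connection state."""
    for sg_id in sg_ids:
        for rule in SECURITY_GROUPS[sg_id]["inbound"]:
            if rule["proto"] != proto or not in_range(port, rule["ports"]):
                continue
            src = rule["source"]
            if src.startswith("sg-"):
                if src in src_sgs:
                    return True
            elif in_cidr(src_ip, src):
                return True
    return False


# Network ACLs: (rule number, action, proto, port range, cidr). Lowest number
# first, first match wins, anything unmatched hits the trailing implicit deny.
NACLS = {
    "acl-pub": {
        "inbound": [(100, "allow", "tcp", (22, 22), "0.0.0.0/0"),
                    (110, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")],
        "outbound": [(100, "allow", "tcp", (0, 65535), "0.0.0.0/0")],
    },
    # Private subnet: rule 90 blocks one noisy host before rule 100 admits the
    # public subnet; outbound has no ephemeral-port rule, so SSH replies are dropped.
    "acl-prv": {
        "inbound": [(90, "deny", "tcp", (22, 22), "10.0.1.99/32"),
                    (100, "allow", "tcp", (22, 22), "10.0.1.0/24")],
        "outbound": [(100, "allow", "tcp", (443, 443), "0.0.0.0/0")],
    },
}


def nacl_decision(acl_id, direction, proto, port, remote_ip):
    """First numbered rule that matches decides; no match means deny."""
    for _num, action, r_proto, ports, cidr in sorted(NACLS[acl_id][direction]):
        if r_proto in ("all", proto) and in_range(port, ports) and in_cidr(remote_ip, cidr):
            return action
    return "deny"


SUBNETS = {
    "subnet-pub": {"cidr": "10.0.1.0/24", "acl": "acl-pub"},
    "subnet-prv": {"cidr": "10.0.2.0/24", "acl": "acl-prv"},
}
INSTANCES = {
    "bastion": {"ip": "10.0.1.10", "subnet": "subnet-pub", "sgs": ["sg-pub"]},
    "noisy":   {"ip": "10.0.1.99", "subnet": "subnet-pub", "sgs": ["sg-pub"]},
    "app":     {"ip": "10.0.2.20", "subnet": "subnet-prv", "sgs": ["sg-prv"]},
}


def explain_tcp_flow(src_name, dst_name, port):
    """Return the checks that fail for src -> dst:port; an empty list means allowed."""
    src, dst = INSTANCES[src_name], INSTANCES[dst_name]
    src_acl, dst_acl = SUBNETS[src["subnet"]]["acl"], SUBNETS[dst["subnet"]]["acl"]
    failures = []
    if not sg_allows_inbound(dst["sgs"], "tcp", port, src["ip"], src["sgs"]):
        failures.append(f"{dst_name} security group does not allow tcp/{port} from {src_name}")
    if src["subnet"] != dst["subnet"]:   # NACLs only see traffic crossing a subnet boundary
        hops = [
            (src_acl, "outbound", port, dst["ip"], "source NACL outbound"),
            (dst_acl, "inbound", port, src["ip"], "destination NACL inbound"),
            (dst_acl, "outbound", RETURN_PORT, src["ip"], "destination NACL outbound (return traffic)"),
            (src_acl, "inbound", RETURN_PORT, dst["ip"], "source NACL inbound (return traffic)"),
        ]
        for acl, direction, p, ip, label in hops:
            if nacl_decision(acl, direction, "tcp", p, ip) != "allow":
                failures.append(f"{label} denies tcp/{p}")
    return failures


def add_ephemeral_return_rule(acl_id, cidr, rule_number=110):
    """The usual fix for a stateless ACL: allow outbound replies on ephemeral ports."""
    NACLS[acl_id]["outbound"].append((rule_number, "allow", "tcp", EPHEMERAL, cidr))


if __name__ == "__main__":
    print("bastion -> app:", explain_tcp_flow("bastion", "app", 22))
    print("noisy   -> app:", explain_tcp_flow("noisy", "app", 22))
    add_ephemeral_return_rule("acl-prv", "10.0.1.0/24")
    print("after fix:     ", explain_tcp_flow("bastion", "app", 22))
```

The return-path check uses one representative ephemeral port; a production audit would verify that the whole 1024-65535 range is covered. Note that the security-group rule referencing `sg-pub` as its source is what the answers mean by "allow SSH from Pub-SG as source": it admits any instance carrying that group without naming an IP.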
Copy the SSH public key of the private instance to the public instance. Open the SSH key material using VS Code, then use nano or vim to paste the content of the public key, then save and exit. Now you can SSH into your private instance, given that the SG of the private instance allows traffic from the public instance.
Is it possible to connect an EC2 instance in an AWS VPC to both a private and a public subnet using ENIs? I'm aware of the bastion host concept for public/private subnet communication, but I'm curious whether anything will prevent me from configuring an EC2 instance to reside in both public and private subnets.
Yes, you can do it. You simply have to attach two network interfaces. Those two network interfaces need to be placed in two subnets. Here is the official documentation for that: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
Yes, you can have multiple ENIs in different subnets, and they can be associated with a single instance; however, the instance will at once have a single ENI associated with it (from the OS perspective it will have eth0 and eth1). In this case the instance will assume the role (subnet) of the ENI which the OS is associated with (it is generally eth0).