private IP address range for GCP Cloud SQL is ignored - google-cloud-platform

I've been trying to set up Google Cloud SQL with a private IP connection, where
the IP range it's bound to is manually allocated, and have not succeeded. I
don't know if this is a bug in the implementation because it's still in beta, if
there's something missing from the docs, or if I'm just doing something wrong.
(A command-line session is at the bottom, for a quick summary of what I'm
seeing.)
Initially, I set it up to automatically allocate the IP range. It all worked
just fine, except that it chose 172.17.0.0/24, which is one of the networks
managed by docker on my GCE instance, so I couldn't connect from there (but
could on another machine without docker). So then I tried going down the manual
allocation route.
First, I tore down all the associated network objects that had been created on
my behalf. There were two VPC Peerings, cloudsql-postgres-googleapis-com and
servicenetworking-googleapis-com, which I deleted, and then I confirmed that
the routing entry associated with them disappeared as well.
Then, I followed the directions at https://cloud.google.com/vpc/docs/configure-private-services-access#allocating-range, creating 10.10.0.0/16, because I wanted it in my default network, which is
auto mode, so I'm limited to the low half (which is currently clear).
At that point, I went back to the Cloud SQL instance creation page, since it
should be doing the rest for me. I checked the "Private IP" box, and chose the
default network.
I wasn't taking notes at the time, so my recollection may be flawed,
particularly since my experience in later attempts was consistently different,
but what I remember seeing was that below the network choice dropdown, it said
"This instance will use the existing managed service connection". I assumed
that meant it would use the address range I'd created, and went forward with the
instance creation, but the instance landed on the 172.17.0.0/24 network again.
Back around the third time, where that message was before, it had a choice box
listing my address range. Again, my recollection was poor, so I don't know if I
either saw or clicked on the "Connect" button, but the end result was the same.
On the fourth attempt, I did notice the "Connect" button, and made sure to click
it, and wait for it to say it succeeded. Which it did, sort of: it replaced the
dropdown and buttons with the same message I'd seen before about using the
existing connection. And again, the instance was created on the wrong network.
I tried a fifth time, this time having created a new address range with a new
name -- google-managed-services-default -- which was the name that the
automatic allocation had given it back when I first started (and what the
private services access docs suggest). But even with that name, and explicitly
choosing it, I still ended up with the instance on the wrong network.
Indeed, I now see that after I click "Connect", I can go check the routes and
see that the route that was created is to 172.17.0.0/24.
The same thing seems to happen if I do everything from the command-line:
$ gcloud beta compute addresses list
NAME ADDRESS/RANGE TYPE PURPOSE NETWORK REGION SUBNET STATUS
google-managed-services-default 10.11.0.0/16 INTERNAL VPC_PEERING default RESERVED
$ gcloud beta services vpc-peerings connect \
--service=servicenetworking.googleapis.com \
--ranges=google-managed-services-default \
--network=default \
--project=...
$ gcloud beta services vpc-peerings list --network=default
---
network: projects/.../global/networks/default
peering: servicenetworking-googleapis-com
reservedPeeringRanges:
- google-managed-services-default
---
network: projects/.../global/networks/default
peering: cloudsql-postgres-googleapis-com
reservedPeeringRanges:
- google-managed-services-default
$ gcloud beta compute routes list
NAME NETWORK DEST_RANGE NEXT_HOP PRIORITY
peering-route-ad7b64a0841426ea default 172.17.0.0/24 cloudsql-postgres-googleapis-com 1000
So now I'm not sure what else to try. Is there some state I didn't think to clear? How is the route supposed to be connected to the address range? Why is it creating two peerings when I only asked for one? If I were to create a route manually to the right address range, I presume that wouldn't work, because the Postgres endpoint would still be at the wrong address.
(Yes, I could reconfigure docker, but I'd rather not.)

I found here https://cloud.google.com/sql/docs/mysql/private-ip that this seems to be the correct behaviour:
After you have established a private services access connection, and created a Cloud SQL instance with private IP configured for that connection, the corresponding (internal) subnet and range used by the Cloud SQL service cannot be modified or deleted. This is true even if you delete the peering and your IP range. After the internal configuration is established, any Cloud SQL instance created in that same region and configured for private IP uses the original internal configuration.

There turned out to be a bug somewhere in the service machinery of Google Cloud, which is now fixed. For reference, see the conversation at https://issuetracker.google.com/issues/118849070.
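A way to check, from the two gcloud listings in the question, whether the Cloud SQL peering route actually lands inside the range allocated for private services access and whether it collides with a range the client host already uses. This is an added example, not code from the question or from Google; the sample listings are constructed from the output shown above, and the 172.17.0.0/16 Docker bridge range is an assumption.

```python
import ipaddress

# Constructed sample output in the shape of the two gcloud listings above;
# the route name and ranges are the ones shown in the question.
ADDRESSES_OUTPUT = """\
NAME ADDRESS/RANGE TYPE PURPOSE NETWORK REGION SUBNET STATUS
google-managed-services-default 10.11.0.0/16 INTERNAL VPC_PEERING default RESERVED
"""
ROUTES_OUTPUT = """\
NAME NETWORK DEST_RANGE NEXT_HOP PRIORITY
peering-route-ad7b64a0841426ea default 172.17.0.0/24 cloudsql-postgres-googleapis-com 1000
"""
# Ranges the client host already uses locally (Docker's default bridge
# network, assumed here), which a peering route must not cover.
LOCAL_RANGES = [ipaddress.ip_network("172.17.0.0/16")]


def parse_table(text):
    """Split a whitespace-separated gcloud table into one dict per row. Global
    addresses leave REGION/SUBNET blank, so only columns left of the gap are
    reliable here; use --format=json when reading real output."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def allocated_ranges(addresses_output, network="default"):
    """Ranges reserved for private services access on the given network."""
    return [ipaddress.ip_network(row["ADDRESS/RANGE"])
            for row in parse_table(addresses_output)
            if row["PURPOSE"] == "VPC_PEERING" and row["NETWORK"] == network]


def peering_routes(routes_output, network="default"):
    """Routes whose next hop is a Google-managed service peering."""
    return [(row["NAME"], ipaddress.ip_network(row["DEST_RANGE"]), row["NEXT_HOP"])
            for row in parse_table(routes_output)
            if row["NETWORK"] == network and row["NEXT_HOP"].endswith("googleapis-com")]


def check_private_services(addresses_output, routes_output, network="default"):
    """Return findings; an empty list means every peering route sits inside an
    allocated range and overlaps nothing the client host uses locally."""
    allocated = allocated_ranges(addresses_output, network)
    findings = []
    for name, dest, hop in peering_routes(routes_output, network):
        if not any(dest.subnet_of(rng) for rng in allocated):
            findings.append(f"{name}: {dest} via {hop} is outside {allocated}")
        for local in LOCAL_RANGES:
            if dest.overlaps(local):
                findings.append(f"{name}: {dest} overlaps local range {local}")
    return findings
```

Run against the question's listings it reports both problems (route outside 10.11.0.0/16, route inside the Docker range); once the route destination falls within the allocated range it reports nothing.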

Related

How can I connect to a running AWS instance when my dashboard says no instances are running?

I feel like this is a beginner question, but after messing with it for days I'm completely stumped.
I set up an instance on Amazon AWS last year, and I'd like to SSH into the instance to upgrade some software. I am unable to find the original .pem file anywhere, and everything I find to try to solve the problem — including these directions — refers to selecting the running instance on my EC2 Dashboard.
However, when I log in as a root user, it shows there are no running instances. By default it comes up as N. Virginia, but when I check the other US locations none of them show any running resources. My instance's address (the link I use for mySQL and phpMyAdmin, for example) is in the form of ec2-XXX-XXX-XXX-XXX.ca-central-1.compute.amazonaws.com, if that makes any difference.
Any ideas on next steps? I have all the data on the running instance backed up so I can recreate things as necessary. I admit that I'm a beginner with AWS (obviously) but I super-pinky-promise to store my .pem file in a safe place next time...
By default it comes up as N. Virginia, but when I check the other US
locations none of them show any running resources. My instance's
address (the link I use for mySQL and phpMyAdmin, for example) is in
the form of ec2-XXX-XXX-XXX-XXX.ca-central-1.compute.amazonaws.com, if
that makes any difference.
Your instance is running in the AWS Canada region, as indicated by the region name ca-central-1 in the address, which is why you aren't seeing it in any US region.

Change internal static IP address of Google Cloud Compute Engine Instance in Console

I have an existing Cloud Compute Engine instance that was mistakenly assigned the wrong static internal IP.
I cannot figure out a way to modify the internal IP address to the correct value using the Console or other means. I have tried reserving a new static internal IP, which is easy enough, but there is no way to assign it to an existing resource.
I am talking about Google Console -- not the OS. I know how to change the value in the OS itself.
When I view the resource directly on Google Console and try to edit nic0 in the Google Console, it does not give me any option to modify the existing static IP to a different address. It just says "static ip: 10.x.x.x".
I could easily enough just nuke this resource and make a new one, except for the policy of not being able to re-use the resource name. And I want this specific resource name, so killing it or cloning it is not an option. I just need to modify its internal IP!
Edit to add: To be clear, I have no problem stopping the instance. I just don't want to destroy it due to reserved naming policy preventing re-use of resource names. I need to modify an in-place resource to a new internal static reserved IP.
Once you have a VM instance created, you can't change the internal IP. It is mentioned explicitly.
The only option you have is to create a new VM with a static IP.
You can make a snapshot of the disk from the VM you are using, then create a new VM from that disk marking --private-network-ip.
Create a disk from a snapshot:
gcloud compute --project "your-project" disks create "instance-x" \
--size "100" \
--zone "europe-west1-c" \
--source-snapshot "snapshot-x" \
--type "pd-standard"
Use the disk to create a new VM with a predefined internal IP:
gcloud compute --project=your-project instances create instance-x \
--zone=europe-west1-c \
--private-network-ip=your-ip \
--disk=name=instance-x,device-name=instance-x,mode=rw,boot=yes,auto-delete=yes
As of 2021 the accepted answer is incorrect. You can move the instance with the wrong internal static IP address to a different network and then move it back to the original network: this bizarrely allows you to reassign the internal IP.

Amazon EC2 instance passed 1/2 checks

Newbie to Amazon Web Services here. I launched an instance from a Public AMI and found that I could not ssh into the instance - I received the error "Connection timed out." I checked the security groups to verify that Port 22 was associated with 0.0.0.0/0. Additionally, I checked the route tables to verify that 0.0.0.0/0 is associated with target gateway attached to the VPC.
I find that only 1/2 status checks have passed - the instance status check failed. I have tried stopping and starting the instance as well as terminating and launching a new instance, both to no avail. The error that I see in the system log is:
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,1).
From this previous question, it appears that this could be a virtualization issue, but I'm not sure if that was due to something I did on my end when launching the instance or something that occurred from the creators of the AMI? Ec2 1/2 checks passed
Any help would be appreciated!
Can you share any more details about how you deployed the instance? Did you use the AWS Management Console, or one of the command line tools or SDKs to deploy it? Which public AMI did you use? Was it one of the ones provided by Amazon?
Depending on your needs, I would make sure that you use one of the AMIs provided by Amazon, such as Ubuntu, Amazon Linux, CentOS, etc. Here are the links to the docs on AMIs, but you can learn quite a bit by just searching for images. Since you mentioned virtualization types though, I'd suggest reading up briefly on the HVM vs. Paravirtual virtualization types on AWS. Each of the instance types / families uses a certain virtualization type, which is indicated in the chart on this page.
Instance Status Checks
This documentation page covers the instance status checks, which you'll probably want to familiarize yourself with. It's entirely possible that shutting down (not restart, but shutdown) and then starting the instance back up might resolve the instance status check.
Spot Instances - cost savings!
By the way, I'll just mention this since you indicated that you're new to AWS ... if you're just playing around right now, you can save a ton of cost by deploying EC2 Spot Instances, instead of paying the normal, on-demand rates. Depending on current rates, you can save more than 50%, and per-second billing still applies. Although there's the possibility that your EC2 instance could get "interrupted" based on market demand, you can configure your Spot Instance to just "Hibernate" or "Stop" instead of terminating and relaunching. That way, your instance state is saved for when it relaunches.
Hope this helps!
1) Use well-known images or contact the image developer. Perhaps it requires more than one drive or tricky partitioning.
2) make sure you selected proper HVM/PV image according to the instance type.
3) (after checks are passed) make sure the instance has public ip

AWS/EC2 - Initially working instances, become inaccessible, although still running.

Issue in a nutshell:
Simple-singular-practice ec2 instances are unexpectedly just falling off the grid even though they are still running, and I have to keep recreating them, and if not, ssh accessing or online public DNS accessing will result in a "Timeout".
Little More Details Outside the Nutshell :)
I've followed the setting up a LAMP server instructions to the "T" and successfully have served up basic HTML pages.
Everything initially works fine:
I can ssh into the instance no problem
When accessing the public DNS online - the expected html pages render just fine.
Problem:
But then, quite randomly, I can no longer access the instance through ssh and even online, the public DNS is inaccessible.
In both cases they just "Timeout"
Config:
Basic Free Tier
Amazon Linux AMI 2015.09.1 (HVM), SSD Volume Type
t2.micro
Number of Instances - 1
Auto-assign Public IP(Enabled)
Ports - 22(My IP),80(0.0.0.0),443(0.0.0.0)
Using a key pair
Question:
What typically causes instances freezing up like this?
LAMP stacks on EC2 are extremely common, and the guide you're following is extremely popular and has been used for years so it's likely you've gone wrong somewhere or the problem is something more sinister.
If you can't access the instance by any means, it would sound like it has become overloaded. Unless you've accidentally changed a firewall rule on the AWS side (eg. Security Groups, NACLS) or something on the instance level (eg. IP Tables).
Open up ICMP on your security group and try pinging the instance and see if you get a response.
After you've verified all your firewalls and you've tried to connect to it through every means, check out the logs, they're your friend.
To check the logs, start at the AWS level. CloudWatch records lots of data about your instance - CPU Utilization, Network In & Out and more. Check all of these through the AWS Console ensuring you select the "Maximum" statistic and not "Average". Also, take a look at the "StatusCheckFailed_System" (Hardware problem) and "StatusCheckFailed_Instance" (Instance not responding to health check probes) metrics to see if they have any story to tell. See the docs here and here for more info.
Next, reboot the instance, try stopping and starting it, and reconnect via SSH. Check your application logs (if any) and check your Apache Logs and Linux Logs to see what happened.
But to answer your question, what typically causes an instance to freeze up like this:
Bad Application code that sucks up all the CPU overloading the instance
Too much traffic overloading the instance
Running too many services on the instance that it's unable to handle
AWS Hardware problem - Uncommon

Why does EC2 have a seemingly random bare IP address for retrieving user and instance metadata?

I'm puzzled by EC2's use of the bare IP address 169.254.169.254 for the URIs to retrieve user and instance metadata. Wouldn't it be a better design decision for both Amazon and users if a hostname that was easier to remember was used, say metadata.ec2.amazonaws.com? If Amazon decides to change the bare IP address in the future, all the associated scripts that fetch user or instance metadata stop working.
You might say that I should use the Amazon supplied tool EC2 Metadata, but it hasn't been updated in close to two years. Besides, the script itself would need to be updated should Amazon decide to change the IP address from the random 169.254.169.254 to something equally random, say 170.11.19.142.
Is there something I'm missing here?
Is there something I'm missing here?
Yes - the 169.254.0.0/16 block is specified as a private block - see 169.254.0.0/16 addresses explained. Therefore, it's accessible on that IP from machines within the private network - like your instance. Amazon isn't going to change this address to a whole other block, like your 170.11.19.142, because it wouldn't be a private internal block.
The last two numbers, 169.254 are likely random, as you say. They were chosen by Amazon at some point in time, and will likely stay that way for quite a long time, seeing as Amazon has full control over that IP space.
You might say that I should use the Amazon supplied tool EC2 Metadata
You should.
, but it hasn't been updated in close to two years. Besides, the script itself would need to be updated should Amazon decide to change the IP address
Not necessarily. I haven't seen the script source code, but it's likely that, if the address is expected to change any time soon, it would check somehow with a root EC2 controller what IP the metadata server is at.