Does anyone know the ip address range for "https://eks.us-east-1.amazonaws.com"? I cannot find it in https://ip-ranges.amazonaws.com/ip-ranges.json
EKS runs on EC2.
Currently (it will change frequently), EKS resolves to:
```text
eks.us-east-1.amazonaws.com. 1 IN A 18.208.64.151
eks.us-east-1.amazonaws.com. 1 IN A 34.226.180.204
eks.us-east-1.amazonaws.com. 1 IN A 54.208.149.145
```
Which feature, respectively, in the current ranges:
```text
EC2 | us-east-1 | 18.208.0.0/13
EC2 | us-east-1 | 34.224.0.0/12
EC2 | us-east-1 | 54.208.0.0/15
```
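One way to do the lookup the answer describes (which ip-ranges.json prefix contains each resolved address) in a repeatable script, as an added Python example that is not part of the answer above. The JSON below is a constructed subset in the real file's schema; a live run would fetch the file with urllib instead.

```python
import ipaddress
import json

# Constructed subset of https://ip-ranges.amazonaws.com/ip-ranges.json in the
# real file's schema: the three EC2 prefixes from the answer plus one unrelated
# entry (198.51.100.0/24 is a documentation range, not an AWS prefix).
IP_RANGES_JSON = """{
  "syncToken": "0", "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "18.208.0.0/13", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    {"ip_prefix": "34.224.0.0/12", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    {"ip_prefix": "54.208.0.0/15", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1"}
  ]
}"""

# The A records the answer shows for eks.us-east-1.amazonaws.com
RESOLVED_IPS = ["18.208.64.151", "34.226.180.204", "54.208.149.145"]


def load_prefixes(raw):
    """Parse ip-ranges.json (IPv4 'prefixes' only) into (network, service, region)."""
    data = json.loads(raw)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["service"], p["region"])
            for p in data["prefixes"]]


def match_ips(ips, prefixes, service=None):
    """Map each address to the prefixes containing it, most specific first.
    In the live file an address usually sits in both an AMAZON and an EC2 entry;
    pass service="EC2" to keep only the service-specific one."""
    result = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        hits = [(svc, reg, str(net)) for net, svc, reg in prefixes
                if addr in net and (service is None or svc == service)]
        hits.sort(key=lambda h: -ipaddress.ip_network(h[2]).prefixlen)
        result[ip] = hits
    return result


if __name__ == "__main__":
    # Offline run on the constructed subset; in practice fetch the live file with
    # urllib.request.urlopen("https://ip-ranges.amazonaws.com/ip-ranges.json").
    for ip, hits in match_ips(RESOLVED_IPS, load_prefixes(IP_RANGES_JSON)).items():
        print(ip, "->", hits or "not in any listed prefix")
```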
To improve on the answer of #jonh: to retrieve the IP list of a domain name you can use a DNS lookup service. You can find one on most operating systems, e.g. Linux or Windows, or you can use an online service, e.g. https://www.nslookup.io/dns-records/eks.us-east-1.amazonaws.com
I need to provide my customers with fixed URLs that don't change when the EC2 instances are stopped/started, because sometimes we need to change the size of the EC2 instance and when we restart the instance the public IP has changed.
I thought of using Elastic IPs so I can keep the same public IP when the instance is rebooted, but I've seen that Amazon tells you that you only have 5 Elastic IPs. If you ask them they say that they can give you more, but I guess they're not giving you 10.000 of them.
How can I use a single public Elastic IP to give each user different URLs for our service?
It would be something like this, where 11.22.33.44 is the Elastic IP and 192.168.0.X are two EC2 instances:
11.22.33.44:**1000** --> 192.168.0.**1**:22
11.22.33.44:**1001** --> 192.168.0.**1**:80
11.22.33.44:**1002** --> 192.168.0.**1**:443
11.22.33.44:**1003** --> 192.168.0.**2**:22
11.22.33.44:**1004** --> 192.168.0.**2**:80
11.22.33.44:**1005** --> 192.168.0.**2**:443
I need to make it work programmatically, as I'm creating EC2 instances from the SDK as needed.
Another way I thought is using subdomains from my .com domain that points to the current public IP of each EC2 instance, but using the IP as I described before sounds better.
The issue is that instances are receiving new (temporary) Public IP addresses after they are stopped and started.
A simple way to handle this is to add a script to each instance that runs during every boot. This script can update a DNS record to point it at the instance.
The script should go into the /var/lib/cloud/scripts/per-boot directory, which will cause Cloud-Init to automatically run the script each time the instance is started.
```bash
#!/bin/bash
set -euo pipefail
# Set these values based on your Route 53 Record Sets
ZONE_ID=Z3NAOAOAABC1XY
RECORD_SET=my-domain.com
# Extract information about the Instance from the instance metadata service
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
AZ=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone)
MY_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
REGION=${AZ::-1}   # drop the trailing AZ letter (us-east-1a -> us-east-1)
# Extract Name tag associated with instance
NAME_TAG=$(aws ec2 describe-tags --region "$REGION" --filters "Name=resource-id,Values=${INSTANCE_ID}" --query 'Tags[?Key==`Name`].Value' --output text)
# Update Route 53 Record Set based on the Name tag to the current Public IP address of the Instance
aws route53 change-resource-record-sets --hosted-zone-id "$ZONE_ID" --change-batch "{\"Changes\":[{\"Action\":\"UPSERT\",\"ResourceRecordSet\":{\"Name\":\"${NAME_TAG}.${RECORD_SET}\",\"Type\":\"A\",\"TTL\":300,\"ResourceRecords\":[{\"Value\":\"${MY_IP}\"}]}}]}"
```
The script will extract the Name tag of the instance and update the corresponding Record Set in Route 53. (Feel free to change this to use a different Tag.) The instance will also require IAM permissions for ec2 describe-tags and route53 change-resource-record-sets.
Update: I've turned this answer into a blog post: Amazon Route 53: How to automatically update IP addresses without using Elastic IPs
I am able to connect to my Amazon AWS EC2 instances (Ubuntu) via SSH, but the instances themselves cannot connect to the Internet, which I noticed when running
```
sudo apt-get update
```
which leads to a timeout. I have drawn a diagram of the current VPC configuration and hope that someone can tell me what is wrong:
I already checked the inbound and outbound rules but I cannot see anything wrong.
Can someone help me and tell me what problem I have? Is it maybe that the VPC CIDR has suffix mask /16 and the subnet CIDR has suffix mask /20, or something like that?
By the way, I cannot remember having changed anything here.
VPC "vpc-cf8f91a4"
==================
My VPC-ID is vpc-cf8f91a4
The IPv4 CIDR is 172.31.0.0/16
Route table: rtb-f0da499a
Network ACL ID: acl-05e2486f
Internet Gateway "igw-a6b7aace"
===============================
igw-a6b7aace associated with vpc-cf8f91a4
Associated 2 Subnets
====================
subnet-faefd387 172.31.32.0/20 associated with route table rtb-f0da499a
subnet-febe7f94 172.31.16.0/20 associated with route table rtb-f0da499a
Route Table "rtb-f0da499a"
==========================
| Destination | Target | Status | Propagated |
|---|---|---|---|
| 172.31.0.0/16 | local | active | No |
| 0.0.0.0/0 | igw-a6b7aace | active | No |
As stated in one of the comments, ACLs are an advanced feature and it's not recommended to use them unless you're familiar with the lower levels of the network stack and have a reason to use them, e.g. working in a highly secure environment, or needing role separation such as between network and development teams.
From the information you have provided, the most likely issue is that you are blocking ephemeral-port return traffic with your ACL. ACLs are stateless, so you must allow return traffic.
For most TCP connections this means 1024-65535; add that as an inbound ACL rule and retest.
As a side note, you should not allow the internet to access your database; this is very bad practice. I would recommend you create another subnet that is private (no IGW route), put the database in there, and do not give it a public IP address.
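To make the stateless point concrete, here is an added Python model of network ACL evaluation (example code, not part of the answer above): numbered rules, first match wins, implicit deny at the end, and the reply to an outbound HTTP request judged purely by its own destination port. The rule sets are constructed; the ephemeral port 45678 is just a sample value.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated in ascending number order, first match wins
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # destination port range this rule covers
    port_to: int
    action: str      # "allow" or "deny"


# The implicit '*' rule at the end of every network ACL
DEFAULT_DENY = Rule(32767, "all", 0, 65535, "deny")


def evaluate(rules, protocol, dst_port):
    """Stateless evaluation: the ACL sees only this packet's own headers, so the
    reply leg of a connection is judged by its own destination port, not by the
    connection it belongs to (a security group, by contrast, tracks state)."""
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_DENY]:
        if rule.protocol in ("all", protocol) and rule.port_from <= dst_port <= rule.port_to:
            return rule.action
    return "deny"


def apt_update_allowed(inbound, outbound, ephemeral_port=45678):
    """Model 'sudo apt-get update' from the instance: an outbound TCP request to
    port 80 on the mirror, then the mirror's reply arriving inbound on the
    instance's ephemeral source port (Linux picks from 32768-60999 by default).
    Returns (request_allowed, reply_allowed); the update works only if both are True."""
    request = evaluate(outbound, "tcp", 80)
    reply = evaluate(inbound, "tcp", ephemeral_port)
    return request == "allow", reply == "allow"


# Constructed rule sets. Outbound allows everything, like the VPC default ACL.
OUTBOUND = [Rule(100, "all", 0, 65535, "allow")]
# Inbound that only allows SSH: SSH into the instance works, but every reply
# to an outbound connection is dropped, so apt-get update times out.
INBOUND_SSH_ONLY = [Rule(100, "tcp", 22, 22, "allow")]
# The same ACL with the ephemeral-port return rule the answer recommends.
INBOUND_FIXED = INBOUND_SSH_ONLY + [Rule(110, "tcp", 1024, 65535, "allow")]

if __name__ == "__main__":
    print("ssh-only ACL:", apt_update_allowed(INBOUND_SSH_ONLY, OUTBOUND))    # (True, False)
    print("with ephemeral rule:", apt_update_allowed(INBOUND_FIXED, OUTBOUND))  # (True, True)
```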
I am using AWS and I created an Auto Scaling launch configuration using a shell script:
```sh
#!/bin/sh
curl -L https://us-west-2-aws-training.s3.amazonaws.com/awsu-spl/spl03-working-elb/static/bootstrap-elb.sh | sh
```
After creating this and the load balancer, two instances were created. I then copied the DNS Name and pasted it in browser, but it says:
```text
This site can't be reached
internal-elb-asg-167368762.us-east-1.elb.amazonaws.com took too long to respond.
Go to http://amazonaws.com/
Search Google for internal elb asg 167368762 east amazonaws
ERR_CONNECTION_TIMED_OUT
```
EDIT
I followed your steps and it failed.
You have to change this part of the User Data:
```sh
#!/bin/sh curl -L https://us-west-2-aws-training.s3.amazonaws.com/awsu-spl/spl03-working-elb/static/bootstrap-elb.sh | sh
```
With this:
```sh
#!/bin/sh
curl -L https://us-west-2-aws-training.s3.amazonaws.com/awsu-spl/spl03-working-elb/static/bootstrap-elb.sh | sh
```
Edit: As #john-rotenstein mentioned, it is not necessary to use sudo.
Also, check this:
You have the correct security groups on your EC2 instances and on your ELB.
Check whether your ELB is listening on port 80.
Port 80 must be open in your EC2 security group to your ELB security group, and port 80 must be open worldwide (0.0.0.0) in your ELB security group.
Finally, are you sure that you are not using an internal load balancer?
Hope it helps you.
All,
I request you to go through the scenario below and help me achieve a solution for it.
We're setting up 2 NodeJS web applications which will be running on 4 different EC2 instances (2 for each).
```text
App - Applications
EC1, EC2 --> EC2 instances
ASG - Auto scaling groups
App-A -- EC1, EC2 --> ASG1 --> ELB1 (ELB based healthcheck in ASG1)
App-B -- EC3, EC4 --> ASG2 --> ELB2 (ELB based healthcheck in ASG2)
```
We have only one public domain registered (e.g. mycloud.services.com) due to other constraints. We would like to route traffic from this single domain using a path-based approach, i.e.:
mycloud.services.com/appa --> should redirect to the website running under ASG1 (i.e. EC1, EC2)
mycloud.services.com/appb --> should redirect to the website running under ASG2 (i.e. EC3, EC4)
What is the best way of achieving this, and is there any drawback with this approach?
I checked that the Classic Load Balancer has this type of feature and I tried it (classic LB), but I couldn't select the ELBs on the listener config page; it only looks for target groups.
Could someone help in elaborating the details for achieving this in this way, or any better ways?
Tried the solution by #BerryRee and facing another issue detailed below.
Thx & wish you a great year ahead. Your above solution seems to work. I have done the configuration but one issue is still open on this front.
I have a simple website running to test this out on two different ports, 8000 & 8001. I can access both sites on these ports in my browser using the public IP of my EC2 server.
I have created 2 target groups, master & child, for these ports' traffic, and both of them show healthy with these registered instances. Then I created an ALB to map these target groups and created path patterns as you suggested.
```text
ht://XX.XX.XX.XX:8000/ ---> MASTER (ext-tg-master)
Hello World!
ht://XX.XX.XX.XX:8001/ ---> CHILD (ext-tg-child)
Hello World from CHILD!
ht://lb-name.us-east-1.elb.amazonaws.com/master/ (/child
Cannot GET /master/ or /child/
ht://lb-name.us-east-1.elb.amazonaws.com/
Hello World!
```
| Path pattern | Target group name | Priority |
|---|---|---|
| /master/* | ext-tg-master | 1 |
| /child/* | ext-tg-child | 2 |
| (no match) | ext-tg-master | default |
The only issue now is that when I hit the URL without any path pattern at the end, it defaults to the correct target group and gives the hello world output of "master" as per the configuration above. But when I hit it with any path value at the end, I get the above error "Cannot GET /child or Cannot GET /master".
Can you give some insights on fixing this?
The use case of putting an ELB behind an ALB (or ALB behind ELB, etc.) isn't supported by AWS.
For you, though, your routing and load balancing can all be handled with a single ALB.
```text
               _______________
==> /appa ==> |               | ===> target-group for App-A
              |    AWS ALB    |
==> /appb ==> |_______________| ===> target-group for App-B
```
You can create your ALB and target group using the AWS CLI - I leave it as an exercise to execute these same steps on the AWS console.
Since you already have autoscaling groups created for your apps, I'll just assume that they're called asg-group-a and asg-group-b.
```bash
# Create a target group for each of your apps
# There are plenty more options you can specify like health checks,
# but that is specific to you
aws elbv2 create-target-group --name app-a-target-group --protocol HTTP --port 80 --vpc-id vpc-(YOUR VPC ID)
aws elbv2 create-target-group --name app-b-target-group --protocol HTTP --port 80 --vpc-id vpc-(YOUR VPC ID)
```
The above two commands should each output a JSON blob that looks like the one below. Take note of the TargetGroupArn value because you will need that to associate the target group with your autoscaling groups.
```json
{
    "TargetGroups": [
        {
            "HealthCheckPath": "/",
            "HealthCheckIntervalSeconds": 30,
            "VpcId": "vpc-(YOUR VPC ID)",
            "Protocol": "HTTP",
            "HealthCheckTimeoutSeconds": 5,
            "HealthCheckProtocol": "HTTP",
            "UnhealthyThresholdCount": 2,
            "HealthyThresholdCount": 5,
            "TargetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/app-a-target-group/73e2d6bc24d8a067",
            "Matcher": {
                "HttpCode": "200"
            },
            "HealthCheckPort": "traffic-port",
            "Port": 80,
            "TargetGroupName": "my-targets"
        }
    ]
}
```
Now attach the target groups to their respective autoscaling groups.
```bash
# Attach the target groups to your ASGs (the option takes a list, so it is --target-group-arns)
aws autoscaling attach-load-balancer-target-groups --auto-scaling-group-name asg-group-a --target-group-arns TARGET_GROUP_A_ARN
aws autoscaling attach-load-balancer-target-groups --auto-scaling-group-name asg-group-b --target-group-arns TARGET_GROUP_B_ARN
```
Now create the application load balancer. You will need two subnets from the same region that are in different availability zones.
```bash
aws elbv2 create-load-balancer --name node-app-alb \
    --subnets SUBNET-A SUBNET-B (...) --security-groups [SECURITY-GROUP ...]
```
The above command will return another JSON blob that contains an ARN of the load balancer, as shown below. Keep this around as you will need it for creating listeners.
```text
arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/node-app-alb/1234567890123456
```
Now we will configure path-based routing for app-A.
```bash
# Create a listener for app-a
# This command will return an ARN for the listener, use that in the next command
aws elbv2 create-listener --load-balancer-arn (ALB ARN) \
    --protocol HTTP --port 80 \
    --default-actions Type=forward,TargetGroupArn=(ARN FOR APP-A TARGET GROUP)
# Create a path routing rule for your new listener to route requests for app-a
# (shorthand keys are case-sensitive: Field=... and Values=...)
aws elbv2 create-rule --listener-arn (APP-A LISTENER ARN) --priority 10 \
    --conditions Field=path-pattern,Values='/appa/*' \
    --actions Type=forward,TargetGroupArn=(ARN FOR APP-A TARGET GROUP)
```
You can repeat the previous block for appb path routing.
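To see how the listener configured above dispatches a request, here is an added Python model of ALB rule evaluation (example code, not part of the answer and not AWS tooling): rules in priority order, the `*` / `?` wildcard semantics of path patterns, and the fact that the matched path is forwarded to the target unchanged, so each backend has to serve its routes under `/appa/` or `/appb/` itself. The priorities 10 and 20 and the default action are assumptions.

```python
import re


def path_pattern_to_regex(pattern):
    """Compile an ALB path pattern: '*' matches zero or more characters, '?'
    matches exactly one, everything else is literal, and matching is
    case-sensitive over the whole path (the query string is never matched)."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts))


def route(rules, default_target, request_target):
    """Choose a target group the way an ALB listener does: rules in ascending
    priority, first matching rule wins, else the listener's default action.
    Returns (target_group, forwarded_path); the ALB forwards the path unchanged
    and does not strip the matched prefix."""
    path = request_target.split("?", 1)[0]
    for _priority, pattern, target in sorted(rules):
        if path_pattern_to_regex(pattern).fullmatch(path):
            return target, path
    return default_target, path


# Constructed to mirror the answer's listener. Priorities 10 and 20 and the
# default action (App-A's target group) are assumptions.
RULES = [
    (10, "/appa/*", "app-a-target-group"),
    (20, "/appb/*", "app-b-target-group"),
]
DEFAULT_TARGET = "app-a-target-group"

if __name__ == "__main__":
    # Note that '/appb' without the slash and '/APPB/x' (wrong case) fall to the default.
    for req in ["/appa/login", "/appb/", "/appb", "/APPB/x", "/appb/x?y=1"]:
        print(req, "->", route(RULES, DEFAULT_TARGET, req))
```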
I have a VPC. Now I have a script which creates EC2 instances and configures them. The configuration depends on the public IP during the installation. The problem is that the configuration is wrong for my instance after rebooting it, because the public IP changed but the config contains the old public IP. Is there a way to define an automatic allocation of an Elastic IP to instances in a specific VPC (assign an Elastic IP immediately after creation)?
I usually set the Elastic IP from within the EC2 instance, instead of from whatever created the instance to begin with, with userdata, though I don't see why you can't do the same thing from an external script.
Here is my script that I pass in to userdata when launching an application.
Note, this script relies on variables created by other (parent) scripts, e.g.:
```text
REGION = a string holding the region you launched the instance into
RESOURCE_ID = a string holding the ID of the newly launched instance
IP = a string holding the original public IP address
```
You should be able to get those variables within the response from the initial launch.
You will need to create additional functionality and this assumes you already have launched the instance, however this should get you mostly there.
Note, there is no need to reboot the instance in-between launching and assigning the elastic IP address. In fact, doing so might, as you mentioned, "lose" the public IP address (though I BELIEVE that a simple reboot from the console holds on to the public IP).
```bash
#!/bin/bash
# Expects REGION, RESOURCE_ID and IP to be exported by the parent script that launched the instance.
# --query/--output text replace the original grep/awk/sed parsing of the CLI's JSON output.
EIPID=$(aws ec2 allocate-address --domain vpc --region "${REGION}" --query 'AllocationId' --output text)
IP=$(ec2metadata --public-ipv4)
EIP=${IP}
if [ -n "$EIPID" ]
then
    conf=$(aws ec2 associate-address --instance-id "${RESOURCE_ID}" --allocation-id "${EIPID}" \
           --region "${REGION}" --query 'AssociationId' --output text)
    if [ -n "$conf" ]
    then
        # Poll the metadata service until the public IP reported for this instance
        # changes from the original temporary address to the Elastic IP.
        while [ "$IP" == "$EIP" ]
        do
            EIP=$(ec2metadata --public-ipv4)
            sleep 2
        done
        echo "Elastic IP ${EIPID} successfully mapped"
        echo "ELASTIC_IP=\"${EIP}\"" | sudo tee -a /etc/environment
    else
        echo "Failed to map Elastic IP Address: ${EIPID}"
    fi
else
    echo "Failed to acquire Elastic IP address: ${EIPID}"
fi
```
There is no feature inside VPC to make an EIP attach automatically to an EC2 instance.
You need to use the AWS API language you are familiar with to write your own script to do your own automation.
1) Preparation:
Allocate an Elastic IP and write down the EIP ID.
2) Associate the EIP ID to the EC2 IP allocation:
Use an AWS API script to create and launch your EC2 instance, and capture the EC2 instance ID (or the instance's network interface ID).
Then in the same script, use the API `ec2 associate-address` (the naming varies slightly depending on the AWS API language you use) to attach the EIP ID to the EC2 instance ID (or instance interface ID).
If you are using the API, you may actually use `ec2 describe_addresses` to dynamically find an idle EIP ID that is not associated with any instance.
And you need to think ahead in the automation if you want to stop the EC2 instances from time to time and relaunch them: EC2 instances will not keep the Elastic IP.
There are two methods:
1) use the API method that is exposed in `aws ec2 associate-address`, see http://docs.aws.amazon.com/cli/latest/reference/ec2/associate-address.html
2) use CloudFormation instead of a script, see http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-ec2.html#scenario-ec2-eip
As answered by mootmoot, I would say there is no feature inside VPC to make an EIP attach automatically to a specific EC2 instance. In addition, stopping the instance also disassociates the EIP from it, so EC2 instances will not keep their Elastic IP.
There is an option that does not require an Elastic IP to be assigned, by using a service called DynamicURL that changes the IP address in the A record of your domain to follow the public IP that is assigned to your instance. So whenever the IP changes, your domain stays associated with your instance.