I have a "Custom VPC" with two subnets (a private subnet and a public subnet).
In ECS, when I try to create a cluster with "Custom VPC" and both subnets selected, the EC2 instances launched are by default launched in the private subnets.
Why? Is there a way to change the instance subnet after it is launched?
Should an ECS cluster only have public subnets of a VPC, and launch an instance on the private subnet through the 'Launch instance' wizard?
Also, these instances have a public DNS even when the private subnet's 'auto assign public IP' is disabled. Why?
1: You need to run ECS in the public subnets. Reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html
2: Yes, or you need to create a private subnet with a NAT gateway tied to it.
Every instance in a VPC has a default network interface, called the primary network interface (eth0). You cannot detach a primary network interface from an instance. You can attach a new network interface.
To change the subnet of a launched EC2 instance, you can follow these steps:
Create a new ENI (elastic network interface) with the new subnet you want to change to. Notice that you cannot change the VPC of a launched EC2 instance. If the same VPC or availability zone does not have other available subnets, you should create a new subnet first.
Go to your EC2 console and select the EC2 instance whose subnet you want to change.
In the Action menu above, go to Networking > Attach New Interface.
In the Network Interface menu, choose the network interface you just created.
You can refer to this document for how to create and attach a new network interface for an EC2 instance:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
I want to set up a VPC for my Elastic Beanstalk web app and RDS postgres db. I tried creating a VPC but ran into problems:
I went to VPC on AWS -> Launch VPC Wizard -> VPC with Public and Private Subnets. I am not sure what configurations to use. For example, what should I set Elastic IP Allocation ID? Do I need to set the VPC name?
After I create this, am I ready to just add it in EBS and RDS, or is there something else I need to do? Thanks!
Do I need to set the VPC name?
It's optional, but you can use e.g. MyVPCforEB or whatever you want. It's easier to find your VPC by name than by a cryptic vpc-id.
what should I set Elastic IP Allocation ID
You have to create an EIP first. It's done in the VPC -> Elastic IP addresses menu. This is required for the NAT gateway, so that instances in the private subnet can access the internet.
After I create this, am I ready to just add it in EBS and RDS, or is there something else I need to do?
Not really. To do it properly, you would need to add one more private subnet. The VPC wizard will create only one private subnet. For RDS, to create a subnet group, you need to have at least two private subnets in different Availability Zones.
Thus, once you have two private subnets in two different AZs, then you can create new Subnet Group in RDS with the subnets. Having this, you can create the RDS in these two subnets.
I have created a VPC and within it I created a Subnet and an Internet Gateway (attached to the VPC). In that subnet, I created a Route Table in which I set route 0.0.0.0/0 to target the Internet Gateway.
After that I launched an EC2 instance in my subnet but it has no public IP so I can't connect to it using RDP.
I tried to enable 'DNS hostnames' and 'DNS resolution' but it didn't add a public IP to my instance (even after restarting it). In my subnet, I enabled 'Auto-assign IPv4' but still no public IP.
Any clue what I'm missing here please?
Your instances won't automatically get public IPs attached to their ENIs after you enable 'Auto-assign IPv4' in your subnet. One possible solution without spinning up a new EC2 is to attach an Elastic IP (as @Oleksii Donoha suggested in the comment) to this instance. You can follow the AWS docs to allocate an Elastic IP address and then associate it with your running instance.
Side note: It's not possible to attach an ephemeral IP to an already-created ENI or EC2 instance. See discussions here.
Though your instance sits in a public subnet, you have to make sure that 'Auto-assign Public IP' is either set to 'Enable' or 'Use subnet setting (Enable)' on the Configure Instance Details page. Sometimes folks forget to check/reverify this setting while creating EC2 instances.
I want to move my EC2 instances from a private subnet to a public subnet. Is there a way to do that other than creating AMIs of those instances and then launching new instances from those AMIs and attaching volumes and Elastic IPs to them?
An Amazon EC2 instance is permanently connected to a subnet. (Well, the Primary interface is.)
Some options:
You could modify the subnet so that the subnet 'becomes' a public subnet (by configuring the Route Table to send traffic to an Internet Gateway). This does not require any changes to the instance itself.
You could add a secondary Elastic Network Interface (ENI) that connects it to a public subnet. You then need to configure the operating system to use the secondary ENI.
You could launch a new instance in a public subnet, stop it, detach its disks, then attach the disks from the 'private' instance, then start it. It will probably start up okay, and it would then be in a public subnet.
I have created a VPC with CIDR 10.0.0.0/16. Then in that VPC, I wanted to create two public subnets. So I have created two subnets with CIDR 10.0.1.0/24 and 10.0.2.0/24.
Now I have launched two EC2 instances on these subnets but I am not getting public IP of both the Instances. Please help me understand why I am not getting public IP of these instances and what should I do to get the public IP of these instances.
To get a public IP address you either
specify a flag on the subnet (in the CLI it's MapPublicIpOnLaunch; in the console I don't recall where) saying you want a public address by default on the EC2 instances
explicitly specify you want a public IP when launching an EC2 instance (on the screen you select the vpc and subnets)
assign an elastic IP address to an instance
and do not forget to create a default routing on the subnet to the internet gateway
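The answer above lists the three ways an instance gets a public IP plus the default route it also needs. The following is an added example (not any poster's code) that checks those conditions offline against dicts shaped like `aws ec2 describe-subnets` / `describe-route-tables` output, with constructed sample values for the VPC and two subnets from the question.

```python
# Offline checker for the three ways an EC2 instance gets a public IP and the
# default route it also needs. Input dicts mimic `aws ec2 describe-subnets` /
# `describe-route-tables` output; every value below is constructed.

def effective_route_table(subnet_id, vpc_id, route_tables):
    """Explicitly associated table wins; otherwise the VPC's main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    for rt in route_tables:
        if rt["VpcId"] == vpc_id and any(a.get("Main") for a in rt["Associations"]):
            return rt
    return None

def subnet_is_public(subnet, route_tables):
    """Public subnet == its route table sends 0.0.0.0/0 to an internet gateway."""
    rt = effective_route_table(subnet["SubnetId"], subnet["VpcId"], route_tables)
    return rt is not None and any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and r.get("GatewayId", "").startswith("igw-")
        and r.get("State", "active") == "active"
        for r in rt["Routes"])

def diagnose(subnet, route_tables, associate_public_ip=None, elastic_ip=None):
    """Reasons an instance in `subnet` has no usable public IP ([] = fine).
    associate_public_ip is the launch-time flag (None = inherit subnet setting)."""
    reasons = []
    gets_ip = subnet["MapPublicIpOnLaunch"] if associate_public_ip is None else associate_public_ip
    if not gets_ip and not elastic_ip:
        reasons.append("no public IP: MapPublicIpOnLaunch is false, "
                       "no launch-time flag, and no Elastic IP")
    if not subnet_is_public(subnet, route_tables):
        reasons.append("no 0.0.0.0/0 route to an igw- in the subnet's route table")
    return reasons

# Constructed sample: VPC 10.0.0.0/16 with the two subnets from the question.
VPC = "vpc-0000example"
SUBNET_A = {"SubnetId": "subnet-0a", "VpcId": VPC, "CidrBlock": "10.0.1.0/24",
            "MapPublicIpOnLaunch": False}
SUBNET_B = {"SubnetId": "subnet-0b", "VpcId": VPC, "CidrBlock": "10.0.2.0/24",
            "MapPublicIpOnLaunch": True}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": VPC, "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "VpcId": VPC, "Associations": [{"SubnetId": "subnet-0a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]
```

Subnet A has the internet route but no auto-assign flag; subnet B has the flag but falls back to the main table with no internet route, so each fails for a different reason.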
I have set up the VPC configuration below, but SSH to the instance is not happening at the moment:
Created a new VPC
Created a public and a private subnet
Launched an EC2 instance in the public subnet; updated route tables for the internet gateway
Launched an EC2 instance in the private subnet.
Associated a NAT gateway with the public subnet with an EIP
Route table updated for the private subnet with the NAT gateway
SSH from the public instance to the private instance is not happening with the key pair.
Can you let me know what I have missed here?
First things first:
NAT Gateway in Public Subnet allows Instances from Private Subnet to reach internet for software updates etc via Internet Gateway.
NAT Gateway doesn't play any role in SSHing into an Instance.
Try this to test:
Attach the default NACL (allows all inbound and outbound) to the public and private subnets where your EC2 instances reside.
Create 2 security groups for the public (let's say Pub-SG) and private subnets (Prv-SG).
Allow SSH from everywhere/a specific IP on Pub-SG.
On Prv-SG, allow SSH with Pub-SG as the source, for better security.
If both instances are launched using the same key pair, then with SSH agent forwarding you can connect to the private instance through the public instance.
I suspect you are missing a security group that permits SSH traffic between the instances on the two subnets.
AWS is secure by default - you need to explicitly permit traffic, roles, etc.
So in this case, the easiest thing to do would be to create a security group that spans the CIDR block of the VPC, and assign this to both instances.
Edit: I just noticed you say you added your NAT gateway to the public subnet - I presume you mean private.
This guide covers a similar scenario - public web subnet and private db subnet, and discusses all the routes + ACLs you need.
Also, when you say ssh with the keypair isn't happening - are you connecting at all, or does the connection time out?
When it comes to one EC2 instance communicating with another EC2 instance within a VPC, NAT Gateway has no role.
Make sure that the Security Group to which the private subnet instance belongs allows the SSH protocol from the Security Group to which the public subnet instance belongs.
Also, the NACL associated with the private subnet should allow inbound and outbound SSH traffic from the CIDR block to which the public subnet instance belongs.
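This answer and the earlier "Try this to test" answer both come down to the private instance's security group and the private subnet's NACL. As an added example (not any poster's code), here is an offline model of those two checks; the dict shapes follow `aws ec2 describe-security-groups` / `describe-network-acls` output and all IDs and addresses are constructed.

```python
# Offline model of what gates SSH from the public-subnet instance to the private one:
# the private SG (stateful) and the private subnet's NACL (stateless, so outbound
# ephemeral reply ports matter). NAT gateway plays no part. All values constructed.
import ipaddress
def sg_allows(sg, proto, port, src_ip, src_sg_ids):
    """Stateful SG: one matching inbound rule (source SG or CIDR) is enough."""
    for p in sg["IpPermissions"]:
        if p["IpProtocol"] not in ("-1", proto):
            continue
        if p["IpProtocol"] != "-1" and not p["FromPort"] <= port <= p["ToPort"]:
            continue
        if any(g["GroupId"] in src_sg_ids for g in p.get("UserIdGroupPairs", [])):
            return True
        if any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["CidrIp"])
               for r in p.get("IpRanges", [])):
            return True
    return False

def nacl_allows(nacl, egress, port, peer_ip):
    """Stateless NACL: lowest-numbered matching TCP/all rule decides; no match = deny."""
    for e in sorted(nacl["Entries"], key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", "6"):
            continue
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"] == "allow"
    return False

def ssh_path_problems(src_ip, src_sg_ids, dst_sg, dst_nacl, port=22):
    """Network-layer reasons SSH from the public instance would fail ([] = none)."""
    problems = []
    if not sg_allows(dst_sg, "tcp", port, src_ip, src_sg_ids):
        problems.append("private SG: no inbound tcp/%d from the public SG or IP" % port)
    if not nacl_allows(dst_nacl, False, port, src_ip):
        problems.append("private NACL: inbound tcp/%d from %s denied" % (port, src_ip))
    if not all(nacl_allows(dst_nacl, True, p, src_ip) for p in (1024, 65535)):  # spot-check range ends
        problems.append("private NACL: outbound ephemeral reply ports to %s blocked" % src_ip)
    return problems

# Constructed sample matching the answer: Prv-SG allows SSH only from Pub-SG.
PUB_SG = "sg-0pub"
PRV_SG = {"GroupId": "sg-0prv", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
          "ToPort": 22, "UserIdGroupPairs": [{"GroupId": PUB_SG}], "IpRanges": []}]}
DEFAULT_NACL = {"Entries": [  # default NACL: allow everything in both directions
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"}]}
```

A custom NACL that only allows port 22 in both directions fails the ephemeral-port check, which is the stateless-NACL mistake the default NACL avoids.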
Copy the SSH public key of the private instance to the public instance. Open the SSH key material using VS Code, then use nano or vim to paste the content of the public key, then save and exit. Now you can SSH into your private instance, given that the SG of the private instance allows traffic from the public instance.