I need to add multiple ENIs to an EC2 instance and would like to use each interface with multiple private and associated elastic IPs. My current EC2 instance allows for multiple network interfaces and multiple EIPs per interface. I have already created and connected the ENIs and assigned additional private and elastic IPs. The problem comes when I try to bind to the EIPs on the ENIs (eth1, eth2...) for outbound traffic. The bind is successful; however, the outbound request times out.
I am able to add multiple IPs to the default network interface (eth0) of my EC2 instance and was also able to send outbound traffic using those IPs. It required executing the command below for each new IP, but it works.
ip addr add dev eth0 xxx.xx.x.xxx/24
Does anyone know how to get this to work? I suspect my route table or some other network configuration needs to be updated; however, this is out of my wheelhouse. If there is an automated way or script that I can run, that would be even better.
Thanks in advance.
Got my answer! I found this blog post which had everything I needed to do. Good luck to those who are looking for something similar.
http://randomizedsort.blogspot.com/2012/06/poor-mans-static-ip-for-ec2-aka-elastic.html
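The usual missing piece for a secondary ENI is source-based policy routing: the ENI needs its own routing table and `ip rule` entries so that packets bound to its addresses leave through it rather than through eth0's default route. The helper below is an added example (not the blog post's script) that builds and optionally runs those commands; the interface name, addresses, subnet and table id are constructed placeholders.

```python
"""Policy routing for a secondary ENI (eth1, eth2, ...): without it, packets
sourced from the ENI's addresses still follow the main table out of eth0 and
the reply never comes back, which shows up as a timeout after a successful
bind(). Added example; interface names, addresses and table ids are
constructed placeholders."""
import ipaddress
import subprocess


def eni_routing_commands(iface, private_ips, subnet_cidr, table):
    """Build the `ip` commands for one secondary ENI.

    AWS reserves the first host address of every VPC subnet for the VPC
    router, so the gateway is derived from the subnet CIDR. The ENI gets its
    own routing table; `ip rule` sends packets *from* its addresses there.
    """
    if not private_ips:
        raise ValueError("at least one private IP is required")
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    gateway = str(net.network_address + 1)
    cmds = []
    for ip in private_ips:
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is not inside {subnet_cidr}")
        # Secondary private IPs are not configured by DHCP; 'replace' keeps
        # re-runs safe when the address is already present.
        cmds.append(["ip", "addr", "replace", f"{ip}/{net.prefixlen}",
                     "dev", iface])
    # Subnet route and default route that exist only in this ENI's table.
    cmds.append(["ip", "route", "replace", str(net), "dev", iface,
                 "src", private_ips[0], "table", str(table)])
    cmds.append(["ip", "route", "replace", "default", "via", gateway,
                 "dev", iface, "table", str(table)])
    # Source-based rules are consulted before the main table (re-runs add
    # duplicate rules, which are harmless but noisy).
    for ip in private_ips:
        cmds.append(["ip", "rule", "add", "from", ip, "table", str(table)])
    return cmds


def apply_eni_routing(iface, private_ips, subnet_cidr, table, dry_run=True):
    """Print each command; run it (needs root) when dry_run is False."""
    cmds = eni_routing_commands(iface, private_ips, subnet_cidr, table)
    for cmd in cmds:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Constructed sample: eth1 carries two private IPs in 10.0.1.0/24 (the
    # EIPs are mapped to them by AWS); table 101 is arbitrary but unused.
    apply_eni_routing("eth1", ["10.0.1.20", "10.0.1.21"], "10.0.1.0/24", 101)
```

Run it first with the default dry run to review the commands, then with `dry_run=False` as root; the rules are not persistent across reboots, so put the call in your network bring-up scripts.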
Is it possible to set up a static IP address or range of IPs for server requests to external dbs and web services?
We have a web app running on a Google Compute Engine managed instance group. We want to lock down access to our db to specific IP addresses. However, the server IPs on the managed instance group are stateless, and the IPs change with each update to the web app. Is it possible to assign a static IP/range of IPs to our outbound server traffic?
We've investigated NAT Gateways, and VPC Peering a bit, but it doesn't seem to exactly fit our requirements. It's kind of a 'load-balancer for outbound server traffic' or something that would seem to fit what we're looking for...
Any advice greatly appreciated.
A use case would be where the IG has to connect back to a private cloud that is firewall managed. Having the IG draw from a pre-set range of IPs would be useful to security teams.
The security team could pre-program a range of IPs that the scalable IG would draw from.
This way the IG would draw from a preset and preconfigured (on the private cloud FW) range of IPs when it scales up.
I think you cannot directly make static IPs during the creation of a Managed Instance Group or by specifying them in an Instance Template. The IPs will be set as ephemeral at first.
By going to VPC Network -> External IP Addresses you can reserve IPs / easily promote them to static IPs and assign them to the specific VMs you wish.
This is a good explanation on how reserving IP's for GCE works.
You can also reserve Static Internal Addresses if you so wish.
Hope this helps.
Locking down access to specific IPs is not a good idea if you have a GCP managed instance group. As of now, there is no option for giving static external IPs to managed instance group instances. Even if you do so, it will be meaningless because of the autoscaling behavior.
I recommend you look into this link if you are using CloudSQL managed service from GCP for DBs.
Also, if you are using a non-managed/external DB, use an Nginx proxy.
I have four EC2 instances, three of them running API services and another running the user interface (UI). The UI instance obtains the data over API calls to the other instances. Right now everything works fine because I'm using the public IP provided for each EC2 instance for the API calls. But my concern is about what happens if the public IP of a service changes (for any reason)? Then my application goes down because the UI cannot get the data from the services. After a little research I have found what appears to be a solution: use a VPC to connect the EC2 instances over private IPs (because they are static) and associate the UI instance with an Elastic IP (no problem here). So, I have some issues:
1) I made a test putting all instances in the same VPC (and subnet), but when I ping from one to another the pings fail. Is my approach right, or am I missing something?
2) I read about a couple of other options but I'm not sure which is best: maybe I have to use an API Gateway? Or a NAT Gateway?
3) What is the standard practice for communicating between EC2 instances in a private way?
1) I made a test putting all instances in the same VPC (and subnet), but when I ping from one to another the pings fail. Is my approach right, or am I missing something?
For security reasons, AWS blocks ICMP traffic using the security group. Please enable ping traffic (ICMP) in the security group from the IPs you are trying to connect from; it's better to allow the entire CIDR block of the VPC for all traffic, which will make your life a lot easier. Please make sure you do this in a test environment only.
2) I read about a couple of other options but I'm not sure which is best: maybe I have to use an API Gateway? Or a NAT Gateway?
Also, as you mentioned that your concern is that the public IP of the instance will change (definitely if your instance stops/starts for any reason), why don't you use an Elastic IP for all of your instances? That could be one of the solutions, but using this approach all of your instances will be exposed to the internet, so going with private IPs is the best option.
3) What is the standard practice for communicating between EC2 instances in a private way?
It depends on the use case. If your instances are in the same VPC, no extra configuration is required; you only need to make sure the security groups, Network Access Control List and firewall configuration are correct.
If your instances are in different VPCs, then you can use VPC Peering/Transit Gateway.
1.) You need to update the security groups with permission for ICMP traffic.
Go to your VPC -> Select Security Groups -> Select the relevant security group -> Add an Inbound/Outbound rule for all traffic with the CIDR of the instance subnet.
2.) The internal network is the better way as long as all your traffic is going to be internal.
Thanks
My AWS instance is stuck and I cannot connect using an SSH client. What should I do?
My hosted websites are also not working. I do not want to restart my AWS instance through the AWS console.
Please help me in this regard.
Thanks in advance.
A recommendation to troubleshoot these kinds of problems
Always generate logs.
Always use the CloudWatch agent to retrieve specific logs from your instances.
Check this link to learn more about it: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/send_logs_to_cwl.html
About your problem
I think you tried to connect to it via SSH too many times without closing the previous connections.
Your instance is out of memory; for this situation you must restart your instance.
You could get the last screenshot of your instance using the options from the console.
Follow this link for more information about troubleshooting
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html
Some suggestions from that link:
Check your security group rules. You need a security group rule that allows inbound traffic from your public IPv4 address on the proper port.
[EC2-VPC] Check the route table for the subnet. You need a route that sends all traffic destined outside the VPC to the internet gateway for the VPC.
[EC2-VPC] Check the network access control list (ACL) for the subnet. The network ACLs must allow inbound and outbound traffic from your local IP address on the proper port. The default network ACL allows all inbound and outbound traffic.
If your computer is on a corporate network, ask your network administrator whether the internal firewall allows inbound and outbound traffic from your computer on port 22 (for Linux instances) or port 3389 (for Windows instances).
And more...
If the issue still continues, please create an AMI (image) of the instance and try to create a new instance from that AMI. Then try to SSH; if everything goes smoothly, terminate the old instance.
We are trying to use Elastic Load Balancing in AWS with auto-scaling so we can scale in and out as needed.
Our application consists of several smaller applications, they are all on the same subnet and the same VPC.
We want to put our ELB between one of our apps and the rest.
Problem is we want the load balancer to be working both internally between different apps using an API and also internet-facing because our application still has some usage that should be done externally and not through the API.
I've read this question but I could not figure out exactly how to do it from there; it does not really specify any steps, or maybe I didn't understand it very well.
Can we have an ELB that is both internal and external?
For the record, I can only access this network through a VPN.
It is not possible for an Elastic Load Balancer to have both a public IP address and a private IP address. It is one or the other, but not both.
If you want your ELB to have a private IP address, then it cannot listen to requests from the internet.
If your ELB is public-facing, you can still call it from your internal EC2 instances using the public endpoint. However, there are some caveats that go with this:
The traffic will exit your VPC and re-enter it. It will not be the direct instance-to-ELB connection that a private IP address would afford you.
You also cannot use security groups in your security group rules.
There are 3 alternative scenarios:
Duplicate the ELB and EC2 instances, one dedicated to private traffic, one dedicated to public traffic.
Have 2 ELBs (one public, one private) that share the same back-end EC2 instances.
Don't use an ELB for either private or public traffic, and instead use an Elastic IP address (if public) or a private IP address (if private) on a single EC2 instance.
I disagree with @MattHouser's answer. Actually, in a VPC, your ELB has all its internal interfaces listed in Network Interfaces with a Public IP AND a Primary private IP.
I've tested the private IP of my public ELB and it's working exactly like the external one.
The problem is: these IPs are not listed anywhere in an up-to-date manner like on a private ELB DNS. So you have to do it yourself.
I've made a little POC script on this, with an internal Route53 hosted zone : https://gist.github.com/darylounet/3c6253c60b7dc52da927b80a0ae8d428
I made a Lambda function that checks which private IPs are set on the load balancer and will update the Route53 record when they change: https://github.com/Bramzor/lambda-sync-private-elb-ips
Using this function, you can easily make use of the ELB for private traffic. I personally use it to connect multiple regions to each other over a VPC inter-region peering without needing an additional ELB.
The standard AWS solution would be to have an extra internal ELB for this.
Looks like @DaryL has an interesting workaround, but it could fail for 5 minutes if the DNS is not updated. Also there is no way to have a separate security group for the internal IPs, since they share the ENI and security group of the external IP of the ELB.
I faced the same challenge and I can confirm the best solution so far is to have two different ALBs, one internet-facing and the other internal. You can attach both ALBs to a single AutoScaling Group so you can access the same cluster.
Make sure the networking options (subnets, security groups) of both ALBs are the same in order for both to access the same cluster instances. Auto Scaling and Launch Configurations work seamlessly with both ALBs attached to the same Auto Scaling Group. This is also working with ALBs created from Elastic Beanstalk environments.
It takes several minutes for a newly deployed version to ElasticBeanstalk to become available, so I am hoping that someone can spare me all the testing/experimenting :-)
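The workaround the two middle answers describe, publishing a public ELB's private ENI addresses in an internal Route 53 zone, looks like the function below. It is an added example rather than the code behind either link; it takes the boto3 clients as parameters so it can be tested offline, and the zone id, record name and ELB name are placeholders. It relies on AWS setting the ENI description to `ELB <name>` for a classic ELB or `ELB app/<name>/<id>` for an ALB.

```python
"""Publish a public ELB's private ENI addresses as an internal Route 53
A record. Added example, not the code from either linked project; the
boto3 clients are injected so the logic can be unit-tested, and the zone
id, record name and ELB name are placeholders."""


def elb_private_ips(ec2, description):
    """ENIs owned by a load balancer carry the description 'ELB <name>'
    (classic) or 'ELB app/<name>/<id>' (ALB); filter on it and collect
    their primary private addresses."""
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "description", "Values": [description]}])
    return sorted(eni["PrivateIpAddress"] for eni in resp["NetworkInterfaces"])


def current_record_ips(route53, zone_id, name):
    """Read the A record that is already published, if any."""
    resp = route53.list_resource_record_sets(
        HostedZoneId=zone_id, StartRecordName=name, StartRecordType="A",
        MaxItems="1")
    for rr in resp["ResourceRecordSets"]:
        if rr["Name"].rstrip(".") == name.rstrip(".") and rr["Type"] == "A":
            return sorted(r["Value"] for r in rr["ResourceRecords"])
    return []


def sync_elb_record(ec2, route53, elb_description, zone_id, name, ttl=60):
    """UPSERT only when the address set changed; returns (ips, changed).
    A short TTL shrinks the window in which clients hold stale addresses,
    the failure mode the last answer above warns about."""
    ips = elb_private_ips(ec2, elb_description)
    if not ips:
        raise RuntimeError(f"no ENIs found with description {elb_description!r}")
    if ips == current_record_ips(route53, zone_id, name):
        return ips, False
    route53.change_resource_record_sets(
        HostedZoneId=zone_id,
        ChangeBatch={"Comment": "sync ELB private IPs", "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {"Name": name, "Type": "A", "TTL": ttl,
                                  "ResourceRecords": [{"Value": ip} for ip in ips]}}]})
    return ips, True


def lambda_handler(event, context):
    """Lambda entry point, meant to run on a schedule; names are placeholders."""
    import boto3  # imported here so the module also loads where boto3 is absent
    ips, changed = sync_elb_record(boto3.client("ec2"), boto3.client("route53"),
                                   "ELB my-public-elb", "ZONE_ID_PLACEHOLDER",
                                   "elb.internal.example.")
    return {"ips": ips, "changed": changed}
```

The Lambda role needs `ec2:DescribeNetworkInterfaces` and `route53:ChangeResourceRecordSets`/`route53:ListResourceRecordSets` on the private zone only; the internal addresses still share the ELB's security group, as the last answer notes.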
Scenario 1:
I need to connect to an EC2 instance running MySQL from another EC2 instance but belonging to a different security group. Do I use the public DNS or the private IP to specify the MySQL host?
Scenario 2:
Same as above except both instances belong to the same security group. I believe that I need to use the private IP in this case, correct? Would the public DNS also work?
Thank you!
You should always use the private IP when possible for EC2 instances communicating with each other.
Among other reasons, you will get charged money for using the public IP even though the machines are started in the same availability zone.
Also, the security group is just a set of inbound and outbound rules; it doesn't matter that the two machines are in different groups with different rules, so long as your MySQL server can accept traffic on the port from the other EC2 instance based on the ruleset.
If you're going to be starting and stopping instances frequently, you might benefit from creating an elastic IP and attaching it to instances as needed instead of constantly changing configuration files.
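A small model of how a security group is evaluated makes both of the points above concrete: the ping question earlier on this page (same VPC and subnet, yet ICMP fails until a rule admits it) and this answer's point that group membership itself does not block anything once a rule allows the traffic. This is an added example, not AWS code; the group ids, CIDRs and addresses are constructed.

```python
"""A tiny model of EC2 security-group evaluation (added example, not AWS
code): why ping fails until an ICMP rule exists, and why instances in
different groups still talk once a rule admits the traffic. All group ids,
CIDRs and addresses are constructed."""
import ipaddress

ALL = -1  # AWS encodes "all protocols" and "all ports / ICMP types" as -1


def rule(proto, from_port, to_port, source):
    """One inbound rule; `source` is a CIDR or a security-group id."""
    return {"proto": proto, "from": from_port, "to": to_port, "source": source}


def allowed(rules, proto, port, src_ip, src_sg):
    """Groups are allow-lists: any rule matching protocol, port range and
    source (a CIDR, or the group the *sending* instance belongs to) admits
    the packet; nothing else is needed, and nothing else can deny it."""
    for r in rules:
        if r["proto"] not in (ALL, proto):
            continue
        if r["proto"] != ALL and r["from"] != ALL and not r["from"] <= port <= r["to"]:
            continue
        src = r["source"]
        if src.startswith("sg-"):
            if src == src_sg:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(src):
            return True
    return False


def demo():
    vpc = "10.0.0.0/16"
    ui_sg = "sg-ui"  # the UI instance's group; the API instances use sg-api
    api_rules = [rule("tcp", 22, 22, "203.0.113.10/32")]  # only SSH from one admin IP
    results = {}
    # Same VPC and subnet, yet ping fails: no rule admits ICMP.
    results["ping_before"] = allowed(api_rules, "icmp", ALL, "10.0.1.5", ui_sg)
    api_rules.append(rule("icmp", ALL, ALL, vpc))  # the fix from the earlier answers
    results["ping_after"] = allowed(api_rules, "icmp", ALL, "10.0.1.5", ui_sg)
    # Different groups are fine: a rule referencing sg-ui admits MySQL from it.
    api_rules.append(rule("tcp", 3306, 3306, ui_sg))
    results["mysql_from_ui"] = allowed(api_rules, "tcp", 3306, "10.0.1.5", ui_sg)
    results["mysql_from_other"] = allowed(api_rules, "tcp", 3306, "10.0.1.9", "sg-other")
    # Traffic arriving from outside the VPC on a public address matches nothing.
    results["mysql_public"] = allowed(api_rules, "tcp", 3306, "198.51.100.7", None)
    return results
```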