I am trying to set up an EC2 instance using Ansible.
But it fails when I try to SSH to it. The security group allows port 22.
We have reached our maximum number of Elastic IPs at the moment. So I want to know whether there is something wrong with my script, or whether it isn't possible to SSH to an instance without an Elastic IP?
Your instance won't NEED an Elastic IP. You'll get a public IP if you put the VM in your default VPC. But note that this IP might and will change if you reboot the instance.
In short, no, you won't need an Elastic IP, but it's very handy.
Your instance either needs an Elastic IP, or it needs to be in a public VPC subnet with a public IP.
You can also have Ansible go through an instance it has SSH access to in order to get into the VPC and reach your other instances. Here is a blog post about this process: http://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host/ If you search for "Ansible ssh bastion host" you will find lots of articles on this topic.
Well, I am almost giving up on AWS; it is really hard to do simple things here. My problem is that I am following this link to set up cPanel for commercial use:
https://blog.cpanel.com/part-2-how-i-built-a-cpanel-hosting-environment-on-amazon-aws/
I set up my VPC, Subnet, Internet Gateways, Elastic IPs and Route Tables and still cannot connect to my EC2. It is frustrating that I am wasting time over an SSH problem which can be solved in a matter of seconds in OVH, and here AWS is ruining my day. Any ideas?
I really expect to connect to my EC2 with ease and be able to add more EC2 instances to the service.
To be able to SSH into an Amazon EC2 instance, you'll need the following:
An Amazon VPC (the default one is fine, or create your own)
An Internet Gateway attached to the VPC (to connect it to the Internet)
A public subnet, which is defined as a subnet that has a route table where the route table sends traffic destined for 0.0.0.0/0 to the Internet Gateway
An Amazon EC2 instance in the public subnet, presumably a Linux instance since you want to SSH to it
When launching the instance, nominate a Keypair. If you launch from an Amazon-provided AMI (e.g. Amazon Linux 2), the keypair will be copied to /users/ec2-user/.ssh/authorized_keys at startup.
The instance should either be launched with Auto-assign Public IP to receive a random public IP address, or be associated with an Elastic IP address to obtain a static IP address.
A security group attached to the EC2 instance permitting inbound SSH access (port 22) either from 0.0.0.0/0 or your own IP address
Don't play with the Network Access Control List (NACL) settings - they default to allowing all traffic in/out
To connect to the instance:
ssh -i YOUR-KEYPAIR.pem ec2-user@IP-ADDRESS
If the connection is immediately rejected, it suggests a problem with the keypair.
If the connection takes some time before failing, it suggests a network-related problem because it is unable to contact the instance. Some corporate networks block outbound SSH access, so try again from a different network (home vs office, or even tethered via your phone) to try and identify the issue.
I have two EC2 machines, each with their own security group (SG). One is an EC2 instance with an Elastic IP. The other is part of an Elastic Beanstalk. I have my Elastic Beanstalk machine SSH to the EC2 machine using the Elastic (static) IP address.
I change the SG of the EC2 machine to allow port 22 from the SG of the Elastic Beanstalk. SSH does not connect.
I change the SG of the EC2 machine to allow port 22 from the private VPC range (172.31.0.0). SSH does not connect.
Is this because I'm SSH accessing the EC2 via public IP?
I change the SG of the EC2 machine to allow port 22 from the public IP of the Elastic Beanstalk. SSH connects!
How can I set up a Security group for my EC2 machine that allows SSH access from my Elastic Beanstalk instance, without relying on public IPs? (because they change when using Beanstalk I don't want to keep updating security groups).
I'm answering my own question!
The problem was using the public (Elastic) IP of the EC2 instance when making an SSH connection. Based on this StackOverflow answer, when using the public IP address the security group wanted a public IP address as well.
Changing the access to the public DNS (which contains the elastic/static IP address ec2-XXX-XX-XXX-XXX.compute-1.amazonaws.com so shouldn't change on me) allowed EC2 to resolve internal IP addresses, and thus the Security Group rule worked for another security group!
I have launched an Elastic Beanstalk application in a VPC with Amazon RDS (PostgreSQL) using a NAT Gateway (because I want to route my application traffic through a fixed public IP address), following these instructions:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-rds.html
How can I SSH into the instance from my local system?
eb ssh is showing the following error, although my instance is available and not terminating.
ERROR: This instance does not have a Public IP address. This is possibly because the instance is terminating.
How can I log in to the PostgreSQL client?
The following command is not prompting anything:
psql --host= --port=5432 --username= --password --dbname=ebdb
I know they are in a private subnet so they can't be accessed from the public network, but I want to know whether it is possible. Please help!
You will have to have a server with a public IP (in a public VPC subnet) that you can connect to from outside your VPC. I recommend setting up a t2.nano server as a bastion host.
If you use VPN, you can also modify sshops.py to use the private DNS name. Varies by OS and version, but mine is located here:
~/Library/Python/2.7/lib/python/site-packages/ebcli/operations/sshops.py
Search for PublicIpAddress (mine is on line 88), and change it to read:
ip = instance['PrivateDnsName'] #was PublicIpAddress
It's too bad that the EB CLI isn't on GitHub... otherwise I'd contribute a way to do this via a parameter.
I also added a convenient alias for this:
alias appname='eb init appname;eb ssh --region=us-east-1 appname -n'
This allows running appname 1 or appname n, where n is the number of hosts in your cluster.
I have an EC2 instance that had a dynamic public IP. Due to changing requirements I assigned a new Elastic IP. I shut down the instance and restarted it. The console now shows the new IP and no longer the old, dynamic one.
The problem is that now I can no longer ping nor curl/wget to the public Internet from this instance. I do have an outgoing rule for ports 80 and 443 set up. I also allow ICMP in both directions.
I have a load balancer set up in another instance. That instance can access the problematic instance over the private IP with no problem.
I did notice that while all my other instances list their public IP (dynamic or Elastic) the instance in question lists "ec2-x-x-x-x.compute-1.amazonaws.com". Not sure what to make of that...
What could be my issue?
If you are not seeing the public IP show up in the console for the system, but instead are seeing the hostname as you mention, it means that your public IP is NOT assigned to the instance. Suggest you go to the Elastic IPs section of the console and re-attach the EIP to the instance.
Note, if you are not running in a VPC, when you reboot the instance, the EIP will drop off the instance.
I'm creating a new instance by using the following command,
ec2-run-instances --key "xxxx keypair" --instance-type t1.micro --instance-initiated-shutdown-behavior terminate --user-data-file myscript.sh $ami_id
And my AMI is the Bitnami default AMI.
After I launch the instance, I use the following command from my older instance to connect to the new instance:
ssh -i xxx_yyy.pem bitnami@xxxxxx.compute-1.amazonaws.com
And I can't connect; there is no response from the server.
Can anyone please help me with this?
Thanks in advance.
Typical things to check when trying to connect to an EC2 instance:
Security Groups
Check that at least one of the Security Groups associated with the instance has port 22 (SSH) or port 3389 (RDP) open to your source IP range (eg a specific IP address 54.87.23.11/32, or the whole world 0.0.0.0/0 -- but the latter is very poor security practice). Security Groups are stateful, so you only need to open Inbound access and the return path will automatically work.
Public IP Address
Confirm that you are using a Public IP address associated with the instance. This can either be assigned at instance launch (which will allocate a random IP address from a pool) or can be assigned as an Elastic IP Address (which is a static IP address that you can assign to any instance and keep until you release it back to AWS).
Public Subnet / Routing
Confirm that your instance is in a "Public" VPC Subnet. This means that the Route Table associated with the Subnet has a route through an Internet Gateway.
AMI Operating System
I've seen situations where people try to SSH to a Windows instance, or RDP to a Linux instance, so also check that you launched the correct AMI for your expected operating system.
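The two checklists above (public subnet, public IP, port-22 security group rule, keypair) and the Elastic Beanstalk thread's finding that a security-group-source rule only matches when the connection arrives on the private address can be expressed as one small diagnostic. The following is an added example, not code from any of the posters; it runs over a constructed snapshot shaped loosely like boto3 describe_* output, and the IDs, CIDRs and dict layout are made up for illustration.

```python
import ipaddress

# Constructed sample data (fake IDs and addresses), not a real AWS account.
SNAPSHOT = {
    "route_tables": {"rtb-pub": [("0.0.0.0/0", "igw-1")],
                     "rtb-priv": [("0.0.0.0/0", "nat-1")]},
    "subnets": {"subnet-a": "rtb-pub", "subnet-b": "rtb-priv"},
    "security_groups": {
        "sg-office": [{"port": 22, "cidr": "203.0.113.10/32"}],
        "sg-from-eb": [{"port": 22, "source_sg": "sg-eb"}],
    },
}

def is_public_subnet(snap, subnet_id):
    # Public subnet: its route table sends 0.0.0.0/0 to an Internet Gateway.
    routes = snap["route_tables"][snap["subnets"][subnet_id]]
    return any(dst == "0.0.0.0/0" and tgt.startswith("igw-") for dst, tgt in routes)

def sg_allows_ssh(snap, sg_ids, client_ip, client_sgs=(), via_private_ip=False):
    # A port-22 rule matches a CIDR containing the client's address, or a source
    # security group; the SG-source form only matches when the client reaches the
    # instance on its private address (the Elastic Beanstalk thread's lesson).
    ip = ipaddress.ip_address(client_ip)
    for sg in sg_ids:
        for rule in snap["security_groups"][sg]:
            if rule["port"] != 22:
                continue
            if "cidr" in rule and ip in ipaddress.ip_network(rule["cidr"]):
                return True
            if via_private_ip and rule.get("source_sg") in client_sgs:
                return True
    return False

def ssh_checklist(snap, instance, client_ip, client_sgs=(), via_private_ip=False):
    # Return the reasons an SSH attempt would fail; an empty list means the
    # checklist passes. `instance` is a constructed dict, not a boto3 object.
    problems = []
    if not via_private_ip:
        if not is_public_subnet(snap, instance["subnet"]):
            problems.append("subnet has no 0.0.0.0/0 route to an Internet Gateway")
        if not instance.get("public_ip"):
            problems.append("no public or Elastic IP attached to the instance")
    if not sg_allows_ssh(snap, instance["security_groups"], client_ip,
                         client_sgs, via_private_ip):
        problems.append("no security group rule admits port 22 from this client")
    if not instance.get("keypair"):
        problems.append("instance was launched without a keypair")
    return problems
```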