I noticed there is already a
-subnet=... The AWS subnet to deploy to (single instance apps only)
parameter but not for ELB-based deployments, yet. Is it already possible to define which vpc/subnets should be used for a deployment?
Currently all subnets of the default VPC are associated with the automatically created auto-scaling groups. The auto-scaling groups will then launch instances across them in a balanced fashion.
Please file a feature request if you need more control: https://github.com/cloudcaptainsh/cloudcaptain/issues
Can we have two Elastic Beanstalk applications along with RDS database instances in one VPC?
What I am trying to do is the following:
1) EB App1: Web tier which handles web requests
2) EB App2: Worker (application) tier that performs the processing
3) RDS DB instances: This is the database tier.
I want to put each of the above in one VPC and assign them within their separate VPC Security Groups in this VPC, hence controlling the flow of traffic between all the tiers.
Also, can I span these security groups into multiple availability zones?
Do Beanstalk and VPC allow the above proposed design, and is it a good design or am I overcomplicating stuff?
Thanks
MHF
I want to put each of the above in one VPC and assign them within their separate VPC Security Groups in this VPC, hence controlling the flow of traffic between all the tiers.
Yes of course, that's exactly how a VPC works.
Also, can I span these security groups into multiple availability zones?
Security groups are VPC wide, they automatically span all availability zones. You would have to create Security Group rules that specify a specific subnet's IP range to narrow a security group to a specific availability zone.
Do Beanstalk and VPC allow the above proposed design, and is it a good design or am I overcomplicating stuff?
Yes, this is just a normal AWS VPC configuration. What you are proposing is the normal way to do this.
I'm thinking of using CloudFormation as a means of blue-green deployment.
Part of it is putting the Auto Scaling group's instances on standby.
Is that possible?
Amazon EC2 Auto Scaling groups are responsible for launching and terminating Amazon EC2 instances. Note that instances are launched as new instances -- they are not kept on standby.
You can certainly do blue-green deployments by using two separate CloudFormation stacks, each with their own Auto Scaling group and, presumably, Elastic Load Balancer.
Both Auto Scaling groups would be 'operating', but not necessarily receiving traffic. You would then need some mechanism to 'switch' between the blue/green groups, such as changing a DNS entry in Route 53 to point to the different Load Balancer.
Adding to John's answer, on Route 53 you can use weighted load balancing to route traffic. It allows you to route a percentage of the traffic to each setup.
Is this possible? I would like to use ElastiCache, which seems to only be allowed to be created in my default VPC (alternative question is: how can I launch ElastiCache in a custom VPC?), however I can't connect to it from a separate VPC. I don't know how to configure my clusters (or launch them outside of the "Getting Started") so that I can launch them in an existing VPC that I can set.
You could just create the ElastiCache instance in the VPC created by the ECS cluster. Though, you'll need to create a cache subnet group first. See: ElastiCache (redis) for non default VPC
I've created a new environment for my beanstalk app under a vpc.
I created a vpc with private and public subnets.
I've configured the security groups as outlined here:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc-basic.html
The environment seemed to set up correctly but the status is red.
Clicking on monitor reveals no data for latency or requests.
The website URL returns error code 503.
Not sure what to do.
This is almost certainly an issue with not being able to communicate with the NAT. The documentation is a little ambiguous when it comes to configuring your .ebextensions config files.
Don't mess with the Network ACLs for the VPC. The infrastructure needs to be able to talk to itself.
The NAT instance & Beanstalk ELB need to be in the Public subnet (10.0.0.0/24)
The Beanstalk instances themselves need to be in the Private subnet (10.0.1.0/24)
The Security Group that you apply to the instances needs to also apply to the NAT. That Security Group also needs to be on its own Inbound list so that everything inside that SG can talk to each other.
Using curl, try to make outbound calls. First on the Bastion Host, then on the NAT, then on a Beanstalk instance. Are any of them unable to make outbound calls?
I just recently spent a couple of weeks trying to develop a CloudFormation template that handles this stuff. I think that most of it is still in my brain. I think.
If these troubleshooting steps don't help, let me know and I'll dig a little deeper.
When you created the VPC, I assume you did it using the wizard. In this situation, the NAT is configured to accept calls from the "default" security group.
When you created the Elastic Beanstalk environment, did you specify that you want the new instances to be in the "default" security group?
Check whether the new instance belongs to the VPC's default security group in the EC2 management area. If it is not a member of the default security group, add its security group to your NAT's inbound connections.
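The two answers above describe the same security-group requirements two ways: the instance group must allow inbound from itself, and the NAT must either carry that group too (first answer) or allow inbound from it (second answer). As an added example that is not part of either answer, this checks both conditions against data shaped like boto3's describe_security_groups() response; the group IDs and the sample response are constructed.

```python
def allows_inbound_from_group(group, source_group_id):
    """True if `group` has an inbound rule whose source is `source_group_id`."""
    for perm in group.get("IpPermissions", []):
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == source_group_id:
                return True
    return False


def check_nat_reachability(groups, instance_sg_id, nat_sg_ids):
    """Return a list of problems; an empty list means the layout matches the answers.

    groups: the 'SecurityGroups' list from describe_security_groups().
    instance_sg_id: the group attached to the Beanstalk instances.
    nat_sg_ids: the groups attached to the NAT instance.
    """
    by_id = {g["GroupId"]: g for g in groups}
    if instance_sg_id not in by_id:
        return [f"{instance_sg_id} not found"]
    problems = []
    # First answer: the instance group must list itself as an inbound source.
    if not allows_inbound_from_group(by_id[instance_sg_id], instance_sg_id):
        problems.append(f"{instance_sg_id} does not allow inbound from itself")
    # Either the instance group is also attached to the NAT (first answer) or
    # one of the NAT's groups allows inbound from it (second answer).
    nat_ok = instance_sg_id in nat_sg_ids or any(
        allows_inbound_from_group(by_id[g], instance_sg_id)
        for g in nat_sg_ids if g in by_id)
    if not nat_ok:
        problems.append(f"{instance_sg_id} is neither attached to the NAT nor allowed inbound by its groups")
    return problems


# Constructed sample: the instance group is self-referencing, but the NAT only
# carries the VPC 'default' group, which does not allow inbound from it.
SAMPLE_GROUPS = [
    {"GroupId": "sg-eb0001", "GroupName": "beanstalk-instances",
     "IpPermissions": [{"IpProtocol": "-1",
                        "UserIdGroupPairs": [{"GroupId": "sg-eb0001"}]}]},
    {"GroupId": "sg-def001", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1",
                        "UserIdGroupPairs": [{"GroupId": "sg-def001"}]}]},
]

if __name__ == "__main__":
    for problem in check_nat_reachability(SAMPLE_GROUPS, "sg-eb0001", ["sg-def001"]):
        print("PROBLEM:", problem)
```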
There is a good AWS CloudFormation template example to create VPC with public and private subnets and the NATs:
https://github.com/awsdocs/elastic-beanstalk-samples/blob/9720e38e9da155752dce132a31d8e13a27364b83/cfn-templates/vpc-privatepublic.yaml
It may be very useful for those having issues with such a VPC configuration.
To deploy it to your AWS account using the CLI:
aws cloudformation deploy --stack-name mystackname --template-file path/to/vpc-privatepublic.yaml
Or you can deploy from CloudFormation UI dashboard.
I have a pretty standard stack, RDS, 2 EC2 instances using ELB. Because I wanted the ELB to be restricted to a particular IP range I've launched the stack in VPC, for DR reasons across 2 subnets.
I use several ephemeral EC2 machines which, when not in a VPC, I allowed to start up in any availability zone. Which (as far as I understand) would mean that if an AZ were unavailable then machines would be started in other zones.
Is there a way to emulate this in VPC? Is there a way of saying launch a machine in any subnet in a VPC?
If not, it's fairly easy to work around by picking a subnet at random, and if it fails trying another. Just wondered if there was a supported method that's cleaner?
I'm using python and boto.
thanks
Which (as far as I understand) would mean that if an AZ were unavailable then machines would be started in other zones.
That's correct and it would indeed be nice to have this option available within an Amazon VPC as well when running instances directly via the available Amazon EC2 API actions.
Unfortunately both the RunInstances and the RequestSpotInstances API actions only allow you to specify the optional parameter SubnetId or LaunchSpecification.SubnetId respectively (the ID of the subnet in which to launch the [Spot] Instance), and thus have no information about which VPC you would want to launch the instance into if no subnet is specified.
Workaround
You can achieve the desired behavior indirectly via Auto Scaling by means of its CreateAutoScalingGroup API action, see parameter VPCZoneIdentifier:
A comma-separated list of subnet identifiers of Amazon Virtual Private Clouds (Amazon VPCs).
This feature is also available via the AutoScalingGroup resource type within AWS CloudFormation.
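As an added example that is not part of the question or the answer, the following Python shows both routes: the "pick a subnet at random, retry another on failure" workaround the question proposes, and building the VPCZoneIdentifier string for CreateAutoScalingGroup from the same subnet list. It assumes boto3-shaped describe_subnets() data; the subnet and VPC IDs, the FakeEC2 client and the capacity failure are all constructed so it runs offline.

```python
import random


class CapacityError(Exception):
    """Stands in for EC2's InsufficientInstanceCapacity error."""


def vpc_subnet_ids(subnets, vpc_id):
    """IDs of every subnet in one VPC, in a stable order."""
    return sorted(s["SubnetId"] for s in subnets if s["VpcId"] == vpc_id)


def vpc_zone_identifier(subnets, vpc_id):
    """The comma-separated value for CreateAutoScalingGroup's VPCZoneIdentifier."""
    return ",".join(vpc_subnet_ids(subnets, vpc_id))


def run_in_any_subnet(ec2, subnets, vpc_id, rng=random):
    """Try the VPC's subnets in random order until one launch succeeds.

    Returns (subnet_id, response); raises CapacityError if every subnet fails.
    """
    candidates = vpc_subnet_ids(subnets, vpc_id)
    rng.shuffle(candidates)
    for subnet_id in candidates:
        try:
            return subnet_id, ec2.run_instances(SubnetId=subnet_id, MinCount=1, MaxCount=1)
        except CapacityError:
            continue  # that AZ has no capacity right now; try the next subnet
    raise CapacityError(f"no subnet in {vpc_id} could launch the instance")


# Constructed sample: two subnets in the target VPC, one in another VPC.
SUBNETS = [
    {"SubnetId": "subnet-aaa111", "VpcId": "vpc-111111", "AvailabilityZone": "eu-west-1a"},
    {"SubnetId": "subnet-bbb222", "VpcId": "vpc-111111", "AvailabilityZone": "eu-west-1b"},
    {"SubnetId": "subnet-ccc333", "VpcId": "vpc-999999", "AvailabilityZone": "eu-west-1a"},
]


class FakeEC2:
    """Minimal stand-in for a boto3 EC2 client whose listed subnets are full."""
    def __init__(self, full_subnets):
        self.full = set(full_subnets)

    def run_instances(self, SubnetId, **kwargs):
        if SubnetId in self.full:
            raise CapacityError(SubnetId)
        return {"Instances": [{"SubnetId": SubnetId}]}


if __name__ == "__main__":
    print(vpc_zone_identifier(SUBNETS, "vpc-111111"))
    print(run_in_any_subnet(FakeEC2({"subnet-aaa111"}), SUBNETS, "vpc-111111"))
```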