Is this possible? I would like to use elasticache, which seems to only be allowed to be created in my default VPC (alternative question is: How can I launch elasticache in a custom VPC), however I can't connect to it in a separate VPC. I don't know how to configure my clusters (or launch them outside of the "Getting Started")so that I can launch them in an existing VPC that I can set.
You could just create the elasticache instance in the VPC created by the ECS cluster. Though, you'll need to create a cache subnet group first. See: ElastiCache (redis) for non default VPC
Related
I have 3 AWS Elastic Beanstalk instances which are running Spring microservices. All microservices are making POST requests to each other and using RDS service for database.
Should I isolate database traffic and microservices traffic into separate subnets?
In case it's a good practice is it possible to assign 2 private network IP's for each subnet for every AWS Elastic Beanstalk instance?
I think you cannot do it using EBS as the instances will auto create and terminate. So you should try to create instances separately and add autoscaling policy on it.
What I usually do is create my EC2 instances in Public subnet and RDS in private subnet and use RDS Security Group and add EC2 instance's Elastic IP, so that all the traffic is going through the EC2 instance and all the traffic coming to EC2 instance is HTTPS coming from ELB.
Adding the below steps as requested:
Ok, So I am assuming you already know a bit about how to create the servers and RDS etc.
Create an EC2 instance for each of your microservices.
Attach an EIP to each of these instances.
Add an Auto-Scaling policy to increase or decrease the instances based on the traffic/CPU Utilization. Make sure you terminate the newest created instance.
Add an ELB for this instance and add HTTPS/SSL certificate to secure your traffic.
Create RDS in a Private subnet and add instance EIP in RDS SG for 3306 port.
I think you should be able to do this then.
It's not a good practice to directly communicate between instances in EB. The reason is that that EB instances run in autoscalling group. So they can be terminated and replaced at any time by AWS leading to change in their private Ip addresses.
The change in IP will break your application sooner or later. Instances in EB should be accessed using Load Balancer or private IP.
So if you have some instances that are meant for private access only you could separate them to internal EB environment.
i have a aws eks cluster with in the dev vpc now i have few ec2 instance in the test-vpc so now i need add the add test-vpc instance to the existing existing cluster. can we do. ?
FYI VPC peering i have done as well and peering also working
An Amazon EKS cluster is provisioned in a single VPC.
If you have a dev-VPC and a test-VPC, you need to use two different EKS clusters.
I made and deployed my Django application in AWS Elastic Beanstalk. It has a connection to a Postgres DB in RDS, through the EBS console.
When I click configuration -> network in EBS, I see: "This environment is not part of a VPC."
How can I make it a part of a VPC? Thanks!
NOTE: very new to this ;)
You have to recreate the Elastic Beanstalk environment and pick the VPC during the creation. It is not possible to move an existing environment into a VPC.
But, unless you have access to EC2-Classic, the EC2 servers that were launched are already be in a VPC. They are just in the default VPC. But as far as Elastic Beanstalk is concerned, it seems oblivious to this.
I am not sure if there are any features that are exclusively available to VPC environments. My suggestion is to try to use your current environment, and if you happen to recreate the environment later for some other reason, then you can try picking a VPC and see if it offers anything new.
As already explained by #stefansundin you can't move existing EB into a custom VPC. You have to create new one.
These are general steps to consider:
Create a custom VPC with public and private subnets as described in the docs: VPC with public and private subnets (NAT). NAT is needed for instances and rds in private subnet to communicate with internet, but no inbound internet traffic will be allowed. This ensures that your instances and rds are not accessible from the outside.
Create new RDS, external to EB. This is good practice as otherwise the lifetime of your RDS is coupled with EB environment. Starting point is the following AWS documentation: Launching and connecting to an external Amazon RDS instance in a default VPC
Create new EB environment and ensure to customize its settings to use the VPC. Pass the RDS endpoint to the EB instances using environmental variables. Depending on how you want to handle password to the RDS, there are few options, starting from using environmental variables (low security) through SSM Parameter Store (free) or AWS Secrets Manager (not free).
Setting this all up correctly can be difficult for someone new to AWS. But with patience and practice it can be done. Thus, I would recommend with starting with default VPC, as you have now. Then once you are comfortable with how to work with external RDS, think on creating custom VPC as described.
I'm trying to use CDK (Typescript) to create an RDS (Postgres) instance within an ISOLATED subnet. As far as I understood, the default VPC created automatically in each of my account regions only has Public Subnets.
If I then want to launch a Fargate instance on top of one of those Public Subnets, do I need to create a VPC Peering between the ISOLATED subnet and the default VPC?
Any idea how to create that using CDK?
"Any idea how to create that using CDK?" -> yes:
Use AWS CDK to provision a new VPC similar to this. As you can see, there are subnets for public, applicational and database layers;
[OPTIONAL] For a better AWS CDK project organization, you can use multiple stacks like network (VPC resources), compute (Fargate resources), and database (RDS). You can pass the vpc on network stack to compute & database stacks;
Be sure that you set vpc on the ECS cluster and at load-balanced level (if applicable) and put RDS database in the isolated/database by using vpcSubnets attribute
To sum up, one VPC. No applicational or database exposed to the public. I have a git repo in case you want to look for sample code/template
VPC peering is when you have two VPC with different CIDR ranges. You have one VPC hence no need to use VPC peering.
I'm following AWS's instructions Scenario 2: VPC with Public and Private Subnets and am having issues at the point I try to launch a DB server.
When I launch my instance, all is fine and I am able to assign it to my newly created VPC. However, when it comes to launch the RDS, the only VPC available (on step 4, configure advanced settings) is the default VPC (ie not the one I created as per their instructions).
Has anyone any idea about this or indeed how to resolve it?
RDS requires a little more setup than an EC2 instance if you want to launch it within a VPC.
Specifically, you need to create:
a DB subnet group within the VPC
a VPC security group for the RDS instance
The documentation is a little buried in the AWS RDS documents. It can be found here:
Creating a DB Instance in a VPC