When you edit an AWS security group, the changes are automatically applied to any EC2 instances associated with the security group.
When you change the launch configuration for your Auto Scaling group, any new instances are launched using the new configuration parameters, but existing instances are not affected.
So, my question is what happens when you edit the security group used by your Auto Scaling launch config? Are the changes applied only to new instances? Or do existing instances get the new security group rules as well?
Thanks!
Existing instances in the Auto Scaling Group will see any rule changes to the security group.
Related
When an ENI is created, at least one security group has to be attached to it, and it's the same for EC2 instances. Why do we have to mention a security group in both of them separately when it works the same?
What happens if you attach a security group to an instance and attach an existing ENI to that instance with a different security group as its primary ENI? Will that ENI be modified after it's detached from the instance?
What will happen if an instance with multiple ENIs uses different security groups?
Is attaching a security group to an ENI the same as attaching a security group to an instance?
Yes. In fact, technically you don't attach an SG to an instance, but to the ENI associated with the instance.
Also, what will happen if an instance with multiple ENIs uses different security groups?
Yes. Each ENI can have its own set of SGs.
An EFS file system was temporarily set up for use with two EC2 instances in different availability zones. Security groups were automatically created for each subnet within the region in which the EFS was launched. This region has three availability zones, so three subnets and thus three security groups. Looking at the security groups' description details the SGs' creation:
The EFS and the EC2s to which the EFS was attached have now all been terminated/deleted. However, when attempting to delete the security groups, I get the following notification for each:
Clicking on the link "1 security group associated" for details of why security group sg-053f4a90837fda586 cannot be deleted shows that the associated security group is sg-0f481995d4e99ac12. Upon attempting to delete sg-0f481995d4e99ac12, the same information says that it cannot be deleted as it is associated with sg-053f4a90837fda586. So sg-053f4a90837fda586 cannot be deleted because sg-0f481995d4e99ac12 exists, and vice versa.
Attempting to delete both at the same time gives the same issue:
What is the error in my approach?
This error can happen when the security group you are trying to delete is referenced in a rule of another security group.
To fix this, in each security group remove the rule that is referencing the other group.
Then, delete the security groups themselves.
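As an added example (not code from the answer above), this Python script takes the JSON that `aws ec2 describe-security-groups` returns, finds every rule that references another group, and produces the revoke-then-delete order the answer describes. The group IDs are the two from the question; the rules, the third group and the rule ports are constructed sample data, not the asker's real configuration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The first two group IDs come from the question; the rules and the third group are assumed.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-053f4a90837fda586", "GroupName": "efs-mt-a", "IpPermissionsEgress": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                        "UserIdGroupPairs": [{"GroupId": "sg-0f481995d4e99ac12"}]}]},
    {"GroupId": "sg-0f481995d4e99ac12", "GroupName": "efs-mt-b", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
                              "UserIdGroupPairs": [{"GroupId": "sg-053f4a90837fda586"}]}]},
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "default",   # constructed VPC default SG
     "IpPermissions": [], "IpPermissionsEgress": []},
]})

def referencing_rules(describe_json):
    """Return {group_id: [(referencing_group, direction, rule), ...]}: every rule in
    another group that names this group. Any non-empty entry makes DeleteSecurityGroup
    fail with DependencyViolation until that rule is revoked."""
    groups = json.loads(describe_json)["SecurityGroups"]
    refs = {g["GroupId"]: [] for g in groups}
    for g in groups:
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for rule in g.get(key, []):
                for pair in rule.get("UserIdGroupPairs", []):
                    target = pair.get("GroupId")
                    if target in refs and target != g["GroupId"]:
                        refs[target].append((g["GroupId"], direction, rule))
    return refs

def deletion_plan(describe_json):
    """Order the work as the answer describes: revoke each cross-reference first, then
    delete the groups. The VPC default group is left out, since it cannot be deleted."""
    groups = json.loads(describe_json)["SecurityGroups"]
    deletable = [g["GroupId"] for g in groups if g["GroupName"] != "default"]
    plan = []
    for target, entries in referencing_rules(describe_json).items():
        for src, direction, rule in entries:
            # Rebuild only the pair that points at `target`, so other pairs in the rule survive.
            perm = {k: rule[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in rule}
            perm["UserIdGroupPairs"] = [{"GroupId": target}]
            plan.append(f"aws ec2 revoke-security-group-{direction} --group-id {src} "
                        f"--ip-permissions '{json.dumps([perm])}'")
    plan += [f"aws ec2 delete-security-group --group-id {gid}" for gid in deletable]
    return plan

if __name__ == "__main__":
    print("\n".join(deletion_plan(SAMPLE)))
```

The script only prints the CLI commands; review them before running, since revoking a rule on a group that is still in use removes that access immediately.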
As far as I can see, you might be using the default SG, which cannot be deleted, as mentioned here:
Troubleshoot delete SG
All VPCs have a default security group. If you don't specify a different security group when you launch the instance, a default security group is automatically associated with your instance. You can't delete a default security group. But, you can change the default security group's rules.
I have a running EC2 instance with a few security groups added. What I want to do is remove one of the security groups and add a new one.
I think there will be no problem in adding a new security group. But is it possible to remove a security group without terminating the existing EC2 instance and creating a new one from the AMI?
Yes, it is possible both to add and remove security groups. In the AWS web console, go to the EC2 Instances page, right-click on the instance you want to change -> Networking -> Change Security Group.
You can easily check that it is done without terminating or even stopping the instance.
FWIW, you can also change the inbound/outbound rules of the current security group instead of removing it and adding a new one. Changes to inbound/outbound rules also take effect immediately with no need to stop EC2.
From the AWS documentation, this is how you can remove a security group from an instance:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, choose Instances.
3. Select your instance, and then choose Actions, Security, Change security groups.
4. For Associated security groups, select a security group from the list and choose Add security group.
5. To remove an already associated security group, choose Remove for that security group.
6. Choose Save.
I should start by saying that this is only me playing with AWS, which is why there is nothing about configuring VPC and subnets.
I'd like to launch 2 EC2 instances with an Apache server inside through a Scaling Group. I'd also like these instances to get registered with an ELB and be reachable only through the ELB (so no direct access to instances). I associated the ELB with both the VPC's default Security Group and a custom one that allows inbound requests from my IP via port 80. On the other hand, I configured a Launch Configuration (as part of creating the Scaling Group) that associates instances with only the VPC's default security group.
Problems
1- ELB can't reach instances and fails the health check. If I create another Launch Configuration that associates instances with both the default and my custom security groups, the ELB can then reach the instances. Why? The custom security group has only inbound rules from my IP.
2- Even if I change the instances' network configuration directly and associate the custom Security Group, it makes no difference. I have to recreate the Launch Configuration and Scaling Group with the new configuration so that, when created, the new association gets propagated to instances. Is this expected behaviour? Why wouldn't the AWS console then disable the options to edit an instance's config if it was launched through a Scaling Group?
I'm sorry if it feels like a dumb question to you. But I have to know this.
What is the use of "Attach to Auto-scaling Group" in AWS?
Let me be more specific about this question.
Suppose I have an auto-scaling group with a launch configuration. Let's name it ABC-asg. I used ami-12345 for that launch configuration.
Now I have another instance from ami-56789. Let's name my instance xyz; I've installed some packages in it.
I attached my instance xyz to the autoscaling group ABC-asg. But the new instances launched by that ASG are using ami-12345.
My questions are:
1. What is the use of attaching my instance to an existing auto-scaling group?
2. If it is about the "different AMI" in my instance, then if I attach an instance with the "same AMI", will my packages be replicated to the next instances launched by the ASG?
Please someone help me with this question.
The Attach to Auto-scaling Group simply adds the given instance to the Auto Scaling group. This means the instance will be part of the group of instances that can receive traffic from a Load Balancer associated with the group and it also means that Auto Scaling might Terminate the instance when scaling-in a group.
The only difference with an instance attached to an Auto Scaling group in this manner is that it was not created by Auto Scaling.
So, why have such a command? Here are a few scenarios:
You have a new version of software or a different server configuration that you wish to test. You can attach the instance to the Auto Scaling group and monitor its performance without having to update the whole group.
You have an instance in an Auto Scaling group that is misbehaving. You can remove it from the group with the Detach Instances command and examine the instance to perform forensic analysis to determine what is going wrong. You could then put it back into the group with the Attach Instances command.
AWS customers asked for the ability
Attaching/detaching an instance in no way affects your Launch Configuration. Any additional instances launched by Auto Scaling will not be impacted by an attach/detach command -- they will launch using the existing Launch Configuration.