Sticky Elastic IP on AWS EC2 - linux

A specific 'Elastic IP' is always associated with the EC2 instance launched from one of my custom AWS AMI.
ubuntu#ip-:~$ sudo ip addr show lo
inet 157.XX.XX.235/32 scope global lo
It is also persistent across server restarts. Can't find any configuration for the elastic IP in /etc/network/interfaces.
Is this setting coming from EC2 instance metadata and cloud-init? Couldn't find anything in /var/log/ as well. There is no user supplied user_data.

Elastic IP addresses exist within the VPC networking layer and are used by Internet Gateways.
When traffic enters a VPC with an Elastic IP address as the destination, the Internet Gateway performs a reverse NAT and translates the public IP address into a private IP address within the VPC. The EC2 instance receives the request on its public IP.
When traffic sent from an instance with an Elastic IP, the traffic comes 'from' the private IP address, but it is translated into the public IP address when it goes through the Internet Gateway.
So, an Amazon EC2 instance is never actually aware of its public IP address. It only sees traffic via its private IP address. This has the benefit that the Elastic IP address can be reassociated with another EC2 instance and no configuration changes are required on the old or new instances. It's magic!
I'm not familiar with the command you are using. When I run it on an Amazon Linux instance that has an Elastic IP address, the command does not show the public IP address of the instance. Perhaps this is different on Ubuntu, so somebody has configured it somewhere on the instance (which they should not do, since it could change through reassociation).

Related

EC2 instance changed public IP address. Can I get the old IP address back again?

My Amazon EC2 instance was running for the past 3 months.
For some reason, the instance was stopped and started. This caused the instance to change its Public IP address. Can I get the same IP address back again for the instance?
You can't get your previous IP back. By default IP provided by AWS is temporary and changes after each restart of an instance.
To overcome this issue, you should get Elastic IP for your instance. It is static IP address which will persist between instance stops and starts. Elastic IP is free for as long as it is attached to a running instance:
To ensure efficient use of Elastic IP addresses, we impose a small hourly charge if an Elastic IP address is not associated with a running instance, or if it is associated with a stopped instance or an unattached network interface.

EADDRNOTAVAIL while using EC2 instance only

My node application is listening to port 8080. When I add
app.listen(port,'50.30.217.289');
I can access the application from the browser. But when I replace the IP address with the Elastic IP address of my EC2 instance, I get an error :
EADDRNOTAVAIL
How do I fix this ?
What you are trying to do is not how it works in EC2.
The public IP address is mapped to the primary private IP address through network address translation (NAT).
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html
If you examine your network interfaces on the machine, you won't find any public IP addresses on them. The public IP addresses are translated onto the private addresses at the Internet gateway. This is done automatically with no configuration needed, for instances with public IP addresses.
To bind a service to a specific public address, you bind it to the matching private IP address on the instance itself.
EADDRNOTAVAIL means your EC2 instance does not have a network interface that has that IP address assigned, so you cannot start listening on it.

Source security group isn't working as expected in AWS

I have an EC2 node, node1 (security group SG1) which should be accessible from another EC2 node, node2 (security group SG2) on port 9200. Now, when I add an inbound rule in SG1 with port 9200 and specify SG2 as source in Custom IP section, I can't access node1 from node2. On the other hand, if I specify an inbound rule in SG1 with source as 0.0.0.0/0 or IP of node2, it works fine. What is wrong in my approach?
Are you attempting to connect to node1's public or private address? From the documentation:
When you specify a security group as the source or destination for a
rule, the rule affects all instances associated with the security
group. For example, incoming traffic is allowed based on the private
IP addresses of the instances that are associated with the source
security group.
I've been burned on this before by trying to connect to an EC2 instance's public address... sounds very similar to your setup, actually. When you wire up the inbound rule so that the source is a security group, you must communicate through the source instance's private address.
Some things to be aware of:
In EC2 Classic, private IP addresses can change on stop/start of an EC2 instance. If you're using EC2 classic you may want to look into this discussion on Elastic DNS Names for a more static addressing solution.
If you set up your environment in VPC, private IP addresses are static. You can also change security group membership of running instances.
Reason: Inter security-group communication works over private addressing. If you use the public IP address the firewall rule will not recognise the source security group.
Solution: You should address your instances using the Public DNS record - this will actually be pointed at the private IP address when one of your instances queries the DNS name.
e.g. if your instance has public IP 203.0.113.185 and private IP 10.1.234.12, you are given a public DNS name like ec2-203-0-113-185.eu-west-1.compute.amazonaws.com.
ec2-203-0-113-185.eu-west-1.compute.amazonaws.com will resolve to 203.0.113.185 if queried externally, or 10.1.234.12 if queried internally. This will enable your security groups to work as intended.
This will enable you to use an elastic IP as you simply use the Public DNS entry of the elastic IP. Also, having the DNS resolve to the internal IP means that you are not incurring bandwidth charges for your data between instances:
Instances that access other instances through their public NAT IP
address are charged for regional or Internet data transfer, depending
on whether the instances are in the same region.
The Public DNS didn't work for me.
What I did instead was create a custom inbound rule using the security group of the other instance.

Amazon EC2 - What is private DNS and private IP?

The details of Amazon EC2 mentions Public DNS, private DNS and private IP. I know public DNS can be used to reach the instance after configuring the security group.
I am not able to understand
What is private DNS?
What is private IP?
Why do we need these number these two when we have public DNS to reach the instance?
EC2 instances are connected to a private local area network and given IP addresses on that network. Those are the 10.x.x.x addresses you see as the "private IP". Amazon provides a DNS service that associates names with those private IP addresses. That's the private DNS.
Unless you are on a VPC, Amazon also connects those private IP addresses to regular routable IP addresses, and gives DNS names that resolve to those public IPs. As near as I can tell, this is pretty much just like an Elastic IP address except that each time you shut the machine down and restart it, you'll get a different one instead of the same one each time.
A neat trick with the public DNS is that the same name will resolve to different addresses depending on who is asking. Machines on Amazon's private network (that is, other EC2 machines in the same AZ, maybe the same region) will have the public DNS resolve to the private IP. That way, traffic between machines inside EC2 stays inside EC2. Machines on the regular internet will have the public DNS resolve to the public IP.

Using Route53 as private DNS

I would like to use Route53 as private DNS in order to map hosts to AWS private IP addresses.
The hosted zone we are using for testing is not declared in any registrar (company-test.com.).
The ActiveMQ server url is activemq.company-test.com and it maps to (A record) private IP address of the AMQ server. This url is only reachable by other ec2 owned by the same aws account.
My question is how to configure ec2 instances so they could reach the ActiveMQ server WITHOUT having to buy a new domain company-test.com ?
Thank you!
You could assign an Elastic IP to your ActiveMQ instance.
Elastic IP addresses are static IP addresses designed for dynamic
cloud computing. An Elastic IP address is associated with your
account, not a particular instance, and you control that address until
you choose to explicitly release it. Unlike traditional static IP
addresses, however, Elastic IP addresses allow you to mask instance or
availability zone failures by programmatically remapping your public
IP addresses to any instance associated with your account.
Another option is to set up a Virtual Private Cloud (VPC), and launch your ActiveMQ instance there. Your private IP address will not change on reboot. Another feature of VPC is the use of Elastic Network Interfaces (ENI). You can move the interface between different instances if needed.

Resources