I am trying to create Worker Environmenton EBS with Sample Application of Node js which should use existing Security group on VPC.
I create this environment inside VPC (Virtual Private Cloud).
When I create this environment, I keep following configuration for VPC.
Security Group which is selected here is already exist.
In the next screen, I also select instance profile and service role which also exist.
While I create Environment with this setting, It does create Environment fine but it always create new Security group instead of using existing security group.
Why it always create new Security group and not use existing one ?
I want to reuse Security group and not create separate for each worker environment.
Appreciate if someone can guide me in right direction.
Thanks in advance.
Beanstalk uses the security group you asked for, but on creation it also creates a unique one for that configuration. If you launch your instance it will be in the security group as expected.
Instead of stopping it from being created, was able to modify its rules such that I changed to just allow port 22 access only from my private security group.
Namespace: aws:autoscaling:launchconfiguration
OptionName: SSHSourceRestriction
Value: tcp, 22, 22, my-private-security-group
Visit : https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#SSHSourceRestriction
Related
I would like to launch a single instance in each AZ(us-east-1a,us-east-1b).
I need to attach security Groups A,B,C to instance launching in subnet us-east-1a,
I need to attach security Groups D,E,F to instance launching in subnet us-east-1b, using launch configuration and autoscaling group in AWS via terraform.
please advise your thoughts
You'd have to script that as part of your userdata. An ASG will attach the same security group to all instances. Why do you want different ones in different subnets? Shouldn't all the instances in the ASG need the same access as all the others?
I'd also recommend using security group name/ID references instead of specific subnet ranges when possible
What are the roles required for the following
Start/Stop the VM
Connect to VM using Remote Desktop.I tried connecting with the IP the owner provided but i cannot connect.I have also tried viewing the Public IP but can't see anything in the Public IP field nor there i can see details under networking tab.
1: You could use the builtin role: VM Contributor, or if you want to scope it down even farther by making a custom role. *
2: There can be multiple reasons: Firewall blocks you, there is no public IP attached to the NIC, or perhaps the permissions are incorrect. So for your permissions you might need to be added as contributor (default role) on the resource group, or it can even be scoped down to just contirbutor on the VM itself.
In custom roles you can add as many resource provider operations as you want. These operations will define your permissions on the resources in Azure: https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Have a look at for example: Microsoft.Compute/virtualMachines
You will see many operations, including PowerOff/action
usually people tend to use the default roles, but I prefer making custom role templates to prevent possible security concerns.
When I create an AKS cluster using Azure portal I can see that new resource groups are created. It seems that I have no control over how they are named, especially the one with with "MC_" prefix. I also don't see an option to change its name when using ARM template.
In addition, if I create a cluster in customer's subscription, where I only have access to 1 resource group, I don't even see the newly created RG and can't manage it.
Is there a way to force deployment of all AKS components into a single resource group?
No, there is no way to force it at this point in time. As for the access, you should request access to that RG. No real workarounds.
Secondary resource group name can be inferred, I think, its something like:
MC_original-resource-group-name_aks-resource-name_location
it also creates OMS resource group (if you enable OMS) and Network Watcher (this can be disabled, btw, but its a provider setting). you have no control over that as well.
there is a not implemented yet nodeResourceGroup property: https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/createorupdate#examples
EDIT: this is actually working right now, so the nodeResourceGroup property can be used. But it would still be a new resource group, so you would still need to request access to that group and using this property is not possible with the portal (so ARM Templates\pulumi\terraform)
I am creating multiple servers on Azure using Terraform template in a same Azure "Resource group", However when i try to run the template for individual servers each time, it is deleting the previous server while creating for next one.
Any idea how i can i reuse the same template for creating multiple server in a same Resource Group.
Thanks.
Terraform is intended to be idempotent, meaning that reapplying the same template makes no changes. If you edit the template, Terraform will edit the environment to reflect any changes or deletions.
If you need multiple VMs, you have at least two options:
Define multiple VM resources in your template.
Define a VM scale set and simply specify the number of VMs that you need.
I was able to achieve this, Here is what i did.
I created 2 separate .tf files under different folders.
1) For creating Resource group, NSG, Storage account, Vnet
2) For creating public ip, network interface and VM itself.
So i could use second configuration file for creating multiple server by just changing the values though parameters
I'm having trouble creating an availability group listener for my newly created SQL 2012 Enterprise AG.
My AG resides on two virtual machines on top of Server 2012 Datacentre with the Hyper-V role. The VM's are part of my domain, and in a WSFC. Each VM has 4 subnets :
(a) 172.33.0.x for management
(b) 172.33.1.x for iSCSI communication
(c) 172.33.2.x for iSCSI communication
(d) 172.33.5.x for inter-VM communication
Only (a) and (d) are set in my cluster to allow cluster communication, and allow client connections.
Whenever I try to create a listener with this query
USE [master]
GO
ALTER AVAILABILITY GROUP [Sharepoint-System-DB-AvailabilityGroup]
ADD LISTENER N'SQL-SHP-AG01-L1' (
WITH IP
((N'172.33.5.203', N'255.255.255.0'),(N'172.33.0.203', N'255.255.255.0'))
, PORT=1433);
GO
I get this error :
Msg 19471, Level 16, State 0, Line 1
The WSFC cluster could not bring the Network Name resource with DNS name 'SQL-SHP-AG01-L1' online. The DNS name may have been taken or have a conflict with existing name services, or the WSFC cluster service may not be running or may be inaccessible. Use a different DNS name to resolve name conflicts, or check the WSFC cluster log for more information.
Msg 19476, Level 16, State 4, Line 1
The attempt to create the network name and IP address for the listener failed. The WSFC service may not be running or may be inaccessible in its current state, or the values provided for the network name and IP address may be incorrect. Check the state of the WSFC cluster and validate the network name and IP address with the network administrator.
I've tried :
Some online posts suggest I try and pre-stage the creation of the computer object in AD, which I did, same error
Set security settings on the Computer OU to allow the computers running the AG to create computer objects, same error
I have another cluster setup (for another AG), that also generates the same error
Something that might be related is, I regularly get one of the following errors on the owner node of the cluster :
Cluster network name resource 'Cluster Name' failed registration of one or more associated DNS name(s) for the following reason:
DNS server failure.
For this, I've tried :
Creating the A record manually, setting the "Allow all authenticated users to change this record"
Allowing "Everyone" full access to the DNS A record
Allowing non-secure updates to my domain's DNS records
Also to no avail, which makes me think there's something deeper wrong. Any suggestions?
We had the same problem. Resolution was to grant the computer object associated with the cluster group 'create computer' rights in Active Directory as per this link - http://technet.microsoft.com/en-us/library/cc731002%28WS.10%29.aspx#BKMK_steps_precreating
It's the cluster group computer object thats needs these permissions.
Open Active Directory Users and Computers, grant permission to the Cluster Name Object (CNO) in which the Availability Group will be created. Two permissions that need to be granted are:
"Read all properties" and "Create computer objects" to the CNO via the container. More details can be found in the following blog
http://blogs.msdn.com/b/psssql/archive/2013/09/30/error-during-installation-of-an-sql-server-failover-cluster-instance.aspx
An additional issue we had was having - versus _ in the name of the AOAG and listener. Once we recreated the AOAG using the underscore we were able to create the listener using an underscore also.
In our case, all the AD permissions were already in place - and yet it was failing to create the Listener with the same error message. In the end, we found that stopping and starting the Cluster Service on both of the Nodes (using cluadmin.msc) somehow rectified the problem and the Listener got created successfully.