I just created a new site on my IIS on Amazon's EC2 and I was wondering if there is a way to access it publicly without assigning a domain.
In detail: I created a new site dev.example.com which is accessible when I am logged in to my instance. Is there a way to access it from outside by doing, let's say, 54.xxx.xx.xxx:80:dev.example.com?
I don't know if that's even possible, so any hints are appreciated.
You can definitely do this, but here's what you'll need to do:
Make sure IIS is configured to route any incoming connection on a particular IP address to your site. This is distinct from IIS specifically listening for a particular hostname (e.g. mywebsite.com).
As an alternative to the above, you could also manually set your DNS on your local computer and then use your web browser to visit mywebsite.com. From IIS's perspective, a user will have requested mywebsite.com just as if public DNS were set.
As far as the IP address you visit, your instance will either have an ephemeral Public IP Address which will be reset when the instance is stopped and started, or an Elastic IP Address, which persists across restarts.
As @Anthony Manzo mentioned, you'll need to make sure that your Security Group associated with this instance allows Port 80. In addition, you may want to disable Windows Firewall completely (or check that it allows Port 80 on all three "Zones"; Windows Firewall has 3 different zones to manage).
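The two halves of this answer, as an added PowerShell example that is not part of the original post: the server side adds a host-header-less binding and opens TCP/80 on all three firewall profiles rather than disabling the firewall; the client side adds the hosts-file override. The site name "dev.example.com", the IIS module names and the placeholder instance IP 54.0.0.1 are assumptions.

```powershell
# Added example, not from the original answer. Assumes IIS with the
# WebAdministration module and the NetSecurity module (Windows Server 2012+).

# --- Run ON THE EC2 INSTANCE ---
function Enable-PublicIpBinding {
    param([string]$SiteName = 'dev.example.com')   # assumed site name
    Import-Module WebAdministration
    Import-Module NetSecurity

    # A binding of *:80: (empty host header) makes IIS answer any request that
    # arrives on port 80, so http://<public-ip>/ reaches this site even though
    # the browser sends no matching Host: header.
    $has = Get-WebBinding -Name $SiteName -Protocol http |
        Where-Object { $_.bindingInformation -eq '*:80:' }
    if (-not $has) {
        New-WebBinding -Name $SiteName -Protocol http -IPAddress '*' -Port 80 -HostHeader ''
    }

    # Allow TCP/80 on all three profiles ("zones") instead of turning the
    # firewall off. The EC2 Security Group must allow port 80 separately.
    $ruleName = 'IIS HTTP (TCP 80)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 80 -Action Allow -Profile Domain,Private,Public
    }
    Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation
}

# --- Run ON THE CLIENT PC (the answer's hosts-file alternative) ---
function Add-HostsOverride {
    param(
        [string]$HostName = 'dev.example.com',
        [string]$InstanceIp = '54.0.0.1'   # placeholder for the instance's public/elastic IP
    )
    $hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    # Only append if no entry for this name exists yet (needs an elevated shell).
    $pattern = '\b' + [regex]::Escape($HostName) + '\b'
    if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
        Add-Content -Path $hostsPath -Value "$InstanceIp`t$HostName"
    }
    # Flush the resolver cache so the browser picks up the new mapping at once.
    Clear-DnsClientCache
}
```

With the hosts entry in place the browser requests http://dev.example.com/ with the right Host: header while the packets go to the instance IP, which is exactly what IIS sees once public DNS exists.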
AFAIK the IP addresses assigned to EC2 instances can change throughout their lifetime, and therefore you should instead generate an Elastic IP Address (which will always direct to your instance). That way, you don't have to deal with DNS yourself and are still always able to connect to your instance.
Have a look at the "Security Groups" on the left hand of your EC2 web console. You'll have to allow TCP 80 (and whatever else) in the Security Group (probably 'default') first.
I would like to set DNS records visible from instances inside the Google cloud.
For example if I query DNS from my PC I'll get one IP; however if I query DNS from the instance I'll get another IP. (A record to be exact)
Ideally I'd like to do this in the most sane/convenient way possible; I could install a caching DNS server on every instance and set up authoritative results, and forward caching for the rest (I guess bind9 can do that, never tried it before). But this is a configuration sync mess, and it's not elegant. I kinda assume there might exist a better way.
One solution is to use totally different zones for different sets of machines and use the DNS search path to select.
So for example you could set up
server1.internal.yourdomain.com IN A 1.2.3.4
server1.external.yourdomain.com IN A 5.6.7.8
Then set up your machines with resolv.conf containing either
search internal.yourdomain.com
or
search external.yourdomain.com
And then when you look up server1 on such a machine it will return the address from the appropriate zone. This scheme means you don't need to rely on complex routing or IP detection. You will be immune to incidents where internal or external IPs get leaked into each other's results.
Of course this does mean that you aren't keeping any IP addresses secret, so make sure you have other security layers in place (you probably shouldn't rely on secret IPs for security anyway).
Assuming you want your VM instances to be able to query other instances by name, and retrieve the desired instance’s private IP, this is already baked into GCP.
Google Cloud Platform (GCP) Virtual Private Cloud (VPC) networks have an internal DNS service that allows you to use instance names instead of instance IP addresses to refer to Compute Engine virtual machine (VM) instances.
Each instance has a metadata server that also acts as a DNS resolver for that instance. DNS lookups are performed for instance names. The metadata server itself stores all DNS information for the local network and queries Google's public DNS servers for any addresses outside of the local network.
[snip]
An internal fully qualified domain name (FQDN) for an instance looks like this:
hostName.c.[PROJECT_ID].internal
You can always connect from one instance to another using this FQDN.
Otherwise, if you want to serve up entirely arbitrary records to a set of machines, you’ll need to serve those records yourself (perhaps using Cloud DNS). In this case, you’d need to reconfigure the resolv.conf file on those instances appropriately (although you can’t just change the file as you see fit). Note that you can't restrict queries to only your own machines, but as David also mentioned, security through obscurity isn't security at all.
Google Cloud DNS Private DNS was just announced to beta and does exactly what you need.
I need to set up a custom DNS server within EC2. I have one instance that acts as the DNS server, and N other instances that use this DNS server to connect to one another. Is this possible? Basically, I need to modify the DHCP settings for the N instances so that they connect to the DNS server. I can't find any good documentation on modifying the DHCP settings for an instance.
Note: I did find some documents, but they seem to only apply to Amazon VPC. Is there any way to do this without using VPC?
Short answer - no. You need a VPC. But once you have the VPC created - you can effectively do whatever you like with it.
Long answer - traditional AWS hosting gets an address directly from Amazon. This means you've got no control whatsoever of the IP addresses.
New accounts however come with a VPC by default, which means you can install a machine to act as a DNS server. (And I've done this in the past using Windows Active Directory)
I have set up an EC2 instance and an Elastic IP which is associated to the instance. I have also set an A record in my DNS provider's Zone editor so that the domain name points to the elastic IP e.g. example.com = 123.123.123.123.
After reading many posts, this seems like it should be enough to work but my domain name still isn't resolving. I can't even ping the IP address! Weirdly I CAN ssh into the EC2 instance via the elastic IP and everything seems fine, except that my domain name doesn't resolve to the EC2 instance!
Any thoughts?
DNS names take a while to propagate so that is probably your first issue.
Go to http://www.whatsmydns.net/ and enter your domain name. If all of the locations are returning the correct IP then you can safely assume it's not a DNS propagation issue.
Enable ICMP rules in the security group. If using the aws console create a new rule for "All ICMP" with a source of "0.0.0.0/0". Enabling this creates a security risk for your server so only enable this temporarily while testing. At this point you should be able to ping your instance.
If using HTTP or HTTPS enable the correct ports on the security group for those protocols and as long as the instance is configured correctly with Apache you should be up and running.
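The checks in this answer scripted from a Windows client, as an added example that is not part of the original post: it asks several public resolvers for the A record (the same idea as the whatsmydns.net check) and then tests the elastic IP by TCP port, since the Security Group drops ICMP unless an "All ICMP" rule is added, so a failed ping says nothing about SSH or HTTP. The domain, expected IP and resolver list are assumed values; example.com and 123.123.123.123 come from the question.

```powershell
# Added example, not from the original answer. Assumes a Windows client with
# the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later).
function Test-ElasticIpSetup {
    param(
        [string]$Domain     = 'example.com',       # from the question
        [string]$ExpectedIp = '123.123.123.123',   # the elastic IP in the A record
        [int[]] $Ports      = @(22, 80)            # SSH (known to work) and HTTP
    )

    # 1. DNS propagation: query independent resolvers directly (-DnsOnly skips
    #    the local hosts file and cache). A resolver that returns nothing, or a
    #    different address, is still serving stale data for this name.
    $resolvers = @('8.8.8.8', '1.1.1.1', '9.9.9.9')   # assumed public resolvers
    foreach ($r in $resolvers) {
        $answers = Resolve-DnsName -Name $Domain -Type A -Server $r -DnsOnly `
                       -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' } |
                   Select-Object -ExpandProperty IPAddress
        $state = if ($answers -contains $ExpectedIp) { 'OK  ' } else { 'MISS' }
        '{0,-10} {1} {2}' -f $r, $state, ($answers -join ',')
    }

    # 2. Reachability by port, not by ping. TcpTestSucceeded=True for 22 but
    #    False for 80 means the Security Group or the web server is the problem,
    #    not DNS; False for both means the group (or the instance) is blocking.
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $ExpectedIp -Port $p -WarningAction SilentlyContinue
        '{0}:{1,-4} TcpTestSucceeded={2}' -f $ExpectedIp, $p, $t.TcpTestSucceeded
    }
}

Test-ElasticIpSetup
```

If every resolver reports OK but port 80 fails while 22 succeeds, the fix is in the Security Group rule for HTTP or in the Apache configuration, and no temporary ICMP rule is needed to find that out.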
Please check your EC2 security group and make sure the desired ports are open.
Test case:
Created new cloud project with standard asp.net web site template.
Deployed.
The default configuration defines an endpoint on port 80 without any host headers.
I would have thought this translates to a binding of
*:80:
However, it actually creates a binding of:
10.211.196.111:80:
Where 10.211.196.111 is an IP address of the web role instance.
If we look at the available IP addresses on the machine we have 2:
10.211.196.111
2001:0:4137:9e76:c8c:387d:f52c:3b90
What's interesting is that if we change our IIS binding to listen on all IP addresses *:80 the web site actually stops working. Instead we get a 503 - Service unavailable error.
Why is this important to me? Well, we've recently been making use of the Azure Accelerator for web roles and have found that it does not work if you don't specify a host name. The reason, as explained above, is that it will interpret an empty host name as *:80, which of course results in the 503 error.
So the first question is - could someone explain this behaviour (why listening on all IP addresses doesn't work) and what that second IP address is used for?
Since it looks like I need to patch the azure accelerator so that it uses a specific IP address of the instance, what's the recommended way of finding this? Do you think it's safe to look for an adapter that starts with Microsoft Virtual Machine Bus Network Adapter or perhaps a specific subnet?
Thanks,
Ben
I believe the other IP address is for a second network adapter in the VM that's used for internal communication between the VMs and the fabric controller. It's possible you don't have permission to bind to that other address (so the wildcard "all unassigned IP addresses" mapping doesn't work).
However, I'm not quite convinced of that. If (which is I believe what you're saying) the Windows Azure Accelerator for Web Roles binds everything to *:80:hostname, that seems like evidence that you can do bindings like that.
In any case, to get the IP address, you'd just use RoleEnvironment.CurrentRoleInstance.Endpoints["name"].IPEndpoint. I think for name you'll want HttpIn for the accelerator. You can try using that IP address instead of "*" in that code and see if it helps, but note that the management UI itself has a wildcard mapping, so you're likely to have some sort of conflict (and be unable to make other management changes) unless you also change the management UI to listen on a specific hostname.
My farm consists of two front end (FE) web servers that are managed by a load balancer. One FE went down so we configured the load balancer to only send traffic to the other FE. We rebuilt the failed FE and rejoined the farm which appears to have worked successfully (looking at IIS). I want to test the new FE before configuring the Load Balancer to use the new server.
The approach I took was to add the IP/URL to my host file that pointed to the new server but nothing comes up.
Any advice would be great. Thanks
How you would normally do this is to add an AAM entry for the server's hostname.
For example: intranet.domain.com resolves to your NLB, which then distributes requests to SharePoint servers called WFE1, WFE2, etc.
If you check SharePoint's AAM (Central Administration > Operations > Alternate Access Mappings) you should have intranet.domain.com as the URL for the default zone (and you should only have one default zone entry per web application).
If you add WFE1/WFE2 etc. to the AAM under the custom zone so the internal URL (WFEx) is mapped to the public URL (intranet.domain.com), then you should be able to go directly to your WFE by using the address http://WFEx/ in your browser.
As long as your DNS server is set up correctly this will work from any computer on your network regardless of whether it's part of the NLB farm or not, which is essential for troubleshooting.
If you can't do this, check that a ping to WFEx is returning the server's IP address and not some other address such as the NLB/firewall etc.
MSDN - What every SharePoint administrator needs to know about Alternate Access Mappings
You need to edit the internal URL based on the user profile. You can also edit the user permission if the anonymous user tries to access WFE1 instead of WFE2.
If you are currently using hardware load balancing (and both servers sit behind it) you will probably need to add a new virtual IP address to your load balancer that connects only to the new FE before re-introducing it into the farm.
Add this virtual IP address to your hosts file for your domain name and you should be able to test it individually.
What if you add the IP/URL of the working FE server to your hosts file? Does nothing come up then? Also, be careful about spaces vs. tabs vs. multiple spaces in your hosts file:
http://geekswithblogs.net/JanS/archive/2009/06/17/beware-of-spacing-in-windows7-hosts-file.aspx
So you've made a hosts file entry that points the cluster DNS name to one of the WFE's private IP addresses?
Make sure you can see that IP address. Sometimes only the cluster IP address is visible to the outside and not the servers' private IPs.
I usually add a hosts file entry for the cluster DNS name to each WFE. That way I can remote desktop to a machine and test it locally there. I do have remote desktop access.