Using Route53 as private DNS - dns

I would like to use Route53 as private DNS in order to map hosts to AWS private IP addresses.
The hosted zone we are using for testing is not declared in any registrar (company-test.com.).
The ActiveMQ server URL is activemq.company-test.com and it maps to (A record) the private IP address of the AMQ server. This URL is only reachable by other EC2 instances owned by the same AWS account.
My question is how to configure EC2 instances so they can reach the ActiveMQ server WITHOUT having to buy a new domain company-test.com?
Thank you!

You could assign an Elastic IP to your ActiveMQ instance.
Elastic IP addresses are static IP addresses designed for dynamic cloud computing. An Elastic IP address is associated with your account, not a particular instance, and you control that address until you choose to explicitly release it. Unlike traditional static IP addresses, however, Elastic IP addresses allow you to mask instance or availability zone failures by programmatically remapping your public IP addresses to any instance associated with your account.
Another option is to set up a Virtual Private Cloud (VPC), and launch your ActiveMQ instance there. Your private IP address will not change on reboot. Another feature of VPC is the use of Elastic Network Interfaces (ENI). You can move the interface between different instances if needed.

Related

Sticky Elastic IP on AWS EC2

A specific 'Elastic IP' is always associated with the EC2 instance launched from one of my custom AWS AMIs.
ubuntu#ip-:~$ sudo ip addr show lo
inet 157.XX.XX.235/32 scope global lo
It is also persistent across server restarts. Can't find any configuration for the elastic IP in /etc/network/interfaces.
Is this setting coming from EC2 instance metadata and cloud-init? Couldn't find anything in /var/log/ as well. There is no user supplied user_data.
Elastic IP addresses exist within the VPC networking layer and are used by Internet Gateways.
When traffic enters a VPC with an Elastic IP address as the destination, the Internet Gateway performs a reverse NAT and translates the public IP address into a private IP address within the VPC. The EC2 instance receives the request on its public IP.
When traffic is sent from an instance with an Elastic IP, the traffic comes 'from' the private IP address, but it is translated into the public IP address when it goes through the Internet Gateway.
So, an Amazon EC2 instance is never actually aware of its public IP address. It only sees traffic via its private IP address. This has the benefit that the Elastic IP address can be reassociated with another EC2 instance and no configuration changes are required on the old or new instances. It's magic!
I'm not familiar with the command you are using. When I run it on an Amazon Linux instance that has an Elastic IP address, the command does not show the public IP address of the instance. Perhaps this is different on Ubuntu, so somebody has configured it somewhere on the instance (which they should not do, since it could change through reassociation).

EKS DNS accessible inside private subnet

The question is: how to expose DNS names pointing to the EKS cluster. DNS should only be available inside our subnets and accessible with our VPN connection (which essentially means that DNS should point to addresses inside our VPC).
I have an EKS cluster which runs in the 10.0.0.0/16 VPC. Nodes are located inside private subnets, and services are exposed externally with ELB and Ingress Controller.
Since some of the services inside the VPC are only accessible inside of our company we have decided to run an OpenVPN server configured with routing to 10.0.0.0/16 through the VPN and the rest of the traffic going directly to the Internet. Currently the public DNS configured in Route53 points to our private addresses, which is not ideal (e.g. an A record for privateservice.example.com -> 10.0.1.1). It is not ideal (the existence of privateservice shouldn't be visible in a public DNS) but has worked for now.
To resolve the problem of private services in a public DNS I thought about running a Bind DNS server and configuring our OpenVPN to push this configuration to clients (couldn't get it to work on some client machines but I assume it will work).
However I have no idea how to expose some private services running inside the EKS cluster. As mentioned before, there are some services in the cluster which are available publicly through ELB. But in the same cluster I have a subset of services which should be available only inside our subnet.
Use a private hosted zone of Route 53 for private DNS resolving. It would be better to use an internal ELB to expose services in EKS.
Use Route53 Resolver for resolving AWS managed DNS on-premises.

Is there any equivalent to aws eip in azure? Apart from load balancer

We have an active-passive server setup, so we want to allocate a public IP to the active server. We are able to do this in AWS using an EIP. Is there any feature we can use in Azure just like EIP in AWS?
You could use static Public IPs in Azure. You could associate a Public IP to a VM's NIC then change the IP address assignment to static. Also, Azure DNS allows you to reach this IP via a Public custom DNS name.
We do support Static Public IPs in Azure today that is equivalent to Elastic IP in AWS. Static Public IPs can be mapped to a VM's NIC (elastic IP equivalent) or to a load balancer's Front end IP.
More details from the Azure feedback.
Apart from the Azure Load Balancer, you may be interested in Azure Traffic Manager, which is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness.

Source security group isn't working as expected in AWS

I have an EC2 node, node1 (security group SG1) which should be accessible from another EC2 node, node2 (security group SG2) on port 9200. Now, when I add an inbound rule in SG1 with port 9200 and specify SG2 as source in Custom IP section, I can't access node1 from node2. On the other hand, if I specify an inbound rule in SG1 with source as 0.0.0.0/0 or IP of node2, it works fine. What is wrong in my approach?
Are you attempting to connect to node1's public or private address? From the documentation:
When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. For example, incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group.
I've been burned on this before by trying to connect to an EC2 instance's public address... sounds very similar to your setup, actually. When you wire up the inbound rule so that the source is a security group, you must communicate through the source instance's private address.
Some things to be aware of:
In EC2 Classic, private IP addresses can change on stop/start of an EC2 instance. If you're using EC2 Classic you may want to look into this discussion on Elastic DNS Names for a more static addressing solution.
If you set up your environment in VPC, private IP addresses are static. You can also change security group membership of running instances.
Reason: Inter security-group communication works over private addressing. If you use the public IP address the firewall rule will not recognise the source security group.
Solution: You should address your instances using the Public DNS record - this will actually be pointed at the private IP address when one of your instances queries the DNS name.
e.g. if your instance has public IP 203.0.113.185 and private IP 10.1.234.12, you are given a public DNS name like ec2-203-0-113-185.eu-west-1.compute.amazonaws.com.
ec2-203-0-113-185.eu-west-1.compute.amazonaws.com will resolve to 203.0.113.185 if queried externally, or 10.1.234.12 if queried internally. This will enable your security groups to work as intended.
This will enable you to use an elastic IP as you simply use the Public DNS entry of the elastic IP. Also, having the DNS resolve to the internal IP means that you are not incurring bandwidth charges for your data between instances:
Instances that access other instances through their public NAT IP address are charged for regional or Internet data transfer, depending on whether the instances are in the same region.
The Public DNS didn't work for me.
What I did instead was create a custom inbound rule using the security group of the other instance.

Amazon EC2 - What is private DNS and private IP?

The details of an Amazon EC2 instance mention public DNS, private DNS and private IP. I know the public DNS can be used to reach the instance after configuring the security group.
I am not able to understand
What is private DNS?
What is private IP?
Why do we need these two when we have a public DNS to reach the instance?
EC2 instances are connected to a private local area network and given IP addresses on that network. Those are the 10.x.x.x addresses you see as the "private IP". Amazon provides a DNS service that associates names with those private IP addresses. That's the private DNS.
Unless you are on a VPC, Amazon also connects those private IP addresses to regular routable IP addresses, and gives DNS names that resolve to those public IPs. As near as I can tell, this is pretty much just like an Elastic IP address except that each time you shut the machine down and restart it, you'll get a different one instead of the same one each time.
A neat trick with the public DNS is that the same name will resolve to different addresses depending on who is asking. Machines on Amazon's private network (that is, other EC2 machines in the same AZ, maybe the same region) will have the public DNS resolve to the private IP. That way, traffic between machines inside EC2 stays inside EC2. Machines on the regular internet will have the public DNS resolve to the public IP.
