Tuesday, July 31, 2012

How to allow AWS EC2 servers in an VPC public subnet accessing external resources without having an Elastic IP Address assigned to it

Amazon's EC2 Virtual Private Cloud feature is very useful, it allows for much more control of the network architecture and provides additional features such as the possibility to add more IP addresses per instance.

Typically, a VPC consists of at least a public subnet, hosting publicly accessible servers and one or more private subnets hosting more sensitive servers such as a database server. The servers in the private subnet are obviously not accessible from the outside, but they still can communicate with external resources through a NAT instance.

Servers in the public subnet are only accessible when they are assigned an Elastic IP Address or through a load balancer (e.g. AWS ELB service).

So far so good. Something less obvious is that if a server in the public subnet does NOT have an elastic IP address assgned (e.g. it is connected to a load balancer) it also loses the capability of accessing external resources. This would be a show stopper, as for instance it is much more difficult to allow these servers to auto-configure themselves upon launch.

Well, wait, we have this NAT service, haven't we? Yes, we have but by default it is not possible for servers in the public subnet to use this NAT instance. Changing the VPC route tables is not going to work, as it will break the connectivity of the EIP-attached servers in the public subnet.

In order to still allow EIP-less public servers to use the NAT instance, the network configuration of these instances must be modified to point the default gateway to this NAT instance. This requires a static IP configuration of course, and to avoid running into all kind op IP conflicts it is possible to let AWS hand out the IP address using DHCP and then convert upon launch time (e.g. using a cloud-init script) to a static configuration with the desired default gateway.

4 comments:

  1. It seems the life would be easier if the Nat instance was configured with the 10.0.0.1 private IP address. As other instances have 10.0.0.0/16 10.0.0.1 as a default.

    ReplyDelete
  2. That is also a creative solution, but I doubt it will work. The default gateway will take care of routing between all subnets, and unless you'll instruct the NAT how to do that I presume it won't work. Have you tried it? Can you post your findings?

    ReplyDelete
  3. Having the exact same problem... How did you solve it?
    Thanks

    ReplyDelete
  4. Well, first of all you could consider putting your servers in a private subnet, and use the nat. This the default of course. But if you really need it: launch the server, it will get an ip by dhcp and then change the default gateway to be the ip of the nat instance. For this, I used a cloudinit script

    ReplyDelete