My ECS service is using EC2 instances, and ENIs are attached to those EC2 instances. Is there any way to prevent the default security group from being attached to those ENIs, so that only the custom security groups are attached?
I'm having trouble communicating between EC2 and ECS.
When I send a request to ECS from an EC2 instance that has the same security group as ECS, I get a timeout error.
However, ECS can receive the request from outside.
Security group A allows all of its own traffic.

EC2 Instance
  - private subnet A
  - security group A
ECS Load Balancer (internet facing)
  - public subnet A
  - security group A (for internal communication)
  - security group B (for external communication)
ECS Container
  - private subnets A and B
  - security group A
When you send traffic to a public facing load balancer it exits the VPC and comes back in. When the traffic exits the VPC it is no longer associated to a security group. Thus the security group no longer sees the traffic as coming from "itself" and it blocks the request.
I have a database server on an EC2 instance, and I want it to be accessible by an Elastic Load Balancer cluster.
I tried adding the subnet of the Load Balancer to the security groups of the database EC2 instance.
There must be some way to give the whole cluster of EC2 instances created by the ELB and autoscaling access to a single EC2 instance.
Your question isn't too clear, but it appears your scenario is:
Internet -> ELB -> EC2 fleet -> Database (on EC2 instance)
You have a database running on a single EC2 instance
You have multiple EC2 instances running an application that connect to the database
You have an Elastic Load Balancer that accepts traffic from the Internet and distributes it to the EC2 instances running the application
You should configure the following Security Groups:
ELB-SG: Configure this security group to allow incoming web traffic from the Internet (0.0.0.0/0). Associate the security group to the Load Balancer.
App-SG: Configure this security group to allow incoming web traffic from ELB-SG. Associate the security group with every instance in the application fleet. If the EC2 instances are launched via Auto Scaling, then associate the security group with the Launch Configuration.
DB-SG: Configure this security group to allow incoming traffic from App-SG. Associate the security group to the EC2 instance running the database.
When I say "allow incoming traffic from xxx-SG", I mean that you should enter the name of the incoming security group in the Source field when configuring the security group. This will automatically insert the unique name of the security group (sg-xxxx). It means that any resource associated with the referenced security group will be allowed incoming access on the nominated port.
You should avoid using an IP address or CIDR range in a security group, because they can change (e.g. if you launch another EC2 instance). By referencing a security group by name, it will automatically update as instances are added/removed.
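The two answers above both turn on one property of security groups: a rule whose source is another security group matches on the sender's group membership, not on its address, and traffic that has left the VPC (for example through an internet-facing load balancer) arrives with no group association at all. The following is an added example, not code from either answer: a small Python model of that evaluation, run over the ELB-SG / App-SG / DB-SG chain and over the self-referencing group from the EC2/ECS question. All group ids, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    """One ingress rule: protocol, port range and exactly one source,
    either a CIDR range or a referenced security-group id."""
    protocol: str
    from_port: int
    to_port: int
    cidr: Optional[str] = None
    source_group: Optional[str] = None


@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    protocol: str = "tcp"
    # Groups attached to the sending ENI. Empty when the packet entered from
    # outside the VPC: such traffic carries no security-group association.
    src_groups: FrozenSet[str] = frozenset()


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != pkt.protocol:
        return False
    if not rule.from_port <= pkt.dst_port <= rule.to_port:
        return False
    if rule.source_group is not None:
        # A group-referenced source matches on membership, never on address.
        return rule.source_group in pkt.src_groups
    return ip_address(pkt.src_ip) in ip_network(rule.cidr)


def ingress_allowed(group: SecurityGroup, pkt: Packet) -> bool:
    """Security groups are allow-lists: any matching rule admits the packet."""
    return any(rule_matches(r, pkt) for r in group.ingress)


# Constructed ids; real ones look like sg-0123456789abcdef0.
ELB_SG = SecurityGroup("sg-elb-EXAMPLE", [Rule("tcp", 443, 443, cidr="0.0.0.0/0")])
APP_SG = SecurityGroup("sg-app-EXAMPLE", [Rule("tcp", 8080, 8080, source_group="sg-elb-EXAMPLE")])
DB_SG = SecurityGroup("sg-db-EXAMPLE", [Rule("tcp", 5432, 5432, source_group="sg-app-EXAMPLE")])
# Self-referencing group, as in the EC2/ECS question: TCP on any port from itself.
SELF_SG = SecurityGroup("sg-self-EXAMPLE", [Rule("tcp", 0, 65535, source_group="sg-self-EXAMPLE")])


def scenarios() -> dict:
    elb = frozenset({ELB_SG.group_id})
    app = frozenset({APP_SG.group_id})
    own = frozenset({SELF_SG.group_id})
    return {
        "elb_from_internet": ingress_allowed(ELB_SG, Packet("203.0.113.5", 443)),
        "app_from_elb": ingress_allowed(APP_SG, Packet("10.0.1.10", 8080, src_groups=elb)),
        "db_from_app": ingress_allowed(DB_SG, Packet("10.0.2.20", 5432, src_groups=app)),
        # The chain is strict: neither the ELB nor the Internet reaches the database.
        "db_from_elb": ingress_allowed(DB_SG, Packet("10.0.1.10", 5432, src_groups=elb)),
        "db_from_internet": ingress_allowed(DB_SG, Packet("203.0.113.5", 5432)),
        # Direct call between two members of the self-referencing group: allowed.
        "self_direct": ingress_allowed(SELF_SG, Packet("10.0.1.10", 80, src_groups=own)),
        # Same caller, but via an internet-facing load balancer: the packet left
        # the VPC and returns from a public address with no group attached.
        "self_via_public_lb": ingress_allowed(SELF_SG, Packet("203.0.113.9", 80)),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DENY'}")
```

The last two scenarios are the EC2/ECS timeout from the earlier question: the same instance is admitted when it calls a group member directly and refused when its request hairpins through the public load balancer, because the model (like the VPC) has nothing to match a group reference against once the packet carries no group.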
We are using AWS CodePipeline, and at the build step we want to call an API hosted on an EC2 instance. That EC2 instance has a security group with some inbound rules. Is there any way to find out the CIDR of the CodeBuild Docker fleet, so we can add it to the EC2 security group's inbound rules and every stage of CodePipeline can call that API?
The range of public IP addresses used by the AWS CodeBuild build fleet is published here: http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
You can use the published range for each region in your security group rules.
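The published ranges are a JSON document whose "prefixes" and "ipv6_prefixes" lists carry an "ip_prefix"/"ipv6_prefix", a "region" and a "service" per entry. Below is an added example, not code from the answer, that filters such a document down to one service in one region and shapes the result into the IpPermissions entry that boto3's authorize_security_group_ingress call accepts. The document embedded in the block is a constructed stand-in with the real field names and documentation-range addresses; the real file is the one linked in the answer.

```python
import json
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed stand-in for the published ip-ranges.json (same field names).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "CODEBUILD", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.128/25", "region": "eu-west-1", "service": "CODEBUILD", "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "CODEBUILD", "network_border_group": "us-east-1"},
    ],
})


def service_prefixes(doc_text: str, service: str, region: str) -> Tuple[List[str], List[str]]:
    """Return (ipv4, ipv6) CIDRs published for one service in one region."""
    doc = json.loads(doc_text)
    v4 = sorted(p["ip_prefix"] for p in doc["prefixes"]
                if p["service"] == service and p["region"] == region)
    v6 = sorted(p["ipv6_prefix"] for p in doc["ipv6_prefixes"]
                if p["service"] == service and p["region"] == region)
    return v4, v6


def ingress_permission(port: int, v4: List[str], v6: List[str], note: str) -> dict:
    """Build one IpPermissions entry in the shape boto3's
    authorize_security_group_ingress takes: one IpRanges item per CIDR."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": note} for c in v4],
        "Ipv6Ranges": [{"CidrIpv6": c, "Description": note} for c in v6],
    }


def from_published_range(ip: str, v4: List[str], v6: List[str]) -> bool:
    """Check one caller address against the allowed ranges, e.g. when
    reviewing the API's access log after the rules are in place."""
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in (v4 if addr.version == 4 else v6))


if __name__ == "__main__":
    v4, v6 = service_prefixes(SAMPLE_IP_RANGES, "CODEBUILD", "us-east-1")
    print(json.dumps(ingress_permission(443, v4, v6, "AWS CodeBuild us-east-1"), indent=2))
```

The resulting dict is what you pass as one element of IpPermissions to authorize_security_group_ingress for the instance's group. The published file carries a syncToken and is revised over time, so the rules need to be regenerated when that token changes; a rule set copied once by hand will drift out of date.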
Looking for advice on the recommended way of setting up autoscaling for a pair of EC2 instances running a Nginx-based web service behind an ELB.
I understand that I'll need to use CloudWatch to monitor my EC2 instances - is it sufficient to save my EC2 instance as an AMI image and then have CloudWatch fire up new instances using that image (with ELB automatically routing requests in round-robin fashion to available instances)?
You can attach your load balancer to your Auto Scaling Group (ASG). When attached, the load balancer automatically registers the newly launched instances in the group and distributes the traffic across them. To add health checks to an ASG with a load balancer attached to it, you need to:
Go to EC2 console
Choose Auto Scaling Group under Auto Scaling
Select your group and click Actions and then Edit
Select ELB for Health Check Type and set the period (e.g. 300)
Save
Note that an ASG with the EC2 health check type will not automatically replace unhealthy instances. Read more here.
import boto.ec2
ec2 = boto.ec2.connect_to_region(regionName)
hangs on an instance in a VPC.
boto's ec2 connect_to_region is not working on an EC2 instance in an Amazon VPC, but the same thing works outside Amazon VPC.
What are the things I need to check?
Thank you
The VPC adds egress rules to Security Groups. It also adds a new feature called Network ACLs that adds stateless ingress and egress rules. Check both your Network ACLs and Security Groups to make sure that you aren't blocking anything with egress rules.
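The practical difference the answer points at is that a security group is stateful (if the outbound call is allowed, its reply is allowed too) while a network ACL is stateless: the reply is a separate packet that must itself match an inbound rule, and rules are evaluated in ascending rule-number order with the first match winning and an implicit deny at the end. The block below is an added example, not code from the answer, that walks an HTTPS call to the regional API endpoint through a modelled ACL in both directions and reports which leg drops it. Rule numbers, the endpoint address and the CIDRs are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class AclRule:
    number: int       # rules are evaluated in ascending number order
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp" or "all"
    port_from: int    # destination-port range of the packet being checked
    port_to: int
    cidr: str         # remote address range


def acl_permits(rules: List[AclRule], protocol: str, dst_port: int, remote_ip: str) -> bool:
    """Lowest-numbered matching rule wins; no match is the implicit '*' deny."""
    addr = ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in (protocol, "all"):
            continue
        if not r.port_from <= dst_port <= r.port_to:
            continue
        if addr not in ip_network(r.cidr):
            continue
        return r.action == "allow"
    return False


def blocked_direction(outbound: List[AclRule], inbound: List[AclRule], remote_ip: str,
                      remote_port: int, local_ephemeral_port: int = 49152) -> Optional[str]:
    """Walk a TCP connection through a stateless ACL in both directions.
    Returns None when it completes, else the leg the ACL drops."""
    if not acl_permits(outbound, "tcp", remote_port, remote_ip):
        return "outbound request"
    # For a stateless ACL the reply is just another inbound packet, addressed
    # to the ephemeral port the client chose; it needs its own allow rule.
    if not acl_permits(inbound, "tcp", local_ephemeral_port, remote_ip):
        return "inbound reply"
    return None


# Constructed scenario: HTTPS to the API endpoint is allowed out, but the
# subnet's inbound rules have nothing for the reply, so the TCP handshake
# never completes and the client hangs instead of failing fast.
API_ENDPOINT_IP = "198.51.100.20"   # placeholder for the regional EC2 API endpoint
OUTBOUND = [AclRule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
INBOUND_BROKEN = [AclRule(100, "allow", "tcp", 22, 22, "10.0.0.0/16")]
# Fix: admit replies on the ephemeral port range.
INBOUND_FIXED = INBOUND_BROKEN + [AclRule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
# Ordering pitfall: a lower-numbered deny shadows the later allow.
INBOUND_SHADOWED = [AclRule(50, "deny", "tcp", 1024, 65535, "198.51.100.0/24")] + INBOUND_FIXED


def diagnose() -> dict:
    return {
        "broken": blocked_direction(OUTBOUND, INBOUND_BROKEN, API_ENDPOINT_IP, 443),
        "fixed": blocked_direction(OUTBOUND, INBOUND_FIXED, API_ENDPOINT_IP, 443),
        "shadowed": blocked_direction(OUTBOUND, INBOUND_SHADOWED, API_ENDPOINT_IP, 443),
    }


if __name__ == "__main__":
    for name, leg in diagnose().items():
        print(f"{name:9} {'completes' if leg is None else 'dropped on ' + leg}")
```

When checking a real subnet, compare its ACL's inbound entries against the ephemeral port range the client side actually uses (Linux defaults to 32768-60999, and the AWS documentation recommends opening 1024-65535), and check the instance's security group egress rules separately, since those are the stateful half of the picture.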