I am trying to set up SSM on Windows.
I have an ASG in a private subnet (absolutely 0 internet access). I can not use NAT, only VPC endpoints.
In the instance launch configuration, I have a PowerShell script that uses Set-DnsClientServerAddress so that the instance can find and join an AWS Managed MS AD service. I would also like to set up the instance so it can be fully managed with SSM.
The problem comes with the DNS Client Server Address.
When I set it to match the address of the AD service SSM will not work.
When I leave the DNS Client Server Address default, SSM works but I can not join the AD.
I tried forcing the SSM Agent to use the endpoints by creating a amazon-ssm-agent.json file and setting all three endpoints in there. This allowed the instance to show on the Managed Instance list, but its status never changed from pending and requests from within the instance still timed out.
Does anyone know the magic sauce to get these things all working at the same time?
EDIT 1:
I also tried adding a forward as described in this thread, however I'm either missing somethign or it is not working for my case:
https://forums.aws.amazon.com/thread.jspa?messageID=919331󠜣
It turns out that adding the forwarder as described in the link above worked. The part I was missing was joedaws comment, "I would also remove the existing 169.254.169.253 entry so that only the 10.201.0.2 ip address is in the list".
Of course, my IPs are different, but once I removed the preexisting forward so that my x.x.x.2 IP was the only one in the list (I did this for both of the AD DNS servers) the instance was discoverable by SSM.
So, I would make a minor change to the list that saugy wrote:
On a domain joined windows instance, log in with AD domain Admin user
Open DNS manager
Connect to one of the DNS IP addresses for the AWS AD
Select forwarders
Add the VPC's DNS IP (x.x.x.2 from you VPC's CIDR range)
Remove the existing IP (so you VPCs IP is the only one)
Click Apply
Repeat from step 3 with the other DNS IP address for the AWS AD (not 1
Also, as mentioned in the other post. This only has to be done once and the settings persist in the AD DNS.
I have two machines in different accounts.
I'm trying to make a connection between them.
So I added a rule that allows all traffic from the external and internal one.
Outbound allows all traffic for both machines but there's no connection at all.
one machine : 172.31.43.115
second machine : 172.31.26.95
I pinged. No response.
I also tried Trace route, but also no response
I searched for a guide on Google, but had no luck.
I understand that I have to do Route.
How can I do that? Is there any solution for that?
it looks like (based off the IPs) you are mistaking the private IP with the public IP. Check your EC2 console again, and click on the instance and look at the bottom metadata. On the right column nearish to the top there should be public IP.
If you want to communicate them externally, you should attache an EIP ( elastic ip ) to them and allow in Security group. If you need to communicate internally , you should create vpc peering.
I launched an Amazon Web Service (AWS) EC2 Instance, t2.micro, which must be launched into a VPC.
The VPC has Auto-assign Public IP set to Yes.
DNS resolution: Yes
DNS hostnames: Yes
But on the EC2 Dashboard, the instance still has a blank Public DNS and Public IP. I have tried to restart the instance several times, but it still has not been assigned a Public IP. The 5 Elastic IPs that came with our AWS account have already been used. Is it possible to get a Public IP assigned to a t2.micro instance without using Elastic IP?
I have read the post: EC2 instance has no public DNS,
but I do not have reputation points to be able to add a comment, so I am posting this as new question.
Rightclick on the VPC row in the VPC management console page and select "EDIT DNS Hostname". Set it to "Yes". It´s necessary to allow all the instances with the same VPC.
When you create the new instance in the "Step 3: Configure Instance Details", you need to enable "Auto-assign Public IP".
That´s it! :-)
The most common cause of no public IP address for your EC2 instance is that you're launching your EC2 instance in a private subnet. A private subnet means that any EC2 instances located in that subnet are not directly addressable from the public Internet. In other words, by definition, EC2 instances in a private subnet cannot have a public IP address.
This would explain why checking "public IP address" has no effect, and why you're unable to assign an Elastic IP address.
You can't just relocate an instance from one subnet to another. If you need to do that, you can create an AMI of your instance (right-click on the EC2 instance and click create image), and then launch a new instance from that AMI in a different subnet.
To determine if your subnet is private, look at the Route Table and see if you have an Internet Gateway route. Go to VPC > Subnets > Select a Subnet > Route Table tab. Look for an entry that has something like igw-***. If you see this, it's a public subnet. If you see something like eni-*** / i-***, it's a private subnet.
Also check:
VPC -> Subnets -> Subnet Actions -> Modify Auto-Assign Public IP
Face the same issue today. My EC2 instance has no public DNS thus I'm unable to connect via ssh.
I tried and success with these steps:
Go to VPC > Internet Gateways: make sure an Internet Gateway is created and attached to the EC2's VPC
Goto VPC > Route Tables, select a VPC route, navigate to Routes tab: add a new rule with
++ Destination: 0.0.0.0/0
++ Target: select the created Internet Gateway
Goto VPC > Subnet > Route Table tab: click edit, change to the Route Table with destination 0.0.0.0/0 above
Done.
Hmm. So many responses. All of them on the order of "you did something wrong."
Newsflash: AWS doesn't always work correctly. I've used AWS for a very long time. I've personally witnessed instances that do not start, instances that do not stop, disk corruptions on deployed instances and network failures on running instances.
I've never seen a case where a public IP was not created. Until this morning. Now I can add that to the list.
For the record - here's what I verified :)
Three identical instances in the cluster
All instances are in the same availability zone
All instances have same VPC
VPC DNS settings are correct (resolution / hostnames enabled)
All instances have same subnet
Subnet has: a) public routing table; b) option enabled to create public IP
Plenty of IP space available in the subnet
Two of the three instances receive a public IP. The third does not.
So for any others in the future getting to this post: No, you are not insane. Yes, it is possible that AWS screws up.
In our case, manually terminating the problem instance and issuing a new cluster up..."fixed" the problem.
And - I upvoted the answer that indicated a "launch more like this" from a STOPPED instance had an impact on public IP. Not because it is the correct answer (it is not) but because it demonstrates an admirable response to an otherwise inexplicable situation: trial and error / experimentation. The good old "Gee, what happens if I try this...". As cloud professionals: If all other standard troubleshooting steps fail and the only alternative is to blow away the instance (or subnet, or Lambda function, or DynamoDb, or SNS queue; whatever the failing resource) then it's wise to think outside the box and try other actions.
In other words: keep an open mind.
Go to VPC -> Subnets
And make sure that the Auto-assign public IPv4 address is set to YES
There are many possible reasons. Check the follow.
You need to have a VPC created.
The DNS resolution and DNS hostnames should be enabled.
Choose your VPC -> Actions -> Edit DNS resolution -> enable
Choose your VPC -> Actions -> Edit DNS hostnames -> enable
Into the VPC maybe you need a private and public subnet.
In the private subnet, you need to have a NAT Gateway associate to this.
In the public subnet, you need to have an Internet Gateway associate to this.
You need to enable the auto-assign IP for your public subnet.
Choose the public subnet -> Actions -> Modify auto-assign IP settings -> enable
Later when you launch a new instance in
Step 3: Configure Instance Details.
You should choose your VPC and your public subnet. And in the "Auto-assign Public IP" section choose "Use subnet setting (Enabled)"
I think that that should solve your problem...
I had the same issue. The reason of my issue turned out to be that I was using a route table which was not associated with a subnet.
enter image description here
After I changed my subnet, my instances were assigned public ips.
After creating a Subnet - make sure the Auto-assign public IPv4 setting is set to Yes or Enabled.
After making sure the above setting is turned on - then launch the EC2 instance.
If the above setting is not enabled after Subnet creation - the EC2 instance will be treated as Private and won't have a public IPV4 address.
When I use "launch more like this" option from a STOPPED instance, I'll get a new instance without a public ip. But if I "launch more like this" from a running instance, the new instance has a public ip.
Most likely, the public subnet has no enabled feature for "Auto-assign IPv4". It is selected as "No". And during your instance creation process the default option is "Use subnet setting (Enabled)". That's why newly issued instances cannot get public IP address.
Go VPC dashboard and click Subnets. Select a public subnet and select Modify auto-assign IP settings from Actions list and check Auto-assign IPv4. After saving your changes, your instances will get public IP automatically.
My big "gotcha" on this was when creating a VPC & Subnets from a CloudFormation stack, my Subnets were missing the Property "MapPublicIpOnLaunch" : true.
My Observation :
You need to enable the auto-assign IP for your public subnet. Choose the public subnet -> Actions -> Modify auto-assign IP settings -> enable
Only after the above is done, then launch an EC2 instance and you will start seeing public IP assigned.
Once an EC2 instance created without above setting enabled, that EC2 will not have public IP assigned even after reboot , it already considered that subnet to be private.
Hope this helps!
My Answer:
Please check if you attached a secondary network interface with the instance.
As per AWS Documentations, If you attach another network interface to your instance, your current public IP address is released when you restart your instance. Please read the third point from below.
You cannot manually associate or disassociate a public IP (IPv4) address from your instance. Instead, in certain cases, we release the public IP address from your instance, or assign it a new one:
We release your instance's public IP address when it is stopped,
hibernated, or terminated. Your stopped or hibernated instance receives a
new public IP address when it is started.
We release your instance's public IP address when you associate an
Elastic IP address with it. When you disassociate the Elastic IP address
from your instance, it receives a new public IP address.
If the public IP address of your instance in a VPC has been released, it
will not receive a new one if there is more than one network interface
attached to your instance.
If your instance's public IP address is released while it has a secondary
private IP address that is associated with an Elastic IP address, the
instance does not receive a new public IP address.
AWS Documentation Link for more reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html?icmpid=docs_ec2_console#concepts-public-addresses
I am trying to use the amazon free tier instance. I got the free fedora server running. I installed a web server in there as well. Now how can I access that server from outside. What domain name to use. I don't have my own domain name now. Doesn't amazon itself give me something to access it?
Amazon EC2 assigns a default public DNS to each instance you spin up. Be warned, its not a user friendly name. To view your public DNS:
Login to the Amazon EC2 service and access your console
Click the gear icon in the top right hand corner, this will display a 'Show/Hide Columns' dialog.
Under 'EC2 Instance Attributes' select Public DNS.
Click Apply to close dialog and save options
Your public DNS now shows up under a column of the same name, copy the value from this column and fire away.
Note that to do anything useful with your instance (as far as accessing it remotely), that you should have enabled one or more security groups for it.
I am facing a few issues.
I initially had assigned an elastic IP to my micro instance i-38cbc940, but for some reason, after I did that the webpages I had uploaded were not functioning properly (images not loading correctly, etc).
I tested this prior to the elastic IP assignment and such problems were not occurring. So I dissociated the elastic IP address and released it. Then, I reboot my instance.
The problem is, now I cannot view my site in a browser using the public DNS address listed (ec2-23-23-18-52.compute-1.amazonaws.com) or any of its sub-directories.
Things I Know:
My security settings have not changed - I still have the same security group identified with the instance.
httpd.conf file still shows "/var/www/html" as the DocumentRoot.
Every time I navigate to the public DNS address listed...it shows "could not connect" but if I ping it, it works.
If I SSH into the instance in the var/www/html directory, everything is still there, including an index.html file that was viewable before. Also, I can get into the instance through PuTTY.
Also, no sure if it's important, but this is an AmazonEC2-AMI/Apache/MySQL server with Wordpress CMS installed.
Any ideas on what could be going on here?
you need to check the apache conf for any hardocoded dns entries of your instance amazon dns and also check your code for any referrals to the amazon dns of your instance.