Our VPCs are not directly connected to the internet, so we need the CLI --endpoint-url option to send commands to the custom VPC endpoints instead of the standard AWS service endpoints,
e.g.
aws sns publish --message $MESSAGE --target-arn $SNSTARGET --region $REGION --endpoint-url 'https://vpce-xxxx-xxxxx.sns.ap-southeast-1.vpce.amazonaws.com/'
For autoscaling though:
I can't find any VPC endpoint interface option, and the EC2 endpoint is not accepted.
aws autoscaling complete-lifecycle-action --lifecycle-hook-name $LIFECYCLEHOOKNAME --auto-scaling-group-name $ASGNAME --lifecycle-action-result $HOOKRESULT --instance-id $INSTANCEID --region $REGION
Could not connect to the endpoint URL: https://autoscaling.ap-southeast-1.amazonaws.com/
If I try to use the closest endpoint, i.e. EC2:
aws autoscaling complete-lifecycle-action --lifecycle-hook-name $LIFECYCLEHOOKNAME --auto-scaling-group-name $ASGNAME --lifecycle-action-result $HOOKRESULT --instance-id $INSTANCEID --region $REGION --endpoint-url 'https://vpce-xxxx-xxx.ec2.ap-southeast-1.vpce.amazonaws.com/'
An error occurred (InvalidAction) when calling the CompleteLifecycleAction operation: The action CompleteLifecycleAction is not valid for this web service.
AWS will be adding an EC2 Auto Scaling VPC endpoint in the coming weeks; the rumor is before re:Invent.
I have difficulty getting a Lambda function to consistently talk to a VPC peered with the VPC that the Lambda function is connected to. I believe my configuration is identical to https://aws.amazon.com/premiumsupport/knowledge-center/lambda-dedicated-vpc/ , so I think this is a supported situation, which I will describe.
I have a lambda function connected to VPC A (us-east-1).
VPC A and VPC B (us-west-2) are peered.
An RDS database resides in VPC B and I need the Lambda function to talk to it.
The current situation is that sometimes they talk (port is open), and sometimes they cannot (port is not open). I do not know what causes one situation or the other, but I have a reproducer and can freely reproduce either scenario by redeploying the Lambda, or simply by waiting after the deployment.
The reproducer lambda function:
import socket

def lambda_handler(event, context):
    host = "aurora-xxx.cluster-xxx.us-west-2.rds.amazonaws.com"
    ip = socket.gethostbyname(host)
    port = 5432
    a_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    location = (ip, port)
    a_socket.settimeout(10)
    # connect_ex returns 0 on success, otherwise the errno of the failure
    result_of_check = a_socket.connect_ex(location)
    a_socket.settimeout(None)
    if result_of_check == 0:
        print(f'Host {host}({ip}) port {port} is open.')
    else:
        print(f'Host {host}({ip}) port {port} is NOT open.')
And the AWS CLI that deploys the lambda is:
aws --region us-east-1 lambda delete-function --function-name test-2
aws --region us-east-1 lambda create-function --function-name test-2 --zip-file fileb://../lambda/lambda_function.zip --handler lambda_function.lambda_handler --runtime "python3.7" --role <role_arn> --vpc-config SubnetIds=subnet1,subnet2,SecurityGroupIds=sg-xxx --timeout 120
PS: VPC A and VPC B are peered correctly and the port is always open, because I can use psql on an instance in VPC A to connect to the RDS in VPC B. I need the Lambda function to talk to the RDS outside of its own VPC, because the RDS is part of a global database which can be failed over to either VPC.
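An added diagnostic (not the poster's code) that extends the reproducer so each invocation records every address the RDS name resolved to, whether that address lies inside the peer VPC's CIDR, and the connect result with its errno; PEER_VPC_CIDR is an assumption to replace with VPC B's real range. Comparing a record from a run that worked with one that did not shows whether the name, the route, or the socket differs between the two.

```python
import ipaddress
import socket
import time

PEER_VPC_CIDR = "10.1.0.0/16"   # assumption: VPC B's CIDR, replace with yours
HOST = "aurora-xxx.cluster-xxx.us-west-2.rds.amazonaws.com"
PORT = 5432


def resolve_all(host):
    """Every IPv4 address the function's resolver returns for host."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify(ip, peer_cidr=PEER_VPC_CIDR):
    """'peer' if ip is inside the peered VPC, 'private' for other RFC1918
    space, else 'public' (such traffic never takes the peering link)."""
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(peer_cidr):
        return "peer"
    return "private" if addr.is_private else "public"


def probe(ip, port=PORT, timeout=10):
    """Return (is_open, errno, seconds); errno is 0 when connect succeeded."""
    started = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        err = s.connect_ex((ip, port))
    return err == 0, err, round(time.monotonic() - started, 2)


def lambda_handler(event, context):
    # One record per resolved address, so two runs can be compared in
    # CloudWatch Logs instead of only seeing "open" or "NOT open".
    report = []
    for ip in resolve_all(HOST):
        is_open, err, secs = probe(ip)
        report.append({"ip": ip, "where": classify(ip), "open": is_open,
                       "errno": err, "seconds": secs})
    print(report)
    return report
```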
I have a private VPC with private subnets, a private jumpbox in one private subnet, and my private RDS Aurora MySQL Serverless instance in another private subnet.
I did those commands on my local laptop to try to connect to my RDS via port forwarding:
aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["5901"],"localPortNumber"=["9000"] --profile myProfile
aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["22"],"localPortNumber"=["9999"] --profile myProfile
aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["3306"],"localPortNumber"=["3306"] --profile myProfile
The connection to the server hangs.
I had this error on my local laptop:
Starting session with SessionId: myuser-09e5cd0206cc89542
Port 3306 opened for sessionId myuser-09e5cd0206cc89542.
Waiting for connections...
Connection accepted for session [myuser-09e5cd0206cc89542]
Connection to destination port failed, check SSM Agent logs.
and those errors in /var/log/amazon/ssm/errors.log:
2021-11-29 00:50:35 ERROR [handleServerConnections @ port_mux.go.278] [ssm-session-worker] [myuser-017cfa9edxxxx] [DataBackend] [pluginName=Port] Unable to dial connection to server: dial tcp :3306: connect: connection refused
2021-11-29 14:13:07 ERROR [transferDataToMgs @ port_mux.go.230] [ssm-session-worker] [myuser-09e5cdxxxxxx] [DataBackend] [pluginName=Port] Unable to read from connection: read unix @->/var/lib/amazon/ssm/session/3366606757_mux.sock: use of closed network connection
and I try to connect to RDS like this:
I even tried to put the RDS endpoint using an SSH tunnel, but it doesn't work:
Are there any additional steps to do on the remote EC2 instance?
It seems the connection is accepted but the connection to the destination port doesn't work.
Thank you for your help on this!!
The start-session command tunnels the port from the target EC2 instance to localhost. The RDS instance is on another host, so you must use SSH tunneling.
Send your public key to the EC2 instance. Fill in the region and availability zone parameters.
aws ec2-instance-connect send-ssh-public-key --region us-west-2 --instance-id i-0d5470040e7541ab9 --availability-zone us-west-2a --instance-os-user ec2-user --ssh-public-key file://~/.ssh/id_rsa.pub
Forward the SSH port 22 from the EC2 instance to 9999 locally.
aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["22"],"localPortNumber"=["9999"] --profile myProfile
SSH into the instance with tunneling (in another terminal). Fill in rds-instance-dns with the DNS of your RDS instance.
ssh ec2-user@localhost -L 6606:rds-instance-dns:3306 -i ~/.ssh/id_rsa -p 9999
Access RDS (the MySQL client must be pointed at the TCP port with -P and at 127.0.0.1 rather than localhost, otherwise it tries the local Unix socket):
mysql -h 127.0.0.1 -P 6606 -u <db-user> -p
You also need to ensure that your EC2 instance has the correct permissions to access the RDS instance by configuring the security group.
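The same sequence as an added example, not the answerer's script: it starts the SSM port-forwarding session, waits until the local port is actually accepting connections before launching the SSH tunnel (the usual reason the manual steps fail is running ssh too early), and tears the session down afterwards. It assumes step 1 (send-ssh-public-key) was already done; the instance id, profile, key path and RDS_DNS are placeholders.

```python
import json
import os
import socket
import subprocess
import sys
import time

INSTANCE = "i-0d5470040e7541ab9"
PROFILE = "myProfile"
KEY = "~/.ssh/id_rsa"
RDS_DNS = "rds-instance-dns"   # assumption: your RDS endpoint DNS name
LOCAL_SSH, LOCAL_DB = 9999, 6606

def ssm_cmd(instance=INSTANCE, remote=22, local=LOCAL_SSH, profile=PROFILE):
    """argv for step 2 (port forward); JSON parameters, no shell quoting."""
    params = {"portNumber": [str(remote)], "localPortNumber": [str(local)]}
    return ["aws", "ssm", "start-session", "--target", instance,
            "--document-name", "AWS-StartPortForwardingSession",
            "--parameters", json.dumps(params), "--profile", profile]

def ssh_cmd(rds=RDS_DNS, local_ssh=LOCAL_SSH, local_db=LOCAL_DB, key=KEY):
    """argv for step 3; -N keeps it a pure tunnel with no remote shell."""
    return ["ssh", "-N", "-p", str(local_ssh), "-i", os.path.expanduser(key),
            "-L", f"{local_db}:{rds}:3306", "ec2-user@localhost"]

def wait_for_listener(port, timeout=30):
    """True once something accepts on 127.0.0.1:port (the SSM session)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with socket.socket() as s:
            s.settimeout(1)
            if s.connect_ex(("127.0.0.1", port)) == 0:
                return True
        time.sleep(0.5)
    return False

def main():
    session = subprocess.Popen(ssm_cmd())
    try:
        if not wait_for_listener(LOCAL_SSH):
            sys.exit("SSM session never opened the local port")
        # while ssh runs: mysql -h 127.0.0.1 -P 6606 -u <db-user> -p
        subprocess.run(ssh_cmd(), check=False)
    finally:
        session.terminate()

if __name__ == "__main__":
    main()
```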
I have an instance that I start through the AWS CLI:
aws ec2 start-instances --instance-ids i-00112223333444445
The instance does not have a static public IP. How can I get the instance's public IP through the CLI, knowing the ID i-00112223333444445?
Try the following command:
aws ec2 describe-instances --instance-ids $instance_id \
--query 'Reservations[*].Instances[*].PublicIpAddress' \
--output text
If the EC2 instance has a public IP address, this command will return it.
Links:
Details about the query parameter can be found here.
Details about the describe-instances command can be found here.
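An added example (not from the answer above) for the case the question describes, an instance that has just been started: the public address is only populated once the instance leaves the pending state, so a script has to poll describe-instances rather than read it once. The sample responses are constructed, and the region is an assumption.

```python
import json
import subprocess
import time

# Constructed sample responses (not real API output): the same instance just
# after start-instances, then once it is running with an address assigned.
SAMPLE_PENDING = json.loads('{"Reservations": [{"Instances": [{"InstanceId": '
    '"i-00112223333444445", "State": {"Name": "pending"}}]}]}')
SAMPLE_RUNNING = json.loads('{"Reservations": [{"Instances": [{"InstanceId": '
    '"i-00112223333444445", "State": {"Name": "running"}, '
    '"PublicIpAddress": "203.0.113.10"}]}]}')


def public_ip_from(response, instance_id):
    """Pull PublicIpAddress for one instance out of a describe-instances
    response; None when absent (pending, stopped, or no public address)."""
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst["InstanceId"] == instance_id:
                return inst.get("PublicIpAddress")
    return None


def describe(instance_id, region):
    """Real CLI call (needs credentials); returns the parsed JSON response."""
    proc = subprocess.run(
        ["aws", "ec2", "describe-instances", "--instance-ids", instance_id,
         "--region", region, "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def wait_for_public_ip(instance_id, region, fetch=describe, attempts=12,
                       delay=5, sleep=time.sleep):
    """Poll until the instance reports a public IP, which only happens once it
    leaves 'pending'; return it, or None after `attempts` tries."""
    for _ in range(attempts):
        ip = public_ip_from(fetch(instance_id, region), instance_id)
        if ip:
            return ip
        sleep(delay)
    return None


if __name__ == "__main__":
    # assumption: region us-east-1; swap in the real one
    print(wait_for_public_ip("i-00112223333444445", "us-east-1"))
```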
I am going to automate AWS EC2 instance creation. I have a YAML file which was built using a CloudFormation template. I want to know how I run this using the command line interface.
First you have to upload your template to S3.
create bucket
aws s3api create-bucket --bucket cloud-formation-stacks --region us-east-1
upload to S3
aws s3 sync --delete <template> s3://cloud-formation-stacks
create stack
aws cloudformation create-stack --stack-name mystack \
    --template-url <template url> \
    --parameters ParameterKey=KeyName,ParameterValue=YOUR_KEY_NAME
Add your parameters as shown (VPC, security group, subnet ID, tags, etc.).
Or you can do this via the AWS Management Console: Services -> CloudFormation, and upload your template.
I am using the script below to attach and detach the server from the load balancer:
#!/bin/bash
aws elb register-instances-with-load-balancer --load-balancer-name Load-BalancerLoadBalancer --instances i-a3f1446e
aws elb deregister-instances-from-load-balancer --load-balancer-name Load-BalancerLoadBalancer --instances i-a3f1446e
When I run the script I get the error below:
Service elasticloadbalancing not available in region ap-southeast-1b
Service elasticloadbalancing not available in region ap-southeast-1b
Are there any changes I need to make to get the script working, or is there any alternate script to do the work?
The error says region ap-southeast-1b, but ap-southeast-1b is an Availability Zone, not a Region.
The Region should be ap-southeast-1.
Run aws configure and confirm that your Region is set correctly.
It seems your ELB is in another region; add --region to your command. For example, if the ELB is created in us-east-1:
aws elb register-instances-with-load-balancer --load-balancer-name Load-BalancerLoadBalancer --instances i-a3f1446e --region us-east-1
aws elb deregister-instances-from-load-balancer --load-balancer-name Load-BalancerLoadBalancer --instances i-a3f1446e --region us-east-1