Is it a good practice to create a CNAME of my domain to point to EC2 instances?
For example, if I own the domain mydomain.com and I have this EC2 instance with a public host: ec2-aa-bb-cc-dd.eu-west-1.compute.amazonaws.com
Can I create a CNAME prod-database.mydomain.com to ec2-aa-bb-cc-dd.eu-west-1.compute.amazonaws.com and use that subdomain instead of the EC2 public host?
It is good practice; that way you don't have to remember odd DNS names when configuring future applications and architectures.
I need to transfer DNS management to AWS Route53 so I can host multiple WordPress sites with different domains on a Lightsail instance using Plesk Obsidian. I've already set up one domain and its website. The next domain I need to set up for a WordPress site that'll run on the Lightsail instance has an existing subdomain that's used for an app running on an EC2 instance. That EC2 instance's URL doesn't use a Route53 zone, i.e., it just has an A record that associates the subdomain with the EC2's static IP address.
My question is whether I need to create a Route53 zone for the subdomain after I move DNS record management to Route53, or is just keeping the A record for the subdomain in the Route53 DNS records sufficient without creating a separate Route53 zone?
Hopefully my question/concern makes sense. My concern stems from whether Route53 behaves like any other DNS manager or if it has peculiarities I need to be aware of for what I want to do.
I figured I'd just have to learn by trial and error since no one answered.
I created the A record on Route53 to point to the subdomain and switched to AWS nameservers ... and voila, it worked without having to add the subdomain as a Route 53 zone. My security certificate even resumed working on the subdomain after a 10 minute period in which it couldn't find the CNAME record of the certificate issuer.
So long story short, Route53 works just fine for pointing to subdomains outside of the Route53 zone. One A record does the trick.
I have a test application running at
http://ec2-34-215-196-193.us-west-2.compute.amazonaws.com/
(This is a test application; it won't be live for long.) When I try to add a CNAME to this, like in the screenshot below, a "." is added by the DNS system.
However, my app seems to be accessible only via us-west-2.compute.amazonaws.com or us-west-2.compute.amazonaws.com.
I can make it resolve to either one of them.
But adding anything does not seem to resolve with a CNAME. It gives 503 Service Unavailable.
I am using AWS EC2 to host the app with an HAProxy load balancer.
Using Google Domains for the DNS name.
Any suggestions for troubleshooting this problem?
All DNS entries have a dot at the end, like subdomain.domain.com.
It's not suggested to create CNAMEs to your EC2 instance, because that IP may vary over time and it's not reassignable; that's what Elastic IPs are made for. Just create an Elastic IP, assign it to your EC2 instance, and add it as an A record at your DNS provider.
Amazon AWS documentation
First create an Elastic IP and assign it to your instance. Then create an A record and point it at the IP. Your site should work normally.
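The two answers above raise two checks that are easy to get wrong in a zone: a CNAME target written without its trailing dot (which zone-file syntax treats as relative to the origin), and a CNAME that points at an ec2-a-b-c-d.region.compute.amazonaws.com name, whose embedded address is the instance's current public IP rather than an Elastic IP. This is an added audit script, not code from either answer; the zone records in it are constructed samples.

```python
import re
from dataclasses import dataclass

# Public EC2 hostname: the four dash-separated numbers are the instance's
# current public IPv4 address, which changes when an instance without an
# Elastic IP is stopped and started.
EC2_PUBLIC_HOST = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})"
    r"\.([a-z]{2}(?:-[a-z]+)+-\d)\.compute\.amazonaws\.com\.?$"
)

@dataclass
class Record:
    name: str    # owner name as written in the zone
    rtype: str   # "A", "CNAME", ...
    value: str   # rdata as written in the zone

def fqdn(name: str) -> str:
    """Normalise a name to lower case with exactly one trailing dot."""
    return name.rstrip(".").lower() + "."

def audit_zone(records):
    """Return (owner, finding, detail) tuples for CNAMEs worth a second look."""
    findings = []
    for r in records:
        if r.rtype != "CNAME":
            continue
        owner = fqdn(r.name)
        target = r.value.strip()
        # No trailing dot: in zone-file syntax the target is relative to the
        # origin, so "host.example.com" silently becomes "host.example.com.<origin>."
        if not target.endswith("."):
            findings.append((owner, "relative-cname-target", target))
        m = EC2_PUBLIC_HOST.match(target.lower())
        if m:
            ip = ".".join(m.group(i) for i in range(1, 5))
            findings.append((owner, "cname-to-ec2-public-host", f"{ip} in {m.group(5)}"))
    return findings

# Constructed sample zone (origin mydomain.com), not taken from any real domain.
SAMPLE = [
    Record("www", "A", "203.0.113.10"),
    Record("prod-database", "CNAME", "ec2-34-215-196-193.us-west-2.compute.amazonaws.com."),
    Record("api", "CNAME", "ec2-34-215-196-193.us-west-2.compute.amazonaws.com"),
]

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE):
        print(*finding)
```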
Following the instructions here :
https://github.com/deis/deis/tree/master/contrib/ec2
to deploy Deis to EC2 into a VPC, the CloudFormation stack starts up and creates the instances; however, the instances do not have public IPs, even though the subnet the instances are launched into does have auto-assign public IPs enabled.
So, without the public IPs I am not sure how to connect to the instances with fleet.
Anyone have any ideas on what I am missing?
By default, the provision scripts don't assign public IP addresses because the assumption is that the VPC you're provisioning into is internal to your network and that you have other means of access (like VPN).
However, you can easily provision your instances with public IPs by changing this line to True and redeploying.
We know this is confusing, and we're working to rewrite our EC2 provisioning scripts. Thanks for sticking with us!
You need to get your computer connected into the VPC somehow, try this and see if you can VPN into your VPC using it.
We're using Amazon EC2, and we want to put an ELB (load balancer) to 2 instances on a private subnet. If we just add the private subnet to the ELB, it will not get any connections, if we attach both subnets to the ELB then it can access the instances, but it often will get time-outs. Has anyone successfully implemented an ELB within the private subnet of their VPC? If so, could you perhaps explain the procedure to me?
Thanks
My teammate and I have just implemented ELB in a VPC with 2 private subnets in different availability zones. The reason you get timeouts is that for each subnet you add to the load balancer, it gets one external IP address (try 'dig elb-dns-name-here' and you will see several IP addresses). If one of these IP addresses maps to a private subnet, it will time out. The IP that maps into your public subnet will work. Because DNS may give you any one of the IP addresses, sometimes it works, sometimes it times out.
After some back and forth with amazon, we discovered that the ELB should only be placed in 'public' subnets, that is subnets that have a route out to the Internet Gateway. We wanted to keep our web servers in our private subnets but allow the ELB to talk to them. To solve this, we had to ensure that we had a corresponding public subnet for each availability zone in which we had private subnets. We then added to the ELB, the public subnets for each availability zone.
At first, this didn't seem to work, but after trying everything, we recreated the ELB and everything worked as it should. I think this is a bug, or the ELB was just in an odd state from so many changes.
Here is more or less what we did:
1. WebServer-1 is running in PrivateSubnet-1 in availability zone us-east-1b with a security group called web-server.
2. WebServer-2 is running in PrivateSubnet-2 in availability zone us-east-1c with a security group called web-server.
3. Created a public subnet in zone us-east-1b; we'll call it PublicSubnet-1. We ensured that we associated the routing table that includes the route to the Internet Gateway (ig-xxxxx) with this new subnet. (If you used the wizard to create a public/private VPC, this route already exists.)
4. Created a public subnet in zone us-east-1c; we'll call it PublicSubnet-2. We ensured that we associated the routing table that includes the route to the Internet Gateway (ig-xxxxx) with this new subnet. (If you used the wizard to create a public/private VPC, this route already exists.)
5. Created a new ELB, adding to it PublicSubnet-1 and PublicSubnet-2 (not the PrivateSubnet-X). Also picked the instances to run behind the ELB, in this case WebServer-1 and WebServer-2. Made sure to assign a security group that allows incoming ports 80 and 443. Let's call this group elb-group.
6. In the web-server group, allow traffic on ports 80 and 443 from the elb-group.
The key here is understanding that you are not "adding subnets/availability zones" to the ELB, but rather specifying what subnets to put ELB instances into.
Yes, ELB is a software load balancer, and when you create an ELB object, a custom load-balancing EC2 instance is put into all the subnets that you specified. So for the ELB (its instances) to be accessible, they have to be put into subnets that have a default route configured via the IGW (most likely you classified these subnets as public).
So, as was already answered above, you have to specify "public" networks for the ELB, and those networks should be from the AZs where your EC2 instances are running. In this case the ELB instances will be able to reach your EC2 instances (as long as security groups are configured correctly).
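The two answers above boil down to three conditions: every ELB subnet has a default route through the Internet Gateway, the ELB has a subnet in each AZ that hosts a backend, and the backend security group admits 80/443 from the ELB's group. This is an added checker, not code from either answer; it models subnets and security groups as plain data (no AWS API calls), the "igw-EXAMPLE" id is a placeholder, and the two layouts at the bottom are constructed to reproduce the timeout case and the fixed case.

```python
from dataclasses import dataclass

@dataclass
class Subnet:
    id: str
    az: str
    default_route: str   # target of 0.0.0.0/0 in the subnet's route table

@dataclass
class SecurityGroup:
    name: str
    ingress: list        # (port, source) pairs; source is a group name or CIDR

@dataclass
class Instance:
    id: str
    subnet: Subnet
    group: SecurityGroup

def is_public(subnet: Subnet) -> bool:
    """A subnet is 'public' when its default route points at an Internet Gateway."""
    return subnet.default_route.startswith("igw-")

def check_elb_placement(elb_subnets, backends, elb_group, ports=(80, 443)):
    """Return a list of problems; an empty list means the layout matches the answers above."""
    problems = []
    for s in elb_subnets:
        if not is_public(s):
            problems.append(f"{s.id} ({s.az}): no default route via an Internet Gateway, "
                            "so the ELB address handed out for this AZ will time out")
    elb_azs = {s.az for s in elb_subnets}
    for b in backends:
        if b.subnet.az not in elb_azs:
            problems.append(f"{b.id}: the ELB has no subnet in {b.subnet.az}")
        allowed = {port for port, src in b.group.ingress if src == elb_group.name}
        for port in ports:
            if port not in allowed:
                problems.append(f"{b.group.name}: port {port} not allowed from {elb_group.name}")
    return problems

# Constructed sample mirroring the two-AZ layout from the answer above.
elb_group = SecurityGroup("elb-group", [(80, "0.0.0.0/0"), (443, "0.0.0.0/0")])
web_server = SecurityGroup("web-server", [(80, "elb-group"), (443, "elb-group")])
private1 = Subnet("PrivateSubnet-1", "us-east-1b", "nat-instance")
private2 = Subnet("PrivateSubnet-2", "us-east-1c", "nat-instance")
public1 = Subnet("PublicSubnet-1", "us-east-1b", "igw-EXAMPLE")   # placeholder id
public2 = Subnet("PublicSubnet-2", "us-east-1c", "igw-EXAMPLE")   # placeholder id
backends = [Instance("WebServer-1", private1, web_server),
            Instance("WebServer-2", private2, web_server)]

def timeout_layout():   # ELB attached to one public and one private subnet
    return check_elb_placement([public1, private2], backends, elb_group)

def working_layout():   # ELB attached to the public subnet of each AZ
    return check_elb_placement([public1, public2], backends, elb_group)
```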
We've implemented ELB in a private subnet, so the statement that all ELBs need to be public isn't completely true. You do need a NAT. Create a private subnet for the private ELBs, turn on VPC DNS, and then make sure the private routing table is configured to go through the NAT. The subnet security groups also need to be set up to allow traffic between the ELB and App subnets, and between the App and DB subnets.
Beanstalk health checks won't work, as they can't reach the load balancer, but for services that need to be outside of public reach this is a good compromise.
Suggested reading to get your VPC architecture started: http://blog.controlgroup.com/2013/10/14/guided-creation-of-cloudformation-templates-for-vpc/.
You must add the following settings.
Public subnet zone b = Server NAT
Private subnet zone c = Server Web
Public subnet zone c = ELB
The trick is routing:
The route table for the NAT is attached to gateway A.
The route table for Server Web is attached to the NAT.
The route table for the public subnet is attached to gateway A.
ELB details:
1. Zone: Public subnet zone c
2. Instance: Server Web
3. Security Groups: enable ports
http://docs.amazonaws.cn/en_us/ElasticLoadBalancing/latest/DeveloperGuide/UserScenariosForVPC.html
Adding a diagram to Nathan's answer. Full medium post here: https://nav7neeet.medium.com/load-balance-traffic-to-private-ec2-instances-cb07058549fd
I'm trying to set up an EC2 instance with a public domain name that I bought from 123-reg.
Aside from associating the elastic IP with the instance that's running, and changing the DNS at 123-reg, is there anything else I need to do to access the site?
Any ideas or tutorial links would be greatly appreciated.
You just need to set an A record on your DNS entry for the domain to point at the Elastic IP, that's it.