AWS Code Deploy to VPC instances in AutoScaling Group fails unless Elastic IP is assigned - aws-code-deploy

I have an AutoScaling Group setup and an AWS CodeDeploy setup for a VPC with 1 public subnet. The VPC instance is capable of accessing all AWS services through an IAM Role.
The base AMI is Ubuntu with the CodeDeploy agent installed on it.
Whenever a scaling event triggers, the AutoScaling Group launches an instance and the instance goes into "Waiting for Lifecycle Event".
AWS CodeDeploy triggers a deployment, which is in the "In Progress" state; it remains in that state for more than an hour and then fails.
If, within that hour, I manually assign an Elastic IP, the CodeDeploy deployment succeeds immediately.
Is having a public/Elastic IP a requirement for CodeDeploy to succeed on VPC instances?
How can I get CodeDeploy to succeed without needing a public IP?

Have you set up a NAT instance so that the instances can access the internet without a public-facing IP address? The EIP doesn't matter if the instance otherwise has access to the internet. Your code is deployed by the CodeDeploy agent polling the endpoint, so if it can't hit the endpoint, it will never work.

The endpoint that the CodeDeploy agent talks to is not the public domain name like codedeploy.amazonaws.com. The agent talks to the command control endpoint, which is "https://codedeploy-commands.#{cfg.region}.amazonaws.com", according to https://github.com/aws/aws-codedeploy-agent/blob/29d4ff4797c544565ccae30fd490aeebc9662a78/vendor/gems/codedeploy-commands-1.0.0/lib/aws/plugins/deploy_control_endpoint.rb#L9. So you'll need to make sure the private instance can access this command control endpoint.

To connect your VPC to CodeDeploy, you define an interface VPC endpoint for CodeDeploy. An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported AWS service. The endpoint provides reliable, scalable connectivity to CodeDeploy without requiring an internet gateway, network address translation (NAT) instance, or VPN connection.
https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html
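The answers above all come down to one question: can the agent on the private instance reach codedeploy-commands.<region>.amazonaws.com on port 443, either through a NAT route or through an interface VPC endpoint? The following script is an added diagnostic (it is not from the thread, the agent project or AWS) that answers that in seconds rather than after the hour-long "In Progress" timeout. It builds the hostname from the pattern in the agent source linked above, resolves it, notes whether the answer is a private address (an interface endpoint with private DNS) or a public one (traffic must leave through NAT/IGW), and attempts a TLS connection. The verdict strings and the sample addresses in the usage are my own constructions.

```python
"""Diagnose whether an instance can reach the CodeDeploy command-control endpoint.

Added example (not from the thread or the agent project). Run it on the
instance that is stuck in "In Progress" to learn which of the three failure
modes applies: DNS, routing, or the endpoint's security group.
"""
import ipaddress
import socket
import ssl
import sys


def commands_endpoint(region: str) -> str:
    """Hostname pattern taken from the agent source linked in the thread."""
    return f"codedeploy-commands.{region}.amazonaws.com"


def classify_addresses(addresses):
    """Split resolved addresses into (private, public) lists.

    RFC 1918 answers mean the name is served by an interface VPC endpoint
    with private DNS enabled; public answers mean the agent's traffic has to
    leave the VPC through a NAT gateway or an internet gateway.
    """
    private, public = [], []
    for addr in addresses:
        (private if ipaddress.ip_address(addr).is_private else public).append(addr)
    return private, public


def resolve(host: str):
    """Return the sorted set of IPv4 addresses for host, or [] if DNS fails."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tls_reachable(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if a TCP connection and a TLS handshake to host:port both succeed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # socket.timeout and ssl.SSLError are both OSError subclasses
        return False


def diagnose(addresses, reachable: bool) -> str:
    """Pure verdict function so the logic can be exercised without network access."""
    if not addresses:
        return "dns-failure: endpoint name does not resolve (check VPC DNS settings)"
    private, _public = classify_addresses(addresses)
    if reachable:
        return "ok-via-vpc-endpoint" if private else "ok-via-internet"
    if private:
        return "blocked-by-endpoint-sg: resolves to the interface endpoint but 443 is refused"
    return "no-route: resolves to a public address but nothing routes to the internet"


if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    host = commands_endpoint(region)
    addrs = resolve(host)
    ok = bool(addrs) and tls_reachable(host)
    print(host, addrs, diagnose(addrs, ok))
```

Run it as `python3 check_codedeploy_endpoint.py <region>` on the instance (the file name is arbitrary). A "no-route" verdict is the situation in the question: assigning an Elastic IP fixes it only because it creates a path to the internet; a NAT gateway in a route the private subnet uses, or the interface VPC endpoint from the AWS guide linked above, removes the need for a public address and keeps the agent's traffic off the internet. The AWS guide also covers the agent configuration needed for the commands endpoint.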

Related

Accessing http url hosted on a VNet Peered VM from another VM

If I peer two Bastion VMs via VNet, and run a web application on one VM, will I be able to access its REST URL from the other VM? Is there a charge involved for this type of access?
Sorry that I couldn't find it in me to understand all that jargon about ingress, egress and gateways. I just want the simple answer to my question.

Aws ec2 - Unable to consume http server from a different machine on the same network

Followed this tutorial to set up two EC2 instances: 12 . Creation of two EC2 instances and how to establish ping communication - YouTube
The only difference is I used a Linux image.
I set up a simple Python HTTP server on one machine (on port 8000). But I cannot access it from my other machine; whenever I curl, the program kind of waits. (It might eventually time out but I wasn't patient enough to witness that.)
However, the workaround I figured out was that you have to add a port rule via the security group. I do not like this option since it means that that port (on the machine that hosts the web server) can be accessed via the internet.
I was looking for an experience similar to what people usually have at home with their routers: machines connected to the same home router can reach other machines on any port (provided the destination machine has some service hosted on that port).
What is the solution to achieve something like this when working with EC2?
The instance is open to the internet because you are allowing access from '0.0.0.0/0' (anywhere) in the inbound rule of the security group.
If you want the communication to be allowed only between the instances and not from the public internet, you can achieve that by assigning the same security group to both instances and modifying the inbound rule in the security group to allow all traffic or ICMP traffic sourced from the security group itself.
You can read more about it here:
AWS Reference
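The answer's fix (one group on both instances, with an inbound rule whose source is the group itself) is easy to get wrong by leaving the 0.0.0.0/0 rule in place next to it. The script below is an added example, not from the thread; it audits a security group in the shape returned by the EC2 DescribeSecurityGroups API for world-open inbound rules and builds the self-referencing IpPermissions entry that replaces each one. The group id, the 203.0.113.10/32 admin address and the port-8000 rule in SAMPLE_SG are constructed for the demonstration; the boto3 calls in the main block are standard EC2 client methods and are only used to fetch a real group when an id is given.

```python
"""Audit a security group for inbound rules open to the internet and build the
self-referencing replacement rule the answer describes.

Added example, not from the thread. Dict shapes follow the EC2
DescribeSecurityGroups / AuthorizeSecurityGroupIngress API.
"""
import sys

OPEN_TO_WORLD = {"0.0.0.0/0", "::/0"}


def open_ingress(sg: dict):
    """Return (protocol, from_port, to_port, source) for every inbound rule
    whose source is the whole internet. Protocol "-1" (all traffic) carries
    no ports in the API output, so those come back as None."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto, fp, tp = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        for r in perm.get("IpRanges", []):
            if r.get("CidrIp") in OPEN_TO_WORLD:
                findings.append((proto, fp, tp, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") in OPEN_TO_WORLD:
                findings.append((proto, fp, tp, r["CidrIpv6"]))
    return findings


def self_referencing_rule(group_id: str, protocol: str = "-1",
                          from_port=None, to_port=None) -> dict:
    """IpPermissions entry allowing traffic only from members of group_id.

    protocol "-1" means all traffic, as in the answer, and then carries no
    ports; "tcp" with a port range narrows it to one service (least privilege).
    """
    perm = {"IpProtocol": protocol, "UserIdGroupPairs": [{"GroupId": group_id}]}
    if protocol != "-1":
        perm["FromPort"], perm["ToPort"] = from_port, to_port
    return perm


def remediation(sg: dict):
    """For each world-open rule, the self-referencing rule that should replace it."""
    return [self_referencing_rule(sg["GroupId"], proto, fp, tp)
            for proto, fp, tp, _src in open_ingress(sg)]


# Constructed sample: the poster's situation, port 8000 opened to the world,
# plus an SSH rule limited to one (documentation-range) admin address.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        import boto3  # only needed to read a real group
        ec2 = boto3.client("ec2")
        sg = ec2.describe_security_groups(GroupIds=[sys.argv[1]])["SecurityGroups"][0]
    else:
        sg = SAMPLE_SG
    for proto, fp, tp, src in open_ingress(sg):
        print(f"{sg['GroupId']}: {proto} {fp}-{tp} open to {src}")
    # Printed, not applied: revoke the world-open rule and authorize this one
    # (AuthorizeSecurityGroupIngress with IpPermissions=[rule]) once reviewed.
    for rule in remediation(sg):
        print("replacement:", rule)
```

The script only reports; applying the change means revoking the 0.0.0.0/0 rule and authorizing the printed replacement, and both instances must carry the group for the source reference to match. Note that a self-referencing rule allows traffic from every member of the group, so a group shared by many instances grants more than two-host connectivity.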

How to send requests between servers in Private Network in GCP?

The use case is the following:
a Compute Engine instance with a private IP only (no external IP)
The project has policies to not create external IPs
The goal is to be able to send HTTP requests to the private Compute Engine instance from Cloud Build
What are the best practices in networking to ensure that communication?
Thank you
For now, you can't plug Cloud Build into your VPC and thus connect to private resources from there.
A new feature is coming, named Worker Pool. The principle is to provision Compute Engine instances in your project, and thus in your VPC, to run the Cloud Build pipeline. Because the pipeline will run in your VM in your VPC, you will be able to reach the private IPs of your VPC.
Have you explored Private Google Access? It allows resources that do not have external IP to access Google's APIs and Services. Private Google Access is enabled on a subnet by subnet basis.
https://cloud.google.com/vpc/docs/private-access-options

How to connect to Community Edition Databricks Cluster via Outside Public Address / Application

Can someone let me know if it's possible to connect to or PING a Databricks cluster via its public IP address?
For example, I have issued the command ping --all-ip-addresses and I get the IP address 10.172.226.115.
I would like to be able to PING that IP address (10.172.226.115) from my on-premise PC (or connect to the cluster with an application using the IP address).
Can someone let me know if that is possible?
That public IP is not guaranteed to be your cluster; unless somehow you've installed Databricks into your own cloud provider account, where you fully control the network routes, it would be connecting to Databricks-managed infrastructure where the public IP would likely be an API gateway or router that serves traffic for more than one account.
Note: just because you can ping Google DNS with outbound traffic doesn't mean inbound traffic from the internet is even allowed through the firewall.
"connect to the cluster with an application"
I'd suggest using other Databricks support channels (i.e. their community forum) to see if that's even possible, but I thought you're just supposed to upload and run code within their ecosystem. At least, for the community plans.
Specifically, they have a REST API to submit a remote job from your local system, but if you want to be able to send data back to your local machine, I think you'd have to write to and download from DBFS or another cloud filesystem.

Openstack allow api access from vm

We are currently using OpenStack Newton. We can access the API using the client on the public endpoint from any computer, but the VMs don't have access to it; they can ping the IP and DNS name but can't curl or access it using openstack-client. How can we allow connections from the VMs to the API?
Assuming your public API endpoint is externally accessible, the network on which your virtual machine resides will need external access. This can be achieved in a few different ways, depending on your current configuration. You can create a Neutron provider network/subnet which will provide access to a physical network and gateway to the outside world. You can then boot your instance directly on the provider network. More information on Neutron provider networks can be found at docs.openstack.org.
The problem is that the floating IP doesn't give the route to my external network.
I added a route using neutron and now everything is working perfectly. For info, the command is:
neutron router-update demo-routeur --routes type=dict list=true destination=192.168.0.27/27,nexthop=10.0.0.1
