
I'm learning AWS and how to configure networking for EC2 instances and have a few questions. I'm using CentOS 7 in t2.micro instances.

  1. The private IP is tied to the NIC in the instance as shown by ifconfig -a. The purpose seems to be a single point of contact for the server. Adding another network interface does NOT add another NIC as shown by ifconfig -a. Since the primary network interface cannot be a static IP, a secondary network interface is necessary for most configurations. For example, to connect the application to the database server, use the static IP assigned to the second network interface. Am I understanding this correctly?

  2. The public IP is shown in the AWS console and provides a means to connect to the instance via SSH, assuming you configure the SG. The public IP also provides a means to access the internet for system updates. This seems to contradict the AWS documentation for NAT. If the public IP already provides internet access, why is a NAT (instance or gateway) needed? This is in reference to system updates which the documentation references.

> You can use a NAT device to enable instances in a private subnet to connect to the Internet (for example, for software updates) or other AWS services, but prevent the Internet from initiating connections with the instances. A NAT device forwards traffic from the instances in the private subnet to the Internet or other AWS services, and then sends the response back to the instances.

  3. Are a public IP and a private IP always assigned to each instance? I haven't walked through the process of creating a [new] AMI to verify if there's an option to not have a public IP. If the instance doesn't have a public IP, will the AWS console Connect button still allow you to connect to it to administer the server? Under what scenario will an instance NOT have a public IP? How do you connect to that instance to administer it?

I have read the NAT Gateway documentation and understand much of it. I'm having trouble understanding the pieces that state a NAT gateway or internet gateway is necessary to enable internet access, when it seems this is enabled by default. What am I missing?

Nice Guy IT
    You may also find some useful information in my answer to [Why Do We Need Private Subnets in VPC](http://stackoverflow.com/a/22212017/1695906)? – Michael - sqlbot Mar 17 '17 at 23:52

1 Answer


I think your confusion stems from your third question. A public IP is not always assigned to an instance. Public IP is an option that you can enable or disable in public VPC subnets, and in private VPC subnets public IP isn't an option at all. For EC2 instances without a public IP a NAT gateway (or NAT instance) is required in order to access anything outside of the VPC.

You may want to place something like a database server in a private subnet so that nothing outside your VPC can ever access it. However you might want the database server to be able to access the Internet to download patches or something, or you may want it to access the AWS API in order to copy backups to S3 or something, in which case you would need a NAT Gateway to provide the server access to resources outside your VPC.

Mark B
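The answer above boils down to two facts per instance: where its subnet's route table sends 0.0.0.0/0 (an internet gateway, a NAT device, or nowhere) and whether it has a public IP. The script below is an added example, not code from the question, the answer or AWS; it classifies instances by those two facts and flags security-group rules that open a port to a CIDR rather than to another security group ID, which is the practice Mark B recommends in the comments. The dict shapes follow the corresponding fields of `aws ec2 describe-route-tables`, `describe-instances` and `describe-security-groups`, but every record here (`rtb-…`, `subnet-…`, `i-…`, `sg-…`) is constructed by hand so it runs offline; in real use you would load the JSON those commands print.

```python
"""Classify EC2 instances by internet exposure from describe-* style data.

Added example, not code from the original Q&A. Data is constructed inline;
only the field names mirror the AWS API output.
"""

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample data. subnet-isolated has no explicit association, so the
# VPC's main route table (no default route) applies to it.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
]
INSTANCES = [  # constructed; PublicIpAddress is absent when no public IP was assigned
    {"InstanceId": "i-web", "SubnetId": "subnet-public",
     "PrivateIpAddress": "10.0.1.10", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-nopub", "SubnetId": "subnet-public", "PrivateIpAddress": "10.0.1.11"},
    {"InstanceId": "i-db", "SubnetId": "subnet-private", "PrivateIpAddress": "10.0.2.10"},
    {"InstanceId": "i-batch", "SubnetId": "subnet-isolated", "PrivateIpAddress": "10.0.3.10"},
]
SECURITY_GROUPS = {  # constructed; sg-db admits MySQL only from members of sg-app
    "sg-app": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-db": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                 "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
}


def route_table_for_subnet(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table):
    """Return 'igw', 'nat' or None depending on where 0.0.0.0/0 is sent."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId") or route.get("InstanceId"):  # NAT gateway or NAT instance
            return "nat"
    return None


def classify(instance, route_tables):
    """One of four exposure classes.

    public:         IGW route and a public IP: reachable from the internet (subject
                    to SG/NACL rules) and able to reach it.
    no-public-ip:   IGW route but no public IP: the IGW does no address translation,
                    so there is no internet access in either direction.
    private-egress: 0.0.0.0/0 goes to a NAT device: outbound only; a public IP in
                    such a subnet is unusable because nothing routes through an IGW.
    isolated:       no default route at all: VPC-internal traffic only.
    """
    rt = route_table_for_subnet(instance["SubnetId"], route_tables)
    target = default_route_target(rt) if rt else None
    if target == "igw":
        return "public" if instance.get("PublicIpAddress") else "no-public-ip"
    if target == "nat":
        return "private-egress"
    return "isolated"


def exposure_report(instances=INSTANCES, route_tables=ROUTE_TABLES):
    """Map InstanceId -> exposure class for every instance."""
    return {inst["InstanceId"]: classify(inst, route_tables) for inst in instances}


def cidr_ingress_rules(security_group):
    """(port, cidr) pairs opened to an IP range rather than to another SG ID."""
    return [(perm.get("FromPort"), rng["CidrIp"])
            for perm in security_group.get("IpPermissions", [])
            for rng in perm.get("IpRanges", [])]


if __name__ == "__main__":
    for instance_id, exposure in exposure_report().items():
        print(f"{instance_id:8} {exposure}")
    for sg_id, sg in SECURITY_GROUPS.items():
        print(sg_id, "CIDR ingress:", cidr_ingress_rules(sg) or "none")
```

In this data `i-web` is the only instance the internet can initiate connections to, `i-db` can fetch patches through the NAT gateway but cannot be reached from outside, and `i-batch` has no path out at all, which is the situation the question is really asking about. `sg-db` produces no CIDR finding because its 3306 rule references `sg-app`, while `sg-app` is flagged for SSH open to 0.0.0.0/0.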
  • That's exactly what I was missing. I see the Auto-assign Public IP is in step 3 of launching the instance. Looking through the documentation again, the Testing the Internet Connection section clarifies it. An instance with a public IP is in the public subnet while an instance without a public IP is in the private subnet. The public/private IP can only be assigned when launching the instance. The tutorials I've read don't seem to make this clear. Thanks @Mark-B! – Nice Guy IT Mar 17 '17 at 14:57
  • Also, regarding your first question, I think you are overcomplicating things. You definitely don't need to add a second network interface for most configurations. I'm not sure what "static-ip" you are assigning to the second network interface, but that is not needed. In a VPC a private IP is static. For connecting to other resources inside your VPC you should always use the private IP, and you should use security group IDs instead of IP addresses to open Security Groups to other VPC resources. – Mark B Mar 17 '17 at 14:59
  • RE: "_Private IP is an option that you can enable or disable in public VPC subnets_" Where is this option located? Can it be changed after the VPC is created? I know from walking through the VPC wizard that I have a public VPC without a private subnet. – Nice Guy IT Mar 17 '17 at 15:24
  • Sorry, that was a typo. It was supposed to be "Public IP is an option". I've corrected the typo in my answer. Private IP is not an option, all VPC resources must have a Private IP. – Mark B Mar 17 '17 at 15:46
  • RE my 2nd question, I didn't make the connection that all new instances are associated with the VPC by default. When reading the Instance IP Addressing docs, I took "For instances launched in EC2-Classic, we release the private IPv4 address when the instance is stopped or terminated. If you restart your stopped instance, it receives a new private IPv4 address." to mean that I needed to provide another IP that will not change across reboots. However, that doesn't apply because I now understand I'm using VPC and instances using a VPC keep the same private IP until that instance is destroyed. – Nice Guy IT Mar 17 '17 at 15:51
  • To wrap this up for future visitors, the [Supported Platforms](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html) page explains how to determine if your account is EC2-VPC only or EC2-Classic and EC2-VPC. The [VPC Introduction](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html) explains that EC2-VPC-only accounts have several defaults that are configured automatically without any action from you. Some of these defaults (private subnet for example) cannot be changed and require another "nondefault VPC" to be created. – Nice Guy IT Mar 17 '17 at 16:47