Saturday, 16 August 2014

Cooking with Chef: Create private and public subnet EC2 instances in a VPC with Knife

In order to access an AWS instance in a VPC private subnet you need a bastion host in a public subnet; in this setup the NAT instance doubles as the bastion. The setup of a bastion is quite easy, as described here.

One important remark: don’t forget to add an outbound (egress) rule to the NAT security group (NATSG) that allows SSH (TCP port 22) to the private subnet. Without it the NAT instance still forwards the private subnet’s internet traffic, but you cannot hop from it to the private instances.

As soon as your bastion is in place you probably want to create and bootstrap new instances in your private subnet. Knife can create EC2 instances in both private and public subnets; you only have to pass the right options to the knife ec2 server create command.

Create an instance in a private subnet

knife ec2 server create --flavor t2.micro --image ami-d44193a3  \
--security-group-ids sg-abcd1234 --tags Name=instance-name      \
--node-name instance-name  --environment staging                \
--region eu-west-1 --availability-zone eu-west-1a               \
--subnet subnet-1122aabb --ssh-gateway ec2-user@1.2.3.4         \
--server-connect-attribute private_ip_address                   \
--ssh-user ubuntu --ssh-key staging-key                         \
--run-list 'role[nosql]' --ebs-size 24                          \
--ebs-volume-type gp2
  • ssh-key staging-key: the name of the AWS key pair the new instance is launched with; here it is the same key pair that grants access to the bastion host.
  • ssh-gateway ec2-user@1.2.3.4: the bastion host (user and public IP) that knife hops through.
  • server-connect-attribute private_ip_address: tells knife to bootstrap the new instance on its private IP, through the bastion, instead of waiting for a public address the instance will never get.
Remark: this only works if you add the private key (here staging-key) to your authentication agent! Specifying it as identity_file (-i option) does NOT work: the -i option is handed to the connection to the new instance, while the hop to the gateway authenticates with whatever keys the agent holds. The key file must be mode 600 or ssh-add will refuse it.
ssh-add staging-key.pem

SSH access to an instance in a private subnet

Instances in a private subnet have no public address, so your SSH connection has to be proxied through the bastion: the ProxyCommand below opens an SSH session to the bastion and uses ssh -W to forward the connection to port 22 of the target. Edit your .ssh/config and add the following lines:
Host sbastion
    HostName 1.2.3.4
    User ec2-user
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    IdentityFile ~/.ssh/staging-key.pem
    LogLevel quiet

Host 10.0.0.*
    User ubuntu
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    IdentityFile ~/.ssh/staging-key.pem
    ProxyCommand ssh -W %h:%p sbastion
    LogLevel quiet
This config lets you reach any instance in your private subnet (10.0.0.*) with a plain ssh command, for example:
ssh 10.0.0.23
Note that StrictHostKeyChecking no together with UserKnownHostsFile /dev/null turns off host key verification for both hops, so a man-in-the-middle on the path to the bastion would go unnoticed. That is a convenience for throwaway staging instances; for anything longer-lived, record the host keys (the EC2 console output shows the fingerprints on first boot) and keep verification enabled.
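As an added example (not part of the original post), here is the same two-hop layout with host key verification kept on. The host names, user names and key path are the post’s placeholders; the separate known_hosts file name is an assumption:

```sshconfig
# Added example, not from the original post: two-hop access with host key
# verification enabled. ~/.ssh/known_hosts.staging is an assumed file name.
Host sbastion
    HostName 1.2.3.4
    User ec2-user
    IdentityFile ~/.ssh/staging-key.pem
    IdentitiesOnly yes
    UserKnownHostsFile ~/.ssh/known_hosts.staging
    StrictHostKeyChecking yes

Host 10.0.0.*
    User ubuntu
    IdentityFile ~/.ssh/staging-key.pem
    IdentitiesOnly yes
    UserKnownHostsFile ~/.ssh/known_hosts.staging
    StrictHostKeyChecking yes
    ProxyCommand ssh -W %h:%p sbastion
```

Populate ~/.ssh/known_hosts.staging before the first connection: ssh-keyscan 1.2.3.4 >> ~/.ssh/known_hosts.staging for the bastion, and ssh sbastion ssh-keyscan 10.0.0.23 >> ~/.ssh/known_hosts.staging for a private instance (ssh-keyscan runs on the bastion, which can reach the private subnet; this assumes it is installed there). Then compare the fingerprints (ssh-keygen -lf ~/.ssh/known_hosts.staging) with the ones printed in each instance’s console output (aws ec2 get-console-output) before trusting them. IdentitiesOnly yes stops the agent from offering every loaded key to the bastion, which also keeps the bastion from learning which other keys you carry.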

Create an instance in a public subnet

You have two options to create an instance in a public subnet. The -x and -S switches below are the short forms of --ssh-user and --ssh-key; no gateway is involved, so knife connects straight to the public address.
  • Associate the instance with an Elastic IP (here: 55.77.1.1), which stays with the instance across stop/start:
    knife ec2 server create --flavor t2.micro --image ami-fd6cbd8a  \
    --security-group-ids sg-abcd1234 --tags Name=instance-name      \
    --node-name instance-name --environment staging                 \
    --region eu-west-1 --availability-zone eu-west-1a               \
    --subnet subnet-2233ccdd --associate-eip 55.77.1.1              \
    --server-connect-attribute public_ip_address                    \
    --run-list 'role[webserver]' --ebs-size 24                      \
    --ebs-volume-type gp2 -x ubuntu -S GP-Staging

  • Associate the instance with an auto-assigned public IP, which is released when the instance stops:
    knife ec2 server create --flavor t2.micro --image ami-fd6cbd8a \
    --security-group-ids sg-abcd1234 --tags Name=instance-name     \
    --node-name instance-name --environment staging                \
    --region eu-west-1 --availability-zone eu-west-1a              \
    --subnet subnet-2233ccdd --associate-public-ip                 \
    --server-connect-attribute public_ip_address                   \
    --run-list 'role[webserver]' --ebs-size 24                     \
    --ebs-volume-type gp2 -x ubuntu -S GP-Staging

Either way the subnet needs a route to an internet gateway and the security group (sg-abcd1234) must allow inbound SSH from the workstation running knife, otherwise knife never gets through to bootstrap the node.
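Putting the private and public procedures together, here is an added example (my own wrapper, not code from the original post or from knife-ec2) that builds the knife ec2 server create command for either subnet type, validates its inputs before anything reaches the shell, and enforces the agent requirement from the private-subnet section by refusing to run when the bastion key is not loaded in ssh-agent. The defaults (bastion address, key pair name, AMI, security group) are the post’s placeholders; the variable names, function names and the DRY_RUN and RUN_LIST environment variables are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a wrapper that builds the
# "knife ec2 server create" command for a private or a public subnet and
# refuses a private-subnet bootstrap when the bastion key is not loaded in
# ssh-agent (the failure mode the post warns about). Defaults below are the
# post's placeholders; variable and function names are assumptions.

BASTION="${BASTION:-ec2-user@1.2.3.4}"            # bastion host, user@public-ip
KEY_NAME="${KEY_NAME:-staging-key}"                # AWS key pair name (--ssh-key)
KEY_FILE="${KEY_FILE:-$HOME/.ssh/staging-key.pem}" # private key of that key pair
IMAGE="${IMAGE:-ami-d44193a3}"                     # AMI used in the post
SG="${SG:-sg-abcd1234}"                            # security group used in the post
RUN_LIST="${RUN_LIST:-}"                           # e.g. 'role[nosql]' (assumed variable)

# key_in_agent FILE: succeed only if the agent holds the key stored in FILE.
# Assumes ssh-keygen can read FILE; compares its fingerprint with "ssh-add -l".
key_in_agent() {
  local fp
  fp=$(ssh-keygen -lf "$1" 2>/dev/null | awk '{print $2}') || return 1
  [ -n "$fp" ] && ssh-add -l 2>/dev/null | grep -qF "$fp"
}

# build_knife_cmd MODE NODE SUBNET [EIP]: print the knife command for MODE
# (private|public) without running it. Inputs are validated because the
# result is later passed to eval.
build_knife_cmd() {
  local mode="$1" node="$2" subnet="$3" eip="${4:-}" cmd
  case "$node" in
    ''|*[!A-Za-z0-9._-]*) echo "invalid node name: $node" >&2; return 2 ;;
  esac
  case "$subnet" in
    subnet-[0-9a-f]*) ;;
    *) echo "invalid subnet id: $subnet" >&2; return 2 ;;
  esac
  case "$RUN_LIST" in
    *\'*) echo "run list must not contain a single quote" >&2; return 2 ;;
  esac
  cmd="knife ec2 server create --flavor t2.micro --image $IMAGE"
  cmd="$cmd --security-group-ids $SG --region eu-west-1 --availability-zone eu-west-1a"
  cmd="$cmd --subnet $subnet --node-name $node --tags Name=$node --environment staging"
  cmd="$cmd --ssh-user ubuntu --ssh-key $KEY_NAME --ebs-size 24 --ebs-volume-type gp2"
  [ -n "$RUN_LIST" ] && cmd="$cmd --run-list '$RUN_LIST'"
  case "$mode" in
    private)
      # No public address: hop through the bastion and bootstrap on the private IP.
      cmd="$cmd --ssh-gateway $BASTION --server-connect-attribute private_ip_address" ;;
    public)
      # Either a pre-allocated Elastic IP or an auto-assigned public IP.
      if [ -n "$eip" ]; then
        case "$eip" in
          *[!0-9.]*) echo "invalid elastic ip: $eip" >&2; return 2 ;;
        esac
        cmd="$cmd --associate-eip $eip"
      else
        cmd="$cmd --associate-public-ip"
      fi
      cmd="$cmd --server-connect-attribute public_ip_address" ;;
    *) echo "mode must be private or public, got: $mode" >&2; return 2 ;;
  esac
  printf '%s\n' "$cmd"
}

# main MODE NODE SUBNET [EIP]: check the agent for private subnets, build the
# command, then run it (or only print it when DRY_RUN=1).
main() {
  local cmd
  if [ "$1" = private ] && ! key_in_agent "$KEY_FILE"; then
    echo "key $KEY_FILE is not in ssh-agent; run: ssh-add $KEY_FILE" >&2
    exit 1
  fi
  cmd=$(build_knife_cmd "$@") || exit 2
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$cmd"
  else
    eval "$cmd"
  fi
}

# Only act when invoked with arguments, e.g.
#   DRY_RUN=1 RUN_LIST='role[nosql]' ./knife-create.sh private nosql01 subnet-1122aabb
#   DRY_RUN=1 RUN_LIST='role[webserver]' ./knife-create.sh public web01 subnet-2233ccdd 55.77.1.1
if [ $# -gt 0 ]; then
  main "$@"
fi
```

With DRY_RUN=1 the script only prints the command, which is the mode worth using first: you can diff the private and public variants and confirm that the private one carries --ssh-gateway and private_ip_address while the public one carries an --associate-* option and public_ip_address. The input checks matter because the command string is handed to eval; a node name or run list taken from a ticket or a web form would otherwise be a shell injection into your knife workstation.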
    



Happy cooking!