Message from discussion VPC and Load Balancer

Date: Fri, 25 May 2012 16:32:41 -0600
Message-ID: <CAG_VBhPXxN7RD6DTqvSFecROYWP0vu=uS_bg0TdvH8K=BSH...@mail.gmail.com>
Subject: Re: VPC and Load Balancer
From: Mike Moore <blowm...@gmail.com>
To: uvawsug@googlegroups.com

What load balancer are you using? We used ELB and only wanted those
instances accessible, so only our ELBs were in the public subnet. Our web,
database, and utility boxes were all in the private subnet(s). We used the
NAT router for all private to external connections. Because ELBs get a
public IP by default it all worked out.

We did have one other server in our public subnet: an SSL bastion that we
could connect to and then connect to the private boxes. So because of our
use of ELB we only needed Elastic IPs for the bastion and the NAT.

On Thu, May 24, 2012 at 1:52 PM, Kenneth <kenneth.burge...@gmail.com> wrote:

> Hi all.  I am working on moving all of my EC2 instances into a VPC,
> but I am running into some general outbound Internet access issues, and was
> wondering if anyone else has figured it out...
>
> 1) If I create an Instance in a "public" subnet, it can only access
> the Internet if it has an Elastic IP address associated with it.  Is
> there any way to allow a "public" subnet to access outbound Internet
> like a non VPC Instance can, without Elastic IP addresses?
>
> I need outbound internet access to run system updates such as yum, and
> communicate with required external 3rd party services.
>
> I tried playing around with a "private" subnet which uses a NAT router
> instance, which works for most of our backend/internal servers, but
> then you run into two problems: a) routing doesn't seem to work for
> Elastic IP assigned addresses in the NATed subnet and b) the load
> balancer doesn't appear to work with NATed subnets (which is a problem
> for #2).
>
> Elastic IP addresses would seem to help with the "public" subnet, but
> with a limit of 5, after you add a NAT, Load Balancer and soon to be
> OpenVPN instance my limit is nearly exhausted, which leaves nothing
> left for the actual web instances.
>
> 2) Which leads to the primary issue - Load Balancer.  If I point the
> load balancer to instances in the "public" subnet, they work fine, as
> far as load balancer routing and web access, but these instances are
> unable to communicate with the external 3rd party online services.
> (and I do not have sufficient remaining Elastic IP addresses to cover
> these instances for "public" internet access).
>
> If I point the load balancers to instances in the "private" subnet,
> where the instances can communicate with the external 3rd party
> services fine, it breaks the load balancer's routing back to my client
> browser.
>
> I just can't seem to find a combination that will work for this setup.
>
> Thoughts?  Suggestions?
>
>
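The split Mike describes (only the ELBs, the NAT and the bastion in the public subnet, web and database boxes in private subnets whose default route goes through the NAT) can be checked mechanically. The following is an added example, not code from the thread: it audits a constructed VPC inventory shaped loosely like describe-route-tables / describe-instances output, with placeholder ids, and flags the two situations Kenneth ran into (an instance in a public subnet without a public address, and an Elastic IP behind the NAT route).

```python
import copy

# Constructed sample shaped loosely like describe-route-tables /
# describe-instances output; ids are placeholders, not a real account.
GOOD_VPC = {
    "route_tables": {
        "public": {"0.0.0.0/0": "igw-PLACEHOLDER"},
        "private": {"0.0.0.0/0": "i-nat-PLACEHOLDER"},  # NAT instance, not an IGW
    },
    "subnets": {"subnet-pub": "public", "subnet-priv": "private"},
    "instances": [
        {"id": "elb-1", "subnet": "subnet-pub", "role": "elb", "public_ip": True},
        {"id": "i-nat-PLACEHOLDER", "subnet": "subnet-pub", "role": "nat", "public_ip": True},
        {"id": "i-bastion", "subnet": "subnet-pub", "role": "bastion", "public_ip": True},
        {"id": "i-web1", "subnet": "subnet-priv", "role": "web", "public_ip": False},
        {"id": "i-db1", "subnet": "subnet-priv", "role": "database", "public_ip": False},
    ],
}
PUBLIC_ROLES = {"elb", "nat", "bastion"}  # the only things the reply leaves exposed

def default_route_target(vpc, subnet_id):
    table = vpc["route_tables"][vpc["subnets"][subnet_id]]
    return table.get("0.0.0.0/0")

def is_public_subnet(vpc, subnet_id):
    # "Public" in VPC terms means the default route points at an Internet gateway.
    target = default_route_target(vpc, subnet_id)
    return target is not None and target.startswith("igw-")

def audit(vpc):
    """Return findings (empty list = layout matches the public/private split)."""
    findings = []
    for inst in vpc["instances"]:
        sid, role = inst["subnet"], inst["role"]
        public = is_public_subnet(vpc, sid)
        if public and role not in PUBLIC_ROLES:
            findings.append(f"{inst['id']} ({role}) is exposed in public subnet {sid}")
        if public and not inst["public_ip"]:
            # Kenneth's item 1: no Elastic IP in a public subnet means no outbound path
            findings.append(f"{inst['id']} in public subnet without a public address")
        if not public and inst["public_ip"]:
            # Kenneth's item a): an Elastic IP behind the NAT route has no working return path
            findings.append(f"{inst['id']} has a public address but routes via NAT")
        if not public and default_route_target(vpc, sid) is None:
            findings.append(f"{inst['id']} has no default route: updates/3rd-party calls fail")
    return findings

def with_instance(vpc, instance):
    """Copy of vpc with one extra instance, for trying out variations."""
    variant = copy.deepcopy(vpc)
    variant["instances"].append(instance)
    return variant
```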
