I am trying out the open source edition of Scalr v5.8.29 on AWS. Specifically, I'm trying out deployment of a farm inside the private subnet of a VPC. For now, I'm limiting all instances launched to us-east-1d.
The VPC has two subnets in the same availability zone (us-east-1d), one public and one private. The CIDRs for these subnets are 172.31.48.0/20 for the public and 172.31.64.0/20 for the private.
I already have a VPC Router Farm launched and enabled for the VPC, with a single instance of the router-ubuntu1204-hvm role pointed to a public subnet in that VPC and an elastic IP in that subnet. The VPC router instance launches fine, and I can open an SSH console to it.
The public subnet has no routing table explicitly associated with it, making it implicitly associated with the default routing table that passes all 172.31.0.0/16 local traffic, and with 0.0.0.0/0 pointed to an internet gateway attached to the VPC.

The private subnet has a custom routing table associated, with 172.31.0.0/16 local traffic allowed and with 0.0.0.0/0 pointed at the eni-*** / i-*** target created by the VPC Router instance mentioned above. That is, all outbound traffic from the private subnet is directed through NAT. These VPC settings were made per this wiki page:
https://scalr-wiki.atlassian.net/wiki/display/docs/Using+VPC+-+External+Scalr+Deployment

I created a second farm with a single base-centos6 role, enabled for the same VPC. The single base-centos6 role has its network pointed at the private VPC subnet, and at the Scalr VPC Router created by the VPC Router instance mentioned above. I can launch the single base-centos6 instance in this farm, and that instance becomes accessible through the running VPC Router instance. (That is, I can open an SSH console on the VPC Router, and from there open a console on the base-centos6 instance.)
The problem is that the VPC Router instance itself doesn't appear to actually perform any NAT. That is, the base-centos6 instance in the private VPC subnet can talk to all machines in the 172.31.0.0/16 address space (including the VPC Router instance), its DNS queries resolve correctly, but it gets no outside connectivity. This prevents that instance from fully launching, since it times out on attempted connections to http://repo.scalr.net.
Locally on the VPC Router instance, it looks like the NAT settings are using the wrong address range:
root@ec2-XX-XX-XX-XX:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  10.0.0.0/8          !10.0.0.0/8

I can't find anywhere on the Scalr dashboard where this address range can be typed in explicitly. Rather, Scalr just pulls the entries from the AWS security groups it's linked to.
Is it possible the router-ubuntu1204-hvm role (or Scalr itself) is assuming a specific address range for VPC subnets?
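A quick check for the mismatch described in the question, added here as an example (not code from Scalr or the router role): it parses `iptables -t nat -S POSTROUTING` style output and tests whether the private subnet actually falls inside the source range of any MASQUERADE rule. The rule text below is constructed to match the output shown above; the subnet and rule strings are assumptions for the example.

```python
import ipaddress

# Constructed sample in `iptables -t nat -S POSTROUTING` form, mirroring the
# rule seen on the router in the question (not a capture from a real host).
SAMPLE_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MASQUERADE
"""

PRIVATE_SUBNET = "172.31.64.0/20"  # the private subnet from the question


def masquerade_sources(rules_text):
    """Return the (non-negated) -s network of every POSTROUTING MASQUERADE rule.

    A rule with no -s match applies to any source, so it is reported as 0.0.0.0/0.
    """
    nets = []
    for line in rules_text.splitlines():
        toks = line.split()
        if toks[:2] != ["-A", "POSTROUTING"] or "-j" not in toks:
            continue
        j = toks.index("-j")
        if j + 1 >= len(toks) or toks[j + 1] != "MASQUERADE":
            continue
        src = ipaddress.ip_network("0.0.0.0/0")
        for i, tok in enumerate(toks):
            # Skip "! -s X": that rule masquerades everything *except* X.
            if tok == "-s" and i + 1 < len(toks) and (i == 0 or toks[i - 1] != "!"):
                src = ipaddress.ip_network(toks[i + 1], strict=False)
        nets.append(src)
    return nets


def nat_covers(rules_text, subnet):
    """True if some MASQUERADE rule's source range contains the whole subnet."""
    net = ipaddress.ip_network(subnet)
    return any(net.subnet_of(src) for src in masquerade_sources(rules_text))


if __name__ == "__main__":
    # On the router you would feed in the real output of:
    #   iptables -t nat -S POSTROUTING
    srcs = ", ".join(str(n) for n in masquerade_sources(SAMPLE_RULES))
    print(f"MASQUERADE sources: {srcs}")
    print(f"{PRIVATE_SUBNET} is NATed: {nat_covers(SAMPLE_RULES, PRIVATE_SUBNET)}")
```

With the rule from the question the private subnet is reported as not NATed, which matches the symptom of local reachability but no outside connectivity.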