Problem with VPC Router role using wrong address range


Ben West

Oct 6, 2015, 1:09:10 PM
to scalr-discuss
I am trying out the open source edition of Scalr v5.8.29 on AWS.  Specifically, I'm trying out deployment of a farm inside the private subnet of a VPC.  For now, I'm limiting all instances launched to us-east-1d.

The VPC has two subnets in the same availability zone (us-east-1d), one public and one private.  The CIDRs for these subnets are 172.31.48.0/20 for the public and 172.31.64.0/20 for private.

I already have a VPC Router Farm launched and enabled for the VPC, with a single instance of the router-ubuntu1204-hvm role pointed to a public subnet in that VPC and an elastic IP in that subnet.  The VPC router instance launches fine, and I can open an SSH console to it.

The public subnet has no routing table explicitly associated with it, making it implicitly associated with the default routing table that passes all 172.31.0.0/16 local traffic, and with 0.0.0.0/0 pointed to an internet gateway attached to the VPC.  The private subnet has a custom routing table associated, with 172.31.0.0/16 local traffic allowed and with 0.0.0.0/0 pointed at the eni-*** / i-*** target created by the VPC Router instance mentioned above.  That is, all outbound traffic from the private subnet is directed through NAT.  These VPC settings were made per this wiki page:
https://scalr-wiki.atlassian.net/wiki/display/docs/Using+VPC+-+External+Scalr+Deployment

I created a second farm with a single base-centos6 role, enabled for the same VPC.  The single base-centos6 role has its network pointed at the private VPC subnet, and at the Scalr VPC Router created by the VPC Router instance mentioned above.  I can launch the single base-centos6 instance in this farm, and that instance becomes accessible through the running VPC Router instance.  (That is, I can open an SSH console on the VPC Router, and from there open a console on the base-centos6 instance.)

The problem is that the VPC Router instance itself doesn't appear to actually perform any NAT.  That is, the base-centos6 instance in the private VPC subnet can talk to all machines in the 172.31.0.0/16 address space (including the VPC Router instance), its DNS queries resolve correctly, but it gets no outside connectivity.  This prevents that instance from fully launching, since it times out on attempted connections to http://repo.scalr.net.

Locally on the VPC Router instance, it looks like the NAT settings are using the wrong address range:

root@ec2-XX-XX-XX-XX:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  10.0.0.0/8          !10.0.0.0/8  

I can't find anywhere on the Scalr dashboard where this address range can be typed in explicitly.  Rather, Scalr just pulls the entries from the AWS security groups it's linked to.

Is it possible the router-ubuntu1204-hvm role (or Scalr itself) is assuming a specific address range for VPC subnets?
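The symptom in the post is a POSTROUTING chain whose MASQUERADE rule is scoped to 10.0.0.0/8 while the VPC actually uses 172.31.0.0/16, so traffic from the private subnet leaves the router untranslated. The check below is an added example, not code from the post, from Scalr or from the router-ubuntu1204-hvm role: it parses the `iptables -t nat -L -n` listing the way it appears above (embedded here as a constructed sample copied from the post) and reports whether a given private subnet would be masqueraded on its way to an outside address. The destination 198.51.100.10 is a documentation-range placeholder standing in for "the Internet", and `expected_masquerade_rule` is a hypothetical helper that prints the rule a router for the given VPC CIDR would need; neither comes from the page.

```python
import ipaddress
import re

# Constructed sample: the NAT table listing from the post, verbatim.
SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.0.0/8          !10.0.0.0/8
"""


def _parse_net(token):
    """Turn an iptables address token such as '10.0.0.0/8' or '!10.0.0.0/8'
    into (network, negated)."""
    negated = token.startswith("!")
    return ipaddress.ip_network(token.lstrip("!"), strict=False), negated


def parse_masquerade_rules(nat_listing):
    """Return [(source_spec, destination_spec), ...] for every MASQUERADE rule
    found in the POSTROUTING chain of an `iptables -t nat -L -n` listing."""
    rules = []
    chain = None
    for line in nat_listing.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            chain = header.group(1)
            continue
        if chain != "POSTROUTING":
            continue
        fields = line.split()
        # Columns: target prot opt source destination
        if len(fields) >= 5 and fields[0] == "MASQUERADE":
            rules.append((_parse_net(fields[3]), _parse_net(fields[4])))
    return rules


def _matches(spec, network):
    """Does `network` fall inside the rule's address spec, honouring '!'?"""
    net, negated = spec
    covered = network.subnet_of(net)
    return not covered if negated else covered


def nat_covers(nat_listing, private_subnet, internet_dst="198.51.100.10"):
    """True if some MASQUERADE rule would translate traffic from
    private_subnet to internet_dst (a /32 outside the VPC)."""
    src = ipaddress.ip_network(private_subnet, strict=False)
    dst = ipaddress.ip_network(internet_dst + "/32")
    return any(_matches(s, src) and _matches(d, dst)
               for s, d in parse_masquerade_rules(nat_listing))


def expected_masquerade_rule(vpc_cidr):
    """Hypothetical helper (not Scalr's): the POSTROUTING rule a NAT router for
    this VPC needs, translating VPC-sourced traffic that is not VPC-bound."""
    return f"iptables -t nat -A POSTROUTING -s {vpc_cidr} ! -d {vpc_cidr} -j MASQUERADE"


if __name__ == "__main__":
    private = "172.31.64.0/20"   # the post's private subnet
    if nat_covers(SAMPLE_NAT_TABLE, private):
        print(f"{private} is masqueraded")
    else:
        print(f"{private} is NOT masqueraded; router needs:")
        print("  " + expected_masquerade_rule("172.31.0.0/16"))
```

Run against the listing from the post, the check reports the private subnet as not masqueraded, which matches the observed loss of outside connectivity; with the rule's 10.0.0.0/8 replaced by the VPC's own 172.31.0.0/16, the same subnet is covered while VPC-internal traffic (for example to the public subnet) is correctly left untranslated.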