5

I have multiple Amazon EC2 instances which need to communicate using private IPs. However, so far I've been unable to ping one instance's private IP from another instance.

I can ping external addresses, such as their Elastic IPs and other sites (yahoo, google, etc), so it seems there's nothing wrong with the instances' network configuration.

Also, they are all in the same zone, so that shouldn't be an issue.

Does anyone have any idea what I could be doing wrong? Could this be related to the Security Group settings?

ks78

4 Answers

7

It turns out the problem was the Security Group settings after all.

I had been IP-restricting traffic, so only my external IP could communicate with the instances. I assumed the Security Groups didn't apply to communication between instances, but they do.

The solution was to also allow traffic from 10.0.0.0/8, which covers all possible EC2 private IPs. It would be more secure to only allow traffic from specific private IPs, but that's a hassle since they can change.

This solves my problem for now. Probably the best solution would be to utilize Amazon's API to automatically tweak the Security Group IP-restrictions when instances are stopped and started.

ks78
  • This is really bad. The better way is to allow your own security group to communicate with itself. – Amala Oct 10 '12 at 16:09
2

According to the AWS FAQs, as long as you don't stop your instance, your private IP will stay the same.

Q: Do I need one Elastic IP address for every instance that I have running? No. You do not need an Elastic IP address for all your instances. By default, every instance comes with a private IP address and an internet routable public IP address. The private address is associated exclusively with the instance and is only returned to Amazon EC2 when the instance is stopped or terminated. The public address is associated exclusively with the instance until it is stopped, terminated or replaced with an Elastic IP address. These IP addresses should be adequate for many applications where you do not need a long lived internet routable end point. Compute clusters, web crawling, and backend services are all examples of applications that typically do not require Elastic IP addresses.

Al Serize
1

The statement "Security Group settings do not affect internal IPs" is incorrect. You have to add the inbound traffic to the security group for the private IP, just like an external IP.

I had to add entries from a specific private IP so that I could allow one instance to connect to another using Subversion, CouchDB, map a network drive, etc.

However, ping is different. Check that the security settings are set to ICMP, or just to "All Traffic", not just TCP, because ping is an ICMP message. Don't think that because you turned on "All TCP" it will work.

Hope that helps.
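The three points made in this thread (the accepted answer's 10.0.0.0/8 CIDR allow, Amala's self-referencing group rule, and this answer's TCP-versus-ICMP distinction) can be checked against a group's rule set offline. The Python below is an added example, not code from the original thread or from AWS; it evaluates inbound rules in the shape that `aws ec2 describe-security-groups` returns, using only the standard library. The group ID `sg-0a1b2c3d` and every IP address in it are constructed for the example.

```python
import ipaddress

# Constructed sample data: these dicts mimic one entry of the "SecurityGroups"
# list returned by `aws ec2 describe-security-groups`. The group ID and every
# address below are made up for this example.
SG_ID = "sg-0a1b2c3d"

# The questioner's original rule set: SSH from a single external IP only.
SG_EXTERNAL_ONLY = {
    "GroupId": SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.5/32"}], "UserIdGroupPairs": []},
    ],
}

# "All TCP" from the whole 10.0.0.0/8 range: SSH between instances works,
# but ping still fails because ICMP is not TCP.
SG_ALL_TCP_10_8 = {
    "GroupId": SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    ],
}

# Self-referencing rule: all traffic from any instance in this same group,
# regardless of which private IP it currently holds.
SG_SELF_REF = {
    "GroupId": SG_ID,
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": SG_ID}]},
    ],
}

ICMP_ECHO_REQUEST = 8  # ICMP type used by ping


def _source_matches(perm, peer_ip, peer_groups):
    """True if peer_ip falls inside any CidrIp of the rule, or if the peer
    instance is a member of any security group the rule references."""
    addr = ipaddress.ip_address(peer_ip)
    for rng in perm.get("IpRanges", []):
        if addr in ipaddress.ip_network(rng["CidrIp"], strict=False):
            return True
    return any(pair.get("GroupId") in peer_groups
               for pair in perm.get("UserIdGroupPairs", []))


def _protocol_matches(perm, protocol, port_or_type):
    """IpProtocol "-1" is "All traffic". For tcp/udp, FromPort..ToPort is a
    port range. For icmp, FromPort is the ICMP type and -1 means every type."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return True
    if proto != protocol:
        return False
    if protocol in ("tcp", "udp"):
        return perm["FromPort"] <= port_or_type <= perm["ToPort"]
    if protocol == "icmp":
        return perm.get("FromPort", -1) in (-1, port_or_type)
    return True


def ingress_allowed(sg, peer_ip, peer_groups, protocol, port_or_type=None):
    """Security groups are allow-lists with no deny rules: a packet is
    accepted if any single inbound rule matches both protocol and source."""
    return any(
        _protocol_matches(perm, protocol, port_or_type)
        and _source_matches(perm, peer_ip, peer_groups)
        for perm in sg["IpPermissions"]
    )


def ping_and_ssh_report(peer_ip="10.12.34.56", peer_groups=frozenset({SG_ID})):
    """Evaluate ping (ICMP echo) and SSH from a peer instance in the same
    group against each of the three rule sets. Returns {name: (ping, ssh)}."""
    return {
        name: (ingress_allowed(sg, peer_ip, peer_groups, "icmp", ICMP_ECHO_REQUEST),
               ingress_allowed(sg, peer_ip, peer_groups, "tcp", 22))
        for name, sg in (("external-only", SG_EXTERNAL_ONLY),
                         ("all-tcp-10/8", SG_ALL_TCP_10_8),
                         ("self-referencing", SG_SELF_REF))
    }


if __name__ == "__main__":
    for name, (ping, ssh) in ping_and_ssh_report().items():
        print(f"{name:17s} ping={'ok' if ping else 'blocked':7s} "
              f"ssh={'ok' if ssh else 'blocked'}")
```

The self-referencing variant is the one to prefer: it keys on group membership rather than on addresses, so it survives the private-IP change that the accepted answer worries about and does not open the instances to every other 10.0.0.0/8 host. With the current AWS CLI the ICMP-only form of that rule is `aws ec2 authorize-security-group-ingress --group-id <sg-id> --protocol icmp --port -1 --source-group <sg-id>`, and `--protocol -1` without `--port` covers all traffic.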

0

Security Group settings do not affect internal IPs since they're enforced on the cluster gateway.

As the instances are in the same zone, you can check that your instances' firewall, if activated, is accepting ping requests (ICMP echo).

Otherwise, try spawning a third instance and pinging both of them; if that succeeds, it could be due to a problem on the host server of one of the instances.

lynxman
  • I've tried spawning a third instance, but none of them seem to be able to ping any of the others using private IPs. I haven't set up the firewalls on any of the instances either, so I don't think that's the problem. I'll try setting them up (which I need to do anyway), but set them to allow all traffic. – ks78 Feb 06 '11 at 15:20
  • Nope, setting up the firewall and allowing all traffic through had no effect. – ks78 Feb 06 '11 at 21:16