Creating a bridge on EC2 causes connectivity loss

Question

I'd like to create a bridge in my EC2 instance and to associate an IP address to it.

Given the default /etc/network/interfaces file:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

I simply add to the end of it:

auto br0
iface br0 inet static
  address 10.0.3.1
  netmask 255.255.255.0
  bridge_ports eth0
  bridge_stp off
  bridge_maxwait 0
  post-up brctl setfd br0 0

As soon as I restart the network or simply run ifup br0, I lose connectivity to the EC2 instance (i.e. I cannot SSH into it anymore).

What could be the reason?

I'm not using a VPC. I need a bridge to setup a pool of LXC containers. — Roberto Aloi, Mar 14 '13 at 18:31
You really should use a VPC any time you're working with EC2 with more than one server. — ceejayoz, Mar 14 '13 at 18:45
It's just one single server. Containers are inside the same instance. — Roberto Aloi, Mar 14 '13 at 18:56

mgorven · Accepted Answer · 2013-03-14T18:42:05.417

When you add an interface to a bridge, the real interfaces should not have IP addresses associated anymore -- they should be moved to the bridge. Your configuration should look something like this:

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet dhcp
    bridge_ports eth0

This should result in the IP address provided by EC2 being attached to br0.

Running a bridge in EC2 isn't really useful however (not sure about VPCs, but definitely if you're not on a VPC), since you don't have full layer 2 access to the network, and can't expose multiple, arbitrary IPs onto the network. The EC2 network will reject packets from your LXC containers if the source IP doesn't match the IP of the instance.

What you probably want to do is create a bridge for the LXC containers, but without eth0 in it. Then configured IP forwarding between eth0 and the bridge, with SNAT on outgoing connections so that EC2 only sees the instance's IP.

I'm currently using a different approach, where I run my instance inside a VPC and attaching a second NIC to the instance. If your solution works, it will be much simpler. I'll give this a try and let you know if it works. — Roberto Aloi, Mar 14 '13 at 18:33
I've started the instance inside a VPC. That allows me to add a second NIC (for `eth1`). I'm then using your hint to get the IP address attached to `br0`. I still have a problem, though: http://serverfault.com/questions/488190/managing-lxc-containers-in-ec2 — Roberto Aloi, Mar 15 '13 at 15:08

Creating a bridge on EC2 causes connectivity loss

1 Answers1