
I set up an auto scaling group on EC2 along with an RDS Postgres instance. I am not using ELB. Maybe I should be...

The challenge is that every time a new EC2 instance is created it assigns a unique public IP address. This means that a new inbound rule needs to be applied to the security group for RDS that allows this new EC2 instance to connect to RDS via port 5432 (postgresql).

I also run into a Route 53 issue since the new IP address needs to be added to the DNS "A Record" in order to properly resolve the URL.

Is there a way to set up AWS to do this for me, or do I need to write some python code using boto?

nu everest
  • You can authorize the EC2 instances' security group to RDS rather than relying on IP addresses. – ceejayoz Dec 20 '14 at 02:49
  • Why do you need a DNS record for each EC2 instance? – Matt Houser Dec 20 '14 at 21:30
  • @MattHouser So that the URL to the site running on EC2 resolves. – nu everest Dec 22 '14 at 19:12
  • Why does the URL need to resolve to each instance individually? – Matt Houser Dec 22 '14 at 19:34
  • @MattHouser Each instance is running nginx. Doesn't that imply the need for DNS? Is there a better / different way with which I am not familiar? – nu everest Dec 23 '14 at 14:17
  • Just because it's running nginx does not mean it needs a unique URL. It depends on how users will access your web server(s). If it's from a single URL and your multiple servers are there to handle load, then no, you don't need individual URLs, you need a load balancer, such as ELB. But if your users access via www1.x.com, www2.x.com, etc., then yes. But if so, the question then is, why? – Matt Houser Dec 23 '14 at 16:04
  • @MattHouser Sounds like I need to learn more about the Elastic Load Balancer – nu everest Dec 23 '14 at 16:25
  • Elastic Load Balancer is a front-end to a cluster of EC2 instances. It is the entry point for your users to access your web servers. Each instance does not need its own public IP nor does it need its own URL. That's ELB's job. It's the standard way to architect an auto-scaling group of web servers. Now, it's possible your use-case does not lend itself toward ELB, and that's what I was asking you to clarify. – Matt Houser Dec 23 '14 at 16:51
  • @MattHouser What use cases or conditions would not lend themselves to the use of ELB? Currently I am only running nginx, django, gunicorn, python on the instance and nothing more. – nu everest Dec 24 '14 at 03:21
  • Are you just using a single instance? Why are you using auto-scaling? You can use auto-scaling in a min/max = 1 configuration to keep your single instance alive. When using a single instance, you can still benefit from ELB. ELB becomes your safety net and it avoids the need to do DNS changes. Another thing you can do is use an Elastic IP address to keep your IP constant. – Matt Houser Dec 24 '14 at 03:32
  • The simplest thing though is to use Elastic IP addresses for single instances that need to be reached from the outside world. – Matt Houser Dec 24 '14 at 03:34

2 Answers


This means that a new inbound rule needs to be applied to the security group for RDS that allows this new EC2 instance to connect to RDS via port 5432 (postgresql).

Rather than using public IPs for your security group rules, I suggest using private IPs. Run both EC2 and RDS in the same VPC, then allow the entire VPC subnet IP range containing your EC2 instances in your security group rules for RDS.

I also run into a Route 53 issue since the new IP address needs to be added to the DNS "A Record" in order to properly resolve the URL.

You basically have 3 options:

  1. Use ELB
  2. Write a setup script that runs on each instance and updates the DNS automatically
  3. Use OpsWorks which allows you to make an HAProxy instance with an EIP, then automatically adds new application server instances to that HAProxy instance when they start

thexacre


Don't individually add each EC2 instance's IP address to your inbound security group. Instead allow inbound traffic from the security group of the EC2 instances. Then any EC2 instance which uses that security group will be permitted access from the same rule.

Generally speaking, auto-scaling groups are best used behind Elastic Load Balancers if outside access is required. This is because auto-scaling groups are usually used when instances need to start and stop dynamically based on load or other metrics. When a client connects to your group, normally, it shouldn't care which one it actually is connecting to. By assigning individual IP addresses to each instance, the outside world needs to keep track of all these instances.

Matt Houser
  • "Instead allow inbound traffic from the security group of the EC2 instances." How do I do that on RDS? In the security group I have for my RDS instance (which is different than the security group for my EC2 instance) it only allows me to associate an IP Address with an inbound port. – nu everest Dec 25 '14 at 17:48
  • I answered this over here: http://serverfault.com/questions/655042/how-do-i-link-a-security-group-to-my-aws-rds-instance – Matt Houser Dec 28 '14 at 18:22
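As an added illustration of the two approaches in the answers (not code from the thread): this audits the inbound rules of an RDS security group on port 5432, separating per-IP rules outside the VPC from in-VPC CIDR rules and from rules that reference the EC2 instances' security group, and builds the group-referenced rule Matt Houser recommends. It assumes the dict shape boto3's `ec2.describe_security_groups()` returns; the group IDs, VPC CIDR and sample group below are constructed placeholders, and no AWS call is made.

```python
"""Audit an RDS security group for port 5432 and build a group-referenced rule.
Shape follows boto3 describe_security_groups(); all values below are constructed."""
import ipaddress

PG_PORT = 5432

# Constructed sample RDS group: two per-public-IP rules (the pattern from the
# question), one rule for an in-VPC subnet, one rule referencing the EC2 group.
SAMPLE_RDS_SG = {
    "GroupId": "sg-0rdsplaceholder",  # placeholder, not a real group id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "192.0.2.10/32"}, {"CidrIp": "192.0.2.11/32"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0ec2placeholder"}]},
    ],
}


def classify_pg_sources(sg, vpc_cidr):
    """Return the sources allowed to reach PG_PORT, bucketed as
    'sg-ref' (security-group reference), 'in-vpc' or 'outside-vpc' CIDRs."""
    vpc = ipaddress.ip_network(vpc_cidr)
    out = {"sg-ref": [], "in-vpc": [], "outside-vpc": []}
    for perm in sg["IpPermissions"]:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" = all protocols, no port fields
            continue
        if proto == "tcp" and not perm["FromPort"] <= PG_PORT <= perm["ToPort"]:
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            out["sg-ref"].append(pair["GroupId"])
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            out["in-vpc" if net.subnet_of(vpc) else "outside-vpc"].append(rng["CidrIp"])
    return out


def ingress_from_security_group(source_group_id, port=PG_PORT):
    """IpPermissions entry for ec2.authorize_security_group_ingress(): the source
    is a security group, so instances launched into it need no new rules."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "UserIdGroupPairs": [{"GroupId": source_group_id}]}]


if __name__ == "__main__":
    print(classify_pg_sources(SAMPLE_RDS_SG, "10.0.0.0/16"))
    print(ingress_from_security_group("sg-0ec2placeholder"))
```

Every entry in the `outside-vpc` bucket is a rule that has to be rewritten whenever an instance is replaced; the `sg-ref` entry keeps working across scale-out events.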