I have an environment with a public and a private subnet. One of the servers in the private subnet requires both an Elastic IP address that resides on a network interface that is connected to the public subnet and a second network interface that connects the EC2 instance to the private subnet. Before associating the EIP, I was able to SSH to the EC2 instance on its private IP from the NAT instance. After associating the EIP, I am no longer able to SSH using the private IP address via the NAT. By private IP above, I'm referring to the IP address associated with the original network interface, and not the private IP that shows up along with the EIP. Any idea what I might be missing here?
*"One of the servers in the private subnet requires both..."* I have great difficulty imagining a scenario that "requires" this in VPC; initial impression is that you are thinking in conventional networking terms rather than cloud, so you might want to clarify your motivation. Still, some questions come to mind: Is this Amazon Linux, Ubuntu, or another OS? Is the instance accessible over the new private IP, the one associated with the EIP, just not the old one, or neither? Does the instance begin failing either of its basic health checks? Does removing the 2nd ENI undo the brokenness? – Michael - sqlbot Oct 18 '16 at 11:40
I might be going about this all wrong. I have a separate 'private' subnet for all of the replica nodes for a mongo cluster. Each node has a network interface and private IP, and communicates with a NAT that is in a separate 'DMZ', the public subnet. I also wanted to make one of the replica nodes accessible on the public subnet with an Elastic IP. It's entirely possible that I am thinking about this from a traditional networking point of view. When I remove the network interface with the EIP, I am able to SSH to this server again via its other private IP. – Gary Sharpe Oct 18 '16 at 19:11
1 Answer
You should not (cannot) assign an Elastic IP to a private subnet. A private subnet has a route table that specifies a NAT instance to get to the public Internet. If you assign an Elastic IP to a private subnet, then your routing will not work. To make routing work you would have to add a route to the IGW (Internet Gateway), and that would convert your private subnet into a public subnet.
The correct procedure is to setup a Bastion Host or a VPN for accessing instances in a private subnet from the public Internet.
You do not need the second interface for an EC2 instance in a public subnet to communicate with the private subnet. All subnets within a VPC can communicate with each other provided you have not deliberately blocked this via custom routes, security groups, etc.
