
We have an auto-scaling group which spins up multiple instances as required. All instances in the auto-scaling group take their data from a separate EC2 instance (running NFS) so they can all share the same data.

Following are the settings for the NFS server, which allow everyone access to it via a wildcard:

/var/nfs *(rw,sync,no_root_squash,no_subtree_check)

Now, when the server auto-scales it assigns its own private/public IP addresses randomly to the EC2 instances running under the auto-scaling group, so I have to add these private/public IP addresses to the NFS instance's security group like this:


Or else I have the insecure option of allowing all traffic on all ports from any source, i.e. a security group with access to all ports from all sources, which would be a disaster.

Without these 2 options my EC2 instances running under the auto-scaling group do not connect to the NFS instance.

I have tried many options, like allowing all traffic on all ports from the auto-scaling security group 'Group ID', or allowing all traffic on all ports from the default security group 'Group ID', like this:


But none of this works and I am in a weird situation!

PS: There is no port issue, since I have been trying with all traffic.

Farmi
    Opening the NFS security group to allow your EC2 instances should be simple. You either allow access to the security group the EC2 instances are in, or you could manually allow access via the EC2 subnet CIDR. Suggest you do this again, using pings, or even temporarily install a one page web server on the NFS server so you can curl. I suspect you'll need to use a really methodical process of elimination on this one. – Tim Dec 19 '16 at 01:02
  • @Tim actually my NFS instance has an elastic IP associated, and when I try to connect to the NFS share like `sudo mount -t nfs 111.11.8.23:/var/nfs /var/web/` it does not connect, while it works fine with the private IP of the NFS instance. Now, the reason to use the public IP is just that if the NFS instance gets restarted or rebooted it will get another private IP, and all of the instances in my auto-scaling group will fail to connect and I will have to bake the AMI again. – Farmi Dec 19 '16 at 12:53
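The export line quoted in the question (`/var/nfs *(rw,sync,no_root_squash,no_subtree_check)`) is open to every host that can reach port 2049 and lets remote root keep uid 0. The following audit script is an added example, not code from the question or the answers; the sample `/etc/exports` text, the second export line and the client CIDR `10.0.1.0/24` are constructed, and it handles only the one-client-per-line form shown on the page.

```python
"""Audit /etc/exports lines for wildcard clients and no_root_squash."""
import re
from typing import Dict, List

# Constructed sample: the question's export line plus one restricted line.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/var/nfs *(rw,sync,no_root_squash,no_subtree_check)
/srv/data 10.0.1.0/24(rw,sync,root_squash,no_subtree_check)
"""

# One client spec per line: <path> <client>(<comma-separated options>)
ENTRY_RE = re.compile(r'^(\S+)\s+(\S+?)\(([^)]*)\)$')


def parse_exports(text: str) -> List[Dict]:
    """Return one dict per export entry: path, client and option list."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if not match:
            raise ValueError(f'unparsed exports line: {raw!r}')
        path, client, opts = match.groups()
        entries.append({
            'path': path,
            'client': client,
            'options': [o.strip() for o in opts.split(',') if o.strip()],
        })
    return entries


def audit_entry(entry: Dict) -> List[str]:
    """List the weak settings of one entry; an empty list means none found."""
    findings = []
    if entry['client'] == '*':
        findings.append('wildcard client: any host reaching port 2049 may mount')
    if 'no_root_squash' in entry['options']:
        findings.append('no_root_squash: remote root keeps uid 0 on the export')
    return findings


def harden_entry(entry: Dict, client_cidr: str) -> str:
    """Rewrite the entry for one client CIDR with root squashed."""
    opts = [o for o in entry['options'] if o != 'no_root_squash']
    if 'root_squash' not in opts:
        opts.append('root_squash')
    return f"{entry['path']} {client_cidr}({','.join(opts)})"
```

Restricting the client to the auto-scaling subnet's CIDR in `/etc/exports` complements, but does not replace, a security group rule that limits port 2049 to that subnet or source group.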

1 Answer


You shouldn't be using the elastic IP; it's public and you'll be charged internet traffic rates, whereas internal traffic is free.

Instances keep their IP on restart, but it can change on stop / start. However I have one instance on a subnet that has been stopped and started many times and has kept the same private IP.

The best solution, I think, is to use an ENI (Elastic Network Interface). You can create an ENI and specify a private fixed IP address, which you can do from the API or console. You then attach your ENI to your EC2 instance, and there may be some fiddling around to get the OS / software to recognise it, but I imagine you can search for that.


You could just put the NFS instance in the same subnet as the EC2 instances, but if the EC2 instances are public web servers that's less secure than using a DMZ.

Tim
  • I had never heard of ENI (Elastic Network Interface) before, and this should be the best way to achieve what I am trying to do. – Farmi Dec 21 '16 at 21:56
  • Google is your friend :) The AWS certification courses would give you a good background too. – Tim Dec 22 '16 at 02:31