Outward internet access behind a load balancer

Question

I am experimenting with putting our AWS EC2 instances behind a load balancer. This works well but I have an issue that I am unsure how to resolve.

The instances that are behind the load balancer don't have a public IP address assigned and have no direct access to the internet other than via the load balancer.

The issue is that this means that I cannot update the instance using yum as you get the following:

Loaded plugins: priorities, update-motd, upgrade-helper
Could not retrieve mirrorlist http://repo.eu-west-1.amazonaws.com/latest/main/mirror.list error was
12: Timeout on http://repo.eu-west-1.amazonaws.com/latest/main/mirror.list: (28, 'Connection timed out after 10000 milliseconds')

Similarly I cannot download the latest code from git to the instance for the same reason.

I have done a search but I cannot find a solution to this. How do others resolve this? What is the best practice for this? Is the only way to assign a public IP to every instance behind the load balancer?

Answer 1

You don't need a public IP address for each and every instance, you just need to provide internet access to those instances.

One method is with a NAT gateway but you can also set up a NAT instance or roll your own by assigning one instance a public IP address and installing a (HTTP) proxy server there that the other servers connect to.

Answer 2

@HBruijn described what is probably the most common way to do this.

You could also use EC2 Systems Manager (full documentation here) if all you want to do is run OS updates. This is more work, but can be automated.

You can still assign Elastic IPs to your instances, either temporarily or permanently. It's not standard practice, but it's a way around this if you want to do your updates manually.