29

I need the static IP to allow access to a firewalled network not on the AWS network.

Is it possible to get a static IP for a load balanced app using Elastic Beanstalk? I'm following the AWS docs regarding using Route 53 to host my app with a domain name, but from what I've read, this does not ensure a static IP because it is essentially using a CNAME allowing the IP behind the scenes to change. Is that the right understanding? Is it possible at all?

Seth

3 Answers

15

This post helped me get a static IP for outgoing requests by using a NAT Gateway, and routing specific requests through it.

I needed this static IP in order to be whitelisted from an external API provider.

I found this way much easier than the one provided by AWS, without the need to create a new VPC and private and public subnets.

Basically, what I did was:

  • Create a new subnet to host the NAT Gateway.
  • Create the NAT Gateway in the above subnet, and assign a new Elastic IP. This one will be our outgoing IP for hitting external APIs.
  • Create a route table for the NAT subnet. All outbound traffic (0.0.0.0/0) should be routed through the NAT Gateway. Assign the created subnet to use the new route table.
  • Modify the main route table (the one that handles all our EC2 instances requests), and add the IP(s) of the external API, setting its target to the NAT Gateway.

This way we can route any request to the external API IPs through the NAT Gateway. All other requests are routed through the default Internet Gateway.

As the post says, this is not a Multi-AZ solution, so if the AZ that holds our NAT Gateway fails, we may lose connection to the external API.

Update:

See @TimObezuk's comment to make this a Multi-AZ solution.

SebaGra
  • 3
    Author of the post you referenced here. I'm glad to hear it helped you :) It's simple to make this a Multi-AZ solution by creating a NAT Gateway within each Subnet / Availability Zone and adding a route to each rather than the Main Route Table in the VPC. The drawback is you would need to whitelist many Elastic IP addresses as each NAT Gateway has a unique IP address, as well as the additional cost of many NAT Gateways. – Tim Obezuk Mar 12 '18 at 03:53
  • Yeap @TimObezuk, I figured that setting that for each AZ would make your solution a Multi-AZ one. I will have to try it though. Thanks for the awesome post! – SebaGra Mar 12 '18 at 14:32
  • This only works if you know the IP address of the external service, and if the service themselves have a static IP. See my question here: https://stackoverflow.com/questions/49994240/why-cant-i-find-the-ip-address-of-mongodb-net – CodyBugstein Apr 24 '18 at 05:50
  • @CodyBugstein exactly, it only works if you know the IP address of the external service, or at least if it is static. How do you solve it with a dynamic IP? Issue here: https://stackoverflow.com/questions/52697134/create-static-ip-for-google-places-api-keys-restrictions-on-aws-elasticbeanstalk – Paganel Oct 22 '18 at 07:34
  • Any idea how to do this for an API which doesn't expose an IP? I want to request a domain which whitelists my IP address. – Abhyudit Jain Feb 28 '19 at 12:43
  • @TimObezuk on step 5, where do you get the number 54...(blurred out) from? Also, where can I find the new (static) IP to enable myself to be whitelisted? – raklos Oct 09 '19 at 14:36
  • Hey @raklos, that one is the destination server that you are trying to reach (the one that should whitelist your IP). On the other hand, the IP to be whitelisted (your outgoing IP) is the elastic IP that AWS gives you in step 2 when you create the NAT gateway. – SebaGra Oct 10 '19 at 02:34
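
The routing described in the answer above and in the Multi-AZ comment, modelled offline as an added example (not code from the answer or from the referenced post). It applies longest-prefix matching to route tables shaped like `aws ec2 describe-route-tables` output and reports which Elastic IPs the remote firewall has to allow, and which AZs would bypass the NAT Gateway. All IDs, AZ names and addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data shaped like the "Routes" list printed by
# `aws ec2 describe-route-tables`; every ID and address is a placeholder.
NAT_EIPS = {"nat-aaaa": "198.51.100.1", "nat-bbbb": "198.51.100.2"}

# Single-AZ layout from the answer: one main route table for all instances.
MAIN_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1111"},
    {"DestinationCidrBlock": "203.0.113.10/32", "NatGatewayId": "nat-aaaa"},
]
# Multi-AZ layout from the comment: one route table and NAT Gateway per AZ.
# az-c is a constructed mistake: its route to the API was never added.
PER_AZ_ROUTES = {
    "az-a": MAIN_ROUTES,
    "az-b": [
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1111"},
        {"DestinationCidrBlock": "203.0.113.10/32", "NatGatewayId": "nat-bbbb"},
    ],
    "az-c": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1111"}],
}


def select_route(routes, dest_ip):
    """Most specific route covering dest_ip (longest prefix match), or None."""
    dest = ipaddress.ip_address(dest_ip)
    nets = [(ipaddress.ip_network(r["DestinationCidrBlock"]), r) for r in routes]
    hits = [(net.prefixlen, r) for net, r in nets if dest in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None


def egress_source(routes, dest_ip):
    """Elastic IP the destination sees, or None if no NAT Gateway is used."""
    route = select_route(routes, dest_ip)
    # Via the Internet Gateway the source is the instance's own public IP,
    # which changes whenever Beanstalk replaces the instance.
    nat_id = route.get("NatGatewayId") if route else None
    return NAT_EIPS.get(nat_id) if nat_id else None


def allowlist_for(per_az_routes, dest_ip):
    """(Elastic IPs the remote side must allow, AZs that bypass the NAT)."""
    seen = {az: egress_source(r, dest_ip) for az, r in per_az_routes.items()}
    eips = sorted({ip for ip in seen.values() if ip})
    return eips, sorted(az for az, ip in seen.items() if ip is None)
```

An AZ listed in the second return value sends traffic to the API from instance public IPs, so requests from instances there will be rejected by the remote allowlist until the missing route is added.
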
13

Deploy your beanstalk environment in VPC, and with the right configuration, a static IP for outbound traffic is easy.

In this setup, your instances all relay their outbound traffic through a single machine, which you can assign an elastic IP address to. All of the inside-originated, Internet-bound traffic from all of the instances behind it will appear, from the other network, to be using that single elastic IP.

The RDS portion of the following may be irrelevant to your needs but the principles are all the same.

http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc-rds.html

Michael - sqlbot
  • I'm going to read into this, but just a quick follow-up, can the beanstalk environment still be load balanced using this setup? – Seth Oct 16 '14 at 15:39
  • 1
    @Seth yes. This setup only impacts the way the servers access the Internet, outbound, when they originate traffic. Inbound traffic still goes through the load balancer, as before. The main application servers in one of our platforms use almost exactly this setup, behind ELB. The machine with the static address is not one of your beanstalk machines, it's a new instance, always on... but it can be a very small instance (even a micro) and still not give you any performance grief. The ELB traffic is completely independent of this machine and the related configuration. – Michael - sqlbot Oct 16 '14 at 19:39
-3

Deploy your beanstalk environment in VPC, and with the right configuration, a static IP for outbound traffic is easy.

In this setup, your instances all relay their outbound traffic through a single machine, which you can assign an elastic IP address to. All of the inside-originated, Internet-bound traffic from all of the instances behind it will appear, from the other network, to be using that single elastic IP.

The RDS portion of the following may be irrelevant to your needs but the principles are all the same.

http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc-rds.html

dang