Provision Amazon EC2 instance with salt-cloud from a machine w/o public IP

Question

Ok, I am quite a newbie of the salt-stack world, but after 2 days being stuck with this issue I'm starting to feel a bit stupid too.

I would like to have a simple 1:1 configuration:

• [Master] Vagrant/VirtualBox/Ubuntu with salt & salt-cloud installed

• [Minion] Amazon EC2 machine, conveniently provisioned with state files I have in [Master].

I have reached the step where I am able to create the Minion instance thanks to salt-cloud, but I am stuck at the next step: I don't know how I can

• Transfer .sls files to the Minion

• Run the top.sls at Minion side to perform the provision

The fact is that any salt-cloud command seems to work (I am able to create, list, delete the Amazon EC2 instance by command line), but I cannot connect to the Minion with any salt command, I just get timeout ("Minion did not return").

Moreover I am not comfortable with this architecture because the Minion could receive Master's requests, but on the other end it doesn't have visibility of the Master, since the Master is not publicly reachable (and I don't want to).

What am I missing to be able to have an architecture as simple as this?

Answer 1

The problem you're running into is that the Salt Minion probably can't find a route back to your laptop. Your laptop is most likely behind a nat firewall.

Your Salt Minion must be able to reach your Salt Master on ports 4505 and 4506. Once you've got that working, you should be fine. You're probably going to want to have your Salt Master on EC2 or somewhere that can be reached easily by your minion on EC2.