
An AWS EC2 instance uses the link-local address (169.254.169.254) to distribute user-data. So, I booted a Linux instance to experiment with this using some initial network setup scripts that fetch the data. The following is the setup before I requested the information.

iptables:
Chain INPUT (policy ACCEPT)
target prot opt source destination 
Chain FORWARD (policy ACCEPT)
target prot opt source destination 
Chain OUTPUT (policy ACCEPT) 
target prot opt source destination 

eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 06:43:0f:bf:cd:6c brd ff:ff:ff:ff:ff:ff
inet 169.254.169.15/16 brd 169.254.255.255 scope global eth0
 valid_lft forever preferred_lft forever 
inet6 fe80::443:fff:febf:cd6c/64 scope link 
 valid_lft forever preferred_lft forever 

route
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.169.15

Requested: wget http://169.254.169.254 REQUEST TIME OUT

tcpdump 
00:00:00.000000 ARP, Request who-has 169.254.169.254 tell 169.254.169.15, length 28
00:00:00.000115 ARP, Reply 169.254.169.254 is-at <MAC REMOVED>, length 42
00:00:00.000119 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, options [mss 1460,sackOK,TS val 2525905560 ecr 0,nop,wscale 7], length 0 
00:00:01.048018 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, options [mss 1460,sackOK,TS val 2525906608 ecr 0,nop,wscale 7], length 0 
00:00:03.096020 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, options [mss 1460,sackOK,TS val 2525908656 ecr 0,nop,wscale 7], length 0 
00:00:07.128021 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, options [mss 1460,sackOK,TS val 2525912688 ecr 0,nop,wscale 7], length 0 
00:00:15.192051 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, options [mss 1460,sackOK,TS val 2525920752 ecr 0,nop,wscale 7], length 0 
00:00:31.576027 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, options [mss 1460,sackOK,TS val 2525937136 ecr 0,nop,wscale 7], length 0 
00:00:36.696009 ARP, Request who-has 169.254.169.254 tell 169.254.169.15, length 28 
00:00:36.696189 ARP, Reply 169.254.169.254 is-at <MAC REMOVED>, length 42 
00:01:03.832035 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, options [mss 1460,sackOK,TS val 2525969392 ecr 0,nop,wscale 7], length 0 
00:01:08.952026 ARP, Request who-has 169.254.169.254 tell 169.254.169.15, length 28 
00:01:08.952182 ARP, Reply 169.254.169.254 is-at <MAC REMOVED>, length 42

Something is blocking Acknowledgement packets. What am I missing? Please advise!

If you need any other information, please let me know!

Gaurav Minocha
  • Why does your instance have a link-local address on eth0? `inet 169.254.169.15/16 brd 169.254.255.255 scope global eth0` – Michael - sqlbot Nov 18 '17 at 00:11
  • I configured it myself, what's wrong with it? I can remove it if that is a problem according to you! AFAIK I tried without assigning any address it didn't work! Will give another try. – Gaurav Minocha Nov 18 '17 at 00:22
  • You can't just change the IP address of an EC2 instance. It needs to be the address assigned by the infrastructure via DHCP. The seamless intra- and inter-availability zone networking of EC2 is made possible by the fact that the entire network is virtual and software-defined. Yes, that would be why the network is ignoring your IP-layer traffic. ARP works because ARP is all simulated on the SDN -- there are no actual broadcasts, and the ARP `is-at` response comes from the network, itself, and not the remote node. – Michael - sqlbot Nov 18 '17 at 00:31
  • Okay, but my machine doesn't have a DHCP client and I want to read the IP address from metadata. So, according to you, it is not possible? – Gaurav Minocha Nov 18 '17 at 01:33
  • How did you manage to get an instance running and log into it without a DHCP client on it to give it an address in the first place... and why? – Michael - sqlbot Nov 18 '17 at 01:43
  • :) So, these logs are before the actual network is set up (statically). The above setup script (experimental) configures the network and tries to connect to 169.254.169.254 (logs everything in the background) and then resumes the usual network configuration. Is it clear now? FYI, DHCP is not required if you know the IP beforehand! – Gaurav Minocha Nov 18 '17 at 01:51
  • You don't configure the first network interface statically in EC2... that isn't how the platform works. Each host is only allowed to use the assigned addresses, which are automatically assigned via DHCP. Changing that will break things. You can configure it statically, if you use the same settings provided by DHCP, but there is no purpose to be served by doing so. – Michael - sqlbot Nov 18 '17 at 01:55
  • Yes, I configure the instance to use the same IP and then statically assign it to the machine. Anyways, I am looking for a workaround for the same problem without DHCP. So, I read the IP from the user-data and assign it to the machine. The question is how to reach 169.254.169.254 without knowing the IP assigned to the instance! – Gaurav Minocha Nov 18 '17 at 02:01
  • I'm afraid that doesn't make logical sense. Use DHCP. That's how the platform is designed to work. The DHCP implementation is secure, fault tolerant, and redundant, and there is no meaningful justification for doing otherwise. – Michael - sqlbot Nov 18 '17 at 02:10
  • I'm going to be a little bit more explicit than _Michael_: don't muck with EC2 networking. If you have a problem to solve, _ask a question about that problem_. But don't muck with the network and then ask why it doesn't work. – kdgregory Nov 18 '17 at 11:21
  • Yes, after a long conversation with AWS support it was concluded, it isn't possible to do what I was trying to achieve. Thanks for your help! – Gaurav Minocha Nov 22 '17 at 22:32
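The capture in the question shows the diagnostic signature the comments explain: ARP for 169.254.169.254 is answered (by the SDN, not the remote node), while every TCP SYN from the self-assigned 169.254.169.15 goes unanswered and the kernel retransmits it with exponential backoff. The following is an added example (not part of the question or the comments) that classifies a tcpdump excerpt into exactly those states: no layer-2 path, layer-2 resolved but IP traffic dropped, or handshake completed. The stalled sample is the capture from the question with the option fields trimmed; the healthy control sample and its 10.0.0.15 address are constructed.

```python
"""Classify a tcpdump excerpt: did ARP resolve, and did any SYN get a SYN-ACK?"""
import re
from collections import Counter

# Constructed sample: the capture quoted in the question above, option fields
# trimmed and the MAC placeholder kept as printed.
STALLED_CAPTURE = """\
00:00:00.000000 ARP, Request who-has 169.254.169.254 tell 169.254.169.15, length 28
00:00:00.000115 ARP, Reply 169.254.169.254 is-at <MAC REMOVED>, length 42
00:00:00.000119 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, length 0
00:00:01.048018 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, length 0
00:00:03.096020 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, length 0
00:00:07.128021 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, length 0
00:00:15.192051 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, length 0
00:00:31.576027 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, length 0
00:00:36.696009 ARP, Request who-has 169.254.169.254 tell 169.254.169.15, length 28
00:00:36.696189 ARP, Reply 169.254.169.254 is-at <MAC REMOVED>, length 42
00:01:03.832035 IP 169.254.169.15.60712 > 169.254.169.254.80: Flags [S], seq 2929127779, win 29200, length 0
"""

# Constructed control sample (not from the page): the same request from the
# platform-assigned address, where the handshake completes.
HEALTHY_CAPTURE = """\
00:00:00.000000 ARP, Request who-has 169.254.169.254 tell 10.0.0.15, length 28
00:00:00.000100 ARP, Reply 169.254.169.254 is-at <MAC REMOVED>, length 42
00:00:00.000200 IP 10.0.0.15.41000 > 169.254.169.254.80: Flags [S], seq 1, win 29200, length 0
00:00:00.000500 IP 169.254.169.254.80 > 10.0.0.15.41000: Flags [S.], seq 7, ack 2, win 26883, length 0
00:00:00.000600 IP 10.0.0.15.41000 > 169.254.169.254.80: Flags [.], ack 1, win 229, length 0
"""

ARP_REPLY = re.compile(r"^(?P<ts>\S+) ARP, Reply (?P<ip>\S+) is-at ")
TCP_PKT = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\](?:, seq (?P<seq>\d+))?"
)


def _seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze(capture, target="169.254.169.254", port=80):
    """Summarise one capture and say which layer the connection stalls at."""
    arp_resolved = False
    syn_times = []            # timestamps of outbound SYNs, in order
    syn_keys = Counter()      # (source port, seq) -> how often that SYN was sent
    syn_ack_seen = 0
    for line in capture.splitlines():
        m = ARP_REPLY.match(line)
        if m and m.group("ip") == target:
            arp_resolved = True
            continue
        m = TCP_PKT.match(line)
        if not m:
            continue
        flags = m.group("flags")
        outbound = m.group("dst") == target and m.group("dport") == str(port)
        inbound = m.group("src") == target and m.group("sport") == str(port)
        if outbound and flags == "S":
            syn_times.append(_seconds(m.group("ts")))
            syn_keys[(m.group("sport"), m.group("seq"))] += 1
        elif inbound and flags == "S.":
            syn_ack_seen += 1
    # Same (port, seq) sent again means the kernel retransmitted the SYN.
    retransmissions = sum(n - 1 for n in syn_keys.values())
    # Gaps between successive SYNs; a doubling series is the kernel's SYN backoff.
    intervals = [round(b - a) for a, b in zip(syn_times, syn_times[1:])]
    if not syn_times:
        verdict = "no SYN toward the target in the capture"
    elif syn_ack_seen:
        verdict = "handshake completed: the target answered with SYN-ACK"
    elif arp_resolved:
        verdict = ("ARP resolved but no SYN-ACK: layer 2 works while IP traffic is "
                   "dropped; check that the source address is the platform-assigned one")
    else:
        verdict = "ARP never resolved: no layer-2 path to the target"
    return {
        "arp_resolved": arp_resolved,
        "syn_sent": len(syn_times),
        "retransmissions": retransmissions,
        "syn_intervals": intervals,
        "syn_ack_seen": syn_ack_seen,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, cap in (("stalled", STALLED_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        print(name, analyze(cap))
```

On the question's capture the report shows ARP resolved, seven SYNs (six retransmissions at roughly 1, 2, 4, 8, 16 and 32 seconds) and zero SYN-ACKs, which is the "layer 2 works, IP dropped" case rather than a host firewall problem; the empty iptables chains in the question are consistent with that, since a local DROP would not have let the SYNs leave in the first place.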
