
I have created an EC2 instance behind an ELB and the hostname is

mysubdomain.domain.com

The instance is reachable via the internet from my local workstation (I have opened all connections from My IP to the instance in the security group it belongs to).

However, when performing

curl mysubdomain.domain.com

from within the instance, it times out.

Do I need to assign a public IP (I assume I want it to be elastic so that I don't have to change it every now and then in my security group inbound rules) and add an allow rule in my security group (the one the instance belongs to) from that specific IP?

Is there another way to go about it, given that I have reached the limit of Elastic IPs?

pkaramol

1 Answer


For an Amazon EC2 instance to access the Internet, it must either be:

  • In a public subnet with a public IP address, or
  • In a private subnet with a NAT Gateway or similar NAT service

By default, security groups allow all outbound traffic, so you will not need to modify the security groups.

Even if you have reached the limit of your Elastic IP addresses, you can launch the EC2 instance with a Public IP address via Auto-assign Public IP — this is different to an Elastic IP address, in that it is assigned when the instance is Started and might change when the instance is Stopped/Started. However, it will work perfectly fine to obtain Internet access.

If an instance is behind a load balancer, there is no reason to want to reach that instance directly from the Internet. Thus, there is no need for an Elastic IP address. In fact, in best-practice architectures, the instances should be in a Private Subnet so that they are better protected from the Internet. This will then require a NAT Gateway or NAT Instance to enable the instance to access the Internet.

John Rotenstein
  • Yes, I was just referring to the special case where the instance needs to reach via the internet __itself__; e.g. say I perform (for some reason) `curl mysubdomain.domain.com` from __within__ the instance; in such a case I need an explicit allow rule in my SGs with the instance's public IP (therefore the need for a permanent/static Elastic IP which doesn't ever change, so I do not have to keep updating my SG rules) – pkaramol Jul 20 '18 at 14:35
  • If you are trying to reach the load balancer via `curl mysubdomain.domain.com`, then you just need default Security Group settings and, as described above, either a public IP address in a public subnet, or a NAT Gateway/instance. If your instance is trying to reach _itself_ via a public name, then you've designed your architecture badly. – John Rotenstein Jul 21 '18 at 06:04
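The decision rule in the answer (public subnet plus public IP, or private subnet plus NAT, and the default all-outbound security group) as a small diagnostic; this is an added example, not code from the thread or from AWS, and the instance, route-table and security-group dicts are constructed stand-ins shaped loosely after EC2 describe-* output rather than real API responses.

```python
# Constructed inputs (assumption): dicts shaped like EC2 describe-* output, not real AWS data.
def default_route_target(route_table):
    """Return the target id of the 0.0.0.0/0 route, or None if there is no default route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId") or route.get("InstanceId")
    return None

def egress_allowed(security_groups, port):
    """True if any attached SG has an egress rule covering TCP `port` to 0.0.0.0/0.
    The EC2 default egress rule is IpProtocol '-1' (all traffic) to 0.0.0.0/0."""
    for sg in security_groups:
        for perm in sg.get("IpPermissionsEgress", []):
            proto = perm.get("IpProtocol")
            if proto not in ("-1", "tcp"):
                continue
            if proto == "tcp" and not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                continue
            if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                return True
    return False

def diagnose_internet_access(instance, route_table, security_groups, port=443):
    """Return (reachable, reason) for outbound traffic from the instance to the Internet.
    Note the inbound rules are never consulted: outbound is what matters for curl from the box."""
    target = default_route_target(route_table) or ""
    has_public_ip = bool(instance.get("PublicIpAddress"))
    if not egress_allowed(security_groups, port):
        return False, f"no security-group egress rule for TCP/{port}"
    if target.startswith("igw-"):  # public subnet
        if has_public_ip:
            return True, "public subnet with public IP via " + target
        return False, "public subnet but no public/Elastic IP: enable Auto-assign Public IP"
    if target.startswith("nat-"):  # private subnet behind a NAT Gateway
        return True, "private subnet routed through NAT Gateway " + target
    if target.startswith(("i-", "eni-")):  # private subnet behind a NAT instance
        return True, "private subnet routed through NAT instance " + target
    return False, "no default route to the Internet: add a NAT Gateway/instance or use a public subnet"

# Constructed sample: an instance in a public subnet that was launched without a public IP.
SAMPLE_INSTANCE = {"InstanceId": "i-0example", "PublicIpAddress": None}
SAMPLE_PUBLIC_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                               {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}
SAMPLE_PRIVATE_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]}
DEFAULT_SG = [{"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]

if __name__ == "__main__":
    print(diagnose_internet_access(SAMPLE_INSTANCE, SAMPLE_PUBLIC_RT, DEFAULT_SG))
```

Swapping SAMPLE_PUBLIC_RT for SAMPLE_PRIVATE_RT shows the best-practice layout from the answer: no public IP needed once the private subnet's default route points at a NAT Gateway.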