Tuesday, November 8, 2022

How an EIPAssociation in CloudFormation can Help Prevent Dependency Issues | by Teri Radichel | Cloud Security | Nov, 2022


ACM.104 Maintaining a static IP address when you need to delete and recreate an EC2 instance

This is a continuation of my series on Automating Cybersecurity Metrics.

We ran into a snag in the last post and we're going to fix it in this post. In that post, we used an AWS-managed prefix list to add rules to our security group instead of adding every CIDR used by the S3 service.

Updating security groups on an EC2 instance in CloudFormation apparently requires it to delete and recreate the EC2 instance. I don't know why, because you can change security groups in the AWS console with an EIP assigned and have no such issues. It seems like AWS could fix whatever is causing that (#awswishlist).

CloudFormation refused to delete and recreate the AWS EC2 instance because another stack depended on an output of our EC2 stack. That other stack was our EIP (Elastic IP Address), created in this post:

If we delete the EIP, we lose the IP address assigned to us and have to create a new one. And if we have to create a new IP address, then we have to go back and fix all the local network rules that were set up in this post:

To make sure we didn't lose our EIP but could still redeploy our VM, we removed the output dependency in our EIP stack. That meant actually changing our EIP template code. That's not a good long-term solution. We don't want to have to change code to create, delete, and redeploy resources. There are many solutions to that problem, but the one we're going to use is a CloudFormation EIP association:

Leveraging the EIPAssociation resource

When we create an EIP association, we pass in an EIP address and an Instance ID.

The EIPAssociation CloudFormation documentation says we have to pass in an allocation ID:

Well, where do we get that, since the output returned by an EIP is an IP address? We can glean how to get the allocation ID from the code at the bottom of the documentation page.

The sample code deploys an EIP:

Then it deploys an EIPAssociation and gets the ID using GetAtt and [EIP].AllocationId.

So apparently that's how you get the ID, and we need to add it to the outputs in our EIP template:

Since our EIP has no dependencies now, we can deploy it in our main deploy script. Recall that we removed the Instance ID dependency.

Test that out, and we now have an output with the EIP allocation ID in the CloudFormation stack:

Test the EIPAssociation

Now we can reference that in our EIPAssociation template. We can also reference the export value for the EC2 instance to which we want to associate the IP address.

With the above resource in place, we can delete and recreate the EC2 instance without losing our EIP or the fixed IP address that we're using in our firewall rules.
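As an added example (not the author's own template code), here are the two templates this procedure calls for, written as one multi-document YAML block: the EIP stack exports its AllocationId, and a separate association stack imports that export plus the instance ID. Resource, export and file names are assumptions, and DeveloperInstanceId stands for whatever your EC2 stack exports.

```yaml
# Added example, not the author's template. Names below are assumptions.
#
# eip.yaml: allocates the EIP. It has no reference to the EC2 stack, so the
# EC2 instance can be replaced without touching this stack or its address.
AWSTemplateFormatVersion: '2010-09-09'
Description: Elastic IP with no dependency on the EC2 instance stack
Resources:
  DeveloperEIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
Outputs:
  EIPAddress:
    # The IP address itself, used when writing the local firewall rules
    Value: !Ref DeveloperEIP
    Export:
      Name: DeveloperEIPAddress
  EIPAllocationId:
    # GetAtt AllocationId is the value an EIPAssociation requires
    Value: !GetAtt DeveloperEIP.AllocationId
    Export:
      Name: DeveloperEIPAllocationId
---
# eip-association.yaml: binds the existing EIP to the current instance.
# This is the only stack that depends on both the EIP and the EC2 stack.
AWSTemplateFormatVersion: '2010-09-09'
Description: Associate an existing EIP with the developer EC2 instance
Resources:
  DeveloperEIPAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties:
      AllocationId: !ImportValue DeveloperEIPAllocationId
      # Assumed export name from the EC2 stack for the instance ID
      InstanceId: !ImportValue DeveloperInstanceId
```

Because the association stack imports the EC2 stack's export, CloudFormation will block a change to that export while it is in use, so delete the association stack before redeploying the instance and redeploy it afterwards; the EIP stack is never touched, so the address survives.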

Rename deploy_eips.sh to deploy_eip_alloc.sh and add the code there to deploy an EIP Association.

Deploy the EIP association and verify that it works.

Check that you have the same IP associated with your EC2 instance that you had before. I do. That means I won't have to change any network rules.

Now we should have the S3 prefix list from that last post in the security group assigned to our EC2 instance.

That rule allows our EC2 instance to connect to S3 on port 443. That, in turn, allows us to run yum commands on AWS, since yum on AWS stores packages in S3. Let's try it.

SSH into the Developer EC2 instance we created in this series. Remember that since the underlying host changed, you'll need to delete your known hosts file, as I explained in a prior post.

Run this command:

sudo yum install git

Success!

While we're at it, you should also run the following command to update any outdated software on the system:

sudo yum update

Now that we have installed git on an EC2 instance, let's use it. In the next post I'll show you how to add networking rules to allow your EC2 instance to contact GitHub to retrieve code.

Follow for updates.

Teri Radichel

If you liked this story please clap and follow:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022

All the posts in this series:

____________________________________________

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Want Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
