
Static IP for Auto Scale in AWS

I need all of my instances in an AWS auto scaling group to be configured with (known) static IPs. I will be whitelisting all of these IPs in a mail server later (that's why I need all of them to be static). Is it possible using the regular CloudFormation approach? Maybe assigning a second NIC and assigning it an IP from a static IP range? Any ideas?

Saboo asked Nov 12 '15 16:11



1 Answer

Unfortunately, you can't gain access to any custom IP range for your autoscaling group.

You could get the IP range for the region you are working in, and whitelist all IPs from that region, but this wouldn't blacklist an instance from another AWS account. You can get these ranges here.

You can configure static IPs in AWS - They're called Elastic IPs. An Elastic IP address will persist with an instance between a stop/start. Elastic IPs are also "elastic" in that they can be detached from one network interface or instance and attached to another.

Unfortunately, there is no way to make autoscaling automatically assign an Elastic IP address to newly launched instances. You'd need to write a script that runs when a new instance is launched. You could run this script using EC2 user data.

You could then use the CLI or an SDK. The script would need to allocate a new Elastic IP address to your account, and then associate that Elastic IP with the instance.

Alternatively, you could use Lambda to run a script to do the same thing, but in response to an autoscaling event.

Other problems you might have:

  1. By default, you can only have 5 Elastic IPs in your account per region. You'll need to submit a limit increase to get more - and this could end up being an ongoing problem.
  2. What happens when an instance is terminated in the ASG? That Elastic IP will become disassociated - you get charged for disassociated Elastic IPs. You could always write a Lambda function that runs in response to autoscaling events and releases any disassociated Elastic IPs - but that's even more overhead.

Unfortunately, there is no nice solution to this problem. The easiest method would be to whitelist all Amazon IPs for that region, but you will still have potential security issues.

EDIT: You could also just create a proxy instance. You could configure all the instances in your ASG to direct traffic through the proxy instance. Then you could give the proxy instance an Elastic IP and allow it in your firewalls.

The only potential problem is your proxy server getting overloaded. You'd need to make sure the instance type you used for it could handle the max number of instances allowed in your ASG at full capacity.

mickzer answered Oct 06 '22 00:10
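
The launch and cleanup steps described in the answer above, sketched as one Lambda-style handler in Python (an added example, not code from the original answer). The tag name, the function names and the returned allow/revoke lists are assumptions; `ec2` is a boto3 EC2 client.

```python
# Added example (not from the original answer). The tag key/value and the
# function names are assumptions; `ec2` is a boto3 EC2 client.
POOL_KEY, POOL_VALUE = "asg-eip", "mail-allowlist"  # hypothetical tag
TAGS = [{"ResourceType": "elastic-ip",
         "Tags": [{"Key": POOL_KEY, "Value": POOL_VALUE}]}]


def attach_new_eip(ec2, instance_id):
    """Allocate a tagged Elastic IP and associate it with the instance."""
    addr = ec2.allocate_address(Domain="vpc", TagSpecifications=TAGS)
    try:
        ec2.associate_address(AllocationId=addr["AllocationId"],
                              InstanceId=instance_id)
    except Exception:
        # Do not leave a billed, unattached address behind on failure.
        ec2.release_address(AllocationId=addr["AllocationId"])
        raise
    return addr["PublicIp"]


def release_unattached(ec2):
    """Release tagged Elastic IPs that no longer have an association."""
    resp = ec2.describe_addresses(
        Filters=[{"Name": f"tag:{POOL_KEY}", "Values": [POOL_VALUE]}])
    released = []
    for addr in resp["Addresses"]:
        if "AssociationId" not in addr:
            ec2.release_address(AllocationId=addr["AllocationId"])
            released.append(addr["PublicIp"])
    return released


def handler(event, context=None, ec2=None):
    """Lambda entry point for Auto Scaling events delivered by EventBridge."""
    if ec2 is None:
        import boto3  # imported lazily so the logic can be tested offline
        ec2 = boto3.client("ec2")
    kind = event.get("detail-type", "")
    if kind == "EC2 Instance Launch Successful":
        ip = attach_new_eip(ec2, event["detail"]["EC2InstanceId"])
        return {"allow": [ip], "revoke": []}
    if kind == "EC2 Instance Terminate Successful":
        return {"allow": [], "revoke": release_unattached(ec2)}
    return {"allow": [], "revoke": []}
```

A released Elastic IP goes back to Amazon's pool and can be handed to another account, so every address in `revoke` should be removed from the mail server's allowlist.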