For those of you, like me, still learning as you go with Amazon Web Services, hopefully this will help you out.
The goal:
- When we reboot a Windows instance we would like to keep the same IP address.
- Stop being dependent on hosts files in Windows.
How the problem came about:
Our web app boxes were set up with a hosts file entry pointing to the SQL DB server. However, each time we rebooted the SQL instance we would have to go in and possibly change the hosts file. In addition, our connection strings were referencing the name assigned in the hosts file (i.e., DBSERVER). This has its disadvantages, as we are not using a fully qualified domain name. This would limit us in the future for maintenance and in case we needed to scale out the backend side.
The first step was to assign an elastic IP address to the DB server. Next we created an A record in Route 53 pointing to the new elastic IP (i.e., dbserver.yourname.com).
Next, we opened up port 1433 between the internal EC2 security groups. This way we are not opening port 1433 to the outside world in any way. We are simply saying, “OK web app servers in the web security group, you can now talk to DB servers in the SQL security group on port 1433”.
At first, I thought that would work…it didn’t. The reason I thought this would work is because when I went to the AWS re:Invent conference I chatted with an engineer there regarding how routing works for elastic IPs and Route 53 records. He mentioned that AWS notices that the IP belongs to them and routes it right back, without going outside its network…pretty cool!
The solution to the problem was to make a CNAME record for the DB server instead of an A record. So now I have attached an elastic IP of x.x.x.x to the instance, and AWS creates a public DNS record of ec2-x-x-x-x….. for it. Then I created a CNAME so that dbserver.yourname.com points to ec2-x-x-x-x……
Now when a box in the web security group goes to access the SQL security group, dbserver.yourname.com resolves (via the CNAME) to the AWS public DNS name, and from inside EC2 that name resolves to the instance’s private IP address. The traffic therefore stays inside the AWS network and matches the security group rule, rather than going out through the public elastic IP.
Here are some sample outputs from nslookup confirming the solution works as expected:
This was an nslookup response for dbserver.yourname.com from my box outside of EC2:
Name: ec2-x-x-x-x.compute-1.amazonaws.com
Address: x.x.x.x -> (public IP)
Aliases: dbserver.yourname.com
This was an nslookup response from a web app box inside EC2 for dbserver.yourname.com:
Name: ec2-x-x-x-x.compute-1.amazonaws.com
Address: 10.x.x.x
Aliases: dbserver.yourname.com
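To make the two nslookup checks above repeatable, here is an added Python script (my own example, not part of the original post or any AWS tooling) that parses nslookup output like the responses shown and flags a name that resolves to a public address from inside EC2, which is what the first A-record attempt looked like. The ec2-54-0-0-1 name and the 54.0.0.1 / 10.0.1.25 addresses are made up stand-ins for the x’s.

```python
import ipaddress
import re
import socket

# Constructed sample nslookup responses, modelled on the two shown in the post
# (the x's replaced with made-up addresses; none of these are real hosts).
OUTSIDE_EC2 = """Name:    ec2-54-0-0-1.compute-1.amazonaws.com
Address:  54.0.0.1
Aliases:  dbserver.yourname.com
"""
INSIDE_EC2 = """Name:    ec2-54-0-0-1.compute-1.amazonaws.com
Address:  10.0.1.25
Aliases:  dbserver.yourname.com
"""
# What the first attempt (an A record straight to the elastic IP) looks like
# from inside EC2: no alias, and a public address AWS will not rewrite.
A_RECORD_INSIDE = """Name:    dbserver.yourname.com
Address:  54.0.0.1
"""

def parse_nslookup(text):
    """Extract (canonical name, [addresses], [aliases]) from nslookup output."""
    fields = {"Name": [], "Address": [], "Aliases": []}
    for line in text.splitlines():
        m = re.match(r"^(Name|Address(?:es)?|Aliases):\s*(.+?)\s*$", line)
        if m:
            key = "Address" if m.group(1).startswith("Address") else m.group(1)
            fields[key].extend(m.group(2).split())
    name = fields["Name"][0] if fields["Name"] else None
    return name, fields["Address"], fields["Aliases"]

def check_db_resolution(text, alias, inside_aws):
    """Return a list of problems; an empty list means the CNAME setup behaves as intended."""
    name, addrs, aliases = parse_nslookup(text)
    problems = []
    if alias not in aliases:
        problems.append(f"{alias} is not answered as a CNAME")
    if not (name or "").endswith(".amazonaws.com"):
        problems.append("target is not the EC2 public DNS name, so AWS will not hand back the private IP")
    for a in addrs:
        private = ipaddress.ip_address(a).is_private
        if inside_aws and not private:
            problems.append(f"{a} is public: traffic would leave the internal path the security group rule covers")
        if not inside_aws and private:
            problems.append(f"{a} is private: not reachable from outside EC2")
    return problems

def resolve_live(hostname):
    """Same tuple shape as parse_nslookup, but from a real lookup on this host."""
    name, aliases, addrs = socket.gethostbyname_ex(hostname)
    return name, addrs, aliases
```

Run check_db_resolution(resolve_live(...)) style checks from a web box and from outside EC2 to confirm both views before trusting the security group rule.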