skrewler

Reputation: 526

Amazon EC2 autoscaling instances with elastic IPs

Is there any way to make new instances added to an autoscaling group associate with an elastic IP? I have a use case where the instances in my autoscale group need to be whitelisted on remote servers, so they need to have predictable IPs.

I realize there are ways to do this programmatically using the API, but I'm wondering if there's any other way. It seems like CloudFormation may be able to do this.

Upvotes: 8

Views: 5056

Answers (2)

eco

Reputation: 1404

There are 3 approaches I could find to doing this. CloudFormation will just automate it, but you need to understand what's going on first.

1. As @gabrtv mentioned, use VPC. This lends itself to two options.

1.1. Within a VPC, use a NAT Gateway to route all traffic in and out of the Gateway. The Gateway will have an Elastic IP and internet traffic; then whitelist the NAT Gateway on your server side. Look for NAT gateway in the AWS documentation.

1.2. Create a Virtual Private Gateway/VPN connection to your backend servers in your datacenter and route traffic through that.

1.2.a. Create your instances within a DEDICATED private subnet.

1.2.b. Whitelist the entire subnet on your side; any request from that subnet will be allowed in.

1.2.c. Make sure your routes in the subnet are correct.

(I'm skipping 2 on purpose since that is 1.2)

3. The LAZY way: utilize AWS OpsWorks to do two things:

1st: Allocate a RESOURCE pool of Elastic IPs.

2nd: Start LOAD instances on demand and AUTO assign them one Elastic IP from the pool.

For the second part you will need to have the 24/7 instances be your minimum and the Load instances be your MAX. AWS OpsWorks now allows CloudWatch alarms to trigger instance startup, so it is very similar to ASG. The only disadvantages of OpsWorks are that instances aren't terminated but stopped instead when the load goes down, and that you must "create" instances beforehand. Also, you depend on Chef Solo to initiate your instances, but it is the only way to get auto-assigning EIPs for your newly created instances that I could find.

Cheers!

Upvotes: 0

gabrtv

Reputation: 3588

You can associate an Elastic IP to ASG instances using manual or scripted API calls just as you would any other instance -- however, there is no automated way to do this. ASG instances are designed to be ephemeral/disposable, and Elastic IP association goes against this philosophy.

To solve your problem re: whitelisting, you have a few options:

  1. If the system that requires predictable source IPs is on EC2 and under your control, you can disable IP restrictions and use EC2 security groups to secure traffic instead
  2. If the system is not under your control, you can set up a proxy server with an Elastic IP and have your ASG instances use the proxy for outbound traffic
  3. You can use http://aws.amazon.com/vpc/ to gain complete control over instance addressing, including network egress IPs -- though this can be time consuming

Upvotes: 4
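The scripted association mentioned in the answer above, as an added example that is not code from either answer: an instance claims a free address from a pre-allocated pool at boot, and tolerates two instances racing for the same address. The `Pool` tag, the pool name, the sample addresses and the `FakeEC2` stand-in are constructed for illustration; the method names and parameters match the boto3 EC2 client.

```python
POOL_TAG = "Pool"  # hypothetical tag key marking the allowlisted addresses


def claim_free_eip(ec2, instance_id, pool="egress-allowlist"):
    """Associate one unassociated pool address; return its IP, or None if exhausted."""
    resp = ec2.describe_addresses(Filters=[{"Name": f"tag:{POOL_TAG}", "Values": [pool]}])
    for addr in resp["Addresses"]:
        if "AssociationId" in addr:
            continue  # already bound to another instance
        try:
            # AllowReassociation=False makes the call fail instead of silently
            # taking the address from an instance that claimed it a moment ago.
            ec2.associate_address(AllocationId=addr["AllocationId"],
                                  InstanceId=instance_id,
                                  AllowReassociation=False)
            return addr["PublicIp"]
        except Exception as exc:  # botocore ClientError carries a .response dict
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code != "Resource.AlreadyAssociated":
                raise  # permission or throttling errors must not be swallowed
    return None


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client so the logic runs offline."""

    def __init__(self, addresses, raced=()):
        self.addresses, self.raced = addresses, set(raced)

    def describe_addresses(self, Filters):
        return {"Addresses": [dict(a) for a in self.addresses]}

    def associate_address(self, AllocationId, InstanceId, AllowReassociation):
        if AllocationId in self.raced:  # another instance won the race
            err = Exception("already associated")
            err.response = {"Error": {"Code": "Resource.AlreadyAssociated"}}
            raise err
        for a in self.addresses:
            if a["AllocationId"] == AllocationId:
                a["AssociationId"] = "eipassoc-constructed"


if __name__ == "__main__":
    pool = [{"AllocationId": "eipalloc-a", "PublicIp": "198.51.100.10", "AssociationId": "eipassoc-x"},
            {"AllocationId": "eipalloc-b", "PublicIp": "198.51.100.11"},
            {"AllocationId": "eipalloc-c", "PublicIp": "198.51.100.12"}]
    print(claim_free_eip(FakeEC2(pool, raced={"eipalloc-b"}), "i-constructed"))
```

On a real instance, pass `boto3.client("ec2")` and the instance's own ID; the instance role then needs only `ec2:DescribeAddresses` and `ec2:AssociateAddress`.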
