Reputation: 18790
The EC2 instance I have launched has two addresses: 1 private address and 1 public address.
I have a single-node Redshift cluster running, and want to specify it so that it can be accessed from EC2.
So I put the public address of EC2 into the security group,
like
Customized TCP/IP port 5439 Source: private-ip-address
It doesn't work. If I use the private address, it works.
Why is that? I want to use the public IP address, namely the Elastic IP address, so that it can stay unchanged if my instance is stopped.
Upvotes: 0
Views: 850
Reputation: 34427
Inside your VPC the addresses are in the "private" range. They are RFC-1918 (see https://www.rfc-editor.org/rfc/rfc1918) private address range IP numbers.
In order to access "public" addresses such as the public address on your server you need to do one of these things for the client within the VPC that is sending the request to the Redshift cluster
All these things are well described in the AWS documentation so I won't explain them here. Once they are set up with appropriate routing they will allow the client end to talk to the server. You will also need correct Security Group rules on the server's configuration.
Upvotes: 0
Reputation: 109
Assuming that you are using VPC (not EC2-Classic), the private IP will remain the same even if you stop and start again.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html
For instances launched in a VPC, a private IP address remains associated with the network interface when the instance is stopped and restarted, and is released when the instance is terminated.
It's hard to say why the EIP mapping isn't working without checking your Redshift subnet configuration. You may not have correct routing, or you're hitting Redshift by private IP, so it won't use the external interface/EIP to reach Redshift, but rather its internal IP, and is being refused connection because the SG only has the EIP allowed.
Upvotes: 0
Reputation: 201088
It works that way because all the traffic is staying in the VPC instead of going out to the internet and back. That's how you want it to happen, for both security and performance purposes. All traffic internal to the VPC will use the private IP address.
You can think of it like this:
Private IP Address = IP Address Inside the VPC
Public IP Address = IP Address Outside the VPC
Upvotes: 2
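A simplified model of the behaviour the answers describe, as an added example that is not part of any post: a security group rule is matched against the source address the cluster actually sees, which is the private IP when traffic stays inside the VPC. All addresses, the `IngressRule` class and the helper functions are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (not taken from the question).
INSTANCE_PRIVATE_IP = "10.0.1.25"    # EC2 instance address inside the VPC
INSTANCE_ELASTIC_IP = "203.0.113.10" # documentation-range stand-in for the EIP
CLUSTER_PRIVATE_IP = "10.0.2.40"     # Redshift node address inside the VPC
CLUSTER_PUBLIC_IP = "198.51.100.7"   # stand-in for a publicly accessible endpoint
REDSHIFT_PORT = 5439

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip is in one of the RFC 1918 private ranges."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


@dataclass(frozen=True)
class IngressRule:
    protocol: str
    from_port: int
    to_port: int
    cidr: str

    def allows(self, protocol: str, port: int, source_ip: str) -> bool:
        return (protocol == self.protocol
                and self.from_port <= port <= self.to_port
                and ipaddress.ip_address(source_ip) in ipaddress.ip_network(self.cidr))


def source_seen_by_cluster(cluster_ip: str) -> str:
    """Assumed model: a connection to the cluster's private address stays in
    the VPC and arrives from the instance's private IP; a connection to a
    public address leaves through the internet gateway and arrives from the EIP."""
    return INSTANCE_PRIVATE_IP if is_rfc1918(cluster_ip) else INSTANCE_ELASTIC_IP


def connection_allowed(rules, cluster_ip: str, port: int = REDSHIFT_PORT) -> bool:
    src = source_seen_by_cluster(cluster_ip)
    return any(r.allows("tcp", port, src) for r in rules)


eip_only = [IngressRule("tcp", 5439, 5439, INSTANCE_ELASTIC_IP + "/32")]
private_only = [IngressRule("tcp", 5439, 5439, INSTANCE_PRIVATE_IP + "/32")]

if __name__ == "__main__":
    for name, rules in (("EIP rule", eip_only), ("private-IP rule", private_only)):
        print(name, "-> in-VPC connection allowed:",
              connection_allowed(rules, CLUSTER_PRIVATE_IP))
```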