Discussion Forums
Thread: One EC2 instance cannot access another
Replies: 12 - Pages: 1 - Last Post: Nov 5, 2007 11:14 AM by: Quinton@AWS

Posts: 159
Registered: 8/24/06

One EC2 instance cannot access another
Posted: Nov 1, 2007 8:01 PM PDT
I am having a strange problem where one of my servers cannot connect to another in a different account via http. I can surf to it from outside no problem. Also, I can wget a different server in a third EC2 account no problem, but not this particular one.
Please help! Thanks.

Posts: 278
Registered: 6/22/06

Re: One EC2 instance cannot access another
Posted: Nov 1, 2007 9:05 PM PDT
in response to: T. Reeder
Hi,
If instances are launched using different accounts, they will be launched in different default groups and hence will not be able to talk to each other unless the groups are specifically configured to allow this.
Regards,
Ben

Posts: 159
Registered: 8/24/06

Re: One EC2 instance cannot access another
Posted: Nov 1, 2007 10:16 PM PDT
in response to: Ben@AWS
Even if the port is open to the public? i.e. port 80

Posts: 281
Registered: 7/13/06

Re: One EC2 instance cannot access another
Posted: Nov 1, 2007 11:38 PM PDT
in response to: T. Reeder
Hi,
Please provide the standard set of info we require for network trouble diagnosis, and we can take a look into this:
 * Instance-ID(s) involved
 * Is the connection being made from within or outside EC2?
 * Source IP address from which the connection was attempted
 * Was the DNS name or the IP address used to connect?
 * Which destination port/service failed?
 * Provide timestamp and timezone of the failure(s)
 * Provide traceroute from source->destination and destination->source
Thanks
Quinton

Posts: 633
Registered: 3/24/06

Re: One EC2 instance cannot access another
Posted: Nov 1, 2007 11:53 PM PDT
in response to: T. Reeder
You're not by any chance trying to access the external IP address from another EC2 instance?
Thorsten - www.rightscale.com

Posts: 159
Registered: 8/24/06

Re: One EC2 instance cannot access another
Posted: Nov 1, 2007 11:57 PM PDT
in response to: Thorsten von Ei...
Thorsten, yes, I am using the external DNS name.

Posts: 281
Registered: 7/13/06

Re: One EC2 instance cannot access another
Posted: Nov 2, 2007 7:26 AM PDT
in response to: T. Reeder
Hi Travis,
To repeat what I communicated to you via private message for the benefit of others: you are trying to connect from a direct-addressed instance to the public IP of a NAT-addressed instance, which is an unsupported operation (as detailed in the release notes). You can connect to the private address of the NAT-addressed instance, though.
If you resolve the DNS name (either public or private) of the NAT-addressed instance from within EC2 (against the EC2 DNS servers we supply via DHCP), you will get the private address, to which you can connect, e.g.:
-bash-3.1# host domU-12-31-35-00-35-F4.z-2.compute-1.internal
domU-12-31-35-00-35-F4.z-2.compute-1.internal has address 10.255.58.6
-bash-3.1# host ec2-72-44-45-214.z-2.compute-1.amazonaws.com
ec2-72-44-45-214.z-2.compute-1.amazonaws.com has address 10.255.58.6
-bash-3.1# ssh 10.255.58.6
root@10.255.58.6's password:
[ssh succeeds]
But if you resolve the external address against a different DNS server (outside of EC2), you will receive the public address, to which you will not be able to connect from a direct-addressed EC2 instance, e.g.:
-bash-3.1# host ec2-72-44-45-214.z-2.compute-1.amazonaws.com 204.74.115.1
Using domain server:
Name: 204.74.115.1
Address: 204.74.115.1#53
Aliases:
ec2-72-44-45-214.z-2.compute-1.amazonaws.com has address 72.44.45.214
-bash-3.1# ssh 72.44.45.214
[ ssh timeout ]
We strongly recommend that all users migrate from direct to NAT addressed instances, as the former are deprecated.
Regards
Quinton

Posts: 159
Registered: 8/24/06

Re: One EC2 instance cannot access another
Posted: Nov 2, 2007 10:39 AM PDT
in response to: Quinton@AWS
OK, thanks. I just found it strange that it works when connecting to a third server on a different account from within EC2.
In any case, how would you recommend doing this if you can only rely on the public DNS name of the server(s) you plan to connect to? For instance, let's say I need to connect to www.somesite.com without having any further knowledge of that instance. How would you get the internal IP from that?
I'm using Java, so anything Java-specific would be a bonus.

Posts: 633
Registered: 3/24/06

Re: One EC2 instance cannot access another
Posted: Nov 2, 2007 11:09 PM PDT
in response to: T. Reeder
Good question. I don't think there's a good answer. When we connect to servers internally, we assign the private address to the DNS entry. So, for example, db-master.mysite.com would be a 10.x.x.x address such that the app servers can connect to it. For convenience we often allocate a db-master-ext.mysite.com DNS entry with the external address so we can SSH in without having to look up the EC2 hostname. Another trick you could play is to use a CNAME to the EC2 hostname in your DNS entry. This way you will get the correct external or internal resolution depending on from where you resolve it. But if these two work-arounds are not an option, well... I can't think of any trick.
Thorsten - www.rightscale.com

Posts: 281
Registered: 7/13/06

Re: One EC2 instance cannot access another
Posted: Nov 3, 2007 4:48 AM PDT
in response to: T. Reeder
Yes, Thorsten's right. We recommend the use of DNS CNAME records to achieve what you're after.

Posts: 159
Registered: 8/24/06

Re: One EC2 instance cannot access another
Posted: Nov 3, 2007 12:30 PM PDT
in response to: Thorsten von Ei...
Thanks for the response, Thorsten.
It would be nice to have an internal service provided by Amazon to translate from external IP to internal IP. For example, if I have external IP 1.2.3.4, I could call:
http://ec2.amazonaws.com/translate/1.2.3.4
and get a response with the internal IP: 5.6.7.8
Or better yet, take a domain name, www.somesite.com, and translate it to the internal IP. A sort of mini-DNS service.

Posts: 159
Registered: 8/24/06

Re: One EC2 instance cannot access another
Posted: Nov 5, 2007 10:42 AM PST
in response to: Quinton@AWS
Quinton, is there an internal service that can do the public to private translation?

Posts: 281
Registered: 7/13/06

Re: One EC2 instance cannot access another
Posted: Nov 5, 2007 11:14 AM PST
in response to: T. Reeder
Hi T
A reverse DNS lookup of a public IP address will yield the public DNS name, thus:
# host 72.44.34.39
39.34.44.72.in-addr.arpa domain name pointer ec2-72-44-34-39.z-2.compute-1.amazonaws.com.
... and a forward lookup of the public IP address, from within EC2, will yield the private address you're after, thus:
# host ec2-72-44-34-39.z-2.compute-1.amazonaws.com
ec2-72-44-34-39.z-2.compute-1.amazonaws.com has address 10.255.6.49
... or in a single, cunning step:
# host `host 72.44.34.39 | awk '{print $5}'`
ec2-72-44-34-39.z-2.compute-1.amazonaws.com has address 10.255.6.49
Who needs internal services when you have 1982 vintage open standards?
Regards
Quinton
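
The DNS advice in this thread (Quinton's split-horizon explanation of why the same EC2 hostname resolves to a 10/8 address inside EC2 and to the public address outside, his PTR-then-A trick above, and Thorsten's CNAME suggestion) pulled together as an added offline model. This is example code written for this page, not code from AWS or from any poster: the Resolver class and its record table are constructed stand-ins for the in-EC2 and external resolvers, reusing the 72.44.34.39 / 10.255.6.49 pair quoted by Quinton; the names under example-customer.test are made up. Python is used rather than the shell `host` pipeline so the two resolver views can be compared without network access; the same two steps (reverse lookup, then forward lookup against the EC2-supplied resolver) apply in Java or any other language.

```python
"""Split-horizon resolution of EC2 public hostnames, modelled offline.

Constructed example for this thread (not AWS code). The zone data below is
made up; only the name/address shapes follow the thread. A Resolver holds a
static record table and answers A, PTR and CNAME queries from it, so the
"inside EC2" and "outside EC2" views can be compared side by side.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


class ResolutionError(LookupError):
    """Raised when a name or address has no usable record."""


@dataclass
class Resolver:
    """Toy resolver over a static table: records maps (name, rrtype) -> rdata.

    Names are stored lowercase without the trailing dot; CNAME chains are
    followed up to max_chain hops, as a real recursive resolver would.
    """
    records: dict[tuple[str, str], str] = field(default_factory=dict)
    max_chain: int = 8

    @staticmethod
    def _norm(name: str) -> str:
        return name.strip().rstrip(".").lower()

    def resolve_a(self, name: str) -> str:
        """Return the IPv4 address for name, following CNAMEs."""
        name = self._norm(name)
        for _ in range(self.max_chain):
            if (name, "A") in self.records:
                return self.records[(name, "A")]
            if (name, "CNAME") in self.records:
                name = self._norm(self.records[(name, "CNAME")])
                continue
            raise ResolutionError(f"no A or CNAME record for {name}")
        raise ResolutionError("CNAME chain too long")

    def resolve_ptr(self, address: str) -> str:
        """Return the PTR target for an IPv4 address (x.x.x.x -> d.c.b.a.in-addr.arpa)."""
        rname = ipaddress.IPv4Address(address).reverse_pointer
        try:
            return self._norm(self.records[(rname, "PTR")])
        except KeyError:
            raise ResolutionError(f"no PTR record for {address}") from None


def public_ip_to_private(public_ip: str, inside: Resolver) -> str:
    """Quinton's two-step trick: PTR on the public IP, then an A lookup of the
    resulting ec2-*.amazonaws.com name against the in-EC2 resolver, which hands
    back the private 10/8 address. Refuses a non-private answer, which is what
    you get when the forward lookup is accidentally sent to an outside resolver."""
    hostname = inside.resolve_ptr(public_ip)
    private = inside.resolve_a(hostname)
    if not ipaddress.IPv4Address(private).is_private:
        raise ResolutionError(f"{hostname} resolved to public address {private}; "
                              "forward lookup was not split-horizon")
    return private


# Constructed records. The EC2 public hostname has two views; the customer
# zone uses Thorsten's CNAME trick so www inherits both views, while the
# hard-coded "-ext" A record answers the same from everywhere.
EC2_HOST = "ec2-72-44-34-39.z-2.compute-1.amazonaws.com"
COMMON = {
    ("39.34.44.72.in-addr.arpa", "PTR"): EC2_HOST,
    ("www.example-customer.test", "CNAME"): EC2_HOST,
    ("db-master-ext.example-customer.test", "A"): "72.44.34.39",
}
INSIDE_EC2 = Resolver({**COMMON, (EC2_HOST, "A"): "10.255.6.49"})
OUTSIDE_EC2 = Resolver({**COMMON, (EC2_HOST, "A"): "72.44.34.39"})


def compare_views(name: str) -> tuple[str, str]:
    """Resolve name from inside and from outside EC2; return (inside, outside)."""
    return INSIDE_EC2.resolve_a(name), OUTSIDE_EC2.resolve_a(name)


if __name__ == "__main__":
    print(compare_views(EC2_HOST))                               # differs per view
    print(compare_views("www.example-customer.test"))            # CNAME inherits both
    print(compare_views("db-master-ext.example-customer.test"))  # public everywhere
    print(public_ip_to_private("72.44.34.39", INSIDE_EC2))       # private address
```

The model makes the thread's failure mode concrete: a customer name with a hard-coded public A record (the `-ext` style entry) resolves to the public address even from inside EC2, which is exactly the unreachable case Quinton describes for direct-addressed instances, whereas the CNAME to the EC2 hostname follows whichever view the querying resolver sees. `public_ip_to_private` also fails closed if the forward lookup did not come back as a private address, the sign that the query went to an outside resolver rather than the one supplied via DHCP.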