[Bug 824947] Re: EC2 apt repository DNS resolution on VPC instances
Clint Byrum
clint at fewbar.com
Sun Aug 14 20:27:02 UTC 2011
Excerpts from Eric Hammond's message of Fri Aug 12 23:42:37 UTC 2011:
> Amazon recommends fixing this through DNS instead of through software on
> the instance.
>
> Instead of resolving eu-west-1.ec2.archive.ubuntu.com directly to an A
> record of the internal IP address starting with "10.", Canonical should
> change it to resolve to a CNAME of the external elastic IP address
> hostname (e.g., ec2-NNN-NNN-NNN-NNN.compute-1.amazonaws.com)
>
> This will resolve to the internal "10." IP address for normal EC2
> instances saving performance and cost, and will resolve to the external
> elastic IP address for VPC EC2 instances.
OH! I didn't realize that this was the case.
I'll open a case with our ops team to look into this, thanks for the
extra info!
>
> Making this change not only clears up the issue with VPC, but any other
> future situation where an EC2 instance cannot access "10." IP addresses
> and EC2 DNS points it to the external IP address of the apt repository.
>
> This approach also makes it easier for Canonical when the apt repository
> instance gets a new internal IP address (e.g., stop/start, failure).
> Canonical would simply reassociate the elastic IP address with the
> new/restarted instance and all DNS would resolve to the correct new IP
> address without Canonical making any changes to their DNS servers.
>
> If Canonical is concerned about the EC2 apt repositories being accessed
> from outside of EC2 (I wouldn't be, but it's your choice), Amazon
> recommends the following:
>
> "To protect the rep from being accessed outside of AWS, lockdown the
> security group rules to allow only traffic from the public AWS IP ranges
> (https://forums.aws.amazon.com/ann.jspa?annID=1097) and to the 10.
> network."
>
> Here is a github repository that keeps up to date lists of the EC2 IP
> address ranges in a format that is easy to parse:
>
> https://github.com/garnaat/missingcloud
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/824947
>
> Title:
> EC2 apt repository DNS resolution on VPC instances
>
> Status in “cloud-init” package in Ubuntu:
> Confirmed
>
> Bug description:
> DNS names like eu-west-1.ec2.archive.ubuntu.com (apt repository for
> eu-west-1 on EC2) are currently resolving to private IP addresses
> (e.g., "10.").
>
> An EC2 instance running in VPC cannot access these repositories.
>
> More details and possible fixes at:
>
> https://forums.aws.amazon.com/thread.jspa?threadID=73379
>
> ProblemType: Bug
> DistroRelease: Ubuntu 11.04
> Package: cloud-init 0.6.1-0ubuntu8
> ProcVersionSignature: User Name 2.6.38-8.42-virtual 2.6.38.2
> Uname: Linux 2.6.38-8-virtual i686
> Architecture: i386
> Date: Fri Aug 12 03:19:39 2011
> Ec2AMI: ami-06ad526f
> Ec2AMIManifest: (unknown)
> Ec2AvailabilityZone: us-east-1a
> Ec2InstanceType: m1.small
> Ec2Kernel: aki-407d9529
> Ec2Ramdisk: unavailable
> PackageArchitecture: all
> ProcEnviron:
> LANG=en_US.UTF-8
> SHELL=/bin/bash
> SourcePackage: cloud-init
> UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/824947/+subscriptions
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cloud-init in Ubuntu.
https://bugs.launchpad.net/bugs/824947
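The two fixes discussed in this thread (pointing the regional mirror name at an EC2 public hostname so it resolves to the 10/8 address inside EC2 and to the elastic IP from VPC, and locking the mirror's security group down to the AWS public ranges plus the 10/8 network) can be checked from an instance with a short script. The following is an added example, not code from the bug report, from Canonical or from Amazon; the CIDR ranges, hostnames and addresses in it are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation space, not AWS ranges), and the rule that a 10/8 address is unreachable from VPC is taken from the bug description rather than measured.

```python
"""Diagnose EC2 apt-mirror reachability and model the fixes from the thread.

Added example. Sample hostnames, addresses and CIDR lists are constructed;
replace AWS_PUBLIC_RANGES with a current list of EC2 public ranges.
"""
import ipaddress
import re
import socket

# EC2-internal address space; the mirrors currently resolve to addresses here.
EC2_INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# EC2 public DNS names encode the public IPv4 address, e.g.
# ec2-203-0-113-10.compute-1.amazonaws.com (us-east-1) or
# ec2-203-0-113-10.eu-west-1.compute.amazonaws.com (other regions).
_EC2_PUBLIC_NAME = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})"
    r"\.[a-z0-9.-]*compute[a-z0-9.-]*\.amazonaws\.com\.?$"
)


def ec2_public_ip_from_hostname(name):
    """Return the public IP encoded in an EC2 public hostname, else None.

    Useful for checking that a CNAME target of the kind proposed in the thread
    really corresponds to the elastic IP you expect."""
    match = _EC2_PUBLIC_NAME.match(name.strip().lower())
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(".".join(match.groups())))
    except ValueError:  # e.g. an octet above 255
        return None


def mirror_reachable(resolved, in_vpc):
    """Can apt reach at least one of the resolved addresses from this instance?

    Assumption (from the bug): 10/8 addresses are reachable from classic EC2
    but not from VPC; public addresses are reachable from both, given that
    the instance has Internet egress."""
    for ip in map(ipaddress.ip_address, resolved):
        if ip not in EC2_INTERNAL:
            return True
        if not in_vpc:
            return True
    return False


def diagnose(hostname, resolved, in_vpc):
    """Summarise a resolution result for the regional mirror name."""
    reachable = mirror_reachable(resolved, in_vpc)
    internal_only = all(ipaddress.ip_address(a) in EC2_INTERNAL for a in resolved)
    advice = None
    if not reachable and internal_only:
        advice = ("%s resolves only to 10/8 addresses; from VPC it should be a "
                  "CNAME to the mirror's ec2-...amazonaws.com public hostname"
                  % hostname)
    return {"hostname": hostname, "resolved": list(resolved),
            "in_vpc": in_vpc, "reachable": reachable, "advice": advice}


def allowed_sources(aws_public_ranges):
    """Security-group model from Amazon's recommendation: AWS public ranges
    plus the 10/8 network, nothing else."""
    nets = [ipaddress.ip_network(cidr) for cidr in aws_public_ranges]
    nets.append(EC2_INTERNAL)
    return nets


def source_allowed(src_ip, nets):
    """Would a connection from src_ip pass the modelled security group?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in nets)


# Constructed sample: not the real AWS range list.
AWS_PUBLIC_RANGES = ["203.0.113.0/24"]

if __name__ == "__main__":
    name = "eu-west-1.ec2.archive.ubuntu.com"
    try:  # live lookup when run on an instance; constructed result offline
        _, _, addrs = socket.gethostbyname_ex(name)
    except socket.gaierror:
        addrs = ["10.1.2.3"]
    for in_vpc in (False, True):
        print(diagnose(name, addrs, in_vpc))
    sg = allowed_sources(AWS_PUBLIC_RANGES)
    for src in ("203.0.113.5", "10.9.8.7", "198.51.100.1"):
        print(src, "allowed" if source_allowed(src, sg) else "blocked")
```

Run it on a classic EC2 instance and on a VPC instance and compare the `reachable` field: with the mirror name resolving only to a 10/8 address, the VPC run should report it unreachable and print the CNAME advice. `ec2_public_ip_from_hostname` lets you confirm, from outside AWS, that the CNAME target Canonical would publish maps to the elastic IP actually attached to the mirror.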