https://pulumi.com logo
Powered by
Title
h

high-grass-3103

01/21/2022, 12:56 AM
I'm trying to create a bastion host:EC2 instance with two subnets - one public and one private. My public subnet is: 
export const infra_public = new awsn.ec2.Subnet('infra_public', {
    tags: nativeTags({ ...tags, Name: `infra_pub` }),
    cidrBlock: '10.0.0.16/28',
    vpcId,
    availabilityZone,
    mapPublicIpOnLaunch: true,
});
But when I launch an instance: 
const nic0 = new aws.ec2.NetworkInterface('nic0', {
    subnetId: infra_public.id,
    tags,
    securityGroups: [sg_ssh.id],
});

const nic1 = new aws.ec2.NetworkInterface('nic1', {
    subnetId: infra_private.id,
    tags,
    securityGroups: [sg_priv.id],
});


const bastion_node = new aws.ec2.Instance('bastion', {
    keyName,
    tags: { ...tags, Name: `${pulumi.getStack()}-bastion` },
    instanceType: aws.ec2.InstanceType.T4g_Nano,
    ami: ami.id,
    networkInterfaces: [
        {
            deviceIndex: 0,
            networkInterfaceId: nic0.id,
        }, {
            deviceIndex: 1,
            networkInterfaceId: nic1.id,
        }
    ],
    creditSpecification: { cpuCredits: 'standard' },
    monitoring: true,
    availabilityZone,
});
the AWS console reports NO public IPv4 address. Am I missing something?
l

little-cartoon-10569

01/21/2022, 1:12 AM
Yes. The property you're looking at is on the EC2 instance. It's not derived from ENIs or similar. Just set the 
associatePublicIpAddress
property and EC2 will look after it for you. https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#associatepublicipaddress_nodejs
Aside: are you sure you need two manually-configured ENIs like that? Normally, an EC2 instance doesn't need to specify any ENIs, and the one that EC2 creates automatically can be used for all traffic.
If I understand what you're trying to do, you should end up with simpler code if you leave out the ENI code, and add the appropriate routes in you public subnet to allow your instances talk to the private subnet.
Aside-aside: 
associatePublicIpAddress
will create a DHCP-style public IP address (that will change when you destroy/recreate the instance). If you want a fixed public IP address, you'll want to add an elastic IP on top of the instance.
h

high-grass-3103

01/21/2022, 1:30 AM
Thanks for your answer. The idea is that my other nodes have ssh port open only in that private subnet. the use case is that I connect to bastion over ssh and then, using the private subnet, I connect to other hosts I couldn't use 
associatePublicIpAddress
in this scenario, with two NICs attached. How do I route traffic between subnets?
OK, I've figured it out. I only need one subnet and the 
assignIpv6AddressOnCreation
is just a default for the option in Instance. Thank you for your help @little-cartoon-10569
👍 1
2 Views
#awsJoin Slack
Powered by