You have covered the main ways to get a VPC instance in a private subnet to talk to the outside world.
- Have the Internet traffic for the private subnet be routed out of a VPN tunnel connected to your office, which can then provide access to the rest of the internet. Not ideal since it requires an always-on VPN tunnel and an extra hop through your office.
I would suggest using NAT instances; this is the recommended setup for getting Internet access to machines inside private subnets. They are configured per subnet, so your machines do not need to have any knowledge of their configuration when being launched. Just be sure to use an m1.large or larger instance to get the higher network throughput (vs. m1.small).
If you are deploying a WAR on Elastic Beanstalk you can install the metrics by creating a configuration file in the .ebextensions folder under WEB-INF. See the following link for more information on configuring an instance this way: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html
To install disk / memory metrics you need to install the "Amazon CloudWatch Monitoring Scripts for Linux" - see http://aws.amazon.com/code/8720044071969977
```yaml
files:
  "/opt/aws/cwms/CloudWatchMonitoringScripts.zip":
    mode: "000777"
    owner: ec2-user
    group: ec2-user
    source: http://ec2-downloads.s3.amazonaws.com/cloudwatch-samples/CloudWatchMonitoringScripts-v1.1.0.zip
container_commands:
  01_unzip_cloud_watch_zip:
    command: unzip -d /opt/aws/cwms /opt/aws/cwms/CloudWatchMonitoringScripts.zip
    ignoreErrors: true
  02_update_password_file:
    command: sed -i 's/Key=$/Key=<VALUE OF YOUR SECRET KEY>/;s/KeyId=$/KeyId=<VALUE OF YOUR ACCESS ID>/' /opt/aws/cwms/awscreds.conf
  03_update_crontab:
    command: echo "*/1 * * * * /opt/aws/cwms/mon-put-instance-data.pl --mem-util --disk-path=/ --disk-space-util --from-cron" | crontab - -u ec2-user
```
Basically what this script does is download the Linux-based CloudWatchMonitoringScripts.zip into a folder such as /opt/aws/cwms (this can be anywhere). The commands then unzip the file, update the access / secret key (using the "sed" command) and finally create the crontab entry.
Be careful of the crontab section, as it could potentially wipe your existing crontab entries.
UPDATE (FEB 2016)
Here's an updated script which is working for me quite nicely as of Feb 2016 (see http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-cw.html).
```yaml
sources:
  /opt/cloudwatch: http://ec2-downloads.s3.amazonaws.com/cloudwatch-samples/CloudWatchMonitoringScripts-v1.1.0.zip
commands:
  00-installpackages:
    command: yum install -y perl-Switch perl-Sys-Syslog perl-LWP-Protocol-https
container_commands:
  01-setupcron:
    command: |
      echo '* * * * * root perl /opt/cloudwatch/aws-scripts-mon/mon-put-instance-data.pl `{"Fn::GetOptionSetting" : { "OptionName" : "CloudWatchMetrics", "DefaultValue" : "--mem-used --memory-units=megabytes --mem-util --disk-space-util --disk-space-used --disk-space-avail --disk-path=/" }}` >> /var/log/cwpump.log 2>&1' > /etc/cron.d/cwpump
  02-changeperm:
    command: chmod 644 /etc/cron.d/cwpump
  03-changeperm:
    command: chmod u+x /opt/cloudwatch/aws-scripts-mon/mon-put-instance-data.pl
option_settings:
  "aws:autoscaling:launchconfiguration" :
    IamInstanceProfile : "MonitorRole"
  "aws:elasticbeanstalk:customoption" :
    CloudWatchMetrics : "--mem-used --memory-units=megabytes --mem-util --disk-space-util --disk-space-used --disk-space-avail --disk-path=/"
```
NOTE: You must have an IAM role called MonitorRole in place. Its role policy should be as follows (also see http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-cw.html):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:PutMetricData",
        "ec2:DescribeTags"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
```
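As an added example (not part of the answer above), a small Python linter that checks an .ebextensions file for the three pitfalls visible in the first config: static AWS keys written into awscreds.conf, a pipe into `crontab -` that replaces the user's existing crontab, and a world-writable file mode. The sample configs are constructed and abridged from the two versions above; the 2016 version, which relies on the instance profile and /etc/cron.d, should come back clean.

```python
import re
# Constructed samples, abridged from the two .ebextensions configs in the answer above.
LEGACY_CONFIG = """\
files:
  "/opt/aws/cwms/CloudWatchMonitoringScripts.zip":
    mode: "000777"
container_commands:
  02_update_password_file:
    command: sed -i 's/Key=$/Key=<SECRET KEY>/;s/KeyId=$/KeyId=<ACCESS ID>/' /opt/aws/cwms/awscreds.conf
  03_update_crontab:
    command: echo "*/1 * * * * /opt/aws/cwms/mon-put-instance-data.pl --mem-util --from-cron" | crontab - -u ec2-user
"""
UPDATED_CONFIG = """\
container_commands:
  01-setupcron:
    command: |
      echo '* * * * * root perl /opt/cloudwatch/aws-scripts-mon/mon-put-instance-data.pl --mem-util' > /etc/cron.d/cwpump
  02-changeperm:
    command: chmod 644 /etc/cron.d/cwpump
"""

def extract_commands(text):
    """Return the value of every `command:` key, joining `|`/`>` block scalars into one string."""
    lines, cmds, i = text.splitlines(), [], 0
    while i < len(lines):
        m = re.match(r"^(\s*)command:\s*(.*?)\s*$", lines[i])
        if m and m.group(2) in ("|", ">"):  # block scalar: gather the deeper-indented lines
            block, indent, i = [], len(m.group(1)), i + 1
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
                block.append(lines[i].strip())
                i += 1
            cmds.append(" ".join(b for b in block if b))
            continue
        if m:
            cmds.append(m.group(2))
        i += 1
    return cmds

def lint_ebextensions(text):
    """Flag the three risky patterns in the original config: creds on disk, crontab overwrite, 777 mode."""
    findings = []
    for cmd in extract_commands(text):
        if re.search(r"awscreds\.conf|AWSSecretKey=", cmd):
            findings.append("static AWS credentials written to disk (use an instance profile): " + cmd[:40])
        if re.search(r"\|\s*crontab\b", cmd) and not re.search(r"crontab\s+-l\b", cmd):
            findings.append("piping into `crontab -` replaces the user's whole crontab: " + cmd[:40])
    for m in re.finditer(r'mode:\s*"?0*(\d{3,4})"?', text):
        if int(m.group(1)[-1]) & 2:  # "other" write bit set
            findings.append("world-writable file mode " + m.group(1))
    return findings
```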
Best Answer
You can use Elastic Beanstalk along with a VPC for your scenario.
All incoming traffic will hit your ELB and funnel to your EC2 instances. When your EC2 instances access the web service API, traffic will go through the NAT, thus appearing to originate from the static IP address.