Multiple subnets on a single interface in EC2

amazon ec2routingsubnet

I'm currently working on setting up a QA environment on EC2 along side our production environment. All of the instances are within a VPC setup, with the following subnets:

10.0.83.0/24 - Production
10.0.81.0/24 - QA

I have a EC2 instance running as a gateway machine that is already has 2 NICs, which seems to be the limit (One NIC for the external IP, the other for internal). My initial plan was to just add another NIC in the 10.0.81.0/24 subnet, but that seems to be impossible.

So, my next plan was to add the new IP to the existing internal NIC, which results in this config:

eth1      Link encap:Ethernet  HWaddr 06:84:b1:68:6a:72
          inet addr:10.0.83.10  Bcast:10.0.83.255  Mask:255.255.255.0   

eth1:0    Link encap:Ethernet  HWaddr 06:84:b1:68:6a:72
          inet addr:10.0.81.10  Bcast:10.0.81.255  Mask:255.255.255.0

And then insuring the virtual NIC is in the correct security groups. The routing table appears correct:

10.0.83.0       *               255.255.255.0   U     203    0        0 eth1
10.0.81.0       *               255.255.255.0   U     0      0        0 eth1

I then set up shorewall for the new address, and restarted it:

/etc/shorewall/interfaces:
#ZONE   INTERFACE       BROADCAST       OPTIONS
....
-       eth1            10.0.83.255,10.0.81.255 logmartians
....

/etc/shorewall/hosts
#ZONE   HOST(S)                                 OPTIONS
loc     eth1:10.0.83.0/24
qa      eth1:10.0.81.0/24

/etc/shorewall/policy
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
qa      net     ACCEPT
$FW     qa      ACCEPT

The generated iptables rules appear sane, however, I do not have connectivity to the 10.0.81.0/24 subnet (either pinging or nmap)

Anyone have experience with a setup like this in EC2, that can hopefully point out something obvious I'm missing?

Best Answer

I dont think you can just alias an Elastic Network Interface (ENI) into another subnet. Have you tried adding another private IP to it through the AWS console (right click the instance and click manage network interfaces, or something like that)?

Also, different instances have limits on the number of interfaces they can have. Heres a table: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI

Related Solutions

Openvpn for client/server in same subnet

Your default route metric value is lower than the 10.22.0.0/16 route and it gets routed to the default route. In resolving routes, if more than one route matches destination, the lower metric value route takes precedence.

Either push a default route through VPN or lower metric for 10.22.0.0/16 (increase metric for default route).

It should look like this:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
      0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.23    1000
    10.22.0.0      255.255.0.0        10.22.8.1       10.22.8.10     30
    10.22.8.0    255.255.255.0         On-link        10.22.8.10    286
   10.22.8.10  255.255.255.255         On-link        10.22.8.10    286
  10.22.8.255  255.255.255.255         On-link        10.22.8.10    286

Centos 6.2 Fresh ‘Basic Server’ install networking issues

Your routes and configuration look fine.

$: route -n
Destination // Gateway // Genmask // Flags // Metric // Ref // Use // Iface
66.*.*.0       0.0.0.0    255.255.255.248   U   1003      0   0     0  em2
0.0.0.0        66.*.*.1   0.0.0.0           UG     0      0   0     0  em2

The first route, 66.*.*.0/29 with gateway 0.0.0.0 tells your computer to use interface em2 and then make an arp request to find the hardware address of the host you're trying to reach. This is a "connected" route.

The second one is the default route, pointing at your default gateway through em2. If you need to send a packet in another network than 66.*.*.0/29, your computer will make an arp request to find 66.*.*.1 and then send the packets to it.

The only thing in your configuration that could be an issue is the NM_CONTROLLED=yes statement in /etc/sysconfig/network-scripts/ifcfg-em2. This tells the system that this interface is controlled by NetworkManager. This could interfere with your static configuration.

However, even without any default gateway you should be able to ping and ssh from the 66.*.*.0/29 subnet to your machine.

Check layer 1 first, and ensure that the cable is plugged on each side. Use leds on nic and switch, and check if the system sees it correctly:

# mii-tool
eth0: negotiated 1000baseT-FD flow-control, link ok

Then verify if any iptables are dropping the packets. Use iptables -L or iptables-save to check for any rules, and iptables -D <rule> to delete them. Pay attention to the default policy.

Also, on some systems, NetworkManager can configure ufw automatically, and I've had issues with static interface configuration that wasn't seen by NM and hence blocked by ufw.

Best Answer

Related Solutions

Openvpn for client/server in same subnet

Centos 6.2 Fresh ‘Basic Server’ install networking issues

Related Topic