I'm currently working on setting up a QA environment on EC2 along side our production environment. All of the instances are within a VPC setup, with the following subnets:
10.0.83.0/24 - Production
10.0.81.0/24 - QA
I have a EC2 instance running as a gateway machine that is already has 2 NICs, which seems to be the limit (One NIC for the external IP, the other for internal). My initial plan was to just add another NIC in the 10.0.81.0/24
subnet, but that seems to be impossible.
So, my next plan was to add the new IP to the existing internal NIC, which results in this config:
eth1 Link encap:Ethernet HWaddr 06:84:b1:68:6a:72
inet addr:10.0.83.10 Bcast:10.0.83.255 Mask:255.255.255.0
eth1:0 Link encap:Ethernet HWaddr 06:84:b1:68:6a:72
inet addr:10.0.81.10 Bcast:10.0.81.255 Mask:255.255.255.0
And then insuring the virtual NIC is in the correct security groups. The routing table appears correct:
10.0.83.0 * 255.255.255.0 U 203 0 0 eth1
10.0.81.0 * 255.255.255.0 U 0 0 0 eth1
I then set up shorewall for the new address, and restarted it:
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
....
- eth1 10.0.83.255,10.0.81.255 logmartians
....
/etc/shorewall/hosts
#ZONE HOST(S) OPTIONS
loc eth1:10.0.83.0/24
qa eth1:10.0.81.0/24
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
qa net ACCEPT
$FW qa ACCEPT
The generated iptables rules appear sane, however, I do not have connectivity to the 10.0.81.0/24
subnet (either pinging or nmap)
Anyone have experience with a setup like this in EC2, that can hopefully point out something obvious I'm missing?
Best Answer
I dont think you can just alias an Elastic Network Interface (ENI) into another subnet. Have you tried adding another private IP to it through the AWS console (right click the instance and click manage network interfaces, or something like that)?
Also, different instances have limits on the number of interfaces they can have. Heres a table: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI