#aws (2022-05)

aws Discussion related to Amazon Web Services (AWS)

Archive: https://archive.sweetops.com/aws/

2022-05-01

2022-05-02

jonjitsu avatar
jonjitsu

Years ago when I was using ECS on EC2 I used the ASG TERMINATING lifecycle hook to set up a “graceful” termination operation which would drain the EC2 container instance of containers before terminating it. Is this still required with ECS on EC2 in 2022? Or is there more integration between ECS and ASG now?

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

Yes, this is still required using drain hooks.

RB (Ronak) (Cloud Posse) avatar
RB (Ronak) (Cloud Posse)

I haven't set this up in a while but these are my notes from then:

https://github.com/nitrocode/awesome-aws-lifecycle-hooks

Things could have changed since but I haven't noticed anything. Please let me know if there is an easier way than ASG lifecycle hooks.

nitrocode/awesome-aws-lifecycle-hooks

Awesome aws autoscaling lifecycle hooks for ECS, EKS

managedkaos avatar
managedkaos

TLDR: How do you achieve static IPs for a Root Domain hosted behind CloudFront without using Route53 Aliases?

Details: I am working with a client that started with a website running on a single EC2 instance. An Elastic IP (EIP) was associated with the instance. The IP was used to create A records in a third-party DNS for routing the root and the “www” endpoints to the instance.

root.com, www.root.com → 3rd-party DNS (A) → EIP → EC2

After much refactoring, the site is now running behind CloudFront and an ALB. The CloudFront endpoint is published as a CNAME for the “www” endpoint and works great. The root, however, is still using the old EIP as an A record because you can’t use CNAMEs with the root.

www.root.com → 3rd-party DNS (CNAME) → CloudFront → ALB

root.com → 3rd-party DNS (A) → EIP → EC2 (redirect to www with NGINX)

Of course, the “easiest” (!) way to get the root domain pointed at CloudFront is to create an ALIAS record in Route53. Ha! I say “easiest” because moving the zone from the third-party DNS hosting into Route53 would take far too much effort for this one little redirect. For example, retraining people to use AWS instead of the DNS tool they have been using for years among many, many other potential snares and time sinks.

So I’ve looked at a couple of solutions.

The current one works but I don’t want to have to run/manage an NGINX server for redirects. It’s also not highly available; if the server goes offline then redirects will fail. So use an ALB, right?

Since the IPs for ALBs change, but NLBs can have an EIP assigned to them, I tried assigning an EIP to a Network Load Balancer backed by an ALB that listens on ports 80 and 443. The listeners have a rule that redirects the request to “www”. I should add, content doesn’t need to be served from the root domain; it should all come from “www”.

root.com → 3rd-party DNS (A) → EIP → NLB → ALB → redirect to www

This works for the most part but I feel like an NLB and an ALB for redirecting a request is overkill. I figure there has to be a better, cheaper solution. (This one is about $30/month not including traffic, which should be pretty minimal.)

So I looked at AWS Global Accelerator. This provides static IPs that can be pointed at a few different AWS resources; ALBs are there but sadly not CloudFront (AFAICT).

root.com → 3rd-party DNS (A) → Global Accelerator → ALB (live site!)

In my early exploration of this, it's only working for HTTP requests… not for HTTPS requests. So if someone enters “https://root.com”, the redirect won’t ever happen. Bummer! This one is about $18/month not including traffic.

So before I settle on the EIP → NLB → ALB approach, I ask the question: How do you achieve static IPs for a root domain hosted behind CloudFront without using Route53 aliases?

AWS Global Accelerator - Amazon Web Services

AWS Global Accelerator is a networking service that simplifies traffic management and improves performance by up to 60%.

jose.amengual avatar
jose.amengual

the same old problem

jose.amengual avatar
jose.amengual

In the old days we used to have an nginx redirector for this kind of stuff.

jose.amengual avatar
jose.amengual

You can do GA → ALB with a redirect rule and that should work as a redirector.

jose.amengual avatar
jose.amengual

But if you have a very huge network, 2 nginx servers with private IPs can do the job (as we did for 100s of millions of requests back in the day).

managedkaos avatar
managedkaos

Yeah, as much as I don’t want to manage it, an EIP pointed at an NLB with EC2s running NGINX attached to it is still a simple, elegant solution.

managedkaos avatar
managedkaos

After thinking for a bit I ended up using the Global Accelerator (which provides 2 static IPs) as a front end for an ALB with listeners doing the forward: root.com → 3rd-party DNS (A) → Global Accelerator → ALB → www.root.com

After I implemented this, I googled a bit and came across this article. They did the exact same thing I did, almost line-for-line of TF code.

https://www.cloud2.fi/blogi/naked-domain-nightmare

Naked Domain Nightmare! — cloud2

Since the release of AWS Elastic Load Balancer (ELB) in 2009, system administrators have struggled with the fundamentals of Internet: zone apex and DNS. If you are not that familiar with Domain Name System, let’s start by looking at the internals of domain names: Fully qualified domain name www.

2022-05-03

idan levi avatar
idan levi

Hi all! I'm trying to create self-managed node groups on EKS using the Terraform eks module and Terragrunt. I want to add tolerations, taints and labels to each node group, so I tried to use bootstrap_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot,node/role=os-client" and

bootstrap_extra_args = <<-EOT
      [settings.kubernetes.node-labels]
      ingress = "allowed"
      EOT 

but neither of them creates the node group with the labels/taints. Does someone know what the right way to do it is? Thanks!!

2022-05-05

momot.nick avatar
momot.nick

Having a strange issue with AWS SSM where I am unable to copy/paste into their RDP client: CTRL-V, CTRL-SHIFT-V, and right-clicking don’t seem to work. Has anyone encountered this issue before? For reference, I’m using Pop!_OS 21.10 and the instance is running Windows Server 2022.

Chandler Forrest avatar
Chandler Forrest

Any chance the AMI that you are running for Windows is one of the STIG hardened images from AWS?

Chandler Forrest avatar
Chandler Forrest

Effectively, the RDP clipboard can be disabled by the destination machine.

momot.nick avatar
momot.nick

Doesn’t seem to be one of the STIG images, but I hadn’t thought about that possibility.

momot.nick avatar
momot.nick

Is it possible to re-enable it manually?

Looking through the running processes, I see rdpclip running; restarting it unfortunately doesn’t work.

momot.nick avatar
momot.nick

For reference, it's Microsoft Windows Server 2022 Base.

jose.amengual avatar
jose.amengual

Has anyone seen this before: CannotPullContainerError: ref pull has been retried 5 time(s): failed to copy: httpReadSeeker: failed open: failed to do request: Get https://prod-us-east-1-starport-layer-bucket.s3.us-east-1.amazonaws.com/

jose.amengual avatar
jose.amengual

Account with no internet, using VPC endpoints.

jose.amengual avatar
jose.amengual

That bucket is an Amazon-managed bucket that stores the ECR images.