2nd Elastic IP access via SSH

0

Hi, I added a 2nd Elastic IP to EC2 with Ubuntu 20.

  • the IP is associated with the instance
  • both IPs are in the same subnet and zone and associated with the same instance; they share the same security group
  • two interfaces are attached to separate Elastic IPs (none of them to the instance itself)
  • eth0 and eth1 on Ubuntu are enabled, the correct private IP is associated to eth1, and DHCP is disabled
  • So I access the server on the first Elastic IP, but not on the second. Am I missing something?
bgbs
asked 8 months ago · 221 views
2 Answers
1

Hello.
Am I correct in understanding that you have followed the steps in the following document?
If routing and other settings are not properly configured, the ENI cannot be used even if it is added.
https://repost.aws/knowledge-center/ec2-ubuntu-secondary-network-interface

EXPERT
answered 8 months ago
EXPERT
reviewed 8 months ago
  • I have tried it in my environment, and if it is configured correctly, SSH is possible even with a secondary ENI. In my environment, I configured the following settings.

    ubuntu@ip-172-31-33-116:~$ cat /etc/netplan/51-eth1.yaml
    network:
      version: 2
      renderer: networkd
      ethernets:
        eth1:
          addresses:
           - 172.31.41.120/20
          dhcp4: no
          routes:
           - to: 0.0.0.0/0
             via: 172.31.32.1 # Default gateway
             table: 1000      # Dedicated routing table for eth1 traffic
           - to: 172.31.41.120
             via: 0.0.0.0
             scope: link      # Link-scope route for eth1's own address
             table: 1000
          routing-policy:
            - from: 172.31.41.120 # Source-based rule: packets from eth1's IP use table 1000
              table: 1000

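One way to confirm on the instance that the policy routing in the comment above actually took effect (an added check written for this thread, not from the original poster, the expert, or AWS): the function parses `ip rule show` and `ip route show table 1000` and reports each missing piece. The addresses and table id are those from the expert's example; the IP_RULE_OUT / IP_ROUTE_OUT variables are assumed names that let the check run on saved output instead of a live host.

```shell
#!/bin/sh
# Verify source-based policy routing for a secondary ENI: replies sourced from
# the eth1 address must be routed through eth1's own table, otherwise they leave
# via eth0 and SSH to the second Elastic IP never completes.
# Usage: check_policy_routing <secondary private IP> <table id> <subnet gateway>
# If IP_RULE_OUT / IP_ROUTE_OUT are set (assumed variable names), their text is
# checked instead of the live `ip` output, so the check also works offline.
check_policy_routing() {
  addr="$1"; table="$2"; gw="$3"
  rules="${IP_RULE_OUT:-$(ip rule show 2>/dev/null || true)}"
  routes="${IP_ROUTE_OUT:-$(ip route show table "$table" 2>/dev/null || true)}"
  status=0
  # 1. A policy rule must send traffic *from* the secondary address to its table.
  if printf '%s\n' "$rules" | grep -q "from $addr lookup $table"; then
    echo "ok:   rule 'from $addr lookup $table' present"
  else
    echo "FAIL: no policy rule for $addr -> table $table (routing-policy missing?)"
    status=1
  fi
  # 2. That table needs its own default route via the subnet gateway.
  if printf '%s\n' "$routes" | grep -q "^default via $gw "; then
    echo "ok:   table $table has default route via $gw"
  else
    echo "FAIL: table $table has no default route via $gw"
    status=1
  fi
  # 3. And a link-scope route for the address itself.
  if printf '%s\n' "$routes" | grep -q "^$addr .*scope link"; then
    echo "ok:   link-scope route for $addr in table $table"
  else
    echo "FAIL: no link-scope route for $addr in table $table"
    status=1
  fi
  return $status
}

# Run the live check when invoked with the three arguments on the instance.
if [ "$#" -eq 3 ]; then
  check_policy_routing "$@"
fi
```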
0

The following isn't completely clear:

both ips are in the same subnet and zone

This suggests to me these are private IPs within the same subnet of the VPC. But...

i access server on first elastic ip, but not on the second

An Elastic IP address is a public IPv4 address https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#ip-addressing-eips and the two that are assigned to your EC2 instance are unlikely to be in the same subnet (though it's not impossible).

Are you trying to SSH to public IPs or private IPs? (Or it could be a BYOIP.)

Separately, can you expand on what you mean by:

they share the same security group

When you initially create the EC2 and give it a security group, you're actually associating the security group with the network interface that's provisioned with the instance (the one you call eth0, so let's stick with that) and not the EC2. So when you create and attach the next interface, eth1, it won't automatically be associated with any security groups.

Check that eth1 is associated with the same security group as eth0.

If this looks correct then go back one step to the host that is able to SSH to eth0 and check its outbound rules allow SSH to the IP of eth1, e.g. is the outbound rule tightly defined and only allowing egress over port 22/tcp to the IP of eth0 or something like that?

EXPERT
Steve_M
answered 8 months ago
