Even if your VPC has no Internet Gateway (IGW), AWS can still assign public IPs to the instances based on the subnet settings. However, without an IGW, these instances cannot communicate with the internet using the public IP. The public IP will be assigned but will be non-functional for internet traffic because there's no route to the internet.
Why public IPs are assigned:
- Subnet settings: If the subnets are configured to auto-assign public IPs, then any instance launched within those subnets will be assigned a public IP by default.
- Instance launch settings: During the launch of an EC2 instance, there is an option to enable or disable the assignment of a public IP address. This can override the subnet setting.
If you are not going to go to the internet from EC2 instances, it's better to create those instances without public IP addresses, because public IP addresses are not free (~$3 per IP per month).
Hello,
The assignment of public IP addresses to EC2 instances in AWS is controlled at the subnet level, not at the VPC level. If you've enabled auto-assign public IPv4 address at the subnet level, or allowed instances to have public IP addresses if configured during instance launch, the EC2 instances will be assigned a public IPv4 address.
Note that since you don't need the public IPs, and because AWS charges a fee for each public IPv4 address, and since there is the risk that an IGW and routes would later be added and the instances with the public IPs might be exposed to the public internet by accident, it's best to remove the public IPs.
Removing an automatically assigned public IP wasn't previously possible without terminating and recreating the instance (or detaching and recreating a secondary network interface), but it recently became possible to do simply by modifying the network interface (ENI, elastic network interface) options. The procedure is explained here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#managing-network-interface-ip-addresses
Technically, the way all public IPv4 addresses are implemented for EC2 instances is that when traffic arrives at the public IPv4 address, AWS translates the destination IP of the packet to the primary private IPv4 address of the network interface. Return traffic is treated the same way in reverse. That's also why, in your current situation, your VPC flow logs would likely show port scans and probes trying to reach your instances with public IPs, despite there being no IGW and even if security groups or network ACLs are dropping the incoming packets. That's because every packet that is received at the public IP first gets its destination IP translated to the private IP of the corresponding ENI and only then evaluated against security group rules, network ACLs, and so on.
The solution is to ensure your subnets are not configured to assign public IPs, as Oleksii Bebych advised earlier. For your existing instances not having public IPv4 addresses but not needing them, I advise you follow the instructions in the documentation article above to remove the public IPs. It will also save you a few dollars per month per public IPv4 address.
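The two answers above describe the same audit in words: find subnets with auto-assign public IPv4 turned on, find instances that already hold a public IPv4, and distinguish the "dormant" case (public IP but no IGW, which is the poster's situation) from the genuinely exposed case (public IP in a VPC that does have an IGW attached). The following Python is an added example written for this thread, not code from either answer or from AWS. It runs offline on constructed sample data in the shape of the JSON returned by `aws ec2 describe-subnets`, `aws ec2 describe-internet-gateways` and `aws ec2 describe-instances` (only the fields the check needs: `MapPublicIpOnLaunch`, `Attachments[].VpcId`, `PublicIpAddress`); all resource IDs and addresses are made up for the example.

```python
"""Offline audit for public IPv4 exposure in VPCs, in the shape of EC2 describe-* output.

Constructed sample data stands in for the JSON you would load from:
  aws ec2 describe-subnets / describe-internet-gateways / describe-instances
"""

# Constructed sample: three subnets, two with auto-assign public IPv4 enabled.
SAMPLE_SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-aaaa0001", "VpcId": "vpc-0001", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-aaaa0002", "VpcId": "vpc-0001", "MapPublicIpOnLaunch": False},
        {"SubnetId": "subnet-bbbb0001", "VpcId": "vpc-0002", "MapPublicIpOnLaunch": True},
    ]
}

# Constructed sample: only vpc-0002 has an Internet Gateway attached.
SAMPLE_IGWS = {
    "InternetGateways": [
        {"InternetGatewayId": "igw-0002",
         "Attachments": [{"VpcId": "vpc-0002", "State": "available"}]},
    ]
}

# Constructed sample: describe-instances nests instances inside Reservations.
SAMPLE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0001", "VpcId": "vpc-0001", "SubnetId": "subnet-aaaa0001",
             "PublicIpAddress": "203.0.113.10"},          # public IP, but no IGW: dormant
            {"InstanceId": "i-0002", "VpcId": "vpc-0001", "SubnetId": "subnet-aaaa0002"},
            {"InstanceId": "i-0003", "VpcId": "vpc-0002", "SubnetId": "subnet-bbbb0001",
             "PublicIpAddress": "203.0.113.20"},          # public IP and IGW: reachable
        ]}
    ]
}


def vpcs_with_igw(igws):
    """Set of VPC IDs that have an Internet Gateway attached."""
    return {att["VpcId"]
            for igw in igws["InternetGateways"]
            for att in igw.get("Attachments", [])}


def subnets_auto_assigning_public_ip(subnets):
    """Sorted subnet IDs whose auto-assign public IPv4 setting is on."""
    return sorted(s["SubnetId"] for s in subnets["Subnets"] if s.get("MapPublicIpOnLaunch"))


def instances_with_public_ip(instances):
    """List of (instance_id, vpc_id, public_ip) for instances holding a public IPv4."""
    found = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            ip = inst.get("PublicIpAddress")
            if ip:
                found.append((inst["InstanceId"], inst["VpcId"], ip))
    return found


def audit(subnets, igws, instances):
    """Classify findings.

    'dormant'  - public IP in a VPC with no IGW (unreachable today, but a liability
                 if an IGW and route are added later, and billed either way)
    'exposed'  - public IP in a VPC that has an IGW attached
    """
    igw_vpcs = vpcs_with_igw(igws)
    findings = {"auto_assign_subnets": subnets_auto_assigning_public_ip(subnets),
                "dormant": [], "exposed": []}
    for inst_id, vpc_id, ip in instances_with_public_ip(instances):
        bucket = "exposed" if vpc_id in igw_vpcs else "dormant"
        findings[bucket].append((inst_id, ip))
    return findings


def remediation_commands(findings):
    """AWS CLI commands that turn off auto-assign on each flagged subnet.

    Removing an already-assigned public IP is done per network interface, as
    described in the ENI documentation linked in the answer above.
    """
    return [f"aws ec2 modify-subnet-attribute --subnet-id {sid} --no-map-public-ip-on-launch"
            for sid in findings["auto_assign_subnets"]]


if __name__ == "__main__":
    result = audit(SAMPLE_SUBNETS, SAMPLE_IGWS, SAMPLE_INSTANCES)
    for key, value in result.items():
        print(f"{key}: {value}")
    for cmd in remediation_commands(result):
        print(cmd)
```

To run it against a real account, replace the three constants with `json.load()` of the corresponding `aws ec2 describe-*` output; the field names used here are the ones those commands return. The `dormant` bucket is the one the poster is in: nothing can reach those addresses now, but they cost money and become reachable the moment an IGW and a default route are added.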