Auto Scaling with Static IPs in AWS

Untitled-21 With the proliferation of the AWS infrastructure as code model, saying that a system follows a standard deployment model can be a loaded statement. True, the basis for the system architecture can be found in one or more standard models. However, the flexibility afforded by using AWS allows for a high degree of variation in the implementation.

One recent case from a client involved Auto Scaling. A standard deployment in AWS can include an Auto Scaling Group where new instances get assigned an IP in the VPCs subnet. However, the client model required a static IP on at least one Data Center Node in AWS. This was used to allow traffic from a sub-network that had specific whitelisted IPs in the environment.

The solution we developed included auto-mounting a second network interface with the user data script. After deploying the Data Center application, here are the steps in the process:

1. Create a Network Interface with the name: atlassian-jira-prod-standalone. (Note: make sure it exists in one of the subnets assigned to your Auto Scaling Group)

2. Create a tag in your Auto Scaling Group called eni_friendly_name.

3. Create an IAM policy with the following permissions and add it to the instances IAM role:


{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:AttachNetworkInterface"
],
"Resource": "*"
}
]
}

4. Add the following to your user data script:


if [ -n ${eni_id+x} ]; then
# if 'in-use' then check every 30 seconds for 10 minutes to see if status changes. If no change, skip. If 'available' attach on current node.
n=0
until [ $n -ge 20 ] ; do
eni_status=$(aws ec2 describe-network-interfaces --region ${region} --query NetworkInterfaces[*].Status --network-interface-ids ${eni_id} --output text)
if [[ "${eni_status}" == "available" ]] ; then
echo "ENI available, attaching..."
aws ec2 attach-network-interface --network-interface-id ${eni_id} --instance-id ${instance_id} --device-index 1 --region ${region}
break
else
echo "ENI in-use, sleeping and then checking again"
n=$[$n+1]
sleep 30
fi
done
else
echo "ERROR: no elastic network interface is available in ${availability_zone} with eni_friendly_name tagged as ${eni_friendly_name}."
fi

That’s it! Now every time a new instance comes up in the cluster, it will check if the application-specific network interface is already attached, and if it’s unattached, it mounts it on the new instance. There will be some downtown for any traffic pointed at this node, but it provides automatic healing.