Excerpts from Eric Hammond's message of Fri Aug 12 23:42:37 UTC 2011:
> Amazon recommends fixing this through DNS instead of through software on the instance.
>
> Instead of resolving eu-west-1.ec2.archive.ubuntu.com directly to an A record of the internal IP address starting with "10.", Canonical should change it to resolve to a CNAME of the external elastic IP address hostname (e.g., ec2-NNN-NNN-NNN-NNN.compute-1.amazonaws.com).
>
> This will resolve to the internal "10." IP address for normal EC2 instances, saving performance and cost, and will resolve to the external elastic IP address for VPC EC2 instances.
OH! I didn't realize that this was the case. I'll open a case with our ops team to look into this, thanks for the extra info!

> Making this change not only clears up the issue with VPC, but any other future situation where an EC2 instance cannot access "10." IP addresses and EC2 DNS points it to the external IP address of the apt repository.
>
> This approach also makes it easier for Canonical when the apt repository instance gets a new internal IP address (e.g., stop/start, failure). Canonical would simply reassociate the elastic IP address with the new/restarted instance and all DNS would resolve to the correct new IP address without Canonical making any changes to their DNS servers.
>
> If Canonical is concerned about the EC2 apt repositories being accessed from outside of EC2 (I wouldn't be, but it's your choice), Amazon recommends the following:
>
> "To protect the repo from being accessed outside of AWS, lock down the security group rules to allow only traffic from the public AWS IP ranges (https://forums.aws.amazon.com/ann.jspa?annID=1097) and to the 10. network."
>
> Here is a github repository that keeps up-to-date lists of the EC2 IP address ranges in a format that is easy to parse:
>
> https://github.com/garnaat/missingcloud
>
> --
> You received this bug notification because you are subscribed to the bug report.
> https://bugs.launchpad.net/bugs/824947
>
> Title:
>   EC2 apt repository DNS resolution on VPC instances
>
> Status in “cloud-init” package in Ubuntu:
>   Confirmed
>
> Bug description:
>   DNS names like eu-west-1.ec2.archive.ubuntu.com (apt repository for eu-west-1 on EC2) are currently resolving to private IP addresses (e.g., "10.").
>
>   An EC2 instance running in VPC cannot access these repositories.
>
>   More details and possible fixes at:
>   https://forums.aws.amazon.com/thread.jspa?threadID=73379
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 11.04
>   Package: cloud-init 0.6.1-0ubuntu8
>   ProcVersionSignature: User Name 2.6.38-8.42-virtual 2.6.38.2
>   Uname: Linux 2.6.38-8-virtual i686
>   Architecture: i386
>   Date: Fri Aug 12 03:19:39 2011
>   Ec2AMI: ami-06ad526f
>   Ec2AMIManifest: (unknown)
>   Ec2AvailabilityZone: us-east-1a
>   Ec2InstanceType: m1.small
>   Ec2Kernel: aki-407d9529
>   Ec2Ramdisk: unavailable
>   PackageArchitecture: all
>   ProcEnviron:
>    LANG=en_US.UTF-8
>    SHELL=/bin/bash
>   SourcePackage: cloud-init
>   UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/824947/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
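The split-horizon behaviour Eric Hammond describes above (a CNAME to the EC2 public hostname resolves to the "10." address for classic EC2 instances and to the elastic IP for VPC instances), modelled as an added example that is not from this thread, from Canonical or from Amazon. The zone records, the public-to-internal mapping and the 203.0.113.10 / 10.0.5.7 addresses are constructed stand-ins; the before/after comparison shows why a direct A record breaks VPC instances while the CNAME does not.

```python
import ipaddress
import re

NET10 = ipaddress.IPv4Network("10.0.0.0/8")
# Shape of an EC2 public hostname, e.g. ec2-NNN-NNN-NNN-NNN.compute-1.amazonaws.com
EC2_PUBLIC_NAME = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.[a-z0-9.-]+\.amazonaws\.com$")


def ip_from_ec2_public_name(name):
    """Return the public IPv4 address embedded in an EC2 public hostname, or None."""
    m = EC2_PUBLIC_NAME.match(name.strip().lower().rstrip("."))
    return ipaddress.IPv4Address(".".join(m.groups())) if m else None


def resolve(zone, ec2_internal_map, name, querier):
    """Model what `name` resolves to for a given querier.
    zone: Canonical's records, {name: ("A", ip) | ("CNAME", target)}.
    ec2_internal_map: {public_ip: internal_ip}; constructed stand-in for the
        elastic-IP mapping that EC2's own resolver keeps.
    querier: "classic" (EC2 non-VPC instance), "vpc" or "internet".
    """
    rtype, value = zone[name]
    if rtype == "A":
        return ipaddress.IPv4Address(value)  # same answer for every querier
    public_ip = ip_from_ec2_public_name(value)
    if public_ip is None:
        raise ValueError("CNAME target is not an EC2 public hostname: " + value)
    # Split horizon: EC2 DNS gives classic instances the internal address and
    # everyone else (VPC, Internet) the public one.
    if querier == "classic":
        return ipaddress.IPv4Address(ec2_internal_map[str(public_ip)])
    return public_ip


def reachable(addr, querier):
    """Only classic EC2 instances can reach the mirror's 10/8 address."""
    return querier == "classic" or addr not in NET10


MIRROR = "eu-west-1.ec2.archive.ubuntu.com"
# Constructed sample data: documentation-range public IP, made-up internal IP.
INTERNAL_MAP = {"203.0.113.10": "10.0.5.7"}
ZONE_BEFORE = {MIRROR: ("A", "10.0.5.7")}
ZONE_AFTER = {MIRROR: ("CNAME", "ec2-203-0-113-10.eu-west-1.compute.amazonaws.com")}

if __name__ == "__main__":
    for label, zone in (("A record", ZONE_BEFORE), ("CNAME", ZONE_AFTER)):
        for q in ("classic", "vpc", "internet"):
            addr = resolve(zone, INTERNAL_MAP, MIRROR, q)
            print(f"{label:8} {q:8} -> {addr}  reachable={reachable(addr, q)}")
```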
