
An EC2 instance from a RHEL AMI (I haven't checked any other) only has the private address assigned to it.

i.e. ip addr yields:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
    valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:6d:c3:86:ce:e0 brd ff:ff:ff:ff:ff:ff
    inet 172.39.16.198/20 brd 172.39.31.255 scope global eth0
    inet6 fe80::6d:c2ff:fe86:cee0/64 scope link 
    valid_lft forever preferred_lft forever

The public IP is working and the machine can be reached through it. It can access the internet via the VPC's gateway.

But how do I make sure the interface has the public IP, so outgoing packets actually contain the correct IP? This is necessary for IPsec to work properly.

  • As I said in my answer to the dupe question linked above, this is **not** a requirement for IPsec to work correctly. Is that question one you posted as well? – EEAA Apr 14 '14 at 14:57
  • @EEAA, thanks, didn't find that question. Yes, it's a dup. No, it isn't mine. – aep Apr 14 '14 at 14:59
  • OK, no problem. They were very similar questions, asked within days of each other, so I was suspicious. Well, the answer still stands. Having the public IP actually on your server interface is not a requirement for IPsec. And no, you cannot assign a public IP directly to an EC2 instance, VPC or otherwise. – EEAA Apr 14 '14 at 15:00
  • Yep, the other question contained the answer I was looking for. Thanks! (Should I mark Rico's answer as accepted? It _is_ correct.) – aep Apr 14 '14 at 15:04
  • Sure, mark it as accepted. This might eventually be closed as a dupe, but that's fine. There's no harm in giving Rico the rep points he deserves. – EEAA Apr 14 '14 at 15:07

1 Answer


Well, you can't explicitly assign public IPs to an AWS instance at the OS level. Amazon has their datacenter behind a firewall (or firewalls), and the instances all have private IP addresses that are being NATed to a public IP.

So to the outside they look like a public IP, but internally they have their private IPs. If you are trying to get to your instance from the outside, using the public IP should be enough to get to it, as it maps directly to the private IP of your instance.

Now if you have an IPsec tunnel set up directly to your instance, I believe the outgoing packets will have the tunnel IP address attached to your instance.
