
I set up a VPC using scenario 2 from the AWS Docs: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

I've assigned an Elastic IP to an EC2 instance running in a Public Subnet. SSH works fine and I can access the website running on it. I cannot, however, make outgoing HTTP or HTTPS requests (I noticed this when trying to run `yum update`).

I believe all my security settings are correct. Am I not able to make outgoing HTTP/HTTPS requests through the internet gateway? I specifically requested not to have a public IP assigned to this instance when it was created, because I knew I was going to assign an Elastic IP that gets linked to the website DNS. I have NAT set up for instances in the Private Subnet, but I currently only have RDS instances running there, so I have not tested outgoing requests from there.

The security group for that EC2 instance has the following outbound rules: [screenshot not reproduced]

The route table for that subnet has the following settings: [screenshot not reproduced]

The Network ACL has the following settings: [screenshot not reproduced]

The default DHCP Option Set has the following settings:

domain-name = ec2.internal
domain-name-servers = AmazonProvidedDNS

The default /etc/resolv.conf settings are:

search ec2.internal
nameserver 10.0.0.2

The CIDR Blocks for the VPC and Subnets are as follows:

VPC: 10.0.0.0/16
Public Subnet: 10.0.0.0/24
Private DB Subnet in US East 1A: 10.0.1.0/24
Private DB Subnet in US East 1C: 10.0.2.0/24
T. Brian Jones
  • Does `curl http://www.google.com/` fail? – ceejayoz Oct 08 '14 at 20:09
  • Yes. I cannot access any sites, curl, wget, ping, etc. -- `curl: (6) Could not resolve host: www.google.com` – T. Brian Jones Oct 08 '14 at 20:09
  • Nameserver issue, perhaps? – ceejayoz Oct 08 '14 at 20:10
  • Interesting ... that does seem to be the problem. I can ping IP Addresses for Google.com. What does this mean for my VPC? What is the problem? – T. Brian Jones Oct 08 '14 at 20:15
  • Check your /etc/resolv.conf and your AWS Console for DHCP Option Sets. – ceejayoz Oct 08 '14 at 20:17
  • The DHCP Options are `domain-name = ec2.internal` AND `domain-name-servers = AmazonProvidedDNS`. The settings in `/etc/resolv.conf` match (except it's `10.0.0.2` instead of `AmazonProvidedDNS`) ... Should I change this to use a public DNS server like Google's: 8.8.8.8? Why won't Amazon's DNS resolve anything? – T. Brian Jones Oct 08 '14 at 20:32

1 Answer

STILL WONDERING

Why doesn't the provided AWS DNS Server work in this case?

PROBLEM

The problem was that DNS names weren't resolving via the local DNS server that Amazon provided when originally creating the VPC. I discovered that I could make outgoing HTTP/HTTPS connections to IP addresses, which didn't need to contact a DNS server to resolve.

SOLUTION

I had to create a custom DHCP Option Set within the Amazon VPC AWS Console and set Google's public DNS IPs as `domain-name-servers = 8.8.8.8, 8.8.4.4`.

Then I had to update `/etc/resolv.conf`, setting the same thing:

nameserver 8.8.8.8
nameserver 8.8.4.4

T. Brian Jones
  • Like a comment above said, what are your DHCP option sets and the default /etc/resolv.conf settings? Also what are the vpc and subnet cidr blocks? – Jason Floyd Oct 09 '14 at 03:58
  • I added those details to the bottom of the question. – T. Brian Jones Oct 09 '14 at 16:39
  • After making those changes, did you have to restart something? I've added a DHCP option set, and also changed the lines in resolv.conf, but the `curl http://google.com` still doesn't work. – PKHunter Oct 10 '15 at 02:36
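As an added example (not part of the question or answer above, and not AWS code), the following Python shows the mechanics behind the thread: it derives the in-VPC resolver address from the VPC CIDR, renders the `/etc/resolv.conf` that a given DHCP option set produces on an instance, and classifies each configured nameserver by where its queries have to travel. The option-set dicts and resolv.conf text in the test are constructed from the values posted on this page; the function names are my own.

```python
import ipaddress

# Offset of the Amazon-provided DNS resolver inside every VPC: the VPC's
# network address plus two. For 10.0.0.0/16 that is 10.0.0.2, the address
# that appeared in resolv.conf on this page.
AMAZON_DNS_OFFSET = 2
# Link-local alias of the same resolver, valid from any VPC.
AMAZON_DNS_LINK_LOCAL = "169.254.169.253"


def amazon_dns_address(vpc_cidr: str) -> str:
    """Return the AmazonProvidedDNS address reserved in a VPC CIDR."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if net.num_addresses < 8:
        raise ValueError("VPC CIDR too small to reserve the resolver address")
    return str(net.network_address + AMAZON_DNS_OFFSET)


def parse_resolv_conf(text: str) -> dict:
    """Return {'search': [...], 'nameservers': [...]} from resolv.conf text."""
    conf = {"search": [], "nameservers": []}
    for raw in text.splitlines():
        # Strip both comment styles resolv.conf accepts, then blank lines.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key in ("search", "domain"):
            conf["search"].extend(args)
    return conf


def render_resolv_conf(dhcp_options: dict, vpc_cidr: str) -> str:
    """Render resolv.conf the way the DHCP client does from a VPC option set.

    The keyword 'AmazonProvidedDNS' is expanded to the VPC's base+2 address,
    which is why the console shows AmazonProvidedDNS while the instance
    shows a literal IP.
    """
    lines = []
    domain = dhcp_options.get("domain-name")
    if domain:
        lines.append(f"search {domain}")
    for server in dhcp_options.get("domain-name-servers", []):
        if server == "AmazonProvidedDNS":
            server = amazon_dns_address(vpc_cidr)
        lines.append(f"nameserver {server}")
    return "\n".join(lines) + "\n"


def classify_nameservers(resolv_text: str, vpc_cidr: str) -> dict:
    """Map each configured nameserver to the path its queries take.

    'vpc-resolver': the Amazon resolver, answered from inside the VPC.
    'in-vpc':       another host in the VPC, e.g. a self-managed resolver.
    'external':     outside the VPC, so UDP/TCP 53 and the replies must be
                    allowed by the security group, the network ACL and a
                    route to the internet gateway.
    'invalid':      not an IP address at all (a typo in resolv.conf).
    """
    net = ipaddress.ip_network(vpc_cidr)
    resolver = amazon_dns_address(vpc_cidr)
    result = {}
    for ns in parse_resolv_conf(resolv_text)["nameservers"]:
        if ns in (resolver, AMAZON_DNS_LINK_LOCAL):
            result[ns] = "vpc-resolver"
            continue
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            result[ns] = "invalid"
            continue
        result[ns] = "in-vpc" if addr in net else "external"
    return result


if __name__ == "__main__":
    # Constructed inputs mirroring the page: the default option set, then
    # the custom one the answer switched to.
    vpc = "10.0.0.0/16"
    default_set = {"domain-name": "ec2.internal",
                   "domain-name-servers": ["AmazonProvidedDNS"]}
    google_set = {"domain-name": "ec2.internal",
                  "domain-name-servers": ["8.8.8.8", "8.8.4.4"]}
    for opts in (default_set, google_set):
        conf = render_resolv_conf(opts, vpc)
        print(conf, classify_nameservers(conf, vpc))
```

The switch to 8.8.8.8 moves name resolution out of the VPC, so it only works when the security group and network ACL permit outbound UDP and TCP port 53 and the return traffic. The answer never learns why the 10.0.0.2 resolver failed; two checks not on the page that a practitioner would run first are the VPC attribute `enableDnsSupport`, which must be true for the base+2 resolver to answer (`aws ec2 describe-vpc-attribute --vpc-id <id> --attribute enableDnsSupport`), and, for the commenter who asked about restarting, the fact that a new DHCP option set only reaches an instance when its DHCP lease renews, so renew the lease or reboot rather than waiting.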