EdwardIIIhey you absolute heroes of AWS
EdwardIIIi'm trying to install a certificate chain for an LB in AWS, but no matter what i try things in it's saying "Unable to validate certificate chain. The certificate chain must start with the immediate signing certificate, followed by any intermediaries in order."
EdwardIIImy cert provider has given me: a ca bundle, a cross-certificate, and a intermediate ca certificate
EdwardIIIis a Intermediate CA Certificate the same as an "immediate signing certificate"?
OliverMTScript at specified location: install_dev.sh run as user root failed with exit code 1 - /opt/codedeploy-agent/lib/instance_agent/plugins/codedeploy/hook_executor.rb:153:in `execute_script' <-- anyone got a hint at what could be wrong? ./install_dev.sh works just fine from bash
OliverMTis there anywhere to get more detailed logs?
never2farhello, how can i modify an existing aurora db instance to use multi-az ? ...i can't find the option :(
never2farTo convert an existing standard (single AZ) DB Instance to Multi-AZ, modify the DB Instance in the AWS Management Console (https://aws.amazon.com/rds/faqs/) but i can't find an option
aframeGood morning folks, question to the channel: I'm looking for a way to detect when a user changes the default gateway of an EC2 instance. I need to alert on it and either change it back or terminate the instance and restart. Any suggestions?
Suzumiyasounds like you need to secure the priv'ed user(s) so they can't do it at all
Suzumiyaotherwise, nothing another AWS service could do really; more just a script or something that watches it and executes some aws-cli
aframethanks Suzumiya that's what I thought
neuro_sysIs it enough to terminate an EC2 instance to stop billing?
Lloydstopping an instance will cease the hourly instance costs, but you are still paying for the EBS storage
neuro_sysalright, so terminating it (this removing it completely) will stop billing altogether, right?
neuro_sysI had a g2.2xlarge, I had only stopped it, and terminated it after a week or so.
selckincheck if you have anything still under volumes
neuro_sys0 volumes
neuro_sys1 key pairs, 1 elastic IPs, 2 security groups
selckinelastic ip cost money too
neuro_sysremoved that too. I wonder if there's a billing details page. got $154 for this month. I wonder how much of it is wasted due to my negligence.
neuro_sysgot billed*
selckinyou can request a list, but ebs/elastic ip is fairly cheap
neuro_sysI think two weeks ago I just stopped the g2.2xlarge, and not terminated it.
neuro_sysit might have costed despite the instance not having run.
selckinno, you only keep p aying the ebs volumes i believe
neuro_sysso: $0.650 per On Demand Linux g2.2xlarge Instance Hour 236 Hrs $153.40
selckindid you start stop it many times?
selckinevery start is a full hour
neuro_sysI'd been using this for two months
neuro_sysand this month it's got $154 billed
neuro_sysanyway I think it's fine
neuro_sysI must have stopped it last week, which is 9th. And 236 / 24 ~= 9 days
uictamaleHey all, can you make route 53 only respond to queries for internal EC2 hostnames and not forward your DNS queries to any external DNS servers?
uictamaleWe're trying to make DNS work for internal hostnames in our locked-down VPC without letting anyone query for external DNS ... not finding any good out-of-the-box solution for this...
wyuI know AWSTask says you can chain instead of nest
wyubut is nesting okay?
DoyleHey. If a spot bid spikes just for a moment, say to $4 from $1, does that hour cost $4, or is it granular enough to just charge $4 for the time the price was spiked?
selckinhttps://aws.amazon.com/ec2/faqs/#spot-instances ctrl-f Will the price I’m charged for a running Spot instance change during its instance-hour as the Spot price changes
r3v3r3Does anyone know when EC2 is going to open in India?
r3v3r3They announced about a year ago that they'll be expanding to India sometime in 2016 , but I haven't heard anything since.
r3v3r3Curious if anyone had an inside scoop
Lloydif you’ve an account manager they’ll probably let you know the date under NDA
cochii doubt that. except if you're on a big enterprise that aws is interested in.
Suzumiyayeah; we have an NDA; they didn't give us a date, just planned features.
Suzumiyaand we aren't that big; just ask and see.
uictamalehey all, can route53 work in a private VPC?
imperalixuictamale: yes
gholmsIt sure can.
uictamaleand only return your internal private hostnames (and maybe a few white-listed domains like s3.amazonaws.com, repo.us-east-1.amazonaws.com, etc)
uictamaleOur use case is we're trying to make sure there is no external name resolution except to domains we control / allow
uictamalewhich means we want to turn off the VPC "dns resolution" feature and have no routes to the internet
uictamalewhy'd you both get so quiet all of a sudden :D
imperalixuictamale: you would probably want to run your own resolver then, if you want to do filtering of what records get returned
cochiyup, route53 can't do that. it'd resolve the internal + all external zoones
cochiinstead of maintaining you own resolver infrastructure, you could also use some UTM software like eg trendmicro to whitelist certain URLs. would be connected to a management server (eg SaaS offering) though
cochithat one'd also include a firewall tamperproofed from the instance OS level
uictamaleSo to be clear - route53 can blacklist domains but it can't work with a whitelist?
cochiblacklist? only by placing "overriding" entries i'd say. or it's a feature i don't know about
uictamaleyah by overriding
uictamale"google.com" => ""
cochithat's a hack. not a feature ;)
uictamalefair enough :)
uictamaleOK - time to ask a more direct question... we're trying to use EMR in private VPCs from a rather strictly-locked down internet network
uictamalewe're peered with the private VPC, so we can route to the internal IP addresses of the VMs (they don't get a public IP)
uictamaleMy question is - can I use a SOCKS proxy to give people access to the EMR applications WITHOUT publishing all those DNS names into the on-prem network?
uictamaleI think the answer probably lies in exactly how software like foxyproxy works - if my browser thinks it needs to send a request to ip-172-20-1-1.ec2.internal - does it try to resolve that first or does it just pass along the request to the proxy first
cochithat depends on the software and whether it has a proxy setting i'd say. not too much experience there though
jordanmis there no easy way via the ECS api to get a list of tasks for a task definition? the only way I see is doing list_tasks -> describe_task\ on all of them
cloudbudwhat are vpc endpoints
cochishortcut instances in private subnets -> s3, which is usually just accessible via public ip
dtxhey there guts
dtxhas anyone ever addressed the issue of having a more than 50-100 routes for a VPC?
cochithat seems a bit excessive
dtxMy scenario: I am working on getting a container cluster manager on AWS. the cluster manager gives an IP per container. These IPs are in a different network (Not VPC or aws Subnets).
dtxmy hosts are spread across AZs (i.e. different subnets), I want to enable the system so that any host/container knows how to get to any other container
cochiso some sort of overlay network?
cochiwell, aws wasnt designed to handle so many routes. that'll severely slow down everything and in the end hit a limit (50 routes per table soft, 100 hard).
cloudbudcochi : if i have a NAT gateways i need to have natgateway_ID in route table that points to target Internet_gateway_ID ??
dtxnow, an immediate option is propagating routes, letting my infrastructure know that if you want to go to Container IP-X then you need to go through EC2 IP-Y.
cochicloudbud: need a route to (everwhere) via nat gw
cloudbudcochi : ok so how nat will sent traffic to internegt ??
dtxI tried to leverage Route Tables for this, but they seem to have a limit.
cloudbudit uses igw to route traffic na
cochicloudbud: nat gw is in a public net, thus has direct connection via igw
cloudbudoh ok
cochi"public" and "private" are informal terms. does a subnet have a route table with to igw := "public". same to nat instance / nat gw := "private". no := "protected"
cloudbudcochi : one nAT gateway are limited to per AZ ??
cloudbudmeans one subnet can have one NAT ?
cochione nat gw per az is right. a subnet is in an az too. so you make one route table per "side" from subnet to nat gw
cochi(at least if you care about high availability)
cloudbudcochi : can a subnet iuse nat gw in other AZ for routing ?
cochiyes. but that will result in cross-az traffic charges. best practice is some "symmetric" setup
cloudbudcochi : what is symmteric setup1?
cochisame subnet structure on each az. eg 1 public subnet, 1 private subnet, 1 nat gw, routing table (private->nat gw)
cloudbudcochi : can i ping the nat gw from internet or any machine ?
cochii doubt icmp (=ping) is responded to
uictamalecochi: Played around with squid and it looks like I can do exactly what I'm looking for. Instead of an ssh tunnel we'll just run squid on the emr master and tell foxyproxy to connect to squid.
uictamaleso instead of browser => local ssh tunnel => remote ssh tunnel => local emr services it'll be browser => remote squid proxy => local emr services
cloudbudcochi: what is iptables IP masquerading
cloudbudwhat is disable source/destination checking in ec2 instance ?
thomasreggiI'm looking for a way to use AWS Certificate Manager cert with API Gateway?
thomasreggiThis seems so silly...
abfermHey guys, I have a VPN setup through one of my EC2 instances rather than AWS's VPN in preparation to interface with a 3rd party that does not support the AWS VPN. Is there a way I can advertise routes that need to traverse my VPN dynamically? I'd prefer BGP, as it is already running on my instances for them to advertise routes across the VPN.
unholycrabanyone figure out how to implement modify-id-format in boto? http://docs.aws.amazon.com/cli/latest/reference/ec2/modify-id-format.html
unholycrabim generating new credentials every time my script runs, so id need to run this every time
gholmsabferm: You can only advertise routes to EC2 with BGP when you're using their VPN gateways. You'll have to add them statically to the VPC's routing tables.
gholmsunholycrab: Can't you opt in at the account level?
imperalixgholms: "These settings apply to the IAM user who makes the request; they do not apply to the entire AWS account. If you’re logged in as the root user or as an IAM role that has permissions to use these actions, then these settings apply to the entire account, unless an IAM user logs in and explicitly overrides these settings for themselves. Resources created with longer IDs are visible to all IAM users, regardless of individual
imperalixsource: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/resource-ids.html
gholmsSounds like a yes, then! :D
unholycrabgholms: im not sure thats possible
gholmsWhat makes you say that?
user_corruptI've found a tutorial for installing laravel forge on AWS... my goal is to install my laravel site on AWS.. I don't know what forge is.. can I use this guide?
user_corruptoops, wrong channel
hobosteauxDoes anyone know a way (with the default amzn AMI) to configure the key id and secret so that aws cmd line items can be used in the user data?
hobosteaux* without putting the key id / etc in the user data
gholmsRun the instance with an instance profile.
gholmsThe metadata service will have STS credentials for a role that stuff like aws-cli pick up automatically.
hobosteauxawesome thanks gholms - the hardest part is trying to find the right keywords to seacrch for
gholmsYeah, no kidding.
user_corruptI've installed Ubuntu, created a user group set to my virtual server (SSH, HTTP, MySQL - all set to and successfully SSHd into my server.. installed apache and tried browsing via the provided URL, but server is "taking too long to respond"
user_corruptwhat might I be missing?
user_corruptthe security group that I have created does not appear to be associated with the ECS instance
user_corruptI mean within its own settings it does
user_corruptit's just not included in the instance description, and I've tried rebooting the instance
user_corruptok, I see that I need to do this BEFORE I create launch the instance
user_corruptwhat should the source of MySQL be set to?
user_corruptwhy is it that doing ls from ssh shows nothing in my instance?