Effectively Disable Auto-assigned Public IPs on AWS EC2 Instances That Already Have Them Enabled
Our team came across an interesting issue a little while back where we needed to make sure some critical servers did not get exposed to the wider internet. While we could seriously limit the security groups, the situation demanded that under no circumstances should a public IP be present.
Sounds easy: just set the subnet where the servers live to stop auto-assigning public IPs (the subnet's "auto-assign public IPv4 address" attribute, MapPublicIpOnLaunch). But here's the catch: the subnet previously had auto-assignment enabled, and instances that are already running don't pick up the change. In our case, stopping and starting the servers handed them a brand new public IP even though auto-assignment had been disabled on the subnet.
In other words, whether an instance gets an auto-assigned public IP is decided once, at launch, from the subnet setting in force at that moment (or a launch-time override). The instance then keeps that behaviour for its whole life: every stop/start releases the old address and assigns a fresh one, and flipping the subnet attribute later only affects instances launched afterwards. There is no AWS API call that turns auto-assignment off for an existing instance, so subnet or instance attribute changes alone won't get you there.
So let's say you find yourself in a similar brownfield situation. You could take the deliberate route and build a brand new server from an image, which is certainly a valid option. But if for whatever reason you can't rebuild a particular server, or don't want the associated risk, here is a quirky way to effectively disable public IP assignment without creating a new server:
1. Disable auto-assignment of public IPs on the subnet, so that nothing newly launched into it gets a public IP.
   Regardless of whether you use the next steps, this should be done to ensure nothing new gets a public IP address.
2. Create a security group with no ingress and no egress rules. Note that AWS seeds every new security group with an allow-all outbound rule, so remove that rule explicitly; an empty inbound list is not enough.
3. Create a new network interface (ENI) in the same subnet as the server, attached to that security group.
4. Attach the new network interface to the server in question as a secondary interface (device index 1; index 0 is the primary interface). This is what does the work: EC2 will not give an instance a new auto-assigned public IP when more than one network interface is attached to it. The current public IP is not removed by the attachment itself; it goes away the next time it is released.
5. Stop and start the server: the stop releases the existing auto-assigned address, and after the start the instance should come back with no public IP. Verify this in the console or with describe-instances before calling it done.
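The five steps above, scripted end to end with boto3. This is an added example, not tooling from the original post: the security group name, the ENI description and the constructed `SAMPLE_INSTANCE` record are assumptions for illustration, and the helpers take the EC2 client as a parameter so they can be exercised without touching an account. The final check lists every public IPv4 on the instance, including Elastic IPs, so a non-empty result after the stop/start means either an EIP is associated or the trick did not take.

```python
"""Disable auto-assigned public IPv4 on an existing EC2 instance by
attaching a second, rules-free ENI. Hypothetical boto3 helper, not the
blog author's tooling."""
import sys

# Assumed name for the rules-free security group.
NO_TRAFFIC_SG_NAME = "no-ingress-no-egress"

# Constructed sample of a describe_instances record for an instance that
# still carries an auto-assigned public IP on its primary interface.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "SubnetId": "subnet-0123456789abcdef0",
    "VpcId": "vpc-0123456789abcdef0",
    "PublicIpAddress": "203.0.113.10",
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0123456789abcdef0",
         "Attachment": {"DeviceIndex": 0},
         "Association": {"PublicIp": "203.0.113.10", "IpOwnerId": "amazon"}},
    ],
}


def describe_instance(ec2, instance_id):
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    return resp["Reservations"][0]["Instances"][0]


def public_ips_of(instance):
    """Every public IPv4 on the instance: the instance-level field plus each
    ENI's association, so Elastic IPs are reported as well."""
    ips = set()
    if instance.get("PublicIpAddress"):
        ips.add(instance["PublicIpAddress"])
    for eni in instance.get("NetworkInterfaces", []):
        public_ip = (eni.get("Association") or {}).get("PublicIp")
        if public_ip:
            ips.add(public_ip)
    return sorted(ips)


def disable_subnet_auto_assign(ec2, subnet_id):
    """Step 1. Returns the attribute as read back (should be False)."""
    ec2.modify_subnet_attribute(SubnetId=subnet_id,
                                MapPublicIpOnLaunch={"Value": False})
    subnet = ec2.describe_subnets(SubnetIds=[subnet_id])["Subnets"][0]
    return subnet["MapPublicIpOnLaunch"]


def create_no_traffic_sg(ec2, vpc_id, name=NO_TRAFFIC_SG_NAME):
    """Step 2. A new group has no ingress rules, but AWS seeds it with an
    allow-all egress rule, so every egress rule is looked up and revoked."""
    sg_id = ec2.create_security_group(
        GroupName=name, VpcId=vpc_id,
        Description="no ingress, no egress: blocks auto-assigned public IPs")["GroupId"]
    rules = ec2.describe_security_group_rules(
        Filters=[{"Name": "group-id", "Values": [sg_id]}])["SecurityGroupRules"]
    egress_ids = [r["SecurityGroupRuleId"] for r in rules if r["IsEgress"]]
    if egress_ids:
        ec2.revoke_security_group_egress(GroupId=sg_id,
                                         SecurityGroupRuleIds=egress_ids)
    return sg_id


def attach_blocking_eni(ec2, instance, sg_id):
    """Steps 3 and 4: a second ENI in the instance's own subnet at device
    index 1. With more than one ENI attached, EC2 will not assign a new
    public IP once the current one is released."""
    eni_id = ec2.create_network_interface(
        SubnetId=instance["SubnetId"], Groups=[sg_id],
        Description="blocks auto-assigned public IP")["NetworkInterface"]["NetworkInterfaceId"]
    attachment = ec2.attach_network_interface(
        NetworkInterfaceId=eni_id, InstanceId=instance["InstanceId"], DeviceIndex=1)
    # Tie the ENI's lifetime to the instance so it is not left behind.
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId=eni_id,
        Attachment={"AttachmentId": attachment["AttachmentId"], "DeleteOnTermination": True})
    return eni_id


def stop_start_and_check(ec2, instance_id):
    """Step 5: only a stop releases the auto-assigned address, so stop/start
    is the real test. Returns the public IPs still present afterwards."""
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    ec2.start_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_running").wait(InstanceIds=[instance_id])
    return public_ips_of(describe_instance(ec2, instance_id))


def main(instance_id):
    import boto3  # imported here so the helpers stay importable without boto3
    ec2 = boto3.client("ec2")
    instance = describe_instance(ec2, instance_id)
    print("before:", public_ips_of(instance) or "no public IP")
    if disable_subnet_auto_assign(ec2, instance["SubnetId"]) is not False:
        sys.exit("subnet still auto-assigns public IPs; aborting")
    if len(instance["NetworkInterfaces"]) > 1:
        print("instance already has a second ENI; skipping attach")
    else:
        attach_blocking_eni(ec2, instance, create_no_traffic_sg(ec2, instance["VpcId"]))
    left = stop_start_and_check(ec2, instance_id)
    # Anything listed here is an Elastic IP, or a sign the trick did not take.
    print("after stop/start:", left or "no public IP")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <instance-id>")
    main(sys.argv[1])
```

Run it as `python disable_public_ip.py i-0123456789abcdef0` with credentials that can modify subnets, security groups and network interfaces in that VPC. The second ENI appears inside the guest as an extra interface; with no security group rules it can't pass traffic, but confirm the OS has not added a default route through it. If the instance needs to stay reachable by a fixed address, associate an Elastic IP with the primary interface instead; the check at the end will then report that EIP and nothing else.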
We found this trick a particularly useful time saver compared to creating an image and waiting for it to become available. It is also far less risky than rebuilding the server: the only interruption is the short stop/start in the last step, which you would need anyway to release the current public IP. Hope you found this useful.
If you found this valuable, please give the Athennian Dev Life blog a follow, where I'll be continuing to post more tech goodness, and keep an eye on our careers page for more updates. Thanks for reading!