Athennian Dev Life

Effectively Disable Auto-assigning IP on AWS EC2 instances with it enabled

Image courtesy of https://www.freeimageslive.co.uk/

Our team came across an interesting issue a little while back where we needed to make sure some critical servers did not get exposed to the wider internet. While we could tightly restrict the security groups, the situation demanded that under no circumstances should a public IP be present.

Sounds easy: just set the subnet where the servers live to not automatically assign a public IP. But here’s the catch: the subnet previously had IP auto-assignment enabled, and existing servers don’t pick up the change when the feature is disabled. In our case, stopping and starting the servers assigned a new public IP despite our having disabled auto-assignment of those pesky public IPs.

In other words, an instance created with inherited subnet rules to auto-assign public IPs on restart retains that public IP setting even after the subnet rules are later changed. If that instance needs to be denied public IPs, rule changes using the AWS tools won’t accomplish this.

What to do?

So let’s say you find yourself in a similar brownfield situation. You may consider taking the more deliberate route of creating a brand new server, which is certainly a suitable option. But if for whatever reason you can’t take a particular server down, or don’t want the associated risk, here is a quirky way to effectively disable public IP assignment without creating a new server:

1. Disable the ability for any new resources on your subnet to be assigned public IPs

Go to the AWS VPC service and select the subnet you wish to restrict, then click “Modify auto-assign IP settings” under the “Actions” drop-down. Ensure that the “Enable auto-assign public IPv4 address” option is not selected, then click “Save”.

Regardless of whether you use the next steps, this should be done to ensure nothing new gets a public IP address.

2. Create a no-ingress/no-egress security group

Remove all rules so the group permits no traffic in either direction. Make sure to assign it to the same VPC that the subnet is in!

3. Create a new network interface on the same subnet

Assign it to the same subnet and attach the security group made previously.

4. Assign the new network interface to the servers in question

From the “Actions” drop-down, navigate to the “Attach network interface” option.

5. Test shutting it off and restarting it to ensure no public IP has been assigned

If you inspect your instance, you will notice that it now has two private IPv4 addresses. This is expected.
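The same five steps driven from the AWS CLI, as an added example that is not part of the original post. It assumes AWS CLI v2 with credentials that can modify VPC and EC2 resources; the subnet, VPC and instance IDs are placeholders to be replaced with your own, and the `aws` calls only execute when `RUN_AWS=1` is set so the script can be read and its pure check function exercised without touching an account. One detail the console hides: a freshly created security group carries a default allow-all outbound rule, which the script revokes explicitly to get the “no rules at all” group step 2 asks for.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Drives the five steps above with the
# AWS CLI (v2). Resource IDs below are placeholders; aws calls run only with RUN_AWS=1.
set -eu

SUBNET_ID="${SUBNET_ID:-subnet-PLACEHOLDER}"
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
INSTANCE_ID="${INSTANCE_ID:-i-PLACEHOLDER}"

# Step 1: stop the subnet from handing a public IPv4 to anything launched in it.
disable_subnet_auto_assign() {
  aws ec2 modify-subnet-attribute --subnet-id "$SUBNET_ID" --no-map-public-ip-on-launch
}

# Step 2: a security group with no rules. A new group carries a default
# "allow all outbound" rule, so that rule has to be revoked explicitly.
create_deny_all_sg() {
  sg_id=$(aws ec2 create-security-group \
      --group-name "deny-all-secondary-eni" \
      --description "No ingress, no egress; used to suppress public IP assignment" \
      --vpc-id "$VPC_ID" --query 'GroupId' --output text)
  aws ec2 revoke-security-group-egress --group-id "$sg_id" \
      --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
  echo "$sg_id"
}

# Step 3: a secondary network interface on the same subnet, guarded by that group.
create_eni() {
  aws ec2 create-network-interface --subnet-id "$SUBNET_ID" --groups "$1" \
      --description "secondary ENI, no traffic allowed" \
      --query 'NetworkInterface.NetworkInterfaceId' --output text
}

# Step 4: attach it at device index 1 (index 0 is the instance's primary interface).
attach_eni() {
  aws ec2 attach-network-interface --network-interface-id "$1" \
      --instance-id "$INSTANCE_ID" --device-index 1
}

# Step 5: stop/start, then read back the public address field.
# With --output text the CLI prints "None" when the field is absent.
restart_and_read_public_ip() {
  aws ec2 stop-instances --instance-ids "$INSTANCE_ID" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$INSTANCE_ID"
  aws ec2 start-instances --instance-ids "$INSTANCE_ID" >/dev/null
  aws ec2 wait instance-running --instance-ids "$INSTANCE_ID"
  aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
      --query 'Reservations[0].Instances[0].PublicIpAddress' --output text
}

# Pure check, kept separate so it can be exercised without AWS access:
# returns 0 (true) only if the text the CLI returned looks like an address.
instance_has_public_ip() {
  case "${1:-}" in
    ""|None) return 1 ;;
    *)       return 0 ;;
  esac
}

main() {
  disable_subnet_auto_assign
  sg_id=$(create_deny_all_sg)
  eni_id=$(create_eni "$sg_id")
  attach_eni "$eni_id"
  ip=$(restart_and_read_public_ip)
  if instance_has_public_ip "$ip"; then
    echo "FAIL: $INSTANCE_ID still has public IP $ip" >&2
    exit 1
  fi
  echo "OK: $INSTANCE_ID came back with no public IPv4 address"
}

if [ "${RUN_AWS:-0}" = "1" ]; then
  main
fi
```

Run it as `RUN_AWS=1 SUBNET_ID=... VPC_ID=... INSTANCE_ID=... ./no-public-ip.sh`. The final check reads the `PublicIpAddress` field after the restart, which is the same thing step 5 has you confirm by hand in the console; if the instance has an Elastic IP associated, that address is a separate allocation and this procedure does not remove it.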

We found this trick a particularly useful time saver compared to creating an image and waiting for it to become available. It is also far less risky, since it does not require a potential outage or maintenance window to implement. Hope you found this useful.

If you found this valuable, please give the Athennian Dev Life blog a follow, where I’ll be continuing to post more tech goodness, and keep an eye on our careers page for more updates. Thanks for reading!

Shane Fast

Co-founder of Athennian @athennian. Always interested in hearing from entrepreneurs, colleagues, and self-driven people.