Effectively Disable Auto-assigned Public IPs on AWS EC2 Instances That Already Have It Enabled

Shane Fast
Published in BACIC
3 min read, Nov 24, 2021
Image courtesy of https://www.freeimageslive.co.uk/

Our team encountered an interesting issue a little while back where we needed to make sure some critical servers were not exposed to the wider internet. We could have tightened the security groups considerably, but the requirement was stricter than that: under no circumstances could these servers have a public IP at all.

Sounds easy: just turn off automatic public IP assignment on the subnet. But here’s the catch. The subnet previously had auto-assignment enabled, and servers that already exist do not pick up the change when you disable it.

In our case, stopping and starting the servers gave them a new public IP even though we had already disabled auto-assignment of those pesky public IPs on the subnet.

In other words, the auto-assign decision is made once, at launch, from the subnet setting in force at that time, and it stays with the instance’s primary network interface from then on. Changing the subnet attribute later only affects new launches; an existing instance keeps releasing its public IP on stop and receiving a fresh one on start. If such an instance must be denied a public IP, there is no subnet or instance setting in the AWS tools that will accomplish this.

What to do?

So let’s say you find yourself in a similar brownfield situation. You may consider taking a more deliberate route and creating a brand new server (which is certainly a suitable option).

Though if, for whatever reason, you can’t take a particular server down or don’t want the associated risk, here is a quirky way you could effectively disable public IP assignment without creating a new server:

1. Disable auto-assignment of public IPs for any new resources on your subnet

Go to the AWS VPC service, select the subnet you wish to restrict, then choose “Modify auto-assign IP settings” from the “Actions” drop-down. Make sure “Enable auto-assign public IPv4 address” is not selected, then click “Save”.

Regardless of whether you use the next steps, this should be done to ensure nothing new gets a public IP address.

2. Create a no-ingress/no-egress security group

Remove all rules so that the group permits no traffic in either direction. A newly created security group has no inbound rules, but AWS gives it a default outbound rule allowing all traffic, so delete that outbound rule explicitly. Make sure the group is created in the same VPC as the subnet!

3. Create a new network interface on the same subnet

Select the same subnet the instance lives in and attach the security group created in the previous step. The interface needs no public IP, Elastic IP or extra private addresses; it only has to exist as a second interface on the instance.

4. Attach the new network interface to the servers in question

Select the instance, then from the “Actions” drop-down go to “Networking” and choose “Attach network interface”, and pick the interface created in step 3. Each instance needs its own interface, since a network interface can be attached to only one instance at a time, and the instance type must have room for a second interface within its per-type network interface limit.

5. Stop and start the instance to confirm that no public IP has been assigned

After the restart, inspect the instance: it should show no public IPv4 address, and it will now list two private IPv4 addresses, one per interface. This is expected. The trick works because AWS does not auto-assign a public IPv4 address to an instance that has more than one network interface attached, whatever its primary interface was set to at launch. Note that this does nothing to stop someone from associating an Elastic IP with the instance later; guard that with IAM if it matters to you.
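As an added example (not part of the original post and not the author’s own tooling), the script below carries out steps 1 through 4 with the AWS CLI and then performs the check from step 5 by reading the output of `aws ec2 describe-instances`. The function names, the embedded sample response and the names given to the created resources are assumptions for illustration. The apply path needs the `aws` binary and credentials; the audit path runs offline against the embedded constructed sample when no instance IDs are given.

```python
"""Added example: apply and audit the second-ENI public IP lockdown described above.

Standard library only. `apply_lockdown` shells out to the AWS CLI (needs the `aws`
binary and credentials). The audit functions parse the document that
`aws ec2 describe-instances --output json` prints; with no instance IDs on the command
line the script audits an embedded constructed sample, so it runs offline.
"""
import json
import subprocess
import sys

# The default outbound rule AWS adds to every new security group; it must be revoked.
ALLOW_ALL_EGRESS = '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'

# Constructed sample, not real AWS output: one instance still exposed, one that has the
# rule-less second ENI attached and has been stopped and started since.
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0exposed00000000", "PublicIpAddress": "203.0.113.10",
     "NetworkInterfaces": [
         {"NetworkInterfaceId": "eni-primary1", "Attachment": {"DeviceIndex": 0},
          "Association": {"PublicIp": "203.0.113.10"}, "Groups": [{"GroupId": "sg-app"}]}]},
    {"InstanceId": "i-0locked000000000",
     "NetworkInterfaces": [
         {"NetworkInterfaceId": "eni-primary2", "Attachment": {"DeviceIndex": 0},
          "Groups": [{"GroupId": "sg-app"}]},
         {"NetworkInterfaceId": "eni-blocker2", "Attachment": {"DeviceIndex": 1},
          "Groups": [{"GroupId": "sg-deny-all"}]}]},
]}]}


def aws(*args):
    """Run one AWS CLI command; return its parsed JSON output, or None if it printed nothing."""
    proc = subprocess.run(["aws", *args, "--output", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def audit_instance(instance):
    """Return a finding for one instance record from describe-instances.

    'locked_down' means no interface currently carries a public IPv4 address and the
    instance has more than one ENI, which is the condition under which AWS does not
    auto-assign a public IPv4 address on the next start.
    """
    enis = instance.get("NetworkInterfaces", [])
    public_ips = {e["Association"]["PublicIp"] for e in enis
                  if "PublicIp" in e.get("Association", {})}
    if instance.get("PublicIpAddress"):
        public_ips.add(instance["PublicIpAddress"])
    secondary_sgs = sorted(g["GroupId"] for e in enis
                           if e.get("Attachment", {}).get("DeviceIndex", 0) != 0
                           for g in e.get("Groups", []))
    return {"instance_id": instance["InstanceId"],
            "eni_count": len(enis),
            "public_ips": sorted(public_ips),
            "secondary_eni_security_groups": secondary_sgs,
            "locked_down": not public_ips and len(enis) > 1}


def audit_describe_instances(doc):
    """Findings for every instance in a parsed describe-instances document."""
    return [audit_instance(i) for r in doc.get("Reservations", [])
            for i in r.get("Instances", [])]


def apply_lockdown(instance_id, subnet_id, vpc_id):
    """Steps 1 to 4 of the post via the CLI. Returns the ID of the attached blocking ENI."""
    # 1. Nothing launched into this subnet from now on gets a public IP.
    aws("ec2", "modify-subnet-attribute", "--subnet-id", subnet_id,
        "--no-map-public-ip-on-launch")
    # 2. Security group with no ingress and, after the revoke, no egress either.
    sg_id = aws("ec2", "create-security-group", "--vpc-id", vpc_id,
                "--group-name", f"deny-all-{instance_id}",
                "--description", "No ingress or egress; blocks auto-assigned public IPv4")["GroupId"]
    aws("ec2", "revoke-security-group-egress", "--group-id", sg_id,
        "--ip-permissions", ALLOW_ALL_EGRESS)
    # 3. Second ENI in the same subnet, carrying only the deny-all group.
    eni_id = aws("ec2", "create-network-interface", "--subnet-id", subnet_id,
                 "--groups", sg_id, "--description",
                 "Blocks auto-assigned public IPv4")["NetworkInterface"]["NetworkInterfaceId"]
    # 4. Attach it as the instance's second interface; step 5 (stop/start) is left to you.
    aws("ec2", "attach-network-interface", "--network-interface-id", eni_id,
        "--instance-id", instance_id, "--device-index", "1")
    return eni_id


def main(argv):
    # Usage: script.py apply <instance-id> <subnet-id> <vpc-id>
    #        script.py [instance-id ...]   (no IDs: audit the embedded sample offline)
    if len(argv) == 5 and argv[1] == "apply":
        print("attached", apply_lockdown(argv[2], argv[3], argv[4]))
        return 0
    doc = (aws("ec2", "describe-instances", "--instance-ids", *argv[1:])
           if len(argv) > 1 else SAMPLE_DESCRIBE_INSTANCES)
    findings = audit_describe_instances(doc)
    for f in findings:
        print(f["instance_id"], "locked down" if f["locked_down"] else "NOT locked down",
              "enis:", f["eni_count"], "public:", f["public_ips"] or "none",
              "secondary ENI groups:", f["secondary_eni_security_groups"] or "none")
    return 0 if all(f["locked_down"] for f in findings) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The audit marks an instance as locked down only when it currently has no public IPv4 address and carries two or more interfaces; an instance with a single interface and no public IP is still reported as not locked down, because its launch-time setting may hand it a public IP on the next start. The audit does not inspect the rules of the group on the secondary interface, so confirm those separately with `aws ec2 describe-security-groups`.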

We found this trick a particularly useful time saver compared to creating an image and waiting for it to become available, not to mention far less risky, since it does not require a potential outage or maintenance window to implement. Hope you found this useful.

If you found this valuable, please follow the blog, where I’ll continue to post more tech goodness. Thanks for reading!
