About Amazon VPC on Engine Yard

This document provides info about VPC on Engine Yard. Amazon Virtual Private Cloud (VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual private network, which, by being logically isolated from other such networks provides greater security and functionality when compared to EC2-Classic.

VPC is required for most recent AWS offerings, including:

This document describes:

Default VPC vs Custom VPC

Any Engine Yard account created since the beginning of 2014 will have a Default VPC in each of the AWS Regions of the backing AWS account. Similarly any accounts dating from before 2014 will have Default VPCs in Regions launched since 2014 (for example London), whilst still utilising EC2-Classic in older Regions.

  • A Default VPC is a VPC created by Amazon automatically (one per Region) on account/region creation, and utilised by the Engine Yard Platform by default, thus requiring little-to-no work by the customer to use.
    • To tell if a Region is Default VPC please check the AWS Usage table on the Account -> Account Settings page. VPC Enabled stating Yes means that there is a Default VPC in the Region.
    • It should be noted that all Default VPCs have the same CIDR and as such you cannot peer two Default VPCs, so in the case of needing to peer two regions under the same account, two different EY accounts, or an external AWS account, a Custom VPC would be needed on at least one end.
  • A Custom VPC is a VPC created specifically by the customer. In most cases this is useful if the region is EC2-Classic and features limited to VPC are required. It has the same functionality as a Default VPC, but allows the definition of the CIDR of the VPC, thus avoiding clashes with Default VPCs. You can also create multiple Custom VPCs per account/region should you require the additional security of having your EY Environments separated from each other at the network level rather than just by AWS Security Groups.

History lesson: Whilst Engine Yard have supported Default VPCs since 2014, we only introduced support for Custom VPCs in 2017. Traditionally VPC and EC2-Classic supported the same features, but as new VPC-only features have been introduced it has been required that the EY Platform be able to distinguish between Default VPC and EC2-Classic Accounts/Regions. This has been achieved via the introduction of Networks.

Networks

Within the Engine Yard Platform we refer to VPCs as Networks, and in general usage the two terms are interchangeable. You can view all available Networks/VPCs on the Tools -> Networks page. Default VPCs will be named Default network, whilst Custom VPCs will show the name given on creation. 

Caveat: There may be cases where a Default VPC has not been imported as a Network. If you see a region as Default-VPC on the Account -> Account Settings page, but the VPC does not show on the Networks page, please contact Support.

Creating a Network

New Networks can be created in either Default-VPC or EC2-Classic Accounts/Regions.

To create a new Network:

  • Navigate to the Tools -> Networks page.
  • Ensure the Account is correct in the breadcrumb trail if your EY User has access to more than one Account.
  • Click the Add Network button.
  • Give the network a use-related name.
  • Select the required location/region (matching this to any existing Environment's Region if you plan to attach the Network to said Environment).
  • Leave Tenancy as Default unless you always provision dedicated instances.
  • Enter a CIDR, ensuring this is does not clash with the CIDR of any other VPCs or VPNs that may wish to link to in future. If you are unsure just accept the default.
  • Enable ClassicLink if you intend to use this Network with an existing Environment running under EC2-Classic. Such an environment would be a running environment, which has no Network: stated below Firewall: on the environment page, and be running in a region marked as "VPC Enabled - No" on the Account -> Account Settings page.

Viewing Networks

To view existing Networks and their usage:

  • Navigate to the Tools -> Networks page.
  • Click on the AWS Name.
  • This page will show you the Subnets of the Network, along with any Environments that are attached to it.

Deleting Networks

Note: You cannot delete Default networks, only Custom networks (and then only those which are not attached to any Environments).

To delete a Network:

  • Navigate to the Tools -> Networks page.
  • Click on the AWS Name.
  • Click the Delete button.

Environments and Networks

As per the History Lesson above, since 2014 AWS accounts have been provisioned with Default VPCs, so the majority of customers have Default VPCs in some or all of their AWS Regions. However, as we only introduced Networks in 2017 there are many Environments that are running under Default VPC, but do not have a Network associated with them, so the platform cannot distinguish if the Environment is Default VPC or EC2-Classic, resulting in some features, such as ALBs, not being available. To resolve this the Environment must have a Network associated with it.

Associating Environments with Networks

Each Environment now has a Network option that is set or set-able. If an existing Environment has a Network associated with it this will be displayed as Network: beneath Firewall:, found between the Alerts and Instances sections on the Environment page of the Dashboard.

To associate a new Environment with a Network:

  • Select the required Network from the Networks dropdown when selecting the Environment settings on the Create New Environment page.

To associate an existing Environment with a Network:

  • Use the Edit Environment page and select the required Network from the Networks dropdown, then click Update Environment.

Caveat: Amazon do not allow the change of VPC for existing resources, so VPC-based resources must be associated with the correct VPC at the time of creation. This leads to the following cases for associating Networks with already running Environments:

  • Associating an existing Environment running under E2-Classic at AWS (by way of the Region not having a Default VPC) with a Custom Network/VPC in EY:
    • Possible.
    • ClassicLink must have been enabled for the new Network.
    • Existing instances will be ClassicLinked to the new VPC, so as to be able to talk to VPC provisioned resources.
    • All new resources (instances/xLBs) will be provisioned into the VPC - EC2-Classic will no longer be useable for new resources.
    • A new Security Group will be created in the VPC - if you had custom rules on your previous Security Group please ask Support to replicate these.
    • Existing EC2-Classic ELBs will be able to communicate with the existing EC2-Classic instances, but not any new VPC instances. For this reason you must create a new VPC provisioned ELB and repoint DNS to it, which will be able to communicate with both new VPC and old EC2-Classic ClassicLinked instances.
    • We also recommend replacing the old EC2-Classic instances with native VPC instances as soon as practical to avoid dependency on ClassicLinking. For example, EY's ALB implementation does not allow routing of traffic to ClassicLinked instances.
  • Associating an existing Environment running under Default VPC at AWS (but that has no Network set in the EY Dashboard) with the Default Network/VPC in EY:
    • Possible.
    • If the Environment is already associated with the Default VPC at AWS then the Edit Environment Networks dropdown will only display the Default Network.
    • If you see no Networks available, check that the Default Network for the Region is shown on the Tools -> Networks page. If not, contact Support.
    • Select the Network and click Update Environment.
    • This process makes no changes at AWS (as the resources already run under the VPC), it just updates the EY Platform records to associate the resources with the Network.
  • Associating an existing Environment running under Default VPC at AWS (but that has no Network set in the EY Dashboard) with a Custom Network/VPC in EY:
    • Not possible.
    • As above, the VPC for running resources cannot be changed, so no Network other than the Default will be offered.
  • Associating an existing Environment running under Default or Custom VPC at AWS (and that has that Network set in the EY Dashboard) with a different Custom Network/VPC in EY:
    • Not possible.
    • As above, the VPC for running resources cannot be changed, so the Networks dropdown will be greyed out.
    • If you require to change the VPC of an Environment you will need to either Stop the Environment, or Clone or Copy it.
  • Note: Due to the no-VPC-change rule, you cannot use the same xLB if you change the VPC of an Environment. You must create a new ELB or ALB under the new VPC.

 

 

 


If you have feedback or questions about this page, add a comment below. If you need help, submit a ticket with Engine Yard Support.

Comments

Article is closed for comments.