docker-archive / for-aws


Cloudformation template doesn't work with supplied VPC/subnets #27

Open composer22 opened 7 years ago

composer22 commented 7 years ago

The CloudFormation script that is supposed to recognize a user's VPC and subnets is not designed correctly to pick up the IP ranges within that VPC and those subnets.

see https://docs.docker.com/docker-for-aws/

and under . . .

Deploy Docker Community Edition (CE) for AWS (edge)

The Enterprise template does the same thing.

Both these templates are supposed to use your existing VPC and subnets hence those IP ranges.

this . . .

https://editions-us-east-1.s3.amazonaws.com/aws/edge/Docker-no-vpc.tmpl

config is hardcoded on line 371 as:

    "VpcCidrs": {
        "pubsubnet1": {
            "cidr": "172.31.0.0/20"
        },
        "pubsubnet2": {
            "cidr": "172.31.16.0/20"
        },
        "pubsubnet3": {
            "cidr": "172.31.32.0/20"
        },
        "pubsubnet4": {
            "cidr": "172.31.48.0/20"
        },
        "vpc": {
            "cidr": "172.31.0.0/16"
        }
    }

yet prompts for vpc and subnets.

This needs to either pick up the CIDR ranges from the subnets or allow the user to edit these variables to match. If not, the CloudFormation run will FAIL because it utilizes these constants.

Also, more importantly, none of this allows for private subnets. It should allow managers, workers, or both to be hidden in separate private subnets and optionally expose services via a typical public/private proxy layer:

public elb => public proxy nodes == | ==> private elb => private cluster nodes

thanks.

kencochrane commented 7 years ago

I think this may be a duplicate of #17

composer22 commented 7 years ago

I don't think so. This is a fresh install over a pre-defined VPC, not an upgrade over something already generated through this script.

I also received NO error messages. It just fails.

kencochrane commented 7 years ago

@composer22 sorry, I linked to the wrong issue. I meant to link to https://github.com/docker/for-aws/issues/18

composer22 commented 7 years ago

Thanks. This appeared closer if not the same.

Still need to have this locked down under a private subnets/ no public IP. any recommendations?

public elb => public proxy nodes == | ==> private elb => private cluster nodes

or

public elb == | ==> private cluster nodes

kencochrane commented 7 years ago

@composer22 ok, because you are providing the subnets (since it is a bring-your-own-VPC setup), those should be set up the way you want.

You basically just need a way to remove the public IPs from the nodes?

If you download the latest version (https://download.docker.com/aws/edge/Docker-no-vpc.tmpl), and search for "AssociatePublicIpAddress" and edit the "AssociatePublicIpAddress" value so it is false, I think that will get you what you need for now.
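Two checks a practitioner would want before launching the no-VPC template with their own VPC, written up here as an added example (not code from docker/for-aws and not the template itself): compare the hardcoded VpcCidrs mapping quoted above against the VPC and subnet CIDRs you are about to pass as parameters, and apply the AssociatePublicIpAddress edit suggested in this comment to every LaunchConfiguration rather than by hand. The template excerpt embedded below is a constructed stand-in with the same mapping and two made-up launch configurations; the resource names and AMI ID are assumptions for the demo.

```python
"""Validate a Docker-for-AWS style "no-vpc" CloudFormation template against
the VPC/subnets you intend to supply, and turn off public IP association.

Added example, not part of the docker/for-aws templates. TEMPLATE_JSON is a
constructed minimal template: the VpcCidrs mapping matches the one quoted in
the issue, the LaunchConfiguration resources and AMI ID are made up.
"""
import copy
import ipaddress
import json

TEMPLATE_JSON = r'''
{
  "Mappings": {
    "VpcCidrs": {
      "pubsubnet1": {"cidr": "172.31.0.0/20"},
      "pubsubnet2": {"cidr": "172.31.16.0/20"},
      "pubsubnet3": {"cidr": "172.31.32.0/20"},
      "pubsubnet4": {"cidr": "172.31.48.0/20"},
      "vpc": {"cidr": "172.31.0.0/16"}
    }
  },
  "Resources": {
    "ManagerLaunchConfig": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {"AssociatePublicIpAddress": true, "ImageId": "ami-00000000"}
    },
    "NodeLaunchConfig": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {"AssociatePublicIpAddress": "true", "ImageId": "ami-00000000"}
    }
  }
}
'''


def load_template(text=TEMPLATE_JSON):
    """Parse the JSON template text (use open(path).read() for a real file)."""
    return json.loads(text)


def cidr_mismatches(template, vpc_cidr, subnet_cidrs):
    """Return human-readable problems: mapping entries that do not match the
    VPC/subnets the operator is about to pass as parameters. Empty list = OK."""
    mapping = template["Mappings"]["VpcCidrs"]
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    hard_vpc = ipaddress.ip_network(mapping["vpc"]["cidr"])
    if hard_vpc != vpc:
        problems.append(f"vpc: template hardcodes {hard_vpc}, supplied VPC is {vpc}")
    hard_subnets = [ipaddress.ip_network(v["cidr"]) for k, v in mapping.items() if k != "vpc"]
    for cidr in subnet_cidrs:
        s = ipaddress.ip_network(cidr)
        if not s.subnet_of(vpc):
            problems.append(f"{s} is not inside supplied VPC {vpc}")
        if s not in hard_subnets:
            problems.append(f"{s} has no matching entry in the template's VpcCidrs mapping")
    return problems


def disable_public_ips(template):
    """Return a copy of the template with AssociatePublicIpAddress set to false
    on every LaunchConfiguration, plus the names of the resources changed.
    Both the JSON boolean and the string "true" are handled."""
    out = copy.deepcopy(template)
    changed = []
    for name, res in out["Resources"].items():
        if res.get("Type") != "AWS::AutoScaling::LaunchConfiguration":
            continue
        props = res.setdefault("Properties", {})
        if props.get("AssociatePublicIpAddress") in (True, "true"):
            props["AssociatePublicIpAddress"] = False
            changed.append(name)
    return out, changed


if __name__ == "__main__":
    tmpl = load_template()
    # Constructed operator input: a VPC that does not match the hardcoded mapping.
    for problem in cidr_mismatches(tmpl, "10.0.0.0/16", ["10.0.1.0/24"]):
        print("MISMATCH:", problem)
    patched, changed = disable_public_ips(tmpl)
    print("public IPs disabled on:", ", ".join(changed))
    print(json.dumps(patched["Resources"], indent=2))
```

Run it against the downloaded template by replacing `TEMPLATE_JSON` with the file contents; a non-empty mismatch list is the condition under which the stack silently fails, as described earlier in the thread. Note that disabling public IPs alone does not make a subnet private: nodes in a subnet whose default route is an Internet Gateway but without a public IP simply lose outbound access (image pulls included) unless a NAT route exists.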

netflash commented 7 years ago

Public subnets differ from private ones in AWS not only by having public IPs, but also by different route tables: via an Internet Gateway and/or NAT Gateways.

I have some improvements for the public/private approach. Do you guys accept pull requests? TBH my CF template will work only in the public/private way, but it might help you to make it better.
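Since the route table, not the public IP flag, is what makes a subnet public or private, here is an added example (not from docker/for-aws or from the commenter) that classifies the subnets you plan to hand to the template by their default route. The route-table data is constructed in the shape of an EC2 describe-route-tables response; the VPC, subnet, gateway and route-table IDs are made up. With boto3 the same functions work unchanged on `ec2.describe_route_tables()["RouteTables"]`.

```python
"""Classify subnets as public / private / isolated from their route tables.

Added example, not part of the docker/for-aws project. ROUTE_TABLES is
constructed to mirror an EC2 describe-route-tables response; every ID in it
is made up. Rule used: a subnet uses its explicitly associated route table,
otherwise the VPC's main table; its default route (0.0.0.0/0) decides the
class: Internet Gateway -> public, NAT gateway/instance/ENI -> private,
no default route -> isolated.
"""

ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "VpcId": "vpc-0000",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "VpcId": "vpc-0000",
        "Associations": [{"Main": False, "RouteTableId": "rtb-private", "SubnetId": "subnet-priv1"}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-isolated",
        "VpcId": "vpc-0000",
        "Associations": [{"Main": False, "RouteTableId": "rtb-isolated", "SubnetId": "subnet-iso1"}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
]


def route_table_for(route_tables, subnet_id):
    """Explicit subnet association wins; fall back to the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_tables, subnet_id):
    """Return "public", "private", "isolated" or "unknown" for one subnet."""
    rt = route_table_for(route_tables, subnet_id)
    if rt is None:
        return "unknown"
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # blackholed routes do not count
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public"
        if route.get("NatGatewayId") or route.get("InstanceId") or route.get("NetworkInterfaceId"):
            return "private"
    return "isolated"


def classify_subnets(route_tables, subnet_ids):
    """Map each subnet ID to its class; run this on the subnets you will pass
    to the template so managers/workers land where you expect."""
    return {sid: classify_subnet(route_tables, sid) for sid in subnet_ids}


if __name__ == "__main__":
    # subnet-pub1 has no explicit association, so it inherits the main (IGW) table.
    for sid, kind in classify_subnets(ROUTE_TABLES, ["subnet-pub1", "subnet-priv1", "subnet-iso1"]).items():
        print(f"{sid}: {kind}")
```

An "isolated" result is the case to watch for when combining a private placement with the AssociatePublicIpAddress edit: the swarm nodes would have no path to pull images or reach other AWS endpoints unless VPC endpoints or a NAT route are added.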

kencochrane commented 7 years ago

@netflash

Public subnets differ from private ones in AWS not only by having public IPs, but also by different route tables: via an Internet Gateway and/or NAT Gateways.

Yes, you are correct. When you are using the "bring your own VPC" template, you are responsible for setting that up yourself, and you can set it up however you want.

I have some improvements for the public/private approach. Do you guys accept pull requests? TBH my CF template will work only in the public/private way, but it might help you to make it better.

We currently do not accept pull requests, but feel free to open an issue and post your suggestions, and we will take them into consideration when building the next version.