I have a UserData script (in Python) in an AWS Launch Configuration that's associated with an AutoScale group. When new (Ubuntu) instances are spun up, this script is run on them to do whatever setup is needed.
Until now, I had the security groups configured more loosely. Outbound traffic to anywhere on the internet was allowed from these instances. The UserData script was working fine. But I just shut down that outbound rule to increase security. Now that UserData script randomly won't execute at all, or sometimes when it does execute, it fails. I can see this by examining the /var/log/cloud-init-output.log file. Has anyone seen this behavior? Any suggested solutions?
When the script fails, I can tell that it is failing on certain Boto calls that do network discovery, such as boto.vpc.VPCConnection().get_all_vpcs(). It seems reasonable that this would fail if the outbound traffic rules prevent it from querying for this information. But what CIDR and port should I add to the security group rules that will allow Boto to do its thing?
Below is what my Security Group's Egress rules look like when it doesn't work. The IP addresses are sensitive so I have blacked them out.
Below is what my Security Group's Egress rules look like when it works. As you can see I have allowed it to be open to the entire world. I feel like that's insecure. I want to lock it down.
You can see the /var/log/cloud-init-output.log file here when it fails.
You can see the associated /var/log/cloud-init.log file here.
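As an added example (not part of the original question), here is one way to derive HTTPS-only egress rules for the regional AWS API endpoints that Boto's VPC and EC2 calls talk to, using the published ip-ranges.json format. The sample JSON below is constructed for the example; the assumption that API endpoint addresses are the AMAZON prefixes not attributed to any other service is noted in the code.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The real file is much larger; these addresses are documentation ranges, not real AWS ones.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.18.0.0/15", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def api_endpoint_cidrs(ip_ranges_json, region):
    """Return the prefixes in `region` tagged AMAZON and nothing else.

    Assumption: the regional API endpoints (ec2.<region>.amazonaws.com and
    friends) live in AMAZON-only ranges, while EC2/S3/... entries describe
    ranges used by those services' own resources. Dropping every prefix that
    another service also claims keeps the egress rule as narrow as the data allows.
    """
    data = json.loads(ip_ranges_json)
    regional = [p for p in data["prefixes"] if p["region"] == region]
    amazon = {p["ip_prefix"] for p in regional if p["service"] == "AMAZON"}
    others = {p["ip_prefix"] for p in regional if p["service"] != "AMAZON"}
    return sorted(amazon - others, key=ipaddress.ip_network)


def egress_rules(cidrs):
    """Build TCP/443-only egress rules, one per CIDR, as keyword arguments
    for boto.ec2.connection.EC2Connection.authorize_security_group_egress."""
    return [
        {"ip_protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_ip": cidr}
        for cidr in cidrs
    ]


if __name__ == "__main__":
    # Offline demonstration; in a real run, fetch ip-ranges.json and pass
    # each rule to authorize_security_group_egress(group_id, **rule).
    for rule in egress_rules(api_endpoint_cidrs(SAMPLE_IP_RANGES, "us-east-1")):
        print(rule)
```

Anything else the UserData script needs (package mirrors, for instance) still requires its own egress rule; this only covers the API calls the question is about.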
Copyright Notice: Content Author: 「Saqib Ali」, reproduced under the CC 4.0 BY-SA copyright license with a link to the original source and this disclaimer.
Link to original article: https://stackoverflow.com/questions/30769355/why-wont-boto-commands-run-in-userdata-when-outbound-traffic-permissions-are-lo