AWS EC2 VPC CLI

There's just something about the fresh start you get with a new job. Both my previous job and my new one began with the opportunity to build a new infrastructure from scratch. In both cases, as is common with startup infrastructure in its early stages, everything was to be built using Amazon Web Services (AWS), specifically using its Elastic Cloud Computing (EC2) infrastructure. Two significant things had changed in the years between the two jobs that led me to a fresh approach to the infrastructure, and those are the things I'm going to explore in this article: Amazon's Virtual Private Cloud (VPC) and the AWS command-line tools.

VPC has been around for some time, and it was around back when I started work on my previous infrastructure, but it was an extra feature. At the time, you defaulted to what Amazon now calls "EC2 Classic", which meant you essentially were sharing an internal IP space with everyone else on EC2. With VPC, you can define different subnets, including ones that have only non-Internet-routable RFC1918 IP addresses. You get to choose which hosts get external IPs and which don't, and you can define not only what subnet a host is in, but you also even can assign it a specific internal IP if you want. Additionally, you have more control over Security Groups (which allow you to assign firewall rules to groups of hosts), and you can filter not only incoming (ingress) traffic but also egress (outgoing) traffic. You even can add or remove security groups from a host after it has spawned—something just not possible in EC2 Classic.

Today, new Amazon accounts are VPC only. It's clear that Amazon is phasing out EC2 Classic not just by calling it "Classic" and making VPC the default, but also by creating new lower-cost instance types that are available only on VPC. Even though by default the subnets that come with a VPC behave much like on EC2 Classic with public and private IPs, there still are enough differences and potential once you consider private subnets that it forces you to take a fresh approach to how you build things.

The Amazon Command-Line Interface

It may not come as any surprise at all to my regular readers that when I initially got started with Amazon infrastructure, I avoided the Web interface whenever possible and stuck with command-line tools. Although back then there were a number of different libraries (such as the boto library for Python) that you could use to interact with Amazon's API with software, the main command-line interface for Amazon EC2 was known as EC2 API Tools (or the ec2-api-tools package in Ubuntu). It was Java based and provided a way to perform all of the common functions you might perform on the Web interface via commands named ec2-<some function>. It wasn't so bad once you got used to it. The primary complaint I had with EC2 API tools was how slow it was between issuing a command and getting a response back.

A year or so ago I discovered that Amazon had developed a new Python-based command-line tool called AWS CLI and made a mental note to try it when I had a chance. Since I already had scripts in place that took advantage of the EC2 API tools, and they worked, I didn't have any compelling reason at the time to switch. Now that I was faced with building new scripts for a new infrastructure, however, it seemed as good a time as any to try it out.

Using AWS CLI

I'm going to skip the details of how to install and configure AWS CLI since that's already well documented on the main page for Amazon CLI, and it's probably already packaged for your Linux distribution (and if not, you can do pip install awscli to get it). Although you can use AWS CLI for a number of different AWS APIs, I'm going to stick to how it compares to EC2 API tools. Instead of every command starting with ec2-, every command starts with aws ec2 followed by the command. Fortunately, most of the commands match in both environments, so where before you might have typed:


$ ec2-describe-instances

Now you type:


$ aws ec2 describe-instances

Unfortunately, the similarities pretty much end there. Where with ec2-describe-instances you could just append a list of IDs, with AWS CLI, you need to use the --instance-ids argument first:


$ aws ec2 describe-instances --instance-ids i-someid

Another difference between the two tools is the output. You can select between a table, text and JSON output with AWS CLI; however, the text output ends up being quite different from the format in EC2 API tools. This means if, like me, you have tools that parse through that output, you'll need to rework them.

Check Whether a Host Exists

For instance, I wrote a wrapper script to spawn new EC2 hosts that captures all of the common options I might pass along the command line based on a host's name. One check I perform before I spawn a host though is to test whether I already have an instance tagged with that host's name. So something like this:


ec2-describe-tags --region $REGION | cut -f5 | 
 ↪egrep -q "^$MYHOST$"

becomes something like this:


aws ec2 describe-tags --region $REGION | grep Name | 
 ↪grep instance | cut -f5 | egrep -q "^$MYHOST$"
Find the Security Group ID by Name

I had to make another change to my script when it came to assigning security groups. With EC2 Classic, you could refer to security groups by name when spawning a host by passing multiple -g options to ec2-run-instances. Once you use VPCs though, you must refer to a security group by its ID when spawning a host. What I do is assign all of the security groups that belong to a host to a variable like so:


SEC_GROUPS='default foo'

Then I iterate through that list to pull out the IDs:


for g in ${SEC_GROUPS}; do
  SGID=$(aws ec2 describe-security-groups --filters 
   ↪"Name=group-name,Values=$g" |
grep ^SECURITYGROUPS | cut -f3)                                            
  SGIDS="$SGIDS $SGID"
done

Then I can pass --security-group-ids $SGIDS to my aws ec2 run-instances command.

Find the Subnet ID by Name

Another difference I ran across was in handling VPC subnets. With EC2 Classic, you didn't have to worry about subnets at all, and although you can label subnets with names in a VPC, when you spawn a host, it wants you to specify the ID. Again, I put the subnet label into a variable and use the AWS CLI to pull out the ID:


SUBNETID=$(aws ec2 describe-subnets --filters 
 ↪"Name=tag:Name,Values=${SUBNET}" | grep ^SUBNETS | cut -f8)
Pull Data about a Specific Host

Back with EC2 API tools, it was easy to get the information about a specific host:


$ ec2-describe-instances | grep myhostname

Or the shorthand form:


$ ec2din | grep myhostname

Unfortunately, things aren't quite as easy with AWS CLI due to how the text output is formatted. Instead, you should use the --filters option to limit your search only to instances that have a Name tag that matches your hostname:


$ aws ec2 describe-instances --filters 
 ↪"Name=tag:Name,Values=myhostname"

I ended up turning the previous command into a quick script called ec2dingrep:


#!/bin/bash

HOSTNAME=$1
aws ec2 describe-instances --filters 
 ↪"Name=tag:Name,Values=${HOSTNAME}"
~

All in all, it really took me only part of a day to climb the learning curve of interacting with VPCs with AWS CLI and rewrite the script I use to spawn servers. Although so far it does take me a bit longer to string together the commands, much of that is muscle memory, and the much better speed of AWS CLI over EC2 API tools makes it worth it.

Resources

Amazon CLI Documentation: https://aws.amazon.com/cli

Kyle Rankin is a Tech Editor and columnist at Linux Journal and the Chief Security Officer at Purism. He is the author of Linux Hardening in Hostile Networks, DevOps Troubleshooting, The Official Ubuntu Server Book, Knoppix Hacks, Knoppix Pocket Reference, Linux Multimedia Hacks and Ubuntu Hacks, and also a contributor to a number of other O'Reilly books. Rankin speaks frequently on security and open-source software including at BsidesLV, O'Reilly Security Conference, OSCON, SCALE, CactusCon, Linux World Expo and Penguicon. You can follow him at @kylerankin.

Load Disqus comments