Posted to user@jclouds.apache.org by Vineet Saini <sw...@gmail.com> on 2014/11/17 22:06:29 UTC

Re: AWS-EC2: Why are security groups & subnets mutually exclusive?

This is a little bit confusing with Group and Security group, as VPC is like
a group, or more than just a group. Also, using createInGroup duplicates that
purpose, whereas with AWS/EC2 it just adds confusion.

In order to use VPC and Security group, you need to use a subnet under the
VPC. That way you can create a node in the VPC/subnet with a security group in
that VPC.

    // Put the node in a VPC subnet and attach VPC security groups by ID
    // (securityGroupIdArr holds "sg-..." IDs, not group names)
    template.getOptions().as(AWSEC2TemplateOptions.class)
        .subnetId(subnetId)
        .securityGroupIds(securityGroupIdArr);

    // Launch as usual; GroupName is the jclouds node group, the attached
    // security groups come from the options set above
    Set<? extends NodeMetadata> nodes =
        computeService.createNodesInGroup(GroupName, count, template);


On Wed, Oct 1, 2014 at 9:28 AM, Yaron Rosenbaum <ya...@gmail.com>
wrote:

> Hi
>
> If I understand correctly, I have to specify a VPC (since I don't have a
> default one), and the only way of doing it is by specifying a subnet. That,
> however, ignores my request for specific security groups - and only adds me
> to the 'default' one.
>
> https://jclouds.apache.org/guides/aws-ec2/
> "To create nodes in a subnet under Amazon VPC add the following option to
> your template options. Note that VPCs and Security Groups are mutually
> exclusive."
>
> Why?
>
> (Y)
>
>
>

Re: AWS-EC2: Why are security groups & subnets mutually exclusive?

Posted by Andrew Phillips <an...@apache.org>.
> What you say makes sense and I think it is an unintentional limitation
> in the current code.

Some additional context here: the "securityGroups" option [1]  
originally (and perhaps still - sorry, can't check the code now :-()  
refers to "old style" security groups, which *were* incompatible with  
VPCs for a long time.

The "new style" security groups are specified using the  
"securityGroupIds" option instead [2]. If the distinction between the  
two types no longer exists, then some code simplification should  
certainly be possible!

See also this thread: http://markmail.org/thread/gmnffrbqibfwqczr

Regards

ap

[1]  
http://jclouds-javadocs.elasticbeanstalk.com/org/jclouds/aws/ec2/compute/AWSEC2TemplateOptions.html#securityGroups(java.lang.String...)
[2]  
http://jclouds-javadocs.elasticbeanstalk.com/org/jclouds/aws/ec2/compute/AWSEC2TemplateOptions.html#securityGroupIds(java.lang.Iterable)

-- 
Andrew Phillips
Apache jclouds

Re: AWS-EC2: Why are security groups & subnets mutually exclusive?

Posted by Ignasi Barrera <na...@apache.org>.
Hi Richard, apologies for the late reply.

What you say makes sense and I think it is an unintentional limitation
in the current code. Changing it should be relatively easy as, if I'm
not wrong, the security group creation logic is all contained in one
single class [1]. It might require some attention running the live
tests, though, to make sure we don't break things.

Do you want to try to come up with a patch?


HTH!

Ignasi

[1] https://github.com/jclouds/jclouds/blob/master/apis/ec2/src/main/java/org/jclouds/ec2/compute/strategy/CreateKeyPairAndSecurityGroupsAsNeededAndReturnRunOptions.java#L163-L186


On 11 May 2015 at 15:30, Richard Downer <ri...@apache.org> wrote:
> Hi all,
>
> Apologies for re-opening an old thread but we've just hit a problem
> with this root cause.
>
> I'm not aware of any reason why security groups and VPCs should be
> mutually exclusive, as the jclouds docs state. VPC instances certainly
> *can* have security groups attached, although there is a difference in
> that security groups have to be specified by ID rather than name when
> creating the instance.
>
> If we are using the "inboundPorts" feature of template options to get
> jclouds to create the security group for us, that should still work
> regardless of whether we're using VPCs or not. However it does not; as
> soon as a subnet ID is given, jclouds seems to not attempt to create a
> security group for inbound ports, nor attach the security group to the
> new instance.
>
> Does this have to be the case? How difficult a task is this to change
> in jclouds?
>
> Thanks,
> Richard.
>
> On 17 November 2014 at 21:48, Andrew Phillips <an...@apache.org> wrote:
>> Hi Yaron
>>
>>>> "To create nodes in a subnet under Amazon VPC add the following option to
>>>> your template options. Note that VPCs and Security Groups are mutually
>>>> exclusive."
>>>>
>>>> Why?
>>
>>
>> From what I understand, "Security Groups" here refers to the "classic"
>> security groups that are referred to as "EC2-Classic" in the AWS docs. These
>> state, for example:
>>
>> "You can't specify a security group that you created for a VPC when you
>> launch an instance in EC2-Classic." and "You can't specify a security group
>> that you created for EC2-Classic when you launch an instance in a VPC." [1]
>>
>> You should be able to specify the security groups *in your VPC* by using the
>> securityGroupIds template builder option on AWSEC2TemplateOptions [2]
>> (rather than the securityGroups option which, if I recall correctly, selects
>> the old-style groups).
>>
>> See also this thread [3].
>>
>> Regards
>>
>> ap
>>
>> [1]
>> http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
>> [2]
>> http://javadocs.jclouds.cloudbees.net/org/jclouds/aws/ec2/compute/AWSEC2TemplateOptions.Builder.html
>> [3] http://apache.markmail.org/thread/7ssdg7ww4c652gyj

Re: AWS-EC2: Why are security groups & subnets mutually exclusive?

Posted by Richard Downer <ri...@apache.org>.
Hi all,

Apologies for re-opening an old thread but we've just hit a problem
with this root cause.

I'm not aware of any reason why security groups and VPCs should be
mutually exclusive, as the jclouds docs state. VPC instances certainly
*can* have security groups attached, although there is a difference in
that security groups have to be specified by ID rather than name when
creating the instance.

If we are using the "inboundPorts" feature of template options to get
jclouds to create the security group for us, that should still work
regardless of whether we're using VPCs or not. However it does not; as
soon as a subnet ID is given, jclouds seems to not attempt to create a
security group for inbound ports, nor attach the security group to the
new instance.

Does this have to be the case? How difficult a task is this to change
in jclouds?

Thanks,
Richard.

On 17 November 2014 at 21:48, Andrew Phillips <an...@apache.org> wrote:
> Hi Yaron
>
>>> "To create nodes in a subnet under Amazon VPC add the following option to
>>> your template options. Note that VPCs and Security Groups are mutually
>>> exclusive."
>>>
>>> Why?
>
>
> From what I understand, "Security Groups" here refers to the "classic"
> security groups that are referred to as "EC2-Classic" in the AWS docs. These
> state, for example:
>
> "You can't specify a security group that you created for a VPC when you
> launch an instance in EC2-Classic." and "You can't specify a security group
> that you created for EC2-Classic when you launch an instance in a VPC." [1]
>
> You should be able to specify the security groups *in your VPC* by using the
> securityGroupIds template builder option on AWSEC2TemplateOptions [2]
> (rather than the securityGroups option which, if I recall correctly, selects
> the old-style groups).
>
> See also this thread [3].
>
> Regards
>
> ap
>
> [1]
> http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
> [2]
> http://javadocs.jclouds.cloudbees.net/org/jclouds/aws/ec2/compute/AWSEC2TemplateOptions.Builder.html
> [3] http://apache.markmail.org/thread/7ssdg7ww4c652gyj

Re: AWS-EC2: Why are security groups & subnets mutually exclusive?

Posted by Andrew Phillips <an...@apache.org>.
Hi Yaron

>> "To create nodes in a subnet under Amazon VPC add the following option to
>> your template options. Note that VPCs and Security Groups are mutually
>> exclusive."
>>
>> Why?

From what I understand, "Security Groups" here refers to the  
"classic" security groups that are referred to as "EC2-Classic" in the  
AWS docs. These state, for example:

"You can't specify a security group that you created for a VPC when  
you launch an instance in EC2-Classic." and "You can't specify a  
security group that you created for EC2-Classic when you launch an  
instance in a VPC." [1]

You should be able to specify the security groups *in your VPC* by  
using the securityGroupIds template builder option on  
AWSEC2TemplateOptions [2] (rather than the securityGroups option  
which, if I recall correctly, selects the old-style groups).

See also this thread [3].

Regards

ap

[1]  
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
[2]  
http://javadocs.jclouds.cloudbees.net/org/jclouds/aws/ec2/compute/AWSEC2TemplateOptions.Builder.html
[3] http://apache.markmail.org/thread/7ssdg7ww4c652gyj
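
The following is an added example, not code from this thread or from the jclouds project. It pulls together the two practical points above: Andrew's advice to attach VPC groups with securityGroupIds rather than securityGroups, and Richard's observation that jclouds stops creating a group from inboundPorts once a subnetId is set. The workaround shown is to create the VPC security group explicitly with the rules you would have put in inboundPorts, pass its ID alongside the subnet, and then read back what AWS actually attached so that a silent fallback to the VPC's "default" group (Yaron's original symptom) fails loudly instead of going unnoticed. Every ID, region and CIDR below is a placeholder. The calls on AWSSecurityGroupApi, AWSInstanceApi, CreateSecurityGroupOptions and IpPermission are written from memory of the jclouds 1.8 API and should be checked against the javadoc linked in this thread before use.

```java
import java.util.Map;
import java.util.Set;

import org.jclouds.ContextBuilder;
import org.jclouds.aws.ec2.AWSEC2Api;
import org.jclouds.aws.ec2.compute.AWSEC2TemplateOptions;
import org.jclouds.aws.ec2.domain.AWSRunningInstance;
import org.jclouds.aws.ec2.features.AWSInstanceApi;
import org.jclouds.aws.ec2.features.AWSSecurityGroupApi;
import org.jclouds.aws.ec2.options.CreateSecurityGroupOptions;
import org.jclouds.compute.ComputeService;
import org.jclouds.compute.ComputeServiceContext;
import org.jclouds.compute.domain.NodeMetadata;
import org.jclouds.compute.domain.Template;
import org.jclouds.ec2.domain.Reservation;
import org.jclouds.net.domain.IpPermission;
import org.jclouds.net.domain.IpProtocol;

/**
 * Launch a node into a VPC subnet with a security group created by us, then
 * verify that the instance carries exactly that group. All IDs and CIDRs are
 * placeholders (assumptions), not values taken from the thread.
 */
public class VpcLaunchWithExplicitSecurityGroup {

  public static void main(String[] args) {
    String region = "us-east-1";                    // assumption
    String vpcId = "vpc-0123456789abcdef0";          // assumption
    String subnetId = "subnet-0123456789abcdef0";    // assumption: a subnet inside vpcId
    String adminCidr = "203.0.113.0/24";            // TEST-NET-3 documentation range, stands in for your bastion
    int[] inboundPorts = { 22, 443 };               // what you would otherwise pass to inboundPorts(...)

    ComputeServiceContext ctx = ContextBuilder.newBuilder("aws-ec2")
        .credentials(System.getenv("AWS_ACCESS_KEY_ID"), System.getenv("AWS_SECRET_ACCESS_KEY"))
        .buildView(ComputeServiceContext.class);
    try {
      ComputeService compute = ctx.getComputeService();
      AWSEC2Api ec2 = ctx.unwrapApi(AWSEC2Api.class);
      AWSSecurityGroupApi sgApi = ec2.getSecurityGroupApi().get();

      // 1. Create the group in the VPC ourselves. With a subnetId set, jclouds does not
      //    create one from inboundPorts, so the ports become explicit ingress rules here,
      //    scoped to the admin range rather than 0.0.0.0/0.
      String groupId = sgApi.createSecurityGroupInRegionAndReturnId(region, "jclouds-vpc-web",
          "ssh and https from admin range only", CreateSecurityGroupOptions.Builder.vpcId(vpcId));
      for (int port : inboundPorts) {
        sgApi.authorizeSecurityGroupIngressInRegion(region, groupId,
            IpPermission.builder().ipProtocol(IpProtocol.TCP).fromPort(port).toPort(port)
                .cidrBlock(adminCidr).build());
      }

      // 2. Launch into the subnet and attach the group by ID. securityGroups("name") selects
      //    EC2-Classic groups by name and is not what a VPC instance needs.
      Template template = compute.templateBuilder().locationId(region).build();
      template.getOptions().as(AWSEC2TemplateOptions.class)
          .subnetId(subnetId)
          .securityGroupIds(groupId);
      Set<? extends NodeMetadata> nodes = compute.createNodesInGroup("vpc-web", 1, template);

      // 3. Do not trust the request; read back what AWS attached. The symptom reported in this
      //    thread was an instance silently landing in the VPC's "default" group.
      AWSInstanceApi instanceApi = ec2.getInstanceApi().get();
      for (NodeMetadata node : nodes) {
        verifyOnlyGroup(instanceApi, region, node.getProviderId(), groupId);
      }
    } finally {
      ctx.close();
    }
  }

  /** Throws if the instance carries any security group other than expectedGroupId. */
  static void verifyOnlyGroup(AWSInstanceApi api, String region, String instanceId,
      String expectedGroupId) {
    for (Reservation<? extends AWSRunningInstance> reservation :
        api.describeInstancesInRegion(region, instanceId)) {
      for (AWSRunningInstance instance : reservation) {
        Map<String, String> idToName = instance.getSecurityGroupIdToNames();
        if (idToName.size() != 1 || !idToName.containsKey(expectedGroupId)) {
          throw new IllegalStateException(instanceId + " has security groups " + idToName
              + ", expected only " + expectedGroupId);
        }
      }
    }
  }
}
```

The read-back in step 3 is the part worth keeping even if you create the group some other way: it compares group IDs, so an unexpected "default" group shows up as an extra entry in the map and the launch fails instead of leaving a node exposed with whatever that group permits.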