Guide to Using Elastic IPs to Manage Access to Amazon CloudSearch Domains

Articles & Tutorials>Amazon EC2>Guide to Using Elastic IPs to Manage Access to Amazon CloudSearch Domains
This guide describes how to use elastic IPs to manage access to your document and search endpoints from EC2.

Details

AWS Products Used: Amazon CloudSearch, Amazon EC2
Created On: July 9, 2012 5:27 PM GMT
Last Updated: July 9, 2012 6:57 PM GMT

Topics:

When creating and configuring search domains, you use your AWS credentials for authentication. To control access to a particular search domain's document and search endpoints, you need to whitelist the specific IP addresses or address ranges that can submit document updates and search requests. This guide describes how to use elastic IPs to manage access to your document and search endpoints from EC2.

Elastic IP addresses are static IP addresses designed for dynamic cloud computing. For more information about elastic IPs, see Feature Guide: Amazon EC2 Elastic IP Addresses.

Why Use Elastic IPs?

Changes to a domain's access policies can take around 15 minutes to take effect. This means if you bring up a new EC2 instance and add its IP address to a search domain's access policies, there will be a delay before the instance can start submitting document updates or search requests. If you assign an IP address from a pool of elastic IPs that you have authorized ahead of time, the instance will be able to start submitting requests right away.

Using Preauthorized Elastic IP Addresses

Elastic IP addresses are associated with your account, rather than a particular instance. You control an Elastic IP address until you choose to explicitly release it.

Note: To allocate elastic IP addresses. pre-authorize them to access your search domain, and associate them with EC2 instances as shown below, you need to download and install the Amazon EC2 API Tools and Amazon CloudSearch command line tools.

To use elastic IP addresses for your EC2 instances that need to interact with an Amazon CloudSearch domain:

  1. Use the ec2-allocate-address command to assign EC2 Elastic IP Addresses to your account. The number of IP addresses you need depends on how many EC2 instances you want to simultaneously authorize to access your Amazon CloudSearch domain. By default, accounts are limited to 5 Elastic IP addresses.

    For example, the following request allocates a new Elastic IP address, 75.101.157.145:

    ec2-allocate-address
    ADDRESS 75.101.157.145
  2. Pre-authorize your Elastic IP addresses to access your search domain's document and search endpoints.

    For example, you could run the cs-configure-access command to enable the IP address 75.101.157.145 to access either the document or search endpoint of the song-search domain:

    cs-configure-access-policies --domain-name song-search
      --update --allow 75.101.157.145 --service all
    =========================
    Standardizing ip: 75.101.157.145; using: 75.101.157.145/32
    [song-search] Updating access policy:
    {"Version":"2011-10-11","Id":"34f11d91-88d9-4e15-8ebe-05dffef103c6","Statement": [{"Sid":"1","Effect":"Allow","Action":"*","Resource":"arn:aws:cs:us-east-1: 598352442322:search/song-search","Condition":{"IpAddress":{"aws:SourceIp": ["75.101.157.145/32"]}}},{"Sid":"2","Effect":"Allow","Action":"*","Resource":"arn: aws:cs:us-east-1:598352442322:doc/song-search","Condition":{"IpAddress":{"aws: SourceIp":["75.101.157.145/32"]}}}]}

    You can also modify your access policies through the Amazon CloudSearch console or the UpdateServiceAccessPolicies API.

  3. When you bring up a new EC2 instance, assign it one of your pre-authorized Elastic IP addresses using the ec2-associate-instance command.

    For example, to associate Elastic IP 75.101.157.145 with instance ID i-b2e019da:

    ec2-associate-address -i i-b2e019da 75.101.157.145
     ADDRESS 75.101.157.145 i-b2e019da
  4. For more information about using Elastic IP addresses, see Feature Guide: Amazon EC2 Elastic IP Addresses.

    Summary

    Allocating and preauthorizing Elastic IP addresses to access your Amazon CloudSearch domain enables new EC2 instances to use those addresses to start submitting requests to the domain's search and document endpoints right away.

©2014, Amazon Web Services, Inc. or its affiliates. All rights reserved.