Diffstat (limited to 'toss-aws-eip/README.md')
-rw-r--r-- toss-aws-eip/README.md | 85
1 files changed, 85 insertions, 0 deletions
diff --git a/toss-aws-eip/README.md b/toss-aws-eip/README.md
new file mode 100644
index 0000000..caa0355
--- /dev/null
+++ b/toss-aws-eip/README.md
@@ -0,0 +1,85 @@
+# Ranged AWS EIP Allocator
+When you request an EIP address, the AWS randomly allocates an EIP address from
+one of their IPv4 address pools. The list of the IPv4 pools the AWS uses for
+their service is publicly available from the following.
+
+https://ip-ranges.amazonaws.com/ip-ranges.json
+
+I also made the tool for converting the JSON data to CSV so you can use it in
+spreadsheets.
+
+https://ashegoulding.github.io/aws-ipblocks-csv
+
+This is the script you're after if you're trying to get an EIP within a specific
+range or block to get away from the lousy neighbours who constantly degrade the
+reputation of the address block or just to get a series of contiguous EIP for
+your EC2 fleet.
+
+I recommend running it on an EC2 instance rather than on the local machine to
+save the trip to the internet. The request process time from the EC2 endpoint is
+already over few hundred milliseconds so you definitely want to reduce the trip
+through the internet.
+
+Please check the pricing rules before considering using this. If they charge for
+allocation/release of EIPs, you're screwed and the script is basically useless.
+
+## This is a Bad Idea!
+The script has to be used as a last resort after you have failed to get support
+from the AWS in getting the EIP's you want. If you're a corporate user, you can
+probably get the support you need.
+
+The big issue with this approach is that there's no way of knowing how saturated
+the EIP block you're trying to get addresses from. You may use tools like nmap,
+but there's still the problem of unassociated EIP addresses.
+
+## How to
+Make sure you have done your `aws configure` and given allocate_address and
+release_address permissions to the IAM account. You may test the permissions
+using `-d` option. You'll get an error and the script will exit with code 1 if
+the account lacks the necessary permissions.
+
+Choose the block you wish to get an EIP address from. Multiple ranges can be
+specified and the script will exit if an address from any of the ranges is
+allocated.
+
+```bash
+./toss-aws-eip.py \
+ -r us-west-1 \ # not required if the default region is set in the profile
+ -l "tosser" \ # resource name for identification purposes
+ 52.94.249.80/28 \ # range
+ 52.95.255.96/28 \ # range
+ 52.94.248.128/28 # range
+```
+
+In the example, the script will allocate and release EIP addresses until one
+from any of the three blocks is acquired. The name tag on the address will be
+"tosser".
+
+You can even run the script in several processes. The process returns 0 when
+successful and it also handles `SIGINT` and `SIGTERM` gracefully without leaving
+a "residue" EIP. If you want multiple EIP's, simply count the number of
+processes that returned 0.
+
+Run with `-h` option for more.
+
+## Why?
+I was having issues with the reputations of IP addresses allocated for EC2. It
+is a known fact that many EC2 instances are hacked and used as bots for
+nefarious activities like SSH brute forcing and sending junk mails. The
+reputation is especially important for sending mails because companies take
+aggressive measures to combat junk mails.
+
+I started with an EIP without knowing this and getting my EIP already set for
+all my self-hosted services was a long and hard process. Companies like Google
+and Microsoft keep a public channel via which sysadmins can file complaints to
+get their addresses off their blacklist. But Outlook(Microsoft) has the stronger
+measure of blacklisting the entire IP address blocks attacks and junk mails
+originate from. There is no way that was legal, but I decided to get a clean EIP
+from a clean block this time instead of dealing with AWS and Microsoft Support
+because I'd never get anything good out of them.
+
+My idea is that I could be better of having an EIP from a relatively small
+block. Even if I end up getting a dirty EIP, I can go through the support
+channels again to delist the EIP and there will be less chance of the entire
+block getting blacklisted because of the small size. You can only do this in
+trial and error. This is where the script comes in.
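Review bot: the usage example under "How to" does not run as written: `-r us-west-1 \ # not required if the default region is set in the profile` has a backslash followed by a space, which in bash escapes the space rather than the newline, so the first line executes alone as `./toss-aws-eip.py -r us-west-1 ' '` and the following `# range` lines are parsed as separate commands. Move the explanations into comment lines above the command or put the arguments on one line, e.g. `./toss-aws-eip.py -r us-west-1 -l tosser 52.94.249.80/28 52.95.255.96/28 52.94.248.128/28`. Two documentation gaps in the same section: `allocate_address` and `release_address` are SDK method names rather than IAM actions, so the policy the reader must attach is `ec2:AllocateAddress` and `ec2:ReleaseAddress`, and because `-l` puts a Name tag on the address it also needs `ec2:CreateTags`; say whether the `-d` permission check exercises that third action. The "graceful `SIGINT`/`SIGTERM`" claim should also name the residue case it cannot cover (SIGKILL, a crash, or a lost connection between the allocate and release calls) and give the reader the cleanup handle the `-l` tag provides, e.g. `aws ec2 describe-addresses --filters Name=tag:Name,Values=tosser` followed by releasing any address that has no association. Finally, the pricing paragraph defers to the reader on the one fact that decides whether the tool is usable at all; state the EIP charging model the script was written and tested against instead of "if they charge ... you're screwed".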