If an EC2 instance has been set up to retrieve a Public IP (not Elastic IP) and it is currently stopped, what can I look at to see that it will get a Public IP when it starts up? Let's assume the subnet it is on is not set up to give Public IPs to all instances. When the instance is running I can see the public IP information when I retrieve the instance with `client.describe_instances()`, but I don't see anything when it is stopped. Thanks.
- I feel like this is an XY problem. What are you trying to achieve here? – jellycsc Jan 28 '21 at 20:12
- I've been searching through the API docs and comparing various EC2 instances for a while now, it doesn't seem like that attribute is exposed... - very weird. I'm with @jellycsc - what you want to achieve can probably be done a different way, but I would have bet money this could be found out through the API without launching the instance. – Maurice Jan 28 '21 at 20:19
- There has been a discussion on this topic [here](https://stackoverflow.com/a/41727588/6485881) - seems like at least back in 2017 it wasn't possible either... – Maurice Jan 28 '21 at 20:21
- I am attempting to audit security groups but I don't want to look at systems that will never have a public IP, as there are many – Fred Snertz Jan 28 '21 at 22:44
2 Answers
After looking through lots of documentation I came to the conclusion that it can't be done reliably with the information that is exposed through the APIs. The answer by John covers important details on the factors that determine if an EC2 instance will be assigned a public IP on first boot.

Given that information it's possible to determine if a newly launched EC2 instance will get a public IP, which is essentially controlled by the `AssociatePublicIpAddress` parameter. This can be set explicitly while starting an instance (see doc1 - Example 5, doc2) and will have a default value that depends on the subnet the instance is launched in.

If the instance is launched in a subnet that has `MapPublicIpOnLaunch` set to true, this defaults to true, and if `MapPublicIpOnLaunch` is set to false, it defaults to false. However, you can override this default.

The information whether a public IP is supposed to be associated is retained on the ENI, if the docs are to be believed (emphasis mine):

> When you create a network interface, it inherits the public IPv4 addressing attribute from the subnet. If you later modify the public IPv4 addressing attribute of the subnet, the network interface keeps the setting that was in effect when it was created. If you launch an instance and specify an existing network interface as the primary network interface, the public IPv4 address attribute is determined by this network interface.

Unfortunately it doesn't seem like any API exposes the value of this internal flag - neither the `DescribeInstances` nor the `DescribeNetworkInterfaces` API call includes it in the response.

As a result, you can make an educated guess based on the subnet the instance lives in, but however educated, it is still a guess, because this only works if the default for `AssociatePublicIpAddress` hasn't been changed. The only way to determine that reliably is to turn the instance on, do a `DescribeInstances` on it and check if it has received a public IP.

- Thank you so much for looking into this. I am trying to audit security groups to ensure nothing has been left wide open and I only need to look at systems with a public IP. Unfortunately we have a few instances that override the subnet default to get a public IP and they aren't always running. – Fred Snertz Jan 28 '21 at 22:22
- In that case you might want to activate AWS Config, which records changes to your infrastructure; you can then go ahead and create a custom rule to alert you based on instances starting with a public IP address. – Maurice Jan 30 '21 at 12:43
- @FredSnertz Please consider accepting this answer if it helped you, that way other users know this question is solved ;-) – Maurice Feb 10 '21 at 15:30
Public IP addresses can be assigned to instances in 3 ways:

- An Elastic IP address is assigned to the instance, or
- The instance is launched with `AssociatePublicIpAddress` set to True on an ENI, or
- The subnet has `MapPublicIpOnLaunch` set to True

To know whether the subnet will automatically attach a public IP address, call `DescribeSubnets()` and check the `MapPublicIpOnLaunch` attribute.

- Is there a way to query the `AssociatePublicIpAddress` setting on existing instances? I couldn't find one. If I launch an instance in a private subnet with the `AssociatePublicIpAddress` config and then stop it, there seems to be no way for me to find out if it will receive a public IP once I start it, without starting it. – Maurice Jan 28 '21 at 20:32
- Hi @john, this may not be true. An instance can get launched **before** `MapPublicIpOnLaunch` is turned on at the subnet level. In this case, the ENI of the instance won't get a public IP even after `MapPublicIpOnLaunch` is turned on. – jellycsc Jan 28 '21 at 20:35
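As an added example (my own code, not from the question or either answer), here is the classification both answers describe, applied to the three API responses they mention. It runs offline on constructed `describe_instances`, `describe_subnets` and `describe_addresses` responses in boto3's shape: an instance with an Elastic IP or an observed address is definitely public, a running instance without one is definitely not, a stopped instance falls back to the subnet's `MapPublicIpOnLaunch` default, and a stopped instance in a subnet whose default is false is labelled "unknown" because, as the first answer notes, the ENI-level flag is not exposed by any API. The `fetch_from_aws` helper, the label names, the instance/subnet/security-group IDs and the 203.0.113.0/24 and 198.51.100.0/24 addresses are all my own assumptions, not values from the page.

```python
"""Added example: classify EC2 instances by whether they will have a public IPv4 address,
using only what DescribeInstances, DescribeSubnets and DescribeAddresses return.
All sample data below is constructed, not captured from a real account."""
from typing import Dict, List, Set

# Exposure labels (my own naming, not an AWS attribute).
PUBLIC_NOW = "public"            # running instance that currently shows a PublicIpAddress
PUBLIC_EIP = "public-eip"        # Elastic IP associated; it stays associated across stop/start
NOT_PUBLIC = "not-public"        # running instance with no address: the ENI flag did not assign one
LIKELY_PUBLIC = "likely-public"  # stopped; subnet MapPublicIpOnLaunch=True (a guess: ENI flag not exposed)
UNKNOWN = "unknown"              # stopped; subnet default False, but AssociatePublicIpAddress may be overridden


def classify_instances(instances_resp: dict, subnets_resp: dict, addresses_resp: dict) -> List[Dict]:
    """Return one record per instance with its exposure label and security group IDs."""
    subnet_default = {s["SubnetId"]: s["MapPublicIpOnLaunch"] for s in subnets_resp["Subnets"]}
    # describe_addresses lists every EIP in the region; unassociated ones carry no InstanceId key.
    eip_instances = {a["InstanceId"] for a in addresses_resp["Addresses"] if "InstanceId" in a}
    results = []
    for reservation in instances_resp["Reservations"]:
        for inst in reservation["Instances"]:
            iid, state = inst["InstanceId"], inst["State"]["Name"]
            if iid in eip_instances:
                label = PUBLIC_EIP
            elif state == "running":
                # While the instance runs, the observed state is authoritative.
                label = PUBLIC_NOW if inst.get("PublicIpAddress") else NOT_PUBLIC
            elif subnet_default.get(inst.get("SubnetId"), False):
                label = LIKELY_PUBLIC
            else:
                label = UNKNOWN
            results.append({"InstanceId": iid, "State": state, "Exposure": label,
                            "SecurityGroupIds": sorted(sg["GroupId"] for sg in inst.get("SecurityGroups", []))})
    return results


def audit_scope(results: List[Dict], include_unknown: bool = True) -> Set[str]:
    """Security groups worth auditing. Fails closed: 'unknown' instances are in scope by default,
    because the API cannot prove they will not receive a public IP on their next start."""
    skip = {NOT_PUBLIC} | (set() if include_unknown else {UNKNOWN})
    return {sg for r in results if r["Exposure"] not in skip for sg in r["SecurityGroupIds"]}


def fetch_from_aws(region_name: str = None):
    """Pull the three responses from the real API (needs boto3 and credentials; not used offline).
    DescribeInstances and DescribeSubnets are paginated; DescribeAddresses is not."""
    import boto3  # imported lazily so the constructed sample below runs without it
    ec2 = boto3.client("ec2", region_name=region_name)
    instances = {"Reservations": [r for p in ec2.get_paginator("describe_instances").paginate()
                                  for r in p["Reservations"]]}
    subnets = {"Subnets": [s for p in ec2.get_paginator("describe_subnets").paginate() for s in p["Subnets"]]}
    return instances, subnets, ec2.describe_addresses()


# Constructed sample responses (IDs and addresses are invented; addresses use documentation ranges).
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "SubnetId": "subnet-pub",
     "PublicIpAddress": "203.0.113.10", "SecurityGroups": [{"GroupId": "sg-web", "GroupName": "web"}]},
    {"InstanceId": "i-0bbb", "State": {"Name": "stopped"}, "SubnetId": "subnet-pub",
     "SecurityGroups": [{"GroupId": "sg-web", "GroupName": "web"}]},
    # The asker's case: stopped in a private subnet, may have been launched with an override.
    {"InstanceId": "i-0ccc", "State": {"Name": "stopped"}, "SubnetId": "subnet-priv",
     "SecurityGroups": [{"GroupId": "sg-db", "GroupName": "db"}]},
    # Stopped in a private subnet but holding an Elastic IP.
    {"InstanceId": "i-0ddd", "State": {"Name": "stopped"}, "SubnetId": "subnet-priv",
     "SecurityGroups": [{"GroupId": "sg-bastion", "GroupName": "bastion"}]},
    # Running in the public subnet yet without an address (e.g. ENI created before the subnet flag changed).
    {"InstanceId": "i-0eee", "State": {"Name": "running"}, "SubnetId": "subnet-pub",
     "SecurityGroups": [{"GroupId": "sg-internal", "GroupName": "internal"}]},
]}]}
SAMPLE_SUBNETS = {"Subnets": [{"SubnetId": "subnet-pub", "MapPublicIpOnLaunch": True},
                              {"SubnetId": "subnet-priv", "MapPublicIpOnLaunch": False}]}
SAMPLE_ADDRESSES = {"Addresses": [
    {"PublicIp": "198.51.100.7", "AllocationId": "eipalloc-1", "InstanceId": "i-0ddd"},
    {"PublicIp": "198.51.100.8", "AllocationId": "eipalloc-2"},  # allocated but not associated
]}

if __name__ == "__main__":
    classified = classify_instances(SAMPLE_INSTANCES, SAMPLE_SUBNETS, SAMPLE_ADDRESSES)
    for rec in classified:
        print(f'{rec["InstanceId"]:8} {rec["State"]:8} {rec["Exposure"]:14} {rec["SecurityGroupIds"]}')
    print("security groups to audit:", sorted(audit_scope(classified)))
```

Running the sample labels `i-0aaa` public, `i-0bbb` likely-public, `i-0ccc` unknown, `i-0ddd` public-eip and `i-0eee` not-public, and puts `sg-web`, `sg-db` and `sg-bastion` in the audit set. Pass `include_unknown=False` only if you are willing to accept the gap the first answer describes; for a security-group review the safer default is to keep the unknowns in scope until you have started each one once and confirmed what `describe_instances` reports.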