Today I spent time dealing with an issue that may have been avoided by sticking to best practices. Don't do that. It's just not worth it.
I had locked myself out of an EC2 instance. I ran an iptables rule on the machine last night and checked that everything was working as expected. I knew that iptables was not the right tool for the job because I've used security zones, but I was "just testing something" and didn't think that the rule was appropriate for the zone so I went ahead. Everything seemed fine.
This morning I discovered that I could no longer access that instance. In fact, I could not access a single open port. This was not OK. I did not need to deal with data loss here (the image was brought up before EBS existed, and it wasn't originally being used for much...). Anyhow, I rebooted the box and everything was accessible again. I'm not convinced that the iptables rule was what broke access to the machine, but there was no reason to even be considering it. It's easy enough to add another security group and bring up another instance that there was no reason to even have a question about this.
In summation, just stick to best practices and spend the 15 minutes up front doing it right; don't spend half an hour in a panic fixing it tomorrow. At least tools like EC2 exist that make the right thing easy and cheap by design.
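The post's advice stands: reach for a security group rather than a host firewall rule. For the times a host rule does get tested anyway, the usual guard against exactly this lockout is to schedule an automatic revert before applying the change and cancel it only once you have confirmed, from a second session, that the box is still reachable. The following is an added example, not code from the original post; the function names `apply_with_rollback` and `cancel_rollback` are mine, the rule in the commented usage is a placeholder, and the pattern is shown with generic commands so it can be exercised without root.

```shell
# Added example (not from the original post): apply a host firewall change with
# an automatic rollback so a mistaken rule cannot lock you out for long.
# Pattern: snapshot the current rules, start a timer that restores them, apply
# the change, verify access from a second session, and only then cancel the timer.

# apply_with_rollback SECONDS APPLY_CMD REVERT_CMD
# Starts a background timer that runs REVERT_CMD after SECONDS, then runs
# APPLY_CMD. Prints the timer's PID so the caller can cancel it later.
apply_with_rollback() {
    _secs=$1
    _apply=$2
    _revert=$3
    # Detach the timer from our stdout so a caller using $(...) is not blocked
    # until the timer fires.
    ( sleep "$_secs"; sh -c "$_revert" ) >/dev/null 2>&1 &
    _timer=$!
    # Send the apply command's own output to stderr so only the PID is printed.
    sh -c "$_apply" >&2
    echo "$_timer"
}

# cancel_rollback TIMER_PID
# Call this only after confirming, from another session, that the box is
# still reachable; killing the timer makes the change stick.
cancel_rollback() {
    kill "$1" 2>/dev/null || true
}

# Real usage on the instance (requires root; shown in comments, not run here).
# The rule itself is a placeholder: substitute whatever you are testing.
#   iptables-save > /tmp/iptables.before
#   timer=$(apply_with_rollback 120 \
#       "iptables <placeholder: rule under test>" \
#       "iptables-restore < /tmp/iptables.before")
#   # ...open a new SSH session and check the ports you rely on...
#   cancel_rollback "$timer"
```

If the new session cannot get in, do nothing: the timer restores the saved rule set on its own, which is the same outcome the reboot gave here but without waiting until the next morning to notice.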
Comments for Don't ever use iptables on EC2 instances