Recover ssh access to an Amazon EC2 instance after activating the ufw firewall by accident

There are two solutions to resolve this problem:

  • Solution 1
    1. Stop your instance
    2. Go to User Data (Action > Instance Settings > View/Change User Data)
    3. Add the following lines, then start the instance again:

       #cloud-config
       bootcmd:
       - cloud-init-per always fix_broken_ufw_1 sh -xc "/usr/sbin/service ufw stop >> /var/tmp/svc_$INSTANCE_ID 2>&1 || true"
       - cloud-init-per always fix_broken_ufw_2 sh -xc "/usr/sbin/ufw disable >> /var/tmp/ufw_$INSTANCE_ID 2>&1 || true"

    Once you are back in, take these lines out of User Data again: "cloud-init-per always" reruns them on every boot, so they would keep disabling the firewall.

  • Solution 2

    1. Stop your instance
    2. Attach your EBS volume to another instance. If you don't have one, create a micro instance.
    3. Mount your EBS volume somewhere, e.g. /opt/recover
    4. Edit {your-ebs-mount}/etc/ufw/ufw.conf and change ENABLED=yes to ENABLED=no
    5. Unmount the EBS volume
    6. Detach it from the temp instance
    7. Reattach it to the original instance (make sure to attach it as the root device)
    8. Restart the instance
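Solution 2 as a shell script, an added example that is not part of the original post. It assumes the recovered volume is already mounted at the path given as the first argument (e.g. /opt/recover); on current Ubuntu the key in ufw.conf is written ENABLED=yes, so the edit matches either case and keeps a backup copy for the revert.

```shell
#!/bin/sh
# Added example, not code from the original post: the offline ufw.conf edit
# of Solution 2. Assumes the EBS volume is mounted at $1 (e.g. /opt/recover).

# Flip ufw off in the offline root filesystem; keeps a .bak copy for revert
disable_ufw_offline() {
    conf="$1/etc/ufw/ufw.conf"
    if [ ! -f "$conf" ]; then
        echo "no ufw.conf under $1 (is the volume mounted there?)" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak" || return 1
    # Ubuntu writes the key as ENABLED=yes; match either case to be safe and
    # touch nothing else in the file (LOGLEVEL etc. stay as they were).
    # Writing through '>' keeps the original file's inode and permissions.
    sed 's/^[Ee][Nn][Aa][Bb][Ll][Ee][Dd]=yes[[:space:]]*$/ENABLED=no/' \
        "$conf.bak" > "$conf" || return 1
    grep -q '^ENABLED=no$' "$conf"
}

# Print the current value of ENABLED so it can be verified before unmounting
ufw_conf_state() {
    sed -n 's/^[Ee][Nn][Aa][Bb][Ll][Ee][Dd]=//p' "$1/etc/ufw/ufw.conf"
}

# Usage: sh recover-ufw.sh /opt/recover
if [ -n "$1" ]; then
    disable_ufw_offline "$1" && echo "ufw.conf now has ENABLED=$(ufw_conf_state "$1")"
fi
```

Check the printed state before you unmount. Once you are logged in again, add the ssh rule first (ufw allow 22/tcp) and only then run ufw enable, otherwise the same lockout happens a second time.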

Log in to a Google Compute Engine instance when the ssh port is blocked by the firewall

One of our developers forgot to add port 22 to the allow list of the firewall (Ubuntu ufw). There are two ways to resolve this problem:

  1. If you still have a user/password for that VM, connect to the VM via the Serial Port, log in and open the ssh port again.
  2. If you don't have a user/password (my case), add a Startup Script to that VM, then restart it. The startup script is responsible for opening the port when the VM starts.
Then ... you have your VM back. Cheers!
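A startup script for the second way, as an added example that is not part of the original post. The names SSH_SOURCE, UFW and LOG are assumptions of this example; UFW is overridable so the logic can be exercised against a stub without a real firewall.

```shell
#!/bin/sh
# Added example, not code from the original post: a GCE startup script that
# re-opens the ssh port in ufw on every boot, so it works with nobody logged in.
UFW="${UFW:-ufw}"
LOG="${LOG:-/var/log/reopen-ssh.log}"
# Narrow this to your admin network (a CIDR) rather than leaving it open
SSH_SOURCE="${SSH_SOURCE:-any}"

reopen_ssh() {
    if ! command -v "$UFW" >/dev/null 2>&1; then
        echo "ufw not installed, nothing to do" >> "$LOG"
        return 0
    fi
    # 'ufw allow' is idempotent: an existing identical rule is skipped
    "$UFW" allow from "$SSH_SOURCE" to any port 22 proto tcp >> "$LOG" 2>&1 || return 1
    # reload applies the rule set without disabling the firewall in between
    "$UFW" reload >> "$LOG" 2>&1 || return 1
    # leave the resulting rule set in the log for the next serial-console check
    "$UFW" status verbose >> "$LOG" 2>&1
}

# GCE runs startup scripts as root at every boot; skip when run unprivileged
if [ "$(id -u)" -eq 0 ]; then
    reopen_ssh
fi
```

Attach it with gcloud compute instances add-metadata INSTANCE --metadata-from-file startup-script=reopen-ssh.sh and restart the VM. This only touches the OS firewall; the VPC firewall rule that allows tcp:22 to the instance is separate and must exist as well.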

[GCP] Why I chose Google Cloud Platform over AWS or Azure

My cloud story began with an EC2 instance on the AWS Free Tier five years ago. At first it was cool, it was shiny, it was cheap with no upfront infrastructure cost, and it was easy to manage. Then I dove deeper with more components (S3, Route 53, Lambda, load balancing, Redshift) to build my first cloud-based system. Those days were so beautiful !!!

Then my system grew rapidly, slowed down and got stuck on performance issues. I remember that my EC2 instances were really slow in disk IO (40-60 MB/s) and internal network speed.

I asked myself where to go now. Switch to SSD disks? Increase the instance size (and burn thousands more dollars)? Migrate back to Digital Ocean? Give other cloud providers a try?

The second try, with Azure, did not bring any light at the end of the tunnel: very high prices, a complicated admin dashboard that still shows everything in a one-page web app, and poor documentation.

Finally, I fell in love with GCP: it's simple, good enough, blazing fast and much cheaper, with extras such as the global fiber network, the serverless compute framework, terabyte-scale big data processing, ... It cut 40% of my cost and increased the performance (x2 to x3) of internal services.

Disclaimer: since 2016 I have been a GCP expert qualified by Google.

[GCP] How to move a Google Compute Engine instance between projects

Question: I have two separate Google Cloud projects, A and B. One day I want to move an instance called "Rolling" from project A to project B. How can I do that?

Prerequisite: my account must have rights to access all the projects
1 - Go to project A admin
2 - Create a snapshot of Rolling in Compute Engine / Snapshots
3 - Create a new Compute Engine instance from Rolling's snapshot
4 - Uncheck "delete boot disk when deleting instance" and delete the new instance
5 - Go to Compute Engine / Images, then create an image from this disk
6 - Go to project B admin, then create a new Compute Engine instance whose boot disk is the image from project A
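The same move done with the gcloud CLI instead of the console, as an added example that is not part of the original post. It goes a step beyond the console procedure: an image can be built straight from the snapshot, which replaces the temporary instance of steps 3 to 5. It assumes the boot disk carries the instance's name (the GCE default); project, instance and zone names are placeholders, and GCLOUD is overridable so the command sequence can be checked with a stub.

```shell
#!/bin/sh
# Added example, not code from the original post: move an instance between
# projects via snapshot -> image -> new instance using the gcloud CLI.
GCLOUD="${GCLOUD:-gcloud}"

# move_instance_image SRC_PROJECT DST_PROJECT INSTANCE ZONE
move_instance_image() {
    src_project="$1"; dst_project="$2"; disk="$3"; zone="$4"
    snap="${disk}-snap"; image="${disk}-image"
    # 1. snapshot the boot disk in project A (stop the instance first if you
    #    need a consistent copy of a busy disk)
    "$GCLOUD" compute disks snapshot "$disk" --zone="$zone" \
        --snapshot-names="$snap" --project="$src_project" || return 1
    # 2. build an image directly from the snapshot; no temporary instance
    "$GCLOUD" compute images create "$image" --source-snapshot="$snap" \
        --project="$src_project" || return 1
    # 3. create the instance in project B from the image that lives in A;
    #    the caller needs compute.images.useReadOnly on project A for this
    "$GCLOUD" compute instances create "$disk" --zone="$zone" \
        --image="$image" --image-project="$src_project" \
        --project="$dst_project" || return 1
}

# Usage: sh move-instance.sh project-a project-b rolling us-central1-a
if [ $# -eq 4 ]; then
    move_instance_image "$@"
fi
```

The image stays in project A; delete it and the snapshot there once the new instance in B boots, so no stale copy of the disk lingers with the old project's access controls.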

Add multiple IPv4 addresses in Ubuntu 16.04

  • Check the current ip config
    • root@test:~# ifconfig
      ens3      Link encap:Ethernet  HWaddr 56:00:00:47:7f:96
                inet addr:  Bcast:  Mask:
                inet6 addr: fe80::5400:ff:fe47:7f96/64 Scope:Link
                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                RX packets:59627 errors:0 dropped:0 overruns:0 frame:0
                TX packets:57037 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1000
                RX bytes:7648404 (7.6 MB)  TX bytes:8769103 (8.7 MB)
      lo        Link encap:Local Loopback
                inet addr:  Mask:
                inet6 addr: ::1/128 Scope:Host
                UP LOOPBACK RUNNING  MTU:65536  Metric:1
                RX packets:0 errors:0 dropped:0 overruns:0 frame:0
                TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
                collisions:0 txqueuelen:1
                RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

  • Add ip address
    • root@test:~# ip addr add dev ens3

  • Ping your server's new ip
    • ~ ping
      PING ( 56 data bytes
      64 bytes from icmp_seq=0 ttl=50 time=105.808 ms
      64 bytes from icmp_seq=1 ttl=50 time=112.308 ms
      64 bytes from icmp_seq=2 ttl=50 time=103.794 ms
      --- ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 103.794/107.303/112.308/3.633 ms

  • To keep that ip after a reboot, add the config below at the end of the file /etc/network/interfaces
      auto ens3:0
      iface ens3:0 inet static
        address fff.fff.fff.fff

  • Check the ip addresses of your server
      root@test:~# ip address list
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
          inet scope host lo
             valid_lft forever preferred_lft forever
          inet6 ::1/128 scope host
             valid_lft forever preferred_lft forever
      2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
          link/ether 56:00:00:47:7f:96 brd ff:ff:ff:ff:ff:ff
          inet brd scope global ens3
             valid_lft forever preferred_lft forever
          inet brd scope global ens3:0
             valid_lft forever preferred_lft forever
          inet brd scope global ens3:0
             valid_lft forever preferred_lft forever
          inet scope global ens3
             valid_lft forever preferred_lft forever
          inet scope global ens3
             valid_lft forever preferred_lft forever
          inet brd scope global secondary ens3:0
             valid_lft forever preferred_lft forever
          inet6 fe80::5400:ff:fe47:7f96/64 scope link
             valid_lft forever preferred_lft forever
      3: ens7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
          link/ether 5a:00:00:47:7f:96 brd ff:ff:ff:ff:ff:ff