On-demand instances are registered directly with the SUSE-operated update infrastructure, which provides updates.
Indeed, we can limit traffic so that, using the configured NAT gateway, it only reaches SUSE trusted servers in AWS regions.
IPs can be retrieved thanks to the Public Cloud Information Tracker, e.g.: pint amazon servers --region=eu-west-1 --smt
The problem here is that the IP is statically configured in /etc/hosts, such as: w.x.y.z smt-ec2.susecloud.net smt-ec2
On-demand instances send requests via an HTTP proxy (Squid).
Squid sends a DNS request to the DNS server.
Squid doesn’t receive any DNS answer because smt-ec2.susecloud.net cannot be resolved.
Are IPs static over time? How to fix this?
Yes, the SMT IPs are static, and if we lose one of them and have to allocate a new one we have a whole bunch of trouble. Meaning if you operate in only one region you can create your own entries in your name resolution chain as you see fit. However, if you operate across regions that obviously doesn’t work, as VMs in one region would then point to update servers in another region, meaning you’d potentially pull updates across the world. Something explicitly being avoided by the design and implementation of the SUSE update infrastructure.
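To make the mechanism in the posts above concrete, here is an added example (not code from SUSE, pint, or the thread's participants) that turns server data of the kind pint returns into region-local /etc/hosts entries for smt-ec2.susecloud.net and a Squid ACL that only lets proxied traffic reach that region's SMT IPs. It assumes pint's JSON output has the shape {"servers": [{"ip", "name", "region", "type"}]}; that shape, the sample JSON, and the IP addresses (RFC 5737 documentation ranges) are constructed for illustration and are not real SUSE update server addresses.

```python
"""Region-local SMT host entries and Squid egress ACL from pint-style data.

Added example, not SUSE's, pint's or the thread author's code.
ASSUMPTION (hypothetical): `pint amazon servers --smt --json` yields
{"servers": [{"ip": ..., "name": ..., "region": ..., "type": ...}]}.
"""
import ipaddress
import json

SMT_HOSTNAME = "smt-ec2.susecloud.net"

# Constructed sample mimicking pint JSON output; IPs are RFC 5737
# documentation addresses, NOT real SUSE SMT servers. One entry is
# deliberately malformed to show that it is skipped.
SAMPLE_PINT_JSON = json.dumps({
    "servers": [
        {"ip": "192.0.2.11", "name": SMT_HOSTNAME, "region": "eu-west-1", "type": "smt-sles"},
        {"ip": "192.0.2.10", "name": SMT_HOSTNAME, "region": "eu-west-1", "type": "smt-sles"},
        {"ip": "198.51.100.5", "name": SMT_HOSTNAME, "region": "us-east-1", "type": "smt-sles"},
        {"ip": "not-an-ip", "name": SMT_HOSTNAME, "region": "eu-west-1", "type": "smt-sles"},
    ]
})


def region_smt_ips(pint_json: str, region: str) -> list[str]:
    """Return the SMT IPs for exactly one region, sorted and de-duplicated.

    Filtering on the instance's own region is the point made in the
    thread: entries must never send a VM to another region's servers.
    """
    data = json.loads(pint_json)
    ips = set()
    for server in data.get("servers", []):
        if server.get("region") != region or server.get("name") != SMT_HOSTNAME:
            continue
        try:
            ips.add(str(ipaddress.ip_address(server["ip"])))
        except (KeyError, ValueError):
            continue  # never write a malformed address into /etc/hosts
    return sorted(ips, key=ipaddress.ip_address)


def hosts_entries(ips: list[str]) -> list[str]:
    """Lines in the layout quoted in the thread: 'w.x.y.z smt-ec2.susecloud.net smt-ec2'."""
    short = SMT_HOSTNAME.split(".")[0]
    return [f"{ip} {SMT_HOSTNAME} {short}" for ip in ips]


def merge_hosts(existing: str, ips: list[str]) -> str:
    """Replace any stale smt-ec2 lines in an /etc/hosts body with fresh ones."""
    kept = [line for line in existing.splitlines() if SMT_HOSTNAME not in line.split()]
    return "\n".join(kept + hosts_entries(ips)) + "\n"


def squid_acl(ips: list[str]) -> list[str]:
    """Squid config fragment allowing proxied traffic only to the region's SMT IPs."""
    lines = [f"acl suse_smt dst {ip}" for ip in ips]
    lines += ["http_access allow suse_smt", "http_access deny all"]
    return lines


if __name__ == "__main__":
    ips = region_smt_ips(SAMPLE_PINT_JSON, "eu-west-1")
    print(merge_hosts("127.0.0.1 localhost\n", ips), end="")
    print("\n".join(squid_acl(ips)))
```

Two practical notes. The Squid `dst` ACL matches after Squid resolves the requested hostname, and Squid consults its `hosts_file` (by default /etc/hosts) before DNS, so the same generated hosts entries must be installed on the proxy host, not only on the instances; otherwise the proxy hits exactly the resolution failure described above. Running the generator with the instance's own region as input is what keeps each region's traffic local, as the answer above requires.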
Would you consider using AWS PrivateLink, which would enable us to securely pass data directly to SUSE SMT without ever leaving the AWS network?
It will be a great enhancement for AWS customers.
Here is more information: https://aws.amazon.com/marketplace/saas/privatelink