Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-58578

Public IP can still be assigned when Associate Public IP is disabled, depending on subnet(s)


    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Minor Minor
    • ec2-plugin
    • None
    • Master: Docker jenkins:2.176.2 running in Kubernetes, Workers: CentOS EC2 w/ Docker 18.09.6 and OpenJDK 8, EC2 plugin version: 1.43
    • ec-2.46


      When configuring agent templates for the EC2 plugin, if you choose subnet(s) that have "Auto-assign public IPv4 address" enabled (on the AWS side), then agents will be launched with a public IPv4 address whether "Associate Public IP" is enabled in Jenkins or not. I am not sure if this is the intended behavior of the plugin, but I would like a way to be able to not assign a public IP, even if I've chosen a subnet with this setting enabled.

      Observed/expected behavior

      Given a subnet with "Auto-assign public IPv4 address" enabled in AWS but "Associate Public IP" disabled in Jenkins:

      • Observed: Agent launches with public IP
      • Expected: Agent launches without public IP

      How to reproduce

      In an agent template:

      1. Use a subnet that has "Auto-assign public IPv4 address" enabled in AWS
      2. Ensure "Associate Public IP" is unchecked
      3. Launch an agent using the template
      4. Check EC2 instance in the AWS console or other method
      5. Instance will have a public IPv4 address and public DNS


      This issue unsurprisingly does not occur when using a subnet that has "Auto-assign public IPv4 address" disabled. We are doing this as a workaround for now. The subnets I eventually wish to use happen to have this flag enabled (for other purposes), but for Jenkins I'd like to be able to use these subnets while not assigning public IPs to agents.

      Possible fix

      Based on some digging through the code, I believe the possible culprits are here for on-demand instances and here for spot instances, namely:

      if (getAssociatePublicIp()) {

      Here, if associatePublicIp is true, then true will be passed to the network interface. However, if associatePublicIp is false, then it is likely instead defaulting to whatever is set on the subnet. Given this, I would propose something like the following:

      For "Associate Public IP", utilize a drop-down menu similar to the one in the AWS console itself, which has three options: Use subnet setting (default), Yes, and No. When "No" is selected, explicitly pass in false. Perhaps use an enum for this, similar to ConnectionStrategy.

            thoulen FABRIZIO MANFREDI
            andgoldin Andrew Goldin
            0 Vote for this issue
            5 Start watching this issue