James's questions

So we are setting up and testing new internal systems, using Docker to deploy OpenVPN, Jenkins, and bind all on the same host. We want to restrict access to only come from traffic that originates from our VPN.

For our other internal systems (on different hosts), this works as expected. We can configure ufw to restrict based on the IP of our VPN server, and it works as expected, meaning we can't access when off the VPN, and we can when on the VPN.

However, for the services running within Docker on the same host as our OpenVPN server, traffic never appears to come from the VPN. Connected or not, it always appears to be from the actual IP address of the remote (connecting) client.

OpenVPN is setup using the popular Docker OpenVPN image. We're using the defaults, which means all traffic is supposed to be routed over the VPN connection.

What am I missing/forgetting?

I've recently made a new Ubuntu EBS image on Amazon EC2 and since what I am running isn't of the utmost importance, have decided to run it as a spot instance to take advantage of the lower pricing. What I have come to notice though is that from the time you request the instance to the time it actually starts can be quite lengthy. In the past I've seen it start in a few minutes, but recently it seems to take forever. By forever, I mean earlier today I waited over an hour and then gave up and started a normal instance, and just now I've again been waiting over 30 minutes. The entire time it just sits with a status of "Open", which indicates it hasn't even accepted the spot request.

Even when I'm setting my bid price 50% higher than the current running price history, it still won't start up right away. Does anyone know if this is intended, or am I just missing out on something? Due to this and a variety of other reasons, I'm steadily losing faith in AWS.