Static IP for Auto Scale in AWS

Published 2020-08-25 03:51

Question:

I need all of my instances in an AWS auto scaling group to be configured with (known) static IPs. I will be whitelisting all of these IPs in a mail server later (that's why I need all of them to be static). Is it possible using the regular CloudFormation approach? Maybe assigning a second NIC and assigning it an IP from a static IP range? Any ideas?

Answer 1:

Unfortunately, you can't gain access to any custom IP range for your autoscaling group.

You could get the IP range for the region you are working in, and whitelist all IPs from that region, but this wouldn't blacklist an instance from another AWS account. You can get these ranges here.

You can configure static IPs in AWS - They're called Elastic IPs. An Elastic IP address will persist with an instance between a stop/start. Elastic IPs are also "elastic" in that they can be detached from one network interface or instance and attached to another.

Unfortunately, there is no way to make autoscaling automatically assign an Elastic IP address to newly launched instances. You'd need to write a script that runs when a new instance is launched. You could run this script using EC2 user data.

You could then use the CLI or an SDK. The script would need to allocate a new Elastic IP address to your account, and then associate that Elastic IP with the instance.

Alternatively, you could use Lambda to run a script to do the same thing, but in response to an autoscaling event.

Other problems you might have:

  1. By default, you can only have 5 Elastic IPs in your account per region. You'll need to submit a limit increase to get more - and this could end up being an ongoing problem.
  2. What happens when an instance is terminated in the ASG? That Elastic IP will become disassociated - you get charged for disassociated Elastic IPs. You could always write a Lambda function that runs in response to autoscaling events that releases any disassociated Elastic IPs - but that's even more overhead.

Unfortunately, there is no nice solution to this problem. The easiest method would be to whitelist all Amazon IPs for that region, but you will still have potential security issues.

EDIT: You could also just create a proxy instance. You could configure all the instances in your ASG to direct traffic through the proxy instance. Then you could give the proxy instance an Elastic IP and allow it in your firewalls.

The only potential problem is your proxy server getting overloaded. You'd need to make sure the instance type you used for it could handle the max number of instances allowed in your ASG at full capacity.
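The Lambda variant of the approach described in this answer, as an added example that is not part of the original post. It assumes an EventBridge rule forwarding "EC2 Instance Launch Successful" autoscaling events to the function, and it assumes the operator has pre-allocated a fixed pool of Elastic IPs tagged with a hypothetical `eip-pool` tag (the tag key/value, the environment variable names and the sample data are all constructed). Drawing from a fixed, tagged pool rather than allocating a fresh address on every launch keeps the set of addresses the mail server must allow-list finite and known, avoids running into the per-region Elastic IP quota, and means a terminated instance simply returns its address to the pool instead of leaving a stray allocation behind. If the pool is exhausted the handler fails loudly instead of allocating an unknown address that the allow-list would silently reject.

```python
"""Associate a pre-allocated, tagged Elastic IP with a newly launched
ASG instance (added example; hypothetical tag names and sample data)."""
import os
from typing import List, Optional

# Hypothetical tag that marks the Elastic IPs belonging to the allow-listed pool.
POOL_TAG_KEY = os.environ.get("EIP_POOL_TAG_KEY", "eip-pool")
POOL_TAG_VALUE = os.environ.get("EIP_POOL_TAG_VALUE", "mail-allowlist")

# Constructed sample of the "Addresses" list returned by EC2 DescribeAddresses.
SAMPLE_ADDRESSES = [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-aaaa0001", "Domain": "vpc",
     "InstanceId": "i-0aaaaaaaaaaaaaaa1", "AssociationId": "eipassoc-0001",
     "Tags": [{"Key": "eip-pool", "Value": "mail-allowlist"}]},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-aaaa0002", "Domain": "vpc",
     "Tags": [{"Key": "eip-pool", "Value": "mail-allowlist"}]},
    {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-aaaa0003", "Domain": "vpc",
     "Tags": [{"Key": "Name", "Value": "bastion-unrelated"}]},
]

# Constructed sample EventBridge event for an autoscaling launch.
SAMPLE_EVENT = {
    "detail-type": "EC2 Instance Launch Successful",
    "source": "aws.autoscaling",
    "detail": {"EC2InstanceId": "i-0123456789abcdef0",
               "AutoScalingGroupName": "mail-senders"},
}


def select_free_eip(addresses: List[dict], tag_key: str = POOL_TAG_KEY,
                    tag_value: str = POOL_TAG_VALUE) -> Optional[dict]:
    """Return the lowest-numbered pool address that is not associated with anything.

    An unassociated address from DescribeAddresses carries no AssociationId,
    InstanceId or NetworkInterfaceId. Addresses outside the pool are ignored
    so the function can never hand out (or steal) an unrelated Elastic IP.
    """
    for addr in sorted(addresses, key=lambda a: a.get("PublicIp", "")):
        tags = {t["Key"]: t["Value"] for t in addr.get("Tags", [])}
        if tags.get(tag_key) != tag_value:
            continue  # not part of the pool
        if addr.get("AssociationId") or addr.get("InstanceId") or addr.get("NetworkInterfaceId"):
            continue  # already in use by another instance
        return addr
    return None


def instance_id_from_event(event: dict) -> str:
    """Extract the instance id from an 'EC2 Instance Launch Successful' event."""
    if event.get("detail-type") != "EC2 Instance Launch Successful":
        raise ValueError(f"unexpected event type: {event.get('detail-type')!r}")
    return event["detail"]["EC2InstanceId"]


def lambda_handler(event, context):
    """Lambda entry point: pick a free pool address and associate it."""
    import boto3  # imported here so the selection logic above runs without the SDK
    ec2 = boto3.client("ec2")
    instance_id = instance_id_from_event(event)
    pool = ec2.describe_addresses(
        Filters=[{"Name": f"tag:{POOL_TAG_KEY}", "Values": [POOL_TAG_VALUE]}]
    )["Addresses"]
    free = select_free_eip(pool)
    if free is None:
        # Pool exhausted: fail loudly rather than allocating a new, unknown address
        # that the mail server's allow-list would reject anyway.
        raise RuntimeError(f"no free Elastic IP in pool {POOL_TAG_VALUE!r} "
                           f"for instance {instance_id}")
    ec2.associate_address(
        AllocationId=free["AllocationId"],
        InstanceId=instance_id,
        AllowReassociation=False,  # never take an address away from a live instance
    )
    return {"instance": instance_id, "public_ip": free["PublicIp"]}


if __name__ == "__main__":
    # Offline demonstration of the selection logic on the constructed sample.
    chosen = select_free_eip(SAMPLE_ADDRESSES)
    print(instance_id_from_event(SAMPLE_EVENT), "->", chosen and chosen["PublicIp"])
```

Scale the pool to the ASG's maximum size so a free address always exists at full capacity, and give the function's role only `ec2:DescribeAddresses` and `ec2:AssociateAddress` (never `ec2:AllocateAddress`), so a bug or a compromised function cannot grow the set of addresses beyond what the mail server knows about.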



Answer 2:

A workaround is making your instances use a NAT gateway to connect to the mail server. You'll have to put them in a subnet where requests for the email server get routed to the NATGW.

You will just have to whitelist the elastic IP of the NATGW.

Check the cost first though: NAT gateways have a fixed cost of about $2/day + small cost per GB of traffic.



Answer 3:

It sounds like what you're looking for is an Elastic IP.

An Elastic IP address is a static IP address designed for dynamic cloud computing. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. Your Elastic IP address is associated with your AWS account, not a particular instance, and it remains associated with your account until you choose to release it explicitly.

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html



Answer 4:

We achieved this by assigning the static IPs using CloudFormation, and the IPs were picked up from the VPC subnet.



Answer 5:

The @Saboo solution is valid. You need to map the public IP when launching in the subnet.

Here is the Terraform script for this:

Attaching an EIP to an Instance with a pre-assigned private IP (VPC Only):

# Terraform 0.11-style syntax: "${...}" interpolation and depends_on as a list of strings.

resource "aws_vpc" "default" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
}

# Internet gateway so the EIP is reachable; the subnet and EIP depend on it.
resource "aws_internet_gateway" "gw" {
  vpc_id = "${aws_vpc.default.id}"
}

resource "aws_subnet" "tf_test_subnet" {
  vpc_id                  = "${aws_vpc.default.id}"
  cidr_block              = "10.0.0.0/24"
  map_public_ip_on_launch = true

  depends_on = ["aws_internet_gateway.gw"]
}

resource "aws_instance" "foo" {
  # us-west-2
  ami           = "ami-5189a661"
  instance_type = "t2.micro"

  # Fixed private address inside the subnet's CIDR; the EIP below binds to it.
  private_ip = "10.0.0.12"
  subnet_id  = "${aws_subnet.tf_test_subnet.id}"
}

resource "aws_eip" "bar" {
  vpc = true

  instance                  = "${aws_instance.foo.id}"
  associate_with_private_ip = "10.0.0.12"
  depends_on                = ["aws_internet_gateway.gw"]
}