ROS Resources: Documentation | Support | Discussion Forum | Index | Service Status | ros @ Robotics Stack Exchange
Ask Your Question

ROS_MASTER_URI for amazon EC2 server

asked 2017-03-14 17:34:36 -0500

dan gravatar image

I have ROS Indigo working well on an Amazon EC2 server. I can ping the server OK, although I had to setup the amazon security group to allow that. However, I am unable to get a response to rostopic list.

On the amazon server, if I set ROS_IP to the public IP address, then different terminal windows do not communicate ROS messages, or even see the master, so I have to set ROS_IP to the local IP address.

I tried setting the remote ROS_MASTER_URI to the public IP address (that I can ping OK) and port 11311 but ROS does not respond. rostopic list does not return at all, not even with "unable to find master."

What do I need to do for ROS networking to access the Amazon EC2?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2017-03-15 01:07:12 -0500

ahendrix gravatar image

tl;dr: Don't. Use a VPN instead.

Running a ROS master on a public IP isn't really a good idea, since anyone can discover it and poke around in your system. Someone at Defcon a few years back had a ROS robot on an open network and was inviting people to hack it, and I was able to inspect and take control of it in about 30 minutes.

Instead, I would recommend that you set up a VPC and connect remote clients to it over VPN. I haven't done this much but this guide looks like a good starting point:

EC2's network setup is a bit like being behind a NAT firewall, since the public IP isn't actually bound on the local machine. External nodes need to use one IP and on-machine nodes need to use the local IP, so when I've had to do this I used the machine's hostname in the ROS_MASTER_URI and ROS_HOSTNAME; and then make sure that the DNS record for the hostname resolves to the public IP, and then add an override for it in the EC2 instance's /etc/hosts that resolves to

edit flag offensive delete link more


re: defcon hacking a ROS robot: at ROSCon16 Ian Chen talked about running Gazebo 'in the cloud'. Part of his talk was to show the current state of gazebo web client, etc. As the GAZEBO_MASTER_URI was visible, attendees started connecting to his gzserver and spawning objects in the simulation ..

gvdhoorn gravatar image gvdhoorn  ( 2017-03-15 02:41:33 -0500 )edit

.. which was all rather funny, but a good example of why you don't want to do this (video around 12:35). ROS (1) delegates security of your node graph to other systems, and a VPN is a good example of one.

gvdhoorn gravatar image gvdhoorn  ( 2017-03-15 02:43:34 -0500 )edit

Thanks for the detailed answer Austin. Those are excellent points. I'm going through the process of setting up a VPN on the AWS EC2 machine.

dan gravatar image dan  ( 2017-03-15 14:41:59 -0500 )edit

Got the VPN working. I can send ROS topics one way but not the other. Running roscore on my local machine, with ROS_MASTER_URI on both the local machine and the amazon machine set to the local machine's VPN IP, all OK. But if the amazon machine is master, the local machine cannot see ROS topics.

dan gravatar image dan  ( 2017-03-15 16:12:45 -0500 )edit

In both cases, I set the local machine's ROS_IP to its VPN IP and the amazon machine's ROS_IP to its VPN IP. They each can ping the other's VPN IP. netcat works if the local machine is the listener, it fails if the amazon machine is the listener.

dan gravatar image dan  ( 2017-03-15 16:13:32 -0500 )edit

It seems like the local machine can't connect to a listening socket on the amazon server. Perhaps the listening process on the amazon machine is binding to an IP instead of listening on all addresses; netstat -tlp will show the address that each listening port/process is bound to.

ahendrix gravatar image ahendrix  ( 2017-03-15 19:03:08 -0500 )edit

I tried putting the VPN server on my local machine and making the amazon machine the client. The VPN works, I can ping, but netcat fails when the amazon machine listens, same as before. I tried netstat and got lines of results, mostly localhost:port_number. I don't know how to interpret that.

dan gravatar image dan  ( 2017-03-16 00:16:21 -0500 )edit

A bit more data. With the VPN, I can ping the VPN IPs ( host, client) from both machines. I can ping the amazon machine local IP address (172.31...) from my machine. However, the amazon machine cannot ping my local IP address (192.168....) , it can ping only the VPN IP (

dan gravatar image dan  ( 2017-03-16 11:48:07 -0500 )edit

Question Tools



Asked: 2017-03-14 17:34:36 -0500

Seen: 1,922 times

Last updated: Mar 15 '17