Add no-public-ip option to instance groups

[justinsb]

We should be able to configure instance groups to not get a public IP.

This won't work for the master unless users have a VPC or bastion host though. But it is a good idea for the nodes.

[RXminuS]

I think this should then co-incide with how nodes are put into (public/private) subnets as well to follow AWS best practices. That way we could have all our backend services in a private subnet and only frontend services on nodes in a public subnet

[ProTip]

We would be looking to run all nodes in private subnets including master nodes(which might actually be the only nodes depending on the deployment size). Any API or other traffic coming into the cluster from outside would be proxied through ELB's or or some other means.

I can see the need to run an instance group in a public subnet for providing public services depending on the type of infrastructure being run. However, I would say this would be the exception in use cases for many AWS users who are trying to run some services in a VPC setup that won't raise red flags during security reviews. In that use case the bog standard minimal DMZ with bastions + private subnets for everything else is going to raise the fewest eyebrows..

[chrislovecnm]

@kris-nova here is another one for you :)

[justinsb]

This is implemented: we have topologies & a no-public-ip option on the instance group. If anything, we shouldn't have both options, but this is fixed.