With WMI filter on GPO, we can target specific IP range for example. But how can I target user's computer IP into a RDS user session?
Indeed, if I use WMI request like that
Select * FROM Win32_IP4RouteTable WHERE (Mask='255.255.255.255' AND (Destination Like '10.10.10.%'))
IP is that of the session, i.e. of the RDS host, not that of the user's computer.
So, is there a WMI request or anything else I can use to target this IP?
Thanks.
Related
I have an AWS Client VPN set up using certificate auth. I'm setting this up for a client-client access system, essentially as is described in this AWS scenario/example. It's all working, and I can ping from one client to another if I know their IP address.
My question is: in actual use, what use is this system if clients get assigned a random IP address every time they connect to the VPN, and there's no way to tell which clients are connected or what their IP addresses are without checking the AWS console or using the describe-client-vpn-connections CLI (which requires IAM credentials)?
Is there any way to:
Assign static IP addresses to specific clients, so they receive the same one every time they connect to the VPN?
Get a list of connected clients (with their CommonName and IP address)?
Use a connected client's host name / computer name instead of their random VPN IP address?
Any other way to connect from one client to another without having to use the AWS Console or describe-client-vpn-connections CLI to get a list of connected clients?
Much of what you're asking for is not possible. In many organizations, client-to-client communication is not the norm. For client-to-server communication, AWS Client VPN works well.
There is no way to assign static IP addresses to specific clients.
You can get a list of current connections and client IP addresses with the following AWS CLI command:
aws ec2 describe-client-vpn-connections --client-vpn-endpoint-id (endpoint ID)
You might be able to get your clients to register via a shared DNS server to get their VPN IP address.
I suspect you'll have better luck rolling your own VPN solution with something like OpenVPN, which much of the AWS Client VPN is built off of.
I created a new SQL Server Express with 'admin' username & password.
I added inbound rules in Security Groups to allow all traffic from my laptop's IP address & default gateway (Do I need to do both Ipv4 address & also the gateway for connectivity to go thru?)
When I tried to connect to the newly created SQL Server via SSMS using SQL Server authentication with username admin & password that I used while creating the Instance. The connection fails with the error message below. What am I doing wrong?
TITLE: Connect to Server
Cannot connect to sql-xxxxxxxxxxxxx.rds.amazonaws.com.
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (Microsoft SQL Server, Error: 53)
Check Public access for RDS Instance: You are trying to access the RDS instance from your laptop - means trying to access RDS from outside VPC that is hosting the instance. In that case you must enable public access to the RDS instance. This would assign a public IP. You can modify this feature after creating the RDS instance too.
Security Group rules: Port 1433 must be opened for the IP address you would like to access from - your home/work IP address. You can select 'My IP' on source when creating Security Group rules, this will set your IP automatically as source.
PS: Please make sure the subnet where RDS instance is hosted does not have any blocks at NACL level and subnet's route table has route to internet traffic, through Internet Gateway.
I'm trying to set up an SFTP server managed by AWS that has a fixed IP address which external clients can whitelist in a firewall. Based on this FAQ this is what I should do:
You can enable fixed IPs for your server endpoint by selecting the VPC endpoint for your server and choosing the internet-facing option. This will allow you to attach Elastic IPs (including BYO IPs) to your server’s endpoint, which is assigned as the endpoint’s IP address
So I followed the official instructions here under "Creating an Internet-Facing Endpoint for Your SFTP Server". The creation settings look like this:
The result looks like this:
Compare with the result screenshot from the docs:
(source: amazon.com)
My result is almost the same, except that under the table "Endpoint Configuration" the last column says "Private IPv4 Address" instead of 'Public'. That's the first red flag. I have no idea why it's a private address. It doesn't look like one, it's the IP address of the Elastic IP that I created, and the endpoint DNS name s-******.server.transfer.eu-west-1.amazonaws.com resolves to that IP address on my local machine.
If I ping the endpoint or the IP address, it doesn't work:
451 packets transmitted, 0 received, 100% packet loss, time 460776ms
If I try connecting with sftp or ssh it hangs for a while before failing:
ssh: connect to host 34.****** port 22: Connection timed out
Connection closed
The other potential problem is security groups:
At this point, your endpoint is assigned with the selected VPC's default security group. To associate additional or change existing security groups, visit the Security Groups section in the https://console.aws.amazon.com/vpc/.
These instructions don't make sense to me because there's nowhere in the Security Groups interface that I can assign a group to another entity such as a transfer server. And there's nowhere in the transfer server configuration that mentions security groups. How do I set a new security group?
I tried changing the security group of the Network Interface of the Elastic IP, but I got a permission error even though I'm an administrator. Apparently I don't actually own ENIs? In any case I don't know if this is the right path.
The solution was to find the endpoint that was created for the server in the "Endpoints" section of the VPC console. The security groups of the endpoint can be edited.
The "Private IPv4 address" seems to be irrelevant.
The default security group controls access to the internet-facing endpoint for the new sftp server in a vpc. Mess around with the default security group ingress rules for the vpc selected for the sftp server. Or, white list the exact ip address connecting to the sftp endpoint in the default security group.
If the admin says ho hum, create a second vpc for the sftp server if isolation is absolutely necessary. Fiddle with the default group in the new, isolated vpc.
Link:
Creating an Internet-Facing endpoint for Your sftp server
Happy transferring!
I have created a Database using SQL Server in Visual Studio. I have an Azure account where I want to store my datasabe. The problem is that I need to get the IP Address from the Azure account to write it in the code line.
This is the line I am refering to
(SQLDriverConnect(SQLConnectionHandle, NULL, (SQLCHAR*)"DRIVER=(SQL Server); SERVER=, ; DATABASE= projectBD; UID= myID; PWD= myPW", SQL_NTS, retConString, 1024, NULL, SQL_DRIVER_NOPROMPT))
In the SERVER part I need to write the IP of the server but I do not really know how to get it.
Help is much appreciated
By default, you use the DNS Name for the SQL Server to connect to. That's something like yourservername.database.windows.net.
For more information on Azure SQL connectivity, see Azure SQL Connectivity Architecture.
Taken from that article:
Connection Policy Proxy: all connections are proxied via the Azure SQL Database gateways. To enable connectivity, the client must have outbound firewall rules that allow only the Azure SQL Database gateway IP addresses (usually two IP addresses per region).
And
If you are connecting from outside Azure, your connections have a connection policy of Proxy by default. A policy of Proxy means that the TCP session is established via the Azure SQL Database gateway and all subsequent packets flow via the gateway.
The article also holds a list of all Azure SQL Database gateway IP addresses you could use to determine the IP address to use.
I have a domain that I own. I will say is example.com. I added SSO.example.com as a Type A record on GoDaddy with a value of 37.89.245.2(example).
The IP address is a elastic IP on a Windows AWS server.
I can ping the IP address but I can't ping the URL. Do I need to do something with the IP address on the AWS Windows server to be able to ping the URL?
This is pretty much one of my first web based projects so any help would be appreciated!
Ping is not a reliable test method in AWS because most security groups do not permit inbound ICMP protocol, which is used by Ping. So, if you really want to test connectivity, do it on a port that you actually need your application to support, such as HTTP (80) or trying an SSH/RDP connection.
Another common use for a Ping is to resolve the domain name to an IP address, since it displays the result on-screen. This can be a good way to check that your Amazon Route 53 configuration is correct. (Same as a dnslookup.)
I was jumping the gun a bit and the new NameServers I was using had not replicated completely yet. After replication completed everything was able to be pinged successfully.