Botocore firewall ports - amazon-web-services

I have a docker image running on an EC2 instance that tries to issue an AWS command, and I get this error:
botocore.exceptions.ConnectTimeoutError: Connect timeout on endpoint URL: "https://ec2.us-east-2.amazonaws.com/"
If I give the EC2 instance a Security Group that can access everything, it works. But I'm looking for a more limited set of rules. I already tried giving it only ports 443 and 80 (both ingress and egress) but it doesn't work.
Any other configuration I should try?
Thanks,

Related

Can't reach to an AWS EC2 instance website

I just launched an instance on AWS and I'm trying to open the website. So I copy the Public IPv4 address and paste it into my browser. But it always returns "This site can't be reached 35.78.183.239 took too long to respond."
I've changed my firewall settings to allow Google Chrome and set the security groups to HTTP, HTTPS. I can't figure out where the problem is. Any suggestions?
You didn't specify what webserver or AMI is on your EC2 instance.
You need to set up an AMI or manually install and set up a webserver for anything to show; otherwise the EC2 instance, while reachable, will not respond.
Make sure that ssh access is enabled and try to ssh into the machine. If you can successfully log in, then you know the instance is reachable and the problem is with your webserver software. This will help you debug.
What port is your application running on? When you enable HTTP and HTTPS it only allows ports 80 and 443 on the security group. This won't help if your application runs on a different port, so you'll need to add that port to your security group to allow inbound traffic.

ALB results in 504 gateway time out error with ECS

I have an httpd container with an ECS service along with an ALB.
The container with the ALB is using the dynamic port feature, which means the host port is set to 0.
If I try to ssh into an instance container and curl localhost:<port number>, it works.
But when I try to use the ALB DNS name it returns 504.
The ALB security group allows HTTP 80 connections from anywhere and the instance SG allows any connection on any port from the ALB SG.
Interestingly, when I check the target group associated with the ALB, all the instances are unhealthy.
Update: I tried opening the security group of the ECS container to the public and yet the instances were not healthy.
You need to check the events of the ECS service and see what the exact error message is. If it states something like "port 45675 is unhealthy" then you need to check your security group configuration; that should get rid of the 504 error message. If it states "health check failed" (this should give a 502) then you should ssh into the container, check which port the application is running on, and create a new service with the modification.
This assumes you have configured the health check for the traffic port and haven't modified it.
The httpd service generally works on port 80, so I'd suggest using 80 as the container port.
504 is a Gateway Timeout error; if the above information doesn't help, you can look at the AWS link here - https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-http-5xx/
If you can share the error message from the ECS events, that will help in narrowing down the issue.
Adding the screenshots of the changes I made to fix the issue; I hope it helps. I am assuming you are using the default httpd image -

EC2 status unhealthy in Target Groups

I am using an AWS Application Load Balancer to connect to a target group that has an EC2 instance with Docker installed using cloud-init scripts. I am running an Nginx Docker container inside EC2.
I am getting a request timeout exception as the information.
I connected to the target and checked if the service is available; I received the nginx default page. Performing a curl -I on the internal IP also gives response code 200.
Please help me in understanding how I can troubleshoot this to get the root cause.
Thanks in advance
The configuration should be:
A security group on the Application Load Balancer (ALB-SG) permitting inbound traffic from, presumably, the whole Internet (0.0.0.0/0) on the appropriate ports (80, 443?)
A security group on the EC2 instance (App-SG) that permits inbound access from ALB-SG on the appropriate ports (80, 443?)
That is, App-SG should specifically reference ALB-SG. (Type in the name, it will resolve to a sg-xxx ID.)
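Added example (my own code, not from any poster and not an AWS library): a small model of how security-group rules decide whether a connection is allowed. It illustrates the answer above (App-SG referencing ALB-SG by group id instead of a CIDR) and the two outbound-443 questions on this page (an instance that only calls the AWS API needs an egress rule for TCP 443 and no ingress rule at all, because security groups are stateful). It also flags Internet-wide ingress rules on non-web ports, like the TensorBoard 6006 rule further down. Group ids (sg-alb, sg-app, sg-tb) and all addresses are constructed, and the evaluation is a simplification of what AWS does.

```python
# Added example (not AWS code, not from any poster): a toy model of AWS
# security-group evaluation. All ids and addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp" or "-1" for all protocols
    from_port: int  # -1 means every port
    to_port: int
    source: str     # a CIDR such as "0.0.0.0/0", or a group id such as "sg-alb"


@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)


@dataclass
class Host:
    ip: str
    # No groups means the host is outside the VPC (an Internet client or an
    # AWS API endpoint): no security group governs its side of the flow.
    groups: list = field(default_factory=list)


def _rule_matches(rule, protocol, port, peer):
    """True if `rule` covers `protocol`/`port` from (or to) `peer`."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.from_port != -1 and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):
        # A group reference matches any ENI carrying that group, whatever its IP.
        return any(g.group_id == rule.source for g in peer.groups)
    return ip_address(peer.ip) in ip_network(rule.source)


def connection_allowed(src, dst, protocol, port):
    """Can `src` open a new connection to `dst`:`port`?

    The source's egress rules and the destination's ingress rules must both
    permit it. Reply packets need no rule of their own: security groups track
    connection state, so an egress-only rule is enough for an outbound API call.
    """
    egress_ok = not src.groups or any(
        _rule_matches(r, protocol, port, dst) for g in src.groups for r in g.egress)
    ingress_ok = not dst.groups or any(
        _rule_matches(r, protocol, port, src) for g in dst.groups for r in g.ingress)
    return egress_ok and ingress_ok


def overly_broad_ingress(sg, web_ports=(80, 443)):
    """Flag ingress rules open to the whole Internet on anything but the web ports
    (for example a TensorBoard port 6006 published to 0.0.0.0/0)."""
    return [r for r in sg.ingress
            if r.source in ("0.0.0.0/0", "::/0")
            and not (r.from_port == r.to_port and r.from_port in web_ports)]


def build_scenario():
    """The ALB -> instance layout from the answer, plus an egress-only rule for the API."""
    alb_sg = SecurityGroup("sg-alb",
                           ingress=[Rule("tcp", 80, 80, "0.0.0.0/0"),
                                    Rule("tcp", 443, 443, "0.0.0.0/0")],
                           egress=[Rule("-1", -1, -1, "0.0.0.0/0")])
    app_sg = SecurityGroup("sg-app",
                           ingress=[Rule("tcp", 80, 80, "sg-alb")],      # group reference, not a CIDR
                           egress=[Rule("tcp", 443, 443, "0.0.0.0/0")])  # outbound API calls only
    alb = Host("10.0.1.10", [alb_sg])
    app = Host("10.0.2.20", [app_sg])
    client = Host("203.0.113.5")    # constructed Internet client (TEST-NET-3 address)
    api = Host("198.51.100.44")     # constructed stand-in for ec2.<region>.amazonaws.com
    return alb, app, client, api


if __name__ == "__main__":
    alb, app, client, api = build_scenario()
    print("client -> ALB:80 ", connection_allowed(client, alb, "tcp", 80))   # True
    print("ALB -> app:80    ", connection_allowed(alb, app, "tcp", 80))      # True
    print("client -> app:80 ", connection_allowed(client, app, "tcp", 80))   # False: only sg-alb may reach it
    print("app -> API:443   ", connection_allowed(app, api, "tcp", 443))     # True: egress rule, reply is stateful
    print("app -> API:80    ", connection_allowed(app, api, "tcp", 80))      # False: no egress rule for 80
    tb_sg = SecurityGroup("sg-tb", ingress=[Rule("tcp", 443, 443, "0.0.0.0/0"),
                                            Rule("tcp", 6006, 6006, "0.0.0.0/0")])
    print("broad rules on sg-tb:", overly_broad_ingress(tb_sg))             # the 6006 rule
```

The point the model makes visible: the instance never needs an inbound 443 rule to make API calls, and the instance's ingress rule should name the load balancer's group rather than a CIDR, so that nothing else that happens to share an address range can reach the application port.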

Accessing Tensorboard on AWS

I'm trying to access Tensorboard on AWS. Here is my setup:
Tensorboard: tensorboard --host 0.0.0.0 --logdir=train, which prints:
Starting TensorBoard b'39' on port 6006 (You can navigate to
http://172.31.18.170:6006)
AWS Security groups (in):
HTTPS TCP 443 0.0.0.0/0
Custom_TCP TCP 6006 0.0.0.0/0
However, connecting to ec2-blabla.us-west-1.compute.amazonaws.com:6006 I can't see anything; I basically can't connect.
Do you have any idea?
You can use the ssh tunneling technique.
In your terminal:
ssh -i /path/to/your/AWS/key/file -NL 6006:localhost:6006 user@host
where:
user and host: your AWS EC2 user and instance-specific hostname.
-N: don't execute a remote command (just forward ports)
-L: [bind_address:]port:host:hostport
After that, browse to http://localhost:6006/
Run tensorboard in your ec2 terminal (you can custom logdir and port)
tensorboard --logdir=data/model --port=8080
Find your workstation's public IP address (a.b.c.d) by visiting http://ip4.me/
Access the security group configuration assigned to your EC2 instance and add a custom TCP rule to your inbound traffic.
Outbound should be set to allow traffic from the tensorboard port (in this case 8080). Or you can just allow all outgoing traffic from your EC2 instance:
Protocol      Port Range   Destination   Description
All traffic   All          0.0.0.0/0
Use your public DNS to access tensorboard from your workstation
http://ec2-xx-xxx-xx-xx.compute-1.amazonaws.com:8080/
Fast (but insecure) solution:
Run:
tensorboard --logdir=/training --host=0.0.0.0 --port=8080
on your AWS instance.
Make sure that both your inbound and outbound rules in the AWS console (control center) are as unrestricted as possible (allow all types, all ports, etc.). However, keep in mind that this solution is not recommendable for environments requiring security (in our case, we didn't consider security for training an NN).
An attempt to explain why this works: when the policy is set as described, AWS still seems to prohibit inbound/outbound connections on the standard tensorboard port 6006. This does not seem to apply to the port 8080.
Long (but more secure) solution:
See: https://blog.altoros.com/getting-started-with-a-cpu-enabled-tensorflow-instance-on-aws.html
(provides explanations for setting ports correctly on AWS)
I managed to set it up like this:
Go to security groups in your ec2 console:
Choose the relevant security group in the table, click edit.
Add a rule like this:
Start tensorboard: tensorboard --logdir tf_summary/ --port 8080
Find out the URL of your instance and visit http://yourURL:8080
Simply run tensorboard without the host parameter (which imposes restrictions):
tensorboard --logdir XXX --port 6006
I suffered from the same problem for several days.
Fortunately I solved this issue by adding a rule in "AWS Outbound rules", just as I had added an "AWS Inbound rule".
Regardless of this setting, it works at home.
The same error is still happening only in the company.

AWS Command Line: What does "Outbound connections on 443 must be enabled" mean?

Network Newbie here.
Background
I am trying to use the AWS Command Line utility to connect to my instances on the AWS cloud.
Problem
When I try a simple command (from either local machine or EC2) such as...
aws ec2 describe-instances
I get...
Could not connect to the endpoint URL: "https://ec2.sa-east-1a.amazonaws.com/"
Which is fine and dandy because, according to the AWS Command Line User Manual, I should take note of:
The AWS CLI makes API calls to services over HTTPS. Outbound connections
on TCP port 443 must be enabled in order to perform calls.
But what is that supposed to mean in the first place? I find the above statement as clear as a glass of muddy water.
1) Should I go to the 'Security Group' of my instance and set inbound rules to 'HTTPS TCP 443 0.0.0.0/0'? (Doesn't work)
2) Or set outbound rules to 'HTTPS TCP 443 0.0.0.0/0'? (Doesn't work)
3) Does the above statement have anything to do with the 'Security Groups'?
4) If it doesn't, then what should I do on my machine in order to 'enable port 443'? That being said...
5) Should I RUN the AWS Command Line utility from my local machine or from my EC2 remote server?
I'd appreciate some guidance so I can start solving my problem.
Thanks in advance!
You have your region configured as "sa-east-1a", but the region is actually "sa-east-1". Your availability zones are sa-east-1a, sa-east-1b, etc.
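Added example (my own code, not from the poster and not an AWS tool): a check that catches the mistake in the answer above, an availability zone name used where a region name belongs, by parsing the endpoint URL out of the CLI or botocore error before anyone starts opening firewall ports. It also recognises the well-formed region in the botocore error at the top of the page, where the name is fine and the problem is outbound 443 reachability. The region-name pattern is my assumption about how AWS region strings are shaped, not an AWS-published grammar, and the sample error lines are constructed from the ones quoted on this page.

```python
# Added example (not from the poster, not an AWS tool): tell "wrong region name"
# apart from "no route to the endpoint" when the AWS CLI cannot connect.
import re
from urllib.parse import urlparse

# Assumption: regions look like "sa-east-1" or "us-gov-west-1"; an availability
# zone is the region followed by one letter ("sa-east-1a"), which the CLI will
# splice into an endpoint hostname that does not exist.
REGION_RE = re.compile(r"^([a-z]{2}(?:-gov)?-[a-z]+-\d+)([a-z])?$")


def check_region(value):
    """Return (status, region_to_use); status is "ok", "availability-zone" or "invalid"."""
    m = REGION_RE.match(value)
    if not m:
        return "invalid", None
    region, az_suffix = m.groups()
    return ("availability-zone" if az_suffix else "ok"), region


def region_from_endpoint(url):
    """Pull the region label out of a hostname like ec2.sa-east-1a.amazonaws.com."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    # Assumes the common <service>.<region>.amazonaws.com shape; other
    # partitions (e.g. amazonaws.com.cn) are out of scope for this example.
    if len(labels) < 4 or labels[-2:] != ["amazonaws", "com"]:
        return None
    return labels[-3]


def diagnose(error_line):
    """Parse a CLI/botocore 'endpoint URL' error and report whether the region is the problem."""
    m = re.search(r'endpoint URL: "([^"]+)"', error_line)
    if not m:
        return {"status": "no-endpoint", "endpoint": None, "region": None, "use_region": None}
    endpoint = m.group(1)
    region = region_from_endpoint(endpoint)
    if region is None:
        return {"status": "unrecognised-endpoint", "endpoint": endpoint,
                "region": None, "use_region": None}
    status, use_region = check_region(region)
    return {"status": status, "endpoint": endpoint, "region": region, "use_region": use_region}


# Constructed samples: the first mirrors the question above, the second the
# botocore timeout at the top of the page (a valid region, so the cause is
# network reachability on TCP 443, not the name).
SAMPLE_ERRORS = [
    'Could not connect to the endpoint URL: "https://ec2.sa-east-1a.amazonaws.com/"',
    'botocore.exceptions.ConnectTimeoutError: Connect timeout on endpoint URL: '
    '"https://ec2.us-east-2.amazonaws.com/"',
]

if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        d = diagnose(line)
        if d["status"] == "availability-zone":
            print(f"{d['region']!r} is an availability zone; configure region {d['use_region']!r}")
        elif d["status"] == "ok":
            print(f"{d['region']!r} is a well-formed region; check outbound TCP 443 reachability instead")
        else:
            print(d)
```

Run it against the text of the error rather than the configured value: the endpoint hostname is what the CLI actually built from your settings, so it reflects the region string in use even when several config sources (environment, profile, command-line flag) disagree.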