I tried to connect Amazon Redshift to my local computer using pycopg2. However, I got an error message:
psycopg2.OperationalError: could not connect to server: Operation timed out. Is the server running on host xxx and accepting TCP/IP connecitons on posrt 5439
I have done two guides with searching google:
Changed the Publicly Accessible setting as enable, and
Add 0.0.0.0/0 and ::/0 to VPC route as gateway.
It still doesn't work. Please let me know if you know what the problem is.
Things to check:
Check the Security Group associated with the Redshift cluster and confirm that it permits access on port 5439 from your IP address
Check that the Redshift cluster was launched in a Public Subnet (with the Route Table for that subnet pointing to 0.0.0.0/0 to the Internet Gateway)
Make sure you are connecting by using the DNS Name (If you ping the DNS Name, does it resolve to an IP address?)
Try going via a different network (eg home vs office vs tethered via your phone)?
Related
I'm trying to set up an SFTP server managed by AWS that has a fixed IP address which external clients can whitelist in a firewall. Based on this FAQ this is what I should do:
You can enable fixed IPs for your server endpoint by selecting the VPC endpoint for your server and choosing the internet-facing option. This will allow you to attach Elastic IPs (including BYO IPs) to your server’s endpoint, which is assigned as the endpoint’s IP address
So I followed the official instructions here under "Creating an Internet-Facing Endpoint for Your SFTP Server". The creation settings look like this:
The result looks like this:
Compare with the result screenshot from the docs:
(source: amazon.com)
My result is almost the same, except that under the table "Endpoint Configuration" the last column says "Private IPv4 Address" instead of 'Public'. That's the first red flag. I have no idea why it's a private address. It doesn't look like one, it's the IP address of the Elastic IP that I created, and the endpoint DNS name s-******.server.transfer.eu-west-1.amazonaws.com resolves to that IP address on my local machine.
If I ping the endpoint or the IP address, it doesn't work:
451 packets transmitted, 0 received, 100% packet loss, time 460776ms
If I try connecting with sftp or ssh it hangs for a while before failing:
ssh: connect to host 34.****** port 22: Connection timed out
Connection closed
The other potential problem is security groups:
At this point, your endpoint is assigned with the selected VPC's default security group. To associate additional or change existing security groups, visit the Security Groups section in the https://console.aws.amazon.com/vpc/.
These instructions don't make sense to me because there's nowhere in the Security Groups interface that I can assign a group to another entity such as a transfer server. And there's nowhere in the transfer server configuration that mentions security groups. How do I set a new security group?
I tried changing the security group of the Network Interface of the Elastic IP, but I got a permission error even though I'm an administrator. Apparently I don't actually own ENIs? In any case I don't know if this is the right path.
The solution was to find the endpoint that was created for the server in the "Endpoints" section of the VPC console. The security groups of the endpoint can be edited.
The "Private IPv4 address" seems to be irrelevant.
The default security group controls access to the internet-facing endpoint for the new sftp server in a vpc. Mess around with the default security group ingress rules for the vpc selected for the sftp server. Or, white list the exact ip address connecting to the sftp endpoint in the default security group.
If the admin says ho hum, create a second vpc for the sftp server if isolation is absolutely necessary. Fiddle with the default group in the new, isolated vpc.
Link:
Creating an Internet-Facing endpoint for Your sftp server
Happy transferring!
Cannot ssh into Amazon EC2 instance, this seems to be very common problem but I have tried everything suggested in all available documents, anyone else have any idea what is missing from below?
Created new EC2 instance and downloaded the .pem file
Created a new inbound rule in EC2 instance Security group allow my local IP
Created a new inbound rule in EC2 instance Network ACL to allow my local IP
Created a new outbound rule in EC2 instance Network ACL to reach my local IP
Made sure the VPC route is attached to internet gateway
Made sure EC2 instance is attached to correct security group
After all this when I try to ssh from my local machine I'm getting connection timed out ,is there anything else I have to do
I have also disabled firewall and tested just incase
ssh -vvv -i key.pem ec2-user#********
OpenSSH_7.1p2, OpenSSL 1.0.1g 7 Apr 2014
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to ec2-instance [********] port 22.
debug1: connect to address ****** port 22: Connection timed out
ssh: connect to host ******* port 22: Connection timed out
A timeout is normally an indication that there is no network connectivity. This is almost always related to the Security Group. It the error returns immediately, it means that the instance received, but rejected, the connection. If it takes a long time to respond, it typically means that the request is not reaching the instance.
Some suggestions:
Confirm that the instance has been assigned a Public IP address
Confirm that the security group is permitting Inbound Port 22 (SSH) for your IP address. In fact, for testing purposes, temporarily allow it from 0.0.0.0/0 just to eliminate one potential cause of the problem.
Remove your NACL entries. The default NACL entries permit ALL inbound and outbound access. Your changes might have negatively impacted this.
Confirm that the it is a Linux instance (Windows does not support SSH by default)
Confirm the instance is in the Public Subnet (the one with your route to the Internet Gateway)
It is possible that your network is rejecting the connection (eg due to firewall rules). Try using a different computer and/or a different network (eg home vs office) to eliminate this as a cause.
I am setting up a redshift database on AWS and I've followed the instructions on this article - https://chartio.com/resources/tutorials/connecting-to-a-database-within-an-amazon-vpc/
I am unable to connect to the database.
Here's my setup -
I have a PostgreSQL database instance that I spun up with Amazon RDS. That is connected to an Amazon VPC with two subnets.
Subnet A is set in us-east-2c. It is associated with a Route Table that has two routes. The first has destination 10.0.0.0/16, target 'local', status 'active' and propogated 'no'. The second has destination 0.0.0.0/0 and is targeted to an Internet Gateway associated with the VPC.
Subnet B is set in us-east-2b. It has destination 10.0.0.0/16 and target 'local'.
The PostgreSQL db is associated with a Security Group with this inbound rule: Type: Custom TCP Rule, Protocol: TCP, Port Range: 5432 and Source: 10.0.0.0/32. There are no outbound rules.
Other details on the database:
-Publicly Accessible is set to No
-It is running in us-east-2b
Additionally, there is an instance on EC2. It is on us-east-2c.
It is associated with a Security Group with these inbound rules:
First- Type: Custom TCP Rule, Protocol: TCP, Port Range: 5432, Source: 10.0.0.0/32
Second- Type: SSH, Protocol: TCP, Port Range: 22, Source: (my-ip-address)/32
Third- Type: SSH, Protocol: TCP, Port Range: 22, Source: (group id for the security group)
Both of the Security Groups are associated with the same VPC that has the following settings: IPv4 CIDR: 10.0.0.0/16, IPv6 CIDR: (blank).
My understanding of the set up is that the EC2 instance is public and I can SSH into that from my SQL client (Postico). And then, the EC2 instance will connect privately to the Redshift Database.
Here's my problem-
a) I've never set this up before and I may have done something completely wrong without knowing it.
b) I am attempting to create an SSH connection from Postico. I do not know what value to fill in for 'Host' or 'Port'. Additionally, I do not know whether 'User' and 'Password' refer to the user and password for the account on my computer or whether it refers to something else altogether.
My goal is simply to be able to have a PostgreSQL database that is unavailable to the public, but allows me to access it from my SQL client (Postico).
I've attempted to research this problem, but there is a surprising lack of content that I was able to find to address these needs. I'm new to this, so if I'm missing required pieces to post this or if I've messed up in some way, please alert me and I will update accordingly.
Your inbound security group has "Source: 10.0.0.0/32" This means only 10.0.0.0 can connect to it, which is an invalid host address. Change the /32 to match your network (/16).
Redshift's port is usually 5439. You are referencing 5432.
I don't understand your "b" question. What are you trying to connect to?
[Update with new information]
I just realized an issue with what you are trying to do.
Your goal is to connect to EC2 from your desktop using SSH and then connect to RDS. This won’t work.
The solution is to setup a VPN such as OpenVPN that allows you to connect to your VPC in AWS and then OpenVPN will forward your client requests to RDS (VPN routing).
What I do is setup an EC2 instance using OpenVPN. I then turn on and off this instance when I need VPN access into AWS. I have batch scripts that do this from my desktop (start and stop an EC2 instance).
The other choice is to allow Internet access to RDS. You can use Security Groups to lock down Internet access to only your home/work IP address. Depending on your Internet provider your IP may change which means updating your security group with the new IP address, but this is simple to do.
This page will show you your public IP address that is put into the Security Group: What is my IP
I am currently overseas and I am trying to connect to my EC2 instance through ssh but I am getting the error ssh: connect to host ec2-34-207-64-42.compute-1.amazonaws.com port 22: Connection refused
I turned on my vpn to New York but still nothing changes. What reasons could there be for not being able to connect to this instance?
The instance is still running and serving the website but I am not able to connect through ssh. Is this a problem with the wifi where I am staying or with the instance itself?
My debugging steps to EC2 connection time out
Double check the security group access for port 22
Make sure you have your current IP on there and update to be sure it hasn't changed
Make sure the key pair you're attempting to use corresponds to the one attached to your EC2
Make sure your key pair on your local machine is chmod'ed correctly. I believe it's chmod 600 keypair.pem check this
Make sure you're in either your .ssh folder on your host OR correctly referencing it: HOME/.ssh/key.pem
Last weird totally wishy washy checks:
reboot instance
assign elastic IP and access that
switch from using the IP to Public DNS
add a : at the end of user#ip:
Totally mystical debugging sets for 6 though. That's part of the "my code doesn't work - don't know why. My code does work - don't know why." Category
Note:
If you access your EC2 while you are connected to a VPN, do know that your IP changes! So enable incoming traffic from your VPN's IP on your EC2 security group.
In AWS, navigate to Services > EC2.
Under Resources, select Running Instances.
Highlight your instance and click Connect.
In Terminal, cd into the directory containing your key and copy the command in step 3 under "To access your instance."
In Terminal, run: ssh -vvv -i [MyEC2Key].pem ec2-user#xx.xx.xx.xx(xx.xx.xx.xx = your EC2 Public IP) OR run the command in the example under step 4.
Just check if your public ip that you get when you are on VPN is configured as a source address in the SG inbound entry that opens up port 22.
You can check your ip using https://www.google.co.in/search?q=whats+my+ip, when connected to your VPN.
I tried everything in this and several other answers, also in some aws youtube videos. Lost perhaps five hours over a few sessions trying to solve it and now finally..
I was getting the exact same error message as the OP. I even rented another EC2 instance in a nearer data centre for twenty minutes to see if that was it.
Then I thought it might be the router or internet provider in the guest house where I am staying. Had already noticed that some non-mainstream news sites had been blocked - and that was it!
You can check if the router is blocking port 22:
https://superuser.com/questions/1336054/how-to-detect-if-a-network-is-blocking-outgoing-ports
cardamom#neptune $ time nmap -p 22 portquiz.net
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-03 20:43 CET
Nmap scan report for portquiz.net (27.39.379.385)
Host is up (0.028s latency).
rDNS record for 27.39.379.385: ec2-27-39-379-385.eu-west-3.compute.amazonaws.com
PORT STATE SERVICE
22/tcp closed ssh
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
real 0m0,212s
user 0m0,034s
sys 0m0,017s
Then, the question of why someone would want to block the ssh port 22 is addressed in at length here:
https://serverfault.com/questions/25545/why-block-port-22-outbound
Had the same problem after creating some instances on a new VPC. (If internet SSH worked before this solution may not work for you)
When creating a new VPC, make sure you create an internet gateway (VPC -> Internet Gateways)
And also make sure that your VPC's routing table (VPC -> Route Tables) has an entry which redirects all IPs (or just your IP) to the internet gateway you just created.
For me, it was because of this:
NOT ec2-user#xx.xx.xx.xx
BUT THIS =>>> ubuntu#xx.xx.xx.xx
Watch the image of EC2 instance!
Instead of
ssh -i "key.pem" ubuntu#ec2-161-smth.com
use
ssh -i "key.pem" ec2-user#ec2-161-smth.com
http://imgur.com/a/kzeVm
I have followed the guide, disabled my firewall, verified my security group allows access to everything (initially set to public). Still, 2 installs of mysql won't let ssms connect. No idea why this doesn't work
ACL
100
ALL Traffic
ALL
ALL
0.0.0.0/0
ALLOW
*
ALL Traffic
ALL
ALL
0.0.0.0/0
DENY
Security Group that my db is using
All traffic
All
All
sg-23ae465c (default)
postgres gives me
could not connect to server: Connection timed out (0x0000274C/10060) Is the server running on host "posttest.cnmcgcqc8rkx.us-east-1.rds.amazonaws.com" (52.2.0.231) and accepting TCP/IP connections on port 5432?
mysql can connect, might have to go with that
ecurity groups are not under RDS, they are under EC2's console. ACL's options are under VPC's console. This is not even mentioned in the guide. Seen someone connect on youtube with my exact settings...
This could be one of many things with the given information. The first thing I would check if you know your security groups are set up correctly is to open the port on the Network ACL Inbound Rules.