I'm currently learning AWS and I'm stuck. I created Amazon Elasticsearch Service domain in my VPC, in subnet A (one of 3 default subnets). The access is available through VPC, not from the Internet. I wanted to connect to it from my computer (to create indexes, mappings, etc.) I've read that one of the ways to do that is to connect to VPC using VPN.
So, I configured AWS Client VPN Endpoint using subnet A and connected from my computer (openVPN). I'm connected, I see my connection in AWS console. Connection looks ok.
I used Kibana url from AWS console: https://vpc-blablabla.eu-central-1.es.amazonaws.com/_plugin/kibana/ and there is no connection ('ERR_CONNECTION_TIMED_OUT').
AES domain uses security group with ALL income/outcome traffic allowed. The DNS resolves domain from the Kibana url properly (It's from subnet A). Should my IP in VPN match subnet's A CIDR? Now it's completely different.
Subnet A CIDR: 172.31.0.0/20
VPN Client IPv4 CIDR: 10.5.0.0/20
VPN current IP: 10.5.0.2
Is that a cause of the problem?
Thank you #jordanm it was caused by wrong routing on my local machine.
To indicate the network to use I had to add route:
sudo ip route add 172.31.0.0/20 via 10.5.0.2 dev tun0
Now it works perfectly.
Related
I have one privately hosted zone in my vpc using Route 53. I also have one client vpn connection to that vpc, which is functioning normally.
I want the client to get access to my website hosted using private zone in private subnet through their browser when they are connected to the VPN Client.
I have enabled "DNS Configuration" in the Client VPN Settings. But my client is not able to access the hostname of the webitse hosted in the private hosted zone. Though they are able to access the website using client vpn connection but by using ip address. I want them to access it using hostname.
I have tried defining the DNS ip in client vpn settings as
AWS Provided DNS (VPC CIDR + 2)
2.Route 53 inbound endpoint ips.
Both did not work. Help me out on this.
Take a look at this guide, it might be useful for you, but as far as I understand you need to use direct connect or AWS VPN. Cause even if your client is inside the VPC by your custom VPN it still does not use the same DNS resolver https://aws.amazon.com/premiumsupport/knowledge-center/route53-resolve-with-inbound-endpoint/
I have an AWS VPC with Private Hosted Zone (PHZ) setup so all machines launched within the VPC can resolve my console-defined domains, for example a1.mydomain.
I would like for on-site machines at the end of my VPN (not in VPC but connected to a VPN server machine in the VPC) to be able to resolve these PHZ domains as well.
Is this possible?
In order to resolve PHZ, the request must come from the DNS resolver of the VPC:
Setup a DNS server on the VPN instance that forwards queries of a1.mydomain to the VPC DNS resolver which is the third address of your VPC network (.2)
Make sure to setup the DNS server to forward other queries to a public DNS server like Google (8.8.8.8/8.8.4.4) or CloudFlare (1.1.1.1)
Setup the VPN to push its own private IP as a DNS server to users
On-premise machines connected to the VPN will be able to resolve records in PHZ
Using a bind9 + OpenVPN works quite well
I have a server running on ec2 but I cant connect to the localhost 8085. Any suggestions ?
Check to make sure your setup has the following:
There is an elastic IP attached to the instance, or it has a public IP address.
The security group allows incoming traffic on the correct port.
The network ACL of the subnet that allow for the needed inbound and outbound traffic, or you're using the non-existent/default ACLs, which allow all inbound/outbound traffic.
An Internet Gateway is in the same VPC as the instance.
There is a rule in the subnet's route table that sends internet-bound traffic to the Internet Gateway.
You may also find this AWS article helpful for using the Internet Gateway in your VPC.
I have set up a EC2 micro instance and installed Consul, but I can't seem to connect via Curl. I can connect to the instance from itself with curl http://localhost:8500/v1/agent/self for a test. However when I try to use the AWS public ipv4 from my local machine like so http://34.230.X.X:8500/v1/agent/self I get a connection refused. On the security group I have configured inbound port 8500 open to everyone. Everything seems to be in place and correctly configured is there something I'm missing?
The AWS VPC documentation has some steps for allowing EC2 instances to be reachable from the internet:
Attach an Internet gateway to your VPC.
Ensure that your subnet's route table points to the Internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.
It sounds like you have the public IPv4 address and have verified that the security groups are good; now just make sure you don't have any network ACLs set (or set appropriately if you have them), the internet gateway, and the route table.
It sounds like you need to set consul's client address to that of the public facing IP. You can do this with the -client option.
consul agent -server -bootstrap -bind="<Your private IP>" -client="<Your public IP>" -data-dir="<Your data dir>"
Disclaimer: This would allow anyone on the internet access to this consul agent's API. So take appropriate actions to secure this thing.
I have this current Cloudformation config setup:
PasteBin example here
This runs a web app, there's also some networking config in there which routes outbound traffic through a nat gateway with an elastic ip.
--
Separately we have a manually created site-to-site VPN setup in AWS
screenshot, elastic ip created by cloudformation :
The other side of the VPN specified that our private ip range for the connection to work has to be in 192.168.242.0/24.
Also they have specifically whitelisted 192.168.242.230 at their end. Which is the private ip of the elasticip which the Cloudformation above created.
How can I establish a connection from my EBS ec2 instance to a server protected by this VPN? At the moment the connection just times out.
You would need to add a route table rule to allow traffic to X.X.X.X/X flow via the Virtual Private Gateway(vgw-xxxxxx)
Destination Target
x.x.x.x/x vgw-xxxxxx