I have an application and api running/hosted in same aws ec2 instance . I have enabled ssl cert using acm via load balancer for application domain . However , my api is exposing via ec2 public ip i.e http://ec2ip. In such scenario how can I bind ssl cert in IP address i.e https://ec2ip ?
You ideally don't want to have a public IP on your load-balanced EC2. You can achieve this by placing the EC2s in a private subnet. This will need bastion server in order to SSH though.
If you absolutely want HTTPS on an IP address, this SO page is the answer. If you do set that up, make sure that it is an elastic IP address.
If you have load balance you shouldn't directly access your instance using public IP. As per AWS documentation you shouldn't even have a public IP address for your instance.
someday if you run security assessment to your aws environment, AWS Foundational Security Best Practices v1.0.0 will be failed because of public IP.
EC2 instances should not have a public IPv4 address
This all about security concerns. Typically, only a Load Balancer is exposed to the Internet.
Back to Basics: Protecting Your Network in the Cloud
Related
Using Terraform to setup a VPC with two EC2s in private subnets. The setup needs to SSH to the EC2s to install package updates from the Internet and install the application software. To do this there is an IGW and a NAT-GW in a public subnet. Both EC2s can access the Internet at this point as both private subnets are routing to the NAT-GW. Terraform and SSH to the private subnets is done via Client VPN.
One of the EC2s is going to host a web service so a Classic mode Load Balancer is added and configured to target the web server EC2. Using Classic mode because I can't find a way to make Terraform build Application mode LBs. The Load Balancer requires the instance to be using a subnet that routes to the IGW, so it is changed from routing to the NAT-GW, to the IGW. At this point, the Load Balancer comes online with the EC2 responding and public Internet can access the web service using the DNS supplied End Point for the LB.
But now the web server EC2 can no longer access the Internet itself. I can't curl google.com or get package updates.
I would like to find a way to let the EC2 access the Internet from behind the LB and not use CloudFront at this time.
I would like to keep the EC2 in a private subnet because a public subnet causes the EC2 to have a public IP address, and I don't want that.
Looking for a way to make LB work without switching subnets, as that would make the EC web service unavailable when doing updates.
Not wanting any iptables or firewalld tricks. I would really like an AWS solution that is disto agnostic.
A few points/clarifications about the problems you're facing:
Instances on a public subnet do not need a NAT Gateway. They can initiate outbound requests to the internet via IGW. NGW is for allowing outbound IPv4 connections from instances in private subnets.
The load balancer itself needs to be on a public subnet. The instances that the LB will route to do not. They can be in the same subnet or different subnets, public or private, as long as traffic is allowed through security groups.
You can create instances without a public IP, on a public subnet. However, they won't be able to receive or send traffic to the internet.
Terraform supports ALBs. The resource is aws_lb with load_balancer_type set to "application" (this is the default option).
That said, the public-private configuration you want is entirely possible.
Your ALB and NAT Gateway need to be on the public subnet, and EC2 instances on the private subnet.
The private subnet's route table needs to have a route to the NGW, to facilitate outbound connections.
EC2 instances' security group needs to allow traffic from the ALB's security group.
It sounds like you got steps 1 and 2 working, so the connection from ALB to EC2 is what you have to work on. See the documentation page here as well - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
I configured load balancer/autoscaling in AWS.
I want that my instances in the autoscaling group use the same IP for outgoing trafic. So I configured a NAT gateway.
Good, it works well.
But, now, I cannot SSH directly to the instances in the autoscaling group using their public IP address.
So, is there a way to use at the same time a NAT gateway for outgoing traffic and IP public instance address for SSH ingoing traffic ?
Thank you for your help !
If your target is to just ssh into the system then best approach is via AWS Systems Manager. Your servers remain in private network and you don't have to manage complex networking in order to achieve this.
If you use SSM then you don't have to worry about the Public IP of your system at all. No need for Elastic IP as well.
Here's a documentation which shows how to use Systems Manager to ssh into the EC2 instances. https://aws.amazon.com/premiumsupport/knowledge-center/systems-manager-ssh-vpc-resources/
So, is there a way to use at the same time a NAT gateway for outgoing traffic and IP public instance address for SSH ingoing traffic ?
Since you are using NAT, your instances are in private subnet, which means there is no direct access to them through Internet. However, you can use ssh through SSM Session Manager:
How can I use an SSH tunnel through AWS Systems Manager to access my private VPC resources?
The other way is to setup a bastion host in a public subnet, and jump through it. But SSM is the newer and more sequire way of accessing resources in private subnets.
I have set up a EC2 micro instance and installed Consul, but I can't seem to connect via Curl. I can connect to the instance from itself with curl http://localhost:8500/v1/agent/self for a test. However when I try to use the AWS public ipv4 from my local machine like so http://34.230.X.X:8500/v1/agent/self I get a connection refused. On the security group I have configured inbound port 8500 open to everyone. Everything seems to be in place and correctly configured is there something I'm missing?
The AWS VPC documentation has some steps for allowing EC2 instances to be reachable from the internet:
Attach an Internet gateway to your VPC.
Ensure that your subnet's route table points to the Internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.
It sounds like you have the public IPv4 address and have verified that the security groups are good; now just make sure you don't have any network ACLs set (or set appropriately if you have them), the internet gateway, and the route table.
It sounds like you need to set consul's client address to that of the public facing IP. You can do this with the -client option.
consul agent -server -bootstrap -bind="<Your private IP>" -client="<Your public IP>" -data-dir="<Your data dir>"
Disclaimer: This would allow anyone on the internet access to this consul agent's API. So take appropriate actions to secure this thing.
I am hosting a SIP server in EC2 using elastic IP. However, I read that SIP server doesn't really work well if the server is not public facing (using NAT), because from what I read at AWS site, elastic IP is using 1:1 NAT.
The Elastic IP address is mapped to the instance using 1:1 NAT. The
instance itself is not aware of the public address.
Is there any public facing non-NAT static IP address that I can buy from Amazon and assign to my server? Or, this action is actually useless?
Thanks!
You can't have EC2 instance with public IP without NAT. Nevertheless all major PBX, proxy server or SIP server should work well with NAT. Freeswitch for example even have manual for running it in EC2:
https://freeswitch.org/confluence/display/FREESWITCH/Amazon+EC2
If you still want to get rid of NAT, you can try Digitalocean, it is similar to Amazon but without NAT.
I need the static IP to allow access to a firewalled network not on the AWS network.
Is it possible to get a static IP for a load balanced app using Elastic Beanstalk? I'm following the AWS docs regarding using Route 53 to host my app with a domain name, but from what I've read, this does not ensure a static IP because it is essentially using a CNAME allowing the IP behind the scenes to change. Is that the right understanding? Is it possible at all?
This post helped me get a static IP for outgoing requests by using a NAT Gateway, and routing specific requests through it.
I needed this static IP in order to be whitelisted from an external API provider.
I found this way much easier than the provided by AWS, without the need of creating a new VPC and a private and public subnets.
Basically, what I did was:
Create a new subnet to host the NAT Gateway.
Create the NAT Gateway in the above subnet, and assign a new Elastic IP. This one will be our outgoing IP for hitting external APIs.
Create a route table for the NAT subnet. All outbound traffic (0.0.0.0/0) should be routed through the NAT Gateway. Assign the created subnet to use the new route table.
Modify the main route table (the one that handles all our EC2 instances requests), and add the IP(s) of the external API, setting its target to the NAT Gateway.
This way we can route any request to the external API IPs through the NAT Gateway. All other requests are routed through the default Internet Gateway.
As the posts says, this is not a Multi AZ solution, so if the AZ that holds our NAT Gateway fails, we may lose connection to the external API.
Update:
See #TimObezuk comment to make this a Multi-AZ solution.
Deploy your beanstalk environment in VPC, and with the right configuration, a static IP for outbound traffic is easy.
In this setup, your instances all relay their outbound traffic through a single machine, which you can assign an elastic IP address to. All of the inside-originated, Internet-bound traffic from all of the instances behind it will appear, from the other network, to bw using that single elastic IP.
The RDS portion of the following may be irrelevant to your needs but the principles are all the same.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc-rds.html
Deploy your beanstalk environment in VPC, and with the right configuration, a static IP for outbound traffic is easy.
In this setup, your instances all relay their outbound traffic through a single machine, which you can assign an elastic IP address to. All of the inside-originated, Internet-bound traffic from all of the instances behind it will appear, from the other network, to bw using that single elastic IP.
The RDS portion of the following may be irrelevant to your needs but the principles are all the same.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc-rds.html