I have problems using the AWS CLI from an IPv6 address on Ubuntu 20.04.2 LTS.
Simple commands like aws lambda get-account-settings run idle indefinitely.
When switching to an IPv4 address, everything works fine.
Same behavior when using Python's boto3 library.
Any ideas?
I think the Lambda service does not have IPv6 (dual-stack) endpoints. Only some services in some regions support IPv6, such as S3 or EC2.
Even if they support IPv6, you have to make extra settings to use it, as explained in the linked docs for S3 and EC2.
Lambda now has IPv6 endpoints as of early December 2021. It joins the list of about 8-10 AWS services which do support IPv6 (depending on how you count).
So for example:
aws lambda list-functions --endpoint https://lambda.us-west-2.api.aws
If you are also looking for other services, I have a blog post here showing all APIs with known IPv6-capable endpoints. Realistically speaking though, IPv4 will be necessary to interact with most AWS services for some time. If you are just trying to not interact with the IPv4 Internet, VPC Endpoints can help get internal IPv4s for many AWS services.
Related
My team is using AWS from an on-premise server at the client's HQ.
The client is asking for IP addresses to set networking restrictions (outbound).
I found that AWS provides the currently used IP ranges for their services.
For example:
S3 in the eu-west-1 region has 8 IP prefixes
RabbitMQ (mq.eu-west-1...) - seems not to have any specific IP ranges?
We could send the IP prefixes from the JSON file, but I see a few problems:
How to avoid IP range changes and client network reconfiguration each time?
The list of used IP ranges for each service is quite large
I'm having a stupid idea: maybe there is a way to have one IP for each AWS service? For example, route all S3 traffic (by using other AWS services) through one endpoint?
Additionally, how to find Amazon MQ IP ranges? In the end we're using something like this: amqps://{username}:{password}#{url}.mq.eu-west-1.amazonaws.com:5671
Thanks in advance!
EDIT:
The RabbitMQ broker seems to have a static IP
I'm trying to access Lambda functions from a Windows VM I have created in EC2 for dev purposes, but even a simple 'list functions' command fails to connect.
I have tried using the AWS CLI through PowerShell, the dotnet SDK and the VS AWS Toolkit, but each of these times out after a long waiting period. I can, however, list other services such as my databases and S3 buckets.
[screenshot: AWS CLI failure message]
[screenshot: VS Toolkit failure message]
I have tried creating a new VM with the same results. I've disabled Windows Firewall altogether, allowed all traffic through the security group and have VPC endpoints for my subnet (ssm, ec2messages, lambda, ec2).
I have no trouble connecting to the Lambda service through my own computer. On the VM, I have modified the .aws/credentials file to match the one on my computer for both the admin and current user, but I still can't connect. This tells me that the problem isn't related to my access key credentials.
I'm reaching the end of the troubleshooting options I can think of so any help would be very much appreciated!
Update: using telnet, I cannot connect to lambda.ap-southeast-2, but I can connect to s3.ap-southeast-2 and lambda.ap-southeast-1. It seems lambda.ap-southeast-2 is being blocked somewhere, but it isn't Windows Firewall because it's off and the same problem happens on Ubuntu VMs.
In the VPC Management Console, I haven't set up any firewalls under network or DNS firewalls, and my network ACL allows all traffic.
I am trying to set up AWS Systems Manager to use Session Manager. In the Systems Manager setup guide, one of the steps is to allow HTTPS traffic to SSM endpoints. The documentation describes 2 ways of doing this, one using VPC endpoints and the other by allowing traffic to SSM endpoints as mentioned here. I don't want to create VPC endpoints, so I am trying to use the other option.
The setup guide mentions the following:
Security groups don't allow URLs, so how can I allow outbound HTTPS traffic to some URLs as mentioned in the screenshot?
You can't create security group rules for URLs. You need to figure out a reliable way of figuring out the IP address (or range) for your URL and then create security group rules for them.
For AWS services, you can get the IP addresses using the following URL:
https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
You can also filter the IP addresses using the APIs. I am sharing one such example for filtering with PowerShell:
Get-AWSPublicIpAddressRange -ServiceKey AMAZON -Region ap-south-1 | where {$_.IpAddressFormat -eq "Ipv4"} | select IpPrefix
This lists the IPv4 addresses for the Amazon service name "AMAZON" in the ap-south-1 region.
For the list of supported services, please refer to the URL above.
We have an application that runs on different client systems which sends data to Amazon Kinesis Data Firehose. But the client has a firewall which restricts outbound traffic only to whitelisted IP addresses and does not allow domain names in their firewall rules. I am not that familiar with AWS, but I read that the Amazon IPs keep changing. Because of this we are having problems whitelisting the IP addresses in the client firewall.
I came across the following pages that mention that AWS public IP address ranges are available in JSON format.
https://aws.amazon.com/blogs/aws/aws-ip-ranges-json/
https://ip-ranges.amazonaws.com/ip-ranges.json
It's a huge list with multiple entries for the same region. Can you suggest a way to somehow extract the IP range that our service will use so that we can whitelist it in the client's firewall? Any other alternative is also welcome.
Thanks in advance for any help and/or suggestions.
Firehose has regional endpoints that are listed on this page:
https://docs.aws.amazon.com/general/latest/gr/rande.html
Using the us-east-2 endpoint as an example...
Right now, firehose.us-east-2.amazonaws.com resolves, for me, to 52.95.17.2 which currently features in the ip-ranges.json document as:
service: AMAZON region: us-east-2 ip_prefix: 52.95.16.0/21
If you wanted to know which ranges to whitelist on the firewall, you'd need to get all of the ranges for AMAZON in us-east-2 (currently 34 if you include IPv6 addresses). Note: That assumes all of the endpoints fall under the AMAZON service marker and you'll be whitelisting far more services than just firehose if you whitelisted that.
Previous contact with AWS support suggests that ranges can be added without warning, so you'd need to frequently check the published ranges and update the firewall to avoid a situation where the endpoint resolved to a new IP address that wasn't whitelisted.
If you did want to go the route of frequent checks and whitelisting, then a python script like this could be used to retrieve the relevant IP ranges:
#!/usr/bin/env python3
import requests

# Fetch the published AWS IP ranges document.
aws_response = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json')
response_json = aws_response.json()

# Print every IPv4 prefix tagged as the AMAZON service in us-east-2.
for prefix in response_json.get('prefixes'):
    if prefix.get('service') == 'AMAZON' and prefix.get('region') == 'us-east-2':
        print(prefix.get('ip_prefix'))
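Both firewall-whitelisting questions above (the on-premise server with Amazon MQ, and the Kinesis Data Firehose client) run into the same two problems: the list of prefixes for a service and region is large, and it changes without warning. The script below is an added example, not code from any answer on this page or from AWS. It selects the prefixes for one service and region from an ip-ranges.json document, collapses them into the fewest CIDR rules, and diffs two snapshots so only real changes are sent to the firewall team. The two JSON documents embedded in it are constructed to mirror the real file's shape (syncToken, prefixes, ipv6_prefixes) and are not real AWS ranges; for actual use, fetch https://ip-ranges.amazonaws.com/ip-ranges.json and pass the response text to the same functions.

```python
#!/usr/bin/env python3
"""Select, collapse and diff AWS ip-ranges.json prefixes for a firewall allow-list.

Added example (not from this page's answers). The two documents below are
CONSTRUCTED to mirror the shape of https://ip-ranges.amazonaws.com/ip-ranges.json;
for real use, fetch that URL and pass the response text to these functions.
"""
import ipaddress
import json

# Constructed snapshot: what the file might look like at one sync point.
OLD_DOC = json.dumps({
    "syncToken": "1000",
    "prefixes": [
        {"ip_prefix": "52.95.16.0/21", "region": "us-east-2", "service": "AMAZON"},
        {"ip_prefix": "52.95.24.0/22", "region": "us-east-2", "service": "AMAZON"},
        {"ip_prefix": "52.95.28.0/22", "region": "us-east-2", "service": "AMAZON"},
        {"ip_prefix": "3.5.128.0/22", "region": "us-east-2", "service": "S3"},
        {"ip_prefix": "54.231.0.0/17", "region": "us-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f16::/36", "region": "us-east-2", "service": "AMAZON"},
    ],
})

# Constructed later snapshot: one us-east-2 AMAZON range added, one withdrawn.
NEW_DOC = json.dumps({
    "syncToken": "1001",
    "prefixes": [
        {"ip_prefix": "52.95.16.0/21", "region": "us-east-2", "service": "AMAZON"},
        {"ip_prefix": "52.95.24.0/22", "region": "us-east-2", "service": "AMAZON"},
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-2", "service": "AMAZON"},
        {"ip_prefix": "3.5.128.0/22", "region": "us-east-2", "service": "S3"},
        {"ip_prefix": "54.231.0.0/17", "region": "us-east-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f16::/36", "region": "us-east-2", "service": "AMAZON"},
    ],
})


def select_prefixes(doc_text, service, region, include_ipv6=True):
    """Return the sorted, de-duplicated prefixes tagged with service+region.

    The file keeps IPv4 entries under "prefixes"/"ip_prefix" and IPv6 entries
    under "ipv6_prefixes"/"ipv6_prefix"; a firewall that only routes IPv4 can
    skip the second list.
    """
    doc = json.loads(doc_text)
    wanted = {p["ip_prefix"] for p in doc.get("prefixes", [])
              if p["service"] == service and p["region"] == region}
    if include_ipv6:
        wanted |= {p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", [])
                   if p["service"] == service and p["region"] == region}
    return sorted(wanted)


def collapse_prefixes(prefixes):
    """Merge adjacent and overlapping networks into the fewest CIDR blocks.

    collapse_addresses() only accepts one address family at a time, so the
    IPv4 and IPv6 entries are merged separately (IPv4 first in the result).
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def diff_prefixes(old_text, new_text, service, region):
    """Report what changed for one service+region between two snapshots.

    syncToken is the file's own change counter; checking it first lets a
    scheduled job skip the full comparison when nothing was republished.
    """
    old = set(select_prefixes(old_text, service, region))
    new = set(select_prefixes(new_text, service, region))
    return {
        "sync_token_changed": json.loads(old_text)["syncToken"]
                              != json.loads(new_text)["syncToken"],
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }


if __name__ == "__main__":
    current = select_prefixes(OLD_DOC, "AMAZON", "us-east-2")
    print("raw prefixes:      ", current)
    print("collapsed rules:   ", collapse_prefixes(current))
    print("change vs. new doc:", diff_prefixes(OLD_DOC, NEW_DOC, "AMAZON", "us-east-2"))
```

Run it on a schedule against the live file, keep the previous snapshot on disk, and only raise a ticket when `diff_prefixes` reports additions or removals; the collapsed output is what goes into the firewall rule set. Note that, as the answer above says, the AMAZON tag covers far more than one service, so the resulting allow-list is still broad.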
Noob question here but my google-fu is failing me.
I'm working with an app that uses the AWS Java SDK to talk to AWS and scrapes some info about the instances and other information. We are not hitting the instances directly, just the sort of stuff you can get from the AWS CLI, console, etc.
things like describe-instances...
The app is hosted inside an internal network and traffic currently is going out via a proxy server.
I can request to have some firewall rules opened, but for the life of me I can't find which ports need to be opened and the Amazon URLs... Is it just standard HTTPS 443 and HTTP 80? And what are the URLs? Are they the same as the Amazon endpoints published for the API Gateway?
I can't access or modify the code; this is a vendor product that uses the latest AWS Java SDK (I download the SDK, unzip it and put it into a specified folder).
any help would be greatly appreciated!
I assume the normal http(s) endpoints are all you need to be able to access.
They are all described here and run on the standard HTTP and HTTPS ports.
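The connectivity problems in the threads above (the CLI that hangs only from an IPv6 address, the EC2 VM that times out only for lambda.ap-southeast-2, and the question of which ports a proxy or firewall must open) are all diagnosed the same way: resolve the endpoint name separately per address family and attempt a TCP connect to port 443 with a timeout. The script below is an added example, not code from any post on this page or from AWS. It assumes the dual-stack hostname pattern service.region.api.aws shown for Lambda above also applies to other services that publish dual-stack endpoints (the IPv4 form service.region.amazonaws.com is the one the endpoints page lists); the function names `resolve`, `probe`, `check_endpoint` and `endpoint_for` are chosen for this example, and the resolver and connector are injectable so the classification logic can be exercised offline with constructed results.

```python
#!/usr/bin/env python3
"""Per-address-family TCP reachability probe for an AWS API endpoint.

Added example, not code from this page's posts. AWS APIs are served over
HTTPS on port 443, so a connect to that port shows whether the path
(firewall, proxy, security group, IPv6 routing) is open before an SDK call
hangs on it. getaddrinfo and the connector are injectable for offline tests.
"""
import socket
from dataclasses import dataclass

HTTPS_PORT = 443
FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}


@dataclass
class ProbeResult:
    family: str    # "IPv4" or "IPv6"
    address: str   # address tried, or "" when the name has no such record
    status: str    # "ok", "no-address", "timeout", "refused" or "unreachable"


def endpoint_for(service, region, dual_stack=False):
    """Regional endpoint hostname.

    Assumption: the service.region.api.aws pattern shown for Lambda above is
    used for other dual-stack endpoints; service.region.amazonaws.com is the
    IPv4 form from the endpoints page.
    """
    suffix = "api.aws" if dual_stack else "amazonaws.com"
    return f"{service}.{region}.{suffix}"


def resolve(host, family, getaddrinfo=socket.getaddrinfo):
    """Addresses of one family for host (A or AAAA records); [] when absent."""
    try:
        infos = getaddrinfo(host, HTTPS_PORT, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe(address, timeout=3.0, connect=None):
    """TCP-connect to one address on 443 and classify the outcome.

    A timeout (rather than a refusal) is the signature of a silent drop,
    which is what an unopened firewall rule or a dead IPv6 path looks like.
    """
    connect = connect or socket.create_connection
    try:
        sock = connect((address, HTTPS_PORT), timeout=timeout)
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    sock.close()
    return "ok"


def check_endpoint(host, timeout=3.0, getaddrinfo=socket.getaddrinfo, connect=None):
    """Probe host over IPv4 and IPv6; one ProbeResult per family, IPv4 first."""
    results = []
    for label, family in FAMILIES.items():
        addrs = resolve(host, family, getaddrinfo)
        if not addrs:
            results.append(ProbeResult(label, "", "no-address"))
            continue
        results.append(ProbeResult(label, addrs[0], probe(addrs[0], timeout, connect)))
    return results


if __name__ == "__main__":
    # Live run (needs network): compare the IPv4 and dual-stack Lambda names.
    for host in (endpoint_for("lambda", "us-west-2"),
                 endpoint_for("lambda", "us-west-2", dual_stack=True)):
        for r in check_endpoint(host):
            print(f"{host:40} {r.family:4} {r.address or '-':40} {r.status}")
```

Reading the output: "no-address" on IPv6 means the name has no AAAA record, so an IPv6-only client cannot use it at all (the first thread's situation before Lambda gained dual-stack endpoints); "timeout" on one family while the other is "ok" points at a drop on that path rather than at credentials, which is the distinction the EC2 VM thread was chasing with telnet.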