RDS instance resolving to public IP address when connected to AWS ClientVPN - amazon-web-services

I set up an AWS ClientVPN in our company and it is working fine when connecting to our internal AWS resources. However, I'm having an issue with RDS.
I have an RDS instance which is set to Public (this needs to be public as some public resources need to connect to this RDS). We can connect to the RDS instance from any of our EC2 instances, but when connecting to the RDS locally while connected to ClientVPN, we simply can't.
If I nslookup the RDS while inside one of my EC2 instances, it resolves to the private IP.
If I nslookup from local, it will resolve to the public IP.
If I nslookup from local while connected to AWS ClientVPN, it will still resolve to the public IP. I think this is where the problem is; it should resolve to the private IP address?
Can anyone give me some tips regarding this?
Thanks!

Related

RDS resolves to public IP from within VPC

I'm working with an EC2 instance running Ubuntu 20.04 and RDS; both are in the same VPC. I've added security groups to allow connections to the RDS from the EC2 instance.
I am having an issue where a ping to the RDS instance from the EC2 resolves to the public IP instead of the private IP, and so the MySQL connection fails; the connection succeeds if I use the internal IP, so it's not an issue of it not being accessible.
I am assuming this is related to some DNS cache, but I've tried flushing and it still doesn't work. The commands I've tried are below:
sudo systemd-resolve --flush-caches
sudo /etc/init.d/dns-clean start
Any ideas how we can solve this issue? How can I get the RDS endpoint to resolve to the internal IP?
For improved security, it is better to use PubliclyAccessible = No. This will cause the DNS Name to resolve to a private IP that is only accessible from within the VPC. It will also assist with using Security Groups to control access to the database.

Access AWS RDS from OpenVPN using Routing

I have an RDS instance in my VPC which has Public accessibility = No.
I have an OpenVPN Access Server on an EC2 instance, and I have configured two users:
The first one uses NAT on my OpenVPN AS to access my private networks. Using NAT, OpenVPN translates my IP; therefore, when I connect to AWS RDS, I'm using a local VPC IP address. This one connects without problems to my RDS instance.
The second one uses Routing on my OpenVPN AS to access my private networks. In this case, I use a VPN IP (different from the private IPs in my VPC). This one cannot connect to my RDS instance. I think it's because it doesn't resolve the DNS of the endpoint.
For example: VPC -> 172.24.0.0/16
First scenario is like I use: 172.24.1.10 (a local VPC IP) to connect to RDS.
Second scenario is like I use: 172.47.224.100 (an IP from my VPN) to connect to RDS.
Is it possible to access the RDS instance through the VPN using Routing (which is the second scenario)? And how do I do it? Thanks.
Update
I just confirmed the following:
If I use the first scenario, I can ping an EC2 instance using the Private IP and the Private DNS.
If I use the second scenario, I can ping using Private IP, but I can't ping using the Private DNS.

How to connect to aws instance through public or private ip?

I've deployed an AMI from the Community as an instance. I've configured an Elastic IP for it, but I can't connect to the instance through the public or private IP. I've checked the security group and network ACL attached to it and all traffic has been allowed.
I'd really appreciate some troubleshooting advice or solution.

Is there EC2 Elastic IP that is public facing? without NAT?

I am hosting a SIP server in EC2 using an Elastic IP. However, I read that a SIP server doesn't really work well if the server is not public facing (using NAT), because from what I read on the AWS site, an Elastic IP uses 1:1 NAT.
The Elastic IP address is mapped to the instance using 1:1 NAT. The instance itself is not aware of the public address.
Is there any public-facing, non-NAT static IP address that I can buy from Amazon and assign to my server? Or is this action actually useless?
Thanks!
You can't have an EC2 instance with a public IP without NAT. Nevertheless, all major PBX, proxy server or SIP server products should work well with NAT. FreeSWITCH, for example, even has a manual for running it in EC2:
https://freeswitch.org/confluence/display/FREESWITCH/Amazon+EC2
If you still want to get rid of NAT, you can try DigitalOcean; it is similar to Amazon but without NAT.

AWS EC2 public vs private IPs

Is there any difference in using private and public IPs for communicating with other AWS instances? Do private IPs provide any more functionality (or security) compared to using public IPs?
A few differences:
For instances launched in a VPC, the private IP address remains associated with the network interface when the instance is stopped and restarted. The public IP gets released when you stop and restart unless you use an Elastic IP.
If you have a pure backend-service, you could give it only a private IP and create a VPN connection into your VPC. That way, an attacker would not be able to even contact your backend-service unless he gained access to your VPN.
Using the private IP doesn't result in bandwidth charges.
So deploy your EC2 instance in the VPC, so that it gets a static internal IP. If you like, set up an Elastic IP. If you resolve the Elastic IP from the internal network, you will get the private IP, and the public IP when resolved from outside. https://alestic.com/2009/06/ec2-elastic-ip-internal/
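As an added diagnostic for the split-horizon behaviour described in the main ClientVPN question and in the answer just above (example code written for this page, not from either poster), this sends an A query for a name to a resolver you choose, so you can compare a public resolver against the VPC's Route 53 Resolver (AWS places it at the VPC network address plus two) and see whether each answer falls inside your VPC CIDR. The endpoint name and CIDR are whatever you pass in; it assumes UDP/53 to the chosen resolver is reachable from the host running it.

```python
import ipaddress
import socket
import struct

def vpc_resolver(vpc_cidr):
    """AWS serves VPC DNS from the VPC network address plus two (e.g. 172.24.0.2)."""
    return str(ipaddress.ip_network(vpc_cidr, strict=False).network_address + 2)

def build_a_query(name, txid=0x1234):
    """Minimal DNS message: header with recursion desired plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, pos):
    # Labels end with a zero byte; a byte with top bits 11 is a 2-byte compression pointer.
    while data[pos] != 0 and (data[pos] & 0xC0) != 0xC0:
        pos += data[pos] + 1
    return pos + (2 if (data[pos] & 0xC0) == 0xC0 else 1)

def parse_a_answers(data):
    """Return the IPv4 strings found in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(data, pos) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:            # TYPE A
            ips.append(str(ipaddress.IPv4Address(data[pos:pos + 4])))
        pos += rdlen
    return ips

def classify(ips, vpc_cidr):
    """Label each answer: inside the VPC CIDR, some other RFC 1918 range, or public."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return {ip: "vpc" if ipaddress.ip_address(ip) in net
            else "private" if ipaddress.ip_address(ip).is_private else "public"
            for ip in ips}

def resolve_a(name, resolver, vpc_cidr, timeout=3.0):
    """Query one chosen resolver over UDP/53 and classify what it answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (resolver, 53))
        data, _ = s.recvfrom(512)
    return classify(parse_a_answers(data), vpc_cidr)
```

Call resolve_a once with a public resolver and once with vpc_resolver(your VPC CIDR) from the same host; if only the second call returns a "vpc" label, the client's queries are simply not reaching the VPC resolver, which is the situation the nslookup results above describe.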