as described in the image below, I have a Route53 record that calls an ALB that triggers a Lambda, and this Lambda function will clone some code from a git repository to an S3 bucket.
the Route53 is in a private hosted zone, so I can't find a way to send a POST request to the A record of Route53 to trigger the whole process.
is there any way I can test it ?
Private Hosted Zone (HZ) can't be accessed directly from the internet. They are only usable within VPC. Fron docs:
A private hosted zone is a container that holds information about how you want Amazon Route 53 to respond to DNS queries for a domain and its subdomains within one or more VPCs that you create with the Amazon VPC service.
This means that your POST or GET to www.bla-bla-amazon.com will not get resolved over the internet, thus you can't call the dns from the internet. For that, as docs write, you need public HZ:
If you want to route traffic for your domain on the internet, you use a Route 53 public hosted zone. For more information
However, if you want to access the private HZ from outside of a VPC, you can do it indirectly, using VPN or ssh tunnel. SSH tunnel is easier to use and setup for testing and development purposes. For that to work, you need a public EC2 instance in the VPC where your HZ is. From outside of AWS, e.g. home/work, you can setup SSH tunnel with local port forwarding to your EC2, e.g.:
ssh -L -i priavte_ssh_key local_port:private_dns_of_your_service:remote_port ec2-user#ec2-instance-ip
This way, you will be able to use http://localhost:local_port on your home/work computer to access private resources in the VPC.
By the way, if the setup should be private, the ALB should be internal, not internet-facing.
Related
I've created a javascript lambda function that is triggered by an API gateway request. I've tested it from my frontend and it works fine (hosted outside AWS).
However, from my function I need to call an HTTP service from my on-prem network as an API call. I've tested the service through a local VPN connection in my machine and it works like a charm. Reading through the AWS documentation, I reached to the conclusion that I needed to configure my lambda to run inside a VPC and to connect that VPC to a site-to-site VPN.
I created the site-to-site VPN and the tunnels are up without issues. I created the client gateway for my on-prem network and also a Virtual Private Gateway for my AWS network. I checked the box to propagate to the routing table the on-prem IP prefixes I declared while creating the VPN. (I understand the IP prefixes are the on-prem IP endpoints I need to reach. For example let's say my services are hosted in 172.31.0.2 and 172.31.15.22, so I declared them as /32 since they're a single IP address and AWS asked me for a CIDR.)
I also created my VPC, associated it to the VPN and declared a subnet. The network admin gave me a CIDR range as routing option for our AWS services (let's say 172.31.50.160/29) so I declared the VPC CIDR as 172.21.0.0/16 and the subnet as 172.31.50.160/28. I also made sure lambda configurations specified my newly created VPC and subnet as well a security group.
While my frontend can still call the lambda without problems, I can't seem to reach the on-prem network. I always receive an ENOTFOUND error, so I assume this means the API call isn't going through the VPN tunnel, as the service is only reachable through the tunnel. So I'm guessing it's most likely a routing error. However, I'm not sure how to solve it.
My routing table shows the propagated IPs and the Virtual Private Gateway as their destination, as well as the 172.31.0.0/16 with the destination as Local. I imagine it could be a routing error, maybe I made a mistake setting that CIDR range as the VPC range.
I also tried adding cloudwatch logging to the VPC to check the traffic but nothing is logged, it always comes up empty. I made sure the IAM role I used for this had cloudwatch permissions, thinking that might be the issue, but even after that the logs are empty.
As you can see I have only very basic knowledge about networks, so any help is appreciated!
TL;DR
Goal: To allow my lambda function to access an on-prem service in a local machine.
Expected results: After connecting the lambda to a VPC that's associated to a running VPN, my lambda would be able to reach the local machine.
Actual results: The lambda is unable to locate the local machine (getaddrinfo ENOTFOUND error), seems as if the traffic is not going through the VPN tunnel.
Turns out that the same way that lambda cannot directly access the internet without a public NAT gateway and the right routing, lambda cannot access on-prem machines through the VPN without a private NAT gateway.
So I created a private subnet in my VPC, using the CIDR range the on-prem network administrator gave me. Then I routed my requests to the on-prem machines to the private NAT gateway. The routing table for this private subnet directed my traffic flow to the Virtual Private Gateway and in this way I was able to reach the on-prem machines.
Summary
Create a private subnet in your VPC (do not associate it to lambda)
Create a private NAT gateway and associate it with your new subnet
On the route table that manages the subnets associated with lambda, route your requests to the on-prem machines to the private NAT gateway you created on step 2
On the private NAT's routing table, route requests to your Virtual Private Gateway associated with your VPN
And done, you should be able to send HTTP requests from your lambda to your on-prem servers.
I have a static website setup in S3 with a bucket policy that denies access to the website (simple index.html) unless it is from a VPC Endpoint. I configured the VPC Endpoint as com.amazonaws.us-east-1.s3 service: Gateway. If I add 0.0.0.0/0 into my AWS Client VPN route table, I am able to access the website, only when connected to the VPN as expected, but I want to prevent using the VPN for general website traffic, essentially removing 0.0.0.0/0. I think I can do this with split traffic enabled on the VPN, but I don't want to keep 0.0.0.0/0 in the vpn route table if I dont need to.
So in short, is there an ip address for the vpc endpoint or which ip could I use to explicitly direct traffic to the private website?
Sadly you can't do this. S3 buckets in website mode are only available through internet. You can't make S3 website endpoint private and accessible from withing a VPC. The connections must come from the internet.
If you really want a private website, you have to host it yourself, on tiny instance or ecs container. Then you will be able to access it from within VPC only.
When I configure an AWS Gateway VPC endpoint, a route table entry is created that points to the Gateway. Here, Gateway can be thought of performing the routing to AWS service (over private network).
However, for an AWS Inteface VPC endpoint, all that is visible is a Network interface that has a private IP address of the subnet. By default, a private IP can send traffic within the subnet or entire VPC provided Security Group and NACL allows the traffic. & it appears in this case there is no Route table entry to a Gateway or a Router for allowing traffic outside VPC.
How / Where is the interface routing the traffic to i.e. How does traffic leave the customer VPC?
Of course I understand that the traffic finally reaches the intended AWS service over private network but here I am trying to find out where is the Gateway or Router? Does AWS hide this implementation?
I cannot get my head around the fact that a simple Network Interface can accept traffic and route it to a service all by itself i.e. performing routing by itself? Clearly, in this case the traffic appears not flowing through the VPC router or another Gateway device.
I am aware this might be an AWS confidential implementation but any thoughts / idea on how they might have designed this feature?
It doesn't provide routing at all, by default a VPC interface endpoint when created will create an ENI per subnet in the VPC for you. It will also provide you a DNS name per each AZ and a global name that you can use within your applications.
In addition it supports the ability to have the AWS service domain name for the VPC interface endpoint be resolvable to the private IPs of the endpoint. As long as your VPC has DNS enabled it will first check the VPC private DNS resolver and then resolve it to the private IP rather than the public one.
This is done by adding an additional private hosted zone to your VPC which resolves service domains in your region such as ec2.us-east-1.amazonaws.com.
From the AWS side this is just an ENI created in your AWS VPC that is connected to one of AWS internal VPCs. It's actually possible to implement this for your own services too to share with another organisations VPCs, this is implemented using AWS PrivateLink.
For more information take a look at the Private DNS for interface endpoints page.
I would like to create a lambda(vpc) which would access resources in vpc and make a request to services(REST API) via public application load balancer. I found out that vpc end point is better solution than creating a nat gateway.
I have created a vpc endpoint for elasticloadbalancing(by following steps at https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) and given full access in the policy. I could not find how to access it from the lambda, what would be the URL to make the request?
Edit:
Thanks to John for the info that vpc endpoint is used to connect to ELB API. So Vpc endpoint would not solve our issue.
We have our infra in vpc which includes database(accessible within vpc only) and application servers running behind the ELB. For certain tasks we want to run lambda which will read database(for this reason lambda has to be inside vpc) and make API calls to our application using ELB. Since ELB is accessible from public dns only, lambda is not able to connect to ELB.
I have read that setting up NAT gateway is a solution. Are there other is simpler ways?
Yes, a NAT Gateway would allow the traffic from a private subnet to go out of the VPC and come back in to the Load Balancer's public IP addresses (via its Public DNS Name).
Alternatively, you could create an additional Internal Load Balancer that could accept traffic from within the VPC and send it to the Amazon EC2 instances.
I've read through all the white papers for Route53, Private Hosted Zones, and Workspaces and I'm too the point of banging my head on the wall. :p
I'm having trouble getting an EC2 instance and an Amazon Workspace within a private cloud to communicate using a Fully Qualified Domain Name. I need them to communicate with a FQDN instead of an IP address so that I can have an encrypted connection with an SSL.
Here is my configuration:
Setup a VPC with two public subnets, a route table, and internet gateway.
VPC is setup with DNSResolution and DNSHostnames enabled.
Setup a Simple AD for the workspace within the private VPC.
Setup an EC2 instance within the private VPC with a public subnet.
Setup the EC2 instance with a security group that allows port 80,443, and 5003 open to 0.0.0.0/0.
Setup a workspace within the private VPC with no security group.
Disabled the firewall within the EC2 instance and Workspace.
Setup a Hosted Zone on Route53 configured for Private and linked to the VPC.
Setup an A Record pointing the private IP of the EC2 instance.
If I run a ping from the Workspace to the DNS record that was setup in Route53, I get a successful connection.
If I try to reach the EC2 server using a Web browser on Port 80 or Port 443 using the DNS record, it fails.
If I try to reach the Ec2 server using an application that runs on Port 5003 using the DNS record, it fails.
If I try to reach the EC2 server with either web browser or application by referencing the IP, it is successful. So I know that my ports aren't being blocked.
Did I configure the route53 record incorrectly or am I missing a particular IAM Role permission set?
Thanks and let me know if I need to elaborate on any of the configuration.
SimpleAD DNS is being used instead of Route53. If the zone is the same then only one or the other can be used I'm afraid.
For example if you have host.com DNS zone in SimpleAD then the workspace won't use R53 for any *.host.com resolution. Try a different private zone in R53 and therefore fqdn for the EC2 instance private IP address.
https://forums.aws.amazon.com/thread.jspa?threadID=215126