I have created n1-standard-1 (1 vCPU, 3.75 GB memory) VM and installed LAMP on it with a static IP address. When I am trying to hit the static IP address in browser, it says This site can’t be reached However I have checked firewall rules and port 80 is opened.
Below is the output of gcloud compute firewall-rules list command -
And the output of telnet is as -
Is there anything else I need to do to open port 80 and 443?
Please help, thank you!!
This could be the VM's configuration. You'll want to check that the machine is actually listening on that port. You may have installed LAMP but are the services started, for instance? Best way to do that is SSH into the system and curl localhost. If the curl fails, you know the services are not listening on that port.
After that check that you can access the system from the VPC if you can, for example via another system in the same VPC, run curl <machine>. If that doesn't work, you may find the system is only listening on 127.0.0.1 or has other settings blocking connections from other machines.
If those steps succeed then your firewall rules are indeed to blame - check that your system is in the correct VPC (default you listed above).
Finally, you haven't specified how you assigned the static IP address but make sure that the address is created and assigned to that instance.
Related
I want to connect my instance with another instance through sockets and i can choose the port on which my instance build up the connection. It does not matter what port i take between 1024 and 65535, i get the information that the port is busy and i should choose another port.
Does somebody know what to do ?
If i take the internal ip address, it works, but the other instance can not contact my instance.
First, You can check your VM instance if there’s an active firewall.
For Debian/Ubuntu you can run the command:
‘sudo ufw status’
For Centos/Redhat you can run the command:
‘sudo firewall-cmd --state’
Basically if there are no active firewalls inside your two VM instances and within the same VPC it should be able to connect to each other.
In addition, you can install “Nmap” to scan the open ports to the other VM instance.
I've got some questions about ip's from Digital Ocean and Google Cloud, I have little knowledge about IP's and networks, i have two apps, one is running on a DigitalOcean server (dropplet) and the other is running on a VM Instance of Google Cloud, i was trying to setup code-server on each server.
In the droplet of DigitalOcean I configure successfully code-server, when i was running the command code-server code server got online on the address: http://127.0.0.1:8080 so i couldn't get into the app 'cause it was the local IP of the droplet, so i couldn't write that IP on my browser for obvious reasons, doing a little research i found the flag --bind-addr for code-sever, then i tried this command: code-server --bind-addr=192.231.24.04:8080 (That IP is an IP example) and it works, i was able to access code server writing in my navigator http://192.231.24.04:8080 and also i can access with mydomain.com:8080
In Google Cloud i tried to do the same, but i couldn't, i configured succesfully code-server on the VM Instance, when i run code-server code server got online on the address: http://127.0.0.1:8080 (As in DigitalOcean) obviously, that's the local IP
of the VM Instance, then i proceeded to do the same thing that i did in DigitalOcean, use the ---bind-addr flag, so i wrote this on the console: code-server --bind-addr=104.652.18.64:8080 (That IP is an IP example) and the console put this: error listen EADDRNOTAVAIL: address not available 104.652.18.64:8080, I thought Google Cloud was blocking the port 8080, so i unlock it, but still wasn't working, doing a little research i found that i had to use the IP 0.0.0.0:8080, so i wrote this command: code-server --bind-addr=0.0.0.0:8080 and i tried to access on my browsing using http://104.652.18.64:8080 and it works... i don't know why, i also tried using myseconddomain.com:8080 and also works
So i don't know what's the difference, What does IP 0.0.0.0 mean?
I returned to DigitalOcean droplet and i tried to do the same, i wrote: code-server --bind-addr=0.0.0.0:8080 and in the digital ocean droplet says: error listen EADDRINUSE: address already in use 0.0.0.0:8080
So... what's the difference?
Why does DigitalOcean work in a way that Google Cloud does not work and Google Cloud works in a way that DigitalOcean does not work?
I appreciate your responses
Google Cloud's networking has a distinction between internal and external IP addresses. In particular, a GCE VM won't actually have an interface with the externally visible IP address. Instead, Google Cloud Networking will transparently route from the external IP address to the internal IP address, assuming such routing is allowed by the firewall for that port. Thus, when you tried to start code-server listening to the external IP address specifically, the VM didn't know what that was referring to, as the interface did not exist inside the VM.
Generally on a host (in the context of starting a service on a given interface), 0.0.0.0 refers to any/all of the IP addresses on the machine. In your case, it means that you have started code-server listening to the internal IP address, and since you have removed the 8080 block in the GCP firewall, GCP networking will route requests to the external address to the VM.
I am not certain about DigitalOcean, but I presume that they do not have a different internal and external IP address, and thus when you start code-server listening to the external IP address directly, it attaches to the correct address. The error you are getting when trying 0.0.0.0 indicates something else is already listening on port 8080. Check that you stopped all the prior code-server process first, as well as anything else that may be listening on 8080 on any IP already.
I am currently overseas and I am trying to connect to my EC2 instance through ssh but I am getting the error ssh: connect to host ec2-34-207-64-42.compute-1.amazonaws.com port 22: Connection refused
I turned on my vpn to New York but still nothing changes. What reasons could there be for not being able to connect to this instance?
The instance is still running and serving the website but I am not able to connect through ssh. Is this a problem with the wifi where I am staying or with the instance itself?
My debugging steps to EC2 connection time out
Double check the security group access for port 22
Make sure you have your current IP on there and update to be sure it hasn't changed
Make sure the key pair you're attempting to use corresponds to the one attached to your EC2
Make sure your key pair on your local machine is chmod'ed correctly. I believe it's chmod 600 keypair.pem check this
Make sure you're in either your .ssh folder on your host OR correctly referencing it: HOME/.ssh/key.pem
Last weird totally wishy washy checks:
reboot instance
assign elastic IP and access that
switch from using the IP to Public DNS
add a : at the end of user#ip:
Totally mystical debugging sets for 6 though. That's part of the "my code doesn't work - don't know why. My code does work - don't know why." Category
Note:
If you access your EC2 while you are connected to a VPN, do know that your IP changes! So enable incoming traffic from your VPN's IP on your EC2 security group.
In AWS, navigate to Services > EC2.
Under Resources, select Running Instances.
Highlight your instance and click Connect.
In Terminal, cd into the directory containing your key and copy the command in step 3 under "To access your instance."
In Terminal, run: ssh -vvv -i [MyEC2Key].pem ec2-user#xx.xx.xx.xx(xx.xx.xx.xx = your EC2 Public IP) OR run the command in the example under step 4.
Just check if your public ip that you get when you are on VPN is configured as a source address in the SG inbound entry that opens up port 22.
You can check your ip using https://www.google.co.in/search?q=whats+my+ip, when connected to your VPN.
I tried everything in this and several other answers, also in some aws youtube videos. Lost perhaps five hours over a few sessions trying to solve it and now finally..
I was getting the exact same error message as the OP. I even rented another EC2 instance in a nearer data centre for twenty minutes to see if that was it.
Then I thought it might be the router or internet provider in the guest house where I am staying. Had already noticed that some non-mainstream news sites had been blocked - and that was it!
You can check if the router is blocking port 22:
https://superuser.com/questions/1336054/how-to-detect-if-a-network-is-blocking-outgoing-ports
cardamom#neptune $ time nmap -p 22 portquiz.net
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-03 20:43 CET
Nmap scan report for portquiz.net (27.39.379.385)
Host is up (0.028s latency).
rDNS record for 27.39.379.385: ec2-27-39-379-385.eu-west-3.compute.amazonaws.com
PORT STATE SERVICE
22/tcp closed ssh
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
real 0m0,212s
user 0m0,034s
sys 0m0,017s
Then, the question of why someone would want to block the ssh port 22 is addressed in at length here:
https://serverfault.com/questions/25545/why-block-port-22-outbound
Had the same problem after creating some instances on a new VPC. (If internet SSH worked before this solution may not work for you)
When creating a new VPC, make sure you create an internet gateway (VPC -> Internet Gateways)
And also make sure that your VPC's routing table (VPC -> Route Tables) has an entry which redirects all IPs (or just your IP) to the internet gateway you just created.
For me, it was because of this:
NOT ec2-user#xx.xx.xx.xx
BUT THIS =>>> ubuntu#xx.xx.xx.xx
Watch the image of EC2 instance!
Instead of
ssh -i "key.pem" ubuntu#ec2-161-smth.com
use
ssh -i "key.pem" ec2-user#ec2-161-smth.com
Created an AWS AMI instance.
I can telnet from the instance itself
telnet [Pv4 Public IP] 9200
But not from my pc.
This is my security group
What am I doing wrong?
You can check your Network ACL configurations.
It looks like there is some other firewall in between your PC and server which is blocking you on 9200.
If you can access port 80 via telnet or you're able to SSH in it's likely you have a network ACL in place. If you can not access port 80 via telnet but you can via a browser it's like a local config - maybe AV or a firewall.
EC2 instances use security groups for their firewall
Another test to narrow down the the issue would to see if you could telnet from another instances in the same subenet in the same AZ. Being in the same subnet you should not be affected by a network ACL.
You can have a look at this telnet-to a cloud instance from outside
The solution to problem was "Open the services and make the telnet manual and right click on it and chose start"
As well make sure that the instance is residing in a public VPC
Based on what you've described, there isn't really much else to work with. Your ability to telnet the public IP from the instance implies the server is listening on the external interface and your security group is already set to have the port open to all incoming connections.
Aside from the trivial overlooking of not actually having the instance under the listed security group, the only possibility I can think of now is an active firewall on the instance. In the case of iptables or ufw (which is an interface to iptables), it's trivial to verify whether they are indeed getting in the way:
// List iptables access rules
sudo iptables -L -v
// List access rules via ufw
sudo ufw status
You said: "This is my SG", but...which way? Inbound or outbound?
It can simply be that your host can't reply to your PC.
Try to add a rule which adds outbound TCP ranging from ports 32768 to 65535 (ephemeral ports), so that the telnet server response packets can travel back to your PC.
Otherwise, like the others said, look at one level up, VPC-level (network ACL).
You might have your acceptor process running on 127.0.0.1:9000 which means only local clients can connect. This is not related to your Security Group which could be wide open.
Run lsof -i:9000 if on unix.
If you see something like this under NAME then host IP used to start your acceptor will needs to change from 127.0.0.1 to 0.0.0.0 (and secure via SG/FW).
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 2777 ubuntu 148u IPv6 26856 0t0 TCP localhost:afs3-callback (LISTEN)
A Telnet service is not installed by default on an Amazon Linux AMI.
If you wish to use it, you will need to install it yourself, eg: Install and Setup Telnet on EC2 Amazon Linux or CentOS.
However, these days it is recommended to use ssh instead of telnet because it is more secure. See: Telnet on wikipedia
Just a thought, check firewall of your PC.
Need to ensure your SSH key you generated via IAM and attached to the EC2 at launch is added to the login:
ssh-add -K <yourkeyname>.pem
ssh ubuntu#<yourdns or ip>.com == or == ssh ec2-user#<yourdns or ip>
I had been trying to establish a MongoDB database with an exposed REST API (through Crest, then Sleepy Mongoose), but neither of these had been working. I tried to do a minimal sanity test of "Can I connect to that AWS machine or not?", so here's what I tried:
1) I set up a new Amazon instance (Ubuntu 14.04), and I made sure that all incoming TCP connections were accepted.
2) I tried running sudo python -m SimpleHTTPServer 80.
3) This worked when logged into the machine and doing curl http://localhost:80/ and curl http://XX.XX.XX.XX:80/ (the machine's IP address substituted of course). However, on my local machine, the command just timed out.
I'm really looking forward to any guidance here, so I can hopefully go back to what I was originally doing (MongoDB, exposing a REST API, etc.). Really thankful for any suggestions since this has been driving me crazy!!
This is probably a security group issue.
When doing the curl http://XX.XX.XX.XX:80/ on the machine itself, did you try the internal ip (172.x.x.x / 10.x.x.x / 192.x.x.x) or the external ip?
Also, does the machine have an external ip assigned? (I'm guessing it does, otherwise ssh'ing to it would only be possible from another machine in the same subnet.)
Go to the AWS console, open the instance details and check the instance's security groups. Is port 80 open for the world (0.0.0.0/0) ?