AWS - Access instances inside private subnets through wireguard instance inside public subnet - amazon-web-services

I am new to StackOverflow, please let me know if I need to edit this post to make it clearer.
Objective: Access through HTTP/HTTPS web app instances inside private subnet via wireguard vpn located inside public subnet (These subnets are all inside the same VPC).
Situation:
I have a VPC with:
1 public subnet containing an ec2 instance running wireguard VPN
4 private subnets individually containing ec2 running individual web apps (based on bitnami images)
The wireguard instance has its own security group and the other instances share the same security group as the VPC.
There is a NAT gateway inside the public subnet and all outbound connections from private subnets are routed to that NAT.
I've setup a private hosted zone and added records to point domain names to instances inside the private subnets. (i.e. sub.test.com points to 10.0.1.1, etc.).
I've enabled port forward and unchecked 'source/destination' on the wireguard ec2 instance.
Result: I can connect to the wireguard instance through SSH and wireguard client, but cannot access web apps ec2 inside private subnets.
Question: How can I access the instances inside the private subnets through the wireguard instance inside the public subnet ? (Is it a wireguard config issue or a route table issue ?)

Take a look at this tutorial that walks through each step of how to set up WireGuard with AWS private subnets -- it includes some troubleshooting suggestions for issues like this. Here are four things from it in particular to check if you're having trouble reaching apps in the private subnet from the WireGuard server:
make sure the AllowedIPs setting in your WireGuard client config includes your private subnets (if the IPv4 CIDR block for your entire VPC is 10.0.0.0/16, that's probably what you want to set the client's AllowedIPs to)
make sure the web app's security group allows inbound access from the WireGuard server's security group on the port range used by the web app (likely TCP port 80 and 443)
make sure the WireGuard server's security group allows outbound access to the web app -- the default outbound rules allow everything, which is fine -- but if you've customized the outbound rules, make sure they allow access to the web app security group on the port range used by the web app (likely TCP port 80 and 443)
make sure your network ACLs aren't blocking traffic between the public and private subnets -- the default ACL allows everything, which again is fine -- but if you've customized the ACLs for your subnets, you need to make sure traffic can flow from the public subnet to the private subnets on the port range used by the web app (likely TCP port 80 and 443), and from the private subnets back to the public subnet on the ephemeral port range used by the OS that the WireGuard server is running (TCP 1024-65535 to be safe)

You need to allow HTTP/HTTPS ports (80/443) using your console and this document.
You enter in your security group and incoming rules
PS: If you could acces via ssh, that means that SSH (port 22) has already been authorized in your machine's security group. Simply add other rules HTTP and HTTPS

Related

AWS EC2 Internet access from behind Load Balancer

Using Terraform to setup a VPC with two EC2s in private subnets. The setup needs to SSH to the EC2s to install package updates from the Internet and install the application software. To do this there is an IGW and a NAT-GW in a public subnet. Both EC2s can access the Internet at this point as both private subnets are routing to the NAT-GW. Terraform and SSH to the private subnets is done via Client VPN.
One of the EC2s is going to host a web service so a Classic mode Load Balancer is added and configured to target the web server EC2. Using Classic mode because I can't find a way to make Terraform build Application mode LBs. The Load Balancer requires the instance to be using a subnet that routes to the IGW, so it is changed from routing to the NAT-GW, to the IGW. At this point, the Load Balancer comes online with the EC2 responding and public Internet can access the web service using the DNS supplied End Point for the LB.
But now the web server EC2 can no longer access the Internet itself. I can't curl google.com or get package updates.
I would like to find a way to let the EC2 access the Internet from behind the LB and not use CloudFront at this time.
I would like to keep the EC2 in a private subnet because a public subnet causes the EC2 to have a public IP address, and I don't want that.
Looking for a way to make LB work without switching subnets, as that would make the EC web service unavailable when doing updates.
Not wanting any iptables or firewalld tricks. I would really like an AWS solution that is disto agnostic.
A few points/clarifications about the problems you're facing:
Instances on a public subnet do not need a NAT Gateway. They can initiate outbound requests to the internet via IGW. NGW is for allowing outbound IPv4 connections from instances in private subnets.
The load balancer itself needs to be on a public subnet. The instances that the LB will route to do not. They can be in the same subnet or different subnets, public or private, as long as traffic is allowed through security groups.
You can create instances without a public IP, on a public subnet. However, they won't be able to receive or send traffic to the internet.
Terraform supports ALBs. The resource is aws_lb with load_balancer_type set to "application" (this is the default option).
That said, the public-private configuration you want is entirely possible.
Your ALB and NAT Gateway need to be on the public subnet, and EC2 instances on the private subnet.
The private subnet's route table needs to have a route to the NGW, to facilitate outbound connections.
EC2 instances' security group needs to allow traffic from the ALB's security group.
It sounds like you got steps 1 and 2 working, so the connection from ALB to EC2 is what you have to work on. See the documentation page here as well - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html

EC2 open port for only private IP address

My Linux based EC2 instances have both public and private IPs. I am hosting two servers on it:
S3 server, which will be accessible over both internet/private network and
NFS server, which should be accessed only via private IPs/internal network.
I want to open NFS port in the Security Group but only allow the access over the EC2 instances's private IP. I don't think this can be achieved by using only security groups as when the request reaches EC2 node, the Internet Gateway has already replaced the public IP with the private IP of the EC2 instance and the instance is not even aware that there is an extra public IP associated with it.
Instead what can be done is to choose the sources and selectively allow NFS access only to the VPCs and on-premises network (in case there is a VPN connectivity) but that would also mean that every time a new VPC is created OR a new VPN endpoint is established, someone has to modify the Security Group to accommodate new IP addresses.
What I ideally need is a way to apply port and IP based rules on the Internet Gateway which is currently not available/exported. Looking for alternatives.
The simplest method would be to add an Inbound rule to the Security Group where the Source is the CIDR range of the VPC.
For example, if your VPC is 172.31.0.0/16, then use this as the Source in the security group. It would permit any inbound connection from that IP address range.

AWS EC2 not accessible from public IP

My application is working fine on the Amazon EC2 Windows Server. But when I am trying to access the same through the elastic public IP, it is not accessible. I have seen the inbound configurations and the ports(HTTP,HTTPS,SSH) are enabled. Infact, I added a rule to All Traffic from Anywhere. But no success.
Firewall ports are open in host server. The URL is accessible from private IP from other EC2 machines in same network
http://3.45.54.89:8080/My-App/ ----> Public IP- Not Working
http://10.0.2.23:8080/My-App/ ----> Private IP - Working
Please guide. Stuck Badly in this
The fact that you can access the port from within the network points out that you indeed have a rule somewhere in the VPC that is blocking the connection from outside the network.
Here are the components you need to access a resource inside a VPC from outside the VPC:
Internet Gateway: This is the entry point into the VPC. Seems like this is already working as expected as you can access the instance in the first place.
(optionally) Bastion host: If the resource you are trying to connect to is in a private subnet you need a bastion host in the public subnet. Read more about it here.
NACL: If you have not changed the defaults, this should allow the requests to flow through. Note that NACL are stateless i.e. you need to allow both inbound and outbound.
Security Group: As the final layer, the security group should allow the traffic on the ports, to the appropriate cidr block.
Based on the scenario you have described, my guess is that your instance is in a private subnet. If it is, then you need to route the requests through something in the public subnet.
Edit the firewall ports for an IIS website in Windows Server. if the iis apps are not in the inbound list please add them and try again.
https://www.youtube.com/watch?v=YQcklFuWrcw

Run Filezilla Client in private subnet

I have a VPC with one public subnet and one private.
The public subnet has an OpenVpn Server (worked also as NAT) and a public IP
The private subnet has a Win 2012R2 Server with an Oracle 11g server.
My set up:
1. VPC:
2. Public Subnet:
3. Private Subnet:
4. Internet gateway
5. Security Groups:
5a: For the VPN server:
5b: For the Win Server (with the oracle server)
So, I've set up the OpenVPN server and I am able to connect to the server from my laptop. Everything is fine.
Now I want to run FileZilla in my Win Server to download some files from ftp sites.
I add more security groups to my Win Server with inbound and outbound rules but it doesn't work. I think that I have to add a route table for my private subnet to connect to outside world, but I have no idea how to implement that.
Rules that I have tried (inbound and outbound):
Route table that I tried:
Any ideas?
Can you open a browser on the Windows server and view Internet sites? I'd start by getting that working before moving on to FileZilla. If you truly have your OpenVPN server also working as a NAT server then it should be providing internet access for the instances in the private subnet. You shouldn't need to open any inbound rules in the security group (because you aren't running an FTP/SFTP server, just a client), and you should be able to leave the outbound rules as default (which allow all outbound traffic).
It appears that you are missing a route table entry for your NAT gateway, so your OpenVPN server is not currently acting as a NAT gateway. You will have to configure a NAT Instance or an AWS managed NAT Gateway in order to allow instances in your private subnet to access the Internet. You should read the documentation.
You will have to create a Bastion Server in your Public Subnet to make that File Zilla to work. Check below guide.
https://blogs.aws.amazon.com/security/post/Tx3N8GFK85UN1G6/Securely-connect-to-Linux-instances-running-in-a-private-Amazon-VPC

Setting up NAT / WAF in Amazon AWS

I have the following issue:
I want to setup a NAT or WAF in the following scenario:
Internet->VPC->IGW->Rotuer->Subnet1->EB1
->Subnet2->EB2
->Subnet3->EB3
in short words, my scenario is: VPC, Internet Gateway, Route table (Default from VPC) and subnets with EB into.
I tried some steps where I have to create another route table, set NAT instanc as target to 0.0.0.0/0 in this second one and attach the EB subnets to this one; attach the NAT subnet to the main route table and this seems not work.
Tried to Amazon AWS scneario 1 example that is my current configuration without results.
What can be missing to setup correctly it?
Thanks in advance.
I'm not entirely clear about what you are wanting to achieve, but I think you want your subnets to access the Internet, and prevent the Internet from having a direct access to the instances the reside in your private subnet(s).
It's hard to visualize your workflow that way. But i think I follow:
(AWS VPC Internet Gateway) --> Internet
AWS VPC CIDR range contains:
a) public/private subnet #1
b) private subnet #2. private subnet #3.. etc.
A typical set up of achieving requires the following Amazon entities:
1) IGW - internet Gateway
2) VPC with CIDR range of how big or small you want.
for the VMs that you want to protect, while still having internet access, you need them to be assign subnets. The subnets have to be WITHIN the VPC CIDR range. But do not make the subnet to be the same CIDR of the VPC, if you do this, then it essentially makes your private subnet a public accessible one since you have consumed all of the IP range and in which case you must assign it to the IGW which is not what you want.
3) A bastion server - what is a bastion server? This is a server that you purposely put to take internet incoming requests, which protect your private subnets. This can be in the form of a server that acts as a router or NAT. This can be either
3a) a homebrew install of Ubuntu (my fave distro) with iptables and ipv4 packets forwarded, or you can do
3b) a Nat gateway in your amazon VPC, or
3c) a vpc-nat AMI that you can find in the AMI Community. So just chose what method you wish.
4)Create Security group #1 - create a security group for the Bastion Server. I usually call it "NAT SG" and have inbound 0.0.0.0/0 and outbound to TCP 80, 443, 22 and etc, according to your outbound port needs determined by whatever you are running.
5) Security group #2 - create a security group for the private subnet. This is for traffic that will allow all within the subnet(s) and to funnel all outbound non private data to 0.0.0.0/0 to the bastion server.
To implement this is a simplified conceptual order of operations you need to do:
1) Create a VPC with the CIDR range (let's say 10.0.0.0/16)
1.5) create an Internet Gateway and assign it to the VPC (10.0.0.0/16)
2) Create private subnets with CIDR range that's in the VPC CIDR (10.0.1.0/24, 10.0.2.0/24, 10.0.2.0/24, etc).
3) Create a public subnet that will contain the bastion server, or whatever you want the Internet to see. (10.0.254.0/24 (this is huge, allowing 256 servers in the subnet. You will most likely only have the bastion server consuming only 1 server, so it will probably auto assign 10.0.254.2)
4) create 2 routing tables - one called private and one called public. For the private routing table, edit, then add a new Route for 0.0.0.0/0 goes to the bastion server ID. For the public routing table, edit , then add a new route for 0.0.0.0/0 to the Internet Gateway ID (see step 1.5)
5) Either launch your own server and set it up to become a NAT router (if you know how to do that), or start up the vpc-nat AMI (amzn-ami-vpc-nat-hvm-2016.03.0.x86_64-ebs - ami-311a1a5b) is the latest one, so use that. When you create the instance, select the public subnet, the VPC, and assign it a public IP (don't wait and give it an Elastic IP, you will want the public IP),select the "NAT SG" security group, and then Launch it. After it is launched you will select it and select Network --> src/dest. check and DISABLE it. This allows all traffic to funnel in. You only need 1 bastion server, I'm not stating to do all 3.
6) Launch your AMI or custom VM that you want private, and be within the private subnets (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24... etc). And assign it a private security group, and the same VPC. If it is linux or windows you may want to generate a new private key (pem) for future login. Convert the pem to a ppk using puttygen.
Testing, in order to ensure you have internet connectivity:
the bastion server must be able to reach the world
the VM instance in the private subnet (if the routing was done accurately), should reach the internet by flowing packets to the 0.0.0.0/0 rule to pass through the bastion server, and the bastion server will allow resolution and flow to the internet for outbound requests.
I usually do a ping to google since they do not block ICMP requests and are quite reliable. So ssh into the bastion server, ping google.com. If you get the IP but it cannot get a reply then it means your Internet gateway or the Security group did not all all outbound traffic 0.0.0.0/0, so double-check that.
Now SSH into the private server (assuming linux) and ping the bastion server (10.0.254.X) and you should be able to get a response. That's a good sign. now ping google.com and see if you get a reply. I hope you do. If you get DNS resolution but it is stuck at get any responses, then you forgot to disable Src/Dest checking on the bastion server. Then go to your ec2 console, locate the bastion server and select, then actions, networking, and select src/dest check and confirm DISABLE and save.
That should make your private network resolve and hit the world, while still being protected from the internet.
I hope this helps.
Richard.