I have an ec2 host in AWS Ireland. I am connecting to a host that is near AWS Tokyo, but not within AWS Tokyo.
I want my TCP packets to enter the AWS network at Tokyo, and then be routed over the AWS network to Ireland. I've noticed that this is both lower latency and higher bandwidth than routing over the open internet. However, it seems that the packets instead flow over the open internet until Ireland.
Is there a way to force the networking route to enter AWS at Tokyo instead of Ireland?
In AWS routing the destination must be the target host; if it is not, AWS will discard the packets. The exception to this rule is NAT routing, for which you must explicitly disable the source/destination check on the NAT instance.
If you explicitly want it to join at Tokyo you would need to configure your endpoint in the Tokyo region, then have it receive the payload before it then forwards it to the Ireland VPC (using a peering connection). To forward the payload you would need an application that forwards this to the region.
If you're instead trying to make use of the closest edge location to the user then you would want to either look at using CloudFront or Global Accelerator. Both of these will use local AWS PoP and then forward traffic via the AWS backbone to reach its target.
I need to setup S2S VPN between AWS and GCP clouds. This needs to work in High Availability and use dynamic routing.
On the AWS side I have a Transit Gateway with a number of VPC networks attached, to which I also want to attach the VPN (well, in fact on AWS that will be two VPN connections with 2 tunnels each). The important part is that one of the VPCs advertises the route 0.0.0.0/0 and it has to stay that way - this is the only exit to the public internet in this setup (other VPCs do not have their own Internet Gateways and use this route instead). This route gets advertised to GCP...
Now, on the GCP side all the routes received from AWS are registered with priority 100, while default GCP routes have priority=1000. This means that when I establish the VPN, all public traffic from GCP starts flowing into AWS first (0.0.0.0/0 from AWS with prio 100 is considered better than the default 0.0.0.0/0 through GCP's own Internet Gateway with prio 1000). Besides the cost impact it also breaks some functionality on the GCP side (i.e. AppEngine Flex health checks can't get through the firewall).
My question is: how can I avoid this?
I can think of a number of solutions:
Disable advertisement of public routes on the AWS side somehow
Increase the priority of advertised routes on the AWS side (increase the MED value for each route)
Increase all the priorities received from the VPN on the GCP side (like, "comes from VPN, then add X to the MED value").
Filter some routes received from the paired network on the GCP side.
Any of these strategies would work for me but I have no idea how to do any of them. I have found filtering of advertised routes and custom MED values in GCP so that I could adjust what GCP advertises to AWS, but I need exactly the other way around...
You can adjust the priority of dynamic routes on the GCP side.
See https://cloud.google.com/network-connectivity/docs/router/how-to/updating-priority for more details
Please help
We blocked all the outgoing traffic by removing 0.0.0.0/0 and added only our VPC, so that our application can connect to the EC2 instance.
Now the problem is that the EC2 instance is not able to communicate with any AWS services itself; we are not able to use SSM, update our RPMs, etc.
We added a few of the IP ranges based on the errors we faced, which we fear is not the correct way of blocking outbound connections.
Thank you, appreciate your support in advance
You should actually take a look at using VPC endpoints where possible within your VPC.
If you configure these, outbound communication will be via the subnet ranges that the interface endpoints are located in, with the exception of S3 and DynamoDB.
If you use either of these services, in the outbound rules of the security group you can whitelist the prefix list for these services.
By doing this it's easier to manage (AWS IP ranges change all the time), and it is more secure as the egress stays within the AWS network, never connecting to the service endpoints via the public internet.
If this approach is not for you, you would need to subscribe to ip-range changes which would trigger a Lambda function. This Lambda function would access the ip-ranges.json file and retrieve all ranges valid for your application. These IP ranges would then be added to a customer managed prefix list that you define.
The prefix list would be added as an outbound destination allowing port 443 (HTTPS) outbound access; of course, this method would require you to build the Lambda function.
This is the first time I've tried to set up the AWS VPN attached to a transit gateway. I've tested using openswan and it worked like a charm. But the issue is that now I am trying to set it up for our on-premises network, which is behind a NAT device. I am trying to comprehend why the tunnels are still down, and the network people from the on-premises side are not helping much (they said they've configured the customer gateway and that's it).
Basically they have given me a CIDR range (/30) to which I need to NAT all traffic first before routing it to on-premises, and with that CIDR range I could not even create a subnet (invalid CIDR range for the subnet). I have also gotten the static routes, which I've added to the transit gateway routes.
Is there a way to NAT traffic from a VPC to a specific network (on the AWS side, in my case to 10.x.x.x/30) before sending the traffic over the tunnel to on-premises? I could not find a way to set that up.
And also the on-premises network people are not helping much, since they said they've set up everything on their side and are waiting for me to bring the tunnel up. Is there something I am missing? In my previous AWS VPN setup, the initiator to bring up the tunnel was always the customer gateway side.
/palmer
In this case the VPN will always be initiated from the on-premises side for completion.
You need to prepare a CGW and create an S2S VPN connection with that CGW, and share the S2S config information with your on-premises colleague.
Also, for NAT in the VPC you can use the NAT gateway for one-way NAT.
So I have an EC2 instance that has a web server. In the security groups I allowed incoming traffic on 80 and 443 but removed all the outgoing traffic for security reasons.
My application uses AWS SNS and SMTP, and of course whenever it tries to connect to these services it fails since the outbound traffic is blocked. How can I restrict the outbound traffic to just these services without using a proxy? I tried to check VPC endpoints but didn't find SNS and SMTP in the list.
You will need to enable the ports that these services need to receive your requests. Most AWS services use a REST interface which requires HTTPS (443).
For SNS you will need to enable port 443 outbound.
For SMTP you will need to look up the ports that you configured. For SES this is usually ports 465 or 587.
Amazon publishes ip-ranges.json which contains a list of IP addresses for AWS. You can create a Lambda function to automatically update your security groups with these addresses.
I would not block all outbound ports. Instead I would control where the instance can connect to using security groups and ip-ranges.json. Then I would test that you can still install updates, etc. If your instance is Windows based, then you have another can of worms adding the Microsoft sites.
IMHO: Unless you really need this level of control and security and are prepared to spend a lot of time managing everything ...
AWS IP Address Ranges
Example project:
How to Automatically Update Your Security Groups
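The Lambda that two answers on this page describe (the earlier one that feeds a customer managed prefix list from ip-ranges.json, and John's suggestion of a Lambda that keeps security groups in step with AWS IP ranges) can be sketched as follows. This is an added example, not code from either answer, from the linked AWS blog post, or from AWS itself. It assumes the shape of the AmazonIpSpaceChanged SNS notification (a JSON message with url, md5, synctoken and create-time fields), a placeholder prefix list id pl-EXAMPLE, constructed RFC 5737 CIDRs standing in for the real file, and an injected fetch callable so it runs offline; the boto3 call names in the comments are the real EC2 API operations, but the example only builds their parameters.

```python
"""Lambda-shaped updater: AWS ip-ranges.json -> customer managed prefix list plan."""
import hashlib
import ipaddress
import json

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json. The CIDRs are
# RFC 5737 documentation ranges, not real AWS ranges; the real file is much larger.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.128/25", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/28", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [],
}).encode()


def load_document(body: bytes) -> dict:
    return json.loads(body)


def notification_matches(event: dict, body: bytes) -> bool:
    """The AmazonIpSpaceChanged notification carries the MD5 of the published file;
    refuse to act on a download that does not match it."""
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    return hashlib.md5(body).hexdigest() == message["md5"].lower()


def select_prefixes(doc: dict, services: set, regions: set) -> set:
    """IPv4 CIDRs whose service and region are wanted. The same CIDR is listed under
    several services (AMAZON plus EC2 in the sample), so a set deduplicates them."""
    chosen = set()
    for entry in doc.get("prefixes", []):
        if entry["service"] in services and entry["region"] in regions:
            chosen.add(str(ipaddress.ip_network(entry["ip_prefix"], strict=False)))
    return chosen


def plan_prefix_list_update(prefix_list_id, current_version, current_cidrs, desired_cidrs,
                            description="from ip-ranges.json", max_entries=None):
    """Keyword arguments for ec2.modify_managed_prefix_list, or None if nothing changed.
    A managed prefix list has a fixed MaxEntries, so check the size before calling."""
    if max_entries is not None and len(desired_cidrs) > max_entries:
        raise ValueError(f"{len(desired_cidrs)} CIDRs exceed MaxEntries={max_entries}")
    to_add = sorted(desired_cidrs - current_cidrs, key=ipaddress.ip_network)
    to_remove = sorted(current_cidrs - desired_cidrs, key=ipaddress.ip_network)
    if not to_add and not to_remove:
        return None
    params = {"PrefixListId": prefix_list_id, "CurrentVersion": current_version}
    if to_add:
        params["AddEntries"] = [{"Cidr": c, "Description": description} for c in to_add]
    if to_remove:
        params["RemoveEntries"] = [{"Cidr": c} for c in to_remove]
    return params


def egress_rule_for_prefix_list(prefix_list_id, port=443):
    """IpPermissions entry for ec2.authorize_security_group_egress that references the
    prefix list, so the security group itself never changes when the ranges do."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "PrefixListIds": [{"PrefixListId": prefix_list_id, "Description": "AWS endpoints"}]}


def handler(event, current_cidrs, prefix_list_id="pl-EXAMPLE", current_version=1,
            services=("AMAZON",), regions=("eu-west-1",), fetch=lambda url: SAMPLE_IP_RANGES):
    """Entry point shaped like the SNS-triggered Lambda. `fetch` is injected so the example
    runs offline; a real deployment would download message["url"] and read the current
    entries and version via ec2.get_managed_prefix_list_entries / describe_managed_prefix_lists."""
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    body = fetch(message["url"])
    if not notification_matches(event, body):
        raise ValueError("downloaded ip-ranges.json does not match the MD5 in the notification")
    desired = select_prefixes(load_document(body), set(services), set(regions))
    return plan_prefix_list_update(prefix_list_id, current_version, set(current_cidrs), desired)


def sample_event(body: bytes = SAMPLE_IP_RANGES) -> dict:
    """Constructed SNS event in the shape the AmazonIpSpaceChanged topic publishes."""
    message = {"create-time": "2023-11-14-00-00-00", "synctoken": "1700000000",
               "md5": hashlib.md5(body).hexdigest(),
               "url": "https://ip-ranges.amazonaws.com/ip-ranges.json"}
    return {"Records": [{"Sns": {"Message": json.dumps(message)}}]}


if __name__ == "__main__":
    # Pretend the prefix list currently holds one stale range and one still-valid range.
    plan = handler(sample_event(), current_cidrs={"192.0.2.0/24", "10.9.9.0/24"})
    print(json.dumps(plan, indent=2))
    # Real deployment: boto3.client("ec2").modify_managed_prefix_list(**plan)
    print(json.dumps(egress_rule_for_prefix_list("pl-EXAMPLE"), indent=2))
```

The design point is that the security group only ever references the prefix list, so the thing that changes on every AWS IP-range update is the prefix list's entries, computed as an add/remove diff from the authoritative file after its MD5 has been checked against the notification. Filtering on the AMAZON service for one region is the usual starting point because the regional API endpoints fall under it; the max_entries check exists because the number of matching CIDRs can exceed what the prefix list was created to hold.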
To add to John's answer,
last month AWS released a product called "AWS PrivateLink" which enables people to advertise services within a VPC much like S3 endpoints do today. AWS will be publishing AWS services the same way in the coming months, so this may only be a short-term problem for you.
More information can be found at https://aws.amazon.com/about-aws/whats-new/2017/11/introducing-aws-privatelink-for-aws-services/
I have a server (running Java/Tomcat) which was creating huge outbound traffic. This server cannot be accessed from the outside world; only internal network servers can access it, i.e. inbound is allowed only from the internal network.
To solve the huge outbound traffic we have blocked all outbound traffic via the AWS security group, except to internal network servers.
But now it has also stopped the AWS custom monitoring scripts from sending data to CloudWatch.
So what is the IP range that I need to open in the outbound rules to send traffic to CloudWatch?
For the Singapore region:
The CloudWatch IP can be found if you ping the endpoint
monitoring.ap-southeast-1.amazonaws.com
via any AWS server.
For any other region in AWS please refer to the link below.
http://docs.aws.amazon.com/general/latest/gr/rande.html#cw_region
The above page lists the endpoints of all the AWS services.