I believe that I've successfully setup an EBS instance and RDS instance in a VPC! It is structured like this:
Elastic load balancer: public available to the internet
Elastic instance: in private subnets
RDS instance: in private subnets
What can I do, both in AWS and outside through testing, to verify that my elastic instance is protected in the VPC and my RDS instance is as well?
Thank you so much!
You can verify the following:
ensure that SGs of the instances allow only incoming traffic from the SG of ALB.
ensure that the EB instances are in private subnet, i.e. they don't have public IP.
ensure that RDS has no public IP option enabled and also it is in private subnets.
also ensure that the SG of the RDS allows only incoming connections from the EB instances.
Adding on to #Marcin's comments, I would also do the below to ensure you are following best practises:
Enabling access logs on the ELB to have some sort of logs on who is accessing the ELB. Would definitely help in troubleshooting.
Have your ec2 in ASG.
Create a certificate and terminate the HTTPS connections on ELB or you can pass the HTTPS through and terminate the SSL on the ec2.
Redirect all requests from the http port to https using the redirect feature in ELB.
Now, to answer your question on how to test the security:
try to ssh into your ec2 directly. It should not work as you are only allowing traffic from ELB and your ec2 is in private subnets.
try accessing your RDS. It should not work as it will only allow traffic from EC2 security group
Build a bastion server (a blank ec2) on AWS and try to access the EC2. It should not work as the ec2 should only allow traffic from the ELB security group
using the bastion, try accessing RDS. Same as above, it should not work as it should only allow traffic from ec2 security group.
Related
Using Terraform to setup a VPC with two EC2s in private subnets. The setup needs to SSH to the EC2s to install package updates from the Internet and install the application software. To do this there is an IGW and a NAT-GW in a public subnet. Both EC2s can access the Internet at this point as both private subnets are routing to the NAT-GW. Terraform and SSH to the private subnets is done via Client VPN.
One of the EC2s is going to host a web service so a Classic mode Load Balancer is added and configured to target the web server EC2. Using Classic mode because I can't find a way to make Terraform build Application mode LBs. The Load Balancer requires the instance to be using a subnet that routes to the IGW, so it is changed from routing to the NAT-GW, to the IGW. At this point, the Load Balancer comes online with the EC2 responding and public Internet can access the web service using the DNS supplied End Point for the LB.
But now the web server EC2 can no longer access the Internet itself. I can't curl google.com or get package updates.
I would like to find a way to let the EC2 access the Internet from behind the LB and not use CloudFront at this time.
I would like to keep the EC2 in a private subnet because a public subnet causes the EC2 to have a public IP address, and I don't want that.
Looking for a way to make LB work without switching subnets, as that would make the EC web service unavailable when doing updates.
Not wanting any iptables or firewalld tricks. I would really like an AWS solution that is disto agnostic.
A few points/clarifications about the problems you're facing:
Instances on a public subnet do not need a NAT Gateway. They can initiate outbound requests to the internet via IGW. NGW is for allowing outbound IPv4 connections from instances in private subnets.
The load balancer itself needs to be on a public subnet. The instances that the LB will route to do not. They can be in the same subnet or different subnets, public or private, as long as traffic is allowed through security groups.
You can create instances without a public IP, on a public subnet. However, they won't be able to receive or send traffic to the internet.
Terraform supports ALBs. The resource is aws_lb with load_balancer_type set to "application" (this is the default option).
That said, the public-private configuration you want is entirely possible.
Your ALB and NAT Gateway need to be on the public subnet, and EC2 instances on the private subnet.
The private subnet's route table needs to have a route to the NGW, to facilitate outbound connections.
EC2 instances' security group needs to allow traffic from the ALB's security group.
It sounds like you got steps 1 and 2 working, so the connection from ALB to EC2 is what you have to work on. See the documentation page here as well - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
Just created an VPC for EKS Cluster and started RDS PostgreSQL instance with custom VPC.
Custom VPC has Subnets.
My Custom VPC has Internet Gateway attached.
EKS and RDS is in same VPC so they have internal communication.
My problem is that i want to connect to RDS from my local machine and i am unable. Regarding the problem i have created a new Security Group with Inbound Rules for PostgreSQL.
PostgreSQL TCP 5432 0.0.0.0/0 –
Im still unable to connect
UPDATE
RDS is Publicly accessible
Security group allows access to RDS
In order to connect to RDS instances from the internet you need to do these 3 things
Deploy your RDS instance in a "public" subnet. This means the subnet must have an Internet Gateway attached to it so it can respond properly to outbound requests
In your RDS instance under Connectivity, extend the Additional configuration section, and then choose Publicly accessible.
Make sure the security group allows access to your RDS instance.
Note: exposing a database to public access is not secure. What I recommend you to do is create a proxy with haproxy or a VPN.
To be able to connect to the RDS database remotely you need to select "yes" option for the "Public Accessibility" setting for you database. Here are some additional configurations that need to be taken into account (form AWS docs):
If you want your DB instance in the VPC to be publicly accessible, you
must enable the VPC attributes DNS hostnames and DNS resolution.
Your VPC must have a VPC security group that allows access to the DB
instance.
The CIDR blocks in each of your subnets must be large enough to
accommodate spare IP addresses for Amazon RDS to use during
maintenance activities, including failover and compute scaling.
Best,
Stefan
I am having an Amazon RDS Postgres instance which resides in the default VPC.
To connect to it, i am using different EC2 instances (Java Spring Boot and NodeJs) running in ElasticBeanstalk. These instances also reside in the default VPC.
Do these EC2 instances connect to/query the RDS instance through the internet or the calls do not leave the AWS Network?
If they leave the AWS network and the calls go through the internet, is creating a VPC endpoint the right solution? Or my whole understanding is incorrect.
Thanks a lot for your help.
Do these EC2 instances connect to/query the RDS instance through the internet or the calls do not leave the AWS Network?
The DNS of the RDS endpoint will resolve to private IP address when used from within VPC. So communication is private, even if you use public subnets or set your RDS instance as publicly available. However, for connection from outside of AWS, the RDS endpoint will resolve to public IP address if the db instance is publicly available.
If they leave the AWS network and the calls go through the internet, is creating a VPC endpoint the right solution?
There is no VPC endpoint for RDS client connections, only for management actions (creating db-instance, termination, etc). In contrast, Aurora Serverless has Data API with corresponding VPC endpoint.
To secure your DB-Instances communications you need to be sure at least about the following:
locate your RD in private subnet (route table does not contain default outbound route to internet gateway).
RDS security group just accept traffic inbound only from instances security group/groups on TCP port for PostgreSQL which is usually 5432.
In this case Traffice to RDS will go localy in your vpc, for vpc endpoints it can be used to access RDS API operations privatly which is not your case (you just need to connect your app to DB using connection string)
Right now, when I manually enter my EC2 ipv4 address in the browser, I get the webpage back.
How can I restrict the EC2 instance to only receive and send data to the Elastic Load Balancer (ELB) that's attached to it?
Thank you.
1-No one knows your EC2 IP address, so if you put it behind ELB, everyone can see the ELB IP address.
2-You can use the security group to limit access to your EC2 only from ELB.
Edit your EC2 security group and add your ELB security group name, after that, only ELB can access your EC2 directly.
For more info read the following docs:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-update-security-groups.html
You should limit access to your ec2 to only traffic from ELB unless you have a specific reason not to.
You will have a security group assigned to ELB such as sg-xxxxxx. Make sure that when you create another security group for your ec2, it's ingress for 80/8080/443 (depending on ports you are using) are not CIDRs specific, but use security group assigned to ELB instead. Obiously make sure that this security group account for both, forwarding traffic and health check traffic, as ELB won't send traffic to unhealthy nodes.
Ideally you have both private and public subnets in your VPC, in which case put your ELB in public and EC2 in private subnets.
I am new to AWS and not a network admin, mere a developer, and need your help.
I am unable to connect to my aws RDS (mysql) from my lightsail ubuntu instance. when trying to connect, it just wait for a minute and then fails.
I am unable to ping my RDS either.
here is the setup
the lightsail instance has vpc peering enabled in lon-zone-A
I have created a mysql RDS instance in aws and used default vpc peering. mysql is restricted to VPC and using default security group which has a rule for inbound - All traffic for default security group source
the default VPC have 2 subnets in CIDR 172.31.16.0/20 and 172.31.0.0/16 for two availability zone A and B.
In route table of the subnet, i have
172.26.0.0/16 as destination and target to vpc peering which further has
Requester VPC CIDRs 172.26.0.0/16
Accepter VPC CIDRs 172.31.0.0/16
My lightsail instance has private IP 172.26.15.xxx and in lon-Zone-A
When i ping my mysql intance, i get ip 172.31.10.9
command using to connect mysql -h xxxxxx.xxxxx.eu-west-2.rds.amazonaws.com -P 3306 -u db_master_username -p
To enable access from AWS Lightsail to AWS RDS you can accomplish in two separate ways:
Method 1.
Make RDS publicly accessible.
In RDS pick you instance and click 'Modify'. In section 'Network & Security' choose 'Publicly accessible' to Yes. Apply settings and wait until they are effective. Your RDS has public IP now.
Add your Lightsail public IP to the RDS security group inbound traffic.
Use CIDR: x.x.x.x/32 where x.x.x.x is your Lightsail instance public IP.
Method 2. (better, RDS with no public IP)
Make sure you Lightsail instance is in the same Availability Zone as RDS.
Set up VPC peering beetween Lightsail VPC and Amazon VPC.
Add your Lightsail local IP to the RDS security group inbound traffic.
I managed to solve. it.
I had to add my lightsail instance IP CIDR in the RDS inbound rule as mysql/aurora TCP allowed traffic.
:-)