I have an RDS instance in my VPC which has Public accessibility = No
I have an OpenVPN Access Server on an EC2 instance. And I have configured two users:
First one using NAT on my OpenVPN AS to access my private networks. Using NAT, OpenVPN translates my IP; therefore, when I connect to AWS RDS, I'm using a local VPC IP address. This one connects without problems to my RDS instance.
Second one uses Routing on my OpenVPN AS to access my private networks. In this case, I use a VPN IP (different from the private IPs in my VPC). This one cannot connect to my RDS instance. I think it is because it doesn't resolve the DNS of the endpoint.
For example: VPC -> 172.24.0.0/16
First scenario is like I use: 172.24.1.10 (a local VPC IP) to connect to RDS.
Second scenario is like I use: 172.47.224.100 (an IP from my VPN) to connect to RDS.
Is it possible to access the RDS instance through the VPN using Routing (which is the second scenario)? And how do I do it? Thanks.
Update
I just confirmed the following:
If I use the first scenario, I can ping an EC2 instance using the Private IP and the Private DNS.
If I use the second scenario, I can ping using the Private IP, but I can't ping using the Private DNS.
We want our RDS to be openly accessible from outside the VPC, but it is not secure to do so.
Is there any solution to help us connect the RDS securely ?
You have two basic options to access an Amazon RDS database. Which you choose depends on your risk appetite.
Option 1: RDS database in public subnet
For this option, the database is launched in a Public Subnet, with Publicly Available = Yes.
To secure the database, you would configure the Security Group to only permit inbound access from your IP address.
Option 2: RDS database in private subnet
For this option, the database is launched in a Private Subnet, with Publicly Available = No.
You will need some way to 'connect' to the VPC, and then connect to the RDS database. Options for connecting to the VPC could be:
Create an AWS Client VPN, which allows you to connect to the VPC from any location using an OpenVPN-based VPN client, or
Launch an Amazon EC2 instance in the public subnet and connect to it using SSH and Port Forwarding (See: How to use SSH Tunnel to connect to an RDS instance via an EC2 instance?)
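For Option 1 the whole security argument rests on that one Security Group rule, so it is worth checking mechanically that no database port is reachable from the whole Internet. The script below is an added example, not code from the question or answer: it walks Security Groups in the shape returned by `aws ec2 describe-security-groups` (fed here with constructed data; the group IDs and the 203.0.113.7 address are placeholders) and reports every RDS engine port exposed to 0.0.0.0/0 or ::/0, and builds the single-source rule the answer recommends instead.

```python
import ipaddress

# Ports of the engines Amazon RDS offers; the audit flags any of them reachable from anywhere.
DB_PORTS = {3306: "MySQL/MariaDB/Aurora MySQL", 5432: "PostgreSQL/Aurora PostgreSQL",
            1433: "SQL Server", 1521: "Oracle"}


def _rule_covers_port(perm, port):
    """True if one IpPermissions entry (describe-security-groups shape) matches a TCP port."""
    if perm.get("IpProtocol") == "-1":          # "all traffic" rule
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def audit_db_exposure(security_groups):
    """Return (group_id, port, cidr, reason) for every database port open to the whole Internet.

    security_groups is the `SecurityGroups` list from `aws ec2 describe-security-groups`;
    only IPv4/IPv6 CIDR sources are examined (referenced groups and prefix lists are skipped)."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                net = ipaddress.ip_network(cidr, strict=False)
                for port, engine in DB_PORTS.items():
                    # prefix length 0 is 0.0.0.0/0 or ::/0, i.e. the whole Internet
                    if _rule_covers_port(perm, port) and net.prefixlen == 0:
                        findings.append((sg["GroupId"], port, cidr, f"{engine} open to the world"))
    return findings


def single_source_rule(source_ip, port):
    """The rule Option 1 calls for: exactly one /32 (or /128) source and one TCP port."""
    host = ipaddress.ip_address(source_ip)
    cidr_key = "CidrIpv6" if host.version == 6 else "CidrIp"
    range_key = "Ipv6Ranges" if host.version == 6 else "IpRanges"
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            range_key: [{cidr_key: f"{host}/{host.max_prefixlen}"}]}


# Constructed sample data: the group IDs and 203.0.113.7 (a documentation address) are placeholders.
WORLD_OPEN_SG = {"GroupId": "sg-placeholder-open",
                 "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                                    "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
LOCKED_DOWN_SG = {"GroupId": "sg-placeholder-locked",
                  "IpPermissions": [single_source_rule("203.0.113.7", 3306)]}

if __name__ == "__main__":
    for finding in audit_db_exposure([WORLD_OPEN_SG, LOCKED_DOWN_SG]):
        print(finding)
```

Against real output you would pass `json.load(...)["SecurityGroups"]` to `audit_db_exposure`; an "all traffic" rule (`IpProtocol` of `-1`) from 0.0.0.0/0 is reported once per database port, since it exposes all of them.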
When you set up an EC2 instance in a private subnet to access the internet through a NAT gateway (with all the necessary routing and association through route table), how do you go about SSH'ing into the private EC2?
For example, EC2 in the NAT Gateway public subnet and making a connection through the public EC2 to the private EC2.
NAT Gateway is for outgoing traffic only. If you have to access the private EC2 instance then you need a bastion on a public subnet in the same VPC.
Or a VPN to connect, or AWS Systems Manager.
There are three options that are commonly used:
Use a bastion host in a public subnet. First you ssh to the bastion, and then ssh from the bastion to the private EC2. This usually requires copying the private SSH key to the bastion so that you can use it there to ssh to the private subnet.
Use SSM Session Manager. This would probably be the easiest option to set up, as you are already using NAT, and it requires a special instance role.
Use a VPN. Probably the most complex solution but also used nevertheless.
As the instance is in a private subnet you will need to use a method to connect to this privately. There are many options to choose from, they will vary in cost and complexity so ensure you read each one first.
Site-to-site VPN - Using this method a managed VPN is added to your VPC and connected to your on-premises network via hardware configuration. Your security groups will need to allow your on-premises CIDR range(s) to allow connection.
Client VPN - Using either AWS solution, or a third party from the marketplace (such as OpenVPN) you can establish a connection using either a local program or HTTPS in your browser.
SSM Session Manager - Access your EC2 instance via the AWS console or using the CLI, portrayed as a bash interface without using SSH to authenticate. Instead IAM is used to control permissions and access.
Bastion host - A public instance that you can connect to as an intermediary, either using SSH to connect to before accessing your host, or as a proxy for your commands.
I've created an EC2 instance inside a public subnet (so that I can access it from my home network) and I have created some Lambdas inside the private subnets of my VPC.
My 1st lambda can freely access the internet (through a NAT Gateway) and do its job. Which is to fetch a file from the internet and upload it to S3, once per day.
My 2nd lambda is supposed to retrieve this file from S3 (which it does without issue), read the file & then upload the data to MySQL running on the EC2 instance. It is unable to connect to the Database (using either the EC2's public or private IPs) and the CloudWatch logs show that the session times out, making me think this is a networking issue.
I have a 3rd lambda that will also need to interact with the EC2/DB instance.
My security group allows for all incoming traffic from my home network IP, the NAT gateway & the VPC IP range. All outbound traffic is allowed.
I appreciate it's not usual to have an EC2/DB set up this way, in a public subnet, but it's my preference to interact with it this way from home using Sequel Pro.
However, is my set up even possible? E.g. can my private subnet lambdas interact with a public subnet EC2 instance? If so, does anybody have any ideas how I can make this happen?
It appears that your situation is:
An Amazon EC2 instance running in a public subnet, with MySQL
The EC2 instance has a Security Group allowing all incoming traffic from your home network IP, the NAT gateway and the VPC IP range
An AWS Lambda function connected to a private subnet of the same VPC
A NAT Gateway allowing private subnets to connect to the Internet
The Lambda function is unable to connect with the MySQL database running on the EC2 instance
The normal security configuration for this scenario would be:
A Security Group on the Lambda function (Lambda-SG) that allows all Outbound access (no Inbound required)
A Security Group on the EC2 instance (EC2-SG) that allows inbound access from Lambda-SG on port 3306, plus whatever inbound permissions you want for accessing your instance via SSH, etc.
Given that your Security Group includes "the VPC IP range", this should be sufficient to permit inbound access.
The Lambda function should reference the EC2 instance via its private IP address to keep traffic within the VPC. By default, all subnets within a VPC can communicate with each other unless the Network ACLs have been modified (and they should generally be left at default values).
This means that the only remaining explanation would be that the MySQL database is not accepting traffic from the VPC IP range. (I'm not a MySQL person, but I know that PostgreSQL requires incoming IP ranges to be defined, so this might be true for MySQL too.)
To diagnose what might be happening in your network, I recommend:
Launch another Amazon EC2 instance in the public subnet
Connect to the new instance and try to connect to the MySQL database via the private IP address
If that works, repeat the process but from an EC2 instance in the private subnet. To use this you will need to connect to the 'public' EC2 instance, and from there connect to the 'private' EC2 instance. Then, try and connect to MySQL from that private instance.
These steps will progressively let you identify where the network problem might lie. Let us know what you find!
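The diagnosis above hinges on one distinction the question already hints at: a connection that times out is being dropped somewhere on the path (Security Group, network ACL, host firewall, or a public IP used from inside the VPC), whereas a connection that is refused proves the packets arrive and nothing is listening on that address and port, which is what a MySQL `bind-address = 127.0.0.1` looks like from the outside. The probe below is an added example, not code from the question or answer; run it from the test EC2 instances the answer suggests, against the private IP and port 3306. The loopback listener is only a stand-in for MySQL so the block runs offline.

```python
import errno
import socket

# What each outcome means when a client inside the VPC cannot reach MySQL on an EC2 instance.
MEANING = {
    "open": "TCP reached the listener; a failing login is then a MySQL grant problem, not networking",
    "refused": "the host answered with RST: packets arrive, but nothing listens on that address/port "
               "(typical cause: bind-address = 127.0.0.1 in my.cnf, or the wrong port)",
    "timeout": "no answer at all: the packet is being dropped (security group, network ACL, "
               "host firewall, or a public IP used from inside the VPC with no return path)",
    "unreachable": "the client kernel has no route to that address at all",
}


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the result as open/refused/timeout/unreachable."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def diagnose(host, port, timeout=3.0):
    """Return (classification, explanation) for one host:port."""
    result = probe(host, port, timeout)
    return result, MEANING[result]


def loopback_listener():
    """Open a listening socket on 127.0.0.1 on a free port (stands in for MySQL in the demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = loopback_listener()
    print("while listening:", diagnose("127.0.0.1", port))
    srv.close()
    print("after close:    ", diagnose("127.0.0.1", port))
```

Replace `127.0.0.1` and the demo port with the instance's private IP and 3306 when running from the public or private test instance; a "timeout" from the private instance but "open" from the public one points at the Security Group or NACL between the subnets, while "refused" from both points at MySQL's own listening address.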
I have a database running on AWS EC2 and I want it to NOT be accessible via any public IPs or DNS. I only want it to be accessible via a private IP address, so that a Node.js application within the same AWS zone could connect to it via an internal IP address (not a public one). So something like localhost but an AWS version of it.
Is this at all possible? How to do that? I didn't find anything online about it.
Generally speaking, an instance is private as long as a public IPv4 address is not assigned.
Instances with public IPv4 addresses but no Internet Gateway route will not allow inbound traffic as long as an Internet Gateway is not attached, although this should not be relied on to make an instance private, as it is easily reversed.
The best approach is to create private subnets where the private instances should exist, and ensure that the setting for auto-assign public IPv4 is not enabled.
Create a separate route table for the subnets and, if you want the instances to be able to connect to the internet, create either a NAT gateway or NAT instance for IPv4 traffic and add a route to the internet in your route table to use these as the target.
If you want IPv6 traffic outbound too, you will need to perform the above with an egress-only internet gateway.
Check out this AWS documentation for a further breakdown of public and private network configuration.
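Whether a subnet is "public" is a property of its route table, not of the subnet's name, so the check is worth automating before trusting that a database instance is unreachable. The classifier below is an added example, not code from the answer: it takes subnets and route tables in the shape of `aws ec2 describe-subnets` / `describe-route-tables` (constructed here; every ID is a placeholder), resolves each subnet's table (explicit association, else the main table) and labels the subnet by its default-route target, following the answer's rules: an `igw-` target makes it public, a NAT gateway or NAT instance makes it private with IPv4 egress, an `eigw-` target gives IPv6 egress only, and no default route at all means isolated even if the instance was handed a public IP.

```python
# Shapes follow `aws ec2 describe-route-tables` / `describe-subnets`; all IDs below are placeholders.


def _route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def _default_route_targets(rt):
    """Return (family, target_id) for each default route (0.0.0.0/0 or ::/0) in one table."""
    targets = []
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            family = "ipv4"
        elif route.get("DestinationIpv6CidrBlock") == "::/0":
            family = "ipv6"
        else:
            continue
        target = (route.get("GatewayId") or route.get("NatGatewayId")
                  or route.get("EgressOnlyInternetGatewayId") or route.get("InstanceId")
                  or route.get("NetworkInterfaceId") or "")
        targets.append((family, target))
    return targets


def classify_subnets(subnets, route_tables):
    """Map subnet ID -> public / public-route-no-auto-ip / private-nat / private-egress-only / isolated."""
    result = {}
    for sn in subnets:
        rt = _route_table_for(sn["SubnetId"], route_tables)
        targets = _default_route_targets(rt) if rt else []
        igw = any(t.startswith("igw-") for _, t in targets)
        # NAT gateway, or a NAT instance referenced by instance or ENI ID, on the IPv4 default route
        nat = any(t.startswith(("nat-", "i-", "eni-")) for f, t in targets if f == "ipv4")
        eigw = any(t.startswith("eigw-") for f, t in targets if f == "ipv6")
        if igw:
            label = "public" if sn.get("MapPublicIpOnLaunch") else "public-route-no-auto-ip"
        elif nat:
            label = "private-nat"
        elif eigw:
            label = "private-egress-only"
        else:
            label = "isolated"   # no route out, even if an instance here carries a public IP
        result[sn["SubnetId"]] = label
    return result


# Constructed sample: one public subnet, one private subnet with NAT + egress-only IPv6,
# and one subnet left on the main table, which has no default route.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main-placeholder",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public-placeholder",
     "Associations": [{"SubnetId": "subnet-a-placeholder"}],
     "Routes": [{"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
    {"RouteTableId": "rtb-private-placeholder",
     "Associations": [{"SubnetId": "subnet-b-placeholder"}],
     "Routes": [{"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"},
                {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-placeholder"}]},
]
SUBNETS = [
    {"SubnetId": "subnet-a-placeholder", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-b-placeholder", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-c-placeholder", "MapPublicIpOnLaunch": True},  # main table: no way out
]

if __name__ == "__main__":
    for subnet_id, label in classify_subnets(SUBNETS, ROUTE_TABLES).items():
        print(subnet_id, label)
```

`subnet-c` is the case the answer warns about: auto-assign public IP is on, but without an Internet Gateway route the address is unreachable, and flipping one route makes it public again, which is why the database belongs in a subnet whose table never gets an `igw-` default route.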
I've created a VPC with IPv4 CIDR 172.16.0.0/16, next I've created three subnets:
subnet_1 172.16.0.0/20
subnet_2 172.16.16.0/20
subnet_3 172.16.32.0/20
Next I created an Internet Gateway attached to the VPC.
At this point I've created an EC2 instance and I attached to it an Elastic IP. On this instance I have installed an OpenVPN access server.
I then created a second EC2 instance that only has a private IP address. In my mind I thought that once connected via VPN I should able to ssh into the second EC2 instance with a private IP, but I'm not able to connect. What might I have done wrong?
EDIT: I edited the post with some additional information
This is how I configured my VPC
My subnets attached to the VPC
The internet gateway attached to VPC
This is my EC2 instance with OpenVPN Access Server, with its Elastic IP so that I can access it from my browser
Inbound rules for security group of vpn instance
And the outbound rules
The second and private instance (the instance to which I want to connect via VPN)
Inbound rules
And outbound rules
In OpenVPN Access Server I did these configurations
And when I connect to the VPN I receive this address 172.16.128.2 (for example)
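Both OpenVPN Access Server posts on this page (the RDS one at the top, where NAT works and routing does not, and this one, where the client receives 172.16.128.2 inside a 172.16.0.0/16 VPC) come down to the same question: what source address does the private resource see, and can the VPC get a reply back to it? The model below is an added example, not code from either post or from OpenVPN: it encodes the checks that matter for a routed client (the security group must admit the VPN pool rather than the VPC range, the VPC route table needs a route for the pool pointing at the OpenVPN instance, source/destination check must be off on that instance, the pool must not overlap the VPC CIDR or the VPC's local route swallows the replies, and the Amazon-provided resolver at VPC CIDR + 2 answers only queries that originate inside the VPC, so private DNS names fail while private IPs work). The ENI/gateway IDs, the 172.16.128.0/20 pool and the OpenVPN instance addresses are assumptions standing in for values the posts do not show.

```python
import ipaddress

# Placeholders standing in for IDs the posts do not show.
OPENVPN_ENI = "eni-openvpn-placeholder"
IGW = "igw-placeholder"


def _sg_allows(sg_inbound, src_ip, port):
    """sg_inbound is a list of (cidr, tcp_port). Groups are stateful, so only inbound matters."""
    ip = ipaddress.ip_address(src_ip)
    return any(p == port and ip in ipaddress.ip_network(cidr) for cidr, p in sg_inbound)


def vpn_access_findings(mode, vpc_cidr, vpn_pool, openvpn_vpc_ip, sg_inbound, port,
                        vpc_routes, src_dst_check_disabled=False, inbound_resolver=False):
    """Model one VPN client reaching a private resource (RDS on 3306, an instance on 22).

    mode             'nat' (OpenVPN AS rewrites the client source to its own VPC address) or 'routed'
    vpc_routes       list of (destination_cidr, target_id) from the resource subnet's route table
    inbound_resolver True if a Route 53 Resolver inbound endpoint (or a DNS forwarder inside the
                     VPC) exists for clients whose source address lies outside the VPC
    Returns {'source_ip': ..., 'findings': [...]}; an empty list means the model sees no blocker."""
    vpc = ipaddress.ip_network(vpc_cidr)
    pool = ipaddress.ip_network(vpn_pool)
    findings = []

    if mode == "nat":
        src = openvpn_vpc_ip                  # the resource sees the OpenVPN instance's VPC address
    elif mode == "routed":
        src = str(next(pool.hosts()))         # the resource sees the client's VPN address
    else:
        raise ValueError("mode must be 'nat' or 'routed'")

    if not _sg_allows(sg_inbound, src, port):
        findings.append(f"security group has no inbound rule for {src} on tcp/{port}")

    if mode == "routed":
        if pool.overlaps(vpc):
            findings.append(f"client pool {pool} overlaps VPC {vpc}: the VPC's local route claims "
                            "the return traffic, so replies never reach the OpenVPN instance; "
                            "pick a pool outside the VPC CIDR")
        elif not any(pool.subnet_of(ipaddress.ip_network(dst)) and tgt == OPENVPN_ENI
                     for dst, tgt in vpc_routes):
            findings.append(f"no route sends {pool} back to the OpenVPN instance ({OPENVPN_ENI})")
        if not src_dst_check_disabled:
            findings.append("source/destination check is still enabled on the OpenVPN instance, "
                            "so EC2 drops packets it forwards on behalf of VPN clients")
        if not inbound_resolver:
            findings.append(f"DNS queries now come from {src}, outside the VPC; the Amazon-provided "
                            "resolver (VPC CIDR + 2) only answers queries from inside the VPC, so "
                            "private names fail while private IPs work")
    return {"source_ip": src, "findings": findings}


# First post: VPC 172.24.0.0/16, pool 172.47.224.0/20, RDS group admits the VPC range on 3306.
def q1_nat():
    return vpn_access_findings("nat", "172.24.0.0/16", "172.47.224.0/20", "172.24.1.10",
                               [("172.24.0.0/16", 3306)], 3306, [("0.0.0.0/0", IGW)])


def q1_routed_as_posted():
    return vpn_access_findings("routed", "172.24.0.0/16", "172.47.224.0/20", "172.24.1.10",
                               [("172.24.0.0/16", 3306)], 3306, [("0.0.0.0/0", IGW)])


def q1_routed_fixed():
    return vpn_access_findings("routed", "172.24.0.0/16", "172.47.224.0/20", "172.24.1.10",
                               [("172.24.0.0/16", 3306), ("172.47.224.0/20", 3306)], 3306,
                               [("0.0.0.0/0", IGW), ("172.47.224.0/20", OPENVPN_ENI)],
                               src_dst_check_disabled=True, inbound_resolver=True)


# This post: VPC 172.16.0.0/16 and a client address of 172.16.128.2, i.e. a pool inside the VPC.
def q5_overlapping_pool():
    return vpn_access_findings("routed", "172.16.0.0/16", "172.16.128.0/20", "172.16.0.10",
                               [("172.16.0.0/16", 22)], 22, [("0.0.0.0/0", IGW)])


if __name__ == "__main__":
    for name, scenario in [("q1 nat", q1_nat), ("q1 routed", q1_routed_as_posted),
                           ("q1 routed fixed", q1_routed_fixed), ("q5 overlap", q5_overlapping_pool)]:
        result = scenario()
        print(name, "source", result["source_ip"], "findings:", len(result["findings"]))
        for line in result["findings"]:
            print("  -", line)
```

The NAT scenario passes only because the security group happens to admit the whole VPC range; the routed scenario is the more accountable design (the database logs the real client address instead of the VPN server's), but it needs all four fixes, and the DNS one is the easiest to miss because `ping` by IP keeps working. The overlapping pool in the last post is flagged before the route check, since no route can be added for it while the VPC's local route covers the same addresses.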