I have a VPC with 2 public subnets in different availability zones (public subnet-2a and public-subnet-2b). I have two private subnets (private-2a-EB-Instance, private-2b-EB-Instance), and two other private subnets for Elasticache (private-2a-EB-Instance, private-2b-EB-Instance), these two subnets for elasticache are part of a subnet group that I use when creating my Elasticache clusters.
I have create a security group for my ElastiCache(redis) and I have changed its inbound rules so it can accept connection from the security group of my ElasticBeanstalk environment. Didn't solve the problem.
I have followed the instructions on AWS' website, and I can't get it to work. I wonder what I am doing wrong. I am using socket-io-redis and I am wondering if that may be part of the problem.
I have used the .config file offered here , but I get an error when deploying the app. It says there was an error creating it.
I created the cluster from the console and tried to connect it to my EB app using the "Primary Endpoint", but I get the error:
Error: Redis connection to https://myelasticache.xxxxxxxxx.cache.amazonaws.com:6379 failed - getaddrinfo ENOTFOUND https://myelasticache.xxxxxxxxx.cache.amazonaws.com
What am I doing wrong? What am I missing?
I think the problem is that you have included https:// in what is supposed to be the hostname. Redis does not connect over HTTP, it uses its own protocol. The error message getaddrinfo ENOTFOUND https://myelasticache.xxxxxxxxx.cache.amazonaws.com indicates that it is trying to resolve https://myelasticache.xxxxxxxxx.cache.amazonaws.com when you want it to use myelasticache.xxxxxxxxx.cache.amazonaws.com.
So try removing https:// and see if it works or if you get another error.
Related
So the current issue I have is that before I was able to connect properly to my rabbitMQ cluster that was hosted on AWS MQ. After I changed its IP visibility to private I had to create some configuration to access the cluster from outside the VPC.
Current example of how the cluster is accessed:
mq.example.com -> Load balancer (w/target group to cluster host IP & TLS port 5671) in public VPC -> Cluster in private VPC.
I've done the same thing for the web console. Now the web console works perfectly, so the issue isn't necessarily with the load balancing or a certificate issue. I then checked out if the issue could be with the code I wrote, but that is also not the case since sometimes from inside the services it connects, but sometimes it then doesn't. It throws the error: "Socket closed abruptly during opening handshake".
I think I believe where the issue may arise from, however I don't really have a proper view on how to solve it. I believe the issue has to do with the fact that the service has go through the load balancer first before it can connect to the rabbit cluster. I just don't know what to do about it and most documentation on amqplib is obscure as it is. I haven't found any (documented) similar issue with AWS MQ & a load balancer.
So my question, specifically is: How would I be able to resolve the fact that sometimes my services connect and don't connect to the cluster when they go through the load balancer?
Good to know: I use AWS MQ for rabbit, amqplib for the client connection, amqps as the protocol, web console works with the same setup but services don't.
For people who run into this issue later on I have found a solution:
When creating a Network Load Balancer to route traffic to your cluster you have to assign it a target group. Make sure to NOT DO THIS: Do not register both port 5671 (amqps) and 443 (web console) to the same target group. During routing issues will arise like this.
Instead do the following:
Create two target groups on aws EC2:
TG1: Register: TLS - 443 (web console)
TG2: Register: TLS - 5671 (amqps)
Your NLB that is configured to simple routing & alias for IPV4 connections then needs the following listeners:
Listener 1: TLS - 443 and assign it to TG1
Listener 2: TLS - 5671 and assign it to TG2
This should then make sure whenever you connect there is no confusion for the microservice you're trying to connect to the cluster.
You can then connect to your web console with your subdomain:
eg. webconsole.example.com
and to your services: eg. amqps://cluster.example.com:5671 as host (how your host is formatted depends on the library you're using for the clientside)
I have set up an EKS cluster and I am trying to connect application pod to ElastiCache endpoint. I put both in same VPC and configured in/out security groups for them. Unfortunately while trying to telnet from pod to cache endpoint, it says "xxx.yyy.zzz.amazonaws.com: Unknown host". Is it even possible to make such a connection?
Yes, if the security groups allow connectivity then you can connect from EKS pods to Elasticache. However, be aware that the DNS name may not resolve for some time (up to around 15 minutes) after you launch the Elasticache instance/cluster.
I found an answer in the issue from cortexproject(monitoring tool based on Grafana stack).
Solved it using "addresses" instead "host" with the address of my memcached. It worked.
PS: "addresses" option isn't documented in the official documentation.
It has to view like this:
memcached_client:
addresses: memcached.host
I have deployed a Django website on AWS Elastic Beanstalk - the environment is green and website available via the url provided. However, I have set an application load balancer with the EC2 instance of the ELB application as the target group, and this is returning Bad Request (400). When trying to access the instance via the public DNS I get the same Bad Request (400).
I have checked the security groups and all required ports (80 for http, 443 for https and 22 for ssh) are open on the instances security group and the target groups security group.
I am unsure what else could be causing this as the django app is available and the instance has status running and I can ssh into it. Have checked the AWS docs and other similar questions on SO but can't find any possible solutions.
So, the answer to this was 'check the logs' facepalm. Logs clearly showed there was a disallowed host error which was easily fixed. Credit to Iain Shelvington who reminded me to check the logs.
I have an AWS Lambda function for an API. I have a test function inside of the API that returns a "Success" string so I know that I can hit the API from my machine (Postman).
The Lambda API is inside of my VPC. I have public and private subnets. The API is living in the public subnets. I also have a RDS database that's living in the private subnets. I can connect to the database through a Bastion host so I know the database is connected and working.
When I try an API call that connects to the database, I can see an error in CloudWatch that says:
[Error] Amazon.Lambda.AspNetCoreServer.APIGatewayProxyFunction: Unknown error responding to request: MySqlException:
MySql.Data.MySqlClient.MySqlException (0x80004005): Unable to connect to any of the specified MySQL hosts. ---> System.InvalidOperationException: Sequence contains more than one matching element
There's a lot of references to that error message that talks about the Linq SingleOrDefault() method, but I don't have any references to that method.
I think that error has something to do with the security groups. I have an RDS security group that has an inbound rule on port 3306 from my internal VPC ip addresses.
The security group for my Lambda function should be ok since I can successfully hit the test route.
Finally, I tried connecting to the database through the API in debug on my machine and I get an error "The requested name is valid, but no data of the requested type was found"
Does anyone have any other ideas or places to look?
Can you check your this setting is enable or not for RDS Security group ?
Disclaimer : Allowing inbound traffic on DB from internet is not recommended and should always be avoided
My RDS database (that I was trying to connect to and read from using AWS Lambda) was also a MySQL database.
When I tested the Lambda function I was getting 'Unable to connect to any of the specified MySQL hosts' (after waiting -- like it was timing-out).
I reviewed the answer from #aviboy2006, which helped me. I tried all the Security Group rules shown in that answer. I found I was able to successfully connect-to and read from the RDS MySQL database when I defined both an Inbound and Outbound rule for the associated VPC Security Group as
Type: MYSQL/Aurora
Protocol: TCP
Port Range: 3306
Source: Custom: 0.0.0.0/0
I am deploying a laravel installation in AWS, everything runs perfectly when I allow it to recieve all inbound traffic (EC2>Network&Security>Security Groups>Edit inbound rules.), if I turn off inbound traffic and limit it to an IP it doesnt load the webpage it gives me this error:
PDO Exception SQLSTATE[HY000] [2002] Connection timed out
However for security reasons I dont want this setup like this, I dont want anyone being able to even try to reach my webapp. Everything is being hosted in AWS, I dont have any external entities, its running in RDS and EC2. I added en elastic IP address and whitelisted it, but that didnt work either. I followed every step in this tutorial : http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/php-laravel-tutorial.html#php-laravel-tutorial-generate
Environmental variables are working as well as dependencies, well.. pretty much everything unless I restrict inbound traffic as I mentioned.
How do I whitelist AWS own instance then to make this work with better security?
Thank you!
I think part of this answer is what you may be looking for.
You should enable inbound access from the EC2 security group associated with your EC2 instance, instead of the EC2 IP address.
More than just adding an elastic IP address to your AWS instance you need to do two more things.
Assign the elastic IP to your AWS instance ( yes is not the same as just adding it to the instance, you must specify )
White list the internal IP that it generates once you link it to your app.
?????
Profit