AWS NAT over Direct Connect - amazon-web-services

I have an issue in AWS where my remote Direct Connect sites unfortunately have overlapping address space and they both need access to an application running on an EC2 instance. I have the ability to NAT the remote sites and advertise the SNAT addresses over the private VIF, but is there a way to hide the EC2 instance behind NAT as well? So I have NAT on both sides (in AWS hiding the EC2 instance hosting the app, and on my remote site). My application sources TCP to the remote sites and also receives TCP sessions sourced from the remote sites, so I need bidirectional.

As per your design, you need to do NAT traversal, or the two sides behind NAT cannot connect to each other. So maybe you need to build something like NAT-PMP or UPnP to realise it.
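As an added example (not code from the question or the answer above), the following Python script simulates the addressing scheme the question itself describes: static 1:1 NAT at the AWS edge and at each remote site, with only the translated ranges advertised over the VIF. It is a different approach from the NAT-PMP/UPnP suggestion in the answer. Every prefix is constructed: the VPC and both remote sites all use 10.0.0.0/24 (the overlap), and each is mapped onto a distinct RFC 5737 documentation range.

```python
"""Static 1:1 NAT on both sides of a Direct Connect link with overlapping
address space. Added example, not code from the original question or
answer. All prefixes are constructed: both remote sites and the AWS VPC
use 10.0.0.0/24, and each is mapped 1:1 onto a distinct documentation
range (RFC 5737), which is the range the other sides route to."""
import ipaddress


def translate(addr, src_net, dst_net):
    """Map the host part of addr from src_net onto dst_net (equal prefix
    length). Addresses outside src_net pass through unchanged."""
    a = ipaddress.ip_address(addr)
    if a not in src_net:
        return a
    offset = int(a) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


class StaticNat:
    """NAT device at the edge of one site. On egress it rewrites the real
    source to its translated address; on ingress it rewrites the translated
    destination back to the real host. The mapping is fixed, so TCP sessions
    can be opened from either side without any traversal protocol."""

    def __init__(self, real_cidr, translated_cidr):
        self.real = ipaddress.ip_network(real_cidr)
        self.translated = ipaddress.ip_network(translated_cidr)
        if self.real.prefixlen != self.translated.prefixlen:
            raise ValueError("1:1 NAT needs equally sized prefixes")

    def advertised_prefix(self):
        """What this site announces over the VIF: only the translated range."""
        return str(self.translated)

    def egress(self, pkt):
        src, dst = pkt
        return str(translate(src, self.real, self.translated)), dst

    def ingress(self, pkt):
        src, dst = pkt
        return src, str(translate(dst, self.translated, self.real))


def deliver(sender, receiver, pkt):
    """One packet: leaves the sender site, crosses the link, enters the
    receiver site. Returns (packet on the wire, packet as delivered)."""
    on_wire = sender.egress(pkt)
    return on_wire, receiver.ingress(on_wire)


# Constructed topology: the EC2 app host is 10.0.0.10 in AWS; a host at each
# remote site is 10.0.0.20 (the overlap the question describes).
AWS = StaticNat("10.0.0.0/24", "192.0.2.0/24")
SITE_A = StaticNat("10.0.0.0/24", "198.51.100.0/24")
SITE_B = StaticNat("10.0.0.0/24", "203.0.113.0/24")

if __name__ == "__main__":
    # App -> site A host: the app addresses site A by its translated range.
    print(deliver(AWS, SITE_A, ("10.0.0.10", "198.51.100.20")))
    # Site B host -> app: same real source as site A, distinct on the wire.
    print(deliver(SITE_B, AWS, ("10.0.0.20", "192.0.2.10")))
```

Because the mapping is static, the session direction does not matter: a SYN from the app to 198.51.100.20 and a SYN from site B's 10.0.0.20 to 192.0.2.10 are both rewritten symmetrically, and the two remote hosts that share 10.0.0.20 stay distinguishable on the link.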

Related

Can any server be used as a bastion host?

I have a private RDS instance that I want to connect to using bastion host.
I've found a couple of tutorials on how to set it up, which doesn't seem too advanced, but I struggle to understand what a bastion host actually is.
All the tutorials I've seen just create an empty EC2 instance (bastion host) and edit the RDS security group to allow incoming traffic from it, and voilà, the connection from the local machine is working.
What I struggle to understand is that there's no configuration on the ec2 instance that enables this behaviour.
Wouldn't that mean that any server that has access to RDS could be used as a bastion host?
For example, I have an EKS cluster where I host a couple of services.
Some of these services are supposed to have access to RDS.
So in order for the services to access RDS I put RDS in the same VPC and Security Group as eks-nodegroups.
Even though the services that need access to RDS aren't publicly accessible, there are publicly accessible services that are running in the same VPC and Security Group.
Would I then be able to use one of the publicly accessible services as a bastion host in order to gain access to RDS from anywhere, thus making it public?
From Bastion - Wikipedia:
A bastion or bulwark is a structure projecting outward from the curtain wall of a fortification, most commonly angular in shape and positioned at the corners of the fort:
It 'sticks out' from the walled portion of the city and provides added security by being able to target attackers attempting to scale the wall. In a similar way, a bastion host 'sticks out' from a walled computer network, acting as a secure connection to the outside world.
When using an Amazon EC2 instance as a Bastion Host, users typically use SSH Port Forwarding. For example, if the Amazon RDS database is running on port 3306, a connection can be established to the Bastion server like this:
ssh -i key_file.pem ec2-user@BASTION-IP -L 8000:mysql-instance1.123456789012.us-east-1.rds.amazonaws.com:3306
This will 'forward' local port 8000 to the bastion, which will then forward traffic to port 3306 on the database server. Thus, you can point an SQL client to localhost:8000 and it would connect to the Amazon RDS server. All software for making this 'port forward' is part of the Linux operating system, which is why there is no configuration required.
Yes, you can use anything as a Bastion Host, as long as it has:
The ability to receive incoming connections from the Internet
The ability to (somehow) forward those requests to another server within the VPC
A Security Group that permits the inbound traffic from the Internet (or preferably just your IP address), and the target resource permits incoming traffic from this security group
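The asker's worry (any instance whose security group the database trusts could be used as a bastion) can be checked mechanically. The following is an added example, not code from the answer above: it walks a list of security groups in the shape of `aws ec2 describe-security-groups` output and reports groups that are both trusted by the database group and reachable from the Internet. All group ids, names and CIDRs are constructed sample data; `pivot_candidates` and `restrict_to_source` are names chosen for this example.

```python
"""Flag security groups that could serve as an unintended bastion (pivot)
into a database. Added example, not code from the original answer. The
dicts mirror the shape of `aws ec2 describe-security-groups` output, but
every group id, group name and CIDR below is constructed sample data."""
import ipaddress
import json

# Constructed sample: a deliberate bastion (SSH open to the world), an EKS
# node group whose instances also serve public HTTPS, and the RDS group that
# trusts both of them on the MySQL port.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "GroupName": "bastion-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-nodes", "GroupName": "eks-nodes-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-rds", "GroupName": "rds-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}, {"GroupId": "sg-nodes"}]}]},
]


def _port_range(perm):
    # IpProtocol "-1" means every protocol and every port.
    if perm["IpProtocol"] == "-1":
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])


def _covers(perm, port):
    lo, hi = _port_range(perm)
    return perm["IpProtocol"] in ("-1", "tcp") and lo <= port <= hi


def internet_exposed_ports(group):
    """Port ranges reachable from any CIDR wider than a single host (/32)."""
    ranges = set()
    for perm in group["IpPermissions"]:
        for r in perm.get("IpRanges", []):
            if ipaddress.ip_network(r["CidrIp"]).prefixlen < 32:
                ranges.add(_port_range(perm))
    return sorted(ranges)


def trusted_by(groups, target_id, port):
    """Ids of groups whose members may reach `port` on `target_id` through an
    SG-to-SG reference (the pattern the answer describes for RDS)."""
    target = next(g for g in groups if g["GroupId"] == target_id)
    ids = set()
    for perm in target["IpPermissions"]:
        if _covers(perm, port):
            ids.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return ids


def pivot_candidates(groups, db_group_id, db_port):
    """Groups that are (a) trusted by the DB group and (b) reachable from the
    Internet: any instance in them could be used as a bastion into the DB."""
    by_id = {g["GroupId"]: g for g in groups}
    found = {}
    for gid in sorted(trusted_by(groups, db_group_id, db_port)):
        exposed = internet_exposed_ports(by_id[gid])
        if exposed:
            found[gid] = exposed
    return found


def restrict_to_source(groups, group_id, cidr):
    """Return a copy in which every world-open rule of `group_id` is narrowed
    to `cidr` (the answer's 'preferably just your IP address')."""
    copy = json.loads(json.dumps(groups))
    for g in copy:
        if g["GroupId"] != group_id:
            continue
        for perm in g["IpPermissions"]:
            for r in perm.get("IpRanges", []):
                if r["CidrIp"] == "0.0.0.0/0":
                    r["CidrIp"] = cidr
    return copy


if __name__ == "__main__":
    print(pivot_candidates(SAMPLE_GROUPS, "sg-rds", 3306))
    tightened = restrict_to_source(SAMPLE_GROUPS, "sg-bastion", "198.51.100.7/32")
    print(pivot_candidates(tightened, "sg-rds", 3306))
```

On the sample data both the bastion group and the node group are reported, which is exactly the asker's scenario: the node group is trusted by the database and also serves public HTTPS. Narrowing the bastion's SSH rule to one /32 removes it from the report, while the node group stays flagged until the database is given a security group that the public-facing services do not share.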

Need for Port Forwarding VPN?

I'm wondering if I need a port-forwarding-compatible VPN given my tasks below:
I'll be connecting to AWS services such as DocumentDB and RDS while travelling.
As a result, I plan on purchasing a dedicated IP VPN, so I can work while travelling, and add my VPN's static IP address to AWS to grant me access.
I'm working with a Java Spring Boot backend. It connects to DocumentDB and RDS and performs CRUD operations.
Does my VPN need to be port forwarding compatible?
I'm planning to purchase NordVPN with a dedicated IP, but might have to look into other VPNs if port forwarding is required.
Some AWS services are VPC only, i.e. accessible only from the same VPC network. One of those services is DocumentDB; in order to connect directly from your laptop you'll have to create an SSH tunnel and port forward.
Having said that, you could have a bastion host in AWS configured with the right access, SSH (Linux) or RDP (Windows) to it, and connect from that host.
The other option is https://aws.amazon.com/vpn/

Using NACL to Block traffic

I have an application on an EC2 instance which connects to a website (github.com) to download the application repository (say thrice a week or a bit more frequently).
I'd like to block access to my VPC using NACL, so no traffic other than from this website, github.com, can go through (keeping in view that NACLs are stateless).
The issue I am facing is that I cannot whitelist a website using NACL, since the IP-based approach is not workable (the IPs are always changing).
Can someone suggest a better solution or a fix that we can apply here?
NACL cannot resolve DNS, as this requires a further OSI layer that has information about the HTTP protocol details.
One option you can do here is to place your EC2 instance behind a NAT gateway, thus effectively placing it in a private subnet and it would translate to an IP that will not change when facing the public internet such as an Elastic IP. In this way, you will be able to protect your EC2 instances while referencing a consistent IP address.
Another option is to use ssh-keygen to generate a public and private key pair which you will then copy over to the respective git repo (SSH key), then block any other protocols and traffic after establishing that one-to-one trust. A more secure version of this is tackled nicely in this post: EC2 can't SSH into github
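The question's aside that NACLs are stateless is the detail that usually bites when someone tries to lock a subnet down to one destination. The following is an added example, not code from the answer above: a small first-match evaluator for NACL rules, run over a constructed outbound HTTPS fetch and its return packet. It shows why an inbound rule that merely mirrors the outbound one drops the reply, and what the stateless-correct inbound rule looks like. The rule numbers, CIDRs and the remote address are constructed; 203.0.113.0/24 is a documentation range standing in for the remote site, not a real github.com address.

```python
"""Stateless NACL evaluation for an outbound fetch and its return traffic.
Added example, not code from the original answer. Rule numbers, CIDRs and
the flow are constructed; 203.0.113.0/24 (a documentation range) stands in
for the remote site, whose real addresses change, as the question notes."""
import ipaddress

ALLOW, DENY = "allow", "deny"

# Each rule: (rule number, action, protocol, cidr, (from_port, to_port)).
# AWS evaluates rules in ascending number order, applies the first match, and
# the implicit final rule (*) denies anything unmatched. For inbound rules the
# CIDR is the source and the ports are the instance's local ports; for
# outbound rules the CIDR is the destination and the ports are remote ports.
OUTBOUND = [
    (100, ALLOW, "tcp", "203.0.113.0/24", (443, 443)),
]
# Looks like a mirror of the outbound rule, but return packets arrive at the
# instance's ephemeral port, not at 443, so this set silently drops them.
INBOUND_MISSING_EPHEMERAL = [
    (100, ALLOW, "tcp", "203.0.113.0/24", (443, 443)),
]
# The stateless-correct counterpart: allow return traffic to ephemeral ports.
INBOUND_CORRECT = [
    (100, ALLOW, "tcp", "203.0.113.0/24", (1024, 65535)),
]

REMOTE = "203.0.113.10"  # constructed remote address, not a github.com IP


def evaluate(rules, proto, ip, port):
    """First-match evaluation; returns (action, rule number or '*')."""
    for num, action, rproto, cidr, (lo, hi) in sorted(rules, key=lambda r: r[0]):
        if rproto not in ("-1", proto):
            continue
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(cidr):
            continue
        if not lo <= port <= hi:
            continue
        return action, num
    return DENY, "*"


def https_fetch_allowed(outbound, inbound, remote, ephemeral_port):
    """Both halves of one TCP connection must pass independently, because an
    NACL keeps no connection state: the SYN is checked against the outbound
    set, the SYN-ACK against the inbound set using the local ephemeral port."""
    out = evaluate(outbound, "tcp", remote, 443)
    back = evaluate(inbound, "tcp", remote, ephemeral_port)
    return out[0] == ALLOW and back[0] == ALLOW, out, back


if __name__ == "__main__":
    print(https_fetch_allowed(OUTBOUND, INBOUND_MISSING_EPHEMERAL, REMOTE, 49152))
    print(https_fetch_allowed(OUTBOUND, INBOUND_CORRECT, REMOTE, 49152))
```

Note that even the correct inbound rule still names a CIDR, so it does not solve the question's real problem (the remote IPs change); it only shows the rule shape any NACL-based design needs. The NAT gateway option in the answer moves the instance to a private subnet, which is what lets the subnet's rules stay static.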

TCP Relay functionality (like ngrok) in AWS

I have a website running on an EC2 Windows instance. I want to expose it to a public endpoint without opening any port on the EC2 instance. Only outbound connections are allowed on the EC2 instance.
How can I hook some cloud resource/application in front of my website so that it can be accessed by someone on the public internet? What I am looking for is TCP relay functionality, so that a call from a public internet browser is just routed to my local website on EC2 with minimal effort. Something like what is explained here: https://serverfault.com/questions/760129/what-is-a-tcp-relay-and-when-is-it-used/760142
Can someone suggest something? Or if AWS doesn't expose such relay functionality, can something be done using WebSockets in AWS IoT?
I found ngrok as a third-party tool, but I want to stick to AWS options only.
This is exactly what a Classic Elastic Load Balancer does. Usually, there's more than one instance (hence, "load balancer") but this works exactly as you describe with just one instance.
The ELB is globally-accessible, and then it forwards the traffic to the instance. Nobody connects directly to your instance.
Of course, you have to open a port on the instance for the ELB to access it, but you would have to do that with any "relay" solution. This access can be limited only to the ELB itself.

Unable to connect to azure vm with internal IP

I have two VNETs that are connected using a gateway: VNET1 and VNET2. VNET2 has a VM which hosts a MongoDB instance. I have a WebJob running within an App Service Environment which is deployed into a subnet within VNET1. From this subnet I am able to access the VM in VNET2 with its DNS name, but I am unable to access the VM's internal IP. Any suggestions are welcome.
An internal IP address is internal to a VNET, and VNETs are isolated from one another by design. See this site for a good overview: https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-overview/. If you want to connect internally you might want to consider having multiple subnets within the same VNET instead.
At present, connecting two vnets using a gateway allows IP communication but doesn't allow DNS name resolution. In this scenario we recommend managing a local DNS server. This page shows the requirements for using your own DNS server in Azure.
Hth, Gareth