AWS Active Directory Connector and Azure Active Directory Domain Services - amazon-web-services

I am trying to replicate the steps in this post. However, when I get to the step where I create the AD Connector, it fails with the following error:
Connectivity issues detected: DNS unavailable (TCP Port 53) for IP 10.0.0.4, DNS unavailable (TCP Port 53) for IP 10.0.0.5. Please ensure that the listed ports are available and retry the operation
I am very proficient with AWS. However, I'm struggling with Azure and feel I may have misconfigured something. I have carried out the following steps thus far:
In Azure, I used an existing resource group and created an "Azure AD Domain Services" instance using the default configuration:
Basics
Name: sy******k.com
Subscription: Pay-As-You-Go
Resource Group:
Default Region: UK South
SKU: Standard
Forest type: User
Network
Virtual network: (new) aadds-vnet
Subnet: (new) aadds-subnet
Subnet Address: 10.0.0.0/24
Network Security Group: (new) aadds-nsg
I created a site-to-site VPN connection with the Azure virtual network. However, I am not sure about this step in the post: "The tunnels must be configured to allow traffic from your AADDS endpoints and the Subnets". How exactly do I do this?
In AWS, the VPC CIDR is 10.1.0.0/16, and both tunnels between the AWS VPC and the Azure virtual network are up and connected. I tried to contact the post author, "Justin Stokes", directly but can't find any email for him. I cannot find a single online guide on how to set this up step by step along with the site-to-site IPsec setup. It would be very, very helpful if someone could provide a video tutorial for this, step by step from A to Z, instead of leaving a chunk of the steps out of the guide.
The troubleshooting guide here suggests that the firewall, i.e. the network security group, is not allowing port 53 TCP/UDP inbound for the AD Connector. But I updated the network security group as a test with a rule to allow any source, any destination and any port, and I'm still getting the same error.

I am not an expert in either AWS or Azure, but I succeeded in setting up the VPN using this guide.
Then I set up the AD Connector and had to take the tip of creating a DHCP option set from this post.
The AD Connector is created successfully now. EC2 instances launch with the correct DNS server and suffix; however, they are not joined to AD. That's where I am now. If you have anything or have completed this setup, please share.
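The connector error above is literally a TCP port 53 reachability check against the AADDS DNS servers. The probe below, added here as an example and not taken from either post, reproduces that check from an instance in the AWS VPC: it hand-builds a DNS query, sends it with the 2-byte TCP length prefix, and distinguishes "refused/timed out" (a security group, NSG or routing gap on the VPN path) from a server that actually answers. The domain name, the local responder used for offline testing and the helper names are constructed; the 10.0.0.4/10.0.0.5 addresses come from the error text.

```python
"""Probe a DNS server on TCP 53 the way the AD Connector connectivity check does.
Added example, not the original posters' code; names and the local responder are constructed."""
import secrets
import socket
import struct
import threading


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: random transaction id, RD=1, one question of class IN."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a peer closing early raises (an OSError subclass)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def probe_dns_tcp(server: str, name: str, port: int = 53, timeout: float = 3.0) -> dict:
    """Send one query over TCP (length-prefixed per RFC 1035 4.2.2) and report the outcome."""
    query = build_dns_query(name)
    try:
        with socket.create_connection((server, port), timeout=timeout) as sock:
            sock.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(sock, 2))
            resp = _recv_exact(sock, length)
    except OSError as exc:
        # Refused, reset or timed out: the same condition the connector reports as "unavailable"
        return {"reachable": False, "error": f"{type(exc).__name__}: {exc}"}
    txid, flags = struct.unpack("!HH", resp[:4])
    return {
        "reachable": True,
        "id_match": txid == struct.unpack("!H", query[:2])[0],
        "is_response": bool(flags & 0x8000),   # QR bit
        "rcode": flags & 0x000F,               # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED
    }


def start_fake_dns_responder() -> int:
    """Constructed test fixture: a local TCP listener that answers one query with NOERROR."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            (qlen,) = struct.unpack("!H", _recv_exact(conn, 2))
            query = _recv_exact(conn, qlen)
            # Echo id and question back; flags 0x8180 = QR=1, RD=1, RA=1, RCODE=0
            resp = query[:2] + struct.pack("!H", 0x8180) + query[4:]
            conn.sendall(struct.pack("!H", len(resp)) + resp)

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_local_port() -> int:
    """Constructed test helper: a port that was just bound and released, so nothing listens on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Run from an instance in the 10.1.0.0/16 VPC; "corp.example.com" stands in for the AADDS domain
    for dns_ip in ("10.0.0.4", "10.0.0.5"):
        print(dns_ip, probe_dns_tcp(dns_ip, "corp.example.com"))
```

If the probe returns `reachable: False` for both addresses, the packets are not getting from the VPC to the AADDS subnet over the tunnel (AWS security group or route, VPN tunnel policy, or the NSG); if it returns a response with a non-zero `rcode`, the path is fine and the problem is on the DNS side.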

Related

AWS App Runner service cannot access Internet when added to a VPC

I've set up an AWS App Runner service, which works fine. Currently for networking it's configured as public access, but I'd like to change this to a VPC so that I can connect the service to an RDS instance without having to open the database up to the world.
When I change the networking config to use my default security group, the service is unable to access the Internet. Cloning a git repo from Bitbucket brings up the error: ssh: Could not resolve hostname bitbucket.org: Try again
... and trying to run npm install brings up:
npm ERR! network request to https://registry.npmjs.org/gulp failed, reason: connect ETIMEDOUT 104.16.24.35:443
My security group has an outgoing rule allowing all traffic out to any destination. My RDS instance is in the same VPC/security group and I'm able to connect to this without issue (currently I've opened up port 3306 to the world). Everything else I've read from a bunch of Googling seems fine: route tables, internet gateways, firewall rules, etc.
Any help would be much appreciated!
Probably too late to be really helpful but moving the App Runner to a VPC sends all outgoing traffic to the VPC.
The two options given in the docs are
Adding NAT gateways to each VPC
Setting up VPC endpoints
Documented within the first bullet point of the Considerations when selecting a subnet section
https://docs.aws.amazon.com/apprunner/latest/dg/network-vpc.html

Tableau cannot connect to redshift server

Tableau cannot connect to the Redshift server.
It displayed:
An error occurred while communicating with Amazon Redshift
Unable to connect to the server. Check that the server is running and that you have access privileges to the requested database.
Error Code: BC42EF73
could not connect to server: Operation timed out
Is the server running on host "redshift-cluster-1.cncrnka9xarv.us-east-2.redshift.amazonaws.com" (3.143.87.206) and accepting TCP/IP connections on port 5439?
I just followed the setup in AWS Redshift Connection with Tableau - YouTube but it fails. What's the reason?
The first thing you should check is the Security Group associated with the Amazon Redshift database, since the video did not reference it.
The Security Group should permit Inbound access from 0.0.0.0/0 on port 5439. Note that this makes your database accessible to anywhere on the Internet, which is not good from a security perspective. However, I couldn't find a reference to the range of IP addresses that Tableau Online uses.
If that doesn't help, then confirm that the Redshift database is in a public subnet. A public subnet is defined as having a Route Table entry pointing to an Internet Gateway.
Solving this error involves 2 steps:
Download the AWS Redshift ODBC driver from here.
Follow what is given in this answer by @JohnRotenstein.
To do that, follow these steps:
Go to the cluster with which you want to establish the connection.
Then go to "Properties" tab.
Then below there is a section named "Network and security settings" which has "VPC security group" tab and below that there is a link that will redirect you to Security group of the VPC.
Select the VPC and then select the "inbound rules" tab.
There will be a security group where, under "Source", there will be something starting with "sg-", which means all connections to Redshift from the internet are blocked and only the addresses with this origin (which are EC2 instances) will be able to connect.
There click on "Edit Inbound rules".
In the window that opened up, click the "Add rule" button.
Security group rule ID - This you do not need to set
Type - All traffic
Protocol - All
Port range - All
Source - Anywhere IPv4 (not recommended), so it will be set to "0.0.0.0/0".
Description[optional]
Here, set the Source to the IP address from where the connection request is going to be made, and not the above one.
All other connection queries can be solved by following this link.
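The App Runner thread above ("moving the App Runner to a VPC sends all outgoing traffic to the VPC", fixed with a NAT gateway or VPC endpoints) and the Redshift answer's rule that "a public subnet is defined as having a Route Table entry pointing to an Internet Gateway" are the same check read from two sides. The code below, added here as an example and not from any of the posts, classifies a subnet's default route from data in the shape `describe-route-tables` returns. The route tables, subnet and gateway ids are constructed.

```python
"""Classify how a subnet reaches 0.0.0.0/0 from describe-route-tables style data.
Added example, not the posters' code; all ids and tables below are constructed."""


def find_route_table(route_tables: list, subnet_id: str):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def classify_subnet_egress(route_tables: list, subnet_id: str) -> dict:
    """public = default route to an IGW; private-nat = default route to a NAT gateway;
    private-hybrid = default route to a VGW/transit gateway; isolated = no default route."""
    rt = find_route_table(route_tables, subnet_id)
    if rt is None:
        return {"subnet": subnet_id, "route_table": None, "kind": "no-route-table", "target": None}
    result = {"subnet": subnet_id, "route_table": rt["RouteTableId"], "kind": "isolated", "target": None}
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        gw = route.get("GatewayId", "")
        if route.get("State", "active") != "active":
            # blackhole: the target (e.g. a deleted NAT gateway) no longer exists
            result.update(kind="blackhole", target=gw or route.get("NatGatewayId"))
        elif gw.startswith("igw-"):
            result.update(kind="public", target=gw)
        elif route.get("NatGatewayId"):
            result.update(kind="private-nat", target=route["NatGatewayId"])
        elif gw.startswith("vgw-") or route.get("TransitGatewayId"):
            result.update(kind="private-hybrid", target=gw or route["TransitGatewayId"])
        else:
            result.update(kind="unknown", target=gw or None)
        break
    return result


# Constructed sample in the shape of describe-route-tables output
ROUTE_TABLES = [
    {   # main table: only the local route, so subnets left on it have no internet path
        "RouteTableId": "rtb-main00000000000001",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # public subnet: default route to an internet gateway
        "RouteTableId": "rtb-public000000000002",
        "Associations": [{"Main": False, "SubnetId": "subnet-public00000000001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000000000001", "State": "active"},
        ],
    },
    {   # private subnet with NAT: outbound to the internet works, inbound from it does not
        "RouteTableId": "rtb-private00000000003",
        "Associations": [{"Main": False, "SubnetId": "subnet-private0000000001"}],
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000000000000001", "State": "active"},
        ],
    },
]

if __name__ == "__main__":
    for sn in ("subnet-apprunner00000000", "subnet-public00000000001", "subnet-private0000000001"):
        print(classify_subnet_egress(ROUTE_TABLES, sn))
```

A subnet that comes back `isolated` is the App Runner case (DNS and `npm install` time out because nothing routes 0.0.0.0/0); `public` is what the Redshift answer requires for a database reached from outside the VPC, and `private-nat` is the shape you want for an App Runner or application subnet that only needs outbound access.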

AWS IP address to use in terraform IPSec tunnels (via Transit Gateway)

I'm trying to build an AWS terraform IPSec VPN config. However, I can't remember where to find the AWS IPSec IP address; the terraform cgw documentation says the ip_address field is required.
The answer should assume the VPN will be attached to my AWS Transit Gateway.
My terraform:
    resource "aws_customer_gateway" "cgw-abbv-for-local-and-remote" {
      bgp_asn    = 65001
      ip_address = "A.B.C.D" # <-- I need this IP before terraform apply
      type       = "ipsec.1"
      tags = {
        Name = "insert-cgw-name-here"
      }
    }

    resource "aws_vpn_connection" "vpn-abbv-for-local-and-remote" {
      customer_gateway_id = aws_customer_gateway.cgw-abbv-for-local-and-remote.id
      transit_gateway_id  = aws_ec2_transit_gateway.my-tgw-name.id
      type                = aws_customer_gateway.cgw-abbv-for-local-and-remote.type
      tags = {
        Name = "insert-vpn-name-here"
      }
    }
Seems like OP already found the answer, but let me add my two cents since I spent a lot of time figuring things out when it comes to AWS VPN two years ago in order to pass the AWS Advanced Networking cert. This could potentially turn out useful for folks that are new to VPN - especially in the AWS ecosystem:
There is a fantastic book called AWS Certified Advanced Networking Official Study Guide which I would recommend everyone in a cloud network engineer role to read. [1]
It points out the following:
After you create a VPN connection, the VPN tunnel activates when traffic is generated from your side of the VPN connection. The VGW is not the initiator; your customer gateway must initiate the tunnels. If your VPN connection experiences a period of idle time (usually 10 seconds, depending on your configuration), the tunnel may go down. This is because AWS uses an on-demand DPD mechanism. If AWS receives no traffic from a VPN peer for 10 seconds, AWS sends a DPD “R-U-THERE” message. If the VPN peer does not respond to three successive DPDs, the VPN peer is considered dead and AWS closes the tunnel. [pp. 100, 101]
At the non-AWS end of a VPN connection, the VPN is terminated on a customer gateway. A customer gateway is the AWS term for the VPN termination device at the customer’s on-premises end. A customer gateway can also be hosted in AWS as an EC2 instance running VPN software that meets the requirements given in the next section.
Most customers don’t require the purchase of an additional device and can reuse an existing on-premises VPN termination device to create a tunnel to a VPC. [p. 110]
You can use any third-party VPN device that supports Layer 3 VPN technologies. AWS does not support Layer 2 VPN technologies.
IPsec is used for the VGW at the AWS end of VPN termination, and so the IPsec protocol must be supported by your VPN device. You will set up two VPN tunnels per VGW.
Support for BGP routing protocol is optional but recommended for advanced routing capabilities. Other routing protocols like Open Shortest Path First (OSPF) are not supported by AWS. You must ensure that you have opened the right ports in your on-premises firewall for the IPsec traffic to flow. [p. 111]
That is in particular: both ends of the VPN connection must possess a public IP address!
If you didn't already, I really, really recommend skipping through these pages to be aware of best practices and the AWS way of thinking when it comes to (hybrid) cloud architectures. You avoid getting confused afterwards if things didn't go the way you wanted. IPsec (i.e. Layer 3) VPNs are harder to get right than most people think. One should be aware of all the routing- and security-relevant stuff such as IKE, SAs, policy-based routing, NAT traversal, ISAKMP etc. [see also p. 97: VPN Features -> Security & Routing sections].
Another good reference is the AWS Site-to-Site VPN guide (PDF). [2]
Also good to know: Many terraform attributes can also be found in the AWS CloudFormation docs. The docs for the AWS::EC2::CustomerGateway resource's IpAddress attribute state [3]:
The Internet-routable IP address for the customer gateway's outside interface. The address must be static.
[1] https://www.programmer-books.com/wp-content/uploads/2019/04/AWS-Certified-Advanced-Networking-Official-Study-Guide.pdf
[2] https://docs.aws.amazon.com/vpn/latest/s2svpn/s2s-vpn-user-guide.pdf
[3] https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customer-gateway.html#cfn-ec2-customergateway-ipaddress
This is not very clear in the terraform documentation, but I found an example on the internet that clarified this question.
In short, the aws_customer_gateway config is not on the AWS side of the IPSec tunnel... these resources are "remote" with respect to AWS:
So in this case, the ip_address will be the destination ip address of AWS IPSec packets leaving the AWS Transit Gateway; the aws_customer_gateway ip_address is not owned by AWS.
The ip_address for the Customer Gateway is the IP of the physical appliance/router sitting on-premise in the customer's data center. You need this ip_address to establish a VPN connection. The AWS docs help when you get lost in terraform as well.
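Both answers come down to one requirement from the quoted study guide and the CloudFormation docs: the customer gateway `ip_address` is the on-premises device's Internet-routable, static address, not anything AWS owns. The snippet below, added here as an example and not code from the thread or from Terraform, is a pre-apply lint that pulls `ip_address` out of an `aws_customer_gateway` block and rejects RFC 1918, CGNAT, documentation and other non-routable addresses, as well as the `A.B.C.D` placeholder still sitting in the question. The regex parser, the function names and the sample HCL are constructed; the sample HCL mirrors the question's block.

```python
"""Pre-apply lint for aws_customer_gateway.ip_address: it must be a globally routable IPv4.
Added example, not the thread's code; the regex-based HCL extraction is a constructed shortcut."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space, common behind ISP NAT


def classify_cgw_ip(value: str) -> str:
    """Explain why a candidate customer gateway address would or would not work."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "not an IP address"          # e.g. the A.B.C.D placeholder left in the config
    if ip.version != 4:
        return "not IPv4"
    if any(ip in net for net in RFC1918):
        return "private (RFC 1918)"          # a VPC or LAN address: AWS could never reach it
    if ip in CGNAT:
        return "shared address space (RFC 6598)"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return "loopback/link-local/multicast"
    if not ip.is_global:
        return "not globally routable"       # documentation, benchmark and reserved ranges
    return "ok"


_BLOCK = re.compile(r'resource\s+"aws_customer_gateway"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
_IP = re.compile(r'ip_address\s*=\s*"([^"]*)"')


def check_customer_gateway_hcl(hcl: str) -> list:
    """Return one finding per aws_customer_gateway block in a Terraform snippet."""
    findings = []
    for match in _BLOCK.finditer(hcl):
        name, body = match.groups()
        ip_match = _IP.search(body)
        if ip_match is None:
            findings.append(f"{name}: ip_address missing (required)")
            continue
        ip_value = ip_match.group(1)
        findings.append(f"{name}: ip_address {ip_value!r} -> {classify_cgw_ip(ip_value)}")
    return findings


# Constructed sample mirroring the question's block (indented, placeholder still present)
SAMPLE_HCL = '''
resource "aws_customer_gateway" "cgw-abbv-for-local-and-remote" {
  bgp_asn    = 65001
  ip_address = "A.B.C.D"
  type       = "ipsec.1"
  tags = {
    Name = "insert-cgw-name-here"
  }
}
'''

if __name__ == "__main__":
    for finding in check_customer_gateway_hcl(SAMPLE_HCL):
        print(finding)
```

Run it against the file before `terraform apply`; "ok" means the address is at least Internet-routable, and whether it is static is something only the on-premises side can confirm.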

Cannot connect to AWS RDS

I am trying to create an AWS RDS SQL Server database and connect to it from a local machine using SSMS. Later I'll be connecting from a web application (locally, then hosted somewhere eventually.) I am currently failing to connect to my instance (the instance is configured and running.) The error I'm getting is network/instance related (not login.) Tried telnet and I can't even hit it that way.
Looking on the web, there seems to be a setup for network connections but it talks about EC2, VPC and things I don't think I need (or do I?)
Tried (nothing worked so far): Using the IP instead of hostname, explicitly specifying the port (1433), changing user/password, crying.
Speaking of things I hope I don't need to configure, there's also IAM authentication - didn't touch that yet.
Any input is appreciated before I open a ticket with Amazon.
UPDATE:
My scenario: Scenario
Solution - add the Inbound Rule to default Security Group: Security Groups
When you work with RDS, you need to set inbound rules; otherwise, you are unable to connect to the database. This concept is covered in this AWS tutorial. In this AWS tutorial, the database is MySQL and the app is a Java web app. However, the same concepts apply with respect to inbound rules:
Creating the Amazon Relational Database Service item tracker
One tip -- when you set an inbound rule to let your development machine connect, you can select MyIP...
Also - when you host your app (for example Elastic Beanstalk), you need to set an inbound rule for that as well (as discussed in that tutorial)
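The Redshift and RDS answers above both end at the same control: an inbound rule on the database's security group, with the recommendation to use your own IP (the console's "My IP" gives a /32) or an `sg-` source rather than 0.0.0.0/0. The audit below, added here as an example and not from any of the posts, takes rules in the shape of the `IpPermissions` list that `describe-security-groups` returns and reports who can reach a given database port, flagging the world-open case. The two rule sets and the group id are constructed; the weak one is the "All traffic from Anywhere" rule the Redshift answer warns against, the corrected one the /32 plus `sg-` source the same answers recommend.

```python
"""Audit inbound security-group rules for a database port.
Added example, not the posters' code; the rule sets and ids are constructed."""
import ipaddress


def _covers_port(perm: dict, port: int) -> bool:
    """True if this IpPermissions entry admits TCP traffic to `port`."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":                      # "All traffic": FromPort/ToPort are absent
        return True
    if proto not in ("tcp", "6"):          # a UDP or ICMP rule never opens a TCP DB port
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def audit_inbound(ip_permissions: list, port: int) -> dict:
    """List every source allowed to reach `port` and whether any of them is the whole Internet."""
    sources, world_open = [], False
    for perm in ip_permissions:
        if not _covers_port(perm, port):
            continue
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:         # 0.0.0.0/0 or ::/0: "Anywhere"
                world_open = True
                sources.append(("anywhere", cidr))
            elif net.num_addresses == 1:   # a /32 (or /128), what "My IP" produces
                sources.append(("single-host", cidr))
            else:
                sources.append(("cidr", cidr))
        for pair in perm.get("UserIdGroupPairs", []):
            # Only instances that carry this group (e.g. the EC2 app tier) may connect
            sources.append(("security-group", pair["GroupId"]))
    return {"port": port, "reachable": bool(sources), "world_open": world_open, "sources": sources}


# Constructed: the "Type: All traffic, Source: Anywhere IPv4" rule from the walkthrough
WEAK_RULES = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]

# Constructed: Redshift port only, from one workstation (/32) and from the app tier's group
CORRECTED_RULES = [
    {
        "IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
        "IpRanges": [{"CidrIp": "198.51.100.7/32", "Description": "Tableau workstation (My IP)"}],
        "Ipv6Ranges": [], "UserIdGroupPairs": [],
    },
    {
        "IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
        "IpRanges": [], "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "Description": "EC2 app tier"}],
    },
]

if __name__ == "__main__":
    print("weak      :", audit_inbound(WEAK_RULES, 5439))
    print("corrected :", audit_inbound(CORRECTED_RULES, 5439))
    print("SQL Server:", audit_inbound(CORRECTED_RULES, 1433))   # nothing admits 1433 yet
```

For the RDS SQL Server case, run the same audit with port 1433: an empty `sources` list is the "can't even telnet" symptom, and the fix is a TCP 1433 rule whose source is your /32, not 0.0.0.0/0.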

How to connect a client to a remote Windows Server 2019 AWS EC2

We have a very difficult problem here: we have a Windows Server 2019 Base x64 on Amazon EC2, connected through RDP, set up a forest and activated AD DS, and also activated DNS. But whenever we try to connect we are not allowed to.
We have opened all the relevant ports on inbound traffic rules.
We have added users.
We have tried searching internet and various tutorials.
In Server Manager:
Added the public ipv4 address to our ipv4 settings of the adapter.
Went to the computer setting in computer domain entered the domain but no fun.
Disabled the firewall in server manager.
We want our clients on a different network to connect to the server hosted elsewhere on AWS.
We are really new to this; can someone guide us through it?
Please make sure there is network connectivity between your client and your DC, which is set up on an EC2 instance.
[1] In case your clients are on AWS (meaning different EC-2 Instances), and in a different network, you need to create VPC peering or use Transit Gateway, so that it has proper network connectivity.
[2] In case your clients are not on AWS, and in an On-prem Environment, you need to have a VPN connection between your client and your DC.
So in Summary, you need to have network connectivity between your client and DC so that clients can join your Domain.
What do you mean whenever we try to connect we are not allowed to?
What are you trying to connect to, the Windows EC2 instance?
Are you saying that the instance is joined to AWS Directory Service domain but you can't connect to the instance using one of the users in your AWS directory?
Edit: This should have been a comment but couldn't post comments at the time of answering.