If I have an AWS VPC with a private and a public subnet, the public subnet has one EC2 instance and the private subnet has one EC2 instance as well, and I set up a site-to-site VPN to my VPC from my work location, can I access my private-subnet EC2 instance via SSH using the private IP? Or do I have to use a bastion host in my public subnet to access my private-subnet EC2 instance?
Yes, you will be able to SSH to an EC2 instance from your on-premises/work location. You need to configure routing from your work location to reach the EC2 instance IP. Once that is in place and your security groups allow the incoming connection, you should be good.
Related
I have a private EC2 instance in a public subnet. I am not able to run apt-get update or ping google or do anything internet facing.
I see that the security group for this instance has outbound rules set to "all traffic" to 0.0.0.0/0. Also, the route table has an entry for 0.0.0.0/0 to IGW. So, looks like it should work.
Not sure what I am missing here.
No public IP address
Without a public IP, an instance in a public subnet can't connect to the internet. A public IP is required to communicate with services outside of a VPC.
If you don't want to add a public IP to your instance, you have to place it in a private subnet, and correctly set up a NAT gateway in a public subnet and route tables to it. This way your instance will connect to the internet through NAT. NAT will be your proxy, which will have the public IP, but your instance will not need to have one.
NETWORK:
I have a private subnet and a public subnet. A VPC with an IG attached. There is a NAT Gateway in the public subnet. I also have 2 route tables: the public route table routes everything to the IG, the private route table routes everything to the NAT Gateway.
EC2:
My EC2 Windows instance is in the private subnet with an EIP and a public DNS. It has a security group that allows all traffic from the internet inbound/outbound, but I can't even ping, nor RDP.
All the machines or instances in the private subnet cannot be connected to externally, hence the name private subnet. If you want to connect to your instance externally you must place it in the public subnet (the subnet that is connected to the internet gateway). Even though you attach an elastic IP (which is a public IP), it is routed through a NAT. The EIP must go through the internet gateway only.
If you really want to connect you need to VPN to your VPC (using AWS VPC VPN) and then RDP to your instance. Or have a gate instance in your public subnet.
Verify that the route table for the subnet has a route that sends all traffic destined outside the VPC to the internet gateway for the VPC. For more information, see Creating a Custom Route Table (Internet Gateways) in the Amazon VPC User Guide.
I have set up the VPC configuration below, but SSH to the instance is not happening at the moment:
Created a new VPC
Created a public and a private subnet
Launched an EC2 instance in the public subnet; updated route tables for the internet gateway
Launched an EC2 instance in the private subnet.
Associated a NAT gateway with the public subnet with an EIP
Route table updated for the private subnet with the NAT gateway
SSH from the public instance to the private instance is not happening with the key pair.
Can you let me know what I have missed here?
First things first:
A NAT Gateway in the public subnet allows instances in the private subnet to reach the internet for software updates etc. via the Internet Gateway.
A NAT Gateway doesn't play any role in SSHing into an instance.
Try this to test:
Attach the default NACL (allows all inbound and outbound) on the public and private subnets where your EC2 instances reside.
Create 2 security groups for the public (let's say Pub-SG) and private subnets (Prv-SG).
Allow SSH from everywhere/a specific IP on Pub-SG.
On Prv-SG allow SSH from Pub-SG as source, for better security.
If both instances are launched using the same key pair, then with SSH agent forwarding you can connect to the private instance through the public instance.
I suspect you are missing a security group that permits SSH traffic between the instances on the two subnets.
AWS is secure by default - you need to explicitly permit traffic, roles, etc.
So in this case, the easiest thing to do would be to create a security group that spans the CIDR block of the VPC, and assign this to both instances.
Edit: I just noticed you say you added your NAT gateway to the public subnet - I presume you mean private.
This guide covers a similar scenario - public web subnet and private db subnet, and discusses all the routes + ACLs you need.
Also, when you say ssh with the keypair isn't happening - are you connecting at all, or does the connection time out?
When it comes to one EC2 instance communicating with another EC2 instance within a VPC, NAT Gateway has no role.
Make sure that the Security Group to which the private subnet instance belongs, allows SSH protocol from the Security Group to which the public subnet instance belongs.
Also, the NACL associated with the private subnet should allow inbound and outbound SSH traffic from the CIDR block to which the public subnet instance belongs.
Copy the SSH public key of the private instance to the public instance. Open the SSH key material using VS Code, then use nano or vim to paste the content of the public key, then save and exit. Now you can SSH into your private instance, given that the SG of the private instance allows traffic from the public instance.
I set up and am using a NAT Gateway per these instructions:
AWS Lambda: How to setup a NAT gateway for a lambda function with VPC access
The Lambda functions using the private subnet with the NAT Gateway now seem to be able to access the Internet. So that's good.
However, I launched an EC2 micro instance with a public IP address into the private subnet, and I cannot connect to it via SSH. There is some reference to this issue in the question I linked above, namely that it is technically a misconfiguration, but I was hoping someone could explain in detail why this is the case and why the EC2 instance is inaccessible.
You cannot SSH into an EC2 instance which is in a private subnet even if you assign a public IP address to it. Follow this procedure to SSH into an EC2 instance that is in a private subnet.
https://cloudpages.wordpress.com/2013/08/05/ssh-to-an-instance-in-private-subnet/
Or create a bastion host in the public subnet which has access to your private-subnet EC2 instance, and then SSH to the EC2 instance from the bastion host.
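The answers on this page keep returning to the same three checks: the site-to-site VPN answer at the top (a route back to the on-premises range), the Pub-SG/Prv-SG bastion advice (a stateful security group that names another group as source), and the public-IP-in-a-private-subnet case just above (the reply would leave via the NAT gateway, which only forwards flows the instance started). The model below is an added example, not code from any poster; it also assumes a stateless NACL needs both an inbound tcp/22 rule and an outbound ephemeral-port rule, and every id, address and CIDR in it is constructed.

```python
# Added example, not from the thread: a small model of the data-path checks the
# answers describe. All ids, addresses and CIDRs below are constructed sample values.
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
DEFAULT_NACL = [(100, "in", "allow", "0.0.0.0/0", 0, 65535),   # default NACL: allow all
                (100, "out", "allow", "0.0.0.0/0", 0, 65535)]

def route_target(routes, ip):
    """Longest-prefix match over (cidr, target) pairs, as the VPC router does."""
    hits = [(ipaddress.ip_network(c), t) for c, t in routes if ip in ipaddress.ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def nacl_allows(nacl, direction, ip, port):
    """NACLs are stateless and ordered: the lowest-numbered matching rule wins."""
    for _, d, action, cidr, lo, hi in sorted(nacl):
        if d == direction and ip in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False  # implicit deny at the end of every NACL

def sg_allows(rules, ip, src_sg, port):
    """Security groups are stateful, so only the target's inbound rule matters.
    A rule source is a CIDR or another group id (the Pub-SG -> Prv-SG pattern)."""
    for source, lo, hi in rules:
        if lo <= port <= hi and (source == src_sg or
                (not source.startswith("sg-") and ip in ipaddress.ip_network(source))):
            return True
    return False

def can_ssh(src, dst):
    """src: {"ip", "sg"}; dst: {"routes", "nacl", "sg_in"}. Returns (ok, reason)."""
    ip = ipaddress.ip_address(src["ip"])
    if ip not in VPC_CIDR:  # off-VPC source: the reply must leave via an IGW or VGW, never NAT
        target = route_target(dst["routes"], ip) or "no route"
        if not target.startswith(("igw-", "vgw-")):
            return False, "reply to %s routed to %s; a NAT gateway only forwards outbound flows" % (ip, target)
    if not nacl_allows(dst["nacl"], "in", ip, 22):
        return False, "subnet NACL blocks inbound tcp/22"
    if not nacl_allows(dst["nacl"], "out", ip, 40000):  # ephemeral port of the reply
        return False, "subnet NACL blocks the outbound ephemeral reply"
    if not sg_allows(dst["sg_in"], ip, src.get("sg"), 22):
        return False, "instance SG has no inbound SSH rule matching this source"
    return True, "ok"

# Constructed scenarios: site-to-site VPN, bastion hop, and a public IP in a private subnet.
PRIVATE_ROUTES = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0sample"), ("192.168.0.0/16", "vgw-0sample")]
PRIVATE_HOST = {"routes": PRIVATE_ROUTES, "nacl": DEFAULT_NACL,
                "sg_in": [("sg-pub", 22, 22), ("192.168.0.0/16", 22, 22)]}
ONPREM, BASTION, INTERNET = {"ip": "192.168.1.10"}, {"ip": "10.0.1.10", "sg": "sg-pub"}, {"ip": "203.0.113.5"}
```

Calling `can_ssh(INTERNET, PRIVATE_HOST)` reports the NAT-gateway return route, which is the misconfiguration the question above asks about; the on-premises and bastion sources pass because the VGW route and the Pub-SG rule exist.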
I realize the normal way to do this is to use a bastion host or a VPN, but I (my boss) would like to know how to connect to an RDS instance in a private subnet via a public NAT instance.
I have a NAT instance with an EIP and wide-open inbound rules
I have 2 private subnets with traffic defaulting via the NAT
The DB Security group is set to allow traffic from the NAT SG
I don't know what I'm missing - any tips appreciated.
You'll have to set up a bastion client on the public subnet and then log in to that first. Then, once connected to the bastion client, you'll be able to access the RDS instance.
Alternatively, you could set up a VPN (check out OpenVPN) in the public subnet; then, once you've established a VPN connection, you'll be able to connect to the RDS instance using the private IP.
You can't initiate connection from the outside internet to a private subnet.