AWS internal load balancer - unable to access using generated DNS - amazon-web-services

I need to create an internal website for a company, accessible only through the company's VPN. I have an EC2 instance with a webserver and I was able to access the website through the instance's private IP. Now I'm trying to connect the instance to an internal ELB and I'm facing a problem with the ELB's DNS name.
The instance is added to the ELB's target group, they are on the same subnet, it passes the health check, and I'm able to send a request from the browser to the ELB using its IP addresses, but when I try to do the same with the ELB's DNS name I don't get any response. Security groups are also correct.
I'm also unable to ping the ELB's DNS name from the EC2 instance.
Why does the internal ELB's DNS name not work in the browser/Postman? And how can I fix it?
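For the question above, the useful first split is between "the client never gets an address for the name" and "it gets the private node addresses but nothing answers": an internal ELB's DNS name resolves to the private IPs of its nodes, and load balancers do not answer ICMP, so a failed ping proves nothing. The script below is an added diagnostic, not code from the question or from AWS; it assumes dig and curl are installed, the listener is on port 80, and the optional second argument is a resolver to query directly (for example the VPC resolver 169.254.169.253 from inside the VPC).

```shell
#!/bin/sh
# Added diagnostic (not from the question): classify what a load balancer name
# resolves to, then probe each resolved address over HTTP with the right Host header.

# Return 0 when the IPv4 address is in an RFC 1918 private range.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify a whitespace-separated address list (e.g. the output of `dig +short`).
# Prints: internal (all private), public (all public), mixed, or unresolved (empty).
classify_addresses() {
  priv=0; pub=0
  for ip in $1; do
    if is_private_ip "$ip"; then priv=$((priv + 1)); else pub=$((pub + 1)); fi
  done
  if [ "$priv" -eq 0 ] && [ "$pub" -eq 0 ]; then echo unresolved
  elif [ "$pub" -eq 0 ]; then echo internal
  elif [ "$priv" -eq 0 ]; then echo public
  else echo mixed
  fi
}

# Live check (needs network): resolve NAME, optionally via RESOLVER, then probe port 80.
check_lb_name() {
  name="$1"; resolver="${2:-}"
  if [ -n "$resolver" ]; then
    addrs=$(dig +short A "$name" "@$resolver" | grep -E '^[0-9]+(\.[0-9]+){3}$')
  else
    addrs=$(dig +short A "$name" | grep -E '^[0-9]+(\.[0-9]+){3}$')
  fi
  kind=$(classify_addresses "$addrs")
  echo "$name -> $kind:" $addrs
  [ "$kind" = unresolved ] && { echo "DNS path problem: this client gets no answer"; return 2; }
  for ip in $addrs; do
    # Send the Host header a browser would, so host-based listener rules still match.
    curl -sS -o /dev/null -m 5 -w "$ip -> HTTP %{http_code}\n" -H "Host: $name" "http://$ip/" \
      || echo "$ip -> no response (routing, security group or NACL between client and node)"
  done
}

# Usage: sh lb-dns-check.sh internal-lb-EXAMPLE.eu-west-1.elb.amazonaws.com [169.254.169.253]
if [ -n "${1:-}" ]; then check_lb_name "$1" "${2:-}"; fi
```

Run it once on the EC2 instance and once from a VPN-connected client: "internal" plus HTTP codes on the instance but "unresolved" or "no response" from the client points at the VPN's DNS or routing rather than at the load balancer.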

Related

assign a domain name to ec2 instance w/o elastic IP

I registered a domain name with AWS Route 53 as mydomain.com. Is there any way that I can assign e.g. ns1.mydomain.com as a public hostname to an EC2 instance which does NOT have an Elastic IP?
Thanks
You can assign the domain name to any IP address of an instance. However, be aware of the following limitations:
If a domain name is assigned to a private IP, it will not be connectable without network access to that IP.
If the domain is assigned to a non-elastic public IP, then if the instance stops and starts you would lose the public IP, so you would need to update the DNS resolution.
If you have a public-facing application, but want to keep network traffic that directly connects to the instance private, you should look at using an ELB in front of the application to provide a security boundary between the internet and your application.
Utilize a load balancer in front of the instance and assign the public hostname to the load balancer.
Use an S3 webpage redirect and assign the hostname to the S3 URI.
If the problem is that you don't have any Elastic IPs left, you can request more. This should be resolved within about 15 minutes.

Unable to access website via Route 53 domain name

I have multiple EC2 instances connected to a load balancer and the traffic is routed to load balancer using Route53.
Suddenly, I can no longer access my website if I type my domain name "www.domain.com". I tried to debug the problem by directly typing the load balancer DNS name in the browser and it worked.
To investigate the problem further, I created a single instance and directed the traffic using Route 53 to the current public IP of the instance. If I use the domain name "www.domain.com" in the browser, I get an error stating that the site can't be reached. If I use the public IP of the instance I can reach the page. I think that means that Route 53 is not directing the traffic to the instance.
How can I check that? I have been stuck on this problem for almost two days. Is there a way to check whether Route 53 routes traffic or not? I am sure my security group allows traffic for HTTP, HTTPS and SSH, and the port numbers are correct.

Access Amazon EC2 instance only from ELB

I deployed a simple website on EC2 instance, and created an elastic load balancer, routing traffic to this EC2 instance.
I also created a CNAME record on my DNS registrar, pointing my domain (www.example.com) to the load balancer DNS name (load-balancer-1234567890.us-east-1.elb.amazonaws.com).
I can successfully reach my site in the browser in 3 different ways:
EC2 instance public IP (Eg: 54.89.99.99)
ELB public DNS name (Eg: load-balancer-1234567890.us-east-1.elb.amazonaws.com)
My domain DNS (Eg: www.example.com)
But, for security reasons, I want my EC2 instance to be accessible on port 80 only from the load balancer.
So, I changed the security group for the EC2 instance:
removed the rule that allowed traffic on port 80 from all sources (0.0.0.0/0)
added a rule to allow traffic on port 80 from my VPC (172.31.0.0/16)
added a rule to allow traffic on port 80 from the ELB security group (sg-xxxxxxxx)
After that, I still can access my website from the ELB DNS name, but now I can't access from my domain anymore (www.example.com). I get the error: ERR_CONNECTION_TIMED_OUT.
What's wrong?
This seems like a DNS caching issue in your machine or in DNS servers.
To clear the cache on your machine, flush the DNS using ipconfig /flushdns.
If the issue persists, try traceroute www.example.com (or tracert www.example.com on Windows) to see whether it reaches the ELB. If the source IP is different from the current DNS configuration,
it can be due to a misconfiguration (double check);
if the latest DNS modification is not propagated (if it points to a previous configuration), then wait for some time until the DNS servers clear the cache based on the TTL value.
When you create a load balancer, you select the AZs that the load balancer is located within. This means that your load balancer is located within your VPC and not outside of it (this is normal and expected).
Since your Security Group allows traffic from within your VPC (which duplicates the ELB security group, as both are allowing traffic), either there is something wrong with your Security Group settings or your Load Balancer is configured wrong. Also double check the load balancer security group settings.

Amazon Route53 with Private Hosted Zone - Ping Works, Web Connection Fails

I've read through all the white papers for Route 53, Private Hosted Zones, and WorkSpaces and I'm at the point of banging my head on the wall. :p
I'm having trouble getting an EC2 instance and an Amazon Workspace within a private cloud to communicate using a Fully Qualified Domain Name. I need them to communicate with a FQDN instead of an IP address so that I can have an encrypted connection with an SSL.
Here is my configuration:
Set up a VPC with two public subnets, a route table, and an internet gateway.
The VPC is set up with DNSResolution and DNSHostnames enabled.
Set up a Simple AD for the workspace within the private VPC.
Set up an EC2 instance within the private VPC with a public subnet.
Set up the EC2 instance with a security group that allows ports 80, 443, and 5003 open to 0.0.0.0/0.
Set up a workspace within the private VPC with no security group.
Disabled the firewall within the EC2 instance and Workspace.
Set up a Hosted Zone on Route 53 configured as Private and linked to the VPC.
Set up an A record pointing to the private IP of the EC2 instance.
If I run a ping from the Workspace to the DNS record that was setup in Route53, I get a successful connection.
If I try to reach the EC2 server using a Web browser on Port 80 or Port 443 using the DNS record, it fails.
If I try to reach the EC2 server using an application that runs on Port 5003 using the DNS record, it fails.
If I try to reach the EC2 server with either web browser or application by referencing the IP, it is successful. So I know that my ports aren't being blocked.
Did I configure the Route 53 record incorrectly, or am I missing a particular IAM Role permission set?
Thanks and let me know if I need to elaborate on any of the configuration.
Simple AD DNS is being used instead of Route 53. If the zone is the same, then only one or the other can be used, I'm afraid.
For example, if you have the host.com DNS zone in Simple AD, then the workspace won't use R53 for any *.host.com resolution. Try a different private zone in R53, and therefore a different FQDN, for the EC2 instance's private IP address.
https://forums.aws.amazon.com/thread.jspa?threadID=215126

Use AWS ELB with PowerDNS

Background: PowerDNS is deployed on an EC2 instance inside a VPC. In PDNS, I added a master zone and a CNAME record pointing to the ELB's DNS name.
Now, from within the VPC, when I ping the ELB's DNS name I get a private IP, but when I ping the PDNS record I get an external IP.
Question: Is there any way I can make the PDNS record give me a private IP, just like the ELB does?
Normally the public IP of the ELB is changed over time by AWS, so adding an A record won't help you much here. If you really want to do that, however, you can use the PowerDNS API to add an A record.