to create Secure RDP using a Windows Bastion Host server - google-cloud-platform

Topics tested
Create a new VPC to host secure production Windows services.
Create a Windows host connected to a subnet in the new VPC with an internal only network interface.
Create a Windows bastion host (jump box) with an externally accessible network interface.
Configure firewall rules to enable management of the secure Windows host from the Internet using the bastion host as a jump box.
Setup
This is a Qwiklabs problem.

1. Create a VPC network with one custom subnet.
2. Create a firewall rule for the new VPC network that targets the network tag 'RDPtag' and allows protocol TCP:3389.
3. Create a Windows VM (vm-bastionhost) with 2 network interfaces:
   a. on the custom subnet you created, with the external IP set to Ephemeral;
   b. on the default network, with the external IP set to None.
   Add the network tag 'RDPtag'.
4. Create a Windows VM (vm-securehost) with 2 network interfaces:
   a. on the custom subnet you created, with the external IP set to None;
   b. on the default network, with the external IP set to None.
   Add the network tag 'RDPtag'.
5. Reset the credentials for both VMs:
   gcloud compute reset-windows-password vm-bastionhost --user app_admin --zone us-central1-a
   gcloud compute reset-windows-password vm-securehost --user app_admin --zone us-central1-a
6. RDP into vm-bastionhost using the new credentials.
7. From vm-bastionhost, run mstsc and connect to vm-securehost using its new credentials.
8. Install IIS on vm-securehost.
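The same build scripted with gcloud, as an added example that is not part of the lab text: the network, subnet, range, image and ADMIN_CIDR values are assumptions, and the single RDP rule is split in two so that RDP from the Internet is limited to an admin CIDR instead of any source, while the bastion can still reach vm-securehost inside the subnet.

```shell
#!/bin/sh
# Added example: scripts the lab topology with gcloud. Network, subnet, range, image and
# ADMIN_CIDR values are assumptions, not from the lab. DRY_RUN=1 prints commands only.
set -eu
ZONE=us-central1-a
REGION=us-central1
NETWORK=secure-vpc                 # assumed name of the custom VPC
SUBNET=secure-subnet               # assumed name of its subnet
SUBNET_RANGE=10.130.0.0/20         # assumed range
ADMIN_CIDR=${ADMIN_CIDR:-203.0.113.10/32}   # placeholder: your workstation's public IP
IMAGE="--image-project windows-cloud --image-family windows-2019"   # assumed image

run() {                            # echo each command, then execute unless DRY_RUN=1
    printf '%s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

create_network() {
    run gcloud compute networks create "$NETWORK" --subnet-mode custom
    run gcloud compute networks subnets create "$SUBNET" --network "$NETWORK" \
        --region "$REGION" --range "$SUBNET_RANGE"
}

# Two rules instead of one open RDP rule: RDP to tagged hosts from the admin CIDR (only the
# bastion has an external IP), and RDP between tagged hosts inside the subnet, which the
# bastion needs to reach vm-securehost since a custom VPC has no implied allow-internal rule.
create_firewall() {
    run gcloud compute firewall-rules create allow-rdp-from-admin --network "$NETWORK" \
        --direction INGRESS --allow tcp:3389 --target-tags RDPtag --source-ranges "$ADMIN_CIDR"
    run gcloud compute firewall-rules create allow-rdp-internal --network "$NETWORK" \
        --direction INGRESS --allow tcp:3389 --target-tags RDPtag --source-ranges "$SUBNET_RANGE"
}

# nic0 on the custom subnet, nic1 on default. $2 is "no-address" to withhold the external
# IP (vm-securehost) or empty for an ephemeral one (vm-bastionhost).
create_vm() {
    run gcloud compute instances create "$1" --zone "$ZONE" $IMAGE --tags RDPtag \
        --network-interface "network=$NETWORK,subnet=$SUBNET${2:+,$2}" \
        --network-interface "network=default,subnet=default,no-address"
}

deploy() {
    create_network
    create_firewall
    create_vm vm-bastionhost ""
    create_vm vm-securehost no-address
    run gcloud compute reset-windows-password vm-bastionhost --user app_admin --zone "$ZONE"
    run gcloud compute reset-windows-password vm-securehost --user app_admin --zone "$ZONE"
}

if [ "${1:-}" = apply ]; then deploy; fi
```

Run it as `sh deploy.sh apply` after setting ADMIN_CIDR to your own public address; with DRY_RUN=1 it only prints the commands it would issue.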

Related

GCP GCE Establishing Cross Project VM SSH connections without a gcloud command

I have two private-IP VMs, each in a different project, each with its own VPC with Private Google Access enabled and no VPC peering or VPN tunnel between the two.
I am attempting to establish an SSH connection between the VMs and cannot use gcloud commands since I am in a chroot. I can only use ssh commands. Since these VMs aren't in the same VPC, attempting to SSH to the IP address of the other instance would not work.
Could I somehow set up DNS records in Project A linking to the VM hostnames/private IPs in Project B?
The easiest way to do this is by creating a Shared VPC network or a Cloud VPN. VPC peering won't work in this use-case because transitive peering is not supported.
https://cloud.google.com/vpc/docs/shared-vpc
https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview

Adding point to site VPN to existing VNET and Windows VM

I have set up a Windows machine in Azure in a newly created VNET. After that I set up a Virtual Network Gateway on this VNET. The gateway is in a different subnet, as instructed by Microsoft. I am able to connect to this VPN from my desktop; however, I am unable to connect to the VM.
The VM's private IP is 10.0.0.4. It sits on the "default" subnet with address range 10.0.0.0/24. The VNET address range is defined as 10.0.0.0/24, and the default gateway address range is 10.67.0.0/24.
What have I done wrong? Is there any chance to alter the setup, or does it require building the VNET from scratch and then the VMs?
When you connect to your Azure VM from the desktop via a VPN connection, you could connect to VM with its private IP. If you have set GatewaySubnet address range 10.67.0.0/24, I guess that you should have address space in your VNet like this or you need to expand your address space.
To configure your VPN, you could refer to the example values or this step-by-step blog. For Windows VPN clients, you could select the SSTP (SSL) or IKEv2 and SSTP (SSL) tunnel type.
When you modify your configuration on the Azure portal, you could re-download the VPN client package to re-connect the VPN connection. Let me know if you need further assistance in this case.

HashiCorp Vault is not accessible outside of EC2

I have installed HashiCorp Vault on a Linux EC2 machine in AWS. I have unsealed it and allowed all outbound traffic in the Security Group. I am able to access the Vault service within the EC2 instance using "http://localhost:8200". But I am unable to use the service when I try to hit the URL using the public IPv4 of the EC2 instance from the Internet (e.g. http://xxx.xxx.xxx.xxx:8200).
Check your network configurations.
There are a few things you can check:
Your Security Group allows connections from your IP to port 8200.
Your EC2 instance is in a public subnet.
The NACL of the public subnet allows connections to/from port 8200 and to/from your IP.
The Route Table of the public subnet has an Internet Gateway attached.
If you validate these 4 points and still can't connect to the service, it can be a problem of the service listen-address being 127.0.0.1 (localhost).
https://www.vaultproject.io/docs/commands/server.html#dev-listen-address
In that case, you should start your HashiCorp Vault with the options:
-dev -dev-listen-address="0.0.0.0:8200"
This problem is described here:
Is it possible to start Vault dev server on 0.0.0.0 instead of 127.0.0.1?

Google serverless VPC connector does not access GCE instance with multiple network interfaces

Is there any way I can connect Cloud Functions with a VPC connector on the default network to a GCE instance with multiple network interfaces where nic0 is someother network and nic1 is the default network?
So I have a GCE instance with multiple network interfaces.
nic0 is someother network
nic1 is default network
I made a serverless VPC connector on default network. And used that connector with Google Cloud functions to connect to the GCE instance.
The problem is that when network interfaces are swapped i.e. nic0 is default network and nic1 is someother network, then VPC connector connects successfully and cloud functions can reach the GCE but when nic0 is someother network and nic1 is default network then cloud functions cannot reach GCE.
I tried the following things:
I tried swapping the network interfaces, i.e. default to nic0, and it works, but I need nic0 for someother network to connect to another external server, and so default is on nic1.
I tried making firewall rules, but apparently they are not needed in this scenario as I already have the necessary rules set up.
I tried making a VPC connector on the someother network so it could connect to nic0, but that does not work either. The VPC connector should be on the default network.
Note: I have the correct IAM permissions setup as I've successfully connected Cloud functions to GCE instance with only default network.
Without further configuration, secondary network interfaces only provide access to the immediate subnet they are attached to. This includes serverless VPC connectors, as they are by their very nature a different subnet than the one your instance is attached to.
To get around this, you need to create a static route in the operating system on the instance where the secondary interface is located. This will obviously vary based on your operating system, but on Debian-9 you can set this up with this command:
sudo ip route add [MY_CONNECTOR_SUBNET] via [ETH1_DEFAULT_ROUTER] dev eth1
Where ETH1_DEFAULT_ROUTER is the .1 address of your ETH1 subnet, and MY_CONNECTOR_SUBNET is the CIDR-format /28 subnet the connector is configured to use (e.g. something like 10.50.1.0/28, but it will depend on how you set up your connector).
Of course, this doesn't persist it at boot, as that is also an OS-specific configuration, but it should give you an idea if this is the problem for you.
Also, there isn't really anything special about the 'default' network -- it's just an auto-created auto-mode network, and there isn't any reason this shouldn't have worked when you had the connector attached to the nic0 "someother" network. The only thing happening here that is 'special' is that nic0 gets the default route for all traffic out of the VM, and therefore won't need a static route added to access a Serverless VPC Connector on the same network.
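The route the answer describes, scripted for a Debian guest as an added example that is not part of the answer: the connector and eth1 subnet ranges are constructed placeholders, and the gateway is derived as the subnet's .1 address exactly as the answer states.

```shell
#!/bin/sh
# Added example (not from the answer): adds the static route for the Serverless VPC
# Connector range via the .1 gateway of the eth1 subnet. Subnet values below are
# constructed placeholders. DRY_RUN=1 prints the ip command instead of running it.
set -eu

# The gateway of a GCE subnet is its first usable address (network address + 1).
subnet_gateway() {   # $1 = subnet in CIDR form, e.g. 10.128.0.0/20 -> 10.128.0.1
    net=${1%/*}
    set -- $(printf '%s' "$net" | tr . ' ')
    printf '%s.%s.%s.%d\n' "$1" "$2" "$3" "$(($4 + 1))"
}

# Connectors use a /28; refuse anything else rather than add a route for the wrong range.
check_connector_range() {   # $1 = connector CIDR
    case $1 in
        */28) return 0 ;;
        *) echo "connector range must be a /28: $1" >&2; return 1 ;;
    esac
}

add_connector_route() {   # $1 = connector CIDR, $2 = eth1 subnet CIDR, $3 = interface
    check_connector_range "$1"
    gw=$(subnet_gateway "$2")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'ip route add %s via %s dev %s\n' "$1" "$gw" "$3"
    else
        sudo ip route add "$1" via "$gw" dev "$3"
    fi
}

# Constructed values: connector on the default network's 10.8.0.0/28, eth1 attached to
# the default subnet 10.128.0.0/20. As the answer notes, this does not persist across
# reboots; put the same route in your distribution's network configuration for that.
if [ "${1:-}" = apply ]; then
    add_connector_route "${CONNECTOR_SUBNET:-10.8.0.0/28}" "${ETH1_SUBNET:-10.128.0.0/20}" eth1
fi
```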

PgAdmin access to AWS Postgres instance in private subnet

I'm trying to create a realistic network setup for a multi-tiered web application. I've created a new VPC within AWS with 1 x public subnet & 2 x private subnets. I then created a Postgres instance within the private subnet and set it to not publicly accessible. This adds an extra layer of security around the database, but how do I then access the database from my local IP?
I created a security group & assigned my IP to the inbound rules & assigned that to the DB instance during creation:
But I still have no way of connecting to it? Do I need to create a VPN and connect to my VPC via the VPN and then connect to the DB instance? Within the proposed architecture, how do you connect to the DB?
What I'm trying to achieve is an architecture which will allow me to create Lambda functions which communicate with the DB via the API Gateway and serve data to a web frontend. So I want the DB protected via the private subnet. But I also want to be able to connect directly to the DB from my local laptop.
At the moment, the RDS instance is running in the VPC, but I don't know how to connect to it. Do I need to set up an Internet Gateway / VPN / EC2 instance and jump to the DB?
You have implemented excellent security by placing the Amazon RDS database into a private subnet. This means it is not accessible from the Internet, which blocks off the majority of potential security threats.
However, it also means that you cannot connect to it from the Internet.
The most common method to achieve your goals is to launch an Amazon EC2 instance in the public subnet and use it as a Bastion or Jump Box:
You SSH into the Bastion
The Bastion can then connect you to other resources within the VPC
Since you merely wish to connect to a database (as opposed to logging into another server), the best method is to use SSH with port forwarding.
In Windows, this can be done using your SSH client -- for example, if you are using PuTTY, you can configure Tunnelling. See: How to Configure an SSH Tunnel on PuTTY
For Mac/Linux, use this command:
ssh -i YOUR-KEYPAIR.pem -L 5555:RDS-ENDPOINT:5432 ec2-user@YOUR-BASTION-SERVER
You then point the SQL client on your laptop to: localhost:5555
The 5555 can be any number you wish. It is merely the "local port" on your own computer that will be used to forward traffic to the remote computer.
The RDS-ENDPOINT is the Endpoint of your RDS database as supplied in the RDS console. It will be similar to: db.cnrffgvaxtw8.us-west-2.rds.amazonaws.com
BASTION-SERVER is the IP address or DNS name of the Jump Box you will use to connect.
Then, any traffic sent to localhost:5555 from your SQL client will be automatically sent over the SSH connection to the Bastion/Jump Box, which will then forward it to port 5432 on the RDS database. The traffic will be encrypted across the SSH connection, and establishment of the connection requires an SSH keypair.
I referred to a lot of articles and videos to find this answer.
Yes, you can connect to RDS instances in private subnets.
We have two ways to connect:
With a server: by using EC2 in the public subnet as a bastion host, we can connect pgAdmin via SSH tunneling.
Serverless: by using a Client VPN endpoint. Create a Client VPN endpoint, associate the subnets, and allow the Internet to the private subnets. Then download the configuration file, install the OpenVPN GUI, import the configuration file, add the keys, and connect OpenVPN. Now try to connect from pgAdmin; it will connect.
For steps: https://docs.google.com/document/d/1rSpA_kCGtwXOTIP2wwHSELf7j9KbXyQ3pVFveNBihv4/edit