Route only api traffic to other AWS EC2 instance - amazon-web-services

I am new to networking, and I am trying to route only traffic from one VM to another VM. Therefore, I have done this.
I have two AWS EC2 instances as:
Application Server
Database Server
They have their own security groups, and I have allowed all traffic. Now I want Database_server to accept only Application_server traffic, not all public traffic. Database_server runs MySQL, which is listening on port 3306.
Suppose:
Application_server Public IP: 14.233.245.51
Database_server Public IP: 15.233.245.51
So I have allowed port 3306 only from 14.233.245.51/32 on Database_server, but it did not work. Before this it was 0.0.0.0/0 and ::/0.
How can I solve this?

First, the application server should communicate with the database server via private IP address. This will keep all traffic within the VPC and will enable security groups to work correctly.
Second, configure the security groups:
App-SG should be associated with the application server and permit incoming traffic on the appropriate ports for the application (eg 80, 443)
DB-SG should be associated with the database server and permit incoming traffic on port 3306 from App-SG
That is, DB-SG permits inbound traffic from App-SG by referring to the ID of App-SG. There is no need to specify an IP address. The security groups will automatically recognize the traffic and permit the App server to send traffic to the DB server. Return traffic will also be permitted because security groups are stateful.
You MUST communicate with the database server via private IP address for this to work.

Related

Connect to RDS instance from Ec2 instance within VPC

Background:
I have a custom VPC with 2 private subnets that contain a Postgres RDS instance within the us-west-2 region and a public subnet that contains an EC2 instance within the us-west-2 region.
Private Subnet ACL:
Allow all inbound IPv4 traffic on port 5432
RDS instance security group:
Allow all inbound IPv4 traffic on port 5432
Public Subnet ACL:
Allow all inbound/outbound traffic on all ports
Public Subnet has an internet gateway within its route table
EC2 instance security group:
Allow inbound SSH traffic from my local IP on port 22
Allow all IPv4 outbound traffic on ports 5432, 443, and 80
After I SSH into the EC2 instance, I export the environment variables associated with the RDS instance's Postgres credentials (e.g. PGDATABASE=testdb, PGUSER=foo_user, PGHOST=identifier.cluster-foo.us-west-2.rds.amazonaws.com, PGPASSWORD=bar) and run the following python script with python version 3.7.10:
import psycopg2

# Connection parameters (host, database, user, password) are taken from the
# PG* environment variables exported above; only the timeout is set here.
try:
    conn = psycopg2.connect(connect_timeout=10)
    cur = conn.cursor()
    cur.execute("""SELECT now()""")
    query_results = cur.fetchall()
    print(query_results)
except Exception as e:
    print("Database connection failed due to {}".format(e))
I get the following timeout error:
Database connection failed due to connection to server at "foo-endpoint" (10.0.102.128), port 5432 failed: timeout expired
connection to server at "foo-endpoint (10.0.101.194), port 5432 failed: timeout expired
Have you checked if the VPC's DNS Hostnames are enabled? This is more likely stemming from the failure to resolve the DNS in the same subnet (knowing that the security group of the RDS welcomes Postgres traffic from anywhere).
Aside from that, I would also recommend whitelisting the security group of the ec2 + the port of Postgres on the security group of the RDS. You can look at this diagram below:
In general, Network Access Control Lists (NACLs) should be left at their default "Allow All Inbound & Outbound" settings unless you have a very specific network requirement (eg creating a DMZ).
NACLs are stateful meaning that they need to permit traffic in both directions. This is different to a Security Group, which is stateless and allows return traffic to go out in response to permitted Inbound traffic. A Security Group could be configured with zero Outbound rules and would still allow users to connect to the resource and receive a response.
The correct security configuration for your scenario should be:
A Security Group on the Amazon EC2 instance (EC2-SG) that permits inbound SSH access (port 22) from your IP address
A Security Group on the Amazon RDS database (DB-SG) that permits inbound PostgreSQL access (port 5432) from EC2-SG
That is, DB-SG should specifically reference the EC2-SG as being permitted for Inbound access. This is the most secure configuration since the database is only reachable from an EC2 instance that is associated with EC2-SG. If the instance is replaced with another EC2 instance, it will still be able to connect if it is associated with EC2-SG.
Please note that EC2-SG does not require any Outbound rules in the Security Group since it can automatically respond to any inbound requests. However, it is normally recommended to leave the default Outbound rules in place so that software running on the instance can access the Internet (eg to install the psycopg2 library). Instances can normally be trusted to have Outbound access to the Internet since you have installed the software yourself.
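Both of the answers above (App-SG/DB-SG for MySQL on 3306 in the first question, EC2-SG/DB-SG for PostgreSQL on 5432 in this one) describe the same change: remove the world-open rule on the database port and replace it with a rule that references the client tier's security group by ID. The script below is an added example, not code from either answer or from AWS. It uses the real boto3 EC2 client methods describe_security_groups, revoke_security_group_ingress and authorize_security_group_ingress, parametrised on the port so it covers both cases; the group IDs, CIDRs and starting rule set are constructed placeholders, and the client object is injected so the logic can be run offline with the FakeEc2 stand-in at the bottom.

```python
"""Replace a world-open database ingress rule with a security-group reference.

Added example; not code from the posts above. Uses the real boto3 EC2 client
methods describe_security_groups, revoke_security_group_ingress and
authorize_security_group_ingress. Group IDs, CIDRs and the starting rule set
are constructed placeholders; the client is injected so this runs offline.
"""

PUBLIC_V4 = "0.0.0.0/0"
PUBLIC_V6 = "::/0"


def db_ingress_from_sg(app_sg_id, port):
    """IpPermissions entry: TCP `port` from any instance that is a member of app_sg_id.

    There is no CIDR here. The rule matches on group membership, which AWS can
    only do for traffic that arrives via the database's private IP address.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": app_sg_id, "Description": "app tier"}],
    }


def world_open_rules(sg, port):
    """Existing ingress entries on `sg` that expose `port` to 0.0.0.0/0 or ::/0.

    Returned in the exact shape revoke_security_group_ingress expects, so only
    the public ranges are removed and other ranges on the same rule survive.
    """
    stale = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 0)):
                continue
        elif proto != "-1":  # "-1" means all protocols and ports
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == PUBLIC_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == PUBLIC_V6]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": proto}
        if proto == "tcp":
            entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        stale.append(entry)
    return stale


def lock_down_db_sg(ec2, db_sg_id, app_sg_id, port):
    """Revoke public access to `port` on db_sg_id and allow it from app_sg_id instead."""
    sg = ec2.describe_security_groups(GroupIds=[db_sg_id])["SecurityGroups"][0]
    stale = world_open_rules(sg, port)
    if stale:  # revoking a rule that does not exist is an API error, so check first
        ec2.revoke_security_group_ingress(GroupId=db_sg_id, IpPermissions=stale)
    wanted = db_ingress_from_sg(app_sg_id, port)
    ec2.authorize_security_group_ingress(GroupId=db_sg_id, IpPermissions=[wanted])
    return {"revoked": stale, "authorized": wanted}


class FakeEc2:
    """Records calls instead of talking to AWS, so the example runs without credentials."""

    def __init__(self, ingress):
        self.ingress = ingress
        self.calls = []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": self.ingress}]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(("revoke", GroupId, IpPermissions))
        return {"Return": True}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(("authorize", GroupId, IpPermissions))
        return {"Return": True}


# Constructed starting state: the DB group as the first question had it
# (3306 open to 0.0.0.0/0 and ::/0), plus an unrelated SSH rule that must survive.
EXAMPLE_DB_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": PUBLIC_V4}], "Ipv6Ranges": [{"CidrIpv6": PUBLIC_V6}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
]

if __name__ == "__main__":
    # Against a real account: ec2 = boto3.client("ec2", region_name="us-west-2")
    ec2 = FakeEc2(EXAMPLE_DB_INGRESS)
    print(lock_down_db_sg(ec2, "sg-0db-placeholder", "sg-0app-placeholder", 3306))
```

The revoke is computed from what describe_security_groups actually returns rather than from a hard-coded rule, because the EC2 API rejects a revoke that does not match an existing permission exactly; the SSH rule in the constructed state is left untouched, which is the point of removing only the public ranges.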

security group aws specific ip http/https blocks everything

I've followed the documentation I've read at https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
and I want to create a security group in AWS which allows only one IP access to ports 80 or 443, but AWS is blocking everything even the IP which should have access when I apply this group.
We are using nginx in the ec2 server and the certificate was created with certbot
What do you mean by "blocking everything"?
From these 2 rules, port 80 and port 443 are only open to the one IP that you had given. If this is a webapp, it is likely that you'll have a loadbalancer setup to receive the traffic.
Check the ELB security group and block traffic there (If there is an ELB setup)
Check the VPC NACL if there are any block for port 80/443 traffic. If that is the case, NACL rule will take precedence here
Make sure you also check your outbound rules, if by "blocking everything" you meant the outbound traffic.
Edit the inbound rule so that it only locks other ports down to the instance's IP address, while you open 443 and 80 to everyone.
E.g. if your EC2 instance's public IP is 13.255.77.8 and you don't want port 5000 to be accessible to the public, create a custom TCP rule that is only accessible on that port, i.e. mapping port 5000 to this IP: 13.255.77.8/32

Not able to ssh/http into EC2 instance

I am at my wits end with this, please help.
I am creating EC2 instances in my default public VPC, yet I am not able to SSH or HTTP to my instance or the web server running on the machine. I checked the following:
The SG has inbound SSH, HTTP and HTTPS allowed from 0.0.0.0/0 and assigned to my instance
the default VPC, has route tables with 0.0.0.0/0 pointed to IGW
the NACLs are configured to Allow all traffic. I also manually updated them to allow only HTTP, HTTPS and SSH
the key in use has been given the right permission by running chmod 400 filename
Despite all this not able to connect to the EC2 instance, AMI being Amazon Linux 2 AMI
When I try to SSH, I get a connection timeout error after a while. Initially, I thought it was my office network, but I am also getting the same from my home network with no firewalls in place.
To allow an SSH connection, you will need:
An Amazon EC2 instance running Linux launched in a public subnet (defined as having a Route Table that directs 0.0.0.0/0 to an Internet Gateway)
A Security Group permitting Inbound access on port 22 (Outbound configuration is irrelevant)
Network ACLs left at their default settings of Allow All in both directions
A Public IP address associated with the instance
From your descriptions, I would say that the problem is probably with the Outbound NACLs. Return traffic from an SSH session goes back to the source port on the initiating server, which is not port 22. In general, only change the NACLs if you have a specific reason, such as creating a DMZ. I recommend you reset the NACL rules to Allow All traffic in both directions.

Ephemeral ports on AWS Web server NACL Rule

I am new to AWS and have been experimenting with NACL rules. I went through Amazon VPC NACL default rules evaluation order to understand how NACL rules work.
I've created a test EC2 instance (with NGINX) in a public subnet with some Elastic IP. I have added EC2 to the default security group, which allows all traffic on all ports. I initially configured NACL to block all traffic. This worked fine because I was not able to SSH into or HTTPS my instance. My goal is to let 0.0.0.0/0 HTTP port 80 into my instance.
Understanding that NACLs are stateless, I added communication to/from 0.0.0.0/0 on all TCP ports. This worked fine.
Now, I thought of restricting inbound and outbound to Port 80. However, using this, I wasn't able to access test NGINX page.
I noticed that if I change the outbound rule to allow all ports, I am able to access the NGINX page. I am not sure why this is happening.
Here's the new config:
Do I need to add ephemeral ports as well? https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
Yes. You need to open ephemeral ports 1024-65535 (assuming a Linux server is being used)
Your server will receive requests on 80 (or 443) but send the response over one of those ephemeral ports. Blocking outbound for the ephemeral ports is blocking that response.
You do not need to open 80 (or 443) on the outbound for your web server to work. Your web server would only need port 80 (or 443) outbound open if it needs to make an HTTP request to another web server - which it may well need to do; to call a third party API.

VPC Network ACL Outbound Traffic - Not reachable for specific IP

Let's say my home address is 55.55.50.23 and I am currently hosting a Django App. I want that App to only be accessible from my home IP's address, that is working fine. Now, the problem is with the outbound traffic rules. I tried to do:
IP               PORT          ACTION
55.55.50.23/32   49152-65535   ALLOW
55.55.50.23/32   443           ALLOW
55.55.50.23/32   80            ALLOW
And I cannot reach my server. I am not getting anything back! The only way to get some response back is if I do:
IP          PORT          ACTION
0.0.0.0/0   ALL TRAFFIC   ALLOW
Not sure it's a good idea to restrict outbound traffic, as your instance may need to access other IPs than yours: to get system updates, for example, or to resolve DNS requests...
The most important is the inbound traffic, as you can't control the incoming requests, and you restricted it, so that's perfect. The outbound traffic restriction makes sense to me only if your instance has been corrupted and you don't trust the services running on it.
That said, if you want to restrict the outbound traffic to your IP, you should allow all protocols and ports for your IP.
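The last three questions on this page (the SSH timeout after narrowing the NACL to HTTP/HTTPS/SSH, the NGINX page that only loads with an all-ports outbound rule, and the Django app that is only reachable with an all-traffic outbound rule to the home IP) are all the same stateless-evaluation problem the ephemeral-ports answer describes. The script below is an added example, not code from any of the posts or from AWS. It models NACL evaluation as documented at the vpc-network-acls page linked in the ephemeral-ports question (rules tried in ascending rule number, first match wins, the trailing '*' rule denies) and checks both packets of a connection: the request against the inbound rules and the response against the outbound rules. Every rule set and address is constructed from the questions. One observation it adds beyond the posts: Linux clients pick source ports from 32768-60999 by default, so the Django poster's 49152-65535 outbound range misses many of them, while the 1024-65535 range from the ephemeral-ports answer covers them.

```python
"""Stateless network ACL evaluation for one TCP connection.

Added example; not code from any of the posts above. Models NACL semantics as
documented by AWS (rules evaluated in ascending number, first match wins,
implicit deny at the end) and evaluates both the request and the response of
a TCP connection. All rule sets and addresses below are constructed from the
questions on this page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; lower numbers are evaluated first
    cidr: str        # source range (inbound rules) or destination range (outbound rules)
    port_from: int   # destination port range the rule covers
    port_to: int
    allow: bool


def evaluate(rules, addr, port):
    """First matching rule decides; no match means the trailing '*' rule, i.e. deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if ip_address(addr) in ip_network(rule.cidr) and rule.port_from <= port <= rule.port_to:
            return rule.allow
    return False


def tcp_connection_works(inbound, outbound, client_ip, client_port, server_port):
    """A client at client_ip:client_port connecting to the instance's server_port.

    The NACL keeps no connection state, so the reply (destination = the client's
    source port) has to be allowed by the outbound rules on its own.
    """
    request_ok = evaluate(inbound, client_ip, server_port)
    response_ok = evaluate(outbound, client_ip, client_port)
    return request_ok and response_ok


def outgoing_connection_works(inbound, outbound, remote_ip, remote_port, local_port):
    """The instance itself connecting out (package mirror, third-party API).

    Here the request is the outbound packet and the reply is the inbound one.
    """
    return evaluate(outbound, remote_ip, remote_port) and evaluate(inbound, remote_ip, local_port)


ANY = "0.0.0.0/0"
HOME = "55.55.50.23"       # the home address from the Django question
VISITOR = "203.0.113.9"    # constructed public client address
MIRROR = "203.0.113.50"    # constructed package-mirror address

# Ephemeral-ports question: NGINX on port 80, NACL restricted to port 80 both ways.
WEB_IN = [Rule(100, ANY, 80, 80, True)]
WEB_OUT_80_ONLY = [Rule(100, ANY, 80, 80, True)]
WEB_OUT_EPHEMERAL = [Rule(100, ANY, 1024, 65535, True)]

# SSH question: NACL "manually updated to allow only HTTP, HTTPS and SSH".
SSH_IN = [Rule(100, ANY, 22, 22, True), Rule(110, ANY, 80, 80, True), Rule(120, ANY, 443, 443, True)]
SSH_OUT_SAME = [Rule(100, ANY, 22, 22, True), Rule(110, ANY, 80, 80, True), Rule(120, ANY, 443, 443, True)]

# Django question: inbound only from the home IP; outbound as the poster tried it,
# then as the answer suggests (all ports to the home IP).
HOME_IN = [Rule(100, HOME + "/32", 80, 80, True), Rule(110, HOME + "/32", 443, 443, True)]
HOME_OUT_NARROW = [Rule(100, HOME + "/32", 49152, 65535, True),
                   Rule(110, HOME + "/32", 443, 443, True),
                   Rule(120, HOME + "/32", 80, 80, True)]
HOME_OUT_ALL = [Rule(100, HOME + "/32", 0, 65535, True)]


def scenarios():
    """Map each configuration from the questions to whether the connection completes."""
    return {
        # The reply to the browser's source port 51234 falls through to the '*' deny.
        "web_outbound_80_only": tcp_connection_works(WEB_IN, WEB_OUT_80_ONLY, VISITOR, 51234, 80),
        "web_outbound_ephemeral": tcp_connection_works(WEB_IN, WEB_OUT_EPHEMERAL, VISITOR, 51234, 80),
        # The SSH reply goes to the client's source port, not to port 22.
        "ssh_outbound_22_80_443": tcp_connection_works(SSH_IN, SSH_OUT_SAME, VISITOR, 48213, 22),
        # Linux clients default to source ports 32768-60999, so 40000 is below 49152.
        "home_narrow_linux_client": tcp_connection_works(HOME_IN, HOME_OUT_NARROW, HOME, 40000, 80),
        # A client whose OS picks from 49152-65535 passes the same rule set.
        "home_narrow_high_port_client": tcp_connection_works(HOME_IN, HOME_OUT_NARROW, HOME, 55000, 80),
        "home_all_ports_to_home_ip": tcp_connection_works(HOME_IN, HOME_OUT_ALL, HOME, 40000, 80),
        # The answer's caveat: outbound limited to the home IP also blocks updates.
        "instance_updates_with_home_only_outbound": outgoing_connection_works(
            HOME_IN, HOME_OUT_ALL, MIRROR, 443, 39000),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:45s} {'connects' if ok else 'times out'}")
```

The inbound and outbound checks are deliberately separate calls with no shared state; that is the whole difference from a security group, which would have let the reply through automatically. Rule numbering matters too: a lower-numbered deny for a range is honoured even when a higher-numbered allow would also match.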