AWS security group and Django Email SMTP TLS port 587 - django

I am running Django on AWS Lambda with Zappa. I have AWS Lambda set in a VPC and I have an EC2 NAT Instance in the same VPC. The NAT Instance security group takes inbound connections from my Lambda subnets (through HTTPS and HTTP) and outbounds to the public internet. This way, my Django app can communicate with the public internet if it needs to send Push Notifications to Apple Push Notification services.
One thing that does not work is sending emails from Django. It works in development but not on AWS Lambda. I send emails with SMTP using port 587, and I use TLS.
I figured I had to add Inbound rules to my NAT Instance security group. The problem is I can't add inbound SMTP with port 587.
Here are screenshots to show this.
When I select SMTP, the port number is fixed at 25 and greyed out so I can't modify the port to 587.
I looked at other options in the list but none of them set the port number to 587.
I even tried 'Custom TCP Rule' and setting the port to 587 but that does not work. Emails are not sending!

Related

EC2 instances are not able to send emails

We have EC2 instances in a private subnet and the traffic is routed via the NAT Gateway to reach the Internet.
EC2 instances are not able to send emails to relaycloud.xyz.com
All the inbound and outbound traffic is allowed in NSG and NACLs.
Error Message says
"A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed connected host has failed to respond."
Security Group and NACL have all the traffic allowed both inbound and outbound.
From Remove port 25 restriction from your EC2 instance:
AWS blocks outbound traffic on port 25 (SMTP) of all EC2 instances and Lambda functions by default. If you want to send outbound traffic on port 25, you can request for this restriction to be removed.
It should work fine if you contact your SMTP server on a different port. Otherwise, you'll need to request for the restriction to be removed.

EC2 Instance cannot connect to github using SSH

I'm trying to deploy a web with Laravel Forge and AWS. I created an EC2 instance using Laravel Forge control panel. I created a security group for this instance.
Outbound rules
Inbound rules v1
Inbound rules v2
All SSH connections allowed are described in this Laravel Forge guide:
https://forge.laravel.com/docs/1.0/servers/providers.html
So, the problem is when I try to install the repository I get this error on the EC2 instance.
SSH error
I also checked that my instance's SSH public key is registered in my github account
Your Outbound rules are permitting connections on port 80 (HTTP) and port 443 (HTTPS).
However, SSH uses port 22. This is causing the connection to fail.
You should add port 22 to the Outbound rules.
However, it is generally considered acceptable to Allow all outbound connections from an Amazon EC2 instance since you can 'trust' the software running on the instance. I would recommend allowing all outbound connections rather than restricting it to specific ports.
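Both the original question (Lambda behind a NAT instance, SMTP on 587) and this one (outbound SSH on 22) come down to the same check: security groups are stateful, so only the direction that opens the connection needs a rule, but that rule has to exist at both ends of the hop. For a NAT instance that means an inbound rule from the private subnet on the destination port (the console's 'Custom TCP Rule' with port 587) plus an outbound rule to the internet; for the Forge server it means an outbound rule on 22. The script below is an added example, not code from either thread; it evaluates a flow against groups written in the shape of `aws ec2 describe-security-groups` output. All group IDs, CIDRs and addresses are constructed for the example, and it only shows which rules a flow needs, not why a particular console edit did not take effect.

```python
"""Check whether a TCP connection is permitted by the security groups at both ends.

Security groups are stateful: a rule is needed only in the direction that
opens the connection, and the reply traffic is allowed automatically.
All group IDs, CIDRs and addresses below are constructed for this example.
"""
import copy
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = {
    # Attached to the Lambda function's network interfaces in the private subnets.
    "sg-lambda": {
        "IpPermissions": [],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 587, "ToPort": 587,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    # Attached to the NAT instance; inbound only from the Lambda subnet 10.0.1.0/24.
    "sg-nat": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []},
        ],
    },
    # The Forge-style web server: outbound limited to HTTP and HTTPS.
    "sg-web": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
}


def _rule_matches(rule, proto, port, peer_ip, peer_sg):
    """True if one IpPermission entry covers proto/port from or to the peer."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    # "-1" means all protocols and carries no port range.
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    ip = ipaddress.ip_address(peer_ip)
    if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
        return True
    # A rule may reference another security group instead of a CIDR.
    return any(peer_sg is not None and g.get("GroupId") == peer_sg
               for g in rule.get("UserIdGroupPairs", []))


def connection_allowed(groups, src_sg, src_ip, dst_sg, dst_ip, port, proto="tcp"):
    """Return (allowed, reason) for a connection src -> dst:port.

    The source group's egress and the destination group's ingress must both
    match; dst_sg is None for a destination outside the VPC (no ingress check).
    """
    egress = groups[src_sg]["IpPermissionsEgress"]
    if not any(_rule_matches(r, proto, port, dst_ip, dst_sg) for r in egress):
        return False, f"{src_sg}: no outbound rule for {proto}/{port} to {dst_ip}"
    if dst_sg is None:
        return True, f"{src_sg}: outbound {proto}/{port} permitted; peer is outside the VPC"
    ingress = groups[dst_sg]["IpPermissions"]
    if not any(_rule_matches(r, proto, port, src_ip, src_sg) for r in ingress):
        return False, f"{dst_sg}: no inbound rule for {proto}/{port} from {src_ip}"
    return True, "permitted by both groups"


def with_ingress_rule(groups, sg_id, proto, port, cidr):
    """Copy of `groups` with one extra inbound rule (a 'Custom TCP Rule' in the console)."""
    updated = copy.deepcopy(groups)
    updated[sg_id]["IpPermissions"].append(
        {"IpProtocol": proto, "FromPort": port, "ToPort": port,
         "IpRanges": [{"CidrIp": cidr}], "UserIdGroupPairs": []})
    return updated


def scenarios():
    """Evaluate the flows discussed on this page; returns {name: allowed}."""
    lam, nat = "10.0.1.25", "10.0.0.10"           # constructed private addresses
    smtp, github = "203.0.113.5", "198.51.100.7"  # constructed public addresses
    fixed = with_ingress_rule(SECURITY_GROUPS, "sg-nat", "tcp", 587, "10.0.1.0/24")
    return {
        # Lambda -> NAT instance on 587: the NAT group has no inbound 587 rule.
        "lambda_to_nat_587": connection_allowed(
            SECURITY_GROUPS, "sg-lambda", lam, "sg-nat", nat, 587)[0],
        # Same flow after adding the custom inbound rule from the Lambda subnet.
        "lambda_to_nat_587_fixed": connection_allowed(
            fixed, "sg-lambda", lam, "sg-nat", nat, 587)[0],
        # NAT instance -> SMTP server on the internet: "all traffic" egress covers it.
        "nat_to_smtp_587": connection_allowed(fixed, "sg-nat", nat, None, smtp, 587)[0],
        # Web server -> GitHub on 22: outbound allows only 80 and 443.
        "web_to_github_22": connection_allowed(
            SECURITY_GROUPS, "sg-web", "10.0.2.8", None, github, 22)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'ALLOWED' if ok else 'BLOCKED'}")
```

Network ACLs are evaluated separately and are stateless, so a flow this script reports as allowed can still be dropped by a NACL that lacks a rule for the ephemeral return ports; the script covers security groups only.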

AWS VPC route traffic to Client VPN connections

I have successfully configured an AWS Client VPN connection to a box running OpenVPN. I can access any devices on my VPC, which I've allowed access to.
Can I configure my VPC instances (an EC2 for example) to route traffic (SSH for example) to a client connected to the VPN?
Currently I cannot ssh to a client connected. I don't see any options to add a route to the Client VPN network. I've allowed all traffic in the Client VPN security group.
Is this a limitation of the Client VPN? If I want my VPN clients to be accessible from the VPC, will I need to configure a site to site connection?
Thanks a lot.
Per the recommendation of #James Dean, I configured a site to site between the devices which needed two way communication.

Restrict outbound traffic to AWS SNS / SMTP

So I have an EC2 instance that has a web server. In the security groups I allowed incoming traffic on 80 and 443 but removed all the outgoing traffic for security reasons.
My application uses AWS SNS and SMTP, and of course whenever it tries to connect to these services it fails since the outbound traffic is blocked. How can I restrict the outbound traffic to just these services without using a proxy? I tried to check VPC endpoints but didn't find SNS and SMTP in the list.
You will need to enable the ports that these services need to receive your requests. Most AWS services use a REST interface which requires HTTPS (443).
For SNS you will need to enable port 443 outbound.
For SMTP you will need to look up the ports that you configured. For SES this is usually ports 465 or 587.
Amazon publishes ip-ranges.json which contains a list of IP addresses for AWS. You can create a Lambda function to automatically update your security groups with these addresses.
I would not block all outbound ports. Instead I would control where the instance can connect to using security groups and ip-ranges.json. Then I would test that you can still install updates, etc. If your instance is Windows based, then you have another can of worms adding the Microsoft sites.
IMHO: Unless you really need this level of control and security and are prepared to spend a lot of time managing everything ...
AWS IP Address Ranges
Example project:
How to Automatically Update Your Security Groups
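The answer above suggests driving egress rules from ip-ranges.json rather than opening all outbound traffic. The script below is an added example, not the answer's code and not the linked AWS project: it reads a document in the ip-ranges.json format, builds the set of (CIDR, port) egress rules wanted for one region and service label, and diffs that against the rules currently in place, which is the core of the update loop a Lambda function would run. The real file lives at https://ip-ranges.amazonaws.com/ip-ranges.json; the sample here is constructed from documentation address ranges, and which service label actually covers the SES or SNS endpoints you use is something to verify against the published file before relying on it. Security groups also have a per-group rule quota, so a broad label such as "AMAZON" may yield more prefixes than one group can hold.

```python
"""Derive security-group egress rules from the ip-ranges.json format and diff
them against the rules currently in place.

The real file is published at https://ip-ranges.amazonaws.com/ip-ranges.json;
the sample below is constructed for this example and uses documentation ranges.
"""
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (same keys as the real file).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [],
})


def prefixes_for(doc, region, service):
    """Return the IPv4 prefixes published for one region and service label."""
    data = json.loads(doc)
    return sorted(p["ip_prefix"] for p in data["prefixes"]
                  if p["region"] == region and p["service"] == service)


def desired_egress(doc, region, service, ports):
    """Set of (cidr, port) pairs the egress rules should contain."""
    return {(cidr, port) for cidr in prefixes_for(doc, region, service) for port in ports}


def diff_egress(current, desired):
    """Return (to_add, to_remove) so that `current` becomes `desired`.

    Entries are (cidr, port); each corresponds to one TCP security-group rule,
    so stale prefixes are removed and new ones added instead of accumulating.
    """
    return desired - current, current - desired


def covers(doc, region, service, ip):
    """True if `ip` lies inside a published prefix; useful when a connection
    failure has to be traced to a prefix that is not in the allow list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in prefixes_for(doc, region, service))


if __name__ == "__main__":
    # Constructed current rules: one prefix already allowed, one stale entry.
    current = {("203.0.113.0/25", 443), ("192.0.2.0/24", 443)}
    wanted = desired_egress(SAMPLE_IP_RANGES, "us-east-1", "AMAZON", [443])
    to_add, to_remove = diff_egress(current, wanted)
    for cidr, port in sorted(to_add):
        print(f"authorize egress tcp/{port} -> {cidr}")
    for cidr, port in sorted(to_remove):
        print(f"revoke    egress tcp/{port} -> {cidr}")
```

The two sets returned by `diff_egress` map directly onto one authorize call and one revoke call each; applying them in that order (add first, then remove) avoids a window in which a prefix that is still valid has no rule.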
To add to John's answer,
last month AWS released a product called "AWS PrivateLink" which enables people to advertise services within a VPC much like S3 endpoints do today. AWS will be publishing AWS services the same way in the coming months, so this may only be a short-term problem for you.
More information can be found at https://aws.amazon.com/about-aws/whats-new/2017/11/introducing-aws-privatelink-for-aws-services/

Setting Up SSL AWS Between ELB and Relay Servers

I have three relay server instances that are currently sitting behind an ELB. The clients send their emails via postfix to the ELB, and the traffic is load balanced between the three relay servers before going outbound. I want to set up encryption between the ELB and the relay servers, so that the ELB listens on port 25 but forwards traffic on port 587 for example. How do I go about setting this up in AWS? Thanks for the help!
Best,
Ahmed