AWS Instance Security Group to give access to itself via TCP - amazon-web-services

I have an Apache server running the front end (Angular), which relies on an API hosted on the same instance as Apache. I don't want my API (Express) open to the public yet, but I need access to it from my front end, which shares the same IP. Things I've tried:
Setting API base url as 'localhost' doesn't seem to work.
Adding a security rule in AWS security groups to allow connections only to the same IP (to itself) doesn't work.
Is there any workaround for this?

Connections to the same IP are always open by default. You may need to add the private IP of the EC2 instance as your API base URL (you know the port better). CORS too should be enabled for that private IP.

First of all, using Angular as the front end means you need an API that is publicly accessible; you just need to implement security, because you only serve the UI to the client user, and their browsers are the ones accessing the API, not the server hosting the Angular app.
You can set up another API, deployed on the same server as your UI and under the same URL, which will serve as a controller for your "Private API" that you can manage using security groups in AWS.

Replaced ${IP} with 172.17.0.1 so it can connect to the same EC2 after restarting. Add a rule for the inbound connection from the same SG.

VPC SSL/HTTPS environment

I have the following VPC setup with AWS Elastic Beanstalk:
Web App Public Load Balancer pointed to by my domain (proxied through cloudflare) with EC2 instances in private subnet.
Private internal API Load Balancer with inbound access granted to EC2 instances above via Security Group
Database within the private subnet, accessible by EC2 instances behind the API Load Balancer.
I would like to enable end-to-end HTTPS; AWS has good documentation here (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html).
I have followed this, albeit with my free Cloudflare domain certs. This seemed OK until I got the following error: 'SELF_SIGNED_CERT_IN_CHAIN' when my web app tries to connect to the internal API via https://internal-aweseb-dns.amazonaws.com (DNS for the internal API Load Balancer).
Questions
Is this the correct way to get end-to-end HTTPS? and
How do I resolve the above error? (returned by Node JS)
Thanks
In the end I came to this conclusion: I don't need end-to-end HTTPS when my instances are in a private subnet because:
Once HTTPS is terminated at the Load Balancer, the internal requests are over HTTP but are not over the public internet. These requests cannot be seen by anyone outside the AWS network.
The data I am transmitting is not overly sensitive (just emails and user preferences) so there is no Compliance/Regulatory reason to enforce end to end HTTPS in a private network.
There is a small performance hit when using HTTPS as an SSL handshake must occur, which is an overhead.
I have additional security via Security Groups, only allowing internal traffic originating from the Load Balancer.
There are many suggestions that would guide you to configure your application to ignore the certificate when connecting via HTTPS... but that defeats the whole point of HTTPS (a secure encrypted connection). You may as well just use HTTP instead of doing this.
After much research and discussion with AWS, I think using HTTP over an internal network is secure enough for 99% of use cases and is pretty standard with a lot of setups, so unless you actually need end-to-end encryption for your use case, I would advise doing this instead.
Hope this helps.

How to use SSL for a backend EC2 instance without a domain

I have an AWS EC2 instance set up running my back-end, and it's able to communicate with my front-end (locally), but not with front-end deployed (on Netlify).
Is it necessary to create a domain name for my EC2 instance so I can use SSL? There's no point to have a domain name to my back end since it's just there for the API calls.
How do I use SSL for my backend server without a domain name? Every video and blog I've found requires a domain name. If anyone can point me to the right resource, I would appreciate it.
You can enable SSL on an EC2 instance without a domain using a combination of Caddy and nip.io.
nip.io allows you to map any IP address to a hostname without the need to edit a hosts file or create rules in DNS management.
Caddy is a powerful open source web server with automatic HTTPS.
Install Caddy on your server
Create a Caddyfile and add your config (this config will forward all requests to port 8000):
<EC2 Public IP>.nip.io {
    reverse_proxy localhost:8000
}
Start Caddy using the command caddy start
You should now be able to access your server over https://<IP>.nip.io
I wrote an in-depth article on the setup here: Configure HTTPS on AWS EC2 without a Custom Domain
Sadly yes, to use SSL certificates you need to have a valid DNS name so it can be processed when you are calling it. Anyway, if what you want to encrypt is the info, you could just use your own encryption method and send the data encrypted to the frontend, then use something like crypto.js to use it once decrypted; but the best practice would be giving the backend its own DNS name, so that if at some point the API grows to the point it can be used by others for business you can have them point at something named (and also you don't need to deal with the whole manual encryption/decryption).

How to set up a front end for AWS DBs without using the Internet

On AWS, I know how to set up a web server with inbound rules allowing HTTP and HTTPS and a database security group that only connects to the web server. The issue is I need to create a front end to manage the databases without using Internet access - this will be internal only and precludes the use of a public IP / public DNS. Does anyone know how I would do this?
To further elaborate, some of our AWS accounts are for internal use only - we can log in to the console, use CygWin to SSH in, see what's there, etc. But these accounts are for development purposes, and in a large enterprise such as this one, these are not allowed an IGW. So - no inbound Internet access is allowed. How do I create an app (e.g., phpMyAdmin type) in which our manager can easily view and edit the data in the database given the restriction that this must be done without inbound Internet access?
Host your database on RDS inside a VPC and create a VPN connection between your client network and your VPC.
Host your database on one EC2 instance and also upload your front end there. Your database will be running locally on EC2 and you can connect the front end to the database. Since the database will not have a public DNS name and will be running locally, you can access it only using SSH and the front end script.
You can check this official documentation from AWS: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html
For the frontend script you can use https://www.adminer.org/, which is a one-file database management system. There is one simple file; using this, make a connection to the locally running database on EC2.

AWS Elasticsearch & VPC - configuring network access from my fixed IP

I am unable to access AWS Elasticsearch Kibana with a browser.
I have set up an Elasticsearch instance within my VPC exactly as described here:
https://aws.amazon.com/blogs/aws/amazon-elasticsearch-service-now-supports-vpc/
I used the default IAM access policy template, which is basically all current IAM profiles (*).
My EC2 webapp (xenforo forum) is happily connected and chugging away.
I would like to access my elasticsearch domain kibana endpoint via browser from my home PC.
The security group I attached to the cluster configuration includes a rule to allow ALL TCP inbound from my home broadband fixed IP address.
I log into the AWS console, click the Kibana link from the elasticsearch domain overview and... nothing, times out.
I have read everything I can find on the matter. No joy - except perhaps I should be signing my https requests as well which seems crazy complicated and my understanding is that IP access should be configurable with security groups?
Can anyone clarify?
To access Kibana, it seems the only way is to pass proper headers with your requests.
We solved it by using https://github.com/abutaha/aws-es-proxy - it's not the nicest, but works for us.
Requires aws-cli to be installed.
Requires a bit of setup, but works well afterwards.
Hope it helps.
Hi, there are many ways to access Kibana; here are some of them that I found:
Use an SSH tunnel. For information on how to do this: https://aws.amazon.com/premiumsupport/knowledge-center/kibana-outside-vpc-ssh-elasticsearch
Advantages: Provides a secure connection over the SSH protocol. All connections use the SSH port.
Disadvantages: Requires client-side configuration and a proxy server.
Use an NGINX proxy. For information on how to do this, please see: https://aws.amazon.com/premiumsupport/knowledge-center/kibana-outside-vpc-nginx-elasticsearch
Advantages: Setup is easier, because only server-side configuration is required. Uses standard HTTP (port 80) and HTTPS (port 443).
Disadvantages: Requires a proxy server. The security level of the connection depends on how the proxy server is configured.

Accessing amazon ec2 windows instance web server from public ip

I am new to Amazon Web Services and I want to access an Amazon Windows instance from its public IP. I have created an EC2 instance with Windows Server 2012 R2, added a load balancer to listen for HTTP requests, and also added an elastic IP to that instance. It has also been assigned to a security group which allows all-TCP, all-UDP, HTTP and HTTPS from anywhere (0.0.0.0). There is a Carbon web server started as a Windows service inside (http://localhost:9443/). What I want is to access it from my web browser. I tried it with this public IP, http://:9443/, but it is not accessible from the browser; the connection timed out.
Allowing all traffic to an EC2 instance is not recommended.
I suggest you allow specific ports only, according to your application's needs.
I think you have not allowed the traffic through the Windows Firewall; turning it off is not recommended.
Try to create a rule in the firewall that will allow the port through the Windows Firewall.
Refer: https://technet.microsoft.com/en-us/library/cc753558.aspx