So I have two instances, instance A is part of a security group sg-1 and instance B is part of another security group sg-2.
sg-1 has settings to allow all outbound traffic
sg-2 has settings to allow traffic from sg-1 on ports 80, 9200 and 9300:
Yet, when I SSH onto instance A and try to curl instance B on port 9200, I get an error: Failed to connect to <Instance B Private IP> port 80: Connection refused
Not sure what I am doing wrong here?
I have a database on a remote Google Cloud (GCP) machine. On GCP, I edited the firewall rules to allow access from my desktop and from an AWS EC2 instance. However, the following happens:
From desktop:
netcat -zv 35.198.56.213 27017
Connection to 35.198.56.213 27017 port [tcp/*] succeeded!
From EC2:
netcat -zv 35.198.56.213 27017
netcat: connect to 35.198.56.213 port 27017 (tcp) failed: Connection timed out
I don't understand why I can connect from my desktop but not from the EC2. Both IPs are allowed (using the instance public address). The outbound rules for the EC2 instance are allowing all traffic.
Any tips?
Edit: I am trying to connect to a mongo instance that is running on port 27017. The bindIp on /etc/mongod.conf is correctly set to 0.0.0.0.
I have my Elasticsearch cluster in a VPC, I'd like to access this EC cluster from my local Macbook.
I have set up a bastion host that uses the same VPC and the same security group, and I was able to ssh into this bastion host from my Macbook.
But somehow, my code just cannot connect to my ES cluster through this bastion host, here's my command to run port forwarding:
ssh -i ~/Downloads/keypairs/20210402-02.pem ubuntu@ec2-123-456.us-west-2.compute.amazonaws.com -N -L 9200:vpc-es-domain-20210331-abc123def.us-west-2.es.amazonaws.com:443
Here's my timeout exception when accessing the ES cluster in the VPC:
java.net.ConnectException: Timeout connecting to [vpc-es-domain-20210331-abc123def.us-west-2.es.amazonaws.com/10.0.47.182:443]
at org.elasticsearch.client.RestClient.extractAndWrapCause(RestClient.java:823) ~[elasticsearch-rest-client-7.6.1.jar:7.6.1]
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:248) ~[elasticsearch-rest-client-7.6.1.jar:7.6.1]
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:235) ~[elasticsearch-rest-client-7.6.1.jar:7.6.1]
at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1514) ~[elasticsearch-rest-high-level-client-7.6.1.jar:7.6.1]
at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1484) ~[elasticsearch-rest-high-level-client-7.6.1.jar:7.6.1]
at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1454) ~[elasticsearch-rest-high-level-client-7.6.1.jar:7.6.1]
at org.elasticsearch.client.RestHighLevelClient.bulk(RestHighLevelClient.java:497) ~[elasticsearch-rest-high-level-client-7.6.1.jar:7.6.1]
Here are the rules of my SG:
Inbound:
All TCP TCP 0 - 65535 0.0.0.0/0
All traffic All All sg-abc123 / default
SSH TCP 22 0.0.0.0/0
Outbound:
All traffic All All 0.0.0.0/0
When I ssh'ed into my bastion host and ran curl vpc-es-domain-20210331-abc123def.us-west-2.es.amazonaws.com, I got this response:
```json
{
  "name" : "abc123",
  "cluster_name" : "abc123097:es-domain-beta-20210331",
  "cluster_uuid" : "abc123def",
  "version" : {
    "number" : "7.8.0",
    "build_flavor" : "oss",
    "build_type" : "tar",
    "build_hash" : "unknown",
    "build_date" : "2021-01-15T06:15:47.944536Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
```
I'm suspecting my command to do port forwarding is not correct? But after research, this looks like the most legit option to me.
Any insight would be greatly appreciated!
The code running on your local computer is trying to connect directly to the Elasticsearch server without going through the SSH tunnel. The SSH command is opening a tunnel from your local port 9200 to the remote server. The local software trying to connect to Elasticsearch should be connecting to localhost:9200 not vpc-es-domain-20210331-abc123def.us-west-2.es.amazonaws.com/10.0.47.182:443.
The endpoint vpc-es-domain-20210331-abc123def.us-west-2.es.amazonaws.com/10.0.47.182:443 doesn't look valid anyway. It has a hostname and an IP address in there.
You mentioned in the comments:
"I actually launched my bastion host using the same SG as my ES"
However just placing two resources in the same security group does nothing unless that security group also has a rule specifically allowing traffic between the resources within it. Security groups do not have this rule by default, except for the default security group in the default VPC that is created automatically when you first create your AWS account.
So please make sure that the security group has a rule that will allow the bastion host to connect to the Elasticsearch server over port 443.
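The two security-group questions on this page (sg-2 admitting sg-1 on 80/9200/9300, and the bastion and Elasticsearch domain sharing one group without a self-referencing rule) both come down to reading an inbound rule set correctly. The following is an added example, not code from any post here or from AWS: it models the `IpPermissions` shape that `aws ec2 describe-security-groups` returns and decides whether a source (an address or another group id) is admitted to a TCP port. All group ids, addresses and rules are constructed.

```python
"""Evaluate EC2 security-group inbound rules offline (constructed example)."""
import copy
import ipaddress

# Constructed rules in the style of the first question's sg-2:
# 80, 9200 and 9300 are open only to members of sg-1.
SG2_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-1"}]},
    {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-1"}]},
    {"IpProtocol": "tcp", "FromPort": 9300, "ToPort": 9300,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-1"}]},
]

# Constructed rules for a group shared by a bastion and an Elasticsearch domain:
# SSH from anywhere, but no self-referencing rule, so two members of the group
# cannot reach each other on 443 merely by sharing the group.
SHARED_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]


def _port_matches(rule, port):
    if rule["IpProtocol"] == "-1":          # "All traffic": any protocol and port
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def _source_matches(rule, source):
    """`source` is a group id such as "sg-1" or a literal IPv4/IPv6 address."""
    if source.startswith("sg-"):
        return any(p.get("GroupId") == source
                   for p in rule.get("UserIdGroupPairs", []))
    addr = ipaddress.ip_address(source)
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    # `in` is False when the address and network are of different IP versions
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def inbound_allows(rules, source, port):
    """Security groups are allow-lists with an implicit deny: a single
    matching rule is enough and there are no deny rules to weigh against it."""
    return any(_port_matches(r, port) and _source_matches(r, source)
               for r in rules)


def with_self_reference(rules, group_id, port):
    """Return a copy of `rules` plus the self-referencing rule that lets
    members of `group_id` reach each other on `port` (the fix recommended
    above for the bastion/Elasticsearch case)."""
    fixed = copy.deepcopy(rules)
    fixed.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                  "IpRanges": [], "UserIdGroupPairs": [{"GroupId": group_id}]})
    return fixed


def explain(rules, source, port):
    if inbound_allows(rules, source, port):
        return f"allowed: {source} -> tcp/{port}"
    return (f"no inbound rule admits {source} -> tcp/{port}; a security group "
            "drops the SYN silently, so expect a connect timeout, not "
            "'Connection refused'")


if __name__ == "__main__":
    print(explain(SG2_INBOUND, "sg-1", 9200))
    print(explain(SG2_INBOUND, "sg-1", 443))
    print(explain(SHARED_INBOUND, "sg-shared", 443))
    print(explain(with_self_reference(SHARED_INBOUND, "sg-shared", 443),
                  "sg-shared", 443))
```

The last line of `explain` is the check worth keeping in mind for the first question on this page: a security group that does not match never answers, so a blocked connection times out. A "Connection refused" on port 80 means the packet reached instance B and something there sent a reset; since the reported port is 80 rather than 9200, the curl URL most likely carried no port and defaulted to 80, where nothing was listening.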
I am trying to ssh into an EC2 instance (1.1.1.1) from another EC2 instance (2.2.2.2) and yet another EC2 instance (3.3.3.3).
In the instance 2.2.2.2, I can successfully connect to 1.1.1.1
~$ ssh ubuntu@1.1.1.1 -i mykey.pem
###########################################################
# WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0664 for 'mykey.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
However, in instance 3.3.3.3, the connection fails with a time out.
~$ ssh ubuntu@1.1.1.1 -i mykey.pem
ssh: connect to host 1.1.1.1 port 22: Connection timed out
The 2.2.2.2 and 3.3.3.3 instances are both Ubuntu 18.04.4. They have the exact same inbound and outbound rules.
Why does the ssh connection fail in 3.3.3.3?
###############################################################
Edits (2021-02-18):
The instance 1.1.1.1 and instance 3.3.3.3 are in the same VPC.
SSH connection from 1.1.1.1 to 3.3.3.3 had a timeout.
SSH connection from 3.3.3.3 to 1.1.1.1 had a timeout.
SSH connection from either 1.1.1.1/3.3.3.3 to 2.2.2.2 works and vice versa.
I have tried to launch a new instance 4.4.4.4 in the same VPC as 2.2.2.2. The connection between them works.
So, there must be some problems with the VPC of 1.1.1.1 and 3.3.3.3.
Below are the security rules of the network of that VPC:
Inbound Rules
Outbound Rules
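The "UNPROTECTED PRIVATE KEY FILE" banner in the post above is OpenSSH refusing a key file whose mode grants any access to group or other. As an added example (not code from the post or from OpenSSH), the following reproduces that check and applies the usual fix on a constructed temporary file; the owner check is an extra sanity check of mine, not part of OpenSSH's warning.

```python
"""Reproduce OpenSSH's private-key permission check and lock the file down."""
import os
import stat
import tempfile


def key_file_problems(path):
    """Return human-readable problems; an empty list means the key is usable."""
    st = os.stat(path)
    problems = []
    if st.st_mode & 0o077:       # any group/other bit set: OpenSSH ignores the key
        problems.append("mode %s grants group/other access; OpenSSH will ignore "
                        "this key" % stat.filemode(st.st_mode))
    if st.st_uid != os.getuid():  # extra check, not part of OpenSSH's warning
        problems.append("file is not owned by the current user")
    return problems


def lock_down(path):
    """Restrict the key to its owner (0600) and re-run the check."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return key_file_problems(path)


def demo():
    """Constructed fixture: a throwaway file with the post's 0664 mode."""
    fd, path = tempfile.mkstemp(prefix="mykey-", suffix=".pem")
    os.close(fd)
    try:
        os.chmod(path, 0o664)
        before = key_file_problems(path)
        after = lock_down(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Note that the permission warning and the timeout are unrelated symptoms: the first is a client-side refusal to read the key, the second (no reply at all on port 22) is the signature of a security group, NACL or route dropping the connection before any authentication happens.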
I have installed elasticsearch in one instance and kibana in another instance.
Both services are running and I can connect to elasticsearch using curl with its instance public IP and port 9200.
Version: 7.9.2 for both.
Assume public IPs:
elasticsearch - x.x.x.x
kibana - y.y.y.y
Issue:
Can't connect to the kibana instance using curl with its public IP and port 5601.
Error: Failed to connect to y.y.y.y port 5601: connection refused
Query:
Correct config for elasticsearch.yml and kibana.yml
kibana.yml:
```yaml
port: 5601
server.host: "y.y.y.y"
elasticsearch.hosts: ["http://x.x.x.x:9200"]
```
elasticsearch.yml:
```yaml
network.host: 0.0.0.0
http.port: 9200
```
It is extremely likely you have not configured the correct security group rules on the kibana instance to permit you to access the service. You need an ingress rule permitting tcp to port 5601 from whatever your ingress range is.
Likewise, it is extremely likely you have not granted access to elasticsearch (x.x.x.x:9200) from y.y.y.y
Check your security group rules.
Also, please ensure your elasticsearch public ip does not permit access from 0.0.0.0 - publicly accessible elasticsearch clusters are a prime target for naughty people.
I am setting up a new EC2 instance with Ubuntu, but I am getting a weird error: I cannot access the public IP, it says connection refused.
My security group has these ports enabled:
HTTP TCP 80 0.0.0.0/0 -
HTTP TCP 80 ::/0 -
SSH TCP 22 0.0.0.0/0 -
SSH TCP 22 ::/0 -
My public IP is: http://3.16.154.123/
The EC2 instance is running (it's green) and that is the public IP it gives me... so I wonder what the problem is? Why can I not access the public IP? Why does it say connection refused, or more precisely ERR_CONNECTION_REFUSED?
Thanks.
telnet 3.16.154.123 22
Trying 3.16.154.123...
Connected to 3.16.154.123.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
^]
Your ssh is working as expected but on port 80 it fails.
telnet 3.16.154.123 80
Trying 3.16.154.123...
telnet: Unable to connect to remote host: Connection refused
Can you check if there is any service running on the host itself using telnet localhost 80? If this works then it will be worth checking the NACL at the VPC level for any block on port 80.
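The answers on this page all lean on one distinction: "Connection refused" is a TCP reset, so the packet reached the host and the security group and NACL passed it, leaving a service that is not running or is bound only to 127.0.0.1 (the mongod bindIp and kibana server.host questions above); "Connection timed out" is silence, the signature of a security group or NACL dropping the SYN. As an added example that is not code from any post here, the following turns the answer's "telnet localhost 80, then compare from outside" procedure into a repeatable check. Its self-test uses only a constructed local listener; the interpretations are mine.

```python
"""Classify a TCP connect result and combine the on-host and remote views."""
import errno
import socket


def probe(host, port, timeout=3.0):
    """Attempt one TCP connect; return 'open', 'refused', 'timeout',
    'unreachable' or 'error' (any other OS-level failure)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:           # no SYN-ACK and no RST within `timeout`
        return "timeout"
    except ConnectionRefusedError:   # RST (or ICMP port unreachable) came back
        return "refused"
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        return "error"
    finally:
        s.close()


def interpret(on_host, from_client):
    """Combine the probe result taken on the host itself (the answer's
    `telnet localhost 80`) with the result seen from the client."""
    if from_client == "open":
        return "reachable: nothing to fix at the network layer"
    if on_host != "open":
        return ("service is not listening at all: check it is running and "
                "which port it actually uses (ss -ltnp on the host)")
    if from_client == "refused":
        return ("service answers locally but resets remote clients: it is bound "
                "to 127.0.0.1 (bindIp / server.host / network.host) or a host "
                "firewall rejects the connection; the cloud firewall let it in")
    if from_client == "timeout":
        return ("SYN dropped in transit: inbound security-group rule, NACL "
                "(inbound, plus the ephemeral-port return path), route table, "
                "or a host firewall that drops instead of rejecting")
    if from_client == "unreachable":
        return "no route to the address from the client: wrong IP or VPC routing"
    return "unclassified socket error: rerun with verbose client output"


def _local_listener():
    """Constructed test fixture: a listening socket on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = _local_listener()
    print(port, probe("127.0.0.1", port))    # open: something is listening
    srv.close()
    print(port, probe("127.0.0.1", port))    # refused: reset, nothing listening
    print(interpret("open", "timeout"))
```

Run `probe("127.0.0.1", 80)` on the instance and `probe("<public IP>", 80)` from outside, then feed both results to `interpret`. The NACL remark matters because NACLs are stateless: an inbound allow on port 80 still needs an outbound allow for the ephemeral-port reply, or the connection times out even though the security group is correct.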