I am trying to run ntopng on an AWS instance (CentOS) to monitor my local network.
So my questions are:
How do I connect my local network to ntopng running on an AWS instance?
How do I integrate n2disk, nProbe Cento and ntopng together?
You have two issues: 1) connecting an Amazon VPC to your local network, and 2) snooping on network traffic.
You can set up a VPN to connect your networks together. Consider using an OpenSwan or Windows Server setup on each side of the network.
Network Snooping: This is not possible in Amazon VPCs. Network interfaces cannot be put into promiscuous mode. Also, this is FORBIDDEN by Amazon policies.
Note: You can monitor your own traffic using VPC Flow Logs. This will show you higher-level packet information, but will not include the data portion.
I'm wondering if I need a port-forwarding-compatible VPN given my tasks below:
I'll be connecting to AWS services such as DocumentDB and RDS while travelling.
As a result, I plan on purchasing a dedicated-IP VPN, so I can work while travelling, and add my VPN's static IP address to AWS to grant me access.
I'm working with a Java Spring Boot backend. It connects to DocumentDB and RDS and performs CRUD operations.
Does my VPN need to be port-forwarding compatible?
I'm planning to purchase NordVPN with a dedicated IP, but might have to look into other VPNs if port forwarding is required.
Some AWS services are VPC-only, i.e. accessible only from within the same VPC network. One of those services is DocumentDB; in order to connect directly from your laptop you'll have to create an SSH tunnel and port forward.
Having said that, you could have a bastion host in AWS configured with the right access, SSH (Linux) or RDP (Windows) to it, and connect from that host.
The other option is https://aws.amazon.com/vpn/
We are moving from AWS to GCP. I used a Client VPN Endpoint in AWS to get into the VPC network in AWS. What is the alternative in GCP which I can quickly set up to get my laptop into the VPC network? If there is no exact alternative, what's the closest one, and please provide instructions to set it up.
AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.
Currently there is no managed product available on GCP to allow VPN connections from multiple clients to directly access resources within a VPC, as Cloud VPN only supports site-to-site connectivity; however, there is an existing Feature Request for this.
As an alternative, a Compute Engine instance can be used instead with an OpenVPN server manually installed and configured following the OpenVPN documentation; however, this would be a self-managed solution.
We have a special on-premise router in our office, which connects to a VPN.
In this VPN there is a special IBM MQ server which we want to poll. The server provider demands the usage of a special client for polling which only works on Windows. Since the rest of our IT infrastructure is on AWS, we want to have the Windows machine which is supposed to poll the queues as an EC2 instance.
To enable the connection, our idea was that we set up a Raspberry Pi in our office, which connects via OpenVPN to a Client VPN Endpoint. The traffic from the Raspi gets routed into the subnet where the EC2 instance lives. All the traffic that the Raspi receives on a specific port gets forwarded to the in-house router.
Unfortunately, we are not able to send anything from the EC2 instance to the Raspi. Is it even possible to route traffic from a subnet back to a Client VPN Endpoint?
It's entirely possible; the problem is probably in your subnetting and routing.
Ensure that there is no overlap between the subnet CIDRs in your VPC, the VPN and the on-prem network.
Ensure the EC2 instance has an entry in its routing table that routes traffic for the on-prem network back via the Client VPN endpoint. You can do this at VPC level by configuring the VPC's routing tables, so it applies to all instances in the VPC.
Ensure the Pi has IP forwarding enabled (echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward).
Ensure the Pi isn't firewalling forwarded traffic (iptables-save or iptables -L -v).
Ensure the Pi has a route to get traffic up to the VPC, though it sounds like you have this in place already.
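An added preflight check for the three Pi-side items in the answer above (CIDR overlap, ip_forward, and the FORWARD chain); this is example code written for this page, not from the original answer. The CIDRs and the iptables-save text are constructed sample values, and the interface names tun0 (OpenVPN) and eth0 (office LAN) are assumptions.

```python
import ipaddress
import re

# Constructed sample values standing in for the three ranges in the setup above
# (placeholders for the example, not taken from the question).
RANGES = {
    "vpc": "10.0.0.0/16",         # VPC hosting the EC2 instance
    "client_vpn": "10.0.0.0/22",  # Client VPN endpoint's client CIDR
    "onprem": "192.168.10.0/24",  # office network behind the Raspberry Pi
}

# Constructed sample `iptables-save` output from the Pi: only office -> VPN is
# accepted, so return traffic from the VPC (tun0 -> eth0) hits the DROP policy.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT
"""

def overlapping_cidrs(named):
    """Return name pairs whose CIDRs overlap; any overlap breaks return routing."""
    nets = {n: ipaddress.ip_network(c, strict=False) for n, c in named.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def ip_forward_enabled(proc_value):
    """Interpret the contents of /proc/sys/net/ipv4/ip_forward ("1" = on)."""
    return proc_value.strip() == "1"

def forward_chain_allows(iptables_save_text, in_if, out_if):
    """True if the FORWARD chain lets in_if -> out_if through: the first
    matching -A FORWARD rule decides, otherwise the chain's default policy."""
    policy = "ACCEPT"
    for line in iptables_save_text.splitlines():
        m = re.match(r":FORWARD (\w+)", line)
        if m:
            policy = m.group(1)
        if line.startswith("-A FORWARD"):
            rule_in = re.search(r" -i (\S+)", line)
            rule_out = re.search(r" -o (\S+)", line)
            if (rule_in is None or rule_in.group(1) == in_if) and \
               (rule_out is None or rule_out.group(1) == out_if):
                return line.endswith("-j ACCEPT")
    return policy == "ACCEPT"
```

On a real Pi, feed `overlapping_cidrs` your actual ranges, `ip_forward_enabled` the contents of /proc/sys/net/ipv4/ip_forward, and `forward_chain_allows` the output of `iptables-save`; the sample data shows the typical failure where only the office-to-VPN direction was opened.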
I looked in the documentation on the official AWS page to find out what the differences are between Amazon Connect, Amazon Direct Connection, AWS Managed VPN and Amazon Connect. Each time I get a question with these 4 options I am not sure which one I should use. Could anyone give me advice on how to easily distinguish the correct use of these services?
Amazon Connect
This is very different from the other services: it is a service that operates as a cloud-based call centre, replacing on-premise software solutions that would have done this in the past.
Amazon Managed VPN
A VPN (otherwise known as a virtual private network) allows a connection to be established over the internet to your AWS VPC(s). AWS has 2 versions of this, a site-to-site VPN and a client VPN.
The site-to-site VPN offers a fixed VPN connection between your AWS VPC and an on-premise location. This will require a static IP to maintain the connection, with all traffic routed over the public internet via IPsec and IKE.
The client VPN is similar to the site-to-site but allows the client connection from anywhere. Using OpenVPN software you establish the connection with AWS, which is maintained for as long as the connection is alive. This again uses the internet for all communication.
Direct Connect
With Direct Connect you can maintain a dedicated connection between AWS and your on-premise location. This means you will no longer be using the public internet to connect, which improves the performance between your on-premise location and AWS. It supports both connections to a VPC and connections to the public services of AWS (those not in a VPC, such as S3 and DynamoDB).
There are a range of network speeds to choose from, up to 10GB; to establish this it has specific hardware requirements and will require the hardware to be hosted at an authorized site. Alternatively, you can use a hosted connection from a partner who will provide this hardware for you.
Is there a way to open ICMP on an Azure Pipelines VM? My CI unit tests are expected to send ping requests to the Google DNS (8.8.8.8).
According to your description, you are trying to access an external IP through an Azure VM endpoint with ping. This is not allowed.
Please refer to this official blog written by our Azure VM team engineer: HOW TO ALLOW PING FUNCTIONALITY TO WINDOWS AZURE MACHINES?
The Ping functionality on Windows Azure VM is blocked by default for security reasons.
As we all know, the ICMP protocol which is used by ping can measure the latency of the connection between a local machine and a remote machine. Any connections exceeding a default latency are deemed to be unavailable. See the pic shown below: the only possible connection to that Azure virtual machine is via the Internet. Any internet traffic trying to enter the virtual network must pass through the load balancer, and this balancer filters ICMP traffic, allowing UDP and TCP traffic.
By default, Azure denies and blocks all public inbound traffic to an Azure virtual machine, including ICMP traffic. This is a good thing because it can improve security by reducing the attack surface.
Note: This restriction only applies to network traffic going through the external IP via configured endpoints. But if the network traffic occurs between internal IPs of VMs in the same virtual network or in the same cloud service, ICMP is allowed.
This restriction is not permanent. We can set a firewall or Azure security group to allow this. But, unfortunately, for Azure DevOps Pipelines, the hosted agent uses the VM sizes DS2_V2 and DS3_V2, which cannot be configured/modified with firewall and security group settings by external users. If you build/release with a private agent, ICMP will not be limited. You can set up a private agent and execute the ping test in it.
(Sometimes you can use VPN or ExpressRoute to skip the load balancer filter and limit. But I don't recommend using this approach.)
Since ping is a very convenient and critical tool for troubleshooting connectivity, we are reviewing and considering expanding this feature in Azure VM. There is such a suggestion ticket raised in our UserVoice forum: Enable ICMP traffic to Azure VMs over the Internet. You can vote for it as well to push it faster into the development queue.