TCP Relay functionality (like ngrok) in AWS - amazon-web-services

I have a website which is running on ec2 windows instance. I want to expose that to a public endpoint without opening any port on the ec2 instance. Only outbound connections are allowed on ec2 instance.
How can I hook some cloud resource/application in front of my website so that it can be accessed by someone on the public internet? What I am looking for is a TCP relay functionality, so that a call from a public internet browser is just routed to my local website on EC2 with minimal effort. Something like what is explained here: https://serverfault.com/questions/760129/what-is-a-tcp-relay-and-when-is-it-used/760142
Can someone suggest something? Or if AWS doesn't expose such a relay functionality, can something be done using websockets in AWS IoT?
I found ngrok as a 3rd party tool, but I want to stick to AWS options only.

This is exactly what a Classic Elastic Load Balancer does. Usually, there's more than one instance (hence, "load balancer") but this works exactly as you describe with just one instance.
The ELB is globally-accessible, and then it forwards the traffic to the instance. Nobody connects directly to your instance.
Of course, you have to open a port on the instance for the ELB to access it, but you would have to do that with any "relay" solution. This access can be limited only to the ELB itself.

Related

Allow EC2 Instances to communicate with the Services of Kubernetes deployments

I am trying to get a Windows Server EC2 instance to communicate with a running Kubernetes Service. I do not want to have to route through the internet, as both the EC2 Instance and Service are sitting within a private subnet.
I am able to get communication through when using the private IP address of the Service, but because of the nature of Kubernetes when the Service goes down, for whatever reason, the private IP can change. I want to avoid this if possible.
I either want to communicate with the service using a static private DNS name or some kind of static private IP address I can create and bind to the Service during creation. Is either of these possible to do?
P.S. I have tried looking into internal LoadBalancers, but I can't get it to work. Don't even know if this is the right direction. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/annotations/#traffic-routing. Currently I am using these annotations for EIP binding for some public-facing services.
Why not create a kubeconfig to access the EKS services through kubectl?
See documentation: https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html
or you want to send traffic to the services?

Are there any security issues if I open a port for public on my AWS EC2 for running slackbot

I am making a Slackbot on my AWS EC2, and I need to open port 3000 to the public to listen for POST requests from Slack whenever users do some actions, because Slack doesn't provide their IP range.
I wonder if there are any security issues with my EC2 if I open a port publicly? I also use this EC2 to run Airflow.
Open ports can be dangerous when the service listening on the port is misconfigured, unpatched, vulnerable to exploits, or has poor network security rules.
Attackers use open ports to find potential exploits. To run an exploit, the attacker needs to find a vulnerability.
AWS works on the Shared Responsibility Model, which means AWS is responsible for "Security of the Cloud" and the customer is responsible for "Security in the Cloud".
It is suggested to put your EC2 instance in the private subnet and place a load balancer in the public subnet.
The public internet traffic shall only talk to the load balancer rather than the instance itself.
Then you can create a WAF and attach it to the load balancer to avoid attacks (such as DDoS etc.).
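The two answers above (the Classic ELB answer to the original question and this one) make the same point: the instance's own security group should accept traffic only from the load balancer's security group, never from 0.0.0.0/0. The script below is an added example, not code from either answer. It audits security groups in the shape returned by `aws ec2 describe-security-groups`, flags every ingress rule open to the whole internet, and produces a hardened copy of the instance group that trusts only the load balancer group. The group IDs, names and ports are constructed for the illustration (the port 3000 rule mirrors the Slackbot case); in practice you would feed it the real `SecurityGroups` list from the CLI or boto3.

```python
"""Audit EC2 security-group ingress rules for world-open ports.

Added example, not part of the original thread. Input mirrors the
`SecurityGroups` list of `aws ec2 describe-security-groups`; the groups,
IDs and ports below are constructed for illustration.
"""
import copy
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a load-balancer group that is public on 443, and an
# instance group that correctly trusts only the ELB group on 80 but also
# exposes port 3000 to every IPv4 and IPv6 address.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0elb0000",  # hypothetical ID
        "GroupName": "elb-public",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0app0000",  # hypothetical ID
        "GroupName": "app-instance",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0elb0000"}]},
            {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
]

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    from_port: Optional[int]   # None for protocol "-1" (all traffic)
    to_port: Optional[int]
    source: str


def _sources(perm):
    """Yield (kind, value) for every source of one ingress permission."""
    for r in perm.get("IpRanges", []):
        yield "cidr", r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield "cidr", r["CidrIpv6"]
    for r in perm.get("UserIdGroupPairs", []):
        yield "sg", r["GroupId"]


def world_open_ingress(groups):
    """Return one Finding per ingress rule reachable from any IPv4/IPv6 address."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            for kind, src in _sources(perm):
                if kind == "cidr" and src in WORLD_CIDRS:
                    findings.append(Finding(g["GroupId"], perm["IpProtocol"],
                                            perm.get("FromPort"),
                                            perm.get("ToPort"), src))
    return findings


def only_reachable_from(group, trusted_group_id):
    """True when every ingress source of `group` is the trusted security group."""
    for perm in group.get("IpPermissions", []):
        for kind, src in _sources(perm):
            if not (kind == "sg" and src == trusted_group_id):
                return False
    return True


def restrict_to_group(group, trusted_group_id):
    """Copy of `group` keeping only rules whose sole source is the trusted group."""
    hardened = copy.deepcopy(group)
    hardened["IpPermissions"] = [
        perm for perm in hardened.get("IpPermissions", [])
        if list(_sources(perm))
        and all(k == "sg" and s == trusted_group_id for k, s in _sources(perm))
    ]
    return hardened


if __name__ == "__main__":
    for f in world_open_ingress(SAMPLE_GROUPS):
        print(f"{f.group_id}: {f.protocol} {f.from_port}-{f.to_port} open to {f.source}")
    app = SAMPLE_GROUPS[1]
    print("app only reachable from ELB:", only_reachable_from(app, "sg-0elb0000"))
    print("after hardening:", only_reachable_from(restrict_to_group(app, "sg-0elb0000"),
                                                   "sg-0elb0000"))
```

The load balancer group is expected to show up as world-open on 443; that is the one place public ingress belongs. The instance group should produce no findings, and `restrict_to_group` shows what its rule set has to look like for that to hold: a single rule whose source is the load balancer's security group ID rather than a CIDR.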

AWS NAT over Direct Connect

I have an issue in AWS where my remote Direct Connect sites unfortunately have overlapping address space and they both need access to an application running on an EC2 instance. I have the ability to NAT the remote sites and advertise the SNAT addresses over the private VIF, but is there a way to hide the EC2 instance behind NAT as well? So I have NAT on both sides (in AWS hiding the EC2 instance hosting the app, and on my remote site). My application sources TCP to the remote sites and also receives TCP sessions sourced from the remote sites, so I need it bidirectional.
With your design, you need to do NAT traversal or the two sides behind NAT cannot connect to each other. So maybe you need to build something like NAT-PMP or UPnP to realise it.

How to setup WSS Websockets on AWS EC2 Instance?

I am fairly new to AWS and I'm setting up an app on AWS that uses WebSockets.
I have an ECS Cluster sitting on an EC2 Instance in AWS. I can externally ping my instance and I can connect to it via plain ws:// however, I cannot connect to it through wss://.
I have allowed All Traffic (Plus all TCP) from Anywhere on my Security Group and Network ACL.
I have also set up an SSL certificate and set up an A record to point the domain to my instances public IP address in Route 53.
I had read a bit about load balancers and I've tried setting one up to get it working however this didn't work either.
Is there any way to achieve this without a Load Balancer?
I know I am probably missing something simple, however, I can't find any straight forward information on setting up wss:// on AWS.
If anyone could walk me through the steps or point me to some applicable instructions that would be greatly appreciated!
Let me know if you need more information.
Thanks
Here are my Security Group Rules:

Access tomcat web apps (on ec2) behind ELB using jmx

I have a Tomcat app deployed onto multiple EC2 instances behind an ELB. Is there any way to access each instance using JMX? Does AWS provide any service for it?
Thanks.
Is there any way to access each instance using JMX?
If each instance has a public IP or Elastic IP, and the appropriate port in the Security Group is open, then you could connect directly, bypassing the ELB. You'll have to go around the ELB somehow in order to connect via JMX. I suggest using a bastion host and SSH forwarding.
Does AWS provide any service for it?
AWS does not provide any service specifically for this. This is just general networking, which is provided by the VPC service.