Does anyone have any idea where the endpoint address of the AWS EC2 IaaS service is stored in the WSO2 Private PaaS install package?
The question may seem strange; normally we do not set this information because the whole world is using the "same" AWS EC2 service, and WSO2 Private PaaS knows the endpoint address and can handle it automatically for us.
Yet in order to conform to the Chinese government's internet censorship, Amazon has to logically segregate the AWS EC2 service provided within mainland China completely.
So you are actually using a totally "different" AWS EC2 service in China; you have to replace the "global" service endpoint with that of China.
Please advise.
Thanks.
You can try setting the following system property: aws-ec2.endpoint
https://jclouds.apache.org/guides/aws-ec2/
I can't figure out how to make them talk using API calls. Previously I used API Gateway, which would trigger Lambdas, and those Lambdas would interact with DynamoDB and other services and send me back a JSON response. Now I want to shift to EC2 instances and skip API Gateway entirely, and let a server I run on EC2 do the computation for me. Do I need to deploy a web service (Django RESTful) on the EC2 instance and then call it from my frontend? If yes, I need a little guidance on how.
And suppose I want to access S3 storage from my Django RESTful service on EC2. Can I do it without having to enter the access key and ID, and use roles instead, just like how I would access S3 from the EC2 instance without an access key and ID? Traditionally with the SDK we have to use access keys and secret keys even to get authorized to use services, so I was wondering if there was a way to get around this since the program will be running on the EC2 instance itself. One really inefficient way would be to run a batch command that makes the EC2 instance interact with the services I need without the SDK and with roles instead, but it is really inefficient and too much work as far as I can see.
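For the second part of this question (using the instance role instead of putting keys into the app), the following is an added example, not part of the original post. It reproduces what the AWS SDK's default credential chain does on an instance: if no keys are configured in the environment, it asks the instance metadata service (IMDSv2) for the role's temporary credentials. In a Django app on EC2 you do not write this yourself; boto3.client("s3") with no arguments walks the same chain. The role name, key values and the fake_imds stand-in are constructed so the code runs off an instance.

```python
import json
import os
import urllib.request

IMDS_BASE = "http://169.254.169.254"  # link-local address of the EC2 instance metadata service


def _http(method, url, headers=None, timeout=2):
    """Minimal HTTP helper; returns the response body as text."""
    req = urllib.request.Request(url, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def imdsv2_role_credentials(http=_http):
    """Fetch temporary credentials for the IAM role attached to the instance.

    IMDSv2 flow: a PUT obtains a session token, and every metadata read must carry
    it. A plain GET (IMDSv1 style) is what SSRF bugs typically reach, which is why
    the token step matters. `http` is injectable so the flow can run offline."""
    token = http("PUT", f"{IMDS_BASE}/latest/api/token",
                 {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    auth = {"X-aws-ec2-metadata-token": token}
    base = f"{IMDS_BASE}/latest/meta-data/iam/security-credentials/"
    role = http("GET", base, auth).strip()          # name of the instance profile role
    creds = json.loads(http("GET", base + role, auth))
    if creds.get("Code") != "Success":
        raise RuntimeError(f"metadata service returned {creds.get('Code')!r} for role {role}")
    return {
        "role": role,
        "access_key": creds["AccessKeyId"],
        "secret_key": creds["SecretAccessKey"],
        "token": creds["Token"],            # session token: must accompany the key pair
        "expiration": creds["Expiration"],  # rotate before this; the SDK does so automatically
    }


def resolve_credentials(environ=None, http=_http):
    """Simplified version of the SDK default chain: explicit environment keys win,
    otherwise fall back to the instance role. Nothing is read from the app's config."""
    environ = os.environ if environ is None else environ
    if environ.get("AWS_ACCESS_KEY_ID") and environ.get("AWS_SECRET_ACCESS_KEY"):
        return {"source": "environment",
                "access_key": environ["AWS_ACCESS_KEY_ID"],
                "secret_key": environ["AWS_SECRET_ACCESS_KEY"],
                "token": environ.get("AWS_SESSION_TOKEN")}
    return {"source": "instance-role", **imdsv2_role_credentials(http)}


def fake_imds(role_name, access_key, secret_key, session_token):
    """Constructed stand-in for the metadata service so the example runs off an instance.
    It refuses token-less reads, as the real service does with HttpTokens=required."""
    token = "constructed-session-token"

    def http(method, url, headers=None, timeout=None):
        headers = headers or {}
        if method == "PUT" and url.endswith("/latest/api/token"):
            return token
        if headers.get("X-aws-ec2-metadata-token") != token:
            raise PermissionError("401: IMDSv2 token required")
        if url.endswith("/iam/security-credentials/"):
            return role_name + "\n"
        if url.endswith("/iam/security-credentials/" + role_name):
            return json.dumps({"Code": "Success", "AccessKeyId": access_key,
                               "SecretAccessKey": secret_key, "Token": session_token,
                               "Expiration": "2030-01-01T00:00:00Z"})
        raise FileNotFoundError(url)

    return http


if __name__ == "__main__":
    http = fake_imds("django-s3-reader", "ASIACONSTRUCTED", "constructed-secret", "constructed-token")
    print(resolve_credentials(environ={}, http=http))
```

Two practical consequences: the role's policy, not a key in settings.py, decides what the app may do, so scope it to the bucket it needs; and because the credentials are readable by any process on the instance that can reach 169.254.169.254, launch the instance with IMDSv2 required so a web-app SSRF cannot fetch them with a plain GET.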
As you are familiar with API Gateway, you can use the same to connect to your EC2 instance via its private integration, with the use of VPC Links.
You can create an API Gateway API with private integration to provide your customers access to HTTP/HTTPS resources within your Amazon Virtual Private Cloud (Amazon VPC). Such VPC resources are HTTP/HTTPS endpoints on an EC2 instance behind a Network Load Balancer in the VPC.
You can go through this document for step-by-step integration.
If you do not want to use API Gateway any more, then you can simply use Route 53 to route traffic to the EC2 instance; all you need is the IP address of the EC2 instance and a hosted zone created in Route 53.
Here is a tutorial for your reference.
I'm working with AWS and need some support please.
My team provisioned Direct Connect and we can now enjoy private connectivity from our corporate network to VPC on AWS.
Management is asking if it's possible for aws cli commands to be executed through Direct Connect and not through the public internet. Indeed, we have a lot of scripts with a lot of commands like aws ec2 describe-instances and so on. I guess these call the public REST API of the EC2 service that AWS exposes.
They're asking if it's possible for these calls not to go through the public internet.
I've seen VPC endpoints. Are they the solution?
See How can I access my Amazon S3 bucket over Direct Connect? for how to do this with S3.
Basically:
After BGP is up and established, the Direct Connect router advertises all global public IP prefixes, including Amazon S3 prefixes. Traffic heading to Amazon S3 is routed through the Direct Connect public virtual interface. The public virtual interface is routed through a private network connection between AWS and your data center or corporate network.
You can extend this to other Amazon services, per the AWS Direct Connect FAQs:
All AWS services, including Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), and Amazon DynamoDB can be used with Direct Connect.
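To turn the statement above into something you can verify, here is an added example (not from the answer's author). Whether an API call leaves over the Direct Connect public virtual interface depends on the address the CLI resolves for the endpoint being inside an Amazon public prefix that the interface advertises. The check below resolves an endpoint hostname and looks it up in data in the layout of AWS's published ip-ranges.json. The prefix list embedded here is constructed from documentation ranges, the hostname uses a hypothetical region, and the resolver is injectable so the example runs offline.

```python
import ipaddress
import json
import socket

# Constructed sample in the layout of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The networks are RFC 5737 documentation ranges, not real AWS prefixes.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON",
         "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "EC2",
         "network_border_group": "eu-west-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "S3",
         "network_border_group": "eu-west-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2",
         "network_border_group": "us-east-1"},
    ],
})


def load_prefixes(raw):
    """Parse ip-ranges.json text into (network, region, service) tuples."""
    data = json.loads(raw)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in data["prefixes"]]


def classify_endpoint_ip(ip, prefixes):
    """All AWS prefixes containing `ip`, most specific first, as (prefix, region, service).
    An empty list means the address is not in any published Amazon prefix, so it would
    not be covered by the routes received on the public VIF."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, region, svc) for net, region, svc in prefixes if addr in net]
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [(str(net), region, svc) for net, region, svc in hits]


def endpoint_addresses(hostname, resolver=None):
    """Resolve the API hostname the CLI will contact (e.g. ec2.<region>.amazonaws.com).
    `resolver` can be injected to avoid live DNS."""
    if resolver is None:
        resolver = lambda h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, 443)})
    return resolver(hostname)


def audit(hostname, raw_ranges, resolver=None):
    """For every address the endpoint resolves to, report the most specific AWS prefix
    it falls in, or None if it is outside every published prefix."""
    prefixes = load_prefixes(raw_ranges)
    report = {}
    for ip in endpoint_addresses(hostname, resolver):
        hits = classify_endpoint_ip(ip, prefixes)
        report[ip] = hits[0] if hits else None
    return report


if __name__ == "__main__":
    # Hypothetical endpoint and constructed answers; replace the resolver with None
    # and SAMPLE_IP_RANGES with the downloaded file to check a real endpoint.
    fake_dns = lambda h: ["198.51.100.10", "10.0.0.5"]
    for ip, hit in audit("ec2.eu-west-1.amazonaws.com", SAMPLE_IP_RANGES, fake_dns).items():
        print(ip, "->", hit or "NOT in an Amazon prefix")
```

The check only tells you that the address is Amazon-owned and which service range it sits in; whether your router actually prefers the Direct Connect path for it is a routing question, so confirm the prefix appears among the BGP routes received on the public VIF rather than only in the file.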
Refer to #jarmod's answer below for the answer to the question but read on for why I think this sounds like an XY problem.
There is no reason at all why management should be concerned.
Third-party auditors assess the security and compliance of AWS services as part of multiple AWS compliance programs. Using the AWS CLI to access a service does not alter that service's compliance - AWS has compliance programs which pretty much cover every IT compliance framework out there globally.
Compliance aside, the AWS CLI does not store any customer data (there should be no data protection concerns) & transmits data securely (unless you manually override this).
The user guide highlights this:
The AWS CLI does not itself store any customer data other than the credentials it needs to interact with the AWS services on the user's behalf.
By default, all data transmitted from the client computer running the AWS CLI and AWS service endpoints is encrypted by sending everything through a HTTPS/TLS connection.
You don't need to do anything to enable the use of HTTPS/TLS. It is always enabled unless you explicitly disable it for an individual command by using the --no-verify-ssl command line option.
As if that's not enough, you can also add increased security when communicating with AWS services by enforcing a minimum version of TLS 1.2 to be used by the CLI.
There should be targeting of much, much bigger attack vectors, like:
The physical accessibility of the device storing the credentials
Permanent access tokens vs. temporary credentials
IAM policies associated with the credentials
The AWS CLI is secure.
We have an elasticsearch service deployment at elastic.co. During the creation of the deployment "AWS" was chosen as the cloud platform. We are given an endpoint URL that resolves to a public IP address.
Also, we have an AWS account that has multiple ec2 instances running. When we access elasticsearch service from ec2 instances, the traffic goes through the internet.
Is it possible to make elasticsearch service visible to ec2 instances, as if both are in the same network?
If you want to use a secure connection, you have to use a special subscription called Elasticsearch Service Private. It is mentioned in the FAQs [1]:
We support secure peering using AWS Private Link. To run Elasticsearch Service in a dedicated VPC with a secure connection from your environment, use the Elasticsearch Service Private subscription. For more information, see Set up Elasticsearch Service Private.
There is a guide which outlines all the steps you need to take. [2]
I do not know the pricing details though. In the guide, they state that you need to contact their team in order to get more information. After you get in touch with them and order the Elasticsearch Service Private subscription, they set up a VPC inside their account for you. Next, they create a VPC PrivateLink Endpoint Service and whitelist your account. Finally, they give you the Elasticsearch Service Private Endpoint Service name which you can use to create an Interface VPC Endpoint (powered by PrivateLink). [3]
You should create an interface endpoint in each of the subnets used by your EC2 instances.
After creating the interface endpoints, you are able to access the Elasticsearch endpoint via a DNS name which is added to the AWS DNS servers automatically by PrivateLink. You just have to make sure that your EC2 instances are using the VPC's DNS servers. It should be the default configuration if you did not change the VPC's default DHCP option set.
References
[1] https://www.elastic.co/guide/en/cloud/current/ec-faq.html (see question: "Do you support VPC peering to Elasticsearch Service?")
[2] https://www.elastic.co/guide/en/cloud/current/ec-getting-started-private.html
[3] https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html
So we are starting to explore the AWS Glue service as an ETL service. The largest outstanding question in our org is "How will we be able to develop these scripts without console access?" Enter development endpoints. I fully understand how we can use the REPL/Zeppelin notebooks to develop our scripts and test them in our development VPC on AWS.
My only question is, does AWS allow you to keep those development endpoints inside of a private subnet? It seems that the endpoint has a public DNS. We have a policy of not allowing an instance to have a public DNS endpoint. Are we screwed here? Any help is appreciated! Thanks!
Is there a way to use the AWS CLI to call different services such as SQS, EC2 and SNS from an EC2 Linux instance?
The EC2 instance from which the AWS CLI commands are invoked does not have access to the internet. It is in a private subnet. It is not using an internet gateway or NAT.
Thanks,
Not possible. The CLI has to access the API endpoints for all the services you mentioned. For that, the CLI needs internet access. The only service it can access without internet is the internal metadata server.
AWS Regions and Endpoints
VPC endpoints create a private connection between your VPC and an AWS service. However, currently the only supported service is S3 and none of the services listed in your question.
Currently, we support endpoints for connections with Amazon S3 only. We'll add support for other AWS services later. Endpoints are supported within the same region only.