I realize the normal way to do this is to use a Bastion Host or a VPN, but I (my boss) would like to know how to connect to an RDS instance in a private subnet via a public NAT instance.
I have a NAT instance with an EIP and wide open inbound rules.
I have 2 private subnets with traffic defaulting via the NAT
The DB Security group is set to allow traffic from the NAT SG
I don't know what I'm missing - any tips appreciated.
You'll have to set up a bastion client on the public subnet and then log in to that first. Then, once connected to the bastion client, you'll be able to access the RDS instance.
Alternatively, you could set up a VPN (check out OpenVPN) in the public subnet; then, once you've established a VPN connection, you'll be able to connect to the RDS instance using the private IP.
You can't initiate a connection from the outside internet to a private subnet.
Anyone here that has an EC2 instance on a private subnet in AWS that is able to connect to an outside FTP server? It seems that my EC2 instance cannot connect to 3rd-party FTP servers without moving to a public subnet and using an elastic/public IP.
Private subnets by default have no connectivity to the outside world or internet. But there is a resource called NAT Gateway that you can configure in your VPC to provide outgoing internet connectivity from your private subnets.
You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.
You can follow the link here to set up the NAT gateway.
https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-subnet/
Private subnets do not have internet connectivity by default. You need to create a NAT gateway on the public subnet. NAT gateways are a bit expensive. You can also create a NAT instance in that case.
If I have an AWS VPC with a private and a public subnet. The public subnet has 1 EC2 instance and the private subnet has 1 EC2 instance as well. If I do a site-to-site VPN to my VPC from my work location, can I access my private subnet EC2 instance via SSH using the private IP? Or do I have to do a Bastion host from my public subnet to access my private subnet EC2 instance?
Yes, you will be able to SSH to an EC2 instance from your on-premise/work location. You need to configure routing from your work location to reach the EC2 instance IP. Once that is in place and your security groups allow the incoming connection, then you should be good.
NETWORK:
I have a private subnet and a public subnet, and a VPC with an IG attached. There is a NAT Gateway in the public subnet. I also have 2 route tables: the public route table routes everything to the IG, the private route table routes everything to the NAT Gateway.
EC2:
My EC2 Windows instance is in the private subnet with an EIP and a Public DNS. It has a security group that allows all from the internet inbound/outbound, but I can't even ping it, let alone RDP.
All the machines or instances in the private subnet cannot be connected to externally, hence the name private subnet. If you want to connect to your instance externally you must place it in the public subnet (the subnet that is connected to the internet gateway). Even though you attach an elastic IP (which is a public IP), it is routed through a NAT. The EIP must go through the internet gateway only.
If you really want to connect you need to VPN to your VPC (using AWS VPC VPN) and then RDP to your instance. Or have a gate instance in your public subnet.
Verify that the route table for the subnet has a route that sends all traffic destined outside the VPC to the internet gateway for the VPC. For more information, see Creating a Custom Route Table (Internet Gateways) in the Amazon VPC User Guide.
I am behind a VPN and I do not have permission to have any public IP, public subnet, IP gateway, etc. All that I have is a private subnet with an EC2 instance and a private IP. Is there a way to connect to it through SSH? I am reading about "Direct Connect" but I do not know if I am going in the correct direction.
I suggest you use the site-to-site VPN connection from your on-premise network to AWS VPC.
After the site-to-site VPN connection is done, you need to add a new route in your route table pointing to the VGW.
Hope it helps.
I have set up the VPC configuration below but SSH to the instance is not happening at the moment:
Created a new VPC
Created a public and private subnet
Launched an EC2 instance in the public subnet and updated route tables for the internet gateway
Launched an EC2 instance in the private subnet.
Associated a NAT gateway with the public subnet with an EIP
Route table updated for the private subnet with the NAT gateway
SSH from the public instance to the private instance is not happening with the key pair.
Can you let me know what I have missed here?
First things first:
NAT Gateway in Public Subnet allows Instances from Private Subnet to reach internet for software updates etc via Internet Gateway.
NAT Gateway doesn't play any role in SSHing into an Instance.
Try this to test:
Attach the default NACL (allows all inbound and outbound) on the Public and Private Subnets where your EC2 Instances reside.
Create 2 security groups for the public (let's say Pub-SG) and private subnets (Prv-SG).
Allow SSH from everywhere/a specific IP on Pub-SG.
On Prv-SG allow SSH from Pub-SG as source, for better security.
If both instances are launched using the same key pair then with SSH agent forwarding you can connect to the Private Instance through the Public Instance.
I suspect you are missing a security group that permits SSH traffic between the instances on the two subnets.
AWS is secure by default - you need to explicitly permit traffic, roles, etc.
So in this case, the easiest thing to do would be to create a security group that spans the CIDR block of the VPC, and assign this to both instances.
Edit: I just noticed you say you added your NAT gateway to the public subnet - I presume you mean private.
This guide covers a similar scenario - public web subnet and private db subnet, and discusses all the routes + ACLs you need.
Also, when you say ssh with the keypair isn't happening - are you connecting at all, or does the connection time out?
When it comes to one EC2 instance communicating with another EC2 instance within a VPC, NAT Gateway has no role.
Make sure that the Security Group to which the private subnet instance belongs, allows SSH protocol from the Security Group to which the public subnet instance belongs.
Also, the NACL associated with the private subnet should allow inbound and outbound SSH traffic from the CIDR block to which the public subnet instance belongs.
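An offline checker, added here as example code written for this page (not from any poster, nor AWS tooling), that models the three checks the last two answers walk through (SG source, NACL inbound, NACL return traffic) and the earlier point that an EIP in a NAT-routed subnet is unreachable. The rule schema, IDs, CIDRs and the sample VPC are constructed stand-ins for what the EC2 describe-* calls return.

```python
import ipaddress

def subnet_is_public(routes):
    """A subnet is internet-reachable only if 0.0.0.0/0 routes to an igw-*; with
    a NAT target it is private and an EIP on an instance there is unreachable."""
    return any(r["dst"] == "0.0.0.0/0" and r["target"].startswith("igw-")
               for r in routes)

def sg_allows_ssh(sg_rules, peer_sg, peer_ip):
    """Security groups are stateful: one inbound TCP/22 rule whose source is
    the peer's SG (the Prv-SG <- Pub-SG pattern) or a CIDR holding peer_ip."""
    for r in sg_rules:
        if r["proto"] not in ("tcp", "-1") or not r["from"] <= 22 <= r["to"]:
            continue
        if r.get("src_sg") == peer_sg:
            return True
        if "cidr" in r and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r["cidr"]):
            return True
    return False

def nacl_allows(nacl, direction, peer_cidr, lo, hi):
    """NACLs are stateless, lowest rule number wins, implicit '*' denies. Assumes
    a rule CIDR either contains the whole peer subnet or misses it entirely."""
    peer = ipaddress.ip_network(peer_cidr)
    for r in sorted(nacl[direction], key=lambda r: r["num"]):
        if (r["proto"] in ("tcp", "-1") and peer.subnet_of(ipaddress.ip_network(r["cidr"]))
                and r["from"] <= lo and hi <= r["to"]):
            return r["action"] == "allow"
    return False

def diagnose_ssh_from_public(vpc):
    """Reasons SSH public -> private would fail (empty = open). The NAT gateway is
    not consulted: it plays no role in instance-to-instance traffic in the VPC."""
    pub, prv = vpc["public"], vpc["private"]
    problems = []
    if not sg_allows_ssh(prv["sg_rules"], pub["sg_id"], pub["ip"]):
        problems.append("private SG has no inbound TCP/22 from the public instance")
    if not nacl_allows(prv["nacl"], "inbound", pub["subnet_cidr"], 22, 22):
        problems.append("private subnet NACL blocks inbound TCP/22")
    if not nacl_allows(prv["nacl"], "outbound", pub["subnet_cidr"], 1024, 65535):
        problems.append("private subnet NACL blocks the ephemeral-port return traffic")
    return problems

# Constructed sample (all IDs and addresses are made up): default NACL, and the
# common mistake of a private SG that only trusts the office IP, not Pub-SG.
DEFAULT_NACL = {d: [{"num": 100, "proto": "-1", "cidr": "0.0.0.0/0", "from": 0,
                     "to": 65535, "action": "allow"}] for d in ("inbound", "outbound")}
VPC = {"public": {"sg_id": "sg-pub0001", "ip": "10.0.1.10", "subnet_cidr": "10.0.1.0/24"},
       "private": {"nacl": DEFAULT_NACL, "sg_rules": [
           {"proto": "tcp", "from": 22, "to": 22, "cidr": "203.0.113.5/32"}]}}
```

Running diagnose_ssh_from_public(VPC) reports only the missing Pub-SG source rule; adding a rule with "src_sg": "sg-pub0001" clears it.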
Copy the SSH public key of the private instance to the public instance. Open the SSH key material using VS Code, then use nano or vim to paste the content of the public key, then save and exit. Now you can SSH into your private instance, given the SG of the private instance allows traffic from the public instance.