I want to start a Thrift service in EC2. Which IP should I use in my TThreadPoolServer arguments, the private IP or the public IP? I tried both and neither works when I send a request from outside the EC2 machine. I have configured the EC2 security group rules but it seems they are not working.
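The question above turns on what address a server process on an EC2 instance can actually listen on. The instance's network interface carries only the private IP; the public IPv4 is a NAT mapping done by the Internet Gateway, so binding a listener to the public IP fails, binding to the private IP or to 0.0.0.0 works, and a listener bound to 127.0.0.1 accepts only local connections. The following Python is an added example written for this page, not code from the question or from Apache Thrift; it uses plain sockets rather than TThreadPoolServer to show the bind behaviour, and 203.0.113.5 is a constructed TEST-NET-3 address standing in for the instance's public IP.

```python
import errno
import socket
import threading

# Constructed for this example: a TEST-NET-3 address that no interface on
# this host owns. It stands in for an EC2 public IPv4, which the instance
# itself never holds (the Internet Gateway translates it to the private IP).
FAKE_PUBLIC_IP = "203.0.113.5"


def try_bind(host, port=0):
    """Try to bind a TCP listening socket to host:port.

    Returns "ok" on success, otherwise the errno symbol, e.g.
    "EADDRNOTAVAIL" when host is not an address of this machine.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return "ok"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def start_echo_server(bind_host):
    """Start a one-shot TCP echo server on bind_host, port chosen by the OS.

    Returns (port, thread). The server answers exactly one connection,
    echoing the bytes it receives, then exits.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(4096))
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def echo_roundtrip(connect_host, port, payload=b"ping", timeout=2.0):
    """Connect to connect_host:port, send payload, return what comes back.

    Returns the echoed bytes, or the errno symbol if the connect fails.
    """
    try:
        with socket.create_connection((connect_host, port), timeout=timeout) as c:
            c.sendall(payload)
            return c.recv(4096)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc))


if __name__ == "__main__":
    for host in ("0.0.0.0", "127.0.0.1", FAKE_PUBLIC_IP):
        print(f"bind {host:>12}: {try_bind(host)}")
    # Listening on every interface: reachable over loopback here, and over
    # the private IP (and, via the Internet Gateway, the public IP) on EC2.
    port, t = start_echo_server("0.0.0.0")
    print("roundtrip via 127.0.0.1:", echo_roundtrip("127.0.0.1", port))
    t.join()
```

On the instance, pass the private IP or 0.0.0.0 as the TServerSocket host, then open the port in the security group for the client's source; a bind to the public IP will fail with EADDRNOTAVAIL exactly as the constructed address does above.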
I set up an OpenVPN EC2 instance on AWS and it has security groups like
I downloaded the client.ovpn file and can successfully connect to it with sudo openvpn --config client.ovpn in Ubuntu (and also via Network Manager after importing the config). All good.
Now I want to make it so my other EC2 instances (which host the actual app) can only be accessed via the VPN, and can't be SSH'd into directly, for example. The security group of one of these EC2 instances looks like
where I'm allowing inbound traffic on port 22 from the private IPv4 address of the OVPN server.
However, if I connect to the VPN and try to SSH to the app EC2 instance it just times out, and I can't access the web when connected to the VPN either.
If I allow SSH on port 22 from 0.0.0.0 then I can SSH in with no issues.
Could anyone point me toward what the problem might be?
Could it be because they are on different subnets?
The simple solution: forward all traffic through OpenVPN. Restrict access to your instances to OpenVPN's public IP, and connect to your EC2s through their public IPs.
The reason why your solution did not work, as I understand it:
AWS VPC is kind of like a VPN already.
You are trying to connect to your EC2s through their public IPs, which routes through the internet, so it makes little sense to allow OpenVPN's private IP to talk with an EC2's public IP. The server on which you are installing OpenVPN will be using its public IP.
If you must use OpenVPN and do not want the internal (OpenVPN to EC2) connections to surface on the internet, the EC2 instances must join OpenVPN's private network; there, everyone can talk using the private IPs of OpenVPN's range.
Or extend AWS VPC with OpenVPN.
Or see if split-tunnel works, which "may allow users to access their LAN devices while connected to VPN".
I have installed HashiCorp Vault on a Linux EC2 machine in AWS. I have unsealed it and allowed all outbound traffic in the Security Group. I am able to access the Vault service within the EC2 instance using "http://localhost:8200", but I am unable to use the service when I try to hit the URL using the public IPv4 of the EC2 from the internet (e.g. http://xxx.xxx.xxx.xxx:8200).
Check your network configuration.
There are a few things you can check:
Your Security Group allows connections from your IP to port 8200.
Your EC2 instance is in a public subnet.
The NACL of the public subnet allows connections to/from port 8200 and to/from your IP.
The route table of the public subnet has an Internet Gateway attached.
If you validate these 4 points and still can't connect to the service, it can be a problem of the service's listen address being 127.0.0.1 (localhost).
https://www.vaultproject.io/docs/commands/server.html#dev-listen-address
In that case, you should start your HashiCorp Vault with the options:
-dev -dev-listen-address="0.0.0.0:8200"
This problem is described here:
Is it possible to start Vault dev server on 0.0.0.0 instead of 127.0.0.1?
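The fifth point in the answer above is the one worth confirming before touching security groups or NACLs again: a service bound to 127.0.0.1 is invisible from outside the instance no matter what AWS allows. On Linux the kernel exposes every TCP socket in /proc/net/tcp (the same data `ss -lnt` prints), with addresses as hex words in host byte order and state 0A meaning LISTEN. The following Python is an added example written for this page, not code from the answer or from HashiCorp; the /proc/net/tcp sample is constructed and shows a Vault dev server on 127.0.0.1:8200, sshd on 0.0.0.0:22 and a hypothetical service on the private IP 10.0.1.25:9000. Note that Vault's -dev mode keeps everything in memory and starts unsealed with a root token, so exposing it on 0.0.0.0 is only sensible for a test instance, not for anything reachable from the internet.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp (Linux). local_address is "IP:PORT"
# with the IP as a 32-bit hex word in host byte order (127.0.0.1 appears
# as 0100007F) and the port in hex; "st" 0A is TCP LISTEN. Rows: Vault dev
# on 127.0.0.1:8200, sshd on 0.0.0.0:22, a hypothetical service bound only
# to the private IP 10.0.1.25:9000, and one established SSH session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2008 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30451 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20112 1 0000000000000000 100 0 0 10 0
   2: 1901000A:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 30990 1 0000000000000000 100 0 0 10 0
   3: 1901000A:0016 0201000A:E1C4 01 00000000:00000000 02:000A3B2C 00000000     0        0 31002 2 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A


def decode_addr(hex_addr):
    """Turn 'AABBCCDD:PPPP' from /proc/net/tcp into ('a.b.c.d', port)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The kernel prints the address word as stored in memory, so on the
    # little-endian hosts EC2 runs this is a "<I" unpack back to bytes.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(text):
    """Return {port: bind_ip} for every socket in LISTEN state."""
    listeners = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        listeners[port] = ip
    return listeners


def listen_scope(listeners, port):
    """Classify where the service on `port` can be reached from."""
    ip = listeners.get(port)
    if ip is None:
        return "not listening"
    if ip == "127.0.0.1":
        return "loopback only"
    if ip == "0.0.0.0":
        return "all interfaces"
    return f"only {ip}"


def scan_file(path="/proc/net/tcp"):
    """Read the live table on a Linux host (IPv4 only; tcp6 is separate)."""
    with open(path) as fh:
        return parse_listeners(fh.read())


if __name__ == "__main__":
    table = parse_listeners(SAMPLE_PROC_NET_TCP)
    for port in (8200, 22, 9000, 443):
        print(f"port {port}: {listen_scope(table, port)}")
```

Running the scan on the instance and seeing "loopback only" for 8200 is the confirmation that the fix lives in the Vault listener address, not in the VPC; "all interfaces" or "only <private IP>" with the connection still failing points back at the first four checks. The parser handles IPv4 only; IPv6 listeners live in /proc/net/tcp6 with 128-bit addresses.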
I have an EC2 instance running in AWS and here's the scenario I'm trying to achieve. I have a VPC set up with 3 subnets. 2 of them are private with no access to the internet (not even via a NAT gateway/NAT instance), and the other is a public subnet.
A bastion host configured with a public IP (55.55.55.55, for example) in the public subnet.
I have an EC2 instance launched in a private subnet that hosts my application, and I want my users to be able to access the application from their workstation browsers.
If I set up the SSH connection as discussed here, it works perfectly fine for the web page set up on my bastion host. However, for my use case, I need to achieve another level of SSH forwarding like the above, as my application is in the private subnet, for that application to be accessible from my local machine. Is that possible somehow? I also need to make sure there are no issues with DNS.
ssh -N <Bastion_IP/HostName> -L <LocalPort>:<Internal_IP_of_Web_Server>:<WebServer_Port>
Then you can access the web server at http://localhost:<LocalPort>/
Assuming you have a web application on EC2 in a private subnet and you want to make it available for access from outside AWS.
You can set up port forwarding on your bastion host following this tutorial, but I suggest you use a load balancer (ELB) as described in this guide. To use an ELB you will need another public subnet in a different AZ. If your application is serving HTTP traffic, then it's even better to use an Application Load Balancer (ALB). Here is more info about ALB.
I am new to the AWS environment. I have installed Apache Atlas in an EC2 instance, and from Lambda I am trying to get metadata from the Glue data catalog and post it to Apache Atlas (Apache Atlas uses REST endpoints) running on EC2. I am able to get the Glue data catalog metadata in the Lambda function.
How can I use a curl/HTTP GET call from the Lambda function to access the service running on port 21000 on localhost on my EC2 instance?
Update 1: Resolved by allowing all inbound traffic on the private IP for the EC2 instance in the security group.
Update 2: Now I am able to access the REST URL (by its private IP) and the Glue catalog, both within Lambda. What I did is I created a private and a public subnet and put my EC2 instance and Lambda on the same private subnet with a NAT configured on the public subnet.
Now my Lambda is working but I am not able to SSH into my EC2 instance. Is there a way to get that working also?
"localhost" is relative to each computer. What is "localhost" on your EC2 server is different from what is "localhost" on AWS Lambda, etc. You need to stop trying to access "localhost" and use the server's IP address instead.
To access port 21000 on the EC2 server the Lambda function needs to be placed in the same VPC that the EC2 instance is in, and the EC2 server needs to be listening for external traffic on port 21000, not just localhost traffic. You would assign a security group to the Lambda function, and in the security group assigned to the EC2 server you would open port 21000 for traffic coming from the Lambda function's security group. Finally, the Lambda function would access the EC2 server by addressing it via the server's private IP.
I'm not familiar with Apache Atlas or whether it exposes its own HTTP endpoints to external clients. What you need is a server running on EC2 for that.
An EC2 server doesn't magically accept HTTP calls from external connections and route them to the local resources you want (in this case, Atlas). Install Apache HTTP Server, nginx or any other server on your EC2 instance, configure it properly, and write some code that takes the data POSTed by your Lambda and submits it to the local Apache Atlas API.
The following page contains some instructions in this direction. Search the web if you need more help, there are tons of tutorials for doing this already. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Tutorials.WebServerDB.CreateWebServer.html
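The first answer above (Lambda in the same VPC, target addressed by private IP, EC2 security group opened to the Lambda's security group) leaves the Lambda code itself unstated, and in practice the useful part is telling the three ways it can fail apart: a connect timeout means the security group, NACL or route silently dropped the packets; "connection refused" means the host was reached but nothing is listening on that address and port (typically the service is bound to 127.0.0.1); an HTTP error means Atlas answered and rejected the request. The following Python is an added example written for this page, not code from the answer or from Apache Atlas; the REST path and the payload shape are assumptions, and the in-process fake Atlas exists only so the helper can be exercised offline.

```python
import errno
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption for this example: the Atlas REST path and the entity layout
# are placeholders, not taken from the Atlas documentation. In the real
# deployment the host is the EC2 instance's private IPv4 and port 21000.
ATLAS_PATH = "/api/atlas/v2/entity"


def post_json(base_url, path, payload, timeout=3.0):
    """POST payload as JSON and return (status, body).

    Transport failures propagate as URLError/OSError (see classify_failure).
    """
    data = json.dumps(payload).encode()
    req = urllib.request.Request(base_url + path, data=data, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


def classify_failure(exc):
    """Map a transport error to the VPC-level cause to check next."""
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, socket.timeout) or isinstance(exc, socket.timeout):
        return "timeout: security group, NACL or route table dropped the packets"
    code = getattr(reason, "errno", None)
    if code == errno.ECONNREFUSED:
        return "refused: host reached but nothing listens there (bound to 127.0.0.1?)"
    if code in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable: no route from this subnet to the target"
    return f"other: {exc}"


def push_to_atlas(private_ip, port, entity):
    """Lambda-side helper: POST one entity, return (ok, detail)."""
    try:
        status, body = post_json(f"http://{private_ip}:{port}", ATLAS_PATH, entity)
        return True, f"{status} {body}"
    except urllib.error.HTTPError as exc:
        return False, f"http {exc.code}: Atlas answered but rejected the request"
    except (urllib.error.URLError, OSError) as exc:
        return False, classify_failure(exc)


class _FakeAtlas(BaseHTTPRequestHandler):
    """Constructed stand-in for the Atlas endpoint, used only for the demo."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length))
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"received": body.get("typeName")}).encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_atlas(bind_host="127.0.0.1"):
    """Serve _FakeAtlas on an OS-chosen port; returns (port, server)."""
    server = HTTPServer((bind_host, 0), _FakeAtlas)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


def free_port():
    """A loopback port with nothing listening, for the refused case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    entity = {"typeName": "hive_table", "attributes": {"name": "orders"}}
    port, srv = start_fake_atlas()
    print(push_to_atlas("127.0.0.1", port, entity))
    srv.shutdown()
    print(push_to_atlas("127.0.0.1", free_port(), entity))
```

Keep the timeout short in Lambda: a dropped packet otherwise burns the whole function timeout, and the classification string is what you want in CloudWatch when it does. With the real private IP in place, "refused" sends you to the Atlas listener address on the instance and "timeout" sends you to the security group referencing the Lambda's security group.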
I've been looking around but haven't been able to find much. It all seems to assume that I'm trying to access a single EC2 instance in a VPC.
The scenario: we have one EC2 medium instance in a VPC which is hosting several websites (running Windows), and we need to launch a Linux EC2 in that same VPC to run a forum for one of the sites. It's going to run at domain.com/forum, where domain.com is hosted on the Windows server. I'm going to try using a reverse proxy in IIS to get to the forum, but we need to access it first. Would a NAT instance be what I'm looking for?
Any ideas?
You don't need a NAT. You would need a NAT only if you had just one server in the public subnet and the other servers in a private subnet. As you already have one server serving websites, I can assume you have a VPC with either a public subnet or a public subnet + private subnet.
For more info, see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
Anyway, just launch your Linux instance and make sure to configure your HTTPD (Apache VirtualHost or nginx location) to respond correctly to requests addressed to your domain subfolder.
Start your Linux instance in the same subnet as the Windows instance. These two instances will be able to communicate using their local IPs. The Linux instance will get an IP and default gateway the same way your Windows instance does (I'm assuming you are using an Internet Gateway in the VPC). A reverse proxy can be set up in IIS and configured to use the private address of the Linux instance.