I have created a VPC with public and private subnets on AWS. All app servers are in private subnets and all outbound requests have to be through an internet-facing NAT instance.
At the moment, our project requires the app servers to access a ftp server provided by a service provider.
I have tried several ways to manage that, but all no luck. What I have done was to open a port range, let's say (40000 - 60000) on both NAT and APP security groups, also standard ftp ports 20 - 21 as well.
The user authentication can be passed, but I could not list contents from app servers.
I am able to access the ftp server from NAT, not problem at all.
So what should I do to make it work?
#JohnRotenstein is absolutely correct that you should use Passive FTP if you can. If, like me, you're stuck with a client who insists that you use Active FTP because their FTP site that they want you to connect to has been running since 1990 and changing it now is completely unreasonable, then read on.
AWS's NAT servers don't support a machine in a private subnet connecting using Active FTP. Full stop. If you ask me, it's a bug, but if you ask AWS support they say it's an unsupported feature.
The solution we finally came up with (and it works) is to:
Add an Elastic Network Interface (ENI) in a public subnet on to your EC2 instance in the private subnet
So now your EC2 instance has 2 network adapters, 2 internal IPs, etc.
Let's call this new ENI your "public ENI"
Attach a dedicated elastic IP to your new public ENI
Let's assume you get 54.54.54.54 and the new public ENI's internal IP address is 10.1.1.10
Add a route in your operating system's networking configuration to only use the new public ENI
In windows, the command will look like this, assuming the evil active ftp server you're trying to connect to is at 8.1.1.1:
route add 8.1.1.1 mask 255.255.255.254 10.1.1.1 metric 2
This adds a route for all traffic to the FTP server at 8.1.1.1 using subnet mask 255.255.255.254 (ie. this IP and only this IP) should go to the internet gateway 10.1.1.1 using ethernet adapter 2 (your second NIC)
Fed up yet? Yeah, me too, but now comes the hard part. The OS doesn't know it's public IP address for the public EIN. So you need to teach your FTP client to send the PORT command with the public IP. For example if using CURL, use the --ftp-port command like so:
curl -v --ftp-port 54.54.54.54 ftp://8.1.1.1 --user myusername:mypass
And voila! You can now connect to a nightmare active FTP site from an EC2 machine that is (almost entirely) in a private subnet.
Try using Passive (PASV) mode on FTP.
From Slacksite: Active FTP vs. Passive FTP, a Definitive Explanation:
In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.
Thus, the traffic is trying to communicate on an additional port that is not passed through the NAT. Passive mode, instead, creates an outbound connection, which will then be permitted through the NAT
Related
I'll make this quick.
I have created a virtual network by setting several VMs to use HostOnly VMnet1 as their network adapter.
I then added a pfsense virtual machine firewall into that same network and configured it to allow traffic to the internet but block to/from my real home network.
That way - my virtual network can connect to the internet even though it is in host only mode.
The thing is, I need to manually set the DNS and Gateway of each machine in VMNet1 to the VM firewall to allow them to communicate since all communications must flow through it.
I was trying to figure out if I can do this automatically. When I go into Virtual Network settings in VMWare Workstation 16, the only options I can set are the subnet and available IP Scope. There is no option for default gateway or DNS here. Can this be done?
Do you have the ability to run a DHCP server on the PFSense firewall which is connected to the VMNetwork? If so, either Windows and Linux VMs that have their NICs set to DHCP, would get the IP, DNS and GW from the DHCP.
We have a site to site VPN connection from our AWS cloud to the customer's on site network. Our web application login requires the authentication from the customer's active directory and hence the need for VPN connection.
When our application is not being used for a while the VPN tunnel goes down, due to which when a user tries to log into the application he is unable to due to downed tunnel. It takes some time for the tunnel to get up after which everything works properly.
I had a call with the customer's IT people and it seems they have set up a keep alive bit (DPD settings) on their end but still the tunnel keeps going down. AWS support isn't much of a help either.
I google around and discovered that one way we can keep the tunnel alive is by "sending a ping to the target from the device sourced from the outside interface. A possible destination for the ping is an instance within the VPC"
AWS documentation also suggests "to create a host that sends ICMP requests to an instance in your VPC every 5 seconds."
I already have an private subnet EC2 instance (with only private IP) in my VPC.
My question is, do I need to create another ec2 instance in my VPC private subnet and ping the first one from the other every 5 seconds?
Would I need to write a shell script for this?
I am basically confused about from where to ping, whom to ping and how to ping.
Ping any remote AWS instance from your on-premise site, thereby causing traffic over the vpn. Just schedule it in windows task scheduler, and use the basic command line ping.
We have a very difficult problem here, we have a Windows Server 2019 Base x64 on Amazon EC2, connected through RDP and setup-ed forest and activated AD DS , also activated DNS. But whenever we try to connect we are not allowed to.
We have opened all the relevant ports on inbound traffic rules.
We have added users.
We have tried searching internet and various tutorials.
In Server Manager=:
Added the public ipv4 address to our ipv4 settings of the adapter.
Went to the computer setting in computer domain entered the domain but no fun.
Disabled the firewall in server manager.
We want to connect our clients on different network to connect to the server hosted else-where on AWS.
We are really new into this can some one guide through this?
Please make sure there is network connectivity between your client and you DC which is set up on EC-2 Instance.
[1] In case your clients are on AWS (meaning different EC-2 Instances), and in a different network, you need to create VPC peering or use Transit Gateway, so that it has proper network connectivity.
[2] In case your clients are not on AWS, and in an On-prem Environment, you need to have a VPN connection between your client and your DC.
So in Summary, you need to have network connectivity between your client and DC so that clients can join your Domain.
What do you mean whenever we try to connect we are not allowed to?
What are you trying to connect to, the Windows EC2 instance?
Are you saying that the instance is joined to AWS Directory Service domain but you can't connect to the instance using one of the users in your AWS directory?
Edit: This should have been a comment but couldn't post comments at the time of answering.
I have just started with aws ec2.
I have deployed a simple web app on ec2 which listens on port 12345.
After SSH-ing into the instance from my windows machine using putty and once connected using curl for the apps endpoint and using either localhost, private IP address as well as public Dns (IPv4) it works fine.It does not work with IPv4 public ip though.
I now want to make that app accessible from the internet via browser. But, when I use public Dns or even Ipv4 Public ip along with the port , and try to access , it is not accessible. I only get the message , "This site can’t be reached" from chrome.
I have Inbound rule setup for the security group associated with the instance,
which allows ,
all trafic, via all protocol , via all ports (0-65535), and also I have given the Source as Custom, with IP range of 0.0.0.0/0.
I also have added another rule with same attributes, except for Source a Custom with IP range of , ::/0.
Can someone advise me on the right way to do this.
I'm studying AWS.
But I have a problem that I cannot connect to my web server on my AWS instance
AWS instance is Windows Server 2012
this is my instance status
I want to connect my web server via public ip 52.78.47.142 outside the AWS instance
if I connect to the private ip 172.31.15.206 inside the instance, home page showed up.
But if I connect to the public ip 52.78.47.142 inside the AWS instance and outside the AWS instance, home page didn't show up both.
although I set a new rule for http protocol at port 80, it doens't work
any helps? thanks a lot...
open up tcp:80 port in the security group(Inbound) for the IP address of the machine from where your accessing the website( In this case your Desktop or Laptop IP address).
If you are trying to access the web server from another AWS Instance open the port for that particular Instance IP. For troubleshooting case you can open up All traffic and test it(Though this is not recommended)