I've been looking around, but haven't been able to find much. It all seems to assume that I'm trying to access a single EC2 instance under a VPC.
The scenario: We have one EC2 medium under a VPC which is hosting several websites (running Windows), and we need to launch a Linux EC2 under that same VPC to run a forum for one of the sites. It's going to run at domain.com/forum where domain.com is hosted on the Windows server. I'm going to try using a reverse proxy in IIS to get the forum, but we need to access it first. Would a NAT instance be what I'm looking for?
Any ideas?
You don't need a NAT. You would need a NAT only if you had only one server in the public subnet and the other servers behind the private subnet. As you already have one server serving websites, I can assume you have a VPC with either a public subnet or a public subnet + private subnet.
For more info, see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
Anyway, just launch your Linux instance and make sure to configure your HTTPD (Apache VirtualHost or Nginx location) to respond correctly to requests addressed to your domain subfolder.
Start your Linux instance in the same subnet as the Windows instance. These two instances will be able to communicate using their local IPs. The Linux instance will get an IP and default gateway the same way your Windows instance does (I'm assuming you are using an Internet Gateway in the VPC). A reverse proxy can be set up in IIS and configured to use the private address of the Linux instance.
Well, I am almost giving up on AWS; it is really hard to do simple things here. My problem is that I am following this link to set up cPanel for commercial use:
https://blog.cpanel.com/part-2-how-i-built-a-cpanel-hosting-environment-on-amazon-aws/
I set up my VPC, Subnet, Internet Gateways, Elastic IPs and Route Tables and still cannot connect to my EC2. It is frustrating that I am wasting time over an SSH problem which can be solved in a matter of seconds at OVH, and here AWS is ruining my day. Any ideas?
I really expect to connect to my EC2 with ease and be able to add more EC2s to the service.
To be able to SSH into an Amazon EC2 instance, you'll need the following:
An Amazon VPC (the default one is fine, or create your own)
An Internet Gateway attached to the VPC (to connect it to the Internet)
A public subnet, which is defined as a subnet that has a route table where the route table sends traffic destined for 0.0.0.0/0 to the Internet Gateway
An Amazon EC2 instance in the public subnet, presumably a Linux instance since you want to SSH to it
When launching the instance, nominate a Keypair. If you launch from an Amazon-provided AMI (e.g. Amazon Linux 2), the keypair will be copied to /users/ec2-user/.ssh/authorized_keys at startup.
The instance should either be launched with Auto-assign Public IP to receive a random public IP address, or associate the instance with an Elastic IP address to associate a static IP address
A security group attached to the EC2 instance permitting inbound SSH access (port 22) either from 0.0.0.0/0 or your own IP address
Don't play with the Network Access Control List (NACL) settings - they default to allowing all traffic in/out
To connect to the instance:
ssh -i YOUR-KEYPAIR.pem ec2-user@IP-ADDRESS
If the connection is immediately rejected, it suggests a problem with the keypair.
If the connection takes some time before failing, it suggests a network-related problem because it is unable to contact the instance. Some corporate networks block outbound SSH access, so try again from a different network (home vs office, or even tethered via your phone) to try and identify the issue.
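A script, added here and not part of the answer above, that walks that checklist for one instance with the AWS CLI: does it have a public address, does its subnet route 0.0.0.0/0 to an Internet Gateway, and does its security group allow port 22 from the address you are connecting from. It assumes a configured AWS CLI with read-only EC2 permissions, a placeholder instance ID as the argument, and `curl` access to checkip.amazonaws.com; it only inspects the instance's first security group and IPv4 CIDR rules.

```shell
#!/bin/sh
# Added example: walk the SSH checklist above for one EC2 instance with
# the AWS CLI. Assumes a configured CLI with read-only EC2 rights; the
# instance ID is a placeholder argument. Only the first security group
# and IPv4 CIDR rules are inspected.
set -eu

# Pure helpers with no AWS calls, so the decision logic can be tested offline.

# Is any route target in a whitespace-separated list an Internet Gateway?
has_igw_route() {
    for target in $1; do
        case "$target" in igw-*) return 0 ;; esac
    done
    return 1
}

# Does the CIDR list $2 (allowed on port 22) cover IP $1?
# 0 = yes, 1 = no port-22 rule at all, 2 = other rules exist, review them.
ssh_rule_covers() {
    for cidr in $2; do
        case "$cidr" in 0.0.0.0/0|"$1/32") return 0 ;; esac
    done
    [ -z "$2" ] && return 1
    return 2
}

precheck() {
    set -- $(aws ec2 describe-instances --instance-ids "$1" --output text --query \
        'Reservations[0].Instances[0].[PublicIpAddress,SubnetId,VpcId,SecurityGroups[0].GroupId]')
    pub=$1 subnet=$2 vpc=$3 sg=$4
    [ "$pub" != None ] && echo "OK   public IP $pub" || echo "FAIL no public or Elastic IP"
    # The subnet's explicit route table, or the VPC main table if none is associated.
    rtb=$(aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=$subnet" \
        --query 'RouteTables[0].RouteTableId' --output text)
    [ "$rtb" = None ] && rtb=$(aws ec2 describe-route-tables --output text \
        --filters "Name=vpc-id,Values=$vpc" Name=association.main,Values=true \
        --query 'RouteTables[0].RouteTableId')
    targets=$(aws ec2 describe-route-tables --route-table-ids "$rtb" --output text \
        --query 'RouteTables[0].Routes[?DestinationCidrBlock==`0.0.0.0/0`].GatewayId')
    has_igw_route "$targets" && echo "OK   0.0.0.0/0 -> IGW ($rtb)" || echo "FAIL subnet is not public"
    me=$(curl -fsS https://checkip.amazonaws.com)
    cidrs=$(aws ec2 describe-security-groups --group-ids "$sg" --output text \
        --query 'SecurityGroups[0].IpPermissions[?FromPort==`22`].IpRanges[].CidrIp')
    ssh_rule_covers "$me" "$cidrs" && echo "OK   $sg allows 22 from $me" || case $? in
        1) echo "FAIL $sg has no port-22 rule" ;; *) echo "WARN review $sg port-22 rules: $cidrs" ;; esac
}

if [ $# -eq 1 ]; then precheck "$1"; fi
```

A FAIL on the route or security-group line matches the slow-timeout symptom the answer describes; a missing public IP is the same symptom from the other side.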
I have an EC2 instance running in AWS and here's the scenario I'm trying to achieve. I have a VPC setup with 3 subnets. 2 of them are private with no access to the internet (even using a NAT gateway/NAT instance), and another is a public subnet.
Bastion Host configured with Public IP (55.55.55.55 for example) in the public subnet.
I have ec2 instance launched in a private subnet that hosts my application, and I want my users to be able to access the application from their workstation browsers.
If I set up the SSH connection as discussed here, it works perfectly fine for the web browser page set up on my bastion host. However, for my use case, I need to achieve another level of SSH forward like above as my application is in the private subnet for that application to be accessible from my local machine. Is that possible somehow? I also need to make sure there are no issues with the DNS.
ssh -N <Bastion_IP/HostName> -L<LocalPort>:<Internal_IP_of_Web_Server>:<WebServer_Port>
Then you can access the webserver http://localhost:<LocalPort>/
Assuming you have a web application on EC2 in a private subnet and you want to make it available for access from outside AWS.
You can set up port forwarding on your bastion host following this tutorial, but I suggest you use a load balancer (ELB) as described in this guide. To use an ELB you will need another public subnet in a different AZ. If your application is serving HTTP traffic, then it's even better to use an Application ELB (ALB). Here is more info about ALB.
I want to connect my (OSX) laptop to a VPC in AWS but I couldn't find a way to do this since I don't have a static IP.
Azure has managed P2S VPN: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about. Is there something like this in AWS?
You can stand up a virtual device (such as a CheckPoint firewall) in the VPC on an EC2 instance that has point-to-site VPN functionality. There are a number of AMIs and quick starts for this available. You would also need a VPN client running on your laptop.
As an alternative, you can set up a bastion server and whitelist your IP. You can create a shell script that gets your IP and makes an AWS CLI call to update the security group with that value if it doesn’t exist. Then, log into the bastion and you’re in the VPC.
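The script the answer above describes, written out as an added example (not the answerer's code): it looks up the current public IP, validates it, and adds a /32 rule to the bastion's security group only if that rule is not already there. It assumes a configured AWS CLI, the placeholder `SG_ID`, and `curl` access to checkip.amazonaws.com; setting `AWS=echo` prints the CLI commands instead of running them.

```shell
#!/bin/sh
# Added example: allow the caller's current public IP into a bastion
# security group's SSH rule, only if it is not already listed.
# Assumes a configured AWS CLI; SG_ID is a placeholder. AWS=echo = dry run.
set -eu
AWS=${AWS:-aws}

# Strict dotted-quad check so a failed lookup (HTML, empty body) never
# reaches the CLI as a "CIDR".
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Is CIDR $1 present in the whitespace-separated list $2?
cidr_listed() {
    for cidr in $2; do
        [ "$cidr" = "$1" ] && return 0
    done
    return 1
}

allow_my_ip() {
    sg=$1 port=${2:-22}
    ip=$(curl -fsS https://checkip.amazonaws.com)
    is_ipv4 "$ip" || { echo "could not determine public IP: '$ip'" >&2; return 1; }
    # IPv4 CIDRs currently allowed on the port, as one tab-separated line.
    current=$($AWS ec2 describe-security-groups --group-ids "$sg" --output text \
        --query "SecurityGroups[0].IpPermissions[?FromPort==\`$port\`].IpRanges[].CidrIp")
    if cidr_listed "$ip/32" "$current"; then
        echo "$ip/32 already allowed on $sg port $port"
    else
        $AWS ec2 authorize-security-group-ingress --group-id "$sg" \
            --protocol tcp --port "$port" --cidr "$ip/32"
        echo "added $ip/32 to $sg port $port"
    fi
}

if [ -n "${SG_ID:-}" ]; then allow_my_ip "$SG_ID" "${SSH_PORT:-22}"; fi
```

Old /32 entries from previous locations are left in place by design; revoke them by hand, or extend the script to remove any rule whose CIDR is not the current address.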
You can set up a Client VPN under the VPC menu:
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoints.html
It will require a server certificate, as well as client certificates or a link to a managed AD, for authentication.
I've been learning about Amazon AWS EC2/VPCs, and after multiple videos and articles I've got a VPC up and running with private/public subnets. However, I find myself confused on one key point: how do I connect to new instances deployed in a private subnet in order to set them up? If I deploy it to the private subnet straight away, I cannot connect to it and set up the instance.
There are multiple ways this can be achieved. A lot of people use a bastion host. This provides an instance you can SSH or RDP into, and then SSH or RDP from there to your target instance in a private subnet. You could also set up a VPN server. This is going to be highly dependent on what type of setup works best for you.
This has probably been answered elsewhere but I can't seem to find it!
I have a number of AWS EC2 instances that I am using as part of a project being built and I am now looking into securing the setup a bit. I want to lock down access to some of the ports.
For example, I want to have one of the instances act as a database server (hosting MySQL). I want this to be closed to public access but open to access from my other EC2 instances on their private IPs.
I also use the AWS auto-scaler to add/remove instances as required and need these to be able to access the DB server without having to manually add its IP to a list.
Similarly if possible I want to lock down some instances so that they can only accept traffic from an AWS Load Balancer. So port 80 is open on the instance but only for traffic coming from the Load Balancer.
I've looked at specifying the IPs using CIDR notation but can't seem to get it working. From the look of the private IPs being assigned to my instances, the first two octets remain the same and the last two vary. But opening it to all instances with the same first two octets doesn't seem that secure either?!
Thanks
What you want to do is all pretty standard stuff, and is extensively documented in the AWS VPC documentation for Virtual Private Clouds. If your EC2 instances are not running in a VPC, they should be.
The link below should help; it seems to match your scenario:
Scenario 2: VPC with Public and Private Subnets (NAT)
The configuration for this scenario includes a VPC with a public subnet and private subnet, and a network address translation (NAT) instance in the public subnet. A NAT instance enables instances in the private subnet to initiate outbound traffic to the Internet. We recommend this scenario if you want to run a public-facing web application, while maintaining back-end servers that aren't publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
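The piece the question is really after, which the linked scenario covers but the answer does not spell out: inside a VPC, a security-group rule can name another security group as its source instead of a CIDR, so auto-scaled web instances reach MySQL and only the load balancer reaches port 80, with no IP lists to maintain. This is an added example, not code from the answer or from AWS; it assumes three existing groups (placeholder IDs for the load balancer, web tier and database tier) in the same VPC and a configured AWS CLI, and `AWS=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: security-group rules that reference other groups instead
# of IP ranges. Assumes three existing groups in one VPC (IDs are
# placeholders) and a configured AWS CLI; AWS=echo prints instead of runs.
set -eu
AWS=${AWS:-aws}

# Allow TCP port $3 into group $1 only from members of group $2.
# Instances joining $2 later (e.g. via auto-scaling) are covered automatically.
allow_from_group() {
    $AWS ec2 authorize-security-group-ingress --group-id "$1" \
        --protocol tcp --port "$3" --source-group "$2"
}

# Remove a CIDR-based rule the group-based one replaces (no error if absent).
revoke_cidr() {
    $AWS ec2 revoke-security-group-ingress --group-id "$1" \
        --protocol tcp --port "$3" --cidr "$2" || true
}

tier_rules() {
    lb_sg=$1 web_sg=$2 db_sg=$3
    allow_from_group "$db_sg"  "$web_sg" 3306   # MySQL from any web instance, old or new
    allow_from_group "$web_sg" "$lb_sg"  80     # HTTP only from the load balancer's group
    revoke_cidr "$db_sg"  0.0.0.0/0 3306         # no public MySQL
    revoke_cidr "$web_sg" 0.0.0.0/0 80           # no HTTP that bypasses the ELB
}

# Print the commands without touching the account, to review before applying.
tier_rules_dry_run() {
    (AWS=echo; tier_rules "$@")
}

if [ $# -eq 3 ]; then tier_rules "$@"; fi
```

The group IDs are arguments in the order load balancer, web, database; the ELB's own security group is the one to pass first.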