Setting up Amazon Elastic Beanstalk app under VPC - amazon-web-services

I've created a new environment for my beanstalk app under a vpc.
I created a vpc with private and public subnets.
I've configured the security groups as outlined here:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc-basic.html
The environment seemed to set up correctly but the status is red.
Clicking on monitor reveals no data for latency or requests.
The website url returns error code 503.
Not sure what to do

This is almost certainly an issue with not being able to communicate with the NAT. The documentation is a little ambiguous when it comes to configuring your .ebextensions config files.
Don't mess with the Network ACLs for the VPC. The infrastructure needs to be able to talk to itself.
The NAT instance & Beanstalk ELB need to be in the Public subnet (10.0.0.0/24)
The Beanstalk instances themselves need to be in the Private subnet (10.0.1.0/24)
The Security Group that you apply to the instances needs to also apply to the NAT. That Security Group also needs to be on its own Inbound list so that everything inside that SG can talk to each other.
Using curl, try to make outbound calls. First on the Bastion Host, then on the NAT, then on a Beanstalk instance. Are any of them unable to make outbound calls?
I just recently spent a couple of weeks trying to develop a CloudFormation template that handles this stuff. I think that most of it is still in my brain. I think.
If these troubleshooting steps don't help, let me know and I'll dig a little deeper.
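The security-group wiring the answer describes (instance group self-referencing, same group also attached to the NAT, ELB group reachable from the outside, instance group reachable from the ELB group) can be checked mechanically. The script below is an added example and is not the answerer's code; the group ids, CIDRs and the attachment map are constructed placeholders loosely shaped like `aws ec2 describe-security-groups` output, so it runs offline.

```python
"""Lint security-group wiring for a Beanstalk-in-VPC layout (added example)."""
import copy

# Constructed sample modelled on the answer: one group for the ELB, one shared
# by the instances and the NAT. All ids are placeholders, not real AWS ids.
GROUPS = {
    "sg-elb-example": {
        "description": "load balancer in the public subnet",
        "inbound": [{"proto": "tcp", "from": 80, "to": 80, "source": "0.0.0.0/0"}],
    },
    "sg-app-example": {
        "description": "beanstalk instances; also attached to the NAT",
        "inbound": [
            {"proto": "tcp", "from": 80, "to": 80, "source": "sg-elb-example"},
            # self-reference: everything inside the group can talk to each other
            {"proto": "-1", "from": 0, "to": 65535, "source": "sg-app-example"},
        ],
    },
}

# Which groups are attached to which component (constructed).
ATTACHMENTS = {
    "elb": ["sg-elb-example"],
    "nat": ["sg-app-example"],
    "instances": ["sg-app-example"],
}


def allows_from(group_id, source, groups):
    """True if any inbound rule on group_id names `source` (a CIDR or an sg id)."""
    return any(rule["source"] == source for rule in groups[group_id]["inbound"])


def lint(groups, attachments):
    """Return human-readable findings; an empty list means the checks pass."""
    findings = []
    for sg in attachments["instances"]:
        if not allows_from(sg, sg, groups):
            findings.append(f"{sg}: instance group is not in its own inbound list")
        if sg not in attachments["nat"]:
            findings.append(f"{sg}: instance group is not attached to the NAT")
        if not any(allows_from(sg, elb, groups) for elb in attachments["elb"]):
            findings.append(f"{sg}: no inbound rule from the ELB's security group")
    for sg in attachments["elb"]:
        if not allows_from(sg, "0.0.0.0/0", groups):
            findings.append(f"{sg}: ELB group accepts no public inbound traffic")
    return findings


def without_rule(groups, group_id, source):
    """Deep-copied groups with every inbound rule from `source` dropped."""
    out = copy.deepcopy(groups)
    out[group_id]["inbound"] = [
        r for r in out[group_id]["inbound"] if r["source"] != source
    ]
    return out


if __name__ == "__main__":
    for finding in lint(GROUPS, ATTACHMENTS) or ["all checks pass"]:
        print(finding)
    broken = without_rule(GROUPS, "sg-app-example", "sg-app-example")
    print(lint(broken, ATTACHMENTS))
```

To run it against a real account, replace `GROUPS` and `ATTACHMENTS` with data pulled from `describe-security-groups` and `describe-instances`; the checks themselves do not change.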

When you created the VPC, I assume you did it using the wizard. In this situation, the NAT is configured to accept calls from "default" security group.
When you created the Elastic beanstalk environment, did you specify that you want the new instances to be on "default" security group?
Check if the new instance belongs to the VPC's default security group in EC2 management area. If it is not a member of default Security group, add this security group to your NAT's inbound connections.

There is a good AWS CloudFormation template example to create a VPC with public and private subnets and the NATs:
https://github.com/awsdocs/elastic-beanstalk-samples/blob/9720e38e9da155752dce132a31d8e13a27364b83/cfn-templates/vpc-privatepublic.yaml
May be very useful for those having issues with such VPC configuration.
To deploy it to your AWS using cli:
aws cloudformation deploy --stack-name mystackname --template-file path/to/vpc-privatepublic.yaml
Or you can deploy from CloudFormation UI dashboard.

Related

Restrict Lambda URL to specific VPC (for EC2 Instance)

I have a few Lambdas that are executed from a Jenkins installed on an EC2 instance. I could successfully run a curl command from Jenkins to request any of my Lambdas using the URL.
I'd like to secure this architecture with a VPC. My EC2 instance is already under the VPC vpc-001f4912569686a89, so I've put my Lambda under the same one.
I have also created a security group (sg-0de1a07dd602450f7) for my Lambda to allow only traffic from my EC2 instance. See the following (sg-0f62df4def386f83a is my EC2 instance's security group):
And here is my Lambda VPC configuration:
From what I understand, this should be enough to get my EC2 to communicate with my Lambda but my curl isn't returning me anything (probably a timeout).
EDIT
Here is my VPC route table:
Your security group setup seems correct.
Please address the following items:
Could you elaborate on the subnet that your EC2 Instance is running in?
Your Lambda function's container(s) can spawn in either of the two subnets
subnet-053af8185c4f6bbc7
subnet-0ac074c5b63e6db9b
Please check the VPC's route table and ensure traffic can flow between the potential subnets
Please check the Lambda function's subnets' ACLs to ensure they're not blocking traffic coming from the Jenkins instance

Connect to RDS (in VPC), from outside VPC, via VPC Endpoint (AWS)

I've spent about a full day trying to solve this, but have had no luck so far. I'm also open to alternative suggestions to my current setup.
I have an RDS instance inside of a VPC. I am trying to make CodeBuild be able to access this RDS instance for a testing step.
Currently, I set up a VPC endpoint for the CodeBuild service, with all 3 subnets of the VPC. I know that if I allow all inbound traffic for the security group on the RDS, it works. I don't want to allow all inbound traffic though, and given this, have been unsuccessful.
I have tried the following to no avail:
Taking the private IPv4s of the ENIs created by the VPCE, adding them as inbound rules to the security group on the RDS
Creating a separate VPC for CodeBuild, and setting up VPC peering (this seemed overly complex, and I'm not sure if the peering would even allow CodeBuild traffic to hit an RDS; it also makes things complicated down the road for CodeDeploy).
Putting CodeBuild inside the VPC of the RDS instance. When doing this, I created a new subnet in the VPC, assigned it to a NAT in the route table (and this NAT was in the VPC of the RDS instance); but CodeBuild kept telling me it had no internet access.
setup a VPC endpoint for the CodeBuild service,
VPC endpoints are not used for inbound traffic from CB to VPC. They are used for your applications in VPC to interact with CB service without the internet.
Putting CodeBuild inside the VPC of the RDS instance.
This is the correct way. Sadly you haven't provided any details of your VPC, subnets, NAT, route tables, security groups, NACLs setup, thus it's difficult to speculate why it does not work.
Thanks Marcin for pointing me in the right direction to make CodeBuild in the same VPC. When I was able to focus on that, I saw this post again:
CodeBuild cannot find the 0.0.0.0/0 destination for the target internet gateway
where I had the same issue; my NAT was also on the private subnet. Now it's on the public subnet, and it's working.
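The mistake the thread ends on (a NAT gateway placed in a subnet whose own default route does not reach an internet gateway) is visible in the route tables alone. The following is an added example, not code from either poster; route-table, subnet and gateway ids are constructed placeholders shaped loosely like `aws ec2 describe-route-tables` and `describe-nat-gateways` output, and the sample deliberately reproduces the bad placement.

```python
"""Classify subnets by default route and check NAT placement (added example)."""

# Constructed sample: the NAT gateway lives in subnet-private-b, whose
# 0.0.0.0/0 route points back at the NAT itself, so nothing can leave the VPC.
ROUTE_TABLES = {
    "rtb-public": {
        "subnets": ["subnet-public-a"],
        "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                   {"dest": "0.0.0.0/0", "target": "igw-example"}],
    },
    "rtb-private": {
        "subnets": ["subnet-private-a", "subnet-private-b"],
        "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                   {"dest": "0.0.0.0/0", "target": "nat-example"}],
    },
}

NAT_GATEWAYS = {"nat-example": {"subnet": "subnet-private-b"}}


def default_target(subnet_id, route_tables):
    """Target of the subnet's 0.0.0.0/0 route, or None if it has no default route."""
    for table in route_tables.values():
        if subnet_id in table["subnets"]:
            for route in table["routes"]:
                if route["dest"] == "0.0.0.0/0":
                    return route["target"]
            return None
    return None  # subnet uses the main table or is unknown; treated as no route


def classify(subnet_id, route_tables):
    """'public' (default route to an IGW), 'private' (to a NAT), 'isolated' or 'other'."""
    target = default_target(subnet_id, route_tables)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def check_nat_placement(route_tables, nat_gateways):
    """Findings for NAT gateways not sitting in a public subnet, plus dangling NAT routes."""
    findings = []
    for nat_id, nat in nat_gateways.items():
        kind = classify(nat["subnet"], route_tables)
        if kind != "public":
            findings.append(f"{nat_id} sits in {nat['subnet']} ({kind} subnet): "
                            "its subnet needs a 0.0.0.0/0 route to an internet gateway")
    for rtb_id, table in route_tables.items():
        for route in table["routes"]:
            target = route["target"]
            if target.startswith("nat-") and target not in nat_gateways:
                findings.append(f"{rtb_id}: default route points at unknown {target}")
    return findings


if __name__ == "__main__":
    for subnet in ("subnet-public-a", "subnet-private-a", "subnet-private-b"):
        print(subnet, classify(subnet, ROUTE_TABLES))
    print(check_nat_placement(ROUTE_TABLES, NAT_GATEWAYS))
    moved = {"nat-example": {"subnet": "subnet-public-a"}}
    print(check_nat_placement(ROUTE_TABLES, moved))  # empty once the NAT is public
```

The same classification also answers the asker's earlier question about CodeBuild: the subnets handed to CodeBuild should classify as `private`, and the NAT those routes point at must itself be in a `public` subnet.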

Elastic Beanstalk in VPC

I made and deployed my Django application in AWS Elastic Beanstalk. It has a connection to a Postgres DB in RDS, through the EBS console.
When I click configuration -> network in EBS, I see: "This environment is not part of a VPC."
How can I make it a part of a VPC? Thanks!
NOTE: very new to this ;)
You have to recreate the Elastic Beanstalk environment and pick the VPC during the creation. It is not possible to move an existing environment into a VPC.
But, unless you have access to EC2-Classic, the EC2 servers that were launched are already in a VPC. They are just in the default VPC. But as far as Elastic Beanstalk is concerned, it seems oblivious to this.
I am not sure if there are any features that are exclusively available to VPC environments. My suggestion is to try to use your current environment, and if you happen to recreate the environment later for some other reason, then you can try picking a VPC and see if it offers anything new.
As already explained by @stefansundin you can't move an existing EB into a custom VPC. You have to create a new one.
These are general steps to consider:
Create a custom VPC with public and private subnets as described in the docs: VPC with public and private subnets (NAT). NAT is needed for instances and rds in private subnet to communicate with internet, but no inbound internet traffic will be allowed. This ensures that your instances and rds are not accessible from the outside.
Create new RDS, external to EB. This is good practice as otherwise the lifetime of your RDS is coupled with EB environment. Starting point is the following AWS documentation: Launching and connecting to an external Amazon RDS instance in a default VPC
Create new EB environment and ensure to customize its settings to use the VPC. Pass the RDS endpoint to the EB instances using environmental variables. Depending on how you want to handle password to the RDS, there are few options, starting from using environmental variables (low security) through SSM Parameter Store (free) or AWS Secrets Manager (not free).
Setting this all up correctly can be difficult for someone new to AWS. But with patience and practice it can be done. Thus, I would recommend starting with the default VPC, as you have now. Then once you are comfortable with how to work with external RDS, think about creating a custom VPC as described.
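Step 3 of the answer (pass the RDS endpoint through environment variables, and pick a password source ranging from a plain variable to SSM Parameter Store or Secrets Manager) maps onto a small settings helper. This is an added example for a Django settings module, not the answerer's code or an Elastic Beanstalk feature. The `RDS_HOSTNAME`, `RDS_PORT`, `RDS_DB_NAME`, `RDS_USERNAME` and `RDS_PASSWORD` names follow the convention Elastic Beanstalk uses for its integrated databases; `RDS_PASSWORD_SSM_PARAM` and `RDS_SECRET_ID` are names assumed here. The AWS calls are made only when those variables are set, so the module loads and the demo runs without boto3 or credentials.

```python
"""Resolve Django DATABASES from environment variables (added example)."""
import json
import os


def _from_ssm(name):
    """Read a SecureString parameter; the instance role needs ssm:GetParameter."""
    import boto3  # imported lazily so the module loads without boto3 installed
    resp = boto3.client("ssm").get_parameter(Name=name, WithDecryption=True)
    return resp["Parameter"]["Value"]


def _from_secrets_manager(secret_id):
    """Read the 'password' key of a JSON secret; needs secretsmanager:GetSecretValue."""
    import boto3
    resp = boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)
    return json.loads(resp["SecretString"])["password"]


def resolve_password(env, ssm_fetch=_from_ssm, secret_fetch=_from_secrets_manager):
    """Return (password, source). Precedence: Secrets Manager, SSM, plain variable.

    The fetchers are injectable so tests and offline runs never touch AWS.
    """
    if env.get("RDS_SECRET_ID"):
        return secret_fetch(env["RDS_SECRET_ID"]), "secretsmanager"
    if env.get("RDS_PASSWORD_SSM_PARAM"):
        return ssm_fetch(env["RDS_PASSWORD_SSM_PARAM"]), "ssm"
    if env.get("RDS_PASSWORD"):
        # Works, but the secret is then visible in the EB console and instance metadata.
        return env["RDS_PASSWORD"], "env"
    raise RuntimeError("no database password source configured")


def database_settings(env=None, **fetchers):
    """Build the DATABASES dict Django expects; assign it in settings.py."""
    env = os.environ if env is None else env
    password, _source = resolve_password(env, **fetchers)
    return {
        "default": {
            "ENGINE": "django.db.backends.postgresql",
            "NAME": env["RDS_DB_NAME"],
            "USER": env["RDS_USERNAME"],
            "PASSWORD": password,
            "HOST": env["RDS_HOSTNAME"],
            "PORT": int(env.get("RDS_PORT", "5432")),
            # Enforce TLS to the database even though it sits in a private subnet.
            "OPTIONS": {"sslmode": "require"},
        }
    }


if __name__ == "__main__":
    # Constructed environment and a dict standing in for Parameter Store.
    demo_env = {
        "RDS_DB_NAME": "app", "RDS_USERNAME": "app",
        "RDS_HOSTNAME": "db.example.internal",
        "RDS_PASSWORD_SSM_PARAM": "/app/db/password",
    }
    fake_store = {"/app/db/password": "not-a-real-password"}
    cfg = database_settings(demo_env, ssm_fetch=fake_store.__getitem__)
    print({k: v for k, v in cfg["default"].items() if k != "PASSWORD"})
```

In `settings.py` the whole thing collapses to `DATABASES = database_settings()`; which source is used is decided purely by which variables the environment configuration sets, so moving from a plain `RDS_PASSWORD` to a parameter or secret needs no code change.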

Creating Beanstalk without an internet connection

I'm trying to make beanstalk instances not connect outside the VPC to public internet.
The problem is that, when I clear the outbound security group and actually block the internet access, it makes the instances not start properly and throw the error "502 Bad Gateway", and the health status in Beanstalk changes to "unknown".
When I checked the system log I saw that the instance is trying to connect outside the VPC in the user data script.
How can I solve this problem?
Using an EB environment in a private subnet (no internet) is not that straightforward. The general considerations of how to do this are described in the AWS docs:
Using Elastic Beanstalk with Amazon VPC
For example, EB uses Network Time Protocol (NTP) thus you have to have internet connectivity. Without that, as docs describe, there are issues with Elastic Beanstalk health reporting.
You also need to setup VPC endpoints for Elastic Beanstalk as well as the endpoints for other services (e.g. S3):
Using Elastic Beanstalk with VPC endpoints
If your .ebextensions install any packages from the internet, you need to ensure that you have properly set up a NAT gateway or NAT instance.
The docs also provide an example in CloudFormation, vpc-private.yaml, with an exemplary setup for the Internet gateway, NAT gateway, and route table.

Connecting existing RDS to Elastic Beanstalk

I have an RDS database running (postgres) that I'm now trying to connect to an Elastic Beanstalk application. The connection times out.
I am guessing this has something to do with the VPC and security groups, but AWS continues to confuse me here and I'm kind of new to this. I'm trying to follow this guide: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.RDS.html?icmpid=docs_elasticbeanstalk_console
When I try to add the rds_launch_wizard security group to the EB instance, it tells me that the security group is not found. rds_launch_wizard is in a VPC, whereas the EB application is not.
I have tried going into the EB configuration, choosing Instance and trying to add a security group:
By name, this pops up an error saying that "I cannot add groups by name".
By group ID, this tells me group sg-xxxxx not found.
Similarly, I can't add the EB security group to RDS, as this is also not found.
How do I get the two talking to each other?
You have two options:
Move the EB environment into the VPC
Enable ClassicLink so that your EC2 Classic instances inside your EB environment can talk to the VPC.
ClassicLink is the obvious quick fix, but I think you will eventually want to move everything into a VPC. The VPC is more secure and there are quite a few features and services now on AWS that require a VPC.