Issue with Accessing Websites Through AWS VPN Client and Bastion Host

0

I have recently set up the AWS VPN client on my account to pre-test the AWS VPN environment. During this testing phase, I successfully accessed a bastion host in the public subnet using SSH. I performed several ping tests to verify the connections, but unfortunately, I encountered an issue when trying to open web pages in a browser.

Despite ensuring that all traffic was allowed, I attempted to enhance the connectivity by adding ports 80 and 443. However, I am still unable to access any websites through the browser. Could you kindly assist me in resolving this matter?

AWS Cloud Diagram entireDiagram

Ping Test pingTest

Security Inbound configuration securityInbound

asked 8 months ago · 355 views
3 Answers
0
Accepted Answer

The diagram is helpful, although why are you trying to ping-test the internet gateway and NAT gateway?

To boil it down, user A (on Windows) and user B (on Mac) are both able to SSH onto bastion 10.10.10.40.

From the bastion an SSH connection can be made to the host in the private subnet on 10.10.20.190. Is it correct that this host is also running a webserver, and you're finding that is not accessible?

The bastion would need a security group with outbound rules for 80/tcp and 443/tcp for target 10.10.20.190, and likewise the private host will need a security group with inbound rules for 80/tcp and 443/tcp from source 10.10.10.40.

Once this is in place, check connectivity to the web server by running (on the bastion host) curl http://10.10.20.190/ and curl https://10.10.20.190/ (if you get a cert error then use the --insecure option, you just want to get it working to begin with).

Your screengrabs show that ping test of internet sites is working from the bastion hosts, so the routing table is likely to be correct, and you have a security group rule associated that has the ICMP port open. Ensure ports 80/tcp and 443/tcp are open similarly, and then use something like curl http://www.google.com/ and curl https://www.google.com/ to verify the bastion can access websites on the internet.

I hope this puts you on the right track, although I'm not at all clear what your target state is.

EXPERT
Steve_M
answered 8 months ago
  • @Steve M Thanks for replying. Q. why are you trying to ping-test the internet gateway and NAT gateway? A: I believe performing these tests is crucial to validate the network connection from the source to the internet.

    Additionally, I encountered HTML code when using the 'curl' command and received HTML code from CLI prompt. However, the browser has yet to respond.

  • How did you find out the IP address of the Internet Gateway, so you would know what to ping?

    So you can successfully curl google.com from the command line of the EC2 in the public zone, is the browser (that's failing) also running on the EC2?
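
An added example, not part of the original thread or the answerer's own code: an offline check of the two security-group conditions the accepted answer describes (bastion egress to 10.10.20.190 and private-host ingress from 10.10.10.40 on 80/tcp and 443/tcp). The rule lists are constructed sample data in the IpPermissions shape that `aws ec2 describe-security-groups` returns, the function names are hypothetical, and only IPv4 CidrIp entries are evaluated (security-group references and prefix lists are not handled).

```python
import ipaddress

# Constructed sample rules (assumption, not taken from the poster's account).
BASTION_EGRESS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.10.20.190/32"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.10.20.190/32"}]},
]
PRIVATE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.10.10.40/32"}]},
    # ICMP open: ping succeeds, which says nothing about 80/443.
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "10.10.10.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.10.10.40/32"}]},
]

def rule_allows(rule, peer_ip, port, proto="tcp"):
    """True if one IpPermissions entry permits proto/port for peer_ip."""
    if rule["IpProtocol"] not in (proto, "-1"):
        return False
    # "-1" means all protocols and ports; otherwise check the port range.
    if rule["IpProtocol"] != "-1":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", []))

def missing_ports(rules, peer_ip, ports=(80, 443)):
    """Ports from `ports` that no rule in `rules` permits for peer_ip."""
    return [p for p in ports
            if not any(rule_allows(r, peer_ip, p) for r in rules)]

def check_web_path(bastion_egress, private_ingress,
                   bastion_ip="10.10.10.40", web_ip="10.10.20.190"):
    """Report which web ports are blocked on each side of the path."""
    return {
        "bastion_egress_missing": missing_ports(bastion_egress, web_ip),
        "private_ingress_missing": missing_ports(private_ingress, bastion_ip),
    }

if __name__ == "__main__":
    print(check_web_path(BASTION_EGRESS, PRIVATE_INGRESS))
```

With the constructed rules, the private host's ingress lacks 443/tcp even though SSH and ICMP from the bastion are allowed, which is the kind of gap a successful ping test does not reveal.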

0

Hey, Riku, I have attached the route table and VPN endpoint configuration for your reference. The VPN endpoint was tied to run from the private subnet to the public subnet as part of the testing process, but I changed it to be tied to the public subnet for now. My expectation was that connecting through the public subnet would result in fewer issues compared to using the private subnet.

routetable_publicSubnet

VPNendpoint

answered 8 months ago
  • You will not be able to access the internet with the above setup I am afraid if that route table is matching the 2 screen shots

  • @Gary I thought "Destination 0.0.0.0/0 will send all traffic to IGW"

0

Hello.
Can you show me the route table of the subnet that the Client VPN endpoints are tied to?
Probably, public websites cannot be displayed unless a route to the NAT Gateway is set here.

EXPERT
answered 8 months ago
  • Routes and authorisation rules and DNS settings from VPN client endpoint settings will also be beneficial.
