
Questions tagged with Networking & Content Delivery


Encrypted VPN Connectivity from VMC on AWS SDDC to On-Premise DC

Dear Team,

I have the following setup requirements between VMware on AWS SDDC and the on-premise DC:

1. Need an encrypted VPN solution between the SDDC and the on-premise DC.
2. Need an encrypted VPN solution between the sidecar VPC and the on-premise DC.
3. We have Direct Connect set up between the DC and AWS.
4. A protected firewall sits behind the edge device in the on-premise DC; an encrypted VPN setup on DX needs two sets of public IPs. The firewall sitting behind the edge device handles the VPN connectivity, but that firewall cannot be configured with a public IP. The last hop where a public IP can be configured is the edge device on the customer site.

As per my understanding, I can use the public VIF on Direct Connect to set up the encrypted VPN connection between the client edge device and the AWS router. But the problem statements in this case are:

1. How to set up the encrypted VPN solution for both the SDDC and the sidecar VPC? Can we route the traffic from the SDDC to the VTGW to the TGW (of the sidecar account) and then leverage the public VIF to set up an encrypted VPN from the TGW to the customer edge device?
2. Do we need the DX gateway to set up the encrypted VPN connectivity?
3. An encrypted VPN on DX would need two sets of public IPs. What if the customer firewall does not have the option to configure the public IP for the encrypted VPN?
4. Can I use the DX setup in one OU to create the public VIF for another account in a separate OU? This is required because I am looking to create encrypted VPN connections from two OUs to the DC.

Please advise with your comments or if there is any reference architecture available with VMC/AWS.

Many thanks,
Rio
1 answer, 0 votes, 4 views, asked 5 days ago

My ECS tasks (VPC A) can't connect to my RDS (VPC B) even though the VPCs are peered and networking is configured correctly

Hi,

As mentioned in the question, my ECS tasks cannot connect to my RDS. The ECS tasks try to resolve the RDS by name, and it resolves to the RDS public IP (RDS has public and private IPs). However, the security group on RDS doesn't allow open access from all IPs, so the connection fails. I temporarily allowed all connections and could see that the ECS tasks are routing through the open internet to access the RDS.

Reachability Analyzer, checking a specific task's Elastic Network Interface to the RDS ENI, is successful, using internal routing through the peering connection. At the same time I have another server on VPC C that can connect to the RDS. All the config is similar between these two apps, including the peering connection, security group policies and routing tables.

Any help is appreciated. Here are some details about the VPCs:

- VPC A - 15.2.0.0/16 [three subnets]
- VPC B - 111.30.0.0/16 [three subnets]
- VPC C - 15.0.0.0/16 [three subnets]
- Peering Connection 1 between A and B
- Peering Connection 2 between C and B

Route table for VPC A:
- 111.30.0.0/16: Peering Connection 1
- 15.2.0.0/16: Local
- 0.0.0.0/0: Internet Gateway

Route table for VPC C:
- 111.30.0.0/16: Peering Connection 2
- 15.2.0.0/16: Local
- 0.0.0.0/0: Internet Gateway

Security groups allow traffic to RDS:
- Ingress: 15.0.0.0/16: Allow DB Port; 15.2.0.0/16: Allow DB Port
- Egress: 0.0.0.0/0: Allow all ports

When I add the rule 0.0.0.0/0 Allow DB Port to the RDS, then ECS can connect to my RDS through its public IP.
1 answer, 2 votes, 5 views, asked 16 days ago

Issues getting split-tunnel in client VPN endpoint to work correctly.

I'm setting up a company VPN using AWS Client VPN endpoints. I have everything working so far; however, all client internet traffic is being routed through the VPN and out through the NAT gateway (and therefore incurring NAT gateway costs). I'm trying to enable split-tunnel, however I'm still getting 0.0.0.0/0 routes to the VPN added to my route table.

If I try:
- Split tunnel enabled
- Routes to local VPC and peered networks
- Authorized access to these routes
- Fairly open security group

and then connect to the VPN, I still get this in my route table:

```
> ~/d/i/vpn on branch ◦ netstat -nr                                   11:03:22
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 enp0s20f0u2
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U         0 0          0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG        0 0          0 tun0
-------         10.0.2.161      255.255.0.0     UG        0 0          0 tun0
```

(With some redaction above; I'm using 10.0.0.0/22 as the VPN CIDR.)

I'm connecting from a Fedora laptop using the built-in VPN client (I'm creating a VPN file based off the one you can download and importing it after adding in certs & keys). This all means that when I'm connected to the VPN I can access my private resources, but I lose all general internet connectivity. For our use case it's not workable for us to keep having to hop on and off the VPN.
1 answer, 0 votes, 6 views, asked 18 days ago

Horizontal Scaling concerns, SSL issue with NLB

Note: I'm new to scaling and am firstly seeking advice on the best practices for horizontal scaling.

**I have the following setup:**

*EC2 Instances <-> ASG (created from Launch template) -> TG <-> ALB <-> TG <-> NLB*

Traffic flows through the NLB to the ALB and finally to the EC2 instances configured via the ASG.

Note: I'm assuming the above setup is the best one to go with for horizontal scaling; if not, please let me know.

The above setup works fine for HTTP, whereas when I try to configure HTTPS, I don't see options to do so.

Issue 1: Target Group (TG) doesn't allow creating one with Load Balancer type with TLS port 443, but allows only TCP port 80.

**Question 1:** How else should I redirect HTTPS traffic to the ALB? Note: I need the NLB because the ALB doesn't provide static IPs.

**Question 2:** With regard to static IPs: the NLB doesn't allow fewer than 2 AZs, which means I need to have 2 static IPs linked to my domain?

Any inputs would be really helpful!

**Update 1:** I've configured it like below:

In ALB listeners: HTTP (80) gets redirected to HTTPS; HTTPS (443) gets forwarded to the ASG.
In NLB listeners: HTTP (80) gets forwarded to the ALB.

Note: the ALB's public URL is added to my domain (sample-alb.domain.com); the NLB's public URL is added to my domain (sample-nlb.domain.com).

SSL works fine if the user enters by hitting sample-alb.domain.com, whereas if the user enters by hitting sample-nlb.domain.com, it always fails with "ERR_CERT_INVALID". Any inputs on why this fails?

**Update 2:** I've got the answer to my Issue 1/Question 1 on how to redirect HTTPS traffic to the ALB from here: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html#configure-application-load-balancer-target

> **Listeners and routing**
> For Listeners, the default is a listener that accepts TCP traffic on port 80. Only TCP listeners can forward traffic to an Application Load Balancer target group. Keep the listener protocol set to TCP, but you can modify the port as required.
>
> This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol.

So, I created a TG with TCP port 80 and a listener on the NLB, which redirects to the ALB. (Say for example my NLB's public URL is 'nlb34323.amazonaws.com'.) Now, when I hit my NLB's public URL with 'http://nlb34323.amazonaws.com', it does get redirected to 'https://nlb34323.amazonaws.com', but eventually fails with a timeout error. Note: whereas when I hit the ALB's public URL, it is working fine.

Does it have anything to do with TLS termination as mentioned in the above documentation?

> This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol.

What am I doing wrong here?
2 answers, 0 votes, 7 views, asked a month ago

Linux OS networking bug in Elastic Beanstalk AMI with Tomcat & Corretto

We use AWS Elastic Beanstalk with an Amazon AMI with Tomcat & Corretto running on Amazon Linux 2 (`aws-elasticbeanstalk-amzn-2.0.20220316.64bit-eb_tomcat85corretto8_amazon_linux_2-hvm-2022-03-29T20-48`) and are running into an [OS networking bug](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1924298) when Tomcat is under load. The result of this bug is that TCP connections from clients connect but time out while the server is under load.

The networking bug is due to a race condition in the TCP stack which is fixed in Linux 5.10 kernels. A description and diff of the bug can be found in [this commit](https://github.com/torvalds/linux/commit/01770a166165738a6e05c3d911fb4609cc4eb416). From the description of this bug it looks like this race condition affects all TCP networking and is not specific to Tomcat, but manifests more often under load.

Currently, as far as I can tell, all the latest Amazon AMIs for Elastic Beanstalk for Tomcat or Corretto are using a 4.14 kernel. The AMI which we are using has a kernel of `4.14.268-205.500.amzn2.x86_64`. I have been able to reproduce the bug on this AMI using the sample server code in the Ubuntu bug report, which is independent of Tomcat. I have also tried reproducing the bug on newer versions of Amazon Linux 2 (AMI `amzn2-ami-kernel-5.10-hvm-2.0.20220419.0-x86_64-gp2`) which are using a `5.10.109-104.500.amzn2.x86_64` kernel, but have not been able to reproduce the bug on this kernel.

We would prefer not to have to create our own AMI for using Elastic Beanstalk, but were wondering if and when there will be an update to the Amazon Elastic Beanstalk AMIs which incorporates this OS bug fix, since this is affecting the reliability of networking under load.
0 answers, 2 votes, 6 views, asked a month ago

EC2 BYOIP: signature couldn't be verified

**The goal**

I am trying to bring my /46 IPv6 prefix to EC2. It is part of a /44 IPv6 assigned to my ASN with the status "ASSIGNED" within the RIPE database. The ROA records have been set, which I could also verify under https://rpki.cloudflare.com/.

**What I did so far**

I have basically followed this doc, yet provisioning fails: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#prepare-for-byoip

When I send the `aws ec2 provision-byoip-cidr` request, the status is `failed-provision` with the message "The CidrAuthorizationContext signature could not be verified with the X509 certificates in the RIR records". The command `whois -r -h whois.ripe.net abcd:efab:cde::/46 | grep descr | grep BEGIN` delivers my certificate successfully.

My request looks like this:

```
#!/bin/sh
text_message="1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS"
signed_message=$(echo $text_message | tr -d "\n" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n")
aws ec2 provision-byoip-cidr --cidr abcd:efab:cde::/46 --cidr-authorization-context Message="$text_message",Signature="$signed_message" --region eu-central-1
```

So, I checked the signature:

```
$ echo "1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS" > file.txt
$ cat file.txt | openssl dgst -sha256 -sign private-key.pem -keyform PEM > rsasign.txt
$ openssl sha256 -verify certificate.pem -signature rsasign.txt file.txt
unable to load key file
```

It only works when I use the public key instead of the certificate:

```
$ openssl sha256 -verify public-key.pem -signature rsasign.txt file.txt
Verified OK
```

I also tried adding just the public key to the inet6num object's descr in the RIPE database, but that results in "No X509 certificate could be found in the Whois remarks", so that won't do it.

**Question: Any ideas on how to bring my IPv6 prefix to AWS?** The linked documentation alone is of no help at this moment.
0 answers, 0 votes, 6 views, asked a month ago

Security group appears to block certain ports after google-authenticator mis-entries

I run a small server providing web and mail services with a public address. I was planning on upgrading from a t2.small to a t3.small instance, so I began testing the new environment using Ubuntu 20.04. The new instance is running nginx, postfix and dovecot and has ports 22, 25, 80, 443, 587 and 993 open through two assigned security groups. I wanted to test a user which used only google-authenticator with pam/sshd to log in (no pubkey, no password).

What I discovered was that after two sets of failed login attempts (intentional), my connection to the server would be blocked and I would receive a timed-out message. Checking the port status with nmap shows that ports 22, 80 and 443 were closed and the remaining ones still open. I can still reach all the ports normally from within my VPC, but from outside, the ports are blocked. Restarting the instance or reassigning the security groups will fix the problem. Also, after about 5 minutes, the problem resolves itself.

It appears that the AWS security group is the source of the block, but I can find no discussion of this type of occurrence. This isn't critical, but a bit troubling, because it opens a route for malicious actions that could block access to my instance. I have never experienced anything like this in about 7 years of running a similar server, though I never used google-authenticator with pam/sshd before. Do you have any ideas? I'd be happy to provide the instance id and security groups if needed.
1 answer, 0 votes, 5 views, asked a month ago

[EC2] Why no Public IPv4, but can go to the Internet?

```
[ec2-user@ip-10-16-60-224 ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ip-10-16-48-1.a 0.0.0.0         UG    0      0        0 eth0
10.16.48.0      0.0.0.0         255.255.240.0   U     0      0        0 eth0
instance-data.a 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
```

```
[ec2-user@ip-10-16-60-224 ~]$ ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 06:bf:f7:bd:36:52 brd ff:ff:ff:ff:ff:ff
    inet 10.16.60.224/20 brd 10.16.63.255 scope global dynamic eth0
       valid_lft 3109sec preferred_lft 3109sec
    inet6 2406:da18:e26:a403:977:a307:147f:a413/128 scope global dynamic
       valid_lft 437sec preferred_lft 127sec
    inet6 fe80::4bf:f7ff:febd:3652/64 scope link
       valid_lft forever preferred_lft forever
```

```
[ec2-user@ip-10-16-60-224 ~]$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  ec2-18-141-171-15.ap-southeast-1.compute.amazonaws.com (18.141.171.15)  8.342 ms ec2-175-41-128-177.ap-southeast-1.compute.amazonaws.com (175.41.128.177)  7.433 ms ec2-18-141-171-1.ap-southeast-1.compute.amazonaws.com (18.141.171.1)  19.818 ms
 2  100.65.32.224 (100.65.32.224)  3.347 ms 100.65.33.240 (100.65.33.240)  13.093 ms 100.65.34.176 (100.65.34.176)  23.462 ms
 3  100.66.16.74 (100.66.16.74)  7.746 ms 100.66.16.202 (100.66.16.202)  7.773 ms 100.66.16.38 (100.66.16.38)  3.531 ms
 4  100.66.19.190 (100.66.19.190)  5.059 ms 100.66.19.180 (100.66.19.180)  7.843 ms 100.66.18.228 (100.66.18.228)  16.918 ms
 5  100.66.7.249 (100.66.7.249)  12.221 ms 100.66.6.247 (100.66.6.247)  10.830 ms 100.66.6.113 (100.66.6.113)  21.846 ms
 6  100.66.4.89 (100.66.4.89)  80.326 ms 100.66.4.159 (100.66.4.159)  18.434 ms 100.66.4.9 (100.66.4.9)  11.122 ms
 7  100.65.11.1 (100.65.11.1)  0.604 ms 100.65.9.97 (100.65.9.97)  0.322 ms  0.358 ms
 8  203.83.223.30 (203.83.223.30)  1.243 ms 150.222.108.77 (150.222.108.77)  1.575 ms 52.93.10.76 (52.93.10.76)  1.316 ms
 9  52.93.8.160 (52.93.8.160)  2.001 ms 150.222.108.66 (150.222.108.66)  1.870 ms 150.222.108.68 (150.222.108.68)  2.114 ms
10  52.93.11.127 (52.93.11.127)  1.386 ms 52.93.11.115 (52.93.11.115)  1.350 ms 52.93.11.125 (52.93.11.125)  1.338 ms
11  99.83.90.55 (99.83.90.55)  4.053 ms  4.046 ms 99.83.68.227 (99.83.68.227)  4.297 ms
12  172.70.140.3 (172.70.140.3)  2.673 ms * 172.70.144.5 (172.70.144.5)  2.274 ms
13  one.one.one.one (1.1.1.1)  1.755 ms  1.795 ms  1.771 ms
```

Thank you very much.
1 answer, 0 votes, 9 views, asked a month ago

Problem adding nodegroup in EKS cluster with GW NAT

Hello,

I am having difficulties in bringing an EKS cluster back into compliance.

**Cluster:** I have an EKS cluster with:
- 6 EKS control plane networks (networks 1-6)
  i. Networks 1/2/3 are in an RA routing table with a 0.0.0.0/0 which refers to an Internet Gateway
  ii. Networks 4/5/6 are in an RB routing table with a 0.0.0.0/0 that refers to a NAT Gateway (+ other routes to my company network)
- 4 cluster nodegroups with networks 4/5/6 used for worker nodes
- My EKS cluster has a Public and Private API (=> from a node, when I do a DNS resolution I do see a private IP)

**Target:** EKS cluster with:
- 6 EKS control plane networks (networks 1-6)
  i. Networks 1/2/3 in an RA routing table with a 0.0.0.0/0 that refers to an Internet Gateway
  ii. Networks 4/5/6 also in the RA routing table
- 4 cluster nodegroups
  i. Nodegroup 1: uses network 10 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)
  ii. Nodegroup 2: uses network 11 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)
  iii. Nodegroup 3: uses network 12 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)
  iv. Nodegroup 4: uses network 13 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)

**Problem**

When creating a new nodegroup to replace an existing one, I indicate network 10/11/12 or 13. The RC routing table is OK with the NAT Gateway. Problem: the node can't join the cluster (error message: **Instances failed to join the kubernetes cluster**). I can see the EC2 instance being created in the right network 10/11/12 or 13.

I don't understand the problem: why can't the nodes in network 10/11/12 or 13 join the cluster API through the ENI in networks 1-6?

When I create a new nodegroup and indicate a network 1-6 (a network on route table RA or RB), it works without problem.

Sincerely
0 answers, 0 votes, 1 view, asked a month ago

Problem receiving IP 127.0.0.1 at service startup instead of local IP

**Context:** We've got a number of load-balanced web servers running on Windows OS in AWS using C# .NET (5). We have a web server application as well as a Windows Service running on the same machine, and we have problems with logging from the Windows Service.

**Problem Description:** Since we have many servers running load balanced, we name the log stream with the private IP number in order to distinguish which machine potentially has problems. This private IP is extracted at startup of the application (for both the Windows Service and the Web Server). This is usually successful, but yesterday we had an incident when one Windows Service log stream was labeled with 127.0.0.1 instead of the local IP number. Eventually I was able to pinpoint which server it was and restarted the Windows Service, which made the private IP number appear instead in the new log stream name.

**Suggested reason with possible solution:** I'm guessing this is a race condition error. The machine has not received its private IP number yet from the AWS network before our service asked for it. **If so, we can wait for the real IP to appear just to make sure we get the right IP number in our log.**

I have three questions related to this:

**Questions:**
1. **Do you see any other reason than the one I suggested why the IP number 127.0.0.1 appears?**
2. **Is there a better solution available than the one I suggested?**
3. **Is there a way, using an AWS API of some sort, to get hold of the public IP for the server?**

Here's the code for how we extract the private IP address in this context:

```
var hostName = System.Net.Dns.GetHostName();
var ipAddresses = System.Net.Dns.GetHostAddresses(hostName);
var ipv4Address = ipAddresses.FirstOrDefault(ip => ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork);
```
2 answers, 0 votes, 14 views, asked a month ago

Client VPN on Linux: Connection failed - SQLite error?

The only clue is in /var/log/syslog, which says:

> Mar 23 11:55:17 lego AWS VPN Client: SQLite error (5): database is locked in "PRAGMA max_page_count = 5000"

The AWS client logs say:

```
2022-03-23 12:03:03.870 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 0 to MetricsTable
2022-03-23 12:03:03.870 +00:00 [DBG] Starting OpenVpn process
2022-03-23 12:03:04.150 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT 1 to AnalyticsTable
2022-03-23 12:03:04.151 +00:00 [DBG] Shutting down metrics agent
2022-03-23 12:03:04.151 +00:00 [DBG] Metrics agent shut down
2022-03-23 12:03:04.157 +00:00 [DBG] OvpnGtkServiceClient connected. Calling StartVpnAsync
2022-03-23 12:03:04.178 +00:00 [DBG] OvpnGtkServiceClient received OpenVPN process PID: -1
2022-03-23 12:03:04.178 +00:00 [DBG] DeDupeProcessDiedSignals: Unknown error caused OpenVPN process to not start: -1
2022-03-23 12:03:04.178 +00:00 [WRN] Acs did not stop correctly!
2022-03-23 12:03:04.178 +00:00 [ERR] Process died signal sent
ACVC.Core.OpenVpn.OvpnProcessFailedToStartException: Unknown error caused OpenVPN process to not start: -1
   at ACVC.Core.OpenVpn.OvpnGtkProcessManager.Start(String openVpnConfigPath, String managementPortPasswordFile, Int32 timeoutMilliseconds) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnProcessManager.cs:line 696
   at ACVC.Core.OpenVpn.OvpnConnectionManager.Connect(OvpnConnectionProfile configProfile, GetCredentialsCallback getCredentialsCallback, Int32 timeout) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 861
2022-03-23 12:03:04.180 +00:00 [DBG] Received exception for connection state Disconnected. Show error message to user
2022-03-23 12:03:04.180 +00:00 [ERR] Exception received by connect window view model
ACVC.Core.OpenVpn.OvpnProcessDiedException: The VPN process has stopped unexpectedly.
2022-03-23 12:03:04.539 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 1 to MetricsTable
2022-03-23 12:03:04.856 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 1 to AnalyticsTable
2022-03-23 12:03:05.212 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT_FAIL_VPN_PROCESS_DIED 1 to MetricsTable
2022-03-23 12:03:05.497 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT_FAIL_VPN_PROCESS_DIED 1 to AnalyticsTable
2022-03-23 12:03:05.497 +00:00 [DBG] Clean up connections. Connection state: Connecting
2022-03-23 12:03:05.498 +00:00 [INF] Validating schema for OpenVPN config: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/AWS JumpCloud
2022-03-23 12:03:05.801 +00:00 [DBG] Inserted event CONNECTION_PROFILE_TYPE 1 to AnalyticsTable
2022-03-23 12:03:06.500 +00:00 [DBG] Caught exception when getting connection status. Exception information: System.TimeoutException: The message did not respond within the expected timeframe or was cancelled
   at ACVC.Core.OpenVpn.OvpnConnectionManager.SendMessage(String message, Int32 timeout, CancellationToken cancellationToken) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 1140
   at ACVC.Core.OpenVpn.OvpnConnectionManager.GetConnectionStatus() in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 1228
   at ACVC.Core.Metrics.MetricsClient.RecordBytesMetricsAndAnalytics(IConnectionManager connectionManager) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/Metrics/MetricsClient.cs:line 136
```

/var/log/aws-vpn-client/falken/gtk_service_aws_client_vpn_connect_20220301.log:

```
2022-03-23 12:19:36.142 +00:00 [DBG] [TI=9] Start method called: OpenVPN validation file: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt, management password file: /home/falken/.config/AWSVPNClient/acvc-8096.txt
2022-03-23 12:19:36.146 +00:00 [ERR] Drive type Network not supported.
2022-03-23 12:19:36.146 +00:00 [ERR] [TI=9] Unhandled exception
ACVC.Core.OpenVpn.ReferencedFilePathInvalidException: File: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt may be a path to an unsupported drive type, which is not allowed for security reasons
   at ACVC.Core.OpenVpn.OvpnConfigParser.CheckSupportedDriveType(String path) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConfigParser.cs:line 795
   at ACVC.Core.OpenVpn.OvpnConfigParser.ValidateReferencedFilePath(String path, String flag) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConfigParser.cs:line 689
   at ACVC.GTK.Service.DBus.OvpnGtkService.StartVpnAsync(String ovpnConfigValidationFile, String managementPortPasswordFile) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.GTK.Service/DBus/OvpnGtkService.cs:line 46
```

How can I find out what's up, or what DB this is? v2 seemed to work fine. I've purged and reinstalled the package and renamed ~/.config/AWSVPNClient, to no avail. Ubuntu 20.04 LTS, all updated.
1 answer, 0 votes, 22 views, asked 2 months ago

Built a dynamic website using Wordpress hosted on a 3-tier architecture

I created my presentation tier (web layer) with 3 public subnets containing one EC2 each and use an internet-facing ELB to distribute traffic to all of them. I also installed Apache on all of the instances. The ELB health check is healthy and so far everything is working.

On my application layer, I created 3 private subnets containing one EC2 each and use an internal-facing ALB to distribute traffic to all of them. My ALB receives traffic only from my web servers, and I installed WordPress on all 3 of them (the script to install WordPress also includes Apache and MySQL). The ALB health check says that the health check failed, the reason being "unhealthy threshold 2 consecutive health check failures". I also created a NAT gateway for these application servers.

I created my database on the database layer with its security group that allows traffic only from app servers through port 3306.

From my understanding of a 3-tier architecture, they are all connected to one another through the security groups and even the route table. Since I can use Session Manager to connect to all my web servers and app servers, I would like to believe that my security group ports are "ok". Here is their flow: INTERNET --> Internet-facing ELB-SG --> Web-SG --> Internal-facing ALB-SG --> App-SG --> DB-SG. The flow is unsecure, using HTTP (80).

1. How do I troubleshoot "Unhealthy threshold 2 consecutive health check failures"?
2. How do I build my application so that it will be accessible using only the DNS name of the internet-facing ELB?
2 answers, 0 votes, 6 views, asked 2 months ago

EC2 instance can’t access the internet

Apparently, my EC2 instance can't access the internet properly. Here is what happens when I try to install a Python module:

```
[ec2-user@ip-172-31-90-31 ~]$ pip3 install flask
Defaulting to user installation because normal site-packages is not writeable
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7fab198cbe10>: Failed to establish a new connection: [Errno 101] Network is unreachable')': /simple/flask/
```

etc. Besides, inbound ping requests to the instance's Elastic IP fail (Request Timed Out). However, the website that is hosted on the same EC2 instance can be accessed using both HTTP and HTTPS.

The security group is configured as follows. The inbound rules are:

| Port range | Protocol | Source |
| ---------- | -------- | --------- |
| 80 | TCP | 0.0.0.0/0 |
| 22 | TCP | 0.0.0.0/0 |
| 80 | TCP | ::/0 |
| 22 | TCP | ::/0 |
| 443 | TCP | 0.0.0.0/0 |
| 443 | TCP | ::/0 |

The outbound rules are:

| IP Version | Type | Protocol | Port range | Source |
| ---------- | ----------- | -------- | ---------- | --------- |
| IPv4 | All traffic | All | All | 0.0.0.0/0 |

The ACL inbound rules are:

| Type | Protocol | Port range | Source | Allow/Deny |
| ---- | -------- | ---------- | ------ | ---------- |
| HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 | Allow |
| SSH (22) | TCP (6) | 22 | 0.0.0.0/0 | Allow |
| HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0 | Allow |
| All ICMP - IPv4 | ICMP (1) | All | 0.0.0.0/0 | Allow |
| All traffic | All | All | 0.0.0.0/0 | Deny |

and the outbound rules are:

| Type | Protocol | Port range | Source | Allow/Deny |
| ---- | -------- | ---------- | ------ | ---------- |
| Custom TCP | TCP (6) | 1024 - 65535 | 0.0.0.0/0 | Allow |
| HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 | Allow |
| SSH (22) | TCP (6) | 22 | 0.0.0.0/0 | Allow |
| HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0 | Allow |
| All ICMP - IPv4 | ICMP (1) | All | 0.0.0.0/0 | Allow |
| All traffic | All | All | 0.0.0.0/0 | Deny |

This is what the route table associated with the subnet looks like:

| Destination | Target | Status | Propagated |
| ----------- | ------ | ------ | ---------- |
| 172.31.0.0/16 | local | Active | No |
| 0.0.0.0/0 | igw-09b554e4da387238c | Active | No |

(no explicit or edge associations).

As for the firewall, executing `sudo iptables -L` results in

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

and `sudo iptables -L -t nat` gives

```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
```

What am I missing here? Any suggestions or ideas on this would be greatly appreciated. Thanks
2 answers, 0 votes, 20 views, asked 2 months ago

Lightsail Ubuntu PPTP connection not working

I have a Lightsail Ubuntu 20.04 instance that I am trying to connect to a PPTP VPN as a client. I have set up the PPTP peers file, and I am connecting successfully. However, despite this, I find that the resources that should be accessible via the VPN are not available to me. Below is my peers file:

```
pty "pptp xxx --nolaunchpppd --debug"
name xxx
password xxx
remotename PPTP
require-mppe-128
require-mschap-v2
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
noauth
debug
persist
maxfail 0
defaultroute
usepeerdns
```

Below are the results of an `ifconfig -a` call:

```
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 172.26.2.212  netmask 255.255.240.0  broadcast 172.26.15.255
        inet6 2a05:d01c:b79:700:52ac:439:5044:4157  prefixlen 128  scopeid 0x0<global>
        inet6 fe80::491:a1ff:fefd:c3e8  prefixlen 64  scopeid 0x20<link>
        ether 06:91:a1:fd:c3:e8  txqueuelen 1000  (Ethernet)
        RX packets 176016  bytes 90486122 (90.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 116473  bytes 12944080 (12.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 834  bytes 72479 (72.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 834  bytes 72479 (72.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1396
        inet 192.168.122.116  netmask 255.255.255.255  destination 192.168.122.118
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 17  bytes 806 (806.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 116 (116.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Is there a routing setup that I need to configure within Lightsail, or is there any issue with the setup? I would have thought that once connected to the VPN successfully I would be able to access resources on the remote network.

I have attempted this using my personal Windows machine, pinging/creating curl requests to the remote resources, which works OK, so I can only assume there is some setup on my end that is incorrect. Any advice would be appreciated; if there is something I can do to provide additional information please let me know.

Dino
1 answer, 0 votes, 9 views, asked 2 months ago

Advice on creating VPC for EC2 to use IPSec connection

I am currently working on the integration of 2 platforms which need to communicate with each other via HTTPS requests. However, one of these platforms' endpoints is only accessible via a VPN into their own network. I therefore want to use AWS to establish an intermediary app that will receive HTTPS communications from platform 1 and send them to platform 2, which is the one behind the VPN.

To this end, I have been looking at documentation on AWS, and it looks like the best solution is to create a VPC on which I'd create a Site-to-Site VPN connection using IPSec. Then I would create a new EC2 instance on this VPC which I will use to forward requests from platform 1 to platform 2.

The questions I have are as follows:

1) Once the IPSec Site-to-Site connection is established, will my EC2 instance (deployed to the same VPC that hosts the Site-to-Site connection) immediately be able to communicate with platform 2, which is behind their VPN, based solely on the fact that it is on the same VPC, or will there be further routing setup required to allow it to communicate via the tunnel established?

2) The VPN we wish to connect to has a process through which they must whitelist any given entities they connect with.

A) They ask for an IPSec Gateway IP; I have looked at the documentation at https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html, and assume this is referring to the IP of what is in the document called the Virtual Private Gateway. I have created a VPG in my VPC but I cannot see an IP address associated with it. Is this something that only appears once the VPG is associated with a Site-to-Site connection (and is no longer in a state of detached)?

B) They require the IP addresses of the applications they will be interacting with, which in this case I assume will be my EC2 instance. However, they require that a subnet of /29 or higher is used. How can I enforce that subnet on the EC2 public IPs?

When creating a VPC I have the option of specifying the IPv4 CIDR block; however, I cannot specify a netmask that is not between /16 and /28.

I'm looking for advice on the above so I can make sure that the solution I wish to undertake with the VPC is not flawed, and that I am on the right track. Any guidance is appreciated.
1 answer, 0 votes, 5 views, asked 2 months ago