
Questions tagged with Amazon VPC


Encrypted VPN Connectivity from VMC on AWS SDDC to On-Premise DC

Dear Team,

I have the following setup requirements between VMware on AWS SDDC and on-premise DC.

1. Need an encrypted VPN solution between SDDC and on-premise DC.
2. Need an encrypted VPN solution between SideCar VPC and on-premise DC.
3. We have Direct Connect set up between DC and AWS.
4. Protected firewall sitting behind the edge device in on-premise DC; encrypted VPN setup on DX needs two sets of public. Firewall sitting behind edge device for VPN connectivity, but that firewall could not be configured with a public IP. The last hop where the public IP could be configured is the edge device on the customer site.

As per my understanding, I can use the public VIF on Direct Connect to set up the encrypted VPN connection between the client edge device and AWS router. But the problem statement in this case is:

1. How to set up the encrypted VPN solution for both SDDC and sidecar VPC? Can we route the traffic from SDDC to VTGW to TGW (of the sidecar account) and then leverage public VIF to set up encrypted VPN from TGW to customer edge device?
2. Do we need the DX gateway to set up the encrypted VPN connectivity?
3. Encrypted VPN on DX would need two sets of public IPs. What if the customer firewall does not have the option to configure the public IP for encrypted VPN?
4. Can I use the DX setup in one OU to create the public VIF for another account in a separate OU? This is required because I am looking to create the encrypted VPN connection from two OUs to the DC.

Please advise with your comments or if there is any reference architecture available with VMC/AWS.

Many Thanks
Rio

1 answer · 0 votes · 4 views · asked 6 days ago

`RequestTimeout`s for S3 put requests from a Lambda in a VPC for larger payloads

# Update

I added a VPC gateway endpoint for S3 in the same region (US East 1). I selected the route table for it that the lambda uses. But still, the bug persists. Below I've included details regarding my network configuration. The lambda is located in the "api" subnet.

## Network Configuration

1 VPC

4 subnets:

* public
  - IPv4 CIDR: 10.0.0.0/24
  - route table: public
  - Network ACL: public
* private
  - IPv4 CIDR: 10.0.1.0/24
  - route table: private
  - Network ACL: private
* api
  - IPv4 CIDR: 10.0.4.0/24
  - route table: api
  - Network ACL: api
* private2-required
  - IPv4 CIDR: 10.0.2.0/24
  - route table: public
  - Network ACL: -

3 route tables:

* public
  - Destination: 10.0.0.0/16, Target: local
  - Destination: 0.0.0.0/0, Target: igw-xxxxxxx
  - Destination: ::/0, Target: igw-xxxxxxxx
* private
  - Destination: 10.0.0.0/16, Target: local
* api
  - Destination: 10.0.0.0/16, Target: local
  - Destination: 0.0.0.0/0, Target: nat-xxxxxxxx
  - Destination: pl-xxxxxxxx, Target: vpce-xxxxxxxx (VPC S3 endpoint)

4 network ACLs:

* public
  - inbound rules: All traffic (allow)
  - outbound rules: All traffic (allow)
* private
  - inbound rules:
    - 100: PostgreSQL TCP 5432 10.0.0.48/32 (allow)
    - 101: PostgreSQL TCP 5432 10.0.4.0/24 (allow)
  - outbound rules:
    - 100: Custom TCP TCP 32768-65535 10.0.0.48/32 (allow)
    - 101: Custom TCP TCP 1024-65535 10.0.4.0/24 (allow)
* api
  - inbound rules: All traffic (allow)
  - outbound rules: All traffic (allow)
* \-
  - inbound rules: All traffic (allow)
  - outbound rules: All traffic (allow)

# Update #

I increased the timeout of the lambda to 5 minutes, and the timeout of the PUT request to the S3 bucket to 5 minutes as well. Before this the request itself would time out, but now I'm actually getting a response back from S3. It is a 400 Bad Request response. The error code is `RequestTimeout`. And the message in the payload of the response is "Your socket connection to the server was not read from or written to within the timeout period."

This exact same code works 100% of the time for a small payload (on the order of 1KB), but apparently for payloads on the order of 1MB it starts breaking. There is no logic in _my code_ that does anything differently based on the size of the payload. I've read similar issues that suggest the issue is with the wrong number of bytes being provided in the "content-length" header, but I've never provided a value for that header. Furthermore, the lambda works flawlessly when executed in my local environment. The problem definitely appears to be a networking one.

At first glance it might seem like this is just an issue with the lambda being able to interact with services outside of the VPC, but that's not the case because the lambda _does_ work exactly as expected for smaller file sizes (<1KB). So it's not that it flat out can't communicate with S3. Scratching my head here...

# Original #

I use S3 to host images for an application. In my local testing environment the images upload at an acceptable speed. However, when I run the same exact code from an AWS Lambda (in my VPC), the speeds are untenably slow. I've concluded this because I've tested with smaller images (< 1KB) and they work 100% of the time without making any changes to the code. Then I use 1MB sized payloads and they fail 98% of the time. I know the request to S3 is the issue because of logs made from within the Lambda that indicate the execution reaches the upload request, but — almost — never successfully passes it (times out).

1 answer · 0 votes · 32 views · asked 10 days ago

My ECS tasks (VPC A) can't connect to my RDS (VPC B) even though the VPCs are peered and networking is configured correctly

Hi,

As mentioned in the question, my ECS tasks cannot connect to my RDS. The ECS tasks try to resolve the RDS by name, and it resolves to the RDS public IP (RDS has public and private IPs). However, the security group on RDS doesn't allow open access from all IPs so the connection fails. I temporarily allowed all connections and could see that the ECS tasks are routing through the open internet to access the RDS.

Reachability Analyzer checking specific tasks' Elastic Network Interface to the RDS ENI is successful, using internal routing through the peering connection.

At the same time I have another server on VPC C that can connect to the RDS. All the config is similar between these two apps, including the peering connection, security group policies and routing tables.

Any help is appreciated.

Here are some details about the VPCs:

- VPC A - 15.2.0.0/16 [three subnets]
- VPC B - 111.30.0.0/16 [three subnets]
- VPC C - 15.0.0.0/16 [three subnets]
- Peering Connection 1 between A and B
- Peering Connection 2 between C and B

Route table for VPC A:

- 111.30.0.0/16: Peering Connection 1
- 15.2.0.0/16: Local
- 0.0.0.0/0: Internet Gateway

Route table for VPC C:

- 111.30.0.0/16: Peering Connection 2
- 15.2.0.0/16: Local
- 0.0.0.0/0: Internet Gateway

Security groups allow traffic to RDS:

- Ingress: 15.0.0.0/16: Allow DB Port; 15.2.0.0/16: Allow DB Port
- Egress: 0.0.0.0/0: Allow all ports

When I add the rule 0.0.0.0/0 Allow DB Port to the RDS, then ECS can connect to my RDS through its public IP.

1 answer · 2 votes · 5 views · asked 17 days ago

Instances can't reach classic ELB in VPC after ENI change

Four or five times in the past 6-8 weeks, we've had situations where one of our EC2 instances (running CentOS) cannot reach the private IP address of a classic ELB. I believe this is due to scaling events (or something else causing replacement of ELB components) happening on the ELB. From what I see in CloudTrail, the network interface is replaced with one having the same IP address but a different MAC address. Sometimes, but not all the time, the old MAC address gets stuck in the instance's ARP cache (in REACHABLE state), preventing the instance from communicating with the ELB and causing drastic issues for our application. If I manually delete the entry from the ARP cache, things start working again.

This is happening across different environments, so multiple subnets, multiple ELBs and multiple EC2 instances. These environments and components have been running for years without seeing this issue before. The only network config change we've recently made is to disable jumbo frames earlier this year, but I don't see how that would impact this. Any ideas how to fix this? Thanks

EDIT: this happened again today and I was able to more closely examine things. The new ENI is actually re-using an IP address that had been used over a month prior. The old entry for said IP address is still listed in the ARP cache with the prior MAC address, despite not being used for about four weeks. This explains why it's starting to happen more frequently, as the chance that an IP address gets re-used increases as new ENIs are created for the ELBs. It's a /26 subnet so not a lot of addresses to choose from.

1 answer · 0 votes · 2 views · asked a month ago

Security group appears to block certain ports after google-authenticator mis-entries

I run a small server providing web and mail services with a public address. I was planning on upgrading from a t2.small to a t3.small instance so I began testing the new environment using Ubuntu 20.04. The new instance is running nginx, postfix, dovecot and has ports 22, 25, 80, 443, 587 and 993 open through two security groups assigned. I wanted to test a user which used only google-authenticator with pam/sshd to log in (no pubkey, no password).

What I discovered was that after two sets of failed login attempts (intentional), my connection to the server would be blocked and I would receive a timed out message. Checking the port status with nmap shows that ports 22, 80 and 443 were closed and the remaining still open. I can still reach all the ports normally from within my VPC, but from outside, the ports are blocked. Restarting the instance or reassigning the security groups will fix the problem. Also, after about 5 minutes, the problem resolves itself.

It appears that the AWS security group is the source of the block, but I can find no discussion of this type of occurrence. This isn't critical, but a bit troubling, because it opens a route for malicious actions that could block access to my instance. I have never experienced anything like this in about 7 years of running a similar server, though I never used google-authenticator with pam/sshd before. Do you have any ideas? I'd be happy to provide the instance id and security groups if needed.

1 answer · 0 votes · 5 views · asked a month ago

Problem adding nodegroup in EKS cluster with GW NAT

Hello,

I am having difficulties in bringing an EKS cluster back into compliance.

**Cluster:** I have an EKS cluster with:

- 6 EKS control plane networks (network 1-6)
  i. Network 1/2/3 are in an RA routing table with a 0.0.0.0/0 which refers to an Internet Gateway
  ii. Network 4/5/6 are in an RB routing table with a 0.0.0.0/0 that refers to a NAT Gateway (+ other routes to my company network)
- 4 cluster nodegroups with networks 4/5/6 used for worker nodes
- My EKS cluster has a public and private API (=> from a node, when I do a DNS resolution I do see a private IP)

**Target:** EKS cluster with:

- 6 EKS control plane networks (network 1-6)
  i. Network 1/2/3 in an RA routing table with a 0.0.0.0/0 that refers to an Internet Gateway
  ii. Network 4/5/6 also in the RA routing table
- 4 cluster nodegroups
  i. Nodegroup 1: uses network 10 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)
  ii. Nodegroup 2: uses network 11 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)
  iii. Nodegroup 3: uses network 12 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)
  iv. Nodegroup 4: uses network 13 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)

**Problem**

When creating a new nodegroup to replace an existing one, I indicate network 10/11/12 or 13. The RC routing table is OK with the NAT Gateway.

Problem: the node can't join the cluster (error message: **Instances failed to join the kubernetes cluster**). I can see the EC2 instance being created in the right network 10/11/12 or 13.

I don't understand the problem: why can't the nodes in this network 10/11/12 or 13 join the API cluster through the ENI in network 1-6?

When I create a new nodegroup and I indicate a network 1-6 (network on route table RA or RB) it works without problem.

Sincerely

0 answers · 0 votes · 1 view · asked a month ago

Client VPN, error on Linux client when adding route number 63

Hi, we have a very rare problem with AWS Client VPN. We have 62 routes/authorizations and the service works fine; we have Windows clients with the Client VPN software and Linux clients with OpenVPN software. But when we add route number 63, Windows clients go fine, but Linux clients (all of them) fail with messages like this:

...
```
55.0,route 10.53.4.0 255.255.255.0,route 10.1.124.0 255.255.255.0,route 10.105.0.0 255.255.0.0,route 172.25.246.0 255.255.255.0,route 172.24.191.0 255.255.255.0,route 172.25.182.0 255.255.255.0,route 10.55.36.0 255.255.255.0,route 10.53.132.0 255.255.255.0,route 172.25.196.0 255.255.255.0,route 172.25.76.0 255.255.255.0,route-gateway 10.200.0.129,topology subnet,ping 1,ping-restart 20,ifconfig'
2022-03-24 09:14:12 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:68: ifconfig (2.5.6)
2022-03-24 09:14:12 OPTIONS IMPORT: timers and/or timeouts modified
2022-03-24 09:14:12 OPTIONS IMPORT: --ifconfig/up options modified
2022-03-24 09:14:12 OPTIONS IMPORT: route options modified
2022-03-24 09:14:12 OPTIONS IMPORT: route-related options modified
2022-03-24 09:14:12 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-03-24 09:14:12 Using peer cipher 'AES-256-GCM'
2022-03-24 09:14:12 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-03-24 09:14:12 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-03-24 09:14:12 net_route_v4_best_gw query: dst 0.0.0.0
2022-03-24 09:14:12 net_route_v4_best_gw result: via 192.168.0.1 dev enx000ec675f0d5
2022-03-24 09:14:12 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enx000ec675f0d5 HWADDR=00:0e:c6:75:f0:d5
2022-03-24 09:14:12 TUN/TAP device tun0 opened
2022-03-24 09:14:12 WARNING: OpenVPN was configured to add an IPv4 route. However, no IPv4 has been configured for tun0, therefore the route installation may fail or may not work as expected.
2022-03-24 09:14:12 net_route_v4_add: 10.203.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.204.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.202.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.52.12.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.24.0.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.201.0.0/16 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.53.8.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 172.24.224.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 10.1.28.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
2022-03-24 09:14:12 net_route_v4_add: 172.24.0.0/24 via 10.200.0.129 dev [NULL] table 0 metric -1
2022-03-24 09:14:12 sitnl_send: rtnl: generic error (-101): Network is unreachable
2022-03-24 09:14:12 ERROR: Linux route add command failed
```
...

Any help is welcome, thanks in advance!

Bye,

1 answer · 0 votes · 4 views · asked 2 months ago

Client VPN on Linux: Connection failed - SQLite error?

The only clue is in /var/log/syslog which says

> Mar 23 11:55:17 lego AWS VPN Client: SQLite error (5): database is locked in "PRAGMA max_page_count = 5000"

The AWS client logs say:

```
2022-03-23 12:03:03.870 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 0 to MetricsTable
2022-03-23 12:03:03.870 +00:00 [DBG] Starting OpenVpn process
2022-03-23 12:03:04.150 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT 1 to AnalyticsTable
2022-03-23 12:03:04.151 +00:00 [DBG] Shutting down metrics agent
2022-03-23 12:03:04.151 +00:00 [DBG] Metrics agent shut down
2022-03-23 12:03:04.157 +00:00 [DBG] OvpnGtkServiceClient connected. Calling StartVpnAsync
2022-03-23 12:03:04.178 +00:00 [DBG] OvpnGtkServiceClient received OpenVPN process PID: -1
2022-03-23 12:03:04.178 +00:00 [DBG] DeDupeProcessDiedSignals: Unknown error caused OpenVPN process to not start: -1
2022-03-23 12:03:04.178 +00:00 [WRN] Acs did not stop correctly!
2022-03-23 12:03:04.178 +00:00 [ERR] Process died signal sent ACVC.Core.OpenVpn.OvpnProcessFailedToStartException: Unknown error caused OpenVPN process to not start: -1
   at ACVC.Core.OpenVpn.OvpnGtkProcessManager.Start(String openVpnConfigPath, String managementPortPasswordFile, Int32 timeoutMilliseconds) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnProcessManager.cs:line 696
   at ACVC.Core.OpenVpn.OvpnConnectionManager.Connect(OvpnConnectionProfile configProfile, GetCredentialsCallback getCredentialsCallback, Int32 timeout) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 861
2022-03-23 12:03:04.180 +00:00 [DBG] Received exception for connection state Disconnected. Show error message to user
2022-03-23 12:03:04.180 +00:00 [ERR] Exception received by connect window view model ACVC.Core.OpenVpn.OvpnProcessDiedException: The VPN process has stopped unexpectedly.
2022-03-23 12:03:04.539 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 1 to MetricsTable
2022-03-23 12:03:04.856 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_GENERAL_ERROR 1 to AnalyticsTable
2022-03-23 12:03:05.212 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT_FAIL_VPN_PROCESS_DIED 1 to MetricsTable
2022-03-23 12:03:05.497 +00:00 [DBG] Inserted event UI_APP_VPN_CONNECT_ATTEMPT_FAIL_VPN_PROCESS_DIED 1 to AnalyticsTable
2022-03-23 12:03:05.497 +00:00 [DBG] Clean up connections. Connection state: Connecting
2022-03-23 12:03:05.498 +00:00 [INF] Validating schema for OpenVPN config: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/AWS JumpCloud
2022-03-23 12:03:05.801 +00:00 [DBG] Inserted event CONNECTION_PROFILE_TYPE 1 to AnalyticsTable
2022-03-23 12:03:06.500 +00:00 [DBG] Caught exception when getting connection status. Exception information: System.TimeoutException: The message did not respond within the expected timeframe or was cancelled
   at ACVC.Core.OpenVpn.OvpnConnectionManager.SendMessage(String message, Int32 timeout, CancellationToken cancellationToken) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 1140
   at ACVC.Core.OpenVpn.OvpnConnectionManager.GetConnectionStatus() in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConnectionManager.cs:line 1228
   at ACVC.Core.Metrics.MetricsClient.RecordBytesMetricsAndAnalytics(IConnectionManager connectionManager) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/Metrics/MetricsClient.cs:line 136
```

/var/log/aws-vpn-client/falken/gtk_service_aws_client_vpn_connect_20220301.log

```
2022-03-23 12:19:36.142 +00:00 [DBG] [TI=9] Start method called: OpenVPN validation file: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt, management password file: /home/falken/.config/AWSVPNClient/acvc-8096.txt
2022-03-23 12:19:36.146 +00:00 [ERR] Drive type Network not supported.
2022-03-23 12:19:36.146 +00:00 [ERR] [TI=9] Unhandled exception ACVC.Core.OpenVpn.ReferencedFilePathInvalidException: File: /home/falken/.config/AWSVPNClient/OpenVpnConfigs/current_connection.txt may be a path to an unsupported drive type, which is not allowed for security reasons
   at ACVC.Core.OpenVpn.OvpnConfigParser.CheckSupportedDriveType(String path) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConfigParser.cs:line 795
   at ACVC.Core.OpenVpn.OvpnConfigParser.ValidateReferencedFilePath(String path, String flag) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.Core/OpenVpn/OvpnConfigParser.cs:line 689
   at ACVC.GTK.Service.DBus.OvpnGtkService.StartVpnAsync(String ovpnConfigValidationFile, String managementPortPasswordFile) in /home/ubuntu/Jenkins/workspace/GtkBuild/SecureConnectClient/ACVC.GTK.Service/DBus/OvpnGtkService.cs:line 46
```

How can I find out what's up or what DB this is? v2 seemed to work fine. I've purged and reinstalled the package, and renamed ~/.config/AWSVPNClient to no avail. Ubuntu 20.04 LTS, all updated.

1 answer · 0 votes · 22 views · asked 2 months ago

AWS Elastic Beanstalk Running in Private VPC without internet access

My objective is to deploy a web application in a VPC **without internet access** and using Elastic Beanstalk as the platform. A single AZ deployment will be sufficient and the load balancer will be "**internal**" facing, where we will access it from a Windows client in the same subnet.

I have created a private subnet in a VPC without an internet gateway. Added a bunch of VPC interface endpoints such as `S3, SSM, ElasticBeanstalk, ElasticBeanstalk-health, sqs, cloudformation, logs` etc. Used the default security group for each endpoint.

I have created an EC2 instance profile with the 2 managed policies [`AWSElasticBeanstalkWebTier` and `AmazonSSMManagedInstanceCore`] which also allows sts:AssumeRole by the "EC2" service. This instance profile will be used for the EB environment EC2 instance launch.

I have created an Elastic Beanstalk service role with the 2 managed policies [`AWSElasticBeanstalkEnhancedHealth` and `AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy`] which also allows sts:AssumeRole by the elasticbeanstalk service if sts:ExternalId StringEquals elasticbeanstalk.

I have used a simple Nodejs.zip example file from the AWS website to test. I created an environment where I have put the ELB and EC2 in the same subnet without any public IP address assigned. Used the "loadbalancer" environment with min and max number of instances set to "1" (auto-scaling not needed). ELB set to "internal". Health reporting chose "Enhanced".

When the environment gets created, it reports an error saying "Instance has not sent any data since launch" and "None of the instances are sending data". I searched online and some answers indicate that NTP UDP port 123 should be allowed in the security group so that the EC2 instance will have a valid time sync and the health reporting will become valid. However my VPC has no internet access; does that mean I have to set up my own NTP server in the VPC and write a bootstrap script in the EC2 instance to change the NTP server from the internet NTP to the intranet NTP?

That sounds like a lot of work. Is the NTP access the real cause for my deployment to be a failure in the private VPC? Thank you.

1 answer · 0 votes · 55 views · asked 2 months ago

EC2 instance suddenly unreachable via SSH

I was working on one of many instances (i-0023be12dc6bc88dd) in us-east-1a yesterday when the SSH session stopped responding. Attempting to reconnect timed out. This has happened occasionally before on other instances after a large spike/load of network traffic and usually recovers with an instance restart. This did not work in this case, and all others are unable to reach it as well.

Tried so far:

1) Instance restart
2) Instance stop-start
3) Remove/re-add security groups
4) Reset my local VPN connection (we have a VPN/route table to reach VPC instances)
5) Checked the flow logs of the ENI; they do not show traffic from my internal VPN IP during new attempts
6) `iptables -F && systemctl restart sshd`

What works:

1) If I SSH into another instance in the VPC (same or different subnet), I can then SSH into the problem instance immediately; everything is running and it behaves normally.

Info:

```
~$ ssh -v -i mykey.pem ubuntu@172.31.128.87
OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 172.31.128.87 [172.31.128.87] port 22.
debug1: connect to address 172.31.128.87 port 22: Connection timed out
ssh: connect to host 172.31.128.87 port 22: Connection timed out
```

From the instance when connected through another instance:

```
ubuntu@ip-172-31-128-87:~$ sudo systemctl restart sshd
ubuntu@ip-172-31-128-87:~$ sudo ss -tpln | grep -E '22|ssh'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=4467,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=4467,fd=4))
```

I'm at a loss for what's next.

2 answers · 0 votes · 10 views · asked 2 months ago

Advice on creating VPC for EC2 to use IPSec connection

I am currently working on the integration of 2 platforms which need to communicate with each other via HTTPS requests. However, one of these platforms' endpoints is only accessible via a VPN into their own network. I therefore want to use AWS to establish an intermediary app that will receive HTTPS communications from platform 1 and send them to platform 2, which is the one behind the VPN.

To this end, I have been looking at documentation on AWS, and it looks like the best solution is to create a VPC on which I'd create a Site-to-Site VPN Connection using IPSec. Then I would create a new EC2 instance on this VPC which I will use to forward requests from platform 1 to platform 2.

The questions I have are as follows:

1) Once the IPSec Site-to-Site connection is established, will my EC2 instance (deployed to the same VPC that hosts the Site-to-Site connection) immediately be able to communicate with platform 2, which is behind their VPN, based solely on the fact that it is on the same VPC, or will there be further routing setup required to allow communication via the established tunnel?

2) The VPN we wish to connect to has a process through which they must whitelist any given entities they connect with.

A) They ask for an IPSec Gateway IP; I have looked at the documentation at https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html and assume this is referring to the IP of what is in the document called the Virtual Private Gateway. I have created a VPG in my VPC but I cannot see an IP address associated with it. Is this something that only appears once the VPG is associated with a Site-to-Site connection (and is no longer in a state of detached)?

B) They require the IP addresses of the applications they will be interacting with, which in this case I assume will be my EC2 instance. However, they require that a subnet of /29 or higher is used. How can I enforce that subnet on the EC2 public IPs? When creating a VPC I have the option of specifying the IPv4 CIDR block, however I cannot specify a netmask that is not between /16 and /28.

I'm looking for advice on the above so I can make sure that the solution I wish to undertake with the VPC is not flawed, and that I am on the right track. Any guidance is appreciated.

1 answer · 0 votes · 5 views · asked 2 months ago

Benefits to S3 cross-region access with VPC peered interface endpoints vs. public internet using NAT gateways?

My team is looking to set up EMR clusters in private VPCs in all regions while having our main storage as S3 buckets in us-east-1. We will need cross-region access to S3 and have been looking at different ways of accomplishing it. We have considered two approaches:

1. Setting up isolated VPCs with no internet access, one in us-east-1 for the S3 bucket access and one in every region to launch our EMR clusters in. We will peer each of the VPCs with the one in us-east-1 and then set up an interface endpoint in the us-east-1 VPC to allow S3 access through the interface endpoint with VPC peering. This utilizes AWS PrivateLink.
2. Setting up a private VPC with an internet gateway and NAT gateways in public subnets while launching EMR clusters in the private subnets. We will access S3 across regions through the public internet.

For both solutions, we will utilize gateway endpoints when the compute and storage are in the same region, as we found this should yield the same benefits as interface endpoints but with no additional cost.

Through my research, I have found that AWS PrivateLink is more secure due to no public internet usage and has a significant latency advantage of up to 70% according to this experiment: https://blogs.vmware.com/security/2020/03/performance-testing-justifying-cost-and-performance-improvements-part-2.html

I am wondering if we will still see this latency benefit if we are using VPC peering or if it would be better to go with the internet route.

2 answers · 1 vote · 12 views · asked 2 months ago

Configured VPC NAT instances stopped working yesterday (03.03.2022, eu-central-1)

Hi, I'm confronted with a really annoying problem currently. My custom VPC (3 public subnets, 3 private subnets -> internet access through NAT instances) broke out of the blue yesterday.

My infrastructure is deployed via CloudFormation and yesterday I updated a stack where three NAT instances for my VPC are located (for each public subnet there is one NAT instance deployed in it). They had worked flawlessly before yesterday, and as a new Amazon Linux 2 version was released (I reference the AMI ID via /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-arm64-gp2), these instances got updated to use the newest AMI. Since then I have problems routing traffic from private subnets to the internet as things are not working as expected anymore.

The current primary point of failure is that my CodePipeline fails because a CodeBuild action fails. The temporary CodeBuild instance is deployed in one of the three private subnets and then has to download a CodePipeline artifact from S3 through the internet. This step fails with the following error:

`CLIENT_ERROR: RequestError: send request failed caused by: Get "https://s3.eu-central-1.amazonaws.com/<S3-bucket-name>?location=": dial tcp 52.219.170.173:443: connect: no route to host for primary source and source version arn:aws:s3:::<S3-prefix>`

The thing is: before yesterday's last stack update which altered the NAT instances, everything was working as expected and CodePipeline succeeded. CodeBuild was able to download the necessary artifacts from S3 and the VPC and NAT instances were set up correctly. Then the update came in and CodeBuild fails now. The only thing that was changed was the AMI ID for the NAT instances (and I replaced absolute strings for "ProjectName" in my CodeBuild actions in CodePipeline with !Ref to the AWS::CodeBuild::Project resources, which should have nothing to do with my current problem).

After the updated NAT instances were not working anymore, I set their AMI IDs to explicit older versions as I assumed that there is a problem with the newest Amazon Linux 2 version. However, even with the older AMIs I'm not able to get the NAT instances working again (at least not for CodeBuild, but I noticed that ECS services running on an EC2 instance (which is also deployed in a private subnet) lost connection to the internet as well). I even redeployed the whole infrastructure to check if there is a problem on the side of AWS, but the problem persists.

The problem got me really frustrated now as everything was working fine. Then a small update was applied and now the NAT instances fail even if I haven't changed anything in the VPC and NAT configuration. Where should the problem be now if not on the side of AWS? My currently deployed NAT instances are configured as described by AWS and, as they have worked before, they are reachable via SSH and can access the internet via the VPC's internet gateway. Still, CodeBuild continues to fail with the mentioned error and the internet seems not to be accessible from private subnets as was the case before yesterday.

I would be more than glad if anyone has suggestions how this problem can be resolved now. Thanks in advance!

3 answers · 0 votes · 4 views · asked 3 months ago