Route table not routing to Site-to-Site VPN's Inside Ipv4 CIDR
I have a VPC with a private subnet (NAT) that has a routing table which redirects traffic for a given IP range (data center) to a VGW (virtual private gateway). Then I have a site-to-site VPN configured with this VGW and a customer gateway; in its static routes I also added the IP range for the data center. But I can't seem to get my EC2 instance running Ubuntu to traceroute to the corresponding VPN's Inside IPv4 CIDR when trying to reach the data center's range. What could be wrong? The VPN tunnels are up, so even if I couldn't reach the data center, it should at least hop on the VPN IP address. Thanks in advance for any ideas!
AWS Client VPN - Notification of new client connection to another AWS service (e.g. Lambda)?
Hi, I'd like a Lambda function to be notified when a new client connects to our AWS Client VPN endpoint so that it can take some action to update our private hosted zone in Route53. Is there any way to send a notification from our AWS Client VPN endpoint to Lambda either via SNS or Eventbridge? Many thanks in advance.
S2S VPN tunnels up but no communication.
Hi, I'm trying to get a VPN running between my on-premises site and a VPC. I think I've followed all the instructions in the AWS guide, and created a VPG and CGW and attached them to a VPN on my VPC. I have used the generic config file to set up the IPsec VPN settings on the router here, a Draytek 3900 on Static Routing. Added Network ACL and security group rules to allow traffic between the private IP range on prem and the VPC subnet range. Both tunnels show as up in the console, but I can't ping between the on-prem machines and an instance I created in the subnet. From the router I can ping the inside IP of both tunnels, but not from the instance. I must be missing something, but I can't see what it is. I have set up route tables to point traffic from my subnets to my internal IP range to go to the VPG. I'm also getting confused by the tunnel IP ranges, which don't match anything at either end.

Information from config file:

Outside IP Addresses:
- Customer Gateway: xx.xx.xx.xx (public IP of my router set in CGW)
- Virtual Private Gateway: yy.yy.yy.yy (public IP of AWS tunnel)

Inside IP Addresses:
- Customer Gateway: 169.254.x/30 (this doesn't match my internal IP range)
- Virtual Private Gateway: 169.254.y/30 (this doesn't match VPC internal range)
- Next Hop: 169.54.y (pingable from my end)

My router config:
- Local IP/Subnet Mask: 192.168.a/24 (my internal range).
- Local next hop: 0.0.0.0 (also tried next hop from config file, but that didn't work either).
- Remote Host: yy.yy.yy.yy (public IP of AWS tunnel from config file).
- Remote IP/Subnet Mask: 169.254.x/30 (169.254.y/30 VPG from config file).

I've also added the IP range of my VPC into the 'More Remote Subnet' but that doesn't make any difference. Ping to keep alive is enabled and set to the VGW public IP.

- CGW is attached to my VPC.

VPN settings:
- VPC: My VPC.
- Local IP CIDR: my internal IP range (192.168.a).
- State: Available.
- Customer gateway: xx.xx.xx.xx (public IP of my router).
- Routing: Static.
- Remote IP CIDR: 0.0.0.0/0 (also tried subnets and entire VPC range).
- VPG: My VPG.
- Type: ipsec1.
- Acceleration: False.
- CGW: My CGW.

Can anyone point me in the right direction for the correct settings I need?
Issues getting split-tunnel in client VPN endpoint to work correctly.
I'm setting up a company VPN using AWS Client VPN endpoints. I have everything working so far; however, all client internet traffic is being routed through the VPN and out through the NAT gateway (and therefore incurring NAT gateway costs). I'm trying to enable split-tunnel; however, I'm still getting 0.0.0.0/0 routes to the VPN added to my route table. If I try:
- Split tunnel enabled
- Routes to local VPC and peered networks
- Authorized access to these routes
- Fairly open security group

and then connect to the VPN, I still get this in my route table:

```
> ~/d/i/vpn on branch ◦ netstat -nr                                    11:03:22
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 enp0s20f0u2
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U         0 0          0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG        0 0          0 tun0
-------         10.0.2.161      255.255.0.0     UG        0 0          0 tun0
```

(With some redaction above; I'm using 10.0.0.0/22 as the VPN CIDR.) I'm connecting from a Fedora laptop using the built-in VPN client; I'm creating a VPN file based off the one you can download and importing it after adding in certs & keys. This all means that when I'm trying to connect to the VPN I can access my private resources, but I lose all general internet connectivity. For our use case it's not workable for us to keep having to hop on and off the VPN.
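A quick way to confirm whether split-tunnel actually took effect is to parse the client's routing table and flag any default route that points into the tunnel interface. The following checker is an added example, not code from the post or from AWS; it assumes the VPN interface is `tun0` and uses a constructed sample modelled on the `netstat -nr` output quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, modelled on the netstat -nr output quoted in the post
# (the redacted last line is omitted).
SAMPLE_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 enp0s20f0u2
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U         0 0          0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG        0 0          0 tun0
"""

@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    iface: str

def parse_netstat(text: str) -> list[Route]:
    """Parse the 'Kernel IP routing table' block printed by `netstat -nr`."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        # Keep only 8-column lines whose first field is a dotted-quad address;
        # this drops the banner and the column header.
        if len(cols) != 8 or not re.match(r"\d+\.\d+\.\d+\.\d+$", cols[0]):
            continue
        dest, gw, mask, flags, _mss, _win, _irtt, iface = cols
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, flags, iface))
    return routes

def default_routes_via(routes: list[Route], iface: str) -> list[Route]:
    """Default (0.0.0.0/0) routes that send all traffic into `iface`."""
    return [r for r in routes if r.network.prefixlen == 0 and r.iface == iface]

def tunnel_prefixes(routes: list[Route], iface: str) -> list[str]:
    """Specific (non-default) prefixes reachable through the tunnel."""
    return [str(r.network) for r in routes if r.iface == iface and r.network.prefixlen > 0]

def split_tunnel_ok(text: str, tun_iface: str = "tun0") -> bool:
    """True when the tunnel carries only specific prefixes and no 0.0.0.0/0.
    A default route on the tunnel means full-tunnel: every packet, Internet
    traffic included, goes through the VPN (and here, the NAT gateway)."""
    return not default_routes_via(parse_netstat(text), tun_iface)
```

Run it against `subprocess.check_output(["netstat", "-nr"], text=True)` on the client after connecting; a `False` result means the endpoint is still pushing a default route.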
tDBConnection_1 IO Error: The Network Adapter could not establish the connection / java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
Getting this error when trying to connect from AWS to an on-prem Oracle DB using a VPN tunnel:

tDBConnection_1 IO Error: The Network Adapter could not establish the connection
java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection

Thanks in advance and appreciate any inputs/ideas on this. Thanks, Srini
Does VPC need to be updated if client is changing VPN settings?
Currently, a Lambda function uses a VPC to connect to client's server and fetch data. The client will be updating their VPN, and thus, do the VPC settings need to be updated as well? For example, the client is changing the encryption scheme, but I don't see anything related to encryption in VPC?
Wanted VPN tunnel between elastic ip and on prem static IP?
I'm new to AWS, and I have one Elastic IP on my account that I'd like to use to establish a VPN connection between my on-premises network and AWS accounts. I tried setting up an OPNsense firewall instance and connecting my Elastic IP to form a tunnel, but it didn't work. I also tried connecting the Elastic IP to a network interface, but it didn't work. I also changed the security groups to allow everything, including all TCP/UDP/ICMP traffic. I also added route tables as required. But no packet from on-prem ever shows up at the AWS end. Is there anything I'm missing?
AWS Client VPN Self Service Page intermittently returns a 400
I have an AWS VPN Client integrated with Azure AD using SAML. The VPN works fine but the self service page is often inaccessible to anyone in the organisation typically returning a 400. This is extremely annoying. Is there any reason why this would be happening?
Cannot reach EC2 Instance over client to site VPN
I am somewhat new to AWS admin, but have built several EC2 instances for customers with both site-to-site VPNs as well as client-to-site, using OpenVPN for the latter. I am successfully connected to the VPN, but cannot ping or RDP to my instance's internal IP address. I have created firewall rules in Windows allowing ICMPv4 in/out, and even disabled the Windows Defender Firewall. I have applied a security group on the instance allowing all traffic from the subnet range of my VPN (10.0.0.0/16) as source; my VPN client has an IP of 10.0.1.34 currently while connected.

On the Route Table under VPC, I have the local route showing 172.31.0.0/16 (server's IP is 172.31.14.231) as a destination, as well as 0.0.0.0/16 as a destination. Both are showing as propagated as No (I have no site-to-site for this customer); not sure if the propagation is an issue here? Subnet association under route tables has all the subnets listed, including the 172.31.16.0/20, which I checked does include my server's IP of 172.31.14.231.

Under VPN > Client VPN Endpoint > Associations, I have the network ID associated status with the network ID of the subnet 172.31.16.0/20; the security group is the allow-all-traffic-to-VPC one that I listed above. The Authorization tab has access all is true, destination CIDR is 172.31.0.0/16 and state is Active. The Route table tab has a Destination CIDR of 172.31.0.0/16, and the target subnet is the one that includes my server (172.31.0.0/20). Connections shows the status of active with an IP of 10.0.1.34.

I am running a continuous ping from the server to my VPN client IP of 10.0.1.34, as well as a ping from my workstation connected via VPN, both timing out. RDP cannot find the server. I know this is a lot of information, but I really could use some help here. I would think it is a routing or firewall issue, but cannot seem to find the issue. Thank you in advance.