EC2s Development and Production Environments, Isolation, VPN, API GW, Private and Public Endpoints with RDS and Data Sanitization
Hi Everyone, I have the following idea for an infrastructure architecture in AWS, but I believe that I need some help clarifying several issues, and I believe the best answers will come from here. I am thinking about the following layout:

In production:

1. an EC2 with Apache that provides the service portal for web users
2. an RDS for the sake of the portal
3. another EC2 with Apache and a business-logic PHP application as CRM
4. the same RDS will be used by the CRM application as well

In development: the same layout, with 1 EC2 for web client services, 1 EC2 for the sake of developing the CRM, and an RDS for the data.

I thought about using two different VPCs for the sake of this deployment. I need data replication with sanitization from the production RDS to the development RDS (thinking either of SQL procedures or another method; I haven't thought about that yet, but I know I need it to be like that since I have no desire to let my developers work with real client data).

- Both the production and development CRM EC2s expose Web APIs.
- Both the production and development service portals expose Web APIs.
- Both the production and development CRM and service portal are web accessible.

For the development environment, I want to enable access (Web and Web APIs) only through VPN; hence, I want my developers to connect with VPN clients to the development VPC and work against both EC2s on top of that connection. I also want them to be able to test all APIs and am thinking about setting up an API Gateway on that private endpoint.

For the production environment, I want to enable access (Web and Web APIs) to the CRM EC2 through VPN; hence, I want my business units to connect with their VPN clients to a production VPN gateway and work against the CRM on top of that connection. I don't want to expose my CRM to the world.

For the production environment, I want to enable everyone on the internet (actually, not everyone; I want to geo-block access to the service portal, hence I do believe I need Amazon CDN services enabled for that cause) to access the service portal. Still, I want to enable an API Gateway for the Web APIs that are exposed by this service portal EC2.

I've been reading about Amazon API Gateway (and API Gateway cache) and its resource policy, and VPC endpoints with their own security groups, and the Amazon Route 53 Resolver for the sake of VPN connections. I have also been reading a lot about the Amazon virtual private gateway and private and public endpoints, but I still can't figure out which element comes into play where, and how the interactions should be designed for those elements. I believe I also need Amazon KMS for the keys, certificates and passwords, but I'm still trying to figure out the right approach for the above, so I'm leaving the KMS part for the end.

Of course, I'm thinking about security at the top of my concerns, so I do believe all connections in between the elements should be hardened. Is using only ACLs the right way to go? I would really appreciate the help.
AWS VPN with Private IP address
Good news with this release yesterday: https://aws.amazon.com/about-aws/whats-new/2022/06/aws-site-vpn-introduces-private-ip-security-privacy/

So I wanted to confirm the steps to set this up.

1. Create DXG
2. Create Transit VIF and associate it with the DXG: https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html#create-transit-vif The ASN can be a private ASN, correct?
3. Create TGW
4. Create VPN attachment: https://docs.aws.amazon.com/vpn/latest/s2svpn/create-tgw-vpn-attachment.html

All ASNs can be private. All need to be unique.
Routing internet traffic via VPC from remote Site-to-Site VPN Network
Is it possible to route internet traffic from a remote on-premise network, via an AWS site-to-site VPN into a VPC, and out through the VPC's Internet Gateway as a means of providing the remote network with Internet access? I'm using a StrongSwan customer gateway on the remote network, and a Transit Gateway into the VPC.
AWS Site-to-Site VPN authentication failing for Customer Gateway behind NAT device
We are creating an AWS Site-to-Site VPN connection between a client's on-premise network and our AWS VPC. The client receives an authentication error when attempting to establish a connection (using a pre-shared key). In order to debug this, we ran strongSwan on an EC2 instance to be able to inspect the logs and traffic. While doing this, we could see that they were attempting to connect from IP address 1 (e.g. 188.8.131.52) but using IP address 2 (e.g. 184.108.40.206) as an ID. When we set up strongSwan to authenticate against IP address 2 (e.g. 220.127.116.11), the connection was established successfully. We have since learned that IP address 1 (e.g. 18.104.22.168) is their NAT device, and IP address 2 (e.g. 22.214.171.124) is their customer gateway device.

To my question: how can I set up the AWS Site-to-Site VPN connection and customer gateway so that they can be authenticated successfully? If I create the customer gateway with IP address 1 (e.g. 126.96.36.199, NAT device) they can connect but can't authenticate. If I create the customer gateway with IP address 2 (e.g. 188.8.131.52, customer gateway device) they can't connect at all.
AWS Site-to-Site VPN ping working, TCP not
I want to establish a site-to-site IPsec VPN connection between an AWS EKS Kubernetes cluster and a server from a different provider using AWS Site-to-Site VPN. Pings get through the VPN, but TCP traffic does not. The server on the other end runs Ubuntu 20.04 and uses libreswan. The configuration file from AWS for the VPN for openswan has been altered in two ways (that I think should not matter):

- `auth=esp` has been commented out as libreswan would not start otherwise (libreswan 3.29)
- The VPN has been configured to use VTI.

When sending an HTTP request from the AWS site: `tcpdump` on the libreswan site shows SYN arriving and SYN-ACK being sent back, while `tcpdump` on the EC2 instance (and in a pod as well) only registers SYN. All incoming traffic has been allowed in security groups and ACLs etc. I have set up SNAT as recommended [here](https://repost.aws/questions/QUqB4R9dc7TG6TBQe-H2IjiA/aws-site-to-site-vpn-ping-working-tcp-not-ec-2-networking-details) and have confirmed that SNAT works using `traceroute`. I think because of SNAT it should not matter anymore for this issue that EKS is used in this VPC.
Secured ISP to Lambda?
Hi, I was wanting to "securely" stream data from a rack I have in an ISP to my AWS Lambda instance. I was wondering what the best solution might be? I thought of something sort of VPN and perhaps Kinesis to Lambda, but I'm not sure how I would initiate that from the on-premises rack, and that was a shot in the dark. Would appreciate any input. Thank you.
How to connect Workspace (Windows 10) to L2TP/IPSec VPN server
I'm trying to connect to a remote corporate NAS from my Workspace instance through a VPN. Whenever I attempt to do so, using the Windows 10 VPN client configuration, the Workspace freezes. I can see there is successful authentication with the NAS device if I look at the NAS's logs. But on the Workspace, the connection attempt stops, and the Workspace completely freezes, at the "Completing connection" stage. While troubleshooting, I've disabled Windows Firewall and modified the AWS Directory security group rules to open up the relevant ports, to no avail. Any ideas?
Client VPN slowness
I have Client VPN set up on AWS, which connects to a business web app on EC2. I access it from a Windows 10 computer using the OpenVPN GUI. The web app runs very slowly at times, where a page takes 5-10 seconds to load. Previously, when it was accessed directly and not through the VPN, the web app loaded pages in under 1 second. Is there any way to improve the speed of Client VPN?
AWS Site-to-Site VPN ping working, TCP not (EC2 networking details)
I want to establish a site-to-site IPsec VPN connection between an AWS EKS Kubernetes cluster and a server from a different provider using AWS Site-to-Site VPN. Pings get through the VPN, but TCP traffic does not. The server on the other end runs Ubuntu 20.04 and uses libreswan. The configuration file from AWS for the VPN for openswan has been altered in two ways (that I think should not matter):

* `auth=esp` has been commented out as libreswan would not start otherwise (libreswan 3.29)
* The VPN has been configured to use VTI.

When sending an HTTP request from the AWS site: `tcpdump` on the libreswan site shows SYN arriving and SYN-ACK being sent back, while `tcpdump` on the EC2 instance (and in a pod as well) only registers SYN. All incoming traffic has been allowed in security groups and ACLs etc.

From my understanding of the flow logs, the problem occurs within an EC2 instance:

* The pod runs on the instance with its own IP address.
* Network traffic of the pod passes through the network interfaces of the underlying EC2 instance.
* Pings are processed correctly, but other traffic is not forwarded from the pod to the network interfaces of the EC2 instance.

Is my understanding correct? How does networking work inside an EC2 instance with EKS pods?
Inbound network traffic blocked
Hi, all. I'm using AWS as an extension of my on-premise data center, and have been running this successfully for quite some time. Now I'm in the process of migrating my on-premise network to new infrastructure, and have enabled a new on-premise firewall to connect to AWS using site-to-site VPN. This works in parallel with my old infrastructure, so both the old and new firewalls are connected. The old firewall (SonicWall) connects a LAN with 192.168.20.0/24. The new firewall (FortiGate) connects a LAN with 192.168.40.0/24. I have added these subnets into the corresponding site-to-site VPN static routes. I have also added inbound rules (open for all TCP, UDP, ICMP) for the new x.x.40.0 subnet to the existing security group.

From a server in the VPC, I am now able to ping resources both on x.x.20.0 and x.x.40.0. If I ping from the x.x.20.0 network I get a response. However, I cannot get an echo response when pinging the AWS server from the x.x.40.0 network. I can see the ICMP packets being sent in a packet trace on the VPN interface of the FortiGate. I have looked at this pretty much from every angle, and am a little stuck. Any hints on how to analyze this further are much appreciated. Regards, Lars