Questions tagged with Amazon VPC


Global Accelerator Network Interface Appears in Network Insight Analysis From Different IP Address

I have a Network Insight Analysis that runs daily. The analysis is fairly basic: it runs a check between any two network interfaces on our network. I have noticed that there is a finding that keeps appearing that we do not expect (note: I have replaced IDs with unique letters). The source of the finding is a network interface associated with a global accelerator we have. However, the network interface is in a subnet with CIDR `10.48.161.64/28`, but the source header indicates it is sending from a different CIDR range, which allows it through security groups that should explicitly not allow traffic from that subnet. Hypothetically, these resources have security groups blocking ingress from one into the other. However, since the apparent source is different, that does not seem to be the case. I have not been able to replicate this network traffic outside of the network analysis tools. My suspicion is something to do with global accelerator being able to preserve client IP or change headers? Below is the first entry in the analysis.

```
{
  "SequenceNumber": 1,
  "Component": {
    "Id": "eni-BBB",
    "Arn": "arn:aws:ec2:us-west-1:yyy:network-interface/eni-BBB"
  },
  "OutboundHeader": {
    "DestinationAddresses": ["10.48.129.197/32"],
    "DestinationPortRanges": [{"From": 8334, "To": 8334}],
    "Protocol": "6",
    "SourceAddresses": ["10.32.129.192/27"],
    "SourcePortRanges": [{"From": 0, "To": 65535}]
  },
  "Subnet": {
    "Id": "subnet-AAA",
    "Arn": "arn:aws:ec2:us-west-1:xxx:subnet/subnet-AAA"
  },
  "Vpc": {
    "Id": "vpc-yyy",
    "Arn": "arn:aws:ec2:us-west-1:xxx:vpc/vpc-"
  }
}
```

I am aware that there are potentially better ways to do what I am doing. Right now I am just trying to understand why this behavior occurs, or maybe some places to look for answers. Alternatively, if this is a false positive for whatever reason, I want to understand how I can update my configurations to handle it.

Also interesting to note: we have an identical setup in another region, and that does not trip these same rules. If there is any more information I can provide, please let me know! Network Analysis JSON below.

```
{
  "matchPaths": [
    {
      "source": {
        "packetHeaderStatement": {
          "sourceAddresses": ["0.0.0.0/0"],
          "destinationAddresses": ["10.48.0.0/12", "172.16.0.0/13"]
        },
        "resourceStatement": {
          "resourceTypes": ["AWS::EC2::NetworkInterface"]
        }
      },
      "destination": {
        "packetHeaderStatement": {
          "sourceAddresses": ["0.0.0.0/0"],
          "destinationAddresses": ["10.48.0.0/12", "172.16.0.0/13"]
        },
        "resourceStatement": {
          "resourceTypes": ["AWS::EC2::NetworkInterface"]
        }
      }
    }
  ]
}
```
1 answer, 1 vote, 57 views, asked a month ago
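An added check script for the situation in this question (not code from the post or from AWS): it walks the path components of an analysis finding and flags every outbound source range that is not contained in the CIDR of the subnet the emitting interface sits in, recording whether the ranges overlap at all. The finding JSON carries subnet IDs but not subnet CIDRs, so the subnet-to-CIDR map is supplied by hand; the sample finding below is constructed from the post (IDs replaced with letters, as the poster did) with a second, hypothetical component added to show the passing case.

```python
"""Flag Network Access Analyzer path components whose outbound source
addresses fall outside the CIDR of the subnet the interface belongs to.

Added example, not code from the post or from AWS. SUBNET_CIDRS is an
assumed map (the post gives 10.48.161.64/28 for the accelerator
interface's subnet; fill the rest from `describe-subnets`).
"""
import ipaddress

# Constructed sample: the first path component from the post, plus a
# hypothetical second component (eni-CCC) whose source does match its subnet.
FINDING_PATH = [
    {
        "SequenceNumber": 1,
        "Component": {"Id": "eni-BBB"},
        "OutboundHeader": {
            "DestinationAddresses": ["10.48.129.197/32"],
            "DestinationPortRanges": [{"From": 8334, "To": 8334}],
            "Protocol": "6",
            "SourceAddresses": ["10.32.129.192/27"],
            "SourcePortRanges": [{"From": 0, "To": 65535}],
        },
        "Subnet": {"Id": "subnet-AAA"},
        "Vpc": {"Id": "vpc-yyy"},
    },
    {
        "SequenceNumber": 2,
        "Component": {"Id": "eni-CCC"},  # hypothetical, for the passing case
        "OutboundHeader": {
            "DestinationAddresses": ["10.48.129.197/32"],
            "DestinationPortRanges": [{"From": 8334, "To": 8334}],
            "Protocol": "6",
            "SourceAddresses": ["10.48.161.70/32"],
            "SourcePortRanges": [{"From": 0, "To": 65535}],
        },
        "Subnet": {"Id": "subnet-AAA"},
        "Vpc": {"Id": "vpc-yyy"},
    },
]

# Assumed subnet-to-CIDR map; only the subnet named in the post is known.
SUBNET_CIDRS = {"subnet-AAA": "10.48.161.64/28"}


def check_path(path, subnet_cidrs):
    """Return one record per outbound source range that is not contained in
    the CIDR of the subnet the emitting interface belongs to.

    `overlaps` separates a partly overlapping range (an interface or route
    misconfiguration) from a completely foreign one (an address that was
    never assigned in that subnet, e.g. an upstream client address that an
    intermediary preserved rather than rewrote).
    """
    records = []
    for comp in path:
        header = comp.get("OutboundHeader")
        subnet_id = comp.get("Subnet", {}).get("Id")
        if not header or subnet_id not in subnet_cidrs:
            continue  # transit hops have no subnet; unknown subnets are skipped
        subnet_net = ipaddress.ip_network(subnet_cidrs[subnet_id], strict=False)
        for src in header.get("SourceAddresses", []):
            src_net = ipaddress.ip_network(src, strict=False)
            same_family = src_net.version == subnet_net.version
            if not same_family or not src_net.subnet_of(subnet_net):
                records.append({
                    "sequence": comp.get("SequenceNumber"),
                    "component": comp.get("Component", {}).get("Id"),
                    "subnet": subnet_id,
                    "subnet_cidr": str(subnet_net),
                    "source": str(src_net),
                    "overlaps": same_family and src_net.overlaps(subnet_net),
                })
    return records


if __name__ == "__main__":
    for rec in check_path(FINDING_PATH, SUBNET_CIDRS):
        print(rec)
```

Run against the real finding export, the script prints one record for `eni-BBB` (source `10.32.129.192/27`, no overlap with `10.48.161.64/28`) and nothing for components whose source lies inside their subnet, which is the quickest way to see whether a daily run is surfacing a new address family each time or the same one.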

Cannot resolve host of RDS endpoint in private subnet via VPN client endpoint

I have an AWS VPC VPN client endpoint set up to connect to 2 private subnets. Inside these private subnets are an RDS instance and an EC2 instance running an application server (aka "control plane server"). The private subnets are provided access to the external internet (so servers can download packages and such) via a public subnet with a NAT -> internet gateway. ![Network topology diagram](/media/postImages/original/IMmq5arvCkQbu7gwTh99Wpqg) I have successfully connected to the VPN from my laptop and even SSHed into the "control plane server". However, from my laptop, connected to the VPN, I cannot connect to the RDS endpoint. I get the error:

```
lookup <rds instance ID>.<random>.us-east-2.rds.amazonaws.com on [2600:4040:5710:9100::1]:53: no such host
```

This seems to be an error related to looking up the RDS endpoint's IP address. To debug this I used the `dig` tool from my laptop and from within an SSH session on the "control plane server". I found that from my laptop, whether or not I'm connected to the VPN, `dig <rds instance ID>.<random>.us-east-2.rds.amazonaws.com` returns 0 answers. However, my laptop isn't completely clueless about this URL: I can ask for the name servers, and `dig` returns the name servers `ns-573.awsdns-07.net. awsdns-hostmaster.amazon.com.`. If I SSH into the "control plane server" I actually get an `A` record back for the RDS endpoint URL. It's an IP address in the `10.1.2.0/24` subnet. I also get back the same name server results. I have tried disabling split-tunnel mode on the VPN and I get the same `dig` results from my laptop. I cannot exactly give my entire network configuration with all the security groups and such, but I followed [this RDS over VPN official AWS guide](https://aws.amazon.com/blogs/database/accessing-an-amazon-rds-instance-remotely-using-aws-client-vpn/) almost exactly. The only modifications were adding a public subnet with a NAT -> IGW and the modification described in the following paragraph.

I had one question about the guide, however: to me, the security group rules laid out regarding VPN client CIDRs didn't make sense. ![Screenshot from AWS guide highlighting IP mismatch](/media/postImages/original/IMaGX05IK_Q3aAPYWMEpA8Ag) The guide says the CIDR in the security group rule is the CIDR from which VPN clients will get IPs. The security group uses `122....`. However, the VPN configuration uses `192....`. So I changed the security group rule to match the actual VPN CIDR. Was this a mistake? Am I missing anything about how I can get the AWS DNS servers to give me my private subnet IPs when connected via the VPN? My hypothesis is that when my laptop makes a request to the AWS DNS server for RDS, it sees I am connecting from an external network, and not the private subnet from which the RDS endpoint IP is allocated. So it refuses to leak information and says there are no results.
1 answer, 0 votes, 38 views, asked a month ago by Noah
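An added diagnostic for the two things this question turns on (not code from the post or from the AWS guide it links): which resolver the client actually sent the lookup to, and whether the security-group rule covers the Client VPN client CIDR. It relies on two facts about the platform: the VPC's Route 53 Resolver answers at the VPC CIDR's network address plus two (and at the link-local alias 169.254.169.253), and a Client VPN endpoint only hands clients that resolver if DNS servers are configured on the endpoint; otherwise the client keeps its own local DNS. The error text, RDS hostname, VPC CIDR, client CIDR and security-group rule used below are constructed sample values, not the poster's.

```python
"""Checks for Client VPN -> private RDS name resolution.

Added example, not code from the post or from AWS. Sample values are
constructed: the hostname, VPC CIDR, client CIDR and rule CIDR are not
the poster's (which are partly elided in the question).
"""
import ipaddress
import re

# Link-local alias of the VPC's Route 53 Resolver.
VPC_RESOLVER_LINK_LOCAL = ipaddress.ip_address("169.254.169.253")

# Constructed Go-style resolver error in the same shape as the post's.
SAMPLE_ERROR = ("lookup mydb.abc123xyz.us-east-2.rds.amazonaws.com on "
                "[2600:4040:5710:9100::1]:53: no such host")
_ERR_RE = re.compile(r"^lookup (?P<name>\S+) on (?P<addr>\S+): (?P<reason>.+)$")


def vpc_resolver_address(vpc_cidr):
    """Address of the VPC's Route 53 Resolver: network address + 2."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    return str(net.network_address + 2)


def parse_lookup_error(text):
    """Pull hostname, resolver IP and port out of a 'lookup X on Y:53' error.

    Handles '[v6addr]:53' and 'v4addr:53'. Returns None for other text.
    """
    m = _ERR_RE.match(text.strip())
    if not m:
        return None
    addr = m.group("addr")
    if addr.startswith("["):
        host, _, port = addr[1:].partition("]:")
    else:
        host, _, port = addr.rpartition(":")
    return {"name": m.group("name"), "resolver": host,
            "port": int(port), "reason": m.group("reason")}


def resolver_is_vpc_resolver(resolver_ip, vpc_cidr):
    """True if the lookup went to the VPC's resolver (base+2 or the
    link-local alias); False for an ISP, public or on-laptop resolver."""
    ip = ipaddress.ip_address(resolver_ip)
    return ip == VPC_RESOLVER_LINK_LOCAL or str(ip) == vpc_resolver_address(vpc_cidr)


def sg_rule_covers_clients(rule_cidr, client_cidr):
    """True if the security-group rule's source CIDR contains the whole
    Client VPN client CIDR, so every address a client can be given is allowed."""
    return ipaddress.ip_network(client_cidr, strict=False).subnet_of(
        ipaddress.ip_network(rule_cidr, strict=False))


def diagnose(error_text, vpc_cidr, rule_cidr, client_cidr):
    """Return a list of findings (empty means both checks passed)."""
    findings = []
    parsed = parse_lookup_error(error_text)
    if parsed is None:
        findings.append("error text not recognised; check the client's resolver by hand")
    elif not resolver_is_vpc_resolver(parsed["resolver"], vpc_cidr):
        findings.append(
            f"{parsed['name']} was looked up on {parsed['resolver']}, not the VPC "
            f"resolver {vpc_resolver_address(vpc_cidr)}; configure DNS servers on "
            f"the Client VPN endpoint so clients use the VPC resolver")
    if not sg_rule_covers_clients(rule_cidr, client_cidr):
        findings.append(
            f"security-group rule {rule_cidr} does not cover client CIDR {client_cidr}")
    return findings


if __name__ == "__main__":
    # Constructed inputs: a 10.1.0.0/16 VPC, clients from 192.168.0.0/22,
    # and a rule already changed to match the client CIDR.
    for line in diagnose(SAMPLE_ERROR, "10.1.0.0/16", "192.168.0.0/22", "192.168.0.0/22"):
        print(line)
```

Paste the real error text and CIDRs in place of the sample values. In the post's error the resolver is `[2600:4040:5710:9100::1]:53`, an IPv6 address outside any private VPC range, which is exactly what the first check reports; the second check confirms that aligning the rule's CIDR with the endpoint's client CIDR, as the poster did, leaves every client address covered.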