Questions tagged with Amazon VPC
Using DataSync, unable to transfer files from one FSx for Lustre to another in separate VPCs
Hello, I am trying to use AWS DataSync to transfer files from one FSx for Lustre file system, set up in the original default VPC, to a new VPC with another FSx for Lustre file system that is already set up. I am copying from "/" on the source to "/" on the destination. When I try to run the task, I get the following error: `Task failed to access location loc-sourcelocation:x40017: Mount command timed out`. Both FSx for Lustre setups are in the same region. I copied the settings for the second one to match the first one. They both have security groups with the All traffic rule for all protocols and ports, the source being the security group itself. They also have rules for ports 988 and 1021-1023, with the source again being the security group. VPC peering has been set up as well between the two VPCs. I have been looking at the steps here: https://docs.aws.amazon.com/fsx/latest/LustreGuide/migrating-fsx-lustre.html and am not sure what I'm missing. I look in the FSx console and it shows the status of both as available. I've tried looking around on the internet but have not had any success finding anybody who's done this before. No videos or anything like that. It feels like I'm missing something, but I'm not sure what it is.
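A "Mount command timed out" from a DataSync location is a network-path failure, and the detail worth checking in the rules described above is the source: a security-group rule whose source is the group itself only admits network interfaces that carry that group. DataSync attaches the security groups you specify on the FSx for Lustre location to the interfaces it creates, so if those are a different group, nothing in the rules above matches them. The check below is an added example, not the poster's configuration or AWS code: it evaluates inbound rules in the shape returned by `aws ec2 describe-security-groups` (trimmed to the fields it reads, with placeholder group IDs) and lists which Lustre ports a given source cannot reach.

```python
import ipaddress

# Constructed sample in the shape of `describe-security-groups` output: the rules the
# post describes (all traffic and the Lustre ports, source = the group itself).
# Group IDs are placeholders, not real resources.
FSX_SG_ID = "sg-0fsx00000000000aa"
FSX_SG = {
    "GroupId": FSX_SG_ID,
    "IpPermissions": [
        {"IpProtocol": "-1",
         "UserIdGroupPairs": [{"GroupId": FSX_SG_ID}], "IpRanges": []},
        {"IpProtocol": "tcp", "FromPort": 988, "ToPort": 988,
         "UserIdGroupPairs": [{"GroupId": FSX_SG_ID}], "IpRanges": []},
        {"IpProtocol": "tcp", "FromPort": 1021, "ToPort": 1023,
         "UserIdGroupPairs": [{"GroupId": FSX_SG_ID}], "IpRanges": []},
    ],
}

# The ports the post names; the check takes the list as a parameter.
LUSTRE_PORTS = [988, 1021, 1022, 1023]


def rule_matches(rule, proto, port, src_sg=None, src_ip=None):
    """True if one inbound rule admits `proto`/`port` from the given source.

    A source is either a security group carried by the sending interface
    (src_sg) or an IP address matched against the rule's CIDR ranges (src_ip).
    """
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    # "-1" means all protocols and all ports; otherwise honour the port range.
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    if src_sg is not None and any(
        p["GroupId"] == src_sg for p in rule.get("UserIdGroupPairs", [])
    ):
        return True
    if src_ip is not None:
        ip = ipaddress.ip_address(src_ip)
        for r in rule.get("IpRanges", []):
            if ip in ipaddress.ip_network(r["CidrIp"], strict=False):
                return True
    return False


def blocked_ports(sg, ports, src_sg=None, src_ip=None, proto="tcp"):
    """Ports in `ports` that no inbound rule of `sg` admits from the source."""
    return [
        p for p in ports
        if not any(rule_matches(r, proto, p, src_sg, src_ip) for r in sg["IpPermissions"])
    ]


def grant(sg, proto, from_port, to_port, src_sg):
    """Return a copy of `sg` with one extra inbound rule sourced from `src_sg`
    (the remediation: admit the group DataSync's interfaces carry)."""
    rules = list(sg["IpPermissions"]) + [{
        "IpProtocol": proto, "FromPort": from_port, "ToPort": to_port,
        "UserIdGroupPairs": [{"GroupId": src_sg}], "IpRanges": [],
    }]
    return {"GroupId": sg["GroupId"], "IpPermissions": rules}


if __name__ == "__main__":
    # An interface carrying the FSx group itself reaches everything ...
    print(blocked_ports(FSX_SG, LUSTRE_PORTS, src_sg=FSX_SG_ID))
    # ... but one carrying a different group (placeholder ID) reaches nothing.
    print(blocked_ports(FSX_SG, LUSTRE_PORTS, src_sg="sg-0datasync000000bb"))
```

Run the same check with `src_ip` set to an address from the peer VPC's CIDR to see that the rules also admit no address-based source; cross-VPC group references over peering are possible, but only if the DataSync interfaces actually carry the referenced group.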
Can we only have ONE Network Firewall per VPC? Is Net Firewall the only service with the naming convention vpce-<id> for its endpoints?
I have a few questions about Network Firewall. 1. Can we only have one per VPC? 2. Is Network Firewall the only service with the naming convention vpce-<id> for its endpoints?
Connection Timeout Issue with DocumentDB
I created an EC2 instance and a DocumentDB cluster; they belong to different VPC IDs. According to the document https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-from-outside-a-vpc.html, to connect directly to DocumentDB (port 27017) I need to use an EC2 instance running in the same VPC as the DocumentDB cluster. There's no way to do that, because the VPC running DocumentDB is not showing up in my VPC list. Can anyone tell me how to resolve this issue? ncat (`nc -zv <documentdb hostname> 27017`) returned a timeout error.
How to create a no-internet-access (private) subnet?
**Points of My Scenario:**
1. I tried to create 3 private subnets (subnets without an internet gateway) so that EC2 instances would be unable to access the Internet.
2. I used the procedure in the AWS document https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html
3. Upon completion, I checked the route table for each subnet...
4. Alas! Each one had destination 0.0.0.0/0 associated with the default igw-<GUID>, just like the other system-generated subnets.

**Question:** why is this happening, and how can I create truly private subnets?
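The behaviour described above follows from how route tables attach to subnets: a subnet with no explicit route-table association uses the VPC's main route table, and in a default VPC the main table carries the 0.0.0.0/0 route to the internet gateway. A new subnet therefore starts out public until it is explicitly associated with a table that lacks that route. The classifier below is an added example, not the poster's setup or AWS code; it works on data in the shape of `aws ec2 describe-route-tables` output (trimmed to the fields it reads, with placeholder IDs) and reports, per subnet, which table applies, whether the association is explicit, and whether the table reaches an internet gateway.

```python
# Constructed sample in the shape of `describe-route-tables` output. IDs are placeholders.
ROUTE_TABLES = [
    {   # the VPC's main table: carries the internet-gateway default route
        "RouteTableId": "rtb-main00000000000",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000000000abc"},
        ],
        "Associations": [{"Main": True}],
    },
    {   # a custom table with only the local route, explicitly tied to one subnet
        "RouteTableId": "rtb-priv00000000000",
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
        "Associations": [{"Main": False, "SubnetId": "subnet-0priv000000000c"}],
    },
]

# Three new subnets: two never associated with anything, one tied to the custom table.
SUBNETS = ["subnet-0new0000000000a", "subnet-0new0000000000b", "subnet-0priv000000000c"]


def table_for_subnet(route_tables, subnet_id):
    """Return (route_table, explicit). An explicit association wins; otherwise the
    VPC's main table applies, which is the implicit association every subnet gets."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt, True
    for rt in route_tables:
        if any(a.get("Main") for a in rt["Associations"]):
            return rt, False
    raise ValueError("VPC has no main route table in the input")


def _default_routes(rt):
    return [r for r in rt["Routes"]
            if r.get("DestinationCidrBlock") == "0.0.0.0/0"
            or r.get("DestinationIpv6CidrBlock") == "::/0"]


def egress_kind(rt):
    """'internet' for an igw default route, 'nat' for a NAT-gateway default route
    (private but not offline), 'none' when no default route exists."""
    for r in _default_routes(rt):
        target = r.get("GatewayId") or r.get("NatGatewayId") or ""
        if target.startswith("igw-") or target.startswith("eigw-"):
            return "internet"
        if target.startswith("nat-"):
            return "nat"
    return "none"


def classify(route_tables, subnet_ids):
    """Map each subnet to the table that governs it and the egress that table allows."""
    out = {}
    for s in subnet_ids:
        rt, explicit = table_for_subnet(route_tables, s)
        out[s] = {"route_table": rt["RouteTableId"],
                  "explicit": explicit,
                  "egress": egress_kind(rt)}
    return out


if __name__ == "__main__":
    for subnet, info in classify(ROUTE_TABLES, SUBNETS).items():
        print(subnet, info)
```

The fix the output points at is the same in every case: create a route table containing only the local route (no igw or NAT target) and associate each subnet with it explicitly, so the main table no longer applies.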
Questions about session time in AWS Client VPN
Hi. First of all, thank you for reading my question. When I screen-lock my laptop, or when I am away from my laptop for about 1 hour and come back to it, AWS Client VPN is disconnected. The session timeout setting is 12 hours, but in reality, even if I leave my seat for about 1 hour, the connection is lost. Does it automatically disconnect when there is no network traffic? If yes, how do I disable that?
What are the benefits of using Redshift Managed VPC Endpoints vs. VPC Peering?
Hi. If I want to connect a QuickSight instance in Account A to a private Redshift cluster (i.e. located in a private VPC subnet) in Account B, what reasons would I have to use a (more expensive, from the looks of it) Redshift managed VPC endpoint to provide this cross-account, cross-VPC connectivity, rather than VPC peering? Is this simply a case of "less management overhead", or is there a technical reason why VPC peering would not be suitable in this case?
How to check an application's health API on a private EC2 instance with no NAT Gateway
I run the application on a private EC2 instance with no NAT Gateway. This application has a health check API. In this situation, I want to call the health check API with EventBridge and Lambda, and have Lambda send data to another application (on the Internet), but a Lambda in a private subnet can't send data to that application. How can I solve this problem?
Client VPN Connection to Route 53 Private Hosted Zone
I have one private hosted zone in my VPC using Route 53. I also have one Client VPN connection to that VPC, which is functioning normally. I have also enabled "DNS Configuration" in the Client VPN settings. But my client is not able to access the hostname of the website hosted in the private hosted zone. They are able to access the website over the Client VPN connection, but only by using the IP address. I want them to access it using the hostname. I have tried defining the DNS IP in the Client VPN settings as 1. the AWS-provided DNS (VPC CIDR + 2) and 2. the Route 53 inbound endpoint IPs. Neither worked. Help me out on this.
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:**xxxx
I have a Lambda function in **account A** that requests a private API in **account B**. There is VPC peering between the VPC of account A and the VPC of account B. In account A I created a VPC endpoint (com.amazonaws.us-east-1.execute-api). The API Gateway in account B was created as Private and bound to the VPC in account B; I created a resource and method without any type of authentication, and the method points to a Lambda function (account B) that does an insert into a QLDB table. The Lambda is configured as a proxy. When I run the test of the API Gateway (account B), it executes the Lambda function successfully and inserts a document into the QLDB table. When I execute the Lambda (in account A) requesting the API Gateway, I get this error message:

```
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:**xxxx
```

I've been trying to overcome this issue without success. Thanks in advance, Fernando Possebon
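"User: anonymous is not authorized to perform: execute-api:Invoke" is the response a private API returns when its resource policy does not admit the request; it is evaluated before the method's own authorizer, which is why a method with no authentication still gets it. For a request arriving through an interface endpoint the condition key is `aws:SourceVpce`, and for the setup described above it has to name the endpoint in account A, the one the caller actually uses, not an endpoint in account B. The evaluator below is an added example, not the poster's policy or AWS's engine: it applies IAM's explicit-deny-then-allow order to a resource policy in the shape the API Gateway docs use for private APIs (placeholder account, API and endpoint IDs), so a policy can be tested against the caller's endpoint before deploying it.

```python
# Constructed resource policy of the shape used for private APIs: allow Invoke only
# from one named VPC endpoint, deny everything else. IDs are placeholders.
API_ARN = "arn:aws:execute-api:us-east-1:111111111111:abcdef1234"
CALLER_VPCE = "vpce-0accountA000000001"   # the execute-api endpoint in account A

RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": API_ARN + "/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": CALLER_VPCE}}},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": API_ARN + "/*",
         "Condition": {"StringNotEquals": {"aws:SourceVpce": CALLER_VPCE}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _resource_matches(pattern, resource):
    """Exact match or the trailing-wildcard form used in these policies."""
    return resource == pattern or (pattern.endswith("*") and resource.startswith(pattern[:-1]))


def _condition_holds(cond, ctx):
    """StringEquals fails when the key is absent; StringNotEquals passes when it is
    absent (IAM semantics for negated operators). Other operators are not modelled."""
    for op, kv in cond.items():
        for key, wanted in kv.items():
            actual = ctx.get(key)
            wanted = _as_list(wanted)
            if op == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif op == "StringNotEquals":
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    ctx holds the request's condition keys, e.g. {"aws:SourceVpce": "vpce-..."};
    a request that did not come through an endpoint simply lacks the key.
    """
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if action not in _as_list(st["Action"]):
            continue
        if not any(_resource_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # an explicit deny ends evaluation
        decision = "Allow"
    return decision


if __name__ == "__main__":
    req = API_ARN + "/prod/POST/items"
    print(evaluate(RESOURCE_POLICY, "execute-api:Invoke", req, {"aws:SourceVpce": CALLER_VPCE}))
    print(evaluate(RESOURCE_POLICY, "execute-api:Invoke", req, {"aws:SourceVpce": "vpce-0other00000000002"}))
```

Two points the output makes concrete: with no resource policy at all the result is the implicit deny, so a private API with an empty policy admits nobody, and a Deny keyed on `StringNotEquals` also fires for a request carrying no `aws:SourceVpce` at all, which is what a call that bypasses the endpoint looks like.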
Silent failure in CloudFormation Lambda VpcConfig
I'm trying to add a VPC to a Lambda via CloudFormation. We're using SAM, so it's an "AWS::Serverless::Function". I have added the VpcConfig section of the CF template as per the docs, but the VPC is never attached to the Lambda. No error, successful deploy, but no VPC. I can then add the VPC (and later EFS) config via the console. Drift detection shows no discrepancy between actual and expected, either before or after I manually add the VPC. Deploying again later, using "sam deploy", silently removes the VPC config. Below is a minimal CloudFormation template displaying the behavior. I've tried everything I can think of, including a "DependsOn" clause referencing the VPC and subnets. What am I missing?

```
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Test template for VPC/Lambda config
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/24"
      EnableDnsHostnames: true
      EnableDnsSupport: true
  MyVPCSubnetMaster:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      AvailabilityZone: !Select [0, !GetAZs ""]
      CidrBlock: "10.0.0.0/28"
      MapPublicIpOnLaunch: true
  MyVPCSubnetBackup:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      AvailabilityZone: !Select [ 1, !GetAZs "" ]
      CidrBlock: "10.0.0.16/28"
      MapPublicIpOnLaunch: true
  MyLambda:
    Type: AWS::Serverless::Function
    VpcConfig:
      SecurityGroupIds:
        - !GetAtt MyVPC.DefaultSecurityGroup
      SubnetIds:
        - !GetAtt MyVPCSubnetMaster.SubnetId
        - !GetAtt MyVPCSubnetBackup.SubnetId
    Properties:
      FunctionName: "MyLambda"
      Runtime: "python3.8"
      Handler: "index.handler"
      CodeUri: test/MyLambda
```
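In the template above, `VpcConfig` sits beside `Type` at the resource level rather than under `Properties`, which is where `AWS::Serverless::Function` (like `AWS::Lambda::Function`) expects it. Keys at that level that are not CloudFormation resource attributes are exactly what a template linter catches before `sam deploy` ever runs. The check below is an added example, not the poster's code or part of SAM or cfn-lint: it takes the relevant part of the posted template as a Python dict (the `!Ref`/`!GetAtt` tags are kept as plain strings because only key placement matters here), reports every resource-level key that is not a known attribute, and shows the relocation that fixes it.

```python
import copy

# Keys CloudFormation accepts at the resource level. "Connectors" is SAM's own
# resource-level key; anything else is most likely a property that slipped out
# of Properties.
RESOURCE_LEVEL_KEYS = {
    "Type", "Properties", "DependsOn", "Condition", "Metadata",
    "DeletionPolicy", "UpdateReplacePolicy", "UpdatePolicy",
    "CreationPolicy", "Connectors",
}

# The posted template reduced to the resources that matter, as a dict.
# Intrinsic-function tags are represented as plain strings.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "MyVPC": {
            "Type": "AWS::EC2::VPC",
            "Properties": {"CidrBlock": "10.0.0.0/24"},
        },
        "MyLambda": {
            "Type": "AWS::Serverless::Function",
            "VpcConfig": {                      # misplaced: should be under Properties
                "SecurityGroupIds": ["!GetAtt MyVPC.DefaultSecurityGroup"],
                "SubnetIds": ["!GetAtt MyVPCSubnetMaster.SubnetId",
                              "!GetAtt MyVPCSubnetBackup.SubnetId"],
            },
            "Properties": {
                "FunctionName": "MyLambda",
                "Runtime": "python3.8",
                "Handler": "index.handler",
                "CodeUri": "test/MyLambda",
            },
        },
    },
}


def misplaced_keys(template):
    """(logical_id, key) for every resource-level key that is not an attribute."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        for key in res:
            if key not in RESOURCE_LEVEL_KEYS:
                findings.append((name, key))
    return findings


def relocate(template):
    """Return a copy with each stray resource-level key moved under Properties.
    The input is left untouched so the before/after can be compared."""
    fixed = copy.deepcopy(template)
    for name, key in misplaced_keys(template):
        res = fixed["Resources"][name]
        res.setdefault("Properties", {})[key] = res.pop(key)
    return fixed


if __name__ == "__main__":
    print(misplaced_keys(TEMPLATE))            # [('MyLambda', 'VpcConfig')]
    print(misplaced_keys(relocate(TEMPLATE)))  # []
```

The same walk over `Resources` works on a template loaded from YAML with a loader that understands the short-form tags; the dict form is used here only so the example runs without any CloudFormation tooling installed.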
Network traffic within a VPC
What would cause intermittent network disruptions between servers in the same VPC? For testing purposes I set up a Windows Active Directory server (10.0.0.190) and a web server (10.0.0.133) in the same VPC. The web server has joined the AD domain. I read that all internal traffic is disabled by default in a VPC, so I allowed all inbound traffic on the intranet (10.0.0.0/16) with this security group rule: **IP version = IPv4; Type = All Traffic; Protocol = All; Port Range = All; Source = 10.0.0.0/16**. Windows Firewall is turned off on both servers. A DNS server is installed on the AD server. The web server has its DNS set to the IP of the AD server; it is set manually in the network adapter for IPv4. IPv6 is disabled on both servers. Sometimes the web server cannot ping the AD server by name or by IP address. Sometimes the web server can ping by name (in the domain's DNS) and by IP address. What am I missing? Thanks, Mike