
Unanswered Questions tagged with Amazon VPC


Problem Setting up EC2 as Airgap Server with Client VPN Endpoint

Afternoon All, I'm a (very) inexperienced user who's keen to learn and appreciate I might have bitten off far more than I can chew with this.

I'm working on a project where we need to share UDP packets between two companies with the packets going in both directions. I want to set up an airgap server where exchange of data could take place. I have an EC2 server with an external IP address (that I SSH into) as the airgap machine and a VPN client endpoint linked to the subnet the EC2 instance is in. My intent was to send UDPs from my company system to the airgap on a particular port, say 3005, for example, and then listen on a different port, say 4005, for example, on the same EC2 instance for UDP packets from the other company, and use socat to send packets from 4005 to the client IP on my Windows machine (currently set in the Endpoint to 16.10.0.0/16 (yes I know the subnet is probably far too big for this)).

I have successfully created the VPN client endpoint, downloaded the configuration file and can connect in from my Windows 10 laptop using the OpenVPN client. I can send packets from my Windows 10 machine to the Airgap EC2 instance and see that they arrive on port 3005 as expected using tcpdump. I can also ping from the Windows machine to the Airgap server... so the connection is working in one direction.

The issue I have is that the connection does not work sending packets from the Airgap EC2 instance to my machine via the VPN... If I run socat with various options of udp-recvfrom or udp-listen and udp-sendto or udp-datagram I get no packets arriving at my Windows machine. Neither can I ping the Windows machine from the EC2 Airgap instance (I have tried this with Windows Firewall turned off to test whether the FW was getting in the way).

My questions then:

1. Is it possible to do what I want?
2. What am I doing wrong and how can I fix it?
3. Is my assumption about an EC2 instance being a good way of setting up an airgap server like this correct?

Many Thanks, G
0 answers, 0 votes, 63 views, asked 2 months ago

AWS S3 port 444 is open to the public internet

Hi,

So I got a security assessment from my customer stating a port 444 is open on their S3 buckets. I checked and it is common for all buckets created. The https port 443 is open with bucketname.s3.region.amazonaws.com and the SSL certificate is correct.

![https 443 access is fine](https://repost.aws/media/postImages/original/IMtvcHr-CGTOir32EBcPe3qQ)

Now let's see the access on port 444:

![https 444 is SSL error](https://repost.aws/media/postImages/original/IMmU4ewSkpTjy647q55H0gGQ)

As you can see, its SSL cert is for *.s3.region.vpce.amazonaws.com. So I tried to access the bucketname.s3.region.vpce.amazonaws.com domain and it isn't publicly resolved, which is understood since it only needs to be resolved inside a VPC since it is for the VPC endpoint service.

![vpce domain is not resolved](https://repost.aws/media/postImages/original/IMRkVbkp-RRkev2vKmPx0t_g)

So I checked the IP with the hosts command and apparently my bucket domain name is an alias of s3-r-w.ap-south-1.amazonaws.com with the IP 52.219.156.130. I added it to my hosts file and the SSL for the 444 port with the vpce domain works (expected).

![SSL issue is fixed after using vpce domain](https://repost.aws/media/postImages/original/IMt_lIGZ4ERymiPXmpxdHiLQ)

Now my question is why does this port exist. While we access it via the VPC endpoint we still access port 443. So is there a port forwarding while going through VPCE, or is this port open for something else? Since S3 has a gateway VPC endpoint, does that mean all the public IPs need to be open? We don't put vpce also in the domain when we call the S3 endpoint with VPCE, so does that mean there is a domain rewrite also?

If someone can let me know how this works, it will be really great. I can also inform my customer as such. Thank you.
0 answers, 1 vote, 158 views, asked 2 months ago
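As an added illustration of the poster's finding (not code from the original post): the certificate served on port 444 only names *.s3.&lt;region&gt;.vpce.amazonaws.com, so the same TLS connection fails hostname validation under the public bucket name and passes under the vpce name. The SAN list below is constructed from the poster's screenshot, the region ap-south-1 is taken from their host lookup, and fetch_san_dns_names() needs network access.

```python
"""Reproduces the hostname check that fails on port 444: the certificate
there carries *.s3.<region>.vpce.amazonaws.com, so a request sent as
bucketname.s3.<region>.amazonaws.com is rejected by hostname validation
even though the TLS chain itself is fine."""
import socket
import ssl

# Constructed sample SAN list modelled on the poster's port-444 screenshot;
# the region (ap-south-1) is taken from their host lookup.
SANS_ON_PORT_444 = ["*.s3.ap-south-1.vpce.amazonaws.com"]


def dns_name_matches(pattern, hostname):
    """Leftmost-label wildcard match in the RFC 6125 style."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*' must be the whole leftmost label and covers exactly one label, so a
    # bucket name containing dots does not match the wildcard either.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_covers(sans, hostname):
    """True if any SAN DNS name in the certificate matches hostname."""
    return any(dns_name_matches(san, hostname) for san in sans)


def fetch_san_dns_names(host, port, server_name):
    """Read SAN DNS names from a live endpoint (network required). The chain
    is still verified (verify_mode stays CERT_REQUIRED); only the hostname
    comparison is deferred to certificate_covers() so a mismatch is visible."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for name in ("mybucket.s3.ap-south-1.amazonaws.com",
                 "mybucket.s3.ap-south-1.vpce.amazonaws.com",
                 "my.dotted.bucket.s3.ap-south-1.vpce.amazonaws.com"):
        print(name, "->", certificate_covers(SANS_ON_PORT_444, name))
```

Point fetch_san_dns_names() at the bucket's IP on port 444 with the vpce name as server_name to obtain the live SAN list, then pass it to certificate_covers() with each candidate hostname.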

AWS EKS - EIA attached on node not reachable by Pod

I'm using a standard **AWS EKS** cluster, all cloud based (K8S 1.22) with multiple node groups, one of which uses a Launch Template that defines an Elastic Inference Accelerator attached to the instances (eia2.medium) to serve some kind of Tensorflow model. I've been struggling a lot to make our Deep Learning model work at all while deployed, namely I have a Pod in a Deployment with a Service Account and an **EKS IRSA** policy attached, that is based on the AWS Deep Learning Container for inference model serving based on Tensorflow 1.15.0. The image used is `763104351884.dkr.ecr.eu-west-1.amazonaws.com/tensorflow-inference-eia:1.15.0-cpu` and when the model is deployed in the cluster, with a node affinity to the proper EIA-enabled node, it simply doesn't work when called using the /invocations endpoint:

```
Using Amazon Elastic Inference Client Library Version: 1.6.3
Number of Elastic Inference Accelerators Available: 1
Elastic Inference Accelerator ID: eia-<id>
Elastic Inference Accelerator Type: eia2.medium
Elastic Inference Accelerator Ordinal: 0
2022-05-11 13:47:17.799145: F external/org_tensorflow/tensorflow/contrib/ei/session/eia_session.cc:1221] Non-OK-status: SwapExStateWithEI(tmp_inputs, tmp_outputs, tmp_freeze) status: Internal: Failed to get the initial operator <redacted>list from server.
WARNING:__main__:unexpected tensorflow serving exit (status: 134). restarting.
```

Just as a reference, when using the CPU-only image available at `763104351884.dkr.ecr.eu-west-1.amazonaws.com/tensorflow-inference:1.15.0-cpu`, the model serves perfectly in any environment (locally too), of course with much longer computational time. Along with this, if I deploy a single EC2 instance with the attached EC2, and serve the container using a simple Docker command, the EIA works fine and is accessed correctly by the container.

Each EKS node and the Pod itself (via IRSA) has the following policy attached:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elastic-inference:Connect",
        "iam:List*",
        "iam:Get*",
        "ec2:Describe*",
        "ec2:Get*",
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": "*"
    }
  ]
}
```

as per documentation from AWS itself. Also I have created a **VPC Endpoint for Elastic Inference** as described by AWS and bound it to the private subnets used by EKS nodes, along with a properly configured **Security Group** which allows **SSH**, **HTTPS** and **8500/8501 TCP** ports from any worker node in the VPC CIDR. Using both the **AWS Reachability Analyzer** and the **IAM Policy Simulator** nothing seems wrong and the networking and permissions seem fine, while also the *EISetupValidator.py* script provided by AWS says the same. Any clue on what's actually happening here? Am I missing some kind of permissions or networking setup?
0 answers, 0 votes, 56 views, asked 4 months ago

Encrypted VPN Connectivity from VMC on AWS SDDC to On-Premise DC

Dear Team,

I have the following setup requirements between VMware on AWS SDDC and on-premise DC.

1. Need an encrypted VPN solution between SDDC and on-premise DC.
2. Need an encrypted VPN solution between SideCar VPC and on-premise DC.
3. We have Direct Connect set up between DC and AWS.
4. Protected firewall sitting behind the edge device in on-premise DC; encrypted VPN setup on DX needs two sets of public IPs. The firewall sitting behind the edge device has VPN connectivity, but that firewall could not be configured with a public IP. The last hop where the public IP could be configured is the edge device on the customer site.

As per my understanding, I can use the public VIF on Direct Connect to set up the encrypted VPN connection between the client edge device and the AWS router. But the problem statement in this case is:

1. How to set up the encrypted VPN solution for both SDDC and sidecar VPC? Can we route the traffic from SDDC to VTGW to TGW (of the sidecar account) and then leverage the public VIF to set up an encrypted VPN from TGW to the customer edge device?
2. Do we need the DX gateway to set up the encrypted VPN connectivity?
3. Encrypted VPN on DX would need two sets of public IPs. What if the customer firewall does not have the option to configure the public IP for encrypted VPN?
4. Can I use the DX setup in one OU to create the public VIF for another account in a separate OU? This is required because I am looking to create the encrypted VPN connection from two OUs to the DC.

Please advise with your comments or if there is any reference architecture available with VMC/AWS.

Many Thanks, Rio
0 answers, 0 votes, 91 views, asked 4 months ago