Unable to ping local IP address back from Alibaba ECS - alibaba-cloud

I have an ECS instance running in alibaba. My ECS is in a VPC that has a SSL server. I have downloaded the SSL client certificate which allows me to connect to openVPN and to ping the ECS instance from my local box while connected to openVPN.
However, when I login to the ECS instance, I am unable to ping back my local box. My security group is a basic one which allows all connections. I didn't touch the outbound connection.
Here are the details of my SSL Server, and successful ping screenshot (My ECS Primary Private IP Address is 192.168.0.201)
Here is a screenshot of my unsuccessful attempt to ping my local home IP address (the IP, 192.168.10.190, in the screenshot below is an arbitrary one for illustration purposes) from the ECS instance.

When you connect to VPN, you're assigned a private client IP of 192.168.2.0/24 as per your SSL VPN settings. This is the network that will be used for your VPN connection. From your screenshot I see that you're pinging to your local 192.168.10.190. Your cloud server does not have access to this network.
You can try pinging to your client 192.168.2.0/24 IP from your ECS. You probably will need to add the route to your VPC > Route Tables. I haven't tried connecting cloud server via SSL VPN myself, but I've used IPSec for two-way site-to-site connection, which is more suitable for this situation.

Related

How to establish a VPN connection without using my DNS

Is there any way for me to connect to a VPN without having it use my DNS? My internet provider where I'm connected can only use the DNS to connect to a separate server, which then connects to the internet as the router only interacts with that server, so if I change my DNS, my connection instantly stops working.
Is there any service that connects to a server without DNS as a VPN, or even some way to set up a proxy to go to another server after it interacts with my DNS?
Tried Changing DNS, no connection using cloudflare or google DNS servers (1.1.1.1, 8.8.8.8), Hotspot Shield VPN wouldn't connect, VPN from my home network wouldn't connect.
So, your ISP allows DNS traffic only to its server. And you want to bypass this limitation.
Solution 1: SSH Proxy
ssh -D 5000 user@host
Now, you can set your applications to use proxy on socks5://localhost:5000
You must set "Proxy DNS on socks5"
This proxy goes through the SSH server
Of course you need SSH server somewhere to connect to.
Solution 2: DNS over HTTPS
https://en.wikipedia.org/wiki/DNS_over_HTTPS
https://manpages.ubuntu.com/manpages/bionic/man1/dnss.1.html
It should work because your DNS packages go as HTTPS packages.
Solution 3: VPN or other services like nordvpn
It should work also since packages go encrypted to the VPN.
Actually, VPN should work without your ISP DNS as long as you connect to the VPN IP address instead of the hostname.
Finally
Solution 2 seems to be the only one you are able to perform without external services.
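What the "Proxy DNS on socks5" setting in Solution 1 changes on the wire, shown as an added example that is not code from the answer above: a SOCKS5 CONNECT request (RFC 1928) carries either a hostname (address type 0x03), which the SSH server then resolves on its side, or an already-resolved IP address (type 0x01/0x04), which means the client looked the name up locally through the ISP resolver before the proxy ever saw it. The builder and parser below are written from the RFC; the no-authentication method in the greeting is what an `ssh -D` listener expects, and the sample hosts and ports are constructed.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def greeting():
    """Client hello: version 5, one method offered, 0x00 = no authentication
    (the method an `ssh -D` local listener accepts)."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def build_connect(host, port):
    """Build a SOCKS5 CONNECT request (RFC 1928 section 4).

    A hostname is encoded as ATYP 0x03 so the proxy (here, the SSH server)
    performs the DNS lookup. A literal IP is encoded as ATYP 0x01/0x04, which
    only happens if the application resolved the name locally first."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        body = bytes([atyp]) + addr.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect(data):
    """Parse a CONNECT request into (atyp, host, port); ValueError on anything
    malformed, truncated, or with trailing bytes."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated domain request")
        n = data[4]
        host = data[5:5 + n].decode("idna")
        end = 5 + n
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.ip_address(data[4:8]))   # ValueError if short
        end = 8
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.ip_address(data[4:20]))
        end = 20
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("bad request length")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return atyp, host, port


def is_valid_connect(data):
    """Boolean wrapper around parse_connect for quick checks."""
    try:
        parse_connect(data)
        return True
    except ValueError:
        return False


def resolved_remotely(request):
    """True when the proxy, not the client, will do the DNS lookup."""
    return parse_connect(request)[0] == ATYP_DOMAIN


if __name__ == "__main__":
    # Constructed sample: the same destination with and without remote DNS.
    for req in (build_connect("example.com", 443), build_connect("93.184.216.34", 443)):
        print(req.hex(), "-> resolved by proxy:", resolved_remotely(req))
```

A client that says it is using the proxy but still emits the second form (a literal address) has already leaked the lookup to the local resolver; comparing the request bytes, or watching for port 53 traffic leaving the host alongside the SSH session, is the simplest way to confirm the setting took effect.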

Able to ping EC2 from on-premises through VPN. But, unable to ping DMS replication instance

I have set up a VPN and am able to ping the Private IP of the EC2 instance from on-premises and vice versa. However, I am unable to ping the Private IP of the DMS Replication Instance.
I have created an endpoint pointing DB in EC2. Endpoint test connection succeeds. However, endpoint test connection fails for DB in on-premises.
The EC2 and DMS Replication Instance use the same Subnet, Security Group, etc. The details are given in the image below.
May I know
1) why the DMS instance is not communicating with on-premises (and vice-versa)
2) why EC2 works fine in VPN but not DMS instance?
EDIT:
Details of Security Group associated with the DMS instance:
vpc - the same default vpc used by EC2
inbound rules - all traffic, all protocol, all port range, source = 192.168.0.0/24
outbound rules - all traffic, all protocol, all port range, source = 0.0.0.0/0
Route table:
destination - 10.0.0.0/16, target = local
destination - 0.0.0.0/0, target = internet gateway
destination - 192.168.0.0/24, target = virtual private gateway used in VPN
This is the error message I get when I try to test the DMS DB endpoint connection:
Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to connect Network error has occurred, Application-Detailed-Message: RetCode: SQL_ERROR SqlState: HYT00 NativeError: 0 Message: [unixODBC][Microsoft][ODBC Driver 13 for SQL Server]Login timeout expired ODBC general error.
You might need to describe/provide your full network topology for a more precise answer, but my best guess, based on AWS' documentation on "Network Security for AWS Database Migration Service", is that you're missing source and target database configuration:
Database endpoints must include network ACLs and security group rules that allow incoming access from the replication instance. You can achieve this using the replication instance's security group, the private IP address, the public IP address, or the NAT gateway’s public address, depending on your configuration.
Also, is this EC2 you mentioned a NAT instance? Just in case:
If your network uses a VPN tunnel, the Amazon EC2 instance acting as the NAT gateway must use a security group that has rules that allow the replication instance to send traffic through it.
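The Alibaba question at the top of the page and this DMS question reduce to the same two checks: does the source VPC's route table carry the destination prefix somewhere useful, and does the destination's security group admit the traffic? The Python below is an added example, not code from either question or from AWS or Alibaba. It runs longest-prefix matching and inbound-rule evaluation over the route table and security group transcribed from the DMS question, and over an assumed Alibaba VPC (CIDR 192.168.0.0/24 is an assumption; the question only shows the ECS address 192.168.0.201) with and without the 192.168.2.0/24 VPN-client route the Alibaba answer suggests adding. The "a private destination that only hits the internet-gateway default route is unreachable" rule is a simplification stated as such in the code.

```python
import ipaddress

# Transcribed from the DMS question above (targets use the page's own labels).
DMS_VPC_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "internet gateway"),
    ("192.168.0.0/24", "virtual private gateway"),
]
DMS_SG_INBOUND = [("192.168.0.0/24", "all", None)]  # all traffic from the on-prem /24

# Assumed Alibaba VPC: 192.168.0.0/24 (holds the ECS at 192.168.0.201) plus a default.
ECS_VPC_ROUTES = [
    ("192.168.0.0/24", "local"),
    ("0.0.0.0/0", "internet gateway"),
]
# The route the Alibaba answer says is probably missing: VPN client pool via the SSL VPN.
ECS_VPC_ROUTES_WITH_VPN = ECS_VPC_ROUTES + [("192.168.2.0/24", "ssl vpn gateway")]

INTERNET_TARGETS = {"internet gateway"}


def lookup_route(route_table, dst):
    """Longest-prefix match: (cidr, target) of the most specific route that
    contains dst, or None when nothing matches (no default route present)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def routable(route_table, dst):
    """Simplified model: a private (RFC 1918) destination whose only match is the
    default route towards the internet gateway is unreachable, because the public
    internet does not carry those prefixes. Anything else that matches is routable."""
    match = lookup_route(route_table, dst)
    if match is None:
        return False
    if ipaddress.ip_address(dst).is_private and match[1] in INTERNET_TARGETS:
        return False
    return True


def inbound_allowed(sg_rules, src, protocol, port=None):
    """Evaluate security-group inbound rules of the form
    (source cidr, protocol or 'all', (low, high) port range or None)."""
    addr = ipaddress.ip_address(src)
    for cidr, proto, ports in sg_rules:
        if addr not in ipaddress.ip_network(cidr):
            continue
        if proto != "all" and proto != protocol:
            continue
        if ports is not None and not (ports[0] <= (port or 0) <= ports[1]):
            continue
        return True
    return False


if __name__ == "__main__":
    # Alibaba case: home LAN host (from the question) and a VPN-pool client (constructed).
    for table, label in ((ECS_VPC_ROUTES, "ECS, no VPN route"),
                         (ECS_VPC_ROUTES_WITH_VPN, "ECS, VPN route added")):
        for dst in ("192.168.10.190", "192.168.2.5"):
            print(f"{label:22} -> {dst:15} via {lookup_route(table, dst)}  "
                  f"routable={routable(table, dst)}")
    # DMS case: route to the on-prem host and the SG as listed in the question.
    print("DMS -> 192.168.0.10 via", lookup_route(DMS_VPC_ROUTES, "192.168.0.10"))
    print("on-prem 192.168.0.10 admitted by DMS SG:",
          inbound_allowed(DMS_SG_INBOUND, "192.168.0.10", "tcp", 1433))
    print("same-VPC 10.0.1.5 admitted by DMS SG:",
          inbound_allowed(DMS_SG_INBOUND, "10.0.1.5", "icmp"))
```

For the Alibaba question the output makes the answer's point concrete: 192.168.10.190 never matches anything but the default route, so no security-group change can help, and only the VPN-pool route the answer proposes turns a 192.168.2.x client reachable. For the DMS question the listed route and inbound rule both pass, which is why the answer points at the layers this data does not cover: network ACLs and the on-premises side.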

Configuring OpenVPN to Amazon EC2

I am trying to configure OpenVPN to my Amazon EC2 Ubuntu instance. I have opened up both TCP and UDP ports on both the load balancer and the VPC instance. I can connect if I open my putty session to the server and set a SSH tunnel on port 1194, and then connect OpenVPN on localhost 1194, but I am trying to figure out how to set my DNS entry so that I can just connect through the VPN using UDP without setting a SSH tunnel. Any advice? I have tried so many combinations and read everything I can find...
Ok, I finally worked it out. The cname has to match the actual address of the vpc directly, it cannot go through the load balancer and the aname matches the IP of the OpenVPN.

How to add a route to Amazon VPC into an instance's OpenVPN connection?

I want to set up a render farm in EC2 (all Win2012r2) with several slaves and one instance with an OpenVPN connection to our office LAN (all OSX).
What I have done so far:
setup VPC 10.42.0.0/16
setup OpenVPN 10.8.0.0/24, one instance as client, the server is in our office 192.168.1.0/24, the connection is working flawlessly
added 10.8.0.0/24 and 192.168.1.0/24 to the VPC Route Tables/Routes Tab with target: VPN client instance
Source/dest checks turned off for the VPN client instance
What is working:
I can ping around in the VPC
I can ping around the VPN
What doesn't work:
ping from VPN server to the client's VPC address
ping from a slave node to the VPN net
some debugging:
wireshark on the VPN client 10.8.0.14 shows a ping echo 'no response' when trying to ping 10.8.0.14 from 10.42.243.30, so the return route seems to be broken
So how do I get the VPC working so that every instance can ping the VPN server and additionally our office LAN?
Regards,
Dennis
I suspect you need to configure your Network ACLs (Security Groups) to allow all inbound and outbound traffic between your VPC nodes.
I figured out the Windows service Routing and Remote Access didn't run as suspected.
Now everything works like a charm!
--Dennis
Please check your VPN Settings from the OpenVPN Admin Page. Specify the private subnets to which all clients should be given access in the Routing section of the VPN Settings tab on the OpenVPN Admin Page.

Amazon RDS Endpoint internal

How can I make ec2 instance communicate with rds instance on aws by internal ip address or dns?
I only see public dns like xxx.cehmrvc73g1g.eu-west-1.rds.amazonaws.com:3306
Will the internal IP address be faster than the public DNS?
Thanks
A note for posterity, ensure that you enable DNS on the VPC Peering link!
Enabling DNS Resolution Support for a VPC Peering Connection
To enable a VPC to resolve public IPv4 DNS hostnames to private IPv4 addresses when queried from instances in the peer VPC, you must modify the peering connection.
Both VPCs must be enabled for DNS hostnames and DNS resolution.
To enable DNS resolution support for the peering connection:
1) Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2) In the navigation pane, choose Peering Connections.
3) Select the VPC peering connection, and choose Actions, Edit DNS Settings.
4) To ensure that queries from the peer VPC resolve to private IP addresses in your local VPC, choose the option to enable DNS resolution for queries from the peer VPC.
If the peer VPC is in the same AWS account, you can choose the option to enable DNS resolution for queries from the local VPC. This ensures that queries from the local VPC resolve to private IP addresses in the peer VPC. This option is not available if the peer VPC is in a different AWS account.
5) Choose Save.
If the peer VPC is in a different AWS account, the owner of the peer VPC must sign into the VPC console, perform steps 2 through 4, and choose Save.
You can use the "Endpoint" DNS name. It will resolve to the internal IP when used within the VPC and resolves to a public ip when used outside of your AWS network. You should never use the actual IP address because the way the RDS works it could possibly change in the future.
If you ping it from your EC2 (on the same VPC) server you can verify this.
It is amazing to see the amount of down votes I've got given that my answer is the only correct answer, here is 2 other sources:
https://forums.aws.amazon.com/thread.jspa?threadID=70112
You can use the "Endpoint" DNS name. It will resolve to the internal IP when used within EC2.
https://serverfault.com/questions/601548/cant-find-the-private-ip-address-for-my-amazon-rds-instance2
The DNS endpoint provided in the AWS console will resolve to the internal IPs from within Amazon's network.
Check out the AWS EC2 docs: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-private-addresses.
It doesn't appear that this necessarily applies to RDS, however.
When resolving your RDS instance from within the same VPC the internal IP is returned by the Amazon DNS service.
If the RDS instance is externally accessible you will see the external IP from outside the VPC. However, if the EC2 instance is NOT available publicly, the internal IP address is returned to external and internal lookups.
Will the internal IP address be faster than the external address supplied by public DNS?
Most likely as the packets will need to be routed when using the external addresses, increasing latency.
It also requires that your EC2 instances have a public IP or NAT gateway along with appropriate security groups and routes, increasing cost, increasing complexity and reducing security.
It's pretty easy: telnet your RDS endpoint using the command prompt on Windows or through a Unix terminal.
for example: telnet "your RDS endpoint" "Port"
Trying to connect "You get your RDS internal IP here"
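The telnet check above, and the earlier answers' claim that the endpoint name resolves to an internal address from inside the VPC, can be verified together in one script. This is an added example, not code from the answers or from AWS: it resolves a name exactly as a database client would, labels each returned address as private (inside the VPC) or public (traffic will leave through an IGW or NAT), and then attempts a bare TCP handshake on the port, which is all telnet does. The `demo_against_local_listener` function is a stand-in that listens on loopback so the script can run offline; in practice you would call `check_endpoint` with your RDS endpoint name and port from an EC2 instance in the same VPC.

```python
import ipaddress
import socket
from contextlib import closing


def resolve_endpoint(host, port):
    """Resolve a name the way the DB client will (getaddrinfo), de-duplicated,
    and flag each answer: private/loopback means the client is being pointed
    inside the network; public means the path goes out through an IGW or NAT."""
    seen, results = set(), []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip in seen:
            continue
        seen.add(ip)
        addr = ipaddress.ip_address(ip)
        results.append({"ip": ip, "private": addr.is_private or addr.is_loopback})
    return results


def tcp_reachable(ip, port, timeout=3.0):
    """The 'telnet endpoint port' test as a function: True when a TCP handshake
    completes within the timeout. No application data is sent."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with closing(socket.socket(family, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((ip, port)) == 0


def check_endpoint(host, port, timeout=3.0):
    """For every resolved address: is it private, and does the port answer?"""
    return [dict(r, reachable=tcp_reachable(r["ip"], port, timeout))
            for r in resolve_endpoint(host, port)]


def demo_against_local_listener():
    """Offline stand-in for the RDS endpoint: a loopback listener whose port is
    chosen by the OS, so the check has something real to handshake with."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return check_endpoint("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    for row in demo_against_local_listener():
        print(row)
```

A result where `private` is False from inside the VPC is the thing to investigate: it usually means the lookup did not go through the VPC resolver (for example, a hard-coded external resolver on the instance), and the traffic is about to take the public path the answer above warns is slower, costlier and exposed to more policy surface.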
