Do I need an Inbound NACL to allow VPC Endpoint DynamoDB Access? - aws-lambda

I have a Lambda in my VPC that needs to access DynamoDB. I have a VPC Endpoint setup for this, finally got it to work, but am questioning the setup.
Lambda is running in my private subnet.
The subnet has a route table:
1. Destination: 10.153.32.0/21 Target: local
2. Destination: pl-02cd2c6b (com.amazonaws.us-east-1.dynamodb, 52.94.0.0/22, 52.119.224.0/20) Target: (my VPC Endpoint)
3. Destination: 0.0.0.0/0 Target: (my NAT Gateway)
My VPC Endpoint is associated with the above route table (and a few others), hence the #2 route.
And I added the following Network ACL Inbound Rule
Port range 1024 - 65535
CIDR blocks 52.94.0.0/22 and 52.119.224.0/20
ALLOW
What concerns me is that Network ACL rule. I added it after reading this comment.
I'm wondering if I need that rule, or if maybe something else is wrong? I was surprised I had to add it because that SO comment was the only place that mentioned it.
It feels fairly safe to add since those CIDRs should be safe to allow since they are specifically for DynamoDB. But I'm assuming I'll have to keep an eye out for changes to those ranges.
EDIT: I also tried updating my lambda's security group outbound rules, to allow all ports with a destination of pl-02cd2c6b, but that didn't work.

You would only need that rule if you decided to use a customized Network ACL. By default, NACLs allow all, leaving network access control in the hands of security group settings... so if you don't use the default rules, you have to manually allow everything in both directions since, unlike security groups, NACLs don't track IP flow states.
What you are doing looks correct (assuming you need a custom NACL).
The IP addresses from the prefix list are necessary for allowing reply traffic in the inbound direction, and the unusually-broad ephemeral port range comes from the VPC documentation:
AWS Lambda functions use ports 1024-65535.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
There is a documented caveat about treating the prefix list as static:
The range of public IP addresses for a service may change from time to time. Consider the implications before you make routing or other decisions based on the current IP address range for a service.
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html#vpc-endpoints-routing
Using the default "allow all" NACL is probably a better alternative. If you really feel the need to lock down your Lambda function's access, you should be able to create an outbound security group rule referencing the pl-xxxx directly. This will work once your NACL is set back to allow all.
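To make the stateless-versus-stateful point concrete, here is an added Python model of NACL rule evaluation (example code written for this page, not AWS code and not anything from the question or answer). It assumes a hypothetical custom NACL whose inbound rules are constructed here, a sample DynamoDB address taken from inside the quoted prefix-list CIDRs, and a sample ephemeral port; the rule numbers are made up. It shows that the reply DynamoDB sends back to the function's ephemeral port hits the implicit deny unless the inbound rule exists, that the default "allow all" NACL needs nothing extra, and that the 1024-65535 range does not cover replies aimed at ports below 1024.

```python
"""Stateless NACL evaluation: why reply traffic from DynamoDB needs an inbound rule.
Added example for this page; rule sets and sample addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Copy of the DynamoDB prefix-list CIDRs quoted in the question (us-east-1 at the time).
DYNAMODB_PREFIX_LIST = ["52.94.0.0/22", "52.119.224.0/20"]


@dataclass(frozen=True)
class NaclRule:
    number: int       # rules are evaluated in ascending order; first match wins
    protocol: str     # "tcp", "udp", "icmp" or "all"
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int    # destination port range the rule covers
    port_to: int
    action: str       # "allow" or "deny"

    def matches(self, protocol: str, ip: str, port: int) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.cidr):
            return False
        return self.port_from <= port <= self.port_to


def evaluate(rules: List[NaclRule], protocol: str, ip: str, port: int) -> str:
    """Return 'allow' or 'deny' for one packet in one direction.
    A NACL keeps no flow table, so a reply packet is judged only against the rules
    of its own direction; the implicit final rule '*' denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, ip, port):
            return rule.action
    return "deny"


def in_dynamodb_prefix_list(ip: str) -> bool:
    """True if the address falls inside one of the quoted prefix-list CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in DYNAMODB_PREFIX_LIST)


# The default NACL: a single rule 100 allowing everything (matches the AWS default).
DEFAULT_INBOUND = [NaclRule(100, "all", "0.0.0.0/0", 0, 65535, "allow")]

# A constructed custom NACL that only admits SSH from inside the VPC CIDR.
INBOUND_BASE = [NaclRule(100, "tcp", "10.153.32.0/21", 22, 22, "allow")]

# Same custom NACL plus the rule from the question, one entry per prefix-list CIDR.
INBOUND_WITH_DYNAMODB_REPLY = INBOUND_BASE + [
    NaclRule(200, "tcp", "52.94.0.0/22", 1024, 65535, "allow"),
    NaclRule(210, "tcp", "52.119.224.0/20", 1024, 65535, "allow"),
]


def reply_verdict(inbound_rules: List[NaclRule],
                  dynamodb_ip: str = "52.94.1.2",
                  ephemeral_port: int = 54321) -> str:
    """Verdict for the TCP reply DynamoDB sends back to the function's ephemeral port.
    The request (destination port 443) left through the outbound rules; this is the
    other half of the same flow arriving inbound, which the NACL judges on its own."""
    return evaluate(inbound_rules, "tcp", dynamodb_ip, ephemeral_port)


if __name__ == "__main__":
    print("default NACL, reply:          ", reply_verdict(DEFAULT_INBOUND))
    print("custom NACL without the rule: ", reply_verdict(INBOUND_BASE))
    print("custom NACL with the rule:    ", reply_verdict(INBOUND_WITH_DYNAMODB_REPLY))
```

The model deliberately has no state: a security group would admit the reply because it remembers the outbound request, whereas here the reply is only admitted because a rule in the inbound direction says so. The ephemeral-port range is as broad as it is because the function, not DynamoDB, picks the source port of each connection.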

Related

How to use more than one network to get ICE candidates with ion-sfu (pion)

I'm using an ion-sfu (and signaling) on an AWS instance running on its private network, 10.0.0.160.
This instance also has an elastic IP address, 207.61.171.104.
We access that SFU with a VPN that has access to the private network, and also through a carrier gateway using the elastic IP address.
To make it work on the elastic IP network, we add its IP in the setting:
nat1to1=["207.61.171.104"]
but when we do this, the other network (10.0.0.x) is no longer able to establish a peer connection.
and when adding both to the list like this:
nat1to1 = ["10.0.0.160","207.61.171.104"]
then neither works.
I'm wondering if it's possible for peers on both networks to connect to the SFU.
This setting is exposing SetNAT1To1IPs from pion/webrtc.
SetNAT1To1IPs comes with two modes. ICECandidateTypeHost which replaces all your private IPs with one of your choosing (what it is doing right now) or ICECandidateTypeSrflx which just appends an IP of your choosing.
I think we should add a nat1to1_mode to ion-sfu, where you can choose ICECandidateTypeHost or ICECandidateTypeSrflx. If you are interested, I would love to help you make that PR! You can try changing the code easily today here.
If you have more questions happy to chat here or on Pion Slack

Not able to access EC2 instance in same VPC via private IP

I have 2 EC2 instances (one Windows and one Linux) in the same subnet. I am trying to access one instance from the other via private IP, but I am not able to do so.
Both instances belong to the same security group, and that security group allows all traffic from the same security group.
I am not even able to ping one instance from the other using the private IP address.
Any pointers on what could be wrong here?
By default the Windows firewall will deny all inbound requests (including ping), but the firewall also contains a list of Exceptions (otherwise it would block everything!). Those Exceptions are a set of rules that describe what connections should be allowed in out-of-the-box.
To allow any additional connections, you just add a new rule to the firewall. There is a wizard in the Windows Firewall GUI for viewing and creating rules, but I find it easier to use a PowerShell one-liner like this to allow ping:
New-NetFirewallRule -DisplayName "Inbound LAN Ping" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 192.168.1.0/24 -Action Allow
The above will allow any IPs between 192.168.1.1 ... 192.168.1.255 to send ping requests to your Windows host (all other RemoteAddress values will still be ignored). I'm assuming here your Linux machine's IP is for example 192.168.1.1 and your Windows machine's IP is 192.168.1.123.
As a rule of thumb, you should only open up the minimal number of ports, to as few IP/IP ranges as possible.
This will likely be the result of Windows firewall being enabled, with default settings it will block ping access (among other things).
Disabling it should enable inbound/outbound access to work for ping. This is a temporary measure and should not be considered a permanent workaround.
You should enable whitelisting in the Windows firewall to allow the ports you would like inbound or outbound to have network access to/from other resources within the network.
More information is available in this link.

How to set up EC2 with public IP for connections from itself?

I have an EC2 instance (running kafka) which needs to access itself via public IPs, but I would like to not open the network ACLs to the whole world.
The rationale is that when a connection is made to a kafka broker, the broker advertises which kafka nodes are available. As kafka will be used inside and outside EC2, the only common option is for the broker to advertise its public IP.
My setup:
an instance, with public IP (not an elastic IP)
a vpc
a security group, allowing access to the kafka ports from my work network
an internet gateway
a route allowing external access via the gateway
The security group is as follows:
Custom TCP Rule, proto=TCP, port=9092, src=<my office network>
Custom TCP Rule, proto=TCP, port=2181, src=<my office network>
In short, all works fine inside the instance if I use localhost.
All works fine outside the instance if I use the public IP.
What I now want is to use kafka from inside the instance with the public IP.
If I open the kafka ports to the whole world:
Custom TCP Rule, proto=TCP, port=9092, src=0.0.0.0/0
Custom TCP Rule, proto=TCP, port=2181, src=0.0.0.0/0
It works, as expected, but it does not feel safe.
How could I set up the network ACL to accept inbound traffic from my local instance/subnet/VPC (does not matter which) without opening too much?
Well, this is not clean, but it has the added advantage of not having to pay for external bandwidth.
I did not find a way as I expected (via the security groups), but just by updating the /etc/hosts on my ec2 instance, and actually using a hostname instead of an IP, all works as expected.
For instance, if I give the instance the hostname kafka.example.com, then by having the following line in /etc/hosts:
127.0.0.1 kafka.example.com
I can use the name kafka.example.com everywhere, even if it actually points to a different IP depending on where the call is made.

Multiple EC2 Instances outgoing/outbound traffic presented from a single/common IP (not using NAT!)

I would like outgoing web service calls from different EC2 instances to have the same origin IP address. Is there any proper solution for this problem that does not involve defining a NAT within the Amazon VPC?
All the related questions I found on the web (see below) always end up with a NAT recommendation, and I am wondering whether there is another solution besides NAT.
https://serverfault.com/questions/530783/multiple-outgoing-ip-on-one-amazon-ec2-instance
https://forums.aws.amazon.com/message.jspa?messageID=430341
http://engineering.silk.co/post/31923247961/multiple-ip-addresses-on-amazon-ec2
To have requests come from a single IP address, then the machine with that IP address needs to send all the requests (obvious, I know). Therefore, it either needs to be the source of those requests, or requests from other machines need to route through that machine.
The easiest way to route requests through a single machine is to treat it as a NAT. This involves:
Modifying route tables so that traffic destined for the Internet routes to the NAT server
Configuring the NAT server to forward the traffic to the Internet and pass back responses
This could be done via a proxy rather than a NAT, but the result is effectively the same.
It is not possible to give the same IP address to multiple machines, since the return traffic won't know where to go. (Actually, it is possible -- see Anycast on Wikipedia, but this is only for incoming traffic to stateless services.)

Restrict traffic to port forwarded host Mikrotik

Here's the scenario. I'm currently running a Mikrotik RB433AH for my router here at my office. I have several firewall rules setup and all is good. I am also configured for NAT. I'm at a point now where I need to retrieve data from a host located on the inside network "192.168.0.10", protocol TCP and port 502. I will be accessing this internal host from a server that is located in a remote location with a static IP address. I need to allow this IP and everything else will need to be denied.
I add my dst-nat rule and once again all is fine there. However, since adding a dst-nat rule I can access this internal host from the outside where I need to have this internal host only accessible from my equipment that is located at a datacenter.
From what I've read so far I do believe that NAT rules are processed first and then the firewall filter rules. So this explains why I'm able to access this device from the outside. How do I filter the outside world from accessing this device?
Do I need to add another rule, perhaps on the filter rule for chain=forward? I've read a lot of documentation thus far and now things are quite hazy, so any help would be awesome at this point.
Thanks in advance!
T
Yes, you need to make a firewall rule, from a specific address, to your host, and accept it, and drop everything else... That can be done in a single rule, using the ! option.
/ip firewall filter
# Drop traffic to the host from any source other than the external server.
# With RouterOS's implicit accept at the end of the chain, this one negated
# rule is enough: the external server never matches it and is accepted.
add chain=forward src-address=!EXTERNALSERVERIP dst-address=192.168.0.10 action=drop
After that change only your external server can access your local host.
You need to put this rule on top:
/ip firewall filter add chain=forward src-address=yourexternalipaddress dst-address=192.168.0.10 action=accept
Below that rule you need to add this block:
/ip firewall filter add chain=forward dst-address=192.168.0.10 action=drop
The explanation:
When a connection goes through the firewall filter rules, it is checked against the first rule. If it matches, that rule is executed; if not, it is passed on to the next rule.
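As an added illustration of the NAT-then-filter order and the first-match rule evaluation described above (example code written for this page, not RouterOS code and not anything posted in the thread), here is a small Python model. The addresses 203.0.113.10 for the datacenter server and 198.51.100.1 for the router's WAN side are constructed placeholders. It shows that with only the dst-nat rule the host is reachable by anyone, that the accept rule must sit above the drop rule for the external server to get through, and that the single negated-source drop rule produces the same result as the two-rule version.

```python
"""Model of RouterOS handling for a dst-nat'ed host: NAT first, then the forward
filter chain, first match wins, implicit accept at the end of the chain.
Added example for this page; addresses and rule sets are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses: the datacenter server, the router's WAN side, the internal host.
EXTERNAL_SERVER = "203.0.113.10"
ROUTER_WAN = "198.51.100.1"
INTERNAL_HOST = "192.168.0.10"

# What the dst-nat rule does: (WAN address, port) -> (internal address, port).
DST_NAT: Dict[Tuple[str, int], Tuple[str, int]] = {(ROUTER_WAN, 502): (INTERNAL_HOST, 502)}


@dataclass(frozen=True)
class FilterRule:
    action: str                        # "accept" or "drop"
    src_address: Optional[str] = None  # exact address, "!address" for negation, None = any
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None     # None = any port


def _addr_matches(spec: Optional[str], addr: str) -> bool:
    """Match an address against a rule field, honouring the '!' negation."""
    if spec is None:
        return True
    if spec.startswith("!"):
        return addr != spec[1:]
    return addr == spec


def apply_dst_nat(dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """NAT is applied before the forward filter, which is why the filter rules in
    the answer match on the internal 192.168.0.10 address, not the WAN address."""
    return DST_NAT.get((dst_ip, dst_port), (dst_ip, dst_port))


def forward_verdict(rules: List[FilterRule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Walk the chain in order; the first matching rule decides."""
    for rule in rules:
        if (_addr_matches(rule.src_address, src_ip)
                and _addr_matches(rule.dst_address, dst_ip)
                and rule.dst_port in (None, dst_port)):
            return rule.action
    return "accept"  # RouterOS accepts a packet that reaches the end of a chain


def handle(rules: List[FilterRule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Full path for one packet arriving on the WAN side: dst-nat, then forward filter."""
    nat_ip, nat_port = apply_dst_nat(dst_ip, dst_port)
    return forward_verdict(rules, src_ip, nat_ip, nat_port)


# Only the dst-nat rule, no filter: the situation the question describes.
NO_FILTER: List[FilterRule] = []
# Two-rule version: accept the external server, then drop everyone else to the host.
ACCEPT_THEN_DROP = [
    FilterRule("accept", src_address=EXTERNAL_SERVER, dst_address=INTERNAL_HOST),
    FilterRule("drop", dst_address=INTERNAL_HOST),
]
# The same two rules in the wrong order: the drop matches first, the accept is never reached.
DROP_THEN_ACCEPT = list(reversed(ACCEPT_THEN_DROP))
# Single-rule version using negation: drop anything to the host not from the server.
SINGLE_NEGATED = [FilterRule("drop", src_address="!" + EXTERNAL_SERVER, dst_address=INTERNAL_HOST)]

if __name__ == "__main__":
    stranger = "192.0.2.55"  # constructed: some other host on the internet
    for name, rules in [("no filter", NO_FILTER), ("accept then drop", ACCEPT_THEN_DROP),
                        ("drop then accept", DROP_THEN_ACCEPT), ("single negated", SINGLE_NEGATED)]:
        print(f"{name:17s} server={handle(rules, EXTERNAL_SERVER, ROUTER_WAN, 502)} "
              f"stranger={handle(rules, stranger, ROUTER_WAN, 502)}")
```

The reversed-order case is the one worth remembering: on a first-match chain, a broad drop placed above a narrow accept silently disables the accept, so new rules added to the end of an existing chain are only reached by traffic nothing above them matched.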