I had EC2 server where I was running my existing application. The EC2 instance was on private subnet and ELB was created in public subnet with access to particular VPN IP. So whenever I was on VPN, I was able to access my application and if I am outside that VPN IP then I wasn't able to access the application.
Now I have created EKS cluster and I am deploying my application using kubectl with docker image of the application. Weird thing is the application works fine whenever I am NOT on VPN (I tweaked security group to allow all traffic from all IPs) and whenever I am on VPN, I receive "ERR_CONNECTION_RESET" in chrome and curl shows - empty response received from server.
Till now I have tried below things. As I am relatively new with EKS, I am not able to find much.
1. Same security group applied - Not resolving
2. Checked logs of all pods - whichever pods I received from "kubectl get po --all-namespaces" - No issues showing up
3. Checked /var/log/messages
4. Tried to change application port
5. kubectl get events not showing anything on why server is sending back empty response.
6. Tried to SSH to node and tried to curl localhost:30080 and it works fine, but when tried to curl from my machine (which is on VPN), it fails with empty response.
Please again note that, the application runs totally fine when I am outside VPN. Further my old application (that is on EC2) runs fine with VPN.
Thanks in advance!
Finally found the issue was with the corporate VPN which was blocking all ports other than 80 and 443. When I was creating the service, I wanted to have ELB to expose port 5000. So I was thinking elb-host:5000 will point to dev service nodeport which was 30080. This was perfectly working when I was NOT on the VPN. But when I was connecting the site using VPN, corporate traffic was blocking port 5000 on ELB. After I changed the port to 80, it started working as expected.
While using nginx, it was creating ELB with port 80 instead of my intended port 5000. I didn't notice that port change and thought that this is happening due to IP blocking.
Related
I am just testing out Apis in my local and they all seem to work pretty good with localhost:8080. So i just uploaded the whole application to ec2 instance.
I uploaded my Local Springboot Application to the Ec2 instance, got the vpc, public & private subnets, got proper route tables, and when i try java -jar demoApplication-SNAPSHOT.jar from my SSH terminal, it seems to be running on port 8081 in the server. But when i try to click on the public ipv4 DNS address on ec2 instance, it says the site is not reachable.
I have allowed the chrome browser through firewall too but even that isn't working. Any help on this will be gladly appreciated!
below is the snippet from postman for the reference.
enter image description here
I am running a webserver on an Ubuntu ec2 instance. The service accepts http connections over port 8080.
The next step is to allow the service to be e accessible using public_DNS:8080. I've modified the security group to accept all incoming traffic on 8080. However, I get connection refused when I try it on my browser. I am guessing it is something to do with the Ubuntu firewall.
I have very little idea about it. Any suggestions on how I can proceed to resolve this?
I have Windows EC2 instance I use for my public-facing C# API. The VPC(and related Internet Gateway, subnets, etc) are all default.
I've now setup an AWS ElasticSearch service using their more secure VPC Endpoint option (instead of public-facing) and I've associated it to the same subnet and vpc as my above Windows EC2 instance.
I'd like to get them to talk to each other.
Reading from https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html
It seems what you'd do is ssh tunnel / port forward traffic from localhost:9200 on the EC2 instance to the actual Elastic Search service (via that VPC endpoint).
It seems this command is where the magic happens:
ssh -i ~/.ssh/your-key.pem ec2-user#your-ec2-instance-public-ip -N -L 9200:vpc-your-amazon-es-domain.region.es.amazonaws.com:443
but that is for a Linux EC2 instance.
If I am Remote Desktopped into my Windows EC2 instance (the API), how can I make it so when I go to a browser, http://localhost:9200
will send traffic to my VPC Endpoint:
vpc-your-amazon-es-domain.region.es.amazonaws.com:443
Thanks!
Alright, so I'll answer my two questions:
First, it's actually quite easy, just RDP to your box and access the instance directly via the VPC endpoint. You don't need to do anything wacky like port forwarding using the netsh command or anything like that. Simply make sure the server (in my case my API) is on the same VPC and you're fine. I just had an error in my connection string that's why it didn't connect. To confirm, I RDP'D in and was able to hit the endpoint directly in a browser on port 80. While it's true the actual Elasticsearch runs on port 9200, you don't need to forward to localhost:9200 --> vpc:9200.
Now, regarding the second question, about hitting it locally, I think the problem is that because this service lacks a public IP address and you can't access it, that you can go through some complicated setup on AWS, or easier is just set it up to run locally for now until you are ready to use the VPC one (and thus your code will just run). Another option is to use security groups and make a publicly accessible cluster for now, and then when your code is done, search service/layer done, etc, you can start anew with a VPC/secure Elasticsearch service and that should be it.
Another thing that many mention is that it is cheaper/you have more control of things if you setup your own Elasticsearch on your local machine, and then set one up on EC2 (this is just reading blogs and seeing people mention how much frustration they had with it).
Despite ElasticSearch and Kibana both running on my production server, I'm unable to visit the GUI over the public IP: http://52.4.153.19:5601/
Localhost curls return 200 but console errors on the browser report timeouts after a few images are retrieved.
I've successfully installed, run, and accessed Kibana on my local (Windows 10) and on my staging AWS EC2 Ubuntu 14.04 environment. I'm able to access both over port 5601 on localhost and the staging environment is accessible over the public IP address and all domains addressed accordingly. The reverse proxy also works and all status indicators are green on the dashboard.
I'm running Kibana 4.5, ElasticSearch 2.3.1, Apache 2.4.12
I've used the same exact volume from the working environment to attach to the production instance, so everything is identical on the two volumes, except that the staging environment's apache vhost uses a subdomain while the production environment's servername is the base domain. Both are configured for SSL wildcards. Both are in separate availability zones at Amazon. I've tried altering the server block to use a subdomain on the production server, just to see if the domain was impactful but the error remains.
I also tried running one instance individually, in case EC2 had some kind of networking error with 0.0.0.0 but I'm unable to come to a resolution. All logs and configurations are identical between the two servers for ElasticSearch and Kibana.
I've tried deleting and re-creating the kibana index, tried alternate settings inclusive of the host, elasticsearch url, extending the max ping and timeout, max retries, extended the apache limits, http.cors to allow different origins. I've tried other ports but both servers are indicating that 5601 is listening in the same way.
I also had the same problem on a completely different volume that was previously attached to this instance.
The only difference I can see is that the working version pings fine while the non-working version has a 100% packet loss when pinging the IP, although I can't imagine why that would be, as I'm able to reach the website on 80, just fine. I can also access various other tools running on other ports. I assume there might be some kind of networking conflict. Any ideas?
May be port 5601 is blocked by firewall
Allow incoming connections to port 5601 by:
sudo iptables -I INPUT -p tcp --dport 5601 -j ACCESS
For security:
Modify above mentioned command and accept connection only from specific address. (See man iptables)
or use Shield plugin for elasticseach
Sorry, forgot to update this question. The answer turned out being that I simply needed to deploy a new instance. Simply by creating a clone of the instance, I was able to resolve the issue. I've had networking problems at AWS, before, with their internal dns/ip conflicts, so I've had to do so, in the past and this turned out to be the quickest and cleanest solution, albeit not providing any definitive insight into the cause.
I am having trouble connecting to an Amazon Elastic Cloud Computer Instance via a browser.
I attempted going to ********.compute-1.amazonaws.com , but the browser returns that the connection has timed out.
I can connect via ssh and winscp. That is how I uploaded a web app I developer. I have also created a security group and added rules to open ports 22 and 80.
Do I have to assign the security group to the instance somehow?
The security group's rules also do not have a source IP, well they do its 0.0.0.0/0
I would really appreciate any and all help in getting this site ' viewable ' via a browser.
By default, your instances will only be in the default security group. If it's an EC2 instance you cannot change security groups while the instance is running, you'll have to specify them in advance. If it's a VPC instance you can change security groups at runtime.
Add the rule to the default group
You can however add the rule to allow port 80 to that default security group; just don't create a new security group as it can not be associated with the running instance.
Is the web server up?
Also, make sure that your web server is up and running. From your instance (using SSH shell access), check if the right process is listening on port 80, using the command netstat -lnp. You should then see a row with proto tcp and a Local Address ending in :80. The IP Address listed should be either 0.0.0.0 (meaning 'any IP') or a specific IP of a listening network interface.
Web server not up
If you are in need of a web server, take a look at Apache or Nginx. They both support PHP.
Hope this helps.
I had also faced similar issue with ec2 micro instance. I was using Red-Hat AMI. Despite of opening ports 8081 in security group, I was not able to a telnet to the host port. Disabling the iptable did the trick for me:
sudo /etc/init.d/iptables stop
Do not forget to disable firewall if you use windows for your server.
I faced the same issue while setting up redash AMI image on AWS. Inbound security rules should be changed when instance is not running. Let's say if the instance is running (meaning it's active and started); If you change the inbound rules of that machine you'll still face firewall issue. So Stop the machine on which you want to change the inbound rules on. Change the inbound rules. Start the machine now. Now you can hit the machine url from the ip you just opened the access to the machine to.
The EC2 instance firewall is maybe enabled.
Check it with this command:
sudo systemctl status firewalld
if enabled you can disable it with :
sudo systemctl disable firewalld
or setup rules to allow port 80 trafic