Should an AWS EC2 instance connect using only IPv4 Public IP? - amazon-ec2

If I put the "IPv4 Public IP" of my EC2 instance in the browser's address bar, shouldn't it connect and return an error message instead of just timing out?

So, it sounds like you are attempting to connect to the instance via SSH.
Things to check:
The Security Group associated with the instance needs to have port 22 open to either your Public IP address, or to 0.0.0.0/0 (which is not a good security practice)
You are on a network that is not blocking SSH traffic. Some corporate networks prohibit such access (so try it from home).
The instance is running an SSH server. This is standard on Linux distributions, such as the Amazon Linux AMI. (Believe it or not, some people wonder why they can't SSH to a Windows instance.)
You should be trying to connect to a public IP address associated with the instance
The instance needs to be in a Public Subnet (which means the Route Table associated with the Subnet is pointing 0.0.0.0/0 traffic to an Internet Gateway). If you are using the Default VPC, then this is done for you.
You have the private half of the keypair that was nominated when the instance was launched. If you are using an Amazon Linux instance, the private half of the keypair would have been automatically copied to: /home/ec2-user/.ssh/authorized_keys
The fact that your connection is timing out, as opposed to receiving an error message, most likely makes it an incorrectly configured Security Group. (Trust me, it's almost always the Security Group!)
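The checks in the answer above can be made mechanical. The following is an added example, not code from the answer or from AWS: it applies a security group's inbound rules to a given protocol, port and client IP the way the VPC does (a stateful allow-list with no deny rules, so anything unmatched is dropped silently and the client sees a timeout rather than "connection refused"), and separately lists rules open to the whole Internet. The group below is constructed in the shape of one element of `aws ec2 describe-security-groups --output json`; the group ID and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not a real account. The same check covers the "I suddenly cannot connect" question later on this page.

```python
import ipaddress

# Constructed sample in the shape of one element of
# `aws ec2 describe-security-groups --output json`; not a real group.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-and-admin",
    "IpPermissions": [
        {   # HTTP open to everyone: normal for a web server
            "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
            "UserIdGroupPairs": [],
        },
        {   # SSH only from one office /24 (TEST-NET-3, constructed)
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
            "UserIdGroupPairs": [],
        },
    ],
}


def _covers_port(perm, protocol, port):
    """True if this IpPermission entry applies to protocol/port."""
    if perm["IpProtocol"] == "-1":          # the "All traffic" rule
        return True
    if perm["IpProtocol"] != protocol:
        return False
    if protocol in ("tcp", "udp"):
        return perm["FromPort"] <= port <= perm["ToPort"]
    return True                             # icmp etc.: protocol match is enough


def ingress_allows(sg, protocol, port, source_ip):
    """Return the CIDR of the first inbound rule admitting this traffic, else None.

    A security group is a stateful allow-list with no deny rules, so rule
    order is irrelevant and anything unmatched is dropped silently.
    """
    src = ipaddress.ip_address(source_ip)
    ranges_key, cidr_key = (("Ipv6Ranges", "CidrIpv6") if src.version == 6
                            else ("IpRanges", "CidrIp"))
    for perm in sg["IpPermissions"]:
        if not _covers_port(perm, protocol, port):
            continue
        for rng in perm.get(ranges_key, []):
            if src in ipaddress.ip_network(rng[cidr_key], strict=False):
                return rng[cidr_key]
    return None


def world_open(sg):
    """(protocol, from, to) of rules reachable from any IPv4 or IPv6 address."""
    hits = []
    for perm in sg["IpPermissions"]:
        cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
        if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            hits.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return hits


def explain_ssh(sg, client_ip, port=22):
    """One-line verdict a troubleshooter can act on."""
    cidr = ingress_allows(sg, "tcp", port, client_ip)
    if cidr is None:
        return (f"blocked: no inbound rule admits tcp/{port} from {client_ip}; "
                "the group drops the SYN, so the client sees a timeout")
    if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
        return f"allowed by {cidr}, but SSH is open to the world; narrow it to {client_ip}/32"
    return f"allowed by {cidr}"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, "->", explain_ssh(SAMPLE_SG, ip))
    print("open to the world:", world_open(SAMPLE_SG))
```

To run it against a real group, feed `SecurityGroups[0]` from the CLI output into `ingress_allows` and `explain_ssh` with the address shown by a "what is my IP" service; if the verdict is "blocked", the Security Group is the cause of the timeout and nothing on the instance needs to change.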

Related

Unable to SSH into ec2 from MacOSx

I have been trying to connect to my ec2 instance which was working a few hours ago. After I terminated my bash terminal abruptly, it refuses to work now. I'm getting a constant ssh: connect to host ec2-xx-xxx-xx-xx.compute-1.amazonaws.com port 22: Operation timed out error.
It worked on my friend's Ubuntu system but fails to work even on my Ubuntu.
I've allowed all the inbound and outbound routes too.
I have also used the correct command, made my .pem key private and all. Still doesn't work. What do I do?
Check if the instance is turned on or its IP changed. Each EC2 instance has a private IP and a public IP; we should use the public IP of the instance to SSH to it. Find the public IP in the AWS console.
Verify your attached EC2 security group, and check if the SSH port is open from your network (with nmap, for example).
In the security group, validate that the rule's source is wide open or only open from your current public IP (the latter is more secure and recommended).

Why can't I join my AWS EC2 instance to Active Directory?

I'm unable to join an EC2 instance to my Directory Services Simple AD in Amazon Web Services manually, per Amazon's documentation.
I have a Security Group attached to my instance which allows HTTP and RDP only from my IP address.
I'm entering the FQDN foo.bar.com.
I've verified that the Simple AD and the EC2 instance are in the same (public, for the moment) subnet.
DNS appears to be working (because tracert to my IP gives my company's domain name).
I cannot tracert to the Simple AD's IP address (it doesn't even hit the first hop)
I cannot tracert to anything on the Internet (same as above).
arp -a shows the IP of the Simple AD, so it appears my instance has received traffic from the Simple AD.
This is the error message I'm receiving:
The following error occurred when DNS was queried for the service
location (SRV) resource record used to locate an Active Directory
Domain Controller (AD DC) for domain "aws.bar.com":
The error was: "This operation returned because the timeout period
expired." (error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.aws.bar.com
The DNS servers used by this computer for name resolution are not
responding. This computer is configured to use DNS servers with the
following IP addresses:
10.0.1.34
Verify that this computer is connected to the network, that these are
the correct DNS server IP addresses, and that at least one of the DNS
servers is running.
The problem is that the Security Group rules as currently constructed are blocking the AD traffic. Here are the key concepts:
Security Groups are whitelists, so any traffic that's not explicitly allowed is disallowed.
Security Groups are attached to each EC2 instance. Think of Security Group membership like having a copy of an identical firewall in front of each node in the group. (In contrast, Network ACLs are attached to subnets. With a Network ACL you would not have to specify allowing traffic within the subnet because traffic within the subnet does not cross the Network ACL.)
Add a rule to your Security Group which allows all traffic to flow within the subnet's CIDR block and that will fix the problem.
The question marked as the answer is incorrect.
Both of my AWS EC2 instances are in same VPC, same subnet, with same security group.
I have the same issue. Here are my inbound rules on my security group:
Here is the outbound rules:
I can also ping between the DC and the other host, bidirectionally, with replies on both sides.
I also have the DC IP address set as the primary and only DNS server on the other EC2 instance.
AWS has some weird sorcery preventing a secondary EC2 instance from joining the EC2 domain controller, unless using their managed AD services which I am NOT using.
The other EC2 instance has the DC IP address set as primary DNS. And bundled with the fact I can ping each host from each other, I should have ZERO problems joining to domain.
I had a very similar problem, where at first LDAP over UDP (and before that, DNS) was failing to connect, even though the port tests were fine, resulting in the same kind of error (in network traces, communication between standalone server EC2 instance and the DC instance stopped at "CLDAP 201 searchRequest(4) "" baseObject", with nothing being returned). Did all sorts of building and rebuilding, only to find out that I was inadvertently blocking UDP traffic, which AWS needs for both LDAP and DNS. I had allowed TCP only, and the "All Open" test SG I was using was also TCP only.
D'oh!!!
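Two points from the thread above are worth seeing side by side: the answer's contrast between Security Groups (stateful allow-lists attached to instances) and Network ACLs (attached to subnets, stateless), and the last comment's finding that a "TCP only" rule set silently drops the UDP that DNS and LDAP use. The following is an added example, not code from the thread or from AWS. It evaluates a Network ACL the way the VPC does (ascending rule number, first match wins, implicit final deny, no connection state) and reports which domain-join flows a TCP-only ACL on the DC's subnet would drop. It assumes the member server sits in a different subnet of a 10.0.0.0/16 VPC than the DC, so the traffic actually crosses the ACL; the entries are constructed in the shape of `aws ec2 describe-network-acls` output, the helper `_pair`, the constant `AD_FLOWS` and the member IP 10.0.2.50 are mine, and the AD port list (DNS 53, Kerberos 88, LDAP 389 over both TCP and UDP, SMB 445) is the standard set a domain join exercises.

```python
import ipaddress

# Constructed samples in the shape of `aws ec2 describe-network-acls` Entries;
# not from a real VPC. Protocol is an IANA number as a string ("-1" = all),
# rules are evaluated in ascending RuleNumber order, first match wins, and
# the implicit final rule denies everything.
def _pair(proto, cidr, rule=100, action="allow", ports=(0, 65535)):
    """Build matching ingress and egress entries (helper for the samples)."""
    base = {"RuleNumber": rule, "Protocol": proto, "RuleAction": action,
            "CidrBlock": cidr}
    if proto != "-1":
        base["PortRange"] = {"From": ports[0], "To": ports[1]}
    return [dict(base, Egress=False), dict(base, Egress=True)]

TCP_ONLY_NACL = _pair("6", "10.0.0.0/16")        # "all open" in spirit, but TCP only
ALL_TRAFFIC_NACL = _pair("-1", "10.0.0.0/16")    # what the join actually needs
DENY_FIRST_NACL = (_pair("17", "10.0.0.0/16", rule=90, action="deny", ports=(53, 53))
                   + ALL_TRAFFIC_NACL)            # rule 90 beats rule 100

PROTO_NUM = {"tcp": "6", "udp": "17", "icmp": "1"}


def nacl_decision(entries, egress, protocol, dst_port, peer_ip):
    """'allow' or 'deny' for one packet, in rule-number order (first match wins)."""
    peer = ipaddress.ip_address(peer_ip)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress:
            continue
        if e["Protocol"] not in ("-1", PROTO_NUM[protocol]):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= dst_port <= pr["To"]:
            continue
        if peer not in ipaddress.ip_network(e["CidrBlock"], strict=False):
            continue
        return e["RuleAction"]
    return "deny"                      # the implicit "*" rule


def service_reachable(entries, protocol, service_port, client_ip, ephemeral=49152):
    """Seen from the subnet hosting the service: the inbound request to
    service_port AND the outbound reply to the client's ephemeral port must
    both be allowed, because a NACL, unlike a security group, keeps no state."""
    request = nacl_decision(entries, False, protocol, service_port, client_ip)
    reply = nacl_decision(entries, True, protocol, ephemeral, client_ip)
    return request == "allow" and reply == "allow"


# Flows a domain join exercises against the DC; DNS, Kerberos and LDAP use UDP too.
AD_FLOWS = [("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88),
            ("tcp", 389), ("udp", 389), ("tcp", 445)]


def blocked_ad_flows(entries, member_ip):
    """Which of the AD flows a NACL on the DC's subnet would drop."""
    return [f for f in AD_FLOWS if not service_reachable(entries, f[0], f[1], member_ip)]


if __name__ == "__main__":
    member = "10.0.2.50"   # constructed: member server in another subnet of the VPC
    for name, nacl in (("tcp-only", TCP_ONLY_NACL), ("all-traffic", ALL_TRAFFIC_NACL),
                       ("deny-first", DENY_FIRST_NACL)):
        print(name, "blocks:", blocked_ad_flows(nacl, member))
```

The TCP-only ACL passes every TCP flow and drops udp/53, udp/88 and udp/389, which is exactly the symptom in the thread: port tests succeed, the SRV lookup and CLDAP ping time out. The deny-first sample shows why rule numbers matter: the same deny entry renumbered above the allow-all rule would never be reached.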

I suddenly cannot connect to my EC2 instance. Why? How can I mitigate this?

I had a running instance, and then I became unable to connect to it via http(80) and ssh(22). I tried to reboot the instance, but nothing went up. This has happened to me twice in the past month.
Why does it happen? Can I do anything to fix and/or prevent it from happening?
If I launch a new instance in the same region, it works.
Things to check when trying to connect to an Amazon EC2 instance:
Security Group: Make sure the security group allows inbound access on the desired ports (eg 80, 22) for the appropriate IP address range (eg 0.0.0.0/0). This solves the majority of problems.
Public IP Address: Check that you're using the correct Public IP address for the instance. If the instance is stopped and started, it might receive a new Public IP address (depending on how it has been configured).
VPC Configuration: Accessing an EC2 instance that is launched inside a Virtual Private Cloud (VPC) requires:
An Internet Gateway
A routing table connecting the subnet to the Internet Gateway
NACLs (Network ACLs) that permit through-traffic
If you are able to launch and connect to another instance in the same subnet, then the VPC configuration would appear to be correct.
The other thing to check would be the actual configuration of the operating system on the instance itself. Some software may be affecting the configuration so that the web server / ssh daemon is not working correctly. Of course, that is hard to determine without connecting to the instance.
If you are launching from a standard Amazon Linux AMI, ssh would work correctly anytime. The web server (port 80) would require installation and configuration of software on the instance, which is your responsibility to maintain.

Access to public IP - Amazon instance

I'm running some node services on an Amazon instance (EC2). The services were deployed over SSH on the instance, but for some reason I can't access the services using the public IP, even though all the services are running. Is it necessary to enable the public IP in my EC2 configuration or something like that?
Make sure your security group has the proper ports opened up. In the EC2 console, go to Security Groups (on the left side of the page). Find the security group of the EC2 instance.
There is a tab called Inbound. Make sure you have a row with the type = SSH, protocol = TCP, port = 22, and source = 0.0.0.0/0

Connection to amazon-ec2 VPC instance fails

I have the following setup:
- a VPC, with several subnets, and an access gateway and a NAT instance having public addresses that I can connect to,
- I create a Linux instance in a subnet of the VPC, that has NO public IP address or DNS name (I want that only the Load Balancer be known on the internet).
I want to connect to my Linux instance to install and configure software.
How do you connect to that instance? All the documentation I have seen mentions that you connect using "ec2-user#".
Since I have no public DNS, I have tried to connect from the access gateway via PuTTY with the private DNS of my Linux instance, but it fails ("host does not exist").
I am obviously missing something ... in the NAT?
Thanks, Laurent
You need to have a host in the public subnet which you can access. Once you access this host, you can connect to your other hosts in the VPC using their private IP addresses.
Your instance in question has only private IP address so connecting it from your workstation is not going to work.
The host I am referring to is usually called a Bastion Host. Read the Tip in the "Scenario 2: VPC with Public and Private Subnets" documentation.
Also, read first few results of this Google Search to gain overall understanding on use-cases for Bastion hosts.