What could explain why an EC2 instance running Windows 10 does not consistently have access to its own metadata or userdata?
I know the userdata is set correctly because the exact same script was used for about thirty launches of t2.nano and c4.xlarge instances: the t2.nano never encountered any issue reading the metadata, but out of three attempts with a c4.xlarge only one had access to it. The script only differed by the name of instance (as per git history at least).
I followed the instructions below, and even from a Powershell, the Uri fails to load (cf. Figure 2).
Any hint is appreciated.
There is a script call InitializeInstance.ps1 that resets some configuration information.
For example, if the instance has changed subnets it might not work correctly due to cached routing rules. The InitializeInstance.ps1 can correct this.
We experienced the same issue on a Windows 2016 server on EC2. We noticed that the default gateway on the 169 IPs routes (persistent) where pointing at a non-existing (old?) gateway IP.
We changed the routes to the default gateway of the primary adapter, after that Instance Metadata started to work and AmazonSSMAgent service is running again.
Old situation:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.3.129 172.16.3.152 15
....
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
169.254.169.254 255.255.255.255 172.16.0.129 15
169.254.169.250 255.255.255.255 172.16.0.129 15
169.254.169.251 255.255.255.255 172.16.0.129 15
Notice the gateway on the persistent routes for 169 to point at an IP, which is not the default for 0.0.0.0. This 172.16.0.129 is also not pingable.
After changing the routes using route CHANGE:
route CHANGE 169.254.169.254 MASK 255.255.255.255 172.16.3.129 METRIC 15 IF 4 /P
route CHANGE 169.254.169.250 MASK 255.255.255.255 172.16.3.129 METRIC 15 IF 4 /P
route CHANGE 169.254.169.251 MASK 255.255.255.255 172.16.2.129 METRIC 15 IF 4 /P
Where:
172.16.3.129 is the default gateway on the primary network interface. This will be different on each instance.
And 4 at then end METRIC 15 IF 4 is the interface ID of primary adapter, listed in interface list on route PRINT, this could also be different on each instance.
We now have:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.3.129 172.16.3.152 15
....
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
169.254.169.254 255.255.255.255 172.16.3.129 15
169.254.169.250 255.255.255.255 172.16.3.129 15
169.254.169.251 255.255.255.255 172.16.3.129 15
===========================================================================
This is basically what the for mentioned ProgramData/Amazon/EC2-Windows/Launch/Module/Scripts/Add-Routes.ps1 script does.
Can't edit John Rotenstein so I'll add it here,
This issue was solved at my end by initialise the instance again,
it happen when you created an image in one subnet or vpc and launch it in a different one.
Warning this would change the admin password, make sure you have access to the required key to get the new password at console.
In order to initialise the instance only once run:
C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule
in order to initialise it every boot run
C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -SchedulePerBoot
the docs: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch.html
after running it, reboot the instance, get a new password from the console, rdp inside and you can get metadata and use aws s3 cli / powershell with the attached instance IAM role
Related
I have a strange problem wherein I am able to connect to an EC2 instance in a public subnet in AWS VPC using RDP and HTTP. However after successfully connecting to the instance through RDP, i am not able to connect to Internet (from the instance).
a) I created a non-default AWS VPC and associated an IGW to it. The address range of VPC is 10.0.0.0/16. A subnet with the address space 10.0.5.0/24 was created
c) In order to make the subnet public, i decided to retain the Main Route Table as it is and created an additional Route table with the following entries
10.0.0.0/16 local
0.0.0.0/0 igw
d) This route table was associated with the subnet 10.0.5.0/24. This makes it a public subnet
e) The NACL is set to allow:
INBOUND traffic HTTP(80),HTTPS(80),SSH(22), RDP(3389) for IPV4 and NACL
outbound traffic ALL TRAFFIC ALL PROTOCOL ALL PORT Range Destination 0.0.0.0/0
f) The security group settings are:
Inbound All traffic All All 0.0.0.0/0
Outbound All traffic All All 0.0.0.0/0
g) I created a single EC2 instance in the public subnet and assigned a Elastic EIP to it. I am able to connect to this using RDP and able to access the IIS Welcome page by typing the public DNS name of the EC2 in my local browser. However, from the instance when i open IE and try accessing any popular websites i am not able to access the Internet. I always get a 'Can't reach this page'
h) I disabled Windows Firewall and tried accessing Internet. But still it didnt work.
i) The tracert output just shows Request timed Out in all the lines.
Any help would be appreciated.
Thanks and Regards
Govind
First, verify that the following conditions are met:
The route table in the instance’s subnet has a default route to an
internet gateway. The security group attached to the instance’s
elastic network interface must allow outbound traffic on the following
ports: Port 80 for HTTP traffic Port 443 for HTTPs traffic Identify
the network access control lists (ACLs) that are associated with the
subnet that the instance is located on. These network ACLs must have
rules to allow inbound and outbound traffic on ports 80 and 443.
You don't need to open all the ports to enable outgoing web traffic.
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-connect-internet-gateway/
Finally i was able to fix this issue. I added
ALL TCP TCP (6) 0 - 65535 0.0.0.0/0 ALLOW
as an INBOUND rule in NACL. Immediately i was able to access the Internet from the browser in Ec2 instance.
However i am not convinced that all the ports should be opened to use browser on an EC2 instance in the public subnet. Is there a better way to do this ?
Can i consider setting up a Forward Proxy server as a solution for browser based outgoing traffic as in this case ? Please suggest
Let me first describe my operational steps:
I set up a VPC with CIDR 10.20.0.0/16 (and I created and attached to it an IGW, igw-14ed6f75).
And then I set up a subnet subnet_A 10.20.1.0/24. This subnet's route table is 10.20.0.0/16 -->local (NOTE: I did not set route of 0.0.0.0/0 --> igw-14ed6f75 in this route table)
I started an instance instance_A in subnet_A, and its automatically created public IP is 52.53.245.253. (BTW, the key pair used for this instance is bastion_box)
I wanted to ssh to instance_A by ssh -i ~/.ssh/bastion_box.pem ec2-user#52.53.245.253
Result/Observation: I can't ssh into instance_A
Now I added one route 0.0.0.0/0 --> igw-14ed6f75 into the route-table associated with subnet_A, and then I do the ssh operation again ssh -i ~/.ssh/bastion_box.pem ec2-user#52.53.245.253
Result/Observation: I can successfully ssh into instance_A now
Here is my question: why do we need the route of 0.0.0.0/0 --> igw-14ed6f75 to be able to successfully ssh into the instance? I thought this rule is for the instance connect out to Internet, but not for the outside machines to connect in the subnet.
TCP connections are two-way connections. The server needs to be able to send traffic to the client (and once the initial handshake is done, the two are indistinguishable). Without an egress route, the server could not send any packets back to the client to establish the connection.
From http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html (bold added):
To enable access to or from the Internet for instances in a VPC
subnet, you must do the following:
Attach an Internet gateway to your VPC.
Ensure that your subnet's route table points to the Internet gateway.
Ensure that instances in your subnet have public IP addresses or Elastic IP addresses.
Ensure that your network access control and security group rules allow the
relevant traffic to flow to and from your instance.
I have a macbook, connected with ethernet, and wifi.
A site (lets call it facebook) is blocked on one of the interface (ethernet)
but is open on the other (wifi), on the other hand eth is better (fastest and more reliable than the wifi) so I use eth as a priority interface (on top of network preferences), but in this way there is no access to the blocked site.
I would know if there is a way to say to the operating system or browser or other
software components that it must use the connection of wifi if and only if a connection on :80 over eth fail. this would be perfect...or any other means to solve the problem..
It's a matter of configuring a proper proxy?
Thanks in advance.
You could modify routing table to pass traffic to given host or network through chosen gateway.
List your routing table:
$ netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.0.0.1 UGSc 15 0 en0
default 192.168.0.1 UGScI 1 0 en1
[...]
In this case en1 is wifi. So to use wifi connection to a host x.x.x.x, route traffic to this host through 192.168.0.1 gateway:
sudo route add -host x.x.x.x 192.168.0.1
Or better add routing to entire network used by given service:
sudo route add -net x.x 192.168.0.1
The downside is that it may be difficult to determine an ultimate list of IPs, networks used by the service.
See man route.
Newbie alert with no TCP/IP knowledge... I am trying to set up a production test rig for testing an embedded 6-way ethernet switch by populating an XP PC with 6 NIC cards. I've started with two NICs just to prove the point, both on the same subnet, manual IP addresses of 172.16.0.1 / 172.16.0.2. The routing table (route print) shows (I believe) two loopback entries :
=====================================================
172.16.0.0 255.255.255.0 172.16.0.1 172.16.0.1
172.16.0.0 255.255.255.0 172.16.0.2 172.16.0.2
172.16.0.1 255.255.255.255 127.0.0.1 127.0.0.1
172.16.0.2 255.255.255.255 127.0.0.1 127.0.0.1
172.16.255.255 255.255.255.255 172.16.0.1 172.16.0.1
172.16.255.255 255.255.255.255 172.16.0.2 172.16.0.2
=====================================================
I would like to remove the loopback entries and replace them with "always external" routing entries.. i.e. if you ping 172.16.0.1 the packets use adapter 172.16.0.2, and are routed by the switch back to 172.16.0.1 and if you ping 172.16.0.2 the packets leave 172.16.0.1, and get routed by the switch back to 172.16.0.2, thereby doing a rudimentary connectivity test of the cables, the switch IC, magnetics etc.
A command of :
route add 172.16.0.1 mask 255.255.255.255 172.16.0.2 (which seems to me to be uniquely specifying the use of 172.16.0.2 to send packets to a destination 172.16.0.1) fails with "The route addition failed: The route parameter is incorrect"
While : route add 172.16.0.2 mask 255.255.255.255 172.16.0.1 is accepted but I can't then ping 172.16.0.2
I did find some really good explanations in your old posts of meanings of each line in the table, but I'm obviously not quite understanding what is going on. I'm slightly concerned that the auto-generate route table has specified two adapters as gateways, but I don't know enough to understand the implications.
Ultimately, with 6 NICs in the box, I'd like to be able to make a table that will enable me to exercise every port on the switch.
many thanks
David
You can use ping to do this. First setup the NICs to have static IP addresses. I'll give you an example with 2 NICs. NIC1 is set to 192.168.0.2 and NIC2 is 192.168.0.1. Then run the command:
ping 192.168.0.2 –s 192.168.0.1 –t
I think you'll find that if you unplug the external loopback cable the test will fail and if you plug it back in again, it will pass. For more help on ping, type ping -?
You may have to disable Windows Firewall to let the ping traffic through.
After connecting to the business network I have no internet access.
route print shows:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.132.222 192.168.132.166 121
0.0.0.0 0.0.0.0 On-link 10.100.10.26 31
<... snip ...>
Through these commands:
route delete 0.0.0.0 mask 0.0.0.0 192.168.132.222
route add 0.0.0.0 mask 0.0.0.0 192.168.132.222 metric 1
I am able to then access both internet AND the business network.
I am wondering: Is there a way to define that via Shrew Settings?
The answer given by user416930 is correct, but a little unclear, so here it is spelled out a little better.
In Shrew Soft VPN Access Manager, go to Edit > Properties > Policy > Select.
Uncheck "Obtain Topology Automatically or Tunnel All".
Click "Add". Add the network used by your VPN.
If you are unclear what VPN your network is using:
Open command prompt and type "ipconfig /all".
Look for the entry with "Screw Soft Virtual Adapter".
Shrew Soft VPN Acess Manager>Edit>Properties>Policy>Select(Maintain Persistent Security Assosiacations),Add(10.0.0.0,/255.0.0.0)