I'm using a AWS EC2 instances on VPC with an Internet Gateway and I need to connect my companies network which only accept connections from specific IP addresses(Firewall). The Outbound Traffic of my IP Address is the Internet gateway's IP Address. I have tried using a NAT Gateway, but the NAT Gateway Still uses an Internet Gateway.Is it possible to have Elastic IP for all outgoing traffic on AWS?
If you have as a destination a set of static IP addresses (the ones of your company), I solved the same by doing the following (based on this post):
Create a new subnet to host the NAT Gateway.
Create the NAT Gateway in the above subnet, and assign a new Elastic IP. This one will be our outgoing IP for hitting external APIs.
Create a route table for the NAT subnet. All outbound traffic (0.0.0.0/0) should be routed through the NAT Gateway. Assign the created subnet to use the new route table.
Modify the main route table (the one that handles all our EC2 instances requests), and add the IP(s) of the external API, setting its target to the NAT Gateway.
This way you can route any request to your company IPs through the NAT Gateway. All other requests are routed through the default Internet Gateway.
Related
I Setup a AWS VPC
There are different subnet such as publics subnet and private subnet
My target is created a demo that Windows Server from private subnet access public internet through third party's EC2-Firewall in AWS-VPC
I create a EC2-Firewall with different interface into different subnet (with Allow all policy and allow interface ping)
I also create a EC2-windows server into private subnet, but it cannot access outside network
The issue observed:
EC2-windows can ping local network (/24) include firewall's interface
EC2-windows cannot access (web-browsing/ping) outside network
EC2-windows tracert 8.8.8.8, all response "* * * * request timeout" (default gateway cannot be shown too)
EC2-windows's Ethernet changed to DHCP or changed to static with firewall's interface IP as a default gateway, issue also occurred
Background Information:
Network ACLs is default setting (Allow All)
Security groups is allow all traffic in both direction
AWS subnet - Routing table with two record: Destination: VPC subnet, Target: Firewall's interface & Destination: 0.0.0.0/0, Target: Firewall's interface
Firewall's interface (same subnet) can ping & RDP to EC2-Windows
Firewall has no traffic record "source with EC2-windows, destination: outside network"
EC2-Windows's internal firewall is turn off
Any setting am I missing to check? what should I check to found the root cause related to AWS or Windows setting?
More information after Wireshark on Windows and package capture on firewall:
EC2-Windows sent the "ping 8.8.8.8" & "ping firewall's interface IP" to Firewall's Interface MAC address (shown in Wireshark)
Firewall's interface packet capture only "ping firewall's interface IP" be shown
Is it mean that AWS-VPC drop my outside traffic? How can I fix it?
I found the answer. The root cause is "source/destination checks" of interface.
Since firewall will be able to send and receive traffic the source or destination is not itself when EC-Windows access outside network, AWS "source/destination checks" drop the packet of it.
After Disable source/destination checks, the issue is solved.
I have a strange problem wherein I am able to connect to an EC2 instance in a public subnet in AWS VPC using RDP and HTTP. However after successfully connecting to the instance through RDP, i am not able to connect to Internet (from the instance).
a) I created a non-default AWS VPC and associated an IGW to it. The address range of VPC is 10.0.0.0/16. A subnet with the address space 10.0.5.0/24 was created
c) In order to make the subnet public, i decided to retain the Main Route Table as it is and created an additional Route table with the following entries
10.0.0.0/16 local
0.0.0.0/0 igw
d) This route table was associated with the subnet 10.0.5.0/24. This makes it a public subnet
e) The NACL is set to allow:
INBOUND traffic HTTP(80),HTTPS(80),SSH(22), RDP(3389) for IPV4 and NACL
outbound traffic ALL TRAFFIC ALL PROTOCOL ALL PORT Range Destination 0.0.0.0/0
f) The security group settings are:
Inbound All traffic All All 0.0.0.0/0
Outbound All traffic All All 0.0.0.0/0
g) I created a single EC2 instance in the public subnet and assigned a Elastic EIP to it. I am able to connect to this using RDP and able to access the IIS Welcome page by typing the public DNS name of the EC2 in my local browser. However, from the instance when i open IE and try accessing any popular websites i am not able to access the Internet. I always get a 'Can't reach this page'
h) I disabled Windows Firewall and tried accessing Internet. But still it didnt work.
i) The tracert output just shows Request timed Out in all the lines.
Any help would be appreciated.
Thanks and Regards
Govind
First, verify that the following conditions are met:
The route table in the instance’s subnet has a default route to an
internet gateway. The security group attached to the instance’s
elastic network interface must allow outbound traffic on the following
ports: Port 80 for HTTP traffic Port 443 for HTTPs traffic Identify
the network access control lists (ACLs) that are associated with the
subnet that the instance is located on. These network ACLs must have
rules to allow inbound and outbound traffic on ports 80 and 443.
You don't need to open all the ports to enable outgoing web traffic.
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-connect-internet-gateway/
Finally i was able to fix this issue. I added
ALL TCP TCP (6) 0 - 65535 0.0.0.0/0 ALLOW
as an INBOUND rule in NACL. Immediately i was able to access the Internet from the browser in Ec2 instance.
However i am not convinced that all the ports should be opened to use browser on an EC2 instance in the public subnet. Is there a better way to do this ?
Can i consider setting up a Forward Proxy server as a solution for browser based outgoing traffic as in this case ? Please suggest
I have created a EC2 instance with ASG and attached a eni . Third party service we invoke will accept traffic only if it got initiated from the eni IPs.
ASG won’t allow us to assign eni as primary ip . Is there a work around for this ?
It sounds like you need a NAT with a static IP so that all outbound connections from your ASG come from the NAT IP rather than the IP of the hosts in the ASG.
See this question https://serverfault.com/questions/625166/static-ip-address-for-outgoing-traffic-from-aws-autoscaling-group
Let me first describe my operational steps:
I set up a VPC with CIDR 10.20.0.0/16 (and I created and attached to it an IGW, igw-14ed6f75).
And then I set up a subnet subnet_A 10.20.1.0/24. This subnet's route table is 10.20.0.0/16 -->local (NOTE: I did not set route of 0.0.0.0/0 --> igw-14ed6f75 in this route table)
I started an instance instance_A in subnet_A, and its automatically created public IP is 52.53.245.253. (BTW, the key pair used for this instance is bastion_box)
I wanted to ssh to instance_A by ssh -i ~/.ssh/bastion_box.pem ec2-user#52.53.245.253
Result/Observation: I can't ssh into instance_A
Now I added one route 0.0.0.0/0 --> igw-14ed6f75 into the route-table associated with subnet_A, and then I do the ssh operation again ssh -i ~/.ssh/bastion_box.pem ec2-user#52.53.245.253
Result/Observation: I can successfully ssh into instance_A now
Here is my question: why do we need the route of 0.0.0.0/0 --> igw-14ed6f75 to be able to successfully ssh into the instance? I thought this rule is for the instance connect out to Internet, but not for the outside machines to connect in the subnet.
TCP connections are two-way connections. The server needs to be able to send traffic to the client (and once the initial handshake is done, the two are indistinguishable). Without an egress route, the server could not send any packets back to the client to establish the connection.
From http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html (bold added):
To enable access to or from the Internet for instances in a VPC
subnet, you must do the following:
Attach an Internet gateway to your VPC.
Ensure that your subnet's route table points to the Internet gateway.
Ensure that instances in your subnet have public IP addresses or Elastic IP addresses.
Ensure that your network access control and security group rules allow the
relevant traffic to flow to and from your instance.
I would like that outgoing web service calls from different EC2 instances will have the same origin IP address. Is there any proper solution for this problem which is not defining a NAT within the Amazon VPC?
All the questions I found over the www (see below) related always end-up with a NAT recommendation and I am wondering is there another solution but the NAT solution?
https://serverfault.com/questions/530783/multiple-outgoing-ip-on-one-amazon-ec2-instance
https://forums.aws.amazon.com/message.jspa?messageID=430341
http://engineering.silk.co/post/31923247961/multiple-ip-addresses-on-amazon-ec2
To have requests come from a single IP address, then the machine with that IP address needs to send all the requests (obvious, I know). Therefore, it either needs to be the source of those requests, or requests from other machines need to route through that machine.
The easiest way to route requests through a single machine is to treat it as a NAT. This involves:
Modifying route tables so that traffic destined for the Internet routes to the NAT server
Configuring the NAT server to forward the traffic to the Internet and pass back responses
This could be done via a proxy rather than a NAT, but the result is effectively the same.
It is not possible to give the same IP address to multiple machines, since the return traffic won't know where to go. (Actually, it is possible -- see Anycast on Wikipedia, but this is only for incoming traffic to stateless services.)