On AWS, can someone list the steps to support IPv6? Is an AAAA record enough? Our app works on a NAT64 network. We have just an AAAA record which is mapped to a classic load balancer, but it is not resolving. Do they also check connectivity while reviewing the app?
It has been asked here but with no proper response:
IPv6 App Store Rejection
The best solution I found is to use CloudFront. CloudFront supports IPv6. Just use your ELB as an origin for CloudFront.
A must-read to configure it:
So, I've encountered a weird situation and am wondering whether you may have some suggestions as to how to investigate it...
I have a C# app that connects to Azure Blob Services using the latest SDK and TLS 1.2. When I am at home and on the Internet, I am able to upload files to blob storage without any issues. However, when I go into our office, using the same app on an office computer, I get a connection failure. I am able to access the Internet through a browser.
The networking is as simple as at my home... ISP connection, router/firewall, my computer.
I cannot imagine why enabling TLS1.2 would suddenly make my app not work in the office, but still work at home. Based on these tests, it seems like a NIC issue or an infrastructure issue at the office, but I have never heard of a NIC or router blocking TLS 1.2 outside of a VPN connection. There is no VPN involved.
I am planning on directly connecting my computer to the company's Internet connection, configuring the NIC for the WAN, and seeing what happens. If it works, then there must be something strange going on with the company's router (nothing elaborate; Netgear, or such).
Has anyone encountered this issue? Seems really odd to me...
Thanks for your time and interest,
Mike
• It is not an issue with enabling TLS 1.2 on your office network or your home network or even your Azure blob storage; it is basically related to the communication over SMB TCP port 445 from your local system to the Azure blob storage mapped on your system.
On your home network, you were able to access the blob storage and upload files to it because your ISP has enabled outbound communication over SMB TCP port 445 on its firewall and gateway server over the internet, and thus you were able to access the mapped Azure blob storage and upload files to it. But the same does not hold in your office network, as it is a protected one where outbound communication over SMB TCP port 445 is restricted and not allowed.
• To test whether communication over SMB TCP port 445 can happen or not, I would request you to execute the PowerShell command below and check the results thereafter:
Test-NetConnection -Port 445 -ComputerName somestoragexxx.file.core.windows.net
If this TCP 445 connectivity fails, then you could check whether your ISP or your on-premises office network security is blocking communication over outbound port 445. Please note that you should open the outbound port 445, not the inbound one.
Kindly refer to the documentation link below for details on the different ways to access files in Azure Files:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-faq#general
Also, refer to the link below to learn about the Azure routing mechanism used to reach resources hosted on Azure:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#default
I’m trying to use HTTPS on my EC2 instance.
Currently, my URL looks like this: 192.168.0.1:8443 and works great.
However, due to HTTPS requirements by Stripe and other applications, I need the URL to look like this: https://dev.domain.com
I should add that I am using Cloudflare as my DNS Manager.
I’ve tried Googling how to set this up with no luck. Maybe I’m searching for the wrong thing.
Can someone help me achieve this setup?
Thank you in advance!
You need to configure Route 53 to create a hosted zone for your website, and then you need to add a record set where you point your EC2 server's IP for the particular website request. Please follow the link for detailed instructions on setting up a website with EC2:
AWS link
Which web server (httpd/IIS) are you enabling on this EC2 instance?
Try these steps if it is a Linux box:
SSL-on-an-instance
I ended up adding rules for ports 80 and 443 to my EC2 instance, and then telling Apache to listen on port 80 instead of 8443. This allowed me to remove the appended :8443 in the URL and I was able to copy the DNS info into Cloudflare as a CNAME and begin using my domain name. Before, I wasn’t able to use my server info as it had to have :8443 appended to the URL which Cloudflare doesn’t like.
I have already migrated my app, but there are still users that use the old Parse URL, which then sends the traffic to my self-hosted database. I need to whitelist Parse's IP range so that my MongoDB is not exposed to anyone.
I have already found an answer here that mentions:
you can try whitelisting the IP addresses currently published by Amazon for AWS US-East
I need to know whether this answer is still relevant.
Thanks.
We are using the CloudFlare service for CDN, security and other services. And we are using Ajaxsnapshot for creating snapshots for search bots. The problem is we are getting Error 1000 - DNS points to incorrect IP. When we switch off the CloudFlare settings, the Ajaxsnapshot API works and is able to create snapshots.
How to solve it so we can use both the services?
You should contact CloudFlare support so we can look at your DNS zone file. It sounds like something isn't set properly in DNS, or you're pointing to an IP that it shouldn't be.
We usually blacklist IP addresses with iptables. But in Amazon EC2, if a connection goes through the Elastic Load Balancer, the remote address will be replaced by the load balancer's address, rendering iptables useless. In the case of HTTP, apparently the only way to find out the real remote address is to look at the HTTP header HTTP_X_FORWARDED_FOR. To me, blocking IPs at the web application level is not an effective way.
What is the best practice to defend against DoS attack in this scenario?
In this article, someone suggested that we can replace Elastic Load Balancer with HAProxy. However, there are certain disadvantages in doing this, and I'm trying to see if there is any better alternatives.
I think you have described all the current options. You may want to chime in on some of the AWS forum threads to vote for a solution - the Amazon engineers and management are open to suggestions for ELB improvements.
If you deploy your ELB and instances using VPC instead of EC2-classic, you can use Security Groups and Network ACLs to restrict access to the ELB.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/USVPC_ApplySG.html
It's common to run an application server behind a reverse proxy. Your reverse proxy is a layer you can use to add DoS protection before traffic gets to your application server. For Nginx, you can look at the rate limiting module as something that could help.
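For the two points raised in this thread, recovering the real client address from X-Forwarded-For behind an ELB and rate limiting at the proxy layer, here is an added Python example. It is not code from any of the posters, from AWS or from Nginx. It assumes, as a constructed value, that the load balancer and proxy hosts live in 10.0.0.0/8, and it runs over constructed sample requests; the limiter is an in-memory sliding window meant to show the logic, not to replace doing it at the proxy or network layer. The security point it demonstrates is that the left-most X-Forwarded-For entry is client-supplied and spoofable, so the address to act on is the right-most hop that is not one of your own proxies, and the header must be ignored entirely when the TCP peer is not a trusted proxy.

```python
# Added example (not from the original thread): pick the client address to
# rate-limit on from X-Forwarded-For when only the ELB/proxy hop is trusted,
# then apply a per-client sliding-window rate limit. All addresses and sample
# requests below are constructed for illustration.
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Constructed assumption: the address range of our own ELB/proxy nodes. An ELB's
# addresses change, so in practice this would be the subnet of the proxy layer.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _parse_ip(addr: str):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(addr: str) -> bool:
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to apply limits to.

    Each proxy appends to X-Forwarded-For, so the left-most entries are whatever
    the client chose to send. Walk from the right (the hop nearest to us),
    skipping our own proxies; the first foreign address is the real client.
    If the TCP peer itself is not a trusted proxy, the header is ignored.
    """
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        # The hop our proxy appended must be a valid IP; anything else means a
        # malformed header, so fall back to the peer rather than a bogus key.
        return hop if _parse_ip(hop) is not None else remote_addr
    return remote_addr


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self.window:  # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False  # over limit: do not record, just reject
        q.append(now)
        return True


# Constructed sample traffic: (timestamp, TCP peer address, X-Forwarded-For)
SAMPLE_REQUESTS: List[Tuple[float, str, Optional[str]]] = [
    (0.0, "10.0.1.5", "203.0.113.7"),
    (0.5, "10.0.1.5", "203.0.113.7"),
    (1.0, "10.0.1.5", "203.0.113.7"),
    (1.2, "10.0.1.5", "203.0.113.7"),                 # 4th hit in window -> rejected
    (1.5, "10.0.1.6", "198.51.100.2, 203.0.113.7"),   # spoofed left entry, same client
    (2.0, "10.0.1.5", "198.51.100.9"),                # different client -> allowed
    (3.0, "192.0.2.44", "203.0.113.7"),               # peer is not our proxy: header ignored
]


def run(requests, limit: int = 3, window: float = 10.0) -> List[Tuple[str, bool]]:
    """Return (client address, allowed?) for each sample request in order."""
    limiter = SlidingWindowLimiter(limit, window)
    return [(client_ip(peer, xff), limiter.allow(client_ip(peer, xff), ts))
            for ts, peer, xff in requests]


if __name__ == "__main__":
    for ip, ok in run(SAMPLE_REQUESTS):
        print(f"{ip:<16} {'allow' if ok else 'reject'}")
```

The fifth request shows why the right-to-left walk matters: the client prepended 198.51.100.2, but the ELB appended the address it actually saw, so the limiter still counts the request against 203.0.113.7 and rejects it. The last request shows the other failure mode: traffic that reaches the instance without passing through the ELB must not get to pick its own identity via the header, which is also why the thread's advice to lock the instances down to the ELB with security groups matters.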
You could set up an EC2 host and run haproxy there by yourself (that's what Amazon is using anyways!). Then you can apply your iptables-filters on that system.
Here's a tool I made for those looking to use Fail2Ban on aws with apache, ELB, and ACL: https://github.com/anthonymartin/aws-acl-fail2ban