IPv6 address to CIDR block - amazon-ec2

I'm trying to add a IPv6 address to the security group of an EC2 instance, but I need to specify it as a CIDR block. It's a full IPv6 address, like this fake address: 2600:1003:c10c:b42c:1956:fed1:db13:ff42. How can I convert this to a CIDR block/range?

As vcsjones said, AWS security groups do not support IPv6 - primarily because EC2-VPC does not support IPv6.
See this thread on the AWS forums for some relevant info.
This thread has more info on Amazon's lack of support for IPv6 on EC2.

Enabling IPv6 subnet on oracle

I have successfully assigned an IPv6 block to my VCN. When I try to assign a block to my subnet within the same VCN, it asks me to choose an IPv6 CIDR block.
The IPv6 assigned to my VCN: 2603:c020:4002:6c00::/56
I am trying to assign the following to my subnet:
2603:c020:4002:6c91::/64
The GUI lets me edit only the '91' part in there, as demonstrated above.
When I confirm the change, it fails with an error (image attached). I have tried destroying the resources and recreating the VCN, subnet, etc., for troubleshooting. IPv4 works fine, and I can create resources without any hiccups.
Is that a bug in OCI? I have been assigned 2603:c020:4002:6c00::/56 to my VCN. I cannot use 2603:c020:4002:6c91::/64 in my subnet because it belongs to 2603:c020:4002:6c91::/56. I can use 2603:c020:4002:6c00:91::/64 in my subnet. But then, Oracle is not letting me do this and giving me the error "NotAuthorizedOrNotFound". The error is inevitable as 2603:c020:4002:6c91::/64 does not belong to my VCN.
I may be wrong here; my IPv6 skills are not top-notch.
In any case, please help. I am a free tier subscriber and cannot raise a ticket directly.
I used a wizard to create the VCN. The wizard is not IPv6 aware, and I assigned an IPv6 manually to it later via the web GUI. The same wizard creates two subnets - one public and one private. I was trying to attach an IPv6 range to those subnets. But it was giving me an error. I created a new subnet in the VCN and was able to assign IPv6 to that subnet.
The solution was - manually create a new subnet in the VCN and add IPv6 to it.

How to route only local addresses using dnsmasq

I'm trying to have the dnsmasq of a server only listen to and respond to queries within a local network using their private IP addresses. All of the hosts needed are already in the /etc/hosts file, so all I need to do is configure the dnsmasq.conf file so that it only responds to local-only domains.
While researching, I've only found documents for "How to create a DNS/DHCP server using dnsmasq" but not much on routing to only certain IP addresses.
I've tried the instructions from this link:
https://www.linux.com/training-tutorials/dnsmasq-easy-lan-name-services/
and it put dnsmasq in a failed state.
When I used listen-address=[private ip] in the dnsmasq.conf file, I did nslookup for the servers that are supposed to be on the private network, but it has been showing the public IP for the server and address.
You should consult the official dnsmasq man page, in particular the local-service and localise-queries options:
--local-service
Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. This option only has effect if there are no --interface, --except-interface, --listen-address or --auth-server options. It is intended to be set as a default on installation, to allow unconfigured installations to be useful but also safe from being used for DNS amplification attacks.
-y, --localise-queries
Return answers to DNS queries from /etc/hosts and --interface-name which depend on the interface over which the query was received. If a name has more than one address associated with it, and at least one of those addresses is on the same subnet as the interface to which the query was sent, then return only the address(es) on that subnet. This allows for a server to have multiple addresses in /etc/hosts corresponding to each of its interfaces, and hosts will get the correct address based on which network they are attached to. Currently this facility is limited to IPv4.
The first option local-service addresses your first concern, so that dnsmasq will only answer queries from hosts on the same subnet. The second option localise-queries will return answers with IP addresses from the same subnet if there are multiple IP addresses for a given name known to dnsmasq.
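To make the two options concrete, here is an added Python model of their behaviour (not dnsmasq's own code; host names, interfaces and addresses are constructed sample values): with a name that has both a public and a private address in /etc/hosts, a query arriving on the LAN interface gets only the private address, which is the symptom the question describes going away.

```python
import ipaddress

# Constructed /etc/hosts-style data: one name carries a public and a private
# address, as in the question (assumed sample values, not from the page).
HOSTS = {
    "app.lan": ["203.0.113.10", "10.0.0.10"],
    "db.lan": ["10.0.0.20"],
}

# Interfaces dnsmasq listens on, with their subnets (assumed sample values).
INTERFACES = {
    "eth0": ipaddress.ip_interface("203.0.113.10/24"),  # public side
    "eth1": ipaddress.ip_interface("10.0.0.1/24"),      # private LAN
}


def answer(name, iface, localise=True):
    """Addresses dnsmasq would return for `name` to a query that arrived on
    `iface`, modelling --localise-queries: if at least one address of the
    name is on that interface's subnet, return only the addresses on it."""
    addrs = [ipaddress.ip_address(a) for a in HOSTS.get(name, [])]
    if not localise:
        return [str(a) for a in addrs]
    net = INTERFACES[iface].network
    local = [a for a in addrs if a in net]
    return [str(a) for a in (local or addrs)]


def is_local_source(src):
    """Model --local-service: accept a query only if its source address is
    on a subnet for which an interface exists on the server."""
    ip = ipaddress.ip_address(src)
    return any(ip in i.network for i in INTERFACES.values())
```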

Amazon EC2 public ipv6 address

As Apple starts rejecting applications which are not able to communicate in an IPv6-only network, it is required to also have a public IPv6 address for my web service, which uses TCP and UDP.
The web service is hosted in an Amazon EC2 VPC. I have followed the instructions in the Amazon docs to enable IPv6 routing in the VPC, but I don't have any public domain or static IPv6 address to connect to the EC2 instance.
After searching I came to know about the Route 53 service, which can register a domain and point it to some IPv6 / IPv4 address.
Is this the correct solution? Can a single domain map to both IPv4 & IPv6?
For example, mywebservice.amazon-ec2.com points to the same EC2 instance having IPv4 and IPv6.
Will requesting the mywebservice.amazon-ec2.com from ipv6 only network work?
If I misunderstood something please help.
You are correct.
You can create two Record Sets in Amazon Route 53:
One A record pointing to the IPv4 address
One AAAA record pointing to the IPv6 address
For the IPv4 address, first allocate an Elastic IP Address to the instance because it is a static address that will not change when the instance is stopped/started. Then, point the A record to the Elastic IP Address.
There is no Elastic IP Address available for IPv6. Instead, just point to the instance's normal IPv6 address, which will always stay the same for that instance.
You don't actually need to use Amazon Route 53 -- any DNS service will provide the same functionality.
See Amazon Route 53 documentation: Values for Basic Resource Record Sets
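As an added illustration of the two record sets described in this answer (not code from the answer or from AWS), the function below builds the ChangeBatch document that Route 53's ChangeResourceRecordSets API expects, with one A record for the Elastic IP and one AAAA record for the instance's IPv6 address, and rejects an address of the wrong family before anything is sent; the host name and addresses are assumed sample values.

```python
import ipaddress


def dual_stack_change_batch(name, ipv4, ipv6, ttl=300):
    """ChangeBatch that UPSERTs an A record (IPv4, e.g. the Elastic IP) and
    an AAAA record (the instance's IPv6 address) for the same name."""
    a = ipaddress.ip_address(ipv4)
    aaaa = ipaddress.ip_address(ipv6)
    # A records carry only IPv4 and AAAA only IPv6; catch a mix-up early.
    if a.version != 4:
        raise ValueError(f"A record needs an IPv4 address, got {ipv4}")
    if aaaa.version != 6:
        raise ValueError(f"AAAA record needs an IPv6 address, got {ipv6}")
    fqdn = name if name.endswith(".") else name + "."

    def rrset(rtype, value):
        return {
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn,
                "Type": rtype,
                "TTL": ttl,
                "ResourceRecords": [{"Value": value}],
            },
        }

    # Both records share the name, so a dual-stack client can pick either.
    return {"Changes": [rrset("A", str(a)), rrset("AAAA", aaaa.compressed)]}
```

The returned dict is what you pass as ChangeBatch to boto3's route53.change_resource_record_sets together with the HostedZoneId.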

Difference in telnet of amazon ec2 instance using internal and public IP

I have a 4 node Hadoop cluster on EC2. We have configured Hortonworks Hadoop (HDP version 2.4) through Ambari.
I have opened all traffic for all four of our instances internally and for the office external IP.
Whenever I do telnet within the cluster using internal IP:
telnet <internal_ip> 2181
It is able to connect to the specific port I have my service (ZooKeeper) running on.
When I use the public IP of the same instance (Elastic IP) instead of the internal IP, I am not able to telnet either within the cluster or from my office IP:
telnet <elastic_ip> 2181
I have already configured security group to allow all traffic. I am using Ubuntu 14.04. We are not using any other firewall except AWS security group.
Please suggest how I can connect using the Elastic IP/Public IP of my instance on this port.
Please find the screenshot of Security Group of EC2:
Do you use the default VPC?
If not, check if the VPC has an Internet Gateway, the Route table (you need a route to the Internet Gateway) and the Network ACLs.
The Route table and Network ACLs are applied to a subnet.
The default VPC is configured to allow outside traffic, not a new VPC.
Or, is the Elastic IP linked to the same network interface? The Elastic IP is linked to a network interface of an instance.
EDIT: you can take a look at the AWS doc for a better explanation:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html
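The checklist in this answer (Internet Gateway route, Network ACLs) can be checked mechanically. The following is an added example, not code from the answer or from AWS: it evaluates constructed data shaped like the output of aws ec2 describe-route-tables and describe-network-acls for a client reaching the ZooKeeper port 2181, including the outbound NACL rule that stateless NACLs need for the reply. The gateway id and addresses are assumed placeholders.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-route-tables` and
# `describe-network-acls` output (assumed values, not taken from the page).
ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
]}
NACL = {"Entries": [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 2181, "To": 2181}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]}


def has_igw_default_route(route_table):
    """A subnet is reachable from the Internet only if its route table sends
    0.0.0.0/0 to an Internet Gateway (igw-...); the default VPC has this."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-")
               for r in route_table["Routes"])


def nacl_allows(nacl, peer, port, egress, proto="6"):
    """Evaluate NACL entries in rule-number order; the first match decides.
    Traffic matching no entry is denied by the implicit final '*' rule."""
    ip = ipaddress.ip_address(peer)
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if ip not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        if e["Protocol"] not in ("-1", proto):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"] == "allow"
    return False


def public_reachable(route_table, nacl, client, port, client_port=50000):
    """The answer's checklist: IGW default route, inbound NACL for the service
    port and, because NACLs are stateless, outbound NACL for the reply to the
    client's ephemeral port."""
    return (has_igw_default_route(route_table)
            and nacl_allows(nacl, client, port, egress=False)
            and nacl_allows(nacl, client, client_port, egress=True))
```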

CIDR notation for configuring Security Groups firewall

In my Amazon EC2 instance I am configuring the firewall to allow access from an IP address 1.2.3.4. The autocomplete feature is completing the addresses to 1.2.3.4/32. I'm not sure why, and I don't see any mention of this in the AWS documentation.
I think that this might make sense if I were configuring an address of the type 1.2.3.0 to allow connections from the entire C block, but I am configuring a specific address. Is this some usage of the CIDR notation that I am unfamiliar with? What is the autocomplete trying to suggest with this notation?
The /32 specifies a single address. A C block's CIDR would be 1.2.3.0/24, which would include 254 usable addresses.
Here's a nice little "cheat sheet" for CIDR stuff: http://www.oav.net/mirrors/cidr.html
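The CIDR arithmetic behind this answer, the first question on this page (writing a single IPv6 address as a block) and the OCI subnet question (whether a /64 fits inside a /56 allocation) can all be checked with Python's standard ipaddress module. This is an added example, not code from any of the posts; the addresses used are the ones quoted on the page.

```python
import ipaddress


def host_cidr(addr):
    """A single host as a CIDR block: the prefix length equals the address
    width, so /32 for IPv4 and /128 for IPv6 (what the console autocompletes)."""
    ip = ipaddress.ip_address(addr)
    return f"{ip.compressed}/{ip.max_prefixlen}"


def usable_hosts(cidr):
    """Usable addresses in an IPv4 block (network and broadcast excluded);
    IPv6 has no broadcast address, so every address in the block counts."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4 and net.prefixlen <= 30:
        return net.num_addresses - 2
    return net.num_addresses


def subnet_fits(allocation, subnet):
    """True when `subnet` is a valid network lying entirely inside
    `allocation`, the check a cloud console applies when you carve a /64
    out of a VCN's /56. A prefix with bits set past its length is rejected."""
    try:
        net = ipaddress.ip_network(subnet)  # strict: host bits must be zero
    except ValueError:
        return False
    return net.subnet_of(ipaddress.ip_network(allocation))


def valid_subnets(allocation, prefixlen, limit=3):
    """First few prefixes of the requested length inside the allocation, so
    you can see which bits the /56 lets you vary for a /64."""
    net = ipaddress.ip_network(allocation)
    return [str(s) for _, s in zip(range(limit), net.subnets(new_prefix=prefixlen))]
```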