Send event from ec2 machine to the office - ruby

I am implementing a system which uses Amazon EC2.
I need a mechanism which allows a callback from the EC2 machine to my office.
EC2 machines have no connectivity to my office, so I need to find an alternative way.
In the office I have a Grape API, and the callback should use that Grape API.
I thought about using SQS on the EC2 machine and putting a little agent in the office that will listen on a certain queue and then forward the requests to the API, but it sounds too sloppy.
Is there a better way of doing it?
Thanks!

What about establishing a VPN connection between your office and EC2?
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario4.html
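For anyone who does go the SQS route from the question, the part that is easy to get wrong is trust: any principal allowed to send to the queue can push a message, so the office agent should not forward whatever it dequeues straight into the Grape API. The following is an added example (not code from the question or the answer, and not the Grape app itself) of a signed envelope: the EC2 side signs timestamp, nonce and body with a shared secret, and the office agent verifies the signature, rejects stale or replayed envelopes, and only routes event types it knows to the API. The module name, the event types, the route layout, and the `poster` callable that stands in for the HTTP call to Grape are all assumptions; the shared secret is assumed to be provisioned out of band on both sides.

```ruby
require 'json'
require 'openssl'
require 'securerandom'
require 'set'
require 'time'

# Hypothetical module; not from the thread.
module OfficeCallback
  DIGEST        = 'sha256'
  MAX_SKEW      = 300                                          # seconds; older envelopes are rejected
  ALLOWED_TYPES = %w[job_started job_done job_failed].freeze   # hypothetical event types

  # EC2 side: serialise the event and MAC timestamp, nonce and body together,
  # so none of the three can be altered or swapped without breaking the signature.
  def self.build_envelope(secret, event, now: Time.now.utc)
    body  = JSON.generate(event)
    ts    = now.iso8601
    nonce = SecureRandom.hex(16)
    sig   = OpenSSL::HMAC.hexdigest(DIGEST, secret, signed_string(ts, nonce, body))
    JSON.generate('ts' => ts, 'nonce' => nonce, 'body' => body, 'sig' => sig)
  end

  # Office side: returns [true, event] or [false, reason]. `seen_nonces` is a Set the
  # agent keeps for at least MAX_SKEW seconds so a captured envelope cannot be replayed.
  def self.verify_envelope(secret, raw, seen_nonces, now: Time.now.utc)
    env = begin
      JSON.parse(raw)
    rescue JSON::ParserError
      return [false, 'malformed envelope']
    end
    return [false, 'malformed envelope'] unless env.is_a?(Hash)
    %w[ts nonce body sig].each do |k|
      return [false, "missing #{k}"] unless env[k].is_a?(String)
    end

    # Check the MAC first: nothing else in the envelope is trusted until it passes.
    expected = OpenSSL::HMAC.hexdigest(DIGEST, secret, signed_string(env['ts'], env['nonce'], env['body']))
    return [false, 'bad signature'] unless constant_time_equal?(expected, env['sig'])

    ts = begin
      Time.iso8601(env['ts'])
    rescue ArgumentError
      return [false, 'bad timestamp']
    end
    return [false, 'stale'] if (now - ts).abs > MAX_SKEW
    return [false, 'replay'] unless seen_nonces.add?(env['nonce'])   # add? is nil if already present

    event = JSON.parse(env['body']) rescue nil
    return [false, 'malformed event'] unless event.is_a?(Hash)
    return [false, 'unknown event type'] unless ALLOWED_TYPES.include?(event['type'])
    [true, event]
  end

  # Office agent step: verify, then hand the event to `poster`, a callable that does the
  # real HTTP call to the Grape API (injected so this runs offline). The API route comes
  # from the allow-list, never from raw message content.
  def self.forward(secret, raw, seen_nonces, poster, now: Time.now.utc)
    ok, result = verify_envelope(secret, raw, seen_nonces, now: now)
    return [:rejected, result] unless ok
    poster.call("/events/#{result['type']}", result)
    [:forwarded, result['type']]
  end

  def self.signed_string(ts, nonce, body)
    [ts, nonce, body].join("\n")
  end

  # Length-checked, constant-time comparison so the MAC cannot be guessed byte by byte.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  private_class_method :signed_string, :constant_time_equal?
end
```

In the real agent, `poster` would be the HTTP client that calls Grape, and the SQS receive/delete loop wraps `forward`; delete the message only after `forward` returns `:forwarded` or `:rejected`, so a transient API failure leaves it on the queue for a retry rather than losing it.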

Related

Client communication with Amazon EC2 instance

Can an Amazon EC2 instance process requests from and return results to an external client, which may be a browser or a non-browser application? (I know that the EC2 instance will require an IP address and must be able to create a socket and bind to a port in order to do this.)
I'm considering an Amazon EC2 instance because the server application is not written in PHP, Ruby or any other language that conventional web hosting services support by default.
Sure it will. Just set up the security group the right way to allow your clients to connect.
Take a look at this guide: Amazon Elastic Compute Cloud - Security Groups
Also keep in mind: It's not possible to change the policy group after you created the EC2 instance. This feature is available for VPC instances only. See http://aws.amazon.com/vpc/faqs/#S2 for more information.

Amazon VPC testing

I sell a product that runs on Amazon EC2. A company now wants to purchase and install it within their perimeter... This also implies the use of a VPN connection to the EC2 datacenter.
I want to test my product using Amazon VPN (VPC) before handing over the code. Must I change my code to make it work across VPC? If I run on Windows, what is the quickest and easiest desktop VPN client available that will allow me to connect across VPN to the Amazon datacenter?
Make sure you set up NAT servers and set your routes in the AWS console. Your client can have some security infrastructure for extending their data center to the cloud (firewall rules at the VPC level, etc.). Disable firewall rules on the server you deploy to, since your VPC already takes care of this. As root, execute the following command: service iptables stop (you probably already know this, I am guessing).
Is it important for your app to run across VPCs?
Depending on how large the company you are selling to is, their security team may give them the run around to have VPC to VPC communication. Is it important for your software to span across VPCs?

Using Amazon EC2 as a webserver with a specific IP address

I'm trying to create a personal/professional website within a college-domain. From the university I've requested a static-IP address which is directed to a website-name "http://lastname.someuniversity.edu". I would like to setup an Amazon EC2 instance to host a website.
I know how to create/administer the website on the EC2 instance I just don't know how to get the EC2 instance to talk to the university (and vice-versa). The IT person at the university wasn't terribly helpful.
I know how to set up a local machine to run as the webserver, just not how to get the Amazon EC2 instance to "sit inside" the university.
Thanks for the help,
Will
If you want the Amazon EC2 instance "to sit inside your university" you may want to establish a VPN connection by using the Amazon Virtual Private Cloud service.
This service is still in beta, but it has been publicly available for about a year. A connection currently costs $0.05 per hour (circa $36.5 per month) and you also pay for data transfer.
Check out Amazon Virtual Private Clouds. I think it is exactly what you are asking for.
You will need to work with your "IT person" to setup a VPN connection between your premises and the EC2 cloud. In practice you will likely need to:
1) Define a subnet for your EC2 connections (i.e. 10.10.10.x).
2) Build a VPN tunnel between your university and Amazon (Virtual Private Cloud).
3) Enable any routing or firewall changes at the university.
You know you've got it working when you can ping the EC2 host from within your premises.
BTW, I have recently released a new service that specifically runs on Amazon EC2. About 20% of people are now asking for VPC in order to use our service (Virtual Lab Management), and so I can attest that it's a solution that has raised interest in a lot of large organizations.
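One check worth doing before step 2 of the answer above: the subnet picked in step 1 must not overlap anything the university already routes, because an overlapping prefix is the usual reason a tunnel comes up and the ping in the final step still fails. The following is an added example, not code from the answer or from AWS; the campus ranges, candidate subnets and the gateway names in the route plan are constructed for illustration.

```ruby
require 'ipaddr'

# Hypothetical module; not from the thread.
module VpnPlan
  # Two CIDR blocks overlap exactly when one contains the other.
  def self.overlap?(a, b)
    a = IPAddr.new(a)
    b = IPAddr.new(b)
    a.include?(b) || b.include?(a)
  end

  # Every (candidate, on-prem) pair that collides, for the report back to IT.
  def self.collisions(candidates, onprem)
    candidates.product(onprem).select { |c, o| overlap?(c, o) }
  end

  # First candidate VPC subnet that collides with nothing on campus, or nil.
  def self.choose_subnet(candidates, onprem)
    candidates.find { |c| onprem.none? { |o| overlap?(c, o) } }
  end

  # Routes each side needs once the tunnel is up: the VPC route table sends the
  # campus prefixes to the virtual private gateway, and the campus router sends
  # the VPC prefix into the tunnel. Target names are placeholders.
  def self.routes(vpc_cidr, onprem)
    {
      vpc:    onprem.map { |o| { destination: o, target: 'vgw' } },
      campus: [{ destination: vpc_cidr, target: 'vpn-tunnel' }]
    }
  end
end
```

With a campus that already uses 10.10.0.0/16, the 10.10.10.x subnet suggested in the answer is exactly the kind of candidate this would reject, and the firewall changes in step 3 should then be scoped to the prefixes in the `routes` output rather than to "anything from Amazon".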

Windows services on EC2?

Can you install and run your own Windows services on EC2? Does it have MSMQ?
Yes, you can. You can also install MSMQ, and I can confirm that it works perfectly.
First you need to create an EBS volume, using a snapshot of the appropriate Windows installation media:
Install windows services on EC2 http://img515.imageshack.us/img515/9644/aws.png
Then simply attach the EBS volume to your Windows instance. At this stage, you would be able to install any Windows service, such as MSMQ and IIS, that did not come pre-installed with the original AMI.
You could also take advantage of Amazon Simple Queue Service. It's exposed as a webservice so you could easily communicate with it from your Windows Service or virtually any other platform/technology.
Yes, you can install any software that you like.
I don't know for sure if MSMQ is available or not. If you don't get a specific answer here you could post on the AWS forums, or if you have an account, fire up an instance and test it out (e.g. using this AMI).

How can I defend against DoS attacks using Amazon EC2 Load Balancer?

We usually blacklist IP addresses with iptables. But in Amazon EC2, if a connection goes through the Elastic Load Balancer, the remote address will be replaced by the load balancer's address, rendering iptables useless. In the case of HTTP, apparently the only way to find out the real remote address is to look at the HTTP header HTTP_X_FORWARDED_FOR. To me, blocking IPs at the web application level is not an effective way.
What is the best practice to defend against DoS attack in this scenario?
In this article, someone suggested that we can replace Elastic Load Balancer with HAProxy. However, there are certain disadvantages in doing this, and I'm trying to see if there is any better alternatives.
I think you have described all the current options. You may want to chime in on some of the AWS forum threads to vote for a solution - the Amazon engineers and management are open to suggestions for ELB improvements.
If you deploy your ELB and instances using VPC instead of EC2-classic, you can use Security Groups and Network ACLs to restrict access to the ELB.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/USVPC_ApplySG.html
It's common to run an application server behind a reverse proxy. Your reverse proxy is a layer you can use to add DoS protection before traffic gets to your application server. For Nginx, you can look at the rate limiting module as something that could help.
You could set up an EC2 host and run haproxy there by yourself (that's what Amazon is using anyway!). Then you can apply your iptables filters on that system.
Here's a tool I made for those looking to use Fail2Ban on aws with apache, ELB, and ACL: https://github.com/anthonymartin/aws-acl-fail2ban
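If per-client limiting does end up in the application (or in a Rack layer in front of it), the detail that matters is which X-Forwarded-For entry to believe. ELB appends the address it saw the connection come from, so the rightmost entry that is not one of your own proxies is the client; everything to the left of it arrived in the request and can be forged, which is why tools that read the first entry are bypassable. The following is an added example, not code from the thread or from the linked tool: a Rack-style middleware that extracts the client address that way, ignores the header entirely when the request did not come through a trusted proxy, and applies a per-client token bucket. The trusted proxy CIDR, the bucket sizes and the injected clock are assumptions for the example.

```ruby
require 'ipaddr'

# Hypothetical module; not from the thread.
module XffGuard
  def self.valid_ip?(s)
    IPAddr.new(s)
    true
  rescue IPAddr::Error
    false
  end

  def self.trusted?(ip, trusted_cidrs)
    valid_ip?(ip) && trusted_cidrs.any? { |c| c.include?(IPAddr.new(ip)) }
  end

  # Rightmost X-Forwarded-For entry that is not one of our proxies. If the request
  # did not arrive via a trusted proxy at all, the header is client-controlled: ignore it.
  def self.client_ip(env, trusted_cidrs)
    remote = env['REMOTE_ADDR']
    return remote unless trusted?(remote, trusted_cidrs)
    hops = env.fetch('HTTP_X_FORWARDED_FOR', '').split(',').map(&:strip)
    hops.reverse_each do |h|
      next unless valid_ip?(h)
      return h unless trusted?(h, trusted_cidrs)
    end
    remote
  end
end

# Per-key token bucket: `capacity` is the allowed burst, `refill` tokens per second.
class TokenBucket
  def initialize(capacity:, refill:)
    @capacity = capacity
    @refill   = refill
    @buckets  = {}
  end

  def allow?(key, now)
    b = (@buckets[key] ||= { tokens: @capacity.to_f, last: now })
    b[:tokens] = [@capacity, b[:tokens] + (now - b[:last]) * @refill].min
    b[:last] = now
    return false if b[:tokens] < 1
    b[:tokens] -= 1
    true
  end
end

# Rack middleware: answer 429 for over-limit clients before the application runs.
class RateLimitByClient
  def initialize(app, trusted_proxies:, capacity: 20, refill: 5.0,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @app     = app
    @trusted = trusted_proxies.map { |c| IPAddr.new(c) }
    @bucket  = TokenBucket.new(capacity: capacity, refill: refill)
    @clock   = clock
  end

  def call(env)
    ip = XffGuard.client_ip(env, @trusted)
    unless @bucket.allow?(ip, @clock.call)
      return [429, { 'Content-Type' => 'text/plain', 'Retry-After' => '1' }, ["rate limited\n"]]
    end
    env['client.ip'] = ip   # downstream logging and blocking should use this, not REMOTE_ADDR
    @app.call(env)
  end
end
```

The trusted CIDR should cover only the load balancer's addresses (in a VPC, the subnets the ELB lives in); if an instance is also reachable directly, a request that skips the ELB carries an unverifiable header and is correctly limited by its REMOTE_ADDR. This protects the application tier only; volumetric floods still have to be absorbed in front of it, as the other answers say.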
