I have tried everything, I can get to my application using the ec2-x-x-x-x.compute-1.amazonaws.com, I cannot ping the address.
However, when I do ping the amazon DNS, it identifies with the IP address of but does not respond to ping.
When I put the IP address in the browser, it times out and gives me the Chrome "Oops", I have went through the Security vgroup several times.
I have checked the server, including the IPtables and the ports that Apache is listening to.
I don't have a lot of knowledge in this area, But I tried everything in the forum and more.
I even created another Elastic IP and associated it with the instance.
Please help.
By default, you cannot ping an EC2 instance, since it is blocked by the firewall (see why can't I ping my instance):
Ping uses ICMP ECHO, which by default is blocked by your firewall.
You'll need to grant ICMP access to your instances by updating the
firewall restrictions that are tied to your security group.
ec2-authorize default -P icmp -t -1:-1 -s 0.0.0.0/0
Check out the latest developer guide for details.
Section: Instance Addressing and Network Security -> Network Security
-> Examples
As for HTTP requests - your instance is available and looks fine (I suggest you remove the real DNS name from your post though)...
For ec2 best options is
1) open port 5060 and 10000-20000 udp on firewall(security group)
2) order and attach elastic IP.
3) in sip.conf add
externhost=elastic_ip_her
localnet=10.0.0.0/255.0.0.0
Every time you start/stop that instance attach same elastic IP.
For web access you also need open port 80 in security group
Related
the Terminal just says:
ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection timed out
Here are the firewall rules.
I can't ssh into the VM so I cant change the firewall rules on the VM
Please Help.
First, double-check your IP address: it must match your Oracle Virtual Cloud Public IP Address, assuming it is a reserved one (meaning it is a fixed one)
Second, check your local firewall: you cannot change the remote ones, but the local rules might still block your SSH traffic.
As mentioned here:
ust by opening the port through firewall and security lists will not allow new incoming connections. Ex: unless there is a service listening on port 443 (Tomcat etc), you will be unable to connect. Same with SSH daemon for port 22.
So make sure the SSH daemon is up and running.
Check also Default Security List
Unlike other security lists, the default security list comes with an initial set of stateful rules, which should in most cases be changed to only allow inbound traffic from authorized subnets relevant to the region that homes that VCN or subnet.
A list of authorized subnet ranges relevant to each region can be found here .
In particular:
Stateful ingress: Allow TCP traffic on destination port 22 (SSH) from authorized source IP addresses and any source port.
This rule makes it easy for you to create a new cloud network and public subnet, launch a Linux instance, and then immediately use SSH to connect to that instance without needing to write any security list rules yourself.
You can mount your machine drive to some other machine, edit sshd config and mount it back.
That helped me :D
See this ref: https://blogs.oracle.com/cloud-infrastructure/post/recovering-opc-user-ssh-key-on-oracle-cloud-infrastructure
I created a simple web application on AWS ec2 ubuntu instance, but was unable to access the webpage by ip and port from other machines. The application binds on 0.0.0.0:80, and this port has been added into ufw allowing list. Within the aws control panel, I also added 80 to the rule lists.
Currently, I could access the port 22 by telnet ip 22 but no way to get responses from ping ipaddress, it shows request timeout. It also blocks on telnet ip 80 without any responses.
Any ideas? Really appreciate it
here are some troubleshooting tips.
Check if the web application is actually running
you can do this simply by doing a telnet ip 80 from the instance itself
disable the internal firewall
try disabling the firewall inside the instance, see whether it's working.
ping
In order for ping to work, enable ICMP protocol in your AWS security group
I'm unable to join an EC2 instance to my Directory Services Simple AD in Amazon Web Services manually, per Amazon's documentation.
I have a Security Group attached to my instance which allows HTTP and RDP only from my IP address.
I'm entering the FQDN foo.bar.com.
I've verified that the Simple AD and the EC2 instance are in the same (public, for the moment) subnet.
DNS appears to be working (because tracert to my IP gives my company's domain name).
I cannot tracert to the Simple AD's IP address (it doesn't even hit the first hop)
I cannot tracert to anything on the Internets (same as above).
arp -a shows the IP of the Simple AD, so it appears my instance has received traffic from the Simple AD.
This is the error message I'm receiving:
The following error occurred when DNS was queried for the service
location (SRV) resource record used to locate an Active Directory
Domain Controller (AD DC) for domain "aws.bar.com":
The error was: "This operation returned because the timeout period
expired." (error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.aws.bar.com
The DNS servers used by this computer for name resolution are not
responding. This computer is configured to use DNS servers with the
following IP addresses:
10.0.1.34
Verify that this computer is connected to the network, that these are
the correct DNS server IP addresses, and that at least one of the DNS
servers is running.
The problem is the Security Group rules as currently constructed are blocking the AD traffic. Here's the key concepts:
Security Groups are whitelists, so any traffic that's not explicitly allowed is disallowed.
Security Groups are attached to each EC2 instance. Think of Security Group membership like having a copy of an identical firewall in front of each node in the group. (In contrast, Network ACLs are attached to subnets. With a Network ACL you would not have to specify allowing traffic within the subnet because traffic within the subnet does not cross the Network ACL.)
Add a rule to your Security Group which allows all traffic to flow within the subnet's CIDR block and that will fix the problem.
The question marked as the answer is incorrect.
Both of my AWS EC2 instances are in same VPC, same subnet, with same security group.
I have the same issue. Here are my inbound rules on my security group:
Here is the outbound rules:
I can also ping from the between the dc and the other host, bi-directional with replies on both side.
I also have the DC IP address set as the primary and only DNS server on the other EC2 instance.
AWS has some weird sorcery preventing a secondary EC2 instance from joining the EC2 domain controller, unless using their managed AD services which I am NOT using.
The other EC2 instance has the DC IP address set as primary DNS. And bundled with the fact I can ping each host from each other, I should have ZERO problems joining to domain.
I had a very similar problem, where at first LDAP over UDP (and before that, DNS) was failing to connect, even though the port tests were fine, resulting in the same kind of error (in network traces, communication between standalone server EC2 instance and the DC instance stopped at "CLDAP 201 searchRequest(4) "" baseObject", with nothing being returned). Did all sorts of building and rebuilding, only to find out that I was inadvertently blocking UDP traffic, which AWS needs for both LDAP and DNS. I had allowed TCP only, and the "All Open" test SG I was using was also TCP only.
D'oh!!!
I am having trouble connecting to an Amazon Elastic Cloud Computer Instance via a browser.
I attempted going to ********.compute-1.amazonaws.com , but the browser returns that the connection has timed out.
I can connect via ssh and winscp. That is how I uploaded a web app I developer. I have also created a security group and added rules to open ports 22 and 80.
Do I have to assign the security group to the instance somehow?
The security group's rules also do not have a source IP, well they do its 0.0.0.0/0
I would really appreciate any and all help in getting this site ' viewable ' via a browser.
By default, your instances will only be in the default security group. If it's an EC2 instance you cannot change security groups while the instance is running, you'll have to specify them in advance. If it's a VPC instance you can change security groups at runtime.
Add the rule to the default group
You can however add the rule to allow port 80 to that default security group; just don't create a new security group as it can not be associated with the running instance.
Is the web server up?
Also, make sure that your web server is up and running. From your instance (using SSH shell access), check if the right process is listening on port 80, using the command netstat -lnp. You should then see a row with proto tcp and a Local Address ending in :80. The IP Address listed should be either 0.0.0.0 (meaning 'any IP') or a specific IP of a listening network interface.
Web server not up
If you are in need of a web server, take a look at Apache or Nginx. They both support PHP.
Hope this helps.
I had also faced similar issue with ec2 micro instance. I was using Red-Hat AMI. Despite of opening ports 8081 in security group, I was not able to a telnet to the host port. Disabling the iptable did the trick for me:
sudo /etc/init.d/iptables stop
Do not forget to disable firewall if you use windows for your server.
I faced the same issue while setting up redash AMI image on AWS. Inbound security rules should be changed when instance is not running. Let's say if the instance is running (meaning it's active and started); If you change the inbound rules of that machine you'll still face firewall issue. So Stop the machine on which you want to change the inbound rules on. Change the inbound rules. Start the machine now. Now you can hit the machine url from the ip you just opened the access to the machine to.
The EC2 instance firewall is maybe enabled.
Check it with this command:
sudo systemctl status firewalld
if enabled you can disable it with :
sudo systemctl disable firewalld
or setup rules to allow port 80 trafic
I tried putting my IP from whatismyip.com in the urlbase of Bugzilla but it did not work. I wasn't able to create a new account for my team mate, and he wasnt able to access the server by typing the my ip address in his browse. And surely, when I connect again, my IP address will change. Do we have to buy a www address to host Bugzilla?
You can setup a dynamic dns service, for example via http://www.dyndns.com or http://www.no-ip.com or http://freedns.afraid.org to solve the changing ip problem without buying a domain (or buying a domain as well, but it's not a requirement).
But the real problem is that your team mate cannot access the server via the current IP address which points to either a misconfiguration of the webserver (listening only on localhost?), to a firewall in between, or most likely, that port forwarding isn't set up in your router for requests coming to your external IP address to be forwarded to the machine where you have Bugzilla set up. Additionally, you must set the urlbase to your local IP address, not to the external IP address, as blak3r says.
Check http://www.portforward.com for instructions on how to do port forwarding. But don't forget that everything mentioned has to be working:
Web server listening to outside requests: This can be tested from the same internal network via the local network IP address (what you see typing in a command line console ipconfig in Windows and ifconfig in Linux). If you can connect from a different machine on the same network via the local IP address, this is solved.
Firewalls (in router and the webserver machine) accepting connections to the web server port: For firewalls in the web server, the same test as above covers it.
Port forwarding so the router forwards the requests received on the web server port to the web server machine: This gets tested in the same way as firewalls in the router, that is, you must have your friend (or yourself from the house of your friend) try to connect to the dyn dns name set up or to the external IP as reported by whatsmyip.org.
This is all assuming your test mate is not on your same network, if he is, just using the local IP address (shown via ipconfig or ifconfig) instead of the external IP address and making sure the first step is covered (web server listening to outside requests) should be enough and nothing else is needed!
You most likely do not have your port 80 forwarded to your machine which is the reason he cannot connect when using the IP that was returned from whatismyip.com.
Assuming you're on a windows box... do
Start->Run->cmd then type
ipconfig
If your address starts with 192...* or 10...* this is your Local Area Network (LAN) IP. If this is the case, then your isp provided you with a router. Look for a setting called port forwarding or "application setting" which allows you to forward all incoming traffic on your router to a particular IP address. Go into your router's configuration settings and make sure port 80 (and maybe 443 if you're using ssl are forwarded to your local ip).
The other problem you mentioned is you do not have a static IP. This is a common problem and no you do not need to buy an address. There are several sites which can provide you a free dynamic dns host. Try no-ip.org.