Given:
instance-1: us-east-1c (not in a VPC)
instance-2: us-east-1c (inside my VPC)
Is there any way to configure a route between the two such that instance-2 communicates with instance-1 via the private IP?
I currently have them communicating via the internet gateway using instance-1's public address.
In short, the answer is NO. You cannot have such communication route in AWS. The way you are doing it right now via Internet Gateway is the only way.
Related
I could use some advice… I think I might be missing something obvious here but I’m trying to understand how microservices communicate when using the API gateway or BFF networking pattern. Each of the microservices will obviously have an API as well, so how are they any less accessible than the API gateway? Surely they have HTTP endpoints as well? How does a virtual network limit the microservices to only being accessible from the API gateway? Does that make sense? All the tutorials I find online seem to assume I understand! I’m confused.
Microservices network diagram
Microservices in your VPC have private IP addresses that are only directly routable within that VPC. They are not available on the internet at all, unless you explicitly provide them with a public IP, or via another way in, like an API gateway, load balancer with an assigned public IP, transit gateway, etc.
Resources in your VPC can also be assigned to security groups that provide fine control over which IP addresses are allowed to communicate with them on which ports.
I have a fairly simple architecture with only two subnets: Public and private. In the same Public Subnet with Internet Gateway configured, I have two EC2 instances:
Linux EC2 instance (Where I run a REST API)
OpenVPN Access Server
https://i.stack.imgur.com/2MHco.png
The problem is, from the Linux EC2 instance, I cannot
ping for example cnn.com
aws ecr docker login (To pull docker images)
Python scripts sitting on the Linux EC2 instance also need call REST APIs from outside world
Thru trial and errors, I found out if I add a Inbound Rule to allow all traffic from 0.0.0.0/0, then I can ping and do those aws/docker commands. This approach is of course a security hole and less than ideal. Any suggestion please?
Thanks in advance.
I'm not clear if this is possible, but here is what I'd like to do:
Goal:
Set up a VPN between my home network and my AWS VPC. A use case I'd like to have working:
Have a Lambda function write to a database, e.g. Postgres running on my home network behind my router. Think of some machine with 192.168.. address on my home network running Postgres
I have read the documentation and I wanted to confirm what it would require to make this happen. Assume I have a VPC with a Lambda deployed to it.
Create a Virtual Private Gateway for the VPC
Create a Customer Gateway for my home network.
Configure the Customer Gateway machine in my home network (e.g. Raspberry PI) after downloading the vpn connection file from AWS.
I'm looking at this article for reference:
setup raspberry PI3 as AWS VPN Customer Gateway
Is this all that I would need to do? Do I need to use some 3rd party software in addition to this? Or is this not even possible?
Thanks
You can setup an OpenVPN server on an EC2 instance and change your SG inside your VPC resources to only allow access from your VPC CIDR block.
AWS provide an AMI for OpenVPN server : https://aws.amazon.com/marketplace/pp/B00MI40CAE/ref=mkt_wir_openvpn_byol
we whitelist client IPs on our server. We have a new client and the client is telling us they use AWS servers and they said "you'll need to whitelist their (AWS) IPs list from the us-east-1 region". They provided us a spreadsheet of these IPs (164 ips).
Does this seem reasonable that a customer would use all IPs from a AWS region ?
Thanks
It doesn't make sense that they would use ALL the IPs. It does make sense that they don't know the IP they will be using ahead of time, and can only tell you that it will be from that list of IPs. If that's a problem then you could ask your customer to create a NAT Gateway with a static IP address (AWS Elastic IP), which you could then whitelist. However that will require added monthly costs, and added complication to your user.
A NAT gateway is NOT REALLY MANDATORY for meeting this requirement.
There are 2 possibilities:
Your Client will be accessing your service from a single server which has a public static IP (Elastic IP)
Your Client will be accessing your service from a single server/multiple servers that don't have a public static IP
In first case, you can simply white-list the clients elastic IP.
In second case, all their traffic will be routed via an AWS internet gateway which definitely will have an IP address associated to it. You will just need to white list that internet gateway IP instead of white-listing all the IPs
I have some instances with an EC2 VPC (using only ip addresses from RFC 1918) that need to use some services of EC2 via CLI interface (ec2-describe-instances, ec2-run-instances, etc)
I can't get it to work : my understanding is that the service point of the CLI interface is located somewhere in AWS cloud and my requests originating from an RFC1918 address are not routable in the AWS cloud between EC2 service point and my instance.
Is that correct ?
Is my only solution to install a NAT instance within my VPC (I would like to avoid it) ? Or could I get a way to remap this Ec2 service point within my VPC on a RFC1918 address
Any help welcome !
Thanks in advance
didier
You can give the instance an elastic IP address and get outbound access to other publicIPs, like the EC2 API endpoint. Make sure your security group doesn't allow any inbound traffic from the Internet.
Alternatively, if you don't want to use an EIP, you can launch an instance in a VPC with a publicIP address. more here: http://aws.typepad.com/aws/2013/08/additional-ip-address-flexibility-in-the-virtual-private-cloud.html