Turning On "Preserve client IP addresses" for a specific Target Group makes it so that I can no longer access an SFTP server

0

I have the need to turn On "Preserve client IP addresses" for a specific Target Group related to an EC2.

In this EC2 I have an SFTP server running where one can put files in it and they appear in an S3 bucket, and when I turn On "Preserve client IP addresses" it makes it so that I can no longer access my SFTP server and do that.

To check that I can access the SFTP I use FileZilla to connect to it, using the "Logon type" Key file.

I have the configurations for the SFTP server, in the EC2 machine, in /etc/ssh/sshd_config.

We are putting a Load Balancer in front of an SFTP server because I need to host this server in an EC2 machine, and due to company policy, I need to have all EC2 machines created inside a private subnet in the VPC. The Load Balancer is so that we have a way the SFTP can be accessed from; in this case, it is usually accessed using FileZilla, and the way to access it is by doing the login using Key file, but the server is also accessible via SSH. The Target Group we have set up uses TCP: 22.

When looking around for potential solutions, I saw that adding "UseDNS no" to the config file in /etc/ssh/sshd_config could be a potential solution, but it did not work.

3 Answers
0
Accepted Answer

What is in the security group for your EC2 instance? When you turn on "Preserve client IP address" the EC2 instance will receive connections from the source IP address - not the NLB. So you need to change the inbound rules to allow connections from the networks that you want to be able to connect to your application (SFTP in this case). If the SFTP server is public (i.e. accessible from the internet) and you want clients to connect from the internet then you need to allow connections from all IP addresses (0.0.0.0/0).

AWS
EXPERT
answered 6 months ago
EXPERT
verified 2 months ago
  • The current Security Group only allows all traffic from inside our VPC, and TCP connections on port 22 from some specific IP addresses, but the Network Load Balancer forwards to the target group where the target is the EC2 machine.

    This setup used to work without a problem: the client could connect to the SFTP server and put the files there so they were stored in the S3 without a problem, and I could connect to the SFTP, using FileZilla, without any problem. But when I turned on "Preserve client IP addresses" it was no longer possible to do this, so I think that setting is the problem, but I need to have it "On".

  • When you turn on "Preserve client IP" the targets will see connections from the client IP address. That's what the setting means. Your security group needs to allow connections from the client IP address, not IP addresses within the VPC.

  • Ok, that makes sense. I imagine the best way to allow connections from the client IP address is to add them to the Security Group, correct? I think that's it, but I want to make sure.

    I really appreciate the answer @Brettski-AWS

  • Yes, you need to put the client IP address(es) in the security group.

  • In my case the EC2 instance is running in a private subnet and the security group inbound rule allows all traffic from 0.0.0.0/0. When I enable Preserve Client IP in the target group where the EC2 is registered, I can no longer reach SFTP through the NLB.
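To make the accepted answer's point concrete, here is an added example (not from the original thread or from AWS) that models security-group evaluation for the two cases discussed: without client IP preservation the instance sees the NLB node's private address, which falls inside the VPC rule; with it, the instance sees the FileZilla client's public address, which matches nothing until a rule for the client range is added. All CIDRs, addresses and rule contents are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp", "udp", or "-1" meaning "all traffic" as in the console
    from_port: int
    to_port: int
    cidr: str


def sg_allows(rules, src_ip: str, protocol: str, dst_port: int) -> bool:
    """Security groups are allow-lists: a connection is admitted if any rule matches."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        proto_ok = r.protocol in ("-1", protocol)
        port_ok = r.protocol == "-1" or r.from_port <= dst_port <= r.to_port
        if proto_ok and port_ok and src in ipaddress.ip_network(r.cidr):
            return True
    return False


# Constructed rule set mirroring the thread: all traffic from the VPC, TCP/22 from two office hosts.
VPC_CIDR = "10.0.0.0/16"
ORIGINAL_RULES = (
    IngressRule("-1", 0, 65535, VPC_CIDR),
    IngressRule("tcp", 22, 22, "198.51.100.10/32"),
    IngressRule("tcp", 22, 22, "198.51.100.11/32"),
)
NLB_NODE_IP = "10.0.1.25"    # constructed: an NLB node address inside the VPC
CLIENT_IP = "203.0.113.45"   # constructed: the FileZilla client's public address


def sftp_reachable(rules, preserve_client_ip: bool, client_ip: str = CLIENT_IP) -> bool:
    """The source the instance observes depends on the target-group setting."""
    observed_src = client_ip if preserve_client_ip else NLB_NODE_IP
    return sg_allows(rules, observed_src, "tcp", 22)


def with_client_cidr(rules, cidr: str):
    """The fix from the accepted answer: allow the client range on TCP/22 only, not 0.0.0.0/0."""
    return tuple(rules) + (IngressRule("tcp", 22, 22, cidr),)


if __name__ == "__main__":
    print(sftp_reachable(ORIGINAL_RULES, preserve_client_ip=False))  # True: NLB IP is in the VPC
    print(sftp_reachable(ORIGINAL_RULES, preserve_client_ip=True))   # False: client IP matches no rule
    print(sftp_reachable(with_client_cidr(ORIGINAL_RULES, "203.0.113.0/24"), True))  # True
```

Keep the VPC-wide rule when adding the client range, because the load balancer's health checks still arrive from its private addresses; scoping the new rule to the actual client CIDRs on port 22 keeps the exposure far smaller than 0.0.0.0/0.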

0

Hello.

This is not troubleshooting for not being able to connect to SFTP with NLB, but how about the following measure?
What if I use SFTP with port forwarding in Systems Manager?
This eliminates the need to create an NLB.
https://aws.amazon.com/jp/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/

EXPERT
answered 6 months ago
0

In my case the EC2 instance is running in a private subnet and the security group inbound rule allows all traffic from 0.0.0.0/0. When I enable Preserve Client IP in the target group where the EC2 is registered, I can no longer reach SFTP through the NLB.

answered 3 months ago
