Questions tagged with Networking & Content Delivery

I have deploy 3 fargate tasks in 3 different regions and each of them are in different url. Now, if there is a user wanted to connect to the service, I'll need to help user to select the AWS region for them, as latency/geolocation is just one of the criteria. Is there anyway that I can have a latency data for references when I wanted to do the match-making?

we host exclusive content on our platform. only specific users that meet certain criteria are intended to have access to the content. we authenticate the users. we would like to know how we can ensure that authenticated users are unable to share the link generated to give them access to the content stored in s3 bucket. any suggestions or documentation we can study on how to prevent users from sharing the link?

I hope all is well. I am working on a project to move our infrastructure to terraform and have the Infrastructure as Code. Route propagation is not working in our test account however I copied everything that we have in our main account. I know there is no limitation for routings and it should be a technical config issue. 3 VPCs (Prod, Dev, Stage) are going to route traffic to the internet through 1 VPC (DMZ) and 1 IGW in the DMZ. In the main account the routing is working fine but in the test account the propagation does not change to enabled ("yes").

We're using OpenVPN Cloud and accessing a number of AWS-based resources. We have split tunnelling enabled and we want to send our S3 and certain other traffic through the VPN with everything else through the user's internet connection. The buckets that we have require access from specific IP addresses (and impose other conditions such as secure transport) and I've added the VPN instance's external IP to that list of permitted IPs. We've added a certain number of DNS domains (including "amazonaws.com") and s3-related IP ranges to the list of destinations that need to go via the VPN as OpenVPN cloud does both domain-based and IP-based routing. At present we have buckets in a few regions, so I've added the S3 ip ranges for those regions, but I'm still getting rejected by the bucket policy with "...(AccessDenied) when calling ListObjectsV2" for some of them. If I turn off the VPN I can access the bucket with no problem. Has anyone encountered this or is anyone else running a set up like this one?

I'd like to consolidate all of my domain registration on AWS Route53. Please add support for registering/transferring .gg domains and take my money.

If we migrate ec2 to vpc ,Can we get the same Hostname and IP Address?

We are creating an AWS Site-to-Site VPN connection between a client's on-premise network and our AWS VPC. The client receives an authentication error when attempting to establish a connection (using a pre-shared key). In order to debug this, we ran strongSwan on an EC2 instance to be able to inspect the logs and traffic. While doing this, we could see that they were attempting to connect from IP address 1 (e.g. 1.0.0.1) but using IP address 2 (e.g. 1.0.0.2) as an ID. When we setup strongSwan to authenticate against IP address 2 (e.g. 1.0.0.2), the connection was established successfully. We have since learned that IP address 1 (e.g. 1.0.0.1) is their NAT device, and IP address 2 (e.g. 1.0.0.2) is their customer gateway device. To my question: how can I setup the AWS Site-to-Site VPN connection and customer gateway so that they can be authenticated successfully? If I create the customer gateway with IP address 1 (e.g. 1.0.0.1, NAT device) they can connect but can't authenticate. If I create the customer gateway with IP address 2 (e.g. 1.0.0.2, customer gateway device) they can't connect at all.

Trying to setup a multicast testing environment between AWS Cloud and OnPrem. The following is my setup. EC2----TGW(Multicast)---CSR1000v-----(VPN)-----ISR4000----Linux I want to mcjoin(https://github.com/troglobit/mcjoin) to verify the multicast performance, but it failed at the CSR1000v. It works with 2 EC2-linuxs sitting in the same VPC. I am not sure any additional configuration I should have done on TGW.

I've been serving my static site (fromammawithlove.com) through a public S3 bucket but wanted to switch to CloudFront so I can block public access, but am getting a DNS error that the site can't be reached. I have a valid AWS generated certificate and testing the record in Route 53 gives me "no error" response but I can't reach the site. Would appreciate any ideas. thanks, N.

I follow this [aws blog](https://aws.amazon.com/blogs/networking-and-content-delivery/simulating-site-to-site-vpn-customer-gateways-strongswan/) to setup a simulated on-premise with site-to-site VPN and Transit Gateway to connect to AWS. The simulated on-premise uses the strongswan installed in an EC2. 1. Ping and Reach Analyzer works for path between VPCs in AWS. 2. Ping works for a path between the simulated on-premise and VPCS in AWS 3. Reach Analyzer does not work for a path between the simulated on-premise and VPCS in AWS. WHY?

We have 4x EC2 instances with httpd web server scattered across B and D zones. In random times of the day, one of the instances in Zone B would get none of the traffic and have its traffic rerouted the other EC2 instance in that zone. The **user-traffic** would be like this: 1. Zone B, Instance 1 - 50% 2. Zone B, Instance 2 - 0% 3. Zone D, Instance 3 - 25% 4. Zone D, Instance 4 - 25% I mentioned user-traffic above because the traffic from health checks during this period are equal across all machines and all of them are fine. After 5 minutes it would return back to normal. Any help would be appreciated.

Hi all, I have been trying out EC2 services with my hobby Wordpress website. It had been working on t2.micro instance for 4 months. But since yesterday, I cannot reach it. However the instance seems up and did not go down at all (up for 121 days). I did not change any of the important configurations, like Route 53 or EC2 configs. When I analyze the auth.log, I have seen that there are many invalid user logs which are totally unrelated to my instance IP. Could you help me to find out what is the problem under this unreachability issue? Thank you all. Additional info: I looked at AMIs under Images on EC2 page. There seems nothing. When I was installing the website on EC2, I did use Wordpress by Bitnami AMI for sure. Can it be the problem?

We have DEV and Production servers in different AWS accounts and these account's VPC are connected via Transit Gateway. I want to connect the VPN to the same Transit gateway so that we don't need to create separate VPNs for DEV And Production account. As AWS doesn't support multiple Remote IPv4 network CIDR in to Site to Site VPN. The CIDR range for which both the accounts can be accessible is of size /16. Since it is a very big CIDR and this can cause overlapping of IP addresses for the client's Network they are not allowing it. Also they are not accepting CIDR greater than size /30. AWS support has recommended that we can consider using a dynamic VPN routing. Does anyone has any idea how we can achieve this configuration without setting up Two VPNs.

Hello, I am trying to deploy Dask cluster on Fargate. I managed to deploy the cluster and also can see the Dask status screen via the public http address, but not able to connect using the tcp channel. I have used this article as reference "https://gist.github.com/jacobtomlinson/ee5ba79228e42bcc9975faf0179c3d1a" and tried several combinations of Inboud/Outbound rules on the security group. I used sage make to create the cluster. Any help will be very much appreciated. Best

Hi team, I'm configuring response headerPolicies for each of my CloudFront behaviours (for static assets) I just want to give the client's browser a hint to cache contents for a specific time before going to the edge location. but for one of my behaviours (only index.html) I don't want that the client browser cache that file( index.html) at all but fetch it from the edge location instead my response header cache policy for index.html behaviour looks like this : ``` {header:'cache-control', value'public, max-age=0,s-maxage=31536000, must-revalidate;', overide:tre} ``` but noticed each time I have a cache miss (X-cache = Error from cloud front'). not sure why I have each time a cache miss for index.html I want to tell the client browser not to cache it but I want that the file be served from the edge location (cache HIT, NOT cache miss) appreciate any idea how ta achieve that? Thank you!

What configuration are needed on the security appliance(lets say using Palo Alto) while using GWLB(Gateway Load Balancer)? Obviously we will configure zone, policy associated with zone. What about routing? Will the appliance pass the traffic to GWLB --> GWLBe without any routing entries on the security appliance("Palo Alto") (or) any any routing entries required. If routing entries requires, which IP should be the next hop ip on the security appliance?

Hello, We have S3 Endpoint (interface type) created at eu-west-1 region. We are trying to write to the buckets using the DNS created in eu-west-1 from our on-premise location connected via Direct Connect. DNS: *.vpce-1234567890-abcd2zc.s3.eu-west-1.vpce.amazonaws.com I have given the following permission in the bucket policy to write to these bucket but still when we try to upload/write to this bucket, we are getting Access Denied error as below. ``` { "Version": "2008-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "s3:PutObject", "s3:GetObject", "s3:PutObjectAcl", "s3:ListBucket" ], "Resource": [ "arn:aws:s3::<bucket-name>/*", "arn:aws:s3:::<bucket-name>" ] }, { "Effect": "Allow", "Principal": "*", "Action": [ "s3:PutObject", "s3:GetObject", "s3:PutObjectAcl", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::<bucket-name>/*", "arn:aws:s3::<bucket-name> ] } ] } ``` OTErrWrnLn||ERROR||-1||SERVICE||GBS3||<Bucket_Name> Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 0QWNYWPJZY14EGRC; S3 Extended Request ID: sXic/CHy/OU5oakn7MBb6UESIbggdr9IxaILUiVuGMeUu7iZTUpIUpLeIUieNs82g6jXdBdQ3sU=)||-1||-1||-1|| Access Denied I would like to know what permission is required to write to this bucket from on-premise please. Or any other steps or configuration I need to apply please. When I run nslookup on the s3 endpoint from the on-prem server, it resolves to private IP. BTW, it works when I enable Allow Public Access. Thank you

Hi, I have the following infrastructure: LightSail CDN --- (distribuition) > Lightsail ALB --> Lightsail Servers Everything works as expected except my custom domain from CDN which changes to Load Balancer DNS name once someone hits my custom DNS. For example: My domain is pointing to CDN DNS Name using approved certificate and enabled custom domain. So the network behaves like that: Mydomain (mysample.com) -> Lighsail CDN ( cdn-sample123.cloudfront.net) -> Lighsail Load Balancer (lb-sample.elb.amazonaws.com) -> Lightsail Instances. The problem is when I hit "mysample.com". My web site is indeed loaded but the address changes to lb-sample.elb.amazonaws.com. The consequence as you can expect is the browser complaning about certificate: the certificate is issued to mysample.com and the URL address is lb-sample.elb.amazonaws.com. How can I prevent CDN change the address to the load balancer and keep my custom DNS instead?

Hi, I would like to know what would be the best possible option in terms of complexity and cost for the scenario below that we are trying to implement for a client. Customer A has all web apps deployed on-prem and has clients that come through a co-located VPN based network(say ClientNet network) to access those apps. Now all these apps will be deployed in AWS regions(Prod and Non-prod vpc-s) so in essence Customer A will now be on AWS and all these clients will need to access these apps on AWS via this ClientNet network. At the same time, there will be some to and from communication between AWS VPC-s and Customer A's network for stuff that will still be hosted on-prem like Active Directory and other COTS. Can this be achieved without creating 2 separate Direct Connects or 2 separate VPN-s? By 2 separate DC-s I mean - one DC between ClientNet and AWS and one DC between Cutomer A one-prem and AWS and the same applies for VPN if we were to replace DC with VPN. Can TGW be used to consolidate this one just one connection whether its DC or VPN that can assessed later based on requirements for security and bandwidth?

Hi there, Is it possible to restrict login by source IP address when using [AWS SSO cloud application](https://docs.aws.amazon.com/singlesignon/latest/userguide/saasapps.html)? I want to use AWS SSO as IdP for logging in to MuleSoft AnyPoint. I know that I can restrict access to the AWS Management Console by source IP address by using Permission sets, but I'm not sure if it is possible to restrict login by source IP address when using AWS SSO cloud application. If it is possible to restrict login by IP address when using AWS SSO cloud application, please let me know how to configure it. Thanks.

Hello! I have recently been experiencing some Error 403 issues with accessing AWS/CloudFront services, and I believe it may be reputation related. Does AWS have a lookup to tool to check for IP reputation on there internal lists? https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html Thanks in advance!

Hi team, I create a VPC flow log with destination S3, file format = parquet it generates files like this : `76451945824541_vpcflowlogs_region_fl-08fsf0225fa03sf9874_20220607T8000Z_9f45sfsff.log.gz` I tried to unzip it via 7-Zip I had a message: cannot open the file, is not archive is there a way to open this parquet file and explore it in windows without passing by Athena? Thank you

We have setup redis on x2gd.medium with 2 to 5 ec2 instances connected within the same region https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/memory-optimized-instances.html indicates it has a baseline of .5Gbps. From the network In/Out monitoring, it seems we are averaging about .35Gbps with some minor peaks. https://photos.app.goo.gl/rkizVakGQpZo8v5q6 Yet we are observing constant increasing of ``` ethtool -S ens5 bw_in_allowance_exceeded: 314 bw_out_allowance_exceeded: 281794 ``` Our setup is fairly vanilla - ubuntu/images/hvm-ssd/ubuntu-focal-20.04-arm64-server-20220419 ami-0d70a59d7191a8079 - add-apt-repository -y ppa:redislabs/redis - apt-get -y update - apt-get install -y nvme-cli - apt-get -y install redis ``` uname -a Linux ip-10-0-0-41 5.13.0-1022-aws #24~20.04.1-Ubuntu SMP Thu Apr 7 22:14:11 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux redis-cli -v redis-cli 7.0.0 modinfo ena filename: /lib/modules/5.13.0-1022-aws/kernel/drivers/net/ethernet/amazon/ena/ena.ko license: GPL description: Elastic Network Adapter (ENA) author: Amazon.com, Inc. or its affiliates srcversion: 066F20794698BA58475C910 alias: pci:v00001D0Fd0000EC21sv*sd*bc*sc*i* alias: pci:v00001D0Fd0000EC20sv*sd*bc*sc*i* alias: pci:v00001D0Fd00001EC2sv*sd*bc*sc*i* alias: pci:v00001D0Fd00000EC2sv*sd*bc*sc*i* alias: pci:v00001D0Fd00000051sv*sd*bc*sc*i* depends: intree: Y name: ena vermagic: 5.13.0-1022-aws SMP mod_unload modversions aarch64 ``` Question: 1. How can we know more about this "hidden networking credits" that seems to be limiting our bandwidth to avoid exceeding the allowance?

One of my environment start to get into Environment Health Sever state with `Target.ResponseCodeMismatch` while on the ELB target, the instance was listed as `HTTP 502: Bad gateway` I've verified below all looks correctly setup for me, but still not able to get the Environment Health back to normal 1. Load Balancer setting for listener and processors all on HTTP, PORT 80, for processor the Health check path is `/health` (this is the same as my other environment), the respond code was left as default `200` 2. Load Balancer is in a EB default created security group and EC2 Instance also has EB default created security group where is allowing traffic from and to ELB over 80 3. Subnet is in a subnet where ACL is allowing traffic on all port I also restarted and launched new instance couple of times, the error is not going away

Hi, I'm looking to see what options are available and what might be the best practice to accomplish routing HTTP traffic based on a parameter within the parameter store. Currently we have multiple services all sending HTTP traffic to a single URL. This receiving endpoint is about to be duplicated and we will be introducing a setting in the parameter store that will determine whether traffic will be send to endpoint A, or endpoint B. A lambda function is always an option, but I'm looking to see if there's anything already within the managed services side of AWS that can help us. At first ALB seemed a logical choice as that has routing rules, unfortunately it seems the rules can only be determined by attributes of the incoming request, and not a Parameter from the parameter store. So perhaps API gateway could be utilised, but with around a million requests per day, I'm concerned this would be costly and it's also not clear whether I forward traffic based on a setting from the parameter store. Any thoughts appreciated, thanks!

Hello, I am working on improving security compliance in my project and recently I've come across security finding related to network ACL: `[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389`. I've updated my ACLs in the following manner: | Rule Number| Type | Protocol | Port Range | Source | Allow/Deny | | --- | --- | --- | --- | --- | --- | |10 | SSH(22) | TCP(6) | 22 | 0.0.0.0/0 | Deny | | 11 | SSH(22) | TCP(6) | 22 | ::/0 | Deny | | 20 | RDP(3389) | TCP(6) | 3389 | 0.0.0.0/0 | Deny | | 21 | RDP(3389) | TCP(6) | 3389 | ::/0 | Deny | | 100 | All traffic | All | All | 0.0.0.0/0 | Allow | | * | All traffic | All | All | 0.0.0.0/0 | Deny | According to ACL evaluation rules ports 22 and 3389 are blocked, but check still fails. I suppose that it looks only for record that allows for all traffic and ignores the order of the rules. In my opinion the current rule validation is wrong. What are your thoughts on this?

Hi, I've set up an inter-region VPC peering connection between 2 VPCs located in different regions, however when I try ping between two servers in those two regions, the ping rate is exactly the same no matter I ping with private IP or public IP (between 200-300ms), I understand data transfer via peer connection stays on AWS global backbone and never traverse the internet therefore the latency with private IP should be much lower? any suggestions will be greatly appreciated

Hi All, I'm not able to figure out what steps needs to be done in order to access the webbrowser through IPV4 address. Showing this site can't be reached please help me , I'm new to AWS. what I have done:- 1. I have set the inbound rules HTTP (80) and SSH(22) Thanks in advance!!!

Hello, even if I use the newest public bundle for my workspaces I have the Internet Explorer installed and not Edge. The official support of the Internet Explorer will end in the middle of June 2022. So why isn't there any bundle with Edge? That would solve a lot of problems that I have and will have. In the public bundle that I use there is Mozilla Firefox installed but it's not possible for the users to update it because we don't give them local admin rights. And obviously Firefox isn't updated automatically. Thanks a lot in advance, Michaela

Hi there, May I know if the private API Gateway has static ip or dynamic ip?

Hello, Does anyone know if this is a factor in a cost model? We are going to setup our own org within AWS to build Control Tower, but we are also taking services from our ISP in another account. The traffic will mainly be between the 2 organizations within the same region, over transit GW. Is there an added cost for cross-organization traffic? Kr, JT

Use-case: Automatically build AWS Security groups by reporting the external-facing IP address of an edge device running AWS Greengrass V2. Is there an AWS provided component that does this ? I see that the IoT Device Defender Component posts some information regarding how many bytes over which ports. We are looking for a component that can report: - External facing IP - Bandwidth usage (or at least, bandwidth used by the Greengrass software) Does such a public component exist, or would it have to be a custom-built component ?

There is conflicting information: some docs say your static ip will only be "saved" if you started the instance on EC2 to begin with. some say you will retain the static ip on lightsail even if you reboot it. 1. will static ip for lightsail -ubuntu be saved for reboot ? 2. will static ip for lightsail -ubuntu be saved for start and stop ? how can i reserve the allocated ip through both 1 and 2 above? TIA

Hello, I have deployed my service built with django to ec2 and am using it. On the console, the instance is running. However, the Instance status checks fails, and the ssh connection is not possible. Even if I try to use the connection service within aws, I can't connect with the error "There was a problem connecting to your instance". Network access, security groups are still in use, so I don't think there was a problem here. What can i do now? + I've tried everything like rebooting, shutting down, and restarting a little later!

We have an App hosted on AWS and our DNS is hosted at a different provider (cPanel). We are currently evaluating to move DNS hosting and homepage hosting from cPanel to AWS Route53 in order to make DNS management more easy. We are struggling with the cost estimations. We pay annually 97€ for hosting of two main domains + approx. 5 sub domains including the hosting of our homepage using WordPress at cPanel right now and I need to understand the costs for moving to AWS Route53. Any help on getting at least an idea of the costs is highly appreciated. Best Regards, falk von Rönn

The database looks OK but starting from tonight no communication from any client Any ideas on what should I do to fix it?

If I have an IPv4 /24 address block, and I use it (transfer it) to AWS, can it apply to different regions simultaneously? A simplified example: one ip address (of the supplied block) used in the Oregon data center (region) and another used in the Virginia data center (region)? I want to have redundant EC2 services in different geographic locations in case of natural disasters, among other reasons. I also want them running simultaneously, not fail-over. I am wondering if I need multiple /24 blocks, one for each data center (region), or if one will suffice. Thanks

Hey, I have a webhook endpoint where our service provider send a payload which I have to respond to within 2 seconds. I've been getting way too many timeout errors from the service provider, meaning I wasn't able to respond within 2 seconds. I did some digging as to when the Fargate Server gets the payload vs when the ALB receives it. I went through some of the access logs from the ALB and found that it takes about a second or so to pass the payload from ALB to the fargate server. Here's the timestamp at which the request arrived to the ALB - 15:19:20.01 and my server recieved it at - 15:19:21.69. There's over a second of difference, I wanna know how to reduce it. One of the solution I thought of was that instead of registering my domain + the URI to the service provider to send webhook to, I set my IP + the URI so there's no need of forwarding done by ALB. Let me know what you guys think. EDIT - The solution I thought of was pretty stupid because fargate provides a new IP everytime a new task is deployed (as far as I know). Also the ALB forwards the request / payload to the ECS Target Group, just throwing this fact in as well.

Hi, We have a manual setup redis ec2 instance that is maxing out the baseline bandwidth allocated for the instance, but we do not need higher CPU/Mem for the instance, what are our options? We aren't able to use ElasticCache it does not fit our budget range. ``` ubuntu@ip-10-0-0-98:~$ ethtool -S ens5 NIC statistics: tx_timeout: 0 suspend: 0 resume: 0 wd_expired: 0 interface_up: 2 interface_down: 1 admin_q_pause: 0 bw_in_allowance_exceeded: 333 bw_out_allowance_exceeded: 303473 ``` Also, there seems to be not where to lookup what this invisible network "credit balance" unlikely CPU, EBS disk balance?

Hi community, When launching AWS Client VPN on Ubuntu 22.04, it briefly opens but suddenly crashes. Do you guys plan to support the client in Ubuntu 22.04? Thanks in advance.

we are trying to restrict a cloudfront CDN to Spain, but on of our internet lines, located in Spain is getting a forbiden response. I have checked the info in http://whois.arin.net/rest/net/NET-*-*-*-*-1 and it is updated and correct. Where is the IP location database Amazon use for the Geolicalization ? And how to force the update of that database ? Regards

Hi, So I hosted a wordpress site on amazon lightsail, and I have attached a domain to it, now half of my site uses my domain while the other half still loads on my static ip. I have no idea why this is happening because I also have other wordpress sites and they don't have this issue. Please help me out

Dear Team, I have the following setup requirements between VMware on AWS SDDC and on-Premise DC. 1. Need an encrypted VPN Solution between SDDC and On-Premise DC. 2. Need an Encrypted VPN Solution between SideCar VPC and On-Premise DC. 3. We have direct connect setup between DC and AWS. 4. Protected firewall sitting behind the edge device in on-Premise DC , encrypted VPN setup on DX need two set of public. Firewall sitting behind edge devise VPN connectivity but that firewall could not configured with public ip. The last hop where the public ip could be configured is the edge devise on the customer site. As per my understanding, I can use the public VIF on direct connect to setup the encrypted VPN connection between the client edge devise and AWS router. But the problem statement in this case is 1. How to setup the encrypted VPN solution for both SDDC and sidecar VPC? Can we route the traffic from SDDC to VTGW to TGW(of the sidecar account) and then leverage public VIF to setup encrypted VPN from TGW to customer edge devise? 2. Do we need the DX gateway to setup the encrypted VPN connectivity? 3. Encrypted VPN on DX would need to set of public IPS. What if the customer firewall is not having the option to configure the public IP for encrypted VPN ? 4. Can I use the DX setup in one OU to create the public VIF for another account in separate OU. This is required because I am looking to create the encrypted VPN connection from two OUs to the DC. Please advise with your comments or if there is any reference architecture available with VMC/AWS. Many Thanks Rio

A site that was thought to be on another provider is being hosted by Amazon at ip address 15.197.142.173. How can I find out which account owns that ip address? I've looked through our AWS accounts and it's not in any of them.

i am having a 2 GB RAM, 1 vCPU, 60 GB SSD Windows 2019 server instance with static ip,iis installed, the default port 80 is opening good, now i am having another website with port 8080, how to access the site using my lightsail instance, in the networking panel of lightsail dashboard i have allowed custom tcp port 8080 and inside the windows provided firewall access to the particular port. i am able to access a site that is hosted in port 80 externally, but a connection time out is coming for the application hosted via port 8080 . Any idea. Thanks and regards

Hi, I have a architectual doubt, Its possible place a firewall virtual appliance in front of a regional API gateway to inspect or control the traffic from the internet agains an particular API? Thanks in advance for any hint about.

Two questions. First, if you create a network on Amazon Managed Blockchain, then do you necessarily need to use AWS cloud storage? Or would it be possible to divide up the cloud storage among different providers? Second, Do all other members of an AMB network also need to use AWS cloud storage? If organization B wanted to join the network and insisted on using some other cloud storage provider, would it be possible for them to join the network? Or would the network operator need to launch a peer node on their behalf, using another AWS account?

Steps to reproduce: Create EC2 instance in eu-central-1 region with following configuration - t3.small, ami-042172eb88687b43e (Windows Server 2016 Base), Public IP, igw to handle traffic. Login to the instance through RDP. Install telnet (it can be done through PowerShell with following command Install-WindowsFeature -name Telnet-Client). Open command line and try use telnet to connect 10-20 times to remote host with following command telnet 212.90.186.150 80. At least one attempt will fail with error "Connection failed". Repeat all steps above in eu-north-1 region and will see 0 errors. Is there a problem with routing in eu-central-1 region? You can also trace (tracert 212.90.186.150) to find out through which IPs/Networks the connection goes. From the 212.90.186.150 country (Ukraine) side the route is the same for both regions but when you trace from eu-central-1 it also goes through few internal IPs: 100.95.20.135, 100.100.22.2, 100.95.21.129, 100.100.4.58 and one "Frankfurt IPv4 Peering LAN". It could be a problem with this route. Could you help to solve the issue?

I recently registered a .co.uk domain thinking it could be hosted on Route 53. I later learned Route 53 isn't compatible with the storefront service that the domain was intended to point to. Cloudflare is compatible and I've moved NS authority to their platform and updated NS in Route 53. However, .co.uk domains are managed by Gandi and I also need to update NS records there. Simply updating on Route 53 didn't update Gandi. I don't have a Gandi account, how do I make these changes?

Hello Everyone, I have created DNS Zone in the Networking tab of Lightsail. It is not letting me add DKIM of 2048 length. I saw some of the solutions like dividing them with double-quote but not working in Lightsail DNS. Any suggestion, please? Thanks, SPViradiya

Hi, I work in an ISP Recently we have rented an IP segment, we are doing the paperwork to formalize the transfer to my region, however, in the meanwhile we are using the IPs. We detected that AWS CloudFront is providing a Geo restriction to some websites, because Route 53 is using the previous IP's Geolocation DB. How could I proceed to indicates AWS the new IPs location? Thanks so much your help and support

Hi, I created an AWS Opensearch domain in a VPC, but I can't figure out how to access it? When I am clicking on AWS Opensearch dashboard it's not opening and there is a timeout. I fould 2 solutions: EC2 instance with SSH tunnel or NGINX proxy on EC2 instance. But can I access the domain in a VPC without spinning the EC2 instance at all?

I'm using [this cloudformation template](https://s3.amazonaws.com/aws-neptune-customer-samples/v2/cloudformation-templates/neptune-base-stack.json) as part of a deployment of an amazon neptune db. However the NAT gateways that it creates are quite expensive. One suggestion that seems appealing is to use NAT instances instead of NAT gateways. My understanding so far is that the NAT gateways allow my db and its associated resources to make outbound network requests while remaining unavailable from the public internet. I would like to preserve that functionality while switching to NAT instances, but I'm not sure how to go about modifying the template to achieve that. Can someone please offer direction on how I can do this?

Hi, As mentioned in the question, my ECS tasks cannot connect to my RDS. The ECS tasks try to resolve the rds by name, and it resolves to the RDS public IP (RDS has public and private IPs). However, the security group on RDS doesn't allow open access from all IPs so the connection fails. I temporarily allowed all connections and could see that the ECS tasks are routing through the open internet to access the RDS. Reachability Analyzer checking specific tasks' Elastic Network Interface to the RDI ENI is successful, using internal routing through the peering connection. At the same time I have another server on VPC C that can connect to the RDS. All the config is similar between these two apps, including the peering connection, security group policies and routing tables. Any help is appreciated Here are some details about the VPCs VPC A - 15.2.0.0/16 [three subnets] VPC B - 111.30.0.0/16 [three subnets] VPC C - 15.0.0.0/16 [three subnets] Peering Connection 1 between A and B Peering Connection 2 between C and B Route table for VPC A: 111.30.0.0/16 : Peering Connection 1 15.2.0.0/16: Local 0.0.0.0/0: Internet Gateway Route table for VPC C: 111.30.0.0/16: Peering Connection 2 15.2.0.0/16: Local 0.0.0.0/0: Internet Gateway Security groups allow traffic to RDS: Ingress: 15.0.0.0/16: Allow DB Port 15.2.0.0/16: Allow DB Port Egress: 0.0.0.0/0: Allow all ports When I add the rule: 0.0.0.0/0 Allow DB Port to the RDS, then ECS can connect to my RDS through its public IP.

In my AWS instance, I only have one network interface, and **one internal IP address** from my subnet 10.1.1.0/24, let's say it's 10.1.1.66, I have 10 EIPs, 52.2.2.1 - 52.2.2.10 as well. Can I associate these 10 public EIPs to my single internal IP 10.1.1.66? My instance has code to direct these 10 public IPs to different web services. Thanks

My question is about whether it is possible to build a permissioned network with Proof of Authority on Ethereum, making use of the AWS Managed Blockchain service. If possible, I would like to know the limits of gas per block that can be handled.

Hi, So we have an EC2 instance setup with a load balancer and elastic IP.... It works perfectly, except when the Elastic IP address becomes unassociated with the instance. The EIP addr is still there in the EIP table, just no instance is connected to it. And it does this seemingly at random. It will work for hours - days - then all of a sudden we can't connect. We check the EIP and it's unassociated. We re-associated it, and it's back to working again. (We do not have the *Reassociation* checkbox marked when you go to associate an EIP, so that shouldn't be causing it.) Other information: 1. No one has made changes to aws setting when it disassociates. 2. It doesn't coincide with bitbucket pipeline build. 3. Security groups, inbound rules are still all the same and associated with the instance. 4. We also only have a couple EIP, so we shouldn't be hitting any limits. So we are at a complete loss. Nothing else seems to change in aws - just the EIP association. Any ideas? I will happily add more information if needed.

I'm setting up a company VPN using AWS Client VPN endpoints, I have everything working so far however all client internet traffic is being routed through the VPN and out through the NAT gateway (and therefore incurring NAT gateway costs). I'm trying to enable split-tunnel however I'm still getting 0.0.0.0/0 routes to the vpn added to my route table. If I try: - Split tunnel enabled - Routes to local vpc and peered networks - Authorized access to these routes - Fairly open security group And then connect to the VPN I still get this in my route table: ``` > ~/d/i/vpn on branch ◦ netstat -nr 11:03:22 Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 10.0.2.161 0.0.0.0 UG 0 0 0 tun0 0.0.0.0 192.168.4.1 0.0.0.0 UG 0 0 0 enp0s20f0u2 0.0.0.0 192.168.4.1 0.0.0.0 UG 0 0 0 wlp0s20f3 10.0.2.160 0.0.0.0 255.255.255.224 U 0 0 0 tun0 10.10.0.0 10.0.2.161 255.255.0.0 UG 0 0 0 tun0 ------- 10.0.2.161 255.255.0.0 UG 0 0 0 tun0 ``` (With some redaction above, I'm using 10.0.0.0/22 as the vpn cidr) I'm connecting from a Fedora laptop using the built in vpn client, I'm creating a vpn file based off the one you can download and importing it after adding in certs & keys). This all means that when I'm trying to connect to the VPN I can access my private resources, but I lose all general internet connectivity. For our use case it's not workable to us to keep having to hop on and off the VPN.

Launch instance from a clone AMI and the status check fails. Unable to ssh in the ec2 instance checked the Private IPv4 addresses and it's correct for the current VPC and the correct security group inbound ports is open ie..port 22. Click on Get instance screenshot and the IP showing in the login screen is incorrect. example..ec2 intance IP: 10.2.68.xx screenshot IP: 10.1.x.x This will happen with any flavor of Linux ie..centos, redhat, ubuntu etc I did shut down the ec2 instance and still had the incorrect private IP

How can I check the cost of network load balancer with cross-zone load balancing enabled on AWS console? Cross zone load balancing only.

how can i point a new instance with a domain which is already exist with another ip address in hosting zone? Is that even possible?

> ACM requires additional information to process this certificate request. This happens as a fraud-protection measure if your domain ranks within the Alexa top 1000 websites. To provide the required information, use the Support Center to contact AWS Support. If you don't have a support plan, post a new thread in the ACM Discussion Forum. `arn:aws:acm:us-east-1:811691864949:certificate/e7fc01d2-043f-4189-aabf-faf521db9fb7` So what kind of information do I need to provide to issue the certificate?

note: I'm new to scaling and firstly seeking advice on the best practices for horizontal scaling **I have the following setup:** *EC2 Instances <-> ASG(created from Launch template) -> TG <-> ALB <-> TG <-> NLB* Traffic flows through NLB to ALB and finally to EC2 instances configured via ASG. note: I'm assuming the above setup is the best one to go with horizontal scaling, if not please let me know. the above setup works fine for HTTP whereas when I try to configure HTTPS, I don't see options to do so. Issue1: Target Group(TG) doesn’t allow to create one with Load Balancer type with TLS port: 443 but allows only TCP: port 80, **Question1: **how else should I redirect HTTPS traffic to ALB? note: I need NLB because ALB doesn't provide Static IPs **Question2:** wrt Static IPs: NLB doesn't allow <2 AZs which means I need to have 2 Static IPs linked to my domain? any inputs would be really helpful! **Update1:** I've configured like below: In ALB listeners: HTTP(80) gets redirected to HTTPS HTTPS(443) gets forwarded to ASG In NLB listeners: HTTP(80) gets forwarded to ALB note: ALB's public URL is added to my domain(sample-alb.domain.com) NLB's public URL is added to my domain(sample-nlb.domain.com) SSL works fine if the user enters by hitting sample-alb.domain.com whereas if the user enters by hitting sample-nlb.domain.com, it always fails with "ERR_CERT_INVALID" any inputs on why this fails? **Update2:** I've got the answer to my Issue1/Question1 on how to redirect HTTPS traffic to ALB from here: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html#configure-application-load-balancer-target > **Listeners and routing** > For Listeners, the default is a listener that accepts TCP traffic on port 80. Only TCP listeners can forward traffic to an Application Load Balancer target group. Keep the listener protocol set to TCP, but you can modify the port as required. > > This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol. so, I created a TG with TCP port 80 and listener to NLB, which redirects to ALB. (say for ex my NLB's public URL is 'nlb34323.amazonaws.com') now, when I hit my NLB's public URL with 'http://nlb34323.amazonaws.com', it does get redirected to 'https://nlb34323.amazonaws.com', but eventually fails with a timeout error. note: whereas when I hit ALB's public URL, it is working fine does it have anything to do with TLS termination as mentioned in the above documentation: > This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol. what am I doing wrong here?

We use AWS Elastic Beanstalk with an Amazon AMI with Tomcat & Corretto running on Amazon Linux 2 (`aws-elasticbeanstalk-amzn-2.0.20220316.64bit-eb_tomcat85corretto8_amazon_linux_2-hvm-2022-03-29T20-48`) and are running into an [OS networking bug](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1924298) when Tomcat is under load. The result of this bug are that TCP connections from clients connect but timeout while the server is under load. The networking bug is due to a race condition in the TCP stack which is fixed in Linux 5.10 kernels. A description and diff of the bug can be found in [this commit](https://github.com/torvalds/linux/commit/01770a166165738a6e05c3d911fb4609cc4eb416). From the description of this bug it looks like this race condition affects all TCP networking and is not specific to Tomcat, but manifests more often under load. Currently, as far as I can tell, all the latest Amazon AMIs for Elastic Beanstalk for Tomcat or Corretto are using a 4.14 kernel. The AMI which we are using has a kernel of `4.14.268-205.500.amzn2.x86_64`. I have been able to reproduce the bug on this AMI using the sample server code in the Ubuntu bug report, which is independent of Tomcat. I have also tried reproing the bug on newer versions of Amazon Linux 2 (AMI `amzn2-ami-kernel-5.10-hvm-2.0.20220419.0-x86_64-gp2`) which are using a `5.10.109-104.500.amzn2.x86_64` kernel, but have not been able to repro the bug on this kernel. We would prefer not to have to create our own AMI for using Elastic Beanstalk, but were wondering if and when there will be an update to the Amazon Elastic Beanstalk AMI's which incorporate this OS bug fix since this is affecting the reliability of networking under load?

Hello, I just setup a lightsail Centos 8 instance and also installed firewalld. I am trying to open port 3306 for MySQL. I did the following commands and each time got a success response: sudo firewall-cmd --zone=public --permanent --add-port=3306/tcp sudo firewall-cmd --reload sudo firewall-cmd --zone=public --permanent ----add-service=mysql sudo firewall-cmd --reload Online open port checker, https://www.yougetsignal.com/tools/open-ports/ shows its closed. Been self-hosting this database for several months from my home CentOS 8 server but wanted to move it somewhere for reliability. Any help or suggestions would be greatly appreciated! TIA

**Setup** There are multiple instances in our Lightsail account. They run Ubuntu 20.04 and their hostnames were set to `backend` (IP `172.26.0.10`) and `database` (IP `172.26.0.11`). **Problem** `backend` can reach `database` via `ping 172.26.0.11` but it cannot reach database via `ping database`. **Question** Is there any way to configure AWS Lightsail to allow private hostname resolution? We have tried: * mDNS. Not possible because Lightsail prohibits broadcasts & multicasts. * Route 53. We're not experts here but we tried to configure a private hosted zone. These zones need to be associated with a VPC but apparently we could only choose our default VPC which is different from the (invisible) Lightsail DNS. * `/etc/hosts`. This would be our fallback solution if we cannot find an easier-to-maintain way to use private hostnames.

Hi, I understand from [this article](https://aws.amazon.com/blogs/networking-and-content-delivery/integrate-your-custom-logic-or-appliance-with-aws-gateway-load-balancer/) that GWLB supports overlapping CIDRs through the GENEVE protocol. However, does this also work with TGW? Thanks

Mistakenly, I created VPC with selecting the single AZ, this configuration has no redundancy for networking and running instances as I know. Now I have services running in VPC. Can I convert it to multiple AZs in current region without other configurations affected?

Hello, I have a wordpress site and trying to use cloudfront in order to improve the website response time. I followed the steps in the article below: https://aws.amazon.com/blogs/startups/how-to-accelerate-your-wordpress-site-with-amazon-cloudfront/ I completed all the steps and modified C:\Windows\System32\drivers\etc\hosts on my computer so that the domain name of my site points to the ip address of my cloudfare distribution. (when I ping www.domain.com => I get the ip address of my distribution). When I put the domain name of my site on a browser, I get the response below: -------------- 403 ERROR The request could not be satisfied. Bad request. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner. If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation. Generated by cloudfront (CloudFront) Request ID: SVH3QfYg-qs-TkAfBIrIkFH-Er0R-V1aJGjORaub7-ApZ5Vdte372w== -------------------------- What did I do wrong ??

Looking for an answer for my AWS implementation, does anyone have experience to reserve the Elastic IP range? for example 52.2.2.1 - 52.2.2.8. If yes, does it charge more? I would assign my AWS instance with consecutive public IP addresses for easy management. Thanks

Hi Team, Please clarify below as I fail to search suitable answers in documentations / Knowledge center - 1. how to Move AWS Environment to a new AWS Environment 2. how to Migrate servers own VPC and account 3. how to create DC Controller (new domain) in AWS ? 4. how to create brand new servers in the new AWS account (further to Q1) 5. hot to Create images and move them to the new account (further toQ4) 6. how to do DNS change for new account? 7. If I create a new domain on GoDaddy and want to move to AWS new account (created in Q1) , how to move the registered domain? 8. How to ensure that all users (from old AWS / from Godaddy) are in the new domain? 9. How to ensure successful migration from old AWS to new AWS ?

I have an ECS Fargate service with a security group associated. This security group is only used by the Fargate service. If I decided to delete the service and the security group I'm having an error deleting the security group saying that the security group has some dependant objects. I get that this is due to the network interface created by the ECS service. What I would like to understand is how long it takes to AWS/ECS to clean these network interfaces after the services are deleted? I've tried to add a waiter after I delete the service waiting for the network interface to be gone but it is too variable and sometimes it can take more than 12 min!! Do I really need to wait until this network interface is gone to delete the security group? Is there another resource I can check to know that I can delete the security group? Is there a way to predict/make faster the deletion of the internal network interfaces created by ECS? It is quite annoying not having control over this.

Hello, I'm trying to determine the availability zone of a NAT gateway in an account, not just for one, but for a list of NAT gateways one after another. As far as I understand, when calling `ec2Client.DescribeNatGateways()` the NAT's availability zone is not provided. In order to get the AZ, I'm doing another API call to `ec2Client.DescribeSubnets` with the NAT's subnet ID, Only then the AZ is in the output. As I'm making a multiple API calls, this could be time-consuming. I was wondering what is the most efficient way to determine the NAT's AZ? Thank you, Ori Adler

I have a subdomain that I want to point my EC2 instance. My instance is running a 3rd party software that requires HTTPS. I use Cloudflare for all my DNS routing and created an A Record to point to my EC2 IP address. I have no problems access it by IP, but fails when using the subdomain address (test.mydomain.com). Receiving an Error 520 message - Web server is returning an unknown error. I made sure that: * EC2 security group port 80/443 is open for both 0.0.0.0/0 and ::/0 * Cloudflare SSL/TLS is set at Flexible Not sure what I'm missing?

I have a public ALB with a WAF firewall attached to it and a Global Accelerator endpoint which forwards traffic to this ALB. Now, I'd like to limit direct access to the ALB to IP Range of the AWS Global Accelerator range - so to start with, none can access directly the ALB if not via the GA endpoint. I have created an AWS Lambda as per https://aws.amazon.com/blogs/security/automatically-update-aws-waf-ip-sets-with-aws-ip-ranges/ which downloads the https://ip-ranges.amazonaws.com/ip-ranges.json file and adds automatically all the IP Subnets that matches "service": "GLOBALACCELERATOR" to the WAF IPset for both IPv4 and IPv6. The process works and the Lambda can successfully add the IP address range to the WAF IPSet, though when I configure a rule to Match/Count this IPSet, I'm not seeing any hits that matches these subnets. The only way I got this to match was to add all the IP ranges which matches "service": "AMAZON" rather then "service": "GLOBALACCELERATOR". This makes me believe that the https://ip-ranges.amazonaws.com/ip-ranges.json list is not updated with the correct IP Ranges for the GLOBALACCELERATOR.

Recently, saw a huge spike in the Route 53 queries for unidentified domain names. Looks like some scan tools query not existing domain which is hosted on Amazon Route 53 public host zone. For example, they query abc.abcde.<company>.com. The request amount over 1 billion and we have to pay extra. How do I stop this from happening?

Hi all, I want to set up a S2S VPN connection using dynamic routing between on-prem and AWS environment. But on-prem engineers are telling me to set up a BGP password on this VPN in AWS side. Is possible to set up a BGP password in AWS side? As I didn't found anything about BGP password on S2S VPN documentation and in console as well, didn't found the field for BGP password. I know that on a Direct Connect is possible to set up a BGP password. I'm only asking is for a S2S VPN is possible as well? Thank you, Valentin.

**The goal** I am trying to bring my /46 IPv6 prefix to EC2. It is part of a /44 IPv6 assigned to my ASN with the status "ASSIGNED" within the RIPE database. The ROA records have been set which I could also verify under https://rpki.cloudflare.com/. **What I did so far** I have basically followed this doc, yet provisioning fails: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#prepare-for-byoip When I send the `aws ec2 provision-byoip-cidr` request, the status is `failed-provision` with the message "The CidrAuthorizationContext signature could not b e verified with the X509 certificates in the RIR records". The command `whois -r -h whois.ripe.net abcd:efab:cde::/46 | grep descr | grep BEGIN` delivers my certificate succesfully. My request looks like this: ``` # ! bin/sh text_message="1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS" signed_message=$(echo $text_message | tr -d "\n" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n") aws ec2 provision-byoip-cidr --cidr abcd:efab:cde::/46 --cidr-authorization-context Message="$text_message",Signature="$signed_message" --region eu-central-1 ``` So, I checked the signature: ``` $ echo "1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS" > file.txt $ cat file.txt | openssl dgst -sha256 -sign private-key.pem -keyform PEM > rsasign.txt $ openssl sha256 -verify certificate.pem -signature rsasign.txt file.txt unable to load key file ``` It only works when I use the public key instead of the certificate: ``` $ openssl sha256 -verify public-key.pem -signature rsasign.txt file.txt Verified OK ``` I also tried adding just the public key to the inet6num object's descr in the RIPE database, but that results in "No X509 certificate could be found in the Whois remarks", so that won't do it. **Question: Any ideas on how to bring my IPv6 prefix to AWS?** The linked documentation alone is of no help at this moment..

I run a small server providing web and mail services with a public address. I was planning on upgrading from a t2 small to a t3 small instance so I began testing the new environment using ubuntu 20.04. The new instance is running nginx, postfix, dovecot and has ports 22,25,80,443,587 and 993 open through two security groups assigned. I wanted to test a user which used only google-authenticator with pam/sshd to log in (no pubkey, no password). What I discovered was that after two sets of failed login attempts (intentional), my connection to the server would be blocked and I would receive a timed out message. Checking the port status with nmap shows that ports 22,80 and 443 were closed. and the remaining still open. I can still reach all the ports normally from within my vpc, but from outside, the ports are blocked. Restarting the instance or reassigning the security groups will fix the problem. Also, after about 5 minutes, the problem resolves itself. It appears that the AWS security group is the source of the block, but I can find no discussion of this type of occurrence. This isn't critical, but a bit troubling, because it opens a route for malicious actions that could block access to my instance. I have never experienced anything like this in about 7 years of running a similar server, though I never used google-authenticator with pam/sshd before. Do you have any ideas? I'd be happy to provide the instance id and security groups if needed.

[ec2-user@ip-10-16-60-224 ~]$ **route** Kernel IP routing table ``` Destination Gateway Genmask Flags Metric Ref Use Iface default ip-10-16-48-1.a 0.0.0.0 UG 0 0 0 eth0 10.16.48.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0 instance-data.a 0.0.0.0 255.255.255.255 UH 0 0 0 eth0 ``` [ec2-user@ip-10-16-60-224 ~]$ [ec2-user@ip-10-16-60-224 ~]$ **ip add** 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000 link/ether 06:bf:f7:bd:36:52 brd ff:ff:ff:ff:ff:ff inet 10.16.60.224/20 brd 10.16.63.255 scope global dynamic eth0 valid_lft 3109sec preferred_lft 3109sec inet6 2406:da18:e26:a403:977:a307:147f:a413/128 scope global dynamic valid_lft 437sec preferred_lft 127sec inet6 fe80::4bf:f7ff:febd:3652/64 scope link valid_lft forever preferred_lft forever [ec2-user@ip-10-16-60-224 ~]$ [ec2-user@ip-10-16-60-224 ~]$ **traceroute 1.1.1.1** traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets 1 ec2-18-141-171-15.ap-southeast-1.compute.amazonaws.com (18.141.171.15) 8.342 ms ec2-175-41-128-177.ap-southeast-1.compute.amazonaws.com (175.41.128.177) 7.433 ms ec2-18-141-171-1.ap-southeast-1.compute.amazonaws.com (18.141.171.1) 19.818 ms 2 100.65.32.224 (100.65.32.224) 3.347 ms 100.65.33.240 (100.65.33.240) 13.093 ms 100.65.34.176 (100.65.34.176) 23.462 ms 3 100.66.16.74 (100.66.16.74) 7.746 ms 100.66.16.202 (100.66.16.202) 7.773 ms 100.66.16.38 (100.66.16.38) 3.531 ms 4 100.66.19.190 (100.66.19.190) 5.059 ms 100.66.19.180 (100.66.19.180) 7.843 ms 100.66.18.228 (100.66.18.228) 16.918 ms 5 100.66.7.249 (100.66.7.249) 12.221 ms 100.66.6.247 (100.66.6.247) 10.830 ms 100.66.6.113 (100.66.6.113) 21.846 ms 6 100.66.4.89 (100.66.4.89) 80.326 ms 100.66.4.159 (100.66.4.159) 18.434 ms 100.66.4.9 (100.66.4.9) 11.122 ms 7 100.65.11.1 (100.65.11.1) 0.604 ms 100.65.9.97 (100.65.9.97) 0.322 ms 0.358 ms 8 203.83.223.30 (203.83.223.30) 1.243 ms 150.222.108.77 (150.222.108.77) 1.575 ms 52.93.10.76 (52.93.10.76) 1.316 ms 9 52.93.8.160 (52.93.8.160) 2.001 ms 150.222.108.66 (150.222.108.66) 1.870 ms 150.222.108.68 (150.222.108.68) 2.114 ms 10 52.93.11.127 (52.93.11.127) 1.386 ms 52.93.11.115 (52.93.11.115) 1.350 ms 52.93.11.125 (52.93.11.125) 1.338 ms 11 99.83.90.55 (99.83.90.55) 4.053 ms 4.046 ms 99.83.68.227 (99.83.68.227) 4.297 ms 12 172.70.140.3 (172.70.140.3) 2.673 ms * 172.70.144.5 (172.70.144.5) 2.274 ms 13 one.one.one.one (1.1.1.1) 1.755 ms 1.795 ms 1.771 ms Thank you very much.

Hi, I run EC2 in Ireland region with GoAnyhwere Application that receives SFTP traffic on 922 port. Normally, on prem, I receive constant 5-10Mbps inbound, but in AWS instance I receive 1mbs and constant drops to 0mbps. The instance is c5.xlarge. Is there anyone who faces similar anomaly ? The same anomaly happens when I transfer to the attached S3

Please help me I use Lightsail and set the firewall using Lightsail/ Manage/ Networking/ Ipv4 Firewall rules. There are SSH TCT 22, HTTP TCP 80, MySQL TCP 3306 etc. When I failed open a web site on that Lightsail, I connected the instance using Putty and run sudo ufw allow 'Apache Full' and sudo ufw enable. Since then, I cannot access the instance in anyway. Nothing works ! How can I login to my instance ? Please Help

how to automate elastic ip assignment on aws ec2?

Hello I am having difficulties in bringing an EKS cluster back into compliance **Cluster:** I have an eks cluster with : - 6 EKS Plane Control Networks (network 1-6) i. Network 1/2/3 are in a RA routing table with a 0.0.0.0/0 which refers to an Internet Gateway ii. Network 4/5/6 are in an RB routing table with a 0.0.0.0/0 that refers to a NAT Gateway (+ other routes to my company network) - 4 cluster nodegroupe with networks 4/5/6 used for worker nodes - My EKS cluster has a Public and Private API ( => From a node, when I do a DNS resolution I do see a private IP) **Target:** EKS cluster with : - 6 EKS Plane Control Networks (network 1-6) i. Network 1/2/3 in a RA routing table with a 0.0.0.0/0 that refers to an Internet Gateway ii. Network 4/5/6 also in the RA routing table - 4 cluster nodegroupe i. Nodegroupe 1 : Use networks 10 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network) ii. Nodegroupe 2 : Use networks 11 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network) iii. Nodegroupe 3 : Use networks 12 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network) iiii. Nodegroupe 4 : Use networks 13 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network) **Problem** When creating a new nodegroup to replace an existing one, I indicate network 10/11/12 or 13 The RC routing table is OK with the NAT Gateway Problem: the node can't join the cluster (error message: **Instances failed to join the kubernetes cluster**) I can see the EC2 instance being created in the right network 10/11/12 or 13 I don't understand the problem, why the nodes in this network 10/11/12 or 13 can't join the API cluster through the ENI in network 1-6? When I create a new nodegroup and I indicate a network 1-6 (network on route table RA or RB) it works without problem Sincerely

Hi there, I'm trying to write a lambda layer in Go using the `google/gopacket` package for capturing network traffic packets. This uses the libpcap C library underneath, and I used https://github.com/lambci/yumda to produce a separate lambda layer that provides the libpcap.so shared library In my layer, I've added the code as outlined here: https://pkg.go.dev/github.com/google/gopacket@v1.1.19/pcap#hdr-Reading_Live_Packets However I am receiving the following error: ``` panic: vinternal_1: You don't have permission to capture on that device (socket: Operation not permitted) ``` I've also tried passing different network IDs, e.g. `"eth0"`, however I am still receiving the same error I am wondering if I do not have access to the right permissions/capabilities when using the .zip method. I had previously tested the custom lambda container image approach, and it worked, but I would prefer to use the zip file approach to avoid heavy deployment processes. Any ideas how I can get the right permissions in a zip-file lambda layer, to allow libpcap to capture packets on the lambda-managed network interface? Thanks :)

I have created an AWS ENclave enabled instance using the command ``` aws ec2 run-instances --image-id ami-<id> --count 1 --instance-type c5.2xlarge --key-name key_file_without_extension --region us-east-1 --enclave-options 'Enabled=true' --subnet-id subnet-<id> ``` But I cannot see a public IPv4 address though it has a private IPv4 address How to ssh in to this instance ? how to assign a public IPv4 address?

**Context:** We've got a number of load balanced web servers running on Windows OS in AWS using C# .NET (5). We have a web server application as well as a Windows Service running on the same machine and we have problems with logging from the Windows Service. **Problem Description**: Since we have many servers running load balanced, we name the log stream with the private IP number in order to distinguish which machine that potentially has problems. This private IP is extracted at startup of the application (for both the Windows Service and the Web Server.) This is usually sucessfull, but yesterday we had an incident when one Windows Service log stream was labeled with 127.0.0.1 instead of the local IP number. Eventually I was able to pinpoint which server it was, restarted the windows service, which made the private IP number appear instead in the new log stream name. **?: Suggested reason with possible solution:** I'm guessing this is a race condition error. The machine has not received it's private IP number yet by AWS network before our service asked for it. **If so we can wait for the real IP to appear just to make sure we get the right IP number in our log. ** I have three question related to this: **Questions:** 1. **Do you see any other reason than the one I suggested why the IP number 127.0.0.1 appears? ** 2. ** Is there a better solution available than the one I suggested?** 3. **Is there a way, using an AWS API of some sort to get hold of the public IP for the server?** Here's the code how we extract the private IP address in this context: ``` var hostName = System.Net.Dns.GetHostName(); var ipAddresses = System.Net.Dns.GetHostAddresses(hostName); var ipv4Address = ipAddresses.FirstOrDefault(ip => ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork); ```

Several times a day, we are getting this error message in our logs when our front-end webserver (i-08a436fb2d0811658) attempts to connect to our database server (i-0ddd3807ec3bac491): **The network path was not found**: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) The configuration of these EC2 instances has not changed in years, and this issue just randomly started a few days ago. We tried stopping the web server and starting it again, to hopefully move it to new hardware, but the issue persists. There are no warnings or errors in the event logs on the web server or the database server indicating what might be the cause. TCP is the primary protocol to communicate with SQL Server. The reference to "named pipes" above indicates it was used a the secondary protocol after the TCP connection failed. Can someone please assist us in troubleshooting this issue. Thank you.

We would like to deploy software via appstream that requires a license tied to the MAC address. I can see the ENIs in the EC2 page, but those are transient. Is there a way to assign a network interface to each appstream streaming instance that would guarantee a repeatable MAC address, or range or MAC addresses for multiple instances? Thanks!

Hi, I see While creating Loadbalancer, We need minimum two public subnets. Once LB is created, it shows me two IPs of LB Dns URL. Ex - non-authoritative answer: Name: Lb1LoadBalancer-405154402.eu-west-1.elb.amazonaws.com Address: 54.228.29.194 Name: Lb1LoadBalancer-405154402.eu-west-1.elb.amazonaws.com Address: 52.30.70.94 Does it mean these Public Ips are one from each Public Subnet ( or Availability zones) . I also tried using three Availability zones ( Each zone has Public Subnet) . But still DNS only shows Two Public Ips of LB Url. I was expecting it to show 3 Addresses. But it doesn't show that way. Is anything wrong with my understanding ? What will happen if one AZ goes down, Will the DNS still show two Ips ? I am confused. Any one knows ?