Questions tagged with Networking & Content Delivery


S3 Interface Endpoint from On-Prem Access Denied

Hello,

We have an S3 Endpoint (interface type) created in the eu-west-1 region. We are trying to write to the buckets using the DNS name created in eu-west-1 from our on-premise location connected via Direct Connect.

DNS: *.vpce-1234567890-abcd2zc.s3.eu-west-1.vpce.amazonaws.com

I have given the following permission in the bucket policy to write to these buckets, but still when we try to upload/write to this bucket, we are getting an Access Denied error as below.

```
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:PutObjectAcl",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>/*",
        "arn:aws:s3:::<bucket-name>"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:PutObjectAcl",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>/*",
        "arn:aws:s3:::<bucket-name>"
      ]
    }
  ]
}
```

```
OTErrWrnLn||ERROR||-1||SERVICE||GBS3||<Bucket_Name> Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 0QWNYWPJZY14EGRC; S3 Extended Request ID: sXic/CHy/OU5oakn7MBb6UESIbggdr9IxaILUiVuGMeUu7iZTUpIUpLeIUieNs82g6jXdBdQ3sU=)||-1||-1||-1|| Access Denied
```

I would like to know what permission is required to write to this bucket from on-premise please. Or any other steps or configuration I need to apply please. When I run nslookup on the S3 endpoint from the on-prem server, it resolves to a private IP. BTW, it works when I enable Allow Public Access.

Thank you
2 answers · 0 votes · 27 views · asked 15 days ago

Network traffic limits on x2gd.medium

We have set up redis on x2gd.medium with 2 to 5 EC2 instances connected within the same region. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/memory-optimized-instances.html indicates it has a baseline of .5Gbps. From the network In/Out monitoring, it seems we are averaging about .35Gbps with some minor peaks. https://photos.app.goo.gl/rkizVakGQpZo8v5q6

Yet we are observing a constant increase of

```
ethtool -S ens5
bw_in_allowance_exceeded: 314
bw_out_allowance_exceeded: 281794
```

Our setup is fairly vanilla:

- ubuntu/images/hvm-ssd/ubuntu-focal-20.04-arm64-server-20220419 ami-0d70a59d7191a8079
- add-apt-repository -y ppa:redislabs/redis
- apt-get -y update
- apt-get install -y nvme-cli
- apt-get -y install redis

```
uname -a
Linux ip-10-0-0-41 5.13.0-1022-aws #24~20.04.1-Ubuntu SMP Thu Apr 7 22:14:11 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux

redis-cli -v
redis-cli 7.0.0

modinfo ena
filename:       /lib/modules/5.13.0-1022-aws/kernel/drivers/net/ethernet/amazon/ena/ena.ko
license:        GPL
description:    Elastic Network Adapter (ENA)
author:         Amazon.com, Inc. or its affiliates
srcversion:     066F20794698BA58475C910
alias:          pci:v00001D0Fd0000EC21sv*sd*bc*sc*i*
alias:          pci:v00001D0Fd0000EC20sv*sd*bc*sc*i*
alias:          pci:v00001D0Fd00001EC2sv*sd*bc*sc*i*
alias:          pci:v00001D0Fd00000EC2sv*sd*bc*sc*i*
alias:          pci:v00001D0Fd00000051sv*sd*bc*sc*i*
depends:
intree:         Y
name:           ena
vermagic:       5.13.0-1022-aws SMP mod_unload modversions aarch64
```

Question:

1. How can we know more about these "hidden networking credits" that seem to be limiting our bandwidth, to avoid exceeding the allowance?
3 answers · 0 votes · 35 views · asked 23 days ago

Encrypted VPN Connectivity from VMC on AWS SDDC to On-Premise DC

Dear Team,

I have the following setup requirements between VMware on AWS SDDC and the on-premise DC.

1. Need an encrypted VPN solution between SDDC and the on-premise DC.
2. Need an encrypted VPN solution between the sidecar VPC and the on-premise DC.
3. We have Direct Connect set up between the DC and AWS.
4. A protected firewall is sitting behind the edge device in the on-premise DC; an encrypted VPN setup on DX needs two sets of public IPs. The firewall sitting behind the edge device is used for the VPN connectivity, but that firewall could not be configured with a public IP. The last hop where the public IP could be configured is the edge device on the customer site.

As per my understanding, I can use the public VIF on Direct Connect to set up the encrypted VPN connection between the client edge device and the AWS router. But the problem statement in this case is:

1. How to set up the encrypted VPN solution for both SDDC and sidecar VPC? Can we route the traffic from SDDC to VTGW to TGW (of the sidecar account) and then leverage the public VIF to set up an encrypted VPN from TGW to the customer edge device?
2. Do we need the DX gateway to set up the encrypted VPN connectivity?
3. Encrypted VPN on DX would need two sets of public IPs. What if the customer firewall does not have the option to configure the public IP for the encrypted VPN?
4. Can I use the DX setup in one OU to create the public VIF for another account in a separate OU? This is required because I am looking to create the encrypted VPN connection from two OUs to the DC.

Please advise with your comments or if there is any reference architecture available with VMC/AWS.

Many Thanks
Rio
1 answer · 0 votes · 14 views · asked a month ago

My ECS tasks (VPC A) can't connect to my RDS (VPC B) even though the VPCs are peered and networking is configured correctly

Hi,

As mentioned in the question, my ECS tasks cannot connect to my RDS. The ECS tasks try to resolve the RDS by name, and it resolves to the RDS public IP (RDS has public and private IPs). However, the security group on RDS doesn't allow open access from all IPs, so the connection fails. I temporarily allowed all connections and could see that the ECS tasks are routing through the open internet to access the RDS. Reachability Analyzer checking a specific task's Elastic Network Interface to the RDS ENI is successful, using internal routing through the peering connection.

At the same time I have another server on VPC C that can connect to the RDS. All the config is similar between these two apps, including the peering connection, security group policies and routing tables.

Any help is appreciated. Here are some details about the VPCs:

- VPC A - 15.2.0.0/16 [three subnets]
- VPC B - 111.30.0.0/16 [three subnets]
- VPC C - 15.0.0.0/16 [three subnets]
- Peering Connection 1 between A and B
- Peering Connection 2 between C and B

Route table for VPC A:

- 111.30.0.0/16: Peering Connection 1
- 15.2.0.0/16: Local
- 0.0.0.0/0: Internet Gateway

Route table for VPC C:

- 111.30.0.0/16: Peering Connection 2
- 15.2.0.0/16: Local
- 0.0.0.0/0: Internet Gateway

Security groups allow traffic to RDS:

- Ingress: 15.0.0.0/16: Allow DB Port; 15.2.0.0/16: Allow DB Port
- Egress: 0.0.0.0/0: Allow all ports

When I add the rule 0.0.0.0/0 Allow DB Port to the RDS, then ECS can connect to my RDS through its public IP.
1 answer · 2 votes · 13 views · asked 2 months ago

Issues getting split-tunnel in client VPN endpoint to work correctly.

I'm setting up a company VPN using AWS Client VPN endpoints. I have everything working so far; however, all client internet traffic is being routed through the VPN and out through the NAT gateway (and therefore incurring NAT gateway costs). I'm trying to enable split-tunnel; however, I'm still getting 0.0.0.0/0 routes to the VPN added to my route table.

If I try:

- Split tunnel enabled
- Routes to local VPC and peered networks
- Authorized access to these routes
- Fairly open security group

And then connect to the VPN, I still get this in my route table:

```
> ~/d/i/vpn on branch ◦ netstat -nr                                     11:03:22
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.2.161      0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 enp0s20f0u2
0.0.0.0         192.168.4.1     0.0.0.0         UG        0 0          0 wlp0s20f3
10.0.2.160      0.0.0.0         255.255.255.224 U         0 0          0 tun0
10.10.0.0       10.0.2.161      255.255.0.0     UG        0 0          0 tun0
-------         10.0.2.161      255.255.0.0     UG        0 0          0 tun0
```

(With some redaction above; I'm using 10.0.0.0/22 as the VPN CIDR.)

I'm connecting from a Fedora laptop using the built-in VPN client. I'm creating a VPN file based off the one you can download and importing it after adding in certs & keys.

This all means that when I'm trying to connect to the VPN I can access my private resources, but I lose all general internet connectivity. For our use case it's not workable for us to keep having to hop on and off the VPN.
1 answer · 0 votes · 84 views · asked 2 months ago

Horizontal Scaling concerns, SSL issue with NLB

note: I'm new to scaling and firstly seeking advice on the best practices for horizontal scaling

**I have the following setup:**

*EC2 Instances <-> ASG (created from Launch template) -> TG <-> ALB <-> TG <-> NLB*

Traffic flows through NLB to ALB and finally to EC2 instances configured via ASG.

note: I'm assuming the above setup is the best one to go with for horizontal scaling; if not, please let me know.

The above setup works fine for HTTP, whereas when I try to configure HTTPS, I don't see options to do so.

Issue1: Target Group (TG) doesn't allow creating one with Load Balancer type with TLS port 443, but allows only TCP port 80.

**Question1:** how else should I redirect HTTPS traffic to ALB?

note: I need NLB because ALB doesn't provide Static IPs

**Question2:** wrt Static IPs: NLB doesn't allow <2 AZs, which means I need to have 2 Static IPs linked to my domain?

any inputs would be really helpful!

**Update1:** I've configured like below:

In ALB listeners:
- HTTP(80) gets redirected to HTTPS
- HTTPS(443) gets forwarded to ASG

In NLB listeners:
- HTTP(80) gets forwarded to ALB

note: ALB's public URL is added to my domain (sample-alb.domain.com); NLB's public URL is added to my domain (sample-nlb.domain.com)

SSL works fine if the user enters by hitting sample-alb.domain.com, whereas if the user enters by hitting sample-nlb.domain.com, it always fails with "ERR_CERT_INVALID". any inputs on why this fails?

**Update2:** I've got the answer to my Issue1/Question1 on how to redirect HTTPS traffic to ALB from here: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/application-load-balancer-target.html#configure-application-load-balancer-target

> **Listeners and routing**
> For Listeners, the default is a listener that accepts TCP traffic on port 80. Only TCP listeners can forward traffic to an Application Load Balancer target group. Keep the listener protocol set to TCP, but you can modify the port as required.
>
> This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol.

so, I created a TG with TCP port 80 and a listener on the NLB, which redirects to ALB. (say for ex my NLB's public URL is 'nlb34323.amazonaws.com')

now, when I hit my NLB's public URL with 'http://nlb34323.amazonaws.com', it does get redirected to 'https://nlb34323.amazonaws.com', but eventually fails with a timeout error.

note: whereas when I hit ALB's public URL, it is working fine

does it have anything to do with TLS termination as mentioned in the above documentation:

> This setup allows you to use HTTPS listeners on the Application Load Balancer to terminate the TLS protocol.

what am I doing wrong here?
2 answers · 0 votes · 15 views · asked 2 months ago

Linux OS networking bug in Elastic Beanstalk AMI with Tomcat & Corretto

We use AWS Elastic Beanstalk with an Amazon AMI with Tomcat & Corretto running on Amazon Linux 2 (`aws-elasticbeanstalk-amzn-2.0.20220316.64bit-eb_tomcat85corretto8_amazon_linux_2-hvm-2022-03-29T20-48`) and are running into an [OS networking bug](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1924298) when Tomcat is under load. The result of this bug is that TCP connections from clients connect but time out while the server is under load. The networking bug is due to a race condition in the TCP stack which is fixed in Linux 5.10 kernels. A description and diff of the bug can be found in [this commit](https://github.com/torvalds/linux/commit/01770a166165738a6e05c3d911fb4609cc4eb416). From the description of this bug it looks like this race condition affects all TCP networking and is not specific to Tomcat, but manifests more often under load. Currently, as far as I can tell, all the latest Amazon AMIs for Elastic Beanstalk for Tomcat or Corretto are using a 4.14 kernel. The AMI which we are using has a kernel of `4.14.268-205.500.amzn2.x86_64`. I have been able to reproduce the bug on this AMI using the sample server code in the Ubuntu bug report, which is independent of Tomcat. I have also tried reproducing the bug on newer versions of Amazon Linux 2 (AMI `amzn2-ami-kernel-5.10-hvm-2.0.20220419.0-x86_64-gp2`) which are using a `5.10.109-104.500.amzn2.x86_64` kernel, but have not been able to reproduce the bug on this kernel. We would prefer not to have to create our own AMI for using Elastic Beanstalk, but were wondering if and when there will be an update to the Amazon Elastic Beanstalk AMIs which incorporates this OS bug fix, since this is affecting the reliability of networking under load?
0 answers · 2 votes · 11 views · asked 2 months ago

EC2 BYOIP: signature couldn't be verified

**The goal**

I am trying to bring my /46 IPv6 prefix to EC2. It is part of a /44 IPv6 assigned to my ASN with the status "ASSIGNED" within the RIPE database. The ROA records have been set, which I could also verify under https://rpki.cloudflare.com/.

**What I did so far**

I have basically followed this doc, yet provisioning fails: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#prepare-for-byoip

When I send the `aws ec2 provision-byoip-cidr` request, the status is `failed-provision` with the message "The CidrAuthorizationContext signature could not be verified with the X509 certificates in the RIR records".

The command `whois -r -h whois.ripe.net abcd:efab:cde::/46 | grep descr | grep BEGIN` delivers my certificate successfully.

My request looks like this:

```
#!/bin/sh
# Message format: 1|aws|<account-id>|<cidr>|<expiry YYYYMMDD>|SHA256|RSAPSS
text_message="1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS"
# Sign with RSA-PSS over SHA-256, base64-encode, then make the result URL-safe
signed_message=$(echo "$text_message" | tr -d "\n" | openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private-key.pem -keyform PEM | openssl base64 | tr -- '+=/' '-_~' | tr -d "\n")
aws ec2 provision-byoip-cidr --cidr abcd:efab:cde::/46 --cidr-authorization-context Message="$text_message",Signature="$signed_message" --region eu-central-1
```

So, I checked the signature:

```
$ echo "1|aws|123456789012|abcd:efab:cde::/46|20230101|SHA256|RSAPSS" > file.txt
$ cat file.txt | openssl dgst -sha256 -sign private-key.pem -keyform PEM > rsasign.txt
$ openssl sha256 -verify certificate.pem -signature rsasign.txt file.txt
unable to load key file
```

It only works when I use the public key instead of the certificate:

```
$ openssl sha256 -verify public-key.pem -signature rsasign.txt file.txt
Verified OK
```

I also tried adding just the public key to the inet6num object's descr in the RIPE database, but that results in "No X509 certificate could be found in the Whois remarks", so that won't do it.

**Question: Any ideas on how to bring my IPv6 prefix to AWS?** The linked documentation alone is of no help at this moment.
0 answers · 0 votes · 11 views · asked 2 months ago

Security group appears to block certain ports after google-authenticator mis-entries

I run a small server providing web and mail services with a public address. I was planning on upgrading from a t2 small to a t3 small instance, so I began testing the new environment using Ubuntu 20.04. The new instance is running nginx, postfix, dovecot and has ports 22, 25, 80, 443, 587 and 993 open through two security groups assigned. I wanted to test a user which used only google-authenticator with pam/sshd to log in (no pubkey, no password). What I discovered was that after two sets of failed login attempts (intentional), my connection to the server would be blocked and I would receive a timed out message. Checking the port status with nmap shows that ports 22, 80 and 443 were closed and the remaining still open. I can still reach all the ports normally from within my VPC, but from outside, the ports are blocked. Restarting the instance or reassigning the security groups will fix the problem. Also, after about 5 minutes, the problem resolves itself. It appears that the AWS security group is the source of the block, but I can find no discussion of this type of occurrence. This isn't critical, but a bit troubling, because it opens a route for malicious actions that could block access to my instance. I have never experienced anything like this in about 7 years of running a similar server, though I never used google-authenticator with pam/sshd before. Do you have any ideas? I'd be happy to provide the instance id and security groups if needed.
1 answer · 0 votes · 8 views · asked 2 months ago

[EC2] Why no Public IPv4, but can go to the Internet?

```
[ec2-user@ip-10-16-60-224 ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ip-10-16-48-1.a 0.0.0.0         UG    0      0        0 eth0
10.16.48.0      0.0.0.0         255.255.240.0   U     0      0        0 eth0
instance-data.a 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
```

```
[ec2-user@ip-10-16-60-224 ~]$ ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 06:bf:f7:bd:36:52 brd ff:ff:ff:ff:ff:ff
    inet 10.16.60.224/20 brd 10.16.63.255 scope global dynamic eth0
       valid_lft 3109sec preferred_lft 3109sec
    inet6 2406:da18:e26:a403:977:a307:147f:a413/128 scope global dynamic
       valid_lft 437sec preferred_lft 127sec
    inet6 fe80::4bf:f7ff:febd:3652/64 scope link
       valid_lft forever preferred_lft forever
```

```
[ec2-user@ip-10-16-60-224 ~]$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  ec2-18-141-171-15.ap-southeast-1.compute.amazonaws.com (18.141.171.15)  8.342 ms ec2-175-41-128-177.ap-southeast-1.compute.amazonaws.com (175.41.128.177)  7.433 ms ec2-18-141-171-1.ap-southeast-1.compute.amazonaws.com (18.141.171.1)  19.818 ms
 2  100.65.32.224 (100.65.32.224)  3.347 ms 100.65.33.240 (100.65.33.240)  13.093 ms 100.65.34.176 (100.65.34.176)  23.462 ms
 3  100.66.16.74 (100.66.16.74)  7.746 ms 100.66.16.202 (100.66.16.202)  7.773 ms 100.66.16.38 (100.66.16.38)  3.531 ms
 4  100.66.19.190 (100.66.19.190)  5.059 ms 100.66.19.180 (100.66.19.180)  7.843 ms 100.66.18.228 (100.66.18.228)  16.918 ms
 5  100.66.7.249 (100.66.7.249)  12.221 ms 100.66.6.247 (100.66.6.247)  10.830 ms 100.66.6.113 (100.66.6.113)  21.846 ms
 6  100.66.4.89 (100.66.4.89)  80.326 ms 100.66.4.159 (100.66.4.159)  18.434 ms 100.66.4.9 (100.66.4.9)  11.122 ms
 7  100.65.11.1 (100.65.11.1)  0.604 ms 100.65.9.97 (100.65.9.97)  0.322 ms  0.358 ms
 8  203.83.223.30 (203.83.223.30)  1.243 ms 150.222.108.77 (150.222.108.77)  1.575 ms 52.93.10.76 (52.93.10.76)  1.316 ms
 9  52.93.8.160 (52.93.8.160)  2.001 ms 150.222.108.66 (150.222.108.66)  1.870 ms 150.222.108.68 (150.222.108.68)  2.114 ms
10  52.93.11.127 (52.93.11.127)  1.386 ms 52.93.11.115 (52.93.11.115)  1.350 ms 52.93.11.125 (52.93.11.125)  1.338 ms
11  99.83.90.55 (99.83.90.55)  4.053 ms  4.046 ms 99.83.68.227 (99.83.68.227)  4.297 ms
12  172.70.140.3 (172.70.140.3)  2.673 ms * 172.70.144.5 (172.70.144.5)  2.274 ms
13  one.one.one.one (1.1.1.1)  1.755 ms  1.795 ms  1.771 ms
```

Thank you very much.
1 answer · 0 votes · 13 views · asked 2 months ago

Problem adding nodegroup in EKS cluster with GW NAT

Hello, I am having difficulties in bringing an EKS cluster back into compliance.

**Cluster:** I have an EKS cluster with:

- 6 EKS Control Plane networks (network 1-6)
  i. Networks 1/2/3 are in an RA routing table with a 0.0.0.0/0 which refers to an Internet Gateway
  ii. Networks 4/5/6 are in an RB routing table with a 0.0.0.0/0 that refers to a NAT Gateway (+ other routes to my company network)
- 4 cluster nodegroups with networks 4/5/6 used for worker nodes
- My EKS cluster has a Public and Private API (=> From a node, when I do a DNS resolution I do see a private IP)

**Target:** EKS cluster with:

- 6 EKS Control Plane networks (network 1-6)
  i. Networks 1/2/3 in an RA routing table with a 0.0.0.0/0 that refers to an Internet Gateway
  ii. Networks 4/5/6 also in the RA routing table
- 4 cluster nodegroups
  i. Nodegroup 1: uses network 10 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)
  ii. Nodegroup 2: uses network 11 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)
  iii. Nodegroup 3: uses network 12 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)
  iv. Nodegroup 4: uses network 13 and should be in the RC routing table with 0.0.0.0/0 which refers to a new NAT Gateway (+ other routes to my company network)

**Problem**

When creating a new nodegroup to replace an existing one, I indicate network 10/11/12 or 13. The RC routing table is OK with the NAT Gateway.

Problem: the node can't join the cluster (error message: **Instances failed to join the kubernetes cluster**). I can see the EC2 instance being created in the right network 10/11/12 or 13.

I don't understand the problem: why can't the nodes in network 10/11/12 or 13 join the cluster API through the ENI in networks 1-6?

When I create a new nodegroup and I indicate a network 1-6 (network on route table RA or RB) it works without problem.

Sincerely
0 answers · 0 votes · 4 views · asked 2 months ago

Problem receiving IP 127.0.0.1 at service startup instead of local IP

**Context:** We've got a number of load balanced web servers running on Windows OS in AWS using C# .NET (5). We have a web server application as well as a Windows Service running on the same machine, and we have problems with logging from the Windows Service.

**Problem Description:** Since we have many servers running load balanced, we name the log stream with the private IP number in order to distinguish which machine potentially has problems. This private IP is extracted at startup of the application (for both the Windows Service and the Web Server). This is usually successful, but yesterday we had an incident when one Windows Service log stream was labeled with 127.0.0.1 instead of the local IP number. Eventually I was able to pinpoint which server it was and restarted the Windows Service, which made the private IP number appear instead in the new log stream name.

**Suggested reason with possible solution:** I'm guessing this is a race condition error. The machine has not received its private IP number yet from the AWS network before our service asked for it. **If so, we can wait for the real IP to appear just to make sure we get the right IP number in our log.**

I have three questions related to this:

**Questions:**

1. **Do you see any other reason than the one I suggested why the IP number 127.0.0.1 appears?**
2. **Is there a better solution available than the one I suggested?**
3. **Is there a way, using an AWS API of some sort, to get hold of the public IP for the server?**

Here's the code for how we extract the private IP address in this context:

```
var hostName = System.Net.Dns.GetHostName();
var ipAddresses = System.Net.Dns.GetHostAddresses(hostName);
var ipv4Address = ipAddresses.FirstOrDefault(ip => ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork);
```
2 answers · 0 votes · 22 views · asked 3 months ago