Questions tagged with Amazon VPC


I have Client VPN set up with split tunnel enabled and have just one route, i.e. to the target subnet in a VPC. I have gone through another similar [question](https://repost.aws/questions/QUedk6QWR_SluIj4-DrHCPmw/aws-client-vpn-connected-but-cannot-access-internet) on AWS re:Post and have made sure that I do not have a 0.0.0.0 route in the routes associated with the Cvpn endpoint. Also, I am not supplying any DNS servers at the moment.

![vpn-config](/media/postImages/original/IMFaXmp2fHTkWip9vVQQ3VJw) ![local-route-table](/media/postImages/original/IMRbwtXzwkSvyP_ERwzfgtcw) ![cvpn-route-table](/media/postImages/original/IM-wo-OgImRwCT8L84Qq_Lbg)

I can see why I am losing internet access: a route entry is being pushed down to my local route table (I am using Linux Mint 21 and the default OpenVPN client built into it to connect) for 0.0.0.0 -> 10.54.0.161, which does not make sense. That route entry should not be pushed by Cvpn to my host machine as I have split tunnel enabled. Not sure what I am doing wrong.
1 answer, 0 votes, 7 views, asked 17 hours ago
Hi, I have been banging my head trying to get this working and cannot figure it out. I have an ECS Fargate cluster in 2 private subnets. There are 2 public subnets with NatGWs (needed for the tasks running in Fargate). Currently I have S3 traffic going through the NatGWs and I would like to implement an S3 endpoint as "best practice". I have created CFN scripts to create the endpoint and associated security group. All resources are created and appear to be working. However, I can see from the logs that traffic for S3 is still going through the NatGWs. Is there something basic that I have missed? Is there a way to force the traffic from the tasks to the S3 endpoints?

The Fargate task security group has the following egress:

```yaml
SecurityGroupEgress:
  - IpProtocol: "-1"
    CidrIp: 0.0.0.0/0
```

Here is the script that creates the endpoint and SG:

```yaml
  endpointS3SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for S3 endpoint"
      GroupName: "S3-endpoint-sg"
      Tags:
        - Key: "Name"
          Value: "S3-endpoint-sg"
      VpcId: !Ref vpc
      # Allow HTTPS from the Fargate task security group to the endpoint ENIs
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref fargateContainerSecurityGroup

  # S3 endpoint
  endpointS3:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: 's3:*'
            Resource: '*'
      SubnetIds:
        - !Ref privateSubnet1
        - !Ref privateSubnet2
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref endpointS3SecurityGroup
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
      VpcId: !Ref vpc
```

Thanks in advance. Regards, Don.
2 answers, 0 votes, 9 views, asked by Don a day ago
Hi, we're looking for a solution to remediate the excessive IP address consumption by EKS clusters. As the enterprise CIDR ranges are limited and tend to get eaten up fast by EKS, we are facing an IP shortage and overlap. We thought of having a peering between two VPCs (one that is routable, and a second, non-routable VPC, which is the default AWS VPC). We would then have the IPs we would like to publish on the routable one... Has anyone tried that approach? Is there an alternative solution? Thanks in advance,
1 answer, 0 votes, 9 views, asked 2 days ago
Hi, I have a Step Functions Express state machine for which I start executions with the AWS SDK for PHP (StartExecution API). My code is running on an EC2 instance (Docker container on t3.micro) in a load-balanced Beanstalk application. For the API call to start an execution, the total time it takes (everything included) is between 155ms and 500ms. The average is around 200ms. This is quite high and is a problem for us. My first question is whether this is unusually high, or if this is normal? I tried starting the same workflow through API Gateway and saw roughly the same response times (or maybe slightly lower). I also tried using the PutItem API for a DynamoDB table and saw an average of around 200ms. Am I correct in assuming that these numbers should be lower? If my assumption is correct, I am thinking that maybe this is caused by the network path from my EC2 instance to the AWS API. My Beanstalk application is not using a VPC (though the EC2 instance is in the default VPC). Perhaps things could be improved by using a VPC and PrivateLink (VPC interface endpoint)? https://docs.aws.amazon.com/step-functions/latest/dg/vpc-endpoints.html

So:

1. Is an average of 200ms unusually high or is this to be expected?
2. If #1 is true, should I expect using VPC/PrivateLink to improve this?
3. Which response times (everything included) should I expect (roughly/ballpark)?

Thanks a lot!
0 answers, 0 votes, 15 views, asked by thdev 2 days ago
My simplified network architecture is as follows:

1. VPC has a public and a private subnet.
2. Public subnet is connected to an Internet Gateway.
3. Private subnet is connected to the Internet through NAT.
4. Public EC2 Win Server has public IPv4: 13.22.45.23 and private IPv4: 10.0.10.15. The security group allows incoming traffic from the private EC2 Web server on ports 80, 1433 and 433.
5. Security group of the private EC2 Win Server allows incoming traffic from the public EC2 Web server on ports 80, 1433 and 433.
6. Public website https://MyWebSite.com/MyWebApplication has a binding to port 443 and a hostname associated with the EC2 Win Server's public IPv4 address. The hostname is registered in AWS Route 53, i.e. MyWebSite.com is associated with 13.22.45.23.

What I tried:

1. Test #1 - Successfully opened the website on my laptop by typing https://MyWebSite.com/MyWebApplication in the Chrome browser. This proved that the website was working and was accessible from the Internet.
2. Test #2 - RDC'd to the private EC2 Win Server and successfully opened random Internet websites in the Chrome browser. This proved that the private EC2's Internet connection works OK. Note, the private EC2 is connected to the Internet through NAT installed in the public subnet.
3. Test #3 - RDC'd to the private EC2 Win Server and successfully opened the Default website (port 80) hosted by the public EC2 Win Server IIS. I opened it using the private IP address of the public EC2 instance, i.e. typing http://10.0.10.15 in Chrome. This proved that HTTP requests go through OK from the private to the public subnet.
4. Test #4 - RDC'd to the private EC2 Win Server and tried to open https://MyWebSite.com/MyWebApplication. The browser displayed the message 'This site can't be reached. MyWebSite.com took too long to respond'.
5. Test #5 - Tried the same as test #4 above but using the public IPv4 address of the public EC2, i.e. using URL https://13.22.45.23/MyWebApplication. The result was the same as in test #4.
6. Test #6 - Tried the same as test #4 above but using the private IPv4 address of the public EC2, i.e. using URL https://10.0.10.15/MyWebApplication. The result was the same as in test #4.

The problem is that https://MyWebSite.com/MyWebApplication exposes Web API endpoints that I need to call from the private subnet. Because all calls failed, I did the above connection tests. I don't understand why I can open https://MyWebSite.com/MyWebApplication from outside of my VPC but can't from the private subnet. In fact, as I mentioned above, I can open any https website from the private subnet except MyWebsite.com. I wonder what is special about it? I must admit that the real VPC looks more complex than I described at the beginning. It has Load Balancers associated with CloudWatch, EventBridge, PrivateLink and API Gateway. None of the load balancers have listeners on port 443 though. Can anyone please advise on any directions where I should look for a solution? Thank you.
2 answers, 0 votes, 15 views, asked 2 days ago
I want to allowlist the SageMaker Studio IP so people can access certain allowlisted services from SageMaker. I created a SageMaker domain in the private subnet of my VPC, so theoretically it should use the IP of the associated NAT gateway, right? But I see a different IP 🤔
1 answer, 0 votes, 19 views, asked 2 days ago
I want to connect my EventBridge API Destinations to resources in my private VPC by calling the APIs at their private endpoints (not going through any public route like API Gateway). I saw this [doc](https://docs.amazonaws.cn/en_us/eventbridge/latest/userguide/eb-related-service-vpc.html) from AWS China that says it might be possible using PrivateLink, but also found other [sources](https://repost.aws/questions/QUF6vrV82RQDe7__jyGFK7cg/how-to-invoke-a-private-rest-api-created-with-aws-gateway-endpoint-from-an-event-bus-rule) that say EventBridge can't connect to a VPC. How should I go about this?
1 answer, 0 votes, 26 views, asked 3 days ago
PrivateLink partially works with Network Load Balancers, allowing listeners to be TCP but not UDP. Is there a defined technical reason for this, as opposed to "it doesn't do that"? Might it?
1 answer, 0 votes, 14 views, asked 3 days ago
IHAC who has EC2 nodes tagged. When they send traffic out to the Internet from these nodes, they can see that traffic (DataTransfer-Out-Bytes) in the aggregate outbound reporting, but the traffic outbound to the Internet passes through a NAT gateway (for example, nat-XXXXXX). Passing through the NAT gateway, the tagging attribution is lost. Consequently, when they use Cost Explorer and filter on Tag and Usage type: DataTransfer-Out-Bytes, they get nothing. Is there a solution for this, so that they can correctly attribute data transfer out costs from the NAT gateway by product or tag?
1 answer, 0 votes, 15 views, asked by AWS 4 days ago
I have a service which is hosted in my private VPC, and currently we are using API Gateway to expose it publicly. All our API calls go through it. So right now EventBridge's API Destinations point to the API Gateway's public endpoint. But we would like to change that and call the service at its private endpoint from EventBridge's API Destination itself, so as to make sure our internal service calls stay in our VPC. How can we go about this?
1 answer, 0 votes, 34 views, asked 4 days ago
I have a Fargate container running in a private subnet using the KPL to write to my Kinesis Data Stream. I don't have any latency issues, but my NAT gateway bill is pretty high. What would I gain by using an interface VPC endpoint here over just continuing to use my current approach? Based on this (https://docs.aws.amazon.com/streams/latest/dev/vpc.html), I'm thinking that this might be a way for me to cut my NAT costs, but would love some feedback.
2 answers, 0 votes, 21 views, asked 4 days ago
Hello, my account has been charged while I am on the free tier; it is under VPC (this is the message: $0.1 per analysis processed by VPC Reachability Analyzer).
2 answers, 0 votes, 25 views, asked 5 days ago