Questions tagged with Security Group
Bug Report - Copy Launch configuration to launch template
Proceed as follows. Step 1: go to the Launch configurations console. Step 2: choose a Launch configuration. Step 3: Copy to launch template > Copy selected > Copy. I got an error message: "The security group ID 'awseb-e-yy32fjb***-stack-AWSEBSecurityGroup-RKGBZ9JQ****' is not valid. The expected format is sg-xxxxxxxx or sg-xxxxxxxxxxxxxxxxx." After investigating, I realized that AWS is taking the "Security name" data instead of the "Security ID" when copying a Launch configuration to a launch template. As in my case above, 'awseb-e-yy32fjbzmp-stack-AWSEBSecurityGroup-RKGBZ9JQ****' is the security group name; AWS sends this data as the security group ID, so I get the above error.
AWS internal communication between 2 EC2 servers
Our infrastructure is in AWS. We use AWS Security Groups to define inbound/outbound traffic rules. Our servers are IP restricted, as in only traffic from one particular IP is allowed as per the Security Group rule. Say we have 2 EC2 apps that serve web traffic. And, as per the Security Group rule, only traffic from that one IP is allowed to these servers on ports 80 and 443. We now need these apps to communicate with each other, i.e. send each other HTTP requests. We want the 2 apps to communicate with each other internally because they belong to the same public subnet and VPC. If the communication is not internal, traffic from one app would reach the other app via the internet, and this would not be allowed by the existing Security Group rules. Is trying to keep the communication internal between the 2 apps the standard way? I need some guidance on how to best implement this idea.
How to set up an EC2 Security Group to only allow inbound traffic on a port from the API Gateway
Background:
* EC2 instances hosting a REST API microservice
* A Network Load Balancer that fronts the EC2 instances with a port 443 listener that has an ACM-issued private SSL cert installed on it
* I have created a VPC link to that NLB.
* Created an instance of the API Gateway and defined a method on it.
Everything is working fine. I need help with creating a Security Group rule that only allows inbound traffic from the API Gateway on the EC2 port where the API microservice is exposed. How can I go about doing that? Will appreciate any help with this issue.
Using DataSync, unable to transfer files from one FSx for Lustre to another in separate VPCs
Hello, I am trying to use AWS DataSync to transfer files from one FSx for Lustre set up in the original default VPC to a new VPC with another FSx for Lustre that's already set up. I am copying from "/" on the source to "/" on the destination. When I try to run the task, I get the following error: Task failed to access location loc-sourcelocation:x40017: Mount command timed out. Both FSx for Lustre setups are in the same region. I copied the settings for the 2nd one to match the first one. They both have security groups that have the All traffic rule for all protocols and ports, with the source being the security group it's in. They also have rules for ports 988 and 1021-1023 with the source also being the security group. VPC peering has been set up as well between the two VPCs. I have been looking at the steps here: https://docs.aws.amazon.com/fsx/latest/LustreGuide/migrating-fsx-lustre.html and am not sure what I'm missing. I look in the FSx console and it shows the status for both as available. I've tried looking around on the internet, but have not had any success finding anybody who's done this before. No videos or anything like that. It feels like I'm missing something, but I'm not sure what it is.
Connection Timeout Issue with DocumentDB
I created an EC2 instance and a DocumentDB cluster; they belong to different VPC IDs. From the document https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-from-outside-a-vpc.html , to directly connect to DocumentDB (access port 27017) I need to use an EC2 instance running in the same VPC as the DocumentDB cluster. There's no way to do it because the VPC running DocumentDB is not showing up in my VPC list. Can anyone tell me how to resolve this issue? ncat (nc -zv <documentdb hostname> 27017) returned a timeout error.
Default Security Group for Task Definition
Hello, I am developing a container deployment on ECS, and I am in a development phase where I am frequently launching a task by deploying from the task definition. I am using the web interface to do this. The container runs a service that requires an inbound port, and I have created a security group to do this. Right now, I have to change from the default security group to this new security group every time I launch the task. This is onerous, and it's only a matter of time before I forget to do that. What is the right way to do this? It seems like the inbound port requirement is a feature of the task definition, but I can't find a way to set a default security group for a task definition. Thanks
Network traffic within a VPC
What would cause intermittent network disruptions between servers in the same VPC? For testing purposes I set up a Windows Active Directory server (10.0.0.190) and a web server (10.0.0.133) in the same VPC. The web server has joined the AD domain. I read that all internal traffic is by default disabled in a VPC, and so I allowed all inbound traffic on the intranet (10.0.0.0/16) with this security group rule: **IP version = IPv4; Type = All Traffic; Protocol = All; Port Range = All; Source = 10.0.0.0/16** Windows Firewall is turned off on both servers. A DNS server is installed on the AD server. The web server has its DNS set to the IP of the AD server; it is set manually in the network adapter for IPv4. IPv6 is disabled on both servers. Sometimes the web server cannot ping the AD server by name or by IP address. Sometimes the web server can ping by name (in the domain's DNS) and by IP address. What am I missing? Thanks, Mike
AWS Private Hosted Zone and Security Group
**Background:** I have 3 apps on EC2: App1 supported by an Application Load Balancer (ALB), App2 and App3. App3 needs to communicate **internally** to both the ALB and App2. The ALB, App2 and App3 all have a security group (SG) with inbound rules that allow connections on ports 80 and 443 with the source as itself, i.e. its own SG ID (so App3 can communicate with App2 and the ALB). App1 has an SG with inbound rules that allow connections on ports 80 and 443 with the source as the ALB's SG (so that the ALB can forward requests to App1). I also have a Private Hosted Zone with records that have the private IP for App2 and App3. For the ALB, the value is its DNS name.

**Question:** Now, when I make a request from App3 to App2, it works. However, App3 to the ALB does not. My observation is that App3 to App2 is resolved internally because of the private IP in the Private Hosted Zone. However, App3 to the ALB is not resolved internally because of the DNS name of the ALB. Looking for any ideas/pointers/suggestions. Thanks.

**Workaround that works:** If I remove the ALB, change App1's SG to the same as App2 and App3, and change the Private Hosted Zone record from the ALB DNS name to App1's private IP, App3 to App1 also works. However, I cannot get it working with the load balancer.
Can't connect to RDS from task
I have an ECS task that I cannot get to connect to an RDS cluster. It was working a week ago, but it needed to be rebuilt and I've obviously missed something, but I cannot for the life of me work out what's missing. The Fargate cluster has full outbound access in the security group, and the RDS cluster also has that security group attached. But the task itself seems to have no outbound access. The network mode for the cluster and task is set to awsvpc and it is all on the same VPC. What am I missing?
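Added example (not from any of the posts on this page, and not AWS code): a small Python model of how EC2 security group rules are matched. It works through three situations raised above: two instances in one group talking to each other (the internal communication between 2 EC2 servers question), App3 reaching an ALB through its DNS name (the Private Hosted Zone question), and a Fargate task and an RDS cluster that share a security group (the question just above). Group IDs, addresses and the database port 5432 are constructed sample values. The model encodes two behaviours from the EC2 documentation: inbound rules are allow-only, so attaching the same group to both sides admits nothing until a rule allows it; and a rule whose source is a security group ID matches only packets whose source address is the private IP of a network interface in that group, so traffic that hairpins through the internet gateway (for example to an internet-facing load balancer's public address) arrives with the sender's public IP and does not match.

```python
"""Added example: a small model of how EC2 security group rules are matched.

Illustration code only; it is not an AWS API and not taken from any post on
this page. Group IDs, addresses and ports are constructed sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Eni:
    """A network interface: its private address, its groups, optional public IP."""
    private_ip: str
    security_groups: List[str]
    public_ip: Optional[str] = None


@dataclass
class InboundRule:
    """One inbound rule; exactly one of cidr / source_sg is the source."""
    protocol: str                    # "tcp", "udp", or "-1" for all traffic
    from_port: int = 0
    to_port: int = 65535
    cidr: Optional[str] = None       # source given as a CIDR (CidrIp)
    source_sg: Optional[str] = None  # source given as a group ID (UserIdGroupPairs)


Groups = Dict[str, List[InboundRule]]  # group ID -> inbound rules (outbound ignored)


def rule_matches(rule: InboundRule, src_ip: str, src_eni: Optional[Eni],
                 protocol: str, port: int) -> bool:
    if rule.protocol != "-1":
        if rule.protocol != protocol or not rule.from_port <= port <= rule.to_port:
            return False
    if rule.cidr is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)
    if rule.source_sg is not None:
        # An SG-referencing rule matches only the private address of an
        # interface that carries that group; a public address never matches.
        return src_eni is not None and rule.source_sg in src_eni.security_groups
    return False


def inbound_allowed(dest: Eni, src_ip: str, protocol: str, port: int,
                    groups: Groups, enis: List[Eni]) -> bool:
    """Allow if any rule in any group attached to `dest` matches (there are no deny rules)."""
    src_eni = next((e for e in enis if e.private_ip == src_ip), None)
    return any(rule_matches(r, src_ip, src_eni, protocol, port)
               for sg in dest.security_groups for r in groups.get(sg, []))


def scenario_self_referencing_group() -> Tuple[bool, bool]:
    """Two members of sg-app with a self-referencing rule on 80/443 (the
    'internal communication between 2 EC2 servers' and 'Private Hosted Zone'
    posts): App3 -> a private address works, App3 -> a public address does not."""
    app3 = Eni("10.0.1.10", ["sg-app"], public_ip="203.0.113.10")
    alb = Eni("10.0.1.50", ["sg-app"])
    groups: Groups = {"sg-app": [InboundRule("tcp", 80, 80, source_sg="sg-app"),
                                 InboundRule("tcp", 443, 443, source_sg="sg-app")]}
    enis = [app3, alb]
    # Internal ALB / private hosted zone record: the name resolves to 10.0.1.50
    # and the packet keeps App3's private source address.
    via_private = inbound_allowed(alb, app3.private_ip, "tcp", 443, groups, enis)
    # Internet-facing ALB: the name resolves to a public address, App3 egresses
    # through the IGW and the packet arrives from 203.0.113.10, which no
    # interface in sg-app owns.
    via_public = inbound_allowed(alb, app3.public_ip, "tcp", 443, groups, enis)
    return via_private, via_public  # (True, False)


def scenario_shared_group(add_self_rule: bool) -> bool:
    """A Fargate task and an RDS cluster attached to the same group (the
    'Can't connect to RDS from task' post). Sharing a group that only has
    outbound rules allows nothing inbound until a rule references the group."""
    task = Eni("10.0.2.20", ["sg-shared"])
    rds = Eni("10.0.2.30", ["sg-shared"])
    groups: Groups = {"sg-shared": []}
    if add_self_rule:
        groups["sg-shared"].append(InboundRule("tcp", 5432, 5432, source_sg="sg-shared"))
    return inbound_allowed(rds, task.private_ip, "tcp", 5432, groups, [task, rds])


if __name__ == "__main__":
    print(scenario_self_referencing_group())                          # (True, False)
    print(scenario_shared_group(False), scenario_shared_group(True))  # False True
```

An internal ALB's DNS name resolves to private addresses inside the VPC, which is the `via_private` case; an internet-facing ALB's name resolves to public addresses, which is the `via_public` case. For a check against a real account, the constructed `Eni` and `InboundRule` objects would be filled from the output of `aws ec2 describe-network-interfaces` and `aws ec2 describe-security-groups`; the matching logic is unchanged.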
A static route between EC2 instances
Hello! Could you explain to me how I can get a static route working between two instances? My design looks like this: one is EC2 Ubuntu 20, the second is CHR. All is on a private network, 10.10.1.0/24. The EC2 Ubuntu is 10.10.1.10, the CHR is 10.10.1.31. I have created a dummy interface on the EC2 Ubuntu, dummy-1 with IP 10.55.0.1/24. I have created a static route on the CHR to 10.55.0.0/24 with next hop 10.10.1.10 (on the CHR side). But it looks like there is no direct connection between the instances; all traffic walks over the IGW, and no static route works. Of course I have added a rule in the security group to allow 10.55.0.0/24. The ACL on the interfaces allows all. But no ping from the CHR to 10.55.0.1. How can I get it working? Help please.