All Questions
Tagged with amazon-web-services amazon-vpc
568
questions
0
votes
1
answer
24
views
How to limit AWS VPC endpoint to to signed requests
We had a scan done recently of our AWS infrastructure, and one of the high risk level items that we need to address is to
Identify any fully accessible VPC endpoints and update their access policy in ...
- 123
1
vote
2
answers
254
views
Subnet associations in AWS Route tables
What is this "Subnet Associations" in AWS Route tables? Do I have to add the subnets under "Explicit Subnet Associations" as well?
It is already under "Subnets without ...
- 83
0
votes
1
answer
59
views
What actually makes an EC2 instance in a private subnet unreachable from the internet?
I'm reading everywhere (including the official documentation) that an EC2 instance in a private subnet cannot be reached from the internet, even if it has a public IP.
Let's say I have a 10.0.0.0/16 ...
- 111
1
vote
1
answer
217
views
Remove public IPv4 from AWS EC2 instances
Since February 1, 2024, AWS started charging for public IPv4 and I have several EC2 instances.
Some instances I can having only public IPv6, for others I need to keep public IPv4. I disabled Elastic ...
- 111
1
vote
1
answer
367
views
Migrate AWS ECS cluster IPV4 to IPV6
I'm trying to avoid this new cost (public IPv4) in aws for small projects because it will represent a big percentage of the cost.
In my ECS cluster, I use EC2 instances as capacity providers, ...
- 63
0
votes
0
answers
13
views
AWS VPC Connect Endpoint and Workbrench integration
I have some RDS instances under a private subnet and a bastion host (ec2 instance) with a public IP to connect to it. As part of getting a security certification we need to get rid of all ec2 ...
0
votes
0
answers
77
views
Prioritize S2S VPN on AWS when using 1 VGW
We have the following AWS setup:
1 VPC
1 Virtual Private Gateway (VGW)
8 Customer Gateways (CGWs)
8 Site-to-Site (S2S) VPN connections
We have 4 sites, each connected to our VPC with 2 S2S VPN ...
- 101
0
votes
1
answer
142
views
Allow AWS Identity provider to access a private VPC where the OIDC Idp resides
We want to implement Gitlab-AWS short-lived credentials but our Gitlab instance is located inside a private, non internet accessible VPC Subnet.
I have looked into VPC Endpoints but I cannot find the ...
0
votes
1
answer
235
views
how to block outgoing traffic in ec2 without blocking ssh
I have an EC2 with has public subnet and traffic is flowing through internet gateway.
Now, i have an requirement like I have to block all outgoing traffic in EC2.
I have tried to restrict the traffic ...
0
votes
1
answer
103
views
Spoke VPC over VPN to IGW
Is it possible to modify this solution so a spoke VPC connects to the TGW hub over VPN, and that spoke VPC's internet access is centralized full tunnel?
https://aws.amazon.com/blogs/networking-and-...
- 105
0
votes
2
answers
178
views
AWS CIDR Address is not within CIDR Address from VPC
In AWS have created VPC which CIDR is 10.0.0.24.I want to creates its two subnet.its public-subnet is in us-west-1a - IPv4 CIDR 10.0.0.0/24 thenwhen I create private subnet is in us-west-1b - ...
0
votes
0
answers
334
views
How to remove headers from all outgoing requests in AWS services (e.g. Lambda)
Just wondering, is there a way to remove a header from all outgoing network requests in AWS?
I have a VPC with public and private subnets and a NAT gateway in the public subnet. A Lambda in this VPC ...
- 121
0
votes
2
answers
233
views
Unable to access apache2 from outside
I'm hosting a default site for apache2 server on AWS EC2 (Ubuntu) with Elastic IP.
Security group set to open all inbound (testing purposed).
I can access the server via SSH using public IP but I can'...
- 161
0
votes
0
answers
154
views
AWS - I want to route traffic from one VPC to another, but I want all traffic INTO that VPC to share an IP
Due to a very complicated situation that I can't really get into, we have a VPC that has access to a certain server via a direct connection.
This server requires that we whitelist an IP to access it. ...
- 113
0
votes
0
answers
115
views
Can we setup VPC for AWS Lightsail resources?
I am developing an app and to host backend system I am using AWS Lightsail. Is there a way to keep all the inter service communication private?
I am aware this can be achieved with VPC while using AWS ...
- 101
0
votes
1
answer
161
views
VPC endpoint to reach Beanstalk application associated with a public domain from within VPC
I have a web server running on Beanstalk that is associated with mydomain.org on Route53. The access to this web server is restricted by a security group. I have also a Lambda running in the same VPC, ...
- 101
0
votes
1
answer
1k
views
Why shouldn't EC2 instances be public, if they can be protected with security groups?
It is considered bad practice to place machines that shouldn't be accessible from the internet in a public subnet, because such topology, other than being logically wrong (private instance in an ...
1
vote
0
answers
331
views
Elastic Beanstalk deploy app in private VPC without public ip address for EC2
I'm currently developing a NodeJS application that I want to deploy in Elastic Beanstalk (EBS). To isolate & secure my cloud resources I'm using VPCs where I deploy the EBS app and also my ...
- 11
0
votes
1
answer
160
views
AWS: routing back from VPC to an instance
I'm relatively new to AWS and need to set up some internal infrastructure. Example: a VPN server that routes people into a VPC.
I have a VPN server instance bound to an elastic IP that has a subnet ...
- 3
0
votes
1
answer
109
views
AWS cannot connect to any T3 instance, vpc config valid (I think)
I created a new VPC ca-central. I followed the same procedure as everywhere else:
New VPC (this created acl which is wide open)
three subnets, one for each availabiltiy zone, CIDR spaced out properly
...
- 141
0
votes
0
answers
66
views
AWS EC2: adding IP from a separate private block
I have an existing VPC with a CIDR in the 10.0.0.0/16 block.
I now have to create a VPN connection to an external service, who want us to use IPs in 192.168.0.0/16 block.
Unfortunately, AWS does not ...
0
votes
0
answers
150
views
How to configure shared VPC for kOps?
As described in this documentation, I want to create a Kubernetes cluster using kOps in an existing VPC. I have created a VPC, Internet Gateway, Route Table, Subnet and an EC2 instance which I want to ...
- 101
0
votes
0
answers
2k
views
How to create EKS cluster with VPC CNI addon via CloudFormation?
I create a EKS cluster (1.24) via cloudformation, it works fine without a CNI plugin but fails when I add vpc-cni addon:
AddonCNI:
Type: 'AWS::EKS::Addon'
Properties:
AddonName: vpc-...
- 243
0
votes
1
answer
612
views
Seamless switch from NAT GATEWAY to VPC gateway
My team is currently burdened by the NAT Gateway costs and we would like to switch over to VPC Gateway endpoint to reduce the costs associated with all the EC2-S3 communication.
at the same time,
We ...
- 1
-1
votes
1
answer
125
views
Can I connect two vpc's with one site to site vpn in same region?
I currently have one site to site vpn connected to one vpc.
I want to add a vpc here(It's the same region),
but I want to connect the on-premise network connected through site to site vpn through site ...
- 15
1
vote
0
answers
179
views
which ECS task network mode?
I have an Application Load Balancer in a private subnet (used by API Gateway) that targets an ECS task. I want that task to only be accessible from inside the VPC, not from the internet, but I do have ...
- 11
2
votes
2
answers
2k
views
AWS security group cross regions
I am trying to set a security group A to allow SSH access from security group B in a different region. I don't have much experience with networking in general and AWS networking.
Followed the ...
- 199
2
votes
1
answer
7k
views
Why does an S3 to S3 copy care about VPCs? Related to error: "VPC endpoints do not support cross-region requests."
Goal: Get files
from Bucket 1 in ca-central-1 in Account A
to Bucket 2 in us-east-1 in Account B
using the AWS CLI from a third machine using an the IAM role with correct S3 read and write ...
- 123
0
votes
0
answers
1k
views
Can't ping or traceroute through EC2 using AWS Site-to-Site VPN to Cisco ASA
My VPC is connected to Cisco ASA, tunnel is shown to be UP in the AWS console.
What is working:
The engineer on the Cisco side has successfully pinged my EC2
instance within my private 10.5.0.0/17 ...
- 101
1
vote
1
answer
153
views
Is it necessary to put public and private subnet in different vpc for extra safety
Currently we put public accessible resources like ALB inside public subnet, application servers and data storages inside private subnet (different data storage, say RDS and Elasticache, have their own ...
- 111
0
votes
1
answer
95
views
Move an Elastic IP from a VPC to Classic EC2
I know it is possible to "Move to VPC Scope", but is it also possible to move back from VPC to Classic EC2?
- 193
0
votes
1
answer
532
views
Creating Subnet IP address : IPv4 block sizes must be between a /16 netmask and /28 netmask
I'm new to AWS and I'm looking to create a subnet. Whenever I try the defaults subnets under I get either the error message "IPv4 block sizes must be between a /16 netmask and /28 netmask." ...
1
vote
1
answer
1k
views
AWS PrivateLink connection with HTTPS
I have two VPCs, a consumer VPC and a service VPC. Consumer application HAS to access the service via AWS PrivateLink and it HAS to be an HTTPS call. Here is my current setup, which works:
Note that ...
- 111
0
votes
1
answer
367
views
NAT Gateway breaks incoming traffic for instances in public subnet
I have Elastic Beanstalk instances accessible through an ALB in public subnets and want to assign them a single IP address (A partner asked us for an IP to whitelist to access their services)
I have ...
- 121
0
votes
1
answer
262
views
How do I deploy a docker container on AWS Elastic Beanstalk privately such that only other AWS resources can access it?
Need to make an AWS deployment decision. A lot of this tech (docker, beanstalk) is pretty new so I don't know best practices (and I'm also foggier than I'd like to be on networking and security).
Tech ...
1
vote
1
answer
1k
views
Fargate task from service with Public IP disabled can't download env file from S3
We have a Fargate service that should be exposed to the internet via a load balancer, and since for tests we had used so far the random Public IP of the task, we decided to disable the Public IP, so ...
- 111
0
votes
1
answer
290
views
How to specify AWS region in CloudFormation VPC
Reading through the AWS CloudFormation VPC docs, I'm not seeing how/where I specify the region to create the VPC in. Any ideas as to how this configuration works?
- 143
0
votes
1
answer
607
views
AWS VPC Peering vs PrivateLink for network access to 3rd party cloud database
AWS here. I have a simple app server that is running on EC2 instances that are in an autoscaling ("target") group that are fronted by an application load balancer (ALB). The ALB's domain ...
- 143
1
vote
0
answers
503
views
Elastic BeanStalk can't connect to ElastiCache Redis
I'm having issues connecting from Elastic BeanStalk to ElastiCache Redis. When I SSH into the EBS instance and try to use redis-cli to connect, it times out. This is how I set up my environment:
I ...
0
votes
0
answers
158
views
VPC connection between LDAP server onsite and LDAP client in Amazon
I currently have a VPC connection between LDAP server onsite and LDAP client in Amazon. However, after some time the connection starts to fail. I can notice that, since this appears for my user (even ...
- 11
0
votes
1
answer
32
views
disassociate EIP and then convert to vps eip
I have an eip that I want to convert from scope EC2-classic to VPC. Can I disassociate, convert to VPC eip, and then just re-associate with the same ec2 instance? I'm not sure if I will be able to ...
- 103
1
vote
1
answer
478
views
AWS Postgres database IP in security group, how to enter info to survive IP address changes?
I have an existing prod Postgres database and I would like to replicate a table to a new Postgres database. In order to get the two to be able to talk to each other, I had to edit an AWS security ...
- 131
0
votes
0
answers
53
views
Apache/AWS: How to identify local instance requests from the same VPC
In this configuration the apache server instances are all in the same VPC (across several subnets) and all incoming requests are managed via an elastic load balancer, (with ProxyProtocol=On on each ...
- 101
1
vote
1
answer
909
views
What is causing BadRequestException when calling the ExecuteStatement operation on Aurora Serverless db
I have a lambda function that retrieves records from AWS Aurora Serverless db. Now I thought of adding api gateway to trigger the lambda function but I get this error
Connect an AWS Lambda function ...
- 11
1
vote
0
answers
539
views
On AWS how can the ENI of my squid proxy become a blackhole in my route table if the EC2 instance still exists?
Been googling like crazy and can't find an answer. We have three AZs/subnets since we're in Ohio. But this diagram is close enough to explain the issue.
We've set up squid proxies to filter outbound ...
- 111
1
vote
1
answer
404
views
DNS policy for VPC endpoint
I have VPC with three subnets in different availability zones, and an interface VPC endpoint in each. The VPC endpoint has 4 DNS hostnames by default:
A regional DNS hostname, e.g. vpce-x.ec2.us-east-...
- 179
1
vote
2
answers
877
views
Restricting traffic between AWS VPCs
I have two VPCs: A and B.
I want any node in A to be able to open a TCP connection to any node in B, but not the other way around. Any node in B must also be able to open outgoing connections to ...
- 179
0
votes
0
answers
33
views
Web application not serving with Route53 under wifi?
I have a node application running in an Ec2 container on port 443. I've added an Elastic IP to the container. When I reference the Elastic IP or IPv4 DNS in the browser, I can see my application. I ...
- 101
0
votes
1
answer
850
views
Using the AWS VPC CNI add on for EKS can I access a pod directly via it's vpc ip address over a vpn?
My general question is in the title. I feel like I've misunderstood the way pods are connected to the VPC. I was assuming this would make pods routable on the vpc but it seems like this is not the ...
- 103
1
vote
1
answer
961
views
Will aws s3 be still accessible using pre-signed urls if we create a vpc endpoint gateway?
I have a need to add a vpc endpoint for s3 so i can access it on lambda, but when i try to create the endpoint I get a warning
Warning
When you use an endpoint, the source IP addresses from your ...
- 109