
All Questions

0 votes
1 answer
24 views

How to limit AWS VPC endpoint to signed requests

We had a scan done recently of our AWS infrastructure, and one of the high risk level items that we need to address is to Identify any fully accessible VPC endpoints and update their access policy in ...
asked by wonder95 (rep 123)
1 vote
2 answers
254 views

Subnet associations in AWS Route tables

What is this "Subnet Associations" in AWS Route tables? Do I have to add the subnets under "Explicit Subnet Associations" as well? It is already under "Subnets without ...
asked by Mark (rep 83)
0 votes
1 answer
59 views

What actually makes an EC2 instance in a private subnet unreachable from the internet?

I'm reading everywhere (including the official documentation) that an EC2 instance in a private subnet cannot be reached from the internet, even if it has a public IP. Let's say I have a 10.0.0.0/16 ...
asked by Guerric P (rep 111)
1 vote
1 answer
217 views

Remove public IPv4 from AWS EC2 instances

Since February 1, 2024, AWS started charging for public IPv4 and I have several EC2 instances. Some instances can have only public IPv6; for others I need to keep public IPv4. I disabled Elastic ...
asked by TNT (rep 111)
1 vote
1 answer
367 views

Migrate AWS ECS cluster IPv4 to IPv6

I'm trying to avoid this new cost (public IPv4) in aws for small projects because it will represent a big percentage of the cost. In my ECS cluster, I use EC2 instances as capacity providers, ...
asked by Matheus (rep 63)
0 votes
0 answers
13 views

AWS VPC Connect Endpoint and Workbench integration

I have some RDS instances under a private subnet and a bastion host (ec2 instance) with a public IP to connect to it. As part of getting a security certification we need to get rid of all ec2 ...
asked by Andrés Páez
0 votes
0 answers
77 views

Prioritize S2S VPN on AWS when using 1 VGW

We have the following AWS setup: 1 VPC, 1 Virtual Private Gateway (VGW), 8 Customer Gateways (CGWs), 8 Site-to-Site (S2S) VPN connections. We have 4 sites, each connected to our VPC with 2 S2S VPN ...
asked by J88 (rep 101)
0 votes
1 answer
142 views

Allow AWS identity provider to access a private VPC where the OIDC IdP resides

We want to implement Gitlab-AWS short-lived credentials but our Gitlab instance is located inside a private, non internet accessible VPC Subnet. I have looked into VPC Endpoints but I cannot find the ...
asked by Michael Angel P.
0 votes
1 answer
235 views

How to block outgoing traffic in EC2 without blocking SSH

I have an EC2 instance in a public subnet and traffic is flowing through an internet gateway. Now I have a requirement that I have to block all outgoing traffic from the EC2 instance. I have tried to restrict the traffic ...
asked by Ravi Teja RVN
0 votes
1 answer
103 views

Spoke VPC over VPN to IGW

Is it possible to modify this solution so a spoke VPC connects to the TGW hub over VPN, and that spoke VPC's internet access is centralized full tunnel? https://aws.amazon.com/blogs/networking-and-...
asked by aaaaaaaaaaa
0 votes
2 answers
178 views

AWS CIDR Address is not within CIDR Address from VPC

In AWS I have created a VPC whose CIDR is 10.0.0.24. I want to create its two subnets. Its public subnet is in us-west-1a, IPv4 CIDR 10.0.0.0/24; then when I create the private subnet in us-west-1b - ...
asked by Developer.Sumit
0 votes
0 answers
334 views

How to remove headers from all outgoing requests in AWS services (e.g. Lambda)

Just wondering, is there a way to remove a header from all outgoing network requests in AWS? I have a VPC with public and private subnets and a NAT gateway in the public subnet. A Lambda in this VPC ...
asked by nerdlinger
0 votes
2 answers
233 views

Unable to access apache2 from outside

I'm hosting a default site for apache2 server on AWS EC2 (Ubuntu) with Elastic IP. Security group set to open all inbound (testing purposed). I can access the server via SSH using public IP but I can'...
asked by Artur Kedzior
0 votes
0 answers
154 views

AWS - I want to route traffic from one VPC to another, but I want all traffic INTO that VPC to share an IP

Due to a very complicated situation that I can't really get into, we have a VPC that has access to a certain server via a direct connection. This server requires that we whitelist an IP to access it. ...
asked by Whitewind617
0 votes
0 answers
115 views

Can we setup VPC for AWS Lightsail resources?

I am developing an app and to host backend system I am using AWS Lightsail. Is there a way to keep all the inter service communication private? I am aware this can be achieved with VPC while using AWS ...
asked by Kuldeep Yadav
0 votes
1 answer
161 views

VPC endpoint to reach Beanstalk application associated with a public domain from within VPC

I have a web server running on Beanstalk that is associated with mydomain.org on Route53. The access to this web server is restricted by a security group. I have also a Lambda running in the same VPC, ...
asked by revy (rep 101)
0 votes
1 answer
1k views

Why shouldn't EC2 instances be public, if they can be protected with security groups?

It is considered bad practice to place machines that shouldn't be accessible from the internet in a public subnet, because such topology, other than being logically wrong (private instance in an ...
asked by F. Alessandro
1 vote
0 answers
331 views

Elastic Beanstalk deploy app in private VPC without public ip address for EC2

I'm currently developing a NodeJS application that I want to deploy in Elastic Beanstalk (EBS). To isolate & secure my cloud resources I'm using VPCs where I deploy the EBS app and also my ...
asked by Marc Becker
0 votes
1 answer
160 views

AWS: routing back from VPC to an instance

I'm relatively new to AWS and need to set up some internal infrastructure. Example: a VPN server that routes people into a VPC. I have a VPN server instance bound to an elastic IP that has a subnet ...
asked by Yuri (rep 3)
0 votes
1 answer
109 views

AWS cannot connect to any T3 instance, VPC config valid (I think)

I created a new VPC in ca-central. I followed the same procedure as everywhere else: new VPC (this created an ACL which is wide open), three subnets, one for each availability zone, CIDRs spaced out properly ...
asked by mmix (rep 141)
0 votes
0 answers
66 views

AWS EC2: adding IP from a separate private block

I have an existing VPC with a CIDR in the 10.0.0.0/16 block. I now have to create a VPN connection to an external service, who want us to use IPs in 192.168.0.0/16 block. Unfortunately, AWS does not ...
asked by NullPointer
0 votes
0 answers
150 views

How to configure shared VPC for kOps?

As described in this documentation, I want to create a Kubernetes cluster using kOps in an existing VPC. I have created a VPC, Internet Gateway, Route Table, Subnet and an EC2 instance which I want to ...
asked by Tapas Bose
0 votes
0 answers
2k views

How to create EKS cluster with VPC CNI addon via CloudFormation?

I create an EKS cluster (1.24) via CloudFormation; it works fine without a CNI plugin but fails when I add the vpc-cni addon: AddonCNI: Type: 'AWS::EKS::Addon' Properties: AddonName: vpc-...
asked by chingis (rep 243)
0 votes
1 answer
612 views

Seamless switch from NAT Gateway to VPC gateway endpoint

My team is currently burdened by the NAT Gateway costs and we would like to switch over to a VPC gateway endpoint to reduce the costs associated with all the EC2-S3 communication. At the same time, we ...
asked by santhu (rep 1)
-1 votes
1 answer
125 views

Can I connect two VPCs with one site-to-site VPN in the same region?

I currently have one site-to-site VPN connected to one VPC. I want to add a VPC here (it's the same region), but I want to connect the on-premise network connected through site-to-site VPN through site ...
asked by john_smith
1 vote
0 answers
179 views

Which ECS task network mode?

I have an Application Load Balancer in a private subnet (used by API Gateway) that targets an ECS task. I want that task to only be accessible from inside the VPC, not from the internet, but I do have ...
asked by Max (rep 11)
2 votes
2 answers
2k views

AWS security group cross regions

I am trying to set a security group A to allow SSH access from security group B in a different region. I don't have much experience with networking in general and AWS networking. Followed the ...
asked by Elad Weiss
2 votes
1 answer
7k views

Why does an S3 to S3 copy care about VPCs? Related to error: "VPC endpoints do not support cross-region requests."

Goal: Get files from Bucket 1 in ca-central-1 in Account A to Bucket 2 in us-east-1 in Account B using the AWS CLI from a third machine, using the IAM role with correct S3 read and write ...
asked by Ben Ogorek
0 votes
0 answers
1k views

Can't ping or traceroute through EC2 using AWS Site-to-Site VPN to Cisco ASA

My VPC is connected to Cisco ASA, tunnel is shown to be UP in the AWS console. What is working: The engineer on the Cisco side has successfully pinged my EC2 instance within my private 10.5.0.0/17 ...
asked by MarkK (rep 101)
1 vote
1 answer
153 views

Is it necessary to put public and private subnets in different VPCs for extra safety?

Currently we put public accessible resources like ALB inside public subnet, application servers and data storages inside private subnet (different data storage, say RDS and Elasticache, have their own ...
asked by nevets (rep 111)
0 votes
1 answer
95 views

Move an Elastic IP from a VPC to Classic EC2

I know it is possible to "Move to VPC Scope", but is it also possible to move back from VPC to Classic EC2?
asked by Mark Hansen
0 votes
1 answer
532 views

Creating subnet IP address: IPv4 block sizes must be between a /16 netmask and /28 netmask

I'm new to AWS and I'm looking to create a subnet. Whenever I try the default subnets I get either the error message "IPv4 block sizes must be between a /16 netmask and /28 netmask." ...
asked by Christian Fuh
1 vote
1 answer
1k views

AWS PrivateLink connection with HTTPS

I have two VPCs, a consumer VPC and a service VPC. Consumer application HAS to access the service via AWS PrivateLink and it HAS to be an HTTPS call. Here is my current setup, which works: Note that ...
asked by itstrueimryan
0 votes
1 answer
367 views

NAT Gateway breaks incoming traffic for instances in public subnet

I have Elastic Beanstalk instances accessible through an ALB in public subnets and want to assign them a single IP address (A partner asked us for an IP to whitelist to access their services) I have ...
asked by BlackDog (rep 121)
0 votes
1 answer
262 views

How do I deploy a docker container on AWS Elastic Beanstalk privately such that only other AWS resources can access it?

Need to make an AWS deployment decision. A lot of this tech (docker, beanstalk) is pretty new so I don't know best practices (and I'm also foggier than I'd like to be on networking and security). Tech ...
asked by Paranoid Altoid
1 vote
1 answer
1k views

Fargate task from service with Public IP disabled can't download env file from S3

We have a Fargate service that should be exposed to the internet via a load balancer, and since for tests we had used so far the random Public IP of the task, we decided to disable the Public IP, so ...
asked by Ncifra (rep 111)
0 votes
1 answer
290 views

How to specify AWS region in CloudFormation VPC

Reading through the AWS CloudFormation VPC docs, I'm not seeing how/where I specify the region to create the VPC in. Any ideas as to how this configuration works?
asked by hotmeatballsoup
0 votes
1 answer
607 views

AWS VPC Peering vs PrivateLink for network access to 3rd party cloud database

AWS here. I have a simple app server that is running on EC2 instances that are in an autoscaling ("target") group that are fronted by an application load balancer (ALB). The ALB's domain ...
asked by hotmeatballsoup
1 vote
0 answers
503 views

Elastic BeanStalk can't connect to ElastiCache Redis

I'm having issues connecting from Elastic BeanStalk to ElastiCache Redis. When I SSH into the EBS instance and try to use redis-cli to connect, it times out. This is how I set up my environment: I ...
asked by Teotimo Garcia
0 votes
0 answers
158 views

VPC connection between LDAP server onsite and LDAP client in Amazon

I currently have a VPC connection between LDAP server onsite and LDAP client in Amazon. However, after some time the connection starts to fail. I can notice that, since this appears for my user (even ...
asked by kcpf (rep 11)
0 votes
1 answer
32 views

Disassociate EIP and then convert to VPC EIP

I have an EIP that I want to convert from scope EC2-Classic to VPC. Can I disassociate, convert to a VPC EIP, and then just re-associate with the same EC2 instance? I'm not sure if I will be able to ...
asked by thevoipman
1 vote
1 answer
478 views

AWS Postgres database IP in security group, how to enter info to survive IP address changes?

I have an existing prod Postgres database and I would like to replicate a table to a new Postgres database. In order to get the two to be able to talk to each other, I had to edit an AWS security ...
asked by mj_ (rep 131)
0 votes
0 answers
53 views

Apache/AWS: How to identify local instance requests from the same VPC

In this configuration the apache server instances are all in the same VPC (across several subnets) and all incoming requests are managed via an elastic load balancer, (with ProxyProtocol=On on each ...
asked by Konchog (rep 101)
1 vote
1 answer
909 views

What is causing BadRequestException when calling the ExecuteStatement operation on Aurora Serverless db

I have a lambda function that retrieves records from AWS Aurora Serverless db. Now I thought of adding api gateway to trigger the lambda function but I get this error Connect an AWS Lambda function ...
asked by sji gshan
1 vote
0 answers
539 views

On AWS how can the ENI of my squid proxy become a blackhole in my route table if the EC2 instance still exists?

Been googling like crazy and can't find an answer. We have three AZs/subnets since we're in Ohio. But this diagram is close enough to explain the issue. We've set up squid proxies to filter outbound ...
asked by Taylor (rep 111)
1 vote
1 answer
404 views

DNS policy for VPC endpoint

I have VPC with three subnets in different availability zones, and an interface VPC endpoint in each. The VPC endpoint has 4 DNS hostnames by default: A regional DNS hostname, e.g. vpce-x.ec2.us-east-...
asked by Ralf (rep 179)
1 vote
2 answers
877 views

Restricting traffic between AWS VPCs

I have two VPCs: A and B. I want any node in A to be able to open a TCP connection to any node in B, but not the other way around. Any node in B must also be able to open outgoing connections to ...
asked by Ralf (rep 179)
0 votes
0 answers
33 views

Web application not serving with Route53 under Wi-Fi?

I have a node application running in an Ec2 container on port 443. I've added an Elastic IP to the container. When I reference the Elastic IP or IPv4 DNS in the browser, I can see my application. I ...
asked by Scott (rep 101)
0 votes
1 answer
850 views

Using the AWS VPC CNI add-on for EKS, can I access a pod directly via its VPC IP address over a VPN?

My general question is in the title. I feel like I've misunderstood the way pods are connected to the VPC. I was assuming this would make pods routable on the VPC, but it seems like this is not the ...
asked by ClintM (rep 103)
1 vote
1 answer
961 views

Will AWS S3 still be accessible using pre-signed URLs if we create a VPC gateway endpoint?

I have a need to add a VPC endpoint for S3 so I can access it from Lambda, but when I try to create the endpoint I get a warning: "When you use an endpoint, the source IP addresses from your ...
asked by code0x00 (rep 109)
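An added example that relates to two of the questions above, the first (a scan flagging "fully accessible" VPC endpoints whose access policy needs tightening) and the last (S3 pre-signed URLs once a gateway endpoint is in place). This is not code posted by either asker or taken from AWS; it is an offline policy-inspection helper. What it rests on: the default endpoint policy AWS attaches is an Allow for Principal "*", Action "*", Resource "*" with no Condition, and the usual way to stop that from admitting any signed request from any account is a condition on the caller's identity (aws:PrincipalOrgID here; aws:PrincipalAccount or explicit principals are equally valid). Pre-signed URLs themselves keep working through a gateway endpoint, since they are ordinary SigV4-signed requests; what changes is that aws:SourceIp is not populated for requests arriving through a VPC endpoint, so bucket policy statements keyed on it stop matching (IpAddress allows fail, NotIpAddress denies fire) and need aws:SourceVpce or aws:VpcSourceIp instead. The policies, org id o-abc123, bucket, role and endpoint ids below are constructed placeholders.

```python
"""Offline checks for VPC endpoint policies and S3 bucket policies.

Added example, not from the questions above or from AWS. Sample policies
and identifiers (o-abc123, example-bucket, vpce-0123456789abcdef0) are
constructed for illustration.
"""
import copy
import json


def _as_list(value):
    """IAM accepts a bare string where a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement"))


def _principal_is_any(principal):
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def is_fully_open(policy):
    """True when an Allow grants Principal "*", Action "*", Resource "*" with
    no Condition, i.e. the default endpoint policy a scanner calls "fully accessible"."""
    for st in _statements(policy):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if (_principal_is_any(st.get("Principal"))
                and "*" in _as_list(st.get("Action"))
                and "*" in _as_list(st.get("Resource"))):
            return True
    return False


def restrict_to_org(policy, org_id):
    """Return a copy where each unconditioned wildcard-principal Allow is limited
    to principals in our organisation via aws:PrincipalOrgID (assumed fix)."""
    fixed = copy.deepcopy(policy)
    for st in _statements(fixed):
        if (st.get("Effect") == "Allow" and _principal_is_any(st.get("Principal"))
                and not st.get("Condition")):
            st["Condition"] = {"StringEquals": {"aws:PrincipalOrgID": org_id}}
    return fixed


def source_ip_statements(bucket_policy):
    """Sids of statements conditioned on aws:SourceIp. That key is absent for
    requests arriving through a VPC endpoint, so these statements change
    behaviour once a gateway endpoint is added to the route table."""
    hits = []
    for st in _statements(bucket_policy):
        for keys in (st.get("Condition") or {}).values():
            if any(k.lower() == "aws:sourceip" for k in keys):
                hits.append(st.get("Sid", "<no Sid>"))
                break
    return hits


# Constructed sample: the default policy AWS attaches to a new endpoint.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# Constructed sample bucket policy: an office-IP deny that will start denying
# endpoint traffic, and an endpoint-scoped allow that keeps working.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OfficeOnly", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "FromOurEndpoint", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

if __name__ == "__main__":
    print("default endpoint policy fully open:", is_fully_open(DEFAULT_ENDPOINT_POLICY))
    print(json.dumps(restrict_to_org(DEFAULT_ENDPOINT_POLICY, "o-abc123"), indent=2))
    print("bucket statements to revisit:", source_ip_statements(SAMPLE_BUCKET_POLICY))
```

Run it against `aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[].PolicyDocument'` output (each element is a JSON string; `json.loads` it first) to list the endpoints a scanner would flag, and against `aws s3api get-bucket-policy` output before adding a gateway endpoint to find the statements that need an aws:SourceVpce or aws:VpcSourceIp clause.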