I have a replication set which is configured using private IPs, and we are able to access it inside the VPC. All is fine,
but when I try to access it via the public IPs of the replica set, like node1_ip,node2_ip,node_ip/?replicaSet=dev-mongo-cluster, then it is not working. There are network level issues (the port is opened to our IP address).
But if I try to access a single node using its public IP without mentioning the replica set, then it is working.
BindIP is set to 0.0.0.0
Any idea how to resolve this?
I'm trying to set up a Tailscale node as a relay to my AWS VPC. I've followed the instructions here to the letter, multiple times. Unfortunately, I just cannot seem to ssh to the second (non-Tailscale) instance. My process, briefly:
Set up an AWS VPC with the VPC wizard
create an instance tailscale-relay on the VPC, on the public subnet, with SSH enabled, and my private key. Assign it a new Security Group called sg-tailscale-relay
ssh to tailscale-relay, install tailscale
enable IP forwarding (per docs here)
sudo tailscale up --advertise-routes=10.0.0.0/24, where 10.0.0.0/24 is the range specified in the private subnet (and equivalently in the public subnet, see photo at bottom)
disable key expiry and authorize subnet routes for this node in the Tailscale console
close off ssh access to tailscale-relay in its Security Group, then verify that I can ssh to it with its Tailscale IP (annoyingly, still requiring my .pem key)
create another instance, test-tailscale, and assign it to the same VPC but to the private subnet. Do NOT give it a public IP. Allow all inbound traffic from the sg-tailscale-relay security group, but not from anywhere else
Then, from my local machine, SSH to the private IP of test-tailscale times out.
I can ping test-tailscale from tailscale-relay (but not tailscale ping, obviously)
What gives? I don't understand what I'm doing wrong.
Bonus: Can I ssh without the private key?
private subnet route table
One possibility is in the non-AWS Tailscale node which you're using to send the ping, if it is a Linux system. Linux was the first client developed, and the one most often used as a subnet router itself.
All of the other clients accept subnet routes by default, but Linux by default does not and needs tailscale up --accept-routes=true to be specified.
Following this tutorial, I set up an Aurora PostgreSQL database. I then tried to access the database from my computer using pgAdmin. However, pgAdmin gives the error: "Unable to connect to server: timeout expired"
I have tried the following things:
Ensured that the database is set to be publicly accessible
Verified that the database has an IP address (I ran nslookup on my local machine, and it returned a public IP address).
Verified that the database is in a public subnet (it is launched in two subnets, one of which is a public subnet with an Elastic IP address and one of which is a private subnet which directs traffic to a NAT gateway)
Ensured that my database is configured to use port 5432
Modified the security group to add inbound rules allowing TCP traffic on port 5432 from any IPv4 or IPv6 address
Ensured that I can send outbound traffic on port 5432 from my computer using this site
It looks like you have deployed the Aurora DB cluster into two subnets of a VPC and the problem is that one subnet is public, while the other is private. I suspect the DB will be accessible publicly as long as the public DNS resolves to the DB instance in the public subnet, but will be unreachable when it resolves to the instance in the private subnet (though I have not verified this).
To correct this and make the cluster publicly accessible, deploy the DB into public subnets only.
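The answer above hinges on which subnets the Aurora cluster can land in. The following is an added example (not from the question or answer) that classifies each subnet in a DB subnet group as public or private from its route table, using the usual rule that a public subnet has a 0.0.0.0/0 route to an internet gateway. The route-table data is constructed inline to mirror the question (one IGW subnet, one NAT subnet); the optional boto3 lookup assumes the subnet has an explicit route-table association.

```python
def subnet_is_public(route_table):
    """A subnet is public if its default route (0.0.0.0/0) targets an internet gateway.

    NAT gateway routes carry NatGatewayId rather than GatewayId, so they
    correctly come out as private here.
    """
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue
        return route.get("GatewayId", "").startswith("igw-")
    return False


def classify_db_subnets(db_subnet_ids, subnet_to_route_table):
    """Return {'public': [...], 'private': [...]} for the subnets in a DB subnet group."""
    result = {"public": [], "private": []}
    for subnet_id in db_subnet_ids:
        rt = subnet_to_route_table[subnet_id]
        result["public" if subnet_is_public(rt) else "private"].append(subnet_id)
    return result


def publicly_accessible_everywhere(db_subnet_ids, subnet_to_route_table):
    """True only when every subnet the cluster's instances can occupy is public."""
    return not classify_db_subnets(db_subnet_ids, subnet_to_route_table)["private"]


def route_table_for_subnet(ec2, subnet_id):
    """Fetch the explicitly associated route table via boto3 (assumes one exists;
    subnets falling back to the VPC main route table are not handled here)."""
    resp = ec2.describe_route_tables(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])
    return resp["RouteTables"][0]


# Constructed sample mirroring the question: a public subnet with an IGW default
# route and a private subnet whose default route goes to a NAT gateway.
ROUTE_TABLES = {
    "subnet-public": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"}]},
    "subnet-private": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"}]},
}

if __name__ == "__main__":
    print(classify_db_subnets(["subnet-public", "subnet-private"], ROUTE_TABLES))
```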
I have a VM instance (e2-micro) on GCP running with postgres. I added my own external IP address to pg_hba.conf so I can connect to the database from my local machine. Next to that I have a nodeJS application which I want to connect to that database. Locally that works; the application can connect to the database on the VM instance. But when I deploy the app to GCP I get a 500 Server Error when I try to visit the page in the browser.
These are the things I already did/tried:
Created a Firewall rule to allow connections from my own external IP address
Created a VPC connector and added that connector to my app.yaml
Made sure everything is in the same project and region (europe-west1)
If I allow all IP addresses on my VM instance with 0.0.0.0/0 then App Engine can connect, so my guess is that I'm doing something wrong with the connector? I use 10.8.0.0/28 as the IP range while the internal IP address of the VM instance is 10.132.0.2, is that an issue? I tried an IP range with 10.0.0.0 but that also didn't work.
First check if your app uses a /28 IP address range (see the documentation):
When you create a connector, you also assign it an IP range. Traffic sent through the connector into your VPC network will originate from an address in this range. The IP range must be a CIDR /28 range that is not already reserved in your VPC network.
When you create a VPC connector a proper firewall rule is also created to allow traffic:
An implicit firewall rule with priority 1000 is created on your VPC network to allow ingress from the connector's IP range to all destinations in the network.
As you wrote yourself when you create a rule that allows traffic from any IP it works (your app can connect). So - look for the rule that allows traffic from the IP range that your app is in - if it's not there create it.
Or - you can connect your app to your DB over public IPs - in such case you also have to create a proper rule that will allow the traffic from the app to the DB.
Second - check the IP of the DB that app uses.
My guess is that you didn't change the IP of the DB (that app uses) and it tries to connect not via VPC connector but via external IP and that's why it cannot (and works only when you create a firewall rule).
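The two checks in this answer (a valid /28 connector range, and a DB address that actually goes through the connector) can be scripted. This is an added example, not from the question or answer; it uses the values from the question (10.8.0.0/28 and 10.132.0.2) and assumes the VM sits in a VPC subnet of 10.132.0.0/20, which is an assumption rather than something the question states.

```python
import ipaddress

# Constructed values: connector range and VM internal IP from the question;
# the VPC subnet CIDR and the external address are assumptions for the demo.
CONNECTOR_RANGE = "10.8.0.0/28"
VPC_SUBNETS = ["10.132.0.0/20"]
DB_HOST_INTERNAL = "10.132.0.2"
DB_HOST_EXTERNAL = "203.0.113.10"  # placeholder external VM address


def check_connector_range(connector_cidr, vpc_subnets):
    """Return a list of problems with a Serverless VPC Access connector range.

    The quoted docs require a /28 that is not already reserved in the VPC, so
    the range is rejected if it has any other prefix length or overlaps a subnet.
    """
    problems = []
    net = ipaddress.ip_network(connector_cidr, strict=True)
    if net.prefixlen != 28:
        problems.append(f"{connector_cidr} is a /{net.prefixlen}, must be a /28")
    for subnet in vpc_subnets:
        if net.overlaps(ipaddress.ip_network(subnet)):
            problems.append(f"{connector_cidr} overlaps VPC subnet {subnet}")
    return problems


def db_reachable_via_connector(db_host, vpc_subnets):
    """True only if the app's configured DB address is an internal VPC address.

    An external address makes the app leave via App Engine's public egress and
    bypass the connector, so the VM firewall never sees the connector's range.
    """
    addr = ipaddress.ip_address(db_host)
    return addr.is_private and any(addr in ipaddress.ip_network(s) for s in vpc_subnets)


def diagnose(connector_cidr, db_host, vpc_subnets):
    """Combine both checks into one list of findings (empty means looks fine)."""
    findings = check_connector_range(connector_cidr, vpc_subnets)
    if not db_reachable_via_connector(db_host, vpc_subnets):
        findings.append(f"DB host {db_host} is not an internal VPC address; use the VM's internal IP")
    return findings


if __name__ == "__main__":
    for host in (DB_HOST_INTERNAL, DB_HOST_EXTERNAL):
        print(host, diagnose(CONNECTOR_RANGE, host, VPC_SUBNETS))
```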
This answer pointed me in the right direction: https://stackoverflow.com/a/64161504/3323605.
I needed to deploy my app with
gcloud beta app deploy
since the VPC connector method was in beta. Also, I tried to connect to the external IP in my app.yaml but that needed to be the internal IP of course.
I have successfully created a scale set using (https://github.com/Azure/azure-quickstart-templates/tree/master/201-vmss-windows-customimage) with one instance from my custom image:
The custom image has microsoft server data center DS1 V2 and node.js installed in and a copy of my application.
From the new portal I can see the IP of the VM.
I have also successfully started it from the powershell.
However the RDP on that IP with port 3389 or 50000, 50001 are not working.
I tried to add some inbound rules but the situation is the same (maybe the inbound rules are not correct).
Please can you let me know the steps required after the scale set is created in order to make an RDP connection?
You won't be able to connect to the IP of the VM from outside the VNET as each VM has an internal IP address. You need to connect to the public IP of the load balancer (you probably meant that implicitly but being precise just in case).
You will also need to create inbound NAT rules to map a port range on the load balancer public IP address to port 3389 on the backend, and double check that RDP was enabled on the source image before uploading it.
Take a look at this template for an example of inbound NAT rules: https://github.com/Azure/azure-quickstart-templates/blob/master/201-vmss-windows-nat/azuredeploy.json
I have to run a program on an EC2 that reads the host's public IP address from config (which I don't appear to be able to easily change), and then connects to it, i.e. it's looping back to the instance via the public IP address.
I can't find out how to create a security group that can loop back to the EC2 instance. My rules are:
outbound: 0.0.0.0/0 all tcp
inbound: [private IP/32, 127.0.0.1/32, public IP/32] all tcp 4440 (the port I need)
None of the inbound IPs work. I'm testing this by telnetting on the host to the public IP: telnet x.x.x.x 4440, and I'm never able to (where x.x.x.x is my public IP). I can do it by specifying 127.0.0.1 though, so the server I'm connecting to is online and bound correctly. I can also access the server through my browser. I just can't loop back. The connection hangs, which is why I think it's a security group issue.
How can I allow this program - which tries to connect to the public IP from the instance - to connect to the same instance via its public IP address?
I just did a test (using an ICMP rule). You have to add a rule in the security group as you said. You should add it normally, and set the source to 1.2.3.4/32 (following your example). Please note that I am using an Elastic IP in my tests.
According to the docs, it should also be possible to list that security group as its own source. This would permit the loopback even if the IP address changes due to a stop/start.
Another security group. This allows instances associated with the specified security group to access instances associated with this security group. This does not add rules from the source security group to this security group. You can specify one of the following security groups:
The current security group
A different security group for the same VPC
A different security group for a peer VPC in a VPC peering connection
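The self-referencing rule described in this answer can be expressed as a boto3 IpPermissions entry with a UserIdGroupPairs source rather than a CIDR. The following is an added example (not from the question or either answer); the group ID and port 4440 are placeholders matching the question, and the last function needs real AWS credentials while the first two are pure and run offline.

```python
def loopback_permission(group_id, port, protocol="tcp"):
    """Inbound rule letting members of group_id reach `port` on each other.

    Naming the group itself in UserIdGroupPairs is the "current security group"
    source from the docs quoted above; unlike a public IP/32 it keeps working
    when the instance's public address changes after a stop/start.
    """
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": group_id}],
    }


def has_loopback_rule(group, port, protocol="tcp"):
    """Check a describe_security_groups() entry for a self-referencing rule covering port."""
    for perm in group.get("IpPermissions", []):
        # "-1" means all protocols and carries no port range
        if perm.get("IpProtocol") not in (protocol, "-1"):
            continue
        if perm.get("FromPort", 0) > port or perm.get("ToPort", 65535) < port:
            continue
        if any(pair.get("GroupId") == group["GroupId"]
               for pair in perm.get("UserIdGroupPairs", [])):
            return True
    return False


def ensure_loopback_rule(ec2, group_id, port):
    """Add the self-referencing rule if it is missing; returns True when a rule was added.

    `ec2` is a boto3 EC2 client; describe first so the call stays idempotent
    (authorize_security_group_ingress raises on an exact duplicate rule).
    """
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    if has_loopback_rule(group, port):
        return False
    ec2.authorize_security_group_ingress(
        GroupId=group_id, IpPermissions=[loopback_permission(group_id, port)])
    return True


if __name__ == "__main__":
    import boto3  # imported lazily so the pure helpers need no AWS SDK
    # sg-PLACEHOLDER must be replaced with the instance's real security group ID
    print(ensure_loopback_rule(boto3.client("ec2"), "sg-PLACEHOLDER", 4440))
```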