I am trying to create VPN tunnel from VPC to office location. I have created Virtual Private Gateways and when i try to attached to VPC it says
Error
VPC vpc-xxxxxxxx is currently attached to the Virtual Private Gateway
VPC can only be attached to one Virtual Private Gateways ?
If I have to create multiple VPN tunnel to multiple office location then I have to reuse the already attached Virtual Private Gateways to VPC for VPN ?
that's correct. you will have to use the same VPG for the other VPN connections.
You can attach only one virtual private gateway to a VPC at a time.
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-limits.html
Related
I have a private subnet in VNet 1 with Network Security Group only allowing inbound traffic from a specific private IP CIDR. This subnet hosts Azure Database for PostgreSQL with a server name.
I also have a public subnet in a different VNet (VNet2) that hosts a standard VM.
I have done VNet peering to connect the two and they don't overlap the address spaces. I have also whitelisted the Private IP of the VM (in VNet2) in the NSG of Private subnet in VNet 1 but I cannot ping the PostgreSQL DB from my VM. It says:
ping: mydb-dev.postgres.database.azure.com: Name or service not known
Both VNets are in same subscription and same region
Things to be notice.
You can't ping directly with server name ping mydb-dev.postgres.database.azure.com. Because this domain/server name is not registered in any public or private DNS Zone. If you want to ping with Server name your domain should be registered in DNS record.
Another more imortant things is you need to open port default PostgreSQL port is 5432 at both the Vnet for inbound and outbound level.
you are able to ping when your deploying both the resource in one VNEt.So By default, there is no security boundary between subnets for a VNet, so VMs in each of these subnets can talk to one another.
I'm trying to set up a Tailscale node as a relay to my AWS VPC. I've followed the instructions here to the letter, multiple times. Unfortunately, I just cannot seem to ssh to the second (non-Tailscale) instance. My process, briefly:
Set up an AWS VPC with the VPC wizard
create an instance tailscale-relay on the VPC, on the public subnet, with SSH enabled, and my private key. Assign it a new Security Group called sg-tailscale-relay
ssh to tailscale-relay, install tailscale
enable IP forwarding (per docs here)
sudo tailscale up --advertise-routes=10.0.0.0/24, where 10.0.0.0/24 is the range specified in the private subnet (and equivalently in the public subnet, see photo at bottom)
disable key expiry and authorize subnet routes for this node in the Tailscale console
close off ssh access to tailscale-relay in its Security Group, then verify that I can ssh to it with it's Tailscale IP (annoyingly, still requiring my .pem key)
create another instance, test-tailscale, assign it to the same VPC but to the private subnet. Do NOT give it a public IP. Allow all inbound traffic from the sg-tailscale-relay subnet, but not from anywhere else
Then, from my local machine, SSH to the private IP of test-tailscale times out.
I can ping test-tailscale from tailscale-relay (but not tailscale ping, obviously)
What gives? I don't understand what I'm doing wrong.
Bonus: Can I ssh without the private key?
private subnet route table
One possibility is in the non-AWS Tailscale node which you're using to send the ping, if it is a Linux system. Linux was the first client developed, and the one most often used as a subnet router itself.
All of the other clients accept subnet routes by default, but Linux by default does not and needs tailscale up --accept-routes=true to be specified.
I have been struggling when trying to connect to an instance of Postgresql in Google Cloud Platform (from my machine in my home network), which has a private IP.
I have tried with https://cloud.google.com/sql/docs/postgres/connect-admin-proxy (Proxy cloud sql) but I need my instance to have a public IP, and that is not possible according to the requirements I have.
Also I read that I can connect to my VPC using https://cloud.google.com/vpc/docs/configure-serverless-vpc-access , but I have no idea what I have to do.
Does anyone have ever faced a similar issue?
Thanks! I am new at GCP configuration.
You can connect to private IP by having access to the VPC your Cloud SQL instance is paired in. There are instructions under "Connecting from an external source" on the Configuring Private IP page.
However please note that connecting with Public IP with the Cloud SQL proxy is also very secure, and encrypts the data between the proxy and your instance in a similar fashion to how the Cloud VPN works.
It is not possible out of the box, but you can use openVPN to create a site to client VPN (bastion host) I found an article about how to address this scenario, this is a very elaborate solution as was mentioned on the question comments.
I found this feature request for Cloud SQL to allow connection between on-premise servers to instances with private IP
I created the public subnet and private subnet ,Internet gateway associated the public subnet. Now the webserver was provisioned or installed in private subnet but how do we access any content from private subnet ,why was the server installed. in the lecture ? Also, say for example if I install mysql db in private , how do i access the db from outside? in other words how do i access the webserver/db running in private subnet from public or http?
If you want to access your private subnet from outside of the VPC you need to add a bastion host to the public subnet. The bastion host should have a security group which only allows connections from the IP of your personal machine (if this is where your accessing from). And the security group of the insurance in the private subnet should allow traffic from the bastion host's security group. (The private subnet NACL, allows all by default).
If your trying to access the private subnet from within the VPC. Then you don't need to configure anything by default. As the private subnet NACL by default allows all local traffic. (Security groups by default deny all traffic, so ensure the dB instance, if in a security group, allows traffic from the public subnet, ideally limiting to the specific protocol).
You can access to your private subnet in ssh or rdp by using a bastion host which you have to install to your public subnet. But you have to configure well your security groups and your NACL.
For internet access of your private subnet, you have to install a NAT Gateway in your public subnet (for example for your db)
For more information, this is an interesting link for you:
https://cloudacademy.com/blog/aws-bastion-host-nat-instances-vpc-peering-security/
Hope it will help
I'm trying to access a private RDS Instance from a different VPC using a Peering Connection. I have two VPCs:
VPC-K8S (172.20.0.0/16) with one public subnet
VPC-RDS (172.17.0.0/16) with one public subnet (172.17.0.0/24) and 3 private subnets (172.17.{1,2,3}.0/24)
VPC-RDS has 2 security groups (not actual names):
default, which accepts SSH from my IP
db, which accepts TCP over port 5432 from the default security group.
I deploy my DB instances in VPC-RDS after creating a DB Subnet Group in the private subnets, and configure it to not be publicly accessible. To access it from my workstation, I create a small instance in the public subnet of VPC-RDS with the default security group, and create an SSH tunnel:
ssh -L 5432:rds-host-name.us-east-1.rds.amazonaws.com:5432 -i "KeyName.pem" ec2-user#ec2-host-name.compute-1.amazonaws.com
I can access the RDS from my workstation via localhost.
I want to be able to access my RDS instance from my Kubernetes cluster (VPC-K8S). I set up a peering connection between the two, and configure the route tables appropriately (in VPC-K8S: 172.17.0.0/16 -> pcx-112233; VPC-RDS: 172.20.0.0/16 -> pcx-112233)
I cannot connect to RDS from one of my K8S nodes, or any instance in the K8S VPC. I suspected that it had something to do with the db security group, but even when I opened port 5432 to all IPs (0.0.0.0/0) it didn't help.
Any ideas how to do this, or is this only possible via a publicly accessible RDS instance or a Bastion host that is in VPC-RDS and the default SG?
Stupid oversight, but I'll leave this up if it helps anyone.
My private subnets in VPC-RDS use a different route table than the public subnet. This is done so that internet addresses (for the catch all rule 0.0.0.0/0) point to the NAT gateway as opposed to the internet gateway in the public subnet.
I added a rule to the private subnets' route table for the peering connection (172.20.0.0/16 -> pcx-112233), and then configured the db security group to accept TCP traffic on port 5432 from 172.20.0.0/16.