Amazon AWS VPC Scenario 2: Specify the public IP address range of your network? - networking

I am setting up a VPC on Amazon AWS using Scenario 2: VPC with Public and Private Subnets.
In the "Adding Rules to the WebServerSG Security Group" section, it specifies to set an inbound SSH rule, specifying allowed sources to be: "Your network's public IP address range".
I have an elastic IP address assigned to my NAT EC2 device. When I created my public web server (in the public subnet) I also assigned a public IP address to it (as part of the wizard). This does not appear in my elastic IP list for some reason (although I believe them to be the same thing, right?). They are not contiguous addresses.
I am not sure exactly what is supposed to happen here. Am I supposed to be able to ssh into the web server in the public subnet? Why would I specify that the only source to be able to ssh into the web server is my network's public IP address range? When I set the allowable source address to either of the public IPs, my connection is refused. Am I supposed to be SSH-ing somewhere else?
Could someone please explain to me exactly how this setup is supposed to work, in terms of how I am supposed to be SSH-ing into the instances remotely?

"Your network's public IP address range" means the network where you are -- not EC2... it refers to the public IP address or range of the computer where you're sitting now, your office network, your home network, any network where your traffic will be coming from when you want to access the EC2 machines remotely to administer them.
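The practical consequence of the answer is that the SSH rule's source should be the range you administer from, never a range inside EC2 and never 0.0.0.0/0. As an added example (not from the question or the answer), the Python below audits a security group's inbound rules, shaped like `aws ec2 describe-security-groups` output, and flags any SSH source that is not inside your admin network's range; the sample group, the `sg-EXAMPLE` id and the 203.0.113.0/24 admin range are constructed.

```python
"""Audit EC2 security group SSH sources against the admin network's public range.
Added example; the group below is a constructed sample in the shape returned by
`aws ec2 describe-security-groups`, and 203.0.113.0/24 (documentation range)
stands in for the office/home network you SSH from."""
import ipaddress

# Constructed sample: one SSH rule open to the world, one scoped to the admin range,
# plus a web rule that is expected to be public and must not be flagged.
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def rule_covers_ssh(perm):
    """True if this permission admits TCP/22 (protocol -1 means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)


def audit_ssh_sources(sg, admin_range):
    """Return (cidr, verdict) for every IPv4 source allowed to reach SSH.
    verdict is 'ok' when the source lies inside admin_range, else 'too-broad'."""
    admin = ipaddress.ip_network(admin_range)
    findings = []
    for perm in sg["IpPermissions"]:
        if not rule_covers_ssh(perm):
            continue
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            verdict = "ok" if src.subnet_of(admin) else "too-broad"
            findings.append((rng["CidrIp"], verdict))
    return findings


def my_ip_as_cidr(ip):
    """Single-host CIDR for the public address you administer from, which is
    what the inbound SSH rule should carry when your range is one address."""
    return f"{ipaddress.ip_address(ip)}/32"


if __name__ == "__main__":
    for cidr, verdict in audit_ssh_sources(SAMPLE_SG, "203.0.113.0/24"):
        print(f"{cidr:18} {verdict}")
    print(my_ip_as_cidr("203.0.113.10"))
```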

Related

Fritzbox public ip address with DS-Lite

I am struggling to connect to my home server that is connected via a Fritzbox router to the internet. I want to connect to the home server from outside of the home net, as it serves as a NAS and provides HTTP(S) services.
The problem is that I don't understand how to connect to the server over the internet. My Fritzbox is connected to my internet provider via a DS-Lite internet connection. As far as I understood, this means that my Fritzbox has no public IPv4 address and therefore the server is not reachable.
Is it still somehow possible to connect to the server?
Reading your question, I can see that there are multiple steps to solve this.
1. Figure out if your internet provider allows you to have incoming connections.
I do not know what a DS-Lite connection is. Depending on your connection type, e.g. glass fibre, DSL, mobile, and your provider, incoming connections might be allowed or not. Also specific ports might be forbidden.
2. Enable port forwarding for incoming connections to your LAN server.
Your Fritzbox does not know where to route the incoming connection to.
Make your LAN server IP address static. Go to your Fritzbox admin page and create a port forwarding rule and map data incoming on port 80 (HTTP) and 443 (HTTPS) to the LAN server IP address.
You can read further here: https://en.wikipedia.org/wiki/Port_forwarding
Figure out the Fritzbox's public IP address by checking out this website from within your LAN: https://whatismyipaddress.com/
Connect to your server via http(s)://publicip
3. Set up dynamic DNS to have a public domain, which you can use instead of the IP address.
Usually private customer internet connections use dynamic IP addresses, so your IP address changes regularly. This is annoying, because you need to look up the IP address before you can connect again. To avoid this issue, you can use a dynamic DNS provider to give you a domain name, which you can use instead of the public IP address. Your Fritzbox should have this kind of functionality already. If not, you can also configure it on your server with a cron job.
You can read further here: https://en.wikipedia.org/wiki/Dynamic_DNS
This provider is easy to use and free: https://freedns.afraid.org/
4. Use the dynamic DNS domain name instead of the public IP to access your server from anywhere.
Be aware that having open connections to your local network gives attack surface from the public internet. So people might steal or delete data on your server or abuse it in other ways.

How can I open my local TCP port to public?

I have a TCP server for my personal chat. I want to expand my connection beyond my local network and open my port 28752 to the public IP of my PC, to enter wherever I want, only when my computer is on.
I have seen different solutions, for example DMZ to associate my local IP to the public IP, but I want to do this without modifying the router's settings; I wanted to do it from a program. Is it possible?
It is possible to open up ports, but it depends on the OS in which you are trying to accomplish it. You can use Linux iptables to manipulate the ports opened and closed on any Linux machine (see the iptables documentation for some examples). The ports should also be opened on the firewall layer outside the VM, e.g. it could be an AWS access policy, a security group, or the Mac's security firewall. Your laptop, when connected to the internet, will have a public IP address; you can share that public IP. But this IP address will change when you connect to a different router. You can use AWS CLI commands to assign a static IP address for your machine and expose it publicly. At the very least, you would need a public DNS server to expose your IP publicly. An easy way to achieve this is by putting a web server in the cloud. Without a domain, you can't expose your IP. Once you have finalized the domain (e.g. AWS Route 53, Ingress IP from K8s, etc.), you can change/manipulate them from your program. It need not be language specific.

How we can access a localhost of a computer through its public IP if some other devices in the same network also have the same public IP?

I want to access localhost of a computer, but other computers in the same network also have the same public IP. Can we access its localhost by knowing both (public and private) IP addresses of that computer? I want to connect to it directly (not through any software like ngrok or a VPN).
Thanks in advance.
You can only access localhost on the computer itself. Localhost refers to 'this node' by definition.
When communicating on an internal network you usually use the private IP addresses, not the public one(s). Connecting to a computer with a private IP behind a public IP requires reverse NAT aka destination NAT aka port mapping.
Connecting out from and right back into the same network through NAT may require a special firewall setup aka hairpinning. It's usually easier and faster to use split-brain DNS and resolve the public name to the private IP address of the device.

Bluemix: Cannot create VM with public IP

When I try to create a VM with a public IP address on Bluemix, I get the following error:
Your VMs are in error - Resource CREATE failed: Error: Resource CREATE failed: Error: Resource CREATE failed: NotFound: External network f242da31-3809-48a4-aa84-46da1c50586c is not reachable from subnet a78fbf7e-1e4a-4d3a-a039-c05be4846bc3. Therefore, cannot associate Port 6978
Creating a VM without a public IP works, but I cannot connect to the VM without a public IP.
I also tried creating a network on the Horizon dashboard, but I could not figure out how to assign a public IPv4 or IPv6 address.
I understand that IPv4 addresses may be short in supply and would be happy with an "IPv6 only" VM, but I could not figure out how to request a "public" IPv6 prefix on Bluemix.
I have not seen that error. I think the problem you ran into may be intermittent. I just created a VM an hour ago using the Bluemix dashboard and that worked no problem. As usual, the VM was assigned two IPs, one internal and one public.
As you've discovered, in the Horizon dashboard, when you create a VM, by default it only has an internal IP. To add a public IP takes a few steps that aren't exactly obvious:
1. From the Cloud Management Dashboard, select the Instances tab.
2. In the Actions column for your VM, select Associate Floating IP.
3. In the IP Address field, select an IP address.
4. By default, there won't be any IP addresses to select. To allocate one, press the plus (+) sign.
5. In the Allocate Floating IP dialog, set the Pool to Public-Network and press Allocate IP.
6. Now select the IP address you've just allocated.
7. For Port to be associated, choose the internal IP and press Associate.
8. Now the Instances tab will display the VM with two IP addresses.
If this doesn't work: There is a limit to how many public IPs you get, so maybe you've hit that limit. Looks like Horizon shows the limit as 10; I think that's public, but it may be public and private.
To see the list of IPs allocated to your account (and whether that list has reached 10):
1. From the Cloud Management Dashboard, go to the Access & Security tab.
2. Go to the Floating IPs sub-tab.
That shows your list of public IPs and their mapping to internal IPs. If you've reached your max, you'll need to move an IP from one VM to another. You can delete the first VM to make its IP available. Or you can disassociate the IP from one VM (don't release the IP, disassociate it) and then assign it to another VM as described above.
This screen is another place to allocate IPs to your account. The only network I see is Public-Network, and it has IPv4 addresses. I don't see any way to allocate IPv6 addresses.

How do I connect one computer to two networks

I need to access the internet and a completely separate private network from a single Windows 7 computer. Each network is connected to my computer with its own network interface card.
The private network uses the '10.0.0.0' address space and provides its own DNS services. This network is not connected to the Internet and I do not want to connect it to the Internet in any way, other than being able to access both from my computer.
Basic routing is not that big a deal. The problem is that no one wants to have to deal with IP addresses to get everywhere.
My default gateway points to the Internet and the default gateway is blank on the network interface for my private network.
My DNS server points to the Internet.
The show stopper at this point is figuring out a way to have my system use the DNS server on my private network for the DNS suffix used on my private network and still allow everything else to go out on the Internet.
Is there any way to make this work?
Bob
In the properties of the network interface card connected to the private LAN, have you gone into the TCP properties and set a search domain and DNS server under the DNS tab? If you only need to hit a few hosts on the private LAN, hosts file entries are also an option.