how to verify ssh tunnel has been successfully created between bastion and RDS - amazon-rds

I have a bastion (EC2 instance) and a Postgres RDS instance, and I have run a script (from a 3rd party) that should allow me to connect to the RDS from my machine via SSH tunnelling through the bastion. Is there any command I can run to verify that this script has worked, and that there is actually a connection present?
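As an added example (not from the question or any answer on this page), here is a Python check for the setup the asker describes: it confirms that something accepts connections on the local forward port and, more importantly, that a PostgreSQL server answers through it, because `ssh -L` binds the local port even when the bastion cannot reach RDS and only fails once a client connects. The loopback host, port 5432 and the fake server used for the offline demo are assumptions, not values from the page.

```python
import socket
import struct
import threading

# PostgreSQL SSLRequest startup packet: int32 length 8 + int32 code 80877103.
# A PostgreSQL server answers with a single byte: b"S" (TLS offered) or b"N".
SSL_REQUEST = struct.pack("!ii", 8, 80877103)

def verify_tunnel(host="127.0.0.1", port=5432, timeout=5.0):
    """Return a verdict on the local end of an `ssh -L port:rds-host:5432` forward.
    A bound local port only proves ssh is running: the forward to RDS is opened
    lazily per client connection, so we must complete one protocol round trip."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "no listener"          # ssh -L is not running on this port
    except OSError as e:
        return f"connect failed: {e}"
    with s:
        try:
            s.sendall(SSL_REQUEST)
            reply = s.recv(1)
        except OSError:
            reply = b""               # ssh reset the forward: RDS unreachable
    if reply == b"S":
        return "ok: PostgreSQL answered through the tunnel and offers TLS"
    if reply == b"N":
        return "ok: PostgreSQL answered through the tunnel without TLS"
    if reply == b"":
        return "listener present but ssh could not reach the remote endpoint"
    return "listener present but the far end is not PostgreSQL"

def start_fake_postgres(reply=b"S"):
    """Constructed stand-in for RDS (offline demo only): answer one SSLRequest."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if conn.recv(8) == SSL_REQUEST:
                conn.sendall(reply)   # empty reply simulates ssh closing the forward

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(verify_tunnel(port=start_fake_postgres(b"S")))
```

Against a real tunnel, call `verify_tunnel()` with the local port your script chose; an "ok:" verdict means the packet travelled through the bastion to RDS and came back, which no amount of looking at the local listener can tell you.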

Related

Can I use Azure Bastion to tunnel into my CosmosDB?

I'm trying to connect to my Mongo CosmosDB instance through Azure Bastion. Our IT department blocks all outbound traffic that's not on port 443, so in order for me to be able to access anything I have to tunnel it through port 443 first.
I have a bit of script that looks like this:
COSMOS_ID=$(az cosmosdb list --resource-group $RES_NAME | jq -r '.[] | .id')
az network bastion tunnel \
--resource-group $RES_NAME \
--name $RES_NAME \
--target-resource-id $COSMOS_ID \
--resource-port 10255 \
--port 10255 \
--debug
Which emits this output:
Opening tunnel on port: 10255
Tunnel is ready, connect on port 10255
Ctrl + C to close
I'm then using MongoDB Compass and the connection string found in the Azure portal, replacing the CosmosDB host name with localhost. Immediately upon attempting to connect I see this error in the terminal, and the tunnel process exits:
Exception in thread Thread-1 (_start_tunnel):
Traceback (most recent call last):
File "/usr/local/Cellar/python@3.10/3.10.4/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 1009, in _bootstrap_inner
self.run()
File "/usr/local/Cellar/python@3.10/3.10.4/Frameworks/Python.framework/Versions/3.10/lib/python3.10/threading.py", line 946, in run
self._target(*self._args, **self._kwargs)
File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/custom.py", line 8482, in _start_tunnel
tunnel_server.start_server()
File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/tunnel.py", line 184, in start_server
self._listen()
File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/tunnel.py", line 117, in _listen
auth_token = self._get_auth_token()
File "/usr/local/Cellar/azure-cli/2.37.0/libexec/lib/python3.10/site-packages/azure/cli/command_modules/network/tunnel.py", line 104, in _get_auth_token
raise exp
msrestazure.azure_exceptions.CloudError: Unexpected internal error
If I enable debug logging I get a lot of output but these are the last 3 lines before the exception:
urllib3.connectionpool: Starting new HTTPS connection (1): bst-210816cd-d967-41ee-8f90-31ee6af4574d.bastion.azure.com:443
urllib3.connectionpool: https://bst-210816cd-d967-41ee-8f90-31ee6af4574d.bastion.azure.com:443 "POST /api/tokens HTTP/1.1" 500 None
msrest.exceptions: Unexpected internal error
I have added the bastion subnet to cosmosdb's firewall and I have added the port to the NSG... I think. The problem I'm having is just not knowing if I misconfigured something or if this is just completely not supported.
Should I be able to just tunnel directly to cosmos? If not then why not, or what other solutions would be available for me to connect to cosmos tunneled through port 443?
As I found this question when searching for a solution to the same problem, and after some fiddling, the answer is: yes, you can!
It took some experimenting, but it works with 2 tunnels. Connect to the bastion host (which is also a VM) while enabling an SSH tunnel to itself, connect via another, more sophisticated SSH client, and then use this SSH client to "lay" the tunnel to the DB:
You need ssh capability on the bastion host which you should already have if you can connect via az network bastion ssh
maybe put your public SSH key into ~/.ssh/authorized_keys (with the usual restricted directory and file permissions) to enable password-less auth
login via:
az network bastion tunnel --name $the_bastion_host_name --resource-group $your_resource_group --target-resource-id /subscriptions/$your_subscription_id/resourceGroups/$the_resource_group_name/providers/Microsoft.Compute/virtualMachines/$the_jumphost_resource_name --resource-port "22" --port "2222"
replace the vars according to your setup, subscription and resource names
the last command should connect to your bastion/jump host and also open a tunnel on port 2222@localhost to connect via another SSH client!
keep this running/open
have your (cosmos) db connection string ready (from azure portal)
login via standard ssh client (or adjust using putty or similar):
ssh -L 20255:$your_db_name.mongo.cosmos.azure.com:10255 -p 2222 the_bastion_host_account_name@localhost
so we connect via SSH on port 2222 at localhost (which is actually sshd on the bastion host, thanks to the command before) with our bastion host username (+credentials) and open local port 20255 to be tunneled by the bastion host's sshd to the (cosmos) DB instance's port 10255 in the remote vnet
can use other local ports by changing the 1st port after the -L but adjust the connection string in the next step
adjust according to your DB name/host and port (which should be 10255 by default)
have the db connection string handy (again)
now use your local client to connect to:
mongodb://azure_dbname:leaveTheBase64CodedCredentialsfromAzurePortalHere==@localhost:10255/?ssl=true&replicaSet=globaldb&retrywrites=false&maxIdleTimeMS=120000&appName=@db_app_name_from_azure_portal@
in NoSQLBooster I had to deselect replica set and use "single server" even though "replicaSet=global" appears in the Azure portal DB connection string. The connection initiation failed with some protocol errors when using the replica-set setup.
The answer is no, you can't. It only works with VMs.
The solution I came up with is to essentially create a VM, run sockd on it, use bastion to establish the port forwarding, then configure your local client to use a socks5 proxy to localhost.

Azure VM Connection Refused

I created a VM in Microsoft Azure with Ubuntu 20 in which I run a Tomcat Server exposed to Port 443 and 80 (redirecting to 443), Neo4j on Port 7474, and Jenkins on Port 8081.
I can't access any of those ports, although I set all the Inbound Port Rules like this:
When I try to reach IP:PORT, I always get this:
I am kinda new to Azure. It is possible to log in to the server via SSH in the terminal. Can anyone help me? How can I access my server?
Have you tried accessing the VM via SSH and looking at what's going on in the logs?!
Yes, you can connect to a terminal by SSH:
ssh -i <private key path> username@ipaddress
If you didn't configure an SSH key, you can create a password in the Azure portal.
In your VM, on the left, you have many options, and one is named Reset password.

Unable to connect to remote mongodb instance from nodejs deployed on Amazon EC2 VM

I am unable to connect to a remote MongoDB service deployed using mLab. I am able to connect to this service from the node server deployed on my local machine, but it does not work when I try to deploy it on an Amazon EC2 Windows instance.
I have opened the following inbound and outbound rules.
I have also opened the firewall rules for that, but still it does not work.
I am trying to connect to it using mongoose in nodejs.
mongoose.connect('mongodb://user:pass@ds031947.mlab.com:31947/db');
As you said, it's accessible from your local system, so most probably you have your bind IP set to localhost instead of the public IP.
open your /etc/mongodb.conf and make sure the bind ip is set to public access not local host.
run on EC2 instance:
netstat -pl
the output should show
tcp 0 0 0.0.0.0:27017 *:* LISTEN 2025/mongod
if it shows localhost:27017 you have to change the config file to make it accessible to public.
Hope it will help !

offering mysql on localhost via a ssh layer

I have 2 machines: one has a MySQL server that runs on localhost. The second one has no MySQL server. I want to access the MySQL server from the first machine on the second machine, also on localhost. It should be something like a virtual localhost.
The first machine should log in to the second machine via secure socket and should emulate the server there somehow.
Is something like this possible, what is it called, and how does it work?
Is this what is called a tunnel?
Yes, this is what is called a tunnel.
Assuming host A is running the MySQL server and host B is the one that does not.
To create the tunnel, enter the following on host B:
ssh -L 3306:localhost:3306 username@A
(Add -f -N to the command to not execute any command on the remote host and immediately background the ssh connection).
This creates a listening port 3306 on host B which is forwarded over the ssh tunnel to localhost:3306 on host A.
Now just run mysql on host B and you should be able to connect to the mysql server on host A.
Hope it helps!

Problem with access to Mongodb on Amazon EC2

I've got another question for you.
I have an Amazon EC2 instance with MongoDB installed.
It works great except for one thing: I can't access (connect to) it from outside (my PC).
I think the problem with Security Groups. It's some sort of default firewall.
Does anyone know how to configure EC2 instance to have access to mongodb?
Thanks in advance.
Think carefully before doing this. If you open the ports, make sure you restrict the IP numbers that can access it, otherwise anyone will be able to access your database. You can enable authentication in MongoDB, but it's not particularly safe, just a username and password. You should not have your database open to the internet, it is not a good idea.
A better way than opening up ports in the EC2 firewall is to open an SSH tunnel and forward the port; this makes sure that only you can access the database, and only while the SSH tunnel is active.
Open up a new terminal and run this command (replacing user and host with the user you use when SSH'ing to your server and the name of the server):
ssh user@host -N -L 27017:127.0.0.1:27017
The command will forward the port 27017 on your computer to the same port on the server. To connect to the MongoDB instance simply run mongo in a terminal (if that doesn't work, try mongo --host 127.0.0.1 or even mongo --host 127.0.0.1 --port 27017).
If you run MongoDB on your local machine you will have to change the first port, since the local server is already using it. In that case run this command instead:
ssh user@host -N -L 27018:127.0.0.1:27017
and then connect with
mongo --port 27018
(possibly adding --host 127.0.0.1 if it doesn't work).
When you're done working with the database, exit mongo and press ctrl-C in the terminal with the SSH command.
You need to add a security group exception for port 27017 if you are using the default config, for you to access it from outside. For security group configuration, please check the Amazon EC2 documentation. And if you are using a different port for Mongo, change the security group port accordingly.
--Sai
Is your EC2 instance a Windows server by any chance? If so, in addition to EC2's Security Groups you also need to configure Windows Firewall to allow the incoming connection.
Go To Administrative Tools, Windows Firewall with Advanced Security, and configure a new Rule that allows incoming connections on port 27017 (the default mongo port) or whatever port you've chosen.