Connecting to DB instance in Private subnet from outside VPC - amazon-rds

I would like to create a DB instance in a private subnet that does not have access to internet. However, during the development stages of my application, I would like to connect to it from my PC over the internet. When everything is complete, I would like to disallow public access to the instance and let it be accessed only from within the VPC.
I tried creating an instance in the private subnet and configured it for public access. It would not allow me to do so and that is obvious.
Is there a way an Elastic Network Interface from a public subnet can be attached to the RDS instance so that it can be accessed publicly during development phases?

Related

Azure Private Endpoint for postgresql is not working with multiple Vnet

I have created two vnets (Main APP vnet and Reporting APP vnet, both in the same region). My Azure Postgres database (PaaS) is hosted on the Main App vnet. I have created two private endpoints.
The first private endpoint is used for Main App vnet communication (DB <-> AKS). It's working.
The second private endpoint is created for establishing the database connection from the Reporting App vnet. Not working.
I also tried peering the Reporting App vnet to the Main App vnet. The peering status shows as connected and the second private endpoint is also in approved status.
But I couldn't connect to my database using the FQDN. I get the following error:
FATAL: The public network access on this server is disabled. To connect to this server, use the Private Endpoint from inside your virtual network.
I checked nslookup inside the Reporting App vnet (inside a virtual machine) and DNS is able to resolve it. But I couldn't connect to it via pgAdmin or any app.
Not sure what I'm missing. Anyone please advise me on this.
As you are using a private endpoint for PostgreSQL and have disabled public access for the PostgreSQL server, you can do the below configuration:
Create a private endpoint for PostgreSQL in vnet1 (Main App VNET)
Create peering between vnet1 (Main App VNET) and vnet2 (Reporting App VNET)
Now, you would be able to access the PostgreSQL server using the same private endpoint from both the Main App and the Reporting App.
Note: You cannot access the PostgreSQL server using the public endpoint since public access is disabled.

Static IP address for Azure Container Intances

We run tests on Azure Container Instances.
My question is rather simple. Is there a way to assign a public static ip address to the containers?
Our tests are running and need connection to certain nodes, but how to allow them that if I don't know what the public address will be?
If not what else as an option there is?
Unfortunately, it's impossible to assign a static public IP to an Azure Container Instance. Instead, you can create the Container Instance in a VNet, then put the container instance behind an application gateway and assign a static public IP to the application gateway. In this way, you can access the container instance via the static public IP address.

How to create a private VM on azure with internet access

I want to provision a VM which has no public IP so it can only be connected to from other VMs that have a public IP. Now I can create a VM without a public IP, but then it does not have internet access.
Is there a way on Azure, like on AWS, where I can provision a NAT gateway or NAT instance in a public subnet and let the private instances have an internet connection?
I also tried using NAT Gateway on Azure, but it doesn't work unless I assign a public IP to the VM, which is not what I want.
I have two subnets, let's say public_subnet & private_subnet. Now I can ssh to my private VM from a jump host, but the thing is, when I log in to my private VM I can't install any package and am not even able to ping or curl any website. Both subnets were created using Terraform, so the configuration of the subnets is the same; there is no difference in subnet configuration.
Azure VMs have internet access by default; you don't have to do anything for them to have outbound access. It just works, even without a public IP.
There are two possibilities:
First one: under the same VNet, you provision your VM without a public IP address and then access it using Azure Bastion. You can find more details here.
Second one: provision two or more VMs in the same subnet, one with a public IP and the other without a public IP, and then access the one with the private IP from the one with the public IP.

EKS DNS accessible inside private subnet

The question is: how to expose DNS names pointing to the EKS cluster. DNS should only be available inside our subnets and accessible with our VPN connection (which essentially means that DNS should point to addresses inside our VPC).
I have an EKS cluster which runs in the 10.0.0.0/16 VPC. Nodes are located inside private subnets, and services are exposed externally with an ELB and an Ingress Controller.
Since some of the services inside the VPC are only accessible inside our company, we have decided to run an OpenVPN server configured with routing to 10.0.0.0/16 through the VPN and the rest of the traffic going directly to the Internet. Currently, public DNS configured in Route53 points to our private addresses, which is not ideal (e.g. an A record for privateservice.example.com -> 10.0.1.1). It is not ideal (the existence of the private service shouldn't be visible in public DNS) but it has worked for now.
To resolve the problem of private services in public DNS, I thought about running a BIND DNS server and configuring our OpenVPN to push this configuration to clients (I couldn't get it to work on some client machines, but I assume it will work).
However, I have no idea how to expose some private services running inside the EKS cluster. As mentioned before, there are some services in the cluster which are available publicly through an ELB. But in the same cluster I have a subset of services which should be available only inside our subnet.
Use a private hosted zone in Route 53 for private DNS resolving. It is better to use an internal ELB to expose services in EKS.
Use Route 53 Resolver for resolving AWS-managed DNS on-prem.

Building AWS Infrastructure - Security Questions

I am building a cloud infrastructure on AWS.
I have some backend applications (like database servers) and other front end apps (like webservers) that need ingoing/outgoing traffic.
I also have some devops/dev apps like Jenkins and Airflow (a workflow management tool that has a web UI) that I need to protect. Some of these apps, like Airflow, don't have a security mechanism (for example login/password). And I still need to access it on port 80 from the Internet.
I was thinking of setting up an AWS VPC with a private subnet and a public subnet. In the public subnet I will put the front end apps, and in the private subnet I will put the backend services (like databases).
For the backend services, I need a way for my dev team to connect, for example, to a MySQL database (port: 3306).
What is the correct way to do this?
Do I need to expose port 3306?
Do I need a NAT or a bastion host? What is the difference between them?
If I set up a NAT/bastion host, I will make a port forward, right? If I have two instances of a MySQL database, how can I connect to each of them using the bastion? Do I need to allocate different ports on the bastion and make a port forward?
For the devops/dev apps:
Which subnet do I choose?
If I put them on the private subnet, how can my team access them on port 80?
Do I need an intranet/VPC for these applications?
These are all quite common problems people are faced with on AWS. You have lots of options.
You could put all of your backend and devops services in the private subnet. You then have a number of choices to connect to them securely.
Option 1
Use Security Groups to limit access to these nodes. You can use Security Groups to only allow specific IP addresses to connect to your resources.
Option 2
Use a bastion host.
Referring to your question "What is the difference between NAT and a bastion host?":
NAT simply allows instances inside a private subnet to connect to the internet by routing all their traffic through the NAT instance. The NAT instance then directs the return traffic from the internet back to the correct nodes in the private subnet. NAT alone does not allow you to connect to instances inside your private subnet from the outside; you'd need to combine it with Port Address Translation to achieve this.
A bastion host is an instance that you place in a public subnet of your VPC. You can therefore connect to it from the internet. Once you're connected to your bastion host, you can connect to any other instance inside your VPC using the private IP. Once you ensure maximum security for your bastion host, you're in business.
As a result, you could use a bastion host to connect to all those special nodes in your private subnet.
Option 3
Set up a VPN connection to your VPC using the built-in functionality in VPC, or set up a VPN instance with something like Openswan running on it.
VPN connections are extremely secure but can often be a tad temperamental (*personal opinion from personal experience).
So, you have lots of choices. I'd recommend doing a few more Google searches and digging deeper into the AWS docs, as these are all commonly asked questions!
Good luck! :)
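As an added example (not code from the question or from any of the answers above), the Python script below models the bastion pattern that the last answer recommends under Option 1 and Option 2, which is also the usual way to reach a database that sits in a private subnet, as in the opening RDS question: the database's security group admits its port only from the bastion's security group, never from a public CIDR, and developers reach several databases through one ssh session with one local port each, so nothing has to be port-forwarded on the bastion itself. The security-group IDs, CIDRs and hostnames are constructed placeholders; the rule dictionaries follow the shape that boto3's describe_security_groups returns, but the script runs offline on the embedded data and makes no AWS calls.

```python
"""Audit database security groups and build a multi-database ssh tunnel.

Added example for the bastion pattern; not the page's own code. All group
IDs, CIDRs and hostnames are constructed placeholders.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Ports this audit treats as database listeners (constructed policy).
DB_PORTS = {3306: "mysql", 5432: "postgres"}


def _port_label(rule: dict) -> str:
    if rule["IpProtocol"] == "-1":
        return "all traffic"
    return f"{rule['IpProtocol']}/{rule['FromPort']}-{rule['ToPort']}"


def _covers(rule: dict, port: int) -> bool:
    """True if an ingress rule admits TCP traffic to `port`."""
    if rule["IpProtocol"] == "-1":          # all protocols, all ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def internet_exposed(sg: dict) -> List[str]:
    """Rules in `sg` whose source is a /0 CIDR, i.e. the whole internet."""
    findings = []
    for rule in sg["IpPermissions"]:
        for rng in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if ipaddress.ip_network(cidr).prefixlen == 0:
                findings.append(f"{_port_label(rule)} open to {cidr}")
    return findings


def audit_db_group(sg: dict, allowed_group_ids: Set[str]) -> List[str]:
    """Findings for a database security group. An empty list means the
    group follows the bastion pattern: no /0 source anywhere, and database
    ports reachable only from listed security groups (the bastion's, plus
    any application tier that legitimately talks to the database)."""
    findings = internet_exposed(sg)
    for rule in sg["IpPermissions"]:
        for port, name in DB_PORTS.items():
            if not _covers(rule, port):
                continue
            for rng in rule.get("IpRanges", []):
                # /0 was already reported above; any other CIDR on a database
                # port is still weaker than a security-group reference.
                if ipaddress.ip_network(rng["CidrIp"]).prefixlen != 0:
                    findings.append(f"{name}/{port} admits CIDR {rng['CidrIp']}; "
                                    f"reference a security group instead")
            for pair in rule.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in allowed_group_ids:
                    findings.append(f"{name}/{port} admits group {pair['GroupId']}")
    return findings


def ssh_tunnel_argv(bastion: str, user: str,
                    forwards: Dict[int, Tuple[str, int]]) -> List[str]:
    """argv for one ssh session that forwards one local port per database
    through the bastion. `forwards` maps local_port -> (private_host, port).
    The -L forwards are set up by the client over the SSH session, so two
    databases simply need two local ports; nothing listens on the bastion."""
    argv = ["ssh", "-N", "-o", "ExitOnForwardFailure=yes"]
    for local_port, (host, port) in sorted(forwards.items()):
        if not 1024 <= local_port <= 65535:
            raise ValueError(f"local port {local_port} is not an unprivileged port")
        # Bind to loopback so the forward is not reachable from the developer's LAN.
        argv += ["-L", f"127.0.0.1:{local_port}:{host}:{port}"]
    argv.append(f"{user}@{bastion}")   # destination must come after all options
    return argv


# Constructed sample groups in the shape of boto3's
# ec2.describe_security_groups()["SecurityGroups"][i].
BASTION_SG_ID = "sg-0bastion0placeholder"
WEAK_DB_SG = {                       # 3306 open to the internet: the anti-pattern
    "GroupId": "sg-0db0weak0placeholder",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
}
HARDENED_DB_SG = {                   # 3306 only from members of the bastion group
    "GroupId": "sg-0db0hardened0placeholder",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                       "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG_ID}]}],
}

if __name__ == "__main__":
    for sg in (WEAK_DB_SG, HARDENED_DB_SG):
        print(sg["GroupId"], audit_db_group(sg, {BASTION_SG_ID}) or ["ok"])
    print(" ".join(ssh_tunnel_argv("bastion.example.com", "dev",
                                   {13306: ("db-a.internal", 3306),
                                    13307: ("db-b.internal", 3306)})))
```

With the tunnel running, a developer connects to the first database at 127.0.0.1:13306 and the second at 127.0.0.1:13307, while the bastion's own security group only needs port 22 from the developers' addresses and the database group never references a CIDR at all.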
