QT-DevOps / AWSIssues

Issues with AWS
Apache License 2.0

Unable to SSH from Web to Business systems in a single tier setup #6

Closed srinivle closed 5 years ago

srinivle commented 5 years ago

As per the suggestions and instructions received from Khaja Sir to create a single tier setup such as "Windows N-tier application on Azure with SQL Server" (https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/n-tier/n-tier-sql-server):

We were not able to establish the connection or SSH from "Web tier subnet" to "Business tier subnet". We have tried all possible ways and methods, and even tried the all-traffic-open options as well, still in vain.

I have created my network the following way and created 4 instances respectively:

VPC : LearningVPC = IPv4 = 10.0.0.0/16

Subnets :
    Web = IPv4 = 10.0.1.0/24 ; Public IP Enabled
    Business = IPv4 = 10.0.2.0/24 ; Public IP Disabled
    Data = IPv4 = 10.0.3.0/24 ; Public IP Disabled
    JumpBox = IPv4 = 10.0.4.0/24 ; Public IP Enabled

IGW created and associated to VPC

Route table updated as 10.0.0.0/16 local, 0.0.0.0/0 given IGW. Subnets are also associated.

Security group :
    Web = All traffic open
    Business = All traffic open
    Data = All traffic open
    JumpBox = All traffic open

NACL : Web = All traffic rules open

    Business =
            Inbound:
                    SSH = 10.0.1.0/24 = ALLOW       /       SSH = 0.0.0.0/0 = ALLOW
                    HTTP =  10.0.1.0/24 = ALLOW     /       HTTP =  0.0.0.0/0 = ALLOW
                    HTTPS = 10.0.1.0/24 = ALLOW     /       HTTPS = 0.0.0.0/0 = ALLOW
                    ICMPv4 = 10.0.1.0/24 = ALLOW    /       ICMPv4 = 0.0.0.0/0 = ALLOW
            Outbound:
                    SSH = 10.0.3.0/24 = ALLOW       /       SSH = 0.0.0.0/0 = ALLOW
                    HTTP = 10.0.3.0/24 = ALLOW      /       HTTP = 0.0.0.0/0 = ALLOW
                    HTTPS = 10.0.3.0/24 = ALLOW     /       HTTPS = 0.0.0.0/0 = ALLOW
                    ICMPv4 = 10.0.3.0/24 = ALLOW    /       ICMPv4 = 0.0.0.0/0 = ALLOW

    Data =
            Inbound:
                    SSH = 10.0.2.0/24 = ALLOW       /       SSH = 0.0.0.0/0 = ALLOW
                    HTTP = 10.0.2.0/24 = ALLOW      /       HTTP = 0.0.0.0/0 = ALLOW
                    HTTPS = 10.0.2.0/24 = ALLOW     /       HTTPS = 0.0.0.0/0 = ALLOW
                    ICMPv4 = 10.0.2.0/24 = ALLOW    /       ICMPv4 = 0.0.0.0/0 = ALLOW
            Outbound:
                    SSH = 10.0.4.0/24 = ALLOW       /       SSH = 0.0.0.0/0 = ALLOW
                    HTTP = 10.0.4.0/24 = ALLOW      /       HTTP = 0.0.0.0/0 = ALLOW
                    HTTPS = 10.0.4.0/24 = ALLOW     /       HTTPS = 0.0.0.0/0 = ALLOW
                    ICMPv4 = 10.0.4.0/24 = ALLOW    /       ICMPv4 = 0.0.0.0/0 = ALLOW

    JumpBox = All traffic rules open

I have tried all possible ways and checked & contacted the lab assistants, and all went in vain. Kindly check and investigate and let me know your inputs or help if at all I am doing something wrong or missing somewhere, or how you were successful and in which way. This applies to Azure as well. There also I have applied rules in the NSG respectively and all went in vain. No communication/SSH happens between Web & Business and between Business & Data, or vice versa. However, Web and JumpHost are able to communicate with the outside world.

Kindly provide your inputs or thoughts or solution in both AWS and AZURE. Thank you.
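Network ACLs are stateless, so the reply half of every flow (Data port 22 back to an ephemeral port on the Business host) must match an outbound rule as well as the request half; ping succeeding while SSH times out is the usual sign that only the request half is allowed. The check below is an added example, not code from the thread: it evaluates both halves of an SSH and an ICMP flow against the Data subnet NACL rules as listed above, and then against a candidate outbound reply rule scoped to the VPC CIDR. Rule numbers and the 1024-65535 ephemeral range are assumptions; the CIDRs and hosts are the post's own.

```python
# Added example, not from the issue thread: a minimal model of stateless AWS
# network ACL evaluation, used to check both halves of a flow against the Data
# subnet NACL as listed above. Rule numbers and the 1024-65535 ephemeral port
# range are assumptions; the CIDRs and hosts are the ones from the post.
from ipaddress import ip_address, ip_network

# Rule: (number, protocol, destination port range or None for ICMP, cidr, action).
# The lowest-numbered match wins; the implicit final rule denies anything unmatched.
def first_match(rules, proto, dst_port, peer_ip):
    for _, rproto, ports, cidr, action in sorted(rules):
        if rproto != proto:
            continue
        if ports and not (ports[0] <= dst_port <= ports[1]):
            continue
        if ip_address(peer_ip) in ip_network(cidr):
            return action
    return "DENY"

def flow_allowed(inbound, outbound, proto, remote_ip, remote_port, local_port):
    """Stateless ACL: the request (remote -> local, dst = local_port) and the
    reply (local -> remote, dst = remote_port) must each match an ALLOW rule."""
    return (first_match(inbound, proto, local_port, remote_ip) == "ALLOW"
            and first_match(outbound, proto, remote_port, remote_ip) == "ALLOW")

# Data-subnet NACL SSH and ICMP rules transcribed from the post (numbers assumed).
DATA_IN = [
    (100, "tcp", (22, 22), "10.0.2.0/24", "ALLOW"),
    (110, "tcp", (22, 22), "0.0.0.0/0", "ALLOW"),
    (120, "icmp", None, "0.0.0.0/0", "ALLOW"),
]
DATA_OUT = [
    (100, "tcp", (22, 22), "10.0.4.0/24", "ALLOW"),
    (110, "tcp", (22, 22), "0.0.0.0/0", "ALLOW"),
    (120, "icmp", None, "0.0.0.0/0", "ALLOW"),
]
# Candidate fix to verify: let TCP replies reach ephemeral ports inside the VPC only.
EPHEMERAL_REPLY = (130, "tcp", (1024, 65535), "10.0.0.0/16", "ALLOW")

def ssh_from_business(outbound):
    # Business host 10.0.2.19 connects from an ephemeral port to Data port 22.
    return flow_allowed(DATA_IN, outbound, "tcp", "10.0.2.19", 49152, 22)

def ping_from_business(outbound):
    return flow_allowed(DATA_IN, outbound, "icmp", "10.0.2.19", 0, 0)

if __name__ == "__main__":
    print("SSH, rules as listed:", ssh_from_business(DATA_OUT))        # False
    print("ICMP, rules as listed:", ping_from_business(DATA_OUT))      # True
    print("SSH, with reply rule:", ssh_from_business(DATA_OUT + [EPHEMERAL_REPLY]))  # True
```

The same two-direction check applies to the Business NACL for the Web to Business flow; the listed rules should be compared against what the console actually holds, since a leftover default allow-all rule with a lower number would mask the gap.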

shaikkhajaibrahim commented 5 years ago

Please replace 0.0.0.0/24 with 0.0.0.0/0 in AWS & * in Azure. This is my first observation. Change that & send me what happens.


srinivle commented 5 years ago

Oops!!! I'm sorry sir... It is 0.0.0.0/0 only, not 0.0.0.0/24.... Spelling & draft mistake!!! ..... It isn't working!!!

srinivle commented 5 years ago

I have updated the issue now!!!

srinivle commented 5 years ago

Using 0.0.0.0/0,

SSH connections are happening like this:

    from Web to Business - happening
    from Business to Data - not happening
    from Data to Business - not happening
    from JumpBox to Data - happening
    from Web to Data - happening
    from Web to Jumpbox - happening
    from Jumpbox to Business - happening

It's haywire.

Ping is happening like this:

    from Web to Business - happening
    from Business to Data - happening
    from Data to Business - happening
    from JumpBox to Data - happening
    from Web to Data - happening
    from Web to Jumpbox - happening
    from Jumpbox to Business - happening

But if we give the respective private IP address or range in the inbound & outbound rules, then it is not working at all!!! .....

srinivle commented 5 years ago

Using 0.0.0.0/0, the following are the outputs:

SSH from Web to Business:

```
[ec2-user@ip-10-0-1-108 ~]$ ssh -i "QT_Test_Machine.pem" ec2-user@10.0.2.19
Last login: Tue May 14 13:52:31 2019 from 10.0.1.108

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-10-0-2-19 ~]$
```

Ping from Web to Business:

```
[ec2-user@ip-10-0-1-108 ~]$ ping 10.0.2.19
PING 10.0.2.19 (10.0.2.19) 56(84) bytes of data.
64 bytes from 10.0.2.19: icmp_seq=1 ttl=255 time=0.503 ms
64 bytes from 10.0.2.19: icmp_seq=2 ttl=255 time=0.546 ms
64 bytes from 10.0.2.19: icmp_seq=3 ttl=255 time=0.477 ms
```

SSH from Business to Data:

```
[ec2-user@ip-10-0-2-19 ~]$ ssh -i "QT_Test_Machine.pem" ec2-user@10.0.3.218
ssh: connect to host 10.0.3.218 port 22: Connection timed out
[ec2-user@ip-10-0-2-19 ~]$
```

Ping from Business to Data:

```
[ec2-user@ip-10-0-2-19 ~]$ ping 10.0.3.218
PING 10.0.3.218 (10.0.3.218) 56(84) bytes of data.
64 bytes from 10.0.3.218: icmp_seq=1 ttl=255 time=0.375 ms
64 bytes from 10.0.3.218: icmp_seq=2 ttl=255 time=0.486 ms
64 bytes from 10.0.3.218: icmp_seq=3 ttl=255 time=0.510 ms
```

SSH from Data to Business:

```
[ec2-user@ip-10-0-3-218 ~]$ ssh -i "QT_Test_Machine.pem" ec2-user@10.0.2.19
ssh: connect to host 10.0.2.19 port 22: Connection timed out
[ec2-user@ip-10-0-3-218 ~]$
```

Ping from Data to Business:

```
[ec2-user@ip-10-0-3-218 ~]$ ping 10.0.2.19
PING 10.0.2.19 (10.0.2.19) 56(84) bytes of data.
64 bytes from 10.0.2.19: icmp_seq=1 ttl=255 time=0.355 ms
64 bytes from 10.0.2.19: icmp_seq=2 ttl=255 time=0.524 ms
```

SSH from Jumpbox to Data:

```
[ec2-user@ip-10-0-4-209 ~]$ ssh -i "QT_Test_Machine.pem" ec2-user@10.0.3.218
The authenticity of host '10.0.3.218 (10.0.3.218)' can't be established.
ECDSA key fingerprint is SHA256:0VEZYQxFK7TjRq5bK7qmzds0rMrAddayCu8VW3uHrNY.
ECDSA key fingerprint is MD5:b4:8e:50:03:9e:ba:98:35:c8:e4:da:9c:82:3f:cc:69.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.3.218' (ECDSA) to the list of known hosts.

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-10-0-3-218 ~]$
```

SSH from Jumpbox to Business:

```
[ec2-user@ip-10-0-4-209 ~]$ ssh -i "QT_Test_Machine.pem" ec2-user@10.0.2.19
The authenticity of host '10.0.2.19 (10.0.2.19)' can't be established.
ECDSA key fingerprint is SHA256:EOThh1miq9EU4/0mg4E9bg0O4+2/W4zSJA0hyAr/GMQ.
ECDSA key fingerprint is MD5:f9:b5:5c:04:55:8d:bc:32:6c:4a:30:48:9d:53:6e:87.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.2.19' (ECDSA) to the list of known hosts.
Last login: Tue May 14 14:01:10 2019 from 10.0.1.108

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-10-0-2-19 ~]$
```

Ping from JumpBox to Data:

```
[ec2-user@ip-10-0-4-209 ~]$ ping 10.0.3.218
PING 10.0.3.218 (10.0.3.218) 56(84) bytes of data.
64 bytes from 10.0.3.218: icmp_seq=1 ttl=255 time=0.361 ms
64 bytes from 10.0.3.218: icmp_seq=2 ttl=255 time=0.365 ms
64 bytes from 10.0.3.218: icmp_seq=3 ttl=255 time=0.484 ms
```

Ping from Jumpbox to Business:

```
[ec2-user@ip-10-0-4-209 ~]$ ping 10.0.2.19
PING 10.0.2.19 (10.0.2.19) 56(84) bytes of data.
64 bytes from 10.0.2.19: icmp_seq=1 ttl=255 time=0.374 ms
64 bytes from 10.0.2.19: icmp_seq=2 ttl=255 time=0.481 ms
64 bytes from 10.0.2.19: icmp_seq=3 ttl=255 time=0.490 ms
64 bytes from 10.0.2.19: icmp_seq=4 ttl=255 time=0.426 ms
64 bytes from 10.0.2.19: icmp_seq=5 ttl=255 time=0.501 ms
```

shaikkhajaibrahim commented 5 years ago

Is it fixed? If fixed, close the issue with the resolution.

srinivle commented 5 years ago

Nope sir.... The only thing is that the Business to Data SSH connection cannot be established.... It is not able to connect vice versa... :(