Help me vpc -> bastion -> rds #43

Closed
gwendallg opened this issue May 2, 2019 · 8 comments

Comments

@gwendallg

I use this great Terraform module, but I don't know if my configuration is good.

  1. I created an AWS VPC on eu-west-2 with
  • public subnets : 10.0.x.0/24, with x between 0-2
  • private subnets : 10.0.10x.0/24 with x between 0-2
  • db subnets : 10.0.20x.0/24 with x between 0-2
  2. I created the following security groups :
  • sg "from-internet"
    input : 22/80/443 - 0.0.0.0/0
    output : All - 0.0.0.0/0

  • sg "from-public-subnet"
    input : 22/80/443 - 10.0.x.0/24 with x between 0-2
    output : All - 0.0.0.0/0

  • sg "from-private"
    input : 22/80/443 - 10.0.10x.0/24 with x between 0-2
    output : All - 0.0.0.0/0

  • sg "from-private-to-db"
    input : 5432 - 10.0.10x.0/24 with x between 0-2
    output : All - 0.0.0.0/0

  3. I created an RDS Postgres instance on the db subnet
    with security group from-private-to-db

I use the bastion module with

  • ELB subnets in public subnets, 10.0.x.0/24 with x between 0-2
  • bastion EC2 in public subnets, 10.0.10x.0/24 with x between 0-2

I succeed in connecting to the bastion host with ssh -i ec2-user@, but I can't access RDS ....

Do you have any idea?

@Guimove
Owner

Guimove commented May 2, 2019

Just to understand your issue well :

You connect to the bastion from your computer ==> ELB (10.0.x.0/24) ==> Bastion (10.0.10x.0/24), right ?

For the RDS connection, do you connect directly from the bastion ? I mean using psql on the bastion.
Or do you connect from your computer by using an SSH tunnel from the bastion ?

For the network part, all seems OK in what you describe.
Just a little typo :

private subnets : 10.0.10x.0/24 with x between 0-2

bastion EC2 in public subnets, 10.0.10x.0/24 with x between 0-2

Is 10.0.10x.0/24 public or private ?

@gwendallg
Author

The ELB is in the public subnet
The BASTION is in the private subnet

I succeeded in connecting to the bastion host with ssh -i .. ec2-user@,
I tried to create an SSH tunnel but it failed ....
After installing telnet on the bastion host, I tried to access RDS with telnet on port 5432, but it failed ...

ELB ( 10.0.x.0/24 ) -> bastion ( 10.0.10x.0/24 ) -> RDS ( 10.0.20x.0/24 )

10.0.10x.0/24 is private ..

Security group on RDS :
allow IN :=> 5432 / TCP from 10.0.10x.0/24 , OUT :=> ALL / ALL to 0.0.0.0/0

@Guimove
Owner

Guimove commented May 2, 2019

Telnet is not enabled; that's normal.
To enable the SSH tunnel, you need to be sure that the following lines are not present in user_data.sh (around line 22), or use the latest version of this module :

awk '!/AllowTcpForwarding/' /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config

What command do you use to open the SSH tunnel ?

@gwendallg
Author

ssh -N -L 5432:testdb.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432 ec2-user@tf-lb-20190501161031900800000004-d40f07fdab3ad749.elb.eu-west-3.amazonaws.com -i innovagro-infrastructure-live/non-prod/bastion

where :

  • testdb.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com : RDS name
  • tf-lb-20190501161031900800000004-d40f07fdab3ad749.elb.eu-west-3.amazonaws.com : ELB name
  • innovagro-infrastructure-live/non-prod/bastion : Private Key

Is that correct ?

@Guimove
Owner

Guimove commented May 2, 2019

Imo you cannot use the same local and remote port. Try replacing the first 5432 by 5433.

Please retry in verbose mode (-v) and share the output.

@gwendallg
Author

First command : OK, connects to the bastion

ssh ec2-user@tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com -i bastion
NOTE: This SSH session will be recorded
AUDIT KEY: 2019-05-02_16-56-48_ec2-user

[ec2-user@ip-10-0-101-152 ~]$

Second command : KO

ssh -N -L 5432:innovagro-stage-baccus-db.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432 ec2-user@tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com -i bastion
^C%
➜ non-prod git:(develop) ✗ ssh -N -L 5432:innovagro-stage-baccus-db.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432 ec2-user@tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com -i bastion -v
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file bastion type 0
debug1: identity file bastion-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:wxxZKmiSMY/pbexofCfWkOhxiIxUEB/CnxZZ+IBHRTs
debug1: Host 'tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/gwendallgarnier/.ssh/known_hosts:55
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: Server accepts key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: Authentication succeeded (publickey).
Authenticated to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com ([52.47.130.91]:22).
debug1: Local connections to LOCALHOST:5432 forwarded to remote address innovagro-stage-baccus-db.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432
debug1: Local forwarding listening on ::1 port 5432.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 5432.
➜ non-prod git:(develop) ✗ ssh -N -L 5432:innovagro-stage-baccus-db.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432 ec2-user@tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com -i bastion -v
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file bastion type 0
debug1: identity file bastion-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:wxxZKmiSMY/pbexofCfWkOhxiIxUEB/CnxZZ+IBHRTs
debug1: Host 'tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/gwendallgarnier/.ssh/known_hosts:55
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: Server accepts key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: Authentication succeeded (publickey).
Authenticated to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com ([52.47.130.91]:22).
debug1: Local connections to LOCALHOST:5432 forwarded to remote address innovagro-stage-baccus-db.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432
debug1: Local forwarding listening on ::1 port 5432.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 5432.
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0

@Guimove
Owner

Guimove commented May 2, 2019

Hmm, I don't see any error... The SSH tunnel does not give you the prompt back, and that's normal.

You have to open a new terminal and then use a psql command with 127.0.0.1 as the hostname while the tunnel is running.

@gwendallg
Author

Eureka ! I found it.
Modify the security group for the outbound rules 👍

current value

resource "aws_security_group" "bastion_host_security_group" {
  description = "Enable SSH access to the bastion host from external via SSH port"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port   = "${var.public_ssh_port}"
    protocol    = "TCP"
    to_port     = "${var.public_ssh_port}"
    cidr_blocks = "${var.cidrs}"
  }

  egress {
    from_port   = "${var.private_ssh_port}"
    protocol    = "TCP"
    to_port     = "${var.private_ssh_port}"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = "${merge(var.tags)}"
}

modified value

resource "aws_security_group" "bastion_host_security_group" {
  description = "Enable SSH access to the bastion host from external via SSH port"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port   = "${var.public_ssh_port}"
    protocol    = "TCP"
    to_port     = "${var.public_ssh_port}"
    cidr_blocks = "${var.cidrs}"
  }

  egress {
    from_port   = 0
    to_port     = 65535
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = "${merge(var.tags)}"
}
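The fix above works because the module's original egress rules only allowed the private SSH port, 80 and 443 out of the bastion, so the tunnel's 5432 traffic to RDS was dropped. Opening all TCP ports to 0.0.0.0/0 is broader than needed; the following is an added example (not the module's own code, written in Terraform 0.12+ syntax) that grants only the database port, and only towards the RDS security group. The variable names `db_security_group_id` and `db_port` are assumptions.

```hcl
# Added example, not part of the bastion module: bastion egress limited to
# the database port and the RDS security group, plus the matching DB ingress.

variable "vpc_id" {}
variable "cidrs" { type = list(string) }   # CIDRs allowed to SSH in
variable "public_ssh_port" { default = 22 }
variable "db_security_group_id" {}         # assumed: SG attached to the RDS instance
variable "db_port" { default = 5432 }      # assumed: PostgreSQL port

resource "aws_security_group" "bastion_host_security_group" {
  description = "Bastion: SSH in from allowed CIDRs, DB port out to the RDS SG only"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "bastion_ssh_in" {
  type              = "ingress"
  security_group_id = aws_security_group.bastion_host_security_group.id
  from_port         = var.public_ssh_port
  to_port           = var.public_ssh_port
  protocol          = "tcp"
  cidr_blocks       = var.cidrs
}

# Instead of 0-65535 TCP to 0.0.0.0/0, reference the DB security group:
# the rule then follows the database even if its subnets change.
resource "aws_security_group_rule" "bastion_to_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.bastion_host_security_group.id
  from_port                = var.db_port
  to_port                  = var.db_port
  protocol                 = "tcp"
  source_security_group_id = var.db_security_group_id
}

# Mirror rule on the DB side: accept the DB port only from the bastion SG,
# rather than from the whole private subnet range.
resource "aws_security_group_rule" "db_from_bastion" {
  type                     = "ingress"
  security_group_id        = var.db_security_group_id
  from_port                = var.db_port
  to_port                  = var.db_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.bastion_host_security_group.id
}
```

Keep the module's 80/443 egress rules as well if the host needs package updates or has to upload its recorded SSH sessions.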

@Guimove Guimove closed this as completed May 3, 2019