Enable IP between VPC Instances in Amazon Web Services

In this easy Ask the Admin, I’ll show you how to configure security groups in Amazon Web Services (AWS) so that EC2 Virtual Private Cloud (VPC) instances can communicate with each other. In Manage IP Addressing with Virtual Private Clouds in Amazon Web Services on the Petri IT Knowledgebase, I provisioned virtual machines (Elastic Compute instances) in a VPC, so that the VMs would be assigned to the same internal private IP address each time they are started. This is especially important for servers that require a static IP address, such as Active Directory domain controllers.

In that article, I created an Internet gateway for the VPC and set up a new security group that allows traffic from the Internet to reach instances on TCP port 3389 for Remote Desktop access. Security groups are locked down by default. Because a security group's rules are applied to each instance individually, and that group only permits inbound RDP, communication between instances in the same VPC is still blocked. In AWS, network ACLs control the traffic allowed to reach VPC subnets, while security groups protect individual instances.

Add Rules to a Security Group

For the purposes of this article, I’m going to assume that you already have a security group in your VPC, as described in the article mentioned above. If not, create a new group that allows RDP access to your instances. Don’t forget that you can have more than one security group, and instances connected to a VPC can be associated with different security groups. You will also need to have the AWS Tools for Windows PowerShell installed on your PC as described here in Provision Windows Server in Amazon Web Services using PowerShell. First, I need to establish the GroupId for myPSSecurityGroup, which is the security group I created when provisioning the VPC and instances.

# Filter on group-id with a wildcard value so every security group is listed
$options = @( @{Name="group-id"; Values=@("*")} )
Get-EC2SecurityGroup -Filter $options

Make a note of the GroupId that corresponds to your security group in the output of the previous command. Now that I know the GroupId for myPSSecurityGroup, I'll put it into a variable:


$groupID = "sg-95c1b0f0"

Using PowerShell to get the security group ID. (Image Credit: Russell Smith)

I also know that my VPC private subnet is 10.0.0.0/16, so I can allow all inbound TCP traffic from any address in this range.

# Source address range: the VPC's private address block
$cidrBlocks = New-Object 'System.Collections.Generic.List[string]'
$cidrBlocks.Add("10.0.0.0/16")
# Inbound rule: all TCP ports from the whole VPC range
$ipPermissions = New-Object Amazon.EC2.Model.IpPermission -Property @{IpProtocol = "tcp"; FromPort = 0; ToPort = 65535; IpRanges = $cidrBlocks}

Grant-EC2SecurityGroupIngress -GroupId $groupID -IpPermissions @($ipPermissions)

Now I’ll repeat that for UDP, keeping the address block the same.

# Inbound rule: all UDP ports from the same VPC range
$ipPermissions = New-Object Amazon.EC2.Model.IpPermission -Property @{IpProtocol = "udp"; FromPort = 0; ToPort = 65535; IpRanges = $cidrBlocks}
Grant-EC2SecurityGroupIngress -GroupId $groupID -IpPermissions @($ipPermissions)

Finally, I'll allow ICMP echo requests so that I can use the ping command for troubleshooting. For ICMP, FromPort carries the ICMP type, which is 8 for echo request. The ToPort value is not used for ICMP, so it must be set to -1.

# Inbound rule: ICMP type 8 (echo request) from the VPC range; ToPort -1 for ICMP
$ipPermissions = New-Object Amazon.EC2.Model.IpPermission -Property @{IpProtocol = "icmp"; FromPort = 8; ToPort = -1; IpRanges = $cidrBlocks}
Grant-EC2SecurityGroupIngress -GroupId $groupID -IpPermissions @($ipPermissions)

Check Security Group Settings

Now check that the settings above have been applied to the group correctly.

($groupID | Get-EC2SecurityGroup).IpPermissions

Check the rules added to the security group. (Image Credit: Russell Smith)

You should now be able to ping, and communicate over IP, between any instances in your VPC that belong to the security group identified by the $groupID variable.
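The rules above admit traffic from every address in 10.0.0.0/16, including hosts in other security groups. The following is an added example, not code from the article: it grants the same TCP, UDP and ICMP access but only to members of the security group itself (a self-referencing rule using Amazon.EC2.Model.UserIdGroupPair), then lists any inbound rule that is open to 0.0.0.0/0 so it can be reviewed. It assumes the AWS Tools for PowerShell are loaded with credentials and a region already configured; the GroupId is the one from the article and should be replaced with your own.

```powershell
# Added example: self-referencing security group rules plus a quick audit.
# Assumes AWS Tools for PowerShell are loaded and credentials/region are set.
$groupID = "sg-95c1b0f0"   # GroupId from the article; substitute your own

# Source is the security group itself rather than a CIDR block, so only
# instances that are members of $groupID can reach each other.
$self  = New-Object Amazon.EC2.Model.UserIdGroupPair -Property @{ GroupId = $groupID }
$pairs = New-Object 'System.Collections.Generic.List[Amazon.EC2.Model.UserIdGroupPair]'
$pairs.Add($self)

# All TCP and UDP ports, group members only
$rules = foreach ($proto in @("tcp", "udp")) {
    New-Object Amazon.EC2.Model.IpPermission -Property @{
        IpProtocol = $proto; FromPort = 0; ToPort = 65535; UserIdGroupPairs = $pairs
    }
}
# ICMP echo request (type 8) from group members; ToPort -1 as the article explains
$rules += New-Object Amazon.EC2.Model.IpPermission -Property @{
    IpProtocol = "icmp"; FromPort = 8; ToPort = -1; UserIdGroupPairs = $pairs
}
Grant-EC2SecurityGroupIngress -GroupId $groupID -IpPermissions $rules

# Audit: report every inbound rule reachable from the entire Internet.
# Older SDK builds expose CIDRs as IpRanges (strings), newer ones as
# Ipv4Ranges (objects with a CidrIp property); both are checked.
$group = Get-EC2SecurityGroup -GroupId $groupID
foreach ($perm in $group.IpPermissions) {
    $cidrs = @($perm.IpRanges) + @($perm.Ipv4Ranges | ForEach-Object { $_.CidrIp })
    if ($cidrs -contains "0.0.0.0/0") {
        "REVIEW: $($perm.IpProtocol) ports $($perm.FromPort)-$($perm.ToPort) are open to 0.0.0.0/0"
    }
}
```

With the article's RDP rule in place, the audit will list TCP 3389 as open to 0.0.0.0/0; that is expected, and restricting its source to your management address range is the usual follow-up.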
