
Amazon Cassandra connection timeout on EC2 instance (Elastic Beanstalk)

I cannot connect to Amazon managed Cassandra (Keyspaces) from my EC2 instance. The EC2 instance is in a private subnet of a VPC with a VPC endpoint for Keyspaces.

EC2 outbound rules:

All TCP 0.0.0.0/0

VPC Endpoint inbound rules:

Custom TCP  TCP 9142    0.0.0.0/0

VPC Endpoint outbound rules:

Custom TCP  TCP 9142    0.0.0.0/0

These rules might actually be too permissive.

C# driver error:

Cassandra.NoHostAvailableException: 
  All hosts tried for query failed (tried 10.16.192.201:9142: 
    TimeoutException 'The timeout period elapsed prior to completion of SSL authentication operation.'; 10.16.224.203:9142: 
      TimeoutException 'The timeout period elapsed prior to completion of SSL authentication operation.')

I can SSH into the EC2.

The DNS seems correct:

$ nslookup cassandra.eu-west-2.amazonaws.com 
Server:     10.16.0.2
Address:    10.16.0.2#53

Non-authoritative answer:
Name:   cassandra.eu-west-2.amazonaws.com
Address: 10.16.192.201
Name:   cassandra.eu-west-2.amazonaws.com
Address: 10.16.224.203

I cannot curl the endpoint (timeout):

$ curl cassandra.eu-west-2.amazonaws.com:9142

And telnet:

$ sudo yum -y install telnet

$ telnet cassandra.eu-west-2.amazonaws.com 
Trying 10.16.192.201...
^C 

# Gave up after 60s

The security group for the VPC endpoint allows 9142 traffic to/from anywhere. The security group for the EC2 instance allows egress to anywhere.

How can I connect to Cassandra?


Update

After adding the VPC endpoint to the public subnet I can now do:

$ telnet cassandra.eu-west-2.amazonaws.com 9142
Trying 10.16.224.203...
Connected to cassandra.eu-west-2.amazonaws.com.
Escape character is '^]'.

Update

I can connect if the certificate revocation check is disabled.

sslOptions.SetCertificateRevocationCheck(false);

This makes me think that the issue is the connectivity from the EC2 to wherever the CRL is hosted. However, I don't want to move my EC2 to a public VPC, so what is a good strategy here?
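
A way to test the CRL-reachability hypothesis from the EC2 instance itself, added here as an example and not part of the original question or answers: it pulls the certificate chain served on the Keyspaces TLS port, lists the CRL distribution points in it, and tries to fetch each one the way the .NET revocation check would. It assumes openssl and curl are installed; the host and port are the ones from the question, and the embedded certificate text is a constructed sample.

```shell
# Added diagnostic, not from the original post. Lists the CRL distribution points
# of the chain served on the Keyspaces TLS port and checks that this host can fetch
# them; if it cannot, the .NET revocation check stalls until its timeout (the error
# in the post). Assumes openssl and curl are installed; host/port are from the post.
KEYSPACES_HOST="cassandra.eu-west-2.amazonaws.com"
KEYSPACES_PORT=9142
# Print every URI under "X509v3 CRL Distribution Points" in `openssl x509 -text`
# output read from stdin (pure text processing, so it can be tested offline).
extract_crl_urls() {
  awk '/X509v3 CRL Distribution Points/ { in_cdp = 1; next }
       in_cdp && /^ *X509v3 / { in_cdp = 0 }   # the next extension ends the section
       in_cdp && /URI:/       { sub(/.*URI:/, ""); print }'
}
# Fetch the presented chain and collect the CRL URIs of every certificate in it.
crl_urls_for_endpoint() {
  local tmp; tmp=$(mktemp -d)
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
    awk -v dir="$tmp" '/BEGIN CERT/ { n++ } n { print > (dir "/cert" n ".pem") }'
  for pem in "$tmp"/cert*.pem; do
    [ -f "$pem" ] && openssl x509 -in "$pem" -noout -text 2>/dev/null | extract_crl_urls
  done | sort -u
  rm -rf "$tmp"
}
# Try each CRL URL from stdin over plain HTTP, as the revocation check would;
# returns non-zero if any of them cannot be fetched from this instance.
check_crl_reachability() {
  local url status=0
  while read -r url; do
    if curl -sS -o /dev/null --max-time 10 "$url"; then printf 'reachable    %s\n' "$url"
    else printf 'UNREACHABLE  %s\n' "$url"; status=1; fi
  done; return $status
}
# Constructed sample of `openssl x509 -text` output (not a real Keyspaces cert),
# used to exercise extract_crl_urls without network access.
sample_cert_text() {
  cat <<'EOF'
        X509v3 CRL Distribution Points:
            Full Name:
              URI:http://crl.example.invalid/intermediate.crl
        X509v3 Authority Information Access:
            OCSP - URI:http://ocsp.example.invalid
EOF
}
# Set RUN_CRL_CHECK=1 to query the real endpoint; by default only the offline sample runs.
if [ "${RUN_CRL_CHECK:-0}" = 1 ]; then
  crl_urls_for_endpoint "$KEYSPACES_HOST" "$KEYSPACES_PORT" | check_crl_reachability
else
  sample_cert_text | extract_crl_urls
fi
```

Any URL printed as UNREACHABLE is a host the private subnet cannot reach over HTTP, which is the path the revocation check needs; an outbound route for that traffic (rather than moving the instance) is what the script points you at.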

I think you need a key to connect to Cassandra as per the documentation "Using a Cassandra .NET Core Client Driver to Access Amazon Keyspaces Programmatically":

$client = new-object System.Net.WebClient
$client.DownloadFile("https://www.amazontrust.com/repository/AmazonRootCA1.pem","path_to_file\AmazonRootCA1.pem")

You can use private interface VPC endpoints to connect to Keyspaces. This will allow you to use a different endpoint that's only accessible from a VPC, so that network traffic does not leave the Amazon network.

https://docs.aws.amazon.com/keyspaces/latest/devguide/vpc-endpoints.html
