First of all thanks in advance for any help, this is the first time I'm setting up a system like this, so a few points are not clear and might be written in bad form (and that's why I'm here).

Scenario

This application is a Clojure service designed to run as an AWS Batch job within a Fargate container, orchestrated by AWS Step Functions. The service needs to communicate with two private endpoints, Server A and Server B.

Network Setup

  • Private Network Connectivity: The AWS Batch environment runs on a VPC. This VPC's private subnet is connected to our client's private network via a Site-to-Site (S2S) VPN connection
  • Access to External Hosts (A and B): The target servers, A and B, are located deep within the client's network. I do not have direct access to them
  • Intermediate Proxy Server: Within the client's network (accessible via the S2S VPN), there is a dedicated proxy server (let's call it the Jump Host). This Jump Host has direct network access to both Server A and Server B
  • Dynamic SSH Tunnel: To route traffic from my application (running in the Fargate container) to Server A and Server B, I establish a dynamic SSH tunnel (SOCKS proxy) through the Jump Host. This allows the application to treat the Jump Host as a SOCKS5 proxy to reach the final destinations

Extra info

  • I made sure to get A's certificate and put it in my application
  • B is fine, I mentioned it just to make it clear why I am using a dynamic tunnel
  • A's hostname ends with ".local", which seems to throw off JVM code

Before making any call to A I set a few system-wide configurations, with the details of the SOCKS proxy, like

;; route every JVM socket through the SOCKS5 proxy exposed by the SSH dynamic tunnel
(System/setProperty "socksProxyHost" proxy-host)
(System/setProperty "socksProxyPort" proxy-port) ; setProperty takes strings, so proxy-port must already be a string
(System/setProperty "socksProxyVersion" "5")
;; avoid IPv6 lookups/sockets, which have no route over the tunnel
(System/setProperty "java.net.preferIPv4Stack" "true")

The problem

During development I solve the issue by passing --dns $DNSIP to Docker to have A resolvable by my application, in production I can't do the same thing. Ideally I would love to have Java resolve A's IP address from inside the tunnel, but I don't know how to tell it without --dns $DNSIP.

  • Isn't using a static IP for A an option? Commented Oct 24 at 8:59
  • Your issue sounds similar to this: stackoverflow.com/questions/24754096/… It would also help if you shared more information about the error (such as a stack trace) Commented Oct 24 at 9:05
  • @JurajMartinka If I do that then SSL complains; I did not add a stack trace because that's just the usual unhandled 504. Commented Oct 24 at 12:59
  • I tried instructing the JVM with the DNS, but without success. Commented Oct 24 at 13:03
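The question comes down to where the name of Server A gets resolved: if the client resolves it locally, the SOCKS5 CONNECT request carries an IP literal (address type 0x01 or 0x04) and the lookup has already happened outside the tunnel; if the client leaves resolution to the proxy, the request carries the hostname itself (address type 0x03, RFC 1928) and the Jump Host resolves it on the client network. That second form is what "resolving A from inside the tunnel" means on the wire, and in the JDK's own SOCKS client it is emitted when the target `InetSocketAddress` is still unresolved at connect time (check this against the JDK version actually in use). The encoder/decoder below is an added example written for this page, not code from the original post; it builds and parses SOCKS5 CONNECT requests so the two forms can be compared byte for byte, for instance against a packet capture taken on the tunnel side. The hostname `server-a.client.local` and the addresses are constructed sample values.

```python
"""SOCKS5 CONNECT request encoder/decoder (RFC 1928).

Shows the difference between a client that resolved the target locally
(ATYP 0x01/0x04: an IP literal is sent) and one that hands the hostname to
the proxy (ATYP 0x03: proxy-side resolution). Constructed example; the
hostname and addresses used in __main__ are made up.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def build_connect_request(target: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT for `target`, which may be an IP literal or a hostname.

    A hostname is sent verbatim (ATYP 0x03), i.e. the proxy resolves it; an IP
    literal is sent as ATYP 0x01/0x04, i.e. resolution already happened here.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is None:
        name = target.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname length must fit in one byte")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    elif ip.version == 4:
        addr = bytes([ATYP_IPV4]) + ip.packed
    else:
        addr = bytes([ATYP_IPV6]) + ip.packed
    # VER, CMD, RSV (must be 0), then the address block and a big-endian port
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """Decode a SOCKS5 CONNECT request; raises ValueError if it is malformed.

    `resolved_by_proxy` is True only for the domain-name form, which is the
    only form that does not leak a DNS lookup on the client side.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        dst, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        dst, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        dst, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return {
        "atyp": atyp,
        "dst": dst,
        "port": struct.unpack("!H", rest)[0],
        "resolved_by_proxy": atyp == ATYP_DOMAIN,
    }


if __name__ == "__main__":
    # Constructed sample targets: a .local hostname as in the question, and an IPv4 literal.
    for target in ("server-a.client.local", "10.1.2.3"):
        req = build_connect_request(target, 443)
        info = parse_connect_request(req)
        print(f"{target:>22} -> {req.hex()}  resolved_by_proxy={info['resolved_by_proxy']}")
```

Reading a real request off the wire (for example from a capture of the local end of the SSH dynamic tunnel) and feeding its CONNECT bytes to `parse_connect_request` tells you directly whether the JVM sent the `.local` name to the Jump Host or tried to resolve it first; the latter is the case that needs the local `--dns` workaround.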
