
I have a web app deployed to an EC2 instance. It uses the DefaultAWSCredentialsProviderChain and works from my local PC; however, it gets an error when connecting to kinesisvideo from the EC2 instance.

I have assigned the IAM role AmazonKinesisVideoStreamsFullAccess to the EC2 instance but still get the following error: `com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to kinesisvideo.[region].amazonaws.com:443 [kinesisvideo.[region].amazonaws.com/[some random ip here each try]] failed: connect timed out`

I am limiting the IP and security groups for the EC2 instance, so maybe I have to add a rule there?

h2o
  • The EC2 instance needs a network path to the KinesisVideo endpoint. What did you do when "limiting the IP and security groups for the ec2 instance"? Does the instance have a public IP or does it route via NAT? Or do you have VPC Endpoint for KinesisVideo? – jarmod Feb 04 '22 at 01:16
  • @jarmod The EC2 does not have a public IP and we are limiting traffic to only that from the web server (another EC2 instance with a public IP). "Do you have VPC Endpoint for KinesisVideo?" - No. – h2o Feb 04 '22 at 01:30
  • So, if I understand, you have an EC2 instance without a public IP (and it has no Elastic IP) that makes API requests to the Amazon Kinesis Video endpoint, yes? How do you intend to route these requests from a private IP? It would need to route via NAT or via a service-specific VPC Endpoint. – jarmod Feb 04 '22 at 01:39
  • @jarmod "yes?" - Correct. NAT is out of the question. Is there a way I can access kinesisvideo the same way as I access RDS? Because I can access RDS from it. – h2o Feb 04 '22 at 01:55
  • If by RDS you mean an RDS instance, then it's deployed in your VPC and traffic typically routes privately. If by RDS you mean the RDS service, then that routes over the internet or via VPC Endpoint. It [looks like](https://docs.aws.amazon.com/vpc/latest/privatelink/integrated-services-vpce-list.html) Kinesis Video doesn't support PrivateLink (VPC Endpoints). You'd have to route via NAT or give the EC2 instance a public IP, but either way you are going to be paying for data transferred out to Kinesis Video, I think. – jarmod Feb 04 '22 at 02:03
  • @jarmod I see. It started connecting the moment I assigned a public IP to it. However, this defeats the purpose of the web and app server setup. – h2o Feb 04 '22 at 02:47
  • How does what "defeat the purpose"? You can't talk to computers on the internet without a public IP (directly or indirectly). That doesn't mean the instance that has the public IP needs to allow inbound connections. – jarmod Feb 04 '22 at 02:55
  • @jarmod Sorry, I meant our system setup (if I assign a public IP to the app server). So you mean to say that I can still assign a public IP but retain the security limits attached to it? Got it. I think that should work. Thank you! – h2o Feb 04 '22 at 03:00
  • Read about Security Groups. They are firewalls. By default, no inbound connections are allowed to your EC2 instances. – jarmod Feb 04 '22 at 12:01
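The decision tree jarmod walks through in the comments (VPC endpoint, NAT, or a public IP behind an internet gateway, then whether any attached security group allows outbound TCP/443), as an added Python example that is not part of the question or the comments. The field names follow boto3's describe_* response shapes; the instance, route and security-group values are constructed.

```python
# Added example, not code from the question or comments: the network-path checks
# jarmod walks through, applied to dicts shaped like boto3's describe_instances,
# describe_route_tables, describe_vpc_endpoints and describe_security_groups
# responses. Every sample value below is constructed.

def has_public_address(instance):
    """Auto-assigned public IPv4 or an Elastic IP on any attached interface."""
    return bool(instance.get("PublicIpAddress")) or any(
        ni.get("Association", {}).get("PublicIp")
        for ni in instance.get("NetworkInterfaces", []))

def default_route_target(route_table):
    """Target of the active 0.0.0.0/0 route: 'igw', 'nat' or None."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
            if r.get("GatewayId", "").startswith("igw-"):
                return "igw"
            if r.get("NatGatewayId", "").startswith("nat-"):
                return "nat"
    return None

def allows_https_egress(security_groups):
    """Groups are additive: one attached group allowing TCP/443 out is enough."""
    for perm in (p for sg in security_groups for p in sg.get("IpPermissionsEgress", [])):
        if perm.get("IpProtocol") == "-1":
            return True
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535):
            return True
    return False

def diagnose(instance, route_table, endpoints, security_groups, region):
    """Why the SDK's HTTPS connection to kinesisvideo succeeds or times out."""
    # Endpoint branch kept for services with PrivateLink; per the thread, Kinesis Video had none.
    if any(e.get("ServiceName") == f"com.amazonaws.{region}.kinesisvideo" for e in endpoints):
        return "ok: interface VPC endpoint for kinesisvideo"
    target = default_route_target(route_table)
    if target == "nat":
        return "ok: private instance egresses through a NAT gateway"
    if target == "igw" and has_public_address(instance):
        if not allows_https_egress(security_groups):
            return "blocked: no attached security group allows outbound TCP/443"
        return "ok: public IP via internet gateway; inbound is still limited by the security group"
    return "timeout: no public IP, NAT or endpoint, so 'connect timed out' is expected"

# Constructed: the asker's app server (private IP only), subnet routed to an IGW, SG admitting only the web server.
APP_INSTANCE = {"InstanceId": "i-0123456789abcdef0", "PrivateIpAddress": "10.0.2.15", "NetworkInterfaces": []}
SUBNET_ROUTES = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"}]}
APP_SG = [{"GroupId": "sg-0123456789abcdef0",
           "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]}],
           "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
```

Running `diagnose(APP_INSTANCE, SUBNET_ROUTES, [], APP_SG, "us-east-1")` reproduces the asker's timeout, and the same call with a `PublicIpAddress` on the instance returns the "ok" verdict the thread arrives at.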

0 Answers