[lug] Ubuntu repository access on private AWS VPC?

Bear Giles bgiles at coyotesong.com
Thu Mar 29 09:08:05 MDT 2018


NATs are out - the reason for the private VPN is that there's (nearly) no
possibility of illicit exfiltration of data. That's why I mentioned
(somewhere) that if some of my servers get pushed into the private VPN then
the database should be pushed into a privater VPN. [1/2 :-) ]

(Well, the real reason is to practice setting up this type of secured
environment... :-) It's overkill for a personal Atlassian instance but not
uncommon for a Hadoop cluster to be totally isolated except for designated
edge nodes.)

It looks like the answer is an S3 endpoint. The repository is located at
http://us-east-1.ec2.archive.ubuntu.com.s3.amazonaws.com/ubuntu/ and
there's an 'apt-transport-s3' that lets you download packages from an S3
repository instead of using http, https, or ftp. (or tor!) I'll probably
write up something for my blog when I get it working.

BTW in case anyone uses Atlassian I think it costs $10/mo/user for each
service on their system, or $10/year/service for a 'starter license' for up
to 10 people. The EC2 resources you require, if you go that way, are

JIRA: t2.small
Confluence: t2.medium
Reverse proxy: t2.nano(?)
Database: t2.micro(?)

The Atlassian servers require the relatively large instances(*), even with
minimal use, due to the memory required by the tomcat instances. They
recommend against running both services on a single server, although it
might be okay with separate tomcat instances (they use different ports) or
virtual machines. This is annoying when it's a personal site so it's only a
single user. It's just a tad more expensive than their service if you get
3-year reserved instances, and you come out ahead (less sysadmin costs) for
2-10 users.

The reverse proxy isn't required but it's good practice and an easy way to
force https. It may allow you to push the servers into a private VPC but
I'm not certain - it might need to call other services. (NTP is an obvious
example, but highly secure networks will want to run their own NTP anyway
in order to avoid certain attacks. Again the real reason is to practice
setting up this environment.) (Same thing for DNS for reverse lookups if
you're running an open service.)

Of course it's probably cheaper for us to just set up a mid-range server in
the office or at home and use port forwarding on our router to allow access
from the internet. An i5 with 16 GB should be more than adequate.

The other server I'm probably going to add is an image hosting server. I
know JIRA can attach images but I don't know if Confluence can or if it
requires an external host.

(*) "large" since I have a small flock of nano instances. With the 3-year
prepaid plan the effective cost is < $2/month. I think - that assumes the 8
GB storage associated with them is bundled in the cost. If not I need to
build my own image to upload...


On Wed, Mar 28, 2018 at 5:58 PM, Kevin Maris <kevin.r.maris at gmail.com>
wrote:

> How special are the instances? Build new AMIs with the updates and deploy
> a new instance in place of the old ones?
>
> On 03/27/2018 07:05 PM, Bear Giles wrote:
>
> I've seen references to this but haven't found actual instructions (except
> for S3 and Dynamo DB)....
>
> I have some AWS EC2 instances that have a public interface. I have a few
> that don't have a public interface at all - they're only accessible from
> the first systems.
>
> Think webapp server (public) and database (private). Or even reverse proxy
> (public), webapp server (private), database (super-private).
>
> The problem is getting Ubuntu packages onto the private instances. I've
> been manually copying a few extra packages, e.g., for the database, but
> that's not sustainable when I want to apply bug fixes, etc. Supposedly
> there's a way to set up your private VPC so it can see extremely selective
> external resources without setting up a full gateway but I haven't found
> any details.
>
> I am aware of 'endpoints', but only for S3 and DynamoDB.
>
> The Ubuntu repository is an HTTP server
> (http://us-east-1.ec2.archive.ubuntu.com/ubuntu/) or could be an FTP server.
>
> It looks like another approach is using 'apt-transport-s3' to point to an
> S3 bucket containing the packages, but I don't think that's what people
> were referring to. I don't know that for sure though.
>
> Bear
>
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
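An added illustration (not part of Bear's message or the thread) of the one caveat the S3-endpoint approach carries for the stated goal of "no possibility of illicit exfiltration": an S3 gateway endpoint with no endpoint policy lets every instance in the private VPC reach every S3 bucket, including ones outside your account. The code below builds a least-privilege endpoint policy that allows only read access to the Ubuntu mirror bucket and checks it with a small, simplified IAM-style evaluator. The bucket name is derived from the mirror URL quoted in the thread (http://us-east-1.ec2.archive.ubuntu.com.s3.amazonaws.com/ubuntu/); the evaluator models only Action/Resource wildcards and explicit-deny precedence, not IAM conditions, and is an assumption of this example rather than AWS's real evaluation logic.

```python
import fnmatch
import json

# Bucket name derived from the mirror URL in the thread:
# http://us-east-1.ec2.archive.ubuntu.com.s3.amazonaws.com/ubuntu/
UBUNTU_MIRROR_BUCKET = "us-east-1.ec2.archive.ubuntu.com"


def build_endpoint_policy(bucket: str) -> dict:
    """Least-privilege policy for an S3 gateway endpoint.

    Only read/list on the named bucket is allowed; every other action and
    every other bucket is implicitly denied, so the endpoint cannot be used
    to push data out of the VPC into an arbitrary bucket.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAptMirrorReadOnly",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
            }
        ],
    }


def policy_json(bucket: str = UBUNTU_MIRROR_BUCKET) -> str:
    """Serialized policy document, ready to hand to the endpoint creation call."""
    return json.dumps(build_endpoint_policy(bucket), indent=2)


def _match(pattern, value: str) -> bool:
    # IAM-style wildcard: '*' matches anything, including '/' in object keys.
    if isinstance(pattern, list):
        return any(_match(p, value) for p in pattern)
    if pattern == "*":
        return True
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation (assumption of this example): an explicit Deny
    wins, otherwise any matching Allow permits, otherwise the request is
    implicitly denied. Conditions and principals are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if _match(stmt["Action"], action) and _match(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def exfiltration_blocked(policy: dict, foreign_bucket: str) -> bool:
    """True when the policy refuses writes to a bucket that is not the mirror."""
    return not is_allowed(policy, "s3:PutObject", f"arn:aws:s3:::{foreign_bucket}/stolen.tar")


if __name__ == "__main__":
    policy = build_endpoint_policy(UBUNTU_MIRROR_BUCKET)
    print(policy_json())
    mirror_obj = f"arn:aws:s3:::{UBUNTU_MIRROR_BUCKET}/ubuntu/dists/InRelease"
    print("apt fetch allowed:", is_allowed(policy, "s3:GetObject", mirror_obj))
    print("write to other bucket blocked:", exfiltration_blocked(policy, "attacker-bucket"))
```

The printed document is what you would pass as the endpoint policy when creating the gateway endpoint (for the AWS CLI that is the `--policy-document` argument of `aws ec2 create-vpc-endpoint`); the evaluator is only there to let you sanity-check a policy offline before applying it. A bucket policy on the mirror bucket is outside your control, so the endpoint policy is the one place you can enforce the read-only, single-bucket restriction.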