A few months back we acquired a company and the team has been working to migrate their infrastructure out of their AWS account and into our AWS accounts. As part of that work, I ran into an interesting problem. Since our plan was always to migrate them into our environments, we did not bother setting up a VPN or Direct Connect to their account. Instead we relied (as they did before they joined us) on adding our local IP address to the AWS Security Group and then SSHing to the system we needed to access.
So when the need came up to access one of their servers to look at some configuration files, I ran `curl ifconfig.co` from the command line, put that IP address into the security group, and then tried to log in. Nothing. Unable to connect. I spent about 10 minutes trying to troubleshoot. I checked the security group again, making sure there were no access control lists, and that the routing tables were OK. I also asked the team leader if maybe they were running some sort of local firewall like iptables that might be the problem. Nope.
I chalked it up to some type of weirdness in our network (we have made a lot of changes lately), and figured I would try again when I got home. I ended up getting home a little late, but I did a quick test and had the same problem. I also noticed that my IP address at home was almost identical to the one I had at work. While that seemed odd, I wasn’t really in the mood to deal with it, so I just let it go and went to bed.
Then this morning I stopped by Starbucks with my wife and decided to figure out what the heck was going on with connectivity. After connecting to Starbucks wifi, running the curl command, and going to put my IP address in the security group, I again noticed it was similar to the one I had put in last night. By similar, I mean exactly the same. OK, wait a minute. How do I get the same IP address at Starbucks as I do at the office?
Rather than running the curl, I opened my web browser and went to a few different IP address retrieval sites. The one that proved to be the most fruitful was whatismyipaddress.com, since it returned more information, such as the ISP and Services that were running. As it turns out (and makes sense in retrospect), the requests from both the browser and curl were being redirected through the ScanSafe proxy server that my company uses on all company issued assets (and anything that can connect to the VPN), so the IP address being returned was the proxy's.
From that I assumed that while it proxies HTTP/HTTPS traffic, it was not proxying SSH traffic, so there must be another IP address that I needed to use. The question became, how do I get it without going to a website (and the proxy server)? I found the answer in a 2015 post on the nixCraft Blog. The post shows how to use the dig command on a Linux system to get your IP address:
```
dig +short myip.opendns.com @resolver1.opendns.com
182.16.4.116
```
Since this queries over DNS (port 53), it does not get sent through the proxy, so it should reliably give me the same address I would need for SSH. I added that IP address to the security group and was able to get access to the machine as needed. I have added an alias to my .bash_profile going forward that will allow me to get my IP anytime with a single command:
```
alias myip='dig +short myip.opendns.com @resolver1.opendns.com'
```
Now I can get the configurations off the server and finish up my Ansible.
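To catch this situation before editing a security group, the two lookups from this post can be compared directly. The script below is an added example, not code from the original post. The function names are illustrative, and it assumes `curl` and `dig` are installed and that DNS queries to `resolver1.opendns.com` are not themselves intercepted.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots into $1..$4
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Compare the address an HTTP lookup reports with the one a DNS lookup reports.
# Prints the verdict; status 0 = same path, 1 = HTTP is proxied, 2 = bad input.
egress_verdict() {
  is_ipv4 "$1" && is_ipv4 "$2" || { echo invalid; return 2; }
  if [ "$1" = "$2" ]; then echo direct; return 0; fi
  echo proxied; return 1
}

# Single-host CIDR for a security group rule, refusing anything malformed.
sg_cidr() {
  is_ipv4 "$1" || return 1
  echo "$1/32"
}

# Live lookups, using the two commands from the post (needs curl and dig).
live_check() {
  http_ip=$(curl -s --max-time 5 ifconfig.co)
  dns_ip=$(dig +short myip.opendns.com @resolver1.opendns.com)
  verdict=$(egress_verdict "$http_ip" "$dns_ip") || true
  echo "http=$http_ip dns=$dns_ip verdict=$verdict"
  [ "$verdict" = invalid ] || echo "SSH rule source: $(sg_cidr "$dns_ip")"
}

if [ "${1:-}" = "--live" ]; then
  live_check
else
  # Constructed sample: 203.0.113.10 stands in for a proxy's address.
  egress_verdict 203.0.113.10 182.16.4.116 || true
fi
```

Run it with `--live` to perform the real lookups. A `proxied` verdict means the HTTP-derived address is not the one SSH traffic will arrive from.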