
First of all, thanks in advance for any help. This is the first time I'm setting up a system like this, so a few points are not clear and might be written in bad form (and that's why I'm here).

Scenario

This application is a Clojure service designed to run as an AWS Batch job within a Fargate container, orchestrated by AWS Step Functions. The service needs to communicate with two private endpoints, Server A and Server B.

Network Setup

  • Private Network Connectivity: The AWS Batch environment runs on a VPC. This VPC's private subnet is connected to our client's private network via a Site-to-Site (S2S) VPN connection
  • Access to External Hosts (A and B): The target servers, A and B, are located deep within the client's network. I do not have direct access to them
  • Intermediate Proxy Server: Within the client's network (accessible via the S2S VPN), there is a dedicated proxy server (let's call it the Jump Host). This Jump Host has direct network access to both Server A and Server B
  • Dynamic SSH Tunnel: To route traffic from my application (running in the Fargate container) to Server A and Server B, I establish a dynamic SSH tunnel (SOCKS proxy) through the Jump Host. This allows the application to treat the Jump Host as a SOCKS5 proxy to reach the final destinations

Extra info

  • I made sure to get A's certificate and put it in my application
  • B is fine, I mentioned it just to make it clear why I am using a dynamic tunnel
  • A's hostname ends with ".local", which seems to throw off JVM code

Before making any call to A I set a few system-wide configurations with the details of the SOCKS proxy, like

    ;; point the JVM's built-in SOCKS client at the dynamic SSH tunnel
    (System/setProperty "socksProxyHost" proxy-host)
    (System/setProperty "socksProxyPort" proxy-port)
    ;; SOCKS5 (SOCKS4 has no domain-name address type)
    (System/setProperty "socksProxyVersion" "5")
    (System/setProperty "java.net.preferIPv4Stack" "true")

The problem

During development I solve the issue by passing --dns $DNSIP to Docker so that A is resolvable by my application; in production I can't do the same thing. Ideally I would love to have Java resolve A's IP address from inside the tunnel, but I don't know how to tell it to without --dns $DNSIP.

  • Isn't using a static IP for A an option? Commented Oct 24 at 8:59
  • Your issue sounds similar to this: stackoverflow.com/questions/24754096/… It would also help if you shared more information about the error (such as a stack trace) Commented Oct 24 at 9:05
  • @JurajMartinka If I do that then SSL complains; I did not add a stack trace because that's just the usual unhandled 504. Commented Oct 24 at 12:59
  • I tried instructing the JVM with the DNS, but without success. Commented Oct 24 at 13:03
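The behaviour the question is circling around is in the JVM's SOCKS5 client itself: when the endpoint handed to `Socket.connect` is an unresolved `InetSocketAddress`, the JVM sends the destination as a domain name (SOCKS5 address type 3) and lets the proxy, here the jump host behind `ssh -D`, resolve it; when the endpoint is already resolved, only the IP address (type 1) reaches the proxy, so the name must have been resolvable inside the container, which is what `--dns $DNSIP` provided. The following Clojure program is an added example, not code from the question or the asker's service: it starts a throwaway SOCKS5 listener on the loopback interface, connects through it both ways and returns what the listener received, so it runs offline. The hostname `server-a.local`, the port 443 and the made-up address 10.0.0.5 are assumptions, and the explicit `java.net.Proxy` object is used instead of the `socksProxyHost`/`socksProxyPort` system properties so that nothing global has to be set.

```clojure
(ns socks-dns-demo
  "Added example: shows when the JVM's SOCKS5 client lets the proxy resolve names."
  (:require [clojure.string :as str])
  (:import [java.io DataInputStream DataOutputStream]
           [java.net InetAddress InetSocketAddress Proxy Proxy$Type
                     ServerSocket Socket]))

(defn- socks5-accept-one
  "Speaks just enough SOCKS5 (RFC 1928) to accept a single CONNECT and
   report what the client asked for as {:atyp n :host s :port n}.
   ATYP 1 = IPv4, 3 = domain name (the proxy resolves it), 4 = IPv6."
  [^Socket conn]
  (let [in  (DataInputStream. (.getInputStream conn))
        out (DataOutputStream. (.getOutputStream conn))
        read-bytes (fn [n] (let [b (byte-array n)] (.readFully in b) b))]
    ;; greeting: VER NMETHODS METHODS...; answer "no authentication required"
    (when (not= 5 (.readUnsignedByte in))
      (throw (ex-info "not a SOCKS5 client" {})))
    (read-bytes (.readUnsignedByte in))
    (.write out (byte-array [5 0]))
    (.flush out)
    ;; request: VER CMD RSV ATYP DST.ADDR DST.PORT
    (read-bytes 3)
    (let [atyp (.readUnsignedByte in)
          host (cond
                 (= atyp 1) (str/join "." (map #(bit-and % 0xff) (read-bytes 4)))
                 (= atyp 3) (String. ^bytes (read-bytes (.readUnsignedByte in)) "ISO-8859-1")
                 (= atyp 4) (str/join ":" (map #(format "%02x" (bit-and % 0xff)) (read-bytes 16)))
                 :else (throw (ex-info "unknown SOCKS5 address type" {:atyp atyp})))
          port (.readUnsignedShort in)]
      ;; reply: VER=5 REP=0 (succeeded) RSV ATYP=1 BND.ADDR=0.0.0.0 BND.PORT=0
      (.write out (byte-array [5 0 0 1 0 0 0 0 0 0]))
      (.flush out)
      {:atyp atyp :host host :port port})))

(defn connect-via-socks5
  "Opens a TCP socket to `dest` through the SOCKS5 proxy at `proxy-addr`,
   using an explicit java.net.Proxy instead of the socksProxy* system
   properties. Whether the proxy or the JVM resolves the name depends only
   on whether `dest` is an unresolved InetSocketAddress."
  [^InetSocketAddress proxy-addr ^InetSocketAddress dest]
  (doto (Socket. (Proxy. Proxy$Type/SOCKS proxy-addr))
    (.connect dest 5000)))

(defn what-the-proxy-sees
  "Runs a throwaway SOCKS5 listener on loopback (standing in for the jump
   host), connects to `dest` through it and returns the destination exactly
   as the proxy received it."
  [^InetSocketAddress dest]
  (with-open [server (ServerSocket. 0 1 (InetAddress/getLoopbackAddress))]
    (let [seen  (future (with-open [conn (.accept server)] (socks5-accept-one conn)))
          proxy (InetSocketAddress. (InetAddress/getLoopbackAddress) (.getLocalPort server))]
      (.close (connect-via-socks5 proxy dest))
      (deref seen 5000 :timeout))))

(defn -main [& _]
  ;; Unresolved endpoint: the JVM never calls InetAddress.getByName; the
  ;; proxy receives ATYP 3 and the literal name, and resolves it with its DNS.
  (println "unresolved endpoint ->"
           (what-the-proxy-sees (InetSocketAddress/createUnresolved "server-a.local" 443)))
  ;; Resolved endpoint (10.0.0.5 is a made-up address, as if the container
  ;; had resolved the name itself): the proxy receives ATYP 1 and only the
  ;; address, so the name had to be resolvable locally.
  (println "resolved endpoint   ->"
           (what-the-proxy-sees
             (InetSocketAddress. (InetAddress/getByAddress "server-a.local" (byte-array [10 0 0 5]))
                                 443))))
```

The first call reports the name with address type 3 and the second reports only the address with type 1, which is the difference between "the jump host resolves A" and "the container must resolve A". Two caveats for using this in the real service: SOCKS4 has no domain-name address type, so `socksProxyVersion` must stay at 5 (the `ssh -D` listener speaks SOCKS5 and resolves the name on the jump host); and the TLS layer must still be told the name, e.g. by wrapping the open socket with `SSLSocketFactory.createSocket(socket, "server-a.local", 443, true)`, so that SNI and hostname verification use the name on A's certificate rather than an IP. Finally, check whether the HTTP client library in use resolves the name itself before opening the socket (Apache HttpClient, which clj-http wraps, does this through its `DnsResolver`); if it does, the unresolved address never reaches the JVM's SOCKS client and the library needs its own hook for remote resolution.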
