Network Guide

We offer three delivery methods (aka fulfillment options) for bucketAV:

  • Dedicated public VPC (dedicated-public-vpc)
  • Dedicated private VPC (dedicated-private-vpc)
  • Existing VPC (shared-vpc)

We recommend using the Dedicated public VPC or Dedicated private VPC delivery method for two reasons. First, in our opinion, you should isolate the network used by bucketAV to scan potentially infected files from any other networks. Second, the complexity of setting up bucketAV increases when choosing the Existing VPC delivery method.

The EC2 instances managed by bucketAV require access to AWS services like S3, CloudWatch, and more. See Required outbound ports for details.

This guide helps you debug networking issues using the Existing VPC delivery method.

Run the test script

Use SSH or the Session Manager to connect to one of the EC2 instances launched by bucketAV. Check out My SSH connection is not working; what’s wrong? in case you have trouble connecting to a machine. Also, to avoid instance termination, you might want to set the AutoScalingMinSize to >=1 (see How can I edit the configuration?).

$ /home/ec2-user/networktest.sh

The script will generate an output as shown in the following listing.

[SUCCESS] Connected to SNS successfully.
[SUCCESS] Connected to SQS successfully.
[SUCCESS] Connected to S3 (Region) successfully.
[SUCCESS] Connected to S3 (HTTP) successfully.
[SUCCESS] Connected to S3 (Global) successfully.
[SUCCESS] Connected to CloudWatch Monitoring successfully.
[SUCCESS] Connected to CloudWatch Logs successfully.
[SUCCESS] Connected to CloudFormation successfully.
[SUCCESS] Connected to SSM successfully.
[SUCCESS] Connected to SSM Messages successfully.
[SUCCESS] Connected to EC2 Messages successfully.
[SUCCESS] Connected to ClamAV Mirror successfully.
[SUCCESS] Connected to Amazon Linux 2 Repository successfully.

Watch out for [FAILURE] messages.

Fixing networking issues

Because network configurations differ, we cannot provide a single solution, but the following hints cover the most common setups.

Internet Gateway

Check the routing table attached to the subnet of a bucketAV instance. If the route table contains an entry for 0.0.0.0/0 pointing to an Internet Gateway (igw-), you are deploying bucketAV into a public subnet.

In this case, you must ensure that bucketAV attaches a public IP address when launching an EC2 instance. Set the AssociatePublicIpAddress parameter to true. Check out How can I edit the configuration? in case you need detailed instructions on how to do so.

Also, ensure that all subnets used by bucketAV (see Subnets parameter) use a routing table with an entry pointing to the Internet Gateway.

NAT Gateway

If you deployed bucketAV into a subnet without an Internet Gateway, you might be using a typical VPC configuration with private and public subnets. Again, check the routing table attached to the subnet of a bucketAV instance. If the route table contains an entry for 0.0.0.0/0 pointing to a NAT Gateway (ngw-), you are deploying bucketAV into a private subnet with access to a NAT Gateway.

  1. Verify that the Network Access Control List attached to the subnet used by bucketAV and the NAT Gateway allow outbound traffic on port 443 (HTTPS) and 80 (HTTP) as well as inbound traffic on high ports.
  2. Verify that all subnets used by bucketAV (see Subnets parameter) use a routing table with an entry pointing to the NAT Gateway.

VPC Endpoint

If the subnets are neither connected with an Internet Gateway nor a NAT Gateway, we recommend configuring VPC Endpoints for the AWS services required by bucketAV.

com.amazonaws.eu-west-1.sns (Interface)
com.amazonaws.eu-west-1.sqs (Interface)
com.amazonaws.eu-west-1.s3 (Gateway)
com.amazonaws.eu-west-1.monitoring (Interface)
com.amazonaws.eu-west-1.logs (Interface)
com.amazonaws.eu-west-1.cloudformation (Interface)

If you set the SystemsManagerAccess parameter to true, additional VPC endpoints are required.

com.amazonaws.eu-west-1.ssm (Interface)
com.amazonaws.eu-west-1.ssmmessages (Interface)
com.amazonaws.eu-west-1.ec2messages (Interface)
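The three checks above (Internet Gateway, NAT Gateway, VPC Endpoint) combined into one script, as an added example that is not part of bucketAV's own tooling: it classifies a subnet from the JSON that `aws ec2 describe-route-tables` returns (NAT routes are recognised by the NatGatewayId field) and lists the endpoint service names an isolated subnet needs for a given region. The route-table JSON is constructed inline with placeholder IDs; in practice you would feed it the real command output.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output; IDs are placeholders.
SAMPLE = json.loads("""{"RouteTables": [
 {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0placeholder"}]},
 {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv"}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0placeholder"}]},
 {"RouteTableId": "rtb-main", "Associations": [{"Main": true}],
  "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}]}""")

BASE_SERVICES = ["sns", "sqs", "s3", "monitoring", "logs", "cloudformation"]
SSM_SERVICES = ["ssm", "ssmmessages", "ec2messages"]  # only with SystemsManagerAccess=true


def route_table_for(subnet_id, data):
    """Explicitly associated table wins; otherwise the VPC's main route table applies."""
    main = None
    for table in data["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_subnet(subnet_id, data):
    """Return 'public', 'private-nat' or 'isolated' from the subnet's 0.0.0.0/0 route."""
    table = route_table_for(subnet_id, data) or {}
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"          # needs AssociatePublicIpAddress=true
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private-nat"     # check NACLs on ports 443/80 and high ports
    return "isolated"                # needs VPC endpoints, see required_endpoints()


def required_endpoints(region, systems_manager_access=False):
    """VPC endpoint service names bucketAV needs when a subnet is isolated."""
    services = BASE_SERVICES + (SSM_SERVICES if systems_manager_access else [])
    return [f"com.amazonaws.{region}.{svc}" for svc in services]


if __name__ == "__main__":
    for subnet in ("subnet-pub", "subnet-priv", "subnet-isolated"):
        print(subnet, "->", classify_subnet(subnet, SAMPLE))
```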

Need more help?

Write us, and we'll get back to you as soon as we can.
