I cannot access the management console
If you are having trouble accessing the management console the below information may be helpful.
It may occur that you are unable to access the management console UI. This could occur right after installation, after a reboot (from an update or another reason) or after you have changed the subdomain name. The first two scenarios typically turn out to be Subnet issues and the last is typically a DNS issue (if it is temporary).
During deployment you are asked to specify a VPC and 2 Subnets (preferably in different AZs) for the Console to run in. If you want to access the console publicly then the subnets must provide public access. What we have seen with numerous customers is that they will pick 2 subnets, one happens to be public and one happens to be private. Inevitably during the initial boot or after a reboot the console spins up on the private subnet and then can no longer be accessed from the URL or public IP. Ensure the subnets you choose are both public so no matter which the console spins up in, you'll be able to get to it.
Neither the console nor the scanning agents require a public IP, however:
- They must have outbound to the internet routes (to pull ECR images).
- They must if you want to access the application from the URL.
- If you have a VPN or Direct Connect you can access from the private IP and forget the public IP.
You can leverage an Internet Gateway and/or VPC Endpoints (for those services available) to access what is needed without public outbound access. Checkout the Deployment Details page for more details on public and internal routing.
There are times, typically right after the subdomain changes, that you cannot access the application from the new URL. This is typically a DNS issue and you just have to wait for DNS to catch up in your area. If this issue persists longer than you expect, try to access the console via the public IP assigned to it which can be identified in the AWS Console. If neither work, then explore the subnet issue described above.
There is an easy way to fix this. Run a Stack Update and select two new subnets. Identify before hand which are public or which will provide the access mechanism you'd like to use. For the stack update you will use the existing template and make no other changes but the subnets. When you are able to get back into the console, you can double check your VPC and Subnets on the Console Settings page.
- If desired, you could create an entirely new VPC with Subnets designed to work how you expect and run the console off of those.
- Allow DNS enough time to distribute to all locations.
- Check your Security Groups. One user's work/home IP changed and the Security Group was set to only allow the previous IP to access.
The vast majority of the time, it will be a VPC or DNS issue as described above. If you do not believe either of those to be the case, then one other trouble shooting step you could take is go to the ECS service in the AWS Management Console to ensure the console task is running. If it is you can drill down into the task itself to find the public and private IPs and attempt to access the console directly from those. If you can, then you know the console is up and running properly and the issue lies in the registration with Route53. Please contact us if this is the issue.
We have seen a couple of scenarios where there is a public IP, but DNS fails to come back and allow you to leverage the URL in the CloudFormation outputs.
- VPCs with proxies/firewalls/etc steering traffic and enforcing allowed URLs
- add cloudstoragesecapp.com to the allowed list
- Blocking outbound HTTPS calls which are used to register with Route53
- ensure HTTP calls can be made outbound
- No outbound internet access
As suggested above, you can go into the Console Task itself and find the public and private IPs and attempt to access with those. If you can, then one of the items listed above could be in play to affect the URL access. If you choose to access the application privately, work out a method that gives you consistent access to the Console task even after reboot.
Once in the ECS Management Portal, find the Cloud Storage Security cluster.
Find and click into the Console service.
Select the Tasks tab and click into the Task.
Locate the public IP on the Task details screen.
Now try to access the console with the IP found. If you can access it directly, then you know the application is up and running properly and you are facing a DNS issue.
