I see a lot of ec2-xxx-xxx-xxx-xxx-region-compute.amazonaws.com traffic in the WAN port pcap capture on MX appliances. In fact, all traffic on the secondary WAN is from AWS. Any idea why this would be happening? I have no VPN tunnel set up with AWS, nor any traffic coming from AWS instances. (pic attached)
I was wondering if I could get some advice from the forum, probably on some AWS Direct Connect connection, or if anyone has seen this before. I think if you don't have an answer it's better to keep shut than advising to open a support case.
Is it terminating to anything on the LAN side? I notice a lot of hacking/scanning garbage from AWS in general so maybe just that? I would want to see a LAN side pcap to and from that AWS address to understand better.
If I'm reading the pcap correctly, all of the packets are sourced from a known port and destined for an ephemeral port. That would typically indicate that something on your LAN side initiated the connection.
As @BrandonS suggested, a LAN side capture might yield some better information.
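The port heuristic above (well-known source port to ephemeral destination port means a reply to an inside-initiated connection, the reverse means an unsolicited inbound attempt) as an added, stand-alone example that is not from the original thread or from Meraki. It parses a classic pcap file with only the Python standard library; the sample packets and the RFC 5737 addresses standing in for the EC2 hosts are constructed, and the 32768 ephemeral floor is an assumed Linux-style default (Windows and IANA use 49152).

```python
import socket
import struct

EPHEMERAL_START = 32768  # assumed ephemeral floor (Linux default); Windows/IANA start at 49152

def build_tcp_frame(src_ip, sport, dst_ip, dport):
    """Minimal Ethernet/IPv4/TCP frame (constructed test data, not captured traffic)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (LINKTYPE_ETHERNET = 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def classify(sport, dport):
    """Thread heuristic: well-known src -> ephemeral dst is the reply leg of a
    connection a LAN host opened; ephemeral src -> well-known dst is unsolicited."""
    if sport < 1024 and dport >= EPHEMERAL_START:
        return "reply to LAN-initiated connection"
    if dport < 1024 and sport >= EPHEMERAL_START:
        return "unsolicited inbound attempt"
    return "undetermined"

def analyze_pcap(data):
    """Walk a pcap, pick out IPv4/TCP packets, and classify each by its port pattern."""
    magic, = struct.unpack_from("<I", data, 0)
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off, results = 24, []
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(end + "IIII", data, off)
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:      # IPv4 and TCP only
            continue
        ihl = (pkt[14] & 0x0F) * 4                          # IP header length in bytes
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        sport, dport = struct.unpack_from("!HH", pkt, 14 + ihl)
        results.append((src, sport, dst, dport, classify(sport, dport)))
    return results

# Constructed WAN-side sample: RFC 5737 documentation addresses stand in for the EC2 hosts.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("203.0.113.10", 443, "198.51.100.5", 51324),  # HTTPS server answering us
    build_tcp_frame("203.0.113.20", 40000, "198.51.100.5", 22),   # something probing our SSH
])
```

Running `analyze_pcap` over a real WAN capture exported from the dashboard gives the same per-packet verdicts; a run dominated by the first verdict points at an inside host, the second at internet background noise.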
Checking with AWS, it is identified that there are EC2 instances from some account which have these IPs. AWS cannot reveal the account holder or their location as per their policy. I have blocked the xxx.xxx.xxx.xxx/32 public IP in Layer 7 rules (IP range section) but still see traffic visible in the WAN internet pcap capture on the Meraki Dashboard. How else could I block "Internet Protocol Version 4, Src: ec2-xxx.xxx.xxx.xxx.us-east-2.compute.amazonaws.com" from hitting our MX? We do not have the advanced security features option.
@TheAlchemist you cannot stop any internet traffic hitting your MX from the WAN side unless you use a cloud/ISP proxy or firewall. Anyone in the world can try to send traffic to you. Is your public IP one you have had for a while, or a new one?