As you know, multiple AWS instances living within a single VPC can communicate with each other using private IP addresses. You can also directly connect instances in two separate VPCs within a single region using VPC Peering.
Assuming that you’ve set up your subnets so they don’t overlap, a peering connection enables direct traffic routing between VPCs using private IP address ranges. But what if you want to connect instances hosted in separate AWS regions? OpenVPN can make it happen.
If your organization can’t afford a commercial VPN, such as a product from Cisco or an on-premise UTM appliance, you can use the open source OpenVPN package to secure communications between your distributed resources at no cost. OpenVPN’s SSL/TLS-based user-space VPN supports Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows 2000/XP.
First, you’ll need to have VPCs configured with both public and private subnets in at least two different AWS regions. In this guide, we will assume that there is one VPC in AWS’s US East Region which we will call VPC-1, and a second VPC in EU West that we’ll call VPC-2.
From the Launch Instance menu of the EC2 dashboard, search for “OpenVPN Access Server” in the AWS Marketplace and launch the instance in the public subnet of VPC-1.
Make sure the security group associated with this instance has ports 22 (SSH), 443 (SSL), 993 (Admin Web UI), and 1194 (OpenVPN UDP port) open. You should also allocate an Elastic IP to this instance.
Log in to the instance via SSH using the username openvpnas and the key pair you set for this instance. To start the OpenVPN Access Server Setup Wizard from within your terminal session, run:
sudo vpn-init --ec2
Follow the instructions to begin configuring your server.
Disable the Source/Destination check for your VPN instance, since it will be forwarding traffic that is neither sourced from nor destined to its own address.
Now navigate to the VPC-2 dashboard in EU West Region and click on Customer Gateways, and then Create Customer Gateway. In the dialogue that opens, enter the public IP address of your OpenVPN Access Server instance, with Routing set to the default value of Static.
From the VPN Connections section on the left, click on Virtual Private Gateways and then Create Virtual Private Gateway. Select the virtual private gateway that you’ve just created and select Attach to VPC-2.
Click on Route Tables in VPC Management Console and select the routing table corresponding to your subnet(s). Click on the Route Propagation tab and select the vgw identifier for the virtual private gateway that you created earlier, then click the Add button.
Finally, click on the VPN Connections link at the bottom of the left frame, and then on Create VPN Connection. In the dialogue, select the virtual private gateway (vgw) and the customer gateway that you just created.
Select Use Static Routing, and then enter the EIP of the OpenVPN Access Server instance. Select the VPN connection that was created, and then note the Tunnel 1 and Tunnel 2 IP addresses below. Click the Download Configuration button when finished.
SSH into your OpenVPN Access Server instance and open /etc/ipsec.conf:
Edit the rightsubnet= value to point to the CIDR block of the VPC on the far side of the tunnel (VPC-2 in this guide).
Under the VPC-CUST-GW1 and VPC-CUST-GW2 sections, add the Tunnel 1 and Tunnel 2 IPs and save the file.
Now open the /etc/ipsec.secrets file and enter the Pre-Shared Keys (PSKs) from the VPC-2 configuration file you downloaded earlier.
To start the VPN connection, issue the ipsec start command.
If the VPN started properly, you should see green-colored VPN connection entries in your AWS VPC management console.
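A pre-flight check for the two files edited above, added here as an example and not part of the original post or of OpenVPN Access Server: it parses Openswan-style conn blocks, rejects a rightsubnet that overlaps the local subnet, and confirms that every tunnel peer has a matching PSK line in ipsec.secrets. The config fragments, addresses and PSKs are constructed placeholders.

```python
import ipaddress
import re

# Constructed Openswan-style fragments standing in for the edited files;
# addresses and PSKs are placeholders, not values from the post.
IPSEC_CONF = """
conn VPC-CUST-GW1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=203.0.113.10
    leftsubnet=10.0.0.0/16
    right=198.51.100.1
    rightsubnet=10.1.0.0/16
conn VPC-CUST-GW2
    authby=secret
    auto=start
    left=%defaultroute
    leftid=203.0.113.10
    leftsubnet=10.0.0.0/16
    right=198.51.100.2
    rightsubnet=10.1.0.0/16
"""
IPSEC_SECRETS = """
203.0.113.10 198.51.100.1: PSK "placeholder-psk-for-tunnel-1"
203.0.113.10 198.51.100.2: PSK "placeholder-psk-for-tunnel-2"
"""

def parse_conns(conf):
    """Return {conn_name: {key: value}} for each 'conn' block."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, val = line.split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns

def parse_psk_peers(secrets):
    """Return the set of (local_id, peer_ip) pairs that carry a PSK."""
    pat = re.compile(r'^(\S+)\s+(\S+):\s*PSK\s+"[^"]+"')
    matches = (pat.match(l.strip()) for l in secrets.splitlines())
    return {m.group(1, 2) for m in matches if m}

def check_tunnels(conf, secrets):
    """Return a list of problems; an empty list means the files agree."""
    problems, peers = [], parse_psk_peers(secrets)
    for name, c in parse_conns(conf).items():
        try:
            local = ipaddress.ip_network(c["leftsubnet"], strict=False)
            remote = ipaddress.ip_network(c["rightsubnet"], strict=False)
        except (KeyError, ValueError) as err:
            problems.append(f"{name}: bad or missing subnet ({err})")
            continue
        if local.overlaps(remote):  # peering/VPN needs disjoint CIDRs
            problems.append(f"{name}: leftsubnet overlaps rightsubnet")
        if (c.get("leftid"), c.get("right")) not in peers:
            problems.append(f"{name}: no PSK for {c.get('right')}")
    return problems
```

Run it against the real files with check_tunnels(open("/etc/ipsec.conf").read(), open("/etc/ipsec.secrets").read()) before issuing ipsec start.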