Enhancing connectivity from AWS to my on-premise network
A little background
If you just want to read how to set it up, skip ahead to the setup section.
I've been using AWS for nearly 4 years now, since soon after starting college. By the way, if you're not aware, AWS offers $100 credit on top of the extremely generous free tier; watch out for a blog post about this. But recently I've been setting up more advanced environments and fine-tuning my process, which makes it almost necessary to have a direct link to AWS.
The problem of advancing infrastructure
Recently I've been using Saltstack to coordinate spinning up and configuring different EC2 instances. As my salt master is on-premises, this introduced a unique challenge: I needed my minions to communicate with my master, but that required opening ports on my firewall.
Obviously this wasn't a great solution at all, as any open port increases the attack surface. Now of course I could open it only to certain source IPs, but when you're constantly spinning up new instances it becomes hard to keep that list up to date.
Many solutions to one big problem
There were several solutions I looked at pursuing. The first one was scripting against my OPNsense firewall, but that would require diving deep into new material and spending hours that could be better spent elsewhere, so I scratched that off the list before attempting it.
The next possible solution I wanted to try was a custom VPN connection from each AWS instance to my on-premises network using WireGuard. It seemed like a sound solution at the time, but after a few days of trying it out there were some shortfalls. The biggest was that I had to supply an individual key for each instance I set up, and since it would use my OPNsense box as an endpoint I fell into the same problem as above: scripting a solution.
But I knew I was onto something: I didn't need a VPN to each instance, just to my AWS network. This is when I found the golden egg, the AWS VPN. It has two forms, a client endpoint and a site-to-site VPN. This allows for all kinds of use cases, from a seamless integration between on-prem networks to just having a single client, for example a master-minion relation, have access to your AWS resources.
The best part about the VPN is that it is extremely flexible and allows for fine-grained control that I hope to fully understand one day. For example, you can configure routes to control which VPCs you have access to.
How to set up AWS VPN
To be honest I had a bit of trouble figuring out how to properly set up the VPN, since it definitely feels more aimed at enterprise customers who have a dedicated network person. I'll try my best to explain my steps below for future readers.
1. Go to the VPC section and, on the left side under VPN Connections, click Customer gateways.
2. Create a new gateway.
A. In the name field enter something memorable.
B. In IP Address enter the public IP address of your home network.
C. Click create.
3. Next go to Virtual private gateways under VPN connections and click create.
A. Here I entered a private ASN. An ASN is the internet's way of seeing whose IP addresses belong to whom, and a range of ASNs is reserved as non-routable and available for private use.
4. Now the most IMPORTANT part of the config: your site-to-site configuration.
A. Create a memorable name.
B. Choose Virtual Private Gateway and select the gateway you made above.
C. Choose the Customer gateway you created above.
D. For routing, select Static and enter your home CIDR block, e.g. 192.168.32.0/24.
E. You can leave the rest blank.
Setting up your router
Behind the scenes both endpoints go through a complicated process to make sure they only authenticate with each other. I suggest starting with the Cisco Press article on this; it is not necessary to move forward, but it does help in understanding what your router does.
1. On the AWS Site-to-Site VPN connections page, download the configuration.
A. AWS has a wide array of compatible device configurations, but if you don't see yours select Generic.
2. This process takes 4 steps: 2 connections, each with 2 phases.
3. Click the Add button for a new phase 1.
A. For Remote gateway, enter the address from your config download.
B. Enter the remaining phase 1 settings from your config download.
C. After saving, create a new phase 2. This is fairly self-explanatory following the config instructions; just make sure to set the remote network to the internal private network of your VPC.
4. Route all traffic through the IPsec connection, for example web, Saltstack and SSH.
5. On your security group, modify the incoming rules to allow traffic from your on-premises network (e.g. 192.168.1.0/24).
6. To test, ping from an on-premises machine to an EC2 instance and vice versa.
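The AWS-side steps above (customer gateway, virtual private gateway, site-to-site connection with a static home route) plus the security-group rule, as an added AWS CLI script that is not part of the original post. The public IP, VPC, route-table and security-group IDs and the ASNs are placeholders and assumptions; DRY_RUN=1 prints the commands instead of calling AWS.

```shell
# Added example (not from the original post): the AWS-side steps above, scripted
# with the AWS CLI. IDs and addresses are placeholders to replace; 65000/64512 are
# private ASNs; DRY_RUN=1 prints each command instead of running it.
set -eu
HOME_PUBLIC_IP="${HOME_PUBLIC_IP:-203.0.113.10}"  # placeholder: on-prem firewall WAN IP
HOME_CIDR="${HOME_CIDR:-192.168.32.0/24}"         # on-prem network, as in the post
VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
ROUTE_TABLE_ID="${ROUTE_TABLE_ID:-rtb-PLACEHOLDER}"
SG_ID="${SG_ID:-sg-PLACEHOLDER}"
DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }  # exec or echo
# Step 2: the customer gateway is your on-prem endpoint's public IP plus an ASN.
create_customer_gateway() {
  run aws ec2 create-customer-gateway --type ipsec.1 --public-ip "$HOME_PUBLIC_IP" \
    --bgp-asn 65000 --query CustomerGateway.CustomerGatewayId --output text
}
# Step 3: virtual private gateway with a private Amazon-side ASN, attached to the VPC.
create_virtual_private_gateway() {
  run aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn 64512 \
    --query VpnGateway.VpnGatewayId --output text
}
attach_virtual_private_gateway() {  # $1 = vgw id
  run aws ec2 attach-vpn-gateway --vpn-gateway-id "$1" --vpc-id "$VPC_ID"
}
# Step 4: static site-to-site VPN that carries only the home CIDR; route propagation
# lets the VPC route table learn it so replies from EC2 go back down the tunnel.
create_site_to_site_vpn() {         # $1 = cgw id, $2 = vgw id
  run aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id "$1" \
    --vpn-gateway-id "$2" --options StaticRoutesOnly=true \
    --query VpnConnection.VpnConnectionId --output text
}
add_home_route() {                  # $1 = vpn id, $2 = vgw id
  run aws ec2 create-vpn-connection-route --vpn-connection-id "$1" \
    --destination-cidr-block "$HOME_CIDR"
  run aws ec2 enable-vgw-route-propagation --route-table-id "$ROUTE_TABLE_ID" \
    --gateway-id "$2"
}
# Security-group step: open the group to the on-prem CIDR only, which now arrives
# via the tunnel, rather than to 0.0.0.0/0 (the attack-surface problem above).
allow_ssh_from_home() {
  run aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
    --protocol tcp --port 22 --cidr "$HOME_CIDR"
}
main() {
  cgw=$(create_customer_gateway); vgw=$(create_virtual_private_gateway)
  attach_virtual_private_gateway "$vgw" >/dev/null
  vpn=$(create_site_to_site_vpn "$cgw" "$vgw")
  add_home_route "$vpn" "$vgw" >/dev/null; allow_ssh_from_home >/dev/null
}
if [ "${1:-}" = apply ]; then main; fi
```

Run it as `sh setup-vpn.sh apply` with the placeholders exported, or with `DRY_RUN=1` first to review the exact commands it would issue.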