
@csghone
Last active September 8, 2020 11:52
AWS VPC Setup

Summary

  • Overall setup consists of
    • EC2 instance with open outbound internet access and only SSH inbound access via OpenVPN server
    • S3 endpoints to optimize S3 usage
    • IPSEC tunnel to local firewall
    • OpenVPN server with a public IP

Create an account

Create a VPC

  • https://console.aws.amazon.com/vpc/
    • Select the correct region in top-right-corner
    • Create an IPv4 CIDR block (eg: 10.0.0.0/16)
    • Name it test_vpc for future references.
    • Enable DNS hostnames and DNS resolution for more flexibility later.
  • Create a new subnet in test_vpc - this will contain your VPN instance
    • Name it vpn_public_subnet. Use a subset IPv4 CIDR block (eg: 10.0.1.0/24)
  • Create a second subnet in test_vpc - this will contain your private instances (LDAP server, generic EC2 instances), reachable only over the VPN
    • Name it ec2_private_subnet. Use a subset IPv4 CIDR block (eg: 10.0.2.0/24)
  • Create two route tables public_route_table and private_route_table in test_vpc
    • Both will have a local route for the whole VPC CIDR (10.0.0.0/16) by default; this route cannot be removed
  • Create an internet gateway igw_test_vpc
    • Attach this to test_vpc
  • Create a NAT gateway nat_test_vpc
    • Create this on vpn_public_subnet. An Elastic IP will get associated with this gateway
  • Edit public_route_table
    • Add 0.0.0.0/0 to go to igw_test_vpc
  • Edit private_route_table
    • Add 0.0.0.0/0 to go to nat_test_vpc
  • Edit route table association on vpn_public_subnet
    • Attach public_route_table to this subnet
  • Edit route table association on ec2_private_subnet
    • Attach private_route_table to this subnet
  • Create Endpoint for S3
    • Select the S3 Gateway endpoint (com.amazonaws.<region>.s3 - a gateway endpoint only reaches buckets in the same region)
    • Select your VPC: test_vpc
    • Select both route tables - AWS adds a route for the regional S3 prefix list to each of them
    • Select Full access policy to start; tighten the endpoint policy to the buckets you actually use later (it is an extra layer on top of IAM and bucket policies, not a replacement for them)
    • This ensures S3 traffic from both subnets stays on the AWS network instead of going out via the NAT/internet gateway (and avoids NAT data-processing charges)
  • Create a prefix list test_vpc_prefix_list
    • This will contain a list of all IPv4 CIDR blocks which can access your resources
    • You can add static IPs of your office network in this as well
    • This will help in managing instances which are open to internet. You can avoid giving access to 0.0.0.0/0 by using this prefix list.

Setup IPSEC tunnels to office premises

  • Reference: https://aws.amazon.com/premiumsupport/knowledge-center/create-connection-vpc/
  • Create customer gateway office_cgw
    • Provide office static IP
  • Create Virtual Private gateway office_vpgw
    • Attach to test_vpc
  • Create site-to-site VPN connection office_s2s
    • Select office_vpgw as Virtual Private Gateway
    • Select office_cgw as Customer Gateway
    • Set routing to BGP/static as per your local firewall
    • Add static IP routes from your office network (eg: 172.16.1.0/24)
    • Use default tunnel options if you have no idea what these are.
  • Edit private_route_table and public_route_table
    • Add a route for each office network (eg: 172.16.1.0/24) with target office_vpgw, or enable route propagation from office_vpgw on both tables so the routes appear automatically
  • Goto Site-to-site VPN connections
    • Wait until office_s2s moves to available state
    • Select office_s2s - Click on 'Download configuration' - select your local firewall
      • This will provide a configuration file for your office firewall
      • Setup an IPSEC tunnel on your office firewall with this.
      • There will be two tunnels from the office firewall to AWS (the two "Outside IP Address" values in office_s2s); AWS provides both for redundancy, so configure both
      • For each tunnel you will need one Phase 1 (P1 / IKE) entry with one or more Phase 2 (P2 / IPsec SA) entries
      • P2 entries control which office networks can reach the VPC through the tunnel
    • Verify public_route_table and private_route_table
      • Once the tunnel status shows UP, confirm that the routes for your office subnets via office_vpgw are present in both tables (added or propagated earlier)
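The two route tables built in the VPC section and the office route from the IPsec section can be checked against each other before anything is launched. The following is an added example, not part of the gist: a stand-alone model of public_route_table and private_route_table using only the Python standard library. The VPC, subnet and office CIDRs are the ones used above; the S3 prefix-list entries and the destination addresses are constructed for the example (the real regional S3 prefix list comes from `aws ec2 describe-prefix-lists`). It applies the same longest-prefix-match rule AWS uses, so you can see that from ec2_private_subnet an S3 address leaves via the endpoint, an office address via office_vpgw, everything else via the NAT gateway, and that nothing in the private table points at the internet gateway.

```python
"""Model of test_vpc's route tables (added example, not the gist's own code)."""
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.0.0.0/16")            # test_vpc
VPN_PUBLIC_SUBNET = ip_network("10.0.1.0/24")   # vpn_public_subnet
EC2_PRIVATE_SUBNET = ip_network("10.0.2.0/24")  # ec2_private_subnet
OFFICE_SUBNET = ip_network("172.16.1.0/24")     # static route to office via office_vpgw

# Constructed stand-in for the regional S3 prefix list; not real AWS ranges.
S3_PREFIX_LIST = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


def check_subnets(vpc, subnets):
    """Every subnet must sit inside the VPC CIDR and none may overlap."""
    for s in subnets:
        if not s.subnet_of(vpc):
            raise ValueError(f"{s} is not inside {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def build_route_tables():
    """Return both route tables as lists of (destination, target).

    The 'local' route for the whole VPC CIDR is present in every AWS route
    table and cannot be removed. The S3 gateway endpoint adds one route per
    prefix-list entry to every route table it is associated with.
    """
    common = [(VPC_CIDR, "local"), (OFFICE_SUBNET, "office_vpgw")]
    common += [(p, "vpce_s3") for p in S3_PREFIX_LIST]
    public = common + [(ip_network("0.0.0.0/0"), "igw_test_vpc")]
    private = common + [(ip_network("0.0.0.0/0"), "nat_test_vpc")]
    return {"public_route_table": public, "private_route_table": private}


def resolve(route_table, dst):
    """Pick the target for dst by longest-prefix match, as AWS does."""
    dst = ip_address(dst)
    best = None
    for net, target in route_table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def has_internet_gateway_route(route_table):
    """True if any route targets an internet gateway. Without such a route a
    public IP on an instance in that subnet is not reachable from outside,
    which is what makes ec2_private_subnet private."""
    return any(target.startswith("igw") for _, target in route_table)


if __name__ == "__main__":
    check_subnets(VPC_CIDR, [VPN_PUBLIC_SUBNET, EC2_PRIVATE_SUBNET])
    tables = build_route_tables()
    for name, rt in tables.items():
        print(name, "igw route:", has_internet_gateway_route(rt))
        for dst in ("10.0.1.10", "172.16.1.5", "192.0.2.7", "8.8.8.8"):
            print(f"  {dst:<12} -> {resolve(rt, dst)}")
```

If you later add a third subnet or a second office network, extend the constants and rerun: an overlapping CIDR raises immediately, and a destination that unexpectedly resolves to nat_test_vpc (for example an S3 range missing from the prefix list) shows up in the printout before it shows up on the NAT bill.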

Create SSH admin keys

  • Under EC2 -> Network & Security -> Key pairs
    • Create a new key pair or import an existing public key. Name it cloud_admin; the downloaded private key file is cloud_admin.pem, used below. Keep it readable only by you (chmod 400 cloud_admin.pem), otherwise ssh refuses to use it.

Setup OpenVPN

  • Launch an EC2 instance with following details
    • t2.micro (or t3.micro) is usually enough. Upgrade later if needed.
    • Use the OpenVPN Access Server AMI - this is available in the AWS Marketplace at no AMI charge (you still pay for the instance).
      • Default is free for two connections. License can be upgraded later as needed.
    • Select subnet as vpn_public_subnet
    • Enable a public IP. An auto-assigned public IP changes on every stop/start, so allocate an Elastic IP and associate it with this instance. This is openvpn_ip for future reference
    • Select cloud_admin.pem as SSH key
    • 8 GB disk is sufficient.
    • A security group is suggested by the AMI (TCP 22, 443, 943 and UDP 1194, all from 0.0.0.0/0). Leave 443 and 1194/udp open for VPN clients, but restrict 22 (SSH) and 943 (Admin Web UI) to test_vpc_prefix_list
  • Login to the box ssh -i cloud_admin.pem openvpnas@openvpn_ip
  • On first login, OpenVPN configuration executes automatically. Default options are usually enough.
  • If you chose openvpn as the admin user in the wizard, create that Unix account and set its password on this box; the Admin Web UI authenticates against it.
    • sudo useradd -mU -s /bin/bash openvpn; sudo passwd openvpn
  • Login to the Admin Web UI https://openvpn_ip:943/admin (the client UI, where profiles are downloaded, is https://openvpn_ip:943)
    • Download OpenVPN profile client.ovpn
    • Connect to your VPC using sudo openvpn client.ovpn
  • You can setup LDAP server on same instance as OpenVPN to optimize EC2 costs. You will need to use t3.medium at least (4GB RAM).

Setup LDAP server

  • Launch any latest Ubuntu AMI
    • Use one with at least 4GB RAM (Anything smaller does not work)
    • Select subnet as ec2_private_subnet
    • Public IP is not needed. Even if you assign one, the instance is not reachable from the internet because private_route_table has no internet gateway route.
    • Assume private IP is ldap_private_ip for future reference
    • Select cloud_admin.pem as SSH key
  • Update the security group: open 443 for the FreeIPA Web UI, 389 and 636 for LDAP/LDAPS, and 88 and 464 (TCP and UDP) for Kerberos, which ipa-client-install enrolled hosts need. Allow these only from the VPC CIDR or test_vpc_prefix_list, not from 0.0.0.0/0.
  • Login to the box
    • Connect to your VPC using sudo openvpn client.ovpn
    • ssh -i cloud_admin.pem ubuntu@ldap_private_ip
    • sudo hostnamectl set-hostname ldap.test.com
    • Edit /etc/hosts - Add entry <ldap_private_ip> ldap.test.com
    • sudo apt install freeipa-server; sudo ipa-server-install
    • Use domain/realm as test.com and TEST.COM
    • Skip the integrated DNS setup (and therefore DNSSEC) unless you need it; the installer only asks about DNSSEC if you enable DNS.
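The prefix list created in the VPC section exists so that admin ports are never opened to 0.0.0.0/0, and the FreeIPA and OpenVPN security groups above are where that matters most. The following is an added example, not part of the gist: a small standard-library script that generates the FreeIPA ingress rule set scoped to the prefix list and audits an existing rule set against it. TEST_VPC_PREFIX_LIST is a constructed stand-in (the VPC CIDR plus one made-up office address), and OPENVPN_AMI_RULES is a constructed copy of the rules the OpenVPN Access Server AMI suggests, not an export from an account. Ports that must stay world-reachable (the VPN listeners) are passed explicitly so the audit flags only what should have been restricted.

```python
"""Least-privilege security-group rules for the VPN/LDAP hosts (added example)."""
from ipaddress import ip_network

# Constructed stand-in for test_vpc_prefix_list: VPC CIDR plus an office address.
TEST_VPC_PREFIX_LIST = [ip_network("10.0.0.0/16"), ip_network("203.0.113.10/32")]

# Ports a FreeIPA server needs: HTTP/HTTPS, LDAP/LDAPS, Kerberos and kpasswd.
# (Add 53 tcp/udp only if you enabled the integrated DNS server.)
FREEIPA_PORTS = {"tcp": (80, 88, 389, 443, 464, 636), "udp": (88, 464)}

# Constructed copy of what the OpenVPN Access Server AMI suggests: everything open.
OPENVPN_AMI_RULES = [
    {"proto": "tcp", "port": 22, "source": "0.0.0.0/0"},    # SSH
    {"proto": "tcp", "port": 443, "source": "0.0.0.0/0"},   # VPN over TCP
    {"proto": "tcp", "port": 943, "source": "0.0.0.0/0"},   # Admin/client web UI
    {"proto": "udp", "port": 1194, "source": "0.0.0.0/0"},  # VPN over UDP
]
# Only the VPN listeners legitimately need to be reachable from anywhere.
OPENVPN_WORLD_OK = frozenset({("tcp", 443), ("udp", 1194)})


def freeipa_ingress(sources):
    """One ingress rule per (proto, port, source) for the FreeIPA server,
    with every source taken from the prefix list rather than 0.0.0.0/0."""
    rules = []
    for proto, ports in FREEIPA_PORTS.items():
        for port in ports:
            for src in sources:
                rules.append({"proto": proto, "port": port, "source": str(src)})
    return rules


def audit_ingress(rules, allowed_sources, world_ok=frozenset()):
    """Return the rules whose source is not fully contained in one of the
    allowed prefixes, skipping (proto, port) pairs that must be world-open."""
    findings = []
    for r in rules:
        if (r["proto"], r["port"]) in world_ok:
            continue
        src = ip_network(r["source"])
        if not any(src.subnet_of(a) for a in allowed_sources):
            findings.append(r)
    return findings


if __name__ == "__main__":
    for rule in freeipa_ingress(TEST_VPC_PREFIX_LIST):
        print("ldap sg allow", rule)
    for rule in audit_ingress(OPENVPN_AMI_RULES, TEST_VPC_PREFIX_LIST, OPENVPN_WORLD_OK):
        print("openvpn sg FIX:", rule, "-> restrict to test_vpc_prefix_list")
```

Running it prints the 16 FreeIPA rules (8 ports, 2 sources) and two findings for the OpenVPN host, TCP 22 and TCP 943, which are exactly the ports the OpenVPN section says to lock down; 443 and 1194/udp pass because they are in the world-open set. A rule sourced from 10.0.2.0/24 passes because that range is inside the VPC CIDR entry of the prefix list.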

Setup generic EC2 instance

  • Launch AMI as needed
  • Select subnet as ec2_private_subnet
  • Select cloud_admin.pem as SSH key
  • Instance will be allocated a private IP test_ec2_instance_ip
  • Connect to VPN
  • Connect to box ssh -i cloud_admin.pem ubuntu@test_ec2_instance_ip
    • Other default users might be root/ec2-user/etc depending on the AMI used.
    • If you don't know the default user, try root: most AMIs reject the login with a message naming the right user (eg: Please login as the user "ec2-user" rather than the user "root")

NAT Gateways vs Internet Gateways
