Restrict access to AWS Client VPN based on client version - amazon-web-services

Due to some security policies in our company, we want to restrict access to the Client VPN endpoint for those users who are not using the latest version of the AWS VPN Client on their laptops. I cannot find any references in AWS CloudWatch or in the Connections tab where I can check the version of a user's client.
Does anyone have any ideas?

Related

AWS Transit Gateway Cross Account VPC Access using AWS Client VPN Endpoint

I am trying to connect to one of my EC2 instances from my local machine using an AWS Client VPN Endpoint.
I have a Landing Zone setup.
The Transit Gateway and AWS Client VPN Endpoint are created in the Shared Account, and the Transit Gateway is shared with the Application Account using AWS RAM.
The VPC is also created in the Shared Account. I am able to ping/connect to the instance launched in the Shared Account, but I am not able to ping/connect to the server launched in the Application Account.
I also tried to ping from the EC2 machine in the Shared Account to the EC2 machine in the Application Account; this also did not work, though ideally I was expecting this to connect.
I have tried to put most of the details and configurations I did in the following images. It would be great if someone could help me understand the root cause.
Note: I have not configured DNS servers while creating the AWS Client VPN Endpoint.
If you follow the routes in your picture, you want to connect from your machine to an IP address in the range 1.8.2.2/26.
This already fails at the start, since the Client VPN has no routes configured for that range, only for 1.8.2.6/26. So your packet doesn't get past the Client VPN. Add a route at the Client VPN for 1.8.2.2/26 to go to subnet SA.
That should get you at least one step further :)
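The answer's diagnosis rests on a check anyone troubleshooting Client VPN can script: a destination is only forwarded when the endpoint's route table has a route covering it and an authorization rule allows it. The following is an added example, not code from the question or answer; every CIDR, subnet ID and the "placeholder" target names are constructed, and the two-VPC layout (a shared VPC 10.10.0.0/16 and an application VPC 10.20.0.0/16) is assumed for illustration.

```python
# Added example: models the two checks AWS Client VPN applies before forwarding
# a packet (a matching route and a matching authorization rule). All CIDRs and
# subnet identifiers are constructed placeholders, not values from the page.
import ipaddress

# Constructed route table: (destination CIDR, target subnet). Assumed layout:
# shared-account VPC 10.10.0.0/16, application-account VPC 10.20.0.0/16.
ROUTES = [
    ("10.10.0.0/16", "subnet-shared-placeholder"),
    ("10.20.0.0/24", "subnet-shared-placeholder"),  # only one /24 of the app VPC
]

# Constructed authorization rules: CIDRs clients are allowed to reach.
AUTH_RULES = ["10.10.0.0/16", "10.20.0.0/16"]


def lookup_route(dest_ip, routes=ROUTES):
    """Longest-prefix match, the way a route table selects a route.
    Returns (cidr, target) or None when no route covers dest_ip."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def is_authorized(dest_ip, rules=AUTH_RULES):
    """True when some authorization rule covers the destination."""
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in ipaddress.ip_network(r) for r in rules)


def diagnose(dest_ip):
    """Explain why a destination is or is not reachable through the endpoint."""
    route = lookup_route(dest_ip)
    if route is None:
        return f"{dest_ip}: no Client VPN route covers this address; add one"
    if not is_authorized(dest_ip):
        return f"{dest_ip}: route via {route[1]} exists but no authorization rule allows it"
    return f"{dest_ip}: reachable via {route[0]} -> {route[1]}"


def missing_routes(target_cidrs, routes=ROUTES):
    """List CIDRs (e.g. every VPC CIDR behind the transit gateway) that the
    route table does not fully cover, i.e. routes that still need adding."""
    gaps = []
    for cidr in target_cidrs:
        net = ipaddress.ip_network(cidr)
        covered = any(net.subnet_of(ipaddress.ip_network(r)) for r, _ in routes)
        if not covered:
            gaps.append(cidr)
    return gaps


if __name__ == "__main__":
    for ip in ("10.10.1.5", "10.20.0.9", "10.20.5.9"):
        print(diagnose(ip))
    print("routes to add:", missing_routes(["10.10.0.0/16", "10.20.0.0/16"]))
```

Feed `missing_routes` the CIDR of every VPC attached to the transit gateway and it lists the routes the endpoint still lacks; the security groups on the target instances are a third, separate check that this model does not cover.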

What is the GCP equivalent of AWS Client VPN Endpoint

We are moving from AWS to GCP. I used the Client VPN Endpoint in AWS to get into the VPC network in AWS. What is the alternative in GCP that I can quickly set up to get my laptop into the VPC network? If there is no exact alternative, what's the closest one, and please provide instructions to set it up.
AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.
Currently there is no managed product available on GCP to allow VPN connections from multiple clients to directly access resources within a VPC, as Cloud VPN only supports site-to-site connectivity; however, there is an existing Feature Request for this.
As an alternative, a Compute Engine instance can be used instead with an OpenVPN server manually installed and configured following the OpenVPN documentation; however, this would be a self-managed solution.

How to debug a Site-to-Site VPN tunnel IPSec on AWS?

Is it possible to access logs of a Site-to-Site VPN connection's IPsec tunnel establishment? If the tunnel establishment is failing, there's no visibility on the AWS side into what the reason is.
If accessing the logs is not possible, is it possible to inspect packets at the Site-to-Site VPN endpoint on the AWS side? I tried creating a Traffic Mirror Session, but couldn't feed it the right ENI as the source. I can't find the ENI interfaces that are created by transit gateway VPN attachments. This information is not returned by any of these commands:
$ aws ec2 describe-vpn-connections
$ aws ec2 describe-transit-gateways
$ aws ec2 describe-transit-gateway-attachments
Site-to-Site VPN connection logging was announced in August, 2022:
https://aws.amazon.com/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/
The Terraform aws provider v4.30.0 also added this configuration:
https://github.com/hashicorp/terraform-provider-aws/pull/26637
If you’ve created a VPN but there are no attempts to connect, you won’t see any logs. CloudWatch Logs encrypts logs at rest by default; however, if you want control over the key or want to rotate encryption keys, you can use KMS to encrypt the logs. You can see how to grant CloudWatch permissions to the KMS key here:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html#cmk-permissions
A user viewing the log doesn't need permission to access the key in KMS. The key is just used by the KMS service to encrypt the data at rest. The IAM permissions mentioned in the documentation are the permissions required of the user or role to enable VPN connection logging. You don't need to change the service-linked role. Note, you'll only see a service-linked role when using a customer gateway with certificate authentication:
https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-service-linked-roles.html
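If you do encrypt the VPN connection log group with your own KMS key, the part that goes wrong in practice is the key policy: the CloudWatch Logs service principal for the region needs the encrypt/decrypt/re-encrypt/generate-data-key/describe actions, scoped by the `kms:EncryptionContext:aws:logs:arn` condition to that log group, as the linked AWS page shows. The checker below is an added example, not code from the answer or from AWS; the account ID, key ARN and log group name are constructed placeholders, and the policies are built inline rather than read from `aws kms get-key-policy`.

```python
# Added example: verify that a KMS key policy lets CloudWatch Logs in one
# region use the key, and only for the intended log group. The policy
# documents below are constructed; the ARNs are placeholders.
import fnmatch

# Real KMS actions the logs service exercises (matched against wildcards such
# as "kms:Encrypt*" in the policy).
REQUIRED_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:DescribeKey",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(granted, needed):
    """IAM action patterns use '*' as a wildcard; fnmatchcase reproduces that."""
    return any(fnmatch.fnmatchcase(needed, pattern) for pattern in _as_list(granted))


def check_logs_key_policy(policy, region, log_group_arn):
    """Return a list of findings; an empty list means the key policy grants
    logs.<region>.amazonaws.com exactly what it needs for log_group_arn."""
    principal = f"logs.{region}.amazonaws.com"
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        p = stmt.get("Principal")
        services = _as_list(p.get("Service", [])) if isinstance(p, dict) else []
        if principal not in services:
            continue
        missing = [a for a in REQUIRED_ACTIONS
                   if not _action_matches(stmt.get("Action", []), a)]
        if missing:
            findings.append(f"logs principal statement is missing {missing}")
            continue
        cond = (stmt.get("Condition") or {}).get("ArnEquals", {})
        scoped = cond.get("kms:EncryptionContext:aws:logs:arn")
        if scoped is None:
            findings.append("logs principal can use the key for any log group "
                            "(no kms:EncryptionContext:aws:logs:arn condition)")
        elif log_group_arn not in _as_list(scoped):
            findings.append(f"statement is scoped to {scoped}, not {log_group_arn}")
        else:
            return []  # a correctly scoped grant exists
    if not findings:
        findings.append(f"no Allow statement for {principal}")
    return findings


# Constructed placeholders (not from the page).
ACCOUNT = "111111111111"
LOG_GROUP_ARN = f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:vpn-connection-logs-placeholder"
ROOT_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "kms:*",
    "Resource": "*",
}
LOGS_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
    "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:Describe*"],
    "Resource": "*",
    "Condition": {"ArnEquals": {"kms:EncryptionContext:aws:logs:arn": LOG_GROUP_ARN}},
}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [ROOT_STATEMENT, LOGS_STATEMENT]}
# Same grant without the condition: works, but lets the logs service use the
# key for every log group in the account.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    ROOT_STATEMENT, {k: v for k, v in LOGS_STATEMENT.items() if k != "Condition"}]}

if __name__ == "__main__":
    print("good :", check_logs_key_policy(GOOD_POLICY, "us-east-1", LOG_GROUP_ARN))
    print("broad:", check_logs_key_policy(BROAD_POLICY, "us-east-1", LOG_GROUP_ARN))
    print("wrong region:", check_logs_key_policy(GOOD_POLICY, "eu-west-1", LOG_GROUP_ARN))
```

The region check matters because the service principal is regional: a key policy copied from another region grants nothing to the logs service where the VPN log group actually lives.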

How AWS role works between two ports?

In a private subnet, we have an EC2 instance (client) talking to a server (another EC2 instance) listening on a port.
The client EC2 instance is assigned a role to get access to the server EC2 instance. Client and server are Go programs.
An AWS role is mainly used to make AWS API calls between any two AWS services without specifying credentials.
Does an AWS role also help in client-server communication, to authenticate the right client?
Not directly, no. You don't use IAM to control access between your client and your server. You use it to control access between your client and AWS services. IAM authenticates clients and authorizes them to perform specific actions against specific AWS resources.
One option that would allow your client to leverage IAM roles for authentication to your server's API would be to insert API Gateway between them. Another option is to use standard auth mechanisms such as bearer tokens, API request signing etc.
Note that, typically, you would use Security Groups to control which EC2 instances can actually talk to the server API on port N.
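The "API request signing" option in the answer, when API Gateway is not in the path, means the client and server share a secret and the server checks an HMAC over each request. The following is an added example, not code from the question or answer; the Go programs in the question would implement the same scheme. It assumes a shared secret distributed out of band (the constant here is a constructed demo value), a canonical string of method, path, timestamp, nonce and body hash, and a five-minute clock-skew window with nonce tracking to reject replays inside that window.

```python
# Added example: HMAC-SHA256 request signing between a client and a server.
# The shared secret below is a constructed demo value; a real deployment would
# fetch it from a secrets store (which is where the instance role helps) and
# never embed it in code.
import hashlib
import hmac
import secrets
import time

SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"
MAX_SKEW_SECONDS = 300


def _canonical(method, path, timestamp, nonce, body):
    """Everything the signature covers, in a fixed order. Hashing the body
    keeps the canonical string small and binds the signature to the payload."""
    return "\n".join([
        method.upper(), path, str(timestamp), nonce,
        hashlib.sha256(body).hexdigest(),
    ]).encode()


def sign_request(method, path, body, secret=SHARED_SECRET, now=None, nonce=None):
    """Client side: returns the headers to attach to the outgoing request."""
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    sig = hmac.new(secret, _canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side. Remembers nonces seen inside the skew window so a captured
    request cannot simply be sent again."""

    def __init__(self, secret=SHARED_SECRET, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp it was accepted with

    def verify(self, method, path, headers, body, now=None):
        now = now if now is not None else time.time()
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"
        expected = hmac.new(self.secret, _canonical(method, path, ts, nonce, body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == leaks how many leading bytes match.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # Only authenticated requests touch replay state. Drop nonces that have
        # aged out of the window, then refuse one that was already used.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    body = b'{"order": 42}'
    headers = sign_request("POST", "/orders", body)
    server = Verifier()
    print(server.verify("POST", "/orders", headers, body))   # (True, 'ok')
    print(server.verify("POST", "/orders", headers, body))   # replayed nonce
    print(server.verify("POST", "/orders", headers, b"{}"))  # bad signature
```

The security group on port N, as the answer notes, still limits who can reach the listener at all; the signature then tells the server which of those callers holds the secret, which is the layer IAM alone does not give you between two EC2 instances.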

How to connect to snowflake using browser client in case of privatelink

What URL do we need to use to connect to Snowflake using a browser client when we have PrivateLink set up for Snowflake? We have set up AWS PrivateLink to connect to Snowflake so that we can avoid traffic over the internet. Any input regarding this would be great if someone has set this up. I get a 403 Forbidden error when I use the PrivateLink DNS name from the browser.
AWS PrivateLink is a great way for Snowflake customers on AWS to get private connectivity over AWS networking backbone. For example, you can run server tools such as Tableau server in your VPC, and connect to Snowflake without going over the internet.
Here's the high-level process flow to enable it for your account.
1. Enable PrivateLink in your VPC following the AWS documentation.
2. File a support case with Snowflake to enable PrivateLink for your account. Include your AWS account ID in the support case.
3. After enabling the feature, Snowflake support will provide you with three pieces of information: a) the Snowflake PrivateLink URL, b) a DNS record, and c) an IP address to restrict public URL access to your Snowflake account.
4. Set up DNS based on the DNS record provided to you above. Set up AWS security group policies to allow access to the Snowflake PrivateLink URL on ports 443 and 80 (for OCSP).
5. Create a network policy in Snowflake allowing only the IP address provided above by support.
6. Verification: from your VPC, spin up an EC2 instance and log in to the Snowflake PrivateLink URL through a browser running on the EC2 instance. Or, use the snowsql command-line tool for verification from inside the VPC.
Additional security best practice:
Set up an S3 endpoint in your VPC. This will ensure that S3 access from your VPC goes over the AWS backbone instead of the internet. Note that Snowflake drivers connect directly to S3 for getting large result sets or if you are using PUT commands to load data.
Also, refer to the official doc for this topic: https://docs.snowflake.net/manuals/user-guide/admin-security-privatelink.html
Here's a high-level diagram of how it works.
Note: Private connectivity from your corporate network to an AWS VPC is a separate topic, and you can configure it using AWS Direct Connect or AWS VPN. That configuration is independent of Snowflake, and you should be able to work directly with AWS to enable it.
Vikas Jain | Security Product Management | Snowflake
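The verification step in the answer can be made mechanical: from an instance inside the VPC, confirm that the PrivateLink hostname resolves to private addresses (if it resolves to public ones, the DNS record from step 4 is not in effect and the browser is going out over the internet) and that TCP 443 and 80 are reachable (the security group rules from step 4). The script below is an added example, not code from the answer or from Snowflake; the hostname used in `__main__` is a constructed placeholder, and the `resolver` and `connect` parameters exist so the checks can be exercised with stand-in functions.

```python
# Added example: check that a PrivateLink hostname resolves to private
# addresses and that the ports the security group must allow are reachable.
# Run it from an EC2 instance inside the VPC. The hostname in __main__ is a
# constructed placeholder.
import ipaddress
import socket

PRIVATELINK_PORTS = (443, 80)  # 80 is used for OCSP, per the steps above


def resolve(hostname):
    """Default resolver: every address the OS resolver returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def check_privatelink_dns(hostname, resolver=resolve):
    """Return findings; empty means every address is private (RFC 1918 / ULA),
    which is what the VPC endpoint's private DNS record should give you."""
    try:
        addrs = resolver(hostname)
    except OSError as exc:  # socket.gaierror is an OSError
        return [f"{hostname} does not resolve: {exc}"]
    if not addrs:
        return [f"{hostname} returned no addresses"]
    findings = []
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_private:
            findings.append(f"{hostname} resolves to public address {addr}; "
                            "private DNS record not in effect")
    return findings


def _tcp_connect(host, port, timeout=3):
    socket.create_connection((host, port), timeout=timeout).close()


def check_ports(hostname, ports=PRIVATELINK_PORTS, connect=_tcp_connect):
    """Try a TCP connect on each port; returns the ports that could not be reached."""
    blocked = []
    for port in ports:
        try:
            connect(hostname, port)
        except OSError:
            blocked.append(port)
    return blocked


if __name__ == "__main__":
    host = "account.region.privatelink.snowflakecomputing.com"  # placeholder
    dns_findings = check_privatelink_dns(host)
    print("DNS:", dns_findings or "ok, private addresses only")
    if not dns_findings:
        print("blocked ports:", check_ports(host) or "none")
```

A clean result from both checks narrows a 403 from the browser down to the Snowflake side (the account-level PrivateLink enablement or the network policy from step 5) rather than the VPC networking.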