I'm wondering if I need port forwarding compatible Vpn given my tasks below:
Ill be connecting to aws services such as documentDB and RDS while travelling.
As a result, I plan on purchasing a dedicated IP VPN, so I can work while travelling, and add my VPN's static IP address to AWS to grant me access.
I'm working with a java spring boot backend. It connects to the documentDB and RDS and performs CRUD operations.
Does my VPN need to be port forwarding compatible?
I'm planning to purchase NordVPN with a dedicated IP, but might have to look into other VPNs port forwarding is required.
Some AWS services are VPC only, i.e. accessible only from the same VPC network. One of those services is DocumentDB, in order to connect directly from your laptop you'll have to create an ssh tunnel and port forward.
Having said that, you could have a bastion host in AWS configured with the right access, ssh (Linux) or RDP (Windows) to it and connect from that host.
The other option is https://aws.amazon.com/vpn/
Related
I have a private RDS instance that I want to connect to using bastion host.
I've found a couple of tutorial on how to set it up which doesn't seem too advanced, but I struggle to understand what a bastion host actually is.
All the tutorials I've seen just creates an empty ec2 instance (bastion host) and edit the RDS security group to allow incoming traffic from it and voila, connection from local machine is working.
What I struggle to understand is that there's no configuration on the ec2 instance that enables this behaviour.
Wouldn't that mean that any server that have access to RDS could be used as a bastion host?
For example, I have an EKS cluster where I host a couple of services.
Some of these services are supposed to have access to RDS.
So in order for the services to access RDS I put RDS in the same VPC and Security Group as eks-nodegroups.
Even though the services that need access to RDS aren't publicly accessible, there are publicly accessible services that are running in the same VPC and Security Group.
Would I then be able to use one of the publicly accessible services as a bastion host in order to gain access to RDS from anywhere, thus making it public?
From Bastion - Wikipedia:
A bastion or bulwark is a structure projecting outward from the curtain wall of a fortification, most commonly angular in shape and positioned at the corners of the fort:
It 'sticks out' from the walled portion of the city and provides added security by being able to target attackers attempting to scale the wall. In a similar way, a bastion host 'sticks out' from a walled computer network, acting as a secure connection to the outside world.
When using an Amazon EC2 instance as a Bastion Host, users typically use SSH Port Forwarding. For example, if the Amazon RDS database is running on port 3306, a connection can be established to the Bastion server like this:
ssh -i key_file.pem ec2-user#BASTION-IP -L 8000:mysql–instance1.123456789012.us-east-1.rds.amazonaws.com:3306
This will 'forward' local port 8000 to the bastion, which will then forward traffic to port 3306 on the database server. Thus, you can point an SQL client to localhost:8000 and it would connect to the Amazon RDS server. All software for making this 'port forward' is part of the Linux operating system, which is why there is no configuration required.
Yes, you can use anything as a Bastion Host, as long as it has:
The ability to receive incoming connections from the Internet
The ability to (somehow) forward those requests to another server within the VPC
A Security Group that permits the inbound traffic from the Internet (or preferably just your IP address), and the target resource permits incoming traffic from this security group
Assuming I have a custom VPC with IP ranges 10.148.0.0/20
This custom VPC has firewall rules to allow-internal so the service inside those IP ranges can communicate to each other.
After the system grows I need to connect to some on-premises network by using Classic Cloud VPN, already create Cloud VPN (the on-premises side configuration already configured by someone) and the VPN Tunnel already established (with green checkmarks).
I also can ping to on-premises IP right now (let's say ping to 10.xxx.xxx.xxx where this is not GCP internal/private IP but on-premises private IP) using compute engine created on custom VPC network.
The problem is all the compute engine instance spawn in custom VPC network can't communicate to the internet now (like doing sudo apt update) or even communicate to google cloud storage (using gsutil), but they can communicate using private IP.
I also can't spawn dataproc cluster on that custom VPC (I guess because it can't connect to GCS, since dataproc needs GCS for staging buckets).
Since I do not really know about networking stuff and relatively new to GCP, how to be able to connect to the internet on instances that I created inside custom VPC?
After checking more in-depth about my custom VPC and Cloud VPN I realize there's misconfiguration when I establish the Cloud VPN, I've chosen route-based in routing option and input 0.0.0.0/0 in Remote network IP ranges. I guess this routes sending all traffic to VPN as #John Hanley said.
Solved it by using policy-based in routing option and only add specific IP in Remote network IP ranges.
Thank you #John Hanley and
#guillaume blaquiere for pointing this out
I run some web services running in Google Compute Engine. I want to secure them and make available only to my coallegues. I don't want to rely on web server security, so my idea was to configure a VPN with Google Cloud Platform.
My question may be silly, because I don't really know how VPN works. Is it possible to create a VPN in Google Cloud and connect to it directly from my laptop? I've tried to use "Hybrid Connectivity VPN" - but it allows only to connect to another VPN. When I make a tunnel, it asks me "Remote peer IP address". I don't have any on-premise VPN in my organization, also I am behind a NAT of my provider.
I know that that it could be possible in principle - once I've connected to VPN of my previous job. I've just used build-in Windows function "Add a VPN connection", inputed IP of the server and the secret. After that I could connect to the servers that were inside the corporate network.
Can I configure Google Cloud VPN to work in similar way?
Client-to-gateway(road warrior) setup is not supported by CloudVPN. For client-to-gateway scenarios, you can install and configure an IPSec VPN software, like Strongswan on a GCE VM and configure it for remote access. Users can than connect to this VPN server through VPN client and, after a secure tunnel established they can connect to all other VMs which are deployed inside the same network. With this setup, you can also configure NAT gateway and remove the public IP from other VMs. Configuring a NAT gateway is described in this article.
https://serverfault.com/questions/818101/does-gcp-support-p2s
Is it Possible to directly connect to AWS CLoud HSM directly through Local Machine for Development Purpose, Or do we need to compulsorily instantiate an EC2 to connect and work with CLoud HSM.
You can create a micro/small instance on public subnet of VPC, assign public ip (or elastic ip if you want), install a vpn (easy openvpn install: https://github.com/Nyr/openvpn-install), after you connect to vpn you can act like you are on same VPC with CloudHSM.
Note: make sure that your vpn client on your local machine is routing traffic to vpn, you can either configure that from client or push route from vpn server.
Your client must be in the VPC of the CloudHSM. So if you want to use your "local machine" I guess your laptop to the CloudHSM, you have to use AWS VPN or if you have on-premises server, use AWS Direct Connect.
I'm running an application in EC2 which needs to connect to an external service running in a VPN (a connection to third party network). I have the IP address and auth details (pre-shared key) through which to connect, but don't know how exactly to setup the connection. Do I need to install a VPN Client or is there any other way through AWS Console?
If you can share the steps/tutorial to set it up, it would be really helpful.
I've configured Site-Site VPN and can see two tunnels under the VPN Connection (both are DOWN right now). I've shared the VPN config file with the third party and they have asked my source IP address to be used for both the tunnels. I'm assuming the source IP will be the public IP of NAT Gateway attached to my VPC (since the servers don't have public IP assigned to them).
You can use the Site to Site VPN(AWS hardware VPN) configuration from Amazon Virtual Private Cloud to your On-Premise Network which do not require a separate VPN Client. After the configuration, you can access the Server in the VPN from its IP range.
Following AWS User Guides will take you through to configure a VPN Connection. Basic configuration is straight forward and AWS will also provide automated scripts to setup configuration in your OnPremise network.
General Introduction to VPN Options Available in AWS: VPN Connections
Guide with Details in Setting up VPN: Adding a Hardware Virtual Private Gateway to Your VPC
Step by Step Guide for Configuration: Setting Up the VPN Connection
You can set up a VPN client in your EC2 instance but also can connect your VPC to the VPN server using:
VPN Connections.
Adding a Hardware Virtual Private Gateway to Your VPC