AWS Transit Gateway Cross Account VPC Access using AWS Client VPN Endpoint - amazon-web-services

I am trying to connect to one of my EC2 from my local machine using AWS Client VPN Endpoint.
I have Landing Zone Setup.
Transit Gateway and AWS Client VPN Endpoint is created in Shared Account and Transit Gateway is shared with Application Account using AWS RAM.
VPC is also created in Shared Account, I am able to ping/connect with the instance launched in Shared Account, but I am not able to ping/connect to the server launched in Application Account.
I also tried to ping from EC2 machine in Shared Account to EC2 machine in Application Account, this also did not worked, ideally I was expecting this should connect.
I have tried to put most of the details and configurations which I did in the following images. It will be great if someone could help me to understand the root cause.
Note: I have not configured DNS Servers while creating AWS Client VPN Endpoint.

If you follow the routes in your picture, you want to connect from your machine to an IP address in the range 1.8.2.2/26.
This already fails at the start since the client VPN has no routes configured for that range. Only for 1.8.2.6/26. So your packet doesn't get passed the client VPN. Add a route at the client VPN for 1.8.2.2/26 to go to subnet SA.
That should get you at least one step further :)

Related

Is the connection from EC2 to AWS Service (like dynamodb) happening within the AWS Network, or via public internet?

I have VPC with couple of subnets containing EC2 instances.
The EC2 instances have code that invokes various AWS services like dybamodb.
Is the connection from EC2 to AWS Service (like dynamodb) happening within the AWS Network, or via public internet?
Is there any way to control this?
Is the connection from EC2 to AWS Service (like dynamodb) happening within the AWS Network, or via public internet?
Technically the process on EC2 would be hitting the AWS DynamoDB public API which is on the Internet. The traffic would be routed through the Internet Gateway you have attached to the VPC. I think if it is all in the same region it may not actually leave the AWS data center, and you could try testing that via tools like traceroute, but I don't think there are any guarantees of that.
Is there any way to control this?
Yes, add a VPC Endpoint to your VPC for the service you want to connect to. Then the DNS server in your VPC will route all traffic to that service over the VPC Endpoint, instead of routing it to your VPC's Internet Gateway. The traffic will then be guaranteed to stay within the AWS network.

What is the GCP equivalent of AWS Client VPN Endpoint

We are moving from AWS to the GCP. I used Client VPN Endpoint in AWS to get into the VPC network in the AWS. What is the alternative in GCP which I can quickly setup and get my laptop into the VPC network? If there is no exact alternative, what's the closest one and please provide instructions to set it up.
AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.
Currently there is no managed product available on GCP to allow VPN connections from multiple clients to directly access resources within a VPC as Cloud VPN only supports site-to-site connectivity, however there is an existing Feature Request for this.
As an alternative a Compute Engine Instance can be used instead with OpenVPN server manually installed and configured following the OpenVPN documentation, however this would be a self managed solution.

How do I set up and log into a vpn from my mac in aws?

I have an instance and s3 bucket in AWS (which I'm limiting to a range of IPs). I'm wanting to create a VPN and be able to authenticate myself while trying to log into that VPN to get to that instance.
To simplify, I'm trying to set up a dev environment for my site. I'm wanting to make sure I can limit access to that instance. I'm wanting to use a service to authenticate anybody wanting to get to that instance. Is there a way to do all of this in AWS?
Have you looked at AWS Client VPN:
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html
This allows you to create a managed VPN server in your VPC which you can connect to using any OpenVPN client. You could then allow traffic from this vpn to your instance using security group rules.
Alternatively you can achieve the same effect using OpenVPN on an EC2 server, available from the marketplace:
https://aws.amazon.com/marketplace/pp/B00MI40CAE/ref=mkt_wir_openvpn_byol
Requires a bit more set up but works just fine, perfect if AWS Client VPN isn't available in your region yet.
Both these approaches ensure that your EC2 instance remains in a private subnet and is not accessible directly from the internet. Also, the OpenVPN client for mac works just fine.

Is there a managed way to do P2S VPN in AWS?

I want to connect my (OSX) laptop to a VPC in AWS but I couldn't find a way to do this since I don't have a static IP.
Azure has managed P2S VPN: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about. Is there something like this in AWS?
You can stand up a virtual device (such as a CheckPoint firewall) in the VPC on an EC2 instance that has point to site VPN functionality. There are a number of AMI’s and quick starts for this available. You would also need a VPN client running on your laptop.
As an alternative, you can set up a bastion server and whitelist your IP. You can create a shell script that gets your IP and makes an AWS CLI call to update the security group with that value if it doesn’t exist. Then, log into the bastion and you’re in the VPC.
You can setup a client VPN under the VPC menu:
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-endpoints.html
It will require to have server cert, as well as client certificates or a link to managed AD for authentication.

How to setup a connection to VPN from AWS EC2 instance?

I'm running an application in EC2 which needs to connect to an external service running in a VPN (a connection to third party network). I have the IP address and auth details (pre-shared key) through which to connect, but don't know how exactly to setup the connection. Do I need to install a VPN Client or is there any other way through AWS Console?
If you can share the steps/tutorial to set it up, it would be really helpful.
I've configured Site-Site VPN and can see two tunnels under the VPN Connection (both are DOWN right now). I've shared the VPN config file with the third party and they have asked my source IP address to be used for both the tunnels. I'm assuming the source IP will be the public IP of NAT Gateway attached to my VPC (since the servers don't have public IP assigned to them).
You can use the Site to Site VPN(AWS hardware VPN) configuration from Amazon Virtual Private Cloud to your On-Premise Network which do not require a separate VPN Client. After the configuration, you can access the Server in the VPN from its IP range.
Following AWS User Guides will take you through to configure a VPN Connection. Basic configuration is straight forward and AWS will also provide automated scripts to setup configuration in your OnPremise network.
General Introduction to VPN Options Available in AWS: VPN Connections
Guide with Details in Setting up VPN: Adding a Hardware Virtual Private Gateway to Your VPC
Step by Step Guide for Configuration: Setting Up the VPN Connection
You can set up a VPN client in your EC2 instance but also can connect your VPC to the VPN server using:
VPN Connections.
Adding a Hardware Virtual Private Gateway to Your VPC