How to debug a Site-to-Site VPN tunnel IPSec on AWS? - amazon-web-services

Is it possible to access logs of a Site-to-Site VPN connection IPsec tunnel establishment? If the tunnel establishment is failing, there's no visibility on the AWS side of what the reason is.
If accessing the logs is not possible, is it possible to inspect packets at the Site-to-Site VPN endpoint on the AWS side? I tried creating a Traffic Mirror Session, but couldn't feed it the right ENI as the source. I can't find the ENI interfaces that are created by transit gateway VPN attachments. This information is not returned by any of these commands.
$ aws ec2 describe-vpn-connections
$ aws ec2 describe-transit-gateways
$ aws ec2 describe-transit-gateway-attachments

Site-to-Site VPN connection logging was announced in August 2022:
https://aws.amazon.com/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/
The Terraform aws provider v4.30.0 also added this configuration:
https://github.com/hashicorp/terraform-provider-aws/pull/26637
If you’ve created a VPN but there are no attempts to connect, you won’t see any logs. CloudWatch Logs encrypts logs at rest by default; however, if you want control over the key or want to rotate encryption keys, you can use KMS to encrypt the logs. You can see how to grant CloudWatch permissions to the KMS key here:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html#cmk-permissions
A user viewing the log doesn’t need permission to access the key in KMS. The key is just used by the KMS service to encrypt the data at rest. The IAM permissions mentioned in the documentation are the permissions required of the user or role to enable VPN connection logging. You don’t need to change the service-linked role. Note: you'll only see a service-linked role when using a customer gateway with certificate authentication:
https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-service-linked-roles.html

Related

Restrict access to AWS Client VPN based on client version

Due to some security policies in our company we want to restrict access to the VPN Client Endpoint for those users who are NOT using the latest AWS VPN Client installed on their laptops. I cannot find any references in AWS CloudWatch or in the Connection tab where I can check the version of the user's client.
Does anyone have some ideas?

Connect timeout on endpoint URL: "https://sts.us-west-2.amazonaws.com/" in AWS EKS with IRSA for RDS,S3 and security groups applied for RDS

I created a cluster where a pod should read/write data from/to RDS and S3. In order to make the connection secure, I added IRSA for S3 and RDS. An additional layer of security was added by creating a security group for the pod so that it can talk to RDS. However, after doing this, while the pod can write to RDS and S3 without any issues, the pod can read only from RDS and not from S3. I exec'd into the pod to see what was happening. When I execute aws s3 ls and aws sts get-caller-identity, I get Connect timeout on endpoint URL: "https://sts.us-west-2.amazonaws.com/" as output.
In order to implement security groups for pods, I followed https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html. I understand that when a security group is applied to a pod, source NAT is disabled, so I created a VPC endpoint for S3 (Gateway Endpoint). I created an outbound rule in the pod's security group to access the managed prefix list for S3 as well. I followed the instructions on Managing Amazon S3 access with VPC endpoints and S3 Access Points for this. This didn't help with execution of the commands that I showed earlier.
I also created an Interface VPC Endpoint for STS but that didn't work either.
I have referred to https://github.com/aws/amazon-vpc-cni-k8s/issues/1211 as well. I am already following the instructions mentioned in this post as the dns resolution is active for my cluster.

AWS Transit Gateway Cross Account VPC Access using AWS Client VPN Endpoint

I am trying to connect to one of my EC2 from my local machine using AWS Client VPN Endpoint.
I have Landing Zone Setup.
The Transit Gateway and AWS Client VPN Endpoint are created in the Shared Account, and the Transit Gateway is shared with the Application Account using AWS RAM.
The VPC is also created in the Shared Account. I am able to ping/connect with the instance launched in the Shared Account, but I am not able to ping/connect to the server launched in the Application Account.
I also tried to ping from an EC2 machine in the Shared Account to an EC2 machine in the Application Account; this also did not work. Ideally I was expecting this should connect.
I have tried to put most of the details and configurations which I did in the following images. It will be great if someone could help me to understand the root cause.
Note: I have not configured DNS Servers while creating AWS Client VPN Endpoint.
If you follow the routes in your picture, you want to connect from your machine to an IP address in the range 1.8.2.2/26.
This already fails at the start since the client VPN has no routes configured for that range, only for 1.8.2.6/26. So your packet doesn't get past the client VPN. Add a route at the client VPN for 1.8.2.2/26 to go to subnet SA.
That should get you at least one step further :)

Is it possible to create an AWS Private Link for resources in multiple AWS accounts?

I have my RDS instances on one AWS account and I have set up my application on a Kubernetes Cluster on another account. I need the application to talk to RDS instances on another account. I chose VPC Endpoint (Private Link) to achieve the same, so that the RDS data is safe and secure. Is it possible to have a Private Link established between multiple AWS accounts? Both the accounts are under the same AWS organization.
Is it possible to have a Private Link established between multiple AWS accounts?
Yes. The AWS documentation explains that a service consumer can be a different account:
Grant permissions to specific service consumers (AWS accounts, IAM users, and IAM roles) to create a connection to your endpoint service.
Setting up permissions for other accounts to your Private Link service is explained in:
Adding and removing permissions for your endpoint service
I think the better architecture would be to use VPC Peering to connect the VPC with the database to the VPC with the Kubernetes cluster.
The data remains "safe and secure" because it stays within the two VPCs.
No Network Load Balancer would be required.

How to connect to snowflake using browser client in case of privatelink

What URL do we need to use to connect to Snowflake using a browser client when we have PrivateLink set up for Snowflake? We have set up AWS PrivateLink to connect to Snowflake so that we can avoid traffic over the internet. Any input regarding this would be great if someone has set this up. I get a 403 Forbidden error when I use the PrivateLink DNS name from the browser.
AWS PrivateLink is a great way for Snowflake customers on AWS to get private connectivity over AWS networking backbone. For example, you can run server tools such as Tableau server in your VPC, and connect to Snowflake without going over the internet.
Here's the high-level process flow to enable it for your account.
Enable PrivateLink in your VPC following AWS documentation.
File support case with Snowflake to enable PrivateLink for your account. Include your AWS account Id in the support case.
After enabling the feature, Snowflake support will provide 3 pieces of information: a) the Snowflake PrivateLink URL, b) a DNS record, and c) an IP address to restrict public URL access to your Snowflake account.
Set up DNS based on the DNS record provided to you above. Set up AWS security group policies to allow access to the Snowflake PrivateLink URL on ports 443 and 80 (for OCSP).
Create a network policy in Snowflake allowing only the IP address provided above by support.
Verification: From your VPC, spin up an EC2 instance and log in to the Snowflake PrivateLink URL through the browser running on EC2. Or, use the snowsql command-line tool for verification from inside the VPC.
Additional security best practice:
Set up an S3 endpoint in your VPC. This will ensure that S3 access from your VPC goes over the AWS backbone instead of the internet. Note that Snowflake drivers connect directly to S3 for getting large result sets or if you are using PUT commands to load data.
Also, refer to the official doc for this topic: https://docs.snowflake.net/manuals/user-guide/admin-security-privatelink.html
Here's a high-level diagram of how it works.
Note: Private connectivity from your corporate network to AWS VPC is a separate topic, and you can configure it using AWS Direct Connect or AWS VPN. That configuration is independent of Snowflake, and you should be able to work directly with AWS to enable it.
Vikas Jain | Security Product Management | Snowflake