I have a private M2M GSM network for my company devices.
I want to send traffic from my devices to AWS IOT but the M2M provider doesn't allow internet access from its sim cards, it only provide an IPSec connexion to a a private network.
I had now problem configuring the IPSec connexion to an AWS VPC and my sims can successfully ping all instance in my AWS VPC. However what I want is for my sims to access AWS IOT.
What I did:
I configured my VPN with AWS third scenario. I have a public network with CIDR 192.168.0.0/24 and a private network with CIDR 192.168.1.0/24. My VPN has a static route CIDR 10.1.128.0/14 for my M2M network.
Then I launched an EC2 Nat Instance inside my public network.
I added a routing rule to my VPC main routing table to route trafic to 0.0.0.0/0 to my NAT instance.
I launched an EC2 instance in my VPC's private network and try to access internet from it, this work and I can see trafic going throung my nat instance. So I assume my nat and routing is well configured.
However I still can't manage to access internet from my sim cards, traffic isn't even routed to my NAT instance. According to John Rotenstein's answer VPN traffic will not use my routing rule.
Does AWS VPN drop traffic which is not destinated to the VPC's or VPN's CIDR ? Is there a security reason for that ?
If that's the case is there a way to customize routing rules for the VPN's traffic ? Or is the only solution to use a custom VPN within an EC2 instance ?
Thank you for your help.
I added a routing rule to my VPC main routing table to route trafic to 0.0.0.0/0 to my NAT instance.
It is an understandable misconception that the "main" route table of a VPC impacts traffic coming in from a VPC hardware VPN. It doesn't. There is no route table that applies to such traffic, only the implicit target of the VPC subnets. Only the assigned CIDR blocks can be reached from such a VPN.
Does AWS VPN drop traffic which is not destinated to the VPC's or VPN's CIDR? Is there a security reason for that?
Yes, that traffic is dropped.
It probably not specifically for security reasons... it's just the way the service was designed to work. Managed VPN connections are intended for access to instance-based services, and don't support traffic flows we might generally categorize as gateway, edge-to-edge, peering, or transit.
If you can configure your edge devices to use a web proxy, then a forward proxy server like squid could handle the connectivity for the devices, because the IP path between a device and a forward proxy is a connection involving only the device and proxy IPs.
A simpler solution would be to use an instance-based firewall to terminate the VPN, instead of the built-in VPC VPN service, because then the firewall instance could allow the traffic to hairpin through itself, source-masquerading (NAT) the traffic behind its own EIP, and this would be something the VPC infrastructure easily supports.
An instance-based firewall is something you can build yourself, of course, but there are also several products in the AWS Marketplace that provide IPSec tunnel termination and NAT capability. Some have free trial periods where the only cost is the cost of the instance.
Related
My VPC is in eu-west-2. I have two subnets for an RDS instance, split across two different availability zones for reasons of high availability: eu-west-2a and eu-west-2b. I also have a Redshift cluster in its own subnet in eu-west-2c.
With this configuration, I have successfully configured an AWS Client VPN endpoint so that I can access RDS and Redshift from my local machine when connected to a VPN client with the appropriate configuration.
While following the same principles of using subnets for specific services, I would like my EC2 instances to live in private subnets that are also only accessible over a VPN connection. However, one of the limitations of the Client VPN service is:
You cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint.
This implies that I would need to create a separate endpoint for connecting to my private EC2 subnet—which feels like complete overkill for my modest networking architecture!
Is there a workaround?
By default, a subnet can reach the other subnets.
This means that you won't need to do anything. This will work out of the box. If not, check the route tables and see if there is a route from your VPN subnet to your private subnet.
When you associate the first subnet with the Client VPN endpoint, the following happens:
The state of the Client VPN endpoint changes to available. Clients can now establish a VPN connection, but they cannot access any resources in the VPC until you add the authorization rules.
The local route of the VPC is automatically added to the Client VPN endpoint route table. (This local route allows you to communicate with every subnet within the VPC that the subnet is in.)
The VPC's default security group is automatically applied for the Client VPN endpoint.
See documentation for details.
Using Terraform to setup a VPC with two EC2s in private subnets. The setup needs to SSH to the EC2s to install package updates from the Internet and install the application software. To do this there is an IGW and a NAT-GW in a public subnet. Both EC2s can access the Internet at this point as both private subnets are routing to the NAT-GW. Terraform and SSH to the private subnets is done via Client VPN.
One of the EC2s is going to host a web service so a Classic mode Load Balancer is added and configured to target the web server EC2. Using Classic mode because I can't find a way to make Terraform build Application mode LBs. The Load Balancer requires the instance to be using a subnet that routes to the IGW, so it is changed from routing to the NAT-GW, to the IGW. At this point, the Load Balancer comes online with the EC2 responding and public Internet can access the web service using the DNS supplied End Point for the LB.
But now the web server EC2 can no longer access the Internet itself. I can't curl google.com or get package updates.
I would like to find a way to let the EC2 access the Internet from behind the LB and not use CloudFront at this time.
I would like to keep the EC2 in a private subnet because a public subnet causes the EC2 to have a public IP address, and I don't want that.
Looking for a way to make LB work without switching subnets, as that would make the EC web service unavailable when doing updates.
Not wanting any iptables or firewalld tricks. I would really like an AWS solution that is disto agnostic.
A few points/clarifications about the problems you're facing:
Instances on a public subnet do not need a NAT Gateway. They can initiate outbound requests to the internet via IGW. NGW is for allowing outbound IPv4 connections from instances in private subnets.
The load balancer itself needs to be on a public subnet. The instances that the LB will route to do not. They can be in the same subnet or different subnets, public or private, as long as traffic is allowed through security groups.
You can create instances without a public IP, on a public subnet. However, they won't be able to receive or send traffic to the internet.
Terraform supports ALBs. The resource is aws_lb with load_balancer_type set to "application" (this is the default option).
That said, the public-private configuration you want is entirely possible.
Your ALB and NAT Gateway need to be on the public subnet, and EC2 instances on the private subnet.
The private subnet's route table needs to have a route to the NGW, to facilitate outbound connections.
EC2 instances' security group needs to allow traffic from the ALB's security group.
It sounds like you got steps 1 and 2 working, so the connection from ALB to EC2 is what you have to work on. See the documentation page here as well - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
We have Typical 3 tier architecture having Web, App and DB.
Can we make EC2 instances in the web tier as Private? and allow incoming traffic only through ALB?
AFAIK we can apply an SG only allowing connections from the SG of the ALB. But What if our Private EC2 instance has to return response back to the client? How it'll be routed through ALB as ALB is mostly used for managing incoming traffic.
Also for outgoing traffic can we configure something like Private EC2 instance -> ALB -> Internet? If yes then how? So, is there any way for private EC2 instances to communicate to internet without assigning them public IP?
But What if our Private EC2 instance has to return response back to the client? How it'll be routed through ALB as ALB is mostly used for managing incoming traffic.
You don't have to do anything special, assuming your ALB and instances are correctly set. Any request coming to ALB, will be able to return to the client event if instances are in private subnet without any internet connectivity.
However, your instance won't be able to initiate internet connections by themselves. So if the instances don't need internet to operate, you don't need NAT. Otherwise, it is required.
Keeping your instances in a private subnet is best practice, even for the web layer.
For inbound traffic you would add a load balancer into your public subnets then allow HTTP/HTTPS ingress on the webs security group only from the load balancer. You can either do this through adding the subnet ranges into the web servers security group, or reference the security group the load balancer has assigned to it instead.
For outbound internet traffic in a private subnet you will need to create either a NAT Gateway or NAT instance within a public subnet, and then add a route for 0.0.0.0/0 for the private subnet to route traffic to the NAT. Additionally if you want IPv6 traffic you would create an egress only internet gateway with a route of ::/0.
I have a server running on ec2 but I cant connect to the localhost 8085. Any suggestions ?
Check to make sure your setup has the following:
There is an elastic IP attached to the instance, or it has a public IP address.
The security group allows incoming traffic on the correct port.
The network ACL of the subnet that allow for the needed inbound and outbound traffic, or you're using the non-existent/default ACLs, which allow all inbound/outbound traffic.
An Internet Gateway is in the same VPC as the instance.
There is a rule in the subnet's route table that sends internet-bound traffic to the Internet Gateway.
You may also find this AWS article helpful for using the Internet Gateway in your VPC.
We would like to know if its possible to make our on-premise firewall the NAT instance for the private instance in AWS VPC for outbound internet access (to get updates for example)?
We currently have AWS VPC scenario 4 implemented.
Thanks!!
For Scenario 4: VPC with a Private Subnet Only and Hardware VPN Access, all outbound (non-VPC) traffic has to go through the customer gateway to on-prem. So if you want to access internet, the traffic goes through on-prem and then outbound from on-prem/corporate network.
In short: From AWS VPC, if you want to access any AWS endpoint, you have to go through the corporate/customer network. You have to allow outbound in your on-prem firewall. There is no other option.
If you really want to access internet through NAT, you should have created Scenario 3: VPC with Public and Private Subnets and Hardware VPN Access