VPN on EC2 to Heroku server - amazon-web-services

Hi there networking experts,
I have a Rails app hosted on Heroku, and I am looking to set up a VPN tunnel on a separate EC2 instance which will connect with a 3rd party.
3rd party <----(VPN tunnel)----> EC2 <----(HTTP/SSH)---> Heroku
Best case scenario would have been to set up the tunnel directly on our Heroku instance, but that doesn't seem possible according to some of these answers.
With my limited knowledge, I figured that the next best thing would be to set up a 'middle-man' EC2 instance with the capability to listen to the VPN tunnel as well as send HTTP requests to our Heroku server over SSH. The most important consideration in this integration would be security. I would like to encrypt end-to-end, and only decrypt on our Heroku server.
What would be the best practice for achieving something like this, if possible at all?
Thank you!

AWS has a managed VPN offering.
You configure a customer gateway for the client side, attach a virtual private gateway to your VPC, and the VPN connects the two. You can then set up routes which will allow them to connect securely to any services running inside your VPC.
A VPN in AWS can use static or dynamic routing. Static is generally simpler, especially if there is a limited IP range on the client side.

Related

How can a beginner use AWS services to host a public server and create endpoints for a web application

I have been in the front end development before, but this is my first time researching how to use AWS services to host a public server for our web application. Currently, I have trouble understanding how does EC2 and API gateway work with each other. And I also have some trouble understanding how does public server host a web application in this case. I have reads a number of tutorials, but I have trouble understanding where does this API endpoint generate in this case. I saw that API gateway could generate an endpoint, but in this case, do I still use EC2 to host the web application? And how can the url from these 2 connect to each other? Yeah, I think I got messy on understanding this web app structure especially on server side. Coud someone help me on breif explain on these 2 services and maybe some useful tutorial that I could reference? As a beginner, everything is so confusing to me. Thank you so much!!
The simple approach is deploy your web/app server in EC2 instance and check on which port yours service is running e.g. 8080 , go to attached securty group of that EC2 instance and open port for 8080, you can also attach the elastic IP so that even after restart EC2 instance your IP will never change and then access your application publically using http;//<elastic-ip>:8080/<>
btw best approach is to use ELB on ECS/EKS and then use API gateway deploy your static content in S3 and use cloudfront.

connect local environment to CloudSQL with private IP

I have hosted my application in a CloudRun Container and connected it to CloudSQL.
Everything is in a VPC Network and is running smoothly. Now I would like to modify data in production from a Database tool like DataGrid. Therefore I need to connect my local environment to my VPC-Network. I did this through a Cloud VPN Tunnel. Now I would like to connect to the SQL instance.
Here I got stuck and I'm wondering how I can establish the connection.
It would be great if someone would know how I can solve this issue. Thanks!
My preferred solution is to use the public IP BUT without whitelisting any network. In fact, it's like if y ou have a public IP and all the connexion are forbidden.
The solution here is to use Cloud SQL proxy and to open a tunnel from your computer to the Cloud SQL database (that you reach on the public IP, but the tunnel is secured); It's exactly like a VPN connexion: a secure tunnel.
You can do this
Download Cloud SQL prowy
Launch it
./cloud_sql_proxy -instances=<INSTANCE_CONNECTION_NAME>=tcp:3306
Connect your SQL client on localhost:3306
If the port 3306 is already in use, feel free to use another one
If you prefer the private IP only (sometime, it's security team requirement), I wrote an article on this.
If you use a VPN (and you are connected to Cloud VPN) take care to open the correct route and firewalls in both way (in and out)

AWS EC2 for QuickBooks

AWS and network noob. I've been asked to migrate QuickBooks Desktop Enterprise to AWS. This seems easy in principle but I'm finding a lot of conflicting and confusing information on how best to do it. The requirements are:
Setup a Windows Server using AWS EC2
QuickBooks will be installed on the server, including a file share that users will map to.
Configure VPN connectivity so that the EC2 instance appears and behaves as if it were on prem.
Allow additional off site VPN connectivity as needed for ad hoc remote access
Cost is a major consideration, which is why I am doing this instead of getting someone who knows this stuff.
The on-prem network is very small - one Win2008R2 server (I know...) that hosts QB now and acts as a file server, 10-15 PCs/printers and a Netgear Nighthawk router with a static IP.
My approach was to first create a new VPC with a private subnet that will contain the EC2 instance and setup a site-to-site VPN connection with the Nighthawk for the on-prem users. I'm unclear as to if I also need to create security group rules to only allow inbound traffic (UDP,TCP file sharing ports) from the static IP or if the VPN negates that need.
I'm trying to test this one step at a time and have an instance setup now. I am remote and am using my current IP address in the security group rules for the test (no VPN yet). I setup the file share but I am unable to access it from my computer. I can RDP and ping it and have turned on the firewall rules to allow NB and SMB but still nothing. I just read another thread that says I need to setup a storage gateway but before I do that, I wanted to see if that is really required or if there's another/better approach. I have to believe this is a common requirement but I seem to be missing something.
This is a bad approach for QuickBooks. Intuit explicitly recommends against using QuickBooks with a file share via VPN:
Networks that are NOT recommended
Virtual Private Network (VPN) Connects computers over long distances via the Internet using an encrypted tunnel.
From here: https://quickbooks.intuit.com/learn-support/en-us/configure-for-multiple-users/recommended-networks-for-quickbooks/00/203276
The correct approach here is to host QuickBooks on the EC2 instance, and let people RDP (remote desktop) into the EC2 Windows server to use QuickBooks. Do not let them install QuickBooks on their client machines and access the QuickBooks data file over the VPN link. Make them RDP directly to the QuickBooks server and access it from there.

EC2 OpenVPN server within VPC access with ALB/ELB

I currently have a private VPC with an OpenVPN server on an EC2 within it. Clients connect to the OVPN server and I can ping the connected clients via the server. Now I'd like to setup an ALB/ELB that would allow access to the clients on the OVPN server. Is that possible, I think I need a bridge?
I was thinking about perhaps installing nginx on the OVPN server and reverse proxying to the clients, but I feel like there's a more AWS way of going about this.
Thanks in advance!

Self hosted VPN with PiHole on AWS

I'm trying to create a setup where all of my (mobile and home) traffic is encrypted and ad-blocked. The idea is to use this setup:
wherein all of my traffic when using the VPN client on my phone or PC is routed through a custom OpenVPN setup running on a AWS EC2 instance. On its way out of the EC2 instance towards the public internet, I want to have a PiHole or equivalent DNS sinkhole filtering requests for blacklisted sites.
It's important that this is configured in such a way that I'm not allowing for a public/open DNS resolver - only traffic coming from through the OpenVPN (and therefore coming from an OpenVPN client that is using one of my keys) should be allowed.
Is this possible? Am I correctly understanding the functionality of all the parts?
How do I set this up? What concepts do I need to understand to make this work?
This tutorial seems like a good place to start. This is using lightsail not EC2, but if you aren't planning to scale this up much that might be simpler and cheaper.