We're setting up an Amazon VPC in which we will provision (for now) a single EC2 instance and one RDS instance. This is to 'extend our data center', and should only be using private subnet(s).
So actually, we have this setup, and it is working well (insert smiley face icon). For all intents and purposes, we're mirroring the VPC scenario 4 outlined by Amazon here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario4.html
tl;dr: A single VCP, with a VPN connecting to our corporate network. The VPN uses a Virtual Private Gateway (VPC end) and Customer Gateway (our end) to allow us access as necessary to the EC2, which contains a webserver connecting to the RDS instance as needed. Anyone on our network has access to the web server running on the EC2 via a URL. All this is working as expected.
The problem comes when the EC2 instance needs to access a resource on the Internet - The idea is for us to NOT have any public subnets, but to route all traffic from the EC2 instance through our VPN and out the 'standard' path of our corporate Internet access. However we're having trouble setting this up.
The fact that it can be done is hightlighted in Amazon's FAQ here:
https://aws.amazon.com/vpc/faqs/
Q. How do instances without public IP addresses access the Internet?
Instances without public IP addresses can access the Internet in one of two ways:
Instances without public IP addresses can route their traffic through a NAT gateway or a NAT instance to access the Internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the Internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the Internet to initiate a connection to the privately addressed instances.
For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.
We are trying to avoid option #1 as there is a cost involved (along with complexity and security issues). #2 is the perfect resolution for us, but understanding the process to set it up has been eluding us for a while.
Can anyone walk us through what we need to do (or point us to the correct resources) to ensure the EC2 instance* can access the Internet by routing the traffic down the VPN, through our corporate datacenter, and our our existing Internet access point?
* and anything within the private subnet for that matter
If you are using scenario #2, then all there is to do on the AWS end is to ensure that traffic destined for the internet, 0.0.0.0/0 is routed to your Virtual Private Gateway.
Once traffic heads there, it will go to your Customer Gateway, and into your corporate datacenter. It's up to your local IT guys on that end to get Internet-destined traffic heading out, if it's even possible. But at that point, it's no longer an AWS issue.
Related
I am currently working on a ETL tool at work (python & bash scripts managed with Airflow basically) and I am asking myself wether I should put my EC2 instance which will run the ETL in a public or private subnet. My instance should have acces to the internet to retrieve data (basically ssh through on-premises instances we have) and should also be able to be accesses through SSH.
However, I don't know if allowing outbound connection to the internet and restrict inbound connection to SSH is enough about security or if I should put the instance in a private subnet and tweaking things to be able to connect to it.
Your ETL instance should be in a private subnet behind a NAT instance.
NAT gateway will give your EC2 private network internet connectivity but still ensure that your EC2 instances are not accessible from the internet. So in order to allow access to internet it has to route traffic through public network which has a Internet gateway attached.
You should put your EC2 instance in a private subnet to prevent hackers from gaining access and stealing your data.
You can learn how to setup NAT gateway here
https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-subnet/
As the main purpose of your instance is not to deliver a public service, it'd be more secure in a private subnet and go through a NAT gateway to fetch data from the Internet.
That being said a NAT gateway is expensive, so a common pattern is to use a public subnet/ through an Internet gateway with a deny rule for any incoming traffic. If you don't want your instance exposed to ddos, don't even open ssh and use AWS systems manager to ssh your instance.
Question
Can we make a route table which has both igw-id (Internet gateway ID) and vgw-id (VPN gateway ID)? If we can't/shouldn't do it, why?
Example
10.0.0.0/16 --> Local
172.16.0.0/12 --> vgw-id
0.0.0.0/0 --> igw-id
Reference
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario3.html
(I mainly refer to "Overview" section and "Alternate routing" section.)
Explanation
This webpage above shows the scenario where one VPC has one public subnet, one private subnet and one VPN gateway. In this example, the VPN gateway is always accessed from instances in the private subnet (meaning its route table doesn't have the record "igw-id"). I wonder why one route table doesn't have both "igw-id" and "vgw-id".
Yes, we can have both igw and vgw. In fact, the example above would be a perfect for a public subnet which can connect to your corporate network through direct connect or site-to-site VPN, and also have internet access and be accessible from the internet.
Now, weather you would want this or not, it is an architectural decision. In the example scenario given by AWS, they try to segregate subnets by having a public subnet (with the igw) which can contain services accessible from the internet and a private subnet for other backend services (exmaple: databases). These backend services can be accessed from the corporate network using a site-to-site VPN, this is why the subnet has the vgw.
Yes, you can have a route table with the 3 routes you specified. However, bear in mind that with a route 0.0.0.0/0 --> igw-id, hosts on the internet can initiate connections with the instances in that subnet. Typically, you would want to secure the instances in a subnet that you allow a route to your on-premise network, and not expose it to the internet. If these instances require to connect to the internet, AWS recommends NAT devices for your VPC.
While it's technically possible, the main reason not to do that is due to a concept called network segmentation. It basically follows a "defense in depth" approach that network layers should be separated in a "public" and a "private" part (more zones are also often used like third tier for data storage and a fourth for infra used to manage the other three tiers).
Since your public subnet is directly exposed to the internet, it'most likely to be breached when you misconfigure something. If you would have routes in your public subnet to your VPN gateway, a single breach enables an attacker to attack your on-prem environment as well.
This is why its best practice to add one or two network tiers to your architecture. Even when the public tier is compromised, they still need to get into an instance in the private tier before they can attack your on prem environment.
It's recommended that your public subnet only contains an elastic load balancer or similar when possible. Its a pretty good way to reduce the attack surface of your application servers (less chance that you expose an unwanted port etc.).
A nice guide on this can be found here. It doenst include vpns, but you can condisider them part of the app layer.
From a cost optimization perspective, are there any benefits in deploying web servers in private subnets rather than in public subnets? (behind an Internet-facing ALB)
What would be the pros and cons for the two approaches?
Putting your web-servers in private subnets will probably be more expensive (depends on exactly what the servers do) then putting them in public. The reason is that in private subnet they will not have access to the internet nor any AWS services.
Thus if they require the use of some external API or access to some AWS services you will need to use NAT gateway and/or VPC endpoints which are not free (except endpoints to S3 and DynamoDB).
But keeping everything in a public subnet is a security risk and many prefer to keep the servers in private subnets to follow good practices and be more secure then cheap.
Short answer - No
One case where it will be a bit more expensive:
If you need to access public internet from your server, you will need to pay some money for either NAT gateway, or NAT instance. NAT gateway vs NAT instance.
When to use Public subnet
You are not planning on using any ALB, or autoscaling, and would like to attach Elastic IP directly to your single instance.
You would like to have access to the internet from your ec2, and not pay for NAT
When to use Private subnet
If you are planning to use ALB: You should always have 1 entry point to your application, let it be through publicly faced ALB, and don't risk, by allowing direct public access to your service. For ssh or other direct connection, you can setup bastion host
Any service that should not be accessible from the public internet should be better placed in a private subnet and communicate with other services through a private network, which is faster and cheaper, also, when communicating inside vpc, you can set up good security groups.
I'm learning AWS and how to configure networking for EC2 instances and have a few questions. I'm using CentOS 7 in t2.micro instances.
The private IP is tied to the NIC in the instance as shown by ifconfig -a. The purpose seems to be a single point of contact for the server. Adding another network interface does NOT add another NIC as shown by ifconfig -a. Since the primary network interface cannot be a static IP, a secondary network interface is necessary for most configurations. For example, to connect the application to the database server, use the static IP assigned to the second network interface. Am I understanding this correctly?
The public IP is shown in the AWS console and provides a means to connect to the instance via SSH, assuming you configure the SG. The public IP also provides a means to access the internet for system updates. This seems to contradict the AWS documentation for NAT. If the public IP already provides internet access, why is a NAT (instance or gateway) needed? This is in reference to system updates which the documentation references.
You can use a NAT device to enable instances in a private subnet to connect to the Internet (for example, for software updates) or other AWS services, but prevent the Internet from initiating connections with the instances. A NAT device forwards traffic from the instances in the private subnet to the Internet or other AWS services, and then sends the response back to the instances.
Is a public IP and private IP are always assigned to each instance? I haven't walked through the process of creating an [new] AMI to verify if there's an option to not have a public IP. If the instance doesn't have a public IP, will the AWS console Connect button still allow you to connect to it to administer the server? Under what scenario will an instance NOT have a public IP? How do you connect to that instance to administer it?
I have read the NAT Gateway documentation and understand much of it. I'm having trouble understanding the pieces that state a NAT gateway or internet gateway is necessary to enable internet access, when it seems this is enabled by default. What am I missing?
I think your confusion stems from your third question. A public IP is not always assigned to an instance. Public IP is an option that you can enable or disable in public VPC subnets, and in private VPC subnets public IP isn't an option at all. For EC2 instances without a public IP a NAT gateway (or NAT instance) is required in order to access anything outside of the VPC.
You may want to place something like a database server in a private subnet so that nothing outside your VPC can ever access it. However you might want the database server to be able to access the Internet to download patches or something, or you may want it to access the AWS API in order to copy backups to S3 or something, in which case you would need a NAT Gateway to provide the server access to resources outside your VPC.
I started to mess around with aws a couple days ago and I have a question about VPCs.
I'm considering two options to make "private" a subnet and I want to know your opinion:
OPTION 1:
A subnet with an ig attached (a public subnet really) with an ACL to only allow traffic from the VPC.
Pros: cheaper!
Cons: public ip for each instance (is this a real problem?), different public Ip for each instance (a kind of messy stuff for ip's whitelists)
OPTION 2:
A subnet without an ig attached using a Nat gateway.
Pros: more secure?, same public Ip for each instance.
Cons: more expensive.
I consider the Option 2 the best technical solution, only a bit more expensive. But, do you consider the option 1 a bad practice? Has more pitfalls that I'm not seeing?
It appears that your requirements are:
Run some Amazon EC2 instances
Keep them "private" from the Internet (no direct access from the Internet to the instances)
Allow the instances to access the Internet (eg to download updates, or to communicate with AWS API endpoints)
Your Option 1 is a public subnet, made private by modifying the Network ACLs to allow traffic only within the subnet. You are giving public IP addresses to the instances, presumably so they can access the Internet. This will not work. The Network ACLs that limit access to the VPC will also block traffic from the instances to the Internet.
Your Option 2 is a private subnet, with instances accessing the Internet via a NAT gateway. There is no need to assign public IP addresses to these instances, since they are in a private subnet. Yes, this will work but, as you note, there is the extra expense of the NAT Gateway (or a NAT instance).
An alternative is to use a Public Subnet with Security Groups:
Use a public subnet and give instances auto-assigned public IP addresses. This will allow them to access the Internet. (Note: This is different to an Elastic IP Address, which is limited to 5 per region per AWS account.)
Use a Security Group on each instance to block Inbound access. The instances will still be able to initiate outbound access to the Internet (and responses will come back because Security Groups are stateful)
See documentation: Amazon EC2 Security Groups for Linux Instances
Of course, since the instances now block inbound traffic, you will need a way to connect to them. This is typically done by launching a Bastion Server (Jump Box) in your public subnet. You can connect to the Bastion Server via public IP address, then connect to the private servers via their private IP address. To allow this, configure the Security Group on the private instances to permit inbound traffic from the IP range of the VPC, or from the Security Group associated with the Bastion Server.