Amazon AWS Certified Advanced Networking Specialty – Virtual Private Networks & IPSec Tunnels Part 2
4. Overview of AWS VPN Tunnels
Hey everyone and welcome back. In today’s video we will be discussing the site-to-site VPN tunnel. A site-to-site VPN tunnel allows two networking domains to communicate securely with each other over an untrusted network like the Internet. The name itself says site to site, so there are two sites involved. These can be any two locations that you want to have communicating securely: between an EC2 instance and a data center, between two different VPCs, between AWS and Azure, or any other pair of locations. Do remember that a site-to-site tunnel is also referred to as S2S, so if you hear about S2S, it means site to site. Now, once the tunnel is established, let’s assume that you have an EC2 instance that acts as the VPN termination point, and here you have the data center, so there is a VPN tunnel established between the two.
One of the challenges an organization typically faces with a site-to-site VPN is high availability. If you look here, there is a single tunnel endpoint on each of the sites: you have the EC2 instance acting as the VPN termination point, and if this EC2 instance goes down, the entire tunnel breaks. Some time back, when AWS did not have inter-region VPC peering, site-to-site tunnels were pretty common. For instance, if you wanted to establish a tunnel between Singapore and Mumbai, VPC peering was not an option back then, so organizations used site-to-site VPN tunnels pretty extensively. And nowadays a lot of organizations are based on a hybrid cloud, with on-premises infrastructure and AWS.
For that kind of scenario, having a site-to-site VPN tunnel is extremely important. We were discussing the availability challenge: if you are using an EC2 instance for the site-to-site VPN and that EC2 instance goes down, your entire VPN connection breaks. To overcome that, what organizations typically do is establish multiple tunnels. Here you have one tunnel, which is the active tunnel, and one more tunnel, which is the passive tunnel. If the active tunnel goes down, you switch over to the passive tunnel for high availability. This sample diagram shows a tunnel established between Mumbai and North Virginia. Again, you could do this via VPC peering as well.
But let’s assume that this side is AWS and on the right-hand side you have Azure. Then you need to use a site-to-site VPN. When it comes to the architecture of a site-to-site VPN, there are certain key terms that you need to understand. The first is the virtual private gateway and the second is the customer gateway. The customer gateway is nothing but the VPN termination endpoint on the customer side.
This can be a firewall, a server that acts as the IPsec VPN tunnel termination endpoint, et cetera. On the AWS side, we make use of the virtual private gateway. However, do remember that a virtual private gateway is not mandatory. The virtual private gateway has its own advantage. As we were discussing, if the EC2 instance goes down, the entire VPN tunnel that we have established also breaks. A virtual private gateway, on the other hand, is highly available. To understand this, let’s take the example of this diagram. A virtual private gateway has built-in high availability for a VPN connection: it has two endpoint IP addresses, and these endpoints are located in different availability zones. You have endpoint IP one here and endpoint IP two here. From your customer side you establish two VPN tunnels, one to endpoint IP one and one to endpoint IP two, and together they act as a single VPN connection.
Do remember that even though you have a virtual private gateway, if you implement this in your organization, specifically with multiple virtual private gateways and multiple VPN connections, there are a lot of instances where one of the endpoints goes down and traffic has to switch to endpoint IP two. The great thing is that this high availability is managed by AWS, so we do not really have to worry about it. You will get into situations where you see that one of the tunnels is down; however, if you have set up your VPN connection properly with both tunnels, high availability will be taken care of. This can be understood with the diagram here, a screenshot I had taken from a different video, showing the VPN connection.
This is a site-to-site tunnel, and the connection has two IP addresses. The first IP address is 18.216.150.193 and the second is another public address (the digits are garbled in the transcript). Currently you see that only one endpoint has the status Up and the second has the status Down. Ideally, if you are implementing this, make sure that both of them are Up, which means that from your customer location you have two VPN tunnels established. This was just to show the two IP addresses associated with the endpoints of the virtual private gateway.
So this is the high-level overview of site-to-site tunnels and how a virtual private gateway helps in establishing a highly available site-to-site tunnel, at least from the AWS perspective. Before we conclude, I would like to point out that although you have high availability on the AWS side, on the right-hand side you still have one router or one server, and if that server or router goes down, your tunnel breaks again. The primary thing to remember is how high availability is achieved, at least on the AWS side, with the help of a virtual private gateway.
5. Using AWS VPN for On-Premise to AWS connectivity
Hey everyone and welcome back. In the last lecture we were discussing the ways in which we can connect the on-premises environment with your VPC. One of the most ideal approaches is to create a virtual private gateway on the AWS end and a customer gateway on the on-premises end, and establish a VPN connection between the two. Ideally, this customer gateway is a firewall that supports VPN functionality; generally, most organizations have a dedicated firewall hardware box with VPN capability. So let’s go ahead and see, at a very high level, how we can implement this scenario. The first thing we need to do is go to the VPC console. I am under the VPC section, and if you scroll down there is a VPN Connections section.
Within this there are three options, and you should ideally follow them sequentially. Go to Customer Gateways and create a customer gateway. Before this, you need to understand the topology of both environments. In my case, I have a VPC with the CIDR 10.0.0.0/16 and an on-premises environment with the CIDR 192.168.0.0/16. One important thing to remember is that these CIDR blocks must not overlap. For example, if my on-premises network also had 10.0.0.0/16, you could not have a working VPN connection, so you need different ranges for the VPN connection to be established. Now that we know this, let’s create the customer gateway. I’ll give it the name Bangalore office, and you have to give the IP address of the firewall; if we look at the diagram, that is the firewall where the VPN connection will terminate. I have a sample IP address in my document, which I’ll paste here. This needs to be a public IP address; remember, this is very important: both ends need to have a public IP address. I’ll click Create Customer Gateway. Perfect.
The customer gateway is now created. Now I can go to Virtual Private Gateways; the customer side of the connection is done as far as the AWS configuration is concerned, and next we have to create a virtual private gateway. Let’s click Create Virtual Private Gateway, name it payments VPC, and click Create. Perfect, our virtual private gateway is also created. One thing you will see is that this virtual private gateway has the state Detached. An important thing to remember is that one virtual private gateway can attach to one VPC only. I’ll click Actions.
I click Attach to VPC, select the payments VPC, and click Attach. It is attaching the virtual private gateway to the VPC, and perfect, it is attached. Now we have a virtual private gateway and a customer gateway, so we have to create the VPN connection. Let’s go down to the last option, VPN Connections, and click Create VPN Connection. I’ll name it Bangalore office to payments VPC. Within this I select the virtual private gateway we created and the customer gateway we created. There are two routing options: BGP and static. I’ll select Static for the time being. Here you need to give the static IP prefixes; if you look at the help text, you have to put one or more IP prefixes in CIDR notation, separated by commas, to advertise to your VPC. So we give the IP prefix of my on-premises network, 192.168.0.0/16, and click Create VPN Connection.
It says the VPN connection has been created successfully. An important thing to remember is that it generally takes some time for the VPN connection to become available. Once the VPN connection is available, you’ll see this menu; go ahead and click Download Configuration. Depending on the firewall you have on the customer gateway side, the configuration will be different. You will see a lot of vendors listed here, including Openswan, which is open source; pfSense, which is also free; and paid ones like Cisco. Once you select the vendor, you have to select the platform and the software version. After you select all three, click Download and this will download the configuration. On the firewall side, you apply this configuration file, and then connectivity will be established between the virtual private gateway and the customer gateway.
So the configuration file that got downloaded has to be applied on the customer gateway side, on the firewall. After that there is some configuration you need to do, and the VPN connection will be established between the virtual private gateway and the customer gateway. This is a very high-level overview of how you can establish a VPN connection between on-premises and AWS. I currently do not have a hardware firewall, otherwise I would have shown you this directly, but we’ll try to record a video with Openswan or pfSense along the way. So this is it about this lecture. As far as the exam is concerned, you need to remember the three steps, and always remember that the connection is established from the customer gateway side to the virtual private gateway side. The virtual private gateway never initiates the communication; it is always initiated from the customer gateway to the virtual private gateway. The last point to remember is that a virtual private gateway can be attached to only one VPC.
One last thing that I forgot to mention is that once your VPN connection gets established, you have to update the route tables as well. Within the route table, you add an entry for the on-premises network. My on-premises network was 192.168.0.0/16. I’ll save this and put the VGW entry here. It says you must fix the error; let me refresh the page. I’ll click Add another route, enter 192.168.0.0/16 with the VGW as the target, and click Save. Perfect, the save has been successful. This is one thing you need to remember: otherwise, even if your VPN tunnel is established, traffic can reach from the customer gateway to the VPC, but traffic from the VPC will not reach the on-premises network. In your exam they might quiz you that the servers on-premises are able to reach the VPC, but the servers in your VPC (your EC2 instances) are not able to reach on-premises; what might be the issue? The issue is the route table. So this is it about this lecture. I hope this has been informative for you, and I look forward to seeing you in the next lecture.
6. IPSec with OpenSwan – Part 01
Hey everyone, and welcome back to the Knowledge Pool video series. In the earlier lecture we had a very high-level demo of how two instances in different regions can communicate via private IP address with the help of IPsec tunnels. In this lecture we’ll start from absolute scratch and look at how we can establish a tunnel between instances in different regions. At re:Invent last week, AWS announced inter-region VPC peering support; however, this is limited to certain regions, and in 2018, maybe by the end of the year, more regions will be added. One of the major use cases for creating IPsec VPN tunnels may then be replaced by VPC peering. But whenever it comes to an on-premises data center to AWS, you will always need an IPsec tunnel, so this is quite an important topic for us to understand. Now that we have our base, let’s look at how we can create an IPsec tunnel. First, let me show you the setup.
I have one EC2 instance running in the Mumbai region and one EC2 instance running in the Ohio region. At the end of the lab, I should be able to reach from my EC2 instance in the Mumbai region to the instance in the Ohio region via its private IP. That is what we expect at the end of the lecture. In order to do that, the first thing we must do is set up the VPN connection. Within the VPC console, you see there is VPN Connections; we have to establish this VPN connection in the Ohio region. Let’s get started. I’ll click Customer Gateways, click Create Customer Gateway, name it Ohio to Mumbai, and for the IP address I’ll give the public IP address of the Mumbai EC2 instance. This EC2 instance will be the customer gateway, establishing the connection to the VPN we are setting up here. I’ll click Create Customer Gateway. Perfect. Once the customer gateway is created, we’ll click Virtual Private Gateways, name it the same, and create it. Perfect.
Once created, the current status is Detached, so we’ll attach it to the default VPC present here. It takes around a minute for the virtual private gateway to get attached. Meanwhile, let’s click VPN Connections and Create VPN Connection. Again, I’ll name it the same way. For the virtual private gateway I select the one we just created, and the same for the customer gateway. There are two routing options, static and dynamic; we’ll select static. If you use BGP, you don’t really have to put in the routing information, since it will be propagated. I’ll put the IP prefix of the other side of the IPsec tunnel here and click Create VPN Connection. Perfect. This takes a few minutes to get established. While the VPN is being set up, we’ll configure our IPsec EC2 instance with Openswan. I am connected to the EC2 instance.
Let’s quickly install Openswan. One important thing to remember is to make sure you have a version higher than 2.6.32. If you’re using Amazon Linux it does have a higher version, but if you’re using CentOS, chances are you might have 2.6.32, which has a bug that creates issues related to tunnel connectivity. So just make sure you have the right version. I’ll confirm the install, and Openswan gets installed. There are two important configuration files. One is /etc/ipsec.conf, where we configure the tunnel-related settings. The second is /etc/ipsec.secrets.
This is where we put our pre-shared key, because there is authentication as well that you must have to establish communication from Openswan to the AWS VPN. Perfect. Let’s start with the first one, ipsec.conf. I have a base configuration file that I created; it goes into ipsec.conf, and I’ll paste it here. Let’s save it and quickly check whether our tunnel is up. I’ll click Refresh. The current state is Pending; sometimes it takes quite a good amount of time for the state to become Available. Okay, great, the state is now Available.
Within this VPN, if you go into Tunnel Details you’ll see there are two tunnels, each with a different IP address. This is for redundancy or high availability. For the time being, we’ll establish communication with the first tunnel only. Let me copy the IP address of the first tunnel; this goes into our configuration. On the right side of the configuration, we put the IP address of the VPN tunnel endpoint, so I’ll paste it there. In the right subnet, we put the CIDR of the destination VPC; in the Ohio region the VPC CIDR is 172.31.0.0/16, and that is precisely what we have here. In the left subnet, you put the CIDR of your current VPC, where your IPsec tunnel originates, which is currently my Mumbai region.
If you go to the VPC console and select the KP Labs VPC, the CIDR is 10.77.0.0/16, so put that detail here. These are the parameters we have to set; go ahead and click Save. Perfect. That is the first step. The next step is in the Ohio region: once the VPN connection state is Available, you have the option Download Configuration. Click it, choose the vendor Generic, and click Download. This downloads the configuration file, which has a lot of details, including the pre-shared secret we need to establish communication. Let me open this file with WordPad so we get good formatting. Within it you will see IPsec Tunnel #1, and a bit further down IPsec Tunnel #2. Since we are working with only one tunnel, we’ll look at IPsec tunnel 1. Within it there is the pre-shared key. You need this configured within your IPsec, otherwise the tunnel will not come up. Let’s quickly configure it: open /etc/ipsec.secrets, and put the configuration there. Again, I have a base configuration; I’ll copy it, paste it here, and replace the values.
I’ll replace this secret with the secret from the downloaded file. Great. Then I’ll copy it and paste it along with the rest. You have to replace the first column with the IP address of tunnel 1, so let’s go to Tunnel Details, copy the IP address and paste it here. Perfect. Once you have saved this, go ahead and restart IPsec. Now let’s check the status, and you see one tunnel is up. Perfect, the status is now Up. One important thing I would like to share is that sometimes the status in the console remains Down even though the tunnel is up and running; it might take five or sometimes even ten minutes for the status to show Up, although connectivity is already established.
So sometimes, even if it shows Down, just wait for some time; if you have done everything correctly, the status will come up. Perfect. Once this is up, let me quickly create a static route for 10.77.0.0/16, which is the route to my destination VPC. There is one more route you’ll have to create; let me show you within the route table of the Ohio VPC. Here you give 10.77.0.0/16 with the VGW as the target. What this means is that if my EC2 instance in the Ohio region wants to communicate with the EC2 instance in the Mumbai region, and that Mumbai instance is in this CIDR, any traffic to this CIDR should go to this virtual private gateway where the VPN is connected.
That is what it really means. I’ll click Save. Perfect. Once we have configured this, let me go to the EC2 instance and do a ping. Now you see I am actually getting replies from the destination region. My source IP is 10.77.2.88 and I am able to connect to the EC2 instance in the Ohio region via its private IP. So this is all about how you can set up an IPsec tunnel between AWS regions. Go ahead and try this out. In the upcoming lecture, we’ll look into more details related to some of the important configurations. I look forward to seeing you in the next lecture.
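The two rules from lecture 5 (the VPC and remote CIDRs must not overlap, and the customer gateway address must be public) and the two Openswan files from lecture 6 can be combined into one pre-flight script. This is an added example and not the course’s base configuration: the conn layout follows AWS’s Openswan template as I understand it, the cipher proposals are assumptions to compare against the downloaded configuration, and the addresses and pre-shared keys in the sample are constructed placeholders.

```python
"""Pre-flight check and Openswan config rendering for an AWS site-to-site VPN.

Added example, not the course's base configuration file. Rendered text is meant
to be compared with the configuration downloaded from the VPN console.
"""
import ipaddress

# Assumed proposals: AES-256, SHA-2 and DH group 14 (modp2048) are supported by
# AWS site-to-site VPN; check them against the downloaded template.
IKE_PROPOSAL = "aes256-sha2_256;modp2048"
ESP_PROPOSAL = "aes256-sha2_256;modp2048"

# One conn per VGW tunnel endpoint; goes into ipsec.conf or /etc/ipsec.d/.
# Note: the EC2 instance acting as customer gateway also needs IP forwarding
# enabled and its source/destination check disabled for traffic to flow.
CONN_TEMPLATE = """\
conn {name}
    authby=secret
    auto=start
    type=tunnel
    keyexchange=ike
    left=%defaultroute
    leftid={cgw_ip}
    leftsubnet={local_cidr}
    right={vgw_ip}
    rightsubnet={remote_cidr}
    ike={ike}
    phase2alg={esp}
    ikelifetime=8h
    keylife=1h
    keyingtries=%forever
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
"""


def check_topology(local_cidr, remote_cidr, cgw_public_ip):
    """Return the list of reasons the VPN cannot work; empty list means OK."""
    problems = []
    local = ipaddress.ip_network(local_cidr, strict=True)
    remote = ipaddress.ip_network(remote_cidr, strict=True)
    if local.overlaps(remote):  # overlapping ranges cannot be routed over the tunnel
        problems.append(f"overlapping CIDRs: {local} and {remote}")
    cgw = ipaddress.ip_address(cgw_public_ip)
    if not cgw.is_global:  # RFC 1918 and other reserved space is rejected
        problems.append(f"customer gateway {cgw} is not a public address")
    return problems


def render_ipsec_conf(cgw_ip, local_cidr, remote_cidr, vgw_tunnel_ips):
    """One conn block per VGW tunnel endpoint (two for the built-in HA pair)."""
    return "\n".join(
        CONN_TEMPLATE.format(name=f"Tunnel{i}", cgw_ip=cgw_ip, vgw_ip=vgw_ip,
                             local_cidr=local_cidr, remote_cidr=remote_cidr,
                             ike=IKE_PROPOSAL, esp=ESP_PROPOSAL)
        for i, vgw_ip in enumerate(vgw_tunnel_ips, start=1))


def render_ipsec_secrets(cgw_ip, tunnel_psks):
    """ipsec.secrets lines: '<cgw ip> <vgw tunnel ip>: PSK "<key>"'."""
    return "".join(f'{cgw_ip} {vgw_ip}: PSK "{psk}"\n'
                   for vgw_ip, psk in tunnel_psks.items())


def plan_tunnels(cgw_ip, local_cidr, remote_cidr, tunnel_psks):
    """Validate the topology, then return (ipsec.conf text, ipsec.secrets text)."""
    problems = check_topology(local_cidr, remote_cidr, cgw_ip)
    if problems:
        raise ValueError("; ".join(problems))
    conf = render_ipsec_conf(cgw_ip, local_cidr, remote_cidr, list(tunnel_psks))
    return conf, render_ipsec_secrets(cgw_ip, tunnel_psks)


if __name__ == "__main__":
    # Constructed sample: Mumbai VPC 10.77.0.0/16 behind a placeholder CGW
    # address, Ohio VPC 172.31.0.0/16 behind the VGW endpoint shown in the
    # lecture; the PSK stands in for the one from the downloaded file.
    conf, secrets = plan_tunnels("13.233.10.20", "10.77.0.0/16", "172.31.0.0/16",
                                 {"18.216.150.193": "PSK-FROM-TUNNEL1-CONFIG"})
    print(conf)
    print(secrets)
```

Feed both VGW tunnel endpoints and their keys to `plan_tunnels` to get the two-conn configuration that uses the virtual private gateway’s built-in redundancy instead of the single tunnel shown in the lecture.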