AWS Client VPN: Connected with the Cloud

Captions
This video is about AWS Client VPN: how to connect with the cloud. This is perfect for remote workers or whoever needs access to AWS or on-premises networks. I wanted to dive into that service because over the past month AWS announced new features and the service matured, so I think it's worth having a look at the service now. What is this video all about? First, we will talk a little bit about what AWS Client VPN is and how it works. I will show you how you can install the VPN client and how everything works from an end-user perspective. We will discuss some network scenarios that you can implement with AWS Client VPN, and I will show you how to configure Client VPN together with Azure Active Directory to use it for single sign-on, which I think is really cool. At the end I have some independent insights into AWS Client VPN, things I learned from using the service. Okay, let's get started.

How does AWS Client VPN work? It is a service for client-to-site VPN connections. Whenever you want to connect, for example, engineers or users to a VPC, this is the service that you should have a look at. It allows, for example, DevOps engineers to SSH into EC2 instances running in private subnets, connect directly to RDS databases, and so on. It's a managed service provided by AWS, so you don't need to have a VPN machine running that you need to manage and operate on your own. Let's have a look at the feature set: it's a managed service with OpenVPN underneath; it provides secure client-to-site connections with TLS; it is multi-AZ, so it can span multiple subnets in multiple data centers; and it scales automatically, so from one client connection to thousands of client connections there's no problem with the service. For authentication, it works with Active Directory, with federated authentication via SAML, and you can also use certificate-based authentication. Those are the different options that are available right now.

In the first demo I want to show you how everything works from an end-user perspective: how does a DevOps engineer, for example, connect to a VPC to SSH into an EC2 instance? It all starts with the so-called self-service portal for the VPN client. What users can fetch from there is, first of all, the VPN configuration (that's a configuration file) and then the VPN client itself for Windows or OS X. By the way, you can use any other OpenVPN-compatible client as well, but that's what AWS provides by default. The next step is to install and start the VPN client. Then you can add a profile, let's call it "demo", and import the configuration file that you have downloaded. That's it, and now you're ready to connect with the VPN. The VPN client now says it is connected, so let's prove that and SSH into an EC2 instance running in the VPC. I'm copying the private IP address here, SSH into that machine, and it works: we have a network connection from my MacBook to the VPC that this EC2 instance runs in. That's exactly what we expected. A short recap of what we have done in the demo: users connect to the self-service portal, where they can fetch the VPN client and the configuration; they use that VPN client to establish a VPN connection, and then they are able to connect with the VPC and, for example, SSH into an EC2 instance.

Next I want to discuss different networking scenarios for when to use AWS Client VPN. The first scenario is what we already discussed: you need to get network access for your users to a certain VPC. This can be DevOps engineers, but it could also be end users that need to access a certain internal application that is running inside that VPC. This is the standard scenario, I would say. You can also use Client VPN if users have to access a peered VPC, because Client VPN creates an elastic network interface in the VPC, and from there you can reach peered VPCs as well, so it also works with peering. A similar scenario is when you have a site-to-site VPN connection between your VPC and your corporate data center, your on-premises networks; you can use Client VPN for that as well. As a remote worker setup, you could even get all your remote workers connected via AWS Client VPN to the VPC and then have only one single site-to-site VPN connection, or even a Direct Connect connection, that connects the VPC with your corporate data center. By doing so you can basically outsource all that client VPN stuff to AWS, which might be an interesting option for remote workers as well. You can also use AWS Client VPN the same way you use those end-user-centric VPN services to get around geo restrictions and the like. In theory you could use AWS Client VPN for that as well, because you can spin up a Client VPN endpoint in every region, connect to that, and connect to the internet from that VPC. So that is possible, but oftentimes you don't want to route the internet traffic from your users over the VPN connection, and that is where split tunnel comes into play, which is also supported by AWS Client VPN. You can set up split tunneling, which means only the traffic for your VPC, for example, gets routed over the VPN connection; everything else destined for the internet goes directly to the internet, not through your VPN infrastructure. That reduces costs a lot, because you have to pay for the traffic that goes through the AWS networks. Those are a few network scenarios that you can use Client VPN for. I think it's a very interesting service that can replace EC2 instances on which you have been operating your own VPN servers. Personally, Michael and I have been doing that a lot; we even have CloudFormation templates for that, and it's definitely time to replace that with the managed AWS Client VPN service.

Next I want to show you how the authentication part works with AWS Client VPN. I've chosen to do it with Azure Active Directory, so I'm using SAML. You can use it to connect to other identity providers as well, but that's the example I took. Let's have a look at the bigger picture. The scenario is: you have users that should be able to connect to a VPC over a VPN connection. We talked about the self-service portal, the VPN client, and everything. Now the question is, how do those users authenticate themselves? I think one interesting option is to use SAML for that, and you can use that, for example, to connect to an Azure Active Directory; I think that's a popular one, which is why I've chosen that example. It works like this: your users start their VPN client and get redirected to SSO with Azure Active Directory, where they type in their username and password. They go back to the VPN client, which then establishes the connection, and AWS Client VPN makes sure that those credentials are valid and only then lets people into your networks and establishes a VPN connection. By the way, it even goes further than that: you can have groups in Azure AD that authorize users to access only certain areas of your networks. That's the advanced feature that you have here as well. And of course you can have not only access to your VPC; you could also have access to the internet gateway and the internet as well. That's what I want to demo next.

We have to have a look at two different things. One is the Client VPN endpoint configuration. This is something that you configure in the VPC service: you can find Client VPN endpoints in there. I've already set this up; it took me about two hours, so I'm not going through every detail of how to set up the whole thing here, but I will link the relevant blog posts and documentation in the notes attached to this video so you can get all the information that you need, and if you have any questions or problems feel free to write in. What I wanted to show you is that when you create a Client VPN endpoint (let's quickly do that), you give it a name, you give it an IP address range, you have to specify a certificate for it, and then you can choose that you want to have user-based authentication, and now you can have federated authentication with SAML. That's what we want to have a look at today. I will first go over the configuration that I have. This is a Client VPN endpoint; I have set up federated authentication, and we will quickly jump into that. I have specified the DNS server of the VPC as the DNS server for the VPN clients as well. I'm using the defaults a lot, and I've enabled CloudWatch so you can get logs about the VPN connections in there. I've disabled split tunnel here and I've enabled the self-service portal, which is what we have already seen. Then it is important to associate subnets with the Client VPN endpoint. Associating a subnet means those are the subnets that clients connecting with the VPN can connect to; it also defines the availability zones that you run in. You can attach one subnet per availability zone, so I have done two to have multi-AZ, but I haven't done more than that because I don't need it here. So that is the configuration of the Client VPN endpoint. What is also important is that you can define a route table in here. Basically, here you specify, when a VPN client connects and wants to talk to a certain address, whether that is possible, and if yes, how you route that. For example, this is the internal VPC network for both subnets, and I've also added a route to the internet that goes through the internet gateway. So this is something you can explicitly allow or deny by adding a route to the route table. By the way, authorization is also something you can do here. I talked about that: you can have groups connected to certain networks, so you only allow certain groups, for example from Azure Active Directory, to talk to certain IP address ranges. In my case I've just allowed everything here for a simple example.

So this is the Client VPN endpoint, and that is up and running; this is managed by AWS, and I don't need to care a lot about that. Now I think the interesting part is how to set up the SAML integration with Azure Active Directory. This is very similar to another video that I've done before, so you can check that out as well: that was AWS SSO with SAML, and Azure Active Directory was the example in there as well. It works very similarly, but let's quickly go over it. What you need to do, first of all, is go to the Identity and Access Management service, because there you need to create a so-called identity provider, and that identity provider is then intended for Client VPN. I've created that one; the type is SAML. Basically, the next step is to switch over to Azure Active Directory and configure the application in there. In Azure you have to configure the Azure Active Directory, so let's do that. The most important thing you have to do is create a so-called enterprise application. When you do so, you click on "New application", and the good news is that if you type "AWS Client VPN" in here there's a pre-configured profile for that which you can use already, so you can just use that and create an enterprise application based on it. That is very cool, because many of the problems are already solved in there. After creating the enterprise application and after setting up some things between AWS and Azure Active Directory, you can add users and groups to the enterprise application, and this allows only users in certain groups, or users that you specify as individuals, to access the Client VPN later. For example, I'm selecting myself here and giving myself default access, and now my user and a group named "aws" inside Azure Active Directory are allowed to use the Client VPN. I think that's really cool, because you can manage that at a central place very easily.

After you've set up everything correctly, let's have a look at how this looks from the end-user perspective again; I didn't show that in the first demo, so let's do it here. When you connect the VPN client, basically what happens is that the browser opens and asks you to log in with your Microsoft, with your Azure Active Directory account, and that's what I'm doing here. You click on "Sign in" and then you get redirected back to your VPN client. Let's see how this goes... and now it says "connected". So now I'm connected to the VPN, and the authentication and authorization happened over Azure Active Directory. I think that's really a cool thing, because it's now really easy to provide people and teams access to certain VPCs. I hope you enjoyed the demo.

Next I want to dive into the details that you don't notice right from reading the documentation but that pop up when using the service. First of all, I did a network benchmark and tried to find out what bandwidth you can expect from one VPN client going over AWS Client VPN and connecting to a resource in a VPC. I did a benchmark between two EC2 instances, where one VPC was connected over a Client VPN connection with another VPC, and I measured about 300 megabits per second per client. So this was the throughput that I could achieve with the managed service. I think that's probably fine; I'm totally happy with those numbers and couldn't detect anything here. Next I want to talk about the certificate. Client VPN uses TLS for encrypting the VPN traffic, so you need to have a certificate in place. I started with a public certificate created and managed by the Amazon Certificate Manager, but this caused some trouble with the certificate chain, and that's why I switched to using easy-rsa. This is a GitHub repository; you'll find the links in the description of this video. I used that to create self-signed certificates that are optimized for what we need here. This was much easier, and then I uploaded, or imported, those into the Amazon Certificate Manager. This worked much better out of the box. Then there's another important thing if you plan to use AWS Client VPN with a lot of clients, and you should think about that: AWS Client VPN supports one subnet per availability zone, so depending on the region that is something between two and five, I think. The region defines the maximum number of availability zones, which also defines the maximum number of subnets that you can attach to a Client VPN endpoint. Now it gets tricky, because the number of attached subnets defines the maximum number of VPN connections that can connect to the Client VPN endpoint. With one subnet it's 7,000; with two it's 36,500; and so on. So if you really have a large installation, you should check that out and think about which region you use, how many availability zones it provides, and from there on you can do the math and see if that works for you. Next, about the monthly costs: what does it all cost? A production-ready setup, multi-AZ, meaning two subnets associated in two availability zones, starts at about 150 dollars per month. So this is the minimum fee for real production workloads, and then on top of that you pay for each VPN connection hour, I would say quite a small fee. Also remember that you pay for the traffic: traffic into AWS is free, but the traffic back has a charge, so you should take that into consideration as well. Do you have any questions? If so, please go to community.cloudonaut.io; you will find this video posted there, and that's the perfect place to ask your questions about Client VPN. I'm happy to answer them, and I'm happy to join a discussion about everything, about alternatives and so on, and the whole community can profit from that. I'm looking forward to you joining there. Thanks for watching this video, bye.
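The endpoint route table and the authorization rules from the endpoint configuration part, together with the split-tunnel setting from the networking scenarios, decide jointly what a connected client can reach. The Python model below is an added example, not code from the video or from AWS; the CIDRs, subnet names and the Azure AD group ID are constructed placeholders, and the precedence it gives to the most specific authorization rule is an assumption to be confirmed against the AWS documentation. It also shows the group-scoped rule that the "allow everything" rule used in the demo would be replaced with in a least-privilege setup.

```python
"""Model of an AWS Client VPN endpoint's reachability decision (added example,
not the video's or AWS's code). Two checks are combined: the endpoint route
table (is the destination routed, and through which associated subnet?) and
the authorization rules (does an "all users" rule, or a rule naming one of
the groups carried in the user's SAML memberOf attribute, cover it?).
Assumption: among covering authorization rules the longest prefix wins."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    destination: IPv4Network
    target_subnet: str  # associated subnet the traffic leaves the endpoint through


@dataclass(frozen=True)
class AuthorizationRule:
    destination: IPv4Network
    group_id: Optional[str] = None  # None = allow all authenticated users


@dataclass
class ClientVpnEndpoint:
    routes: List[Route]
    rules: List[AuthorizationRule]
    split_tunnel: bool

    def lookup_route(self, dst: IPv4Address) -> Optional[Route]:
        """Longest-prefix match over the endpoint route table."""
        matches = [r for r in self.routes if dst in r.destination]
        if not matches:
            return None
        return max(matches, key=lambda r: r.destination.prefixlen)

    def is_authorized(self, dst: IPv4Address, user_groups: Iterable[str]) -> bool:
        """Only the most specific covering rule(s) are consulted (assumed
        precedence): one all-users rule, or one rule naming a group the user
        belongs to, grants access; no covering rule at all denies it."""
        groups = set(user_groups)
        covering = sorted((r for r in self.rules if dst in r.destination),
                          key=lambda r: r.destination.prefixlen, reverse=True)
        if not covering:
            return False
        top = covering[0].destination.prefixlen
        return any(r.group_id is None or r.group_id in groups
                   for r in covering if r.destination.prefixlen == top)

    def decide(self, destination: str, user_groups: Iterable[str]) -> str:
        dst = ip_address(destination)
        route = self.lookup_route(dst)
        if route is None:
            # With split tunnel only routed prefixes are pushed to the client,
            # so other traffic never enters the VPN; in full-tunnel mode it
            # enters and is dropped for lack of a route.
            return "bypasses-tunnel" if self.split_tunnel else "dropped-no-route"
        if not self.is_authorized(dst, user_groups):
            return "denied-by-authorization-rule"
        return f"forwarded via {route.target_subnet}"


# Constructed sample setup: CIDRs, subnet name and the group ID are placeholders.
VPC_CIDR = ip_network("10.0.0.0/16")
DB_SUBNET = ip_network("10.0.20.0/24")
DBA_GROUP = "azuread-group-id-dba"  # stands in for an Azure AD group object ID
ANYWHERE = ip_network("0.0.0.0/0")


def build_endpoint(split_tunnel: bool, allow_internet: bool) -> ClientVpnEndpoint:
    """Least-privilege variant of the video's "allow everything" setup: the
    VPC is open to all authenticated users, the database subnet to DBAs only."""
    routes = [Route(VPC_CIDR, "subnet-az-a")]
    rules = [AuthorizationRule(VPC_CIDR), AuthorizationRule(DB_SUBNET, DBA_GROUP)]
    if allow_internet:
        # Route to the internet via the subnet's internet gateway, plus the
        # authorization rule that full-tunnel internet access also needs.
        routes.append(Route(ANYWHERE, "subnet-az-a"))
        rules.append(AuthorizationRule(ANYWHERE))
    return ClientVpnEndpoint(routes, rules, split_tunnel)


if __name__ == "__main__":
    ep = build_endpoint(split_tunnel=True, allow_internet=False)
    for dst, groups in [("10.0.1.10", []), ("10.0.20.5", []),
                        ("10.0.20.5", [DBA_GROUP]), ("203.0.113.7", [])]:
        print(f"{dst:>12} groups={groups}: {ep.decide(dst, groups)}")
```

Running the block shows the two checks failing independently: a user outside the DBA group is denied the database subnet even though the VPC route exists, and with split tunnel an internet destination never enters the VPN at all, whereas in full-tunnel mode it is dropped unless both a 0.0.0.0/0 route and a matching authorization rule are present.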
Info
Channel: cloudonaut
Views: 775
Keywords: aws, amazon web service, cloudonaut, cloud, cloudcomputing, cloud computing, aws training, aws cloud, aws tutorial, aws tutorial for beginners, amazon aws tutorial, aws client vpn, client vpn, client, client-to-site connections, tls, Self-service Portal, Easy-rsa + ACM, VPN Connections, aws client vpn costs, Client VPN & Self-service Portal, Client VPN & Azure AD (SAML), client vpn and azure, client vpn self service portal, aws client vpn azure, aws client vpn self service portal
Id: rq3UXjGBZdE
Length: 19min 23sec (1163 seconds)
Published: Sun Oct 03 2021