AWS Site To Site VPN - New video with improved steps (Part 1)

Captions
Hi guys, this is Shaitan. In this video I'm going to show how to set up a VPN connection in AWS. If you have already seen a video around this, this is a new version of the video; there are some improvements with respect to how AWS improved, and there is an extended version of the connectivity which I'll be talking about in the later section of this video.

Just a quick recap: as you know, if you have to set up a connection between AWS and your on-premises network, then in AWS there are two options. The first is setting up an IPsec VPN connection between the AWS VPC and the on-premises network. IPsec VPN works, or the traffic flows, over the internet and it is encrypted; that's where both the networks can communicate over a secure channel. Most of the small or medium-sized companies would prefer a VPN connection because it is easy to set up: it hardly takes a few minutes to set it up, and then you can communicate between these two networks seamlessly over private IP addresses. The other option is AWS Direct Connect, which is a point-to-point physical connection between an AWS data center and the on-premises network. We are not going to see Direct Connect in this video; we are going to see how to set up an AWS VPN connection.

Going back to this diagram, you can see on the AWS side we have a VPC and we have a virtual private gateway, which will act as the AWS side of the router. On the right side, which is the on-premises network, we need a router; we call it the customer gateway, and this customer gateway needs to be accessible over the internet, which means it should have a public IP on this side. Now, as we have access to an AWS account, we can set up the left side of this network in AWS in any region of your choice, but we don't really have access to this side, right? That's where, in order to do this lab, we need to have a simulated corporate network, and as you can see I can simulate this network using AWS itself. So what we can do is take another AWS VPC in another region and
we can use a router here. In the real world people will use well-known routers like a Cisco or a Juniper or Palo Alto firewalls to set up these VPN connections, but we want to do it with minimal cost, and that's where we are going to set up this router on an EC2 instance using Openswan software. If I talk about the network diagram in AWS, this will look something like this: on the left side we have the AWS network, on the right side it's the simulated corporate network. In this network, if you see, I don't need this EC2 instance to be accessible over the internet; that means in this VPC I would just have a private subnet and one EC2 instance which would have just one private IP address. However, on the right side, this is a simulated network, as I said: we would have a VPC and we would have a public subnet. Why public? Because we actually want to launch an EC2 instance here and configure Openswan on this instance, so we would have to connect to this instance over the internet and then configure Openswan; that's where we need it in a public subnet. Now, if you see this diagram, one thing is we can't really reach this EC2 instance directly from the internet: there is no internet gateway and this is a private subnet. That means the only way we can reach this instance is from this instance, and that too when we have this VPN connection established.

So how does AWS VPN work? On the AWS side of the network we need something called a virtual private gateway, VPG or VGW, and on the right side we need a customer gateway, which in our case is this EC2 instance running the Openswan VPN software. OK, so in order to do this lab you will have to set up two VPCs. For this exercise I have chosen the Mumbai region for the AWS side of the VPN connection and the North Virginia region to simulate the corporate network. So the first thing would be to create two VPCs, create one private subnet in the Mumbai region and one public subnet in the North Virginia region, then launch two
EC2 instances, one private and one public, create a virtual private gateway, and see how to modify routes. We have to do a lot of things that I will walk you through while we do this exercise. For simplicity, or for you guys, what I have done is I have created a doc which talks about each and every step in order to set up this VPN connection, and if you follow this blog document, in the end you should be able to set up a VPN connection on your own. So let's jump into the action and implement the VPN connection.

As you can see, I need to create two VPCs; I have defined these CIDR ranges as well, so let me do the same thing. First, I am going to create two VPCs in two different AWS regions, so let me go back to my AWS console. I have this console, let me close some windows. I'm in the Mumbai region; you can see I have one default VPC. I am going to create a new VPC, let's call it VPC-A, with the CIDR range 10.100.0.0/16; the rest of the things I am keeping default. Now in this VPC I just need a private subnet; again, look at the diagram and just follow the instructions which are written in the document. So I'm going to Subnets and creating a subnet. Let me call this subnet VPC-A-Private-Subnet. For the AZ you can select anything; in the Mumbai region t2.micro instances are not supported in AZ 3, so I need to select anything other than AZ 3. The CIDR I'm choosing is 10.100.0.0/24; if you are not sure how to calculate these CIDRs, just refer to my video on VPC basics. Let's create this subnet. Now, along with the subnet it always creates a route table. Don't use the default route table, because then you won't understand what's happening, so let me create a route table; let me call it VPC-A-Private-Route-Table. Once I create the route table, I don't need to add any routes. Typically, if you are creating a public subnet, in the public subnet route table you need a route for the internet and you add the corresponding entry, but here you don't need
that. However, you need to associate this route table with the subnet that you created, and that's what I am doing. OK, I have set up this left side. Let me quickly also launch an EC2 instance in this subnet. I'm just going with most of the things as default; I'm sure you know how to launch an EC2 instance and how to connect to EC2 instances, so I'm not spending much time here. Select the right VPC, select the right subnet; I don't need a public IP, this is a private EC2 instance. I will go with the defaults; let's add the tag EC2-A. Now the security group: here you need to think actually what security group you want to use. If you see this network diagram again, you need to ask the question on this EC2 instance: from where are you going to receive the traffic? The traffic you are going to receive is only from your corporate network, and the CIDR of the corporate network is 10.200.0.0/16; that means ideally you should allow all the traffic from this network, right? So that's what I'm going to do: I'm going to not allow SSH, but I'll just allow All TCP, every port, but specifically from the CIDR range of my corporate network. I also should be able to ping from this machine to this machine, and that's where I'm also going to enable the ping protocol, that is All ICMP - IPv4, using the same CIDR range for the on-premises side. Let's launch the instance. It will take its own time; meanwhile we can just proceed to our next phase, setting up the right side of the VPN connection, that is the simulated corporate network.

Here I am going to create another VPC in the North Virginia region and one public subnet inside that. So let's go back to the console, this time to the VPC console in North Virginia. I'm in the North Virginia VPC console; let me create a new VPC, let's call it VPC-B. Now we need a different CIDR range here, because the VPN connection needs different CIDRs; otherwise there will be CIDR overlap and then routing won't work. So here
I'll choose 10.200.0.0/16. As I need to create a public subnet, that means I would also need an internet gateway to attach to this VPC, and that's what I'm going to do next. Let's go to Internet Gateways and create an internet gateway; let's call it VPC-B-IGW, create it, and once you create it you need to attach it to your VPC, so I'm just attaching it there. OK, next let's create a subnet. We want to create a public subnet; let's name it VPC-B-Public-1 in case you are going to create more subnets. For preference let's give it AZ a, and the CIDR range 10.200.0.0/24. One more thing on the subnet: ideally, when we launch the instance, we also need that instance to have a public IP, so we should enable this setting (auto-assign public IP). Even if you don't do this, you can override this setting while launching the EC2 instance, but to be on the safer side in case you forget, better to enable it here. Next we are going to add a route table as well for this subnet, so let's create a public route table for VPC-B and select the VPC. Here we need to add a route for the internet gateway because this is going to be a public subnet, so let's add a route 0.0.0.0/0, route it through the internet gateway, and save the routes. If you're not sure what I'm doing, you probably need to refer to my earlier videos about VPC basics. Let's associate this route table with the subnet that we created and just save this. I have seen that most of the time people forget to associate these subnets with the route table, and that's where the traffic does not flow as you expect, so make sure you associate the table with the subnet.

OK, so we have set up the right side: we have set up the VPC, IGW and public subnet. Let's also create an EC2 instance in this subnet, which will act as our customer gateway. Right now I don't have any EC2 instance, so let me launch one EC2 instance there. Again I am selecting all defaults here; I am just going with my VPC which I created, there is only one subnet, and it would have a public IP enabled
because I had set up the auto-assign public IP setting on the subnet. Storage default; for the name tag, let me call it EC2-B, which also acts as a router. Security group: again you need to ask the same question to yourself, from where is the traffic expected to come to this EC2 instance? If you look at the diagram, the traffic is only coming from here, right? Typically ICMP or any kind of TCP traffic. But additionally I am going to log in to this EC2 instance from my machine; that means we also need to open an SSH connection at least for my IP address. So these are the two things we are going to add: SSH from my IP, otherwise I won't be able to log in and configure Openswan there, and here we will go with the same All TCP traffic, but this time from the left side, which is 10.100.0.0/16, the AWS side CIDR; and I also want to enable ICMP for ping. That's what we need; let's review and launch, and launch the instance.

OK, so so far what we have done: we are done with these two different pieces, and as of now there is no communication between these two. The next thing we want to do is create this virtual private gateway and then configure it for the VPN. In order to configure this virtual private gateway and a customer gateway, what we need is the public IP address of this EC2 instance, because while you create a VPN connection you have to mention where your customer router is, right? That's where you need the public IP of this machine. So let me grab the public IP of this machine, which is this router, and I'll just copy this address. Let's go back to our Mumbai region, into the VPC console. Here you will see Site-to-Site VPN Connections, but before creating this connection you need to create a virtual private gateway and a customer gateway. So let's create a virtual private gateway; let's give it the name VPC-A-VPC-B-VGW, or you can just say VPC-A-VGW, that makes more sense. We will go with the defaults. This is detached; you need to attach it to the VPC, so let's do that.
By the time it gets attached, let's create a customer gateway, and as I said, here you will need the public IP of your side of the network. So let's create a customer gateway; let's call it VPC-B-CGW. Now, this is one place where people get confused: they think the customer gateway is an AWS-side entity. This is just a representation of your side of the network, so this is not really the AWS side of the network, it's actually the corporate side of the network, and that's where the IP address that we will be setting up is on the right side of this network, which is the corporate network. So let's put in the IP address which we just copied. We want static routing; I will explain more about static and dynamic routing in a different video. The rest of the things you can keep default and just create the customer gateway.

Now we have a customer gateway and we have a virtual private gateway; using these two we can create a site-to-site VPN connection, so let's do that. Let's create a VPN connection; let us call it VPC-A-VPC-B-VPN. We already have a VGW created, we already have a customer gateway created; for routing we want static, we don't want dynamic routing as of now. Now this is an important step, where you define the IP prefixes on the right side of the network, that means this side of the network. That's where the VGW learns what the IP prefixes on the right side are, so that when traffic comes in for those it will use the VGW to route this traffic to your corporate network. So here we need to put 10.200.0.0/16. That's the difference between static and dynamic routing: when you enable dynamic routing you don't have to provide all these routes; through the BGP protocol the VGW will understand dynamically what the CIDR ranges on the right side are, and I think I'll talk about it later, sometime in the next video. So that's what you have to put; the rest of the things you can keep default, or you can also set up some of these things on your own, now
something like the pre-shared key. The VPN creates two tunnels for high availability, and the way the VPN connection is established is using a secure protocol, IPsec, and one of the steps is to share a key between these two ends. Either you can set up your own pre-shared key, or if you do not, then AWS will generate this pre-shared key for you. We are going to leave it default and use the keys which are generated by AWS for both the tunnels. So that's it, let's create the VPN connection. Now it typically takes around 2 to 3 minutes for this VPN connection to be available; meanwhile let's log in to this EC2 instance and configure the Openswan server there, so that we can configure it for terminating our VPN connection.

OK, let's do that. For this I need the public IP of the EC2-B instance, which I got. Now what I need to do is go to my PuTTY session and put in this public IP. I need to select the keys for North Virginia; I already have my key loaded, you would have to select your keys, and just say Open. Let me accept the connection; the default user is ec2-user. OK, I am in the EC2-B instance. What I need to do is configure Openswan. How to do that: I have listed all these steps in this document. I think I have already done most of this without referring to the document; let me log in to this box and do all these steps. First I need to change myself to the root user so that I have full permission to install Openswan, and then I will just run this command to install Openswan. OK, done. A few things: you need to make sure certain files are properly configured. This is required so that the IPsec service can pick up the right configurations. So in the file /etc/ipsec.conf, make sure there is a line at the end which is not commented, so that we can add further files into this directory; this is already uncommented, so I'm not going to do anything here. The next thing we need to update is /etc/sysctl.conf. This is required because this machine is going to act as a router: it's going to forward whatever traffic
it gets to the other machines in the same corporate network, and that's where we have to set these settings. We need to add a couple of lines here, which I have already listed; some of them all got onto the same line, they should be on different lines, so let me just quickly do that. OK, and after this is done we just need to restart our network service so that all the changes take effect. Done.

Now the next thing we want to do is configure our IPsec VPN. So far we just installed Openswan but haven't really configured it. We need to tell it what the AWS side of the network looks like, what the pre-shared key is, and all those settings. Now, from where do you get those settings? All those settings on the AWS side of the network, what we configured on the VGW, we get from AWS: we can download all these settings in the form of a text file and then we can use that text file to configure Openswan. So let's do that. Let's go to the AWS side of the VPN connection; this connection is available now, and you can download the configuration. Earlier there was no vendor-specific, specifically Openswan-related, configuration exported by AWS, but now you can see Openswan configurations are already there; earlier there were generic settings and you needed to know how to pick the right values from this configuration, but now it is much easier. So download this configuration file, save it somewhere; I'll save it maybe on the desktop, just need to remember this name, and close this. Now open this file in Notepad; let me go to Notepad and open this. OK, now this file is interesting: it talks about most of the things we already did, but more importantly it has the tunnel details. If you see, all these settings we've already done; what we have to do next is create this file /etc/ipsec.d/aws.conf. So let's do that. I am on the EC2-B machine, let me create this file, and this file should have all the tunnel details. Now, I would find these tunnel details
here, right? So you just need to pick this complete block as it is and paste it here. Now one thing: these settings won't work as is. There is this line which causes the problem for the VPN connection, because auth=esp is not really supported, so what we need to do is delete this line. Make sure you follow this step: delete this line and save this file. Similarly you also have to create the aws.secrets file, which has the pre-shared key, as I had told earlier, so let us do that and just put this entry here. That's it. There will be two tunnels' information in this file because, as I said, AWS has two tunnels for high availability, so right now this is tunnel 1's details and similarly there will be tunnel 2's details, but in this case we are going to set up only one tunnel; that's because Openswan does not support having the two tunnels on the same host, for that we need a different machine. If we set up both the tunnels the VPN won't work.

Now let's talk a bit about this file. If you see, the leftid is actually the IP address of the customer side of the network, right? If you see the EC2 instance, this IP comes from this, which is the Openswan server machine, and the right side is actually the other end of the connection, that is the AWS side. Now, from where did you get this right-side IP address? If you go back to your VPN connection and look at the virtual private gateway tunnel details, you will see that there are two IPs; these are the AWS side IP addresses, because the VPN always happens between two public endpoints, and what AWS does is create two public IPs for you. One of the IPs you will see in tunnel 1, which is this, and the other IP you will see in tunnel 2. As of now this tunnel's status is down because we haven't really established the VPN connection, so let's do that. Similarly there are this leftsubnet and rightsubnet; this is something you need to populate. The leftsubnet is again the
corporate network side CIDR, and the right one is the AWS side CIDR. So let's go back to this file and modify these two values: the leftsubnet, if you can remember, is 10.200.0.0/16, and the rightsubnet is 10.100.0.0/16. OK, so we are almost done with all our settings except one. If you see this diagram that we had, in this we set up this VGW and we have set up the public, sorry, private subnet on this side, but one thing we forgot is we haven't really configured the route table of this subnet to say: if traffic has to go to this CIDR range, use this virtual private gateway. We haven't done that yet. Now, how to do that? Let us go back to our AWS environment and let's go to our route table; this was the route table. Here, typically what you will do is just add a route here and configure it through the VGW, but there is another way to do this, using route propagation. With this, whatever CIDRs are on the right side will be learned by your VGW and they will be propagated automatically. Why this? Because tomorrow, if some new CIDRs come in on the right side of the network, you don't have to modify your route tables; they will be automatically propagated. So just say propagate and save, and what you will see is that after the VPN tunnel is up, you will see that entry populating here.

OK, so we are almost at the end of this exercise. Let us go back to our document: we have done all of these steps, we are done with setting up this IPsec conf file, we have set up the secrets file, and we just need to run this command to start our VPN tunnel. So let us go back to this VPC-B instance and run this command, and let us check the status of this ipsec service; it says it's running. Now, how do you verify it's running? One thing to understand is that the VPN connection is always initiated from the customer side and not from the AWS side; if there is no traffic flowing from the customer side, the VPN tunnel goes down, so you need
to make sure you are sending keepalive bits or something to keep the tunnel up all the time. OK, let's go back to the AWS side of the VPN and see if the tunnel is up there. Let me go back to Site-to-Site VPN Connections, and you see this tunnel is up now. One more thing we wanted to verify: in the route table, if you see this route getting propagated... not yet, but as the traffic flows you will see the route getting propagated here in the route table. OK, so the tunnel is up. The final test that we actually have to do is to see if we can ping this machine from this machine. We are already on this machine, so let us try to ping the private IP address of the EC2-A machine. Let me get the private IP of the machine, which is this, and let's go back to EC2-B, let me just clear the screen, and I'll just say ping this. You see traffic is flowing with the private IP of the machine, which actually means we have successfully set up the VPN tunnel between this AWS network and the corporate network using this Openswan router. So if you have done up to this part, congratulations, you have already set up the VPN connection.

In the next part of the video I am going to show some advanced routing, where we would have another EC2 instance in another subnet, and then we should also be able to communicate with this instance using this router instance, because this is now my customer end of the router, and in an actual real-life scenario you would have a lot of servers on the right side and everybody should be able to talk to this network through this router where we terminate the IPsec VPN tunnels. So if you have reached this far, congratulations; just follow the document and I'm sure you should be able to configure it on your own. One last thing, I wanted to check if the routes are there: they are still not propagated... no, they are there now, it has been updated. So that's it, that's what we wanted to see in this video; follow my next video for advanced configurations and advanced routing using this Openswan
router. Thanks for watching. Sorry, one last thing I forgot: if you are stopping here, make sure you terminate the EC2 instances and, more importantly, you clean up your VPN connection. That's because there is a charge of 0.05 dollars per hour for the VPN connection; if you leave the connection open you will be unnecessarily charged, so make sure you clean up your resources accordingly. So that's it, follow the next video, thank you.
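The Openswan configuration steps described in the video (paste the tunnel block from the AWS-exported file into /etc/ipsec.d/aws.conf, delete the auth=esp line, fill in leftsubnet/rightsubnet with the corporate and AWS CIDRs, keep only one tunnel, and put the pre-shared key into aws.secrets) can be automated so the edit is repeatable and the CIDR-overlap mistake the video warns about is caught before the tunnel is started. The script below is an added example, not the video's commands or anything from the AWS documentation; SAMPLE_AWS_EXPORT is a constructed stand-in for the downloaded Openswan file, using documentation IP addresses (203.0.113.10 for the customer gateway, 198.51.100.x for the virtual private gateway tunnel endpoints) and a placeholder key, and the lab CIDRs 10.200.0.0/16 (corporate) and 10.100.0.0/16 (AWS) come from the video.

```python
"""Build the aws.conf and aws.secrets content for ONE tunnel from the text that
AWS exports for Openswan.  Added example; SAMPLE_AWS_EXPORT is a constructed
stand-in for the download (documentation IPs, placeholder key), not a real file.
"""
import ipaddress
import re

# Constructed stand-in for the tunnel sections of the AWS Openswan export.
# It carries the <LOCAL NETWORK>/<REMOTE NETWORK> placeholders that have to be
# filled in and the auth=esp line that the video deletes.
SAMPLE_AWS_EXPORT = """\
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=203.0.113.10
    right=198.51.100.1
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=<LOCAL NETWORK>
    rightsubnet=<REMOTE NETWORK>
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
    auth=esp

conn Tunnel2
    authby=secret
    auto=start
    left=%defaultroute
    leftid=203.0.113.10
    right=198.51.100.2
    leftsubnet=<LOCAL NETWORK>
    rightsubnet=<REMOTE NETWORK>
    auth=esp
"""

# Keys the video says must be removed before the IPsec service will load the file.
DROP_KEYS = {"auth"}


def parse_conn_blocks(text):
    """Return {conn name: [(key, value), ...]} for every 'conn X' section."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"conn\s+(\S+)", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            blocks[current].append((key.strip(), value.strip()))
    return blocks


def check_no_overlap(left_cidr, right_cidr):
    """Both sides need disjoint CIDRs; otherwise the VPN routes are ambiguous."""
    left, right = ipaddress.ip_network(left_cidr), ipaddress.ip_network(right_cidr)
    if left.overlaps(right):
        raise ValueError(f"{left} overlaps {right}; pick non-overlapping ranges")
    return True


def build_tunnel_conf(export_text, tunnel, left_cidr, right_cidr):
    """Emit the aws.conf body for one tunnel: auth=esp dropped, subnets filled."""
    check_no_overlap(left_cidr, right_cidr)
    blocks = parse_conn_blocks(export_text)
    if tunnel not in blocks:
        raise KeyError(f"{tunnel} not found in export")
    lines = [f"conn {tunnel}"]
    for key, value in blocks[tunnel]:
        if key in DROP_KEYS:
            continue
        if key == "leftsubnet":
            value = left_cidr   # corporate side (the Openswan host's network)
        elif key == "rightsubnet":
            value = right_cidr  # AWS side (behind the virtual private gateway)
        lines.append(f"    {key}={value}")
    return "\n".join(lines) + "\n"


def build_secrets(export_text, tunnel, psk):
    """aws.secrets entry: '<CGW public IP> <VGW tunnel IP>: PSK "..."'."""
    settings = dict(parse_conn_blocks(export_text)[tunnel])
    return f'{settings["leftid"]} {settings["right"]}: PSK "{psk}"\n'


if __name__ == "__main__":
    # Values from the video's lab: corporate 10.200.0.0/16, AWS 10.100.0.0/16.
    print(build_tunnel_conf(SAMPLE_AWS_EXPORT, "Tunnel1", "10.200.0.0/16", "10.100.0.0/16"))
    print(build_secrets(SAMPLE_AWS_EXPORT, "Tunnel1", "CONSTRUCTED-PLACEHOLDER-PSK"))
```

Run it on the EC2-B host against the real download (read the file instead of SAMPLE_AWS_EXPORT, and take the key from the AWS console rather than a placeholder), write the two outputs to /etc/ipsec.d/aws.conf and /etc/ipsec.d/aws.secrets, and restart the ipsec service as the video does. Only Tunnel1 is emitted, matching the video's one-tunnel setup; the overlap check fails fast if someone reuses a CIDR on both sides.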
Info
Channel: AWS Training Center
Views: 59,954
Id: 5YvcyBecQts
Length: 33min 50sec (2030 seconds)
Published: Thu Mar 12 2020