
(NET405) Build a Remote Access VPN Solution on AWS

5,659 views


"What if weather or any other major event prevents a large number of your users from coming into the office? Does your VPN or remote connectivity solution scale?

Deploying solutions in AWS gives you access to agility, cost savings, elasticity, breadth of functionality, and the ability to deploy globally in minutes. With access to these benefits through the AWS platform, administrators can launch global, scalable, and resilient VPN solutions to support your business at a moment's notice.

In this session, learn how to build a flexible, elastic, highly secure VPN infrastructure using Amazon Route 53, Amazon EC2, Auto Scaling, and third-party solutions to allow hundreds or thousands of users to work remotely as soon as the first snowflakes begin to fall.

To attend this session, it is suggested that attendees have a working knowledge of VPC, EC2, general networking, and an understanding of routing protocols."

Published in: Technology


  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Darryl Osborne, Matt Lehwess, Joe Fontes, AWS Solution Architects. October 2015. NET405: Snowstorm Got You Trapped at Home? Build a Remote Access VPN Solution on AWS
  2. What to Expect from the Session: 1. Overview of traditional remote access VPN solutions; 2. What if? The disaster scenario; 3. How to build an enterprise VPN solution in AWS; 4. Let's do the same, open source this time; 5. Summation
  3. The now... What does a traditional VPN solution look like?
  4. Overview of existing VPN solutions (diagram: Corporate HQ, Small Site, Other Sites, Users, and Whatnots, Service Provider MPLS IP VPN, Data Center, VPN Devices, Encrypted VPN; charts of VPN Users and Bandwidth against a fixed Capacity line over Time; Physical Infrastructure)
  5. What if?
  6. Overview of existing VPN solutions (same diagram; the VPN Users and Bandwidth charts now exceed the Physical Infrastructure line: Capacity Shortfall)
  7. What do you do?
  8. You've hit the red button... Now let's watch our enterprise VPN solution build out.
  9. How do you build a VPN solution in AWS? Requirements: 1. One-click deployment: AWS CloudFormation templates; 2. Take advantage of AWS: agility, cost savings, breadth of functionality, the ability to deploy globally in minutes, elasticity; 3. Complete infrastructure automation: horizontal scaling, fault tolerance
  10. How do you build a VPN solution in AWS? (diagram: Corporate HQ, Other Sites, Users, and Whatnots, Service Provider MPLS IP VPN, Small Site, Data Center, Other Servers, Encrypted VPN, AWS Direct Connect or VPN into Auto Scaling Infrastructure; the VPN Users and Bandwidth charts now show Capacity Grows with Demand)
  11. How do you build a VPN solution in AWS? (same diagram, with the note: Depending on Direct Connect Architecture)
  12. VPC Architecture (diagram: AWS Region, e.g. US-WEST1; VPC CIDR, e.g. 10.0.0.0/16; Availability Zone A and Availability Zone B, each with a Worker Node Subnet and a VPN Instance Subnet; Internet Gateway, drawn twice to show the traffic flow; Customer DC / on-premises data center with Data Center Stuff and Other Servers; VPN Users; Amazon Route 53 for DNS load balancing)
  13. VPN Instance(s) (same VPC diagram: a worker node (W) per AZ in a Worker Node ASG, VPN instances in an Auto Scaling Group, downstream VPNs, Amazon Route 53)
  14. VPC Architecture (same diagram): the client sends a DNS request for vpn.example.com and Amazon Route 53 answers with one VPN instance's address, e.g. 54.10.52.230
  15. VPC Architecture (same diagram): each VPN instance assigns hosts from a unique subnet for the client-to-site VPN connection. VPN INSTANCE / HOST SUBNET: i-093c3601 100.64.0.0/20; i-58303a50 100.64.16.0/20; i-89497b86 100.64.32.0/20; i-c8a771c7 100.64.48.0/20
  16. Auto Scaling Integration: Amazon CloudWatch custom metrics can trigger alarms, and the alarms launch more instances in the Auto Scaling Group (charts: VPN Users and Bandwidth against Capacity over Time)
  17. Auto Scaling Integration (same slide as 16, repeated)
  18. Configuration of VPN Instances: Auto Scaling group, Simple Queue Service, Route 53
  19. Sample Worker Node VPN Configuration

```python
import boto3

# instance_id, vgw_id, vpn_config and the appliance REST client `http`
# come from the worker's own context (not shown on the slide)
ec2 = boto3.resource('ec2')
client = boto3.client('ec2')

# Get IP address of instance
ip = ec2.Instance(instance_id).public_ip_address

# Create a CGW for the new instance and keep its ID (the slide used cgw_id without capturing it)
cgw = client.create_customer_gateway(PublicIp=ip, Type='ipsec.1', BgpAsn=65501)
cgw_id = cgw['CustomerGateway']['CustomerGatewayId']

# Create VPN connection between the instance and VGW
client.create_vpn_connection(CustomerGatewayId=cgw_id, VpnGatewayId=vgw_id, Type='ipsec.1')

# Configure VPN appliance via REST API
http.post(ip, "/restore", vpn_config)
```
  20. Sample VPN Instance Configuration

```
set as ${BGPASN}
set router-id ${RouterID}
config neighbor
    edit "${RemoteTunnel2BGPPeerIP}"
        set remote-as ${RemoteTunnel2ASN}
    next
    edit "${RemoteTunnel1BGPPeerIP}"
        set remote-as ${RemoteTunnel1ASN}
        set send-community6 disable
    next
end
config network
    edit 1
        set prefix 100.64.0.0 255.255.240.0
    next
    edit 2
        set prefix ${LocalVPCSubnet} ${LocalVPCSubnetMask}
    next
end
```
  21. VPC Architecture (same diagram, Route 53 plus the VPN ASG): instance numbers can now scale as needed based on users and bandwidth; users can grow and shrink with no infrastructure shortfalls or capacity waste
  22. How do you build a VPN solution in AWS? Requirements: 1. One-click deployment; 2. Take advantage of AWS
  23. What if I want to save more $$$? Let's go open source!
  24. Agenda: Design Overview (Network Design, IP Assignments, Amazon DynamoDB); DNS Load Balancing (Amazon Route 53 latency-based routing, Amazon Route 53 geo routing); Routing Deployment (Amazon Direct Connect, configuring the route instance, OpenVPN P2P, GRE/IPsec); VPN Deployment (image creation, VPN image configuration scripts); Amazon CloudWatch Metrics (recording metrics); Amazon CloudWatch Alarms; Auto Scaling (adding machines, use of Amazon CloudWatch metrics); Review of Overall Design; Expanding to the Future
  25. Let's Review (same diagram as slide 11: Auto Scaling Infrastructure behind AWS Direct Connect or VPN, capacity grows with demand, depending on Direct Connect architecture)
  26. AWS regions: US-WEST (Oregon), EU (Ireland), ASIA PACIFIC (Tokyo), US-WEST (N. California), SOUTH AMERICA (Sao Paulo), US-EAST (N. Virginia), AWS GOVCLOUD (US), ASIA PACIFIC (Sydney), ASIA PACIFIC (Singapore), CHINA (Beijing), EU (Frankfurt). 11 Regions, 30 Availability Zones, continuous expansion
  27. Design Overview, Single AZ (diagram: User, Amazon Route 53, Amazon CloudWatch, Amazon DynamoDB; one Availability Zone with a Private Subnet, a Public Subnet and a Routing Subnet; VPN Instances with ENI-Priv and ENI-Pub; a Routing Instance with ENI-P2P running OpenSwan/GRE/OpenVPN; NAT Traffic and Corporate Traffic flows)
  28. Design Overview, Multi-AZ, Multi-VPC (diagram: User, Amazon Route 53; a US-WEST-1 (Oregon) Virtual Private Cloud and an EU-WEST-1 (Ireland) Virtual Private Cloud, each with PUBLIC, PRIVATE and ROUTING SUBNETs in every AZ, VPN instances and Routing Instances)
  29. Design Overview, IP Reservations. Network / Reserved Ranges: VPN Address Pool 10.33.0.0/16; Private Subnets 10.X.1-3.0/24; Public Subnets 10.X.4-6.0/24; Routing Subnets 10.X.7-9.0/24; P2P IPsec Ranges 10.255.255.0/24 (subnets on the diagram: 10.101.4.0/24, 10.101.5.0/24, 10.102.4.0/24, 10.101.2.0/24, 10.101.7.0/24, 10.101.2.0/24, 10.101.8.0/24, 10.102.1.0/24, 10.102.7.0/24)
  30. Design Overview, IP Reservations (diagram: US-WEST-2 with Public Subnet 10.101.4.0/24, Private Subnet 10.101.2.0/24 and routing subnet 10.101.7.0/24; US-EAST-1 with Public Subnet 10.102.4.0/24, Private Subnet 10.102.1.0/24 and routing subnet 10.102.7.0/24; VPN Instances with ENI-Pub and ENI-Priv, Router Instance ENI-P2P; corporate data center; P2P links 10.255.255.1/30 and 10.255.255.2/30 OpenVPN, 10.255.255.5/30 and 10.255.255.6/30 GRE)
  31. Amazon DynamoDB Configuration Storage. What is stored? NetworkID: unique network ID; NetworkAddr: subnet used for VPN clients; InstanceID: instance ID assigned to NetworkAddr; Region: region the instance is running in; Description: description of the network (diagram: US-WEST-2 VPN Instance ENI-Pub/ENI-Priv in 10.101.4.0/24 and 10.101.2.0/24, Router Instance ENI-P2P in 10.101.7.0/24 with 10.255.255.1/30, running OpenSwan/OpenVPN)
  32. Agenda (repeated from slide 24; DNS Load Balancing section)
  33. (diagram: User, Amazon Route 53; VPN instances in the PUBLIC SUBNETs of the US-WEST-1 (Oregon) Virtual Private Cloud and of the US-EAST-1 (N. Virginia) VPC, each with Routing Instances)
  34. (same diagram, Amazon Route 53 in front of the two VPCs)
  35. (same diagram) Where are you physically? Within the closest region, what VPN instance has the lowest latency to you?
  36. What do we push to the API? (diagram: User, Amazon Route 53, VPN instances and Routing Instances in the PUBLIC SUBNET of the US-WEST-1 (Oregon) Virtual Private Cloud)

```php
// Look up any existing record set for this region's VPN name
$searchName = "vpn." . $regionID . ".unicorn.rentals";
$R53Data = array(
    'HostedZoneId'    => $zoneId,
    //'StartRecordName' => $recordName,
    'StartRecordName' => $searchName,
    'StartRecordType' => 'CNAME',
);
$R53Res = $R53Client->listResourceRecordSets($R53Data);

// Health check against the VPN TCP port on this instance's public hostname
$R53DataHC = array(
    'CallerReference'   => uniqid('hc-', true),   // required by the API; not shown on the slide
    'HealthCheckConfig' => array(
        'Port'                     => 34992,
        'Type'                     => 'TCP',
        'FullyQualifiedDomainName' => $publicHost,
        'RequestInterval'          => 10,
        'FailureThreshold'         => 2,
    ),
);
$R53ResHC = $R53Client->createHealthCheck($R53DataHC);
$hcheckId = $R53ResHC['HealthCheck']['Id'];   // the slide used $hcheckId without showing its origin

// Add a weighted CNAME for this instance, tied to the health check
$updateInfo = array(
    'HostedZoneId' => $zoneId,
    'ChangeBatch'  => array(
        'Comment' => $commentU,
        'Changes' => array(
            array(
                'Action'            => 'CREATE',
                'ResourceRecordSet' => array(
                    'Name'            => $searchName,
                    'Type'            => 'CNAME',
                    'SetIdentifier'   => $instID,   // comma was missing on the slide
                    'Weight'          => 10,
                    'TTL'             => 60,
                    'ResourceRecords' => array(array('Value' => $publicHost)),
                    'HealthCheckId'   => $hcheckId,
                ),
            ),
        ),
    ),
);
$R53ResU = $R53Client->changeResourceRecordSets($updateInfo);
```
  37. Agenda (repeated from slide 24; Routing Deployment section)
  38. Corporate Connections: the Routing Instance in the Routing Subnet carries Corporate Traffic over AWS Direct Connect or over VPN Connections
  39. OpenVPN P2P Connections (diagram: Routing Instance / Router Instance ENI-P2P in US-WEST-2 (10.101.7.0/24) and in US-EAST-1 (10.100.7.0/24), the corporate data center; OpenVPN link 10.255.255.1/30 (Left Side) to 10.255.255.2/30 (Right Side); GRE 10.255.255.5/30 and 10.255.255.6/30). Traffic between sites is encrypted and compressed.
  40. OpenSwan Point to Point Connections (same diagram as slide 39: OpenVPN 10.255.255.1/30 and 10.255.255.2/30, GRE 10.255.255.5/30 and 10.255.255.6/30 between US-WEST-2, US-EAST-1 and the corporate data center)

Configuration (Left Side):

```bash
/usr/sbin/openvpn --daemon --config aws-p2p-left.conf
route -n add -net 10.102.0.0/16 gw 10.255.255.2
```

Configuration (Right Side):

```bash
/usr/sbin/openvpn --daemon --config aws-p2p-right.conf
route -n add -net 10.100.0.0/16 gw 10.255.255.1
```
  41. AWS VPC Route Table: the local VPC CIDR is listed first; the auto-created routes to the VPN servers are listed on the right; the left side points towards the /18 of the VPN pool; the four VPN VPCs each use their own slice of the /18
  42. Agenda (repeated from slide 24; VPN Deployment section)
  43. VPN Image Creation (VPN Instance, Amazon Linux AMI): install first instance to get a baseline system; install OpenVPN; download scripts; configure scripts; create image; create AWS Launch Configuration; create Auto Scaling Group
  44. Example Deployment Scripts (VPN Instance, Amazon Linux AMI). vpn-config.sh: pulls metadata for Instance ID and AZ information; calls assign-address.php to receive the assigned subnet; updates the OpenVPN config with the subnet information. assign-address.php: pass in Instance ID and Region; returns the per-instance VPN subnet CIDR. check-vpn-routes.sh: gathers VPC ID, MAC address, IP address and Subnet ID from metadata; checks for an existing route entry associated with the subnet CIDR; if none exists, creates a route entry for the subnet CIDR pointing to the Instance ID. add-to-dns.sh: pulls in Public Hostname, AZ, Instance ID and Route 53 Zone ID; creates a health check for the Route 53 resource record; creates the Route 53 CNAME for latency-based routing. send-to-cw.sh: gathers the current number of connected VPN clients; sends the number to a custom CloudWatch metric
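The subnet hand-out that vpn-config.sh, assign-address.php and the DynamoDB record of slide 31 implement between them can be modelled in a few lines. The block below is an added example written for this page, not code from the deck: the in-memory dict stands in for the DynamoDB table, the region-to-/18 ordering and every function name are assumptions, and the /18-per-VPC and /24-per-instance split follows slides 41 and 45.

```python
"""Per-instance VPN client subnet assignment: an added example standing in for
assign-address.php plus the DynamoDB table of slide 31 (not the deck's code)."""
import ipaddress

VPN_POOL = ipaddress.ip_network("10.33.0.0/16")  # VPN address pool from the IP reservations slide
VPC_SLICE_PREFIX = 18    # each VPN VPC gets its own /18 of the pool (slide 41)
INSTANCE_PREFIX = 24     # each VPN instance serves clients from one /24 (e.g. 10.33.4.0/24, slide 45)

# Assumption: which region owns which /18 slice; the deck does not state this ordering.
REGION_SLICES = dict(zip(
    ["us-west-2", "us-east-1", "eu-west-1", "ap-northeast-1"],
    VPN_POOL.subnets(new_prefix=VPC_SLICE_PREFIX),
))


def new_table():
    """In-memory stand-in for the DynamoDB table, keyed by NetworkID."""
    return {}


def assign_address(table, instance_id, region, description=""):
    """Return the client subnet CIDR for instance_id, allocating one if needed.

    Idempotent: an instance that re-runs vpn-config.sh gets the same subnet back,
    so the VPC route entry and the OpenVPN config keep agreeing."""
    for item in table.values():
        if item["InstanceID"] == instance_id:
            return item["NetworkAddr"]
    in_use = {item["NetworkAddr"] for item in table.values() if item["Region"] == region}
    for candidate in REGION_SLICES[region].subnets(new_prefix=INSTANCE_PREFIX):
        cidr = str(candidate)
        if cidr in in_use:
            continue
        network_id = f"{region}-{candidate.network_address}"
        table[network_id] = {
            "NetworkID": network_id,
            "NetworkAddr": cidr,
            "InstanceID": instance_id,
            "Region": region,
            "Description": description or f"VPN client pool for {instance_id}",
        }
        return cidr
    raise RuntimeError(f"VPN address pool exhausted for region {region}")


def release_address(table, instance_id):
    """Free the subnet when the instance is terminated so the /24 can be reused."""
    for network_id, item in list(table.items()):
        if item["InstanceID"] == instance_id:
            del table[network_id]
            return item["NetworkAddr"]
    return None


def vpc_routes(table, region):
    """(destination CIDR, target instance) pairs that check-vpn-routes.sh keeps in the VPC route table."""
    return sorted((item["NetworkAddr"], item["InstanceID"])
                  for item in table.values() if item["Region"] == region)


if __name__ == "__main__":
    t = new_table()
    for iid in ("i-093c3601", "i-58303a50"):
        print(iid, assign_address(t, iid, "us-west-2"))
    print(vpc_routes(t, "us-west-2"))
```

Idempotency is the operationally important property: re-running the script on the same instance must return the same subnet, otherwise the route that check-vpn-routes.sh installed and the subnet OpenVPN hands out disagree. The release path is what a termination lifecycle hook or a reaper job would call so that a /18 with 64 slots is not exhausted by churn.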
  45. Routing Instance (diagram: User, Amazon Route 53; Availability Zone with Private Subnet, Public Subnet and Routing Subnet; VPN Instances with Eth1 and Eth0; NAT Traffic, Corporate Traffic and VPN Traffic). Route entry: 0.0.0.0 -> default gateway. VPN traffic route entry on the VPN instance (policy routing: traffic from the client pool uses the ovpn table, whose default route is the routing instance):

```bash
ip route add default via 10.102.2.11 dev eth1 table ovpn
ip rule add from 10.33.4.0/24 table ovpn
```

The named table has to exist in /etc/iproute2/rt_tables (or be given by number) for `table ovpn` to resolve.
  46. Agenda (repeated from slide 24; Amazon CloudWatch Metrics section)
  47. Amazon CloudWatch Metrics Recording (VPN Instance ENI-Priv, Amazon CloudWatch): number of connected users; per-instance; crontab running every minute; Instance ID as CW metric dimension. Variables: Instance ID, Connection Count, NameSpace, Dimension

```bash
#!/bin/bash
# Connected-user count: ROUTING TABLE lines in the OpenVPN status log whose
# virtual address starts with "10." (the client pool)
COUNT=$(grep -c '^10\.' /etc/openvpn/logs/openvpn-client-status.log)
# Instance ID from the instance metadata service, used as the metric dimension
INSTID=$(elinks -dump http://169.254.169.254/latest/meta-data/instance-id | xargs)
/usr/bin/aws cloudwatch put-metric-data --metric-name "ConnectedUsers" --namespace "OVPN" \
    --dimensions "InstanceId=$INSTID" --unit "Count" --value "$COUNT"
```
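The count that slide 47 publishes is a line count over the OpenVPN status log, and it is worth seeing what that measures: the routing-table section, not the client list, so a client with more than one route behind it is counted more than once, and a pattern whose dot is left unescaped also matches 100.x addresses. The block below is an added example (not the deck's send-to-cw.sh); the status log is constructed, and the function names are mine.

```python
"""Counting connected OpenVPN users from the status log: an added example (not the deck's
send-to-cw.sh) contrasting a grep-style line count with a parse of the CLIENT LIST section."""
import re

# Constructed sample of an OpenVPN status log (status-version 1). Two clients are connected;
# bob also has a route for a network behind his client, so he has two ROUTING TABLE lines.
SAMPLE_STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Wed Oct  7 10:00:00 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,198.51.100.10:51234,10240,20480,Wed Oct  7 09:00:00 2015
bob,203.0.113.7:40001,512,1024,Wed Oct  7 09:30:00 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.33.4.6,alice,198.51.100.10:51234,Wed Oct  7 09:59:00 2015
10.33.4.10,bob,203.0.113.7:40001,Wed Oct  7 09:58:00 2015
100.64.5.0/24,bob,203.0.113.7:40001,Wed Oct  7 09:58:00 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def count_grep_style(text, pattern=r"^10."):
    """What `grep <pattern> | wc -l` computes over the whole file. With the default
    pattern the unescaped dot also matches 100.x.x.x lines, and every ROUTING TABLE
    line of a client counts, so the result is not the number of connected users."""
    rx = re.compile(pattern)
    return sum(1 for line in text.splitlines() if rx.match(line))


def connected_clients(text):
    """Common names listed in the CLIENT LIST section, one per connected client."""
    clients = []
    in_client_list = False
    for line in text.splitlines():
        if line.startswith("OpenVPN CLIENT LIST"):
            in_client_list = True
            continue
        if line.startswith("ROUTING TABLE"):
            break
        if not in_client_list or line.startswith(("Updated,", "Common Name,")):
            continue
        fields = line.split(",")
        if len(fields) >= 5:  # Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
            clients.append(fields[0])
    return clients


def connected_users(text):
    """The value to publish as the ConnectedUsers metric: distinct connected clients."""
    return len(set(connected_clients(text)))


if __name__ == "__main__":
    print("grep-style count:", count_grep_style(SAMPLE_STATUS_LOG))
    print("connected users: ", connected_users(SAMPLE_STATUS_LOG))
```

Because the Auto Scaling policy later scales on this number, an over-count translates directly into instances launched for users who are not there; parsing the CLIENT LIST section gives the scaling alarm the quantity it is actually meant to track.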
  48. Amazon CloudWatch Metrics (VPN Instance ENI-Priv, Amazon CloudWatch; no further text on the slide)
  49. Amazon CloudWatch Alarms (VPN Instance ENI-Priv, Amazon CloudWatch): create alarm; choose actions; select metric
  50. Agenda (repeated from slide 24; Auto Scaling section)
  51. VPN Instance Auto Scaling: an Auto Scaling group of VPN instances; as demand increases, so do resources. Scale based upon: average users; sum of users; per-instance rules; minimum across time period; maximum across time period; additional custom metrics
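Slide 51 lists the statistics a scaling policy can be driven by, and slide 49 the alarm that triggers it. The block below is an added example (not the deck's configuration) that puts the two together: CloudWatch-style aggregation of per-instance ConnectedUsers datapoints into Average, Sum, Minimum and Maximum, the alarm rule that requires N consecutive breaching datapoints, and the desired capacity that follows. The sample metrics, the 80% headroom factor and the function names are constructed assumptions.

```python
"""Scaling decisions from the per-instance ConnectedUsers metric: an added example,
not the deck's configuration. Sample data, headroom factor and names are constructed."""
import math
from statistics import mean

# Constructed: the last five one-minute ConnectedUsers datapoints per VPN instance,
# as the cron job of slide 47 would have published them (dimension InstanceId).
SAMPLE_METRICS = {
    "i-093c3601": [180, 190, 210, 230, 240],
    "i-58303a50": [150, 170, 200, 220, 235],
    "i-89497b86": [60, 90, 120, 160, 200],
}

STATISTICS = {"Average": mean, "Sum": sum, "Minimum": min, "Maximum": max}


def aggregate(metrics, statistic):
    """CloudWatch-style statistic across all instances for each period (slide 51's
    average users, sum of users, minimum and maximum across the time period)."""
    per_period = zip(*metrics.values())
    return [STATISTICS[statistic](list(values)) for values in per_period]


def alarm_state(series, threshold, evaluation_periods):
    """CloudWatch alarm semantics: ALARM only when every one of the last
    evaluation_periods datapoints is above threshold; fewer datapoints is INSUFFICIENT_DATA."""
    window = series[-evaluation_periods:]
    if len(window) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    return "ALARM" if all(v > threshold for v in window) else "OK"


def desired_capacity(metrics, users_per_instance, min_size, max_size,
                     evaluation_periods=3, headroom=0.8):
    """Number of instances the Auto Scaling group should run. Scales out when the summed
    user count has exceeded headroom * current capacity for evaluation_periods consecutive
    periods, sizing for the worst datapoint in that window; otherwise keeps the current size."""
    current = len(metrics)
    usable_per_instance = users_per_instance * headroom
    sums = aggregate(metrics, "Sum")
    if alarm_state(sums, current * usable_per_instance, evaluation_periods) != "ALARM":
        return current
    needed = math.ceil(max(sums[-evaluation_periods:]) / usable_per_instance)
    return max(min_size, min(max_size, max(current, needed)))


if __name__ == "__main__":
    for stat in STATISTICS:
        print(stat, aggregate(SAMPLE_METRICS, stat))
    print("desired:", desired_capacity(SAMPLE_METRICS, users_per_instance=200,
                                       min_size=2, max_size=10))
```

With the sample data the summed load is 390, 450, 530, 610, 675 across the five periods; three instances with 200 users each and 80% headroom give a threshold of 480, the last three datapoints all breach it, and sizing for 675 users at 160 usable per instance yields five instances. Requiring consecutive breaches is what keeps one noisy minute from launching capacity, and the max_size clamp is the cost guard.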
  52. Agenda (repeated from slide 24; Review of Overall Design and Expanding to the Future)
  53. Future Changes (diagram: User, Amazon Route 53; US-EAST-1 with Public Subnet 10.102.4.0/24, Private Subnet 10.102.1.0/24 and routing subnet 10.102.7.0/24, VPN Instances with ENI-Pub and ENI-Priv, Router Instance ENI-P2P; corporate data center; links 10.255.255.2/30, GRE 10.255.255.5/30 and 10.255.255.6/30). Future changes to the implementation: use of Quagga for routing; enable OSPF; route summarization with corporate; enable failover with OSPF
  54. Thank you!
  55. Remember to complete your evaluations!
