Components of AWS VPC

  • Note
    Route Table:

    In an AWS Virtual Private Cloud, a route table is the set of rules used to determine where network traffic is directed. Each route specifies a destination (an IP address or CIDR range) and a target (where traffic for that destination is sent). The target can be an Internet gateway, a NAT gateway, a virtual private gateway, a VPC peering connection, etc.

    Subnet

    It is a portion of the network that shares a common address prefix. All devices whose addresses have the same prefix are in the same subnet. For example, all devices whose IP address starts with 172.31.1 are part of the same subnet. There are two types of subnets: a private subnet, where resources are not exposed to the outside world, and a public subnet, where resources are exposed to the internet through an Internet Gateway.

    Security Groups:

    Security groups are a set of firewall rules that control the traffic for your instance. The only action a security group rule can express is allow; you cannot create a rule to deny. The destination of a rule is always the instance with which the security group is associated. A single security group can be associated with multiple instances.

    NAT Gateway:

    A Network Address Translation (NAT) gateway is used when higher bandwidth and availability with less administrative effort are required. A NAT gateway always resides in a public subnet of an Availability Zone. The route table of the private subnet is updated so that it sends internet-bound traffic to the NAT gateway. An Elastic IP must be attached to the NAT gateway when it is created. It supports only the TCP, UDP, and ICMP protocols.
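The route table, subnet and NAT gateway notes above describe one mechanism: the most specific matching route decides where a packet goes, and the target of the 0.0.0.0/0 route is what makes a subnet public (Internet gateway) or private (NAT gateway, or no default route at all). The following Python is an added example, not part of the original note; the route tables, the VPC range 172.31.0.0/16 and the gateway ids (`igw-PLACEHOLDER`, `nat-PLACEHOLDER`, `pcx-PLACEHOLDER`) are constructed placeholders, and the functions are hypothetical helpers rather than an AWS API.

```python
import ipaddress

# Constructed sample route tables for a VPC with CIDR 172.31.0.0/16. The "local"
# route is the one AWS adds for the VPC's own range; the gateway ids are placeholders.
PUBLIC_SUBNET_RT = [
    ("172.31.0.0/16", "local"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),      # default route to an Internet gateway
]
PRIVATE_SUBNET_RT = [
    ("172.31.0.0/16", "local"),
    ("10.20.0.0/16", "pcx-PLACEHOLDER"),   # a peered VPC (VPC peering connection)
    ("0.0.0.0/0", "nat-PLACEHOLDER"),      # default route to a NAT gateway in a public subnet
]


def lookup_route(route_table, dst_ip):
    """Return the target for dst_ip: the most specific (longest prefix) matching route wins."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_kind(route_table):
    """Classify a subnet by where its default route (0.0.0.0/0) points."""
    default = next((t for c, t in route_table if ipaddress.ip_network(c).prefixlen == 0), None)
    if default is None:
        return "isolated"   # no default route: no path to the internet at all
    if default.startswith("igw-"):
        return "public"     # reachable from the internet once an instance has a public IP
    return "private"        # outbound only, e.g. through a NAT gateway


def same_subnet(ip_a, ip_b, subnet_cidr):
    """True when both addresses share the subnet's prefix, as in the 172.31.1.x example."""
    net = ipaddress.ip_network(subnet_cidr)
    return ipaddress.ip_address(ip_a) in net and ipaddress.ip_address(ip_b) in net


if __name__ == "__main__":
    for ip in ("172.31.5.9", "10.20.3.4", "8.8.8.8"):
        print(ip, "->", lookup_route(PRIVATE_SUBNET_RT, ip))
    print("public subnet:", subnet_kind(PUBLIC_SUBNET_RT))
    print("private subnet:", subnet_kind(PRIVATE_SUBNET_RT))
```

Running `subnet_kind` over every route table in an account is a cheap drift check: a subnet that was designed as private but now reports "public" has had its default route pointed at an Internet gateway, which is the change that exposes its instances.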

    VPC Peering:

    A VPC peering connection allows you to route traffic between two Virtual Private Clouds using IPv4 or IPv6 private addresses. Instances in either VPC can communicate with each other as if they were within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. A VPC peering connection facilitates the transfer of data between the two VPCs.

    Network Access Control Lists (NACL):

    An optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security group rules in order to add an additional layer of security to your VPC. The default network ACL is configured to allow all traffic to flow in and out of the subnets to which it is associated.

    Virtual Private Gateway:

    A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the VPN connection.

    Customer Gateway:

    An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC (virtual private cloud). A customer gateway is an anchor on your side of that connection. It can be a physical or software appliance.

    Elastic IP:

    It is a static public IP address that never changes; it is reserved within a particular region and can be assigned to any instance in that region. An Elastic IP is reserved for your AWS account and is yours until you release it.

    Network Interface:

    A network interface is a point of connection between a public and a private network. Every instance has a default network interface, called the primary network interface. If you move a network interface from one instance to another, network traffic is automatically redirected to the new instance.

    VPC Endpoints:

    VPC endpoints allow a private connection between your AWS VPC and other AWS services without using the internet. VPC endpoint devices are scaled, redundant, and highly available VPC components. There are two types of AWS Virtual Private Cloud endpoints: interface endpoints and gateway endpoints.
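The security group and network ACL notes above differ in three ways that matter when you troubleshoot or review access: a NACL is ordered (lowest rule number that matches wins, with an implicit final deny), can deny explicitly, and is stateless, so return traffic needs its own rule; a security group is unordered, allow-only, and stateful. The Python below is an added example, not part of the original note, that models both evaluations for one inbound packet. The rule sets, the VPC range 172.31.0.0/16, the admin host 172.31.200.10 and the blocked range 198.51.100.0/24 are constructed, and the functions are hypothetical helpers rather than an AWS API.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One inbound packet as seen by the subnet and the instance (constructed)."""
    src: str            # source IP address
    dst_port: int       # destination port on the instance
    proto: str = "tcp"


# Network ACL rules: (rule number, protocol, source CIDR, (port_from, port_to), action).
# Evaluated in ascending rule-number order; the first match decides; an explicit deny
# is allowed, and an implicit "*" deny sits at the end.
# Constructed sample: block one source range, allow RDP from the VPC's own range, and
# allow the ephemeral port range because a NACL is stateless and must admit the return
# half of connections the instance opened itself.
NACL_INBOUND = [
    (100, "tcp", "198.51.100.0/24", (3389, 3389), "deny"),
    (110, "tcp", "172.31.0.0/16", (3389, 3389), "allow"),
    (120, "tcp", "0.0.0.0/0", (1024, 65535), "allow"),
]

# Security group rules: (protocol, source CIDR, (port_from, port_to)). Allow only, no
# ordering, stateful (return traffic is admitted without an outbound rule).
# Constructed sample: RDP only from one assumed admin host.
SG_INBOUND = [
    ("tcp", "172.31.200.10/32", (3389, 3389)),
]


def _matches(proto, cidr, ports, flow):
    lo, hi = ports
    return (proto == flow.proto
            and lo <= flow.dst_port <= hi
            and ipaddress.ip_address(flow.src) in ipaddress.ip_network(cidr))


def nacl_decision(rules, flow):
    """First rule (by number) that matches decides; no match means the '*' deny."""
    for _num, proto, cidr, ports, action in sorted(rules, key=lambda r: r[0]):
        if _matches(proto, cidr, ports, flow):
            return action
    return "deny"


def sg_decision(rules, flow):
    """Any matching rule allows; a security group cannot express a deny."""
    return "allow" if any(_matches(p, c, ports, flow) for p, c, ports in rules) else "deny"


def instance_reachable(flow, nacl=NACL_INBOUND, sg=SG_INBOUND):
    """An inbound packet must pass the subnet's NACL and then the instance's security group."""
    return nacl_decision(nacl, flow) == "allow" and sg_decision(sg, flow) == "allow"


if __name__ == "__main__":
    for f in (Flow("172.31.200.10", 3389), Flow("172.31.200.10", 22),
              Flow("198.51.100.7", 3389), Flow("203.0.113.5", 3389)):
        print(f, "NACL:", nacl_decision(NACL_INBOUND, f),
              "SG:", sg_decision(SG_INBOUND, f), "reachable:", instance_reachable(f))
```

Two things the sample rules make visible: the ephemeral-port rule 120 also covers 3389, so the NACL on its own does not keep RDP out of the subnet and the security group is what actually restricts it; and renumbering the deny from 100 to 130 would move it below rule 120 and silently stop it from matching, which is why NACL reviews should read rules in number order rather than as a set.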

  • Setup
    1. Create VPC
    2. Create Subnet
    3. Create EC2
    4. Create client certificate
    5. Upload certificates
    6. Client VPN endpoints
    7. Download and set up client configuration
    8. Set up AWS client VPN tool
    9. Connect to server using RDP

    1. Create VPC

    1. go to the AWS VPC console

    2. create a new VPC

    3. give an IPv4 CIDR range. To check the IP range: https://www.ipaddressguide.com/cidr

    2. Create Subnet

    3. Create EC2

    1. select the private VPC in the VPC select box

    2. select the private subnet in the subnet select box

    3. Public IP is disabled because the instance uses an address from the subnet's private IP range

    4. Create client certificate

    1. download 'EasyRSA' from https://github.com/OpenVPN/easy-rsa/releases

    2. navigate to the easy-rsa folder (the downloaded folder)

    3. Commands for EasyRSA to create the server and client certificates and keys:

        .\EasyRSA-Start.bat                                       # opens the EasyRSA shell on Windows
        ./easyrsa init-pki                                        # create an empty PKI directory
        ./easyrsa build-ca nopass                                 # create the CA certificate and key
        ./easyrsa build-server-full server nopass                 # server certificate and key, signed by the CA
        ./easyrsa build-client-full client1.domain.tld nopass     # client certificate and key, signed by the CA
        exit
        # 'nopass' stores each private key unencrypted on disk

    output files

        1. ca.crt
        2. client1.domain.tld.crt
        3. client1.domain.tld.key
        4. server.crt
        5. server.key

    5. upload certificates

    Step 1. Import the server certificate

    1. goto AWS certificate manager

    2. select 'import certificate' from the left menu

    3. copy the 'ca.crt' content to 'certificate chain'

    4. copy the 'server.crt' content to 'certificate body'

    5. copy the 'server.key' content to 'certificate private key'

    Step 2. Import the client certificate

    1. goto AWS certificate manager

    2. select 'import certificate' from the left menu

    3. copy the 'ca.crt' content to 'certificate chain'

    4. copy the 'client1.domain.tld.crt' content to 'certificate body'

    5. copy the 'client1.domain.tld.key' content to 'certificate private key'

    output

    there will be 2 certificates

    6. Client VPN endpoints

    1. Create endpoint

    1. goto VPC section

    2. select 'Client VPN endpoints' under 'Virtual Private Network'

    3. add the client 'IPv4 CIDR', 'Server certificate', and 'Client certificate'

    4. add VPC ID and security group

    2. Add Target Network Association

    3. add an Authorization rule

    Output

    7. Download and setup Client configuration

    1. download from endpoint list

    2. open the downloaded file

    3. add two parameters, <cert></cert> and <key></key>, to the downloaded file

    4. open 'client1.domain.tld.crt' and paste the content into the <cert> part

    5. open 'client1.domain.tld.key' and paste the content into the <key> part
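Steps 3 to 5 of this section can be done by a small script instead of by hand, which also avoids the two mistakes people make here: pasting the whole EasyRSA .crt file (it starts with a human-readable dump before the PEM block; only the PEM block belongs in the profile) and leaving a profile that now contains a private key readable by everyone. The Python below is an added example, not part of the original note and not an AWS or OpenVPN tool. The sample profile, certificate and key are constructed stand-ins for the downloaded configuration and the EasyRSA output files; the endpoint name `cvpn-endpoint-PLACEHOLDER...` is a placeholder.

```python
import os
import re

# Constructed sample of the profile downloaded from the Client VPN endpoint list
# (a real one carries the endpoint's DNS name and further directives).
SAMPLE_PROFILE = """client
dev tun
proto udp
remote cvpn-endpoint-PLACEHOLDER.prod.clientvpn.us-east-1.amazonaws.com 443
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0EgQk9EWQ==
-----END CERTIFICATE-----
</ca>
"""

# Constructed stand-ins for client1.domain.tld.crt and client1.domain.tld.key.
# EasyRSA's .crt starts with a text dump of the certificate before the PEM block.
SAMPLE_CRT = """Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0xJRU5UIENFUlQ=
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgQ0xJRU5UIEtFWQ==
-----END PRIVATE KEY-----
"""

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(
    r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z]+ )?PRIVATE KEY-----", re.S)


def extract_pem(text, pattern, what):
    """Return only the PEM block from a file's text, or fail loudly if there is none."""
    m = pattern.search(text)
    if m is None:
        raise ValueError(f"no PEM {what} block found")
    return m.group(0)


def inline_credentials(profile, crt_text, key_text):
    """Append the <cert> and <key> blocks (the two parameters from step 3) to the profile."""
    if "<cert>" in profile or "<key>" in profile:
        raise ValueError("profile already carries inline credentials")
    cert = extract_pem(crt_text, CERT_RE, "certificate")
    key = extract_pem(key_text, KEY_RE, "private key")
    return profile.rstrip("\n") + f"\n<cert>\n{cert}\n</cert>\n<key>\n{key}\n</key>\n"


def write_profile(path, content):
    """Write the merged profile readable by the owner only: it now contains a private key.
    (The 0o600 mode is enforced on POSIX systems; on Windows use the file's ACL instead.)"""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    print(inline_credentials(SAMPLE_PROFILE, SAMPLE_CRT, SAMPLE_KEY))
```

With the real files, read the downloaded configuration, `client1.domain.tld.crt` and `client1.domain.tld.key` from disk, pass their text to `inline_credentials`, and hand the result to `write_profile`; the merged file is then the one to browse to in step 8, and it should be treated with the same care as the .key file itself.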

    8. Setup AWS client VPN tool

    1. download the tool from https://aws.amazon.com/vpn/client-vpn-download/

    2. install the tool

    3. add profile

    4. browse the downloaded client configuration file

    5. Connect

    Output

    9. Connect to server using RDP

    1. Open Windows RDP

    2. Add Private IP of EC2

    To get the password to connect via RDP:

    1. go to EC2

    2. click on the 'connect' button

    3. select the 'RDP client' tab

    4. click on the 'get password' text

    5. upload the private .pem key of the EC2 instance

    References

    https://www.youtube.com/watch?v=36qsohuPzMQ&list=PL7iMyoQPMtAN4xl6oWzafqJebfay7K8KP&index=12
    https://www.youtube.com/watch?v=36qsohuPzMQ
    https://www.youtube.com/watch?v=FHRXXrQ765M
    https://www.youtube.com/watch?v=GV4KreiF_D4&t=11s
    https://www.youtube.com/watch?v=ydxEeVAqVdo
    https://www.youtube.com/watch?v=tXgOSt80Mtg

    Role and EC2

    https://www.youtube.com/watch?v=X8lv_I7xm6c
    https://vipulvyas.medium.com/mastering-aws-iam-a-comprehensive-guide-to-assuming-roles-c79d8e381dc6
    https://theithollow.com/2018/04/30/manage-multiple-aws-accounts-with-role-switching/