AWS EC2 with full isolation

Before You Start

Overview

Several EC2 servers exist in one VPC. All of them need to be isolated from the Internet but remain reachable from each other, and at the same time they must be manageable and accessible from the internal network. The current network structure is shown on the screen.

To reach this goal we will install Acreto vGateway on a new EC2 instance running Ubuntu. The vGateway, with two network interfaces in two separate subnets, will act as the router for the isolated servers. All network traffic will be blocked by Acreto; only connections from the Acreto Ecosystem will be allowed.

Prerequisites

To complete this procedure the following elements are required:

  1. AWS account
  2. Wedge account with at least one working Ecosystem
  3. Knowledge about routing and subnets

How to

The procedure consists of the following steps:

  1. Create and configure VPC
  2. Create and configure EC2 instances
  3. Create and configure vGateway in Wedge
  4. Install vGateway on EC2
  5. Change VPC Routing

If you already have an infrastructure on AWS you may move straight to Create and configure vGateway in Wedge.

Create and configure VPC

Create and configure the AWS VPC.

  1. Log in to AWS Console
  2. Click on Services menu (1) and search for VPC option (2)
  3. Click on Launch VPC Wizard to create a new VPC
  4. At the first step of the wizard choose VPC with a Single Public subnet option.
  5. At the second step of the wizard fill the form with:
    1. VPC Name - with Full isolation or another descriptive name.
    2. Public subnet’s IPv4 CIDR - with 10.0.0.0/16.
  6. Click on the Create VPC button to finish creation.
  7. The newly created VPC has only the Public subnet. To isolate virtual machines from the Internet we need two separate subnets: the Public subnet (with Internet access) and the Private subnet (isolated from the Internet).
  8. From the left menu choose the Subnets option and check if Public subnet exists.
  9. Click on the Create subnet button and fill the creation form:
    1. On the VPC select previously created VPC.
    2. Create the private subnet:
      1. On the Subnet name field, set Private subnet.
      2. On the IPv4 CIDR block set 10.0.1.0/24.
  10. Click on the Create subnet button.
  11. Newly created subnets should be visible on the list.

As a result of this part we have two separate subnets inside one VPC.
When the subnets are ready we can start creating EC2 instances inside them.

Create and configure EC2 instances

As a proof of concept we will create 2 instances:

  • vGateway-full-isolation - that will serve as a gateway between a private network and Acreto Ecosystem,
  • Server-01-full-isolation, which will act as the resource we will connect to Acreto Ecosystem.

Both EC2 instances will be created through the wizard, but one will be in the Private subnet only and the second one in both the Public and Private subnets at the same time.

Create EC2 Instances

  1. Use the Services (1) menu button to search for EC2 option (2)
  2. From the left menu of this console choose Instances position.
  3. Click on the Launch instances button in the top right corner to start EC2 creation Wizard.
  4. Use the wizard to create the first EC2 in previously created VPC:
    1. At the first step of the wizard select the Ubuntu Server 20.04 LTS.
    2. At the second step of the wizard choose instance type - for this purpose, it can be Free tier with 1 CPU and 1 GB of RAM.
    3. At the third step of the wizard:
      1. Choose previously created VPC in the Network field (1) and choose the Private subnet (2).
      2. Make sure that the Auto-assign Public IP option is disabled - instances will not get public IP addresses and they will be available only through VPC addresses.
    4. Go through the rest of the steps and configure EC2 for your purposes.
  5. Go back to the EC2 console to check that the created instance is on the list. It will probably have no name, so it is a good idea to name it now: Server-01-full-isolation.
  6. Repeat the creation process, but this time create EC2:
    1. In the same VPC (1),
    2. Public subnet (2) - because it needs to be available from the Internet,
    3. Auto-assign Public IP (3) - set to enable so that it gets a Public IP address.
    4. Launch the instance.
  7. Go back to the EC2 console and name the newly created instance vGateway-full-isolation.
  8. On the list of EC2 instances you should now have two instances: Server-01-full-isolation and vGateway-full-isolation. Only one of them will have a Public IP address.
  9. Note the Instance ID of EC2 that has an external IP address.

At the end of this step you should have two running instances. The vGateway-full-isolation instance should have only a Public IP address; the second network interface will be added in the next steps.

Configure the EC2 instances

In this step we will configure previously created instances to work with Acreto.

The procedure consists of the following steps:

  1. Configure the Security Groups
  2. Disable source/destination check
  3. Add a second network interface to vGateway instance

Configure the Security Groups

By default AWS creates a very strict Security Group that allows only SSH connections; it needs to be changed to allow the other types of traffic. The settings below are only for PoC purposes; in a real deployment configure the Security Groups as restrictively as possible.

  1. Go to EC2 dashboard and click on the ID of vGateway instance.
  2. Move to the Security tab (1).
  3. Click on the name of Security group (2) to edit traffic rules.
  4. Allow any type of network connection from anywhere to this EC2. Once you install the vGateway you will control those rules from Acreto Wedge.
  5. Repeat this operation for Server-01-full-isolation if it needs any communication other than SSH.

Disable source/destination check

  1. Go back to the EC2 Dashboard and select the vGateway EC2 (1); from the top-right menu choose Actions (2) > Networking (3) > Change source/destination check (4).
  2. Verify that source/destination checking is stopped. Otherwise choose Stop.

Add a second network interface to vGateway instance

The vGateway instance needs to be available from both subnets, which means that it needs two network interfaces. We will use the Network Interfaces option to add an additional IP address from the Private subnet to the instance.

  1. Go to EC2 dashboard.
  2. From the left menu choose the Network & Security > Network Interfaces option then click on the Create network interface.
  3. Fill the form by adding a descriptive name (1), choosing the Private subnet (2) and the same Security group that is used by isolated EC2 Instances.
  4. Click on Create New Interface Button.
  5. Choose a newly created interface from the list.
  6. From top right Actions menu choose Attach option.
  7. From the list of available instances choose the vGateway-full-isolation EC2 and click on the Attach button.
  8. Go back to the EC2 details screen; there should now be two IP addresses from two different subnets, and in the Networking tab two network interfaces. Note the IP of the second interface, in this case 10.0.1.112.
  9. Log in to the instance through SSH and run ip a to check that two interfaces are available. eth0 should be present and up, and eth1 present but not configured.
  10. Configure the second interface (eth1) to use the IP address from the Private subnet (10.0.1.112) by creating a new file in /etc/netplan/ with the proper configuration. Remember to replace the IP address with the IP of your second interface from the Private subnet.
sudo su
# write the netplan file for eth1 into /etc/netplan/ (replace 10.0.1.112 with your Private subnet IP)
cat > /etc/netplan/51-eth1.yaml <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    eth1:
      addresses:
        - 10.0.1.112/24
EOF
  11. Try the new network configuration with sudo netplan try and apply it with sudo netplan apply.
  12. Run ip a again; you should now have two working interfaces.

From now on the vGateway-full-isolation instance has two working network interfaces and is reachable from both the Public and Private subnets. It is now ready for the Acreto vGateway installation.

Create and configure Ecosystem and vGateway in Wedge

To reach our goal we need three things to be configured in the Ecosystem:

  1. Add the Gateway - configure the gateway that will be installed on EC2.
  2. Create Policy - configure the policy to allow control traffic from/to Gateway.
  3. Create Thing - configure the access point for a device like a computer so that it can connect to the EC2 after the Gateway is installed.

How to

  1. Log in to an Acreto platform at wedge.acreto.net
  2. Select your Ecosystem and use the left menu to go to Objects (1) > Gateways (2) > + Add New Gateway (3).
  3. Fill at least:
    1. Name: - the name of the gateway you are creating; it needs to be compatible with strongSwan connection name requirements (basically only letters and numbers).
    2. vGateway: - choose the IPsec type.
    3. Category: - set IoT.
    4. Allow Connection From: - set IP address range for Private subnet 10.0.1.0/24.
    5. Local Networks: - set the network address and mask of the VPC - in this case 10.0.0.0/16.
  4. Click on the Add button to save the created Gateway.
  5. Add a security policy that will allow the newly created Gateway to communicate with the Internet. You may want to create an Allow all policy.
  6. Create at least one Thing - this will allow you to connect your computer to the Ecosystem you created. This step is required, because after the installation of vGateway on EC2 it will be reachable only from the Ecosystem.
  7. Commit pending changes using the button in the top right corner of the screen.
  8. Connect your device using Acreto Connect Client.
  9. Go back to the Gateway dashboard and click on the name of the newly created Gateway to open the details screen.
  10. On the details screen click on the Play button to generate a configuration file for your vGateway.
  11. When the configuration is ready, a button to copy the link to the file will appear - click on it. The URL of the config file will be needed in the next steps.

At this point, all elements of the Ecosystem have been set. It’s time to move to the next step and install vGateway on EC2.

Install vGateway on EC2

In this step the vGateway is finally installed on the vGateway-full-isolation instance.

  1. Log in to the vGateway-full-isolation EC2 instance through SSH.
  2. Install the vGateway using the Acreto auto-installation script and the link to the config file from Wedge:
curl -fsSL https://kb.acreto.net/reference-material/downloads/acreto-ipsec.sh | sudo bash -s -- [URL_to_strongswan_config]

where [URL_to_strongswan_config] is the URL copied in the previous step.

  3. Execute the command to install vGateway with the configuration.
  4. Wait for the confirmation that the connection is established.
  5. It is possible that your SSH session will end when the installation finishes. To reconnect you need to use the internal IP address from the Public subnet, e.g. 10.0.0.226. From now on this EC2 is available only from the Acreto Ecosystem, so your computer also needs to be connected to it - check how to connect a computer to the Ecosystem.
  6. Use tracepath 8.8.8.8 to check whether the connection goes through Acreto 100.65.0.30 - if it does, vGateway works and the Internet route goes through the Acreto Ecosystem.

Change VPC Routing

  1. Go back to the AWS VPC console
  2. Choose Route Tables in the left menu, then select the route table for your VPC.
  3. Click on Edit routes and add a new rule:
    1. Destination: the address range of the Private subnet
    2. Target: choose the network interface of the EC2 with vGateway installed, e.g. eni-0db11f683c0e232b1
  4. Save the routing table.
  5. Connect to the EC2 with vGateway through SSH.
  6. Jump to one of the other EC2 instances using the same key (they are unavailable from the Internet and have no public IPv4, so you need to connect using the internal IP).
  7. Use tracepath 8.8.8.8 to check whether the connection goes through Acreto 100.65.0.30.
  8. Done.
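The tracepath check in step 6 of the installation and step 7 above can be scripted so that it is repeatable after any route table or Security Group change. The script below is an added example, not part of the Acreto KB or the installer; it parses the output of tracepath -n and confirms that the Acreto hop (100.65.0.30 on this page) is among the first hops. It assumes iputils tracepath is installed on the instance; the sample output embedded for the offline self-test is constructed.

```shell
# Added example (not from the Acreto page): verify that Internet-bound traffic
# from an instance leaves through the Acreto vGateway, as the manual
# "tracepath 8.8.8.8" steps do. Assumes iputils tracepath is installed.

ACRETO_HOP="${ACRETO_HOP:-100.65.0.30}"   # Acreto hop named on the page
PROBE_TARGET="${PROBE_TARGET:-8.8.8.8}"   # probe target named on the page

# Constructed sample of `tracepath -n` output from a Private subnet EC2:
# first hop is the vGateway's private IP, second hop is Acreto.
SAMPLE_TRACEPATH=' 1?: [LOCALHOST]                      pmtu 9001
 1:  10.0.1.112                                            0.329ms
 1:  10.0.1.112                                            0.259ms
 2:  100.65.0.30                                          12.104ms
 3:  no reply
 4:  8.8.8.8                                              13.412ms reached'

# Read tracepath output on stdin and print one address per hop, in order,
# skipping the [LOCALHOST] line, "no reply" hops and repeated hop lines.
hops_from_tracepath() {
    awk '$1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9.]+$/ && $2 != prev { print $2; prev = $2 }'
}

# Succeed if address $1 is among the first $2 hops (default 3) of the
# tracepath output on stdin. -F keeps the dots in the address literal.
route_goes_via() {
    hops_from_tracepath | head -n "${2:-3}" | grep -qxF "$1"
}

# Live check on the instance: run tracepath and look for the Acreto hop.
check_isolation() {
    if tracepath -n "$PROBE_TARGET" | route_goes_via "$ACRETO_HOP"; then
        echo "OK: traffic to $PROBE_TARGET leaves through Acreto ($ACRETO_HOP)"
    else
        echo "FAIL: $ACRETO_HOP is not among the first hops to $PROBE_TARGET;" \
             "check the route table entry and the source/destination check" >&2
        return 1
    fi
}

# Offline self-test on the constructed sample: the Acreto hop must be found
# and an address that is not on the path must be rejected.
check_sample() {
    printf '%s\n' "$SAMPLE_TRACEPATH" | route_goes_via "$ACRETO_HOP" || return 1
    if printf '%s\n' "$SAMPLE_TRACEPATH" | route_goes_via 10.0.0.1; then return 1; fi
    return 0
}
```

Source the file on the instance and run check_isolation; a non-zero exit means the route table or source/destination check still sends traffic past the vGateway.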

From now on all traffic from/to the EC2 instances in the Private subnet goes through Acreto. It is completely secured and available only to users with a properly configured Acreto Connect Client or from a designated location like a branch office.

Summary

Thanks to Acreto and AWS VPC you can isolate your virtual servers from the Internet and leave only one secured gateway. A vGateway installed on a Free Tier EC2 is a powerful and elastic solution to secure and control traffic to and from the Internet.
