===== VPC Inbound Routing Single Interface =====

This deployment allows the use of a VyOS instance to control access to an Apache instance via VPC inbound routing. With this deployment you can still use the public IP or EIP to access the Apache instance.

I also have a [[aws:vpc-inbound-routing-multiple-interface|multiple interface]] version of this available. I am also working on creating a CloudFormation template that will deploy this.

{{tag>AWS Routing VyOS}}

==== Requirements ====

You will need access to an AWS account that grants you permissions to create and modify the following:

  * VPC
  * Subnets
  * Route tables
  * Internet Gateway
  * Security Group
  * Instances from community AMIs or AWS Marketplace

==== Deployment Rundown ====

  - Create VPC
  - Create two subnets and configure to auto assign public IPs
  - Create three route tables
  - Create IGW
  - Associate public subnet with outbound public route table
  - Associate filtered public subnet with filtered public route table
  - Associate VPC edge with inbound IGW route table
  - Add 0.0.0.0/0 route to outbound public route table pointing to IGW
  - Configure Security Group to allow inbound traffic from Apache instance (or filtered public subnet) and management IPs
  - Launch VyOS instance in public subnet and associate security group (EIP can be used if desired)
  - Disable Source / Destination check on VyOS instance
  - Add 10.0.1.0/24 route to inbound IGW route table pointing to VyOS instance
  - Add 0.0.0.0/0 route to filtered public route table pointing to VyOS instance
  - Launch test instance in filtered public subnet, associate security group, and verify connectivity (EIP can be used if desired)
  - Access VyOS instance and create firewall rule to test limiting access to test instance

==== Known Issues / Limitations ====

Below is a list of known issues and limitations with this implementation.
  * This works for me and has only been tested in my environment
  * Minimal error checking is being used
  * Installation, deployment, and configuration are done manually
  * Only a single availability zone is used, but this can be easily expanded to multiple AZs
  * No automated failover / recovery has been designed

==== Diagram ====

{{ :images:svg:vpc_inbound_routing_single_interface.svg?1000 | VPC Inbound Routing VPC Single Interface }}
[[ https://nerdydrunk.info/_media/images:svg:vpc_inbound_routing_single_interface.svg | Download diagram ]]

{{ :images:svg:vpc_inbound_routing_key.svg | VPC Inbound Routing Key }}
[[ https://nerdydrunk.info/_media/images:svg:vpc_inbound_routing_key.svg | Download diagram ]]
\\

==== Security Group Configuration ====

In this deployment a single security group was used. The security group was self-referencing and allowed all traffic between members of the security group, plus a few other ports for management and testing.

^ Direction ^ Protocol ^ Port ^ Source / Destination ^
| Inbound  | Any | *   | Security Group |
| Inbound  | TCP | 22  | Management IP  |
| Inbound  | TCP | 80  | Management IP  |
| Inbound  | TCP | 443 | Management IP  |
| Outbound | Any | *   | 0.0.0.0/0      |

==== VyOS Configuration ====

The following configuration was used for testing that inbound traffic to the Apache server was passing through the VyOS instance. Rule 100 drops HTTP (TCP/80) from the single test source 50.60.70.80/32 to the filtered subnet 10.0.1.0/24; with the default action set to accept, all other traffic is forwarded, so this verifies the traffic path rather than hardening the Apache instance.

<code>
configure
set firewall name to_filtered default-action 'accept'
set firewall name to_filtered rule 100 action 'drop'
set firewall name to_filtered rule 100 destination address '10.0.1.0/24'
set firewall name to_filtered rule 100 destination port '80'
set firewall name to_filtered rule 100 protocol 'tcp'
set firewall name to_filtered rule 100 source address '50.60.70.80/32'
set interfaces ethernet eth0 firewall in name 'to_filtered'
commit
save
</code>

==== CloudFormation Template ====

The following CloudFormation template can be used to deploy a VPC inbound routing test environment in US-East-1 or US-East-2.
Other regions will work if the template is modified to include the mapping for the VyOS free community edition AMI. The template will configure the VyOS instance to block HTTP traffic to the filtered public subnet and enable outbound NAT for a private subnet that is also created. There are also options to deploy test HTTP servers in either or both of the filtered public subnet and the private subnet.

https://files.nerdydrunk.info/cloudformation-templates/cfn-template-vpc-inbound-routing-vyos-single-az.yaml

{{ :images:svg:vpc_inbound_routing_single_interface_and_az.svg?1000 | VPC Inbound Routing VPC Single Interface and Availability Zone }}
[[ https://nerdydrunk.info/_media/images:svg:vpc_inbound_routing_single_interface_and_az.svg | Download diagram ]]

{{ :images:svg:vpc_inbound_routing_key.svg | VPC Inbound Routing Key }}
[[ https://nerdydrunk.info/_media/images:svg:vpc_inbound_routing_key.svg | Download diagram ]]
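The route tables from the Deployment Rundown and the VyOS rule set above fit together in a way that is easy to get wrong: the inbound IGW route table must carry a route for the filtered subnet that is more specific than the implicit VPC local route, and the filtered subnet's default route must point back at the VyOS instance so that both directions of a flow cross the firewall. The following Python model is an added example (not code from this page, VyOS or AWS) that reproduces those three route tables, the edge and subnet associations, and the `to_filtered` rule, then traces packets hop by hop. The VPC range 10.0.0.0/16, the public subnet 10.0.0.0/24, the instance addresses 10.0.0.10 and 10.0.1.10, the client address 198.51.100.7 and the ENI name are constructed for the example; destinations are given as private addresses because the IGW has already translated the public IP or EIP by the time a route table is consulted.

```python
"""Model of the VPC inbound-routing design described on this page.

Added example, not code from the page, VyOS or AWS. The VPC range, the public
subnet, the instance addresses and the ENI name are constructed; the
10.0.1.0/24 filtered subnet, the 50.60.70.80/32 test source and the TCP/80
drop rule come from the page's VyOS configuration.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")           # assumed VPC range
PUBLIC_SUBNET = ipaddress.ip_network("10.0.0.0/24")      # assumed; holds VyOS
FILTERED_SUBNET = ipaddress.ip_network("10.0.1.0/24")    # from the page; holds Apache
VYOS_IP = ipaddress.ip_address("10.0.0.10")              # constructed
APACHE_IP = ipaddress.ip_address("10.0.1.10")            # constructed
VYOS_ENI = "eni-vyos-placeholder"                        # placeholder, not a real ENI id
BLOCKED_SOURCE = ipaddress.ip_network("50.60.70.80/32")  # from the page's rule 100


class RouteTable:
    """A VPC route table: longest-prefix match, plus the implicit local route."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(VPC_CIDR, "local")]
        self.routes += [(ipaddress.ip_network(p), t) for p, t in routes]

    def lookup(self, dst):
        best = None
        for prefix, target in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, target)
        return best[1] if best else None


# The three route tables from the deployment rundown.
OUTBOUND_PUBLIC = RouteTable("outbound-public", [("0.0.0.0/0", "igw")])
FILTERED_PUBLIC = RouteTable("filtered-public", [("0.0.0.0/0", VYOS_ENI)])
INBOUND_IGW = RouteTable("inbound-igw", [(str(FILTERED_SUBNET), VYOS_ENI)])

# Route table associations: the IGW edge association plus the two subnets.
ASSOCIATIONS = {
    "igw": INBOUND_IGW,
    PUBLIC_SUBNET: OUTBOUND_PUBLIC,
    FILTERED_SUBNET: FILTERED_PUBLIC,
}


def subnet_of(ip):
    """Return the subnet an in-VPC address belongs to (KeyError if none)."""
    for key in ASSOCIATIONS:
        if key != "igw" and ip in key:
            return key
    raise KeyError(f"{ip} is inside no known subnet")


def vyos_allows(src, dst, proto, dport):
    """The page's `to_filtered` rule set: rule 100 drops TCP/80 from
    50.60.70.80/32 to 10.0.1.0/24; everything else hits default-action accept."""
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    rule_100 = (proto == "tcp" and dport == 80
                and dst in FILTERED_SUBNET and src in BLOCKED_SOURCE)
    return not rule_100


def trace(src, dst, proto="tcp", dport=80):
    """Follow one packet hop by hop.

    Returns a list of "table->target" strings, ending in "vyos:drop" if the
    firewall discards it. The table consulted is the one associated with the
    point the packet is emitted from (the IGW edge for Internet sources, the
    sender's subnet otherwise). When VyOS forwards a packet it is re-emitted
    from VyOS's own subnet with the original source address intact.
    """
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    where = "igw" if src not in VPC_CIDR else subnet_of(src)
    hops = []
    for _ in range(4):  # guard against a misconfigured routing loop
        table = ASSOCIATIONS[where]
        target = table.lookup(dst)
        hops.append(f"{table.name}->{target}")
        if target != VYOS_ENI:
            return hops
        if not vyos_allows(src, dst, proto, dport):
            hops.append("vyos:drop")
            return hops
        where = subnet_of(VYOS_IP)
    raise RuntimeError(f"routing loop: {hops}")


if __name__ == "__main__":
    # Constructed flows: an Internet client (TEST-NET-2), the blocked test
    # source, Apache's reply path, and a client reaching the VyOS EIP directly.
    for s, d in [("198.51.100.7", APACHE_IP), ("50.60.70.80", APACHE_IP),
                 (APACHE_IP, "198.51.100.7"), ("198.51.100.7", VYOS_IP)]:
        print(f"{s} -> {d}: {trace(s, d)}")
```

Two things the trace makes visible: traffic to the VyOS instance's own address matches only the local route in the inbound IGW table, so the public subnet is reachable directly and the EIP keeps working, and a reply from Apache leaves via the filtered-public default route back through VyOS, which is what lets the single-interface firewall see both halves of each connection. Drop the 10.0.1.0/24 entry from `INBOUND_IGW` and the first hop becomes `local`, bypassing the firewall entirely.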