
VPC Inbound Routing Multiple Interface

This deployment allows the use of a VyOS instance to control access to an Apache instance via VPC inbound routing. With this deployment you can still use the public IP or EIP to access the Apache instance. I also have a single-interface version of this available.

Requirements

You will need access to an AWS account that grants you permissions to create and modify the following:

  • VPC
  • Subnets
  • Route tables
  • Internet Gateway
  • Security Group
  • Instances from community AMIs or AWS Marketplace
  • Elastic Network Interfaces
  • Elastic IPs

Deployment Rundown

  1. Create VPC
  2. Create three subnets and configure the two public subnets to auto assign public IPs
  3. Create four route tables
  4. Create IGW
  5. Associate public subnet with outbound public route table
  6. Associate filtered public subnet with filtered public route table
  7. Associate private subnet with private route table
  8. Associate VPC edge with inbound IGW route table
  9. Add 0.0.0.0/0 route to outbound public route table pointing to IGW
  10. Configure Security Group to allow inbound traffic from Apache instance (or filtered public subnet) and management IPs
  11. Launch VyOS instance (must support three NICs) in public subnet, associate security group, create and associate EIP
  12. Disable Source / Destination check on VyOS instance
  13. Add 10.0.1.0/24 route to inbound IGW route table pointing to VyOS instance
  14. SSH to VyOS instance and add default route / gateway as a static route (instead of relying on DHCP, this is CRITICAL)
  15. Stop VyOS instance and create and attach two ENIs, one for filtered public subnet and one for private subnet
  16. Disable Source / Destination check on both ENIs
  17. Start VyOS instance and configure DHCP on new interfaces (eth1 and eth2)
  18. Configure NAT on VyOS instance for private subnet egressing public subnet interface (eth0)
  19. Add 0.0.0.0/0 route to filtered public route table pointing to VyOS instance filtered interface (eth1)
  20. Add 0.0.0.0/0 route to private subnet route table pointing to VyOS instance private interface (eth2)
  21. Launch Apache instance in filtered public subnet, associate security group, and verify connectivity (EIP can be used if desired)
  22. Update Security Group to allow inbound traffic from test instance (or private subnet).
  23. Launch test instance in private subnet, associate security group, and verify connectivity via test instance in filtered public subnet
  24. Access VyOS instance and create firewall rule to test limiting access to test instance
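
The steps above depend on a handful of AWS-side settings that are easy to miss (steps 12, 13, 16, 19 and 20). The following checker is an added example, not part of the original page: it takes data in the shape of `aws ec2 describe-route-tables` and `describe-network-interfaces` output and reports any of those settings that would let traffic bypass the VyOS instance or be dropped by it. All IDs in the sample are hypothetical placeholders; the sample deliberately contains two mistakes so the checker has something to find.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` / `describe-network-interfaces` output; IDs are hypothetical.
VYOS_ENI = {"eth0": "eni-0aaa", "eth1": "eni-0bbb", "eth2": "eni-0ccc"}  # VyOS NICs by subnet role
IGW_ID, FILTERED_SUBNET, PRIVATE_SUBNET = "igw-0123", "subnet-filtered", "subnet-private"

SAMPLE = {
    "RouteTables": [
        {"RouteTableId": "rtb-inbound",
         "Associations": [{"GatewayId": IGW_ID}],  # VPC edge association (step 8)
         "Routes": [{"DestinationCidrBlock": "10.0.1.0/24", "NetworkInterfaceId": VYOS_ENI["eth0"]}]},
        {"RouteTableId": "rtb-filtered",
         "Associations": [{"SubnetId": FILTERED_SUBNET}],
         "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": VYOS_ENI["eth1"]}]},
        {"RouteTableId": "rtb-private",
         "Associations": [{"SubnetId": PRIVATE_SUBNET}],
         "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID}]},  # wrong: bypasses VyOS
    ],
    "NetworkInterfaces": [
        {"NetworkInterfaceId": VYOS_ENI["eth0"], "SourceDestCheck": False},
        {"NetworkInterfaceId": VYOS_ENI["eth1"], "SourceDestCheck": False},
        {"NetworkInterfaceId": VYOS_ENI["eth2"], "SourceDestCheck": True},  # step 16 skipped
    ],
}

def _target(route):  # route target as AWS reports it: an ENI, an instance, or a gateway
    return route.get("NetworkInterfaceId") or route.get("InstanceId") or route.get("GatewayId")

def _table_for(tables, key, value):
    """Find the route table whose association has key == value (SubnetId or GatewayId)."""
    return next((rt for rt in tables if any(a.get(key) == value for a in rt.get("Associations", []))), None)

def _has_route(rt, cidr, target):
    return rt is not None and any(r.get("DestinationCidrBlock") == cidr and _target(r) == target
                                  for r in rt.get("Routes", []))

def check_inbound_routing(desc, vyos_eni, igw_id, filtered_subnet, private_subnet, filtered_cidr="10.0.1.0/24"):
    """Return findings for steps 12-20; an empty list means the subnets are only reachable through VyOS."""
    findings, tables = [], desc["RouteTables"]
    # Step 13: the IGW edge route table must steer the filtered subnet's CIDR into the VyOS public NIC
    if not _has_route(_table_for(tables, "GatewayId", igw_id), filtered_cidr, vyos_eni["eth0"]):
        findings.append(f"edge route table lacks {filtered_cidr} -> {vyos_eni['eth0']}")
    # Steps 19/20: each downstream subnet defaults to the VyOS NIC that sits in it
    for subnet, iface in ((filtered_subnet, "eth1"), (private_subnet, "eth2")):
        if not _has_route(_table_for(tables, "SubnetId", subnet), "0.0.0.0/0", vyos_eni[iface]):
            findings.append(f"{subnet} lacks 0.0.0.0/0 -> {vyos_eni[iface]}")
    # Steps 12/16: AWS drops forwarded packets on any ENI that still has source/dest check enabled
    checks = {n["NetworkInterfaceId"]: n.get("SourceDestCheck", True) for n in desc["NetworkInterfaces"]}
    for iface, eni in vyos_eni.items():
        if checks.get(eni, True):
            findings.append(f"SourceDestCheck still enabled on {iface} ({eni})")
    return findings
```

Feed it the real JSON from the two describe calls (with your own IDs) after step 20 and fix anything it reports before launching the Apache instance.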

Diagram

Known Issues / Limitations

Below is a list of known issues and limitations with this implementation.

  • This works for me and has only been tested in my environment
  • Minimal error checking is being used
  • Installation, deployment, and configuration are done manually
  • Only a single availability zone is used, but this can be easily expanded to multiple AZs
  • No automated failover / recovery has been designed

Security Group Configuration

In this deployment a single security group was used. The security group was self referencing and allowed all traffic between members of the security group and a few other ports for management and testing.

Direction   Protocol   Port   Source / Destination
Inbound     Any        *      Security Group
Inbound     TCP        22     Management IP
Inbound     TCP        80     Management IP
Inbound     TCP        443    Management IP
Outbound    Any        *      0.0.0.0/0

VyOS Configuration

The following configuration was used for forcing the default route to use eth0.

configure
set protocols static route 0.0.0.0/0 next-hop 10.0.0.1
commit
save

The following configuration was used for enabling eth1 and eth2 as well as configuring NAT for the private subnet.

configure
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth2 address 'dhcp'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.0.2.0/24'
set nat source rule 100 translation address 'masquerade'
commit
save

The following configuration was used for testing that inbound traffic to the Apache server was passing through the VyOS instance.

configure
set firewall name filtered default-action 'accept'
set firewall name filtered rule 100 action 'drop'
set firewall name filtered rule 100 destination address '10.0.1.0/24'
set firewall name filtered rule 100 destination port '80'
set firewall name filtered rule 100 protocol 'tcp'
set firewall name filtered rule 100 source address '50.60.70.80/24'
set interfaces ethernet eth0 firewall in name 'filtered'
commit
save

The route table should look similar to the following; the static default route via eth0 ([1/0]) has the lowest administrative distance and is the selected route, while the DHCP-learned defaults via eth1 and eth2 ([210/0]) are present but not selected:

vyos@ip-10-0-0-53:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

S   0.0.0.0/0 [210/0] via 10.0.1.1, eth1, 00:24:43
                      via 10.0.2.1, eth2, 00:24:43
S>* 0.0.0.0/0 [1/0] via 10.0.0.1, eth0, 00:28:49
C>* 10.0.0.0/24 is directly connected, eth0, 00:28:49
C>* 10.0.1.0/24 is directly connected, eth1, 00:24:43
C>* 10.0.2.0/24 is directly connected, eth2, 00:28:10
vyos@ip-10-0-0-53:~$
aws/vpc-inbound-routing-multiple-interface.txt · Last modified: 2022/07/21 10:41 by 127.0.0.1