User Tools
Sidebar
Table of Contents
VPC Inbound Routing Single Interface
This deployment allows the use of a VyOS instance to control access to an Apache instance via VPC inbound routing. With this deployment you can still use the public IP or EIP to access the Apache instance. I also have a multiple interface version of this available. I am also working on creating a CloudFormation template that will deploy this.
Requirements
You will need access to an AWS account that grants you permissions to be able to make and modify the following;
- VPC
- Subnets
- Route tables
- Internet Gateway
- Security Group
- Instances from community AMIs or AWS Marketplace
Deployment Rundown
- Create VPC
- Create two subnets and configure to auto assign public IPs
- Create three route tables
- Create IGW
- Associate public subnet with outbound public route table
- Associate filtered public subnet with filtered public route table
- Associate VPC edge with inbound IGW route table
- Add 0.0.0.0/0 route to outbound public route table pointing to IGW
- Configure Security Group to allow inbound traffic from Apache instance (or filtered public subnet) and management IPs
- Launch VyOS instance in public subnet and associate security group (EIP can be used if desired)
- Disable Source / Destination check on VyOS instance
- Add 10.0.1.0/24 route to inbound IGW route table pointing to VyOS instance
- Add 0.0.0.0/0 route to filtered public route table pointing to VyOS instance
- Launch test instance in filtered public subnet, associate security group, and verify connectivity (EIP can be used if desired)
- Access VyOS instance and create firewall rule to test limiting access to test instance
Known Issues / Limitations
Below is a list of known issues and limitations with this implementation.
- This works for me and has only been tested in my environment
- Minimal error checking is being used
- Installation, deployment, and configuration are done manually
- Only a single availability zone is used, but this can be easily expanded to multiple AZs
- No automated failover / recovery and been designed
Diagram
Security Group Configuration
In this deployment a single security group was used. The security group was self referencing and allowed all traffic between members of the security group and a few other ports for management and testing.
| Direction | Protocol | Port | Source / Destination |
|---|---|---|---|
| Inbound | Any | * | Security Group |
| Inbound | TCP | 22 | Management IP |
| Inbound | TCP | 80 | Management IP |
| Inbound | TCP | 443 | Management IP |
| Outbound | Any | * | 0.0.0.0/0 |
VyOS Configuration
The following configuration was used for testing that inbound traffic to the Apache server was passing through the VyOS instance.
configure set firewall name to_filtered default-action 'accept' set firewall name to_filtered rule 100 action 'drop' set firewall name to_filtered rule 100 destination address '10.0.1.0/24' set firewall name to_filtered rule 100 destination port '80' set firewall name to_filtered rule 100 protocol 'tcp' set firewall name to_filtered rule 100 source address '50.60.70.80/32' set interfaces ethernet eth0 firewall in name 'to_filtered' commit save
CloudFormation Template
The following CloudFormation template can be used to deploy a VPC inbound routing test environment in US-East-1 or US-East-2. Other regions will work if the template is modified to include the mapping for the VyOS free community edition AMI. The template will configure the VyOS instance to block HTTP traffic to the filtered public subnet and enable outbound NAT for a private subnet that is also created. There are also options to deploy test HTTP servers in either, or both, the filtered public subnet and the private subnet.
