AWS Account for Sale: Hand-in-Hand Teach You to Use AWS Site-to-Site VPN to Safely Connect Local Computer Room and Cloud VPC
In the process of enterprise information transformation, few companies can move all their business to the cloud overnight. The most realistic and secure solution is usually to leave the core confidential data in the local physical data center (IDC), and deploy the business with high flexibility and high concurrency in the cloud.
At this time, a hard core technical pain point surfaced:
How can I establish a secure, stable, and inexpensive communication channel between a local physical data center and a VPC?
It is good to pull a physical dedicated line (such as AWS Direct Connect), but the initial installation fee of tens of thousands of yuan and the construction period of several months are simply too much for most small and medium-sized enterprises. Under the premise of balancing cost and safety, the most cost-effective gold solution is to use.
AWS Site-to-Site VPN
.
Today, we don't pull complicated network theory and reject the big truth. We will start from pure actual combat and take you hand in hand to use the standard specifications of large factories to completely open up the local IDC and AWS cloud network.
Stage 1: Understand network topology and core concepts
Before you start typing commands, you must clear up the underlying human structure of this secure pipeline in your mind, otherwise you will be blind to the various IP routing configurations behind.
The connection model we want to build consists of the following four core components:
Local Gateway (Customer Gateway, CGW): The hardware firewall or router (such as Shenxin, Huawei, Cisco, etc.) that you exit from the local physical computer room. You have to tell AWS the public IP address of this device.
Virtual Private Gateway (Virtual Private Gateway, VGW): The active connector on the AWS side. It is a virtual router mounted on your cloud VPC and is responsible for handling all encrypted traffic in and out of the cloud.
VPN Connection (VPN Connection): A truly secure pipe. By default, AWS will be very kind to create two independent IPsec encrypted tunnels (Tunnel 1 and Tunnel 2) for you to realize double live disaster tolerance.
BGP dynamic routing vs. static routing: Determines how traffic flows. If your local device supports BGP protocol, dynamic routing is preferred, and it will automatically synchronize when the network topology changes. It doesn't matter if you don't support it, it is as stable as manually specifying the network segment with static routes.
Phase II: Cloud (AWS) Defense Position Configuration Express
Log in to your
AWS Console
, switch to the region where your business is located (e. g. Tokyo
ap-northeast-1
), enter
VPC service
.
1. Create a Customer Gateway (CGW)
Find Customer Gateway in the menu on the left and click Create.
Name: IDC-Main-Gateway.
BGP ASN: If using static routes, keep silent
Just recognize (65000).
IP address: extremely important! Enter the real public network IP of the exit router of your local computer room.
2. Create a virtual private gateway (VGW) and bind the VPC
Click "Virtual Private Gateway"-> Create a virtual private gateway named AWS-To-IDC-VGW.
After the creation is complete, select it, click Actions-> "Attach to VPC", and select the VPC where you are running the business. This step is equivalent to inserting the cloud's encrypted connector into your server base camp.
3. Formally establish a VPN connection
Click "Site-to-Site VPN Connection"-> Create VPN Connection.
Parameter Welding Death Configuration: Name: AWS-IDC-Vpn-Pipe. Target Gateway Type: Select Virtual Private Gateway and select the created VGW. Customer Gateway: Select Existing to select the CGW created in the first step. Routing Options: If your local router is older, select Static ". In the static IP prefix below, accurately fill in the internal network segment of your local physical data center (for example, 192.168.1.0/24).
Click Create. At this time, the AWS configuration has entered the "Pending (configuring)" state and will become "Available" after a few minutes ".
The third stage: local (IDC) firewall hardware configuration (the most easy to roll over point)
After the AWS side is configured, the best thing is that AWS has automatically written configuration files for you to adapt to various mainstream hardware devices.
In the list of AWS VPN connections, select the connection you just created and click "Download configuration file (Download Configuration)" at the top ".
In the pop-up window, select the router brand (such as Huawei, Cisco or Generic general-purpose) used in your local computer room. After downloading, you will get a text file containing all encryption parameters (pre-shared key Pre-Shared Key, IKE protocol, IPsec protocol).
Take it to your network manager and let him log into the background of the local physical router and configure it against the files. There are three core actions:
Configure the public network IP of the two tunnels (the configuration file will clearly give the external network IP of Tunnel 1 and Tunnel 2 assigned to you by AWS).
Alignment security parameters: encryption algorithm (usually AES256), authentication algorithm (SHA256), DH group (Group 14 or higher), both ends must be exactly the same, the wrong punctuation mark tunnel can not be built.
Enter the pre-shared key: The complex random string (PSK) in the plaintext is pasted into the key box of the local device.
Phase 4: Open up the two channels of Ren and Du-Routing Table Configuration and Traffic Release at Both Ends
Hard
The pieces are ready and the tunnel is connected, but at this time you are going from here.
ping
The intranet IP of the cloud server is still blocked with a high probability. Because the "routing tables" and "firewalls" of the operating systems on both sides have not yet been released.
1. AWS side: enable route propagation (Route Propagation)
This is the novice 99% will miss the operation.
In the AWS VPC console, click Route Table to find the route table where your cloud server is located.
Switch to the Route Propagation tab and click Edit.
Select Enable the created VGW.
Bottom Insider: After opening, AWS will automatically write the network segment (192.168.1.0/24) of your local physical computer room into the routing table of the cloud, telling the cloud machine: "In the future, all traffic to the local area will be transported by VGW through an encrypted tunnel".
2. Security Group (Security Group) big green light
Go to your cloud server (EC2) security group and add the inbound rule:
Type: All traffic (or only TCP depending on the business).
Source address: you must fill in the internal network segment 192.168.1.0/24 of your local computer room. Never open 0.0.0.0/0. We must ensure that only local machines that pass through the VPN tunnel can access the cloud.
The fifth stage: on-line verification and double live tunnel disaster recovery drill
Five minutes after all configurations are completed, switch to the AWS VPN connection details page.
"Tunnel Details"
. If you see the status of Tunnel 1 changed to green
“UP”
It shows that the network has been completely opened.
1. Real connectivity test
In the local physical computer room, find a server (IP:
192.168.1.50
), open the terminal and go directly
ping
Intranet IP of an EC2 in AWS cloud (IP:
10.0.1.23
).
If the screen jumps out of the familiar
64 bytes from 10.0.1.23... time=25ms
Congratulations, hybrid cloud networking has won! Both ends can already transmit data smoothly and securely through the intranet, and external hackers cannot eavesdrop at all.
2. Physical simulation net breaking exercise (double-activity verification)
As mentioned earlier, AWS defaults to two tunnels to prevent single point of failure.
Exercise: Have the network manager deliberately disable (shutdown) the physical interface or routing policy corresponding to Tunnel 1 in the local data center.
Observation: Staring at the console, you will find that the traffic is automatically and seamlessly cut to Tunnel 2 after a short period of jitter for a few seconds, and the intranet communication at both ends is completely uninterrupted. This is a highly available architecture that meets enterprise production specifications.
Summary
Utilization
The core secret of AWS Site-to-Site VPN to build a hybrid cloud network is eight words:
parameter alignment, routing bidirectional
. With a very low cloud gateway custody fee and local existing hardware equipment, you can weld an unbreakable, automatic disaster-tolerant cloud and local viaduct for the company in one afternoon. With balance warning and regular tunnel heartbeat detection, this hybrid cloud lifeline will become the most stable foundation in your architecture.
