
iot-static-ip-endpoints's Introduction

Deprecation Notice

This AWS Solution has been archived and is no longer maintained by AWS. To discover other solutions, please visit the AWS Solutions Library.

IoT Static IP Endpoints Solution

The IoT Static IP Endpoints Solution provides the capability to route all traffic through a set of static IP addresses to other AWS or Internet services.

Through the deployment of an OpenVPN server cluster, IoT devices in remote locations can establish a VPN tunnel, reducing the configuration of firewalls and other security devices in those locations. This solution provides the ability to automate the creation and revocation of client certificates and configurations as needed.

This repository is the same code base used to generate the AWS CloudFormation templates and assets, and uses the AWS Cloud Development Kit (CDK) to build and deploy the stack.

This solution collects anonymous operational metrics to help AWS improve the quality of features of the solution. For more information, including how to disable this capability, please see the implementation guide.

Getting Started

To get started with the IoT Static IP Endpoints Solution, please review the solution documentation at https://aws.amazon.com/answers/iot/iot-static-ip-endpoints/

Building and deploying from source

This build process is based on using an AWS CloudShell environment to complete the build steps. Please adjust accordingly if using a different environment to deploy from source. When not using CloudShell you will need to have Docker and npm installed for the build to complete.

Install Python3.8

sudo amazon-linux-extras enable python3.8
sudo yum -y install python3.8

Checkout the source

git clone https://github.com/awslabs/iot-static-ip-endpoints

Configure

cd iot-static-ip-endpoints/deployment
source ./solution_config
export AWS_REGION=us-west-2
export SOLUTION_TRADEMARKEDNAME=iot-static-ip-endpoints
export BUCKET_NAME_PREFIX=my-solution-assets-bucket
export VERSION=1.0.0

Make a bucket to store the compiled CloudFormation template and S3 assets.

aws s3 mb --region=${AWS_REGION} s3://${BUCKET_NAME_PREFIX}-${AWS_REGION}

Build

./build-s3-dist.sh ${BUCKET_NAME_PREFIX} v${VERSION}

Upload the template and assets to S3

aws s3 sync global-s3-assets/ s3://${BUCKET_NAME_PREFIX}-${AWS_REGION}/${SOLUTION_TRADEMARKEDNAME}/v${VERSION}/
aws s3 sync regional-s3-assets/ s3://${BUCKET_NAME_PREFIX}-${AWS_REGION}/${SOLUTION_TRADEMARKEDNAME}/v${VERSION}/

Deploy a new stack

aws cloudformation create-stack \
   --stack-name=MyIoTEndpoints \
   --template-url=https://${BUCKET_NAME_PREFIX}-${AWS_REGION}.s3-${AWS_REGION}.amazonaws.com/${SOLUTION_TRADEMARKEDNAME}/v${VERSION}/${SOLUTION_TRADEMARKEDNAME}.template \
   --capabilities=CAPABILITY_IAM \
   --parameters \
      ParameterKey=Zone1,ParameterValue=${AWS_REGION}a \
      ParameterKey=Zone2,ParameterValue=${AWS_REGION}b

Generate a device configuration

export CLIENT_NAME=MyTestClient
export MY_STACK_NAME=MyIoTEndpoints

export LAMBDA_FUNCTION=$(aws cloudformation describe-stacks --stack-name=${MY_STACK_NAME} --query "Stacks[0].Outputs[?OutputKey == 'CreateCertFunctionName'].OutputValue" --output text)

aws lambda invoke \
  --region $AWS_REGION \
  --function-name $LAMBDA_FUNCTION \
  --cli-binary-format raw-in-base64-out \
  --payload '{"ClientName": "'"$CLIENT_NAME"'"}' \
  $CLIENT_NAME.ovpn \
  && echo -e $(cat $CLIENT_NAME.ovpn | xargs) > $CLIENT_NAME.ovpn
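The last step rewrites the file with `echo -e $(cat ... | xargs)` because `aws lambda invoke` writes the function's return value as a JSON-encoded string (quoted, with `\n` escapes). The added example below, which is not part of the solution's own code, decodes that file explicitly and then sanity-checks the resulting profile before it is handed to a device; the directives it looks for are an assumption about a self-contained client profile, not taken from the solution's source.

```shell
#!/bin/sh
# Added example, not part of the solution's own code. It replaces the
# `echo -e $(cat ... | xargs)` step: `aws lambda invoke` writes the function's
# return value as a JSON-encoded string (quoted, with \n escapes), so decode it
# explicitly and then sanity-check the profile before handing it to a device.
# The directives checked are an assumption about a self-contained client
# profile, not taken from the solution's source.

# Decode a JSON-encoded string file to raw text (handles \n, \t, \\, \" and \/).
json_string_to_text() {
  body=$(sed -e 's/^"//' -e 's/"$//' -e 's/\\"/"/g' -e 's#\\/#/#g' "$1")
  printf '%b\n' "$body"
}

# Return 0 when the decoded profile has the parts an OpenVPN client needs and
# its "remote" line uses the expected port (the stack's Port parameter).
ovpn_check() {
  file=$1; port=$2; rc=0
  for want in '^client$' "^remote [^ ]+ ${port}( |$)" '^<ca>$' '^<cert>$' '^<key>$'; do
    grep -Eq -- "$want" "$file" || { echo "missing: $want"; rc=1; }
  done
  # A literal "\n" left in the file means the decode step was skipped.
  if grep -q '\\n' "$file"; then echo "profile still contains escaped newlines"; rc=1; fi
  return "$rc"
}

# Constructed sample of the Lambda output file; the PEM bodies are placeholders.
SAMPLE_JSON='"client\nproto udp\nremote 203.0.113.10 1194\n<ca>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n</ca>\n<cert>\nPLACEHOLDER\n</cert>\n<key>\nPLACEHOLDER\n</key>\n"'

# Decode the sample and check it against the port used in this README (1194).
demo() {
  dir=$(mktemp -d)
  printf '%s' "$SAMPLE_JSON" > "$dir/MyTestClient.json"
  json_string_to_text "$dir/MyTestClient.json" > "$dir/MyTestClient.ovpn"
  ovpn_check "$dir/MyTestClient.ovpn" 1194
}
```

Run `demo` after sourcing the script, or point `json_string_to_text` at the file `aws lambda invoke` actually wrote and pass the stack's Port value to `ovpn_check`.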

Parameters

| Parameter | Description | Update Action | Default |
|---|---|---|---|
| Zone1 | Availability Zone 1 | Do not update † | |
| Zone2 | Availability Zone 2 | Do not update † | |
| VpcCIDR | The VPC CIDR, must be in the form x.x.x.x/16-24 | Do not update † | 10.249.0.0/24 |
| UseNatGateways | Controls if NAT Gateways will be used | Do not update † | No |
| EIPNAT1 | Bring your own IP - NAT1 - EIP Allocation ID | Do not update † | |
| EIPNAT2 | Bring your own IP - NAT2 - EIP Allocation ID | Do not update † | |
| Port | The port the endpoint will listen on | Do not update † | 1194 |
| EIPNLB1 | Bring your own IP - NLB1 - EIP Allocation ID | Do not update † | |
| EIPNLB2 | Bring your own IP - NLB2 - EIP Allocation ID | Do not update † | |
| GlobalAccelerator | Toggles if a Global Accelerator endpoint is created | Do not update † | No |
| BYOIPGA1 | Bring your own IP - GA 1 - IP Address | Do not update † | |
| BYOIPGA2 | Bring your own IP - GA 2 - IP Address | Do not update † | |
| VPNProtocol | UDP is strongly recommended to avoid TCP Meltdown. | Do not update † | UDP |
| AutoScalingMinCapacity | Minimum cluster size. | No interruption | 2 |
| AutoScalingMaxCapacity | Maximum cluster size. | Possible interruption | 10 |
| InstanceAMI | SSM instance parameter for Amazon Linux 2 | Interruption | AmazonLinux2 x86_64 |
| InstanceType | EC2 instance type | Interruption | t3.small |
| CAValidDays | Private CA valid days | Do not update † | 3653 |
| OpenVpnKeepAliveSeconds | OpenVPN Keepalive Seconds | Do not update † | 10 |
| PeerCidr | The remote CIDR range to permit ingress traffic to our endpoints | Possible interruption | 0.0.0.0/0 |
| NotificationsEmail | The email which notifications will be sent to (i.e. Auto Scaling Events) | No interruption | |
| LogRetentionDays | Number of days to retain logs | No interruption | 365 |
| ActivateFlowLogsToCloudWatch | Send VPC flow logs to CloudWatch | No interruption | Yes |
| EFSRetentionPolicy | Toggles whether the EFS share used by OpenVPN will be Retained or Deleted | No interruption | Retain |
| CWLRetentionPolicy | Toggles whether the CloudWatch log groups will be Retained or Deleted | No interruption | Retain |

† Many parameters are used to initialize the OpenVPN cluster, and are passed to clients in the configuration files. These parameters cannot be changed once the stack has been deployed.

Command Reference

| Command | Purpose |
|---|---|
| npm run build | Run Build |
| npm run tests | Run Unit Tests |
| npm run lint | Run Linting |
| npm run full-build | Lint, Build, Test, and Synth |
| npm run check | Run Build & Synth |
| npm run nag | Run Build, Synth, and cfn-nag |

A note on configuration and conditions

This solution uses the AWS CDK, but it is also published as a synthesized CloudFormation template which can be deployed without using the AWS CDK. For this reason we move all configuration and conditional logic into the resulting template using CloudFormation conditions. This makes the resulting code slightly more awkward, but it allows us to produce an easily consumable solution without requiring use of the AWS CDK.


Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at

http://www.apache.org/licenses/LICENSE-2.0

or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


iot-static-ip-endpoints's Issues

Restrict non-AWS service access from the IoT Gateway via the VPN connection

Is your feature request related to a problem? Please describe.
The solution works, but in its current form it allows the IoT Gateway to access any internet based hosts, so thinking of potential security exposures it grants open access from inside the customer network well beyond the connectivity required for IoT operation.

Describe the feature you'd like
I would like a prescribed solution that limits the connectivity through the VPN to only the AWS services required to operate an AWS IoT solution. Specifically preventing access (via the VPN) for the IoT device/Core to potentially malicious hosts on the internet. In an ideal world, any solution should not introduce further overhead in needing to scale infrastructure from a customer perspective.

Additional context
Add any other context or screenshots about the feature request here.

Solution is not building/ deploying

Describe the bug
I am following the steps to build and deploy the solution using AWS CloudShell but it is not succeeding.

error:

CDK version 1.143.0
------ EXEC npm run build

[email protected] build /home/cloudshell-user/iot-static-ip-endpoints/source
tsc

lib/GreengrassVpnService.ts:90:7 - error TS2322: Type 'SolutionVpc' is not assignable to type 'IVpc'.

90 vpc: props.vpc,
~~~

node_modules/@aws-cdk/aws-ec2/lib/security-group.d.ts:184:14
184 readonly vpc: IVpc;
~~~
The expected type comes from property 'vpc' which is declared here on type 'SecurityGroupProps'

lib/GreengrassVpnService.ts:98:7 - error TS2322: Type 'SolutionVpc' is not assignable to type 'IVpc'.

98 vpc: props.vpc,
~~~

node_modules/@aws-cdk/aws-efs/lib/efs-file-system.d.ts:151:14
151 readonly vpc: ec2.IVpc;
~~~
The expected type comes from property 'vpc' which is declared here on type 'FileSystemProps'

lib/NLBEC2Service.ts:128:7 - error TS2739: Type 'SolutionVpc' is missing the following properties from type 'IVpc': vpcArn, addClientVpnEndpoint, applyRemovalPolicy

128 vpc: props.vpc
~~~

node_modules/@aws-cdk/aws-ec2/lib/security-group.d.ts:184:14
184 readonly vpc: IVpc;
~~~
The expected type comes from property 'vpc' which is declared here on type 'SecurityGroupProps'

lib/NLBEC2Service.ts:161:7 - error TS2322: Type 'SolutionVpc' is not assignable to type 'IVpc'.

161 vpc: props.vpc,
~~~

node_modules/@aws-cdk/aws-autoscaling/lib/auto-scaling-group.d.ts:328:14
328 readonly vpc: ec2.IVpc;
~~~
The expected type comes from property 'vpc' which is declared here on type 'AutoScalingGroupProps'

lib/NLBGlobalAccelerator.ts:15:84 - error TS2305: Module '"@aws-cdk/aws-globalaccelerator"' has no exported member 'EndpointConfiguration'.

15 import { Accelerator, Listener, EndpointGroup, CfnAccelerator, ConnectionProtocol, EndpointConfiguration } from "@aws-cdk/aws-globalaccelerator"
~~~~~~~~~~~~~~~~~~~~~

lib/SolutionSubnet.ts:17:14 - error TS2420: Class 'SolutionSubnet' incorrectly implements interface 'ISubnet'.
Property 'applyRemovalPolicy' is missing in type 'SolutionSubnet' but required in type 'ISubnet'.

17 export class SolutionSubnet implements ISubnet {
~~~~~~~~~~~~~~

node_modules/@aws-cdk/core/lib/resource.d.ts:76:5
76 applyRemovalPolicy(policy: RemovalPolicy): void;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'applyRemovalPolicy' is declared here.

lib/SolutionVpc.ts:54:14 - error TS2420: Class 'SolutionVpc' incorrectly implements interface 'IVpc'.
Type 'SolutionVpc' is missing the following properties from type 'IVpc': vpcArn, addClientVpnEndpoint, applyRemovalPolicy

54 export class SolutionVpc extends Construct implements IVpc {
~~~~~~~~~~~

lib/SolutionVpc.ts:283:9 - error TS2741: Property 'applyRemovalPolicy' is missing in type 'SolutionSubnet' but required in type 'ISubnet'.

283 new SolutionSubnet(this.cfnPublicSubnets[0], this.publicRouteTable),
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

node_modules/@aws-cdk/core/lib/resource.d.ts:76:5
76 applyRemovalPolicy(policy: RemovalPolicy): void;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'applyRemovalPolicy' is declared here.

lib/SolutionVpc.ts:284:9 - error TS2322: Type 'SolutionSubnet' is not assignable to type 'ISubnet'.

284 new SolutionSubnet(this.cfnPublicSubnets[1], this.publicRouteTable)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

lib/SolutionVpc.ts:292:9 - error TS2322: Type 'SolutionSubnet' is not assignable to type 'ISubnet'.

292 new SolutionSubnet(this.cfnPrivateSubnets[0], this.privateRouteTables[0]),
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

lib/SolutionVpc.ts:293:9 - error TS2322: Type 'SolutionSubnet' is not assignable to type 'ISubnet'.

293 new SolutionSubnet(this.cfnPrivateSubnets[1], this.privateRouteTables[1])
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

lib/SolutionVpc.ts:312:5 - error TS2741: Property 'applyRemovalPolicy' is missing in type '{ subnetId: any; availabilityZone: any; internetConnectivityEstablished: boolean; ipv4CidrBlock: string; readonly routeTable: IRouteTable; associateNetworkAcl(): void; readonly node: ConstructNode; readonly env: ResourceEnvironment; readonly stack: Stack; }' but required in type 'ISubnet'.

312 return {
~~~~~~~~
313 subnetId: ifNat(pri.subnetId, pub.subnetId),
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
331 }
~~~~~~~
332 }
~~~~~

node_modules/@aws-cdk/core/lib/resource.d.ts:76:5
76 applyRemovalPolicy(policy: RemovalPolicy): void;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'applyRemovalPolicy' is declared here.

test/SolutionSubnet.spec.ts:42:9 - error TS2571: Object is of type 'unknown'.

42 if (err.message !== "Not implemented") {
~~~

test/SolutionSubnet.spec.ts:55:9 - error TS2571: Object is of type 'unknown'.

55 if (err.message !== "Not implemented") {
~~~

test/SolutionVpc.spec.ts:200:9 - error TS2571: Object is of type 'unknown'.

200 if (err.message !== "not implemented") {
~~~

test/SolutionVpc.spec.ts:208:9 - error TS2571: Object is of type 'unknown'.

208 if (err.message !== "not implemented") {
~~~

test/SolutionVpc.spec.ts:216:9 - error TS2571: Object is of type 'unknown'.

216 if (err.message !== "not implemented") {
~~~

test/SolutionVpc.spec.ts:224:9 - error TS2571: Object is of type 'unknown'.

224 if (err.message !== "not implemented") {
~~~

test/SolutionVpc.spec.ts:232:9 - error TS2571: Object is of type 'unknown'.

232 if (err.message !== "not implemented") {
~~~

test/SolutionVpc.spec.ts:254:9 - error TS2571: Object is of type 'unknown'.

254 if (err.message !== "not implemented") {
~~~

test/SolutionVpc.spec.ts:262:9 - error TS2571: Object is of type 'unknown'.

262 if (err.message !== "not implemented") {
~~~

test/SolutionVpc.spec.ts:270:9 - error TS2571: Object is of type 'unknown'.

270 if (err.message !== "vpc.isolatedSubnets Not Implemented") {
~~~

test/SolutionVpc.spec.ts:278:9 - error TS2571: Object is of type 'unknown'.

278 if (err.message !== "vpc.vpnGatewayId Not Implemented") {
~~~

test/SolutionVpc.spec.ts:286:9 - error TS2571: Object is of type 'unknown'.

286 if (err.message !== "vpc.internetConnectivityEstablished Not Implemented") {
~~~

test/SolutionVpc.spec.ts:294:9 - error TS2571: Object is of type 'unknown'.

294 if (err.message !== "vpc.env Not Implemented") {
~~~

test/SolutionVpc.spec.ts:302:9 - error TS2571: Object is of type 'unknown'.

302 if (err.message !== "vpc.enableVpnGateway Not Implemented") {
~~~

test/SolutionVpc.spec.ts:310:9 - error TS2571: Object is of type 'unknown'.

310 if (err.message !== "vpc.addVpnConnection Not Implemented") {
~~~

test/SolutionVpc.spec.ts:318:9 - error TS2571: Object is of type 'unknown'.

318 if (err.message !== "vpc.addGatewayEndpoint Not Implemented") {
~~~

test/SolutionVpc.spec.ts:326:9 - error TS2571: Object is of type 'unknown'.

326 if (err.message !== "vpc.addInterfaceEndpoint Not Implemented") {
~~~

test/SolutionVpc.spec.ts:334:9 - error TS2571: Object is of type 'unknown'.

334 if (err.message !== "vpc.addFlowLog Not Implemented") {
~~~

Found 30 errors.

npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] build: tsc
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] build script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! /home/cloudshell-user/.npm/_logs/2022-02-08T17_23_07_794Z-debug.log
Aborted - rc=1

How do I use the solution?

Firstly, I am not reporting a bug.
I could build and install the solution, but I don't understand how I can use this. I don't find any documentation for using the static IP setup for IoT.
