terraform-aws-selfconfig-cgw's Introduction

AWS site-to-site VPN with BGP

This module deploys a secure connection between two AWS VPCs, using the AWS site-to-site VPN service on one end and a standard Ubuntu 20.04 LTS instance as the Customer Gateway (CGW) on the other end. With this reference setup you can easily test scenarios in which you need to expose VPC services hosted in private networks to an external network, whether that network lives in a different cloud (Azure, Google Cloud or Oracle Cloud) or in your own facilities (home, office or data center).

The setup has two logical sides: the blue side represents the AWS VPC your services are attached to, and the green side any external network reachable through the internet. In this setup the green side is also a VPC in the same account, as that is the easiest way to automate the scenario end to end.

(diagram: Base configuration)

Key Features

1. Deploy a site-to-site VPN connection

Create a self-configured AWS site-to-site VPN between your VPC and a remote location through an IPSec tunnel.

(screenshot: VPN Up and Running)

2. Automate the Customer Gateway configuration

A self-configured EC2 instance (Ubuntu 20.04 LTS) is used as the remote end of the secure connection, which is established with an IPSec tunnel (strongSwan) and a BGP session that advertises prefixes dynamically (Quagga).

Auto-configured Tunnel Interfaces (green): the VPN instance has two additional interfaces, one for each IPSec tunnel. The tunnels work in an active/standby model. (screenshot: vpn_instance_interfaces)

IPSec Up and Running (green): both IPSec tunnels established successfully. (screenshot: vpn_instance_ipsec)

BGP connection Established (green): BGP sessions established between the two neighbours; routes are being advertised and received. (screenshot: vpn_instance_bgp)

3. Configure L3 routing

Access your VPC services from a remote network without exposing them to the internet. Routes are advertised dynamically using BGP.

VPN instance routes (green): private networks hosted on the blue side are reachable from the VPN instance through the tunnel interface. (screenshot: vpn_instance_routes)

AWS private subnet routes (blue): private networks hosted on the green side are reachable through the Virtual Private Gateway (VPG). These routes are propagated from the VPG and learned via BGP. (screenshot: blue_private_subnet_routes)

Disclaimer

This module is a reference implementation for testing purposes and is NOT intended for a production environment. By using it you are at your own risk.

For a production setup, I strongly recommend reading Amazon Virtual Private Cloud Connectivity Options, from which you can take all the insights you need to design a scalable, highly available and secure architecture.

Usage

This module can be deployed without passing any input parameter: every input has a pre-defined default value (see the inputs documentation below).

Basic setup


  module "my_vpn_setup" {

    source  = "aws-terraform-fullyconnectedvpn"
    version = "1.0.5"

    # insert the 12 optional variables

  }

Access CGW with a self-managed key pair


  module "my_vpn_setup" {

    source  = "aws-terraform-fullyconnectedvpn"
    version = "1.0.5"

    green_vpn_inst_keyname              = "my-existing-keypair"
    green_vpn_inst_allowed_networks_ssh = ["108.34.76.23/32", ...] # SSH sessions will be blocked if no source IP is set

  }

Customer Gateway with an auto-generated key pair

Do not define the input variable green_vpn_inst_keyname if you prefer to have an auto-generated key pair.


  module "my_vpn_setup" {

    source  = "aws-terraform-fullyconnectedvpn"
    version = "1.0.5"

    green_vpn_inst_allowed_networks_ssh = ["108.34.76.23/32", ...] # SSH won't be possible if source IP is not set

  }

To access the VPN instance, use the private key, which is stored securely in the AWS Systems Manager Parameter Store.

(screenshot: AWS Systems Manager - parameter store)

Read this page if you are not familiar with how to Connect to your Linux instance using SSH.

Define custom network parameters

  module "my_vpn_setup" {

    source  = "aws-terraform-fullyconnectedvpn"
    version = "1.0.5"

    # blue side input params
    blue_vpc_cidr               = "172.17.0.0/16"
    blue_asn                    = "64620"
    blue_public_subnet_size     = 20
    blue_private_subnet_size    = 20

    # green side input params
    green_vpc_cidr              = "172.16.0.0/16"
    green_asn                   = "65220"
    green_public_subnet_size    = 24
    green_private_subnet_size   = 24

  }

This module deploys a public and a private subnet on both sides. The public subnet always uses the first block of the VPC address space with the specified public subnet size. The private subnet always uses the second block of the VPC address space with the specified private subnet size.
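As an added worked example (not part of the module), the following Python script applies the allocation rule just described to the values from the custom network example above, validates the inputs against the ranges given in the Inputs table, and flags the case where the two blocks overlap. The mapping to Terraform's cidrsubnet() with indexes 0 and 1 is an assumption about the module, not something the page confirms.

```python
import ipaddress
from itertools import islice
from typing import Tuple

# Constraints from the Inputs table: VPC size /16 to /27, subnet size 16 to 28,
# and each subnet must be smaller than (a longer prefix than) the VPC.
VPC_PREFIXES = range(16, 28)     # /16 .. /27
SUBNET_SIZES = range(16, 29)     # 16 .. 28


def plan_subnets(vpc_cidr: str, public_size: int, private_size: int) -> Tuple[str, str]:
    """Return (public_cidr, private_cidr) for one side using the documented rule:
    public = first block of `public_size` in the VPC, private = second block of
    `private_size`. Assumed (not confirmed by the page) to match Terraform's
    cidrsubnet(vpc, size - vpc_prefix, 0) and cidrsubnet(vpc, size - vpc_prefix, 1).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)  # rejects a CIDR with host bits set
    if vpc.prefixlen not in VPC_PREFIXES:
        raise ValueError(f"VPC size must be /16 to /27, got /{vpc.prefixlen}")
    for name, size in (("public", public_size), ("private", private_size)):
        if size not in SUBNET_SIZES:
            raise ValueError(f"{name} subnet size must be 16..28, got {size}")
        if size <= vpc.prefixlen:
            raise ValueError(f"{name} subnet /{size} is not smaller than VPC /{vpc.prefixlen}")
    public = next(vpc.subnets(new_prefix=public_size))                  # block index 0
    private = next(islice(vpc.subnets(new_prefix=private_size), 1, 2))  # block index 1
    return str(public), str(private)


def overlaps(public_cidr: str, private_cidr: str) -> bool:
    """True when the two blocks overlap. Under the rule above this happens whenever
    the private subnet is smaller than the public one (e.g. public /20, private /24),
    because the second /24 still lies inside the first /20."""
    return ipaddress.ip_network(public_cidr).overlaps(ipaddress.ip_network(private_cidr))


if __name__ == "__main__":
    # Values taken from the "Define custom network parameters" example.
    for side, cidr, pub, priv in (("blue", "172.17.0.0/16", 20, 20),
                                  ("green", "172.16.0.0/16", 24, 24)):
        public, private = plan_subnets(cidr, pub, priv)
        print(f"{side}: public={public} private={private} overlap={overlaps(public, private)}")
```

Keeping both sizes equal (as in the examples on this page) is the simplest way to guarantee the two blocks never overlap.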

(diagram: Network)

You can create more subnets with your own resources or modules by attaching them to the blue or green VPC. To get the VPC ids, see the outputs documentation.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.11 |
| aws | >= 4.5.0 |
| tls | 3.1.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.5.0 |
| tls | 3.1.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| blue_vpc | terraform-aws-modules/vpc/aws | 3.13.0 |
| green_vpc | terraform-aws-modules/vpc/aws | 3.13.0 |

Resources

| Name | Type |
|------|------|
| aws_eip.green_vpn_inst | resource |
| aws_eip_association.green_vpn_inst_eip | resource |
| aws_instance.green_vpn_inst | resource |
| aws_key_pair.green_vpn_inst | resource |
| aws_route.green_blue_side_route | resource |
| aws_security_group.green_vpn_inst_green_traffic | resource |
| aws_security_group.green_vpn_inst_ipsec | resource |
| aws_security_group.green_vpn_inst_ssh | resource |
| aws_ssm_parameter.green_vpn_inst | resource |
| aws_vpn_connection.blue_vpn | resource |
| tls_private_key.green_vpn_inst | resource |
| aws_ami.green_vpn_inst_ubuntu | data source |
| aws_availability_zones.available | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| blue_asn | (Optional) The BGP Autonomous System Number (ASN) for the blue side. Select an ASN from the private pool (64512 - 65534). | string | "64620" | no |
| blue_private_subnet_size | (Optional) Private subnet size for the blue side. This number defines the subnet mask and can have any value from 16 to 28 as long as the subnet is smaller than the VPC. We recommend leaving the default value if you are not familiar with subnetting. | number | 24 | no |
| blue_public_subnet_size | (Optional) Public subnet size for the blue side. This number defines the subnet mask and can have any value from 16 to 28 as long as the subnet is smaller than the VPC. We recommend leaving the default value if you are not familiar with subnetting. | number | 24 | no |
| blue_vpc_cidr | (Optional) Blue side VPC CIDR. VPC size from /16 to /27. | string | "10.1.0.0/16" | no |
| green_asn | (Optional) The BGP Autonomous System Number (ASN) for the green side. Select an ASN from the private pool (64512 - 65534). | string | "65220" | no |
| green_private_subnet_size | (Optional) Private subnet size for the green side. This number defines the subnet mask and can have any value from 16 to 28 as long as the subnet is smaller than the VPC. We recommend leaving the default value if you are not familiar with subnetting. | number | 24 | no |
| green_public_subnet_size | (Optional) Public subnet size for the green side. This number defines the subnet mask and can have any value from 16 to 28 as long as the subnet is smaller than the VPC. We recommend leaving the default value if you are not familiar with subnetting. | number | 24 | no |
| green_vpc_cidr | (Optional) Green side VPC CIDR. VPC size from /16 to /27. | string | "10.2.0.0/16" | no |
| green_vpn_endpoint_instancetype | (Optional) The instance type for the VPN EC2 instance used as Customer Gateway (CGW). Make sure you use an instance type that meets your network performance requirements. | string | "t3a.micro" | no |
| green_vpn_inst_allowed_networks_ssh | (Optional) Allowed networks (CIDR) to SSH to the VPN EC2 instance (green). E.g. 1. a single IP [1.1.1.1/32]; 2. multiple IPs or networks [1.1.1.1/32, 10.0.1.0/24]. | list(any) | [] | no |
| green_vpn_inst_keyname | (Optional) Specify an existing key pair name to associate with the VPN EC2 instance on the green side. This key pair will be used for SSH authentication. If not specified, a new key pair will be created and the private key stored in Parameter Store. | string | "" | no |
| project_tags | (Optional) A map of convenient tags assigned to all resources. | string | "https://registry.terraform.io/modules/bsrodrigs/fully-connected-vpn/aws/latest" | no |
| region | (Optional) AWS region where the module will be deployed (e.g. eu-west-1). | string | "eu-west-1" | no |

Outputs

| Name | Description |
|------|-------------|
| blue_vpc | Blue side VPC outputs. For more details see the official documentation: https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest?tab=outputs |
| green_vpc | Green side VPC outputs. For more details see the official documentation: https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest?tab=outputs |

Contributors

bsrodrigs, pfilourenco


terraform-aws-selfconfig-cgw's Issues

Green side can advertise multiple networks

  • Change bgpd.conf template
  • Escape '\n' char

  # Auxiliary variables
  p12 =  replace(tostring(join("", [for p in local.green_prefixes : join("", [local.green_prefixes_config_string, " ", "network ", p, "\n" ]) ])), "/", "BACKSLASH")
  green_prefixes = concat(module.green_vpc.public_subnets_cidr_blocks, module.green_vpc.private_subnets_cidr_blocks, var.green_additonal_prefixes_advertise)
  green_prefixes_config_string = ""

  variable "green_additonal_prefixes_advertise" {
    type        = list(any)
    default     = []
    description = "(Optional) Green subnets are automatically advertised. In addition to those, you can advertise other subnets by adding their CIDR to this list."
  }

Add issue templates

Add issue templates to this repo to allow creation of issues based on templates
