Easiest / Best way to setup private VPC


Hello,
I am way out of my element with this and trying to learn so please keep that in mind, and I am certain this has been asked but I haven't been able to pinpoint it.

I am trying to configure a very simple proof of concept with a Windows EC2 instance that is accessed via RDP while also being secure. I will have at most 2 users accessing at the same time, but from different locations, one from a static IP and one dynamic. I've spent the last two days reading and it seems nearly all examples of locking down an instance involve a public subnet with a Web server and a private subnet with a DB server where the only way to get to the DB server is from the Web server. I just want to have the private subnet. I've also read some examples of using a VPN, or session manager to forward RDP ports but these leave out details and the more I look into it, the more confusing it gets.

Can someone point me to a straightforward example of how to configure a VPC for just a single instance that is secure?

Edit - I should also note that cost is a primary factor.

Edited by: BrianBPP on Feb 10, 2021 3:35 PM

asked 3 years ago, 308 views

5 Answers
Accepted Answer

if you want to post exactly what you are trying to do and the exact response, feel free to do so.

I would suggest getting the initial setup working before moving onto a VPN, which will add a whole other set of things to deal with.

I realize you are looking for a cost-effective solution. That comes at the expense of resiliency, scalability and a TCO cost (total cost of ownership) of having to deal with more EC2 instances over time. It will also generally increase your blast radius for attacks, compromises, and misconfigurations.

So, that being said, the 'poor man's' approach:

In theory, you can use an OpenVPN server as a NAT instance as well, but boy, is that not going to be straightforward: you need both a NAT AMI and an OpenVPN server installed and configured. You are going to find an AMI for one or the other, and I don't think you will for both, so you'll have to configure something from scratch. Never done it, and never will, so I can't tell you the right way to do so.

If you launch an openvpn server:
Yes in a public subnet
Yes, have its own security group. For inbound you can google with the best of them on that; it's a few TCP and UDP ports. For outbound, you probably want to keep it simple and allow all outbound.

Correct: the Windows system will need inbound on port 3389 for the OpenVPN security group ID.

For NAT: you should strongly consider either a standalone NAT AMI or use the gateway, which is just so easy. Either way, be sure the default route ends up going to the gateway ID or the ENI of the NAT AMI.

answered 3 years ago

to be sure you are headed in the right direction, you might want to be clear about what your goals are.

if you want a windows instance in a private subnet, meaning no inbound traffic is allowed from the internet, but you want to be able to rdp into it and have internet access outbound from that instance, then:

You need to create a vpc with at least a public subnet and a private subnet.
A public subnet has an internet gateway associated with it. This only costs money when you send traffic out...it will be next to nothing.
You will also need a NAT Gateway or a NAT Instance created and deployed in the public subnet. Either of these will cost a few bucks: The NAT Gateway is easy and probably about $12/month
The private subnet will have the default route (0.0.0.0/0) pointed to the NAT Gateway (if you use a NAT gateway)
you can then spin up a windows instance from an ami that has session manager already enabled. You will have to create or use a keypair as part of this.
You will need to assign an IAM profile to that instance that has the SSMManagedCore policy associated with it.
The security group for the instance needs to have at least OUTBOUND 443 tcp access. Most beginners just have outbound open for all of tcp for 0.0.0.0/0
Once the windows instance spins up, you should then be able to use session manager to rdp into the instance. You will retrieve the password using the private key file.

Those are the basic ingredients...Good luck.

answered 3 years ago
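The procedure in the answer above (public and private subnet, internet gateway, NAT gateway with the private default route pointed at it, an instance profile for Session Manager, and a security group with outbound 443 only), as an added Terraform example. This is not code from the thread or from AWS. It assumes an AWS provider is already configured, a Windows Server AMI ID and an existing key pair name supplied as variables, and 10.0.0.0/16 as an arbitrary address range; the managed policy the answer refers to is named AmazonSSMManagedInstanceCore.

```hcl
# Added example, not from the original thread. Assumptions: an AWS provider is already
# configured, the two variables below are supplied, and 10.0.0.0/16 is an arbitrary range.
variable "windows_ami" {} # Windows Server AMI; AWS Windows AMIs ship with SSM Agent preinstalled
variable "key_name" {}    # existing EC2 key pair, used later to decrypt the Administrator password

resource "aws_vpc" "poc" {
  cidr_block = "10.0.0.0/16"
}

# Public subnet: default route to the internet gateway; hosts the NAT gateway.
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.poc.id
  cidr_block              = "10.0.0.0/24"
  map_public_ip_on_launch = true
}

# Private subnet: instances get no public IP; the only way out is the NAT gateway.
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.poc.id
  cidr_block = "10.0.1.0/24"
}

resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.poc.id }
resource "aws_eip" "nat" { domain = "vpc" }

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.poc.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

# The private default route points at the NAT gateway, never at the internet gateway.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.poc.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Instance role for Session Manager; the managed policy is AmazonSSMManagedInstanceCore.
resource "aws_iam_role" "ssm" {
  name = "poc-windows-ssm"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "ec2.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy_attachment" "ssm" {
  role       = aws_iam_role.ssm.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "ssm" {
  name = "poc-windows-ssm"
  role = aws_iam_role.ssm.name
}

# No inbound rules at all: Session Manager is an outbound HTTPS connection from the agent.
resource "aws_security_group" "windows" {
  name   = "windows-private"
  vpc_id = aws_vpc.poc.id
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "windows" {
  ami                         = var.windows_ami
  instance_type               = "t3.medium"
  subnet_id                   = aws_subnet.private.id
  vpc_security_group_ids      = [aws_security_group.windows.id]
  iam_instance_profile        = aws_iam_instance_profile.ssm.name
  key_name                    = var.key_name
  associate_public_ip_address = false
}
```

After `terraform apply`, no inbound port is open anywhere. To RDP, forward port 3389 through Session Manager from your workstation with `aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["3389"],"localPortNumber":["13389"]}'` and point the RDP client at localhost:13389; the Administrator password comes from `aws ec2 get-password-data --instance-id <instance-id> --priv-launch-key <key-file>`. If the NAT gateway exists only so the instance can reach Systems Manager, interface VPC endpoints for the ssm, ssmmessages and ec2messages services in the private subnet remove that dependency, though the instance then has no path for Windows Update or anything else outbound.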

Thank you for the explanation; that is exactly what I have been looking for. I must have a setting mixed up as I can't connect yet but I'll keep tweaking it.

One new requirement that came up is to use a VPN. Since we will only have 1-2 users at a time, the suggestion was to use the OpenVPN AMI. From what I understand, that goes into the public subnet with a new security group, then I update the security group on the private Windows server to allow connections from the OpenVPN security group. Is this a reasonable approach?

Also, do I still need the NAT Gateway? Looking at the current pricing, it seems to be about $30/month and I read something about OpenVPN also providing NAT.

answered 3 years ago

I took your suggestion and got the basic connection working, then added a VPN and so far it is working as expected; much appreciated!

The current configuration has an OpenVPN server and NAT gateway in a public subnet (route rule pointing to the internet gateway); and the main Windows server in a private subnet (route rule pointing to the NAT gateway). The OpenVPN server has a security group that allows the default TCP and UDP ports from the AMI, and the Windows server's security group has a single rule to allow RDP only from the OpenVPN security group.

I followed the OpenVPN documentation to configure the OpenVPN server and from what I understand, I shouldn't have to make any other changes to ensure a secure configuration.

Thanks again for your guidance. On to phase 2.

answered 3 years ago
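The final configuration described in the reply above (an OpenVPN server in the public subnet with the AMI's default ports, and a Windows server whose only inbound rule allows RDP from the OpenVPN security group), as an added Terraform example that is not code from the thread or from OpenVPN. It assumes the VPC, public subnet and Windows security group already exist and their IDs are passed in as variables, an OpenVPN Access Server AMI ID and key pair name, and one static admin address; the ports are the Access Server defaults (UDP 1194 and TCP 443 for VPN clients, TCP 943 for the admin web UI, TCP 22 for SSH).

```hcl
# Added example, not from the original thread. Assumes the VPC, public subnet and the
# private Windows instance's security group already exist; their IDs are supplied below.
variable "vpc_id" {}
variable "public_subnet_id" {}
variable "windows_sg_id" {}  # security group attached to the private Windows instance
variable "openvpn_ami" {}    # OpenVPN Access Server AMI from AWS Marketplace
variable "key_name" {}
variable "admin_cidr" {}     # the one static IP, e.g. "203.0.113.10/32" (RFC 5737 documentation range)

# Access Server default ports. The VPN client ports must be open to 0.0.0.0/0 because one
# user is on a dynamic IP; the admin UI and SSH are limited to the static address instead.
resource "aws_security_group" "openvpn" {
  name   = "openvpn-public"
  vpc_id = var.vpc_id
  dynamic "ingress" {
    for_each = {
      vpn_udp = { port = 1194, proto = "udp", cidr = "0.0.0.0/0" }
      vpn_tcp = { port = 443,  proto = "tcp", cidr = "0.0.0.0/0" }
      admin   = { port = 943,  proto = "tcp", cidr = var.admin_cidr }
      ssh     = { port = 22,   proto = "tcp", cidr = var.admin_cidr }
    }
    content {
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = ingress.value.proto
      cidr_blocks = [ingress.value.cidr]
    }
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "openvpn" {
  ami                    = var.openvpn_ami
  instance_type          = "t3.small"
  subnet_id              = var.public_subnet_id
  vpc_security_group_ids = [aws_security_group.openvpn.id]
  key_name               = var.key_name
}

# Stable public address so client profiles keep working if the instance is stopped and started.
resource "aws_eip" "openvpn" {
  domain   = "vpc"
  instance = aws_instance.openvpn.id
}

# The single inbound rule on the Windows server: RDP from members of the OpenVPN security
# group, referenced by group ID rather than by the VPN server's IP address.
resource "aws_security_group_rule" "rdp_from_vpn" {
  type                     = "ingress"
  security_group_id        = var.windows_sg_id
  protocol                 = "tcp"
  from_port                = 3389
  to_port                  = 3389
  source_security_group_id = aws_security_group.openvpn.id
}
```

Referencing the group by ID means the rule keeps matching if the VPN server is rebuilt with a new address. It relies on Access Server's default of NATing VPN-client traffic to the server's own VPC address, so packets reaching the Windows instance come from the OpenVPN ENI; if you switch to routing the client subnet instead, you also need `source_dest_check = false` on the OpenVPN instance and an explicit allow for the client pool CIDR. To confirm that nothing else can reach 3389, run `aws ec2 describe-security-groups --group-ids <windows-sg-id>` and check that the only IpPermissions entry is the one whose UserIdGroupPairs names the OpenVPN group.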