If you want to post exactly what you are trying to do and the exact response, feel free to do so.
I would suggest getting the initial setup working before moving on to a VPN, which will add a whole other set of things to deal with.
I realize you are looking for a... cost-effective solution... that comes at the expense of resiliency, scalability and a TCO cost (total cost of ownership) of having to deal with more EC2 instances over time. It will also generally increase your blast radius for attacks, compromises, and misconfigurations.
So, that being said, the 'poor man's' approach:
In theory, you can use an OpenVPN server as a NAT instance as well, but boy, is that not going to be straightforward: you need both a NAT AMI and an OpenVPN server installed and configured. You are going to find an AMI for one or the other, and I don't think you will for both, so you'll have to configure something from scratch... never done it, and never will, so I can't tell you the right way to do so.
If you launch an OpenVPN server:
Yes, in a public subnet.
Yes, have its own security group: for inbound you can google with the best of them on that... it's a few TCP and UDP ports. For outbound, you probably want to keep it simple and allow all outbound.
Correct: the Windows system will need inbound on port 3389 from the OpenVPN security group ID.
For NAT: you should strongly consider either a standalone NAT AMI or use the gateway, which is just... so easy... Either way, be sure the default route ends up going to the gateway ID or the ENI of the NAT AMI.
To be sure you are headed in the right direction, you might want to be clear about what your goals are.
If you want a Windows instance in a private subnet, meaning no inbound traffic is allowed from the internet, but you want to be able to RDP into it and have internet access outbound from that instance, then:
You need to create a VPC with at least a public subnet and a private subnet.
A public subnet has an internet gateway associated with it. This only costs money when you send traffic out... it will be next to nothing.
You will also need a NAT Gateway or a NAT Instance created and deployed in the public subnet. Either of these will cost a few bucks: the NAT Gateway is easy and probably about $12/month.
The private subnet will have the default route (0.0.0.0/0) pointed to the NAT Gateway (if you use a NAT gateway).
You can then spin up a Windows instance from an AMI that has Session Manager already enabled. You will have to create or use a key pair as part of this.
You will need to assign an IAM profile to that instance that has the SSMManagedCore policy associated with it.
The security group for the instance needs to have at least OUTBOUND 443 TCP access. Most beginners just have outbound open for all of TCP for 0.0.0.0/0.
Once the Windows instance spins up, you should then be able to use Session Manager to RDP into the instance. You will retrieve the password using the private key file.
Those are the basic ingredients... Good luck.
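The ingredients listed in this answer, written out as one deployable unit. This is an added example and not code from the thread or from AWS: it generates a CloudFormation template for the public/private subnet pair, internet gateway, NAT Gateway, the two route tables, an instance profile for Session Manager, and a Windows host in the private subnet whose security group has no inbound rules and only outbound 443/tcp. It assumes the managed policy is `AmazonSSMManagedInstanceCore` (the answer abbreviates it as "SSMManagedCore"); the CIDRs, logical resource names and parameter names are the example's own choices, and the AMI id, instance type and key pair are left as template parameters.

```python
"""Build a CloudFormation template (JSON) for a private Windows host reachable only
via Session Manager. Added example; resource names and CIDRs are assumptions."""
import json

SSM_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"  # assumed policy name


def build_template(vpc_cidr="10.0.0.0/16", public_cidr="10.0.0.0/24",
                   private_cidr="10.0.1.0/24"):
    r = {}
    r["Vpc"] = {"Type": "AWS::EC2::VPC", "Properties": {
        "CidrBlock": vpc_cidr, "EnableDnsSupport": True, "EnableDnsHostnames": True}}
    # Public subnet: hosts the NAT Gateway, routes 0.0.0.0/0 to the internet gateway.
    r["PublicSubnet"] = {"Type": "AWS::EC2::Subnet", "Properties": {
        "VpcId": {"Ref": "Vpc"}, "CidrBlock": public_cidr, "MapPublicIpOnLaunch": True}}
    # Private subnet: hosts the Windows instance, never gets a public IP.
    r["PrivateSubnet"] = {"Type": "AWS::EC2::Subnet", "Properties": {
        "VpcId": {"Ref": "Vpc"}, "CidrBlock": private_cidr, "MapPublicIpOnLaunch": False}}
    r["Igw"] = {"Type": "AWS::EC2::InternetGateway"}
    r["IgwAttach"] = {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
        "VpcId": {"Ref": "Vpc"}, "InternetGatewayId": {"Ref": "Igw"}}}
    # NAT Gateway needs an Elastic IP and must live in the public subnet.
    r["NatEip"] = {"Type": "AWS::EC2::EIP", "DependsOn": "IgwAttach",
                   "Properties": {"Domain": "vpc"}}
    r["Nat"] = {"Type": "AWS::EC2::NatGateway", "Properties": {
        "AllocationId": {"Fn::GetAtt": ["NatEip", "AllocationId"]},
        "SubnetId": {"Ref": "PublicSubnet"}}}
    # Public route table: default route -> internet gateway.
    r["PublicRt"] = {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "Vpc"}}}
    r["PublicDefaultRoute"] = {"Type": "AWS::EC2::Route", "DependsOn": "IgwAttach",
                               "Properties": {"RouteTableId": {"Ref": "PublicRt"},
                                              "DestinationCidrBlock": "0.0.0.0/0",
                                              "GatewayId": {"Ref": "Igw"}}}
    r["PublicAssoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
        "SubnetId": {"Ref": "PublicSubnet"}, "RouteTableId": {"Ref": "PublicRt"}}}
    # Private route table: default route -> NAT Gateway (outbound only, no inbound path).
    r["PrivateRt"] = {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "Vpc"}}}
    r["PrivateDefaultRoute"] = {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": {"Ref": "PrivateRt"}, "DestinationCidrBlock": "0.0.0.0/0",
        "NatGatewayId": {"Ref": "Nat"}}}
    r["PrivateAssoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
        "SubnetId": {"Ref": "PrivateSubnet"}, "RouteTableId": {"Ref": "PrivateRt"}}}
    # Instance profile so the SSM agent can register with Session Manager.
    r["SsmRole"] = {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole"}]},
        "ManagedPolicyArns": [SSM_POLICY]}}
    r["SsmProfile"] = {"Type": "AWS::IAM::InstanceProfile",
                       "Properties": {"Roles": [{"Ref": "SsmRole"}]}}
    # No SecurityGroupIngress at all; declaring SecurityGroupEgress replaces the
    # default allow-all egress with 443/tcp only (what the SSM agent needs).
    r["WindowsSg"] = {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Private Windows host: no inbound, HTTPS egress only",
        "VpcId": {"Ref": "Vpc"},
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                 "CidrIp": "0.0.0.0/0"}]}}
    r["WindowsHost"] = {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": {"Ref": "WindowsAmiId"}, "InstanceType": {"Ref": "InstanceType"},
        "KeyName": {"Ref": "KeyPairName"}, "SubnetId": {"Ref": "PrivateSubnet"},
        "IamInstanceProfile": {"Ref": "SsmProfile"},
        "SecurityGroupIds": [{"Ref": "WindowsSg"}]}}
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Parameters": {"WindowsAmiId": {"Type": "AWS::EC2::Image::Id"},
                           "InstanceType": {"Type": "String", "Default": "t3.medium"},
                           "KeyPairName": {"Type": "AWS::EC2::KeyPair::KeyName"}},
            "Resources": r}


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
```

The key pair is still needed to decrypt the Windows administrator password, as the answer says; it is not used for network access. Port 3389 is deliberately absent from the security group because Session Manager's port forwarding carries the RDP session over the agent's outbound 443 connection.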
Thank you for the explanation; that is exactly what I have been looking for. I must have a setting mixed up as I can't connect yet but I'll keep tweaking it.
One new requirement that came up is to use a VPN. Since we will only have 1-2 users at a time, the suggestion was to use the OpenVPN AMI. From what I understand, that goes into the public subnet with a new security group, then I update the security group on the private Windows server to allow connections from the OpenVPN security group. Is this a reasonable approach?
Also, do I still need the NAT Gateway? Looking at the current pricing, it seems to be about $30/month and I read something about OpenVPN also providing NAT.
I took your suggestion and got the basic connection working, then added a VPN and so far it is working as expected; much appreciated!
The current configuration has an OpenVPN server and NAT gateway in a public subnet (route rule pointing to the internet gateway); and the main Windows server in a private subnet (route rule pointing to the NAT gateway). The OpenVPN server has a security group that allows the default TCP and UDP ports from the AMI, and the Windows server's security group has a single rule to allow RDP only from the OpenVPN security group.
I followed the OpenVPN documentation to configure the OpenVPN server and from what I understand, I shouldn't have to make any other changes to ensure a secure configuration.
Thanks again for your guidance. On to phase 2.
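A way to confirm that the deployed layout matches what this reply and the earlier answer describe, before calling it secure: a check run over the response shape of `aws ec2 describe-security-groups` and `aws ec2 describe-route-tables`. This is an added example, not code from the thread or from AWS. It verifies two invariants the thread settles on: the Windows host's security group admits nothing but tcp/3389 from the OpenVPN security group id (no CIDR-based inbound rule at all), and the private subnet's default route targets a NAT gateway rather than the internet gateway. All group, route-table and gateway ids below are constructed sample values.

```python
"""Check a private Windows host's security group and route table against the thread's
intended layout. Added example; the sample API objects are constructed, not real."""
RDP_PORT = 3389


def check_windows_sg(sg, vpn_sg_id):
    """Return findings (strings) for the Windows host's SG; empty list means compliant."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")          # "-1" means all protocols
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # Any CIDR-sourced inbound rule bypasses the VPN path, whatever the port.
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"{gid}: inbound {proto} {lo}-{hi} from CIDR {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            src = pair.get("GroupId")
            if src != vpn_sg_id:
                findings.append(f"{gid}: inbound {proto} {lo}-{hi} from unexpected group {src}")
            elif not (proto == "tcp" and lo == RDP_PORT and hi == RDP_PORT):
                findings.append(f"{gid}: VPN group allowed on {proto} {lo}-{hi}, "
                                f"expected tcp {RDP_PORT} only")
    return findings


def check_private_route(rt):
    """The private subnet's default route must point at a nat-* id, never an igw-*."""
    rtid = rt["RouteTableId"]
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if str(route.get("NatGatewayId", "")).startswith("nat-"):
            return []
        target = route.get("GatewayId") or route.get("NatGatewayId") or "missing"
        return [f"{rtid}: default route target is {target}, expected a NAT gateway"]
    return [f"{rtid}: no default route, host has no outbound internet access"]


def run_checks(windows_sg, vpn_sg_id, private_rt):
    """Combine both checks; returns the full list of findings."""
    return check_windows_sg(windows_sg, vpn_sg_id) + check_private_route(private_rt)


# --- constructed sample data in describe-* response shape -------------------
VPN_SG_ID = "sg-0a1b2c3d4e5f60001"      # constructed: the OpenVPN server's group

GOOD_WINDOWS_SG = {"GroupId": "sg-0a1b2c3d4e5f60002", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [],
     "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": VPN_SG_ID}]}]}

# A typical 'beginner' group: RDP open to the world, plus all traffic from the VPN group.
BAD_WINDOWS_SG = {"GroupId": "sg-0a1b2c3d4e5f60003", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": VPN_SG_ID}]}]}

GOOD_PRIVATE_RT = {"RouteTableId": "rtb-0f0e0d0c0b0a00001", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"}]}

# Private subnet mistakenly associated with the public route table.
BAD_PRIVATE_RT = {"RouteTableId": "rtb-0f0e0d0c0b0a00002", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]}

if __name__ == "__main__":
    for label, sg, rt in (("good", GOOD_WINDOWS_SG, GOOD_PRIVATE_RT),
                          ("bad", BAD_WINDOWS_SG, BAD_PRIVATE_RT)):
        print(label, run_checks(sg, VPN_SG_ID, rt) or ["OK"])
```

To run it against a live account, feed the check the `SecurityGroups[]` and `RouteTables[]` elements from the two describe calls (filtered to the Windows host's group and the route table associated with the private subnet); the functions read only the fields the API returns.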