Table of contents
Purpose
- Get familiar with CloudFormation
- Automate the build
- Make the build idempotent
- Make the build contents and procedure visible (IaC)
Configuration built this time
Processing overview
Template created
```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  # VPC
  VpcCidrBlock:
    Description: VPC CIDR Block
    Type: String
    Default: 172.18.0.0/16
  # Customer Gateway IP
  CustomerGatewayIp:
    Description: Customer Gateway IP
    Type: String
    Default: X.X.X.X
  # Subnet
  SubnetCidrBlock:
    Description: Subnet CIDR Block
    Type: String
    Default: 172.18.0.0/24
  # EC2 Instance Type
  InstanceType:
    Description: EC2 Instance Type
    Type: String
    Default: t2.micro
    ConstraintDescription: must be a valid EC2 instance type
  # Key Pair Name
  KeyName:
    Description: Key Pair Name
    Type: AWS::EC2::KeyPair::KeyName
    Default: keypair01
    ConstraintDescription: Can contain only ASCII characters
Mappings:
  # EC2 Instance image Map (the second-level key must be "hvm" in every
  # region, because FindInMap below looks up "hvm")
  RegionMap:
    ap-northeast-1:
      hvm: "ami-001f026eaf69770b4"
    ap-southeast-1:
      hvm: "ami-0e8e39877665a7c92"
Resources:
  # VPC
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Ref VpcCidrBlock
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-vpc
  # Customer Gateway
  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      BgpAsn: 65000
      IpAddress: !Ref CustomerGatewayIp
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-cgw
  # VPN Gateway
  VPNGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-vgw
  AttachVPNGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      VpnGatewayId: !Ref VPNGateway
  # VPN Connection
  VPNConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      StaticRoutesOnly: False
      CustomerGatewayId: !Ref CustomerGateway
      VpnGatewayId: !Ref VPNGateway
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-vpnconn
  # Subnet
  Subnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref SubnetCidrBlock
      MapPublicIpOnLaunch: False
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-subnet
  # Route Table
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-rtb
  RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref Subnet
  RoutePropagation:
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn: AttachVPNGateway
    Properties:
      RouteTableIds:
        - !Ref RouteTable
      VpnGatewayId: !Ref VPNGateway
  # EC2 Security Group
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Accept SSH, ICMP
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp: 0.0.0.0/0
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-securitygroup
  # EC2 Instance
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId:
        Fn::FindInMap: [RegionMap, Ref: AWS::Region, hvm]
      InstanceType:
        Ref: InstanceType
      KeyName:
        Ref: KeyName
      Tags:
        - Key: Name
          Value: !Sub ${AWS::StackName}-instance
      NetworkInterfaces:
        - GroupSet:
            - Ref: InstanceSecurityGroup
          AssociatePublicIpAddress: false
          DeviceIndex: 0
          DeleteOnTermination: true
          SubnetId: !Ref Subnet
```
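The template above has two things worth catching before `aws cloudformation deploy`: a misspelled second-level key in `RegionMap` (the page's original had `hmv` under `ap-southeast-1`, which makes `Fn::FindInMap` fail only when the stack is deployed in that region), and ingress rules open to `0.0.0.0/0`. Below is an added example, not part of the original post, of a small static checker that walks a template and reports both, plus any `Ref` that points at nothing. To stay self-contained it uses a constructed excerpt of the template in CloudFormation's long-form intrinsic syntax (`{"Ref": ...}`, `{"Fn::FindInMap": ...}`), which is what you get from `aws cloudformation get-template` or any tag-aware YAML loader; the function names are mine.

```python
"""Static checks for a CloudFormation template (added example, not from the page).

Checks:
  1. Every Fn::FindInMap resolves in every top-level key of its map when the
     top-level key is a Ref (e.g. AWS::Region), so a region-specific typo such
     as 'hmv' instead of 'hvm' is found before deploy time.
  2. Every Ref names a Parameter, a Resource or an AWS pseudo parameter.
  3. Security-group ingress rules open to the whole Internet are reported.
"""
import copy

# Real CloudFormation pseudo parameters (not a complete list, but the common ones).
PSEUDO_PARAMS = {"AWS::Region", "AWS::StackName", "AWS::StackId", "AWS::AccountId",
                 "AWS::Partition", "AWS::URLSuffix", "AWS::NoValue", "AWS::NotificationARNs"}

# Constructed excerpt of the page's template; the 'hmv' misspelling is kept on purpose.
TEMPLATE = {
    "Parameters": {
        "InstanceType": {"Type": "String", "Default": "t2.micro"},
        "KeyName": {"Type": "AWS::EC2::KeyPair::KeyName", "Default": "keypair01"},
    },
    "Mappings": {"RegionMap": {
        "ap-northeast-1": {"hvm": "ami-001f026eaf69770b4"},
        "ap-southeast-1": {"hmv": "ami-0e8e39877665a7c92"},
    }},
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "172.18.0.0/16"}},
        "Subnet": {"Type": "AWS::EC2::Subnet",
                   "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "172.18.0.0/24"}},
        "InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "VpcId": {"Ref": "VPC"},
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "CidrIp": "0.0.0.0/0"},
            ]}},
        "EC2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
            "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "hvm"]},
            "InstanceType": {"Ref": "InstanceType"},
            "KeyName": {"Ref": "KeyName"},
            "NetworkInterfaces": [{"GroupSet": [{"Ref": "InstanceSecurityGroup"}],
                                   "SubnetId": {"Ref": "Subnet"}}]}},
    },
}

# Same excerpt with the mapping key corrected, to show the finding disappears.
TEMPLATE_FIXED = copy.deepcopy(TEMPLATE)
TEMPLATE_FIXED["Mappings"]["RegionMap"]["ap-southeast-1"] = {"hvm": "ami-0e8e39877665a7c92"}


def walk(node):
    """Yield every dict in the template tree, depth first."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)


def check_find_in_map(template):
    findings = []
    mappings = template.get("Mappings", {})
    for node in walk(template):
        if "Fn::FindInMap" not in node:
            continue
        map_name, top_key, second_key = node["Fn::FindInMap"]
        table = mappings.get(map_name)
        if table is None:
            findings.append(f"FindInMap: unknown mapping {map_name}")
            continue
        # A Ref (typically AWS::Region) is only known at deploy time, so every
        # top-level key must carry the second-level key.
        candidates = table.keys() if isinstance(top_key, dict) else [top_key]
        for key in candidates:
            if key not in table:
                findings.append(f"FindInMap: {map_name} has no key {key}")
            elif second_key not in table[key]:
                findings.append(f"FindInMap: {map_name}[{key}] lacks {second_key!r} "
                                f"(has {sorted(table[key])})")
    return findings


def check_refs(template):
    known = set(template.get("Parameters", {})) | set(template.get("Resources", {})) | PSEUDO_PARAMS
    return [f"Ref: unknown target {node['Ref']}"
            for node in walk(template) if "Ref" in node and node["Ref"] not in known]


def check_open_ingress(template):
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if rule.get("CidrIp") in ("0.0.0.0/0", "::/0"):
                findings.append(f"{name}: {rule['IpProtocol']} {rule.get('FromPort')}-"
                                f"{rule.get('ToPort')} open to {rule['CidrIp']}")
    return findings


def lint(template):
    return check_find_in_map(template) + check_refs(template) + check_open_ingress(template)


if __name__ == "__main__":
    for finding in lint(TEMPLATE):
        print(finding)
```

On the page's template the open-ingress findings are tolerable only because the instance has no public IP and sits in a subnet with no internet gateway, so the rule is reachable solely through the VPN; the checker reports it anyway so that decision is made consciously rather than by default. To run it on a real file, load the YAML with a loader that maps `!Ref`/`!Sub`/`!FindInMap` tags onto the long-form dicts and pass the result to `lint`.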
Work after stack creation
1. Port opening/mapping on the NAT router (environment dependent)
In this environment a NAT router provides the internet connection: a typical consumer "wireless LAN access point + wired LAN router". It sits in the path of the VPN session. To let traffic originating at the AWS-side endpoint reach the on-premises endpoint, forwarding rules have to be configured on the NAT router.
3. VPN connection settings on the router [on-prem]
Download the configuration to load onto the router from the AWS VPN settings screen.
```
! Amazon Web Services
! Virtual Private Cloud
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID              : vpn-0f6da5e2f75ebe6a1
! Your Virtual Private Gateway ID     : vgw-0d3787853b3d7acf6
! Your Customer Gateway ID            : cgw-0bbe8c483fb8bcd62
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
!
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500.
! If not behind NAT, and you are not using an Accelerated VPN, we recommend disabling NAT-T.
! If you are using an Accelerated VPN, make sure that NAT-T is enabled.
!
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 13.113.234.114 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 13.113.234.114 authentication pre-shared-secret 'vBj9QDCoZb0rAT8Sbgkx_ApK3IHBsyHx'
set vpn ipsec site-to-site peer 13.113.234.114 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 13.113.234.114 ike-group 'AWS'
set vpn ipsec site-to-site peer 13.113.234.114 local-address 'X.X.X.X'
set vpn ipsec site-to-site peer 13.113.234.114 vti bind 'vti0'
set vpn ipsec site-to-site peer 13.113.234.114 vti esp-group 'AWS'
! #2: IPSec Configuration
!
! The IPSec (Phase 2) proposal defines the protocol, authentication,
! encryption, and lifetime parameters for our IPSec security association.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
!
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! The tunnel interface is configured with the internal IP address.
set interfaces vti vti0 address '169.254.101.30/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' statement.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65000) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
set protocols bgp 65000 neighbor 169.254.101.29 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.101.29 soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.101.29 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.101.29 timers keepalive '10'
! To advertise additional prefixes to Amazon VPC, replace the 0.0.0.0/0 from the
! the following line with the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
set protocols bgp 65000 network 0.0.0.0/0
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
!
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500.
! If not behind NAT, and you are not using an Accelerated VPN, we recommend disabling NAT-T.
! If you are using an Accelerated VPN, make sure that NAT-T is enabled.
!
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 52.199.22.93 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.199.22.93 authentication pre-shared-secret 'TdBgv71bbrEl9hKNpXpas4Kj6wcXh1Jf'
set vpn ipsec site-to-site peer 52.199.22.93 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.199.22.93 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.199.22.93 local-address 'X.X.X.X'
set vpn ipsec site-to-site peer 52.199.22.93 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.199.22.93 vti esp-group 'AWS'
! #2: IPSec Configuration
!
! The IPSec (Phase 2) proposal defines the protocol, authentication,
! encryption, and lifetime parameters for our IPSec security association.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
!
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! The tunnel interface is configured with the internal IP address.
set interfaces vti vti1 address '169.254.25.154/30'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' statement.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65000) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
set protocols bgp 65000 neighbor 169.254.25.153 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.25.153 soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.25.153 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.25.153 timers keepalive '10'
! To advertise additional prefixes to Amazon VPC, replace the 0.0.0.0/0 from the
! the following line with the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
set protocols bgp 65000 network 0.0.0.0/0
! Additional Notes and Questions
!  - Amazon Virtual Private Cloud Getting Started Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
!  - Amazon Virtual Private Cloud Network Administrator Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
!  - XSL Version: 2009-07-15-1119716
```
However, it did not work as-is. Perhaps because VyOS and Vyatta are, after all, different things.
The configuration I tidied up and actually entered is below.
```
# delete previous configuration
configure
delete interfaces vti vti0
delete interfaces vti vti1
delete interfaces vti vti2
delete protocols bgp
delete vpn
commit
save
exit

# configure tunnel #1
configure
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 13.113.234.114 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 13.113.234.114 authentication pre-shared-secret 'vBj9QDCoZb0rAT8Sbgkx_ApK3IHBsyHx'
set vpn ipsec site-to-site peer 13.113.234.114 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 13.113.234.114 ike-group 'AWS'
set vpn ipsec site-to-site peer 13.113.234.114 local-address '10.0.0.253'
set vpn ipsec site-to-site peer 13.113.234.114 vti bind 'vti1'
set vpn ipsec site-to-site peer 13.113.234.114 vti esp-group 'AWS'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set interfaces vti vti1 address '169.254.101.30/30'
set interfaces vti vti1 description 'VPC tunnel 1'
set interfaces vti vti1 mtu '1436'
set protocols bgp neighbor 169.254.101.29 remote-as '64512'
set protocols bgp neighbor 169.254.101.29 soft-reconfiguration 'inbound'
set protocols bgp neighbor 169.254.101.29 timers holdtime '30'
set protocols bgp neighbor 169.254.101.29 timers keepalive '10'
set protocols bgp local-as 65000
commit
save
exit

# configure tunnel #2
configure
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 52.199.22.93 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.199.22.93 authentication pre-shared-secret 'TdBgv71bbrEl9hKNpXpas4Kj6wcXh1Jf'
set vpn ipsec site-to-site peer 52.199.22.93 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.199.22.93 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.199.22.93 local-address '10.0.0.253'
set vpn ipsec site-to-site peer 52.199.22.93 vti bind 'vti2'
set vpn ipsec site-to-site peer 52.199.22.93 vti esp-group 'AWS'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set interfaces vti vti2 address '169.254.25.154/30'
set interfaces vti vti2 description 'VPC tunnel 2'
set interfaces vti vti2 mtu '1436'
set protocols bgp neighbor 169.254.25.153 remote-as '64512'
set protocols bgp neighbor 169.254.25.153 soft-reconfiguration 'inbound'
set protocols bgp neighbor 169.254.25.153 timers holdtime '30'
set protocols bgp neighbor 169.254.25.153 timers keepalive '10'
set protocols bgp local-as 65000
commit
save
exit

# route advertisement
configure
set protocols bgp address-family ipv4-unicast network 172.16.0.0/24
commit
save
exit

# confirm
show interfaces
show vpn ike sa
show vpn ipsec sa
show bgp summary
show ip route
show ip bgp
```
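Comparing the AWS download with the configuration that was actually entered shows a mechanical set of rewrites: `set protocols bgp 65000 ...` becomes `set protocols bgp ...` plus a single `set protocols bgp local-as 65000`, the advertised network moves to `address-family ipv4-unicast network <on-prem prefix>`, `local-address 'X.X.X.X'` and the outside interface become real values, and the tunnel interfaces are shifted from vti0/vti1 to vti1/vti2. The script below is an added example, not part of the original post, that applies exactly those rewrites to the AWS text so the conversion does not have to be done by hand for every new VPN connection; the function name and parameters are mine, and the input is a constructed excerpt of the AWS file with placeholder pre-shared keys. It also drops the `!` comment lines and de-duplicates the shared `ike-group`/`esp-group` lines that AWS repeats under each tunnel.

```python
"""Rewrite an AWS-generated Vyatta sample config into the VyOS 1.4-style syntax
used on this page (added example; the rewrite rules mirror the differences
between the two configurations shown above)."""
import re

# Constructed excerpt of the AWS download; PSK values are placeholders.
AWS_SAMPLE = """\
! IPSec Tunnel #1
! #1: Internet Key Exchange (IKE) Configuration
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec site-to-site peer 13.113.234.114 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 13.113.234.114 authentication pre-shared-secret 'PSK_TUNNEL_1_PLACEHOLDER'
set vpn ipsec site-to-site peer 13.113.234.114 local-address 'X.X.X.X'
set vpn ipsec site-to-site peer 13.113.234.114 vti bind 'vti0'
set vpn ipsec site-to-site peer 13.113.234.114 vti esp-group 'AWS'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS pfs 'enable'
set interfaces vti vti0 address '169.254.101.30/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set protocols bgp 65000 neighbor 169.254.101.29 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.101.29 timers holdtime '30'
set protocols bgp 65000 network 0.0.0.0/0
! IPSec Tunnel #2
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec site-to-site peer 52.199.22.93 local-address 'X.X.X.X'
set vpn ipsec site-to-site peer 52.199.22.93 vti bind 'vti1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set interfaces vti vti1 address '169.254.25.154/30'
set protocols bgp 65000 neighbor 169.254.25.153 remote-as '64512'
set protocols bgp 65000 network 0.0.0.0/0
"""


def convert_aws_config(text, local_address, outside_interface, advertise_prefix, vti_offset=1):
    """Return the list of VyOS `set` commands derived from the AWS sample.

    local_address    -- the router's own address on the outside interface
                        (10.0.0.253 on this page; AWS prints 'X.X.X.X')
    outside_interface-- interface IPsec binds to (eth1 on this page)
    advertise_prefix -- on-prem prefix announced instead of 0.0.0.0/0
    vti_offset       -- shift applied to every vtiN (vti0 -> vti1, vti1 -> vti2)
    """
    out, seen, local_as = [], set(), None

    def emit(line):
        # AWS repeats the shared ike-group/esp-group lines under both tunnels;
        # `set` is idempotent in VyOS but there is no point entering them twice.
        if line not in seen:
            seen.add(line)
            out.append(line)

    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue  # '!' comment lines, banners, blanks
        line = re.sub(r"\bvti(\d+)\b", lambda m: f"vti{int(m.group(1)) + vti_offset}", line)
        line = line.replace("local-address 'X.X.X.X'", f"local-address '{local_address}'")
        line = re.sub(r"ipsec-interfaces interface '\S+'",
                      f"ipsec-interfaces interface '{outside_interface}'", line)
        m = re.match(r"set protocols bgp (\d+) (.*)", line)
        if m:  # Vyatta-style 'protocols bgp <asn> ...' -> VyOS 1.4 'protocols bgp ...'
            local_as, rest = m.group(1), m.group(2)
            if rest.startswith("network "):
                emit(f"set protocols bgp address-family ipv4-unicast network {advertise_prefix}")
            else:
                emit(f"set protocols bgp {rest}")
            continue
        emit(line)

    if local_as is not None:
        emit(f"set protocols bgp local-as {local_as}")
    return out


if __name__ == "__main__":
    for cmd in convert_aws_config(AWS_SAMPLE, "10.0.0.253", "eth1", "172.16.0.0/24"):
        print(cmd)
```

The converter passes the IKE and ESP proposals through unchanged, so what it emits is the AWS minimum (AES128, SHA1, DH group 2) that the AWS comments themselves describe as a floor; if the tunnel options on the AWS side are raised to AES256/SHA256/DH 14 or higher, change the `proposal` lines in the input before converting. Announcing the specific on-prem prefix rather than the sample's `0.0.0.0/0` is also what keeps the VPC from learning a default route through the tunnel.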
4. Verify the VPN connection [on-prem]
```
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             172.16.0.253/24                   u/u
eth1             10.0.0.253/24                     u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vti1             169.254.101.30/30                 u/u  VPC tunnel 1
vti2             169.254.25.154/30                 u/u  VPC tunnel 2
```

```
vyos@vyos:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
52.199.22.93 52.199.22.93               10.0.0.253 10.0.0.253

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------  -----  ------  ------
    up     IKEv2   AES_CBC_128  HMAC_SHA1_96  MODP_1024  yes    11      0

Peer ID / IP                            Local ID / IP
------------                            -------------
13.113.234.114 13.113.234.114           10.0.0.253 10.0.0.253

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------  -----  ------  ------
    up     IKEv2   AES_CBC_128  HMAC_SHA1_96  MODP_1024  yes    28      0
```

```
vyos@vyos:~$ show vpn ipsec sa
Connection             State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
---------------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
peer_52-199-22-93_vti  up       11s       663B/801B       9/11              52.199.22.93      N/A          AES_CBC_128/HMAC_SHA1_96
```

```
vyos@vyos:~$ show bgp summary

IPv4 Unicast Summary:
BGP router identifier 172.16.0.253, local AS number 65000 vrf-id 0
BGP table version 2
RIB entries 3, using 576 bytes of memory
Peers 2, using 43 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
169.254.25.153  4      64512         6         5        0    0    0 00:00:11            1        2
169.254.101.29  4      64512         7         6        0    0    0 00:00:29            1        2

Total number of neighbors 2
```

```
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

S>* 0.0.0.0/0 [1/0] via 10.0.0.254, eth1, weight 1, 00:16:15
C>* 10.0.0.0/24 is directly connected, eth1, 00:16:25
C>* 169.254.25.152/30 is directly connected, vti2, 00:00:11
C>* 169.254.101.28/30 is directly connected, vti1, 00:00:29
C>* 172.16.0.0/24 is directly connected, eth0, 00:16:25
B>* 172.18.0.0/16 [20/100] via 169.254.101.29, vti1, weight 1, 00:00:28
```

```
vyos@vyos:~$ show ip bgp
BGP table version is 2, local router ID is 172.16.0.253, vrf id 0
Default local pref 100, local AS 65000
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/24    0.0.0.0                  0         32768 i
*  172.18.0.0/16    169.254.25.153         200             0 64512 i
*>                  169.254.101.29         100             0 64512 i

Displayed  2 routes and 3 total paths
```
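The outputs above are the ones to watch after any change on either end: both BGP neighbors must show a prefix count (not a state such as `Active` or `Idle`) in the `State/PfxRcd` column, and the VPC CIDR must be installed as a `B>*` route. The following is an added example, not part of the original post, of a checker that parses `show bgp summary` and `show ip route` text and reports what is wrong; the regular expressions match the FRR output format shown on this page, the sample outputs are constructed to mirror it (the second one with tunnel 2's session down), and the function names are mine. On a VyOS box the text would come from `show bgp summary` and `show ip route` run over SSH or via `run` in configure mode.

```python
"""Health check over VyOS/FRR `show bgp summary` and `show ip route` output
(added example, not from the page)."""
import re

# Neighbor rows: Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt
NEIGHBOR_RE = re.compile(
    r"^(?P<neighbor>\d+\.\d+\.\d+\.\d+)\s+4\s+(?P<asn>\d+)"
    r"(?:\s+\d+){5}\s+(?P<updown>\S+)\s+(?P<state>\S+)"
)
# BGP routes installed in the RIB: B>* 172.18.0.0/16 [20/100] via 169.254.101.29, vti1, ...
ROUTE_RE = re.compile(
    r"^B>\*\s+(?P<prefix>\S+)\s+\[\d+/\d+\]\s+via\s+(?P<nexthop>[\d.]+),\s+(?P<iface>\w+),"
)

# Constructed sample mirroring the page: both tunnels up, one prefix from each.
HEALTHY_BGP_SUMMARY = """\
IPv4 Unicast Summary:
BGP router identifier 172.16.0.253, local AS number 65000 vrf-id 0
Peers 2, using 43 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
169.254.25.153  4      64512         6         5        0    0    0 00:00:11            1        2
169.254.101.29  4      64512         7         6        0    0    0 00:00:29            1        2

Total number of neighbors 2
"""
# Constructed sample with tunnel 2's BGP session never established.
DEGRADED_BGP_SUMMARY = """\
Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
169.254.25.153  4      64512         0         0        0    0    0    never       Active        0
169.254.101.29  4      64512         7         6        0    0    0 00:00:29            1        2
"""
HEALTHY_IP_ROUTE = """\
S>* 0.0.0.0/0 [1/0] via 10.0.0.254, eth1, weight 1, 00:16:15
C>* 169.254.101.28/30 is directly connected, vti1, 00:00:29
C>* 172.16.0.0/24 is directly connected, eth0, 00:16:25
B>* 172.18.0.0/16 [20/100] via 169.254.101.29, vti1, weight 1, 00:00:28
"""


def parse_bgp_summary(text):
    """Map neighbor address -> {as, established, prefixes_received, state}."""
    peers = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if not m:
            continue
        state = m.group("state")
        # FRR prints the received-prefix count only once the session is Established;
        # otherwise the column carries the FSM state (Idle, Active, Connect, ...).
        established = state.isdigit()
        peers[m.group("neighbor")] = {
            "as": int(m.group("asn")),
            "established": established,
            "prefixes_received": int(state) if established else 0,
            "state": "Established" if established else state,
        }
    return peers


def parse_bgp_routes(text):
    """Map prefix -> (next hop, interface) for every selected BGP route."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[m.group("prefix")] = (m.group("nexthop"), m.group("iface"))
    return routes


def vpn_health(bgp_summary, ip_route, vpc_cidr, expected_peers=2):
    peers = parse_bgp_summary(bgp_summary)
    routes = parse_bgp_routes(ip_route)
    problems = []
    if len(peers) < expected_peers:
        problems.append(f"only {len(peers)} of {expected_peers} BGP neighbors present")
    for neighbor, p in peers.items():
        if not p["established"]:
            problems.append(f"neighbor {neighbor} is {p['state']}, not Established")
        elif p["prefixes_received"] == 0:
            problems.append(f"neighbor {neighbor} is Established but sent no prefixes")
    if vpc_cidr not in routes:
        problems.append(f"no BGP route to {vpc_cidr} in the routing table")
    return {"ok": not problems, "problems": problems, "peers": peers,
            "vpc_route": routes.get(vpc_cidr)}


if __name__ == "__main__":
    print(vpn_health(DEGRADED_BGP_SUMMARY, HEALTHY_IP_ROUTE, "172.18.0.0/16"))
```

Note that a single healthy tunnel still yields a route to the VPC, so a check that only looks at `show ip route` will not notice that redundancy has been lost; checking every neighbor individually is what surfaces that.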
5. Verify the VPN connection [AWS]
Check the following. Screenshots will be added if I get around to it.
- VPN tunnels 1 and 2 are in the UP state.
- The on-premises route (172.16.0.0/24) has been registered automatically in the route table, propagated by BGP.
6. Build a server for the connectivity test [on-prem]
Prepare a server that meets the following requirements; the method does not matter. In this environment CentOS was built as a QEMU+KVM guest.
- Belongs to the private subnet (172.16.0.0/24).
- Its default gateway is the VyOS router (172.16.0.253).
7. Connectivity test [on-prem → AWS]
Check ping connectivity. The EC2 instance's IP is 172.18.1.198. This is neither a public IP nor an Elastic IP; it is an address in a private subnet with no path to an internet gateway. This is the important point.
```
[root@server ~]# ping 172.18.1.198
PING 172.18.1.198 (172.18.1.198) 56(84) bytes of data.
64 bytes from 172.18.1.198: icmp_seq=1 ttl=253 time=11.10 ms
64 bytes from 172.18.1.198: icmp_seq=2 ttl=253 time=10.2 ms

--- 172.18.1.198 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 10.242/11.116/11.990/0.874 ms
```
Check SSH connectivity. The public key had already been placed on the server.
```
[root@server ~]# ssh -i /tmp/keypair01.pem -l ec2-user 172.18.1.198
The authenticity of host '172.18.1.198 (172.18.1.198)' can't be established.
ECDSA key fingerprint is SHA256:VqK/desWkzYLa8xHrqkmM3LyyeBvqckLVGWR3oClAxg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.18.1.198' (ECDSA) to the list of known hosts.

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-172-18-1-198 ~]$
```
It can be confirmed that the connection source is the on-premises server (172.16.0.1).
```
[ec2-user@ip-172-18-1-198 ~]$ w
 12:18:51 up 21 min,  1 user,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
ec2-user pts/0    ip-172-16-0-1.am 12:18    2.00s  0.02s  0.00s w
```

```
[ec2-user@ip-172-18-1-198 ~]$ netstat -an | grep 22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0     36 172.18.1.198:22         172.16.0.1:39320        ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
```
8. Connectivity test [AWS → on-prem]
The only way to log in to the AWS EC2 instance that originates this test is over the VPN from on-premises, so connectivity is already evident at this point; still, traffic in the reverse direction might not pass, so verify it.
Check ping connectivity.
```
[ec2-user@ip-172-18-1-198 ~]$ ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=63 time=9.74 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=63 time=10.4 ms

--- 172.16.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.748/10.087/10.427/0.354 ms
```
Check SSH connectivity.
```
[ec2-user@ip-172-18-1-198 ~]$ ssh root@172.16.0.1
The authenticity of host '172.16.0.1 (172.16.0.1)' can't be established.
ECDSA key fingerprint is SHA256:GaMu1CbR/A6wKpX/Ce0ceD2T8RESL9A+tWE39qTmSSM.
ECDSA key fingerprint is MD5:17:e2:8a:eb:44:46:1a:18:d2:49:b4:8c:ad:27:8f:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.1' (ECDSA) to the list of known hosts.
root@172.16.0.1's password:
Last login: Tue Jul  6 21:18:10 2021
[root@server ~]#
```
It can be confirmed that the connection source is the EC2 instance (172.18.1.198).
```
[root@server ~]# w
 21:21:46 up 4 min,  2 users,  load average: 0.04, 0.17, 0.09
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     ttyS0    -                21:18    1.00s  1.20s  0.05s ssh -i /tmp/keypair01.pem -l ec2-user 172.18.1.198
root     pts/0    172.18.1.198     21:21    1.00s  0.05s  0.01s w
```

```
[root@server ~]# netstat -an | grep 22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0     36 172.16.0.1:22           172.18.1.198:50280      ESTABLISHED
tcp        0     36 172.16.0.1:39326        172.18.1.198:22         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
```