Connect to your AWS VPC via OpenVPN

Since I cannot afford Direct Connect, one option for connecting into my AWS environment is a software VPN such as OpenVPN Access Server. A Google search turned up many articles covering this software on AWS.

I chose one article that outlines the setup and testing:

http://www.1strategy.com/blog/2017/02/21/securely-connecting-to-your-aws-environment-using-openvpn-access-server/

My VPC has both Public and Private subnets. The VPN EC2 instance is in the Public subnet with an Elastic IP (EIP).

The above article left the VPN server's security group rules wide open purely for quick testing, and recommended revisiting them afterwards to make them more secure. I decided to restrict these rules to my public IP (a single /32) as the source after successfully testing:

  1. VPN Connection
  2. SSH connection to a test Linux EC2 instance.

Tools for finding your public IP address include https://www.ipchicken.com/ and https://www.whatismyip.com/, among others.

After making the security group changes, test #2 failed. I knew that the private subnet's NACL needed to be updated, but what should the source be for the SSH rule(s)? I first tried OpenVPN's Dynamic IP Address Network (the address pool handed out to VPN clients) as the source for the SSH rules, and that did not work. The answer was in the VPN Routing settings, which state "NAT is preferred for client access to private networks." Because the Access Server NATs client traffic behind its own address, the private subnet sees the VPN server's private IP as the source, not the client's VPN address, so that is what the NACL has to allow. Instead of adding the single IP address, I added the CIDR blocks of all public subnets to the private NACL. (NACLs are stateless, so the private subnet's outbound rules must also allow the SSH replies back to those CIDRs on ephemeral ports.) Test #2 passed successfully.

To go one step further, I edited the security group rule for the private EC2 instance as well. Instead of leaving it wide open, I changed the source to my VPC's CIDR block (its private network), and test #2 passed again.
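The two changes above (the private NACL source and the private instance's security group source) both hinge on which address the private subnet actually sees. The following is an added example for this post, not code from the original article or from OpenVPN: it models the NAT-versus-routing choice, AWS NACL evaluation order (lowest rule number first, first match wins, implicit deny) and the allow-only security group, then checks the SSH path for the rule sets tried in the post. All addresses, subnet CIDRs and rule numbers are constructed; 172.27.224.0/20 is only a plausible stand-in for the Dynamic IP Address Network.

```python
"""Which source does the private subnet see for SSH through the VPN?

Added example, not code from the original post. Topology is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology loosely following the post: two public subnets, one
# private subnet, VPN server in a public subnet, test host in the private one.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
PUBLIC_SUBNETS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.0.1.0/24")]
PRIVATE_SUBNET = ipaddress.ip_network("10.0.10.0/24")
VPN_SERVER_PRIVATE_IP = ipaddress.ip_address("10.0.0.25")
VPN_CLIENT_POOL = ipaddress.ip_network("172.27.224.0/20")  # assumed client pool
CLIENT_VPN_IP = ipaddress.ip_address("172.27.224.10")       # constructed
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; ignored for security-group rules
    action: str      # "allow" or "deny" (security groups are allow-only)
    proto: str       # "tcp", "udp" or "-1" for all traffic
    port_from: int
    port_to: int
    cidr: ipaddress.IPv4Network


def effective_source(client_vpn_ip, nat):
    """Source address the private subnet sees for a VPN client's packet.

    With "NAT is preferred for client access to private networks" the server
    masquerades every client behind its own private IP. In routing mode the
    client's pool address is forwarded unchanged (and the VPC route tables
    would additionally need a route for the pool back to the server).
    """
    return VPN_SERVER_PRIVATE_IP if nat else client_vpn_ip


def _matches(rule, src, proto, port):
    if rule.proto not in ("-1", proto):
        return False
    if rule.proto != "-1" and not (rule.port_from <= port <= rule.port_to):
        return False
    return src in rule.cidr


def evaluate_nacl(rules, src, proto, port):
    """NACL semantics: ascending rule number, first match decides, and the
    catch-all '*' rule denies whatever no numbered rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, src, proto, port):
            return rule.action
    return "deny"


def evaluate_sg(rules, src, proto, port):
    """Security groups are stateful and allow-only: any matching rule permits."""
    return "allow" if any(_matches(r, src, proto, port) for r in rules) else "deny"


def ssh_reaches_private_host(client_vpn_ip, nat, nacl_in, nacl_out, sg_in):
    """One SSH connection end to end: private NACL inbound, instance security
    group, and (NACLs being stateless) the NACL outbound rule that the SSH
    reply needs towards the source on an ephemeral port."""
    src = effective_source(client_vpn_ip, nat)
    if evaluate_nacl(nacl_in, src, "tcp", 22) != "allow":
        return False
    if evaluate_sg(sg_in, src, "tcp", 22) != "allow":
        return False
    reply_port = 50000  # constructed; any port in the ephemeral range
    return evaluate_nacl(nacl_out, src, "tcp", reply_port) == "allow"


# First attempt from the post: SSH allowed from the VPN client pool only.
NACL_IN_POOL_ONLY = [Rule(100, "allow", "tcp", 22, 22, VPN_CLIENT_POOL)]
# What worked: SSH allowed from every public-subnet CIDR, where the NAT source lives.
NACL_IN_PUBLIC = [Rule(100 + i, "allow", "tcp", 22, 22, s) for i, s in enumerate(PUBLIC_SUBNETS)]
# Outbound from the private subnet: replies on ephemeral ports to the public subnets.
NACL_OUT_PUBLIC = [Rule(100 + i, "allow", "tcp", *EPHEMERAL, s) for i, s in enumerate(PUBLIC_SUBNETS)]
# Private instance's security group, tightened from wide open to the VPC CIDR.
SG_PRIVATE_HOST = [Rule(0, "allow", "tcp", 22, 22, VPC_CIDR)]


def scenario(nat, nacl_in):
    return ssh_reaches_private_host(CLIENT_VPN_IP, nat, nacl_in, NACL_OUT_PUBLIC, SG_PRIVATE_HOST)


if __name__ == "__main__":
    print("NAT on,  pool CIDR in NACL   :", scenario(True, NACL_IN_POOL_ONLY))
    print("NAT on,  public CIDRs in NACL:", scenario(True, NACL_IN_PUBLIC))
    print("NAT off, pool CIDR in NACL   :", scenario(False, NACL_IN_POOL_ONLY))
```

The third scenario is the caveat: if you ever switch the Access Server to routing mode, the pool CIDR becomes the real source, so the same tightened security group (VPC CIDR only) and the outbound NACL rule would then block the connection until the pool CIDR is added to them.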

Now on to some devopsy stuff via my VPN connection…