Amazon AWS Certified Advanced Networking Specialty – Virtual Private Networks & IPSec Tunnels Part 3

  • January 17, 2023

7. IPSec with OpenSwan – Part 02

Hey everyone and welcome back. In the earlier lecture we discussed how to create an IPsec-based VPN tunnel. In today's lecture we will look at how to make sure that all the EC2 instances in this region can communicate over that tunnel, because that is the actual requirement. So let me show you what should happen. I have one EC2 instance that I have created; let me copy its public IP and connect to it. Perfect, this is the EC2 instance I am connected to. Now let's quickly note the IP address of the Ohio region's EC2 instance; the private IP is the one we are interested in. I'll go ahead and ping it, and you see I am not able to ping.

The reason I'm not able to ping is that currently the tunnel is established only between the new IPsec EC2 instance and the AWS VPN endpoint on the Ohio region side. If I want the other EC2 instances to communicate through it, I have to route their traffic to that tunnel, and this is a very important thing to understand: all traffic destined for 172.31.0.0/16 should go to the IPsec instance that terminates the tunnel. To make that work, the first thing you do is disable the source/destination check on the IPsec instance, so you click Yes, Disable. This is the same thing you do for NAT instances, I hope you remember: by default EC2 drops packets whose source or destination address is not the instance itself, and a tunnel endpoint forwards exactly such packets. Now the next thing you have to do is create a route.

So let me click on VPC and select the route table. There is one route table, and you add a route saying that traffic going to 172.31.0.0/16, which is the CIDR of the VPC in the Ohio region, should go to the IPsec instance. So you select the IPsec instance as the target and click Save, and that is the route configured. The next step you must do is enable IPv4 forwarding on the IPsec instance. So I'll log in to the IPsec instance, and if you look at /etc/sysctl.conf, IP packet forwarding (net.ipv4.ip_forward) is disabled. Let's set it to 1 and do a service network restart. One more check worth doing at this point: the security groups of the IPsec instance and of the instances on both sides must allow the traffic you are forwarding (ICMP, in this test), otherwise the packets are dropped before the route ever matters.

Perfect. Now that networking has restarted we should be ready to go. So let's log out and log back in to the EC2 instance we used earlier, the one whose IP address ends in 127. And if I ping now, you see I am able to reach the EC2 instance in the Ohio region. So this is how the setup looks at a high level. Maybe in the upcoming lectures, if needed, we can discuss the configuration parameters in more detail. For the time being, I hope this lecture has been informative for you, and I look forward to seeing you in the next lecture.
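The three prerequisites above (a route for the remote CIDR pointing at the IPsec instance, the source/destination check disabled, and net.ipv4.ip_forward set to 1) are easy to get partly right, and the symptom is always the same: no ping. The following is an added example, not code from the course or from Openswan, that models those three checks so you can see which one is missing. It does not call AWS; the route table, the instance attribute and the sysctl.conf text are constructed stand-ins, and the 10.0.0.0/16 local VPC, the igw-example and i-ipsec-example identifiers are assumptions for the example.

```python
"""Added example (not from the course): model the three prerequisites for
routing a VPC's traffic through a self-managed IPsec instance and report
which one is missing.  Nothing here talks to AWS; the route table, the
source/dest attribute and the sysctl text are constructed stand-ins."""
import ipaddress

# Constructed route table of the VPC that hosts the IPsec instance (10.0.0.0/16 assumed).
# Targets use the console's notation: "local", an internet gateway, or an instance id.
ROUTES_BEFORE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-example"),
]
# After adding the route from the lecture: Ohio VPC CIDR -> IPsec instance (ids are made up).
ROUTES_AFTER = ROUTES_BEFORE + [("172.31.0.0/16", "i-ipsec-example")]

# Constructed /etc/sysctl.conf contents before and after the change.
SYSCTL_DISABLED = "# Controls IP packet forwarding\nnet.ipv4.ip_forward = 0\n"
SYSCTL_ENABLED = "net.ipv4.ip_forward = 0\nnet.ipv4.ip_forward = 1  # enabled for the tunnel\n"


def lookup_route(routes, dst_ip):
    """Longest-prefix match: the most specific CIDR containing dst_ip wins.
    Without the /16 route, 172.31.x.x falls through to 0.0.0.0/0 and is
    sent to the internet gateway, where a private address goes nowhere."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else (str(best[0]), best[1])


def ip_forward_enabled(sysctl_conf):
    """Read net.ipv4.ip_forward from sysctl.conf text; the last assignment wins,
    as it does for sysctl itself, and anything after '#' is a comment."""
    value = 0
    for raw in sysctl_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, val = line.partition("=")
        if sep and key.strip() == "net.ipv4.ip_forward":
            value = int(val.strip())
    return value == 1


def transit_problems(routes, dst_ip, ipsec_instance, source_dest_check, sysctl_conf):
    """Return the reasons a packet to dst_ip would not be forwarded through
    the IPsec instance; an empty list means all three prerequisites hold."""
    problems = []
    route = lookup_route(routes, dst_ip)
    if route is None or route[1] != ipsec_instance:
        problems.append(f"route for {dst_ip} resolves to {route}, not the IPsec instance")
    if source_dest_check:
        # With the check on, EC2 drops packets whose src/dst is not the instance itself.
        problems.append("source/destination check is still enabled on the IPsec instance")
    if not ip_forward_enabled(sysctl_conf):
        problems.append("net.ipv4.ip_forward is not 1 on the IPsec instance")
    return problems


if __name__ == "__main__":
    cases = [("before", ROUTES_BEFORE, True, SYSCTL_DISABLED),
             ("after", ROUTES_AFTER, False, SYSCTL_ENABLED)]
    for label, routes, check_on, conf in cases:
        found = transit_problems(routes, "172.31.10.5", "i-ipsec-example", check_on, conf)
        print(label + ":", found or "ok, traffic transits the IPsec instance")
```

Run it and the "before" case lists all three problems, the "after" case none. The route lookup is the part people get wrong in their heads: the existing 0.0.0.0/0 route does match 172.31.10.5, it just loses to the more specific /16 once that route exists.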

8. VPN Performance

Hey everyone and welcome back. In today's video we will discuss the VPN performance aspect. I'm sure you remember that whenever we create an AWS VPN connection, AWS creates two VPN endpoints (two tunnels), and you can see that in the screenshot below, taken from an earlier video: there are two endpoints available for one VPN connection. Now, there are certain restrictions on the bandwidth a VPN can support, and from the exam perspective it is important to remember these limits. The first limitation is that each IPsec VPN tunnel supports throughput of up to 1.25 Gbps, and on a virtual private gateway that is also the practical limit of the VPN connection.

So this 1.25 Gbps is the limitation of the virtual private gateway itself, and that is why any VPN connection you associate with the VGW can have up to 1.25 Gbps of throughput. Now, these two points I have added specifically because they will confuse you if you are reading the official AWS Advanced Networking study guide, which does contain them. The first states that to increase the bandwidth you can forward traffic to both endpoints. If you read that line, what would be your first thought? That if you want to raise the overall throughput from 1.25 Gbps to something higher, you forward traffic to both endpoints: the first endpoint supports 1.25 Gbps, the second supports 1.25 Gbps, and you get double the throughput. That is not the case. The second point states that to support such a design, the customer gateway should support equal-cost multipath (ECMP) to load balance traffic across both links.

So in principle you could load balance traffic across both links and get increased throughput. However, it is very important to remember that these two pointers refer to AWS Classic VPN. ECMP across the two tunnels is not supported by the current AWS VPN on a virtual private gateway; it was only for Classic VPN. If I can quickly show you, this is one of the premium support articles about migrating from AWS Classic VPN to the new AWS VPN. With Classic VPN there were certain restrictions at the endpoint level, and that was why customers could use ECMP to load balance traffic across both endpoints for better throughput.

However, with the current AWS VPN on a virtual private gateway, ECMP is not supported: AWS sends traffic to your side over one tunnel at a time, so the second tunnel gives you redundancy, not extra bandwidth. (ECMP across tunnels is supported when the VPN terminates on an AWS Transit Gateway instead, which is the AWS-native way to scale past a single tunnel's limit; this lecture is about the VGW.) This is something that will help you not only in the exam but also in real-world scenarios. Now, one question that comes up is: suppose you want much higher throughput than the 1.25 Gbps range, what are the alternatives? One alternative I have seen in organizations is running their own VPN software on an EC2 instance. A larger instance type supports higher network bandwidth, so it can push more VPN traffic than the managed endpoint. That is one approach a lot of organizations use to get better performance.

9. Interface Level Flow Logs

Hi everyone and welcome back to the Knowledge Portal video series. Today we are going to talk about a very important topic called flow logs. Flow logs allow us to see what type of traffic is coming to a particular interface. Let me give you a very simple example. In this slide, which we already looked at in earlier lectures, there is a security group that allows port 22 only from one particular IP. That is a genuine user: when he tries to SSH to this server, he is allowed. However, there can be a lot of attackers who also try to SSH, and since there is no security group rule allowing their IPs, the security group denies that access. Now, as security engineers we should know what kind of packets are getting blocked at the security group level, so that we can better understand where the malicious traffic is coming from. One of the great features AWS provides lets us see exactly what is arriving here, what is getting accepted and what is getting blocked.

We already covered this, but I wanted to add one slide: a security group is always associated at the network interface level. Flow logs also work at the network interface level, and they let us check what type of traffic is arriving and whether it is being accepted or rejected. One caveat: a REJECT in a flow log means the packet was dropped by a security group or by a network ACL, and the record does not tell you which, so check both when you investigate. So let's go to our favorite AWS console, where we have the EC2 instance running in a public subnet with a public IP. If we click on its network interface, you see there is a Flow Logs section, and what this allows us to do is monitor the traffic of that particular interface.

Now, one important thing to remember: since there are a lot of interfaces, AWS also lets us enable flow logs at the VPC level. So if, let's say, you have a hundred servers, one option is to go into each interface and enable the flow log, or you can go directly to your VPC and enable the flow log there once. In my case I already have a flow log enabled, which I used for testing, so let me delete it. I'll create a new flow log, and the first thing required is the permission: you need to create a new IAM role, and AWS has already filled in the policy document.

What this policy does is allow the flow logs service to create a log group and put log events into it. So I click Allow. Okay, let me go back to my VPC and try again: create flow log, select the role, and give the destination log group a name; I'll type kplabsflowlogs. I'll create the flow log, and now you see the status is Active, and it also shows the CloudWatch log group with the name I just gave it. So let's do one thing: let's go back to the EC2 instance and generate some traffic so there is something to log. I'll go to the EC2 instance and copy the public IP, and let's verify the security group: it only allows port 80. So let's try to generate some traffic that we know will be blocked.

For example, ICMP traffic: if I ping the public IP, you see it does not respond, because the security group does not allow it. Let's generate one more, say telnet to port 22; we know 22 is not allowed, so it will not work. And let's try telnet to 3306, which again is not allowed. All of this traffic will be rejected at the security group level, and all of these entries should show up in the new log group of the flow log we just created. To verify, open CloudWatch and go to Logs. At first you will see no log entries: the first time this log group is created in CloudWatch, it takes around four to five minutes for the data to populate. So here you see the log group is already created, but the data is not there yet. Let me just try to open it and see whether it works now.

Okay, there is some error; it should come up in a minute or two, so let's wait a few more seconds. One thing that is really good here is that once you start capturing flow logs, you will see a remarkable interplay between your servers and the attackers on the internet: you get real insight into what they are actually trying to do, and it is very interesting. Let me refresh the page. Okay, it might take some time, so let me pause the video and check back in a minute or two whether it is up and running. Okay, it has been around five minutes and the log stream is created now. Let me open it: this is the interface of the public EC2 instance, and these are all its flow logs. Let's filter to the last five minutes, since it has been five minutes since we paused. One very interesting thing you will see is that there are a lot of unknown IPs trying to connect to my public instance.

Very interesting. So let's take one of these IP addresses and do an IP lookup on it. As I said, there is a very interesting interplay between attackers and your EC2 instance that you can see in VPC flow logs, and you see this one is from Hong Kong, I believe China. In general you find a tremendous number of rejected packets from many countries, and in my experience China is at the top of the list; many enterprises simply block large Chinese address ranges because of the amount of malicious traffic that comes from there. Anyway, coming back to our main topic, let's select one record. Look at the entry from the address starting with 116, because that is my IP: if you remember, we tried telnet on port 3306, which is the MySQL port, and here the VPC flow log says that my IP tried to connect to port 3306 and that was rejected. That means the security group blocked this particular packet.

Now, it is very important, even for the exam, to understand exactly what each field in the log means. So let's go back to the presentation, where I have copied a sample VPC flow log record, and go through it field by field. The first field is the version of the flow log format, which is 2. The second is the account ID. The third is the interface ID of the ENI the record was captured on. The fourth is the source IP address, the address the packet came from. Next is the destination address, which for inbound traffic is the private IP of the EC2 instance; even when the client targeted the public IP, the record shows the private IP, because the public address is translated at the internet gateway before the packet reaches the interface. Next are the source port and the destination port, followed by the protocol number: this is the IANA protocol number, so 6 means TCP (17 is UDP and 1 is ICMP). Then come the number of packets and the number of bytes transferred in this aggregation window, followed by the start and end times of the window in Unix seconds. The second-to-last field is the action, which is either ACCEPT or REJECT.

In our case it is REJECT, and the last field is OK, which is the log status: it means this record was captured normally (the other values are NODATA, meaning there was no traffic in the window, and SKIPDATA, meaning records were dropped because of an internal capacity error). So two important things to remember as far as the exam is concerned: first, be very thorough with what each field means; second, remember that flow logs can be enabled at the individual interface level, at the subnet level, and at the VPC level. Let me show you the interface level. If I go back to the EC2 instance, there is an eth0 interface; let me click on it. Since we already enabled flow logs at the VPC level, the VPC automatically enables them on every interface attached to it, so on this interface you see the flow log is already active. So again, you can enable the flow log at the interface level, at the subnet level, or at the VPC level. These are the two things that matter both in real life and from the exam point of view.
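Reading records by eye works for a five-minute lab window, but the field layout above is exactly what you feed into tooling when the volume grows. The following is an added example, not code from the course or from AWS, that parses version-2 records with the fourteen fields described above and summarises what was rejected on the interface. The log lines are constructed to mirror the lecture's test traffic (telnet to 3306 and 22, a ping, legitimate port 80 traffic and its reply, plus a NODATA record); the addresses are from documentation ranges and the account ID, ENI ID and timestamps are made up.

```python
"""Added example (not from the course): parse version-2 VPC flow log records
and summarise rejected inbound flows per source and service.  The records
below are constructed; addresses use documentation ranges and the account,
ENI and timestamps are invented."""
import collections
import ipaddress

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed records: the ENI's private address is 172.31.16.21 in a 172.31.0.0/16 VPC.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.44 172.31.16.21 51022 3306 6 1 44 1673900000 1673900060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 172.31.16.21 41000 22 6 1 44 1673900000 1673900060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 172.31.16.21 41001 22 6 1 44 1673900000 1673900060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 172.31.16.21 0 0 1 4 336 1673900000 1673900060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.9 172.31.16.21 50211 80 6 12 2480 1673900000 1673900060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 172.31.16.21 192.0.2.9 80 50211 6 10 9812 1673900000 1673900060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 172.31.16.21 41002 3389 6 1 44 1673900060 1673900120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1673900120 1673900720 - NODATA
"""


def parse_record(line):
    """Split one record into a dict keyed by the documented field names.
    NODATA and SKIPDATA records carry '-' in the traffic fields, so only
    OK records have their numeric fields converted."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["version"] != "2":
        raise ValueError(f"unsupported flow log version {rec['version']}")
    if rec["log_status"] == "OK":
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
    return rec


def rejected_inbound(log_text, vpc_cidr):
    """Count REJECT records per (source address, service) for flows whose
    destination is inside the VPC.  Flow logs record both directions on an
    ENI, so the VPC CIDR is what separates inbound attempts from replies.
    A REJECT means a security group or a network ACL dropped the traffic;
    the record does not say which, so both need checking when investigating."""
    vpc = ipaddress.ip_network(vpc_cidr)
    counts = collections.Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        if ipaddress.ip_address(rec["dstaddr"]) not in vpc:
            continue
        proto = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
        # ICMP has no ports, so it is reported by protocol only.
        service = proto if rec["protocol"] == 1 else f"{proto}/{rec['dstport']}"
        counts[(rec["srcaddr"], service)] += 1
    return counts


def noisiest_sources(log_text, vpc_cidr, limit=3):
    """Source addresses with the most rejected inbound flows, most first."""
    per_source = collections.Counter()
    for (src, _service), n in rejected_inbound(log_text, vpc_cidr).items():
        per_source[src] += n
    return per_source.most_common(limit)


if __name__ == "__main__":
    for (src, service), n in sorted(rejected_inbound(SAMPLE_LOG, "172.31.0.0/16").items()):
        print(f"{src:>15}  {service:<9} rejected {n}x")
    print("noisiest:", noisiest_sources(SAMPLE_LOG, "172.31.0.0/16"))
```

The destination-in-VPC filter matters: the ACCEPTed reply from 172.31.16.21 to 192.0.2.9 is the same conversation as the inbound port 80 request, and without the filter a naive "count by destination port" would report the client's ephemeral port as a service. Swap SAMPLE_LOG for the text of an exported CloudWatch log stream and the functions work unchanged, as long as the flow log uses the default version-2 format.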
