
090120_-_Securely_access_your_Amazon_EC2_instances.pdf

Marc
January 09, 2020



Transcript

  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Securely access your Amazon EC2 instances. Antoine Yeramian, Solutions Architect, Amazon Web Services
  2. Reminder: basics (diagram: an AWS Region containing a VPC with CIDR 10.1.0.0/16; Availability zone 1 and Availability zone 2, each with a public subnet and a private subnet; labels "+ Expand" and "+ IPv6")
  3. Reminder – more advanced (diagram: the same VPC with Instance A 10.1.0.11/24, Instance B 10.1.1.11/24, Instance C 10.1.2.11/24 and Instance D 10.1.3.11/24; IGW, NAT-GW in each public subnet, EIPs 10.1.0.11 : 54.23.12.43 and 10.1.1.11 : 54.19.12.23; VGW with VPN and AWS Direct Connect (DXGW) to on-premises; VPC Peering to VPC-B (PCX-123, intra or inter region); VPC endpoint VPCE-123 and AWS PrivateLink to a service provider VPC behind an NLB; VPC Flow Logs; AWS Lambda, AWS IoT, Amazon DynamoDB, Amazon S3, Amazon SQS, Amazon SNS. Route tables, Destination → Target: 10.1.0.0/16 → Local; 0.0.0.0/0 → IGW (public subnet) or Instance B (private subnet); S3.prefix.list → VPCE-123; On-premises → VGW; VPC-B → PCX-123)
  4. Access through a Linux Bastion Host (https://aws.amazon.com/quickstart/architecture/linux-bastion/)
  5. Configuring SSH Agent
  6. Configuring SSH Agent (continued)
  7. Configuring SSH Agent (continued)
  8. Site-to-site VPN (diagram: On-Premises Customer gateway (CGW) to Virtual private gateway (VGW) in the VPC, IPsec tunnel over the internet; IPsec Tunnel 1 - Primary, IPsec Tunnel 2 - Secondary)
  9. Before AWS Client VPN: VPC VPN connections were site-to-site only
  10. After AWS Client VPN: AWS now supports client-to-site VPN termination with OpenVPN clients through the Client VPN Endpoint
  11. Attachment to Amazon VPC (diagram: user with OpenVPN client, TLS-based tunnel over the internet to the Client VPN Endpoint in the VPC, reaching On-Premises, Amazon S3 and Amazon DynamoDB)
  12. Features—Authentication & authorization (diagram labels: End-user(s), AWS services (like Amazon S3, DynamoDB), CORP, VGW, On-prem, Internet, IGW, VPC peering, VPC, Subnet)
  13. Features—Connectivity (same diagram as slide 12)
  14. Features—Manageability & clients (same diagram as slide 12)
  15. AWS Systems Manager: Resource groups, Run command, Inventory, Patch manager, Automation, Parameter store, Maintenance window, State manager, Session Manager, Distributor
  16. Session Manager (diagram labels: VPC, IAM permissions, Session Manager, Infrastructure security, SSM endpoint)
  17. Session Manager features
  18. Session Manager initial setup
  19. Session Manager access
  20. Instance Connect (+ Bastion Host ?)
  21. Thank you!