AWS Client VPNを試してみた

Transcript

1. 2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ϥϯαʔζגࣜձࣾ
 43&ʗ҆ୡ
   ྋ ͋ͩͪΜ AWS Client VPNΛ ࢼͯ͠Έͨ

2. 
   ϥϯαʔζΫϥγίϜϕʔγοΫ
   ߹ಉษڧձ
   ɹΞδΣϯμ
    ɾࣗݾ঺հ ɾAWS Client VPNͬͯͲ͏ͳͷΑʁ ɾ΍Γ͍ͨ͜ͱ ɾߏ੒

   ɾϨΠςϯγ ɾϩά ɾσϞ ɾϋϚͬͨͱ͜Ζ ɾ·ͱΊ

3. 
   ϥϯαʔζΫϥγίϜϕʔγοΫ
   ߹ಉษڧձ
   ࣗݾ঺հ
    - name: Introduction me user: name:

   adachin work: SRE/Hiring Recruitment detail: aws analytical base menta
 skill: ansible terraform shell etc
 blog: blog.adachin.me
 oss: Vuls https://www.wantedly.com/companies/lancers/post_articles/151653

4. 
   ϥϯαʔζΫϥγίϜϕʔγοΫ
   ߹ಉษڧձ
   AWS Client VPNͬͯͲ͏ͳͷΑʁ
    https://blog.adachin.me/archives/9813

5. 2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ Ϛωʔδυ ΊͪΌͪ͘Ό͍͍!!!

6. 
   ϥϯαʔζΫϥγίϜϕʔγοΫ
   ߹ಉษڧձ
   ΍Γ͍ͨ͜ͱ
    ɾΦϨΰϯʹVPC01ͱAWS Client VPNͷઃఆ 
 ɾ౦ژϦʔδϣϯʹVPC02,VPC03Λ2ͭઃఆ 


   ɾVPC01(ΦϨΰϯ)ͱVPC02,03(౦ژ)ΛVPCϐΞϦϯάͰ઀ଓ 
 ɾVPC01,VPC02,VPC03ͦΕͧΕʹEC2ͷߏங 
 ɾAWS Client VPNͷϢʔβʔ࡞੒(ূ໌ॻɺ伴) 
 ɾ઀ଓͨ͠ࡍͷϩάʢCloudWatch Logs)͕औಘͰ͖Δ͜ͱΛ֬ೝ 
 ɾVPNܦ༝ͰEC2ʹSSHͰ͖Δ͔֬ೝ 
 ɾϨΠςϯγͷ֬ೝ

7. 
   ϥϯαʔζΫϥγίϜϕʔγοΫ
   ߹ಉษڧձ
   ߏ੒
   

8. 
   ϥϯαʔζΫϥγίϜϕʔγοΫ
   ߹ಉษڧձ
   ߏ੒
    ɾVPC01/ΦϨΰϯ ɾeasy-rsa
 CIDR 10.0.0.0/16 OpenVPNͷϢʔςΟϦςΟ
 subnet

   10.0.0.0/24 10.0.1.0/24 αʔόূ໌ॻɺ伴ͷ࡞੒
 
 ɾVPC02,VPC03/౦ژ 
 CIDR 10.10.0.0/16 10.20.0.0/16 Subnet 10.10.0.0/24 10.20.0.0/24 ɾTuunelblick


9. 2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ઃఆʹ͍ͭͯ͸… ϒϩάݟ͍ͯͩ͘͞!!!!

10. 2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ϨΠςϯγͱ͔Ͳ͏ͳΜʁ

11. 
    ϥϯαʔζΫϥγίϜϕʔγοΫ
    ߹ಉษڧձ
    ϨΠςϯγ
     $ ping 10.0.0.189 PING 10.0.0.189 (10.0.0.189):

    56 data bytes 64 bytes from 10.0.0.189: icmp_seq=0 ttl=254 time=127.708 ms 64 bytes from 10.0.0.189: icmp_seq=1 ttl=254 time=127.965 ms 64 bytes from 10.0.0.189: icmp_seq=2 ttl=254 time=128.099 ms 64 bytes from 10.0.0.189: icmp_seq=3 ttl=254 time=127.861 ms 64 bytes from 10.0.0.189: icmp_seq=4 ttl=254 time=127.784 ms 64 bytes from 10.0.0.189: icmp_seq=5 ttl=254 time=127.855 ms ^C --- 10.0.0.189 ping statistics --- 6 packets transmitted, 6 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 127.708/127.879/128.099/0.126 ms
 $ ifconfig utun1 utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 inet 10.110.1.98 --> 10.110.1.98 netmask 0xffffffe0

12. 2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ VPNͷϩάͱ͔औΕΔΜʁ

13. 
    ϥϯαʔζΫϥγίϜϕʔγοΫ
    ߹ಉษڧձ
    ϩά
     CloudWatch LogsͰશ෦ݟΕΔʂ

14. 2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ σϞ΍Γ·͢

15. 2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ͜͜Ͱ໰୊͕!….

16. 2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ͱࢥ͍͖΍…
 Πϯλʔωοτ͕ܨ͕Βͳ͍ "

17. 
    ϥϯαʔζΫϥγίϜϕʔγοΫ
    ߹ಉษڧձ
    ϋϚͬͨͱ͜Ζ
     https://inamuu.com/aws-client-vpn ɾͦ΋ͦ΋ssh͸Ͱ͖Δ͕ɺΠϯλʔωοτ͕઀ଓͰ͖ͳ͍ ɾϧʔτ௥Ճ ɾauthorization ruleʹΠϯλʔωοτ΁ͷΞΫηεΛڐՄ
 ɾެࣜΛՇ!!

18. 
    ϥϯαʔζΫϥγίϜϕʔγοΫ
    ߹ಉษڧձ
    ɹ·ͱΊ
     ɾOpenVPNαʔόӡ༻͍Βͣ ɾΦϨΰϯ͕ͩे෼ૣ͍ ɾϩά͸CloudWatch Logsʹ ɾαʔόূ໌ॻɺ伴Λ؅ཧ͢Δඞཁ͕͋Δ ɾϓϩΩγɺBastion΋EIP΋ৼΒͳͯ͘ྑ͖

    ɾطଘͷαʔόূ໌ॻΛ࢖ͬͯVPN͸࡞੒Ͱ͖Δ ɾΞΧ΢ϯτ࡟আͱ͍͏֓೦Ͱ͸ͳ͘ূ໌ॻΛrevoke ɾϥϯαʔζ΋ಋೖ͢Δ༧ఆʂʂ

19. 2019/2/22 ϥϯαʔζ&ΫϥγίϜ&ϕʔγοΫ ߹ಉษڧձ ͝ਗ਼ௌ͋Γ͕ͱ͏
 ͍͟͝·ͨ͠ʂʂ