Tuesday, May 19, 2020

Accessing private resources using AWS Client VPN

AWS VPC supports creating public and private subnets. Any EC2 in the public subnet will have public and private IP and so front end or customer facing applications like web applications are installed on this EC2. Also, this EC2 can be reached from outside the Cloud using the public IP for any maintenance.

The private subnet EC2 will have only private IP and no public IP, backend applications like databases ore installed on this EC2. This EC2 can't be reached directly from outside the Cloud as it doesn't have any public IP. So, how do we connect to it for activities like updating databases, creating tables etc? This is where Jump box or the Bastion box comes into play.

To connect to the EC2 in the private subnet we need to launch a Bastion box in the public subnet, connect to it and from there connect to the EC2 in the private subnet. This corresponds to step (1) and (2) in the below diagram. Step (2) pretty much like connecting to remote server, but in this case both the EC2s are in the same

The problem with the above approach is that the Bastion box does have an public IP and there is a probability of someone trying to access it over the public IP. We can get rid of the Bastion Box and use AWS Client VPN to connect the EC2 in the private subnet although the EC2 doesn't have an public IP as shown below.


I have created a new VPC with public and private subnet using the VPC wizard. And then created an EC2 in the private subnet. Note that there is no public IP and just the private IP. But, still we want to connect to it for doing the maintenance work on the EC2.

I followed this blog and created a VPN Endpoint and connected to the EC2 in the private subnet. Note the AWS Client VPN on the left side and connection to the EC2 from my Laptop via the Putty on the right side. Notice that the IP address in the Putty matches with the private IP address of the EC2 in the above screen.

1 comment: