
# Creating an AWS EC2 Instance and Connecting over VPN

## Today's Goals
- Understand the basics of the AWS EC2 service
- Understand the VPC architecture
- Create an EC2 instance on AWS
- Set up a VPN connection to the AWS VPC and access private resources

## Introduction

### What is EC2
Elastic Compute Cloud (EC2) is a compute platform with customizable CPU cores, storage, memory and operating system images.
Some advanced features:
- Auto Scaling: automatically launches new instances under high load
- Load balancing: distributes traffic across multiple instances
- Marketplace: provides pre-installed software and environments for different platforms

### What is VPC
Amazon Virtual Private Cloud (Amazon VPC)
*(Introduced last time)*

### What is AWS Client VPN
> AWS Client VPN is a managed, client-based VPN service that lets you securely access your AWS resources or your on-premises network. With AWS Client VPN you configure an endpoint that your users can connect to in order to establish a secure TLS VPN session. This lets clients access resources in AWS or on premises from any location using an OpenVPN-based VPN client. For more information, see the AWS Client VPN Administrator Guide.

- How it differs from AWS Site-to-Site VPN (which links an entire on-premises network to the VPC, rather than individual client devices)

## Workshop
![](https://i.imgur.com/THuN66N.png)

### Create an EC2 instance
- Go to the EC2 service
- Select "Launch instances"
- Enter an instance name
- Under "Application and OS Images", select Amazon Linux 2
- Under "Instance type", select "t2.micro"
- Select a key pair for login credentials > Create new key pair
    - Remember to save the private key; it is only offered for download once
- Under "Network settings", select an existing security group


### Connecting to an instance

#### Public access
- Fetch the public IP of the instance
- Use the following command to connect:
```bash
# ssh refuses a private key that other users can read, so keep it at mode 400
chmod 400 id_rsa.pem
ssh -i id_rsa.pem ec2-user@your-public-ip
```
#### Private access
- Client VPN (this tutorial)
- Site-to-Site VPN (not covered in this tutorial)
- Set up the RSA certificate/key pairs for mutual authentication by following these instructions:
    - https://docs.aws.amazon.com/zh_tw/vpn/latest/clientvpn-admin/client-authentication.html#mutual
- Create the VPN endpoint:
    - In VPC > Client VPN Endpoints > Create client VPN endpoint
    - Client IPv4 CIDR: `10.0.0.0/22`
    - Under "Server certificate ARN", select the imported server certificate > `server`
    - Select "Use mutual authentication"
- Associate a target network
    - In VPC > Client VPN Endpoints > `your created VPN endpoint`
    - Select Target network associations > Associate target network
    - Select the same VPC and subnet as the instance
- Add an authorization rule
    - In VPC > Client VPN Endpoints > `your created VPN endpoint`
    - Select Authorization rules > Add authorization rule
    - Destination network to enable access: ~~`10.0.0.0/22`~~ (use your VPC's IPv4 CIDR, not the client CIDR)
- Connect via OpenVPN
    - In VPC > Client VPN Endpoints > `your created VPN endpoint`
    - Download the client configuration
    - Add the following contents to the `.ovpn` file:
    ```
    <cert>
    Contents of client certificate (.crt) file
    </cert>

    <key>
    Contents of private key (.key) file
    </key>
    ```
    - Download and install an OpenVPN client
    - Connect to the VPN:
    ```bash
    sudo apt install openvpn
    # root is needed to create the tun interface; --config takes the edited .ovpn file
    sudo openvpn --config path/to/config.ovpn
    ```
    - Connect to the EC2 instance over its private IP:
    ```bash
    ssh -i id_rsa.pem ec2-user@private-ip
    ```
## Reference
- https://aws.amazon.com/tw/ec2/
- https://docs.aws.amazon.com/zh_tw/vpc/latest/userguide/what-is-amazon-vpc.html
- https://docs.aws.amazon.com/zh_tw/vpn/latest/clientvpn-admin/cvpn-getting-started.html
- https://docs.aws.amazon.com/zh_tw/vpn/latest/clientvpn-admin/client-authentication.html#mutual