AWS VPC Cloud Environment Setup


Table of Contents
Introduction 3
Requirements 5
Step 1: VPC Deployment Setup 10
Step 2: Launching a VNS3 Controller Instance 15
VNS3 Configuration Document Links 19

Introduction

This guide describes the basic steps to set up an AWS VPC in which you plan to run a VNS3 Controller and AWS instances for your cloud use case. A simple deployment scenario is presented with some best-practice pointers. For more complex deployments, please open a support ticket via the Cohesive Networks Support Site or email support@cohesive.net.

VNS3 is an Appliance as a Service that provides network security and connectivity to your cloud-based applications: a Security Appliance (SA), an Application Delivery Controller (ADC) and Unified Threat Management (UTM) all rolled into one.

[Figure: VNS3 = Security Appliance (SA) + Application Delivery Controller (ADC) + Unified Threat Management (UTM)]

Requirements

You have an AWS account that Cohesive can use to enable your access to the VNS3 Controller AMIs (via DevPay, AWS Marketplace, or private image permissions).

Ability to configure a client (whether desktop based or cloud based) to use OpenVPN client software.

You have a compliant IPsec firewall/router networking device:

Preferred: most models from Cisco Systems*, Juniper, WatchGuard, Dell SonicWALL, Netgear, Fortinet, Barracuda Networks, Check Point*, Zyxel USA, McAfee Retail, Citrix Systems, Hewlett Packard, D-Link, Palo Alto Networks, Openswan, pfSense, and Vyatta.

Best Effort: any IPsec device that supports IKEv1 or IKEv2; AES256, AES128 or 3DES; and SHA1 or MD5.

*Known Exclusions: Check Point R65+ requires native IPsec connections, because Check Point does not conform to the NAT-Traversal standards; and Cisco ASA 8.4(2)-8.4(any) bugs prevent a stable connection from being maintained.

Getting Help with VNS3

Support for VNS3 is provided through the Cohesive Networks Support Site according to our Support Plans. We recommend reviewing the Support Site FAQs and this document before opening a support ticket. If you need more information on how to set up a specific cloud environment, or prefer video instructions, please see our Product Resources page for additional links. If you need specific help with project planning, POCs, or audits, contact our professional services team via sales@cohesive.net for details.

Firewall Considerations

VNS3 Controller instances use the following TCP and UDP ports.

VNS3 Web UI/API - TCP port 8000: the HTTPS admin interface. Must be accessible from hosts where you want to obtain runtime status or configure peering; must also be open to and from the Controllers, at least for the peering process; and must be accessible when downloading credentials for installation on overlay network clients.

VNS3 encrypted Overlay Network - UDP port 1194: for client VPN connections; must be accessible from all servers that will join the VNS3 topology as clients.

VNS3 Controller Mesh Peering - UDP ports 1195-1203: for tunnels between Controller peers; must be accessible from all peers in a given topology.

IPsec Phase 1/ISAKMP - UDP port 500: used for the phase 1 or IKE (Internet Key Exchange) component of an IPsec VPN connection.

IPsec Phase 2/ESP or NAT-Traversal - UDP port 4500 or Protocol 50 (ESP)*: Protocol 50 is used for the phase 2 or ESP (Encapsulating Security Payload) component of an IPsec VPN connection only when negotiating with native IPsec. UDP port 4500 is used for the phase 2 (ESP) component when using NAT-Traversal encapsulation.

*Some public cloud providers require IPsec connections to use NAT-Traversal encapsulation on UDP port 4500.

Remote Support

In the event Cohesive needs to observe the runtime state of a VNS3 Controller in response to a tech support request, we will ask you to open Security Group access to TCP port 22 (SSH) from our support IP, 54.236.197.84, and to enable Remote Support via the Web UI. Note that TCP 22 (SSH) is not required for normal operations. Each VNS3 Controller runs a restricted SSH daemon whose access is limited to Cohesive for debugging purposes and is controlled by the user via the Remote Support toggle and key exchange generation. Cohesive will send you an encrypted passphrase used to generate the private key with which Cohesive Support staff access your Controller. Access to the restricted SSH daemon is completely controlled by the user: once the support ticket has been closed, you can disable remote support access and invalidate the access key.

Step 1: VPC Deployment Setup

Create a VPC From the VPC Wizard

Create a VPC from the VPC tab at the top of the AWS Console. Click Start VPC Wizard, or click Get Started in your VPC Dashboard.

Choose either VPC with a Single Public Subnet Only or VPC with Public and Private Subnets. The other two choices will not work with VNS3. For this example we choose VPC with a Single Public Subnet Only.

You can leave the default values in for the VPC CIDR and VPC Subnet, or edit them to fit your addressing requirements. For this example we use 173.31.2.0/24 for the VPC CIDR and 173.31.2.0/25 for the Public Subnet. Remember that the VPC CIDR and VPC Subnets must not overlap with the VNS3 Overlay Network Subnet.

Click Create VPC. The VPC Wizard creates the VPC, the Subnet, a Network ACL, an Internet Gateway, 2 Routing Tables, and a Security Group.

Note: more complex VPC deployments can be set up (more than one VPC Subnet inside a VPC CIDR), but the VNS3 Controller must be launched in a Public VPC Subnet.
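Before clicking Create VPC it is worth checking the addressing plan mechanically, since an overlap between a VPC subnet and the VNS3 Overlay Network Subnet only shows up later as unroutable traffic. The following is an added example (not part of the Cohesive guide) that applies the three addressing rules this guide states: each subnet lies inside its VPC CIDR, nothing overlaps the overlay subnet, and the two VPC deployments use different CIDRs. The VPC CIDR and subnet are the guide's example values; the overlay subnet and the second VPC's CIDR are assumed values.

```python
import ipaddress
from typing import Dict, List

# Constructed addressing plan for the two-VPC deployment described in this guide.
# vpc-a uses the guide's example values; vpc-b and the overlay subnet are assumed.
OVERLAY_SUBNET = "172.31.1.0/24"   # assumed VNS3 Overlay Network Subnet
PLAN = {
    "vpc-a": {"cidr": "173.31.2.0/24", "subnets": ["173.31.2.0/25"]},
    "vpc-b": {"cidr": "173.31.3.0/24", "subnets": ["173.31.3.0/25"]},
}


def check_addressing(plan: Dict[str, Dict], overlay: str) -> List[str]:
    """Return a list of addressing conflicts; an empty list means the plan is clean.

    Rules checked: every VPC subnet sits inside its VPC CIDR, neither a VPC CIDR
    nor a subnet overlaps the VNS3 overlay subnet, and separate VPC deployments
    do not share address space.
    """
    problems: List[str] = []
    overlay_net = ipaddress.ip_network(overlay, strict=True)
    vpcs = {name: ipaddress.ip_network(v["cidr"], strict=True) for name, v in plan.items()}

    for name, spec in plan.items():
        vpc_net = vpcs[name]
        if vpc_net.overlaps(overlay_net):
            problems.append(f"{name}: VPC CIDR {vpc_net} overlaps overlay subnet {overlay_net}")
        for s in spec["subnets"]:
            sub = ipaddress.ip_network(s, strict=True)
            if not sub.subnet_of(vpc_net):
                problems.append(f"{name}: subnet {sub} is not inside VPC CIDR {vpc_net}")
            if sub.overlaps(overlay_net):
                problems.append(f"{name}: subnet {sub} overlaps overlay subnet {overlay_net}")

    # Pairwise check across VPC deployments (the guide recommends distinct CIDRs).
    names = sorted(vpcs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vpcs[a].overlaps(vpcs[b]):
                problems.append(f"{a} and {b} share address space ({vpcs[a]} / {vpcs[b]})")
    return problems


if __name__ == "__main__":
    for line in check_addressing(PLAN, OVERLAY_SUBNET) or ["addressing plan is clean"]:
        print(line)
```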

Inbound and Outbound VPC ACL Setup

Click Network ACLs in the left column menu under the SECURITY section. Select the ACL created by the VPC Wizard. The default settings allow all ports on all protocols from all destinations for both inbound and outbound connections. This is due to our selection of a Public Subnet when setting up the VPC.

It is recommended that you leave the ACLs open during initial configuration of your deployment. Once all connections are established and tested, you can lock down the ACL based on the Firewall Considerations outlined on page 7 by deleting the default Rule #100 and adding specific ALLOW rules. Keep in mind that Network ACLs are stateless: when you replace Rule #100 with specific ALLOW rules, the outbound ACL must still permit the return traffic for those connections, including the ephemeral port range used by replies.

VPC Security Group Setup Option 1: Default Group

Configure Security Groups from the VPC AWS Console. Click Security Groups in the left column menu under the SECURITY section. Select the Security Group created by the VPC Wizard. The default settings allow inbound connections on all ports from servers launched in the VPC security group and allow outbound connections on all ports to all routes (0.0.0.0/0). Again, this is due to our selection of a Public Subnet when setting up the VPC. It is your choice to leave the default Outgoing rules or modify them based on your use case.

From the Inbound tab, click Edit to add the following exceptions:

TCP port 8000 from your public IP (you can find your IP address by navigating to http://whatismyip.com)
UDP port 500 from the IP of your Datacenter-based IPsec Device
Custom Protocol Rule for ESP (50) from the IP of your Datacenter-based IPsec Device

Optional Inbound Exceptions:

UDP port 4500 from the IP of your Datacenter-based IPsec Device (only required if you will use NAT-Traversal encapsulation)
TCP port 8000 from the Elastic IP of the Controller in the other VPC deployment (only required for deployments across multiple VPCs or between VPC and EC2)
UDP ports 1195-1197 from the Elastic IP of the Controller in the other VPC deployment or EC2 (only required for deployments across multiple VPCs or between VPC and EC2)

Click Save.

VPC Security Group Setup Option 2: Multiple Security Groups

An alternative to just using the default security group set up by the VPC wizard is to separate the Controllers from the Client Servers. To do this we recommend creating two groups inside the already created VPC: vns3-mgr and vns3-client. Note: no rules are needed in the vns3-client group by default.

Select the vns3-mgr group and Edit the following inbound exceptions:

TCP port 8000 from your public IP (you can find your IP address by navigating to http://whatismyip.com)
TCP port 8000 from the vns3-mgr Security Group ID (for Peering, if needed)
UDP ports 1195-1197 from the vns3-mgr Security Group ID (for Peering, if needed)
UDP port 500 from the IP of your Datacenter-based IPsec Device
Custom Protocol Rule for ESP/Protocol 50 from the IP of your Datacenter-based IPsec Device

Optional Inbound Exceptions:

UDP port 1194 from the vns3-client Security Group ID if you plan on using the Overlay Network (see page 6).
UDP ports 1195-1197 from the Elastic IP of the Controller in the other VPC deployment (required for peering) if you are deploying the Overlay Network across multiple VPCs.
UDP port 4500 from the IP of your Datacenter-based IPsec Device if you plan on using NAT-Traversal encapsulation for your IPsec connection. In this guide we disable NAT-Traversal on the Controller.

Click Apply Rule Changes.
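The inbound rules from both security group options and the Firewall Considerations above can be expressed as data and audited before they are applied. The following added example (not Cohesive's code) builds the vns3-mgr inbound rule set from Option 2 in the IpPermissions shape used by the AWS EC2 API (as passed to boto3's authorize_security_group_ingress), then audits a rule set for the two mistakes the guide warns against: anything open to 0.0.0.0/0 and TCP 22, which is only needed during Remote Support. The addresses and security group IDs are constructed placeholders; the IpPermissions dictionary layout is an assumption about the API shape, not taken from the guide.

```python
from typing import Dict, List, Optional, Tuple

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _rule(proto: str, cidr: Optional[str] = None, sg_id: Optional[str] = None,
          ports: Optional[Tuple[int, int]] = None, desc: str = "") -> Dict:
    """One entry in the EC2 IpPermissions list (assumed API shape)."""
    rule: Dict = {"IpProtocol": proto}
    if ports:                      # ESP (protocol "50") carries no port numbers
        rule["FromPort"], rule["ToPort"] = ports
    if cidr:
        rule["IpRanges"] = [{"CidrIp": cidr, "Description": desc}]
    if sg_id:
        rule["UserIdGroupPairs"] = [{"GroupId": sg_id, "Description": desc}]
    return rule


def vns3_mgr_ingress(admin_ip: str, ipsec_peer_ip: str, mgr_sg_id: str,
                     client_sg_id: Optional[str] = None,
                     nat_traversal: bool = False) -> List[Dict]:
    """Inbound rules for the vns3-mgr group, following Option 2 of this guide."""
    rules = [
        _rule("tcp", cidr=admin_ip, ports=(8000, 8000), desc="VNS3 Web UI/API from admin"),
        _rule("tcp", sg_id=mgr_sg_id, ports=(8000, 8000), desc="Controller peering (API)"),
        _rule("udp", sg_id=mgr_sg_id, ports=(1195, 1197), desc="Controller mesh peering"),
        _rule("udp", cidr=ipsec_peer_ip, ports=(500, 500), desc="IKE from datacenter IPsec device"),
        _rule("50", cidr=ipsec_peer_ip, desc="ESP from datacenter IPsec device"),
    ]
    if client_sg_id:       # overlay network clients (UDP 1194)
        rules.append(_rule("udp", sg_id=client_sg_id, ports=(1194, 1194), desc="Overlay clients"))
    if nat_traversal:      # only when the IPsec peer uses NAT-Traversal encapsulation
        rules.append(_rule("udp", cidr=ipsec_peer_ip, ports=(4500, 4500), desc="NAT-T"))
    return rules


def audit_ingress(rules: List[Dict]) -> List[str]:
    """Flag rules that contradict the guide's Firewall Considerations."""
    findings: List[str] = []
    for r in rules:
        ports = (r.get("FromPort"), r.get("ToPort"))
        for ip in r.get("IpRanges", []):
            if ip["CidrIp"] in (ANY_V4, ANY_V6):
                findings.append(f"{r['IpProtocol']} {ports} open to {ip['CidrIp']}")
            elif r["IpProtocol"] == "tcp" and ports == (8000, 8000) and not ip["CidrIp"].endswith("/32"):
                findings.append(f"Web UI/API (tcp/8000) allowed from a range: {ip['CidrIp']}")
        if r["IpProtocol"] == "tcp" and ports[0] is not None and ports[0] <= 22 <= ports[1]:
            findings.append("tcp/22 allowed: SSH is only needed for Remote Support, not normal operation")
    return findings
```

The same rules, with the source changed from the vns3-mgr group ID to the other Controller's Elastic IP, cover the cross-VPC peering exceptions of Option 1.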

Step 2: Launching a VNS3 Controller Instance

Launch a VNS3 Controller

Switch to the EC2 tab at the top of the AWS Console. Click AMIs in the left column menu under the IMAGES section. Launch a VNS3 instance using the AMI ID supplied by Cohesive. Be sure to launch the instance in the VPC and the VPC security group that were created using the VPC Wizard.

NOTE: On Step 3: Configure Instance Details in the Launch Wizard, you can specify a particular IP address for the Controller instance on the VPC Subnet that was created using the VPC Wizard. AWS will automatically assign an IP inside the VPC Subnet if this field is left blank (as we did for this example).

Disable Source/Destination Check on the Controller Instance

Once the Controller instance is launched, you will need to disable the Source/Destination check on the instance. This step is required so the Controller instance is allowed to forward packets to the client servers. If this is not disabled, the Controller will not be able to route traffic appropriately.

To disable it, select the Controller instance, then click Instance Actions. Click Change Source/Dest. Check. Click Yes, Disable.

Create a VPC-Specific Elastic IP and Assign It to the Controller Instance

Switch back to the VPC tab at the top of the AWS Console. Click Elastic IPs in the left column menu under the Network & Security section. Click Allocate New Address and select that the Elastic IP is to be used in VPC. Click Yes, Allocate. Click Close.

Associate the Elastic IP address with your VNS3 Controller instance by clicking Associate Address. Select your VNS3 Controller instance and click Yes, Associate. Associating an Elastic IP with your VNS3 Controller instance makes the instance publicly reachable so you can log into the Controller Web UI to configure your Overlay Network and set up IPsec connections.

Repeat the steps outlined on pages 9-14 to create a second VPC deployment. We recommend using a different VPC CIDR for each VPC deployment.
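The two post-launch steps above (disable the Source/Destination check, then allocate and associate a VPC Elastic IP) are easy to script and, more importantly, to verify: a Controller whose check is still enabled silently drops forwarded traffic. This added example (not Cohesive's code) performs both steps through the boto3 EC2 client calls modify_instance_attribute, describe_instance_attribute, allocate_address and associate_address, reading the attribute back before proceeding. FakeEC2 is a constructed stand-in so the example runs offline; the instance ID and address values are placeholders.

```python
from typing import Dict, List, Tuple


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2") so this example runs offline."""

    def __init__(self) -> None:
        self.source_dest: Dict[str, bool] = {}            # instance id -> check enabled?
        self.associations: List[Tuple[str, str]] = []     # (instance id, allocation id)

    def modify_instance_attribute(self, InstanceId: str, SourceDestCheck: Dict) -> Dict:
        self.source_dest[InstanceId] = SourceDestCheck["Value"]
        return {}

    def describe_instance_attribute(self, InstanceId: str, Attribute: str) -> Dict:
        assert Attribute == "sourceDestCheck"
        return {"SourceDestCheck": {"Value": self.source_dest.get(InstanceId, True)}}

    def allocate_address(self, Domain: str) -> Dict:
        assert Domain == "vpc"   # the guide requires a VPC-scoped Elastic IP
        return {"PublicIp": "203.0.113.25", "AllocationId": "eipalloc-PLACEHOLDER"}

    def associate_address(self, InstanceId: str, AllocationId: str) -> Dict:
        self.associations.append((InstanceId, AllocationId))
        return {"AssociationId": "eipassoc-PLACEHOLDER"}


def prepare_controller(ec2, instance_id: str) -> Dict[str, str]:
    """Disable the Source/Dest check, confirm it took effect, then attach a VPC Elastic IP.

    `ec2` is a boto3 EC2 client (or FakeEC2 above); the keyword arguments are those
    of the real boto3 calls.
    """
    # Without this the Controller cannot forward packets for the client servers.
    ec2.modify_instance_attribute(InstanceId=instance_id, SourceDestCheck={"Value": False})
    # Read the attribute back instead of assuming the change applied.
    state = ec2.describe_instance_attribute(InstanceId=instance_id, Attribute="sourceDestCheck")
    if state["SourceDestCheck"]["Value"] is not False:
        raise RuntimeError(f"Source/Dest check is still enabled on {instance_id}")
    # Allocate an Elastic IP scoped to VPC and associate it with the Controller.
    eip = ec2.allocate_address(Domain="vpc")
    assoc = ec2.associate_address(InstanceId=instance_id, AllocationId=eip["AllocationId"])
    return {"public_ip": eip["PublicIp"], "allocation_id": eip["AllocationId"],
            "association_id": assoc["AssociationId"]}


if __name__ == "__main__":
    print(prepare_controller(FakeEC2(), "i-PLACEHOLDER"))
```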

VNS3 Configuration Document Links

VNS3 Product Resources - Documentation Add-ons

VNS3 Configuration Instructions (Free and Lite Editions BYOL): instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Administration Document: covers the administration and operation of a configured VNS3 Controller. Additional detail is provided around the VNS3 Firewall, all administration menu items, upgrade licenses, other routes and SNMP traps.

VNS3 Docker Instructions: explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.

VNS3 Troubleshooting: a troubleshooting document that explains the issues most commonly experienced with VNS3.